
      Bitwarden finally brings 2FA logins to free users

      news.movim.eu / gadgeteerza-tech-blog · Friday, 29 September, 2023 - 13:44 · 1 minute

    Previously, you had to pay for Bitwarden's premium plan to add 2FA for your stored logins. Bitwarden is claiming they are the only password manager to now include 2FA logins for free.

    As a paying customer, I've long been using Bitwarden's 2FA for logins, and it is pretty seamless. Bitwarden places the 2FA number ready in the device's clipboard, to just paste in straight after completing the login screen process.

    Today, 2FA is absolutely essential for any login security, until passkeys are the norm. It sounds like Bitwarden's own passkey management for logins will go live during October, and their own passkey access to Bitwarden a while after that. It is not clear to me yet whether free tier users now also have 2FA login into Bitwarden itself. I'm using a Yubikey device for my 2FA when logging into Bitwarden, and that may still be for the paid service only.

    I also noted when last renewing my Bitwarden subscription that they forced us to up our vault encryption iterations to 600,000. This was also a lesson learnt after the LastPass hack, where it was found the encryption iterations were way too low.

    I'm eagerly awaiting to see how Bitwarden implements passkeys in October, as I'm dead set against using passkeys that tie me to any particular device or operating system. I have too many passwords to just lose or have to change.

    See https://www.androidpolice.com/bitwarden-2fa-free-passkey/

    #technology #passwords #2FA #bitwarden


      How to send encrypted (at a cost) and 'confidential' emails on Gmail

      news.movim.eu / gadgeteerza-tech-blog · Friday, 29 September, 2023 - 13:09 · 3 minutes

    Gmail may be very easy to use, and probably also one of the most used e-mail services out there, but Google has still not made any real effort to help e-mails going proper E2EE for all, despite the technology being available for a very long time.

    Gmail's confidential mode is not E2EE at all. It is merely a self-destruct timer, or password-to-open, type of e-mail. The latter probably only works to other Gmail users.

    The encrypted offering they have is only for paid Workspace account holders, and seeing Google controls the web interface and services... I'm not sure the NSA will be using it (then again, maybe Gmail at least seems to be hacked less often than Microsoft's cloud mail service!).

    So ordinary users are probably better off adding one of the 3rd party browser extensions that allow true OpenPGP E2EE for Gmail. It is free, and you can use your own public/private key pair. But although this is free, the barrier for most normal users is the 'complexity'. You need to set up a signed key pair, load it into the extension, and of course have friends that are suitably equipped to actually decrypt E2EE e-mail. Unfortunately, the reality here is that both sides of this equation are just not feasible for many users. There is also no single standard used across all e-mail services for E2EE, and you can forget about sending an encrypted e-mail to 99.999% of business or government departments, and expecting any of them to be able to read it.

    Where any e-mail service has a POP3 or IMAP protocol interface (like Gmail has), it is possible to use an offline mail app like Thunderbird, and also add your OpenPGP key in there. But the same barriers to adoption exist for ordinary non-tech users, and it means also taking accountability to backup your own e-mail.

    The reality is, most users are going to be far better off with services like Proton Mail, or Tutanota, that make the encryption process about as seamless as it can be (even my own family managed to get Proton Mail right, but only one is bothered to use it, and only with me).

    Most people are not bothered, unless there is some very simple one button press to encrypt e-mail. And it seems, sadly, that the world is dependent upon Google to make this happen, mainly because there are so many Gmail accounts. If a Gmail user can't read an encrypted e-mail, then you can't send an E2EE mail to them (yes, I know Proton and Tutanota have workarounds where the Gmail user clicks to log in and enters a password to read the mail. But those are great phishing opportunities against non-tech users too).

    So, it does come down again to Big Tech, unfortunately, to decide whether average users will ever be able to have truly private and secure e-mail, as well as interoperability between instant messengers (my previous post about WhatsApp is what I'm referring to).

    Certainly, all the technology has long existed, but the biggest user bases are 'stuck' in Big Tech services, and there is no easy way for them to adopt the alternatives en masse. Whilst they feel (or don't feel should I say) trapped there, they hold everyone else back too, and your E2EE e-mail is meaningless when you have to still send plain text e-mails to so many Gmail users. E-mail takes two or more parties to send and receive e-mail.

    I'm only speculating here, but I'm suspecting Google is in no hurry to provide proper E2EE e-mail for Gmail users as it is a treasure trove of information about travel habits, medical details, banking details (less often now), relationships, and much more that is all open to analysis. Google certainly does scan e-mail as their TOS state they do this to detect viruses and malware, to provide search in e-mail, and 'to provide you personally relevant product features'. Gmail would likely have to become a paid service to make E2EE worthwhile for Google.

    You either have complete privacy and pay for every service, or you lose privacy for those free services. The majority of users are still opting for free services.

    See https://www.androidpolice.com/gmail-send-encrypted-emails/

    #technology #Gmail #privacy #E2EE


      Xiaomi Watch 2 Pro with Wear OS to compete with Samsung Galaxy Watch 6: As much to offer but costs less

      news.movim.eu / gadgeteerza-tech-blog · Friday, 29 September, 2023 - 10:54 · 1 minute

    The Watch 2 Pro is Xiaomi's first smartwatch to run Wear OS. It is a properly high-end smartwatch with a 1.43-inch OLED screen inside a 46mm stainless steel case with an IP68 rating. It also features a digital crown, similar to the Apple Watch and the Pixel Watch.

    Qualcomm's 4nm Snapdragon W5+ Gen 1 chip powers this smartwatch. It comes with a 65-hour battery life promise, higher than the Galaxy Watch 6's 40-hour claim but lower than the Galaxy Watch 5 Pro's 80-hour figure.

    Xiaomi's new smartwatch can also measure body composition, which was earlier only available on Galaxy Watches. It also features blood oxygen measurement, heart rate tracking with high heart rate notifications, sleep tracking, and stress measurements. It has dual-frequency GPS, though, which is not available on any Galaxy Watch, and it offers more accurate location tracking.

    So, all in all, very interesting, and it is high time there was better competition in the Wear OS market. It lacks ECG functionality, and we'll have to see how it does in the real-world for heart rate tracking. So far, only the Huawei watch is close to Apple Watch territory when it comes to really accurate heart rate tracking (my own Galaxy Watch has shown rather disappointing results for exercise tracking). The Huawei watch, though, had its NFC payments functionality pulled in my country, and that was a bit of a dealbreaker for me (and interestingly, the linked article does not mention anything about NFC on the Xiaomi watch).

    The Wear OS watches have not had really great battery life, like the Huawei watch does, which runs its own OS. I get about two and a half days off my Galaxy Watch, but I feel it could be better.

    So, I'm going to be very interested to see the hands-on reviews of this watch, as well as the objective health tracking tests.

    See https://www.sammobile.com/news/xiaomi-watch-2-pro-wear-os-launched-compete-galaxy-watch-6

    #technology #WearOS #Xiaomi


      ShareID: This startup wants to verify your ID without storing your personal data

      news.movim.eu / gadgeteerza-tech-blog · Thursday, 28 September, 2023 - 19:42 · 1 minute

    ShareID spokesperson Eliana Daboul described the company in an email as “an Authentication-as-a-Service solution tied to government-issued IDs.”

    The twist is that, unlike other similar companies, ShareID claims it doesn’t store any personal data. Instead, according to ShareID’s CEO Sara Sebti, the company asks users to submit a video to prove their “liveness” — a fancy word that means the user has to prove they are a real person in front of their phone’s camera and it’s not a pre-recorded video — and a picture of their government ID. But ShareID says it doesn’t store this data, it keeps it in memory on its servers and creates a hash — a unique ID — and then wipes the data, which effectively was never stored on the servers.

    Whether we like it or not, many government departments want to store copies of IDs, and I've also been finding the same now in South Africa with charities wanting ID numbers for income tax rebates. What we also know is that both of these types of entities are not the most secure to be doing this. It's also been seen that hackers often target a soft 3rd party service looking for credentials. So, the whole wanting copies of IDs is becoming very problematic.

    A best practice is certainly to encrypt any such documentation (at the very minimum), but I often find that big companies will encrypt when they send statements and other documentation to you, but just you try responding back to them with similarly encrypted documents, and they don't seem to be geared for that. If documents are stored in an encrypted format, that is a lot better, though.

    So whether ShareID is the best solution or not, remains to be seen, but I do like that there are such solutions being proposed. Citizens can be secure and private as they want to be, but if their governments are not practising the same cautions, then it helps little. Fining a government department for negligence does zero to help any citizen who has had their data breached (the fine is anyway paid with taxpayer money, too). It probably helps to fine private organisations, but for government agencies that is really no deterrent.

    See https://techcrunch.com/2023/09/27/this-startup-wants-to-verify-your-id-without-storing-your-personal-data/

    #technology #privacy #identity


      Linux Desktop Operating System Market Share in South Africa has more than Doubled this last Year

      news.movim.eu / gadgeteerza-tech-blog · Wednesday, 27 September, 2023 - 13:37 · 1 minute

    I still don't place a lot of faith in stats around Linux desktop OS market share from web browser visits (because mine, for example, are "Other" and on a VPN that exits outside of SA, and our Linux computers in the home are behind one public IP address that can't be counting them separately, etc).

    But be that as it may, it was still interesting to see a quite noticeable uptick in the Linux share in the South African market. It has been around 1.6% for quite a long while, but over just these few months in 2023 it has shot up to 4.5% showing quite consistent growth. That is also much higher than the current global average of 3.2%.

    There is no real reason that I know of for this change. It may just be that Linux users in SA are browsing the Internet more. It may be that the high inflation rate and cost of living is driving more computer users in SA to use Linux. Or it may be that some saw the light and realised they can buy bare-bones computers cheaper, and just put the latest up-to-date Linux on it for free.

    I'd like to have thought it was because of a roll-out across schools, or government departments, to spark better innovation and cost-savings, but I know that won't be happening any time soon, even if there is a budget deficit right now. We'll raise taxes before we cut costs...

    See https://gs.statcounter.com/os-market-share/desktop/south-africa/#monthly-202209-202308

    #technology #SouthAfrica #Linux


      The 7 Best Encrypted Digital Notebooks for Taking Secure and Private Notes

      news.movim.eu / gadgeteerza-tech-blog · Tuesday, 26 September, 2023 - 20:16 · 1 minute

    Have you ever imagined a vault so secure that even the craftiest of digital cat burglars would be left scratching their heads? That's what encrypted digital notebooks offer. A realm where your words are not just words, but treasures locked away in a digital Fort Knox. This is about blending usability with top-tier security, like mixing your favourite cocktail – it's got to have the right balance.

    "Why do I even need this?" you might wonder. Think about it: in an era where our lives are so intertwined with the digital realm, shouldn't our private thoughts get the VIP treatment too? So, whether you're penning the next great novel, planning a surprise for a loved one, or just noting down what groceries to pick up, it’s time to ensure your notes are stored safely and stylishly.

    Although there are countless note-taking apps around, the ones in this list do focus more specifically on security, as well as ease of use (no self-hosting installation required, easy to access, and easy syncing).

    I thought Cryptee was related to CryptPad, but it appears not. CryptPad is similar, and I use it for secure private sharing of documents, but it lacks slick mobile apps.

    See https://stackdiary.com/best-encrypted-digital-notebooks/

    #technology #privacy #notes


      eQsat: a satellite feed designed to look like a television station, intended to get news into a country with a total Internet blackout

      news.movim.eu / gadgeteerza-tech-blog · Monday, 25 September, 2023 - 19:39 · 1 minute

    Over the first 138 days of this year, digital rights group AccessNow estimates there were 80 internet shutdown incidents across 21 countries. Feldstein says that all free internet advocates can do is keep innovating. And, he says, eQsat is a prime example of that.

    A team of cybersecurity researchers believe they have come up with a clever new way to fight back: a trojan horse. Specifically, a satellite feed designed to look like a television station, which actually carries a payload of uncensored news and information. It’s a particularly retro solution to a very modern problem.

    The program, dubbed eQsat, has been tested and is ready to be put into action during the next internet shutdown—whether it’s in Russian-occupied Ukraine, Iran, or one of the many repressive regimes that regularly block internet access.

    It's true that whilst there is some form of Internet connectivity, it is not too difficult to use various technologies to circumvent the censorships. For example, even the Telegram app, Tor browser and others have such capability built in. Some of it is also disguised to look like normal http traffic. But a complete Internet blackout is a different story.

    Traditional radio is still around, but fewer and fewer people actually have good short wave radio receivers, and it's also true that the more something gets used, the quicker authorities catch onto it. Something being used is also pretty useless if the population has no knowledge about it.

    But the old scout motto is still true: Be Prepared! It's always better to test and prepare for something, than to wait until after the event, and then try to establish communications. As another saying goes: When all else fails, there's ham radio.

    See https://www.wired.com/story/equalitie-trojan-horse-internet-censorship/

    #technology #censorship #InternetBlackout


      Bill, Steve, and Gary… Computer Pioneers: Ruthless Business triumphs over Innovation

      news.movim.eu / gadgeteerza-tech-blog · Monday, 25 September, 2023 - 17:06 · 1 minute

    I vividly remember the DOS wars when I was using an early IBM compatible. I also remember DR-DOS being noticeably better than MS-DOS (accessing high memory etc) but I had no idea about all these tangles behind the scenes, or that DR-DOS was essentially a clone of the OS that had previously cloned CP/M.

    It also seems that Gary Kildall embraced many of the principles that are enshrined in open source today, long before open source was coined as a term.

    What was particularly tragic for me, in this story, was that essentially IBM had not agreed to Digital Research's request for royalties instead of an outright license purchase, and yet ultimately the deal with Microsoft was based on royalties. In other words, the original deal could have been done with DR.

    And yes, Microsoft was originally just a language company without any operating system. They actually bought their first operating system (said to be a clone/copy of Gary Kildall's OS) for a steal.

    In the business world, though, it comes down to who is the most ruthless and who has the money. The innovators basically get bought out. Yet as far as brilliant products go, we are totally still dependent upon those innovators to innovate.

    I'm glad Hackaday featured this article about Gary Kildall, as it is a pity we did not know all this then, but the world was a very different place in the 1980s. All three parts of the video are well worth watching to understand how all the parts unfolded, and Part 3 gives insight into where DR-DOS came into the picture, what Gary did after that, and how he tragically died so young in the 1990s.

    Given today's susceptibility to conspiracy theories, and the DOS wars etc raging in the early 1990s, I really had to hold myself in to stop thinking his death was something sinister, given his pending book publication, and the later fact that his kids did not want to publish the latter part of his book.

    See https://hackaday.com/2023/09/25/bill-steve-and-gary-computer-pioneers/

    #technology #garykildall #computerpioneers


      The Best Obsidian Note Plugins, or Not?

      news.movim.eu / gadgeteerza-tech-blog · Monday, 25 September, 2023 - 10:13 · 1 minute

    I had not tried Omnisearch, but apart from that and Advanced Tables, the suggested ones are not really "my best ones". But the linked article does again highlight one of Obsidian's most powerful features - its community plugins. Many note takers are good Markdown editors, but few come close to rivalling Obsidian's plugin power, largely created by the community themselves.

    Even though free Obsidian is not open-source, it gained a lot of traction and users have created so many valuable plugins. I also like that it leaves all my Markdown formatted files in place where they are. One excellent open-source notes editor I tried insisted on inserting an odd character at the start of every new line, as it was intended as an outliner, not a notes editor. Thing is, I like to keep my notes as standard as possible so that I can switch to another note taker in future.

    The ones I find really useful are:

    • Advanced Tables
    • cMenu
    • Code block from selection
    • Copy Image and URL context menu
    • Dynamic Table of Contents
    • Excel to Markdown Table
    • Highlightr
    • Kanban
    • Kindle Highlights
    • Local Images
    • Markdown Formatting Assistant
    • Obsidian Enhancing Export
    • Omnisearch
    • Ozan's Image Editor Plugin
    • Related Notes Finder
    • Tag & Word Cloud
    • Tag Wrangler
    • Text Format
    • txt as md (edits existing .txt files)
    • Underline
    • Vault Statistics

    But we all have different requirements (like some wanting to play Zoom inside Obsidian, use AI, publish to Nostr, etc), so it is well worth browsing the community plugins and seeing what is of interest to you. There are around 1,180 plugins right now.

    See https://www.alphr.com/best-obsidian-plugins/

    If you've not seen Obsidian, I did quite a long video about it at https://www.youtube.com/watch?v=q_4LR76g-jU

    #technology #markdown #notes #productivity