script draft 1

2025-12-28 12:27:14 -05:00 · 2025-12-28 12:27:14 -05:00 · 5b01eae5ce
commit 5b01eae5ce
parent bc23b9e52b
1 changed files with 207 additions and 4 deletions
--- a/src/script.md
+++ b/src/script.md
@ -1,7 +1,210 @@
-# $REPO_NAME
+[we should have every transition be elevator doors closing in front of the camera, then when they open we see the next setting. then we can have a "ding", and the next setting in a dark-souls-ass font]
 # myth of multifactor 2
-incitement
+the war on passwords looks like it's coming to an end, and evil is prevailing.
 [popup] You've got mail!
 [bank] "you WILL give us a spam vector and set up a passkey, AND YOU WILL THANK ME. no complaints, dissent will not be tolerated. it's for security. this is for your own good."
-## section
+so Passkeys and multifactor. Let's do this iceberg style. only, instead of deep underwater, it's deep into nerdery.
-text
+## deck
 [costume: socially acceptable. do a man bun, but leave a few hairs to demonstrate gravity.]
 [setting: green screen so that you can be sideways; view the whole thing in vertical. we'll have tiktok shit all over]
 surface level, what is a passkey?
 A way to force you to use software to create a very strong authentication method, unique to each party. It's really good at not letting you accidentally authenticate for someone bad.  the problem is that it's difficult for *you* to own the keys to your property.
 [computerphile] "if i've set up a passkey on m'laptop.. how do i use that on m'phone?" "you can't."
 ## basement
 [costume: rolled out of bed]
 [setting: no green screen]
 [straw man] What's so great about passkeys?
 computerphile, in a rare break from their tendency to fellate some generative AI crap, explained it quite succinctly. chick out this chart.
 [computerphile] [bit with the chart]
 so there's 3 things involved:
 * the reliant party; that's the thing that wants to authenticate you.
 * the client, that's you.
 * the authenticator, that's what you have instead of a password manager.
 now, instead of a shared secret, or smoke and mirrors about pretending we're involving one of the other 2 factors.. it's *not* a shared secret. it's public key cryptography, how cool is that!
 [straw man] i mean exactly this, very literally: i don't know.
 ok. so.
 let's say I want to send you my card, but i don't want anyone along the way to know. So i put it in a box,  locked with a code that only the 2 of us know. that way any mail carriers or amazon drivers shouldn't be able to see the card, but you and I can. (in theory. pray we don't encounter the god of lockpicking.)
 let's unpack that metaphor. 
 on the internet, there is only data.
 I want to send you some data, for example my credit card details. And I very much don't want anyone else to see.
 fortunately, there's a whole branch of mathematics that lets us turn that data into other data, and back.
 "shared key" cryptography is a simple way to do that - we share a key with only each other.
 so, one way that we *could* authenticate is to just send each other an encrypted message given our shared key.
 that's just a piece of information that only the 2 of us should have - authentication via something i know.
 that's all great and wonderful, as long as both you and i can keep a secret. But what's that saying though, three may keep a netflix password, if two of them have hulu? something like that.
 [poor richard's almanack, benjamin franklin]
 And it's not just users.
 [https://xkcd.com/792/ - boy i wish that aged better]
 boy i wished this aged better...
 [put the real terms on screen; private key, encrypt, etc]
 anyway, public key cryptography is way cooler. Instead of a key we both have, what if I have a key that can unlock, but not lock... then from that, i generate an anti-key that can only lock. 
 I'll give you this lock-only key, the public key. now you can send me a message that no one else, not even you, can decrypt. That lets me give the public key out to anyone. honestly, business cards should have public keys on them.
 isn't this way cooler? 
 [computerphile chart again]
 now our authenticator generates a private key unique to each service! 
 in short, rather than some incompetant putting a secret (or overt!) password *maximum* length, for example FIFTEEN, both parties are forced to generate strong shared secrets, which aren't even fully shared!
 ## below
 [costume: ghost]
 [setting: secretive mad science shit?]
 [be crafting a tin foil hat]
 [alt vo] Don't understand why you think passkeys are something bad?
 I'll tell you what i thought at the time: i was convinced that a person would never control their authenticator. That it would always be the property of some anonymous board of cufflink wearing motherfuckers.
 extremely fortunately, it is not! At the moment!
 ok, computerphile acknowledges - 
 [computerphile] "if i've set up a passkey on m'laptop.. how do i use that on m'phone?" "you can't."
 the reason for that: *presently*, most implementations have the authenticator being the browser.
 [put on tin foil hat]
 and if you look at the specification, these soulless husks love to talk about "secure enclaves" and "trusted platform modules".
 hardware that exists to allow the manufacturer to maintain control over a device, in spite of any protests by the person who paid to own it.
 I maintain that the reason capitalists pretending to be technologists insist on framing passwords as a bad thing is that users get to control them.
 Literally, it comes down to shared netflix passwords.
 for fuck's sake look at HDCP, which acts like HDMI splitters are on par with a meth lab.
 as always, there's a relevant XKCD.
 ## forever
 [costume: burger vtuber rig]
 [setting: ash desert]
 [alt vo] will this make me immune to phishing?
 [alt vo] will this make 2-factor obsolete?
 both of you are deriving from the real question. but let's go in order.
 ### passkeys vs phishing
 will passkeys make you immune to phishing. 
 They are certainly advertised that way. Aggressively.
 As far as we know, at present, we haven't seen a high-profile phishing attack that has worked against a proper implementation of passkeys.
 Suppose we were an attacker. how would we do one? i'd have to convince your software that i'm X website, and when you're ready to be convinced to authenticate, i jump in the middle.
 that's essentially how a phishing attack works as usual.. but at least now the software is checking the url for you, so an attacker would have to breach a high-value target *before* compromising you. So instead of low-cost phishing with a very wide net, an attack would be more expensive and would have to be targeted.
 [egghead] Incremental progress, yeahhg!
 ### passkeys vs 2-factor
 will this make 2-factor obsolete.
 technically: "no", because it was always obsolete.
 #### factor 1: smoke. factor 2: mirrors.
 I have said, and will continue to say: 2 factor is bullshit. it's at best an illusion.
 Repeatedly, forever, the response is "nuh-uh", but never with elaboration. which is telling.
 So here we go again, but breifly. 
 first we identify. you say you are John Doe. Authentication is the act of verifying that identity. 
 broadly, the way we do that is by verifying something from one of 3 categories: something you know, something you are, and something you have.
 How can i tell you're really you? I ask you something only you would know.
 That's a password. This has the benefit of being information, and therefore, it can be sent across the internet.
 the only (valid) reason self-styled experts hate passwords is that they are *convinced* you are not competant at the task of managing passwords.
 [clip from Detroit, "what's my dog's name"]
 it's not hard to calculate entropy and force the user to come up with a better one.
 or you could generate one for them, hell most browsers are happy to handle that.
 Something you are would be something like biometric data. if i could read your thumbprint, or test your blood, or something like that, it's probably you. The entire concept of police fingerprinting is about authenticating someone who doesn't want to be authenticated.
 it's not *that* hard for someone to copy or steal biometric data, but it would have to be targeted. 
 Something you have would be great. Suppose I wanted to pretend to be you, I'd have to 
 the issue with 2 of the 3 is that we are far apart.
 [ethernet fiber-optic visualization]
 you can't shove a physical key through an ethernet cord.
 you can't drip a blood sample through an ethernet cord.
 physics is a cruelly indifferent master.
 so any time some technology claims you're doing biometric authentication, for example your phone...
 that authentication happens *here*. Across the internet, that isn't possible.
 there do exist hardware keys that are only $5. wait, $10. wait, $25. They're quite good at what they do, but the larger portion of what they do is control their ecosystem.
 again, the authentication happens *here*, and then their software (emphasis on the possesive "their") sends information across the internet.
 again, multifactor is an illusion.
 #### extended 1-factor
 all of these so-called second factors are truly more information.
 So really it's just a long and complicated way to improve your password.
 for example, let's pull out possibly the most important piece of software you should be running, and make a password for some hypothetical service.
 now hypothetically, to be authenticated, we send the password, + whatever data our thumbprint scanner would send.
 [simulate a json payload]
 depending on how our second factors are being simulated, we just have a longer password.
 [put that pw in the entropy-rater]
 and it is, measurably, improving our password.
 [note] simulated here, but actually measurable
 we could do this with a timed one-time password. I love those things, by the way. much easier to type, a bit of built-in resistance against brute-force attacks. would it be so bad if we *just* used those?
 #### the most insecure enclave
 The thing i hate adjacent to TOTP codes is the way they're framed to users... it's always presented as "get google authenticator", so that google gets to own your authenticator codes. more than that, it's always considered "an authenticator app". Because of course, it must be on your phone.
 welcome to another installment of my billion-part series, Phones Are Bad Actually.
 Your phone is treated as the Something You Have. because of course, a person is not permitted to exist without a phone in 2012. or whatever year it is by now.
 Naturally, when i complain about having to give my cellphone number to the services i'm forced to interact with, there's always some idiot who goes "no, you can just use an authenticator app."
 The technology exists. Theoretically it *ought* to be possible to not even have a cellphone number.
 But for those of us who exist in society, you'll quickly find that it isn't. Do you rent your own basement, rather than living in your mother's? no shot the conglomerated landlord company will let you pay rent in cash. They'll begrudgingly let you use a website on a real computer until they can force you to get an app, and in both cases I'm *sure* they demand a cellphone number for authentication. Ditto if you pay a mortgage.
 If you're one of the lucky few people who rents from a human, you're a vanishingly rare exception.
 do you have a job? I don't imagine your boss gives you an envelope full of cash, or even a physical check. one imagines they have you log in to one of the 2 brands of HR software, neither of which will allow you to not have a cellphone, and set up direct deposit to a bank.
 have you found a bank, somewhere in the country, that allows you to not have a cellphone on file? where. literally where, i am begging to know.
 if you say you don't have to give out your cellphone number to exist in society, you are talking out of your ass. There's no way around it.
 so what, you may say. let your cellphone be the key to your entire self.
 your cellphone ought to be treated as the least secure device you own.
 No joke, no hyperbole. If i force you to run my software on your device, that is called a compromised device. 
 there are cellphones that you just aren't allowed to put a different operating system on.
 how many times have the tech oligopolies said "we don't listen to audio streams", and how many people have said "a stranger mentioned a thing out loud and now i'm seeing ads for it"?
 it's kind of amazing how google and facebook ramped *up* their surveillance capitalism, but everyone just decided to trust big tech *more*.
 sorry, rant over, the relevant point here is: your cellphone is not a 2nd authentication factor. the traditional way that your cellphone pretends to prove to be something you have is that a one-time code is texted to you. So it's assumed that you, and only you, are in control of that cellphone. and that your phone, and only your phone, is in control of that number.
 it just isn't true.
 [https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/]
 #### improper multi-channel
 multi-channel authentication is largely not talked about.
 I've been saying that everything is information, a single factor. But are we not more secure by simply authenticating with a second channel?
 after all, the reason most normal people think 2fa will help is that they believe their password can be intercepted or guessed, but they'll always receive a text message alerting them about a login.
 That alerting factor *does* help. That's a good thing.
 personally the only time i've ever been alerted that apparently my data is being stolen was when it was actually me in a cvs trying to pick up some prescription, and but the text didn't come in until i had already given up and driven home. I got no reception inside that building.
 admittedly, that must be quite rare.
 But we should be precise enough to note that so-called 2-factor does nothing to protect against phishing. Neither does 2-channel.
 because again, if a victim will be phished, and give their password to a malicious site... why do we assume they wouldn't also enter a secret code from a text message? what sudden epiphany are we waiting for?
 ## the source
 [costume: none, just symbols]
 [setting: void]
 [transition: once elevator doors close; "all muzak radio presents: the most irritating possible configuration of sound waves, a joint collaboration by creed and nickleback." and then have an image of nails on a chalkboard, but subtitle: "muted for your nonlistening pleasure".]
 it is time at last. Let us get to the bottom of the true question.
 [alt vo] will this make me more secure?
 if you've descended this far with me, no. It makes our security more difficult, so that capitalists have another way to enclose real peoples' property.
 But, think of those we've left on the surface.
 at last: the world has achieved certs for normies!
 [show a party scene from Severance, and have it muted with a subtitle of "platform shareholders have not approved celebratory music"]