script stuff regenerated by a tool
All checks were successful
beefhavers/multifactor2/pipeline/head This commit looks good

This commit is contained in:
adam 2025-12-28 12:28:18 -05:00
parent 5b01eae5ce
commit f6ef76859b
17 changed files with 176 additions and 0 deletions

BIN  Sounds/VO/altVO.wav      Normal file  (binary file not shown)
BIN  Sounds/VO/primaryVO.wav  Normal file  (binary file not shown)
BIN  notes/note1.png          Normal file  (binary file not shown; 56 KiB)
BIN  notes/tc1.png            Normal file  (binary file not shown; 178 KiB)
BIN  notes/tc10.png           Normal file  (binary file not shown; 191 KiB)
BIN  notes/tc11.png           Normal file  (binary file not shown; 181 KiB)
BIN  notes/tc12.png           Normal file  (binary file not shown; 169 KiB)
BIN  notes/tc2.png            Normal file  (binary file not shown; 160 KiB)
BIN  notes/tc3.png            Normal file  (binary file not shown; 168 KiB)
BIN  notes/tc4.png            Normal file  (binary file not shown; 165 KiB)
BIN  notes/tc5.png            Normal file  (binary file not shown; 164 KiB)
BIN  notes/tc6.png            Normal file  (binary file not shown; 185 KiB)
BIN  notes/tc7.png            Normal file  (binary file not shown; 189 KiB)
BIN  notes/tc8.png            Normal file  (binary file not shown; 194 KiB)
BIN  notes/tc9.png            Normal file  (binary file not shown; 179 KiB)

11   src/script-altVO.txt      Normal file

@ -0,0 +1,11 @@
You've got mail!
"you WILL give us a spam vector and set up a passkey, AND YOU WILL THANK ME. no complaints, dissent will not be tolerated. it's for security. this is for your own good."
"if i've set up a passkey on m'laptop.. how do i use that on m'phone?" "you can't."
What's so great about passkeys?
i mean exactly this, very literally: i don't know.
Don't understand why you think passkeys are something bad?
"if i've set up a passkey on m'laptop.. how do i use that on m'phone?" "you can't."
will this make me immune to phishing?
will this make 2-factor obsolete?
Incremental progress, yeahhg!
will this make me more secure?
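Review bot: the laptop/phone exchange, "if i've set up a passkey on m'laptop.. how do i use that on m'phone?" "you can't.", appears twice in this file, which looks like a leftover from the regeneration rather than a deliberate repeat; drop one copy unless the alternate take is meant to read it twice. "Incremental progress, yeahhg!" also looks like a typo for "yeah" and should be caught before the voice recording.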

165  src/script-primaryVO.txt  Normal file

@ -0,0 +1,165 @@
the war on passwords looks like it's coming to an end, and evil is prevailing.
so Passkeys and multifactor. Let's do this iceberg style. only, instead of deep underwater, it's deep into nerdery.
surface level, what is a passkey?
A way to force you to use software to create a very strong authentication method, unique to each party. It's really good at not letting you accidentally authenticate for someone bad. the problem is that it's difficult for *you* to own the keys to your property.
computerphile, in a rare break from their tendency to fellate some generative AI crap, explained it quite succinctly. chick out this chart.
so there's 3 things involved:
* the reliant party; that's the thing that wants to authenticate you.
* the client, that's you.
* the authenticator, that's what you have instead of a password manager.
now, instead of a shared secret, or smoke and mirrors about pretending we're involving one of the other 2 factors.. it's *not* a shared secret. it's public key cryptography, how cool is that!
ok. so.
let's say I want to send you my card, but i don't want anyone along the way to know. So i put it in a box, locked with a code that only the 2 of us know. that way any mail carriers or amazon drivers shouldn't be able to see the card, but you and I can. (in theory. pray we don't encounter the god of lockpicking.)
let's unpack that metaphor.
on the internet, there is only data.
I want to send you some data, for example my credit card details. And I very much don't want anyone else to see.
fortunately, there's a whole branch of mathematics that lets us turn that data into other data, and back.
"shared key" cryptography is a simple way to do that - we share a key with only each other.
so, one way that we *could* authenticate is to just send each other an encrypted message given our shared key.
that's just a piece of information that only the 2 of us should have - authentication via something i know.
that's all great and wonderful, as long as both you and i can keep a secret. But what's that saying though, three may keep a netflix password, if two of them have hulu? something like that.
And it's not just users.
boy i wished this aged better...
anyway, public key cryptography is way cooler. Instead of a key we both have, what if I have a key that can unlock, but not lock... then from that, i generate an anti-key that can only lock.
I'll give you this lock-only key, the public key. now you can send me a message that no one else, not even you, can decrypt. That lets me give the public key out to anyone. honestly, business cards should have public keys on them.
isn't this way cooler?
now our authenticator generates a private key unique to each service!
in short, rather than some incompetant putting a secret (or overt!) password *maximum* length, for example FIFTEEN, both parties are forced to generate strong shared secrets, which aren't even fully shared!
I'll tell you what i thought at the time: i was convinced that a person would never control their authenticator. That it would always be the property of some anonymous board of cufflink wearing motherfuckers.
extremely fortunately, it is not! At the moment!
ok, computerphile acknowledges -
the reason for that: *presently*, most implementations have the authenticator being the browser.
and if you look at the specification, these soulless husks love to talk about "secure enclaves" and "trusted platform modules".
hardware that exists to allow the manufacturer to maintain control over a device, in spite of any protests by the person who paid to own it.
I maintain that the reason capitalists pretending to be technologists insist on framing passwords as a bad thing is that users get to control them.
Literally, it comes down to shared netflix passwords.
for fuck's sake look at HDCP, which acts like HDMI splitters are on par with a meth lab.
as always, there's a relevant XKCD.
both of you are deriving from the real question. but let's go in order.
will passkeys make you immune to phishing.
They are certainly advertised that way. Aggressively.
As far as we know, at present, we haven't seen a high-profile phishing attack that has worked against a proper implementation of passkeys.
Suppose we were an attacker. how would we do one? i'd have to convince your software that i'm X website, and when you're ready to be convinced to authenticate, i jump in the middle.
that's essentially how a phishing attack works as usual.. but at least now the software is checking the url for you, so an attacker would have to breach a high-value target *before* compromising you. So instead of low-cost phishing with a very wide net, an attack would be more expensive and would have to be targeted.
will this make 2-factor obsolete.
technically: "no", because it was always obsolete.
I have said, and will continue to say: 2 factor is bullshit. it's at best an illusion.
Repeatedly, forever, the response is "nuh-uh", but never with elaboration. which is telling.
So here we go again, but breifly.
first we identify. you say you are John Doe. Authentication is the act of verifying that identity.
broadly, the way we do that is by verifying something from one of 3 categories: something you know, something you are, and something you have.
How can i tell you're really you? I ask you something only you would know.
That's a password. This has the benefit of being information, and therefore, it can be sent across the internet.
the only (valid) reason self-styled experts hate passwords is that they are *convinced* you are not competant at the task of managing passwords.
it's not hard to calculate entropy and force the user to come up with a better one.
or you could generate one for them, hell most browsers are happy to handle that.
Something you are would be something like biometric data. if i could read your thumbprint, or test your blood, or something like that, it's probably you. The entire concept of police fingerprinting is about authenticating someone who doesn't want to be authenticated.
it's not *that* hard for someone to copy or steal biometric data, but it would have to be targeted.
Something you have would be great. Suppose I wanted to pretend to be you, I'd have to
the issue with 2 of the 3 is that we are far apart.
you can't shove a physical key through an ethernet cord.
you can't drip a blood sample through an ethernet cord.
physics is a cruelly indifferent master.
so any time some technology claims you're doing biometric authentication, for example your phone...
that authentication happens *here*. Across the internet, that isn't possible.
there do exist hardware keys that are only $5. wait, $10. wait, $25. They're quite good at what they do, but the larger portion of what they do is control their ecosystem.
again, the authentication happens *here*, and then their software (emphasis on the possesive "their") sends information across the internet.
again, multifactor is an illusion.
all of these so-called second factors are truly more information.
So really it's just a long and complicated way to improve your password.
for example, let's pull out possibly the most important piece of software you should be running, and make a password for some hypothetical service.
now hypothetically, to be authenticated, we send the password, + whatever data our thumbprint scanner would send.
depending on how our second factors are being simulated, we just have a longer password.
and it is, measurably, improving our password.
we could do this with a timed one-time password. I love those things, by the way. much easier to type, a bit of built-in resistance against brute-force attacks. would it be so bad if we *just* used those?
The thing i hate adjacent to TOTP codes is the way they're framed to users... it's always presented as "get google authenticator", so that google gets to own your authenticator codes. more than that, it's always considered "an authenticator app". Because of course, it must be on your phone.
welcome to another installment of my billion-part series, Phones Are Bad Actually.
Your phone is treated as the Something You Have. because of course, a person is not permitted to exist without a phone in 2012. or whatever year it is by now.
Naturally, when i complain about having to give my cellphone number to the services i'm forced to interact with, there's always some idiot who goes "no, you can just use an authenticator app."
The technology exists. Theoretically it *ought* to be possible to not even have a cellphone number.
But for those of us who exist in society, you'll quickly find that it isn't. Do you rent your own basement, rather than living in your mother's? no shot the conglomerated landlord company will let you pay rent in cash. They'll begrudgingly let you use a website on a real computer until they can force you to get an app, and in both cases I'm *sure* they demand a cellphone number for authentication. Ditto if you pay a mortgage.
If you're one of the lucky few people who rents from a human, you're a vanishingly rare exception.
do you have a job? I don't imagine your boss gives you an envelope full of cash, or even a physical check. one imagines they have you log in to one of the 2 brands of HR software, neither of which will allow you to not have a cellphone, and set up direct deposit to a bank.
have you found a bank, somewhere in the country, that allows you to not have a cellphone on file? where. literally where, i am begging to know.
if you say you don't have to give out your cellphone number to exist in society, you are talking out of your ass. There's no way around it.
so what, you may say. let your cellphone be the key to your entire self.
your cellphone ought to be treated as the least secure device you own.
No joke, no hyperbole. If i force you to run my software on your device, that is called a compromised device.
there are cellphones that you just aren't allowed to put a different operating system on.
how many times have the tech oligopolies said "we don't listen to audio streams", and how many people have said "a stranger mentioned a thing out loud and now i'm seeing ads for it"?
it's kind of amazing how google and facebook ramped *up* their surveillance capitalism, but everyone just decided to trust big tech *more*.
sorry, rant over, the relevant point here is: your cellphone is not a 2nd authentication factor. the traditional way that your cellphone pretends to prove to be something you have is that a one-time code is texted to you. So it's assumed that you, and only you, are in control of that cellphone. and that your phone, and only your phone, is in control of that number.
it just isn't true.
multi-channel authentication is largely not talked about.
I've been saying that everything is information, a single factor. But are we not more secure by simply authenticating with a second channel?
after all, the reason most normal people think 2fa will help is that they believe their password can be intercepted or guessed, but they'll always receive a text message alerting them about a login.
That alerting factor *does* help. That's a good thing.
personally the only time i've ever been alerted that apparently my data is being stolen was when it was actually me in a cvs trying to pick up some prescription, and but the text didn't come in until i had already given up and driven home. I got no reception inside that building.
admittedly, that must be quite rare.
But we should be precise enough to note that so-called 2-factor does nothing to protect against phishing. Neither does 2-channel.
because again, if a victim will be phished, and give their password to a malicious site... why do we assume they wouldn't also enter a secret code from a text message? what sudden epiphany are we waiting for?
it is time at last. Let us get to the bottom of the true question.
if you've descended this far with me, no. It makes our security more difficult, so that capitalists have another way to enclose real peoples' property.
But, think of those we've left on the surface.
at last: the world has achieved certs for normies!
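Review bot: the script contradicts itself on its central technical point: early on it says "it's *not* a shared secret. it's public key cryptography, how cool is that!", but the summary line later reads "both parties are forced to generate strong shared secrets, which aren't even fully shared!"; reword the later line to match the earlier one, i.e. the authenticator generates a key pair, keeps the private half and never sends it, and the service only ever holds the public half. In the same passage "the reliant party" should be "the relying party", which is the standard WebAuthn term and avoids confusing listeners who go on to read the spec the script refers to. Also "Suppose I wanted to pretend to be you, I'd have to" is cut off mid-sentence, and "chick out", "incompetant", "competant", "breifly", "possesive", "deriving from" (diverging from?) and "and but the text didn't come in" need a spelling pass before this goes to recording.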