biometrics

Here’s a Naomi Brockwell video about it. I also used to avoid it, but that video changed my mind. I can easily turn off the biometrics if I’m going somewhere where LE might force me to unlock it (e.g. travel), but I can just mis-scan it a few times and it’ll force me to enter the PIN anyway.

Tasker

Yeah, that can work, but GrapheneOS at least has an automatic reboot option after so much time has passed w/o being used. I set mine to 4 hours so it’ll reboot at night, but I make it a lot less when I’m traveling. Everything is encrypted on a fresh boot and calls still work (emergency outgoing, and any incoming), so it’s a really nice bit of extra security for lazy people like me.

Yeah, I only use credit cards or cash these days, and leave my debit cards frozen/locked. The only time I would need my debit card is to use an ATM, and it’s easy enough to login on my phone and unlock it. I’ve had several fraudulent charges on various cards, and so far it has been resolved with a short phone call and a reissue, and my replacements seem to come faster than new credit cards. The rewards are nice, but the purchase protections are the real reason I use them.

biometrics

Biometrics are really nice, and on newer phones, way more secure than a PIN. They’re also local-only, so they’re quite privacy-friendly.

But absolutely have a backup. I use a long PIN as my backup, and my bank lets me use a long PIN on my debit card as well, so I keep them the same (easier to remember that way). I use my fingerprint for pretty much everything, but I also have my phone reboot itself after a period of inactivity, which forces a PIN login (again, helps me remember it). Oh, and it’s a random PIN, so not something anyone could guess (I’m a developer, so I used a small Python script: import random; ''.join(str(random.randint(9)) for _ in range(N)) where N is your desired length). I ran three of those and picked one.

And yeah, Bitwarden is fantastic. I apparently have >300 logins, and there’s no way I’d be able to remember that many unique passwords.

I mean, I do. I’ve had three tickets over my entire driving career, each in a different state, and nothing in the last 10 years. I’ve also never been in an accident.

But I’ve been pulled over something like 10 times total for various reasons (registration expired, headlight out, speeding), and because I’m a responsible driver (no infractions or warnings in the prior year or two), I generally get warnings. If warnings were national, one or two of those might have turned into a ticket, and those would probably be fightable in court (but I’m not going to travel hundreds of miles to fight a $100 fine).

Eh, there are good parts to it as well. The only Federal ID I have is my passport, so there’s no reason for them to track me across state lines. If I get pulled over in Oregon, they don’t necessarily know my driving history in California or Nevada, so I’m more likely to get a warning than a ticket. If I had a Federal ID, they’d probably communicate across state lines more.

It’s mostly bad, but with a silver lining.

Yet pretty much everyone uses it for identification:

• apply for a credit card - SSN
• apply for a bank account - SSN
• apply for a job - SSN
• get a mortgage - SSN

Basically, any time an org needs to prove you are who you say you are, they’ll ask for state-issued ID and your SSN. Every time. Sometimes they’ll even want a copy of your SSN card, which is extremely stupid.

The SSN should only be used for SS benefits. If we want a federal ID, we should make a federal ID system based on challenge/response.

I’m pretty sure mine has been stolen a dozen times at this point. You should never assume your SSN is private information, but you should treat it as such to limit how many people have it.

The main issues here are:

• applications for credit - freeze your credit at the major credit bureaus - Experian, Equifax, Transunion (bonus points for ARS and SageStream); make sure to unfreeze if you apply for a credit card or bank account though
• impersonating - like applying for jobs and whatnot; this shouldn’t directly impact you, and it’s on the employer to make sure they know who they’re employing
• password resets - the best you can do is use MFA, though many services will allow resets with just personal information; I hope this changes, and some orgs are doing things to prevent abuse (e.g. Fidelity has voice recognition to cut down on support scams)

Honestly, we really need to stop using the SSN as identification.

Yes, it’s Google:

Registrant Organization: Google LLC

You can get more details if you run whois on your machine (this is about half of the output):

refer:        whois.nic.google

domain:       APP

organisation: Charleston Road Registry Inc.
address:      1600 Amphitheatre Parkway
address:      Mountain View CA 94043
address:      United States of America (the)

contact:      administrative
name:         TLD Admin
organisation: Google Inc.
address:      111 8th Avenue
address:      New York NY 10011
address:      United States of America (the)
phone:        +1 404 978 8419
fax-no:       +1 650 492 5631
e-mail:       [email protected]

contact:      technical
name:         TLD Engineering
organisation: Google Inc
address:      76 Ninth Avenue, 4th Floor
address:      New York NY 10011
address:      United States of America (the)
phone:        +1 404 978 8419
fax-no:       +1 650 492 5631
e-mail:       [email protected]

nserver:      NS-TLD1.CHARLESTONROADREGISTRY.COM 2001:4860:4802:32:0:0:0:69 216.239.32.105
nserver:      NS-TLD2.CHARLESTONROADREGISTRY.COM 2001:4860:4802:34:0:0:0:69 216.239.34.105
nserver:      NS-TLD3.CHARLESTONROADREGISTRY.COM 2001:4860:4802:36:0:0:0:69 216.239.36.105
nserver:      NS-TLD4.CHARLESTONROADREGISTRY.COM 2001:4860:4802:38:0:0:0:69 216.239.38.105
nserver:      NS-TLD5.CHARLESTONROADREGISTRY.COM 2001:4860:4805:0:0:0:0:69 216.239.60.105
ds-rdata:     23684 8 2 3a5cc8a31e02c94aba6461912fabb7e9f5e34957bb6114a55a864d96aec31836

whois:        whois.nic.google

status:       ACTIVE
remarks:      Registration information: https://www.registry.google

created:      2015-06-25
changed:      2020-04-20
source:       IANA

It’s even worse when they block access to an account if you don’t accept the revised ToS. I was a Vultr customer for years, and then earlier this year they put a ToS block in my face when I logged on with a binding arbitration agreement, and there was no way to disagree or “remind me later.” My servers were still running, so they obviously didn’t need my consent to continue using the service, but they prevented me from managing my account without accepting the Tos.

So, out of spite, I used “Inspect Element” to remove the popup to get to the support page to close my account. I’m now with Hetzner, which also has the stupid binding arbitration agreement, but so far they haven’t presented me with a page-blocking popup.

I use Bitwarden, and it only checks when I ask it to, after unlocking my vault.

Some I didn’t see mentioned:

• Death Squared
• Rocket League
• various Switch games - Super Mario 3D World, Kirby (2P), etc

Where do you buy groceries with Monero?

Yup, Darkside Detective is fantastic for a non-spooky, but spooky-themed point and click adventure. If you like point and clicks, it’s a bit older, but I really like Grim Fandango, which is a bit more classic point and click with a Halloween theme.

The first thing that comes to my mind is Summer in Mara. It’s a chill, relatively shallow farming sim with fetch quests and exploration.

Some more based on other games you liked:

• Arida - short-ish adventure game with a bigger emotional impact
• Nuts - probably most similar to Firewatch; core gameplay loop is taking pictures of squirrels, but there’s some plot development
• A Juggler’s Tale - side scroller adventure with some feels
• Deponia - funny point and click adventure series; if you like the genre, try The Darkside Detective (less “summer adventure” more “weird mysteries”)
• Manifold Garden - more chill than The Talos Principle or The Witness, with less feels than the first; decent, trippy puzzle game

I’d take it the opposite way, does Google have evidence that it wasn’t used outside the hangouts domain?

My understanding is that it affects it all the same.

Nope, that’s the only one, I checked. ;)

Same. I actually did pick up 5 games in this Steam Summer sale, but most are pretty short experiences that I’ll blow through on my Steam deck, and the other is Cities: Skylines 2, because people are claiming they’ve fixed the issues. But on net, I’ve played more this year so far than I’ve bought, so I think I’m not wasting my money on my new purchases.

I’ve just seen far too many people express a sense of guilt about their unplayed games and an obligation to play them all. There’s also the “completionist” group who need to get every achievement in every game they have. Both are unhealthy IMO.

But yeah, I don’t see any negatives to the term “backlog,” provided you don’t intend to actually play all of them.

I personally do it because I get “analysis paralysis” where I just freeze up and don’t play anything if the list is too long. So I keep my “play next” list pretty short (like 10-20 games), which also forces me to be a bit more critical about my intentions to play a game.

That’s the great thing about being a patient gamer: games are usually cheaper, so I don’t feel obligated to get every ounce of value from it.

I use guides a lot if the game stops being fun. If it’s still not fun with the guide, I drop it. Most of the games I play cost $5-10, with a handful being $20-30 and a very small number being more than that (just bought Cities: Skylines 2 for <$40, which is the most I’ve spent in years on a game). So if a game ends up sucking or not being long enough, I don’t feel like I’ve been cheated, I mentally appreciate the time I spent with it and move on.

What helped me was creating labels for my game library:

• done - maybe completed, maybe not, but I have no interest in revisiting
• replay - was fun and I could probably enjoy it again, but I’m done with it for now
• play next - games I’m excited to play soon
• maybe later - kind of interesting, but not right now
• probably never - I didn’t give it a solid shake, but I also don’t think it’s worth spending time on; maybe I’ll sift through if I’m bored

If I have a long break, I’ll install a handful from “maybe later” and see if I find a gem. If I’m strapped from time, I’ll pull from “play next,” which is where I’m much more likely to find something fun. If I’m feeling nostalgic, “replay” is right over there.

if you’re struggling with your backlog

IMO, stop calling it a backlog. Organize stuff by how interested you are, and play stuff when you feel excited to play. I have hundreds of games collected over years of buying way too many bundles, and there’s absolutely no way I’m playing through them all. So I organize them by interest and play when I have a spare minute.

malware could just capture that

From the article:

This means that while a keylogger might require admin access to install, any app or script with sufficient permissions could access these plaintext keys.

Malware to capture input would require privilege escalation as well, whereas this just requires being able to run code/copy files.

there is not a simple solution

But there are:

• use the system keyring
• store unencrypted key in memory in a background process (I.e. DIY keyring)

Essentially, force malware to either copy keystrokes or memory, both of which require admin privileges on most systems.