Aaron Parecki

Yikes, found a reference to it in this article, definitely malware https://www.zdnet.com/google-amp/article/promethium-apt-attacks-surge-government-sponsorship-suspected/

That's exactly what I want, but across the whole internet, oh and maybe drop the password too 😅

My problem with this whole thread is that yes, of course we need something better than passwords, but also, yes, there is a lot of improvement being made right now. It's not like someone can make something that "solves passwords" and suddenly everyone will be using it.

There's a scifi book from 10 years ago about literally this, it's a trip 😂 https://amzn.to/37oaMKb

Depends on what's powering the other end of the fiber line. I guess mine is on a different grid, but I'm also in a weird spot between two different power companies.

👏 that is some A plus countertrolling 👏

I would if it were me! Just stay on high alert mode of course... don't download anything, don't connect any OAuth apps to anything, and click links only using an isolated computer. I'm always curious about these things!

yeah I suspect you're right. I'm curious what the next play is. Maybe they send you a download link to the special "Spotify VIP" app?

Clearly I need to beef it up a bit, but right now I have a UPS on the network gear and also at my desk. It can keep things powered for about 30-40 minutes, and my internet is fiber so it stays online too

No not really, that's why the redirect URL is so important to get right. It's not a great situation, but it would require cooperation from the OS in order to have a more secure flow. That said, it's also a relatively unlikely attack vector so people mostly don't worry about it.

Yes, you're right, but that doesn't mean PKCE is not secure. This is just an inherent limitation of public clients that can't use a client secret. PKCE does solve several attacks, but it doesn't provide authentication of the app itself.

That's one opinion yes. There are good arguments on both sides.

Yep although the WordPress plugin requires some active effort by the user. At least it’s just installing a plugin and not dealing with markup though.

Nah, don’t forget that every micro.blog account is an IndieAuth account too. Users don’t need to have any knowledge of anything under the hood for that to work. We need more service providers to implement it more than anything.

I would actually be very curious to learn more about this, cause we've got some fun stuff coming down the pipe too

sometimes you have to sell faster horses until people realize what they actually want is a car 😄

Not to kick the can down the road, but we wouldn't even provide the option of a security question if people didn't ask for it 😦

I've been getting 1-2 calls a day for the last few weeks from this, always a company assuming I have some role based on my title that I definitely don't have. I really hope this makes it stop.

Ugh I know. The good news is the admin can disable security questions on the entire org if they want.

There's an option under "customize channel" to add a "featured section" that shows the next upcoming livestream. It takes a bit to find and youtube keeps rearranging stuff. Hope that helps!