
As someone who has dropped almost all social media (mostly so I can get more done, but also for privacy), I can point out some non-obvious consequences. This blog post mentions that stopping the use of Facebook will prevent you from seeing your nephew's baby pictures... This is true.

My extended family and remote friends actually got upset when I dropped Facebook. They asked why I didn't want to be part of their lives, asked why I was choosing not to talk to them anymore... All while texting me on phones that allow instantaneous communication of any type of electronic media imaginable, more so than Facebook allows.

Moral of the story: Facebook and other social media make most people socially lazy with continuous use. If you don't believe me, go try to meet someone under the age of 30 "out in the wild", at a bar or venue. Bars used to be the easiest places to meet anyone: just walk in, sit at the front, and start chatting. I'm not talking about people who are on their phones ignoring the outside world; even people just chilling and having a beer don't know how to talk to someone outside of their social media platforms.


I think he's saying that in the pursuit of security, Google has engineered the usefulness and usability out of this application.

There are good, sane, safe ways to hold login credentials. Instead of those ways, Google has picked one that is incredibly inconvenient, and by opening a server on your machine, also opens a new attack surface... I hope they deviated from their awful coding practices and made the server right...


What's insane or unsafe about this method? Using this method for signing in to a local application with OAuth is done all over the place with very little issue.

Sure, the interface could be tweaked a little by maybe offering to select which browser to log in with, or offering the user a "copy sign-in link to clipboard" button or something for the few people using multiple browsers/containers to keep their accounts separated.

As for the localhost server listening for the code from OAuth, it only needs to run for the duration of processing the first login (if you are going to use a keep-signed-in feature), reducing the window in which anyone could attack the server. It doesn't need to punch a hole in your NAT; it just needs to bind to localhost instead of your network card, so only processes running locally could access the server during the process.

Using a state field could remove any CSRF attack surface.

All the server should be receiving in this case is a single-use code, which can be exchanged for an access token to use the account, depending on the scope you have defined during the login process. The data in transit is still encrypted all the way back to your browser. It's only after you have successfully logged in that the auth site sends you a redirect header, so your browser does the final step of passing the code to the application.

If you captured the code in the redirect, you would have to use the code before the application could, and if you managed that, the application could not use the code, resulting in the user being asked to log in again. If the user is then able to successfully log in to the application, your access token will probably be revoked once it's regenerated when the application exchanges the code it got from the successful login for an account bearer token.

Considering all this, I would say it would be easier to just intercept the access token over the network, from the application memory, or from wherever the application stores it for its next use (its keep-me-signed-in functionality), which could be exploited from any other locally running application on your system.

I don't see how this is any less secure than sending the user's password over the wire from your application and having to deal with any 2FA the user has.
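The loopback flow the comment above describes (listener bound to 127.0.0.1 only, a random `state` value to reject forged or replayed redirects, and a server that stops after the single callback) is shown below as an added example. It is not code from the original thread or from the application being discussed; the `/callback` path, the `https://auth.example/authorize` endpoint, the client id and the `simulate_browser_redirect` helper that stands in for the real browser are all assumptions made for the demo.

```python
import hmac
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class LoopbackReceiver:
    """Collect exactly one OAuth authorization-code redirect on the loopback interface.

    Binds 127.0.0.1 on an ephemeral port (never 0.0.0.0, so only local processes can
    reach it), ties the callback to this run with a random ``state``, and stops
    serving after the first callback so the listener lives only as long as the login.
    """

    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # unguessable, compared in constant time
        self.code = None
        self.error = None
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *_):
                pass  # keep the demo quiet

            def do_GET(self):
                parsed = urllib.parse.urlparse(self.path)
                if parsed.path != "/callback":  # assumed callback path
                    self.send_error(404)
                    return
                q = urllib.parse.parse_qs(parsed.query)
                state = q.get("state", [""])[0]
                code = q.get("code", [""])[0]
                if not hmac.compare_digest(state, receiver.state):
                    # A redirect we did not initiate: abort rather than accept a
                    # code an attacker wants us to exchange (login CSRF).
                    receiver.error = "state mismatch (possible CSRF or stale redirect)"
                    self._reply(400, "Login rejected: state mismatch.")
                elif not code:
                    receiver.error = q.get("error", ["no code in redirect"])[0]
                    self._reply(400, "Login failed: " + receiver.error)
                else:
                    receiver.code = code  # single-use code, exchanged later with the client secret/PKCE verifier
                    self._reply(200, "Login complete. You can close this tab.")
                receiver._done.set()  # first callback, good or bad, ends the listener

            def _reply(self, status, text):
                body = text.encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain; charset=utf-8")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        self._server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback only, OS-chosen port
        self._server.timeout = 0.2
        self.redirect_uri = "http://127.0.0.1:%d/callback" % self._server.server_address[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        # handle_request() returns after one request or after ``timeout``,
        # so the loop exits promptly once the single callback has been seen.
        while not self._done.is_set():
            self._server.handle_request()
        self._server.server_close()

    def authorization_url(self, auth_endpoint, client_id, scope):
        """URL the app opens in the system browser; carries our redirect_uri and state."""
        params = {"response_type": "code", "client_id": client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": self.state}
        return auth_endpoint + "?" + urllib.parse.urlencode(params)

    def wait_for_code(self, timeout=120):
        if not self._done.wait(timeout):
            raise TimeoutError("no redirect received")
        self._thread.join()
        if self.error:
            raise RuntimeError(self.error)
        return self.code


def simulate_browser_redirect(redirect_uri, code, state):
    """Stand-in for the browser following the provider's 302 back to the app (constructed, not a real IdP)."""
    url = redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def demo_good_login():
    """Honest redirect: state echoed back unchanged, code delivered to the app."""
    r = LoopbackReceiver()
    url = r.authorization_url("https://auth.example/authorize", "demo-client", "email")
    state = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]
    status = simulate_browser_redirect(r.redirect_uri, "AUTHCODE-xyz", state)
    return status, r.wait_for_code(timeout=5)


def demo_forged_redirect():
    """A local attacker hitting the listener with their own code and a guessed state."""
    r = LoopbackReceiver()
    status = simulate_browser_redirect(r.redirect_uri, "ATTACKER-CODE", "guessed-state")
    try:
        return status, r.wait_for_code(timeout=5)
    except RuntimeError as e:
        return status, str(e)


if __name__ == "__main__":
    print(demo_good_login())       # (200, 'AUTHCODE-xyz')
    print(demo_forged_redirect())  # (400, 'state mismatch (possible CSRF or stale redirect)')
```

The listener never sees the user's password and never holds the access token; the code it receives is useless without the token-exchange step (which a real client would protect with a client secret or a PKCE verifier, not shown here). Binding to `127.0.0.1` rather than `0.0.0.0` is the check to look for in any real implementation, along with the `state` comparison.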


No, it takes a ridiculously long time on my school's network, which is blazing fast. It's limited by my laptop's CPU and RAM, which are maxed the whole time it's loading.


Yea


Is it just me, or do all of these state-operated bulk data spying programs come off as incredibly rapey?

NSA: hey, can I read your email?

Me: nah, I really don't know you that well...I like my privacy, and frankly don't really trust you with my data... You tend to accidentally leak it to hackers, because you're irresponsible.

NSA: I'm gonna read your email. Read every single message. Every byte. Every bit.

Me: okay that's creepy as fuck, please go away.

NSA: ahhh yeah, I'm taking your email to party town! I'm looking at all your contacts now.

Me: Jesus, just get the fuck away... Aren't you funded by my tax dollars? Why am I paying you sick fucks???

NSA: 'cause we are the NSA, and you don't have a goddamn choice. We are gonna take whatever we want from you, and you are gonna smile and bend over, 'cause there are no other options!

Me: yeah, okay, well maybe this is why the 2nd Amendment is a THING.


U ok boo?


Ah yeah, mostly, just frustrated that they keep creepin' on all of us. No means no, ya know?


I disagree. Musk as CEO drove Tesla, against every estimate I've seen or heard of, to be profitable. Prior to Musk, the cars didn't exist... So they were unavailable to buy. And I don't see how changing him out will fix quality issues, other than having a future CEO halt innovation in favor of bug hunting... Which would be the start of a quick end for Tesla. They are built on innovation.


Musk is a great startup CEO. But what Tesla needs now is an enterprise CEO.

And you can be an enterprise CEO and still innovate as a company, e.g. Apple, Microsoft, Mercedes-Benz.


> Musk is a great startup CEO. But what Tesla needs now is an enterprise CEO.

I guess that’s the new meme about Musk now, but I see no reason to believe it. Plenty of startup CEOs have done well after their companies became enterprises. Larry Ellison and Bill Gates and Jeff Bezos are obvious examples. So is Steve Jobs, who came back to Apple after a decade of absence and rebuilt the company.


Some have, but what are the numbers on that? Do more handle the switch OK (not even great, but in the "the company isn't going to tank" sense), or do more have problems and need to be replaced, if only for a while?


Someone like Rick Wagoner? (CEO of GM 2000-2009)

I get what you're saying, but choosing from "business as usual" automotive industry leaders has a spotty track record.

Particularly where innovation is concerned.


Many traditional automaker executives are playing catch-up with Tesla with regard to electrification of transport. They're moving second, copying Elon Musk. There is some truth to the idea that Tesla can benefit from the experience of legacy automakers. It is why they have hired people who have such experience. Replacing the founder that the other executives are still in the process of copying, though? Kind of crazy.

Especially since Tesla is not just a car company. They are making headway into utility scale energy markets, planning to get into roofing, and have a relationship which will likely help them in the disrupting-the-use-of-roads-as-primary-means-of-transport-by-the-elimination-of-traffic industry that Elon Musk is trying to get set up. It's very safe to say that the status-quo certified executives could still need to continue playing a game of following-the-leader.

While Elon Musk is saying that the only thing that matters is pace of innovation, legacy automaker executives are advocated for on the basis of their relationship with the status quo. Tesla doesn't exist in a world with a status quo. In a world with a status quo, regulators force the automakers to acknowledge the impact of their work on climate change, and they grudgingly change course. This has been happening over time. We've seen them faking emission test results. We've seen them producing compliance vehicles so that they have access to markets that are trying to convince them to actually do the right thing.

So yeah, I'm in total agreement with you.


Like in the US government...


Donald Trump would bring the same results even if he had a prime minister.


"As broadband became more common, web sites got needlessly heavier."

100% this. About 8 years ago, I had LIGHTNING fast loading times on every page I visited. 800-1000 ms was average, on a connection that was slower than mine is today... Now 4-8 seconds is average, and the new Gmail takes 10-12 seconds to load.

I'm nostalgic for the days when the web was faster and more functional than it is today.


Thanks for adding substance and insight to the argument!


Zing!

