@pythonbytes @brianokken @mkennedy In regards to the rant about 2FA, check out LTT's recent video about the rash of YT account takeovers using stolen session cookies. These attacks bypass 2FA, because they impersonate your "trusted" browser.

I would also recommend Shannon Morse's hardware 2FA playlist for a deeper dive. She debunks a lot of the myths you've cited in the past.
youtube.com/watch?v=xalg8a3eIy

@sitwon @pythonbytes @brianokken Thanks for the info. I'm a big fan of Shannon Morse. I've seen that video I think. As for those takeovers, yes, that is a problem. But it's not the same problem as protecting you against stolen or guessed / brute-forced credentials. If someone has full control of my computer, I'm not sure whether it's cookie takeover or just recording my keystrokes and/or automating my computer to do the deed. So while bad, I don't know that they are the same problem.

@mkennedy

These are two separate complaints I have about your 2FA rants. (#327, #293)

1) You have been dismissive and perpetuated fear and misconceptions about how hardware 2FA works and how safe/easy/effective it is.

2) In #327 specifically you were additionally complaining about short expiration times on session cookies.

2FA and session expiration work together to mitigate the risk of stolen credentials.

It's challenging to have a nuanced convo in this format.

@sitwon Hi, thanks for the feedback. Let's take these as two separate threads...

@sitwon

>> 1) 2FA hardware

If you watch the live stream of the actual release of Python 3.11 ( youtube.com/watch?v=PGZPSWZSkJ ) you'll see Pablo's Yubikey actually fail on stream. If he did not have a backup with him at that moment (maybe he had put it in a safety deposit in his bank?) it would have literally failed the release of 3.11 and stymied the work of 100s or 1,000s of people across the year.

Imagine he was traveling and did the release on the road and (smartly) left his backup at home?


@mkennedy That's 1) incorrect, and 2) super disingenuous.

1) The Yubikey failure there wasn't a FIDO U2F failure. He was using it as a smartcard for his GPG key and that's what failed. Even if it was the hardware that failed (always possible), you literally cannot enroll a hardware 2FA token without also creating backup codes or having some other alternate.

2) It wouldn't have failed the release, just delayed the signing. They could have released anyway without signing with that specific key.
