1000 results for “erikjan”
-
I was about to propose our upcoming workshop on #clustercomputing for social scientists with #rstats but I just heard that it's fully booked!
https://www.surf.nl/en/agenda/cluster-computing-for-social-scientists-with-r
-
We just had all the Applied Data Science master thesis students of the #HumanDataScience group at #UniUtrecht present their work in an informal session. They are doing wonderful stuff on Network Data analysis, LLM bias assessment, missing data methods, synthetic data generation, and more 💪
-
I'm really proud to announce that we released version 1.0 of our #python package {metasyn} today!
https://github.com/sodascience/metasyn
Metasyn can generate #syntheticdata in a transparent and privacy-friendly way. Sensitive data owners can use it to make their data more #accessible and research thereon more #reproducible
We put a lot of effort into the readme and documentation to make it (hopefully) super easy to get started!
Supported by #odissei_nl and #UniUtrecht
-
After some nice #OpenSource collaboration, version 0.3.0 of the #rstats penalised #SyntheticControl package "pensynth" is now available on CRAN!
https://cran.r-project.org/package=pensynth
Do you want to use the synthetic control method for #CausalInference with observational data? Try it out!
(⚡ It's faster than vanilla synthetic controls even without penalty)
-
New R package! For a project, I had to implement penalized synthetic control estimation, and I thought it would be nice to implement it "properly" so others could use it too.
https://github.com/vankesteren/pensynth
It also has a basic form of cross-validation to automatically determine the penalty parameter.
Feel free to try out / comment / collaborate!
#rstats #statistics #economics #SyntheticControl #PolicyEvaluation #CausalInference
-
Was going through old repositories; found this nice document on estimating the treatment effect of a medicine for a single patient with seizures #rstats
It goes from simple to complex:
- #Visualization & summary statistics
- Poisson regression (glm) with a treatment dummy
- Penalized Poisson regression to deal with 0s
- Correcting for autocorrelation
- #Bayesian Poisson model with #stan #rstanarm
- Correcting for autocorrelation and #BayesFactors #bridgesampling
-
I really want to believe you because this was my intuition as well. I double checked it with a structural equation model:
- one model where residual covariance is constrained to be 0
- one model where residual covariance is estimated freely
Fit with #lavaan, check the regression parameter estimates...
they are the same.
see here: https://gist.github.com/vankesteren/310ba8ff91149c5d91fdffb1cb42f5d3
Do you mean something else than this?
-
Today we're (https://odissei-soda.nl) teaching a workshop on causal inference for policy evaluation for social scientists in the Netherlands! #ODISSEI
There are some really nice discussions ☺️
Full workshop materials with lectures and R practicals here (CC-BY):
-
Hi everyone 👋
I'm an Assistant Professor at Utrecht University's dept. of Methodology & Statistics, working in data science for the social sciences.
I do not post a lot, but when I do it's likely about #statistics #datascience #probabilisticprogramming #syntheticdata #openscience #rstats or #teaching
I'm also the (proud) team lead of the ODISSEI Social Data Science team: https://odissei-soda.nl. So I'll probably post about all the cool things our team does too!
-
@roelgrif : and this cabinet does not care about our privacy either.
"Smart solutions" - smart for whom?
https://todon.nl/@ErikvanStraten/116482603102360900
#CE #ISO27001 #NEN7510 #BullShitCerts #Topicus #PGO #MedischeGegevens #EHDS #AVG #Mitz #MijnMitz #BigTechIsEvil #CloudflareIsEvil
-
THE WEB IS A MINEFIELD
While:
https:⧸⧸mijn.benu-apotheek2026.com/index.php
https:⧸⧸www.benu-apotheek2026.com
are still live - without a phishing warning (see https://todon.nl/@ErikvanStraten/116535469861220802 from 14 days ago) - last night I received an SMS pointing to yet another fake site:
https:⧸⧸benu-online.net
If you click "Nu bijwerken" ("Update now") on the page shown, a form opens that asks for a great deal of personal data, namely name, gender, date of birth, IBAN, e-mail address, telephone number and home address.
If you fill in that data, you will probably soon be called by a bank-helpdesk fraudster, or by "the police" who report that burglars are active in your neighbourhood - and that an officer will therefore come by to collect your valuables (including your bank card and PIN).
On the same server (i.e. the IP address, according to the RELATIONS tab of https://www.virustotal.com/gui/ip-address/31.57.216.15) the following fake site was also active (no longer, at the moment):
https:⧸⧸mijnbenu.net
NB: I always replace https:// with https:⧸⧸ to prevent unintentional opening.
-
@ErikJonker High time to recognise the state of #Palestina.
"As of September 2025, the State of Palestine is recognized as a sovereign state by 157 of the 193 member states of the United Nations (UN), or just over 81% of all UN members."
https://en.wikipedia.org/wiki/International_recognition_of_Palestine
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains that may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains to which third parties have access (such as track.example.com), for example used in mass mailings. You don't want a third party gone rogue to be able to handle WebAuthn registrations and logins on the subdomain you gave them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
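The distinction drawn in the post above, as an added example that is not part of the original post, of passkeys-php, or of Google's code: a relying-party-side check of the `origin` field in WebAuthn clientDataJSON, with the permissive "RP ID or any true subdomain" rule beside an explicit allowlist of origins. The RP ID example.com, the allowlist, the challenge value and the four sample origins are hypothetical and constructed for the demonstration; the suffix rule accepts a third-party subdomain such as track.example.com while the allowlist refuses it, which is the point made above.

```python
# Added example, not from the page, from passkeys-php or from any vendor.
# RP_ID, ALLOWED_ORIGINS and every sample origin below are hypothetical.
import json
from urllib.parse import urlsplit

RP_ID = "example.com"  # hypothetical relying-party ID

# Hypothetical closed list of the only origins allowed to register or assert
# passkeys. Anything not listed (e.g. a tracking subdomain run by a third
# party, or a forgotten subdomain open to takeover) is refused.
ALLOWED_ORIGINS = frozenset({
    "https://example.com",
    "https://accounts.example.com",
})


def _https_host_and_port(origin: str):
    """Return (host, port) for an https origin, or None if it is not https."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower(), parts.port


def origin_matches_rp_id_suffix(origin: str, rp_id: str = RP_ID) -> bool:
    """Permissive rule: accept rp_id itself or any true subdomain of it.

    The leading dot stops "notexample.com" from matching "example.com", but
    every subdomain, whoever runs it, is still accepted."""
    hp = _https_host_and_port(origin)
    if hp is None:
        return False
    host, _ = hp
    return host == rp_id or host.endswith("." + rp_id)


def origin_is_allowlisted(origin: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Strict rule: exact match against a closed list of origins.

    The origin is normalised to scheme://host[:port] so a trailing slash or an
    explicit :443 does not cause a spurious mismatch."""
    hp = _https_host_and_port(origin)
    if hp is None:
        return False
    host, port = hp
    normalised = f"https://{host}" + (f":{port}" if port not in (None, 443) else "")
    return normalised in allowed


def check_client_data(client_data_json: bytes, expected_type: str,
                      expected_challenge: str, strict: bool = True) -> bool:
    """Validate type, challenge and origin of a clientDataJSON blob.

    strict=True applies the allowlist; strict=False applies the suffix rule.
    Verifying the signature over authenticatorData || SHA-256(clientDataJSON)
    is a separate step and is not shown here."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    if data.get("type") != expected_type:
        return False
    if data.get("challenge") != expected_challenge:
        return False
    origin = data.get("origin", "")
    if not isinstance(origin, str):
        return False
    return origin_is_allowlisted(origin) if strict else origin_matches_rp_id_suffix(origin)


def demo() -> dict:
    """Run both rules over constructed (not captured) clientDataJSON samples."""
    challenge = "dGVzdC1jaGFsbGVuZ2U"  # constructed base64url challenge
    samples = {
        "legitimate": "https://accounts.example.com",
        "third_party_subdomain": "https://track.example.com",
        "lookalike": "https://notexample.com",
        "attacker_domain": "https://example.com.evil.net",
    }
    results = {}
    for name, origin in samples.items():
        blob = json.dumps({"type": "webauthn.get", "challenge": challenge,
                           "origin": origin}).encode()
        results[name] = {
            "suffix_rule": check_client_data(blob, "webauthn.get", challenge, strict=False),
            "allowlist": check_client_data(blob, "webauthn.get", challenge, strict=True),
        }
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} suffix_rule={verdict['suffix_rule']!s:5s} allowlist={verdict['allowlist']}")
```

Running the block prints one line per sample; only the third-party subdomain separates the two rules, which is exactly the case a suffix check cannot distinguish from a legitimate login host. The browser's own RP ID check (the origin must be a registrable-domain suffix of the RP ID) happens on the client and does not replace this server-side decision.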
-
@oatmeal : one day later I found https://www.jewishnews.co.uk/keir-starmer-interview-i-will-work-to-eradicate-antisemitism-from-day-one/ (see https://todon.nl/@ErikvanStraten/116566778160014096 <- corrected 15:18 +0200) which is even more convincing.
Politicians with Zionist relatives or friends in Israel, or those being sponsored or bribed by Zionist organisations, are a huge problem in the western world.
For example, in NL the defence minister, Dilan Yesilgöz (she fled Turkey with her parents when she was young, and now she also hates asylum seekers) is married to a Jew. He has two daughters from an earlier marriage; I would not be surprised if one or both of them live in Israel. She is an extreme Zionist.
Also Kamala Harris is married to a Jew, Doug Emhoff, who fights "AntiSemitism" (i.e. AntiZionism): https://forward.com/news/antisemitism-decoded/636663/kamala-harris-emhoff-biden-israel/.
#ZionismIsFascism #AntiZionismIsNotAntiSemitism #StopIHRA #DefinitionOfAntiSemitism #DefinitionOfAntiSemitismHijackedByZionists #FrancescaAlbaneseIsRight #DaniDayanToICC
-
@pietkuip : from https://www.cjo.nl/over-het-centraal-joods-overleg/:
❝
In the Centraal Joods Overleg (CJO) the principal Jewish organisations work together.
❞
Not all of them. They certainly do not represent ALL Jews in the Netherlands.
❝
The CJO concerns itself with matters in the Netherlands. Issues concerning Israel fall within the domain of organisations such as CIDI and FNZ.
❞
So the chairman (ultra-Zionist Chanan Hertzberger) "forgets" what is on their own website.
In https://todon.nl/@ErikvanStraten/116529097760981622 I refer to an article (from 2019) that explains the split in the Jewish community in NL on the basis of two simultaneous Kristallnacht commemorations. From that article:
❝
In the CJO, besides the three Jewish religious denominations - the Nederlands-Israëlitisch Kerkgenootschap (NIK), the Nederlands Verbond voor Progressief Jodendom (NVPI) and the Portugees-Israëlitisch Kerkgenootschap (PIK) - the Federatie Nederlandse Zionisten (FNZ) and the Centrum Informatie en Documentatie Israël (CIDI) also participate.
❞
A gross lie in https://nl.wikipedia.org/wiki/Centraal_Joods_Overleg:
❝
To that end it sets itself the goal of playing a connecting role between the various groups within the Jewish community.
❞
What is meant is "the Zionist community".
#ZionismeIsFascisme #NietAlleJodenZijnZionisten #IsraelTerroristState #ZionistenZijnFascisten #FrancescaAlbaneseIsRight
-
@ScottHelme : I am not advocating passwords per se, and neither am I stating that private keys are sent to relying party servers.
One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech bros.
Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.
Repeating (from https://todon.nl/@ErikvanStraten/116552022706029032) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:
1. Software checks the domain name, which makes phishing hard;
2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);
3. A unique, long, unguessable, randomly generated "password" (public key) per account: dumb password rules and broken human RNGs no longer apply.
OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.
-
@ScottHelme "This is mostly a list of things passkeys were never claimed to solve":
1. You skipped the "private key never leaves the device" lie. Note that this vuln: https://seclists.org/fulldisclosure/2024/Feb/15 is unfixed (see https://todon.nl/@ErikvanStraten/116552104781266939).
The alternative, having access to YOUR OWN private keys does not make #BigTech lock-in vendors (i.e. Google, Apple) happy: https://github.com/keepassxreboot/keepassxc/issues/10407.
Btw, also unfixed: iOS/iPadOS passkeys may be used without local auth under certain conditions: https://todon.nl/@ErikvanStraten/115658045799601168 (@timcappalli ).
2. Nobody cares what is considered out of scope for ANY auth. solution, in particular if they're not told about it. People want to know their risks w.r.t. account takeover and account lockout. We need a safer internet.
3. "Passkeys are not magic": I don't see "what risks remain" in https://scotthelme.co.uk/passkeys-101-an-introduction-to-passkeys-and-how-they-work/ - which is why I objected.
4. Passkeys "are a major improvement over passwords": that depends. If people use a password manager to create unique long random passwords (which they should), and use AutoFill, then the advantages and risks (attestation?) of using passkeys vs passwords are not clear and neither easily comparable.
#Passkeys #AndroidPasskeysGone #ApplePasskeyRisks #Passkey #PasswordManager #AutoFill #Autonomy #BigTechIsEvil #MYprivateKeys #DumbPasswordRules