Matt Waters

@mwaters
8 Followers
122 Following
86 Posts
It could be made into a monster, if we all pull together as a team.
@vpz @jaythvv @SwiftOnSecurity Why I use the Advanced Protection for Google with their password store. I think password + SMS is enough for some money transactions (new Zelle recipients on new devices may require more verification). But at least the password is randomly generated.
@dangoodin It's also, I think, a nonrefundable tax credit, which shouldn't be an issue, but in case you have really low tax liability for whatever reason.

@dangoodin https://www.energystar.gov/about/federal_tax_credits/air_source_heat_pumps

The Ducted Heat Pumps link below the Energy Star logo gives eligible models for a zip code.


@dangoodin Get the government's 30% off coupon. DOE has a list of models which qualify for the tax credit.

I haven't heard of ducting being an issue for cooling versus heating. They're both just based on moving air.

@davep @GossiTheDog Apple says they store iCloud escrow secrets in the HSMs. Apple says there is an encrypted channel from device to HSM, with the PIN. Apple says the PIN encrypts the secret within the HSM and the secrets are deleted after the 10th PIN is presented to it.

https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/web


@davep @GossiTheDog To be precise, the Apple recovery first requires accessing the Apple account with its password and an SMS text, then a device PIN.

Google also uses a private key in an HSM with apparently a similar method.

It is not exactly clear how this solves the phishing vector. Apple/Google don't seem to have a waiting period for password+SMS authentication.

The normal login (passkeys) for other sites can't be phished, but say Amazon or Chase will have their own recovery mechanisms.

@davep @GossiTheDog It depends on the recovery model. If there's an out-of-band way, in enterprises, to unenroll a user's old devices and enroll a new one, then passwords aren't necessary.

In Azure AD (err, Entra), it may ultimately peel back to break-glass accounts, which may have a strong password printed out and a security key.

For regular users with Apple or Google, it's less clear. Apple seems to support passkeys in other sites, with recovery of private keys through HSM w/ device PIN.

@Lee_Holmes @[email protected] It could be predictably zoomed in on where Wikipedia shows your user name.

But as stated, it does seem to have significant questions about using it in the wild. Banks or financial websites don't use cookies for login to begin with. Data could be read with a very large iFrame on a phished website, but with this exploit it would soon look bizarre, and it would be much easier to get the credentials directly if you already have the user visiting your site.

@annmlipton Don't Waymo and Cruise use Lidar, not camera sensing?