I have officially deleted my Amazon account and cut ties with their ecosystem entirely. For a long time, the convenience of Prime felt like a necessary evil, especially since they have a warehouse in my city and can do same day shipping. But I can no longer reconcile the big tech giant's behavior with the values I promote at Terminal Tilt. As a privacy advocate and FOSS supporter, continuing to feed the machine feels increasingly hypocritical.

Ethically, their treatment of labor is indefensible. Between the terrible warehouse conditions and the dark patterns designed to make canceling subscriptions nearly impossible, it is clear they view both employees and customers as numbers to be exploited, with contempt. Their anti-competitive practices have done irreparable harm to small businesses and independent creators who are forced to play in a rigged sandbox.

As an FSF and EFF member, I believe privacy is a fundamental right. Amazon's business model relies on massive data harvesting and a huge surveillance network that I simply do not want to be a part of. Deleting my account is my way of reclaiming my digital sovereignty and refusing to let my personal data be a product in their inventory.

The change also affects how I handle Terminal Tilt going forward. I am officially ending the use of Amazon affiliate links for the channel. While the links are a standard revenue stream for most creators, I refuse to track my audience into the Amazon ecosystem just for a small commission. I would rather the channel grow slower and more honestly than profit from a company that actively works against user freedom. Convenience is the enemy of sovereignty.

When I review products now, whether it is the security keys from @nitrokey , @yubico , and Token2 or open source hardware, I will provide links to direct manufacturers or ethical, privacy-respecting retailers instead. Convenience should never be the primary metric for our choices.

If you want to support my work on Linux, privacy, and the #NoAI movement, I encourage you to use my LiberaPay or Ko-Fi links. Supporting creators directly ensures that the content remains independent and free from the influence of the Epstein class and corporate overlords. You can find all my direct support links on my self-hosted Linkstack: https://links.terminaltilt.com

It feels good to be out. It is time to prioritize people and principles over same-day shipping.

#DeleteAmazon #AmazonBoycott #Amazon #Privacy #FOSS #Linux #TerminalTilt #EthicalConsumerism #Ethics #InfoSec #Yubikey #Nitrokey #Token2 #2FA #MFA #Surveillance #SurveillanceCapitalism #DigitalSovereignty #SelfHosting

I have officially deleted my Amazon account and cut ties with their ecosystem entirely. For a long time, the convenience of Prime felt like a necessary evil, especially since they have a warehouse in my city and can do same day shipping. But I can no longer reconcile the big tech giant's behavior with the values I promote at Terminal Tilt. As a privacy advocate and FOSS supporter, continuing to feed the machine feels increasingly hypocritical.

Ethically, their treatment of labor is indefensible. Between the terrible warehouse conditions and the dark patterns designed to make canceling subscriptions nearly impossible, it is clear they view both employees and customers as numbers to be exploited, with contempt. Their anti-competitive practices have done irreparable harm to small businesses and independent creators who are forced to play in a rigged sandbox.

As an FSF and EFF member, I believe privacy is a fundamental right. Amazon's business model relies on massive data harvesting and a huge surveillance network that I simply do not want to be a part of. Deleting my account is my way of reclaiming my digital sovereignty and refusing to let my personal data be a product in their inventory.

The change also affects how I handle Terminal Tilt going forward. I am officially ending the use of Amazon affiliate links for the channel. While the links are a standard revenue stream for most creators, I refuse to track my audience into the Amazon ecosystem just for a small commission. I would rather the channel grow slower and more honestly than profit from a company that actively works against user freedom. Convenience is the enemy of sovereignty.

When I review products now, whether it is the security keys from @nitrokey , @yubico , and Token2 or open source hardware, I will provide links to direct manufacturers or ethical, privacy-respecting retailers instead. Convenience should never be the primary metric for our choices.

If you want to support my work on Linux, privacy, and the #NoAI movement, I encourage you to use my LiberaPay or Ko-Fi links. Supporting creators directly ensures that the content remains independent and free from the influence of the Epstein class and corporate overlords. You can find all my direct support links on my self-hosted Linkstack: https://links.terminaltilt.com

It feels good to be out. It is time to prioritize people and principles over same-day shipping.

#DeleteAmazon #AmazonBoycott #Amazon #Privacy #FOSS #Linux #TerminalTilt #EthicalConsumerism #Ethics #InfoSec #Yubikey #Nitrokey #Token2 #2FA #MFA #Surveillance #SurveillanceCapitalism #DigitalSovereignty #SelfHosting

The countdown in the 2FA code apps that shows you how long until the code refreshes, is, low-key, kind of stressful.

Who decided 30 seconds was the standard?

When you open it and the little progress bar around the circle is 3/4 of the way around... do you race it, or wait for the new one?? If only I didn't routinely have to do this 15 times a day... 😆

#security #2fa

🔐 Aegis Authenticator is a free, open-source 2FA app for Android focused on privacy and security.

Stores all tokens in a locally encrypted vault (AES-256-GCM), works fully offline, supports TOTP & HOTP, and lets you create encrypted backups you control.
Available on F-Droid — no cloud, no tracking.

👉 https://github.com/beemdevelopment/Aegis

🔍 Listed on https://digital-escape-tools-phi.vercel.app/

#Privacy #OpenSource #Security #2FA #Android #FOSS #DeGoogle

MTOTP: Wouldn't it be nice if you were the 2FA device?

https://github.com/VBranimir/mTOTP/tree/develop

#HackerNews #MTOTP #2FA #Security #Authentication #Technology

@77nn tutte dipendenze artificiose. I #2fa si possono sostituire con #OTP che girano anche su desktop. Anche dal famigerato #Google Authenticator poi estrarre le chiavi ed usarle su un OTP su #Linux. Io l'ho fatto.
Non tutti le banche obbligano l'uso di smartphone. Monte dei Paschi e Mediolanum, per esempio.
CIE manda tranquillamente SMS per il 2fa ma ad onor del vero non so se l'attivazione si possa fare con un #tontofonino
@Steutt @BucciaBuccia @quinta @informapirata

@77nn tutte dipendenze artificiose. I #2fa si possono sostituire con #OTP che girano anche su desktop. Anche dal famigerato #Google Authenticator poi estrarre le chiavi ed usarle su un OTP su #Linux. Io l'ho fatto.
Non tutti le banche obbligano l'uso di smartphone. Monte dei Paschi e Mediolanum, per esempio.
CIE manda tranquillamente SMS per il 2fa ma ad onor del vero non so se l'attivazione si possa fare con un #tontofonino
@Steutt @BucciaBuccia @quinta @informapirata

#Cursor generate roughly 1k lines of Python.
This included the (pseudo) code for querying #Bookwyrm. I would have preferred to generate this later (as a second step) But maybe it my mistake. I was prompting it wrong. I shouldn't have mentioned anything I didn't directly want.

Without looking at the Bookwyrm client code in detail, I doubt that it will work as my instance ( @realn2s@bookwyrm.social) require #2fa 🤷🏻

Checking the HumbleBundle client code I noticed several things

It contained a ton of normalization code. Of which I'm not sure if it is necessary (it might as well be, but I would leave it out for now. As it much harder to figure out that code isn't required but get executed nevertheless, than noticing that code is missing)

The authentication was done through a session cookie you had to extract form the browser. Cursor proposed to write it to an env file (that doesn't feel terrible secure 😬)

The Humble bundle client could either get the session cookie passed, or it would query the env 😬. I don't consider this good programming practice.

The code looks like it handles HumbleBundle games as well. This was requested and is additional code which shouldn't be there.

Reading through the code it looked about right. But it was too mich code, too much gold plating for me to be confident that the code really would be working.

Cursor provided no way to test the code apart from running it. And I'm not going to run it with my understanding.

On the positive side
I learned about the Click command line option "parsing" library

and about the dataclass decorator in #Python

Next step, let's try if Cursor can iteratively fixe some of my "issues"

2/n

Damn, #Yubikey migration almost complete...

It's like most people dependent on smartphones for #2FA logins everywhere, but much worse. Smartphone usually has one #authenticator app, everything visible in one place, Yubikeys have various modules inside and I use most of it for many different things.
Authenticator part here is the easiest one, at least I have nice list of accounts/services to display with one simple command. But I have to remember U2F enabled services myself... Or check how many files I encrypted with GPG, or where I could use ssh keys...
Oh, and I use also pam-u2f and have FIDO LUKS login configured...

Seriously, user could become even more dependent in more complex ways...

Why the hell these things don't just support firmware updates?!

Uffa #2fa #cambiopassword

Uffa #2fa #cambiopassword

Looks like somebody broke into #atari's #Sendgrid account and used it to send a bunch of phishing emails.
No explanation given for how; perhaps @zackwhittaker can wheedle it out of them.
Since it says here that they've "secured" the account, my guess is a bad password (or infostealer) + no #2FA. The most obvious explanation is usually the correct one.
Though I suppose a cracked Lastpass vault is also a possibility.
#infosec #breach

Hackers can steal 2FA codes and private messages from Android phones. The "Pixnapping" attack is a really clever piece of research. It shows that the theoretical wall between apps on your phone isn't as solid as we'd like to believe. By exploiting a GPU side channel, a malicious app with zero permissions can effectively screenshot other apps, one pixel at a time. It's a reminder that security is a stack, and a vulnerability at the hardware level can undermine everything built on top of it.

TL;DR
👾 A new attack called "Pixnapping" can read visual data from other apps on Android devices.
🔑 It exploits a GPU side-channel leak to steal sensitive info like 2FA codes and messages, pixel by pixel.
⚠️ The scary part: the malicious app required for the attack needs zero special permissions to be granted.
🧠 While complex to pull off, this is a serious proof of concept that challenges the core idea of OS app sandboxing.

https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/
#Android #Cybersecurity #SideChannelAttack #2FA #security #privacy #cloud #infosec

Hackers can steal 2FA codes and private messages from Android phones. The "Pixnapping" attack is a really clever piece of research. It shows that the theoretical wall between apps on your phone isn't as solid as we'd like to believe. By exploiting a GPU side channel, a malicious app with zero permissions can effectively screenshot other apps, one pixel at a time. It's a reminder that security is a stack, and a vulnerability at the hardware level can undermine everything built on top of it.

TL;DR
👾 A new attack called "Pixnapping" can read visual data from other apps on Android devices.
🔑 It exploits a GPU side-channel leak to steal sensitive info like 2FA codes and messages, pixel by pixel.
⚠️ The scary part: the malicious app required for the attack needs zero special permissions to be granted.
🧠 While complex to pull off, this is a serious proof of concept that challenges the core idea of OS app sandboxing.

https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/
#Android #Cybersecurity #SideChannelAttack #2FA #security #privacy #cloud #infosec

Hackers can steal 2FA codes and private messages from Android phones

> Android devices are vulnerable to a new attack that can covertly steal 2FA codes, location timelines, and other private data in less than 30 seconds.

> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.

> The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/ #Android #Cybersecurity #InfoSec #2FA #Privacy #Pixnapping #GooglePixel #Samsung #MobileSecurity #DataBreach #ZeroDay #TechNews #Hacking

Hackers can steal 2FA codes and private messages from Android phones

> Android devices are vulnerable to a new attack that can covertly steal 2FA codes, location timelines, and other private data in less than 30 seconds.

> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.

> The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/ #Android #Cybersecurity #InfoSec #2FA #Privacy #Pixnapping #GooglePixel #Samsung #MobileSecurity #DataBreach #ZeroDay #TechNews #Hacking

Hey @bitwarden you are being misleading and it's making us sad.

Your website currently has a misleading link (and its affecting us being able to recommend ur tools).

Your dedicated Authentor app on the "Bitwarden Authenticator' page, has a Download it today button at the top of the page > That SHOULD take folks to the Authenticator download links (like at the bottom of the page), but instead it takes people to download the FULL Bitwarden Password Manager software.

Currently we're having to recommend folks use an alternative service as this is coming across as sneaky and dirty tactics. Really hoping it was unintentional. Regardless, pls fix so that this link takes ppl to download the tool they are expecting.

We were hoping to recommend ur service at our upcoming Digital Lounges, but we only endorse the most ethical open providers and stuff like this is the stuff the community notices.

#BItwarden #AuthenticatorApp #MFA #2FA #Authentication #Misleading #MisleadingCopy #Marketing #BigTech #FOSS

Warum Zwei-Faktor-Authentifizierung wichtig ist... 😁 #2fa