APU's are great for the mini pc market. I don't need a laptop (currently) but I love using a SFF machine without much fan noise. These parts tend to get packaged into these machine. Lenovo M75q Tiny etc.
Based on these parts speed I may move to a laptop as my "main" machine in the future. Just dock it at home, office and use on road.
Same. I have a 2015-era home NAS that could really use new guts, but I'm waiting for a 12W-or-lower Ryzen CPU and matching Mini ITX motherboard to become available first.
Why do we falsely claim their pods are plastic? Their competitors use plastic and receive no criticism. They do aluminum and a bag drop program and are trashed
If you're looking for someone to say "Fuck Keurig too" I'm happy to oblige. We're saying there's no need to create these pods at all when regular coffee brewing doesn't produce this kind of waste. 95% of pods don't get recycled, that deserves some criticism.
I admit I did not do research before posting, my bad. Was not aware they are made from aluminum.
But it is still nonsense to create packaging for every 5 grams of product made.
At least locally Kcups from Kurig are much more common - 100% plastic. I always thought of the nespresso ones with the recycling bags as more enviro friendly.
But I also thought Apple with its long support lifetimes for products and good resale values was probably better for environment than the android junk with uncertain supply chains, but HN regularly has stories trashing apple has terrible for environment and never says anything about android so who knows.
I did international first in the 747. Def not ‘cattle car’. The front windows are angled so you can see forward more than usual - it’s surprisingly quiet in the top front and the views were beautiful- you felt like you were floating. I slept well too which is rare (wine may have helped) and fun to think of the engineering that went into these big birds. Only negative is that it is all so over the top - wife and I more comfortable in biz or e+
i’m sorry, did you just sincerely talk about your experience in international first-class as a retort to the cattle car conditions that 95%+ of the passengers on the very same flight as you would’ve experienced?
No, I'm pretty sure they mean international first class, especially since they also mention 'it's surprisingly quiet in the top front', which is where first class is.
Right, they meant that the trappings of first class are so over the top that it makes them uncomfortable.
Odd thing is I thought the 747 was usually configured with biz class upstairs (I got a biz upgrade on a SIN->DPS flight many years ago and flew upstairs) and first class in the front of the main level, so maybe they weren't talking about first class. Or perhaps some airlines have/had 747s with first upstairs.
As I mentioned in a different thread, I love it because it's so stable. There's no constant shaking or rocking, and you don't get woken up every 5 minutes by random minor turbulence - it just powers through it like the beast that it is.
I can relate. Flew A380 in biz with family London to Singapore, 4 seats across the middle, 9 mo old on the outside, then wife, then 3 yr, then me. Great flight
A month later we flew onto Sydney, but there were no Business seats left, instead we had to fly in First. My seat was dirty, during turbulence the pursar woke us and told us we had to remove our sleeping child from his nice safe airline approved car seat (which he'd flown in from London to Singapore) and put him our our lap.
Haven't flown BA F since, or flown them with family, and only taken 18 BA flights in 4 years since then. The 4 years before then I'd taken 243.
Amazing how one bad experience and the inability to get a simple apology can shift your buying habits.
This is 100% false. You need to have a 2FA authenticated connection or be on a 2FA authenticated device within validity period to change 2FA settings. You can elect to have 2FA not remember the device you have logged into as well (ie, the remember this device for 30 days option) if you are particularly paranoid.
The headline should say - You can disable Google 2FA on 2FA authenticated connections without re-authenticating.
This is a fantastic balance in terms of security and usability. I switched iphones and google authenticator did not bring my 2FA's over, I got on my machine that had already authenticated and setup a new 2FA. Whew. Other systems were MUCH much harder to restore AND you could still get around 2FA but now with human involvement (social engineering risk). I've worked govt jobs with security so "tight" that everyone got the workarounds worked out - the social engineering would be as easy as I need reset for user X and they stopped even checking who anyone was the volumes were so high.
The loss in security is minimal here, and the loss is controllable, and it reduces pressure on other reset approaches (seriously, if you lock yourself out of google you will REALLY want to get back in).
That's a bit harsh, the actual disabling does not require a 2FA token so that part at least is true. And this is not the behavior I was expecting. On many other services I use disabling the 2FA requires 2FA confirmation and sometimes just visiting the security settings for the account requires the 2FA (if enabled). So maybe it's just "50% false"...
It does require 2FA, which makes the statement in the headline false.
It doesn't require 2FA reauthentication, which means you already passed 2FA.
You could say: "You don't need a password to log in to anyone's gmail account", while meaning that you just need to have access to their unlocked device while they're logged in.
Eh, it still comes down to how you interpret the sentence, which is non-obvious.
In your mind, "2FA" means "2FA authentication session", but in most people's mind, "2FA" means a "2FA code". And it is true that you don't need a new 2FA code. So depending on the interpretation you take, it's either 0% true or 100% true.
There’s a difference between logging into Google via 2FA and having subsequent interactions not require the 2nd factor, and turning off 2FA without a reconfirmation. You don’t want maximum usability in disabling your security mechanisms.
What threat model concerns you here? Anybody who'd be able to disable 2FA already has access to my logged in Google session on a trusted device. The game is over.
Right. Instead of debating the headline, this is the real question. The current behavior is that "someone on a 2FA authenticated session can disable 2FA". OK, so what?
Google is intentionally leaving this route open to lessen the impact of a lost authenticator. Probably this is a very significant cost savings for them -- although I don't know what their account recovery policy is for "lost" 2FA.
I'd say one risk factor here is that if someone is able to piggyback your session (e.g. CSRF) specifically into the 2FA Settings API, they may be able to get your 2FA disabled in a way that meaningfully exposes your account to a wider attack.
Another risk is similar to why you should require a password to be re-entered in order to change a password. The user is already in an authenticated session, and yet, it's still considered best practice to prompt for the existing password at the same time. This can't merely be as a second layer of CSRF protection, right? If your CSRF is broken, fix your CSRF.
I would assume the theory is to prevent an opportunist attacker with a small time window of access to your session (keyboard) from getting longer term access to your account.
Particularly for accounts that have long-lived sessions that don't have to use 2FA very often because of the cached session, you might not notice for quite some time that 2FA is no longer active.
As with most things in security, it's a double-edged sword.
Pragmatically, I believe the threat is that someone has managed to install some malware on your phone/computer/... you are 2FA logged in.
If so, then the bad guys can disable 2FA on your account without you having to prove the 2FA token. [Edit: but nowadays, at least you get emails and device notification that it has happened]
Traditionally, security teams have thrown up their hands and said - with malware installed, all bets are off.
I'm not sure I agree with that assessment these days, with state sponsored 0-days and trojans. I think that OPs sentiment is right, and Google and others should require 2FA reauthentication to remove 2FA, especially for their 'titanium' security tier.
BTW, it's interesting to ask what is the downside of requiring 2FA re-authentication: I believe the reason to not require 2FA is historical: When it was initially rolled out, a bunch of people tried out 2FA because it was the new coolness, got somehow lost and immediately wanted to disable it, but are not able to (lost token, have no idea what the heck they are doing etc) and get stuck. Since 2FA account recovery is very manual and expensive, Google probably doesn't want to take that hit.
This defeats the point of 2FA if you can turn it off without that second factor. In your example, if you don't have that authenticated session then you're still screwed... so you must design for the worst case scenario. The risk of 2FA is losing a device, which is why a proper design has other safety backups, such as backup codes, or leveraging a combination of other accounts that can vouch for you and humans in the loop.
that's not true. You need to think of a threat model. 2FA still successfully prevents attackers that do not yet have a session to connect to your account.
So it is still a clear net benefit.
What it does not prevent, is attackers downgrading your account from a session that already exist. At this point it is easy to argue that if an attacker has this kind of access then the only thing you can do is add 2FA to all critical actions, not just removing 2FA (that would be the least of your issue), but every critical action you can do in the app.
For example if the app is a bank, and wants to protect against these kind of attacks, then they have to prompt 2FA every time you want to want to send money (at least).
Actually the newest version does allow export. For years it was true you couldn't export. But now they allow you to export. Thankfully.
Though I tend to use U2F. With Yubikeys and other U2F keys. I use my Yubikey to store a backup of the TOTP (Authenticator type) codes. I also set a password and touch required to generate the codes.
I'm sorry but that's really being pedantic. Re-authentication is an authentication, again. You can change (remove!) a security factor with no confirmation of that particular factor for that particular action.
> You could say: "You don't need a password to log in to anyone's gmail account"
You could say it and it would be true, just not very interesting as this is exactly what everybody expects. But if you'd say you are allowed to change the password without entering the old one it would sound pretty much like what's happening here, no?
Google is not consistent with how they treat the 2 factors (password vs. second factor). At the very least they should make it clear when enabling it under what circumstances it can be disabled. No guarantee people will read but at least the more security concerned would. You can defend their decision if you want but contradicting the situation is really not "factual", it's just playing with words.
If you have a valid 2FA authenticator, you should be able to edit your 2FA Device List for any of your authenticators. But to do that, I would still expect the site to re-authenticate the user with one of their 2FA options in order to make the change.
It's not that I can't get back into the account - it's just that I can't delete an old 2FA token that I lost. Because it asks for a code from the token that I'm trying to delete...
I see, that's a bug then. For all intents and purposes, backup codes should be equivalent to a 2FA token. So you should be able to use it when removing the old 2FA.
Well... the security benefit is precisely that nobody can access your account without 2FA. Maybe you wanted to ask "what's the point in having security if usability can become so fragile?".
The point is to give users the secure option and let them decide what to go with, or at least make it clear for the users what the expected behavior is. So far it's obviously not clear. People assume you need that since you need the password to change the password, you need 2FA to change 2FA. I mean that's why you enabled it, to protect all aspects of your account.
On the other hand you should have plenty of options to protect your 2FA: save the seed (QR code), have multiple tokens, save your recovery keys, etc. Not the least of which should also be for the operator to give you a secure reset option.
It's the opposite. I actually lost a 2FA token, got back into the account, added a new one - but I can't delete the old 2FA. You shouldn't ask for 2FA authentication of the same device that I'm deleting....
It'd be nice if they accepted the 2FA code from my other devices, but then it's questionable security; I just managed to log in with 2FA, are you asking me again to confirm my identity in order to delete old device? Ok I guess... but I can already add a new device, you know. And then use it to delete all the others.... are you really giving extra security?
there is no point of having a circle of trust in that case. i do the 2FA for my son but then son loses authentication - that should mean i can get access
if you want zero grade authentication use one of the 8 one time use codes you get in authenticator instead.
While it can help you get out of a bind if you misplaced your 2FA token/app, changing any security parameters (especially when reducing security)should require entering all authentication methods enabled for the account. Imagine how changing a password requires the old password, not just the new one.
At the very least they could make it configurable, let the user decide if they want to be able to turn off 2FA without being asked for a confirmation token.
> I switched iphones and google authenticator did not bring my 2FA's over
I recommend using an encrypted local backup created with a Mac (or iMazing), as _everything_ comes over except Secure Element-based info (Apple Pay cards, Touch/Face ID enrollment).
> I switched iphones and google authenticator did not bring my 2FA's over,
I have lost 2 FA's on other services via that means as well. I think it is easy if you have cloud backup on your phone that you think that you can just wipe your old phone and sync your new phone and you will be all set. Google Authenticator doesn't work like that.
Google Authenticator made it slightly easier with the "Transfer Account" functionality, but still requires access to your old device, so it doesn't help if your already wiped it. I personally would prefer backups would transfer all configuration, but understand this would be an additional risk.
Of course you can just use Authy, although it does introduces the risk of an attacker compromising your phone number.
> You need to have a 2FA authenticated connection or be on a 2FA authenticated device within validity period to change 2FA settings. You can elect to have 2FA not remember the device you have logged into as well (ie, the remember this device for 30 days option) if you are particularly paranoid.
To change security-related settings, it's default practice to double-check even the user's password without 2fa.
> This is a fantastic balance in terms of security and usability.
Sorry, that's plain apologetic bullshit. How often do you enable and disable 2fa? This has nothing to do with usability.
Your comment illustrates a DEEP misunderstanding of dealing with users at scale.
You have millions and millions of users.
You are proposing that the threat / benefit model is such that if they lose their 2FA device (very easy via upgrades to phones, lost phones broken phones) EVEN though they have their password and and have access to a trusted device within the validity window for device trust they will be locked out, potentially forever from their account?
Do you
a) realize how common this situation is?
b) realize how angry users will be to lose access to all their google services with basically no support route to recover that?
c) what pressure there will be to allow for other recovery methods THAT ARE EVEN WEAKER?
I've gone through 2FA reset procedures over the phone with a few companies, and in EACH case it struck me how easy it would be to socially engineer or use very minimal info to get a new 2FA when they allow these methods (ie, last 4 digits of CC was one reset piece of info). So you need to allow workable 2FA update methods so that your fallback can be pretty tight if allowed at all.
Finally, consumer accounts have basically NO recovery option if you are locked out. I had a relative get locked out, nothing to be done (they had a landline that couldn't accept text messages and the system won't do voice calls). There is NO human backup - all emails, google photos, google drive etc GONE.
You started by claiming it's "100% false" and ended up saying changing your mind and agreeing it's true but for a good cause.
I agree it's not BS but apologetic it definitely is. You are justifying a decrease in security for the benefit of usability. This in itself would be a worthwhile goal if it wasn't for the facts that it goes against reasonably expected behavior and as a user I am not made clearly aware of this or given the option to control it.
Everyone is used to being asked for password reconfirmation before changing the password so it figures that they have the same expectation for the 2FA. I know I did.
> There is NO human backup - all emails, google photos, google drive etc GONE.
That's also Google's decision. You can't use one bad decision to justify another. It's likely this 2FA decision wasn't taken to help you get easier access to your account but to allow them to have 0 support knowing 2FA issues are easy to happen especially to people who won't properly save recovery keys (most people).
This is the "It's because of our amazing success that we totally fail at things" argument. If you can't do things right "at scale," that's fine, but everyone should know you suck at servicing that level of load, for example the fact that you don't require 2FA to change my 2FA settings, and there's no support path or even a support department for when my phone falls into a port-a-potty.
You can't change 2FA with just your password - you are being confused by the headline.
You need a second factor. That is either your 2FA device, a backup 2fa, backup codes, an authenticated and still valid login session etc.
If you are security paranoid you can lockout insecure 2fa methods, never validate your device and sign up for their Advanced Protection Program.
Note however, google is VERY clear -> if you lock yourself out it is game over. They do not allow humans to override the lockouts -> period. This is obviously good for security. All the folks here complaining about this supposed 2FA issue while asking for human support to allow login override / resets really have no clue about the GIANT security hole that opens.
Witness all the sim card hijacking done through phone co's (that do allow human involvement).
Google is CRYSTAL clear.
Q: Create a replacement Google Account
A: If you still can't get into your account, create a new one.
Q: Why can't I get into my old account?
A: We couldn't be sure that you're the owner. To keep accounts safe, we can't give access to them if we can't confirm who the owner is.
They've closed the big hole (human override / corruption / bribes / social engineering). And have made it so that you have only a bit of extra risk to stay in your account. Don't like that? Don't authenticate your devices as trusted.
> but everyone should know you suck at servicing that level of load
I think that mission is pretty well accomplished, right? I mean it is basically a meme at this point that Google has declined to spend the money that would be required to offer high quality interactive support for unpaid consumer accounts. Apparently people value their services more than they are concerned about the risk of needing support.
So, within that framework, the important question for both the consumer and for the service provider is what the best security trade-off is to accomplish their various goals. I think there's a pretty compelling argument made in this thread that the current stance is more optimal that requiring reauthentication for the vast majority of stakeholders.
Have to agree, though maybe not with the tone. Speaking in absolutes, the whole point of security is to make things unusable. Then for the resource owner we open up a small hole that only they can pass through, by some proof, of varying strenuousness. Wouldn't it be so much more usable if they didn't have to do that? Yes but other people would then find it "usable" as well.
She asks why her husband gets more of a response (a sign of the racism she is facing).
- Her linkedin doesn't show what her major was as an undergrad.
- After 4 years of working she was a powerlifting coach.
- Then boom, in 2017/2018 she is an owner of two gyms and in 2019 she is trying to get benchmark to invest in her app.
Her Husband:
Google Engineer
Masters in CS from Berkeley / Undergrad in CS
Started companies and managed employees.
15 years experience - 40 apps developed. Top 10 apps
Multiple successful exists (to zynga then another one to google).
Talking about being successful as a gym owner etc she says folks can assume its because black folks were helped out.
"They assume it’s because they’re somehow lucky or exceptional or that they gained success because of help from white people. This—of course—isn’t true, but it’s an idea that continues to spread, sending the message that Black professionals require help from white people to build their careers."
"We need to put an end to the lie that Black people are still in need of white folks’ help,” she continues. “What we need is the freedom to live, work, and act without white people and white institutions disproportionately targeting us and stopping us from building the success we are already capable of building on our own."
I raised a $2M seed for Smartcar. I had no college degree as I had dropped out. I had no prior work experience. I had no team. The product was still an early prototype.
MANY of the founders I know who've also raised similar sized rounds from top VCs have stories quite like mine.
Her point is that her husband got more responses. My guess - her husband would get more responses than you as well.
As someone who also took time off (and built apps) from college, the fact that I'd built some apps (that got write-ups) was a big positive for my early career, even if just prototypes. But I was at a top education org before taking time off so I'd already proven I could get into a reasonable place.
No need to disclose, but your and my story tends to work if you (and or others on team) got into a place like an Ivy or a UC or top liberal arts, majoring in CS or engineering, then dropped out (aka were into the entrepreneurial space)
I think it works a lot less well with an undisclosed and possibly non-tech background.
If you had a path like hers then I am very impressed, your deck or prototype must have been compelling. But very often there are some other proof points (top school acceptance / cs majors etc). That is almost silicon valley cliche at this point.
An awesome scenario would be if someone focused on black led businesses in terms of VC and made a killing.
THIS, thank you for acknowledging that! It often feels like there are two lanes, there is all this talk of the steps to get on the fast lane, and then you realize there are some people who just got put in the fast lane, and you are still supposed to be 'working' towards getting in the fast lane.
It is frustrating that happens all over the place. Even YC - if I had a penny for every male founder that got into YC without an idea or just a new idea and then if that penny was taken away for every female founder who had a product that was doing well, well, I would be in real debt!
1. You think people are actually looking at her LinkedIn before the racial email filtering kicks in? You could easily test that, I suspect the implicit bias kick in right at the name and email stage. About 20 years ago, before LinkedIn, my dad sent resumes with his Brazilian name and an anglicized version. It was like 10:1 greater response to the Anglo version, and he changed our family name shortly after.
2. If the dynamic she describes existed her whole life wouldn’t it make sense that she has had a harder time building the LinkedIn profile and credentials her husband did? Not to take away from his accomplishment, he clearly worked hard and is talented, but one can’t take advantage of opportunities if they are not available by systematic design whether implicit or intentional.
Ah, so they meant they're only going to invest in and help black founders who've already had some other VC take a chance on and are safe investments.
Got it. Someone else needs to actually "venture" and take a risk. You'll just sit back and tweet about how you'd love to help, but your LPs say it's too risky.
Many vc's do like past success (even white on white candidates, if you have had multiple successful exists you are much more likely to be funded).
VCs arguably are taking less risk. Now sometimes it stuff like capital domination (I think super stupid)
They like seeing what you've done yourself. You've built x / y / z - delivered this and that - great. This can be big if you don't have an exit yet.
Or proof in pudding - good traction already, good pitch deck etc.
etc.
It's not clear what she's done herself. Even her gym ownership success is complicated by potential involvement of her husband even though she goes to some lengths to say it's racist to assume the ownership was result of some help.
And her philosophy is that she doesn't want help from white folks, just for them to get out of the way. Then she's applying to benchmark vs Harlem capital? Its confusing.
Based on these parts speed I may move to a laptop as my "main" machine in the future. Just dock it at home, office and use on road.