Sure, but you can get (much) better price-performance-power out of a CPU which isn't approaching a decade old, when mining ASIC- and GPU-resistant cryptocurrencies like Monero. I don't know if it'd be worth the effort to buy E5-2697-v4 CPUs which are running in such a specialized configuration over and above AMD Ryzen or EPYC CPUs in commodity, inexpensive mainboards.
There’s some hope for interoperability between password managers someday. There doesn’t seem to be agreement on how you can securely export, transfer and import today however.
I’m really not sure the “only real solution” is every human needs to selfhost a password manager. That’s ill-advised; an extreme take.
The vast majority of the population will do a worse job on the availability and security of a selfhost solution than 1Password, whose core business and value proposition is password management.
I’m a very happy user of 1Password for Families and consider it likely the best ~$50 a year that I spend on hosted technologies.
The whole original point of what underpins FIDO2 was device locked, unphishable credentials. Wanting to export and move passkeys between devices is kind of counter to that. And I would argue vendors completing the attestation process are much more trustworthy than storing your own keys god knows where.
Oh, ok. If that's the same thing as passkeys, then I finally figured out that I'm not interested. To me it looks like another vector for platform lock-in, or getting mysteriously locked out of my accounts with no recourse. I'll wait for FIDO3.
Yep. I absolutely refuse to support anything that wants to dictate what I do with my identity.
Such things do have purposes, in high-stakes environments. They prevent accidents. The vast majority of uses on the public web are not even remotely in that realm. It'd be better off being a separate spec that only a handful of internal-only systems use, ideally requiring MDM to set up conveniently (to strongly discourage normal and even high-stakes-normal website usage).
My banking website has absolutely no business knowing and being able to approve or deny what brand my authenticator is.
I disagree. While Vaultwarden may be a bit much to ask of the unwashed masses, the storage model of KeePass* is very easy to understand and works with any existing file synchronisation solution, which almost everyone already has at this point. The effort is nearly as low as with a cloud hosted solution, and the value/safety proposition is quite high.
I also think that the "self-hosted" requirement is an over-reach. It would be sufficient to require some standardized commodity that can, in principle, be self-hosted, but is available in an equivalent form from multiple unaffiliated third parties. E.g., a WebDAV folder.
That's a fundamental problem with cryptographic security: you cannot trust people to manage your keys for you (because, due to a lack of regulation preventing it, companies have this bad habit of pulling the rug out from under their customers' feet), but you cannot trust yourself to do it either, because you can, and will, make mistakes.
My rule of thumb is: if for some reason you need to use crypto keys that can't be easily replaced, you need to have a safe at the bank with the keys stored in 2 different media formats, that are recreated every year.
I don't trust many people to do that.
I have everything encrypted and self hosted and I sometimes wonder what I would do if I was suffering from amnesia after an accident for example. And having a note somewhere telling me I have a safe in bank X is the only solution I have found.
> I have everything encrypted and self hosted and I sometimes wonder what I would do if I was suffering from amnesia after an accident for example.
Ah! I have the exact same recurring worry, it's very unpleasant. I'd really prefer to keep home media unencrypted, but the thought of a robber seeing my tax returns or photos of my infant daughter is constantly at the back of my mind.
> the thought of a robber seeing my tax returns or photos of my infant daughter is constantly at the back of my mind.
Even worse is the eventuality of them getting their hands on a picture of your ID card or passport, or whatever they can later use to steal your identity. Identity theft is nightmare stuff.
I know how to do that in theory (I've worked with Shamir secret sharing on elliptic curves before) but you don't have the option to do that in LUKS, so in practice you can't use it.
> [...] you cannot trust people to manage your keys for you (because, due to a lack of regulation preventing it, companies have this bad habit of pulling the rug out from under their customers' feet) [...]
Huh? There are plenty of already existing legal ways to do that. Just leave your key with your lawyer or a notary, and existing regulation about fiduciary duty handles everything just fine. You can also make normal private contracts that stipulate fiduciary duties; courts will enforce those contracts just fine.
As a technical alternative (or augmentation), you can also use a threshold secret sharing mechanism to store your keys amongst your friends and/or with companies.
Now what you can complain about is that there is no convenient way to do all of this. And that's a very legitimate complaint! Convenience is important.
However, the way to get convenience is not via regulation.
> Just leave your key with your lawyer or a notary
> […]
> However, the way to get convenience is not via regulation.
Fun fact: the reason why giving it to your lawyer or a notary works is exactly because of regulation regarding these professions. Without regulations, there would be no such alternative.
I'm not sure what you mean by 'despite all evidence'?
You can also write:
> The blind faith some people have in [regulation and government] despite all evidence always leaves me in awe.
In any case, markets ain't perfect. They are made of people, after all. But they are better than the alternatives. And most importantly: if you don't like what's on offer, you are allowed to get an alternative without going to jail.
> The blind faith some people have in [regulation and government] despite all evidence always leaves me in awe.
The Western world and Asia are pretty good evidence that government works. If you want the libertarian dream of no government, you can go to Somalia, or South Sudan, or Yemen, or whatever failed states you can think of.
> And most importantly: if you don't like what's on offer, you are allowed to get an alternative without going to jail.
Oh sure, you won't go to jail, but the alternative doesn't exist, so you can't get it either. Like the convenient safe storage we both wish existed.
In a totalitarian dictatorship, you can't build such a tool without getting murdered or jailed; in totalitarian Capitalism you can build it, but it will eventually be blocked from reaching any significant room on the market because of big corps, or, if you raise money from VCs in order to get the marketing you need, it will eventually be bought out by one of the big players, who will close or enshittify it.
The good alternative is what's called democracy, where the sovereign people vote for things instead of leaving the power to the party or the market.
I would definitely trust my lawyer with my bitcoin seed.
But the whole thing depends on how much you own in bitcoin.
If it's a whole lot, check how other people in more traditional domains are dealing with their lawyers or notaries handling these sums. (For one, it's a bit easier with bitcoin, because you don't need to tell your lawyer or notary what you are giving them. And you can encrypt the private key data with something derived from an easy-to-remember password. It doesn't need to be 100% cryptographically secure, it just needs to lower the temptation for your lawyer.)
Btw, I think the bigger problem in practice wouldn't be your lawyer stealing from you, but your lawyer somehow losing your data.
Feels. I had half a bitcoin on a disk that I left alone. Forgot about it. Reinstalled the OS. Three times. I was a sysadmin for years, but the cobblers' children go barefoot.
Pricing tends to be a spectrum. If I’m just getting a report which interprets some commonly-used scanners, that’s cheap(er) — this feels like a “Box Check” test if I gave it a term. When someone’s going beyond scanners and digging into source code to find issues — that’s often more valuable. Bringing specialized knowledge about cryptography to evaluate our implementation? Also more valuable!
Beyond pricing, have you thought about your differentiation, or what’s special about you? Are you able to do web applications, but e.g. intending to focus on industrial control systems, financial systems? Are you going to be comfortable auditing C# or Rust and identifying issues? Do you know a lot about Kubernetes?
Next thing I think is important to be able to answer: why award the business to you over Deloitte, or over a smaller shop with a good reputation like Cure53, Trail of Bits, TrustedSec, etc? Perhaps you’re a prolific speaker in the security community at Black Hat, Defcon, CCC, or something?
If you’re going to be a one-man band, does that rule out engagements large enough to require 5 people for a month? (Sometimes engagements are urgent and multiple people sure helps them go faster).
I don't know if you have ever hired or done a penetration test, but when someone uses a common vulnerability scanner to identify issues, that's called a VRA (Virtual Risk Assessment), which is way different from a penetration test. In a penetration test you are not only focusing on tools, but you also perform manual testing. Common tools aren't able to find business logic vulnerabilities, and they are also not able to chain them.
I see you also mentioned digging into code (code review), which is a different service. In cybersecurity there are different branches, and I don't think you want a guy that "knows" how to do everything, cause that person is probably not an expert in any of the mentioned areas. A penetration test is not the same as a code review, and it's not the same as a VRA, and it's not the same as a Red Team. They all cover different things, and are meant to satisfy different needs.
Trust me, in cybersecurity you cannot be an expert in every area. So you better find a specialist for web apps and a specialist for code review if you need both. Same for infra, cloud, etc.
The only one that is simple is the VRA cause it only depends on running a vulnerability scanner and checking if the reported vulnerabilities aren't false positives. (but you need a license for that software and those are pretty expensive)
First of all, one of my advantages over larger firms like or smaller, well-established firms like Cure53 is my flexibility and personalized service. As a smaller entity I can offer quicker turnaround times and more direct communication with clients. So I can ensure that every aspect of the client’s security posture is thoroughly assessed personally by me. Additionally, while I'm currently a one-man band, I have a network of trusted and certified freelance professionals who can be brought in for either larger or urgent projects if needed. This allows me to scale without compromising on the quality and speed of the engagement. Not even mentioning that based on my experience, when you hire a penetration testing service from a big company you don't really know who's performing the pentest and sometimes it's being done by not really qualified people. (I know about some companies that outsource certain projects and they're not doing a good job at all, this means reporting non-sense findings, or not being able to properly address the impact/risk of them).
This being mentioned, I own well-known cybersecurity certifications (for web apps and infra), I'm constantly developing my skills and I have also been awarded by different bug bounty programs. And planning to be a speaker soon!
Regarding the specialty, I'm not planning to focus on industrial control systems, but apart from that specific case, the approach of a pentest is the same for every web application. I mean, the pentest methodology is the same if you are testing a fintech, a bank, an insurance company, an ecommerce, or any other web app. You can show yourself as an expert in ecommerce, but in the background there's no difference at all, since the procedures and methodologies are the same.
As you may have realized, I'm gonna be focusing on web application penetration testing, which is my specialty, at least at the beginning. But I have experience in webapp, infra and mobile.
Was it picked as $50/day because that represents some (not even most) of the cost to the State of Florida for incarcerating you for crimes? Did Florida justify this or decide that taxpayers shouldn’t be so heavily burdened by individuals who decide to commit crimes?
I’m not even sure this is simply a “rent” — unlike renting an apartment or a house (shelter), while the prison is also shelter, it also has to be 24x7 staffed with guards (and likely other personnel like a medical clinic). There’s fixed costs like utilities which probably don’t vary much based on population (lighting and heating), and variable costs like food, water and waste management.
It’s certainly a bit crazy to charge someone for 7 years if they only serve 70 days, but I see some logic to charging per day you’re actually incarcerated. It’s not a “rehabilitation friendly” policy due to the effects on your finance after release, but it may be argued it amplifies the deterrent — “if you don’t want to do the time (and pay); don’t do the crime”.
> per day you’re actually incarcerated. It’s not a “rehabilitation friendly” policy due to the effects on your finance after release, but it may be argued it amplifies the deterrent — “if you don’t want to do the time (and pay); don’t do the crime”.
Arguably, it generates the opposite behavior in some folks: "Well, my circumstances are bad, so I may as well always do bad since there's no upside to participating in society since I'm permanently screwed."