I made a huge mistake in my article on how to post to Mastodon through IFTTT.

I gave the wrong directions on what to put in the Application Website field in Mastodon. It just needs to be https://ifttt.com. It isn’t used for identifying the source to your Mastodon server as I thought it was, but appears as a link when the post is viewed by itself on the web. If you followed my mistake, I highly recommend (1) removing the URL from your Mastodon config and just putting in ifttt.com and (2) going into your Webhooks settings at IFTTT and generating a new key. I feel horrible that I messed this up, and I am so sorry to everyone I steered wrong.

Phishers: Hi, we’re your bank, please click on this attachment for important information.

Security experts: Never click on an unexpected attachment in an email even if you think you know who it’s from. It’s likely to be malware or a scam to steal your login credentials.

Actual banks: Hi, we’re your bank, please click on this attachment for important information. 🤦‍♂️

Seriously, I HATE these systems. The way they keep phishing and malware techniques believable — and have for years! — is worse than any supposed security advantage in not just using email. Half the time the info isn’t any more sensitive than a receipt would be. Or heck, even just “There’s a new message in your account, please log in to see it and use your own bookmarks to get there.” That’s actually more secure!

:sigh:

It’s really too bad all the schemes to add end-to-end security to email over the years have been either too cumbersome to take off for general usage or vendor-specific.

Purism’s explanations for removing various safety features from Librem One’s social network sound like someone explaining why they removed the mirrors, brakes, horns, seat belts, airbags and signals from the cars they’re reselling, because they know those cars are only ever going to be driven on a track where they’ll never have to change lanes or negotiate with other drivers.

Even though there’s a bunch of driveways on that track, connecting to the public road system.

If a collision does happen, we can call in the tow trucks and ambulances. But giving drivers tools to avoid collisions or reduce injuries? That would be interfering with their freedom!

The last time I set up a new computer, I was surprised to find that installing a password manager has become a critical part of getting the system ready to use.

It used to be that you could pick a few unique passwords for critical services like your primary email and banking sites, and reuse some passwords for less important sites, and maybe remember them all. But when so much of what we do happens online in so many places with so many different levels of security (and visibility), the attack surface is huge. Add in how many criminals and others are trying to break into those sites, and it’s no longer safe to reuse passwords.

Why?

If one site gets hacked, and you use the same password at another site, someone will try it just to see if it works.

The only way to protect against that is to use a different password on every site. And unless your online activity is very narrow, chances are you can only memorize a few of them. You can stretch it out with mnemonics like XKCD’s passphrase scheme, but eventually you’re going to have to record them somewhere. Putting them in a text file or spreadsheet is bad, because anything that gets onto your system can read them, but password managers are designed to encrypt them.

You still have to protect the master password on that file, but now you don’t need to worry that when someone finds your old MySpace password, they’ll start buying stuff on one of your shopping accounts, or hijack your Twitter as part of a harassment campaign, or use your email account to send malware to all your friends.

LastPass is a popular one. It’s cloud-based, which makes it convenient to use on multiple devices, but you do have to trust them. If you’d rather not trust your passwords to someone else’s computer, you can go with an offline manager like KeePass, which stores everything locally on your system in an encrypted file.