• 3 Posts
  • 546 Comments
Joined 4 years ago
Cake day: January 17th, 2022

  • utopiah@lemmy.ml to Privacy@lemmy.ml · Passkeys
    1 · 11 hours ago

    Yep. To give you some examples: I log in to my self-hosted forge this way. I also use PAM on my desktop to log in this way. I also sudo this way. Unfortunately I don’t use this on my phone anymore as I switched to GrapheneOS, which requires Google Play Services for this kind of auth mechanism (with a possible workaround, https://codeberg.org/s1m/hw-fido2-provider, that I haven’t tried yet).

    Please note I’m no security expert, but to clarify, a few things are important precisely when you are not a professional:

    • Does it support standards? Basically, acronyms like TOTP, FIDO, U2F are what you should be looking for.
    • Is it supported without additional software, by supporting standards? Can you use e.g. PAM on Linux with it, or does it need a companion “app” somehow?

    If the answer to either is “maybe”, then I recommend that before buying you search online and ensure it does work with your specific setup. If the answer though is yes to standards and no to additional software, then you are, unless there is a weird bug, basically sure to be able to use it however you want, wherever you want.

    Sidenote: it’s the same heuristic for IoT. If you buy a “brandname smart thing”, then you probably need their idiosyncratic stack, whereas if you rely on standards, e.g. Zigbee or Z-Wave, then you are nearly guaranteed a smooth experience.

    Hope that helps. I know that navigating acronyms can be tricky, but IMHO here it’s worth investing a tiny bit of time to recognize them.

    Finally, as we are talking about open hardware and security, I would also add third-party audits. I don’t have the competency to ensure that the hardware and software implementation are cryptographically safe. I can test that it does in some cases what it claims to do, e.g. lock after 3 failed attempts, but could some kind of weird hash collision or bad pseudorandomness be used to practically limit the pool of potential keys or passwords? I don’t have the knowledge for that. I also can’t trust that NitroKey did it right based on the claims on their website. So… audits help bridge that gap in trust. If I can’t trust the vendor and I don’t have the expertise, despite it being entirely open, then I look for others who did verify on my behalf.

  • Honestly it’s trickier than most think.

    There are plenty of theoretical use cases, sure, especially for AI because it’s basically just either statistics on very large datasets or heuristics. Most of us, if not all of us, use that pretty much daily.

    LLMs though are a lot less obvious, but one can easily imagine public research on language, namely being able to study how language evolved.

    GenAI… also, in itself honestly it might even be the most interesting of all, because it makes us pragmatically ask what it’s like to be creative.

    Yet… all that is so SO different from the commercialization and the capture of it.

    So public research in AI, I’m 100% behind it. It can be useful. VC-backed for-profit systems that extract and capture value, no, nearly nothing legitimate can come out of this… but to be fair it’s not limited to AI; AI just happens to be the last thing they try to capture.


  • Few seem to address the issue here: it does not work 100% of the time for you.

    It might work for everybody else, but that doesn’t help you much. You have your setup, not theirs.

    So… you need to investigate. When it works, great, nothing to learn from. When it fails though… can you find a pattern? Does it always fail after you have used something specific? Check https://lemmy.ml/post/46800646/25494455 which gives examples of potential failure points and journalctl logs. You can then check what failed, and if not, you can at least know when, then backtrack to other logs, e.g. dmesg.

    The key takeaway is that when things do not behave as expected you need to put a detective hat on and investigate:

    • What’s your crime scene? Your laptop and its log files.
    • What’s the crime? It didn’t suspend properly.
    • Where are the traces? In the logs.
    • Where are the logs? Using journalctl or dmesg, and typically in /var/log/.
    • What would a good detective do? Search for specific clues, e.g. places where fingerprints do stick, e.g. metal or glass, which here would be error messages. Those can be found using grep and other tools.

    You also have limited time, because the logs will, just like on a real crime scene, get contaminated or rotated or deleted. So… if you do encounter the problem, do not rush to the next task at hand, because you are wasting an opportunity to learn and there is a vanishing window.

    TL;DR: grep logs
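The “grep logs” step above, as an added example that is not part of the original comment: a small POSIX shell filter that pulls suspend-related failures out of journal-style lines and extracts which device refused to suspend. The log lines are constructed here so it runs offline; on a real machine you would feed it `journalctl -b -k` or `dmesg` output instead. The patterns and the `SAMPLE_LOG` content are my own assumptions about what such a failure typically looks like, not taken from the linked post.

```shell
#!/bin/sh
# Added example, not from the original comment. Filters journal-style lines
# for suspend failures, the way one would grep the output of `journalctl -b -k`.

# Constructed sample lines in journalctl's short format (not a real capture).
SAMPLE_LOG='Mar 01 22:10:01 laptop systemd[1]: Reached target Sleep.
Mar 01 22:10:01 laptop systemd[1]: Starting System Suspend...
Mar 01 22:10:02 laptop kernel: PM: suspend entry (deep)
Mar 01 22:10:02 laptop kernel: Freezing user space processes ... (elapsed 0.002 seconds) done.
Mar 01 22:10:03 laptop kernel: usb 1-3: PM: dpm_run_callback(): usb_dev_suspend returns -16
Mar 01 22:10:03 laptop kernel: PM: Device 1-3 failed to suspend async: error -16
Mar 01 22:10:03 laptop kernel: PM: Some devices failed to suspend, or early wake event detected
Mar 01 22:10:03 laptop systemd-sleep[1234]: Failed to put system to sleep. System resumed again: Device or resource busy
Mar 01 22:10:03 laptop systemd[1]: systemd-suspend.service: Main process exited, code=exited, status=1/FAILURE
Mar 01 22:10:04 laptop kernel: PM: suspend exit
Mar 01 22:10:05 laptop NetworkManager[900]: <info>  device (wlan0): state change: activated'

# Keep only lines that point at a suspend failure.
# stdin: journal lines; stdout: the matching lines.
# The pattern list is an assumption; extend it as you learn your machine's messages.
suspend_failures() {
    grep -iE 'failed to suspend|failed to put system to sleep|suspend.*(error|FAILURE)|early wake event|returns -[0-9]+'
}

# From filtered lines, extract the device names the kernel reported as failing,
# one per line, deduplicated. This is the "fingerprint": the thing to look up next.
failed_devices() {
    sed -n 's/.*PM: Device \([^ ]*\) failed to suspend.*/\1/p' | sort -u
}

# Number of failure lines in the constructed sample (used by the stand-alone run).
count_failures() {
    printf '%s\n' "$SAMPLE_LOG" | suspend_failures | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf 'suspend failure lines: %s\n' "$(count_failures)"
printf '%s\n' "$SAMPLE_LOG" | suspend_failures
printf 'devices that failed to suspend: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | suspend_failures | failed_devices)"
```

On a real machine the same functions apply to live logs, e.g. `journalctl -b -k | suspend_failures | failed_devices`, and the device name (here the USB port `1-3`) is what you then cross-reference with `lsusb` or the post linked above; the point is that the filter turns a wall of log text into one or two concrete clues to chase.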

  • A lot of already great advice here, often clarifying that a computer that is not yours… is not yours.

    What I would still add though is that you are NOT, and I’m very confident in saying this, the only one there, in your very school, to ask that question. In fact I would argue MOST users have the exact same concerns, but they might even be aware that alternatives exist.

    So… do not push back, or even just avoid, all this alone. Find others who have similar problems and solve them together.

    There might be a Linux User Group already; join them. If there isn’t one, consider making it. It might just be you for a few weeks, even months, but at least you will dedicate time and space to improve YOUR situation. Chances are though that others, even if only curious at first, might check what you are up to, whether they can replicate that, etc.

    Don’t feel isolated; move the needle for yourself first, in your corner, but be welcoming to others who are eager to contribute.

    It’s a challenge, but it’s a fun challenge while trying to tackle it with others.