Errm...
That's the part where the server doesn't story any information that an attacker could use to log in. The attacker would need the private key, which is stored inside a secure chip on your device (unless you decide to store it in your password manager). All that's stored server side, is the public key.
When you're using a password, the server will store a hashed version of that password. If this is leaked, an attacker can attempt to brute-force this leaked password. If the server didn't properly store hash the password, a leak simply exposes the password and allows the attacker access. If the user didn't generate unique passwords for each site/server, that exposes them further to password spraying. In that case an attacker would try these same credentials on multiple sites, potentially giving them access to all these accounts.
In case of passkey, the public key doesn't need to be secret. The secret part is all on your end (unless you store that secret in the managed vault of your password manager).
I do agree that your risk is quite small if you're already
- using a decent password manager
- doing that the right way
- have enabled 2FA wherever possible
The biggest difference: nothing sensitive is stored on the server. No passwords, no password hashes, just a public key. No amount of brute forcing, dictionary attacks or rainbow tables can help an attacker log in with a public key.
"But what about phising? If the attacker has the public key, they can pretend to be the actual site and trick the user into logging in." Only if they also manage to use the same domain name. Like a password manager, passkeys are stored for a specific domain name. If the domain doesn't match, the passkey won't be found.
https://www.youtube.com/watch?v=qNy_Q9fth-4 gives a pretty good introduction on them.
It gets worse: it's extremely addictive. Research has shown that habitual users who want to detox die within 48 hours unless they start consuming it again.
Not sure what part you don't understand, but I'll try and help: Snopes (a fact checking website) shows that the way links are displayed nowadays (the new link presentation or new way links are presented) on X (formerly Twitter) lacks any sense -> snopes shows the folly of it.
I recently saw this video about the British Library. They collect everything that's published in the UK (books, magazines, papers, leaflets, flyers, ...). One of the librarians makes a pretty good case about the use of collecting and preserving everything. Even (or especially) the things you don't think are worth preserving.
But only one is reality.
It's rather vague to me too, the most helpful summary I found was this one:
In general, the condition applies when:
- The processing isn’t required by law, but there’s a clear benefit to it;
- There is little risk of the processing infringing on data subjects’ privacy; and
- The data subject should reasonably expect their data to be used in that way.
So "we don't have to do this, and most likely it won't be privacy sensitive, and you probably already know we want to do this, but you can still opt out"
Source: https://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-and-when-does-it-apply
"God bless America" seems a more apt comparison. Seeing as "Sieg Heil" was meant to glorify Hitler, rather than inspire pride of the country. Besides that, comparing Ukraine to Nazi Germany seems a bit too "Russian propaganda" for my tastes.
Basically, yes. Appliances are delivered and installed, usually free of charge (read: the price of delivery and installation is just calculated into the price of the appliance). Same for furniture.
Most home improvement stores either offer a (paid) delivery service or you can rent a small van/truck to get your larger purchases home.
Trailer hitches are quite common too, allowing you to tow a simple trailer (which you can either buy or rent):
What you are doing is exporting your key. Your public key is indeed something you can (and should) share as it enables others to verify that you are indeed who you claim to be (or more accurately, that you're in control of the private key that's linked to that public key). So while you should share your public key, your private key must remain private.
What these people on the dark web are doing is one step further: they sign their messages with their private key. This creates a cryptographic signature that's different for each message (changing a single character in the message will generate a wildly different signature). Anyone with the public key can simply copy that message including the signature and validate it. If even a single character of the message was changed, the signature will not be valid. Thus ensuring others that the person who posted the message is indeed in control of the private key.
Signing is different from encrypting: while encryption renders your message totally unreadable to anyone without the correct key, signing doesn't change the message itself. It simply appends a signature allowing others to check that the message wasn't tampered with.
You can follow the steps here to use a previous version of the desktop app to extract the keys: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93
The javascript didn't seem to send the extracted data anywhere, but I did disconnect from the internet while running the script.