winstonwinston's comments

If you are looking for serverless compute (AWS Lambda, CF Workers), I know of Scaleway in Europe.

Never heard about Scaleway tbh. Thank you. Will take a look

Technically it is possible to configure BitLocker using a passphrase instead of a TPM. It is not easy though. It is configured via GPO. However, it is not a local account password. It is a separate passphrase which you need to provide early in the boot process, similar to LUKS on Linux systems. It works on Windows computers without a TPM; I’m not sure whether it is supported on systems that actually have a TPM available.

The system handles these changes for the user automatically. The disk key is encrypted by the user password; when the user changes the password, the system completes the disk key rollover automatically. This means it will decrypt the key with the old password and then encrypt the key with the new password.

Windows also allows you to reset your user password via Microsoft, which complicates things a little.

In practice, there are some bugs around this. There's no way to force Windows to update your password when you change it via Microsoft; I went through the password change due to Microsoft locking my Microsoft account, and Windows didn't update the password locally until I played around with group policy settings (that I'd never touched before) for password expiry and signed in via PIN and rebooted a dozen times (over the course of about 2 weeks).

It works for macOS. The FileVault key is encrypted by the user password. The user login screen is shown early in the boot process, so that FileVault is able to decrypt data and continue the boot process. It sure works fine for about a decade. No TPM nonsense required. Imo, the TPM-based key only makes sense for unattended systems such as servers.

> NAT66 doesn't add much in the way of security here, because the external address is fully routable and maps 1:1 to the internal address. You are once again fully dependent on a correctly configured firewall.

When using the stateful firewall provided by Linux's packet filter, the IPv6 NAT66 "masquerade" works very similarly to IPv4 NAT. 1:1 mapping is NOT required.

For example, internal hosts are configured as follows:

inet6 fd00::200/64 scope global noprefixroute

ip -6 route add default via fd00::1

Edit: From my understanding, NAT66 is ambiguous and may work as a stateful port-based translation similar to IPv4 NAT, whereas NPTv6 is a stateless prefix-only translation.
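
The distinction drawn in the Edit above, modelled as an added example that is not part of the original comment: NPTv6 as a stateless prefix swap next to a stateful port-based masquerade table. The external prefix 2001:db8:0:1::/64, the WAN address and the sequential port allocator are assumptions, and NPTv6 is simplified to a plain prefix swap without the checksum-neutral adjustment of RFC 6296.

```python
import ipaddress

ULA = ipaddress.ip_network("fd00::/64")          # internal prefix from the comment
GUA = ipaddress.ip_network("2001:db8:0:1::/64")  # assumed external prefix (documentation range)
WAN = ipaddress.ip_address("2001:db8:0:1::1")    # assumed router WAN address

def _swap(addr, src_net, dst_net):
    """Replace the /64 prefix and keep the interface ID; None if addr is outside src_net."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return None
    return ipaddress.ip_address(int(dst_net.network_address) | (int(addr) & int(src_net.hostmask)))

def nptv6_out(src):
    return _swap(src, ULA, GUA)

def nptv6_in(dst):
    # No connection table: any packet to a mapped address translates back,
    # so only the firewall decides whether it reaches the internal host.
    return _swap(dst, GUA, ULA)

class Masquerade:
    """Stateful port translation: every internal host leaves as WAN plus a tracked port."""
    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.flows = {}    # (src, sport, dst, dport) -> WAN port
        self.replies = {}  # (WAN port, dst, dport) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        key = (ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.replies[(self.next_port, key[2], dport)] = (key[0], sport)
            self.next_port += 1
        return WAN, self.flows[key]

    def inbound(self, remote, rport, wan_port):
        # Only replies that match a tracked flow are translated; anything else has no mapping.
        return self.replies.get((wan_port, ipaddress.ip_address(remote), rport))

if __name__ == "__main__":
    print(nptv6_out("fd00::200"))                                      # 1:1 external address
    nat = Masquerade()
    print(nat.outbound("fd00::200", 5000, "2001:db8:ffff::10", 443))   # shared WAN address
    print(nat.outbound("fd00::201", 5000, "2001:db8:ffff::10", 443))   # same address, new port
    print(nat.inbound("2001:db8:ffff::99", 443, 40000))                # unsolicited: no mapping
```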


The race to the bottom of software quality accelerates using AI to generate software. Based on my experience using Claude for software development.

That is how it works if you have Messages sync enabled. Other MFAs are also synced on Apple devices: TOTP and Passkeys are synced via iCloud Keychain to all iPhones and Macs using the same iCloud Keychain account.

I believe Google synced TOTP and Passkeys between Android devices using the same Google account; I did not test this though.

Obviously one can disable sync, but imo synced MFA is what most want anyway.


If you have a localhost server that uses a client input to execute code without authentication, that’s a local code execution vulnerability at the very least. It becomes an RCE when you find a way to reach the local server over the wire, such as via a browser HTTP request.

I don’t use the VSCode you have mentioned, so I don’t know how it is implemented, but one can guess that it is implemented with some authentication in mind.


Sometimes the WebDAV client is to blame, especially clients provided by the OS itself, awful performance.

Nowadays I just use (encrypted) SMB over the internet, performance is great and it works on all major systems without additional software. Basically the best and easiest way to transfer (large) files over the network.


> It should be no surprise that even the SPF-DKIM-DMARC trinity is not actually enough to avoid bounces and disappearances

That is the main takeaway.

Unauthenticated mail is guaranteed to cause delivery issues to Gmail and then authenticated mail got something like a 50/50 chance to get delivered to the INBOX.

