Depends on the vendor for the specifics. In general, they don’t protect against an attacker who has gained persistent privileged access to the machine, only against theft.
Since the key either can’t leave the tpm or is useless without it (some tpms have one key that it can never return, and will generate a new key and return it encrypted with it’s internal key. This means you get protection but don’t need to worry about storage on the chip), the attacker needs to remain undetected on the server as long as they want to use it, which is difficult for anyone less sophisticated than an advanced persistent threat.

The Apple system, to its credit, does a degree of user and application validation to use the keys. Generally good for security, but it makes it so if you want to share a key between users you probably won’t be using the secure enclave.

Most of the trust checks end up being the tpm proving itself to the remote service that’s checking the service. For example, when you use your phones biometrics to log into a website, part of that handshake is the tpm on the phone proving that it’s made by a company to a spec validated by the standards to be secure in the way it’s claiming.

Package signing is used to make sure you only get packages from sources you trust.
Every Linux distro does it and it’s why if you add a new source for packages you get asked to accept a key signature.

For a long time, the keys used for signing were just files on disk, and you protected them by protecting the server they were on, but they were technically able to be stolen and used to sign malicious packages.

Some advanced in chip design and cost reductions later, we now have what is often called a “secure enclave”, “trusted platform module”, or a general provider for a non-exportable key.
It’s a little chip that holds or manages a cryptographic key such that it can’t (or is exceptionally difficult) to get the signing key off the chip or extract it, making it nearly impossible to steal the key without actually physically stealing the server, which is much easier to prevent by putting it in a room with doors, and impossible to do without detection, making a forged package vastly less likely.

There are services that exist that provide the infrastructure needed to do this, but they cost money and it takes time and money to build it into your system in a way that’s reliable and doesn’t lock you to a vendor if you ever need to switch for whatever reason.

So I believe this is valve picking up the bill to move archs package infrastructure security up to the top tier.
It was fine before, but that upgrade is expensive for a volunteer and donation based project and cheap for a high profile company that might legitimately be worried about their use of arch on physical hardware increasing the threat interest.

Yeah, it’s definitely faster, but I’m not sure it’s going to make too much of a difference for a Minecraft server.

With setting it up being a bit annoying by hand, I’d still rank the router option higher even if it’s a worse VPN. Otherwise you risk ending up in that yak shaving situation where you’re fighting with routing tables and DNS when you wanted a Minecraft server.

Oh for sure. What I meant was “check router for a built in VPN and use it if it has one, otherwise use wireguard because it’s the easiest”.

The specific VPN doesn’t really matter so much. The built-in one would be the easiest, so checking for a solution that took a few clicks is worth it. :)

I would use something like wireguard, or another VPN service you can host yourself if your router supports it natively.

From the looks of it Minecraft servers seem to have dogshit authentication, so using some form of private network setup is going to be your best move.

Because the headline literally says “world’s first all electric train”, which it very much is not.

Most of them are mediocre. Most burger places were mediocre, and then the American gastropub trend saw burgers being made nice as opposed to diner food or bar food. They could also charge more money because they were making nicer food.

Eventually a bunch of the mediocre places shifted to try to also be nice, but mostly just increased prices, changed decor, and started using the word aioli more than mayo. Oh, and pretzel buns on burgers that got taller without being bigger and are cumbersome to eat.

In the plus side, if you like a Swiss burger with a garlic aioli, a burger with a fried egg on it, or a burger with 2 pieces of bacon, a spicy BBQ sauce, and fried onion strings and you’re in the mood for some fries with bits of peel on them and a garlic Parmesan butter, then you know exactly what they’re going to put in from of you and exactly what it’ll taste like.

Mediocre. Not bad, but definitely not the best you’ve ever had.

Yup, that would indicate that likely a bot is trying to guess it’s way in.

You are still safe.

The only weird thing here is that Microsoft lets such things bother you instead of guessing that you didn’t teleport to Brazil and instead putting a little extra burden on the Brazil end before sending you an email.

If you’re still feeling worried, the biggest thing you can do is enable two-factor auth (which you should do anyway), or even better: enable something like passkeys which are very secure and also easier than username/password.

Two-factor/password manager is the “remember to brush and floss” of the security industry, so… Please do those things. :)

That is wonderful advice and I’m glad you pointed that out. :)

If I knew how to give directions to the page, I would, but unfortunately I don’t know the Microsoft site layout, only the URL that their help center directed to.

In mitigation of my indiscretion: it’s generally safer to trust a person you approach out of nowhere than to trust someone who approaches you out of nowhere.
Since they chose the venue and asked the question, the likelihood that an attacker is present in the replies is lower than the expectation that an unsolicited email is from an attacker.

But it’s also entirely correct to be distrustful of anything anyone asks you to click on, triply so if it involves security or login pages.

It is actually safe to ignore them. It means either someone has an email address similar to yours, or a bot of some sort has you email address and only your email address.

Essentially, someone or something goes to the login screen, enters your login, and says “I don’t have the password, let me in!”.
Sending a code to your email like this is the first step in letting someone in without the password, or more specifically to having them reset it.

Since the email is to check “did you ask for this?”, doing nothing tells them that you did not.

If you want some extra peace of mind: https://account.live.com/Activity should show you any recent login activity which you can use to confirm that no one has gotten in.

Also, use two factor, a password manager, and keep your recovery codes somewhere safe. The usual security person mantra. :)

Someone near him has recorded it on their phone if he has, and is just walking around numbly aware that they have the Nixon tapes sitting in their pocket.

They’re using tap to pay, and having the stark reminder that they just bought a sandwich with something that could change the election be on the news for 30 minutes because no one expects him not to drop a hard N in casual conversation so it’s not as noteworthy as a woman politician laughing in public.

Same, felt weird.

Beyond that, I learned about it via a particularly cold meme.

No, yours literally says “featured snippets”, as opposed to something saying it’s AI generated.

https://support.google.com/websearch/answer/9351707?hl=en

Your’s is a “featured snippet”, which is where it highlights a relevant portion from a top result.
The AI results have the AI synthesize a new sentence or set of paragraphs answering the question using data from multiple sources.

They’re different results because you didn’t seem to get the AI search results. After making it available to everyone they’ve been hit with a bunch of weird results and have started scrambling to manually remove the particularly strange ones as they crop up.

This is what it typically looks like:

For a brief moment in the beta for all this, it basically just summarized the top two or three reputable results, and attached a link to where it got the data.

They should have just left it at that, and not started mixing in random blogs and social media sites.
The ability to summarize the Wikipedia article and a random university professors page where they list every fact known to man about pine trees or something was actually helpful.

If I want the AIs best guess about how to fuck up a pizza, I just go to the site where I can ask it. Bad advice when searching is just shit.
A tldr for “what is turpentine” is actually helpful.

I could see a federated recommendation engine/ranking system/the social parts of game ownership, but I just don’t see it panning out for the actual commerce part.
Those parts benefit from being able to control your own data and who it’s shared with. I don’t think there’s a reasonable way to federate giving a specific individual money and them authorizing you to download or access a resource they control.

Well, I don’t think they’re interested in selling directly. There’s a lot of overhead in handling credit card payments and dealing with the jurisdictional issues of sales tax, currency conversion, and regional age and content restrictions.

Your notion sounds perfectly lovely from the consumer side, but from the creator side it’s not much different from not using the system at all.

It would be!

The big issue would be getting game developers onboard. The service valve provides is both to developers and to consumers.
The appeal to developers is that they can toss the game on steam and valve will manage putting it in front of players and getting them to buy it, and all the associated payment processing that entails.
Developers like steam because it has all the users and does a good job of “based on your games, buy these too”.
Users like it because it has all the games, installation is inevitably trivial, and it does a good job offering them games they could plausibly like, often on sale, and there’s a feeling of platform security: valve won’t screw you over.

Any new distribution system will have a tough time breaking in. Just look at the difficulties epic has had despite giving away games constantly and offering extremely generous developer revenue shares.
Valve aimed to make steam $30-60 dollars more convenient than piracy, and that seems to extend to other forms of free as well.

First step is figuring out secure decentralized credit card payments. 😊

I kinda like a little thingy that has a USB plug on one end under a cap, and a salt shaker on the other. Or maybe like a little hot sauce shaker, if we’re moving away from salt.

Yeah, look at image before title, wondered if it was a salt shaker and what language uses kalt for salt.

Hrm, USB stick salt shaker…