Note also the significance of the dots vs dashes in their taxonomy. Once it gets to "mailbox" it's all dashes, signifying no more breakdown by the overarching system beyond "we finally hit a mailbox designation".
I presume that dashed bit is what we'd think of as a normal email address.
I think online matchmaking has absolutely destroyed people's ability to feel like they're good at any game.
Like you'll never be a big fish in a small pond. If you played as much as you currently do but could only play with people local to you, you'd be the best person you know at this thing. And that's a really good feeling. But you'll never get that feeling, because you should really be grinding past whatever plat 3 is in order to not suck.
Conversely you'll never be a small fish in a big pond. If you could only play with people local to you and they all played much more than you, you'd be the worst person you know at this thing. And that's a really bad feeling. That gets people to quit games.
The big fish eat all the small fish until the big fish are the only ones left.
I have a triple-digit-hour play time and I could barely get out of Bronze. I can't really explain why, but my brain just doesn't mesh with it, skill-wise. It's still a lot of fun though (otherwise I wouldn't have spent so long playing it!). In fact, being so bad at it somehow made it more enjoyable - it's not often I allow myself to be bad at something.
I'd rank myself as "unusually good" at Mario Kart, which is obviously a very different game, but it surprises me that I have such a wide skill gap between the two games.
I'm decent at Rocket League and sit between Plat III and Diamond I. It seems our metrics are slightly different :) I've found these ranks are the natural breaking point between what I could classify as "sweaty" players and "casuals." I've never been interested in going much further.
It's very weird seeing RL discussed on HN - worlds are colliding! But, yes, this is good advice. Also consider playing 1v1. I'm Diamond I-II there. It's a lot of fun, and probably the only mode where turning off the chat doesn't put you at a disadvantage.
I heard Comm, a pro, once say that he wished he had his 14 year old fingers back... think he was 17 at the time. To me, a 40 year old playing with KBM, I feel like I just can't bend my brain around all of the 3d possibilities. I just don't have any intuition for rolling my car while it accelerates towards the front...and then you add in the complexity of the camera and, yeah, I suck.
Part of the problem is rolling vs. yawing. Most players have something along the lines of LB mapped to powerslide + air roll. So when flying, they have to think (actively or otherwise) about when to roll vs. when to release LB so that the left stick X axis will yaw instead. This is, in my experience, very difficult to actually do.
There's a control config I tried and greatly enjoyed that addresses this. I want to get back into it but I haven't yet felt like dealing with the adjustment period again. This works best if you have a controller with mappable paddles.
Left stick X: Ground steer and air steer (yaw)
Left stick Y: Pitch
Right stick X: Air roll
Right stick Y: Ground throttle
And then jump/boost/powerslide go on triggers/bumpers/paddles as desired.
Being able to simultaneously yaw and roll feels quite nice once you get used to it and allows for some surprisingly intuitive recoveries, wall jumps, etc. "Tornado spinning" is now as simple as pushing the sticks in opposite directions. Other interesting results can be had from the various other combinations of stick directions.
This does require you to no longer use the button pad for anything, so if you use ballcam toggle while playing, or need to peek at the scoreboard a lot, or need a thumb free for real-time quickchats, or whatever, then I hope you have a lot of extra paddles.
I've only just started trying to do aerials, really, and I find myself getting vertigo from it haha. I'm also 40. It's so disorienting. None of the camera settings feel "right".
It takes some playing around with and is highly subjective. Best method I found was to just try camera configs used by pros or recommended by others and see what feels good. My current:
The rest aren't relevant for me because swivel speed is about looking with the right stick and transition speed is about switching to/from ball cam, and I leave ball cam on.
Of these, I believe the most important (by which I mean tangibly relevant to control quality/feel) are distance, stiffness, and, to some degree, height+angle. Shake and FOV are also important, but those are the only good values for those settings.
I used to play with max distance because it felt better for visibility, but I found some people saying 270/280 works much better for them for precise ball control and accurate strikes, and that does seem to be the case. Stiffness is the other setting that will make the most difference in feel: Lower values let the camera's distance from your car rubber-band further in relation to your speed. It might seem as if maxing this out would be ideal, because why wouldn't you want the camera to follow your movement as closely as possible, and why would you want the camera to lag behind you when you go faster and disorient you when you're trying to aerial? But I'm not so sure. I've tried stiffness at 1 (max) and I don't remember why, but apparently it didn't work for me, because I lowered it to 0.75, which I guess I found acceptable enough not to have changed it. I've just come across some people saying a stiffness of around 0.35 is counterintuitively great as it turns out that moving the car without instantly moving the camera helps a lot with car control for some reason, so I'm about to test run that value myself and see about it.
I also used to run with stiffness maxed out and I think it contributed to the motion sickness feeling. There's definitely a tradeoff in all of these values.
I thought I'd share a side project I've been working on recently.
I've always struggled with procrastination. The final straw came last year when I forgot to book an MOT for my campervan, resulting in a cancelled weekend away, grief from my wife and kids and a realisation that I needed to address my procrastination problem.
So, I did what all good software engineers do: I spent a weekend hacking together a small reminder service.
The service emails me 12 weeks before, 8 weeks before, 5 weeks before, 3 weeks before, 2 weeks before, and 1 week before an important deadline. I can also choose daily reminders on the same 12, 8, 5, 3, 2, 1 schedule.
I have found that this increasingly frequent nagging helps me focus on important tasks and I haven't missed any renewals or deadlines since.
Following feedback from people I have shared the idea with, I put some more effort into the service and built remindify.co
> I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.
I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
If someone gets access to your unlocked PC/phone, don't they then have access to both? Do you store your TOTP vault password in your password vault (obvious)?
If someone gets into your password vault, why wouldn't the same mechanism also let them get into your TOTP vault? (This applies whether it's brute force, keylogger, hardware exploit, or $5 wrench.)
> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
If Bitwarden is compromised, like LastPass was. Of course the vault should still be encrypted, but I don't want to rely on a single company managing everything correctly. It seems much less likely that two different companies will be compromised at the same time.
That's been my attitude, both are keyed to my Face ID, otherwise encrypted. My phone times out really quickly if I'm not typing away on it. I feel relatively safe. I wonder though how much longer they will maintain the phone apps. All my desktop versions are verified from my phone, so them dropping the desktop sucks but isn't catastrophic.
Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.
> Generally the threat model that TOTP protects against is not someone breaking into your device.
And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's yubikey.
Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.
If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.
> How is it secure if the only thing an attacker needs is a single method of accessing a single device?
You should have two-factor for your password vault as well, and that TOTP is stored on a separate device.
In other words, you replace the model of having password+TOTP for every account, to having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.
> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
Key logger?
I unlock my password vault frequently. I only unlock my TOTP vault to:
1. Add a new secret
2. Recover access to an account if my authenticator has died.
Since I unlock my TOTP vault so infrequently, the number of hashing rounds/etc are tuned to be _much_ slower and require _much_ more memory. It uses an entirely separate set of credentials from my main vault. And you're unlikely to snag the password unless you're watching me for a long time or get very lucky.
Wow, this might be the answer to a question that's been bugging me for a while!
It didn't seem right to keep all of my TOTP secrets isolated on one easily lost/stolen/broken device (phone), so when I realized KeePass supported generating TOTP codes I moved all my TOTP secrets into my password database (which is synced around all my devices) then deleted the single-purpose authenticator app as unnecessary.
But then it didn't seem right to have all of my TOTP secrets live in my normal vault with my credentials since that loses the "second factor". Nor did it seem like it would help to make a separate database for TOTP secrets and sync it around too - still no second factor, plus added friction to open both databases on every login.
But as you say, I could keep TOTP secrets in two places - in an authenticator app on my phone with no syncing for daily use (keeps the two-factorness cause it's on a single device, and is low friction cause it piggybacks on the security of my phone and doesn't require a separate login) AND in a TOTP specific password database that's synced around but opened only rarely (in the cases you described).
Thanks for the hint about tuning hashing rounds; didn't know that could be configurable! Looks like KeePass supports that too; I'll look into that.
I use iCloud Keychain because I use a Mac, iPad, and iPhone.
I use Authy with Face ID protecting the entire app on my phone. I don't use the Desktop app because it won't use Touch ID, meaning I have to type in a long master password.
I don't see an attack as likely to happen (I own no Bitcoin, not a billionaire, not in charge of anyone else's secrets) but if there was a flaw that let somebody access the passwords on my Mac or iPhone, they'd still need the 2FA codes from my phone. I think that's more likely to happen on the Mac because I do have apps downloaded from somewhere else besides Apple's App Store.
My guess is that most of the people who worked on Authy have fallen by the wayside after the Twilio acquisition. It's annoying every time I have to search the boxes on my phone or the list on my watch: can't we please have alphabetization?
I had the same problem and didn't want to keep all of my eggs in the same basket, plus I lost faith in these backup apps after Google Auth lost user codes at some point.
I decided to create a private backup which I control and so I built a client-side web app that encrypts QR codes (like 2FA codes). It was inspired by a similar CLI based project I saw here on HN. I still use Authy (for now) but now I have encrypted images that I can decrypt and rescan easily. And since they're just images I saved them in various places and even printed out copies should I lose my phone or Authy access.
To 'migrate' my codes out of Authy I just went through each site and regenerated the codes (plus encrypted them). It's annoying that they force you to do this but doesn't take too long.
I'm still polishing it up but it works well and I would love some feedback if there's anyone who finds it useful - https://encrypt-qr-codes.netlify.app/
> not sure how I feel about passwords and totp being in the same app
I felt the same way and I've come to realize that it is not a big deal. One advantage is that with a shared password manager account, you can also share the TOTP along with it. Very convenient for a bunch of use cases.
The way I see it, your password manager becomes the central point of failure. Therefore, secure your password manager with a hardware security key (yubi). Not all accounts stored in a password manager are created equal... some need more security than others. If there are accounts that you want additional 2FA security on, just use a separate TOTP app. It doesn't have to be an all or none option.
The second factor is not meant or designed to save you against a compromised PC or phone (your session or cookies could probably be more easily stolen even when the second factor is on another device). Many people have passwords and TOTP on the same phone too. The second factor is more meant to verify that you are really you to a web site and safeguard your account on that web site.
I've moved over to Proton Pass (you can do TOTP on the desktop through a browser, I figured if I'm authenticating into a site I must have internet) but KeepassXC was a strong contender. Both have excellent mobile support and Keepass has native desktop clients.
Proton Pass isn't free, though, but I already had their services.
I used to use it, but the author refuses to publish a desktop app. I actually was able to install the iOS app on my desktop, but if I ever remove it, it is gone forever because he revoked it from the appstore. He only wants you to use the desktop receiver.
It is also buggy af and doesn't sync properly. He's pretty much not doing any more updates of the app either.
That experience pushed me off it forever.
Edit: The app has been acquired by a third party. I'd move off it.
I'm not even sure this will help much. Yes, in addition to an AWS account, bot farms now would have to pay X per-bot, but this is hardly an issue for state-sponsored bot-farms or big dark net operators.
With that, it's going to push out lots of human users who either can't afford to pay or don't see enough value to justify the price (e.g. casual/occasional users). And with the outflow of audience, value diminishes for users who might be willing to pay, pushing some of them over the edge.
I wonder whether this would actually increase bot-to-human ratio.
My prediction: if it gets implemented, it would last a week. Like with the login-wall last time, numbers would plummet too much.
I think it very much could help. As it stands there is a minimal cost per bot account, if it gets banned you try again.
With a monthly subscription you'd be out of pocket for a month, even if your bot is banned the next day. That's terrible ROI for a spammer.
Furthermore getting a supply of "plausible" cards (corresponding to the account's/IPs location) that would pass fraud checks is not as cheap as phone numbers either.
It will be effective. Large state-sponsored actors will no doubt get through it, but it still shrinks the amount of spam significantly.
I feel like there are a few assumptions in there that might not be true.
First, I don't think there ever will be a limitation of 1 (or even small n) account per card. This excludes big corporate clients, media networks, etc. who have legitimate reason to have more than one account but would still pay from the same account. I'd bet a buck these are the accounts that are most likely to actually pay for X. It would be unwise to gate them out.
Second, if detecting bots were as easy as taking only a day (even a few days) worth of posting, then there would never be a need to paywall the whole of X. I believe it's because it's hard (either objectively hard, or just expensive for X) to detect bots that Musk considers such a disruptive measure.
Third, cards are probably not a good verification mechanism. More so if there's no card-to-account limitation. Stolen cards don't have to be used directly. Money can be laundered elsewhere and then used with a good card. It is an obstacle but probably only for small/ad-hoc operations. Big bot nets will hardly be impacted by this.
usarmy.jble.tradoc.mbx.eustis-tboc-dtl-helpdesk@mail.mil