Hacker News: arjie's comments

Huh, strange. I remember when I was a little 9 year old boy typing in:

    FD 40
    RT 90
    FD 40
    RT 90
    FD 40
    RT 90
    FD 40
    RT 90
To get a square on the screen. And then I was a slightly older boy destroying my dad's precious slides for his presentation by formatting the entire disk accidentally while installing Red Hat Linux 8 Psyche from CDs my dad got at the bazaar. I was so excited for Shrike to come out the next year.

Then I was slightly older and discovered that 'programs' are just text you use a 'compiler' on and not a special thing you made in Borland's Turbo C.

Then I was older and started using vim. Then older still and made HTML pages with this new thing called DHTML on Geocities. Then ActivePerl. Then a VPS. Then Wordpress. Then discovered Prolog, Eclipse for Java, Mex for C++ in Matlab, and git. Then some years later github. Then interned in SF and discovered CI/CD, Hadoop et al. and how servers look in a DC in SOMA. Then IntelliJ. Then a trading engine. And then GPT was announced. And TalkToTransformer showed the future. And then people were demoing these ugly To-Do lists it could make. And suddenly we're here today.

Every stage of software has been incredible. I don't have to `movq`. I don't have to `jstack`. If I want a TUI, the tools can construct one to my specifications in moments. It's sheer magic, man. It's a scary time (I've had a couple of what-if nightmares about Dario Amodei ruling the world with his LLMs) but it's also exciting. I think I am happiest today. We're going to do so many wonderful things for so many people now that this is so much cheaper.

Perhaps it's just the good fortune of being born at this time during this thing and riding that wave, but it feels like the world of computing has just been so full of amazing leaps forward during my life. I look back each time and I think "man, I was doing that thing when I could have been doing it so much better?". And I feel so hopeful for the future.


We're retiring later and later, working more per week, purchasing power is going down, quality of goods is going down, life expectancy is decreasing, child mortality is increasing, teenage suicide is increasing, illiteracy is increasing, &c.

But trust us, this time we'll do incredible things; the same things, but more of it, faster and cheaper, will automatically make things amazing!


Crime rates going down and down. Purchasing power grows everywhere in the world (but we want much nicer things now, so we don't feel it). Travel is more accessible than it ever was in human history. Information keeps getting more and more accessible.

And literacy rates are increasing. I don't know why you say it's not, just google "literacy rates trend".


Efficiency gains have primarily benefited the capital owners. Workers' ability to buy essentials like housing and healthcare has not gotten worse, not better.

I can cover every wall of my living space in flat screen color television more cheaply than feed, house, heal, and educate another child in my family.


I started reading about the industrial revolutions and the evolution of capitalism recently. And it is my understanding that something similar was happening around the second industrial revolution - normal people barely making a living while owners of massive factories and other "means of production" were getting richer and richer.

That's why communism got so popular in some places and why after capitalism won, it demonized communism so much that people now think those are the only two options and communism is the bad one so capitalism must be the good one.

There are other options like mutualism or market socialism and people (including me until recently) have never heard of them.

Cooperatives exist and most people don't even know what that word means.

We need a system where ownership of both the means of production and, more importantly, the product goes to the workers. If production is more effective with an assistant ("manager") overseeing them, then they can hire one and negotiate his salary collectively. If they need an investment, they can quantify the risk and agree how much the investor gets in return after how long, but it should not give the investor a massive chunk of or complete ownership - at most it should give small ownership according to his hourly rate compared to other workers.


> Purchasing power grows everywhere in the world

Sure consumer goods are cheaper, but I don't need more "stuff". The essentials I need for my family: food, energy, housing, and most importantly time are much less accessible. Sure, we could buy bulk, move to a LCOL area and work remote, but not everyone can do that.

This is the trend that a lot of people in my generation complain about.


> Crime rates going down and down.

This scares me. Humans are getting so domesticated and docile they might soon be content with being pets. I am not sure US independence or French revolution could happen today.

I am obviously not a fan of crime against other peaceful individuals. But crime against an oppressive regime is still crime by that regime's rules.


> We're retiring later and later, working more per week

That may be true. But, if somebody offered me a time machine to travel back in time and live at any point in history, would I take it? Hell no.

> purchasing power is going down

That is not a new thing.

> quality of goods is going down

Phones are better. Computers are better. Cars, planes, washing machines ...

> life expectancy is decreasing

On the whole, this is not the case.

> child mortality is increasing

Globally?

> illiteracy is increasing

Globally?

You seem to have a negative view of things. And sure, many things are not great. But the examples you gave are not it.


Ya some people don't know the difference between their country falling apart versus the world falling apart.

What does it matter the world gets better when your neighbors do worse?

If all but one of my neighbors were improving, why would I focus on the one that insists on repeatedly shooting itself in the dick?

The other people in the world who aren’t your neighbors are also people.

But no one in their right mind cares more about other people in the world than about himself and those closest to him.

> their country

Not even, I was taking the US as an example because they're at the front of this "tech will deliver us" hypothesis


We've passed 7 of 9 climate tipping points so there's that. What kind of view do you expect a person to have if they pay any sort of attention?

> But, if somebody offered me a time machine to travel back in time and live at any point in history, would I take it? Hell no.

If given a choice I would rather be born in 1940s. 80 years of relative peace, prosperity, cheap education, cheap housing, only single parent needs to work, stronger community network, less overpopulation, better access to doctors, better wealth equality, and you get to partake in the first generation of computers before computers became a method of spying and manipulation of purchasing decisions. Honestly I would much rather be hacking on v6 unix than what I am currently doing.

Sign me up.


> only single parent needs to work

I always wondered how much truth there was to that.

Turns out in the 1950s it was true for 65% of households. In the 1960s it dropped to 40%, then in the 70s to 30%, and in the 90s it landed at 20%.

So while you could support a family on a single income, it still was quite far from universally true and only most likely in the 50’s.


Would you want to be born a girl in the 1940s? How about as a non white person? And that is assuming you were even born in the US.

Before women had the ability to be professionals earning real money, or access to birth control and many, many other types of healthcare specific to women. Before no fault divorce and before rape within marriage was outlawed?

Decades before the Civil Rights Act and Jim Crow laws still existed?

> better access to doctors

I would take a nurse today over a doctor from the 1940s. The amount of advancement in healthcare between 1940 and today, even just over-the-counter stuff or information-wise from online searches, is tremendous.


The monkey's paw curls, and you are born as any of the many many many people who did not have access to any of those things lol.

But when meeting friends, you’d have to agree in advance to a spot and time and wait aimlessly, so many times in the day. Then you’d pick up smoking or reading depending on your character.

Sounds wonderful.

Not globally, just in the place we let these things run at full speed without regulations: the US

> But, if somebody offered me a time machine to travel back in time and live at any point in history, would I take it?

This question always implies "to the high middle ages, or to 300CE". Of course I wouldn't. But to the 1990s? Probably I would.


[flagged]


If you work most jobs, whether cognitive or manual labor, after some point you can't do them anymore, due to physical and cognitive decline, medical issues, and the plain fact that you can do that shit as a hobby if you really like it, but you shouldn't need to go to some fucking office or greet people in your local Walmart in your late 60s and 70s just to survive.

We call this stopping of work at that point retirement.

How about that?


Retirement is the withdrawal from active working life, i.e. having a job. It is not a US concept.

Right, and a nice thing about software is that retirement doesn’t mean you have to stop doing what you used to do.

I’m retired (I know, I’m very lucky), and I’ve done as much or more coding since retirement than I did in my job. But to be fair, AI has really changed how I’m going about things, and I’m not sure what the future is going to bring. I really worry about my adult children and their careers.


[flagged]


The notion that one's economic output is equal to one's worth as a person seems pretty wrong-headed, when considering what the purpose of life is.

>when considering what the purpose of life is.

And what is that exactly?

At best we seem to be rather large containers to ensure that genes get replicated.


That's for us to decide as individuals.

How can something be both wrong and subjective?

no contest on the first part, but can you enlighten on what is the purpose of life?

What point are you trying to make?

Point being that at no point in your life are you bound to be defined by "job"-"retirement" state transition.

Shed it already.


When your job and commute are 70% of your awake time, I can assure you that you are very well defined by your job.

Only if your life is so insignificant and your interests and social circle so narrow that your paid gig determines the whole of it and is your sole purpose.

But if it ain't so, there is effectively no retirement?

Not having a job anymore is very different from not "doing things" at all.

So you're telling me that if you won $1b tomorrow you wouldn't know what to do besides continuing your 9 to 5 until you die?

It's the part where you stop being a wage slave and can enjoy some freedom, I know, such an alien concept

Funny, I also accidentally formatted my dad’s hard drive, destroying work, while trying to install Red Hat, though in my case it was 6.2 “Zoot” somewhere around 1999.

And simultaneously we built this huge machine that gives us everything we need to survive on software we don't understand, ready to have it abducted by people who have never done a (positively) productive thing in their lives seemingly any moment now. Monkeys with computers.

Humans are not smart enough.

People are either proactive or reactive. Proactive think about the system and its incentives and how to align them for everyone's benefit. Reactive people only complain after they have been exploited.

Most people are reactive.

If AI is not a scam, we're gonna see a massive wave of unemployment and only then will many people realize they have spent half of their waking hours making someone else richer and they have no control over what they created.

And I don't mean just those who build AI. I mean everyone whose work isn't mostly manual/physical.

They're OK with open source code being turned into statistical patterns and plagiarized en masse. They will only start complaining once their work has been stolen and they are broke.


This is the history of every empire.

It's also why every empire in history collapsed.


>I look back each time and I think "man, I was doing that thing when I could have been doing it so much better?". And I feel so hopeful for the future.

The future appears now to be: "Young kids won't have this sense of wonder, or control of the machine, anymore. And a whole lot less will now have a career in IT either".


Learning the lower layer felt like earning access to the next level of reality. You had to understand the constraints to make anything happen at all. Now it increasingly feels like you can just describe the intent and skip straight to the outcome.

I thought for a moment you were serious, but the line about us doing wonderful things with tech gave it away as satire. Yeah no. Best we can do is technofascism and surveillance state. Glad you're happy though!

Some people have apparently been using it as a notepad. See the following: https://www.nature.com/articles/d41586-025-04064-7

In my case, I would rather keep it than lose it. It's just text, so a small amount of data. You can trivially get a GPT embedding for it and search it in DuckDB later for things you asked.


This is a classic problem when people try to find "the current price" of something. A typical error is to take an average of the current rentals currently on the market and describe that as the average rental cost somewhere. Usually the book is so thin that a few places being taken off the market will shift the price a lot while most people can be paying something like half of that and every rental that lists for less than the clearing price is acquired so rapidly that any sampling method will reliably miss it.

Passkeys have way too many footguns for me. If I use my phone to sign in I'm going to accidentally create a passkey there in an iOS embedded webview. When I use Google Chrome, the website won't give me any information to find where I stored the passkey. Was it in the iOS keyring? Chrome? My Bitwarden? If I had any discipline around this it would make sense, but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.

I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.


I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.

When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.

Some devices give me the option to use a QR code. I like that option usually; I can easily use my phone to authenticate. But sometimes I can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.

I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.


Passkeys IMO will only work with dedicated U2F/FIDO keys like Yubikeys.

Beware that Passkey storage is limited though and I don't think you can reuse one for multiple sites. My Yubikey 5 NFC stores up to 32 and you should have some redundancy if you ever lose it. You also can't export them. I only use passkeys (in Bitwarden) for things I don't care about.

Passkeys on iOS and macOS actually work quite well in that regard. They get stored in your provider of choice across the web, web views, apps etc., at least in my experience.

Mine is Bitwarden, and that's available on pretty much all platforms, natively where available (except on macOS currently), as a browser extension otherwise.

For the rare instance in which I need to authenticate using a passkey on a computer where I'm not logged into Bitwarden, there's the cross-device CaBLE flow where I can scan a QR code with my phone and use Bitwarden to authenticate. This works across OSes and browsers.


The problem with passkeys is that they aren’t exportable (at least from Bitwarden).

> This works across OSes and browsers.

It doesn't work for me in Firefox on Linux. I'm very curious to know how it works for you.


Does their Firefox extension not inject its own WebAuthN implementation into every visited site on Linux? It does for me on macOS (i.e. it overrides the OS/browser-provided one).

Is this really how password managers extensions work? They inject arbitrary javascript in every page you visit?

I would have naively thought that there'd be a better and safer API for it, considering that all browsers already have the infrastructure in place to handle login autocomplete.


As someone that uses a YubiKey for WebAuthN - I really wish Bitwarden didn't do this. I know I can turn it off, but it's a bad default.

except... I store my password for work in Bitwarden, so I don't want to also keep my work passkeys in the same place. For my personal stuff, that is a risk I can live with so far, but for work it seems dumb.

Your Bitwarden should enforce the necessary 2-Factor auth for this scenario, but if you’re worried just make sure to be careful when registering that single passkey.

Yeah, definitely don’t mix work and personal credentials. But many password managers allow using different accounts/vaults on one machine.

Yup. I hate them. I get the problem they're trying to solve, it just seems like I have more work to do... and I honestly don't even follow what is going on sometimes.

I recently moved to a new computer and it's just an AUTHHELLSCAPE.


I truly don't see the advantage of passkeys over a password manager like bitwarden, with random passwords.

The main benefit is you will never put your passkey on a phishing site. Password managers provide some protections against it because if they do not work automatically on a website you know something is fishy, but sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.

The problem is whether or not the benefit outweighs the additional risks introduced — losing account access when you lose a device, furthering device lock down, difficulty transferring the passkey between devices, UX degradation due to bad implementation. In my opinion the answer is no and I am sticking with my passwords.


> sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.

Unfortunately, it’s exactly those websites that I think would be unlikely to support passkeys at all.


The advantage is that the password never leaves the device. It has a public key and signs challenges with the private key, but nothing sensitive goes over the wire on every login.

It should be noted that that is not an inherent advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade.

Sure, but then you still need a protocol between user agent and website. If you just do this in Javascript, you're not protected against phishing sites just forwarding the password entered directly.

Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain


> Sure, but then you still need a protocol between user agent and website.

Yes of course. Just like you do for passkeys.

> Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain

No, not quite. It's written on there:

> "Login" with your passphrase, and you can create non-discoverable WebAuthN credentials (don't call them passkeys, but definitely be reminded of them) at ~all~ some websites supporting them (...)

That's the thing: with passwords, a website/app cannot prevent you from controlling the password yourself. With passkeys and attestation it can.


But attestation for passkeys is dead. Neither Apple's, nor Google's implementation (with negligible exceptions) support it anymore, so any site demanding attestation will immediately disqualify > 99% of all potential users.

Some still might, e.g. for corporate or high security contexts, but I don't think it'll become a mass-adopted thing if things don't somehow drastically change course.


It's still in the standard. They could remove it, but they don't, so from my perspective it's just like how Google wasn't evil. Until they decided otherwise.

> It's still in the standard.

Yes, because hardware authenticators (like Yubikeys) still commonly support it, and it makes sense there.

I guess they could add an explicit remark like "synchronized credentials must not support attestation", and given the amount of FUD this regularly seems to generate I'd appreciate that. But attestation semantics seem to be governed more by FIDO than the W3C, so putting that in the WebAuthN spec would be a bit awkward, I think.


Hm, I disagree. I prefer if the user has the freedom to choose how they want to do things. At the cost of some users choosing the wrong way and then getting problems. It's a question of balance, but when I look at recent tech/internet history, I tend to not want to give central authorities any more power than they already have.

Ideally, sure, but the reality is just that some entities are not only reputationally, but also legally required to bear the liability for account takeovers.

In other words, you have a principal-agent problem: Users doing custom software passkey acrobatics and the banks liable for any funds lost.

Preferably, use of attestation should be limited to these (and enterprise) scenarios, and I do share the concern of others starting to use them as weak proofs of humanity etc.


> Ideally, sure, but the reality is just that some entities are not only reputationally, but also legally required to bear the liability for account takeovers.

Seems like an absolutely rare edge case to me. Or maybe even just a misunderstanding. I doubt there is a law that says that. If anything, I could imagine a law saying that a company has to take "sufficient precautions".

But even if what you say were to be true - that's not something to solve with tech. That means the law should be changed.


is it fair to say all passkey implementations have this advantage while only some password implementations can match?

It is absolutely unfair to say it. Just like passwords stored in a password manager, passkeys can be copied out of the device for safekeeping. Because you can copy them out, a user can be induced to give them to someone.

I saw passkey boosters go very, very rapidly from "Passkeys are immune to phishing!" to "Passkeys are phishing resistant!" when lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.


That qualifies as "immune to phishing" as far as I'm concerned. No reasonable person using a reasonable implementation will ever be successfully victimized in that manner.

We need to stop pretending that padded cells for the criminally incompetent are a desirable design target. If you are too stupid to realize that you are being taken for a ride when asked to go through a manual export process and fork over sensitive information (in this case your passkeys) to a third party then you have no business managing sensitive information to begin with. Such people should not have online accounts. We should not design technology to accommodate that level of incompetence.

If you can't stop driving your car into pedestrians in crosswalks you lose your license. If you can't stop handing over your bank account number to strangers who call you on the phone you lose all of your money. If you eat rotten food you get sick and possibly die. If you hop a fence and proceed to fall off of the cliff behind it you will most likely perish. To some extent the world inherently has sharp edges and we need to stop pretending that it doesn't because when we do that it makes the world a worse place.


> passkeys can be copied out of the device for safekeeping

You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

> lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

Millions of people use them without being able to move them around in the way you describe.


> You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

Pardon? The official support docs disagree with you [0][1][2]. They absolutely leave the device.

Other passkey managers let them leave the device in a way that you control, but even the default ones copy them off the system they were created on.

[0] <https://support.google.com/accounts/answer/6197437?hl=en&co=...>

[1] <https://support.apple.com/guide/iphone/passwords-devices-iph...>

[2] Examine the "Can I use passkeys across multiple devices?" Q and its A here: <https://support.microsoft.com/en-us/windows/passkeys-frequen...>


Yes, they're synchronized, but I wouldn't call that "copying them out", as that to me implies somehow getting access to the raw private key or root secret bytes.

Both Apple and Google have pretty elaborate ceremonies for adding a new device to an existing account in a way that synchronizes over passkeys.


> ...as that to me implies somehow getting access to the raw private key or root secret bytes.

When passkeys were first introduced, they were 100% stuck to the device on which they were created. There was absolutely no real way to copy them off. This is when proponents were -correctly- making the claim that they were immune to phishing.

When lots of users (who -notably- were not supported by whole-ass IT departments who set up and run systems that handle provisioning and enrolling new devices) started using passkeys, the correctness of the thing that many non-boosters were screaming ("You have to have a way to back these up and move them between devices!") became abundantly clear. Passkeys became something that could be copied off of devices, and proponents -correctly- switched to the claim "Passkeys are phishing resistant".

Once things switched around so that passkeys were no longer stuck on a single device, third-party managers got the ability to manage and copy passkeys. [0]

Hopefully it's now clear that the shift from "they never leave the device" to "they do leave the device" (and the consequences of this change) is what I'm talking about.

[0] At least, they will for the next five, ten years until the big players decide that it's okay to use attestation to lock them out to "enhance security".


It sounds like part of the problem is that two rather separate standards of "phishing" are getting conflated:

1. "Hi, I'm your bank, log in just like you normally do." (Passkeys immune.)

2. "Hi, I'm your bank, do something strange I've never ever asked you to do before by uploading some special files or running this sketchy program." (Passkeys just resist.)

The problem with the expansive definition is it basically starts to encompass every kind of trick or social-engineering ever.


The benefit is that they aren't phishable.

They're more accessible to people who don't understand computer security?

The main advantage is how strictly limited export of the passkey secret is. It is very unlikely for it to ever be phished or copied.

There’s another foot gun I wrote about recently:

https://cedwards.xyz/passkeys-are-not-2fa/


I was reading your other blog post about storing them in bitwarden I have to disagree with this point:

> Unless you were forced to by some organisational policy, there’s no point setting up 2FA only to reduce the effective security to 1FA because of convenience features.

2FA both stored in your password manager is less secure than storing them separately, but it still offers security compared to a single factor. The attack methods you mentioned (RAT, keylogger) require your device to be compromised, and if your device is not compromised 2FA will help you.

To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

Also I really like the style and font of your blog.


> To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

But how is that not the entire point? If your 2FA is a proper device, like a Yubikey, the attack surface is tinier than tiny and the device ensures that your secret never leaves the device.

We did see cases of passwords managers getting compromised. We haven't seen yet a secret being extracted from a Yubikey.

So where you say you consider that your software (password manager) getting compromised is total compromise, we're saying: "as long as the HSM on a Yubikey does its job, we have actual 2FA and there cannot be a total compromise".


You're right, I should have been more clear in that I meant a local compromise of the machine running the password manager client, not the server running the password manager itself. If my sessions and all of my data can be intercepted, the yubikey 2fa seems like it's only saving me from a token "nobody can login remotely to this one service" which at that point seems pretty moot

Yubikey offers a false sense of security in that regard, unfortunately, because if your device is thoroughly 0wned and you don't know it, the attacker "just" has to wait for the victim to do something that would trigger the yubikey, and then swap in their forged request instead. Eg if the victim uses the yubikey to log into bank1 and to crypto wallet, but bank1 accounts have no money, instead of waiting for the customer to log into their crypto wallet with the yubikey, the attack software waits for the victim to log into bank1, but swaps in a request to the crypto wallet instead.

Not sure I understand your point. Under WebAuthn / FIDO2 you can't impersonate an RP.

Could you explain better?
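The three mechanics argued over in this sub-thread (the authenticator only ever sends a signature over a challenge, never a secret; a credential can be derived statelessly from one passphrase plus the relying-party ID, the idea behind the brainchain link above; and an assertion made for one RP cannot be passed off to another) are shown in the added example below. It is not code from any commenter or from the brainchain project: it uses ES256 (ECDSA P-256 with SHA-256, the default WebAuthn algorithm) via the `cryptography` package, simplifies the RP ID to the origin's host, and every origin, passphrase and challenge in it is constructed for the illustration.

```python
"""Added example: WebAuthn-style assertion signing and relying-party verification.
Not the thread's or the brainchain project's code; requires the 'cryptography' package.
All origins, passphrases and challenges are constructed for the illustration."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Order of the P-256 base point (n), used to map a derived seed into a valid scalar.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_private_key(passphrase: str, rp_id: str) -> ec.EllipticCurvePrivateKey:
    """Stateless credential (the brainchain idea, re-implemented here): the scalar depends only
    on the passphrase and rp_id, so a look-alike domain gets an unrelated key and the RP
    stores nothing but the public key."""
    seed = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"rp-id:" + rp_id.encode(), 100_000)
    scalar = int.from_bytes(seed, "big") % (P256_ORDER - 1) + 1  # in [1, n-1]; bias is negligible
    return ec.derive_private_key(scalar, ec.SECP256R1())


def browser_get_assertion(passphrase: str, origin: str, challenge: bytes) -> dict:
    """Models the user agent: it, not the web page, fills in origin and rp_id (simplified to the
    origin's host), then the authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP bit set) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = derive_private_key(passphrase, rp_id).sign(signed, ec.ECDSA(hashes.SHA256()))
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}


def rp_verify(pub, rp_id: str, expected_origin: str, expected_challenge: bytes, assertion: dict) -> str:
    """Relying-party checks in the order the WebAuthn spec lists them; returns 'ok' or the failing check."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    try:
        pub.verify(assertion["signature"], signed, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "bad signature"
    return "ok"


def run_scenarios(passphrase: str = "correct horse battery staple") -> dict:
    """Constructed scenarios: one honest login and four misuse attempts, each returning the RP's verdict."""
    bank, wallet = "https://bank1.example", "https://wallet.example"
    # Registration: each RP stores only the public key derived for its own rp_id.
    bank_pub = derive_private_key(passphrase, "bank1.example").public_key()
    wallet_pub = derive_private_key(passphrase, "wallet.example").public_key()
    results = {}

    challenge = secrets.token_bytes(32)
    a = browser_get_assertion(passphrase, bank, challenge)
    results["legitimate login"] = rp_verify(bank_pub, "bank1.example", bank, challenge, a)

    # A look-alike site relays the bank's real challenge; the browser signs for the look-alike origin.
    challenge = secrets.token_bytes(32)
    a = browser_get_assertion(passphrase, "https://bank1-login.example", challenge)
    results["relayed from phishing site"] = rp_verify(bank_pub, "bank1.example", bank, challenge, a)

    # Same relay, but with origin and rpIdHash patched to the bank's values before forwarding:
    # both fields are under the signature, so the patched assertion fails the signature check.
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = bank
    patched = {
        "authenticatorData": hashlib.sha256(b"bank1.example").digest() + a["authenticatorData"][32:],
        "clientDataJSON": json.dumps(cd, separators=(",", ":")).encode(),
        "signature": a["signature"],
    }
    results["origin field patched"] = rp_verify(bank_pub, "bank1.example", bank, challenge, patched)

    # An assertion the user made for the bank is presented to the wallet instead.
    challenge = secrets.token_bytes(32)
    a = browser_get_assertion(passphrase, bank, challenge)
    results["bank assertion sent to wallet"] = rp_verify(wallet_pub, "wallet.example", wallet, challenge, a)

    # A captured assertion is replayed against a fresh challenge.
    results["replayed assertion"] = rp_verify(bank_pub, "bank1.example", bank, secrets.token_bytes(32), a)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The point the scenarios make is that the user contributes nothing to the origin, rpIdHash or challenge fields: the browser and authenticator fill them in and the signature covers all of them, so a relayed, patched, cross-RP or replayed assertion is rejected by a check the user never had to perform. That is what "can't impersonate an RP" means in practice; it says nothing about what malware running on the same machine can do after a genuine login succeeds, which is the separate scenario raised further down.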


If the user's computer is pwned, you can wait for the user to log in to their bank account, then blank the screen while you send yourself all their money.

This isn't a footgun, you just have absurd security requirements.

>It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless.

You simply do not need two factors with passkeys. Using passkeys is not pointless, they are vastly more secure than most combined password+2fa solutions.

There are extremely few contexts where a Yubikey would be meaningfully safer than the secure element in your MacBook.


2FA is more secure than 1FA even if that one has a high security level

To be clear. Proper 2FA, via something like a smartcard or any truly external device is still much more secure. You could have one of those factors be a passkey, that's fine, and may be a good idea.

But there are UX issues with passkeys as well, that aren't all well addressed. My biggest gripe is that there is often no way to migrate from one passkey provider to another, though apparently there may be a standard for this in the works?


Are you saying that two weak factors are more secure than one strong factor?

If they are on totally isolated hardware then maybe

Not who you are replying to. But a yubikey is not a weak factor.

In fact, it’s not even meaningfully more secure than a passkey (as passkeys are designed) - passkeys are, however, more convenient.

So it’s more ‘one weak factor + (really times) one medium/strong factor’ vs ‘one medium/strong factor’.

Which yes, the first one is better in every way from a security perspective. At least in isolation.

The tricky part is that passkeys for most users are way more convenient, meaning they’ll actually get used more, which means if adopted they’ll likely result in more actual security on average.

Yubikeys work well if you’re paying attention, have a security mindset, don’t lose them, etc. which good luck for your average user.


If 2fa is "use the second factor that's on the same device as the first factor" (like when using phone apps in many cases: password + 2fa from email/sms/authenticator app on the same device), I disagree.

If I get your password, and you use 2fa that's stored on your phone, does that improve your security position or not?

Nonsense, depends entirely on the value of the authentication factor.

You missed this:

>which lives in the same password manager

I'm not talking about Apple passkeys here, which are NOT stored in the Secure Element to my knowledge anyway.

I don't see passkeys as a 2FA replacement. If they're only secured in software and live in memory, as is often the case with password managers, they're too easy to compromise.


How is it not 2FA? It's MacBook + Fingerprint.

It's not 2fa if you assume some catastrophic exploit chain that allows an attacker to dump your MacBook's secure element.

I don't think that's a reasonable assumption for most people, and you're screwed in that situation even if you use yubikeys.


> It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless.

If your password manager is itself protected by two factors, I'd still call this two-factor authentication.


Passkeys are meant to replace passwords. Not being second factors is the point.

Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor.

That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.

I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not.

And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.

Someone's gotta tell all these SaaS about that if so, because currently everyone is treating Passkeys as an alternative to 2FA. Take a look at how GitHub handles it, for example: when you use TOTP, they'll ask you to replace TOTP with passkeys.

They are an alternative to 2FA. Which means they aren't 2FA. If they were 2FA, they wouldn't be an alternative to 2FA. They'd just be 2FA.

Anyway, passkeys and FIDO broadly aren't the same thing. You can read the definition of passkeys at https://fidoalliance.org/passkeys/ or look at any of the marketing, which invariably talks about how great it is that you don't have to futz with passwords anymore.

FIDO credentials in general can obviously also be used as second factors. This is baked into the name of the original standard: U2F, Universal 2nd Factor. The specific point of passkeys though is that they're the single factor.


Many do what you describe, probably because some manager somewhere needs to tick some checkbox.

But GitHub, specifically, allows you to sign in with a passkey. On the sign-in page, there's a "sign in with passkey" link. It activates my 1Password extension, asking if I want to use my passkey. I say yes, and I'm in, I don't type anything. This also works the same way with my YubiKey.


Embedded webviews are the stupidest thing ever. Yesterday I got halfway through a checkout process, had to go back to another app to check something, and then the webview simply disappeared, so I didn't bother finishing the checkout. This was on Android.

Usually I open it in Chrome, but for some reason I didn't realize it was a webview this time.


Embedded WebViews are a way to track you:

https://news.ycombinator.com/item?id=32514793


I disable them on every app that lets me. It is in every way worse UX than simply opening the browser.

God yes that. Our VPN client fell over the other day because the auth popup opens an embedded web browser which throws a javascript error as it's bouncing through our ID provider pages. How the fuck we got there I don't know. Everything is a gigantic Heath Robinson contraption.

I just use iOS' wallet for all of it, the only exception being if it's something I 100% need to open outside of my iPhone / Macs. Then I go for Bitwarden. Turns out I don't need any apps to open outside of that sandbox; I am okay only opening these up on Mac. I can always type my password on Linux. That's what Bitwarden is for anyway.

The system always asks where you want to store it, and all passkey managers vend to the system prompt with labels so you can see where it is.

This is not an issue on iOS, I can’t tell how what you’re describing could happen.


>If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.

The problem is not with passkeys; rather, systems such as iOS keep a tight lid on how files are uploaded to and retrieved from the device. There is a real disconnect between desktop and mobile file systems nowadays.


You can just use bitwarden everywhere if you are ok with it in the cloud.

I do use Bitwarden everywhere but a couple of times the passkey prompt doesn't show it. I think that's how I got the webview for one of my google accounts stored in iOS keychain.

Anytime you save to your iOS keychain you’re doing so through the system prompt and Bitwarden should be included as a target option in that prompt.

If it’s not, that’s a Bitwarden issue. 1Password shows up in the system UI regardless of context on iOS.


Tell that to my mom who has created a bunch of passkeys all over the place without knowing what they are. I'm trying to unwind it but it's a mess.

Passkeys are an antipattern in UX design. You want to make it simple for the users? Great! But stop treating them as too stupid to decide anything on their own. Stop locking them out of the decision loop and doing things behind their back. This is practically the corporate design philosophy of the past two decades. You can see this a lot in smartphone design.

I keep asking what advantages passkeys offer over TLS self-signed client certificates. I haven't got any answers so far. Perhaps increase the security by encrypting the private key with a password or an external token. This is safe, like SSH and unlike regular passwords, because no secrets are sent to the server. TLS certs and (encrypted) keys are more tangible and easier to manage.

Perhaps passkeys do offer some advantages over TLS certs. But can't those be added to TLS, rather than rolling out an entirely new system? The infuriating part is that this facility exists in browsers. They just let it rot to an extent that it's practically unusable. Meanwhile, Gemini browsers are using it quite successfully (for those who use Gemini).


Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to.

Their only difference is the automated provisioning.


> Passkeys ARE self-signed certs.

So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around?


You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc.


Please check how the client certificate interface of Lagrange, the Gemini browser, works. It's nowhere near as complicated as you make it out to be. No passkey interface I've seen is as clear as this one. It automatically provisions the certificate (optional; you can share certs among services if you prefer) and associates it with the correct service. So no complicated stuff. It prompts you at the correct time for permission in the clearest way possible. It's like an integrated password manager where your credentials are just files - sort of. That's all that a regular user needs to know about them. It can be exported, imported, backed up, synced, and what not.

Gemini strives to finish an entire request in a single transaction. So TLS certs are really the only option for authentication. That's how I learned the elegance of TLS client authentication workflow and started asking why this is so neglected in web browsers.


TLS based authentication is even worse. It’s the wrong layer in today’s Internet, given Cloudflare, load balancers etc.

Not everybody trusts whatever first hop terminates TLS to also do authentication, and it completely falls flat at non-repudiation for transaction approval.


You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc.


Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself.

If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys.


Okay. So they took a solution that was in a barely-working state due to their deliberate neglect, and still managed to give a bad new UX when they got the opportunity to rework it?

> "they can't be provisioned by the website itself."

It's funny, we used to have an HTML tag that would do exactly that: <keygen />


“All of the place” meaning where? There’s only a few places you can put them and they’re all more secure than passwords so it sounds like not a huge issue.

Doesn't need to be in the cloud for it to work everywhere.

True. You can self-host.

For this reason I am avoiding it like the plague. It is an additional way to fingerprint your activity, and the scenarios where you migrate your passkeys from one device to another seem not really well "oiled".

How can passkeys be used to fingerprint you? The WebAuthN extension goes to pretty great lengths to avoid fingerprinting.

Don't they get associated to a particular device?

Yes, but they're used, by design, to authenticate you.

Even revealing the fact that a given passkey exists on your device requires your active confirmation according to the spec, so unless you actually want to authenticate and click the corresponding button, the site learns nothing about you (other than that your browser theoretically supports WebAuthN, which most do these days, so that's significantly less than one bit of fingerprinting data on you).

In other words, you can't be fingerprinted by WebAuthN, unless there's a (pretty severe) bug in an implementation.


No, they can be synced.

TIL, thanks

This is a pretty classic mistake most people who are in high-profile companies make. They think that some degree of appealing to people who were their erstwhile opponents will win them allies. But modern popular ethics are the Grim Trigger and the Copenhagen Interpretation of Ethics. You cannot pass the purity test. One might even speculate that passing the purity test wouldn't do anything to get you acceptance.

Personally, I wish that the political alignment I favour was as Big Tent as Donald Trump's administration is. I think he can get Zohran Mamdani in the room and say "it's fine; say you think I'm a fascist" and then nonetheless get what he wants. But it just so happens that the other side isn't so. So such is life. We lose and our allies dwindle since anyone who would make an overture to us, we punish for the sin of not having been born a steadfast believer.

Our ideals are "If you weren't born supporting this cause, we will punish you for joining it as if you were an opponent". I don't think that's the path to getting what one wants.


> political alignment I favour was as Big Tent as Donald Trump's administration is

I'm not sure how accurate this sentiment is. Your desire is to embrace your enemy without resolving the differences, and get what you want. It's not clear here if you're advocating compromise and negotiation, or just embracing for the sake of embracing while just doing what you wanted all along.

And evaluating Trump's actions against this sentiment doesn't seem to be the negotiation and compromise interpretation. Given the situation with tariffs and ICE enforcement, there is no indication of negotiation or compromise other than complete fealty/domination.

So, as grandiose and noble as your sentiment is, Donald Trump is hardly the epitome of it as you seem to suggest.


I think the differences in this situation were that I do not want AI used in domestic surveillance or autonomous weapons, and Anthropic holds to that position.

I think Donald Trump has pretty much let Zohran Mamdani operate without applying the kind of political pressure he has applied to other people, notably his predecessor Eric Adams. Also, I think saying "let people be your allies when they take your position" is less "grandiose and noble" than demanding someone agree on all counts before you will accept any political alignment. But it's fine if everyone else disagrees. It's possible there really just isn't a political group which will accept my views and while that's unfortunate because it means I can't get all that I want, I think it'll be okay.

One could reasonably argue that the meta-position is to either join the Republicans full-bore (somewhat unavailable to me) or to at least play the purity test game solely because that's the only way to have any influence on outcomes. If it comes to that, I'll do it.


You are making a mistake in thinking that Trump thinks of these things in political terms. Trump sees a charismatic and popular politician and he wants to associate with them on that basis alone, because Trump has a deep psychological need to be liked. Mamdani understands his psychology and is able to exploit it well by playing his own attributes to his advantage.

Politically, it's not like Trump tolerates dissent within the Republican party, he constantly threatens and berates anyone who shows defiance into submission. It's precisely because Mamdani is not in his tent and not really much of a threat to his power that he is willing to deal with him that way.


I don't understand, your position is the same as Anthropic, yet you disagree with their stance?

And I wouldn't take the case of Trump and Mamdani as the exemplar of Trump's overall behavior towards opponents. The amount of evidence to the contrary is overwhelming.


Anthropic's adherence to their stated principles was never tested and their willingness to work with DoD made it seem like they didn't stand by them strongly so I wasn't happy with that. This action shows that they are willing to lose big contracts in order to stand by their stated principles. I like that.

In any case, I think I've said all there is for me to say on the subject and everyone seems to disagree. I'll take the hint.


> he can get Zohran Mamdani in the room and say "it's fine; say you think I'm a fascist" and then nonetheless get what he wants.

Is your perception that warped? Mamdani is the one who knows how to play Trump as a fiddle, and the one who walks away with something from the exchange.


Zohran Mamdani has yet to demonstrate that he poses any serious impediment to Trump and the agenda of Trump's owners.

I think there is a marked difference in Trump's rhetoric v Mamdani prior to the meeting at the White House and after.

I think you are extrapolating a bit too far from an outlier data point. Trump has had several other meetings (eg. Zelenskyy) go sideways for no apparent reason.

And he has had several meetings change his opinion of the other party for no apparent reason (e.g. Zelenskyy).

Extrapolation is futile.


Your contention that Trump's administration is big tent is risible.

Political witch hunts, women and minorities forced out of the military, and kicking out all the allied countries that used to be in the tent with us?

Bullshit of the finest caliber.


Yes, the Trump administration is a big tent of politicians who hold incompatible opinions and are allowed to stay as long as they display personal allegiance to Trump.

The way people ask for things like this is "Young people shouldn't be allowed to do X" and "Websites shouldn't be allowed to collect user data to determine if the people are underage" and so on. The intersection of all the things that "tax paying citizens" want is usually something patently absurd.

I couldn't read it except on archive.org. Here's the link, to save people trouble: https://web.archive.org/web/20260227201321/https://www.origa...

That loses some of the pictures. Especially the one of their custom motor, which is the new development.

Thanks, we've added that to the toptext also.

To be honest, anyone with a Claude Code subscription can just write their own in moments. My own assistant has its own email address and Apple ID and interacts primarily via a Telegram bot. I share my calendar with it and my email syncs down and is indexed, but it sends email via its own Gmail account.

The interesting part about OpenClaw is that if you give a world-class model an arbitrary number of skills then emergent behavior mimicking intelligent assistance appears. The structural pieces of that are just long-term memory, an agentic loop, a messaging system, and self-modification.

You can get something quite functional out of:

* A memory.md

* A hand-rolled agent loop (this is just "keep calling till num tries exhausted or agent says stop") - Claude knows how to write OpenAI function call syntax and Codex tool call syntax

* A Telegram bot

* Access to a persistent filesystem for it to build itself skills

It can be quite expensive to run, but a trick that is supported[0] is to use a Codex subscription by getting a codex cli token and using that. OpenAI explicitly supports this, so you can just use it.

You can try to make improvements to this structure in all sorts of ways using all sorts of tools and get somewhere but this much is all you need. You really have to just give yourself 2 hours with Claude Code and a similar prompt to get somewhere. This is the first time in history that personal software has been this accessible to everyone.

0: someone here told me about it https://news.ycombinator.com/item?id=47151310


Made a mistake reading this thread on Safari where I don't have the usual suspects blocked. Some guy read that this converts to paid and then a bunch of people just kept repeating it. A real lesson in how many people are simply repeating things without knowing anything.

One guy had a misunderstanding and it was corrected. The rest is saying that it's like a time limited trial at the end of which they are hoping to have you as a paid customer, which seems accurate.

How do you block on HN?

I have a Chrome extension here https://overmod.org/ with some lists of likes/dislikes. But these days you can trivially reimplement it yourself without the server and just using Chrome sync (or use the extension, it has local sync as well). If you want, point Claude Code at this repo of mine https://github.com/TechnologyBrotherhood/overmod-extension and it can pretty quickly write you a copy (it doesn't actually need the reference, but it might help skip some questions).

Thanks, this'll be very useful.

Right? People worry about the amount of LLM slop comments appearing on HN; we humans often do an even better job of writing nonsense. Would be fascinating to see what percentage of HN users only ever read the post title and never the contents of the link.

Redirects are fun but there are way more than I actually routinely use. One thing I do is the file redirects.

    diff <(seq 1 20) <(seq 1 10)
I do that with diff <(xxd -r file.bin) <(xxd -r otherfile.bin) sometimes when I should expect things to line up and want to see where things break.

Calling process substitution a file redirect is a bit misleading, because it is implemented with named pipes, which becomes relevant when the command tries to seek in them, which then fails.

That is also the reason why Zsh has an additional =(command) construct, which uses temporary files instead.


It's a shame that unix tools don't support file descriptors better. The ability to pass a file (or stream, or socket etc) directly into a process is so powerful, but few commands actually support being used this way and require filenames (or hostnames, etc) instead. Shell is so limited in this regard too.

It would be great to be able to open a socket in bash[^1] and pass it to another program to read/write from without having an extra socat process and pipes running (and the buffering, odd flush behaviour, etc.). It would be great if programs expected to receive input file arguments as open fds, rather than providing filenames and having the process open them itself. Sandboxing would be trivial, as would understanding the inputs and outputs of any program.

It's frustrating to me because the underlying unix system supports this so well, it's just the conventions of userspace that get in the way.

[^1]: I know about /dev/tcp, but it's very limited.


Yeah, I started to design all my (sub)programs this way. If it should also be invoked by the shell, I make a wrapper program that sets the fds correctly.
