HackerTrans
TopNewTrendsCommentsPastAskShowJobs

callahad

no profile record

comments

callahad
·قبل 8 أيام·discuss
I believe koverstreet is referring to the Linux kernel Memory Management subsystem (https://docs.kernel.org/mm/index.html)
callahad
·قبل 11 يومًا·discuss
They've absolutely both changed. The initial version I saw didn't include max effort data points on the first chart, and the plot itself was much less favorable to Sonnet at high/xhigh relative to Opus, but the new chart shows them as closer competitors. Weird.
callahad
·قبل 29 يومًا·discuss
It's a silent technology, but I'd argue it has broken through in that most of us already use it daily without knowing. Figma, Google Sheets, Disney+, Prime Video, and much more all have WebAssembly somewhere in their stack.
callahad
·قبل 6 أشهر·discuss
Can you say more about what specific things you tripped over with Starling, and which bank you moved to? Worried I'll find myself in the same boat.

It does seem like Starling has gone out of their way twice to exempt GrapheneOS from their checks, but only after users complained: https://github.com/PrivSec-dev/banking-apps-compat-report/is...
callahad
·قبل 8 أشهر·discuss
Step 5.2; the browser binds the KB-JWT to the site it's on, so Site A would receive a JWT that is only valid for Site A.
callahad
·قبل 8 أشهر·discuss
> This section could easily be done by [...]

Less easily than you'd think.

You'd have to make an authenticated cross-origin request to the issuer, which would be equivalent to mounting a Cross-Site Request Forgery (CSRF) attack against the target email providers.

Even if you could send an authenticated request, the Same Origin Policy means your site won't be able to read the result unless the issuer explicitly returns appropriate CORS headers including `Access-Control-Allow-Origin: <* or your domain>` and `Access-Control-Allow-Credentials: true` in its response.

Browsers can exempt themselves from these constraints when making requests for their own purposes, but that's not an option available to web content.

> I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?

Correct; which is going to be the main challenge for this to gain traction. We called it the "three-way cold start" in Persona: sites, issuers, and browsers are all stuck waiting for the other two to reach critical mass before it makes sense for them to adopt the protocol.

Google could probably sidestep that problem by abusing their market dominance in both the browser and issuer space, but I don't see the incentive nor do I see it being feasible for anyone else.
callahad
·قبل 8 أشهر·discuss
I largely agree, but I still think there's a compelling argument that blinding the issuer implicitly precludes API gatekeeping or censorship. Sites wouldn't need to pre-register with any issuer, nor could the issuer refuse to provide tokens on the basis of where they'll be used.
callahad
·قبل 8 أشهر·discuss
The key mitigation is that the protocol - as envisioned - is mediated by the user agent; you as a website cannot silently fire off probes that tell you anything.
callahad
·قبل 8 أشهر·discuss
The Verified Email Protocol got renamed to BrowserID, and Persona was its reference implementation.

This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.

And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.

For historic interest, the Persona After Action Report has a few key insights from when we spun down the project: https://wiki.mozilla.org/Identity/Persona_AAR
callahad
·قبل 11 شهرًا·discuss
My understanding from looking into this two years ago is that it's hit or miss for banks (depending on if they opt into device attestation stuff), no for NFC / Google Wallet, and yes for Uber / Lyft.

Apparently the common workaround for the Google Wallet stuff is to pair a GrapheneOS phone with a stock Android smartwatch.

Edit: Here's some additional information on banking apps: https://privsec.dev/posts/android/banking-applications-compa...

Apparently the common recommendation these days is to use Curve Pay as a virtual card provider on GrapheneOS, which can then route to arbitrary underlying cards. And evidently Google Wallet does work for things that aren't payment cards (airline tickets, transit passes, etc.) on GrapheneOS.
callahad
·السنة الماضية·discuss
This covers binding Cmd+Opt+[Arrows, F, C], which is all I use:

    defaults write -g NSUserKeyEquivalents -dict-add \
        "\033Window\033Move & Resize\033Left" "@~\\U2190" \
        "\033Window\033Move & Resize\033Right" "@~\\U2192" \
        "\033Window\033Move & Resize\033Top" "@~\\U2191" \
        "\033Window\033Move & Resize\033Bottom" "@~\\U2193" \
        "\033Window\033Fill" "@~F" \
        "\033Window\033Center" "@~C"
Equivalent to manually binding in System Settings -> Keyboard -> Keyboard Shortcuts -> App Shortcuts
callahad
·السنة الماضية·discuss
Same branch as beta, but with different build flags. Add-ons don't need to be signed to be installed on DevEdition, there's a DevTools button in the toolbar by default, etc.
callahad
·قبل 4 سنوات·discuss
The UK. Or at least, Northern Ireland. You won't be in a city centre, but there are new builds on offer under that mark.