HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jesseendahl

no profile record

Submissions

The Government Surveillance Reform Act of 2026 [pdf]

wyden.senate.gov
9 points·by jesseendahl·4개월 전·2 comments

comments

jesseendahl
·지난달·discuss
This part of their requirements for how PCC is architected directly addresses your concern:

“Verifiable transparency. Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees. But this last requirement, verifiable transparency, goes one step further and does away with the hypothetical: security researchers must be able to verify the security and privacy guarantees of Private Cloud Compute, and they must be able to verify that the software that’s running in the PCC production environment is the same as the software they inspected when verifying the guarantees.”
jesseendahl
·2개월 전·discuss
No, it is not. And if you fall in love and want to get married to someone on a student visa, your fiancée should not need to leave the country for a year or two to wait for paperwork to process. Which is one of the real world impacts of this change.
jesseendahl
·2개월 전·discuss
This is true at companies that treat security as a checkbox driven by compliance.

Not true at top-tier tech companies building software in product categories that by their nature have very high security requirements, like Fintech (e.g. Coinbase, Mercury bank, Wise).
jesseendahl
·3개월 전·discuss
There are so many bots/trolls on HN now, it's crazy.
jesseendahl
·3개월 전·discuss
What do you mean “just tap and hide a SMS”? Maybe my brain isn’t fully booted and I need more coffee, but I’m not understanding what this means.
jesseendahl
·4개월 전·discuss
This story was recently on first page of HN:

https://techcrunch.com/2026/03/18/fbi-is-buying-location-dat...

This is the bill referenced at the end of the TechCrunch article:

> Last week, Wyden and several other lawmakers introduced a bipartisan, bicameral bill called the Government Surveillance Reform Act, which among other things would require a court-authorized warrant before federal agencies can buy Americans’ information from data brokers.

Previous HN discussion about the TechCrunch story: https://news.ycombinator.com/item?id=47430797
jesseendahl
·4개월 전·discuss
You don't need to use anything from Apple/Google/Microsoft. Passkeys are just WebAuthn which is an open standard.
jesseendahl
·4개월 전·discuss
Passwords are terrible UX for old people in my experience. They try use the same password everywhere, but then password complexity requirements mean they can't use the exact same password everywhere, and then they forget which variant they used on which service, so they just end up going through the reset password flow every time they sign in. I am not convinced that's a better UX than them just using their fingerprint or face to login.
jesseendahl
·4개월 전·discuss
>They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck

This is the biggest myth/misconception I see repeated about passkeys all the time. It's a credential just like your password. If you forget it, you go through a reset flow where a link is sent to your email and you just setup a new one.

And if it happens to be your Gmail account that you're locked out of, you need to go through the same Google Account Recovery flow regardless of whether you're using a password or a passkey.
jesseendahl
·5개월 전·discuss
I am not sure if you missed my earlier comment, but it's directly applicable to this point you've repeatedly made:

>If Apple believes this class of attack is no longer viable, that’s worth stating.

To say it more directly this time: they do explicitly speak to this class of attack in the keynote that I linked you to in my previous comment. It's a very interesting talk and I encourage you to watch it:

https://www.youtube.com/watch?v=Du8BbJg2Pj4
jesseendahl
·5개월 전·discuss
Apple's head of SEAR (Security Engineering & Architecture) just gave the keynote at HEXACON, a conference attended by the companies who make Pegasus such as NSO Group.

That doesn't seem like avoiding the elephant in the room to me. It seems like very much acknowledging the issue and speaking on it head-on.

https://www.youtube.com/watch?v=Du8BbJg2Pj4
jesseendahl
·5개월 전·discuss
Finneas (Billie Eilish's brother) isn't one for virtue signaling from what I've seen over the years from his posts. He keeps it very real and down to earth as far as celebrities go.
jesseendahl
·7개월 전·discuss
Both of the major smartphone companies (Google and Apple) have pretty robust account recovery processes. Are you familiar with all the options they have? Your comment gives me the impression that you are making assumptions about what would happen, instead of doing research on how it actually works.

I experienced Google's recently and it was very robust.

Even before passkeys, the average user would have major problems if Apple and Google didn't have good account recovery processes.
jesseendahl
·7개월 전·discuss
There's nothing different about using a password vs. a passkey that makes it easier or harder for vendors to lock you out. I am not sure where this misconception comes from.

Whatever process a vendor requires someone to go through in order to gain access to someone's account when they pass away remains the same whether the user previously used a password or a passkey to login.

Are you aware of any vendor that actually does have differing policies based on the account's login credential type? I'm not aware of any.
jesseendahl
·7개월 전·discuss
(1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.

(2) I understand you don't like the user experience. But to make a technical clarification: requiring a user action to prove there's a human involved in the login action (e.g. by clicking a button in UI or requiring Touch ID) does not necessarily mean there's another factor involved at all (MFA). What you are describing is more of a "liveness check" than a separate factor/separate credential.
jesseendahl
·7개월 전·discuss
In theory any code could be written at any time that does something good or bad. Sure.

But in reality, the people who actually work on these standards within the FIDO alliance do not want a world where every website/service makes arbitrary decisions on which password managers are allowed. That would be a nightmare.
jesseendahl
·7개월 전·discuss
The primary credential a user relies on for logging in (whether it's a password or a passkey) is pretty unrelated to the the "lockout issue". The lockout issue is really the age old question of: what happens if I can't do a normal email-based account recovery flow (aka "I forgot/lost my password/passkey").

The answer to that is stuff like this:

https://blog.google/technology/safety-security/recovery-cont...

https://support.apple.com/en-us/102641
jesseendahl
·7개월 전·discuss
People should be setting up Recovery Contacts so that they have a way of getting back into their Google account even if they lose all credentials (passwords and/or passkeys) and all their devices.

https://blog.google/technology/safety-security/recovery-cont...

I hope Google starts to push all users to setup Recovery Contacts. It would greatly reduce the likelihood of lockouts, whether using passkeys or not.
jesseendahl
·10개월 전·discuss
I legitimately wish there was an option for: "I show up for my appointments 100% of the time and I'll agree in advance to pay a giant fee if I ever don't show up, if you promise not to bother me with appointment confirmations every time".
jesseendahl
·10개월 전·discuss
Not sure why this is being downvoted. This user (palata) is correct — phishing is any attempt by an attacker to trick a user into giving up sensitive information.

For anyone who is confused:

https://www.cloudflare.com/learning/access-management/phishi...