I never bought into the apple ecosystem for the exact reason of not being able to feel ownership over my own device.

However i also understand the challenges google has. They/vendors are selling consumer devices with a consumer OS on it. Not everybody is tech savvy and a fair bit of people are too easy to trick into installing things.

An alternative could be to offer two versions(perhaps on phone activation). A business like version where a business(and people on HN) get full access. MDM and all. And average Joe mamas version that comes with more guard rails activated.

I can personally live with that 24 hour wait once, if it helps protect the average people from scammers etc.

> Not everybody is tech savvy and a fair bit of people are too easy to trick into installing things.

Almost nobody is tech savvy to understand how LLMs work and how subtly and convincingly they present incorrect facts, yet they are free to use by everyone.

Here, we are talking about the same company providing both of these services - an OS where they are supposedly trying to protect their users, and LLMs where no protections are needed (just censorship).

I'm just not buying their explanation, that's just an excuse. Why? Well my wifes grandmother (80ish woman living alone) showed us something on her phone a few months ago: Big red flashing text that her phone was somehow infected and she urgently needs to call x and do y. Now how did this scam get full screen access to her phone? She installed a card game app from the Google Play Store, which showed this scam as an ad. And the little logo in the bottom gave away one more detail: The ad was delivered via Google. IMHO Google just wants to ensure Android stays under their control and they can make lots of money with it. They don't care if average Joe gets scamed (they even get a cut) and the measures they pretend to protect average Joe just don't work.

P.S.: Some speciation from my side: That ad was probably even targeted to less techsavy people power by Google.

I can understand that point, but I'd much rather vote for increased education than increased babysitting. Increased education would affect those that need it whereas increased babysitting affects everyone, including those who do not need it, and living in a society where everybody assumes you're a toddler because some people are easily gullible and ignorant is just horrible.

Just look how state works with solving all kind of problems with legislative regulations that, in the end, remove freedom of choice peace by peace. Neither you give responsibility to individuals to learn even from mistakes or take all of it. Of course because of our "safety".

You can always buy a Chinese android phone without a Gstack. Then uhm, well, you will have lots of freedom at least without having to wait 24 hours first.

yes, but we are talking about educating a billion people in developing countries. it's not just some people there, but the majority of the population. it will take a whole generation at least to fix that.

Ouch! It looks very sweet i must say. Having worked on a similar idea for a while as a side project, it does hurt to see something better coming out.

I hope we can one day compete. :)

Edit: removed the URL

Good luck with your project! The world is big enough for multiple products in the same space, no need to get discouraged.

Now i haven't dug deep into hotwired. But isn't this how we used to do it before (insert your favourite javascript SPA framework here) was a thing?

Now it's certainly not a bad thing to reflect on whether it's the right solution to throw react, etc. after every problem you have. :)

"Now might be a good time to change your password to something longer, or finally get onboard with 2FA."

If it becomes trivial to crack the passwords, then we're really left one factor. Unless we replace the password factor with something else.

Sqrl perhaps?

Cracking good (long) passwords is far from trivial (and mathematically should remain that way), the main problem is most users pick terrible passwords.

The problem: users don't want long passwords.

(Though password managers can help a lot.)

Oh, the irony...

One of my banking apps has a 10 minute logout "feature" (which can't be disabled) that pretty much guarantees you need to have a crappy, easy to remember, password if you want to use it. Add on top of this a predilection for "2FA" (aka text message) every few times you log in and the thing is basically an unusable hot mess.

(looking at you walmart moneycard)

Not trivial. You still have to break in and get /etc/passwd or the equivalent, right? And doesn't creating a unique salt for each client also help significantly?

WebAuthn is well supported across all major browsers and can be used for multifactor login without username and password.

Client certificates is also a thing.

And they are an utter PITA to use, everywhere in the stack...

We could fix that..

If it’s trivial to dump password hashes, you’re probably already left with zero factors.

For a lot of things this is true, but not for WebAuthn.

Here's what my site has on file for one of my own logins:

id: AWrNx4WDVIACFXeNDG4h6R6/ppUi8oIuXJYRwaJtOxssDZybQnu8wt6Cjdc4PqztvnSxnSgLmZGRT1BTnbZjz/M=

public key: pQECAyYgASFYIFsl5O6VHyqngNHPlNmWrjGTPjLFh1jzVnhOUJGP79yVIlgg6L2rDoH/l028WsMes+MbDU0RzM2oSdTcRq+cSwz/E/k=

friendly name: unhygienix

The only thing you can do with that data is the exact thing it's intended for, checking the user has the authenticator corresponding to that ID and wants to sign into this particular web site. Also I guess you maybe learn that this user enjoyed the Asterix comics?

You can't impersonate me using that data, any more than you can impersonate Hacker News based on the data inside its TLS certificate.

What is your opinion about using https://golang.org/pkg/net/http/httptest/#Server for end to end tests? Assuming you're testing a webserver of course.

httptest solves the problem of spinning up a new server for use in tests.

However, there are cases where you already have a server (ie. your golang program) and you want to end-to-end test the whole binary (ie. execute the binary with the given arguments and test it).

httptest is a good fit when you need a mock server in your tests. spawn is a good fit when you want to test your actual server binary.

I can't figure out what i think about it. Most of those are of no use to me anyways as a European citizen.

However were i interested in US local news i'd be sad not to be able to access them.

From the websites point of view, i guess there's not enough money to be made from people located in the European union. They are certainly not targeting a global audience. In the end, they are free to choose.

Your point is valid that giving your html tags id's are like defining global objects.

In fact some browsers give you warnings if you have two tags with the same id defined.

However this is by no means a new 'feature'. Maybe it's time to take a brush up on the DOM model.

Oh. And yes. The web technologies are a whole pile of worms in itself. Just think of the hacks that Javascript frameworks go through in order to render things just somewhat fast.

While it sounds cool i'm a bit dismayed by the naming choice as ACI in my head is short for the Application Container Image format as used by CoreOS and appc.

Why is that a dick move? What would you do if npm or github goes down tomorrow?

Vendor your dependencies if you want to make sure your own project doesn't break.

I am not affected by this. It just seems like a childish move that only hurts the users. NPM did not go against its ToS.

Neither did he.

I must admit that i was also expecting an article about Midori the web browser, only to get disappointed when opening the article.

Luckily nothing stops me from closing the article again and move on :)