Archive for January 10, 2025

Friday, January 10, 2025

SteamOS Expands Past the Steam Deck

Michael Crider (Hacker News):

The big story in PC gaming for the last three years has been the Steam Deck. This low-power, portable, relatively inexpensive machine is clearly something the market has been waiting for, exciting gamers and energizing PC makers to pump out imitators, like the Asus ROG Ally and the Lenovo Legion Go.

But all of these machines lack a crucial component, despite copying the Steam Deck’s hardware to a greater or lesser degree. They rely on Windows, as do almost all consumer PCs not made by Apple. And Windows just isn’t a good experience in this form factor.

Kyle Orland (Hacker News):

Almost exactly a year ago, we were publicly yearning for the day when more portable gaming PC makers could ditch Windows in favor of SteamOS (without having to resort to touchy unofficial workarounds). Now, that day has finally come, with Lenovo announcing the upcoming Legion Go S as the first non-Valve handheld to come with an officially licensed copy of SteamOS preinstalled. And Valve promises that it will soon ship a beta version of SteamOS for users to “download and test themselves.”

[…]

The lack of a Windows license seems to contribute to a lower starting cost for the “Powered by SteamOS” edition of the Legion Go S, which will start at $500 when it’s made available in May. Lenovo says the Windows edition of the device—available starting this month—will start at $730, with “additional configurations” available in May starting as low as $600.


Luigi Mangione’s Account Renamed on Stack Overflow

Evan Carroll (via Hacker News):

On Stack Exchange, all of the contributions on the site are contributed under a license maintained by a third party called Creative Commons; Creative Commons provides a license which states that licensed content must be perpetually shareable for any purpose including modification and by anyone including for-profit ventures, so long as the work remains properly attributed. This incentivizes content creation because every contributor is working on a corpus of work which is free from royalties and modification restrictions: everyone is bettering and growing the commons by using the site.

[…]

Alas, this minimal obligation of attribution is too much for some companies which have sought to erode this right. Right now, on Stack Overflow, Luigi Mangione’s account has been renamed. Despite having fruitfully contributed to the network he is stripped of his name and his account is now known as “user4616250”. As reported by one of the moderators, Zoe, on Stack Overflow.

Mangione has not actually been convicted of anything yet. Reddit, Facebook, and Instagram have deleted his accounts, but “the only one that chose to both erase him and keep the content, is Stack Exchange.” It’s not clear whether that’s legal.

The Ross Ulbricht case is even more egregious because he was convicted and his old pseudonym remains with his attribution as Ulbricht desired.


Passkey Usability

Dan Goodin (Hacker News):

Passkeys—the much-talked-about alternative to passwords that have been widely available for almost two years—were supposed to fix all that. When I wrote about passkeys two years ago, I was a big believer. I remain convinced that passkeys mount the steepest hurdle yet for phishers, SIM swappers, database plunderers, and other adversaries trying to hijack accounts.

[…]

The FIDO2 specification and the overlapping WebAuthn predecessor that underpin passkeys are nothing short of pure elegance. Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone—so much so that they can’t be considered usable security, a term I define as a security measure that’s as easy, or only incrementally harder, to use as less-secure alternatives.

[…]

Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into choosing the vendor’s preferred choice.

[…]

At this point, I don’t know if it’s Google or Firefox that’s presenting me with this non-intuitive response. I just want to open LinkedIn using the passkey that’s being synced by 1Password to all my devices. Somehow, the mysterious entity responsible for this message (it’s Google in this case) has hijacked the process in an attempt to convince me to use its platform.

Rui Carmo:

As someone who logs in to my corporate environment daily (sometimes more than once) using passkeys, I can certainly say that they are borderline usable in very specific contexts, but a complete mess where it regards interoperability.

Dan Moren:

The fundamental problem is that while the idea of passkeys is excellent, the implementation of it has been a mess. Every platform and site seems to have its own different way of handling the process, and what should be simple has instead become extremely confusing.

[…]

And I’m not even restricting that to non-tech-savvy users. I’ve run into multiple sites where I have set up a passkey and it doesn’t work correctly. Just last night I was trying to log into iTunes Connect on my iPhone: iOS showed I had a passkey and offered to use it, but for some reason, the site kept throwing an error. Maddening.

Shriram Krishnamurthi (via Venkatesh-Prasad Ranganath):

One of my great fears of passkeys — that I have not seen anyone talk about from a usability perspective […] is helping parents with their accounts. Right now I have access to their passwords. If they switch to passkeys, it becomes a lot harder for me to impersonate.

Ricky Mondello:

Yes, I’ve seen the Ars piece about passkeys, and to be honest with y’all, I’m genuinely confused by it and can use help making the feedback actionable.

I do agree that it’s a problem that websites that have adopted passkeys aren’t using them to replace passwords and one-time codes.

I acknowledge that different platforms and operating systems have different user interfaces and experiences, in general, and regarding passkeys. I’m having a hard time quantifying whether that’s even a problem.

Adam Shostack:

I think the biggest thing is to (a) ensure dialogs are clear about what software is presenting them (b) where it plans to store the key and (c) letting people configure what their preference is for passkey management.

[…]

I learned recently that this is a 1password dialog*, despite having a different icon than the 1password icon. Also there’s no icon at all in the expando version.

*Or maybe it’s a firefox dialog that’s being integrated or hijacked in some way?

Ricky Mondello:

I vibe with this. Does anyone have any examples of where and how any vendor’s dialogs around passkeys might lead people astray?

Ricky Mondello:

I think it’s been a profound mistake on 1Password’s part that 1Password on desktop intentionally ignores the platform-native way to plug passkey data into web browsers and instead implements passkeys by hijacking the web API via their browser extension. (On iOS, however, they properly integrate as a data source.)

Ricky Mondello (Mastodon, tweet):

Obviously, authenticating to websites isn’t an either-or binary between passwords and magic links. Passkeys — the next-generation authentication standard defined by the FIDO Alliance and W3C, with backing from all of the major platforms, browsers, and credential managers — can be layered nicely into a magic link-based system to give users a secure and fast sign-in experience without the frustrations that come with switching apps to refresh one’s email. They’re complementary technologies, because passkeys can do this in a way that seamlessly coexists with, and is in fact supported by, email magic links for people who don’t yet have a passkey, don’t want a passkey, don’t have the device stability to use passkeys, or would prefer to sign in with a magic link this one time.

[…]

My local grocery store, one of the many Albertsons companies, has taken to preferring an email magic link over my easily-AutoFilled password, and it frustrates me every single time I try to sign in. Once you’ve experienced a world where signing in to websites and apps is so seamless it requires next to no thought, while still being secure, you never want to go back.

But I also kind of love magic links, because they acknowledge — no, radically accept — some fundamental truths. […] almost all online accounts can eventually be signed into by proving possession of an email address; this is usually phrased as “forgot password?”

[…]

On iOS and Android, in notable contrast to magic links, passkeys are directly usable across web browser apps and system web view experiences.

Leon Cowle:

Color me skeptical about passkeys (sorry Ricky!). I love the idea of them. I even use them myself (where possible, which isn’t a lot). But I’ve yet to find a non-techie that’s even heard of them. But more importantly, with passwords, password managers, one-time login links via email, SMS 2FA (yuck), email 2FA, hardware 2FA (for security nerds), I can’t help but wonder if the ol’ XKCD won’t end up applying here too?

[…]

I HOPE I’M DEAD WRONG AND PASSKEYS TAKE OVER THE (auth) WORLD!


Network Neutrality Not Reinstated

Bruce Crumley (via Hacker News):

The increasing challenge to government agencies’ authority to regulate businesses gained momentum this week, after an appeals court suspended application of the Federal Communications Commission’s (FCC) ruling restoring net neutrality. That stay effectively delays the court’s decision in the case until after November’s elections. No matter the results of those, however, its final fate may well be decided by the Supreme Court–whose previous rulings facilitated attacks on federal agencies in the first place.

[…]

The prohibition on ISPs offering faster services to corporate customers and individuals willing to pay more for the privilege was first imposed by the Obama Administration, revoked under Donald Trump’s presidency, then reauthorized by the FCC in April on the orders of President Joe Biden.

Brandon Vigliarolo:

The decision from the 6th Circuit Court of Appeals, filed today, formally killed the FCC’s April order that once again classified internet service providers as common carriers required to be impartial in the offering of their services regardless of what a customer was doing online.

David Shepardson:

The court cited the Supreme Court’s June decision in a case known as Loper Bright to overturn a 1984 precedent that had given deference to government agencies in interpreting laws they administer, in the latest decision to curb the authority of federal agencies.

Ben Lovejoy:

The FCC had acted in response to calls from Apple and more than 40 other tech companies to safeguard equal treatment for all.

Meg James (via Slashdot):

Despite the dismantling of the Federal Communications Commission’s efforts to regulate broadband internet service, state laws in California, New York and elsewhere remain intact.

[…]

In fact, some suggested that the Cincinnati-based 6th Circuit’s decision — along with other rulings and the U.S. Supreme Court’s posture on a separate New York case — has effectively fortified state regulators’ efforts to fill the gap.
