glyph

@glyph@mastodon.social

he/him

You probably heard about me because I am the founder of the Twisted Python networking engine open source project. But I’m also the author and maintainer of several other smaller projects, a writer and public speaker about software and the things software affects (i.e.: everything), and a productivity nerd due to my ADHD. I also post a lot about politics; I’d personally prefer to be apolitical but unfortunately the global rising tide of revanchist fascism is kind of dangerous to ignore.

gvwilson, to random
@gvwilson@mastodon.social avatar

As a follow-up: http://dx.doi.org/10.1145/2509578.2509584 and https://doi.org/10.1145/2983990.2984018 showed that most of Git's user hostility is inessential: it is possible to design a provably more humane interface using the same data representation. However, the authors found it impossible to displace Git in practice even with a better (and backward-compatible) tool: as soon as people started searching for help online (which everyone does) they were sucked back into the swirling vortex of despair that is brand-name Git. 1/

glyph,
@glyph@mastodon.social avatar

@gvwilson it was wonderful to read while it lasted, though

glyph, to random
@glyph@mastodon.social avatar

listening to some of Austen Allred's previous lies about Lambda School now that the CFPB enforcement action has clarified what was really going on, contemplating the similarities to Theranos, and wondering if "fake it till you make it" (always at least lightly problematic) has metastasized into something more like "defraud until they applaud" in SV

glyph, to random
@glyph@mastodon.social avatar

Some days it’s an achievement just to make it through.

kcase, to random
@kcase@mastodon.social avatar

I find it sad that our industry has trained so many people to expect that a free trial is going to automatically convert into some sort of payment when the trial ends, unless they somehow cancel the trial.

(In all of our apps at @OmniGroup, the trial simply ends and you're no longer able to edit content unless/until you decide to unlock the app by making a purchase. There's nothing you need to cancel. And you can still view any content you created during the trial.)

glyph,
@glyph@mastodon.social avatar

@harpaa01 @kcase I do find the behavior sleazy but I try to spare empathy for the people who do it. When you are pushing, pushing to make your numbers, to break even, to avoid layoffs, and you finally get enough traction to get within striking distance but you’re not quite there, you can get pretty desperate, and a lot of app developers end up in that liminal space often. You start optimizing stuff, a dark pattern juices your numbers by 5%, maybe you can make it to 11% with just one more…

glyph,
@glyph@mastodon.social avatar

@harpaa01 @kcase companies that are making money hand over fist and still do this are beneath contempt though.

davidism, to python
@davidism@mas.to avatar

Python has seen significant performance improvements in the last few releases. MarkupSafe has a C extension to speed up operations, but it's now slower in many cases than the plain Python implementation. Having a C extension increases the difficulty of maintenance, builds, releases, and installs. I'm wondering if it's time to drop the speedups. https://github.com/pallets/markupsafe/issues/433

glyph,
@glyph@mastodon.social avatar

@davidism @freakboy3742 I am very curious what happens if you mypyc or cythonize the python?

foone, to random
@foone@digipres.club avatar

He'd get in endless arguments and canceled almost immediately (not to mention the weird shit he'd get caught liking), but I would have liked to have seen Robert A. Heinlein with a Twitter account.

glyph,
@glyph@mastodon.social avatar

@foone I am thinking about this and I really could imagine him being a total nightmare or a delightful eccentric, even odds. Would we get “stranger in a strange land” Heinlein or “starship troopers” Heinlein I wonder

gvwilson, to random
@gvwilson@mastodon.social avatar

Not a subtoot of anyone in particular, but I don't think we need more surveys of what software engineers or research software engineers or data scientists do or what tools they use. I think studies of what tactics they have used to change the organizations they're in and how well those have or haven't worked would be a lot more interesting and useful.

glyph,
@glyph@mastodon.social avatar

@gvwilson seems like more of a “yes, and” situation to me. Tooling trends are interesting for a whole bunch of reasons. I can’t think of many areas of sw eng where I would want less data. (Although if we had to give up a few tools surveys to get at some of the data you are suggesting it would certainly be a worthwhile trade)

danilo, to random
@danilo@hachyderm.io avatar

So the CFPB has Lambda School and Austen Allred dead to rights as scammers

Allred, noted crook, is not allowed to do anything like student lending for ten years

https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-coding-boot-camp-bloomtech-and-ceo-austen-allred-for-deceiving-students-and-hiding-loan-costs/

glyph,
@glyph@mastodon.social avatar

@danilo holy shit! Always seemed a little dodgy but this is way worse than I had imagined

mcc, to random
@mcc@mastodon.social avatar

I have literally implemented SRP at both the client and server side but I am still unable to figure out, if I were to purchase or set up a "Passkey", what exactly I would have, or how it would work, or which computers, web browsers or web sites I should expect it to work with

glyph,
@glyph@mastodon.social avatar

@irenes @mcc a lot of effort has been put into import/export, portability and sharing among the various platform auth managers, including third party tools like 1password, so I don’t think they are trying to keep people in the walled garden this way

glyph,
@glyph@mastodon.social avatar

@mcc yes, this precise scenario is what webauthn is designed to prevent, since it’s (by definition) phishable. If you had to manually type in the domain name it might work but that introduces a truly untenable number of unicode problems for non-ascii domain names and so is a non-starter globally

glyph,
@glyph@mastodon.social avatar

@filippo @irenes @mcc they did hardware tokens first in fact. Although their official developer documentation doesn’t really treat these as “passkeys” and it steers you towards the native cloud-synced version, I believe they do that because it’s inherently impossible to back up a hard token, you just need to buy multiples and keep them in separate secure physical locations and they don’t want to be recommending that to most users or allowing them to set up a fatal SPOF for a critical account

glyph,
@glyph@mastodon.social avatar

@irenes @filippo @mcc the steering is relatively gentle and if you know what you want, you can click the appropriate radio button in the prompt and get it. This use case is definitely supported.

glyph,
@glyph@mastodon.social avatar

@mcc @irenes yes, unlikely that you can change their minds given that even I disagree with you, and I have no particular corporate motivation here :). (There’s a reason I said “they’re here” rather than tagging them, though, no need to drag them in if the discourse would not be productive)

glyph,
@glyph@mastodon.social avatar

@mcc while we are quibbling about certain details, fundamentally I really agree with you. There’s a paternalism about the whole process that I am deeply ambivalent about. Like it’s extremely difficult and annoying to get normies to understand the stakes, and so “just use passkeys it’s easy” can feel like the right message, but there is a significant issue with user education that we can’t just skip over.

glyph,
@glyph@mastodon.social avatar

@mcc and so we end up in a situation where users need a simple, accessible explanation for how the whole auth flow works, from factor requirements to verification to account reset to what happens when a user dies, but neither the platform vendors nor site operators will explain any of it because it’s boring, and they certainly won’t explain it in standardized and consistent ways. In the absence of that documentation it’s almost impossible to explain the stakes and thus motivate users.

glyph,
@glyph@mastodon.social avatar

@mcc Worried about getting locked out of all your accounts if you lose your phone, because you only have one device like most people? Don’t worry, it’s associated with your account. You can probably reset your password, right? Somehow? There’s a kbase about it. And you can always export to Chrome. How do you do that? Is there a place for you to practice this before committing to it in a way that might lose you access to all your banks? No, look, here’s the button, look at the screenshot again

glyph,
@glyph@mastodon.social avatar

@mcc so, you know. Just use passkeys. It’s fine. Click this button. Do you not know where the button is? Look at this screenshot. Never mind that this is a screenshot of a UI that an actual website has to prompt you to see, and every website has different terminology for this and puts it in a different submenu if they even support it at all. Did you not see the button? Let me refer you to the screenshot again without reference to any particular site and tell you how great passkeys are.

glyph,
@glyph@mastodon.social avatar

@filippo @djc @irenes @mcc wait when you say “discoverable” do you mean like in the CTAP2 sense? Like a resident key? This is a whole new, third sense that I had not previously heard! Passkeys terminology is not doing great 🤣

glyph,
@glyph@mastodon.social avatar

@mcc despite all of this I actually do think that webauthn is pretty great technology and users should invest in onboarding onto it, and probably even get some physical tokens for their key accounts given the amount of control that computer communication systems have over our lives and the very real and horrible toll of phishing, but, fucking hell is it frustrating to deal with as a social construct

glyph,
@glyph@mastodon.social avatar

@mcc @filippo @djc @irenes whether it's desirable or not, this is a huge surprise to me, I don't think I've ever seen a site do this without me entering a username first

glyph,
@glyph@mastodon.social avatar

@mcc @filippo @djc @irenes Is there an example site that does this kind of enumeration? I feel like I've gotta be top 0.01% of the population in terms of buy-in on these standards and I have 0 resident keys on my various hard tokens as far as I can tell

glyph,
@glyph@mastodon.social avatar

@filippo @djc @irenes @mcc fwiw engineers building anything even vaguely related to u2f/fido/fido2/webauthn/passkeys (myself included, honestly) are the furthest down this rabbit hole out of any population I've ever interacted with: https://xkcd.com/2501/

glyph,
@glyph@mastodon.social avatar

@filippo @djc @irenes @mcc I did a poll on twitter in 2022 when google was starting to work on / talk about their implementation; consensus among implementors was "I guess some users might think 'passkey' still means the hardware device, but most people should understand it's the cloud version", but among even my followers almost half thought "passkey" was Apple-specific branding https://twitter.com/glyph/status/1563310487642615809
