irenes

irenes, 1 month ago

@josh corporations would always prefer not to have to get involved in large-scale societal issues, even when those issues aren't politicized, for the very simple reason that it's cheaper not to

irenes, 1 month ago

@JenYetAgain we hear he toots as he pleases, too

irenes, 1 month ago

@mcc @nfagerlund this is where we usually get into our whole thing about literate programming and how it's a good idea and should be used more, but it's not a complete solution to the larger problem

irenes, 1 month ago

@mcc @nfagerlund if humanity is going to change this dynamic where somebody needs to understand the complexity and that ends up being the limit on our collective abilities, we need to attain a standard of code quality where everyone can forget about it for fifty years, and yet someone can re-learn easily when a changing situation requires it to be changed

irenes, 1 month ago

@nfagerlund @mcc well one criterion is that you need to never, ever lose track of documentation or version control metadata...

irenes, 1 month ago

@nfagerlund @mcc but also.... the connections to lower and higher layers need to be clear, it needs to be possible to re-discover that there even IS a layer there

irenes, 1 month ago

@mcc oh. well that's upsetting.

irenes, 1 month ago

@gwynnion sigh it was predicting the past, after all. the tech changes every decade but it's happened before, elsewhere. "the future's already here, it's just not evenly distributed."

irenes, 1 month ago

@gwynnion we're always impressed by people who are able to see these things clearly, "beforehand"

irenes, 1 month ago

@paulrickards oh very cool. we don't think we've seen generative plotter art that plays with the CMYK primaries like that before

irenes, 1 month ago

@paulrickards oh how gorgeous! yes, we'll take a look :)

irenes, 1 month ago

@mcc yes, that is our understanding as well

irenes, 1 month ago

@glyph @mcc (as historical context in case it helps with deciphering the politics, Google is on the "include physical tokens" side of that divide; Microsoft and Apple are on the cloud side)

irenes, 1 month ago

@mcc @glyph yes, we believe the conflict of interest and potential ecosystem-lock-in that you're hinting at is exactly what's going on

irenes, 1 month ago

@mcc @glyph essentially it's a bit of standards judo where the hardware token people built the public awareness and momentum for change, and now in committee the cloud people and OS vendors are redirecting that momentum to their own benefit

irenes, 1 month ago

@glyph @mcc yeah it's

good faith, yes, everyone believes in what they're doing

the thing is, our Google experience taught us that even people who want what's best for humanity and practice being self-critical can be substantially influenced by the biases that come with being embedded in a corporate structure. management dictates and profit incentives start to feel like laws of nature, rather than things that people invented...

irenes, 1 month ago

@glyph @mcc we were personally influenced in that way. we wouldn't trust ourselves if we were still in a corporate environment, so we definitely don't trust anyone else :)

irenes, 1 month ago

@glyph @mcc or rather, we trust the intentions and expertise of all the individual contributors on this stuff. the ones we know are good people

we don't necessarily trust their judgement, not on the larger implications of these decisions

irenes, 1 month ago

@glyph @filippo @mcc yes. fail-closed is pretty harsh, and there are good reasons most people don't do it. there are also good reasons some of us do do it.

irenes, 1 month ago

@mcc no, yeah, we don't think there is either, or else we'd be doing it. besides, the fundamental choices you and we both take issue with aren't the ones made by ICs, they're probably made by SVPs.

irenes, 1 month ago

@glyph @mcc @filippo @djc sigh we have exactly one (it's for accessing a friend's infrastructure). not really our preferred configuration, U2F was better.

we've been avoiding adding more because we don't want to fill up our smartcards' storage, but the browser tooling is there to do so at this point and the big sites appear to do it by default for new hardware tokens.

irenes, 1 month ago

@filippo @mcc @glyph @djc the existing implementations quite literally do use passkeys rather than U2F when both are available. SOMEbody thinks they are replacements.

irenes, 1 month ago

@filippo @mcc @glyph @djc sigh, sorry, you're new to the discussion (and thanks for answering!) so we should re-state the context in which we mean that

specifically when adding a new credential, if FIDO2 mode is available it gets used instead of U2F with no opportunity for intervention

irenes, 1 month ago

@jonny one thing we will advise is for irreplaceable stuff like that, don't design a system that's going to fail closed in common situations. we came very close to total device loss in a house fire some years ago... make sure you have some sort of off-site backup, even if it's a flash drive left with a family member. (use a drive meant to be removable, not one that might lose its contents if it goes without power for too long.)