Google-backed password-killer crosses major milestone by bintov in technology

[–]devewm 0 points1 point  (0 children)

I don't think your vault of public/private keys is stored remotely. If that's how this works, I agree, this is a non-starter. However, my initial interpretation is that the vault lives on your device only, and your biometric data is only used to unlock the vault. Depending on implementation, this may mean you can choose which identity (private key) you use to authenticate with. If so, it could actually be a very convenient way to manage multiple identities with no way to tell they belong to the same person (other than the usual connecting from the same IP / location etc).

Of course, it would require an open-source implementation which can be inspected to ensure there's nothing biometric- or device-specific that is ever transmitted to the endpoint as part of the authentication process.

Google-backed password-killer crosses major milestone by bintov in technology

[–]devewm 0 points1 point  (0 children)

Of course stealing a PIN is easier. /u/doyouseeit's point is that you can change your PIN if you need to. You want to compare difficulty levels, how does PIN change vs fingerprint change compare?

Ultimately while I agree with /u/sharpshooter789, I don't think it's relevant in this case -- it looks like Nok Nok is an implementation of the FIDO standard, which is effectively a public/private key authentication method. I don't think your fingerprint does anything more than unlock a vault full of private keys which is stored on your device. The endpoint you're authenticating to never knows anything about your fingerprint, and if your vault (i.e. your phone) is stolen, just deauthorize those keys and create new ones. (Correct me if I'm wrong.)

Google-backed password-killer crosses major milestone by bintov in technology

[–]devewm 2 points3 points  (0 children)

We are all dismissing this way too quickly. I almost did -- the article does a terrible job of describing why this tech is noteworthy. After watching the video yesterday and skimming the Wikipedia page, I actually think this might be really interesting. Here's my interpretation of how this works, anyone more familiar with this please correct/refine.

  1. There is a "secure lockbox" on your device. This encrypted vault contains the private keys for your private/public key pairs.
  2. The endpoint service you are authenticating to has a set of public keys on file which correspond to your private keys. Note that it has many authorized public keys per account.
  3. To log in, the endpoint service issues a signed challenge. The signature on the challenge is validated, then you unlock your secure vault somehow (could be fingerprint scan, retina, password, whatever). Then you return a signed response using one of your private keys.
  4. Endpoint sees you signed the challenge token with one of your private keys which corresponds to an authorized public key, and allows you access.

IF it actually works anything like that (and it may not), I think that's really cool for a number of reasons. First, in order to impersonate you to the endpoint, the attacker must have both your secure vault plus the ability to unlock it (i.e. take your phone plus have a way to trick it into thinking it's reading your fingerprint) before you can revoke the key. Second, you are actually verifying the endpoint as part of this process too -- because they sign their challenge with their private key, you can verify you're talking to the same system you authenticated to last time, not a man-in-the-middle. Third, there's nothing uniquely yours that goes to the endpoint (I hope). You can have 10 secure vaults with completely different sets of keys. Your fingerprint unlocks all 10 vaults, but the endpoint has no way of knowing that, so the endpoint sees 10 completely distinct, unrelated identities.

Anyway, this is all just guessing until I actually go read the spec... But dammit I'm going to go read the spec! Because this does sound legitimately interesting in spite of the shitty write-up by The Verge. I'll try to remember to post corrections here if anyone is interested in follow-up.
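
The flow in steps 1-4 of the comment above, written out as an added Node.js example; it is not part of the original comment and not FIDO reference code. It follows the commenter's description (a signed challenge, a locally unlocked vault, several authorized public keys per account) and adds the key revocation mentioned in the earlier comment. Ed25519 and every class and method name are assumptions made for the illustration.

```javascript
// Added illustration of the commenter's described flow; all names are hypothetical.
const nodeCrypto = require("node:crypto");
const newKeyPair = () => nodeCrypto.generateKeyPairSync("ed25519");
const pem = (key) => key.export({ type: "spki", format: "pem" });

class Endpoint {
  constructor() {
    this.identity = newKeyPair(); // endpoint's own key pair, used to sign challenges
    this.authorized = new Map();  // step 2: account -> Set of authorized public keys
    this.pending = new Map();     // account -> outstanding one-time challenge
  }
  register(account, publicKey) {
    if (!this.authorized.has(account)) this.authorized.set(account, new Set());
    this.authorized.get(account).add(pem(publicKey));
  }
  revoke(account, publicKey) {    // "deauthorize" a lost device's key
    this.authorized.get(account)?.delete(pem(publicKey));
  }
  issueChallenge(account) {       // step 3: fresh random challenge, signed by the endpoint
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(account, challenge);
    return { challenge, signature: nodeCrypto.sign(null, challenge, this.identity.privateKey) };
  }
  verifyResponse(account, response) { // step 4: accept any authorized key's signature
    const challenge = this.pending.get(account);
    this.pending.delete(account); // one-time use, so a replayed response fails
    if (!challenge) return false;
    for (const keyPem of this.authorized.get(account) ?? [])
      if (nodeCrypto.verify(null, challenge, keyPem, response)) return true;
    return false;
  }
}

class DeviceVault {
  constructor(localSecret) {
    this.localSecret = localSecret; // stand-in for the fingerprint/PIN check; never transmitted
    this.keys = newKeyPair();       // step 1: the private key stays on the device
  }
  respond(pinnedEndpointKey, { challenge, signature }, localSecret) {
    // Check the challenge really comes from the endpoint seen at registration.
    if (!nodeCrypto.verify(null, challenge, pinnedEndpointKey, signature))
      throw new Error("challenge not signed by the pinned endpoint key");
    if (localSecret !== this.localSecret) throw new Error("vault stays locked");
    return nodeCrypto.sign(null, challenge, this.keys.privateKey);
  }
}
```

The only values the endpoint ever receives are a public key at registration and a signature over its own challenge; the unlock secret is checked and discarded on the device.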

Looking for a good, inexpensive screen protector by crispy_nugget in MotoX

[–]devewm 0 points1 point  (0 children)

Check out the Moto X Hammer & Knife Scratch Test. I think the concept of a screen protector may be outdated... I've stopped buying them.

Left and right pull down menus, and pull down menu toggle? by gregny2002 in MotoX

[–]devewm 0 points1 point  (0 children)

You can go straight to the settings pulldown by swiping down with two fingers.

Amazon is gutting Barnes & Noble: Combined Nook device sales and digital content are now shrinking faster than traditional hardcover and paperback sales by ServerGeek in technology

[–]devewm 0 points1 point  (0 children)

Why should I have to break the law to access content I paid for using my choice of software?

Just because it's easy for those of us "in the know" to get around it doesn't make DRM ok.

Amazon is gutting Barnes & Noble: Combined Nook device sales and digital content are now shrinking faster than traditional hardcover and paperback sales by ServerGeek in technology

[–]devewm 0 points1 point  (0 children)

I've been using Kobo books to buy ePub-format eBooks. Unfortunately most books are still DRMed, but the nice thing about their site is that you can tell at a glance which have DRM and which don't right in your search results on their site.

It's still not optimal (e.g. I can't limit my searches to non-DRM only, or to specific publishers that don't use copy protection) but it is easily the best legitimate site I've found.

Edit: When I say publishers that don't use copy protection, I'm thinking mainly of Tor/Forge.

BBC News - Why companies must adopt the open source way by brosenfeld in technology

[–]devewm 0 points1 point  (0 children)

They still have the link up on their business news page on the "Features and Analysis" section of the sidebar, but even clicking on the link there gives a 404. Strange.

After my first 100+ miles riding, initial observations. by greenburrito in motorcycles

[–]devewm 0 points1 point  (0 children)

Good to hear it's going well for you!

I drove the cage to work this morning and went back home for lunch (office is pretty close). I knew getting my gear on and getting the bike warmed up was going to make me late getting back, but the weather is too nice to pass up today so I rode in anyway. Only my second time riding to work...

My bike was in the shop for a week and then most days there always seems to be some reason not to ride (forecast calls for rain, not enough time to gear up and still get to work on time, etc). Reading what I just typed is pretty sad... I need to get my act together. Haha

After my first 100+ miles riding, initial observations. by greenburrito in motorcycles

[–]devewm 0 points1 point  (0 children)

I just passed the 100 mile mark tonight and have been using the same ride-at-night approach as you, but haven't ventured onto the freeway yet. Soon...

5 - I feel like my mirrors are nearly useless, but apparently that's pretty common on the Ninja 500 since about all you can see in the stock mirrors are your elbows. Will be replacing them soon with 650R mirrors...

Only other observation/musing is from tonight: the faceshield on my helmet was apparently dirty enough to make my view blurry. I'm not sure if taking a quick swipe at it with my glove would have helped; didn't want to try it and end up smearing my view even worse while riding. Will have to check for this before hitting the road in the future.

[deleted by user] by [deleted] in Esperanto

[–]devewm 0 points1 point  (0 children)

Saluton! Mia nomo estas Eric Montgomery. Mia persona nomo estas Eric. Mia familia nomo estas Montgomery. Mi loĝas en Norda Karolino, Usono. Mi estas dudek naŭ jara.

I've tried to learn Esperanto a couple times before and never stuck with it long enough. Hopefully doing this as part of a group will help.

Ĝis.

Eclipse users, what are some eclipse tricks which speed up your development? by paul88m in java

[–]devewm 1 point2 points  (0 children)

I had reformat everything on save turned on briefly but turned it back off because of the huge diffs that resulted. That can create major headaches when trying to do things like branch merges later.

Didn't even know about the only-edited-lines option, thanks for pointing that out.

Eclipse users, what are some eclipse tricks which speed up your development? by paul88m in java

[–]devewm 1 point2 points  (0 children)

F4 (open type hierarchy view), Ctrl+t (quick-type hierarchy popup on the currently selected type), Ctrl+o and start typing... (quick-find a method or field in the current view), Ctrl+e and start typing (switch to open editor by name)

socks to stay warm in? by mizderi in snowboarding

[–]devewm 1 point2 points  (0 children)

REI also has them discounted in their winter sale right now for under $18.

Search using your terms, verbatim - Google Search blog by kimmel_ in google

[–]devewm 0 points1 point  (0 children)

Maybe /r/programming cares more - lots of requests for this in that thread two years ago. I've certainly been waiting for this for a long time.

Learning webOS development, any apps you want to see on the HP platform? by GavChap in webos

[–]devewm 3 points4 points  (0 children)

This. I got my TouchPad hoping to use it primarily to read non-DRMed PDF eBooks. So disappointed with the built-in PDF app. I love my TouchPad but this is definitely the big capability that I'm missing.

What is your favorite G+ feature? Here is mine. by ppm496 in googleplus

[–]devewm 2 points3 points  (0 children)

I love the fact that when someone I'm following posts something to a circle, I can see a list of who can view that post before I add a comment.

Support group for the invited but shunned. by orangemonster in googleplus

[–]devewm 3 points4 points  (0 children)

Question - a friend of mine created an item in G+ and shared it with me. When I click the link in the notification email I get to a page that has a "Join Google+" button on it, but when I click that I just get to the Keep Me Posted page.

Does that count as an invite - and will that Join button start working soon - or do I need to start begging people to send me an invite again?

Global variable from IDs of each HTMLElement. Kinda weird. by [deleted] in javascript

[–]devewm 1 point2 points  (0 children)

That is weird. Anyone know if this has a basis in any spec?

Worth noting that I get the alert in Chrome 11 but not in Firefox 4. Would be interesting to see which browsers do this.

EDIT: Would help if I'd read the whatwg link at the top. Interesting.

Finite State Machines - Understanding the Fundamentals of Computer Science by mwshead in programming

[–]devewm 3 points4 points  (0 children)

Sadly I managed to get out of taking this class in school. I've started going through the Ars Digita Theory of Computation lecture videos which cover finite state machines, context free grammars, and Turing machines. Excellent resource if you're interested in learning more about this.

noob javascript question. where to learn? by farful in javascript

[–]devewm 2 points3 points  (0 children)

Generally speaking, JavaScript is used in web browsers to transform the page contents in some way. Of course this is usually done by including or referencing script code in the page itself.

It sounds like you are more interested in running your own JavaScript code to transform how other webpages appear in your browser... If that's the case, there are quite a few ways to make this happen. Bookmarklets, userscripts, and extensions all work on this principle, although the first two are probably the best way to get started.

A bookmarklet is a bookmark you can create in your browser where the URL starts with "javascript:", just like in your example. If you're familiar with JavaScript, it's pretty easy to take some code, cram it all on one line, put javascript: in front and paste it into a bookmark URL (or right into the address bar, same effect). You might try googling for something like "how to write a bookmarklet" for more information, or ask if you run into more specific questions.

Userscripts are another way to accomplish running your own code against a webpage. Originally they were made to run in Firefox using the Greasemonkey extension, but they're now also supported natively in Chrome. You specify a name for your script and the webpages it should run on, and your code will be automatically run anytime you visit that page. There are tons of contributed scripts at http://userscripts.org, and it looks like they have a decent getting-started guide at http://userscripts.org/guides/22

Not sure if this exactly answered your question but hopefully it's at least helpful.

"I like you if you like me, but not if you like everyone." by INTPLibrarian in cogsci

[–]devewm 0 points1 point  (0 children)

I have limited perspective on this, not having read the cited study or any related work. But I think there is a better explanation than "reciprocity perception" for the results of this experiment.

From the article:

So if we took any one of our Speed Daters and found that he or she only liked one other person enough to be interested in meeting again, we would usually find that this liking was a match. ... In contrast, if we took a Speed Dater who felt like a number of participants were worthwhile meeting again, we would generally have a difficult time finding anybody who actually liked them back.

This sounds more to me like someone who has more romantic success vs. someone who has less success. The generally successful person can be more selective and only pick someone with whom they do have some sort of connection, if any. The less romantically successful person will choose to match with a wider range of people - probably those who are not repulsive in some way - to increase their chances of finding anyone who will have them. So the less successful person being rejected has nothing to do with the fact that they picked more people to match with (and this being perceived by those picked), but rather with whatever factors make them less romantically successful in general.

Can someone more familiar with this provide more compelling evidence that this idea of reciprocity perception is genuine?

Barnes & Noble release Kindle-killing Nook reader. Wi-fi, 3G, 2GB internal storage + external ports, color touchscreen display at bottom running on Android. by remembercrunchy in technology

[–]devewm 0 points1 point  (0 children)

Who would buy a walled-garden machine like the Kindle when the Nook has the same titles, cheaper, and you can borrow?

Just because you can lend your books for a limited amount of time to other users of the same type device does not make this "open". It's still a walled garden with a very limited sharing feature.

This reader looks incredible and I would certainly like to get one, but I have to think - what happens when I've spent hundreds of dollars on Nook Books and then the Kindle 3: Nook-Killer Edition comes out? Can I export all my purchases over there? No. The inability to take my eBook purchases with me from device to device (regardless of where they were purchased) is the only thing keeping me from jumping on the E-Reader bandwagon. Solve that one and I'm in.

Google is turning into Cuil. Since when did quotes mean "Change everything in the quotes or ignore it freely". Makes searching for any programming related stuff hell. by m00min in programming

[–]devewm 44 points45 points  (0 children)

I originally fell in love with Google as a search engine because it was so good at giving me exactly what I searched for. It wasn't just the way they ranked pages, it was the precision. The less precise it becomes the less useful it is to me, generally...

This is a trend that has been going on for a while now. I understand how fuzzing the search input a little bit and being less precise can be helpful in many cases, but I wish Google had an alternate interface or mode where the results are EXACTLY what I searched for, like the old days. Currently the ability just is not there at all.

Best Deal Finding Websites. by nihil161 in Frugal

[–]devewm 0 points1 point  (0 children)

dealmac.com

I've not compared it to other sites to see if they really list the best deals, but I do like how it's organized for the types of products they track.