Hacker News | snailmailman's comments

I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.

When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.

Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes I can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.

I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.


Passkeys IMO will only work with dedicated U2F/FIDO keys like Yubikeys.

This does unfortunately actually work pretty well as a security measure. The new domains that are cheap and good for fun side projects, are also cheap for scammers.

For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.

Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.

It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.
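The two rules described in the comment above (block a whole TLD, block anything registered in the last 90 days) as a small resolver-side policy. This is an added example, not the commenter's actual DNS setup or any vendor's filter; the TLD list, the 90-day window and the registration-date table are constructed sample data standing in for a real RDAP/WHOIS or threat-intel lookup.

```python
from datetime import date, timedelta

# Constructed policy values (the comment mentions .top and a 90-day window).
BLOCKED_TLDS = {"top"}
NEW_DOMAIN_WINDOW = timedelta(days=90)

# Constructed stand-in for a registration-date lookup. A real filter would
# query RDAP/WHOIS or a domain-age feed and cache the answer per domain.
REGISTRATION_DATES = {
    "facebook.com": date(1997, 3, 29),
    "google.com": date(1997, 9, 15),
    "login-secure-verify.top": date(2025, 1, 5),
    "freshsideproject.xyz": date(2025, 1, 2),
}


def registrable_domain(hostname: str) -> str:
    """Naive 'last two labels' reduction: www.example.com -> example.com.
    A production filter should use the Public Suffix List so that
    something.co.uk is not reduced to co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decide(hostname: str, today: date) -> tuple[bool, str]:
    """Return (allowed, reason) for one DNS query name under the policy above."""
    domain = registrable_domain(hostname)
    tld = domain.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        return False, f"blocked TLD .{tld}"
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        # No age data: this example fails open. A stricter deployment could
        # fail closed and log the miss for review instead.
        return True, "allowed (no registration data)"
    age = today - registered
    if age < NEW_DOMAIN_WINDOW:
        return False, f"registered {age.days} days ago (< {NEW_DOMAIN_WINDOW.days})"
    return True, "allowed"


def filter_queries(hostnames, today: date) -> dict:
    """Apply decide() to a batch of query names: {name: (allowed, reason)}."""
    return {h: decide(h, today) for h in hostnames}


if __name__ == "__main__":
    sample = [
        "www.facebook.com",
        "login-secure-verify.top",
        "freshsideproject.xyz",
        "cdn.example.net",
    ]
    for name, (ok, why) in filter_queries(sample, date(2025, 2, 1)).items():
        print(f"{name:28} {'ALLOW' if ok else 'BLOCK':5} {why}")
```

The side effect the comment points at is visible in the output: a brand-new legitimate side project on a cheap TLD gets blocked exactly like the phishing domain, which is why this policy suits a user who never visits new sites and would be a nuisance for one who does.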


The revocation mechanism is basically just a list of revoked certificates. Without expiration dates, those lists will grow infinitely.

I’m pretty sure YouTube’s built-in AI summary is also biased towards not “spoiling” the video.

Like if the title is a clickbait “this one simple trick to..” the AI summary right below will summarize all the things accomplished with the “trick” but they still want you to actually click on the video (and watch any ads) to find out more information. They won’t reveal the trick in the summary.

So annoying because it could be a useful time saving feature. But what actually saves time is if I click through and just skim the transcript myself.

The ai features are also limited by context length on extremely long form content. I tried using the “ask a question about this video” and it could answer questions about the first 2 hours in a very long podcast but not the last third hour. (It was also pretty obviously using only the transcript, and couldn’t reference on-screen content)


They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.

The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.


> To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

Metadata is as good as data for deducing your behavior. Think what conclusions can be drawn about a person's behavior from a log of their network connections, from each connection's timestamp, source, destination, and port. Think about the way each additional thing-which-makes-network-requests increases the surveillance value of all the others.

Straight away, many people's NTP client tells the network what OS they use: `time.windows.com`? Probably a Windows user. `time.apple.com`? Probably Mac or iOS. `time.google.com`? You get the idea. Yeah, anyone can configure an NTP client to use any of those hosts, but the vast vast majority of people are taking the default and probably don't even know what NTP is.

Add a metadata point: somebody makes a connection to one of the well-known Wi-Fi captive portal detection hosts around 4PM on a weekday? Maybe somebody just got home from school. Captive portal detection at 6PM on a weekday? Maybe somebody just got home from work. Your machines are all doing this any time they reconnect to a saved Wi-Fi network: https://en.wikipedia.org/wiki/Captive_portal#Detection

Add a metadata point: somebody makes a network connection to their OS's default weather-widget API right after the captive-portal test, and then another weather-API connection exactly `${DEFAULT_INTERVAL}` minutes later? That person who got home is probably still home.

Required reading: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
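The inference chain in the comment above (NTP host gives the OS, captive-portal probe gives an arrival time, periodic weather polls extend the presence window) run over a flow log. This is an added example, not code from the commenter, Tailscale, or any of the vendors named; the log lines are constructed, the client names are invented, and the weather host and 30-minute poll interval are hypothetical placeholders for an OS default. The NTP and captive-portal host names are the well-known defaults referred to in the comment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow log, one line per connection:
# "<ISO timestamp> <src> <dst host> <dst port>"
LOG = """\
2025-01-13T15:58:02 laptop-a time.windows.com 123
2025-01-13T15:58:03 laptop-a www.msftconnecttest.com 80
2025-01-13T15:58:10 laptop-a weather.example-widget.net 443
2025-01-13T16:28:10 laptop-a weather.example-widget.net 443
2025-01-13T18:02:41 phone-b time.apple.com 123
2025-01-13T18:02:42 phone-b captive.apple.com 80
2025-01-13T18:02:50 phone-b weather.example-widget.net 443
2025-01-13T18:32:50 phone-b weather.example-widget.net 443
"""

# Default NTP servers -> likely platform (anyone can reconfigure this,
# but most users keep the default).
NTP_OS_HINT = {
    "time.windows.com": "Windows",
    "time.apple.com": "Apple (macOS/iOS)",
    "time.google.com": "Google NTP user",
}

# Well-known connectivity / captive-portal probe hosts.
CAPTIVE_PORTAL_HOSTS = {
    "www.msftconnecttest.com",
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
}

# Hypothetical weather-widget API host and its poll interval (constructed).
WEATHER_HOST = "weather.example-widget.net"
WEATHER_INTERVAL_MIN = 30


def parse_log(text: str) -> list:
    """Parse the flow log into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst.lower(), int(port)))
    return events


def profile_hosts(events, weather_host=WEATHER_HOST, interval_min=WEATHER_INTERVAL_MIN) -> dict:
    """Build a per-client profile from nothing but timestamps, hosts and ports."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    profiles = {}
    for src, evs in by_src.items():
        evs.sort()
        os_guess, arrivals, polls = "unknown", [], []
        for ts, _, dst, port in evs:
            if port == 123 and dst in NTP_OS_HINT and os_guess == "unknown":
                os_guess = NTP_OS_HINT[dst]          # first NTP sync names the OS
            elif dst in CAPTIVE_PORTAL_HOSTS:
                arrivals.append(ts)                  # (re)joined a Wi-Fi network
            elif dst == weather_host:
                polls.append(ts)                     # periodic widget refresh

        # Each poll that lands ~interval_min after the previous one says the
        # device was still on the network; the chain ends at the first gap.
        present_until = polls[0] if polls else None
        for prev, cur in zip(polls, polls[1:]):
            gap_min = (cur - prev).total_seconds() / 60
            if abs(gap_min - interval_min) <= 2:     # tolerate scheduler jitter
                present_until = cur
            else:
                break

        profiles[src] = {
            "os": os_guess,
            "arrivals": [t.strftime("%a %H:%M") for t in arrivals],
            "present_until": present_until.strftime("%H:%M") if present_until else None,
        }
    return profiles


if __name__ == "__main__":
    for client, prof in profile_hosts(parse_log(LOG)).items():
        print(client, prof)
```

Nothing in the log is payload: no URL, no DNS answer, no TLS handshake contents. The profile still comes out as "a Windows laptop that arrives around 16:00 on weekdays and an Apple phone that arrives around 18:00, both staying for at least half an hour", which is the point being made about metadata. Whether a given relay or coordination server actually sees flow records like these is a separate question from what can be inferred once something does.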


True, but none of that metadata goes to Tailscale.

This is pure misinformation. 'Most connections are direct, P2P' makes no sense to anyone versed in basic networking.

I don’t mean P2P in the same sense that BitTorrent or something is P2P. (Splitting one connection into many distributed ones) But more like how a game that does P2P multiplayer has the clients connect directly instead of through a centralized service.

What do you mean? P2P is commonplace, for example, in IP telephony, and obviously in many other cases.

This is something I saw all the time. I’d look something up, knowing that there was probably an easy way to do <basic programming task> in modern c++ with one function call.

Find the stack overflow thread, answer from 10+ years ago. Not modern C++. New questions on the topic closed as duplicate. Occasionally the correct answer would be further down, not yet upvoted.

“Best practice” changes over time. I frequently saw wrong answers with install instructions that were outdated, commands that don’t function on newer OS version, etc etc.


It is not super easy to get around that tech. It used to be easier a long time ago. Apple patches the methods every time they can, and have made hardware adjustments in an attempt to make it as hard as possible. A lot of these methods involve tricking the counter so it doesn't increment at all, or somehow rolling it back. If the phone isn't set to wipe after 10 attempts, tricking the timer that time has passed would be enough.

I'm not sure if anyone other than Cellebrite knows the exact details of what they are doing. (If they can even unlock latest iPhones that are properly secured. I’m seeing a recent article that implies recently unlocked iPhones had biometrics enabled) I wouldn’t be surprised if their techniques involved disassembling the phone, and tampering with every connection of the chips involved, or depowering them in weird ways as they are counting attempts, or even desoldering and transferring the chips to other boards. I suspect that if Apple knew and could patch the method, they would.

It’s impressive that it is so hard to get into iPhones imo. People use 6 digit passcodes to lock their entire digital life. That would be considered horrendously insecure for anything that isn’t an iPhone. You can (and should) increase it to a full password. But a lot of people don’t.


>People use 6 digit passcodes to lock their entire digital life. That would be considered horrendously insecure for anything that isn’t an iPhone.

That's not really true, it's just the black box magic that is a TPM. Windows Hello for Business does the same thing.


I used to run YouTube with “ad targeting” turned off. The ads were 100% scams. Lots of AI slop. Deepfakes of celebrities pitching all sorts of scams. Lots of nsfw products and even occasionally illegal things like drugs or guns. Also lots of ads in languages I do not speak.

I recently learned that if you turn on ad targeting you can block certain ads and never see them again. So I’ve turned it on just to block the worst of the ads. But Google's ad targeting still can’t target ads to me. It’s maybe only 70% scams now. But their targeting still sucks and I still get ads in foreign languages that I do not speak.

On my desktop I just use Adblock. I really try to avoid YouTube on mobile at all costs because the ads make it completely unusable.


Most ad blockers, like uBlock, also block trackers. uBlock definitely blocks Google's tracking.


Try newpipe to use YouTube without ads.


On iOS, uBlock Lite works great on YouTube. Same for Firefox + uBlock on Android. You can skip the ads on mobile.


Ah yes. “Non-existent security” is only a pesky detail that will surely be ironed out.

It’s not a critical flaw in the entirety of the LLM ecosystem that now the computers themselves can be tricked into doing things by asking in just the right way. Anything in the context might be a prompt injection attack, and there isn’t really any reliable solution to that but let’s hook everything up to it, and also give it the tools to do anything and everything.

There is still a long way to go to securing these. Apple is, I think wisely, staying out of this arena until it’s solved, or at least less of a complete mess.


I think he was being sarcastic


Poe's Law strikes again


Yes, there are some flaws. The first airplanes also had some flaws, and crashed more often than they didn't. That doesn't change how incredible it is, while it's improving.

Maybe, just maybe, this thing that was, until recently, just research papers, is not actually a finished product right now? Incredibly hot take, I know.


I think the airplane analogy is apt because commercial air travel basically capped out at "good enough" in terms of performance (just below Mach 1) a long time ago and focused on cost. Everyone assumes AI is going to keep getting better, but what if we're nearing the performance ceiling of LLMs and the rest is just cost optimization?


I just scrolled through my Libby history to check. I checked out 25 books in 2025. Several of them I didn't finish, so the number is closer to 15 completed books, but that's only through Libby. I also finished an entire fiction series that wasn't available on Libby, which was an additional 7 books.

Series is really what makes the number so high IMO. I read a lot of fantasy/sci-fi which is often a lot of trilogies. Reading just one trilogy puts you above the median. I have several friends that read only 3-4 books last year, but several that also read as much or more than me. Discussing the books amongst friends helps, as we recommend books to each other. Book-tok and other book-centric social-media circles are huge.

And it may seem like a lot but that was spread across an entire year. I often read a few chapters before bed each night, but it often depends on how hooked I am on the book, I make more time for it when I'm more hooked on a book, or on a deadline to return the book to the library.

Audiobooks help carry the number higher as well. It's a lot easier to "read" a book when you can do it while doing other things. Although I prefer to sit down and dedicate time for e-books, I do listen to some audiobooks as well, and many of my friends exclusively read via audiobooks.

