rmondello

@rmondello@hachyderm.io

💚 Friend
🏳️‍⚧ Trans, nonbinary, they/them
😷 Caring, careful
🔑 Passkeys & passwords
🧛🏻‍♀️ It’s not a phase
🦔 Speedrunner

@rmondello@hachyderm.io avatar rmondello , to random

Just this week I’ve heard people on two different podcasts talking about how in macOS Tahoe, AutoFill of verification codes received in Messages or Mail works in more Mac apps than before, including popular web browsers. The people seemed very happy about it.

I just wanna say that people talking about this brings me joy, because I worked hard and did unspeakable things to get that to work.

@rmondello@hachyderm.io avatar rmondello , to random

gonna start referring to ai abstinence as rawdogging thought

@rmondello@hachyderm.io avatar rmondello , to random

prompt injection is when you take your hormones on time

@rmondello@hachyderm.io avatar rmondello , to random

A lot of feedback I’ve gotten on my post about passkeys from yesterday is about fears around a passkey sync provider account becoming “locked” or otherwise invalid.

If your passkey sync fabric provider can remotely nuke your saved passkeys from instances of the app running on your devices or otherwise make the data inaccessible, that’s genuinely horrible and unacceptable. I would never recommend a person use that software and cloud support. It calls peer-driven end-to-end encrypted sync and common sense into question.

Personally, I’d never use a passkey manager that had that property. I certainly wouldn’t contribute my time and attention to building such a manager. I’m also not familiar with a single passkey manager with that property. It is a serious leap to assume that sync being turned off deletes data on devices or otherwise makes it inaccessible.

If a sync provider can delete your data from your devices, you don’t own your data. They do. If you cannot export your data from apps from that service to another app, then you don’t own your data.

These values that I hold personally are why I’m proud to work with individuals in standards bodies to design and build out data export and import. My recent conference keynote about passkeys took a long moment to celebrate the industry-wide collaboration to ensure people always own their data, even if they switch apps or platforms.

@rmondello@hachyderm.io avatar rmondello , to random

“I think I know how to use passwords securely, so passkeys are annoying and nobody should use them.” is tech-speak for, “I don’t care about the online account security of other people.”, or more succinctly, “I don’t care about other people.”

People overestimate their competence and underestimate the cost of phishing and credential stuffing. Individuals having to learn to use password management software and be vigilant against phishing is an industry failure, not a personal success.

@rmondello@hachyderm.io avatar rmondello , to random

I love Mastodon.

@rmondello@hachyderm.io avatar rmondello , to random

Slightly longer term, replace your Ring camera, too.
https://indieweb.social/@willowbl00/115469939022845823

@rmondello@hachyderm.io avatar rmondello , to random

“Billionaires are spending outrageous sums to stop Mamdani.” is an incredible endorsement.

@molly0xfff@hachyderm.io avatar molly0xfff , to random

how many cumulative hours will i spend infuriated at the loose connection on my keyboard before i finally spend the ten minutes to resolder it? stay tuned

rmondello ,
@rmondello@hachyderm.io avatar

@molly0xfff this mentally feels like the same or the inverse or isomorphic to the XKCD “should I automate this?” graph to me

@rmondello@hachyderm.io avatar rmondello , to random

things are, uhhh, getting weird on bluesky

@molly0xfff@hachyderm.io avatar molly0xfff , to random

Bloomberg has filed their opposition to Justin Sun’s renewed motion for emergency relief, arguing they never promised not to publish the information he and his team provided to them. They also argue that his demands they remove the article about him and prevent them from publishing a second one would violate the First Amendment.

rmondello ,
@rmondello@hachyderm.io avatar

@molly0xfff achievement(???) unlocked

@rmondello@hachyderm.io avatar rmondello , to random

Anyone see these? How are they asking to verify one’s account? Does it involve submitting account credentials?
https://indieweb.social/@indiewebadmin/115112564435233227

@rmondello@hachyderm.io avatar rmondello , to random

why do we put up with discord

@rmondello@hachyderm.io avatar rmondello , to random

By listening to lots and lots of feedback, I’ve learned that if someone’s main experience with passkeys is with a password manager that doesn’t natively integrate into the OS it’s running on — instead, one that hijacks web browser API — they’re far, far more likely to think they’re not a great user experience.

Some browser extensions that replace the built-in OS experiences have done so much harm to how technologists view the technology.

I’m not saying that third-party, independent, cross-platform apps are bad. They’re fantastic! What I’m saying is that they should integrate into the native bindings to be a data source for all web browsers and apps on a platform. Nobody wants a credential that only works in web browsers and not other native apps.

@rmondello@hachyderm.io avatar rmondello , to random

“It was also reported that employees at Ring will have to show proof that they use AI in order to get promoted.” https://www.eff.org/deeplinks/2025/07/amazon-ring-cashes-techno-authoritarianism-and-mass-surveillance

@rmondello@hachyderm.io avatar rmondello , to random

so I’m reading the Wikipedia page for a song called “Ai Scream!” because I needed to know whether it was made in part by “AI” because I was feeling guilty for enjoying it after seeing it in a campaign fancam reposted on Bluesky by Kat Abughazaleh

^ long sentence dreamed up by the utterly deranged

@rmondello@hachyderm.io avatar rmondello , to random

iOS 26 (and OSes 26 in general) add an OS-facilitated way to securely migrate your passkeys, passwords, and other data saved in one password manager app to another. The details here are super interesting and are covered in the WWDC25 video “What's new in passkeys” (https://developer.apple.com/videos/play/wwdc2025/279). The rest of this post includes a summary of part of that video and other publicly-available information. (I am not breaking any kind of news here.)

  • Data is sent from one app to the other without exporting any kind of file to a filesystem. This means it can’t be accidentally uploaded to an attacker attempting to compromise one or all of your accounts.
  • There’s an OS API that password manager apps call to export their data. Then, securely and out-of-process, users select which app to send the data to. They are reminded of the scope of the data, and authenticate with local biometrics or their passcode to confirm sending the data.
  • The destination app is not revealed to the source app.
  • Remember that crappy unstandardized CSV format for migrating passwords between password managers? It’s going to be a thing of the past, because…
  • The data sendable via the API is explicitly based on the “Credential Exchange Format” (https://fidoalliance.org/specifications-credential-exchange-specifications/) standard. This standard is being developed in the FIDO Alliance, the standards body working on passkeys, but the spec covers far more than passwords and passkeys. In fact, it was co-developed by 1Password, Dashlane, and others. There’s a collection of Swift structs in the SDK implementing the standard, with as few modifications as possible.
  • The data format part of the API is versioned so it can evolve as the Credential Exchange Format does.

I know it’s taken some time for this to come to fruition, but I hope that delivering a phishing-resistant credential migration process based on open standards (with a credential format standardized for the first time!) makes up for the delay. As I have said since day 1, your passkey data is yours. Passkeys are not a form of “vendor lock-in”.

@rmondello@hachyderm.io avatar rmondello , to random

Every weekend should be a three day weekend.

@rmondello@hachyderm.io avatar rmondello , to random

You cannot carry all of the pain of the world. It will break you unless you channel it into helping people and finding joy.

@rmondello@hachyderm.io avatar rmondello , to random

What do you do when you aren’t feeling like yourself and would like to feel like yourself again?

@rmondello@hachyderm.io avatar rmondello , to random

You know, Windows XP never had “AI”.

rmondello OP ,
@rmondello@hachyderm.io avatar

you can’t improve upon perfection

@rmondello@hachyderm.io avatar rmondello , to random

You know, I’m starting to think that switching to Signal won’t solve all of my problems.

@rmondello@hachyderm.io avatar rmondello , to random

Does anyone ever shorten “404 Media” to just “404” when discussing it? Like, after saying “404 Media” a few times, shorten to “404”? Or would it be more natural or otherwise preferable to write out “404 Media” every time?

@molly0xfff@hachyderm.io avatar molly0xfff , to random
rmondello ,
@rmondello@hachyderm.io avatar

@molly0xfff ¿Por qué no los dos?

@molly0xfff@hachyderm.io avatar molly0xfff , to random

pro tip: name your organization something that sounds terrible to sue

rmondello ,
@rmondello@hachyderm.io avatar

@molly0xfff This post was such a delight to read before I had any context.

@rmondello@hachyderm.io avatar rmondello , to random

Joy Division implies the existence of Joy Multiplication.

@rmondello@hachyderm.io avatar rmondello , to random

“I disagree with Kamala’s position on the war in Gaza. How can I vote for her?”

This video from Bernie Sanders is good. https://www.youtube.com/watch?v=Vf5MThSniiY

@molly0xfff@hachyderm.io avatar molly0xfff , to random

planned to do some writing today but i seem to be coming down with a cold and the words just aren't coming out. tea and rimworld it is.

when i started my newsletter i thought about trying to publish on a scheduled cadence (e.g. "every thursday"), but i have to say i am very glad i didn't. by now my subscribers still trust that i publish regularly, but i don't have to try to force things if life gets in the way.

rmondello ,
@rmondello@hachyderm.io avatar

@molly0xfff It’s really good that you have this flexibility. And as you hinted at, you’ve earned it! And very little is worse than having to think when you just can’t think. Hope you’re feeling better soon!

@Daojoan@mastodon.social avatar Daojoan , to random

I’m going to start replying to everything like I’m on Hacker News. Unhappy with Congress? Why don’t you just start a new country and write a constitution and secede? It’s not that hard once you know how. Actually, I wrote a microstate in a weekend using Rust.

rmondello ,
@rmondello@hachyderm.io avatar

@Daojoan I want you to know that this made me laugh out loud.

@rmondello@hachyderm.io avatar rmondello , to random

Over on Bluesky, Anil Dash asks:
> Has anybody switched from a standalone 2FA app like Google Authenticator or Authy to Apple’s Passwords app? Looking for folks who have actual experience with it and how it works.

Link: https://bsky.app/profile/anildash.com/post/3l4ruwfyicb2u

I replied, but if anyone else has actual experience with this and how it works, please go help him out! My reply, which includes instructions for migrating from Google Authenticator: https://bsky.app/profile/rmondello.com/post/3l4s6na2xhc2s

@rmondello@hachyderm.io avatar rmondello , to random

thinking about him

@rmondello@hachyderm.io avatar rmondello , to random

What password manager would you recommend to someone who uses primarily Android and Windows? I know it’s not the one I help make. :)

Google Password Manager? Bitwarden?

@rmondello@hachyderm.io avatar rmondello , to random

‘Damn, Remember COVID?’ Says Woman Unaware She Has It Right Now https://reductress.com/post/damn-remember-covid-says-woman-unaware-she-has-it-right-now/

@rmondello@hachyderm.io avatar rmondello , to random

It’s really telling to me that society sees students protesting as a problem that needs to be solved.

rmondello OP ,
@rmondello@hachyderm.io avatar

@RodgeNichols Domestic terrorism should not be tolerated. But to say that everyone protesting in favor of the Palestinian people is a domestic terrorist is wholly untrue.