Hacker News | syncerr's comments

The death stroke for these types of projects seems to be lack of funding. This project is sponsored by nlnet[0] providing between 5k - 50k EU per year. Let's hope this gets additional resources.

As a note, it appears to use Elastic's 2.0 license preventing selling software that includes this library [1]

[0] https://nlnet.nl/project/JSON-Joy/

[1] https://github.com/streamich/json-joy/blob/master/LICENSE


Apache 2.0 as of... 18min ago?


[1] is a bummer. Turns this project into a technology showcase without any practical use.


React-DOM will probably just compile to WASM.


Passwordless is going to be great. Though, this is just for unlocking your bitwarden account.

Real cross-device passwordless is likely coming in the next year or so. WebAuthn/Passkey is in its 3rd public working draft[1] and once finalized, we'll likely start to see it across sites. Most devices, browsers and managers have added or are adding support for it: Apple, Microsoft, Google, Auth0, Duo, 1Password, etc. If you haven't seen it, Auth0's demo is helpful[2].

[1] https://www.w3.org/TR/webauthn-3/#sctn-api

[2] https://webauthn.me/


Passkeys are definitely the future, and I think will eventually eliminate a lot of phishing attempts and other insecurity caused by passwords. I'm hoping that we will eventually see transferable, secure identities that you can use to log in anywhere, rather than having to constantly create account credentials for everything.

As a side note, if you want to try out passkeys now and don't want to tie it to your device, I would like to plug my solution, Bulwark Passkey (https://bulwark.id). It's open source, allows you to export your credentials if you want, and supports all browsers since it emulates a virtual USB device.


That seems interesting. What's the license? I couldn't see that in the repo [1]

1. https://github.com/bulwarkid/bulwark-passkey


My apologies; I open-sourced VirtualFIDO a while ago but only open-sourced the actual frontend (Bulwark Passkey) about a week ago, and I forgot the license. It should be MIT licensed now.


The actual 'brains' repo is [1], which is MIT licensed.

[1] https://github.com/bulwarkid/virtual-fido



That's only for sites acting as an OAuth2 authorization server, right?


IMO having devices that can be cloned will always be a weakness. Backup devices work fine.


The threat vector for your passkeys being stolen is the same as current passwords, that's true (because they're just in some syncing database), but it solves many issues that are the leading cause of account compromise these days, mainly phishing and reused passwords.


So, for me, there is no real upside, other than not needing to click "generate password" in my password manager.

What downsides are there? E.g., will it work on rooted phones? Will apps start adding mandatory pin numbers on top (like they do for biometrics), or will Google/Apple's app stores disallow it? How do I "log out" to avoid tracking without being implicitly logged back in? What happens if I routinely wipe my browser settings? Can I use some other person's computer to log in in a pinch? (Such as when my phone is off network?)

In principle, browser and os vendors could work through all these "niche" use cases, but I'll be pleasantly surprised if they actually did.


Heya! I just tried installing Bulwark on my Windows 10 machine. Install went fine, but when I try to run the app, I get the Admin privilege prompt, and then.... nothing. No sign of the program crashing, or any kind of error.

Any ideas? Thanks!


Ah, that is odd. If you don't mind, could you go to %AppData%/Bulwark Passkey and take a look at main.log or device.log and see if you see any errors in there? I would really appreciate it!

Edit: I was able to reproduce the issue; it looks like WebView2 (which Bulwark Passkey relies on) is already installed on Windows 11 but not on Windows 10. I released a new version on https://bulwark.id that has that WebView now embedded in the app itself, would you mind downloading that and seeing if that works? Thank you for the report!


Good on you for offering another passkey solution! I really want more non-Google/Apple options. I'll check it out.


When did you release it and how is it coming along? Is there any resistance from the physical usb crowd for FIDO?


I released it a week ago. It's moving along pretty well! The USB emulation method works well, as it can support any browser. So far, I haven't gotten too much push back from the more hardcore security crowd, since I'm upfront about the fact that it is a software implementation.

Personally, I think that the main blocker for adoption of passkeys is ease of use, as if you can't transfer your credentials either off of your device or away from your Apple/Google/etc account, then I think it will be a hard sell to users.


Sadly, the demo didn’t seem to work on my devices. Tried it on desktop Chrome and my Android phone (Galaxy S22); Chrome says that a "notification was sent" to the phone, but there’s nothing. Seems like it’s supposed to work wirelessly, but I didn’t have any success via a USB cable either. Android Chrome does react to it, and shows that it’s connected, but desktop Chrome’s dialog keeps just spinning until it times out.


Wireless is over BLE, so your motherboard needs to be recent enough to have it, or if you have one of those Intel PCIe wi-fi adapters, the USB2 cable should be plugged in to a header on the motherboard (the wifi functionality is pure PCIe, but for some reason Bluetooth is over USB).


It’s an Intel Wi-Fi 6 AX200, which should have BLE support; I use BLE game controllers with it all the time. But it’s weird that it doesn’t work with a USB cable either, even when using the motherboard headers. I’m on Linux (Fedora), not sure if that matters or not.


Yeah. Andrew Wakefield was stripped of his medical license in 2010 for publishing fraudulent research and it was later discovered that he was paid to discredit the MMR vaccine.[0]

And yet, ~10% of Americans still believe the study. [1]

[0] https://briandeer.com/mmr/lancet-summary.htm

[1] https://news.gallup.com/poll/276929/fewer-continue-vaccines-...


I’m frankly shocked it’s only 10%


In the linked study, 10% said they believed vaccines caused autism, and while they were not asked whether they accepted Wakefield’s claims, presumably just about all who did were included within that group. 45% said they were unsure, leaving open the important question of which way they would go when faced with a choice.


In the linked study, 10% said they believed vaccines caused autism, and while they were not asked if they accepted Wakefield’s claims, presumably just about all who do were in that group. 45% said they were unsure whether vaccines caused autism, leaving open the important question of which way they would go when faced with a choice.


Attention is not the problem; it's the lack of accountability. Social platforms care about engagement, not quality of content (there's virtually no mechanism to incentivize content that meets any standard of quality other than what can be measured in the moment).


Quality is subjective, but there’s no accountability about harmful or illegal content either, so platforms don’t only promote “general purpose” spam, but actively harmful content that intentionally seeds outrage or encourages violence as that generally leads to more engagement.


Absolutely, it should include a range of indicators like spam, scams, known-falsehoods and unsubstantiated claims.


Quality is subjective? Is it information or a product? Or is all information now a product?


While I don’t find the arguments in the article compelling (ie population increases are good as they lead to growth), enabling humans to live forever has a more dire consequence: an acceleration of the inequality gap.

Death provides a natural mechanism to reset wealth and power. Without it, power will accumulate to those who already have it, forever.


> Death provides a natural mechanism to reset wealth and power.

Have you heard of inheritance?


Inheritance does not sustain wealth.

> A staggering 70 percent of wealthy families lose their wealth by the next generation, with 90 percent losing it the generation after that.

https://www.nasdaq.com/articles/generational-wealth%3A-why-d...


In some countries, like France, you’re not allowed to give more than x% of your inheritance to a single person.

This has drastic effects on how large multi-generational fortunes are able to grow.

So yeah, death does have an effect on income inequality, as long as the fortunes are split up upon death.


>Have you heard of inheritance?

A powerful businessman living forever isn't the same thing as inheriting his son. Children rarely follow in the footsteps of their fathers. What if Warren Buffett lived forever, for example? He's very good at saving money and investing. He'll eventually just have a large portion of the wealth that exists.


Hans is clearly cheating. Comparing his past games against what an engine would do is pretty damning. Chess engines are far superior to players and the best players in the world top out in the high 70s percent correlations (Magnus averages around 70%).

Hans has a string of games at 100% correlation[0], meaning he's playing perfect games. Past players who achieved this later went on to admit to cheating[1]. Magnus knows this because he owns part of chess.com and presumably sees the data.

Magnus has a lot riding on his statement. He wouldn't make it unless he was sure.

[0] https://www.youtube.com/watch?v=jfPzUgzrOcQ

[1] https://en.wikipedia.org/wiki/S%C3%A9bastien_Feller


That "100%" analysis is very deeply flawed. The author of the video even issued a retraction (https://twitter.com/IglesiasYosha/status/1574308784566067201...).

It's cherry-picked games and it doesn't compare to the "engine correlation" of other high ranked players against similar opponents. I would not rely on it as evidence that Hans is "clearly cheating."


She says that the ROI probability calculation is wrong, which is the last part of her video and a separate topic.

The part about correlations has not been retracted AFAIK. I agree that there's a need for a baseline though, there is one example on her recent twitter feed but more samples are needed to get a better picture.


No it's not. Just the probability calculation had a few flaws. The string of 100% games, esp. in the few tournament games he needed a win, is decisive. Note that he played a lot of games in each tournament on the 70% level, to fool statistics.


When I was younger, I spent many, many hours playing one particular video game. I became a “known cheater” at the game, despite never actually cheating (I’d cheated at other games in my early teens, but had since given up that lifestyle).

I can recall several players on discussion boards analysing my statistics and explaining how I was clearly cheating because it was impossible for a human to play like me. Humans, they said, just weren’t that accurate.

One cheat-detection algorithm even “caught” me one day, and I was promptly banned from that server. Confused about what had happened, I sought out the server documentation online so I could see what they had used to “detect” me. My crime, it turns out, was scoring too many kills per second.

I keep this in mind whenever I see another person accused of something similar. Sometimes people have just put in more effort and study than we choose to comprehend.


In one of my high school computer classes we'd often set up UT2003 LAN games. I was once called a cheater by someone sitting behind me who, at any point, could have directly observed my every move and corresponding input. I was baffled and amused at the same time. People that lose games have plenty of incentive to claim their opponent is cheating.

On the other hand, as my skill level increased in FPS games it became more and more obvious when one of my opponents was cheating. So IMO you can trust Magnus' ability to accurately estimate the chance of Hans cheating, but you can't trust his motivations for making the claim.

Aside: When you combine high skill levels with cheats that were designed first and foremost to avoid detection, it becomes almost impossible to detect them. For example in FPS games "aim-bots" are crude compared to "hit-scanners" that simply auto-trigger when your crosshair happens to pass over a valid target. Combine a hit scanner with a player who already has top tier accuracy, and you get super-human accuracy. Let the player enable and disable the hit scanner in real time and they control exactly how accurate they are without any conspicuous appearances. You'd have to (externally) record and sync the monitor's output with a camera that monitors their mouse movements, and even then you'd need EXTREMELY accurate timing - most likely a capture rate higher than the monitor refresh rate.


Chess is not some random online video game though


What's the difference? Many online games have the same player base and prize pools, and some have way more dimensions than chess.


Chess has a rating system, and we know what the best humans rate out at compared to the best chess engines, and we know the likelihood of lower ranked players beating higher ranked ones, just depending on how much difference there is, and where in the ratings the two players are. Chess is not some video game one person perfected playing.


Every competitive videogame has a ladder with ELO. Extremely similar to chess.


The parent said they were accused of cheating at a game because they played it enough to perfect it, which isn't something humans can achieve with chess. Even the best chess engines don't play perfect chess, they just play at such a high level that no human can beat them.

At any rate, a 19 year old ranking a couple hundred points below the world champion for the past decade isn't going to have enough practice to use that as an excuse. So no, it's not the same thing.


Outlier players exist in every game, probably because of normal distribution. Federer for tennis, Carlsen for chess, Serral for SC2 and dorkwood for his game.

The only way to certify their level is through strictly controlled competitions. eSports and chess do the same.


My most pro game experience was Battlefield 2 and I'd go on a public 64 player server and score most kills with only the knife. Thing is: My team mates and other pros were capable of doing the same. No pro would accuse us of cheating, just the average Joes.


I saw something about a runner being disqualified because they moved 9 hundredths of a second after the gun. Ten hundredths is permitted but nine is not.

It’s not impossible to believe someone could be just a sliver faster.


Ten hundredths is what’s impossible plus a generous safety margin. If you are under it’s definitely a false start. If you are just over, it was most likely a false start but you were lucky this time.


It is extremely unlikely that a human being can hear a sound and move their foot within 100ms. Based on what we know of the brain and nervous system, it's most likely that anyone who reacts under 120ms has jumped the gun.[1]

1. https://condellpark.com/kd/reactiontime.htm


In case anyone is curious, the starting times for the first five runners at the 110mH event at the 2022 World Championships were (in milliseconds) 99, 108, 109, 124, and 126.

While I personally disagree with the comment I am replying to regarding reaction times under 120ms, the issue at this World Championships was more likely that the reaction timing was wrong ...


Agreed. His ELO improvement alone is evidence enough imo.

His rating plateaued around 2300 from end of 2015 to mid 2018. Then in the last 2 years, I believe his improvement from 2400 to 2700 is the most rapid in history.

If you compare his rating with other young players like Duda, Firouzja, Gukesh - then his rating increase looks very unique.

I'm not aware of any chess prodigies that have followed a trajectory quite like this. So maybe Hans is an unusual talent. Or maybe, he's receiving computer assistance.


Daniel Rensch and others have said that Magnus has not seen chesscom cheating algorithms or lists. It had been a rumor in the chess world for a while that Hans has cheated before


He hasn't been officially shown but that doesn't mean that someone in the know hasn't leaked it to him. He's deeply connected and respected in the chess world.

Further, even if he didn't see it people notice when GMs get bans as their accounts turn inactive (which they had in this case).


You mean Magnus?


Titles are just titles. An executive's role changes dramatically as a company scales. CTOs in a 5-person startup are vastly different than CTO at companies with even 100 people (much less 10k or 100k). Great CTOs are capable leaders and will hire more experienced engineers they can rely on.

> One of the key roles of your company’s engineering leadership is to balance working on new features versus maintaining quality and squashing bugs.

Even at companies with 100 engineers, if the CTO is focused on software bugs, there are larger issues at play (i.e., talent density is too low, poor prioritization by product, etc.).

Aditya[0] seems to have experience here, but he's likely addressing the market of early-stage startups where he advises.

[0] https://www.linkedin.com/in/adityaagarwal3/


Love this! I use Horo[0] to set timers for myself, but this fits the use-case I have far better. Just picked up the yearly plan.

I would love to see the current timer in my mac status bar to see time remaining at a glance.

Congrats on the launch!

[0] https://apps.apple.com/us/app/horo-timer-for-menu-bar/id1437...


Much appreciated! I have a half-finished branch with the mac status bar timer, but there were issues getting it to look just the way I wanted. Hope to get that in eventually.

Horo looks like a nice one too.


Does Horo even work on Monterey on an M1? I tried launching it and nothing happened. No menu bar / menu extra icon, no dock icon, nothing.


Yup[1]. Also home to the famous "I don't like sand" scene from Episode II – Attack of the Clones[2].

[1] https://www.quora.com/During-the-James-Bond-movie-Casino-Roy...

[2] https://starwars.fandom.com/wiki/Villa_del_Balbianello

