I don’t think that is true. Not much at Google really bought into the UUID hype. At least not for internal interfaces. But really there is no difference between a UUID v4 and a large random number. UUID just specifies a standard formatting.
It is true, don’t do it.
Even at huge companies like Google, lots of stuff was keyed on your email address. This was a huge problem so Google employees were not allowed to change their email for the longest time. Eventually they opened it up by request but they made it very clear that you would run into problems. So many systems and services would break. Over time I think most external services are pretty robust now, but lots of internal systems still use emails (or the username part of it) and have issues.
IIUC Google accounts now use a random number as the key. But there are still places where the email is in use, slowly being fixed at massive cost.
I thought that was the problem at first too. But unless there are fields that are searchable but not visible at all to end users I have definitely found many cases where the term (and no stemmed version of it etc…) was in the listing.
Not to mention that Amazon search is happy to ignore most of the words in your search. So you end up sorting through pages of results that don’t match. Absolutely infuriating and one of the reasons that Amazon is my last choice now. Someone decided that it was unacceptable to show “no matching results” and lost my business.
What I do is take a capture of the page, then if they haggle on the refund I can clearly show that the product is not the one I ordered.
Most credit card issuers don’t issue credit cards to random apps by solo developers.
I would pay a lot of money to see Nintendo’s conniption over having to allow home brew and non-approved software on their game consoles. I would love to release emulators for older Nintendo consoles for the Switch so that they don’t get to keep charging people again to play old games on newer consoles.
Because to implement this you need to negotiate with individual credit card issuers. Basically how this works is that your phone is being issued a virtual card with the keys locked inside the phone’s HSM. Then it can be used to make NFC payments just like any physical card. So you need 1. contracts with many card providers, 2. card issuance processes with these providers, 3. huge amounts of compliance bureaucracy. At the end of the day it isn’t really worth it unless you are a huge company and expect to have tons of users or see it as an essential feature of your phone OS.
It’s not “inherently insecure”, at least not to that degree. (One could argue that lack of E2EE is insecure.) If you stand up an unrelated instance you shouldn’t be able to access private messages that don’t relate to an account on your instance. So only bugs in your instance, or your conversation partner’s instance, will be able to leak those messages.
I thought Apple implemented push notifications? Or did they just say they would? Either way you can file the bug with them I think.
Or wait until they allow you to install a browser that isn’t dragging its feet.
I wrote my own. I aimed for a different UX than most services. For my use case I have a few devices that I often share files between. So opening the tool on both devices was a bit annoying. Instead you select the file on the first device and you get a push notification on the other. Then the transfer is done over WebRTC (locally if possible). All communication is done end-to-end encrypted and over your browser’s push service.
Hosted: https://filepush.kevincox.ca/
The problem with Yubikey is that it doesn’t have a good enough management story for broad use. I do use it for a few core sites (like GitHub) but if I lose a key I need to get a replacement and register that replacement with every site I have set up U2F 2FA on. This is ok with a few core accounts but doesn’t scale to the hundreds of sites that I have an account with. I am sure to miss a few and then either I can’t log in with the new key or get completely locked out when I lose that key and get a second replacement.
Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn’t need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.
So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.
So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.
It is also worth noting that Firefox Sync is end-to-end encrypted. So the amount of data the server gets is quite minimal. (This is unlike the sync of a lot of other major browsers.) So unless you want to hide your IP and activity times from the host self-hosting isn’t critical.
I am willing to help moderate. I have minimal existing moderation experience but have a long posting history and online presence.
I will not be able to commit enough time to be a sole moderator, but can help out as part of a team.
There are dozens of first-person shooters but people love porting Doom to every device. Winamp is memes and nostalgia, I would bet that people would port it just for fun.
Yeah, just jump in.
To get started it is best to keep Windows around, then if you need to get something done urgently you can go back to what you know then figure out how to do it in Linux later. Dual-booting is probably the best option if you are gaming as GPU passthrough can be difficult to get great performance. That is the approach I took a long time ago and then at some point I realized that I hadn’t booted into Windows for months and just deleted the partition.
Yup, that “what can I start in 10min” question really ruins a lot of productivity.