Bluesky feeds are still server-side (due to needing to process all of the available posts to generate the feed) but at least you can choose which ones to use and people can make their own, which is an improvement over a single app-provided algorithmic feed.
The distro package in question here is a Fedora-specific Flatpak, not the Fedora-specific RPM distro package version. From my understanding, it is missing things like patented codecs which then causes bug reports to be filed with upstream, OBS, instead of the ones responsible for the package, Fedora.
Fedora has its own Flatpak repo as the default instead of Flathub (which has the official OBS package from the upstream developers).
I think their point was that it's less phishable from the perspective of needing the attacker to try logging into the site with it in real time instead of being able to just store the password for some later time. The needed concurrency makes it more difficult (if only slightly).
I'm curious, though, why you don't think TOTP or similar are good against credential stuffing; would you be able to expand upon that?
Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.
That is obviously bad advice; the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.
A far better solution is unique passwords; it works today with all service providers.
From my understanding, it didn't scan all of the files on the device, just the files that were getting uploaded to Apple's iCloud. It was set up to scan the photos on the device because the files were encrypted before they were sent to the cloud and Apple couldn't access the contents but still wanted to try to make sure that their cloud wasn't storing anything that matched various hashes for bad content.
If you never uploaded those files to the cloud, the scanning wouldn't catch any files that are only local.
Your understanding is correct, as was/is the understanding of people critical of the feature.
People simply don't want their device's default state to be "silently working against you, unless you are hyperaware of everything that needs to be disabled". Attacks on this desire were felt particularly strongly due to Apple having no legal requirement to implement that functionality.
One also can't make the moral argument that the "bad content" list only included CSAM material, as that list was deliberately made opaque. It was a "just trust me bro" situation.
> People simply don't want their device's default state to be "silently working against you
That was the misconception of what was happening though.
Nothing happens on your device. Only when it gets to the cloud. It just puts a flag on the picture in question to have the cloud scan it.
Which is exactly what happens before Apple suggested it and happens now. Except it does it for all your files.
> One also can't make the moral argument that the "bad content" list only included CSAM material, as that list was deliberately made opaque. It was a "just trust me bro" situation.
The CSAM database is run by Interpol. What evidence do you have that they are not being honest?
The scanning and matching is performed on your own device, against a copy of the databases which is encrypted to protect Apple and their data providers against accountability for its content. The result of that match is itself encrypted, owing to the fact that the database is encrypted. On upload the query is decrypted and if there are above a threshold of matches the decryption keys to all your content are revealed to Apple.
Your phone is your most trusted agent-- it's a mandatory part of your life that mediates your interactions with friends, family, lovers, the government, your doctors, your lawyers, and your priest. You share with it secrets you would tell no other person. It's always with you, tracking your location and recording your activities. And in many cases its use is practically mandated. I think it's inappropriate for such a device to serve any interest except your own.
While it is true that the original proposal operated only on images that you would upload to iCloud, many people assumed the functionality would be applied more widely over time. This article seems to have proved that point: Apple is now applying essentially the same scanning technology (this time they claim the database is of "landmarks") to otherwise entirely local photos.
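The "above a threshold of matches" step described above is a threshold secret-sharing construction. The code below is an added illustration, not Apple's code and a heavy simplification of their published design: each match is modelled as handing the server one Shamir share of a vault key, so any number of shares below the threshold is consistent with every possible key and gives the server nothing, while any threshold-sized subset reconstructs it exactly. Arithmetic is over the Mersenne prime field GF(2^127 - 1); the key and share counts are constructed sample values.

```python
import secrets

# Prime field for all polynomial arithmetic (2^127 - 1 is a Mersenne prime).
P = 2**127 - 1


def split_secret(secret: int, threshold: int, n_shares: int) -> list[tuple[int, int]]:
    """Shamir split: put `secret` at x=0 of a random degree-(threshold-1) polynomial
    and hand out its values at x = 1..n_shares. Here each share stands in for
    one 'match voucher' in the scheme discussed above."""
    assert 0 <= secret < P and 1 <= threshold <= n_shares
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. Correct only when len(shares) >= threshold;
    with fewer shares the result is a uniformly random field element."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def consistent_with_any_secret(partial_shares: list[tuple[int, int]], guess: int) -> bool:
    """Show the information-theoretic property: for threshold-1 shares, every
    candidate secret `guess` lies on some valid polynomial through those shares.
    Interpolating (0, guess) together with the shares always succeeds and
    reproduces the shares exactly, so the server cannot rule any guess out."""
    pts = [(0, guess)] + partial_shares
    # Evaluate the interpolated polynomial back at each share's x and compare.
    for xk, yk in partial_shares:
        val = 0
        for i, (xi, yi) in enumerate(pts):
            num, den = 1, 1
            for j, (xj, _) in enumerate(pts):
                if i != j:
                    num = num * (xk - xj) % P
                    den = den * (xi - xj) % P
            val = (val + yi * num * pow(den, P - 2, P)) % P
        if val != yk:
            return False
    return True


def threshold_demo(threshold: int = 3, n_matches: int = 10) -> dict:
    """Constructed scenario: a vault key split so that `threshold` matches are needed."""
    vault_key = secrets.randbelow(P)
    vouchers = split_secret(vault_key, threshold, n_matches)
    return {
        "key": vault_key,
        "below_threshold_recovers": recover_secret(vouchers[:threshold - 1]) == vault_key,
        "at_threshold_recovers": recover_secret(vouchers[:threshold]) == vault_key,
        "any_subset_recovers": recover_secret(vouchers[4:4 + threshold]) == vault_key,
        "below_threshold_fits_any_guess": consistent_with_any_secret(vouchers[:threshold - 1], 12345),
    }


if __name__ == "__main__":
    print(threshold_demo())
```

The design choice worth noticing is that the threshold is a server-side policy parameter: the client cannot tell what it is, and lowering it is invisible to the device, which is the accountability gap the comment above is pointing at.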
My message was an informal argument. Apple has proposed and (now) applied the same spyware technology to their desktop/laptop operating system as well. But for most people in the US their phone absolutely does occupy that most-trusted niche. For better or worse. The fact that this trust may currently be ill-advised is all the more reason people should demand change that makes it possible.
> If a government wanted to enforce it then none of what Apple suggested mattered.
Perhaps you live in a dictatorship. If so, I'm sorry. In the United States the power of the government is limited by the constitution. The kind of automated surveillance performed nominally 'consensually' via corporations would be unambiguously unlawful for the government to perform.
A law by the government requiring proactive scanning of photos would in fact make the whole situation worse in the US because there would need to be a warrant if the government is requiring the scan. As long as it's voluntary by the company and not coerced by the government, they can proactively scan.
A passkey is a synced, discoverable WebAuthn credential. While many implementations protect the private keys with additional security measures like secure enclaves or TPMs, it's not required. If you want to use an implementation that doesn't use those types of lock-ins, even when they're there to protect your credentials, you can. Multiple software-only implementations exist.
Generally attestation is not supported outside of enterprise contexts and Apple for example doesn't support it without mobile device management policies being applied to the device.
You can make your own backups of passkeys from your password manager.
I believe you are confusing ones that are stored in software or syncable (Passkeys) with the hardware backed credentials (platform authenticators).
> I believe you are confusing ones that are stored in software or syncable (Passkeys) with the hardware backed credentials (platform authenticators).
The problem is that the protocol allows websites to require use of the latter. If the two were indistinguishable to the website, then passkeys would be a good thing.
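The distinction the last few comments argue over is visible to a website in the WebAuthn authenticator data it receives at registration. The code below is an added illustration, not from the thread: it parses the fixed-layout authenticatorData structure (RP ID hash, flags byte, signature counter, attested credential data) and reads the WebAuthn Level 3 flag bits, including BE (backup eligible) and BS (backed up), which a synced passkey sets and a device-bound credential does not. The sample byte strings are constructed; the COSE public key at the end is left as an opaque CBOR blob since it is not needed to read the flags.

```python
import hashlib
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (credential may be synced)
FLAG_BS = 0x10  # backup state (credential is currently backed up / synced)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed-layout prefix and, when AT is set, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        info["aaguid"] = auth_data[37:53].hex()
        info["credential_id"] = auth_data[55:55 + cred_len].hex()
        info["public_key_cose"] = auth_data[55 + cred_len:]  # CBOR COSE_Key, unparsed here
    return info


def rp_id_matches(info: dict, expected_rp_id: str) -> bool:
    """The RP ID hash binds the credential to one origin; a mismatch must be rejected."""
    return info["rp_id_hash"] == hashlib.sha256(expected_rp_id.encode()).digest()


def classify_credential(info: dict, expected_rp_id: str) -> str:
    """Relying-party policy view of the credential. Note these flags are asserted by
    the authenticator itself; without attestation the site is trusting that assertion."""
    if not rp_id_matches(info, expected_rp_id):
        return "rejected: rp id mismatch"
    if not info["user_present"]:
        return "rejected: no user presence"
    return "synced passkey" if info["backup_eligible"] else "device-bound credential"


def build_sample_auth_data(rp_id: str, flags: int, cred_id: bytes = b"\x01\x02\x03\x04",
                           sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData for the demo (all-zero AAGUID, as seen
    with attestation format 'none'; a stub in place of the COSE key)."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    cose_stub = b"\xa5\x01\x02\x03\x26"  # opening bytes of a CBOR COSE_Key map
    return (rp_hash + bytes([flags | FLAG_AT]) + struct.pack(">I", sign_count)
            + bytes(16) + struct.pack(">H", len(cred_id)) + cred_id + cose_stub)


if __name__ == "__main__":
    synced = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    bound = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV, sign_count=7)
    for blob in (synced, bound):
        print(classify_credential(parse_authenticator_data(blob), "example.com"))
```

A site that wants only device-bound credentials can check the BE flag, but as the comment about attestation notes, that check is only as strong as its trust in the authenticator reporting the flag; cryptographic proof of the authenticator model requires an attestation statement, which many consumer authenticators do not provide.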