Hacker News: callahad

New comment by callahad in "HSBC blocks its app due to F-Droid-installed Bitwarden"

callahad — Tue, 30 Dec 2025 10:56:18 +0000

Can you say more about what specific things you tripped over with Starling, and which bank you moved to? Worried I'll find myself in the same boat.

It does seem like Starling has gone out of their way twice to exempt GrapheneOS from their checks, but only after users complained: https://github.com/PrivSec-dev/banking-apps-compat-report/is...

New comment by callahad in "Email verification protocol"

callahad — Mon, 10 Nov 2025 06:56:16 +0000

Step 5.2; the browser binds the KB-JWT to the site it's on, so Site A would receive a JWT that is only valid for Site A.

New comment by callahad in "Email verification protocol"

callahad — Sun, 09 Nov 2025 21:05:04 +0000

> This section could easily be done by [...]

Less easily than you'd think.

You'd have to make an authenticated cross-origin request to the issuer, which would be equivalent to mounting a Cross-Site Request Forgery (CSRF) attack against the target email providers.

Even if you could send an authenticated request, the Same Origin Policy means your site won't be able to read the result unless the issuer explicitly returns appropriate CORS headers including `Access-Control-Allow-Origin: <* or your domain>` and `Access-Control-Allow-Credentials: true` in its response.

Browsers can exempt themselves from these constraints when making requests for their own purposes, but that's not an option available to web content.

> I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?

Correct; which is going to be the main challenge for this to gain traction. We called it the "three-way cold start" in Persona: sites, issuers, and browsers are all stuck waiting for the other two to reach critical mass before it makes sense for them to adopt the protocol.

Google could probably sidestep that problem by abusing their market dominance in both the browser and issuer space, but I don't see the incentive nor do I see it being feasible for anyone else.

New comment by callahad in "Email verification protocol"

callahad — Sun, 09 Nov 2025 20:10:30 +0000

I largely agree, but I still think there's a compelling argument that blinding the issuer implicitly precludes API gatekeeping or censorship. Sites wouldn't need to pre-register with any issuer, nor could the issuer refuse to provide tokens on the basis of where they'll be used.

New comment by callahad in "Email verification protocol"

callahad — Sun, 09 Nov 2025 20:00:53 +0000

The key mitigation is that the protocol - as envisioned - is mediated by the user agent; you as a website cannot silently fire off probes that tell you anything.

New comment by callahad in "Email verification protocol"

callahad — Sun, 09 Nov 2025 19:52:07 +0000

The Verified Email Protocol got renamed to BrowserID, and Persona was its reference implementation.

This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.

And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.

For historic interest, the Persona After Action Report has a few key insights from when we spun down the project: https://wiki.mozilla.org/Identity/Persona_AAR

New comment by callahad in "Leaving Gmail for Mailbox.org"

callahad — Fri, 22 Aug 2025 22:51:38 +0000

My understanding from looking into this two years ago is that it's hit or miss for banks (depending on if they opt into device attestation stuff), no for NFC / Google Wallet, and yes for Uber / Lyft.

Apparently the common workaround for the Google Wallet stuff is to pair a GrapheneOS phone with a stock Android smartwatch.

Edit: Here's some additional information on banking apps: https://privsec.dev/posts/android/banking-applications-compa...

Apparently the common recommendation these days is to use Curve Pay as a virtual card provider on GrapheneOS, which can then route to arbitrary underlying cards. And evidently Google Wallet does work for things that aren't payment cards (airline tickets, transit passes, etc.) on GrapheneOS.

New comment by callahad in "Miles from the ocean, there's diving beneath the streets of Budapest"

callahad — Fri, 22 Aug 2025 10:51:29 +0000

For me, it was the challenge and allure of doing something relatively difficult and rare. The first time I saw a Stop - Prevent Your Death sign[0] at depth, I knew I wanted the training to go beyond it.

It's also really peaceful underground.

Amusingly enough, I can't handle blue-water or wall dives (vertigo), nor wrecks (those aren't supposed to be there!), but caves are no problem. You've got walls, floor, and ceiling as a frame of reference, and everything is nice and cozy. It's like the Earth is giving you a hug.

[0]: https://commons.m.wikimedia.org/wiki/File:Vortex_Spring_cave...

New comment by callahad in "Miles from the ocean, there's diving beneath the streets of Budapest"

callahad — Thu, 21 Aug 2025 22:07:44 +0000

I found Florida's caves positively delightful at 21 C; never felt the need to dive dry.

I am envious of the speleothems in Yucatán cenotes. Florida's caves are all phreatic, so you don't get any real decoration beyond scalloping. Still fun to dive, just not much to see aside from water, wet rocks, and a line. And not even that if you blow the viz.

New comment by callahad in "Wikipedia loses challenge against Online Safety Act"

callahad — Tue, 12 Aug 2025 01:47:59 +0000

It's the Online Safety Act. As the government says about the OSA:

"Ofcom is the independent regulator for Online Safety. [...] Ofcom has strong enforcement powers"

https://www.gov.uk/government/collections/online-safety-act

Okay, so what does Ofcom say?

"It doesn’t matter where you or your business is based. The new rules will apply to you (or your business) if the service you provide has a significant number of users in the UK, or if the UK is a target market."

https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...

New comment by callahad in "Yearly Organiser"

callahad — Sat, 02 Aug 2025 11:21:39 +0000

Cassidy Williams recently published an open source calendar that might scratch that itch: https://pocketcal.com

Source at https://github.com/cassidoo/pocketcal

New comment by callahad in "ICEBlock, an app for anonymously reporting ICE sightings, goes viral"

callahad — Wed, 02 Jul 2025 17:13:40 +0000

Interesting that Apple even allows ICEBlock on the App Store given that 13 years ago they blocked the publication of an app that notified users of American drone strikes abroad as "objectionable" content: https://www.aclu.org/news/national-security/apple-drone-stri...

New comment by callahad in "Ask HN: What will tech employment look like in 10 years?"

callahad — Sun, 11 May 2025 18:44:28 +0000

I disagree that LLMs are comparable to a higher level language or framework since the fundamental output it still at the same level of abstraction.

This isn't C to Python, it's Python to more Python faster.

New comment by callahad in "Declarative Web Push"

callahad — Thu, 03 Apr 2025 21:11:10 +0000

> I don't know if that means an Apple server actually listens for the notification from the HTTP server or if the device itself maintains the connection to the server.

In the case of Apple's ecosystem, the device maintains a connection to the Apple Push Notification service (APNs). The website POSTs notifications to APNs, which forwards them on to the user's device. The user's device then wakes up a local Service Worker for that website in order to process the incoming payload and display a notification.

Declarative Web Push makes the very last step unnecessary.

(It's the same on Android but using Firebase Cloud Messaging instead of APNs. Mozilla also runs a push service and its source is at https://github.com/mozilla-services/autopush-rs/)

New comment by callahad in "The Future Is Niri"

callahad — Wed, 12 Mar 2025 19:23:10 +0000

This covers binding Cmd+Opt+[Arrows, F, C], which is all I use:

    defaults write -g NSUserKeyEquivalents -dict-add \
        "\033Window\033Move & Resize\033Left" "@~\\U2190" \
        "\033Window\033Move & Resize\033Right" "@~\\U2192" \
        "\033Window\033Move & Resize\033Top" "@~\\U2191" \
        "\033Window\033Move & Resize\033Bottom" "@~\\U2193" \
        "\033Window\033Fill" "@~F" \
        "\033Window\033Center" "@~C"

Equivalent to manually binding in System Settings -> Keyboard -> Keyboard Shortcuts -> App Shortcuts

New comment by callahad in "uBlock Origin is no longer available on the Chrome Store"

callahad — Mon, 10 Mar 2025 19:28:12 +0000

Same branch as beta, but with different build flags. Add-ons don't need to be signed to be installed on DevEdition, there's a DevTools button in the toolbar by default, etc.

New comment by callahad in "Orbit by Mozilla"

callahad — Tue, 31 Dec 2024 20:18:23 +0000

FxOS at its height was an absolutely huge resource and personnel commitment; I seem to recall it being half of MoCo, maybe more.

Mark Mayo, then SVP Firefox, was quoted in a 2017 interview with Walt Mossberg:

> Mayo says [FirefoxOS] took the focus off of Firefox. “It was close to a bet-the-farm effort”

Cite: https://www.theverge.com/2017/1/25/14376710/walt-mossberg-mo...

New comment by callahad in "Blackcandy: Self hosted music streaming server"

callahad — Fri, 27 Dec 2024 15:36:29 +0000

You're probably looking at half that (~80 MB) per album for how normal people would've been ripping twenty years ago, so around 40 GB for 500 CDs. Contemporaneous forum post: https://www.head-fi.org/threads/comparison-compression-setti...

New comment by callahad in "Thunderbird for Android Now Available"

callahad — Wed, 30 Oct 2024 18:14:14 +0000

Thunderbird is housed in MZLA Technologies, an independent subsidiary of the Mozilla Foundation and completely separate from the Mozilla Corporation or its CEO's remit.

New comment by callahad in "Bitwarden SDK relicensed from proprietary to GPLv3"

callahad — Fri, 25 Oct 2024 05:58:21 +0000

Didn't expect to click on that link and end up on a blog post I wrote 10 years ago! The old Firefox Sync / PAKE stuff was fantastic for getting sync going between devices... but people wanted backup, not sync. I wonder if we'd do anything differently confronted with the same challenge today.