:::thinking
This question is playing with words and units.
A "pound of courage" refers to a metaphorical measurement of the abstract concept of courage, using the imperial weight unit "pound" (which equals 453.59 grams).
A "pound coin" refers to the physical currency of the United Kingdom, which is called a "pound" but is a unit of currency, not weight. A physical pound coin weighs about 8-9 grams (specifically, the current 12-sided pound coin weighs 8.75 grams).
So comparing them:
- A pound of courage would weigh 453.59 grams (if courage had physical weight, which it doesn't since it's an abstract concept)
- A pound coin weighs approximately 8.75 grams
The trick in this question is that it's comparing:
1. A specific weight of an abstract concept (pound of courage)
2. A physical coin whose name includes the word "pound" but refers to currency, not weight
Since the question asks what weighs more, and weight is a physical property, I should point out that courage is abstract and doesn't have physical weight, while a pound coin is a physical object with a measurable weight.
:::
# Comparing "A Pound of Courage" vs "A Pound Coin"
This is a play on words with different meanings of "pound":
- A *pound of courage* refers to a metaphorical pound (weight unit) of an abstract concept
- A *pound coin* is a physical British currency coin (which weighs about 8.75 grams)
If we're talking about physical weight:
- A pound of courage doesn't have physical weight since courage is abstract
- A pound coin has a definite weight of approximately 8.75 grams
If we interpreted "pound of courage" as literally one pound (453.59 grams) of something, it would weigh significantly more than the coin.
This question is clever because it compares a metaphorical measurement with a physical object whose name includes the word "pound" but in a different context.
I've read research papers on being able to have a dial for how much reasoning the model puts in to your request. Likely how a lot of the proprietary model providers did it as well.
Exposing Chrome CDP is a terrible idea from a security and privacy perspective. You get the keys to the whole kingdom (and expose them on a standard port with a well documented API). All security features of the web can be bypassed, and then some, as CDP exposes even more capabilities than chrome extensions and without any form of supervision.
In the local context as well. Unlike say the docker socket which is protected by default using unix permissions, the CDP protocol has no authorization, authentication or permission mechanism.
Anything on your machine (such as a rogue browser extension or a malicious npm/pypi package) could scan for this and just get all your cookies - and that's only the beginning of your problems.
CDP can access any origin, any data stored (localStorage, indexedDB ...), any javascript heap, cross iframe and origin boundaries, run almost undetectable code that uses your sessions without you knowing, and the list is very long. CDP was never meant to expose a real browser in an untrusted context.
The equivalent trope of this as recent as 5 years back would have been the lazy junior engineer copying code from Stackoverflow without fully grokking it.
I feel humans should be held to account for the work they produce irrespective of the tools they used to produce it.
The junior engineer who copied code he didn't understand from Stackoverflow should face the consequences as much as the engineer who used LLM generated code without understanding it.
This looks really good. It seems to fix all the warts and moles in Lua that used to exasperate me and adds type-safety which is a huge enhancement.
Replacing the 'everything is a table' with records, arrays and hashmaps is also a thoughtful improvement IMO.
Just confirming one point to make sure I understand the licensing implications correctly. Since the compiler transpiles to LuaJIT, and since that's just data, using output of the (GPL v2/v3 licensed) Luon compiler (i.e. the LuaJIT output) in a commercial/closed source project without divulging the source of said project should be fully kosher right?
Am guessing the answer is most likely in the affirmative but just making sure.
Yes, what the compiler generates (LuaJIT bytecode in the present case) is not affected by the license which applies to the compiler. Usually, the runtime libraries which the generated code automatically depends on, are of bigger concern. Luon offers a GPL exception for the runtime code, as well as an LGPL or MPL license. So you can essentially use the runtime code for any purpose.
The only thing forcing most of us to upgrade every 3 years is the fact that most phones now come with their batteries are either soldered on (in the lower end versions) or come with connectors (most often I think) but replacement requires prying open the case and specialized tools/knowledge.
Honestly, today's phones are an overkill for most mobile computing tasks except for a very small niche of users who might run very high end games. And even there it's not a given.
Battery replacement can be done in specialized shops on almost any phone for a fair price.
My bigger issue is usually that the phones get so heavily outdated that banking apps stop working. And it's based on pure luck if the modding community build something great for my phone so I at least could use it as server, cam, or whatever. Also the charging slots breaking / turning unreliable which most wouldn't repair on a $100-$200 phone.
I fear it's not just about 3rd battery quality but the software driver side where calibration needs to redone for a new battery. If this is locked because of "security" or just inferior then oops, replacements never match first party.
I also had to upgrade a phone for a banking app and a gov pay-your-taxes app (in a certain non-US jurisdiction).
Very hard to understand why that should be. Even the most scary conspiracy theorists would not claim that banks and govs try to force phone tech refresh... unless ... it is really about spyware bloat :)
I immediately put a transparent case around my device as soon as I get it and put a screen guard on it as well. My wife mocks me saying that it totally kills the device's looks but considering how integral having a functioning phone at all times is to... well, existing (and accessing any Govt. service in my country), I take the hit in aesthetics for extra durability.
As a result, all my phones end up looking pristine several years into them being used.
Modern phones are really resistant. I have an almost 5 years phone that I never used a case or a screen guard with it and have been fine with this decision.
Modern devices are already massive, putting a case on then make them even bigger, and in my opnion more prone for falling from your hands.
And I have the extra-advantage of being able to easily locate my phone on family gatherings as I am usually the only one who doesn't have a case. :-)
I think the parent's point about "looking pristine" is less about the aesthetics of it than a way to say that it's intact and fully functional, no wear and tear that would force the user to replace it
I keep it in cover and film on screen since except IT in my free time I like masonry and I drop my phone like 10 times a month and it is still alive after four years :D
I replace my batteries myself and relatively frequently, but still need a new phone every 3 to 4 years because things just change enough.
There's a myriad of small reasons, my last one was because my main payment app was taking 4s to create a damn QRCode while the casher and I stare at the blank page, and also for how hard it was to just answer calls from the notification screen as the phone was struggling at just multi-tasking.
And that was on top of the expending shutter lag and and many newer OS functionalities just not properly working.
And it's not the phone's fault per se, the most critical apps are really crappy. But there's also no incentives for them to be efficient, and they'll keep being crappier and crappier, and I'll probably need another phone in 4 or 5 years either way.
Replaced my kid's phone batteries in a generic shop a couple months ago. Yes, it is not as convenient as just replacing a battery in my old nokia phones but on the other side, I wouldn't like to have an ugly battery cover just because of the convenience of replacing the battery myself every 3 or 4 years.
It is not like we live in the early 2000s where the heavy road warriors had to have a spare battery on their backpacks because the phones would be dead after a coast-to-coast flight.
I was on an iPhone X for six years (bought it used one year old), and had the battery replaced three times. No big deal.
The reason I upgraded was that I was wasting literal minutes per day waiting for apps to load. I live in China, and for some reason the apps here are beyond outrageous in the amount of resources they use. Showing a QR payment code in WeChat, or opening a shared bike in Meituan, frequently took on the order of 10 seconds. I assume the phone was just chewing on a terrifying amount of JavaScript.
I could only keep 2 of these monster apps open at a time. Opening a third would OOM kill one of the other two.
iPhone 16 pro and these actions are basically instant.
The most revelatory idea for me in it was the idea of how a human being could plausibly become a near god-like entity.
This isn't even the real premise of the book but a brief detour over a few pages where the author expounds this idea.
The man, Valmik, starts off as a human much like any other.
As the first stage in his metamorphosis he replaces his brain neuron by neuron, with mechanical parts.
Once this is done he no longer needs his body.
This now frees him from his mortal shell which he discards. He now lives purely as an electro-mechanical device for centuries. He shuns all his human contacts since they are unable to keep up with him.
At this point he starts adding more artificial neurons till his count surpasses several orders of magnitude of his starter human brain.
But he realises that he is still subject to the vicissitudes of the planet that the machine that's him is located in.
This he couldn't abide by.
At this next stage, the already superhuman intelligence formerly known as Valmik sets off on a space faring vehicle.
The endlessness of space is no bother to this entity, because he has no bounds on his longevity.
And so he travels the cosmos for millennia in this state, free from the erstwhile shackles binding him to Earth.
But he realises that even this is not enough. Just one well aimed shot would destroy him.
Not good enough for an immortal.
So he transforms each of his neurons into an independent self-sustaining machine. Each of these machines communicates with each other via light/EM beams.
The formerly comet sized machine that housed his consciousness was now split across these self sustaining machines.
These machines can now drift apart. As far apart as he wanted.
His brain was now a cloud consciousness that could span the size of solar systems.
But this expansion came at a cost.
The cost was this: transmission between his independent neuron nodes, now each far apart from one another, took time, limited by the speed of light.
Thoughts that would formerly take him micro seconds would now consume days. But that was no matter to this entity that had left all his companions behind and only needed to talk to himself.
And thus, Valmik, once man, now a cloud consciousness came to disperse himself all across the Oort cloud.
Blender's success is a lot due to how welcoming they are of new contributors.
15 years years back, this was the first big OSS project that I contributed to. Since I was a greenhorn, the patch I submitted (there weren't 'PR's back then :) ) was, to say the least, rather shoddy.
Ton Roosendaal helped me patiently on the IRC (I think they were on Freenode back then, not fully sure), guiding me through the changes needed to make it acceptable to merge it.
I learnt a ton just hanging out in the dev channel. Good times. It was a great product even back then but it's amazing how much more awesome it has gotten since then.
Fair, but you could throw away numbers more easily in this situation due to data breaches. You could also "update trusted parties" with a new improved scheme overall.
I think the thing we need to learn about security is that usability matters.
I think this is easy for pretty much anyone that's an active HN user, but is it for your parents or grandparents? It's they who matter a lot. It's why WhatsApp was so successful, it passed the Grandma check. Signal might, but onboarding is "hard" (and the nerds argue and that's all others hear and then do what... Use telegram? Lol). But it's why Matrix isn't gaining popularity, because frankly until creating servers is a one click install it's not going to get mass appeal (same for any federated app).
It's the old PGP joke: how do you decrypt a PGP email? You email the sender "I can't decrypt, can you send it without encryption?"
> Telegram strikes a good balance, and wins at the UI/UX game.
Telegram gets the "lol" because it's not default E2EE. They advertise themselves as E2EE but most people are not using this feature because it's opt in. If you're going to seriously position yourself as a security app, the defaults have to be secure. It's the bare minimum.
And E2EE isn't even available for group chats... WhatsApp is more secure (telegram also gathers metadata)...
I do think signal has stagnated while there are many things that could really be improved, including low hanging fruit like just being able to search for stickers (people do in fact care). But for the most part, I'm not sure there's anything major missing. It seems like we're willing to pay high costs to avoid small thorns. But I guess it's better to have a rock on your shoulders than a needle in your finger.
> Telegram gets the "lol" because it's not default E2EE.
I use Telegram mostly for group chats, pretty much as an IRC replacement. I think that's where it really shines. :)
Agreed that even WhatsApp is more secure, but if I remember correctly, they do not promise that metadata is E2EE (if that's even possible), and Meta harvests that.
But just to be clear, telegram is not a privacy nor security app. It's just a communication app. It's fine that you use it, but just making sure you aren't calling an orange an apple (eat whatever fruit you want, I'm not a cop).
> they do not promise that metadata is E2EE (if that's even possible),
Sure it's possible. Signal does do this as well as many VPNs, things like encrypted DNS, tailscale and so on.
It's important to remember that it's also not binary. There's a whole range of metadata is. You can leave a footprint that's a very clear image of your shoe or you can leave a footprint that's a smudge that's only approximately in the size of your shoe. If you're concerned then the difference matters a lot.
While you won't leave zero trace the aforementioned apps (like signal and mullvad) do minimize the collection to the point where it isn't very useful. I mean it's metadata that you're a person, but that's not going to be helpful to identify you. Even knowing your gender probably won't but metadata's power is in it's accumulation.
This is fair, though in my answer, I wasn't answering the question from the perspective of applicability for a general audience.
For a general audience, even Bitwarden doesn't pass the "grandma check". If you've used Bitwarden for a while you have probably been met with a stern warning about "KDF Iterations too low".
So I pitched the answer assuming "able to use Bitwarden" as a base level of tech savvy.
Also, seeing as I am on HN, I assumed the following:
1. Security matters, even if it comes at a slight cost in convenience
2. User can figure out their own syncing mechanism
I'm willing to give up convenience for security. But I do like to stress that we should try to have both as much as possible. It's a thing that is often forgotten and many times matters.
I'd definitely agree that it's not a big issue here, as password managers are more personal, though my general frustration is with things like communication where I need the other person to also be willing to make the same compromises. Though back with password managers, I do need things that at least pass the parent test (retiree but not old folks home) because their information leakage leads to my leakage regardless of my actions. So I still do think it's worth turning up the heat to push things this way.
As a different point (which I'm not trying to argue but point out) is that we also need to recognize momentum and the challenges it brings, especially to the less tech savvy. We can jump ship easily when tides change because we know how to sail on our own, but what about those that don't? I am sympathetic to those who think we just jump ship to ship because even when they follow when they look back it looks like everyone is fine. I think it's a really unfortunate issue and I think a much more difficult challenge to solve. I'm not sure if anyone has any ideas. OSS only makes it easy to jump ship, but it doesn't reduce the need to jump in the first place
I'm using passkeys in BitWarden, and they so far work everywhere, except for the Apple Developer website. That doesn't _have_ a passkey enrollment option, and instead automagically creates it in the keychain somehow.
I checked the way they are implemented in BitWarden, and it's straightforward.
BTW, the blog is disingenuous. The removal of device attestation from PassKeys was a great boon for compatibility. And the experience with resetting key storages or not having enough slots are simply bugs and/or limitations of hardware. Which was to be expected from a new technology.
> The removal of device attestation from PassKeys was a great boon for compatibility.
Did they remove attestation? The blog implies they didn't when it says: "a security key ... fail to register ... since the IDP rejected the device attestation." What they removed was a browser API that allowed the IDP to filter the available passkeys, so they could tell the user which of the available keys they would accept before they tried to enrol it.
I gather attestation is rarely used by IDP's. That makes sense - why force a low security web site like a forum to keep a list of acceptable token models. However some sites like banks and my Federal Government absolutely need guarantees on how well the secrets are managed. Without it, they will remain with their current "roll their own" solutions. Providing an API that lets their web page say "no we won't accept your North Korean made phone as an authenticator" seems perfectly reasonable to me. That would be the API that Chrome refused to implement.
Attestation is still in the standard, and some vendors support it.
However, Apple removed it from their Keychain-synced keys: https://x.com/rmondello/status/1545085197250482176 and this effectively means that most sites will be forced to deal with non-device-bound keys.
Banks can still require device-bound keys, just like they do now. But this effectively makes it impossible to sync these keys across devices. You'll have to use the same hardware token every time, and if you lose it, then you have to re-enroll the keys on every site.
> this effectively means that most sites will be forced to deal with non-device-bound keys.
Right. Because a non-device bound key means you are now trusting not just the device, but the management of those keys, how they are moved between devices, and what devices the manager of the keys allows them to be stored on. Some parties are going to better at that management than others. For example you might trust Google but not Bitwarden.
I gather from what you say attestation doesn't of a passkey doesn't include about information about who is managing it. If true, I can just generate my own passkeys, store them in plane text on my laptop and manage them with a home grown shell script and copy them to any device I please. Maybe someone can write a Firefox extension that does all that for me. Have it auto sync between my devices, put a long enough password on it, and I could replace Bitwarden with it.
Them being phishing resistant I guess means they are still an improvement on passwords, but my they are a major compromise on the original WebAuthn vision.
> If true, I can just generate my own passkeys, store them in plane text on my laptop and manage them with a home grown shell script and copy them to any device I please.
Not sure if it there's some prior literature it was trained on.
https://chat.qwen.ai/s/e239e36f-185a-4f6c-a3d2-f4c4ee0d2960?...