I often need to open the Gboard app, and it'll present the "step 2" of the first-run experience when it's installed by asking me to select an input method; at that time Gboard would show up as one of the installed input methods.
All I remember is that I had switched to the AOSP keyboard because the Onyx one was really bad, then someone who uses Android more told me I should try Gboard, so I did that. Don't remember having to do anything special for setup, so the bug must not have affected me. Hope you find a fix.
I've got a Palma 2 and I like it. It replaces the Kindle for me: fits in the pocket, more book apps, actual feed reader and read later apps, good for typing quick notes and using Anki. You can also use Terminus to ssh to a box in a pinch.
I would never think of daily driving it as a phone if it had a modem. The biggest dealbreaker is that streaming music is a pain on e-ink devices: all of the services except Apple Music (which doesn't support 2FA sign-in on Android, so it's useless to me) are dark mode only, and dark mode is the enemy on e-ink. Another problem is that the camera is pre-smartphone level: it's really bad, and with e-ink it's harder to see if the focus is good. And of course, it's running an obsolete version of Android and is continuously phoning home to China, so you probably don't want any important data on it. But as an e-reader, I strongly prefer it to the walled-garden tablets.
> The biggest dealbreaker is that streaming music is a pain on e-ink devices
It's funny: I now use my eink device (Moaan) almost exclusively for music, because there's no streaming so I have to curate my playlist.
For the light theme, try poweramp or the likes that support themes.
> I would never think of daily driving it as a phone if it had a modem
I would never have purchased it if it had a modem. I like to disconnect; I don't want to be tempted by apps.
> And of course, it's running an obsolete version of Android and is continuously phoning home to China, so you probably don't want any important data on it.
I prefer the Moaan because I do not want the Google Play Store on my devices: I can still install apps from F-Droid.
E-ink phone-sized devices are excellent for a minimalistic experience: without color or a modem, you are less tempted to use apps.
I also do not want a camera: I prefer the smoother back, both to put a credit card holder there and to have no temptation to take a picture.
The point about playlist curation makes sense, it's a valid way to go about it. Another app that works well on e-ink is Plexamp, which can be used for a NAS-based library as a sort of middle ground. I've been down that road though and concluded that I do prefer streaming, particularly when it comes to keeping up with today's artists who like to do digital releases almost to the exclusion of anything else.
>I like to disconnect, I don't want to be tempted by apps.
Fair, but I was specifically addressing the people who want a device that fulfills the good/essential functions of a smartphone (messaging apps, GPS, music) with less app temptation. A cell modem is essential for that use case.
> temptation to take a picture
Hah, not really an issue for me. My friends are always complaining that I go on holiday for 2 weeks and come back with 2 photos. But that would be a consideration for those that have it and for the smooth back (the Palma 2's camera is almost flush but not quite). Depending on where you are in the world, having a camera may count as essential due to prevalence of QR codes. And the Palma 2's camera is so bad it usually can't read one from more than 6 inches away. Just really wanted to emphasize whatever it cost Boox to add a camera was completely wasted.
> I've been down that road though and concluded that I do prefer streaming, particularly when it comes to keeping up with today's artists who like to do digital releases almost to the exclusion of anything else.
Yes, even with stores like supraphonline.cz I often depend on yt-dl for new songs
I wish there was a more direct way to support the work of artists I like without being forced to use streaming (which I don't like).
> Hah, not really an issue for me. My friends are always complaining that I go on holiday for 2 weeks and come back with 2 photos
That's GOOD: it means we live in the moment and we enjoy the experience instead of wasting time and storage to take pictures we'll never look at ever again!
> Just really wanted to emphasize whatever it cost Boox to add a camera was completely wasted.
I could see a use case for QR codes or for translation, but if it can't even do that, I'd rather have the slick and flush back like on my Moaan.
Arguably, "phishing a credential" doesn't necessarily have to mean full compromise of the credential itself.
For example, in the case of SMS-OTP, the credential is (access to) the registered phone number, yet I'd still call an attack that successfully intercepts one OTP in time to use it a successful phishing attack.
Sure, if you assume the session is scoped to allow registering a new passkey. Depends on how the application is configured. Regardless, getting the credential is different from getting a session.
Author of the blog here. I actually agree with you that the subheading is quite misleading; any tips on what would be more appropriate? "Phishing passkey sessions using browser intents" doesn't make much sense to me.
I also echo some of the other critiques, which are that passkeys are advertised as phishing resistant and not phishing proof. I do understand that the average user may not grasp the nuance, but you leaned pretty hard into the idea that phishing them should be impossible.
One last recommendation. While I do think this is quite clever and a plausible attack scenario, this relies on the out-of-band authentication scenario. Assuming I’m sitting in the coffee shop or airport and click your link, I’m not going to reach for my phone to scan the QR. I’m going to investigate deeper why the passkey isn’t working directly. If you’re lucky, I’ll assume the site has a bug in passkey authentication and fall back to more phishable creds (if the site has both).
I don’t necessarily think of this as a flaw in your attack, rather that it might muddy the waters for readers that are less familiar and don’t realize that this mode is most commonly used when you are authenticating from a non-default device or made the conscious choice not to use a synced passkey.
I'm not sure I understand what you mean here with:
> I’m not going to reach for my phone to scan the QR
The whole point of the attack is that it can be delivered without you having to scan the QR code, exploiting the fact that browsers allowed (patched) navigation to fido:/ links, initiating the BLE communication to a malicious device that is relaying the communication to the legitimate site, stealing a session. Let me know if that clears up the confusion.
As for phishing resistant / phishing proof, to some it is the same thing; nothing is "anything"-proof, so I did not pay too much attention to the wording. Also, I just wanted to stress the fact that although some theorized attacks were present, I had not seen anything put into practice before, which is what motivated me to prove it was not impossible.
Thanks for the feedback, will be making changes to the blog to clear up some of the things you have outlined here :)
There are a couple of steps before the "1. User scans the QR code" step that readers not embedded in the passkey world might not be familiar with. People who aren't familiar with that flow aren't going to understand the what/why of scanning the QR code to begin with.
I only felt the need to leave a grumpy comment because of the word “credential”, so deleting it might help even if it leaves ambiguity. Otherwise maybe something like “attacker in the middle any site’s passkey authentication using browser intents” sounds more accurate.
Completely agree that dropping the tariffs on Chinese EVs instead would be the sensible move. Turning EVs into a culture war effigy was a horrible development for the future of the planet when the right did it, and it's no different now that the left is getting in on it. We have a technology that would be a key part of switching to clean energy, and should be doing everything possible to embrace it, but the political class has turned it into a football for their culture war game instead. Depressing stuff.
That would be totally amazing for Canadians, they are facing rising prices in so many things. The Chinese cars are half the price. I saw that BYD expects to sell 100k vehicles into Mexico this year, that's double the 50k they sold last year.
The long range PHEVs china has been building would also be ideal for Canada. Plenty of daily range even in winter and no range or infrastructure anxiety when you need more distance.
I've recently become aware of a distinction between PHEV and EREV. The PHEV doesn't have enough power alone in the electric motors to go pure EV all the time. There is a mechanical transfer case where both ICE and electric motor combine their torque. The EREV is a serial combination, more like the diesel-electric trains in current use. Some examples of EREVs are the Volt, BMW i3, and the Ramcharger coming out this year.
PHEV have plenty of motor power to go electric only for extended periods; the only limit is battery capacity. The key distinction is the plug in part of phev.
Mild hybrids cannot go electric only.
Hybrids can go electric only for very short distances.
PHEV can go electric long distance and use wall power. Most can mechanically couple the combustion engine to the wheels and do so in certain circumstances, like long distance highway use.
EREV is an emerging term for vehicles that have a combustion engine not mechanically connected to the wheels that only drives a generator. BMW i3 is one of the oldest examples. Volt is not; it can put mechanical power to the road.
Fun fact on the i3: California zero-emissions rules offered more credit for vehicles with more battery range than gas range, so BMW artificially limited the tank using software for i3s sold in North America. Owners can flash the Euro firmware to unlock physically present tank space as usable.
You've been repeatedly posting these ideological/nationalistic flamewar comments. Can you please stop? It's tedious and not what HN conversations are for.
Edit: we've had to ask you several times already. Eventually we have to ban this sort of account. In fact it looks like I banned you the other day and then had second thoughts—but your comments since then are making me wonder whether that wasn't the right call.
I can see how my comment above is snarky. Apologies for that. I am not able to edit it (the option doesn’t appear).
But I’m surprised about the “ideological/nationalistic flamewar comments” part. A lot of current issues in the news and on HN are political and especially geopolitical. Tariffs, Nvidia chips, DOGE, Ukraine/Russia war, for example. So there will be lots of comments that are ideological or nationalistic because that’s what is at the core of these issues. I guess what I’m asking is - are substantive politely worded comments that are still “ideological” or “nationalistic” (if I am using these words the same way) allowed?
Another thought: it looks like these types of stories have stopped being removed due to flags (like the DOGE ones), and with that change I see lots of comments in those discussions that I would consider tedious or just ideological (to me anyways). But they seem to be allowed to stand because they're the popular view on HN; maybe they don't get downvoted or flagged as much, so they don't get attention from mods. Do you think the typical flagging and voting patterns result in more moderation on the less popular views on HN?
Whoa, that's not helpful.* We have to ban users that attack others like this, regardless of how wrong the others are or you feel they are.
If you're going to respond in cases like this, please make sure you aren't breaking the site guidelines yourself, because that only makes things worse.
* btw, it also makes moderation a lot harder when people post like this. I'm not saying you need to care about that if you don't want to, but some readers might find it interesting to know: if you think that another account ought to be moderated, the worst thing you can do to inhibit that is to post an attack in the threads.
China is a better option, because they're not on our border claiming that it wouldn't be so bad if we were annexed.
Edit: I have friends in Taiwan. EU trade partners are better than China. But the US is currently the worse option, because they're directly threatening us, we're in an active trade war, and there's no ocean in between us.
Oh, and Russia isn't a dictatorship at all? And Traitor Trump doesn't idolize Putin and doesn't want to give the USA (and Canada) to his lord and master?
Russia is a dictatorship and Putin needs to be replaced by a real democracy with freedoms for its people. But that has nothing to do with the discussion around Canada, US, and China. The conspiracy theory that Trump works for Putin just doesn’t make sense. It seems obvious that gestures towards Russia are just Trump bringing Russia to the table to settle the war and to pull them away from China after that.
Optional app sandboxing that does what you're talking about already exists on every major OS, disregarding Linux distributions that don't have Flatpak. Seems to me it's less a UX problem and more cultural: a critical mass of developers take the easy way and users learn to ignore the alerts. Android has the same problem with the "all files access" permission. The one platform where this works, iOS, has a totalitarian ruler that requires all apps to be sandboxed and not request gratuitous permissions.
To really get around the culture problem you would need an OS that lacks the concept of undeclared data sharing between different packages.
I've moved to using systemwide Adguard on my home PCs and Macs. It's not a solution for work devices (my employer doesn't have ads on internal websites so this is not much of an issue), but it frees me from worrying about browser APIs and having to copy my custom filters to every single browser I want to use.
I think "power steering assist" here is another technical term that misleads people who aren't car nerds. It's not some kind of lane assist feature, it's the system that makes the steering wheel easy to turn at low speeds. Anyone who's used to driving cars built after 1950 or so would not consider it an optional feature.
Grok 2's per-token prices are similar to GPT-4o, but since Grok tends to write longer responses than others, it can be significantly more expensive to use depending on the task. If xAI prices Grok 3 to compete with o1, not everyone is going to be lining up to use it even if it's a bit better than the competition. If that's how it goes, I'll be interested in the pricing for Grok 3 mini.
>While applicable to all audiences, this guidance specifically addresses “highly targeted” individuals who are in senior government or senior political positions and likely to possess information of interest to [PRC-affiliated threat actors who hacked telecom networks].
Most people are never going to be targeted by intercepts or even by SIM swaps, and would still be just as vulnerable to phishing if they switched to TOTP. If you want better protection, hardware authenticators and passkeys are the best options.
The phishing resistance isn't that straightforward in practice. It requires using browser extensions, which some people avoid for understandable reasons (poor security track record compared to everything else about password managers, and some of them just aren't very good). Many services use multiple domains (my bank has a .com, a .org, and several third-party vendor domains where you might be expected to enter your credentials), so many people who don't know how to update their password manager entries are probably in the habit of manually copying info into places where it doesn't autofill. And speaking of places where it doesn't autofill, the vast majority of mobile app developers seem to be unaware of things like autofill hints for login fields and apple-app-site-association.