jkirsteins's comments

jkirsteins | 1 year ago | on: Kim Dotcom's extradition to the U.S. given green light by New Zealand

> There are no rules, only consequences

I understand this as "if you're willing to suffer the consequences, then there is no rule."

E.g. a millionaire might be fine getting a speeding ticket, so that particular rule might as well not exist (except in Finland? where they scale speeding tickets to income)

jkirsteins | 3 years ago | on: Show HN: Open-source OAuth service for 40+ APIs

Pitch looks cool, and I see you have some getting started docs.

Do you have some high-level overview of how it all fits together technically?

IIUC the tokens are stored in a backend service (available on GitHub)? Are they encrypted? How does the frontend SDK communicate with the backend, is there some OAuth flow first to the backend service, to get a user-specific key, which lets you store subsequent tokens?

jkirsteins | 3 years ago | on: Show HN: I made a Wordle clone on an iPad using the new Swift Playgrounds 4

I was very excited when Apple released a way to make apps on an iPad. I use mine a lot, but was missing the ability to make stuff.

When Playgrounds 4 came out, I set myself a goal to produce an app A to Z entirely on an iPad. The code, all assets, scripts, icons, everything.

All in all, it took me about 2 months of evening hacking to get it to the app store. The app is written in SwiftUI, and additionally, I used iSh to write some scripts (bash and python) to manipulate the word lists.

The word lists were fairly tricky. To get started, I used some open-source Hunspell dictionaries I found online. Then I did some postprocessing:

  - extract the lemma form of each word (for some languages the game would be impossible without this sanitization)
  - filter for the right length
  - cross-check against an online thesaurus if the word really exists
  - remove (somewhat arbitrarily) some weird words that wouldn't be fun to guess

Getting the lemma form was fairly slow on iSh, so I did this step on a DigitalOcean droplet (though still through the iPad using iSh + SSH).

For the python scripts, I used a split-screen setup: on one side I used the Buffer code editor, and on the other I used iSh. I mounted the editor filesystem into iSh, so I could simply run "python3 myscript.py" whenever I made any changes.

When I started out, I had 0 ideas about SwiftUI. It's pretty cool, but I made a lot of rookie mistakes. The worst one was using a lot of inefficient computed properties before I realized that they might be called literally hundreds of times per keypress.

What I missed the most was the ability to write tests. I ended up compromising, and writing UIs that performed a test, and then presented a green/red message about the outcome. I had dedicated "test views" that I manually inspected in the previews pane. It helped me catch some regressions, but it wasn't a great experience.

Some features were not possible (initially I wanted to have iCloud synchronization, and localization, but Playgrounds doesn't support these).

And - interestingly - while you can submit the app to the app store through Playgrounds, you have no way of generating the required screenshots on the iPad. I ended up initially faking some screenshots using Procreate (enlarging them to the right proportions). Subsequently, I wrote a view that simulated different screen sizes and could save a screenshot directly to the camera roll. This made it easy to submit new versions, as well as find actual layout issues from different size devices. All on the iPad.

Overall, the experience was very interesting. It was limiting, the screen was small, there were lots of bugs in the tools, and the previews didn't always act the same as the real deal... but it was also cool. I found the friction was very small to resume coding (i.e. if I'm in couch potato mode, my iPad is usually nearby, whereas my MacBook isn't always).

I'm now working on a different app, and while it's written mainly in Xcode now, I still use the iPad to prototype views/interactions when I can.

You can check it out on GitHub, it's open source. The main branch is migrated to Xcode, but I kept a branch, which contains the app as it was developed on the iPad.

jkirsteins | 3 years ago | on: SwiftUI in 2022

I recently wrote a full app (Wordle clone) in SwiftUI using the iPad Playgrounds app as a personal challenge. I didn't have a lot of experience with UIKit, and literally 0 with SwiftUI.

There was definitely a lot of time spent looking into why basic things are not working as expected. There are many counterintuitive things to it, I think, and some bugs.

But overall, as a newbie to iOS development, it was a fairly nice experience. I am skeptical I could've iterated/developed something complete (despite the issues) as fast with UIKit.

I only wish they made it open source. It feels like it would really benefit from being run more like the open source Swift frameworks, rather than this opaque update-once-a-year thing.

jkirsteins | 4 years ago | on: A simple system I’m using to stay in touch with hundreds of people

There seems to be a non-fringe sentiment that "this is pretending to care" or "you can't automate friendship", etc.

I see where it's coming from, and I agree to some extent - I wouldn't want to be contacted "for the sake of it". Feeling like it's a chore for the other person that they have to get through, in the hopes of some (maybe financial?) reward at the end of it.

However, I think this approach warrants some defense against the "I would purposefully avoid people like this" reaction.

Using myself as an example - I have considered doing something similar, and I liked the article a lot. And it's not because I "want to hack some serendipity", but because I genuinely have a hard time finding enough time for all the things that matter in life. Having a system in place doesn't mean it's fake, it means you are prioritizing this aspect of your life (i.e. you care enough) and are finding ways to fit it into everything else you have going on.

In a normal workday I spend ~9 hours in "work mode". I want to fit in ~1-2h of running every day to counteract my sedentary lifestyle. I need to spend some quality time with the immediate family (wife and kids) - let's say ~2 hours. And there are additional little everyday tasks that need to happen every day - shopping, helping kids with their homework, doing the dishes, etc.

How much time does this leave to socialize? I will occasionally think of some friend or another, and miss them. But I won't have time to reach out in the moment. And then - e.g. when the weekend comes - who do I reach out to? Do I spend every Saturday just calling everybody in a row?

I enjoy catching up with my friends, but it takes a lot of energy for me. I can't feasibly reach out to everybody in a given weekend - it would leave me completely drained, and exhausted.

So I prioritize. I try to reach out to people I haven't spoken to in a longer time period. Or people I know have had some life event happen recently, etc. I try to find a way to keep in touch with most people, instead of just a few of them.

But here's my issue - it's hard to remember how to schedule who to get in touch with, and when. "Did I last talk to X 1 week or 2 weeks ago? Should I get in touch with Y instead?" etc.

Now, I could start taking paper notes, or look at my calendar, etc. But at this point I'm setting up some mental system to help me with the scheduling. Which is basically just a different (possibly less efficient) flavor of what's described in the article.

Now, maybe I'm projecting, and this doesn't apply to many others. But please consider - if you feel someone in your life is reaching out through automated means - that they might really care, and just have a hard time figuring out how to do it otherwise. If scheduling catch ups comes naturally to you, it might not to others.

(and I know the article mentions "serendipity" and is not necessarily about catching up with close friends. I think it works well for both)

jkirsteins | 4 years ago | on: Ask HN: How can I make a “kid's computer” today as good as an Apple II?

iPads have a lot of good stuff, I think. I've 2x 7 year old girls, who have iPads. Generally they're limited to 1h/day, but screentime is off for:

- Codea - https://codea.io - it took a while, but eventually they found out that there's a few sample games, so they thought they'd found a loophole to "no more screentime for games". Then it took a bit longer until they realized they can tweak the source code. "Look at this, no gravity" or "Look at my high score!" (after tweaking the scores to increase in increments of 1000 instead of 1), or "Look, I changed the text messages" etc.

- Swift Playgrounds - they're not super fascinated with this, but I see them occasionally open it and noodle around.

- Procreate - they have an Apple Pencil, and any YouTube video about using Procreate is exempt from Screentime limits. This has led to a lot of amazing digital illustrations.

- Pages - just this simple built-in app is already pretty fun if kids are bored, and something is exempt from screentime. Last weekend one of them asked to go to Starbucks, because she's "writing a novel". She wrote a short story over ~5 pages, and was super proud of it.

- YouTube - in general, this is my least favorite app of theirs, and I try to police this the most. But any requests for videos where you learn things are exempt from screentime limits (case by case). E.g. Lego builds, origami, drawing instructions, "how to make slime at home" videos, etc.

This is a great question, and I'm eager to see what other creativity-fostering approaches are there. But to sum up my approach - limit screentime for mindless games, and let boredom take care of the rest.

jkirsteins | 4 years ago | on: Bank transfers as a payment method

I think it's less "factually incorrect" and more "nuanced and incomplete".

As a European that moved between countries, I was very surprised when I learned that a SEPA "pull" mechanism even exists. I lived 30 years in Latvia without knowing this is a feature in SEPA because every single payment is a "push" mechanism. I'm not sure if banks can turn this feature off, or if it just culturally never gained traction.

On the other hand, payments via banks are fairly widespread C2B, because every bank offers a (custom and horrible) API that merchants can implement. So users can authenticate directly with their bank as if it were PayPal, and authorize a SEPA payment to the merchant's bank account.

In fact, services that care about user identity will often use these bank APIs to perform authentication with a high degree of confidence about the received user information.

Then I moved to France, and every bank interaction is "pull" based. While friction in Latvia came from authenticating before initiating the "push", in France the friction comes from agreeing to direct debiting, and signing various authorization slips. Sometimes electronically, but sometimes you have to send them by mail before you can start paying for a long-running service by bank (this makes it very undesirable for one-off purchases. In fact it is so cumbersome, that I prefer to pay for many services by credit card every month)

> I doubt the claims of very high fraud rate.

If I provide my account number to a service provider, they can debit it without me explicitly authorizing them (I have to sign an authorization usually, but there's nothing "technically" blocking the counterparty). I suppose that could lead to high fraud rates.

jkirsteins | 6 years ago | on: Getting 2FA Right in 2019

There is probably no good answer that doesn't sacrifice security. At some point you have to be willing to say "ok, I accept this risk, this is still way better than using just passwords."

Personally, I enroll multiple devices for each account where I enable 2FA (technically not a supported operation, but nobody can really tell if you scan a QR code twice).

It's technically less secure, but I think a decent compromise.

(self promo, but related to the topic at hand: since I don't have 2 phones, I made a utility to enable using T2-equipped Macs as a 2FA client that binds the keys to the hardware. You can check it out at http://github.com/sqreen/twofa)

jkirsteins | 6 years ago | on: Apple Sign In

My point is EU will adopt regulation that actively harms competition (such as GDPR), because they have different priorities (e.g. privacy, data ownership as you mentioned).

So to me it seems unfounded to say EU cares about market health and is not, in fact, just picking on FB and Google.

I am honestly curious what you think are examples of EU mechanisms fostering healthy markets. Maybe the MS case but that is the same “EU picks on US tech giant” genre.

jkirsteins | 6 years ago | on: Apple Sign In

This is a bit of a rose-tinted outlook. GDPR does not increase competition; the amount of regulation in EU and worker protections in place raise barriers for new competitors. France has laws that prohibit new movies from being put on Netflix in order to support local distributors etc.

Not saying what the EU does is good or bad, but painting it as pro free market competition seems unfounded.

jkirsteins | 6 years ago | on: Honeywell Brings Blockchain to Used Aircraft Parts Market

Ask yourself, “where does the data originate?”

If the data originates offline - e.g. paperwork for an aircraft part - you still need to trust whoever puts the data on the blockchain. Are they who they say they are? Are the documents trustworthy? The blockchain ensures traceability after data is on the blockchain, but not that the initial data makes sense.

So if you need to verify these aspects manually at some point, might as well have everybody work through a regular API.

However, in case of a digital currency - e.g. bitcoin - everything is generated on-chain. There is no crossing the offline/blockchain boundary. You can verify that data was generated according to the algorithm, and how it was used afterwards. This is where a blockchain is not necessarily replaceable with a simple REST API.

jkirsteins | 6 years ago | on: PyPI now offers two-factor auth

If you use macOS, there’s this: http://github.com/sqreen/twofa

It’s a CLI tool that generates TOTP codes (and puts them directly in the pasteboard). You can “scan” the QR code by taking a screenshot of it, and when generating codes, it’ll ask you for your password (or fingerprint, if you have a mac with TouchID)

(disclaimer: I’m the author of this)

jkirsteins | 6 years ago | on: SaaS CTO Security Checklist

> but then, I guess I don't think this checklist does, either.

Why do you say that? Do you think the items on the list are not useful/well prioritized? Or that most companies are not positioned/incentivized to follow most of this advice?
