
Comment Re:CDs... the most under-appreciated music format (Score 2) 173

Check the packaging, I suspect you'll find that technically these aren't CDs. IIRC, Philips (correctly, IMHO) refused permission to display the 'compact disc' logo on discs which had abused the audio format to defeat rippers sufficiently that the disc no longer met the Red Book standard.

A company sticking up for having the technology *work* rather than extracting maximum dollars and control from consumers? Must be an old story...

Comment Re:Notepad++ ? (Score 1) 291

The first tech book on Unix I owned had a section on how you couldn't rely on this newfangled "vi" thing being available, or working from the console, on every system, and both taught and suggested as a default "ed", which is available everywhere.

I have recovered a very minimally-booting system with "ed" in anger. I don't want to have to do it again any time soon.

(Also had a great chapter on the joys of booting, and how to use repeated dcheck / icheck iterations to repair filesystems - unless you were on a *really* cutting-edge system that had the new "fsck" utility!)

Comment Re:RTFSpec (Score 1) 161

Seems a reasonable request, although I think you can get some of the way there with 'keep me logged in', appropriate use of cookies, and the sites making sensible UX decisions about how often to authenticate.

I'm happy if my many web forum accounts only ask me to authenticate the first time on a new device, or maybe every 30, 60, 90 days. Perhaps I can browse Amazon on a cookie, but I need to authenticate again to buy something? (Above a limit?) My bank should authenticate me when I log in, and again for each transaction I make. Your thresholds might be different...

Comment Re:RTFSpec (Score 1) 161

Again, skimming, but the spec seems fairly abstract in terms of "Authorization Gestures" and "Ceremonies" without mandating how these are done.

There is some mention of biometric specifics, but only (as far as I can find so far) in letting the requesting site specify acceptable false-positive and false-negative rates for the client-side Authorization Gesture.

I'm not clear yet how the site goes about validating that an Authenticator behaves as per the spec. Perhaps the onus is on the user if they use a client which lies about its ability to deal with key material securely? That would suggest we're still going to need some kind of user-education to use a robust Authenticator and not "Special Russian Business Network Keystore (with Prizes!)" that came as a drive-by install :(

Comment Re:Dongles? (Score 1) 161

It does seem to suggest that they expect out-of-band authentications to be possible. e.g. the password manager lives on your phone. When you log in from your PC, a request is sent to your phone asking if you want to allow access from that PC (with some kind of fingerprinting info that would let you make a reasonable confirmation that you're authenticating your connection, and not a random hack attempt being made at the same time). You unlock the password manager and authenticate on the phone, and that permits the corresponding PC session to proceed, without the PC needing to have access to the password manager.

Thinking about it, I already have cases where exactly this happens, for some Apple and Blizzard sites. I don't have to copy an authentication code from my Blizzard phone app into a PC login, I just acknowledge that it's my PC trying to access right now.

Comment Re:Yes, let us make it worse. (Score 2) 161

They're not doing that, unless I'm missing something. The one "password" (fingerprint) is used to unlock your local secure key store, which contains many "passwords" (keys) for many sites.

Reads to me like it's a standardised interface to a password manager (LastPass, KeePass, etc) with some verification, anti-replay, etc on top, and using longer and better-generated secrets than a handful of typeable characters.

Comment RTFSpec (Score 1) 161

The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.

This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.

When you register with a site, you and the site generate authentication keys. You swipe your fingerprint, insert your USB magic-key, or whatever to unlock the secure key store, and your authentication key is stored - either in a secure enclave, or encrypted with a totally local key that's stored in the secure enclave.

When you go back to log into that site again, you're prompted to complete the same ceremony again to unlock the key store and retrieve the material you prepared earlier.

There's some more details on top of that to make sure that:

- the site asking for your credentials is the same site you registered with
- the site can *only* ask for the credentials associated with it, not convince you to swipe / insert / whatever and go fishing in your key store for other useful credentials
- the credentials are generated correctly to have lots of length and randomness in so password-style brute-force or rainbow tables aren't applicable

and the authentications are encrypted challenge / responses, rather than direct exchange of actual key material, so you try to avoid replay attacks and the like.

The only place your biometric info is ever used (if you want to use it as one of your factors) is to unlock your local key store. It's never sent across the network.

I'm nothing like enough of a cryptohead to say if the details of the proposal are right or solid, but it doesn't seem insanely wrong, and it's certainly not "OMG everyone now has my fingerprints instead of a password!"
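
The registration and login ceremony described in the comment above, as an added Node.js sketch that is not part of the original comment or of the W3C spec. The class names, the signed-message layout and the `.example` origins are assumptions, and Ed25519 stands in for whatever key type a real authenticator would use.

```javascript
// Simplified model of the ceremony described above; NOT the WebAuthn wire format.
// Class names, message layout and the .example origins are assumptions.
const nodeCrypto = require('crypto');
// Signed message: the origin the client saw, a NUL separator, then the site's challenge.
const signedBytes = (origin, challenge) => Buffer.concat([Buffer.from(origin + '\0'), challenge]);

class Authenticator {
  constructor() { this.keys = new Map(); this.unlocked = false; } // origin -> private key
  unlock(gestureOk) { this.unlocked = gestureOk; } // stands in for fingerprint / USB key
  register(origin) {
    if (!this.unlocked) throw new Error('key store locked');
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half ever leaves the device
  }
  respond(origin, challenge) { // origin is what the client observed, not what the site claims
    if (!this.unlocked) throw new Error('key store locked');
    const key = this.keys.get(origin); // a site can only reach its own credential
    if (!key) throw new Error('no credential for ' + origin);
    return nodeCrypto.sign(null, signedBytes(origin, challenge), key);
  }
}

class Site {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  challenge() {
    const c = nodeCrypto.randomBytes(32);
    this.pending.add(c.toString('hex'));
    return c;
  }
  verify(challenge, signature) {
    if (!this.pending.delete(challenge.toString('hex'))) return false; // unknown or already used
    return nodeCrypto.verify(null, signedBytes(this.origin, challenge), this.publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator(), bank = new Site('https://bank.example');
  const lookalike = 'https://bank-login.example'; // constructed look-alike origin
  device.unlock(true);
  bank.publicKey = device.register(bank.origin); // enrolment: site stores the public key
  device.register(lookalike); // user was talked into registering there as well
  const c1 = bank.challenge(), sig = device.respond(bank.origin, c1);
  const login = bank.verify(c1, sig), replay = bank.verify(c1, sig); // second call is a replay
  const c2 = bank.challenge(); // look-alike relays the bank's fresh challenge
  const relayed = bank.verify(c2, device.respond(lookalike, c2));
  let unknown; try { device.respond('https://other.example', c2); } catch (e) { unknown = e.message; }
  return { login, replay, relayed, unknown };
}
```

`demo()` returns `login: true` for the honest flow, `false` for both the replayed response and the response produced on the look-alike origin, and the error text for a site with no registered credential.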

Comment Re:I like being more productive (Score 1) 223

Even without the traffic, it can still be about the commute.

I have a reasonable 9-5:30 working day, with an hour for lunch, so 37.5 hour working week, which most of the time is what it actually is.

However, I need a 5:45 alarm to be up at 6. I'm a slow mover in the morning, so that lets me shower, make and eat breakfast, feed the pets, prepare lunch, make my wife breakfast, get dressed, any other bits and pieces that need doing to be out the door around 7:30. I drive to the station to make a train around 8, to be in the office around 9.

Coming back, if I leave on the dot, and the trains aren't delayed / cancelled, I can be home between 7 and 7:30. Cook a meal, sit down and eat it, deal with the pets again and any other chores - and if I'm going to try for 7 hours sleep, I really need to be stopping whatever else I'm doing and at least getting ready for bed around 10. That's quite a squeeze on getting much else in, and it doesn't take much disruption to transport to throw the whole thing off - it can be 9 before I get in, and still have to start cooking and all the rest.

8 hours sleep? Just wouldn't be possible.

And as someone's commented further down, a "life" that's nothing but work, eat, sleep, rinse, repeat, isn't a life you can sustain indefinitely for your mental health.

Comment Re:Intelligent discussion? (Score 1) 291

For me, it's iOS. Much the same as the "are Macs worth it?" debate, it boils down to whether or not you want iOS, and how much you're prepared to pay for it.

I've tried using Android, and while I can't prepare you a bullet-point list of things I especially wish were different, it just feels clunky and unintuitive to me in comparison to iOS. There's also a certain amount of group effect in that I play a number of on-line games against iOS-using friends, many of which aren't available on other platforms, or don't offer cross-platform play.

If, at the point where my iPhone 6 finally gives up the ghost, there's not an iPhone I can justify the premium on in order to get iOS, or I think the bad points of the current model outweigh the benefits of iOS, or I simply think the latest version of iOS has moved away from what I want, then I'll be open to evaluating the alternatives.

Similarly, I want macOS, and the price premium on a Mac is less to me than the value I place on my time to build a Hackintosh and keep it working. It was a close call this time around, and if there isn't either a better price / performance Mini or a useful tower option next time, I'm quite likely to go down the Hackintosh route. Not an option for phones though.

Comment Re: This is a Mac mail "feature" (Score 1) 47

It doesn't do it *for the reasons originally stated*, to the best of my knowledge.

What it does do by default is try to pick the "best match" for the destination. I have a gmail account, which I had to have to get access to a Google calendar, and I do occasionally use as my emergency password recovery email. It's not my primary email, and it's not set up on all my devices.

At some point, Apple Mail started sending from that account if any of the people I was sending to were on gmail. It took a few days of ranting at people to please reply to my real address, not my gmail one, before I worked out I was sending stuff wrong.

Once it's picked an account, I've never seen it fall back to a different account due to delivery difficulties.

Comment Re:File this is the, they just don't get it catego (Score 1) 150

This. Every change to Facebook, and in particular to the iOS app, seems to make it a little bit harder to either get to the chronological view, or to stay there. I couldn't care less about what's "hot", I want to see what's been posted since last time I looked.

Comment Re: oh hell yeah (Score 1) 174

Hehe - no, that we need them because we have problems (hopefully not /. posters).

Maybe I'm naive, but I still like to start from the position that the vast majority of people don't cause harm to others because they don't want to harm others, rather than out of fear of punishment. Obviously we need a certain amount of fear of punishment to dissuade those who don't fit that model.
