Microsoft really needs to get a better handle with the naming conventions.
There is Microsoft Copilot, which replaced Bing Chat and Cortana, and uses OpenAI’s GPT-4 and 5 models.
There is GitHub Copilot, the coding autocomplete tool.
There is Microsoft 365 Copilot, what they now call Office with built in GenAI stuff.
There is also a Copilot CLI that lets you use whatever agent/model backend you want too?
Everything is Copilot. Laptops sell with Copilot buttons now.
It is not immediately clear what version of Copilot someone is talking about. 99% of my experience is with the Office one, and it 100% fails to do the thing it was advertised to do 2 years ago when work initially got the subscription. Point it at a SharePoint/OneDrive location, a handful of Excel spreadsheets and PDFs/Word docs, and tell it to make a PowerPoint presentation based on that information.
It cannot do this. It will spit out nonsense. You have to hold it by the hand and tell it everything to do step by step, to the point that making the PowerPoint presentation yourself is significantly faster because you don’t have to type out a bunch of prompts and edit its garbage output.
And now it’s clear they aren’t even dogfooding their own LLM products so why should anyone pay for Copilot?
>>Point it at a SharePoint/OneDrive location, a handful of Excel spreadsheets and PDFs/Word docs, and tell it to make a PowerPoint presentation based on that information. It cannot do this. It will spit out nonsense. You have to hold it by the hand and tell it everything to do step by step, to the point that making the PowerPoint presentation yourself is significantly faster because you don’t have to type out a bunch of prompts and edit its garbage output.
Everyone I know who uses AI day-to-day is just using Copilot mostly to do things like add a transition animation to a PowerPoint slide or format a Word document to look nice. The only problem these LLM products seem to solve is giving normal people an easy way to interact with terrible software processes and GUIs. A better solution to that problem would be for developers to actually observe how the average user interacts with both a computer and their program in particular.
> Microsoft really needs to get a better handle with the naming conventions.
They really won't, though; Microsoft just does this kind of thing, over and over and over. Before everything was named "365", it was all "One", before that it was "Live"... 20 years ago, everything was called ".NET" whether it had anything to do with the Internet or not. Back in the '90s they went crazy for a while calling everything "Active".
Some musings from someone who has not worked at Microsoft but has in big tech.
This often happens because the people inside are incentivized to build their own empire.
If someone comes in and wants to get promoted/become an exec, there's a ceiling if they work under an existing umbrella, plus the politics of introducing a feature which requires dealing with an existing org.
So they build something new.
And the next person does the same.
And so you have 365, One, Live, .NET, etc.
Google Plus was the same. Lots of unrelated Google products were temporarily branded as part of Google Plus for some reason, including your Google account and Google Hangouts (Meet).
To further your argument, look at the Xbox. It is impossible to tell which is the latest model by name alone, whereas the PlayStation is simple: the latest is the 5, the previous was the 4, and the one before that was the 3.
There’s got to be solid reasons why they do this and have done so for so damn long. At the very least institutional reasons. At best, actual research that suggests they make more money this way. But as a consumer, I hate it.
Marketing has too much power. They get some harebrained scheme to goose the numbers and just slam a mandate all the way down the org.
Is "Copilot" not getting enough clicks? Make every button say "copilot", problem solved. Marketing doesn't know or care what was there before, someone needs numbers up to get their promotion.
>> Is "Copilot" not getting enough clicks? Make every button say "copilot", problem solved. Marketing doesn't know or care what was there before, someone needs numbers up to get their promotion.
So Microsoft isn't bringing copilot to all these applications? It's just bringing a copilot label to them? So glad I don't use this garbage at home.
This is actually one of their smart decisions. "Copilot" is currently going through the corporate regulators, who know nothing about technology, but I can't buy it until they say everything is legal.
So once we have signoff then my counterpart in SharePoint/M365 land gets his "Copilot" for Office, while my reporting and analytics group gets "Copilot" for Power BI, while my coding team gets "Copilot" for LLM-assisted development in GitHub.
In the meantime everybody just plugs everything into ChatGPT and everybody pretends it isn't happening. It's not unlawful if the lawyers can't see it!
>Microsoft really needs to get a better handle with the naming conventions
Microsoft cannot and will not ever get better at naming things. It is said the universe will split open and an eldritch beast will consume the stars the day Microsoft stops using inconsistent and overlapping names for different and conflicting products.
Nadella has the golden ship taking on water right now. He has entirely botched AI top to bottom. He has screwed that up to such a degree that it would be difficult to overstate. If he doesn't correct these mistakes extremely soon, he'll unravel much of the progress he made for Microsoft and they'll miss this generation of advancement (which will be the end of their $3 trillion market cap - as the market has recently perked up to).
There is no tech giant that is more vulnerable than Microsoft is at this moment.
Most document originations will begin out of or adjacent to LLM sessions in the near future, as everything will blur in terms of collaborating with AI agents. Microsoft has no footing (or worse, their position is terrible courtesy of Copilot) and is vulnerable to death by inflection point. Windows 11 is garbage and Google + Linux may finally be coming for their desktop (no different than what AMD has managed in unwinding the former Intel monopoly in PCs).
Someone should be charging at them with a new take on Office, right now. This is where you slice them in half. Take down Office and take down Windows. They're so stupid at present that they've opened the gates to Office being destroyed, which has been their moat for 30 years.
I am no big fan of MS, and especially not a fan of W11, but you're operating under the false assumption that their users are still their most important customers.
MS's bottom line doesn't depend on how happy users are with W11, especially not power users like ourselves. W11 is just a means of selling subscriptions (Office, AI, etc). The question isn't 'are users happy', it's 'will OEMs and business continue to push it?'. The answer to that is almost certainly yes. OEMs aren't going to be selling most PCs with Ubuntu included any time soon. Businesses are not going to support LibreOffice when MS Office is the established standard.
Maybe Apple could make inroads here, but they don't seem willing to give up their profit margins on overpriced hardware, and I don't think I've ever seen them release anything 'office' related that was anywhere near feature parity with MSO, and especially not cross-platform.
If their whole business is based around being an established standard and making users happy is not a relevant goal, then why do anything at all? They already are an established standard, so why would they bother taking any further actions whatsoever, making any changes or rolling out any new products? Clearly they are trying to achieve something, right? So what is it?
About a year ago I had to buy a new Xbox. It took me time to figure out what model I had and what the new models are. It’s the least intuitive marketing on the market.
The craziest thing was how Microsoft took the super established brand from decades, and renamed Microsoft Office to Microsoft 365.
I'm not sure if it's named Microsoft 365 Copilot nowadays, or if that's an optional AI addon? I thought it was renamed once more, but office.com itself claims simply "Microsoft 365" sans-Copilot. https://www.office.com
Not that I disagree, but this is nothing compared to the ".NET" craze in the early 2000s. Everything had to have ".NET" in its name even if it had absolutely nothing to do with the actual .NET technology.
There was also "Active" before that, but .NET was next level crazy...
> No, there is GitHub Copilot, the AI agent tool that also has autocomplete, and a chat UI.
When it came out, GitHub Copilot was an autocomplete tool. That's it. That may be what the OP was originally using. That's what I used... 2 years ago. That they change the capabilities but don't change the name, yet change names on services that don't change capabilities, further illustrates the OP's point, I would say.
To be fair, GitHub Copilot (itself a horrible name) has followed the same arc as Cursor, from AI-enhanced editor with smart autocomplete, to more of an IDE that now supports agentic "vibe coding" and "vibe editing" as well.
I do agree that conceptually there is a big difference between an editor, even with smart autocomplete, and an agentic coding tool, as typified by Claude Code and other CLI tools, where there is not necessarily any editor involved at all.
That's silly. Gmail is a wildly different product than it was when it launched, but I guess it doesn't count since the name is the same?
Microsoft may or may not have a "problem" with naming, but if you're going to criticize a product, it's always a good starting place to know what you're criticizing.
The confusion is when I say “I have a terrible time using Copilot, I don’t recommend using it” and someone chimes in with how great their experience with GitHub Copilot is, a completely different product, and how I must be “holding it wrong” when that is not the same Copilot. Microsoft has like 5 different products all using Copilot in the name; even people in this very comment section are only saying “Copilot”, so it is hard to know what product they are talking about!
I mean, sure. But aside from the fact that everything in AI gets reduced to a single word ("Gemini", "ChatGPT", "Claude") [1], it's clearly not an excuse for misrepresenting the functionality of the product when you're writing a post broadly claiming that their AI products don't work.
GitHub Copilot is actually a pretty good tool.
[1] Not just AI. This is true for any major software product line, and why subordinate branding exists.
I specifically mention that my experience is with the Office 365 Copilot and how terrible that is. In online discussions I mention this, and then people jump out of the woodwork to talk about how great GitHub Copilot is, so thank you for demonstrating the exact experience I have every time I mention Copilot :)
GitHub Copilot is available from the website https://github.com/copilot together with services like Spark (not available from other places), Spaces, Agents etc.
This absolutely sucks, especially since tool calling uses tokens really really fast sometimes. Feels like a not-so-gentle nudge to using their 'official' tooling (read: vscode); even though there was a recent announcement about how GHCP works with opencode: https://github.blog/changelog/2026-01-16-github-copilot-now-...
No mention of it being severely gimped by the context limit in that press release, of course (tbf, why would they lol).
However, if you go back to aider, 128K tokens is a lot, same with web chat... not a total killer, but I wouldn't spend my money on that particular service with there being better options!
People already do pay for it: Office 365. It’s just like getting cloud storage with the subscription. OneDrive has been one of the better cloud storage options for consumers.
Also, a great use is Microsoft Forms; I was surprised by the AI features. At first I just used it to get some qualitative feedback but ended up using Copilot to enter questions Claude helped me create, and it converted them into the appropriate forms for my surveys!
Objectives -> Claude -> Surveys (markdown) -> Copilot -> MS Forms -> Emailed.
Insights and analysis can use copilot too.
Main thing to remember is the models behind the scenes will change and evolve, Copilot is the branding. In fact, we can expect most companies will use multiple AI solutions/pipelines moving forward.
My colleague works in a functional role for a medium-sized SaaS company (1,000-5,000 employees), working with banks, family offices, hedge funds. They use Teams and Copilot, and they all hate it.
One thing that I don't know about is if they have an AI product that can work on combining unstructured data and databases to give better insights on any new conversation? e.g. like say the LLM knows how to convert user queries to the domain model of tables and extract information? What companies are doing such things?
This would be something that can be deployed on-prem/ their own private cloud that is controlled by the company, because the data is quite sensitive.
> Microsoft really needs to get a better handle with the naming conventions.
AI really should be a freaking feature, not the identity of their products. What MS is doing now is like renaming Photoshop to Photoshop Neural Filter.
That's a great analogy, but could be taken one step further. Because Adobe would also have to rename the rest of their products to come close to what MS is doing.
By the way, why is app lowercase in "the Microsoft 365 Copilot app"? Is it not part of the trademark but even they couldn't deal with how confusing that was?
>There is GitHub Copilot, the coding autocomplete tool.
There is also GitHub Copilot, the subscription, that lets you use Anthropic, OpenAI and Google models.
This isn't a Microsoft thing, it's a big dumb corporation thing. Most big corporations are run by dumb executives who are 100% out of touch with the customer (though even if they were in touch, they wouldn't care). Their only consideration is the stock price. If adding new names to things, chanting the magic spell "AI" over and over, and claiming the new name will make them more money can cause the stock price to increase, that's what they'll do. (Making customers happy doesn't make the stock price rise; if it did, we'd all be a lot less depressed and a lot richer)
Like Microsoft Defender, which is now Defender Antivirus, or Defender for Endpoint if you have a real license. You will also get Defender for Identity, and maybe Defender for Office 365, which is probably not ASR. And Defender for Cloud, not to be confused with Defender for Cloud Apps.
I had DuckDuckGo return a Grokipedia page for the first time. The search page had preview text making it seem like there was information, so I clicked the link to check it out and it was a 404 page. What kind of SEO hack is that? Information for the crawler but nothing on the actual page?
It seems to be adding tons of articles, then some of them get deleted.
I assume it's been allocated lots of compute.
The entire model is outcompeting Wikipedia on quantity per topic. If Wikipedia merges/integrates some article and Grokipedia has a specific page for it, the search engine/LLM will get that version front and center.
Grokipedia seems to have no scope limit, so Wikipedia "non-notable" entries will be SEO-optimized towards sites with the topic names, eventually settling on AI content farms as the primary destination.
I only have a 3B but everything I need works for me. I don’t do anything advanced with the GPIO pins, just as a headless little ARM server running stuff in jails. Everything is quick. Ethernet only, but network performance seems solid. Honestly feels as responsive as my amd64 desktop with 32 GB of DDR4 RAM and 8 cores. My desktop has worse support for FreeBSD. No networking or graphics out of the box and significantly more work to get that “working” compared to the Pi.
So is it strictly necessary to sign up for the $200 a month subscription? Because every time, without fail, the free ChatGPT, Copilot, Gemini, Mistral, Deepseek, whatever chatbots do not write PowerShell faster than I do.
They “type” faster than me, but they do not type out correct PowerShell.
Fake modules, out of date module versions, fake options, fake expectations of object properties. Debugging what they output makes them a significant speed down compared to just, typing and looking up PowerShell commands manually and using the -help and get-help functions in my terminal.
But again, I haven’t forked over money for the versions that cost hundreds of dollars a month. It doesn’t seem worth it, even after 3 years. Unless the paid version is 10 times smarter with significantly less hallucinations the quality doesn’t seem worth the price.
Not necessary. I use the Claude/ChatGPT ~$20 plan. Then you'll get access to the CLI tools, Claude Code and Codex. With the web interface, they might hallucinate because they can't verify it. With the CLI, it can test its own code and keep iterating on it. That's one of the main differences.
You are exposing your lack of learning how to use the tools.
Tools like GitHub Copilot can access the CLI. It can look up commands for you. Whatever you do in the terminal, it can do.
You can encode common instructions and info in AGENTS.md to say how and where to look up this info. You can describe what tools you expect it to use.
There are MCPs to help hook up other sources of context and info the model can use as well.
These are the things you need to learn to make effective use of the technology. It’s not as easy as going to ChatGPT and asking a question. It just isn’t.
Too many people never get past this low level of knowledge, then blame the tool.
GitHub Copilot has a free tier as well. The $20/month one gives you much better models though.
All I’m saying is that the vast majority of people who say that AI dev tools don’t work and are a waste of time/money don’t know how and really haven’t even made a serious attempt at learning how to use them.
To be fair there seems to be a weird dissonance between the marketing (fire your workers because AI can do everything now) and the reality (actually you need to spend time and effort and expertise to setup a good environment for AI tools and monitor them).
So when people just YOLO the latter they don't get the results they expect.
I'm personally in the middle, chat interface + scripts seems to be the best for my productivity. Agentic stuff feels like a rabbit hole to me.
Well I am not a dev so I am just using the freely available search assist and chatbots. I am not saying the dev tools don’t work; I am saying the chatbot makes up fake PowerShell commands. If the dev tool version is better it still seems significantly less efficient and more expensive than just running “Get-Help” in the terminal from my perspective.
You are not disproving my point. You are just repeating that you don’t want to try to learn how you can actually use AI tools to help you work, but yet you still want to complain online that they are a waste of time and money.
I tried. Several times. Just quick prompting, full agentic, and all I see as a result is mostly garbage to be honest. Not even talking about the atrophy one would get skill-wise by relying on AI tools all the time.
I'm on the $20 plan with Claude. It's worth mentioning that Claude and Codex both support per token billing, if your usage is so light that $20 is not worth it.
But if you use them for more than a few minutes, the tokens start adding up, and the subscriptions are heavily discounted relative to the tokens used.
There are also API-neutral tools like Charm Crush which can be used with any AI provider with API keys, and work reasonably well (for simple tasks at least. If you're doing something bigger you will probably want to use Claude Code).
Although each AI appears to be "tailored" to the company's own coding tools, so you'll probably get better results "holding it right".
That being said, the $3/month Z.ai sub also works great in Claude Code, in my experience. It's a bit slower and dumber than actual Claude, so I just went for the real thing in the end. 60 cents a day is not so bad! That's like, 1/3 of my canned ice coffee... the greater cost is the mental atrophy I am now undergoing ;)
I haven't had an issue with a hallucination in many months. They are typically a solved problem if you can use some sort of linter / static analysis tool. You tell the agent to run your tool(s) and fix all the errors. I am not familiar with PowerShell at all, but a quick GPT tells me that there is PSScriptAnalyzer, which might be good for this.
That being said, it is possible that PowerShell is too far off the beaten path and LLMs aren't good at it. Try it again with something like TypeScript - you might change your mind.
The biggest problem I have seen with AI scraping is that they blindly try every possible combination of URLs once they find your site and blast it 100 times per second for each page they can find.
They don’t respect robots.txt, they don’t care about your sitemap, they don’t bother caching, just mindlessly churning away, effectively a DDoS.
Google at least played nice.
And so that is why things like Anubis exist, why people flock to Cloudflare and all the other tried and true methods to block bots.
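The two complaints in the comment above, hammering every guessable URL many times a second and never reading robots.txt, are both measurable from an ordinary access log before reaching for Anubis or Cloudflare. The Go program below is an added example, not code from the thread or from any of the tools it names: it parses combined-format log lines, tracks the peak requests per second per client (the format's timestamps have one-second resolution, so identical timestamps from one IP are one second's worth of requests) and counts hits under the Disallow prefixes of robots.txt, then flags a client on either signal. The log lines, IP addresses, user agents and robots.txt body are constructed for the example, and the 20 requests-per-second threshold is an arbitrary choice.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// combinedLog matches the nginx/Apache "combined" format:
// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$`)

// ClientProfile is what one client IP's requests tell us.
type ClientProfile struct {
	Requests       int
	PeakRPS        int  // most requests seen in any single second
	FetchedRobots  bool // ever asked for /robots.txt
	DisallowedHits int  // requests under a robots.txt Disallow prefix
}

// Abusive encodes the two complaints above: hammering the site, or crawling what robots.txt forbids.
func (c *ClientProfile) Abusive(rpsThreshold int) bool {
	return c.PeakRPS >= rpsThreshold || c.DisallowedHits > 0
}

// ParseRobots returns the Disallow prefixes in the "User-agent: *" group (no wildcard handling).
func ParseRobots(text string) []string {
	var out []string
	inStar := false
	for _, line := range strings.Split(text, "\n") {
		line, _, _ = strings.Cut(line, "#") // drop comments
		k, v, ok := strings.Cut(strings.TrimSpace(line), ":")
		if !ok { continue }
		switch k, v = strings.ToLower(strings.TrimSpace(k)), strings.TrimSpace(v); k {
		case "user-agent":
			inStar = v == "*"
		case "disallow":
			if inStar && v != "" { out = append(out, v) }
		}
	}
	return out
}

// ProfileClients folds an access log into per-IP profiles. Combined-format timestamps have
// one-second resolution, so the number of identical timestamps per IP is its requests per second.
func ProfileClients(logText string, disallowed []string) map[string]*ClientProfile {
	profiles := map[string]*ClientProfile{}
	perSecond := map[string]map[string]int{} // ip -> timestamp -> requests in that second
	for _, line := range strings.Split(logText, "\n") {
		m := combinedLog.FindStringSubmatch(line)
		if m == nil { continue }
		ip, ts := m[1], m[2]
		path, _, _ := strings.Cut(m[4], "?") // compare paths without query strings
		p := profiles[ip]
		if p == nil { p = &ClientProfile{}; profiles[ip] = p; perSecond[ip] = map[string]int{} }
		p.Requests++
		if perSecond[ip][ts]++; perSecond[ip][ts] > p.PeakRPS { p.PeakRPS = perSecond[ip][ts] }
		if path == "/robots.txt" { p.FetchedRobots = true; continue }
		for _, d := range disallowed {
			if strings.HasPrefix(path, d) { p.DisallowedHits++; break }
		}
	}
	return profiles
}

// RobotsTxt and SampleLog are constructed for this example, not taken from any real site: one crawler
// that reads robots.txt and paces itself, and one scraper guessing 40 URLs within the same second,
// five of them under /admin/, without ever fetching robots.txt.
const RobotsTxt = "User-agent: *\nDisallow: /admin/\nDisallow: /search\n"

func SampleLog() string {
	var b strings.Builder
	b.WriteString(`203.0.113.7 - - [10/Feb/2026:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Googlebot/2.1"` + "\n")
	b.WriteString(`203.0.113.7 - - [10/Feb/2026:12:00:07 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Googlebot/2.1"` + "\n")
	b.WriteString(`203.0.113.7 - - [10/Feb/2026:12:00:19 +0000] "GET /blog/post-2?ref=x HTTP/1.1" 200 4980 "-" "Googlebot/2.1"` + "\n")
	for i := 0; i < 40; i++ {
		path := fmt.Sprintf("/blog/post-%d", i)
		if i%8 == 0 { path = "/admin/users" }
		fmt.Fprintf(&b, `198.51.100.9 - - [10/Feb/2026:12:00:03 +0000] "GET %s HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; ExampleScraper/1.0)"`+"\n", path)
	}
	return b.String()
}

func main() {
	for ip, p := range ProfileClients(SampleLog(), ParseRobots(RobotsTxt)) {
		fmt.Printf("%-14s requests=%d peak_rps=%d read_robots=%v disallowed_hits=%d abusive=%v\n",
			ip, p.Requests, p.PeakRPS, p.FetchedRobots, p.DisallowedHits, p.Abusive(20))
	}
}
```

Run against a real log by replacing SampleLog() with the file contents and RobotsTxt with your own; the user agent is deliberately not used as a signal, since the scrapers in question send whatever string they like, while request rate and Disallow violations are behaviour they cannot fake.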
Threads is a one-way view into the fediverse, and opt-in to boot. Only Threads users who turn it on are visible to the wider fediverse, and many instances on Mastodon de-federate from Threads anyway.
I can follow Hank Green on Threads but the interoperability basically ends there.
1. Passkey prompts asking if I want to use a phone or security key when I only have one (or neither!) registered. The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.
2. Passkeys should have had the portability and flexibility that ssh keys have from the start. Making it so your grandparents can use public key cryptography and gain a significant advantage in securing their accounts in a user friendly manner should have been the priority. Seems like vendor lock-in was the goal from the start.
>The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.
I disagree. It is very annoying when some service fails to show an option on the grounds that I can't use it. It makes it difficult to resolve problems. If the option is just missing, I have no way to tell whether the company doesn't provide the option, whether the company made some sort of mistake (they can't provide an email option because they lost my email), whether I made a mistake, or whether the company just has a bad UI that tries to hide the option. And don't forget the situation where I tried to google online for some help in using the UI, I found a 6 month old Reddit post showing the option, and I can't figure out if the company changed the UI in the past six months.
They should show it greyed out with a note "no key of this type registered".
That’s fair. I just meant that during logon, it is annoying to have to click through an additional prompt that doesn’t apply. But I can see where if there was an issue showing what all the options could be and if they are enabled or unavailable or you want to set it up, would be more beneficial than not.
On Mac with the security key you can just press the button on the security key before choosing a path. It only looks like a required extra step but in practice it is optional.
> Seems like vendor lock-in was the goal from the start.
Exactly. The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them. The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials. You can go from one passkey vendor to another, but you're always locked in to one passkey vendor or another.
Any credential system that makes it impossible to write something down on a piece of paper, take it to a new computer, and login to a website is just a gateway to vendor lock-in. You can manually manage your own ssh keys but for some reason not your passkeys.
As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. [EDIT: Obviously I'm talking about built-in support. I'm well aware of third-party software, so everyone can stop replying to this now, please!] You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.
The passkey vendors took some good theoretical ideas, such as site-specific credentials and public-key cryptography, and totally mangled the implementation, making it hostile to everyone except themselves.
This is not true - browsers including Safari support passkeys managed by third-party password managers.
I'm using 1Password with browser extensions for Safari and Chrome on macOS and iOS and it works seamlessly with my passkeys, which are not stored in iCloud Keychain.
> you're always locked in to one passkey vendor or another.
> This is not true - Safari also supports passkeys managed by third-party password managers.
I think you know what I meant and are just being pedantic here for no good reason.
Do you think I'm unaware of 1Password? I don't want to use 1Password any more than I want to use iCloud Keychain.
Technically, pedantically, Safari "supports" anything that third-party Safari extensions support. I'm a Safari extension developer myself. But this is totally different from how Safari supports the use of passwords, which is all built in, requires no third-party software, can be local-only, allows plaintext export/import, etc.
Reading the cfx spec [1], the raw private key is exported as a base64 encoded der. I don't understand what your concern is here. It appears that any cfx export file is not tied to a specific service to service import path, but can be imported into anything, or just used locally with self written tools.
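To make concrete what the comments above are arguing over (phishing resistance on one side, "it is just a private key, why can't I hold it" on the other), here is an added example that is not from the thread, from a vendor, or from the CXF spec. It shows what a passkey is at the byte level: an ES256 key pair scoped to one relying-party ID, plus a signature counter. It builds and verifies a WebAuthn assertion the way a site does (authenticatorData is rpIdHash || flags || signCount, and the signature covers authenticatorData || SHA-256(clientDataJSON)), shows why the same challenge relayed through a look-alike origin fails, because the browser rather than the page writes the origin into clientDataJSON, and round-trips the private key through base64(PKCS#8 DER), the shape the comment above describes for the raw key. The export is unencrypted and is not the CXF container; the RP ID, origins and challenge handling are constructed for the example; and Verify performs the minimum checks the spec requires rather than a complete implementation. Only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of CollectedClientData a site must check; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the site's challenge
	Origin    string `json:"origin"`
}

// Passkey is the private half of one credential: an ES256 key scoped to one RP ID, plus a signature counter.
type Passkey struct{ RPID string; Key *ecdsa.PrivateKey; Counter uint32 }
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // what navigator.credentials.get() returns
type RelyingParty struct{ ID, Origin string; PublicKey *ecdsa.PublicKey; LastCounter uint32 } // stored at registration

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the message ES256 signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign builds authenticatorData = rpIdHash || flags || signCount and signs it with the browser-supplied client data.
func (p *Passkey) Sign(challenge []byte, origin string) (*Assertion, error) {
	p.Counter++
	rpIDHash := sha256.Sum256([]byte(p.RPID))
	authData := append(rpIDHash[:], 0x01) // flags byte: UP (user present)
	authData = append(authData, byte(p.Counter>>24), byte(p.Counter>>16), byte(p.Counter>>8), byte(p.Counter))
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, signedDigest(authData, cd))
	if err != nil { return nil, err }
	return &Assertion{authData, cd, sig}, nil
}

// Export returns the raw private key as base64(PKCS#8 DER); unencrypted here, which a real exchange would not be (assumption).
func (p *Passkey) Export() string {
	der, _ := x509.MarshalPKCS8PrivateKey(p.Key)
	return base64.StdEncoding.EncodeToString(der)
}

// Import rebuilds a usable passkey from that blob plus the metadata the site expects to see.
func Import(rpID, b64 string, counter uint32) (*Passkey, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return nil, err }
	k, err := x509.ParsePKCS8PrivateKey(der)
	ec, ok := k.(*ecdsa.PrivateKey)
	if err != nil || !ok { return nil, errors.New("not a PKCS#8 EC private key") }
	return &Passkey{RPID: rpID, Key: ec, Counter: counter}, nil
}

// Verify runs the WebAuthn assertion checks that make a relayed, replayed or cloned login fail.
func (rp *RelyingParty) Verify(challenge []byte, a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" { return errors.New("wrong ceremony type") }
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) { return errors.New("challenge mismatch") }
	if cd.Origin != rp.Origin { return fmt.Errorf("origin %q is not this site", cd.Origin) }
	want := sha256.Sum256([]byte(rp.ID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) { return errors.New("rpIdHash mismatch") }
	if a.AuthData[32]&0x01 == 0 { return errors.New("user presence not asserted") }
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count != 0 && count <= rp.LastCounter { return errors.New("counter did not increase: possible cloned key") }
	if !ecdsa.VerifyASN1(rp.PublicKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) { return errors.New("bad signature") }
	rp.LastCounter = count
	return nil
}

// Scenario: a genuine login; the same challenge relayed via a look-alike origin; a login after export and import elsewhere.
func Scenario() (genuine, phished, imported bool, err error) {
	pk := &Passkey{RPID: "example.com"}
	if pk.Key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { return }
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", PublicKey: &pk.Key.PublicKey}
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil { return }
	a, err := pk.Sign(challenge, "https://example.com")
	if err != nil { return }
	genuine = rp.Verify(challenge, a) == nil
	if a, err = pk.Sign(challenge, "https://examp1e.com"); err != nil { return } // attacker relays the real challenge
	phished = rp.Verify(challenge, a) == nil
	moved, err := Import("example.com", pk.Export(), pk.Counter)
	if err != nil { return }
	if a, err = moved.Sign(challenge, "https://example.com"); err != nil { return }
	imported = rp.Verify(challenge, a) == nil
	return
}

func main() { fmt.Println(Scenario()) }
```

Two things worth noticing. The phishing case fails at the origin check even though the user's real key produced a perfectly valid signature, which is the property the passkey vendors are defending; nothing about that property depends on the private key being unexportable, since the imported copy logs in fine. And the signature counter is what a site has to detect a copied key: the imported copy only works here because it was carried over with the counter, and a second device signing from a stale counter would be rejected.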
This is merely the exchange format between credential providers, which is encrypted and gatekept by the credential providers. None of this is exported to users.
OK I see what you mean. Having the ability to switch between vendors but not the ability to export your data locally (e.g. as plaintext keys) is a new meaning of "vendor lock-in" I hadn't considered before.
Yes. User freedom is not all-or-nothing. There are degrees, and the tech companies are coming up with fiendish new ways to lock away your data from you. So in the case of passkeys, you can technically move your data between vendors, though that can be quite inconvenient as the submitted article mentions, but nonetheless every vendor locks away your data from you, and most vendors have a financial incentive to keep your data away from you, so that you have to pay for the services.
Once "secure credential exchange" becomes supported by commercial credential managers, what's to stop someone implementing an open source password manager that implements the standard and allows local export in plaintext?
Passkeys relying parties can block providers. Tim Cappalli threatened the KeePassXC developers so.[1] The restrictions demanded now arguably do not restrict user freedom significantly. But the incentives and capabilities are clear.
OK but you'd still be able to use the open source "password manager" to export the keys - which solves the issue lapcat raised in this thread - even if relying parties blocked it for authentication, which would be a separate issue.
Someone could develop a "passkey export tool" purely for the purpose of doing credential exchange then local export.
Or are you saying the credential exchange process itself could block providers?
You misunderstood lapcat, I think. They wanted passkeys stored locally exclusively. And they wanted to be able to use them. The issues are not separate.
Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeePassXC developers".
If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.
Always happy to chat directly if you have concerns!
The threat you relayed was more serious than the threat you made. But it is a threat when a person with influence suggests they may support a punishment.
The biggest advocates of an open ecosystem say attestation should be removed and no one should adopt Passkeys before. Is this your position now?
The concerns were clear I thought. I would be happy to discuss this publicly.
Not really. The attestation model defined for workforce (enterprise) credential managers/authenticators doesn't really work in practice for consumer credential managers.
Avoid weasel words please. Is it possible in theory to use attestation or any other passkeys feature ever to prevent a user from using any software they chose with any service they chose?
In theory any code could be written at any time that does something good or bad. Sure.
But in reality, the people who actually work on these standards within the FIDO alliance do not want a world where every website/service makes arbitrary decisions on which password managers are allowed. That would be a nightmare.
This is obviously kicking the can down the road, but I "solve" this problem by storing passkeys in a third-party credential manager that supports them. That way I can use them on any device that I've installed the client app or browser extension on. I have this working on Fedora, macOS, Windows, and iOS.
> The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them.
Care to cite this statement?
> As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.
You can use any credential manager you choose. You don't have to use Apple Passwords / iCloud Keychain.
Yes, literally from you: "Passkeys should never be allowed to be exported in clear text." https://github.com/keepassxreboot/keepassxc/issues/10407 Also, "You absolutely should be preventing users from being able to copy a private key!"
> You can use any credential manager you choose. You don't have to use Apple Passwords / iCloud Keychain.
But I want to use Apple Passwords. And I do use Apple Passwords for passwords.
What you're saying, in contrast, is that in order to use passkeys, I would be forced to change how I currently store credentials, which is not in iCloud. "You can choose any method you like, except the one you currently like" is a pernicious interpretation of "choice".
You're quoting the first post of a long discussion, where the importance of protecting your data on disk was highlighted, and a proposal was made that at minimum, the default should be encrypting the backup with a user selected secret or key.
> But I want to use Apple Passwords.
You're choosing to use an app that doesn't meet your needs, when there are numerous apps out there that do meet your needs. I'm not sure how anyone is supposed to solve that for you.
> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.
It feels like this stated minimum is not your actual minimum.
Consider for example a macOS user keychain. The keychain is encrypted on disk with a user-selected password. But once you unlock the keychain with the password, you can copy and paste passwords in clear text. The keychain is not a black hole where nothing ever escapes. And I have no objection to this setup; in fact it's my current setup.
So when you say copy and paste of passkeys in clear text is not a good idea, there's nothing inherent to encrypting credentials with a user key that prevents such copy and paste. There would have to be some additional restriction.
> This is currently being defined and is almost complete.
>> no signed stamp of approval from on high
> see above. Once certification and attestation goes live, there will be a minimum functional and security bar for providers.
Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?
Unclear how this quoted comment relates to what I was replying to (which was about exporting / backing up your credentials).
But I'll respond.
> Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?
If a website were to block your custom software's AAGUID for some reason, you can change your AAGUID.
AAGUIDs in the consumer passkey ecosystem are used to name your credential manager in account settings so you remember where you saved your passkey.
Which I would be careful with. I can use any authenticator that the RP accepts. I could totally see a future where banks only allow certain authenticators (Apple/Google) and enforce this through AAGUID or even attStmt. Similar to the Google Play Protect situation.
At that point, those banks/services would enforce vendor lock-in on me. The reality would be: I can use iOS or Android, but not a FOSS implementation. This restriction is not possible with old-school passwords.
> The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials.
I’ll accept that the attestation parts of the protocol may have had some ulterior motives (though I’m skeptical), but not having to reveal your credential to the verifying party is the entire benefit of passkeys and hugely important to stop phishing. I think it’s disingenuous to argue that this is somehow unnecessary.
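To make the point in the reply above concrete, here is an added example (mine, not code from anyone in this thread or from any passkey vendor) of why the relying party never needs the credential itself. It is a deliberately simplified model of the WebAuthn flow: the authenticator signs a hash of the rpID concatenated with the server's challenge, standing in for the real `authenticatorData || SHA-256(clientDataJSON)` structure. The names `Authenticator`, `RelyingParty` and `Scenario`, and the domains `example.com` and `examp1e.com`, are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a passkey provider. The private keys live only here
// and are never handed to any relying party.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> credential private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair scoped to one rpID and returns only
// the public half, which is all the relying party ever stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the challenge bound to the rpID the browser reports for the
// page that asked. A look-alike origin therefore cannot obtain a signature
// scoped to the real site.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// signedMessage is the simplified stand-in for WebAuthn's signed data:
// SHA-256(rpID) || challenge, hashed once more for the signature.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty holds public keys only; there is no secret here to phish or leak.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // username -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// NewChallenge returns 32 random bytes; a fresh one per login defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key and the RP's own
// ID, so a signature produced for a different rpID fails here.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

// Scenario returns: legit (normal login verifies), relayed (a signature made
// for the phishing origin and relayed to the real RP verifies; expected false),
// refused (the authenticator has no credential for the phishing origin).
func Scenario() (legit, relayed, refused bool, err error) {
	auth, rp := NewAuthenticator(), NewRelyingParty("example.com")
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return
	}
	rp.Enroll("alice", pub)
	ch, err := rp.NewChallenge()
	if err != nil {
		return
	}
	sig, err := auth.Assert(rp.ID, ch)
	if err != nil {
		return
	}
	legit = rp.Verify("alice", ch, sig) // 1. legitimate login on the real origin
	// 2. a phishing page on examp1e.com relays the real challenge; the browser
	// reports the phishing origin, for which no credential exists.
	_, e := auth.Assert("examp1e.com", ch)
	refused = e != nil
	// 3. even a credential the user did enrol at the look-alike origin yields a
	// signature bound to that rpID, which example.com rejects.
	if _, err = auth.Register("examp1e.com"); err != nil {
		return
	}
	phishSig, err := auth.Assert("examp1e.com", ch)
	if err != nil {
		return
	}
	relayed = rp.Verify("alice", ch, phishSig)
	return
}

func main() {
	legit, relayed, refused, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("legit login verified:", legit, "| relayed phish verified:", relayed, "| phish origin refused:", refused)
}
```

The design point is that the relying party's database contains nothing that lets an attacker log in, and the rpID under the signature is what makes a relayed challenge useless to a look-alike domain; this is the property the reply calls the entire benefit of passkeys, independent of how any vendor handles export.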
> not having to reveal your credential to the verifying party is the entire benefit of passkeys
I think you misunderstood what I was talking about. The credential exchange protocol is for exporting passkeys from one credentials manager and importing them into another credentials manager. It has nothing to do with the relying party.
It's an open protocol, you don't need to use any of the vendors. My Yubikey is a "passkey", so is my Flipper Zero. Keepass provides passkey support.
For the general public, they already rely on either Google or Apple for pretty much all of their digital life. Nothing wrong with extending this to passkeys, it's convenient and makes sense for them.
> It's an open protocol, you don't need to use any of the vendors. My Yubikey is a "passkey", so is my Flipper Zero. Keepass provides passkey support.
I don't want to use a Yubikey. It's a pain in the butt. I just want to use my Mac, with no more damn dongles.
Keepass is a vendor, and one who doesn't even have a Safari extension.
> Nothing wrong with extending this to passkeys, it's convenient and makes sense for them.
I didn't say there was anything wrong with extending this to passkeys. The problem is the lock-in, e.g., Safari requires iCloud keychain for passkeys, but not for passwords. And there is no plaintext export/import, unlike with passwords.
Nobody can convince me that passkeys are good when I buy a Mac and use the built-in Safari but can't even use passkeys to log in to websites unless I give my passkeys to a cloud sync service or have to install some third-party "solution" (for a problem that should not exist in the first place). That experience is so much worse than passwords.
All of the 3rd party credential managers I’ve used that support passkeys work with safari, and through the APIs that Apple offers the credential managers you can even pick your default CM and never think about iCloud again…
Passkeys seem to be the best solution for users whose technical chops cannot be trusted, and who are also gullible enough to be a scam / social engineering target. Which, to my mind, describes a large enough chunk of audience of most popular services.
A tech-savvy relative of such a user should help them generate rescue codes, write them on a piece of paper, and store them along with all other important documents. Ideally the paper should also read: "Call me before using any of these codes! <phone number>."
A "user agent", I suppose. The agent could identify you to online services, and it does. Remembering and typing a passphrase is often too hard (or "too hard") for some users. A passkey is better than a password like 123456 or name + year of birth, or other such "easy to remember" passwords people invent to avoid remembering a passphrase. Especially if you have a hundred logins.
A passkey basically offloads user identification to the OS (especially a mobile OS). It should not be the only way to identify though.
An ssh-style key + password is fine. A username + password + TOTP should also be fine. But 99.9% of passwords should be in a password manager anyway.
Rescue codes should always be generated and written down when activating a passkey or similar, but this requires certain discipline, some feeling of importance. And many web sites that require registration don't seem important for users, especially one-time users. What makes sense for your Google account, or your bank account, feels like too much ceremony for a low-stakes login like a random online store; losing a login to it does not feel like a big loss to many people.
I haven’t really followed things in great detail, but something that has stood out to me is the apparent linchpin that was pulled in this whole affair. Like it or not, TikTok is an American company with American employees and even running on American infrastructure and oversight that was established years ago now; not somehow the cabal in our government has simply eschewed rule of law and their own ideals, to basically strong-arm this deal because there was too much free speech, a fundamental right of Americans, which the government is legally prohibited from violating and doing so is as much of a capital offense as it can get, violating not only the law of the Constitution, but also the rights enshrined in the Declaration of Independence.
I don’t see how a competent legal team could not shred this whole effort at disowning TikTok and at the very least make it extremely expensive politically and even to the core foundation of legitimacy of the current government in what is for some reason still called the USA in spite of gross patterns of consistent material violations of all the terms.
While technically true, these articles give context about the level of decision-making control and data access from ByteDance, as of the time of their publication.
What's changed in 2025 is that the Trump administration has illegally postponed the ban passed by Congress four times, despite the fact that the law does not allow the President to extend the ban. And, naturally, the fact that this is to facilitate purchase by a coalition of political allies.
This has less to do with anti-China hawks and more to do with anti-Israel content on TikTok. And information control in the US. They are openly buying out all US mainstream media and from the looks of it will probably take Warner Brothers from Netflix as well.
I'm the first to say they should have been shut down the day the original deadline ran out, and if new leadership comes to the WH they should aggressively prosecute all the platforms that broke the law under promises of the corrupt DOJ (Google, Apple et al). But that's between your joke of a constitution and political leadership, it hardly sways the case one way or another.
> TikTok is an American company with American employees
Those American employees are required to basically uphold the interests of the CCP. This is done as part of an agreement around their stock grants apparently. From https://dailycallernewsfoundation.org/2025/01/14/exclusive-d... there are details on what executives of TikTok have to agree to in writing:
> “You shall comply with applicable laws and guidelines and abide by public order and good customs, the socialist system, national interests, legal rights of other citizens, and information authenticity requirements,” the purported Douyin agreement reviewed by the DCNF states.
> The document also lists a number of prohibited activities for employees, including “overthrowing the socialist system,” “inciting secession,” “undermining national religious policies, or promoting cults and superstitions,” as well as injunctions against “meaningless information or deliberate use of character combinations to avoid technical censorship.”
And in fact, they’re required to report to a ByteDance management team in China, and acknowledge that they’re employees of ByteDance (and therefore NOT the American company):
> TikTok executives also sign agreements with ByteDance consenting to digital surveillance and report to China-based leadership, according to other documents and audio recordings supporting Puris’ lawsuit.
> Other documents also seem to indicate TikTok ultimately considered Puris to be a ByteDance employee.
> While onboarding in 2019, Puris was allegedly required to sign one hiring document reviewed by the DCNF affirming: “I am a director, executive officer or general partner of ByteDance LTD.”
You wrote "All tiktok code is written by ByteDance engineers in china." While historically that might have been true in the old codebase, it isn't anymore. There is a significant TikTok office presence in South Bay, with many job listings open.
I find all this very interesting from a historical perspective because we are ramming into the control matrix that has been constructed around America for around 150 years now at minimum, the notion of universal equality; and it is causing the inevitable and predictable collapses that are caused by its inherent contradictions.
We wanted diversity and equality because it served a narcissistic ethnic group, and now that they’ve started realizing that their whole short sighted, self-serving system is turning on them, they’re blowing huge holes in it and getting ever more draconian… as is typical of narcissists, especially malicious and grandiose types of extreme narcissists.
You will not be able to convince these types of people with things like facts, because what they promote or support is an emotional level conviction similar to a religious one. The whole China ruse itself is just a lie and the ones who used and deployed that lie for strategic ends know this. All those who promote it are just the worthless foot soldiers on a battlefield of and over the mind.
> To be clear, I’m not advocating for AI in real learning. AI is only useful right now as a stress test as it reveals how hollow adolescent work has become. If it pushes schools toward offering work with relevance, impact, and agency and away from hopeless busywork (“When will I ever use this?”), that is a win.
But how will they ever know that if they don’t go through the process? I am not saying the current way of teaching is perfect but you can’t tell what is and isn’t bullshit without some experience at some point.
We had a mandatory home economics class that taught how to balance a checkbook, cook, do laundry, and even how taxes worked. Yet people still thought that class was bullshit and a waste of time. Many classes such as health, gym, shop, a/v, typing, all had people blowing them off as useless stuff they will never need to know. ChatGPT turning every class into that is a nightmare future for the youth of the world. People will grow up entirely unable to think.
> We had a mandatory home economics class that taught how to balance a checkbook, cook, do laundry, and even how taxes worked. Yet people still thought that class was bullshit and a waste of time.
Sounds about right. This author is talking about whether the kids think the material is important as if kids have good judgement and can be trusted. But that obviously is not the case. Kids are overconfident and ignorant and have no basis at all to determine what is and isn't good learning for them.
Given that I worked with people well before the advent of LLMs who had no idea how marginal tax rates worked, it seems like we should be more aggressively pursuing this as an educational goal.