Do you have an overhead rain shower? Does it drip cold water on you when you’re not using it? It may be water trapped in the pipes. A plunger will temporarily fix it.

We have a fancy shower with an overhead rain shower and an ordinary wall sprayer both controlled by the same thermostatic valve. There’s a diverter to control which head gets the water. Every time we used the sprayer the overhead would drip a tiny bit of cold water on us. Annoying! We assumed it was a leaky diverter valve, had it replaced. Didn’t help.

There’s a zillion websites wanting to sell you plumbing parts that suggest a valve is the problem. But this discussion explained the real culprit. There’s water trapped in the pipe leading to the overhead shower. Weirdly there’s some water above the tiny holes in the showerhead, held there by air pressure. Running a hot shower in the same area changes the air pressure / flow enough that a little cold water manages to leak out.

You can test this theory by running your finger over the holes in the overhead showerhead; for me that was enough to express 10mL of water or so. To really get the water out I took a plunger to the shower head. No tight seal needed, just want to force air in and water out. I think I got 200+mL out that way.

It’s a temporary fix, next time I use the overhead the pipe will fill again. I wonder if someone sells a showerhead with some sort of permanent fix? A release valve would work but be fiddly.

Obsidian is good software for
taking and organizing notes. There are many apps for this task, Obsidian
is my current favorite. In the past I’ve used a text file, SimpleNote,
Standard Notes, Joplin. I never used emacs.

The core Obsidian data model is “a folder of markdown files”. That’s it, really basic, and the files are easily usable as ordinary files. There’s natural support for links between notes. There’s also a metadata option I don’t use. I appreciate it’s easy to move files in and out of Obsidian.

But where Obsidian really shines is the plugin ecosystem. I don’t actually use many plugins, just HTML export and system tray. But I appreciate the power. If you check the reddit you’ll find an enthusiast community that does a lot more complicated stuff, turning their Obsidian archives into 1000+ article infobases. Me, I just write grocery lists and blog posts.

Obsidian is not open source. They’re thoughtful about why not. (Logseq is a popular open source alternative). The core product is free and works great. I am paying $96 per year for syncing. It’s pricy but it works well and I want to support the company. You can do your own free sync but none work as easily.

I want to give a shout-out here to Simplenote, an excellent and venerable free product. And after a brief lull development started again in 2020. Kudos to Matt and Automattic for supporting that tool. I like Obsidian’s fanciness but Simplenote is pretty great.

Recently I switched to a new calorie counting app, Cronometer. I’m quite happy with it. It’s a huge improvement over MyFitnessPal (MFP) or Lose It and is not exploitative like Noom.

The key improvement with Cronometer is accuracy, particularly good data sources for nutrition information. MFP offered obviously wrong entries from random people, sapping my confidence. Also it’s quicker to log things from a trusted database.

And the app works well. Cronometer’s UI is modern and easy to use. It doesn’t display extra distractions. MFP’s insistence on scolding me about things I don’t care about was a bummer. The data sync is fast. And they have a good data export, something MFP won’t do.

I have some minor complaints.
Cronometer is very excited to track macros and every single obscure nutrient (threonine, selenium?!). I really only want to track calories. Fortunately the other things don’t take up too much space. They also display ridiculous calorie precision in the diary. But that feels like a rare UI mistake, not a general design ethos. The free version is pretty complete. The $55/year paid plan adds a bunch of stuff, the one I care about is dividing your diary up into individual meals. I have a long history with food diaries, more off than on. Having a good app that I trust and is easy to use is important. I got a fancy bidet toilet seat. It works fairly well and having water for washing is great. But I don’t love some details, see notes below. Mostly I wanted to share how much power the thing uses. About 80 Watt-hours a day, or an average of 3 watts. Note this is without the seat heater. About ¼ of the power was from using the bidet actively once a day; the rest was just having it plugged in unused. That’s very little power, like one hour of an old fashioned lightbulb per day. Or about 3 cents a day. Most bidet functions take just a few watts when operating: the pump, the fans. It uses less than a watt on standby. The big power consumption is anything with heat: the water heater, the blow dryer. Those use 200W when active but that’s not very often, the water tank seems well insulated. In theory the device can draw up to 500W but the most I saw was 250W. But then I never used the seat heater. I don’t like the compromises involved in having the bidet be built into the seat. It’s great for retrofitting an existing toilet but it makes it bulky and the seat is uncomfortable. Having the water supply and bidet sprayer integrated into the toilet bowl must work better. I wish I at least had an elongated toilet; the washlet blocks a fair amount of the bowl. Toto washlets come in a dizzying array of options; see here for a breakdown. 
Honestly all I want is warm water and an oscillating spray, the other features don’t seem so important to me. (For a while I used one of those cheap $30 cold water doodads; it worked pretty well.) I think an instant heater is probably worth the upgrade price though; the C5 tank runs out fast and while it’s well insulated, heating on demand would be better.

Social media businesses should not charge* for APIs. If a company like Reddit or Twitter derives most of its value from content that users write for free then it must provide APIs for anyone to download and manipulate that content. While an interactive API that enables third party applications is desirable, a simple static dump is the bare minimum to fulfill the social contract (see StackOverflow or Metafilter for examples.)

Unfortunately Twitter and Reddit don’t agree. They are both rent seeking with their APIs. Their main intent is to destroy third party apps that no longer aid the company’s business goals. But they’re also trying to make a few million bucks a year licensing access to data, particularly on the back of AI training. It’s wrong.

The key thing here is social media sites don’t produce content. They merely host it. Millions of users create the content expecting it will be widely available. Locking down an API breaks that social contract.

Honestly I don’t care as much about full fledged third party clients like Apollo or Tweetbot; I like them but I understand why the companies want to kill them. What I care about more are analytics sites, things that provide interesting alternative views like a Reddit user profile or Emoji tracking. I also think it is the greater good to let AIs train for free.

*I don’t mind a site charging a nominal fee for API access. Either to cover the cost of API service itself, or more importantly to encourage API developers to be efficient when making API requests. But that's hundreds to thousands of dollars a year, not millions.
The short sighted thing about these API fees is they will harm the company in the long term. If it becomes difficult to use a proper API to get at content folks will simply screen scrape it instead. That’s bad for everyone. I’ve been listening to the same music every night when I go to sleep 10+ years now. Weird endorsement; I’ve listened to it with more attention plenty of times too. But it’s particularly good for going to sleep; calm, interesting, and comfortably familiar. That music is GAS, Werner Voigt’s ambient techno project (Bandcamp, Youtube). The primary collection is Nah und Fern, four albums that were made over 1996–2000. In 2017 he released a new GAS album, Narkopop. Followed in 2018 by Rausch and 2021 Die Lange Marsch (a sort of remix). I like the first four most. Ambient music is pretty hit or miss. For every brilliant work like Music for Airports or Aphex Twin’s early music there’s a zillion gormless electronica and “earth fart” recordings that fail to inspire. Furniture music is supposed to be in the background, sure. But still high enough quality to be appreciated. GAS succeeds. It has just enough of a beat (sometimes) to make time flow without being overwhelming like regular techno or something rhythmically complex like Autechre. The sounds are richly textured with a bit of fuzz and noise to make it organic. And I like the slightly broody or sinister tone. Not scary, but they make me happy I’m snug in my home under the blankets. That’s the post. What are passkeys? I don’t have answers, just questions. I believe passkeys are a great idea but the tech world is doing a terrible job explaining them. Someone really needs to explain how passkeys work in Internet products. Existing descriptions aren’t sinking in, as evidenced by the confusion online. For instance this Hacker News discussion where a new Passkey product announcement is met with a bunch of basic questions about what Passkeys even are. Update: see these newer Passkey overview articles
here and here. Also my own notes written after this was published.

The tech is pretty well defined: Passkeys are a password replacement that uses WebAuthn to log you in to stuff. Companies are widely deploying them now: Apple, Google, Microsoft, 1Password. Passkeys are an industry consensus and are arriving in production very soon or already have. Great! Now then what are they really?

Here’s some questions from my perspective as an ordinary if expert Internet user. I own a few computers and phones and don’t want to trust just one company with my entire digital identity.

The core of many of these questions is exactly what a passkey is. What I want to read is an article that explains the gestalt of passkeys and identity on the Internet in a way the answers to all these questions become clear.

My understanding from what I’ve read is that passkeys are an authentication token, basically a replacement for a single secret like a password. Naively that’d mean I’d need a different passkey for every website I log in to (just like I need different passwords). But I could be wrong. Or maybe the passkey intention is that we use federated logins, so sites like my Mastodon server use Google to help me log in with my Google passkey? (That’s an enormous business problem, if so.)

My other understanding is a lot of my questions don’t have good answers yet. I.e., revocation of a passkey or migrating to new devices. The product announcements from various companies say “trust us, that’s coming soon”. But I do not trust a company like Google or Apple to later add a feature that will make it easy for me to migrate away from their loving embrace. That stuff has to be defined and working before Passkeys are a good product for consumers and the Internet.

Update: Ensuing discussion has made one thing clear:
you don't share passkeys between sites. You have a separate passkey
for each thing you log in to. That clears up several of my questions.
I don't know how I didn't understand that already but the confusion
isn't mine alone.
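
The "separate passkey for each thing you log in to" point, as an added example that is not part of the original post: a simplified Node.js model of one key pair per site used through challenge-response. It is not the WebAuthn wire format; the site names, the user and the class names are constructed for illustration.

```javascript
// Added illustration (constructed names, not the WebAuthn wire format):
// a model of one passkey per site, used through challenge-response.
const nodeCrypto = require('crypto');

// What gets signed: a hash of the site identity plus the server's challenge.
function signedData(rpId, challenge) {
  const rpIdHash = nodeCrypto.createHash('sha256').update(rpId).digest();
  return Buffer.concat([rpIdHash, challenge]);
}

class Authenticator {
  constructor() { this.privateKeys = new Map(); } // site id -> private key
  // Registration: mint a fresh key pair for this site, release only the public half.
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.privateKeys.set(rpId, privateKey);
    return publicKey;
  }
  // Login: sign the challenge for the site actually being visited.
  sign(rpId, challenge) {
    const key = this.privateKeys.get(rpId);
    if (!key) return null; // unknown site (e.g. a lookalike): nothing to sign with
    return nodeCrypto.sign(null, signedData(rpId, challenge), key);
  }
}

class Site {
  constructor(rpId) { this.rpId = rpId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !signature) return false;
    return nodeCrypto.verify(null, signedData(this.rpId, challenge), publicKey, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const shop = new Site('shop.example'), forum = new Site('forum.example');
  shop.enroll('alice', phone.register(shop.rpId));
  forum.enroll('alice', phone.register(forum.rpId));
  const sig = phone.sign(shop.rpId, shop.newChallenge('alice'));
  const login = shop.verify('alice', sig);
  const replay = shop.verify('alice', sig); // challenge already consumed
  const crossSite = shop.verify('alice', phone.sign(forum.rpId, shop.newChallenge('alice')));
  const lookalike = phone.sign('sh0p.example', shop.newChallenge('alice')) !== null;
  return { login, replay, crossSite, lookalike };
}
```

Each site stores only a public key, so a breach of one site's database yields nothing that logs in anywhere, including on that site.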
There really needs to be a good, clear description of Passkey as a product so questions like this aren’t being asked over and over again. I’m hopeful the folks working on this stuff understand the answers and just haven’t communicated it well. After yesterday’s post about passkeys I got enough answers to learn how to use passkeys myself as a consumer. Here’s what I learned. If you want to try it yourself, passkeys.io is a nice demo server. Passkeys work a lot like passwords do today. You create a different passkey for each website and use it to log in. Your passkeys are stored in what’s called a “Passkey Authenticator”, agent software on your computer. (Behind the scenes passkeys use public key systems that are better than passwords.) Your phone probably works today as a passkey authenticator but most sites don’t support passkeys yet. Managing passkeys — backing up, migrating, sharing passkeys between devices — is still a work in progress. Android and Apple both support syncing passkeys between devices, that’s important so you can log in even if you don’t have your phone with you. Some software can also delegate. For instance Chrome on Windows will use Bluetooth to use a passkey on a nearby Android phone. The passkey authenticator is the main user interface. The rest of this post is notes on what authenticators are available to consumers. See also this companion piece that’s a deep dive into the user experience on Android, Chromebooks, and Windows. Apple seems the best implementation of a passkey authenticator today. It’s built in to Keychain, Apple’s existing authentication product that is pretty well designed. There’s a bunch of screenshots in this article of how the Apple experience works. My Apple-using friends say it’s pretty usable. Keychain syncs passkeys between devices via iCloud. Android has a passkey authenticator built in called “Google Password Manager,” which already saves ordinary passwords you use in the phone’s web browser. 
Here’s Google’s docs for users about that and some technical notes on security. Android syncs passkeys between devices. It’s also pretty usable but passkeys are Android-only, not available on desktop (yet).

Chrome on Windows or a Chromebook has passkey support. But the Chrome browser doesn’t store passkeys itself, it delegates to nearby Android devices via Bluetooth. Firefox and Edge on Windows can also do this delegation. Chrome can also delegate to Windows as the passkey authenticator instead of Android.

Microsoft Windows has an authenticator that is connected to Windows Hello, their relatively new login system. I don’t know much about it but it's what you'd use to store passkeys on your Windows machine.

1Password, the password agent, is shipping passkey support in about a month. They have a demo that actually works on Chrome and Edge. It’s nice! In theory this should be a good cross-device way to manage and sync passkeys. I'm waiting for it before adopting passkeys widely.

Dashlane, the password agent, has passkey support. Sounds like early days but usable.

Yubikey, the hardware login token, has a passkey story. I don’t know much about it, their writing points out that passkeys aren’t really anything new and they’ve been doing this kind of thing all along.

Having spent most of a day playing with passkeys my impression is they work today and are usable. My main concern is there’s no support for migrating your passkeys out of, say, Google Password Manager and in to Apple Keychain. And I fear given business realities no one is in a hurry to enable that. The other problem is how long it will take sites to adopt passkeys; we’re going to be stuck with passwords for a good long time.

I tried out Noom, the weight loss and cognitive behavioral therapy program. The app is more like CBT for upselling customers than CBT for weight loss. Now I’m hoping they’ll delete my sensitive medical data and refund the $3 they tricked me out of.
(They did, quickly in response to my support email.) I was excited to try Noom. I’ve used basic calorie counters in the past and was hoping for something better. I’m also curious about CBT. And a friend recommended it. The account creation process goes OK at first. Then it gets more and more involved, taking 10–20 minutes to fill out the questions. There’s little UI tricks to keep you engaged: fake progress bars, questions injected at random intervals. Classic product UI hacking. At first it told me that I’d reach my weight goal in about a year. Seemed reasonable! Then it kept shaving weeks off that as I answered questions, like I was making progress already. The conclusion it came to is that I was going to lose 18 pounds in the first month. Pretty sure that’s not possible, certainly not healthy. Then the upselling begins. They ask some questions to find out your interests and then offer premium packages. “Folks who pay for this package lose 35% more weight” Look, I just want to try the basic thing. It looks like a 7 day free trial but before you know it they want you to pay asserting “it costs $10 to offer a 7 day trial”. Really? They gave me a choice of what to pay from $0.50 to $18.83. I chose $3 and had to pay via PayPal / credit card; super sus they don’t just use Google Pay on the Android app. They also try to get you to sign up your friends. They talk about how having folks involved in your program will make you more successful. Which is probably true but then immediately they’re asking for email addresses and offering discounts and gift certificates. It’s marketing, not therapy. The whole thing was so sleazy and deceptive. Particularly for a therapy-like product. Real therapists have all sorts of ethical guidelines to stop them from exploiting their customers. Noom instead seems to be using CBT to trick customers into paying more. Gross, gross, gross. I worked at Twitter part-time starting June 2007. I've never talked much about this in public. 
I'm revisiting it because of the complete disaster Elon Musk has made of Twitter. His sabotage of the company has felt personal to me. It hurts to watch him destroy something I helped create. The recent API debacle particularly stings.

Early Twitter was chaotic without enough experienced engineers. I acted as a management advisor. I helped the engineers organize and the executives work better with engineering. I did some good but I've always wished I could have done more. In retrospect, I should have committed more time. I did enjoy a long insider relationship with some of the leadership and was of some help that way.

The most useful concrete thing I did was what we called "Nelson's graphs". I made some simple measurements of performance like tweet delivery times. Post a tweet to one account and see when it shows up on another account's timeline. (Note this graph shows an average of 15 minutes!)

Simple but useful. It was a clear view of whether the site was working and ended a lot of arguments. These days we'd call this basic devops but in 2008 it was still a novel idea. My graphs kept running for several years even after they leaked to the press.

I grieve for Twitter now. I grew to love it over the years and was an enthusiastic user. Musk has ruined Twitter both culturally and technically. I suspect Twitter will survive in some new smaller, crueler form. But I've moved on to Mastodon and that's working for me.