I'm glad Game Changer is back. I laughed so hard at the first two episodes.
You could say, they were locking... my Czech-ing account. 😎
.cz is the top-level domain for the Czech Republic
Phishing email impersonating Capital One sent from OnlineAlerts--[yourname]@email.cz
Watch out for an email like this about Capital One, or any other financial site. If your account is locked, no reputable company should send you a link to enter your login information.
From my experience, real Capital One messages come from capitalone@notification.capitalone.com
To report suspicious emails to Capital One, visit capitalone.com/help-center/fraud-disputes/report-suspicious-email/. After filling out their form, forward the scam email you received to abuse@capitalone.com.
We've locked your online access.
Hi [name],
For your security, we've locked your online access due to too many unsuccessful sign-in attempts.
To sign in, you'll need to find and sign in with your existing username and password and need to reset your password after signing in.
Unlock Online Access [phishing link redacted]
- iOS
  - Sign in to the Capital One Mobile app on your mobile device.
  - Tap your profile photo.
  - Select Security then mobile app verification.
  - Tap the toggle switch next to mobile app verification to turn this feature on.
- Android
  - Sign in to the Capital One Mobile app on your mobile device.
  - Tap your profile photo.
  - Select Security then Manage My Devices.
  - Tap the toggle switch next to the name of the device you’re currently using.
Your safety and security are important to us. Thank you for choosing Capital One.
This one was sneaky because those numbered lists after the link seem like legitimate steps. I have never used their mobile app, but my suspicion is those steps would sign you out of the app. If you clicked the link and entered your login information, the attacker has it and could change it. Getting you to sign out of the app ensures you don't have any access at that point.
They also did a good job of including Capital One's boilerplate at the bottom of the message, including the legitimate From email and links to their Privacy Policy, Help, and Contact. The links used the click-notification.capitalone.com domain. I confirmed that matches real messages from Capital One.
To ensure delivery, add capitalone@notification.capitalone.com to your address book.
This email was sent to [email] and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.
Capital One does not provide, endorse or guarantee any third-party product, service, information or recommendation listed above. The third parties listed are not affiliated with Capital One and are solely responsible for their products and services. All trademarks are the property of their respective owners.
Please do not reply to this message, as this email inbox is not monitored. To contact us, visit www.capitalone.com/help-center/contact-us.
Aside: I actually closed my Capital One account a couple months ago. They warned that eventually my online access might be turned off and they would send tax documents in the mail. At first glance, I thought that's what this message was, but realized my account was under a different email, plus @email.cz is phishy as hell.
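The two checks described in this post (who the message is really from, and where its links really go) can be run mechanically. This is an added example, not part of the original post: the sample message is constructed, the unlock URL is a placeholder, and treating every host under capitalone.com as brand mail is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: any host under this domain counts as real brand mail.
BRAND_DOMAINS = {"capitalone.com"}

# Constructed sample modelled on the message above; the unlock URL is a placeholder.
SAMPLE = """\
From: Capital One <OnlineAlerts--yourname@email.cz>
To: you@example.org
Subject: We've locked your online access.
Content-Type: text/html

<p>Hi,</p>
<a href="https://unlock.example.net/signin">Unlock Online Access</a>
<a href="https://click-notification.capitalone.com/privacy">Privacy Policy</a>
<p>To ensure delivery, add capitalone@notification.capitalone.com to your address book.</p>
"""

def under_brand(host):
    """True if host is a brand domain or a subdomain of one (exact suffix match)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):
    """Return the reasons a message does not look like real brand mail."""
    msg = message_from_string(raw)
    findings = []
    # The display name ("Capital One") is free text; only the address matters.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not under_brand(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not a brand domain")
    # One off-brand link is enough, however many genuine footer links surround it.
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlparse(url).hostname
        if not under_brand(host):
            findings.append(f"link to off-brand host {host!r}")
    return findings

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("FLAG:", reason)
```

A matching From domain proves nothing on its own, since that header is set by the sender; a mismatch like email.cz is sufficient to discard the message.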
I’m working on a new search feature in indiebookclub which uses Open Library and supports cover images. It has me tinkering with the UI of the posting form and I’m interested in feedback about this first pass.
My first thought was to display the selected book information in a more compact, read-only block at the top of the form so you only have to select the status (want to read, currently reading, finished reading), then optionally add tags and other choices if you are using Micropub.
However, I still want to give people the option to update the book information before they post, so I was considering a button that would change the book information into editable fields. I experimented with various options and did not come up with anything I loved. I am now leaning towards always showing the fields with the populated values. Keep it simple.
Screenshot 1: on larger screens
Screenshot 2: on smaller screens
I did make the form more compact overall: less padding inside the form fields, less vertical space between them, and a horizontal layout on larger screens (using this WCAG technique). I also moved the timezone offset field out of a collapsed details element.
For comparison, below is a screenshot of the form as it exists. There are still a few parts of it that need to be put into my mockups, like choosing ISBN or DOI.
Screenshot 3: the posting form as it appears currently, for comparison
There will still be an option to use this form without searching Open Library, so if you are using a bookmarklet or prefer to type in all the fields, that will continue to work.
I look forward to any feedback or questions!


It’s the end of an hair-a.
I started growing the facial hair in April 2020 because, hey, why not? I had no idea if I would keep it for long, but fast forward six years and I guess I liked it. I still like it today, but I thought it was time for a change, especially with summer coming.
Want to watch: Holy Rollers: The True Story of Card Counting Christians
via “Blackjack”, episode #466 of This American Life podcast

Throwback to 2009 at Steak 'n Shake with Kraz. Miss this guy. And Steak 'n Shake.
Original photo by Jon Krasnichan
Want to read: Exvangelical and Beyond: How American Christianity Went Radical and the Movement That's Fighting Back by (ISBN 9780593717073)
Want to read: The Kingdom, the Power, and the Glory: American Evangelicals in an Age of Extremism by (ISBN 9780063226883)
Bookmarked: Good, Standard Work: Creating the Commons
Free idea for your website: Donnie Darkmode. Like regular dark mode, but it also adds an image of a man in a rabbit costume somewhere on the page.
I ran into this odd issue when trying to add two Yubico security keys to my Google account on a Windows machine. The process on myaccount.google.com keeps prompting to “Enroll Windows Hello” in order to create passkeys.
If you want to skip the preamble, jump directly to the steps.
Whenever I clicked the “Create a passkey” button in the middle of that page, it opened the special link ms-settings:signinoptions, which opens the Windows OS settings page for sign-in options. My best guess is that Google wants the machine itself to use one of those options, but I prefer not to at this point.

I did some clicking around between the security page, two factor authentication page, and the passkeys page, both with the security key plugged in and without. I don’t remember the exact steps, but I did eventually get to the “Use another device” prompt and was able to set up the passkey on the security key. At that point, I had my first security key and my phone listed as passkeys. I wanted to add my second security key (backups!), but no matter how I tried, I could not get back to that “Use another device” prompt.
I turned to the human internet and found some threads on Reddit. This one in particular had a comment suggesting signing up for Google’s Advanced Protection Program. It is free, so it was possible, but I persisted mostly out of spite because this shouldn’t be so hard!
Fast forward through several more clicking around adventures and here is how I got it to work:
- Visit https://myaccount.google.com/advanced-protection/onboarding and sign in
- Scroll down and expand the section “Passkeys and security keys”
- Select “Create passkey”
- In the popover, select “Use another device” (screenshot below)
- Another popover with a QR code instructs to scan with a phone or tablet. Ignore that prompt and click the “Back” button at the lower left of the popover
- The QR popover will go away and you should see the prompt “Choose where to save your passkey for google.com”. Select “Use an external security key” (screenshot below)
- From that point, follow the OS prompts to enter a PIN and touch the security key
- Done! The security key now shows up in the list of passkeys
Reposted Al Abut:
“Movie nerds! Come hang out at our #indieweb zoom on Saturday April 11th to talk about surfing and aliens: https://events.indieweb.org/2026/04/march-april-movie-club-h6pXaMEkEjj1”
— Al Abut, https://techhub.social/@alabut/116342787994876100
I am trying out a method to reduce bot attempts on forms like on my contact page based on fluffy’s example.
On select pages, I now check for a specific cookie. If it is not found or is more than 24 hours old, then the browser redirects to the “Sentience Check” page. That page is a minimal form with a button to indicate “Yes, I am a hooman.” Submitting the form sets the expected cookie and redirects back to the original page. If JavaScript is enabled, it will submit the form as soon as the page loads, so most hooman visitors will only see the intermediate page for a second and should be able to continue without issues.
Also at fluffy’s suggestion, the sentience check page returns a response code of 429: Too Many Requests with a header that indicates: retry after one hour. I have no high expectation of the bots respecting that, but maybe the lack of successful response codes will cause some to back off.
The last thing I did was add a noindex meta tag on the page, so search engines should ignore it.
If you’d like to view the page, I recommend turning JavaScript off temporarily and then visiting: gregorlove.com/sentience-check/.
I am interested to see how much this will reduce bot attempts on the contact and public sign-in pages. I have had CSRF and honeypot form field protections on both for quite a while, but of course I still see a lot of attempts on them.
Depending how this goes, I might expand its usage to the “send a webmention” form and explore using it to block LLM bots.
I did consider using “I am a meat popsicle” on the button, but not everyone might get The Fifth Element reference.
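The flow described in this post (cookie check, redirect, 429 with Retry-After, noindex, auto-submit) fits in one request handler. This is an added example, not the code running on this site: the cookie name, the HMAC-signed timestamp format and the same-site check on the return target are assumptions.

```python
import hashlib
import hmac
import time
from html import escape
from urllib.parse import quote

SECRET = b"replace-with-a-random-server-side-key"  # assumption: cookie is HMAC-signed
COOKIE = "sentience"                               # hypothetical cookie name
CHECK_PATH = "/sentience-check/"
MAX_AGE = 24 * 60 * 60                             # older than 24 hours: check again

def issue_cookie(now):
    """Cookie value is the issue time plus an HMAC, so clients cannot forge or extend it."""
    ts = str(int(now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def cookie_is_fresh(value, now):
    """True only for an untampered cookie issued within the last MAX_AGE seconds."""
    ts, _, sig = (value or "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return 0 <= now - int(ts) <= MAX_AGE

# noindex keeps the page out of search results; the script submits for JS-enabled visitors.
CHECK_PAGE = """<!doctype html><meta name="robots" content="noindex">
<form method="post" id="f"><input type="hidden" name="next" value="{next}">
<button>Yes, I am a hooman</button></form>
<script>document.getElementById("f").submit()</script>"""

def handle(method, path, cookie, next_url="/", now=None):
    """Return (status, headers, body) for one request; cookie is the raw cookie value."""
    now = time.time() if now is None else now
    if path == CHECK_PATH:
        # Accept only same-site paths as the return target (no open redirect).
        if not next_url.startswith("/") or next_url.startswith("//"):
            next_url = "/"
        if method == "POST":
            cookie = f"{COOKIE}={issue_cookie(now)}; Path=/; HttpOnly; SameSite=Lax"
            return 303, {"Location": next_url, "Set-Cookie": cookie}, ""
        # The form itself is served as 429 with a one-hour Retry-After.
        return 429, {"Retry-After": "3600"}, CHECK_PAGE.format(next=escape(next_url))
    if not cookie_is_fresh(cookie, now):
        return 302, {"Location": f"{CHECK_PATH}?next={quote(path)}"}, ""
    return 200, {}, "protected page"
```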
If it's a required question without an "I do not wish to answer," that's unlawful.
It could potentially be they're trying to be more inclusive for equal opportunity reasons, but they should communicate clearly that the question is optional.
I added a banner to go along with my Long Covid Awareness Day post.

“International Long Covid Awareness Color Codes: Teal: #18929A, Grey: #939393, and Black: #000000”
https://www.longcovidawareness.life/graphics
Aside: I quite like this teal color. I might have to work that into my site in some places in the longer term.
I really enjoyed watching Winged Migration (2001). Some breathtaking footage of bird migrations all around the world. I was shocked how close some of the footage was and learned via Wikipedia that the filmmakers raised several species from birth so they would imprint on the staff and be accustomed to the ultralights and camera equipment.
Thanks to Fractal Kitty for the recommendation for IndieWeb Movie Club!

I ordered a dirty chai and I complimented the barista on his handwriting as he wrote out this “Chai.” As he drew the “X”, he explained he used to write “Chai XXX” since, ya know, dirty chai. Then he figured, “Why not Chai XCX?”. Much appreciated handwriting and wordplay.
