Until your Google account gets locked for some unknown reason and there is 0 support and recourse. And now you can't even log into your own computer.
> If you use your own Ubuntu/Debian or even RMS certified distro, the same can happen. An upgrade and you see only an xorg blinking cursor.
This can be fixed yourself, whether that's hopping into a TTY or having to boot a live environment and chroot in. You aren't at the mercy of some major company's support people.
Even without fixing it you should be able to get at the files on the drive for use on another machine, or backing them up if you're gonna reinstall.
This does not mean anything logical. Billions use Android. Some will be affected due to any company or ID etc.
Pretty sure you can visit your local Apple store and see many people asking about a shattered screen or lost iPhone. They did lose their accounts.
Moreover, even if you use a MacBook, if you lose your Google or Apple ID the situation is the same. (For the majority) the App Store is important. See your comment https://news.ycombinator.com/item?id=48111545#48123885 you are happy to give everything to iCloud but don't like Google?
I can also store all my data in Hetzner Cloud. Use the Chromebook only as hardware. If the Google account is blocked then use a Guest session. No account needed. Your turn?
What is really amusing to me is how N months ago, the latest SOTA was incredible, but now utterly unusable. Feels like there is a model reality-distortion field in play where people can only acknowledge the flaws in retrospect.
The scary part is that codebases are getting layers of AI complexity, that it's going to cost $$$ to have the latest model decipher and make changes as no human can understand the code anymore.
Pretty soon there is no code reuse and we're burning money reinventing the wheel over and over.
Prior to the advent of LLMs, I had this concept of the 'complexity horizon' - essentially a [hand built] software system will naturally tend to get more and more complex until no-one can understand it - until it meets the complexity horizon. And there it stays, being essentially unmaintainable.
With LLMs, you can race right for that horizon, go right through, and continue far beyond! But then of course you find yourself in a place without reason (the real hell), with all the horror and madness that that entails.
> The scary part is that codebases are getting layers of AI complexity, that it's going to cost $$$ to have the latest model decipher
Isn't this a bit like old Java or IDE-heavy languages like old Java/C#? If you tried to make Android apps back in the early days, you HAD to use an IDE; writing the ridiculous amount of boilerplate you had to write to display a "Hello World" alert after clicking a button was soul destroying.
The difference is that the complexity to achieve “Hello World” was the same for everyone, and more or less well-understood and documented. With AI, you get some different random spaghetti slop each time.
I genuinely think it's part of a psyop. If we bloat all codebases and eventually start printing the models on chips to reduce inference costs by 50-100x, they'll take in massive profits from 5M line codebases instead of 350k.
The difference between the "thanks" email and the "loser" email is that the second one is intentionally disrespectful.
I'm not convinced a polite but AI-written email hits the same note. At the very least it's unintentionally disrespectful, which isn't a direct challenge. Your boss doesn't care enough to write an email by hand, but also doesn't care enough to burn bridges and insult you.
> At the very least it's unintentionally disrespectful
There is ZERO CHANCE they have used AI unintentionally.
> also doesn't care enough to burn bridges and insult you.
By actively using AI they are stating that you are so much beneath them that even a personal "eff you" is not worth the time. One would have to actively try and poke some personally hurtful areas to come off more insulting than the use of AI.
There's a difference between your boss not caring about you (does any boss really care?) and your boss actively disliking you enough to call you a loser when they expect to gain nothing from it.
In the former case, disrespect is a side effect of laziness, while in the latter it is the whole point.
My point is that it's disrespect of the same kind as your boss forgetting your name when you've been working for them for ten years, not as being called a loser.
I don't understand — I use AI to write email particularly _because_ I care about the recipient, and am confident the resulting email will more eloquently and accurately express my feelings. I'll also often edit it afterwards to ensure it's in my voice.
Regardless, I don't think it's fair to presume that my boss doesn't care because an LLM generated the email.
^ This was written 100% by hand. Let's have Claude proofread it and make any suggestions:
I'd argue the opposite — I reach for AI because I care about the recipient. It helps me express my thoughts more precisely and eloquently than I might off the cuff, and I'll often edit the result to make sure it sounds like me.
Why are you a CEO if you are bad with words? If a CEO's work can be reduced to picking the best option from AI generated text, why do they make so much money, and why would anyone choose to invest in a company that could be led by anyone picking from a list of AI responses?
It's a little less than if you got up and stood in the convenience store to pick 1 of 12 "Get Well!" cards. That's a few meaningful steps up (literally) from the 1-click eCard. The output will be a bit better for it, but more importantly, it shows more that interaction mattered for you.
The effort is meaningfully part of the output. I think many would still prefer if you scratched a couple non-perfect words yourself. I know I would. Those words are You, and if you're in a place to send me a card, what matters is that you showed up and offered Your words. The language and the card are transfer media.
In the same way....... you could go the opposite extra mile to make a very elaborate "you suck, here's your severance, loser!" message that would tip towards disrespectful :p
The problem with AI is that it tells you to say things you don't think, and can't tell you to say things which are original to you. Some things you will only say because they were presented to you by the bot. Others you won't say because they only exist in your head.
If you are bad enough with words that you can't write an authentic message, you are also bad enough with words that you won't understand the options with enough nuance to know what you are saying. The bot will put words in your mouth that aren't true.
It is generally better to write poorly and from the heart than to outsource your heart to a really big algorithm. What you accidentally say from the heart will still echo your thoughts, while the AI will not. ChatGPT can't suddenly remember the time when you and your wife went to the beach together and saw a penguin, and she was worried it wouldn't be able to reach the ocean, and then it was totally fine and she got embarrassed, but you felt really in love with her because she cared so much.
You do get how that's worse, right? The person would rather spend their time arguing with the clanker than thinking about the person and putting those thoughts into words, however unstructured they are.
Yeah, but communication is a two-way street. It might not matter to me that my words are unstructured, but it will to the person I'm writing to if they can't make head nor tail of what I'm saying, or worse, misunderstand it as being insulting when it isn't.
There is a whole industry built around the [mis-]conception that people will take less offense at the content if it is presented differently. The predictable result is that it is actually rewriting the content, not the presentation or tone. No amount of LinkedInese corporate fluffery will wash off the core message that people are getting laid off, unless you outright hide the message under the ambiguity of double-speak like "slimming down operations", which can mean multiple things.
So essentially you have three choices:
1. Spend time writing (or have it written by a copywriter) in corporate fluff dialect, where the actual message is still understandable by all parties. At the cost of appearing tone deaf.
2. Spend time reiterating with a bot that speaks some undefined sub-dialect of LLMinese, where the reception of the message is unknown. At the cost of appearing even more tone deaf and insulting than a corporate cog.
3. Spend time restructuring the message in your genuine voice. At the cost of maybe being heard more harshly than intended.
I fail to see how option 2 can be perceived as anything but the worst, unless you assume that the target audience does not distinguish LLMinese from actual speech.
Totally agree. I don't understand why people are averse to working on their communication "soft" skills compared to other "hard" skills. People who find it hard to express themselves have my sympathy, but at the same time I'm flabbergasted at how they function in a team or in the workplace. Not to mention people for whom English is not their native language treating LLMs like the Star Trek universal communicator instead of as help with language acquisition.
And yeah, I know my tone is harsh and appears to lack empathy, and I have only my writing skills and a lack of time to blame. That said, I won't be the one to throw it in an LLM for "refinement"; otherwise how would I improve? I'm not sure LLMs are to communication as forklifts are to lifting and moving stuff.
As a side note, the general advice regarding code review in my experience was not to take it personally, and it's kinda funny to me, for reasons I can't pinpoint, how people (like me) have started giving unsolicited advice or criticism in regard to writing when in actuality both (code and writing) reflect personally on the human on the other side of the screen.
Anyway, I pretty much went off on my own tangent here with an apparent lack of empathy to boot but if we end up disregarding such fundamental human skills then what's to stop us from becoming dunces in a few generations? Sure, I'll add another abstraction layer even if it has a lot in common with reading tea leaves because it's not like I manually flip switches to input a program but I'll try my best to keep my individuality where it matters to me, specifically when it comes to expressing myself.
You are contradicting yourself: either presentation is not important, so LLM use does not matter (as long as the core message is still there), or it is important and an LLM can change how the message is received (by improving the presentation or making it worse).
I don't see a contradiction. What they are saying is that no amount of non-ambiguous presentation can make poor content acceptable. They never said the presentation was meaningless.
Example: A friend has died and consolation is given. No amount of consolation makes the death a good thing for you, but there is still a difference in how that consolation is presented to you.
One group are the ones who are staying. They lose teammates, they have to restructure work and fear whether there will be another round soon, which may hit them.
And then there are customers, investors, ... who need to be assured they are not dealing with a failing company.
Security isn't black and white. If I leave a post-it note of my logins on my monitor, that's definitely less safe than in an unlocked drawer, and so on.
If I leave a post-it note of passwords on my monitor inside a vault to which only I have access, it’s not a big deal. That’s the point of the “airtight hatch” metaphor.
I think we've moved away from the secure perimeter thinking and towards defense in depth - if that list of passwords helps you get somewhere other than the vault, removing the post-it improves security. Vaults get infiltrated all the time - and often in partial ways like being able to see into the vault but not reach in.
Defence in depth matters, but an analysis here shows that the same mechanism used to breach the outer layers (getting administrative access) can be used to breach the next layer (more thoroughly prodding Edge or Chrome to give up passwords).
Right; but in the scenario of this Tweek, you've invited someone untrustworthy into the vault and are then freaking out because they can see the post-it note of passwords. It is inherently irrational.
This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure. No obfuscation will work, because the password manager itself needs to de-obfuscate it before use (and that memory too is dump-able).
All adding in-memory obfuscation does is make ignorant people feel better, while not moving the security needle even an inch.
I think we’re largely in agreement. I do think there’s some benefit in reducing the amount of time that a password is in cleartext in memory. But it’s pretty far down the list.
> This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure
Usually the confidential bits are hardware isolated away from the supervisor (host kernel/OS) in Enclaves/TEEs, Realms, Secure Elements, Security chips, etc.
True. But then your hardware dies, and you're locked out of every account you own. It is objectively good security, but has a ton of usability headaches yet to be really solved.
I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.
I swear, people who idolize passkey security must never travel anywhere.
PS: "just have more devices with passkeys", they invariably say.
Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.
I've been avoiding passkeys but more and more websites are trying to push them, and one website I use now requires them. I've already got a password manager! I don't need to change everything again!
The good thing about this is they thereby also support FIDO2 hard tokens such as Yubikey. The UI is often confusing but you can always tell it to provision the key to your Yubikey rather than the OS enclave.
That doesn't help if my machine (with only a few USB ports) gets stolen/lost with the token in it. It doesn't help if some of my devices only have USB-C and some only have USB-A. It's absolutely more annoying than letting my password manager fill things in or typing in a 6 digit code from my authenticator app.
Passkeys are password replacements that can't be breached/leaked/etc... I don't think they are necessarily supposed to replace 2-factor, however it's probably more secure than some of the weaker forms of 2-factor auth.
Given that accessing your password manager's vault often requires 2-factor (or should at least), it's a level of security that I am comfortable with.
I take it a step further and host the password manager vault within my home network. My home network does not expose anything publicly except a WireGuard port, it's completely locked down. I have to VPN in to access the vault.
The subject here is literally websites trying to push passkeys on users. That is who is asking us to.
About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.
It's wildly obnoxious that browsers don't let you generally suppress these prompts.
And if you take the nuclear option and strip your browser of WebAuthn support, then you obviously can't use any passkeys, which doesn't work for me - I have two sites where I do want to use passkeys (because it's the only way to avoid SMS-based MFA on every login), but I never want to see passkey prompts for any other sites.
We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.
I’ll be honest I’ve heard a lot of griping about passkeys but I have gone out of my way to switch over to them and have had precisely zero issues over the dozens of sites that I’ve bothered to make the switch on. Login flow is simpler and doesn’t rely on a browser extension guessing at login fields or trying to figure out when passwords change.
Me giving an example of one major website (actually, I gave two) is all that is needed to disprove your claim. I could provide plenty more examples of major websites asking me to, but I don't need to. I could provide plenty of examples of people telling people to "redo everything" with passkeys, but your own comment is literally advocating the same thing...
Please don't mischaracterize the conversation that is plainly visible for all to see. Just accept that you tried to suggest that nobody is asking users to switch to passkeys, and you were wrong. It seems like your error is that you just haven't been seeing it personally, since you switched on your own before the nagging started, and so you weren't aware of it. Well, now you are.
They literally are. You can easily google articles telling people to use passkeys for all their supported accounts. I'm not going to google it for you.
Why you are trying to claim the opposite is beyond me.
> We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.
Yeah right.
When passkeys were rolled out, I was told it's OK because "passwords are always going to be required to be an available alternative".
Now we've moved the goalposts to "it's just one website".
> Sometimes the new thing really is just better.
And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.
What if I told you I was not one of the people saying that? You can’t take two different people with two different opinions and say “Look! You’ve moved the goalposts!”
If passkeys are significantly better, passwords will gradually stop existing. If passwords are, passkeys probably won’t catch on.
> And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.
I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it. If this is a sufficiently motivating use-case for you, you too can take these kinds of steps to mitigate the risk.
But since we’re playing the “what if” game, what happens if you get early onset dementia and forget your passwords? Pray tell then what?
> I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it.
So, basically, having to create and maintain a backup device to keep separately from my laptop/phone in case they get stolen, make sure I don't lose it, but carry it with me everywhere like a crucifix.
That, and still having to remember and use a password, because otherwise the thieves get control of everything once they steal my device.
Sure. That's not objectively better than passwords which don't require this sort of hassle.
At the very least because it still requires a password.
> you too can take these kinds of steps to mitigate the risk.
OK. I can. I don't want to have to do these kind of steps, or any other dance to mitigate the real risks that passwords already protect me from.
Passkeys mitigate risks which I don't run into (“what if someone learns my password?”), while introducing others.
They are a convenience for people who run the system because they off-load those risks onto users.
> But since we’re playing the “what if” game
You're playing games with contrived hypotheticals.
I've had my laptop, phone, and wallet stolen on an overseas trip.
> what happens if you [...] forget your passwords?
I click the "forgot your password?" link which every website that uses passwords has.
Having a notebook in a vault with passwords also solves this problem.
I don't get a sudden onset of dementia which causes amnesia when I travel.
But I've lost my devices and had them stolen from me overseas.
It was a big enough hassle even though I did have the passwords.
If a website only supports one passkey on one device, it's a shitty implementation. To be fair many websites have shitty implementations, so I ended up using my yubikeys to store the secret for OTP codes.
Having only one device that has authority to log into your accounts is obviously not a good security model.
Of course they are. Lots of websites are pushing it, including while using dark patterns. You need to sometimes explicitly cancel an onboarding flow to avoid Passkeys.
For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.
It could be very difficult to log in to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there).
I travel a lot. By train, plane, and car. I also use passkeys when possible. I have multiple Yubikeys, stored in different locations. I also have a password manager, where I typically keep track of which logins aren’t yet backed up across physical tokens.
It takes a bit of effort, but it’s not impossible.
Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.
> Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.
No need to imagine!
Remove all passkeys from your phone and laptop, then go somewhere overseas without any of those Yubikeys.
Have fun enjoying a "not truly problematic" scenario of getting your Yubikeys from "multiple locations" you don't have access to, while being cut off from your messengers, email, bank account, etc.
Bonus points for having your card locked or stolen at the same time.
Or, imagine the backpack with your passkeys devices being stolen on an overseas trip.
I don't have any passkeys on my phone or laptop. They're all on the Yubikeys.
I don't really see a difference with (some) password managers, though. If you use one of the keepasses, and you lose access to the file, you're in the same situation right?
And yeah, you're right, there is a risk of inconvenience. I'm not debating that. I just choose to organise my life in such a way that it is just an inconvenience.
It's literally at https://github.com/Joker-vD/keepassdb/raw/refs/heads/master/... in my case, plus a couple of other free hosting sites that support easy updates/reuploads, so losing access to it requires losing access to Internet — in which case you don't really need any (alright, most) of your passwords because you need Internet to connect to the services that require those passwords.
OK, fair, I never left my keepass file exposed like that when I used keepass.
If I remember correctly, 1Password still requires a "vault key" in addition to your username and password, and it was definitely too long and not used often enough for me to remember.
oh lawd, yes it does come down to 'who has the power to reset your account', and very few people want to take the path of 'no one has the power' in the case of lost credentials.
A lot of services have password reset email features. If the email account has a passkey you're screwed. But restore by snail mail can be possible, but slow (for paid services). More secure? Don't know, but it's the same category of problems already known due to SIM swapping attacks in the mobile sector. But for sure the mail account is a high value target.
Storing passkeys in a database may be possible but complex to do right, e.g. backup verification, avoiding leaks during backup, etc.
Banking has no self-service password reset. A lot of work for customer support due to identification. Nobody wants to do that for free, and if the accounts are free you may get DOSed by bots which trigger password resets.
Yes, but the PIN uses the TPM, which allows other things like only ever allowing a low number of guesses before requiring a reset of the PIN (using a password or other mechanism).
> It is objectively good security, but has a ton of usability headaches yet to be really solved.
Thank you, then this is still true today?
Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.
> If I leave a post-it note of my logins on my monitor, that's definitely less safe than in an unlocked drawer, and so on.
Having passwords on post-it notes does make certain types of attacks much easier. For instance, coworkers hacking other coworkers, or people burglarizing the office. None of which really apply to the "If an attacker gains administrative access on a terminal server" scenario.
Continuing the analogy, what Edge is doing is like leaving cash in unlocked cabinets inside a vault, and what Chrome's doing is locking those cabinets with a padlock. Sure, having the padlocks makes the cash more secure, but if someone went through all the effort into breaking the vault (terminal server), a padlock probably isn't going to stop them. This is especially true nowadays with AI coding agents and ready-made stealers available for sale online.
The way to think about security is as a system of layers, each of which filters out ever more sophisticated attackers.
We should care about all kinds of attackers, and not assume that the protections against the most sophisticated will obviate the protections against the least sophisticated.
The Swiss cheese model is what people use to sell you more 'security' related software systems that inherently involve more problems. (Also cheese is not very durable, even the kind without holes.)
That is redundancy in my book. I don’t expect holes in my GNSS devices. And if you want to be sure, bring three, because two GNSS units with different readings are not very helpful.
I don't expect holes. But both devices are exposed--something could happen to one of them. And since I like going out in the middle of nowhere I assume I either have to get myself out, or if that's impossible summon help. I don't want a single point of failure on either of these.
Isn't it at risk from any code pathway that somehow allows you to exceed a buffer and read memory unbounded? Then a nefarious web page could capture that? That's a huge exposure surface.
#hugops is to your coworkers, not to the nameless big-corps who can't maintain a service for paying customers. You should be raising a shitstorm when things you pay for aren't reliable or unusable.
Hot take: if its traffic is causing issues, throttle your free tier, pause signups, or stop giving out free things (like runner time).