Untit1ed's comments

I still haven't reckoned the security implications, but Bitwarden supports passkeys, you can mostly use them the same way as you do a username/password across devices.


That still means dependence on some software product to log-in to basic services. With a password, I don't need to use a software product.

What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer? What happens when the WebAuthn standard evolves and only the big-tech companies have solutions for storing passkeys because little software vendors or open-source vendors don't support the standard as well?

What happens when password-based login is phased out because passkeys are SO much simpler...assuming the user acquiesces and signs up for a big tech company's service? Who will be able to choose then?


> What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer?

Even with passwords, you'd still need an application or a device for 2FA, unless you keep a pack of scratch cards with you everywhere. So unless you go out of your way to avoid 2FA or use scratch cards, I don't think this changes anything from the status quo, only now you have one less thing to remember.


Well, 2FA was the first step in making devices more entrenched. Passkeys are just the next step. So, it's not exactly passkeys in isolation that is the problem, but the lock-in to technology (and big tech for most people), and passkeys being another discrete but significant step in the process.


On the contrary. Passkeys free us from complete dependence on mobile devices (and the telcos that distribute SIM cards) because passkeys can live on any number of desktop computers.


That is certainly a good point, but it doesn't free "us", only those smart enough not to use their phones for this purpose.


I said "passkeys free us from complete dependence on mobile devices". Complete dependence means not having other options. Passkeys give us other options - all of us, not just those of us who decide to use those options at any moment in time.

If most people use their phone for login that's fine. Many people don't even have another device.

What we should push for is passkey export, migration and backup features. The most likely lever that big tech could use for lock-in is making it near impossible to move those passkeys out of their closed ecosystems.


I'm curious – if open standards such as 2FA (TOTP) and Passkeys are considered locked-in, what would be a solution in your mind for an authentication scheme that isn't subject to the inherent problems of passwords (phishing, weak passwords, password reuse, database exposure, etc.) and that fits your requirement?


Reducing our dependence on the internet. If we do that, then internet accounts themselves will be less valuable and less prone to hacking.


So you’d solve the problem of passkeys being, at this very moment difficult albeit not impossible to move, by dismantling the modern financial system?

I do remind you that all money transactions are done electronically. You’d have us go back to checks?


> You’d have us go back to checks?

I would dismantle big tech first. The banking systems would still exist. But I don't think cheques were too bad.


If you don't currently depend on a software product for managing your passwords, then you are undoubtedly using weak or reused passwords everywhere. You absolutely should be using a password manager to store unique, complex passwords for everything, and then it's not really a big jump to upgrade to the superior user experience of Passkeys.


> If you don't currently depend on a software product for managing your passwords, then you are undoubtedly using weak or reused passwords everywhere.

Not using software doesn't undoubtedly mean weak reused passwords. You can easily have strong unique passwords without a software product.


> With a password, I don't need to use a software product.

Formally, you still need a computing device with software that allows you to input and transmit the password, as well as any related challenges. (E.g. you may have a hard time logging in on a device that doesn't have a physical or full virtual keyboard, like a TV - I literally had to grab a laptop and change my password once because there was no character on the virtual keyboard that I needed to "type".)

While public-key cryptography isn't really doable on pen and paper, I don't see anything fundamentally wrong with requiring some computations to be performed, as long as every step is documented and the end user fully and completely has access to and owns their credentials. "You won't have a calculator^W computer" was the biggest lie from my childhood - everyone does, or can, including full control and ownership of the device if desired.

Of course, this is not the case with how Passkeys are currently implemented, as the corporations are extremely hostile to even the idea of letting users export "their" "own" keys.


> What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer?

Then you and the people you influence can continue to enjoy getting phished.

> What happens when the WebAuthn standard evolves and only the big-tech companies have solutions for storing passkeys because little software vendors or open-source vendors don't support the standard as well?

For a bunch of companies/gov entities syncable passkeys aren’t secure enough. So they still need to use hardware-bound passkeys on e.g. yubikeys.

Try to read up about a subject next time before you let your imagination go wild and scare equally ignorant people away from more secure alternatives.

Your conspiracy theories even seem to push you to be against using password managers in general. I guess googling around for an offline one like KeePass that’s heavily recommended all around the internet was too hard? KeePassXC even supports passkeys.


> Then you and the people you influence can continue to enjoy getting phished.

Yes, you are quite right (although I have never been phished). But the spirit of your answer is correct. But that was my point: there is no choice, except to be more tightly integrated into tech, which in my opinion is a horrible thing. Instead, we should lessen our dependence on technology so computer accounts aren't so important after all.

> Try to read up about a subject next time before you let your fantasy go wild and scare equally ignorant people away from more secure alternatives.

I am fully aware that passkeys are MORE secure. If you actually read my post, my argument was not TECHNOLOGICAL, but sociological: I argue merely that the tighter dependence on this technology is a bad thing sociologically, even if it is the RIGHT thing technologically.

My thesis is that passkeys are a symptom of tighter tech integration, perhaps an inevitable one. You are irate because passkeys are the better solution to a technical problem, but I nevertheless maintain that the existence of that technical problem itself is merely a side-effect of a much larger problem for society -- the dependence on a tightly-integrated vertical technology stack. So perhaps YOU should read into the subtlety of my argument before claiming that I am ignorant.


Are you intentionally ignoring the part where I provided reasons for why alternatives to the use of password managers by vendors that (supposedly) cause lock-in won’t go away?

It turns your fear into a hypothetical that you’re more than welcome to discuss but imo it’s disingenuous to frame it as the incredibly big problem you’re framing it as.


I disagree because the problem of internet lock-in exists today, not a hypothetical future. It is already a big problem.


You can self-host it

https://github.com/dani-garcia/vaultwarden

I agree with your point though


I remember when the whole OpenID/OAuth stuff started with a simple input field to log in with your domain name. You could self-host OpenID or delegate it from your homepage.

Today "distributed login" is "login with your preferred feudal lord".


Bitwarden is open source and has a free option. Granted, the app store app is a binary blob outside your control, but you have options.


> is open source and has a free option

For now. Remember Hashicorp?

> but you have options

If you don't want (or aren't able) to use the 'app store app', what options are there? What options would there be when Google/Apple make a smartphone (and an app on it) a requirement, in the name of security?


Not exactly a database but the Australian government has a few available at https://www.yourhome.gov.au/house-designs


I suspect it was written by someone who thinks "CPU" means "desktop computer".


Then you probably don't have humidity either, so the collector won't work.


No, that's not true; it's just less efficient because you have to handle more air and cool it to a lower temperature. Air in Earth's atmosphere always has significant humidity. See https://news.ycombinator.com/item?id=30716765 for some calculations.

It's reasonable to condense drinking/cooking water from air with solar energy in places that lack secure water. Not water for other purposes; you can't run a cooling tower, irrigate a field or an orchard, water a herd of cattle, or even grow a garden that way. But a household-sized dehumidifier powered by a household-sized solar panel can certainly make enough water to drink and cook rice.

On the other hand, if you live in semi-arid desert or any wetter biome, a cistern probably has a better cost-benefit ratio. Depending on your aquifer, a well may be better still.


It's worth pointing out that the sorbent-based systems in the H2E project don't work by cooling air below ambient temperature.


There are many places that have fog, but no or little rain - the skeleton coast inwards/Namib desert in Namibia for example.


There's a very interesting beetle there...


I assume they work for the Mayo clinic, it's not exactly your average hospital workload.


I'm not sure whether it was due to changes in the algorithm, but at some point the logged-out front page that most people see became easily 50% outrage porn - a picture of a truck parking in two parking spaces, shaky video of someone being racist in public, most recently message conversations from horrible bosses.

When someone eventually makes an account and delves into the more niche subreddits, that's the culture that they're expecting and as more do it, it starts to change the culture of the niche subreddits as well.

Ironically the secret to reddit's success was that it was just left alone with very few changes for so long. The front page was already a dumpster fire at that stage, but a dumpster fire mostly contained to the top 20 subreddits. Now that it's more clever about pulling in posts from more niche subreddits that are doing well, or based on geolocation, it pulls people into the subreddits more which accelerates the Eternal September effect.


You don't necessarily have to choose - you can post on your own blog, then copy-paste it to Medium and set the canonical url back to your own address so you keep some of the SEO-juice.


I see a lot of people talking about reputational risk around this, but I'd be more worried about the legal implications. Most of us have contracts that grant IP of what we create to our employer at least during work hours - if you get caught doing this how do the IP implications unwind given that both your employers have the same rights to what you produced? Would it be legally equivalent to selling a bunch of IP that you never had the right to?

This whole phenomenon is just the pinnacle of the privilege that we enjoy as software developers. While warehouse or hospitality workers work two or three jobs to stay above the poverty line and have their every move tracked as they do, we choose to parlay our autonomy into occupying two well-paying jobs at the same time.

When our employers force us back into the office 5 days a week, it'll be the people who did this who made that happen.


I had a coworker try to pull the two remote jobs at once thing.

Thinking a customer was calling, he answered the wrong phone and said the wrong company name, but it was actually his boss's boss.

Company fired him, and actually went so far as to threaten to sue the guy until he agreed to pay restitution (one year pay), and they told the other company who fired him. I don’t know if the other company did anything else.

Dude was a bad apple / trying to find a way to skirt every rule / do as little work as possible anyway so I suspect if push came to shove they could have proven he really hadn’t done the work he claimed and was busy not working most of the time.

I really didn’t expect they would take it that far, company didn’t need his money, but I believe someone wanted to make an example of him. Can’t blame them.


Well I can definitely blame them.

It would be great if it worked both ways. Let’s say an employee who is forced to work unpaid overtime (two jobs amount) could use power imbalance to threaten the company into paying one year of their revenue.

If his work quality is really that bad, why not fire him already? What if he was simply super lazy but with one job, why not make an example of him for other slackers?


If you’re working unpaid OT and don’t like it, you know it and quit.


Or you do something to get back. Glorious karma. Employers should just pay overtime.


One of my former employees related a story to me of legitimately needing the money and working two jobs in person, one day shift and one night shift. One of the two wall street employers let him work a year until it was time to payout bonuses and only then said oh we're aware you also have a job with a competitor so you're fired. This doesn't seem much different than defrauding companies by working multiple jobs remotely.

More recently a friend told me of someone he previously worked with who advised my buddy to do what he does and hire onto multiple jobs, not consulting but as an actual full time employee. Apparently this guy is a great talker and somewhat fearless, often claiming skills well out of his area of experience and just faking it until he makes it or gets fired. This guy often has four jobs at once, falling back to two or three only when he's discovered and fired. I guess if you can't actually grab a FAANG job, you may be able to fraudulently reproduce the salary in aggregate.


If the companies that hired him are satisfied with his work (quality, time delivery) and can't even tell the difference on their own, is he really doing them wrong?


In this case the company I worked for wasn’t happy, but dude was adept at moving around to avoid responsibility / not be there when the chickens came home to roost.

But other people had complained / concerns so in this case there were already issues, even if tentative.

The phone incident was more of an “ah ha” moment for the company.

As far as a developer goes I think in some instances it takes a long time to really gauge how someone is doing, more so if they are dishonest.

Yeah, I think we all want to be in situations where we tell our employers "it's going to take X time" and "hit some technical hurdles, will take longer" and they believe us, and I think many employers want that too…but that has risks as far as those who will abuse that trust.


Clearly they could tell; he told customers from one company to go to the other


No one really assesses work quality.


And I don’t think we like when they try.


Yes, assuming he signed an employment contract that disallowed this type of thing, which is very very common.

If you want your contracts to have value, you have to defend them. If you're made aware of behaviour and do nothing to solve it, that's implicitly encouraging the behaviour.


>> Most of us have contracts that grant IP of what we create to our employer at least during work hours

That's an American thing. I work in a Central European country, and IP that I create belongs to me until I pass the rights to my employer. Conveniently, my contract states that the act of committing my code to an employer-hosted git repo is the act of giving up the copyright.

You can easily do that for two employers at the same time.


What happens if you are helping a colleague and need to share a code snippet with them? Or you suggest a change to the code during code review? How does your employer get rights to use that code?


I've never not had a contract that stated I had to get consent from my employer if I wanted to take any other job. And I get the feeling that if you got caught double-dealing like this, a company would take it seriously enough to actually sue you for a serious breach of contract. Especially if the other company is in the same industry - this creates a huge conflict of interest and the potential for data leaks, etc. IP ownership and legal issues make this a very dangerous game.

Maybe you get away with this if you're working for small companies that can't afford the legal procedures, but if you're working for a small company there's also much greater risk you'll be found out because you can't disappear into the crowd.


I knew someone who tried doing just this during COVID (taking two programming jobs), and ended up getting fired by both jobs when they found out.


> and have their every move tracked as they do, we choose to parlay our autonomy into occupying two well-paying jobs at the same time...

Some folks are possibly writing the tech that is overseeing others...


Right? It seems like you'd very quickly be in the realm of breach of contract for most high-income jobs. I'm presuming this is targeted at already high-income earners, because the alternative is simply a techified name for what some huge proportion of all Americans do all the time.

I'd also be intrigued about how it interacts with contracts that say everything you do/think in your spare time belongs to the company (a nonsense condition, but whatever)


What's happened to NICTA and Data61 breaks my heart, but it's a lot of words to convey something pretty simple and well understood: Data61's strategy is to create cool-sounding press releases and photo-ops for ministers, and occasionally try to sneak in some actual science around the side. Trustworthy Systems got killed because a solid record of delivering incremental impact isn't going to get in the papers the same way that announcing millions of dollars for AI development (what exactly gets done within AI isn't particularly important).

To be fair I'm not sure what options D61 management actually have - they could focus on supporting solid programmes like TS but it'll only last a year or two before the government yanks their funding, because if D61 has nothing to put in the background of a ministerial announcement then it's of no value to the government at all.


I think the big difference is that Australia has managed to have zero cases for most of the last 18 months, which has allowed it to go on pretty much as normal for much of that time.

Although 170 cases is a lot less than 10,000 when you view it as a pure number, from an economic and lifestyle perspective the difference between 0 cases and 1 case is effectively more significant than 1 case and any number of cases greater than that - zero cases means that you can not only end restrictions, but also that people who normally wouldn't leave the house as long as there was any danger at all can go out and spend money without any fear of the virus.

So that's why there's so much emphasis on locking down even with only 170 cases - it's about trying to get back to zero ASAP.

There is an argument to be made for the fact that we'll have to live with covid eventually, but:

1. Vaccine numbers remain low

2. Given that people have seen lockdowns succeed in essentially ending covid before, and blame the government for both not locking down quickly enough in this outbreak and for the vaccination rollout, committing to living with covid now would be political suicide

