HighGoldstein's comments (Hacker News)

This is completely out of touch with the reality of the average user. The main causes of account theft continue to be phishing and data breaches which are easily exploited because most people reuse their passwords and will never stop doing so to use a password manager. Biometric passkeys are probably the only viable way to improve the situation.

I'm sure biometrics can be imitated quite easily with stolen data.

Really? What about phone theft? If someone sticks you up and knows all it takes is your finger to unlock the phone, I would think they would be more tempted to do so, as it takes more or less the same level of coercion as taking the phone. And it's easier than fumbling around with a password... therein is the double-edged sword...

Why couldn’t they force you to reveal your password?

Demanding a password introduces more error and more room for evasion than a finger, which as I said is about the same as getting the phone in the first place. You are right that in some, maybe even most cases, it may not make a difference. But when time is of the essence, additional obstacles are often simply avoided.

You also might ask who is sticking you up. For example, I believe there is Fourth Amendment literature re government officials that have gotten away with using an arrested person's biometrics to unlock a phone, in a manner in which compelling the release of a password would be illegal. Put another way, I can simply grab your finger or put your phone in front of your face, whereas beating you until you surrender your password is a lot harder to accomplish without creating additional consequences.


Still depends on your threat model. Not everyone lives in a place where stick-ups and random arrests are so commonplace that you want to inconvenience yourself 99.999% of the happy flow.

Indeed, good point. Proper threat modeling is everything.

This also explains my original reply to the ancestor comment. As I see it, most people's personal threat model essentially already accounts for data breaches to the point that they are almost irrelevant. We hear about them all the time. More and more people are learning about credit freezes or 2fa or just getting these services baked into things they already use (more banks offer free credit monitoring, 2fa is increasingly a standard). It seems like we are in a place where data breaches just become essentially background noise to the average user.

In my view then, I would personally factor in physical theft as a higher threat than "phishing and data breaches", even if it is low probability to begin with.

There is also the objective question of which occurs more or incurs more damages to individuals, the answer to which I do not know. I know companies often spend a lot of money to fix problems or deal with lawsuits, but individuals don't really get compensated by that the way they would if someone who ripped your phone away from you was tackled to the ground and your property got returned. For example.

As you say though, the threat model is everything.


Is it sane to reward them for almost absolutely everything that goes right? Because that's the status quo for this position.

> For example Germany, while the country is famous for the whole splitting the garbage, I am still waiting after 20 years to see the kitchen oil recycling recipients as we have in Portugal.

Because German environmental policy is about virtue signalling to keep the plebs busy, not solving environmental problems. Nuclear power plants replaced by coal and natural gas, obsession with recycling but nothing done about disposable packaging, car regulations and city design dictated for decades by the car manufacturing lobby, combustion engine limits/bans only when said manufacturers thought they could get on the Tesla gravy train and subsequently rolled back when reality became apparent, it just goes on.


Yeah, what is so hard about having something like this? Sorry, only in Portuguese, you will need to use automatic translation on it.

https://www.prio.pt/pt/prio-ecowaste

This is only one of the places, there are others where used oil can be brought in.


> Climate changes took decades to manifest effects.

*centuries, it was first predicted in the 19th century when Britain was burning increasingly massive amounts of coal.


If the Earth's atmosphere gradually disappeared over the next 10-50 years would that be okay because humans live in the ISS?

#3 is surprising, I don't remember the last time I saw a distro installer without a "just wipe the disk and set up the recommended partitions" option, and most machines usually just have 1 drive.


It seems cynically fitting that the future we're getting and deserve is one where we've automated the creation of memory bugs with AI.


I assume the energy claims for Netflix don't take into account the total consumption of the content production either.


Mitigate? Stop using random packages. Prevent? Stop using NPM and similar package ecosystems altogether.


That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.

That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.


> NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.

Which when compared to NPM, which has no meaningful controls of any sort, is an enormous difference.


"NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny"

Yeah, that's the entire point.


> and similar package ecosystems altogether

Realistically, this is impossible.


It's really, really not. Just write the libraries yourself. Have a team or two who does that stuff.

And, if you do need a lib because it's too much work, like maybe you have to parse some obscure language, just vendor the package. Read it, test it, make sure it works, and then pin the version. Realistically, you should only have a few dozen packages like this.


at some point having LLMs spit out libraries for you might be safer than actually downloading them.


This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.


LLMs will happily copy-paste malware or add it as a dependency.


this kicks the can down the road until we get supply chain attacks through LLM poisoning, like we already do with propaganda


Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it.

I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, rpc layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun.


Heh, that's if the reviewer actually is a human doing their job and not another AI just waiting for the right keyword to act like a Manchurian candidate.


or just vendor your deps like we have been doing for decades.


still need to read them to make sure you don't vendor a trojan in the first place.


auditing is the first step in vendoring a dep by my definition of the practice


Does this happen with CPAN?

At least they seemed to have policies:

https://security.metacpan.org/


Untold trillions have been spent fighting wars and yet the cause of war hasn't been solved.


Imagine if those trillions were spent on research and healthcare.

