If Boeing only had the foresight to hire an army of HN webshitters to design the cockpit, this disaster could have been averted.
All the controls would be on a giant touchscreen, with the fuel switches behind a hamburger button (that responded poorly and erratically to touch gestures). Even a suicidal pilot wouldn't be able to activate it.
So you need three different applications and manually moving around files to achieve a "relatively smooth" experience? I don't think this is the endorsement you think it is.
KeePass is a community project, Bitwarden is not. These are just client applications that sync and interact with the .kdbx file the community has formalized a standard on. That's why Bitwarden has a unified client application ecosystem and KeePass does not.
You don't understand KeePass, which is fine, but please don't make bad assumptions like these if you don't understand the underlying reasons for why a thing is the way it is.
It's like calling out why there are two dozen email clients that speak IMAP.
Uh I know what KeePass is and how it works. The proposed "smooth" solution is - at best - clunky and inconvenient. You've missed the forest for the trees.
> You don't understand KeePass, which is fine
Haha this is so hilariously smug and condescending I have to wonder: are you the real-life Comic Book Guy?
Yes this is being pushed on everyone, including grandmas and the tech illiterate. If the "best" solution is clunky at best, what chance do the tech luddites have?
the best solution for the technical user isn't the best solution for the non technical user. the streamlined solution for the non technical person is that they just have their phone and it has the passkey.
If you want to talk about the laptop and desktop use case, we can talk about those, but non technical people don't have laptops or desktops anymore, they got thrown out sometime after the iPhone and iPad came out, circa 2010. (sorry you didn't get invited to the conference. It was nice, Sarah brought her granddaughter and we had chips and guacamole, it was all very nice)
I disagree, it's an extremely myopic understanding of the world likely perpetuated by a sheltered Silicon Valley cabal.
There are millions of non-technical people with jobs, where they are issued a company computer.
It's conceivable they might want to access the World Wide Web on it.
Assuming they own no other devices other than a mobile phone as you suggest, they still have at least two and probably don't want to sync anything from their personal phone to a company computer.
P.S. your comment was funnier before you added the part about the guacamole
The only difference between an imagined smooth solution is the sync mechanism and a unified client application ecosystem, neither of which is really possible without a large company behind it.
I said you don't understand how KeePass works because you refer to 3 applications for 3 different OSes (2 mobile) as if they were a confusing mix of different applications, when really they're just client implementations around a single, formalized spec. And most folks don't use both iOS and Android so really there's just your choice of KeePass desktop app and one for Android or iOS.
No one says the plethora of email client choices is confusing. This is exactly the same.
This is peak HN. You behave like a douche then appeal to decorum and cry about the rules when called out about it.
> No one says the plethora of email client choices is confusing. This is exactly the same
It's absolutely not the same. No one is manually syncing files across PCs and devices so they can retrieve mail on all of them. You have zeroed in on some irrelevant pedantry and continue to ignore the big picture.
Yet you keep name-calling, so who is acting rudely?
3 different applications to access your secrets is what you focused on and now you're moving the goalposts. KeePass having 3 different client applications is what you chose to make a mountain out of, yet they're all just porcelain in front of an agreed upon standard.
Making a kdbx file accessible in Dropbox or any other cloud service does not take technical wizardry.
The downfall of passkeys is that - as was inevitable - they are horrifyingly implemented webshit.
For example, nearly every visit to my Amazon orders page I am now greeted with a nearly full screen modal browser popup letting me know about passkeys and why I should switch to them RIGHT NOW. I politely declined - the first thousand times. I don't know if this is a site or browser issue and frankly I don't care anymore. It's spam at this point and I want nothing to do with it.
My hesitancy was rooted in concerns about potential issues pretty much what you just described so glad to know I was right.
Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.
No thanks - I'll stick with passwords. Did everyone forget about hardware tokens which are device and OS-independent and rely on no external infrastructure?
Don't forget that a per-device passkey is the wet dream of any $MEGACORP wanting to track your habits. Which is another reason why it is a no-go for me.
> Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.
Unlike passwords, you can have multiple passkeys per account. You can have 5 passkeys for your Amazon account if you use your Amazon account on 5 different devices. If you lose device 4, or if it gets stolen, you can just delete passkey 4. The other ones are safe.
Or, you can use a syncing service like a password manager. Both solutions work!
Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.
There is no validation when you winget whether or not the executable is from the official source or that a third party contributor didn't tamper with how it's maintained.
If you think HTTPS is performing code validation I have news for you.
HTTPS only guarantees the packets containing the unverified malicious code are not tampered with from the server to you. A server which could very well be compromised and alternate code put in its place.
You are drawing an egregious apples-to-oranges comparison here. Please re-read what you said.
You could serve digitally signed code over plain HTTP and it would be more secure than your example over HTTPS. Unfortunately there are a lot of HTTPS old wives' tales that many misinformed developers believe in.
There is 0 validation that the script that you are piping into bash is the script that you expect. Even just validating the command by copying and pasting the URL in a browser -- or using curl and piping into more/less is not enough to protect you.
> you both seem to be saying that you get whatever the server sends
Yes, but I am also saying that you can't verify that the script that is run on one machine with a pipe is the same script that runs on a second machine with a pipe.
The key part of the original statement is the server can choose to send different scripts based on different factors. A curl&bash script on machine 1 does not necessarily mean the same curl&bash script will be run on machine 2.
The tooling provided by a `curl | bash` pipeline provides no security at all.
With winget, there is at least tooling to be able to see that the same file (with the same hash) will be downloaded and installed.
There are ways to do this better, for example, check out https://hashbang.sh. It includes a GPG signature that is verified against the install script, before it is passed to curl.
The parent is talking about MITM, which is prevented with TLS and curl but not winget. They are saying curl is strictly better, not that it is impenetrable. If you trust the domain owner, you can trust curl | bash, but you can't trust winget
It's easy enough to view the manifests (eg, https://github.com/microsoft/winget-pkgs/blob/2ecf2187ea0bf1...) and arguably, is better than the protection for MITM that you would get using naked cURL & Bash, simply because there are file hashes for all of the installer files provided by a third party.
> They are saying curl is strictly better, not that it is impenetrable
Right. But it arguably is not strictly better.
> You can't trust winget
Again, this is not backed up by anything. I have trust in winget. I can trust that the manifest has at least been vetted by a human, and that the application that will be installed should be the one that I requested. I can not trust that this will happen with curl | bash. If the application that is installed is not the one that I requested, there is tooling and a process to sort out why that did not happen, and a way to flag it so that it doesn't happen to other users. I don't have this with curl | bash.
curl | bash is absolutely on my very short list of “things I’ll never do” and I wince when I see it. rm -rf starting from / is another. I watched someone type in (as root) “rm -rf / home/user/folder” once. By the time I realized what had happened it was too late.
yes, fuel contamination (with effluent probably) is still very much in play as a possible factor.
unfortunately, there has been a lot of typical misdirection and wild statements out of India, like trying to preemptively clear the pilots of wrongdoing before the recorders have been read out.
most of the initial reports about the flight recorders were easily disproven as the 787 does not use an FDR/CVR but a more modern type of recorder that captures more data. which supposedly India lacks the equipment and/or knowhow to download.
the chances of an objective and transparent investigation are basically zero.
> like trying to preemptively clear the pilots of wrongdoing before the recorders have been read out.
Because as far as the pilots are concerned, they seem to have done everything by the book? Every experienced 787 pilot literally now states that it's much less likely it's due to a pilot error because it's a 787 - it's designed to mitigate any form of pilot error, even if a pilot decided to go full suicidal and crash it. Within the aviation community, it's also bad practice to put blame on the pilots by default - in fact thinking like yours (oh, pilot error!) is what led to crashes like the 737 Max, because you'd rather blame the human than the machine or the process.
> most of the initial reports about the flight recorders were easily disproven as the 787 does not use an FDR/CVR but a more modern type of recorder that captures more data. which supposedly India lacks the equipment and/or knowhow to download.
> the chances of an objective and transparent investigation are basically zero.
I can't believe you actually stated both these sentences one after the other. Yes, India does not have the equipment to read the flight recorders on the 787, which is why the DGCA already confirmed yesterday that it's sending the recorders to the US FAA.
> the 787 does not use an FDR/CVR but a more modern type of recorder that captures more data. which supposedly India lacks the equipment and/or knowhow to download
I thought there was a new lab in India that was equipped to recover data from this type of flight recorder, but in this case the recorders were being sent overseas because the extensive fire damage made the recovery process especially challenging [0]?
You don't think the proliferation of inexpensive dogshit IoT products from the Far East, running already-10-years-out-of-date versions of Linux (bonus if it has a hidden Telnet daemon with hardcoded root password!), hooked to ever-expanding 1Gbps residential fibre lines, has anything to do with it?
This represents like 75% of surveillance camera systems out there btw.
I think the increase in 1G residential connections is a bigger factor than the IoShit products. I don't think botnet node counts are getting that much bigger, but the amount of garbage each one can push certainly is.
Given the events of the last few days, it's possible the United States Government - who just dropped massive weaponry onto a target the size of a dishwasher from halfway across the world without anyone knowing - aren't the incompetent boobs you purport they are, despite their rejection of venture-backed smartphone apps.
Win-win for who exactly? Maybe we need to decentralize and AI-accelerate construction permit reporting too. Your backyard fence looks DIY and not up to code and your porch light looks like a fire hazard.
They're trialing something like that in France. There's a project that uses machine learning on aerial photography databases to search for objects in people's backyards, for enforcement.
Yes, and they're almost exclusively used by the worst type of vindictive chickenshit humans imaginable. I've known people affected by this, whose evil neighbors used 311 as a weapon because they simply didn't like them, and caused them tens of thousands of dollars in forced unnecessary renovations not to mention stress, for trivial violations that are widely ignored.
If only they invested in venture-backed mass surveillance apps instead