Does that mean AI needs to be able to decide "what to do today"? Like wake up in the morning and decide I am going to research a problem in field X and then email all important scientists or institutions with my findings? I am not sure if we want that kind of independent agent, sounds like the beginning of a cyberpunk novel.
But without that level of autonomy it is hard to say it is more autonomous than an average human. You might not want it, but that is what humans are.
Every human every day has the choice to not go to work, has the choice not to follow the law, has a choice to... These AIs don't have nearly as much autonomy as that.
10,000 times a day is on average 8 times a second. No way someone has 8 fixes per second, this is more like someone wanted to download a new copy every day, or every hour, but they messed up a milliseconds config or something. Or it's simply a malicious user.
(Unrelated to main topic) Why is the number of dead comments so high here? Do bots search for keywords that may increase views like "starlink" or something?
I choose to believe HN flame wars are still 100% organic. It is "just" immigration from Reddit. Ars Technica also has more trolls in comments under any Musk related topics.
You are right, 5 comments by 2 new users. But looking at "Why We Spiral", which has a similar number of comments, it has a single dead comment by an older account.
My password manager is a separate app, I always have to manually copy/paste the credentials. That's because I believed that approach to be more secure, now I see it's replacing one attack vector with another.
> I always have to manually copy/paste the credentials.
I really hope you clear your clipboard history entirely after doing your copy/paste method, because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before).
> I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)
How does that work?
If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information? If the user is using a password manager, presumably they don't reuse passwords, so the malicious website would have to guess the matching username + URL where the password applies.
If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.
Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.
Interesting questions, I can later provide more links to more in-depth security resources that go over similar points if you would be interested, but I am currently on my phone so I will just jot down some quick surface-level points.
> If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information?
Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services).
It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.
> If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.
The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised. Even if the direct application you are using is non-malicious, you are left hoping wherever your data ends up isn't a giant treasure trove/honeypot waiting to be compromised by attackers.
The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.
In that case it would be safer for everyone to run Qubes OS and stringently check any application added to their system.
In the end it's a balancing act between convenience and security, in which striving for absolute perfection ends up being the enemy of good.
> Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.
That is true, good password managers took these steps precisely to reduce the clipboard attack surface.
Firefox also took steps in 2021 to limit leaking secrets via the clipboard.
> Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.
Webpages can't read clipboard history, so this wouldn't apply.
I was responding to your guidance to clear your clipboard history after copying a password.
> The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised.
But clearing your clipboard after pasting passwords wouldn't protect you from this attack. That was the recommendation I disagreed with.
> The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.
Yes, I agree. But that's why I think people should focus their energy on defending along trust boundaries.[0] There are no trust boundaries between applications running in the same user context on the same system. There is a trust boundary between a web app and local apps, so I think it makes sense to consider what a malicious web app can do (e.g., read the most recent clipboard contents), but we shouldn't lump web apps in with local desktop apps.
> Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.
I always manually type the emails and usernames for this reason.
Just recently there was a clickjacking attack that affected the most popular password manager extensions. It tricked the managers into filling passwords into random pages, worked on almost all extensions and all pages.
This doesn't seem to be "passwords on random pages", only "Personal Data + Credit Card", passwords are domain-specific unless the website is hacked itself.
> The attacker can only steal credentials for the vulnerable domain.
The one I use (KeePassXC) is also a separate app, but there are browser extensions for the major browsers to support autofill. Of course plenty of sites don't actually work with autofill, even the browser built-in autofill, because they don't mark the form fields properly. So autofill not working is common enough that it's not a reliable red flag. Separate password managers have the advantage that they can store passwords for things other than websites, and secret data other than passwords (arbitrary files). KeePassXC's auto-type can work with any application, not just a browser.
> Of course plenty of sites don't actually work with autofill, even the browser builtin autofill, because they don't mark the form fields properly.
Can't KeePass use the autotype functionality, but still filter it by the website domain/host that it gets from the extension? So basically you'll still never have to copy & paste, and any site requiring this would be a reliable red flag?
Yes, that should generally work. I'm sure someone will decide to make a page requiring a CAPTCHA in between entering the username & the password to create an exception to this case though. It's the sort of insecure-by-design nonsense banks love.
You are probably right. Still, browser vendors or even extension devs can create a system where the username hash and password hash are stored and checked on submit to warn of phishing. Not sure if I would trust such an extension, except in case it's an FF recommended and verified extension.
You can block them at the DNS level. That's what I did when I wanted to stop wasting time playing 2048. (Not sure how to configure DNS on a phone, I was using a PC to play at the time.)
I have NextDNS profiles on my phone and PC that block problematic sites, as well as the settings dashboard itself to stop me touching it unless I'm on my tablet.
+1 for NextDNS.
Last week I experimented with building a Brick[0]-like solution from my Android phone, by using an old badge I had lying around acting as an NFC trigger to launch a Tasker automation that enables/disables filtering profiles in NextDNS via REST API.
It's working nicely, although it takes a while to effectively enable/disable filtering, I assume because of DNS caching on the phone.
Also sometimes I actually need YouTube/Reddit/Instagram/etc. to look up something, so for now I settled on the slightly less nuclear option of using ScreenZen[1] to make my app opening a tad bit more mindful. I sometimes found myself going around the restricted app opening count/time limits by using my iPad, but overall my mindless screen time is decreasing, so I don't stress it too much.
I don't have any issues with notifications really as I usually set them up to only receive what I deem important from the get go when I install a new app, and I also have Do Not Disturb and Routines enabled most of the time, plus a smartwatch to take a quick glimpse at messages if needed.