Exactly the same. Moreover my main work machine, the one I call my "workstation", doesn't even have sound. No videos. No meetings from that one. And that's the machine to which the Yubikeys are hooked.
I've got plenty of machines, including that one shitty laptop I trust even less than the rest. Arguably the only way to operate securely is to consider that most devices in your house (and at work) are compromised and hostile, that most networks are trying to fuck you up (for example no HTTP at my home: simply none, it's not allowed) and that they're really out there to get you. And, yet, to have a setup that works.
Same things with my phones: I've got one real phone, with two apps I added to it. Country's mandatory EID app and brokerage's 2FA app. And that's it. Nothing else. Nada. Zilch. One phone, two apps. No email account. Nothing.
Then I've got another phone, with another subscription, where I've got Telegram, that app to see the targets at the shooting range (long distance shooting: there are webcams in front of targets so you can see where you hit), the home automation apps, etc. All those shitty phone apps developed by clueless devs: they go on that phone. The email? Some throwaway email account I don't care about. You can 0-day that phone: I wouldn't give a shit. And I tell people: "My name on Telegram ain't my real name" and they love it. Non-technical people: they begin to understand and they love it.
People are going to need to step up their security game big time now, for I think we're in for quite a wild ride.
I know it's bad but I'm not going to say there's not some schadenfreude seeing what happens to those who were calling others "paranoid".
I mean: we're talking about people "quickly installing software (as admin/root)" on their main machine.
The road is going to be long for it's an entire shift of mindset that's now required.
Convenience vs security: you pick. Video call vs major project compromised: you pick.
The vindictive side of me hopes the cybersecurity "rug" is pulled out from underneath all these companies (new & old) who don't appreciate craftsmanship. I don't think we need regulations, but companies need to suffer when they drop the ball.
Don't know about that research but I certainly have read many HN comments made by those who drank the AI kool-aid (and I write this as someone using Claude Code CLI daily) where any semblance of logical thinking was gone.
> Just like Doom-in-a-PDF, this is in equal measure incredibly impressive and utterly horrifying that it's possible.
Yes but at the same time we now have options... For example it's now totally possible to do the following:
- intercept any PDF downloaded
- send it to a sandboxed app before opening
- open it from within the sandbox
- headlessly screenshot every page to images
- pull the pictures (one per page) out of the sandbox
- reconstruct a similar PDF from the pictures
It's not hard and it can literally be vibe coded in a few prompts (because it's really not hard).
Some people are going to say: "But PDFs aren't supposed to be PICTURES, it has to be searchable, so we want our Turing-complete, exploits-ridden, 2 GB big PDF readers running as admin/root and we insist, we repeat INSIST, to have our ability to open any unknown PDF from any proprietary PDF readers for that is the way!".
Thing is: we now have tools that can extract text from pictures too and they work perfectly fine.
So, yup, the attack surface PDFs have is utterly horrifying but we're already at a point where we can just honey-badge any potentially evil PDF into a well-behaving one.
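The rebuild step of the pipeline described in that comment, as an added example that is not the commenter's own code: it assumes each page has already been rasterized to a JPEG inside the sandbox (for instance with pdftoppm) and writes an image-only PDF using nothing but the standard library, so the output carries no text objects, fonts, forms or scripts from the original. The function names are mine, the page size is the pixel size at 72 dpi, and the JPEG header below is constructed (a bare SOI + SOF0), not a real picture.

```python
import struct

# Constructed sample: only a JPEG header (SOI + SOF0 for a 612x792 RGB image), not a decodable
# picture. The parser and the builder never read past the SOF segment, so it is enough here.
FAKE_PAGE_JPEG = (b"\xff\xd8\xff\xc0" + struct.pack(">HB", 17, 8)
                  + struct.pack(">HHB", 792, 612, 3)
                  + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")

def jpeg_info(data: bytes) -> tuple[int, int, int]:
    """Walk JPEG marker segments to the SOF marker; return (width, height, components)."""
    assert data[:2] == b"\xff\xd8", "not a JPEG"
    i = 2
    while i + 4 <= len(data):
        assert data[i] == 0xFF, "corrupt marker stream"
        marker = data[i + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            i += 2
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):               # SOF0/1/2: precision, height, width, ncomp
            height, width, ncomp = struct.unpack(">HHB", data[i + 5:i + 10])
            return width, height, ncomp
        i += 2 + seg_len
    raise ValueError("no SOF marker found")

def build_image_pdf(pages: list[bytes]) -> bytes:
    """Emit a PDF whose every page is one full-page JPEG: no text, fonts, forms or scripts."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b""]   # obj 2 (/Pages) is filled in below
    kids = []
    for jpg in pages:
        w, h, ncomp = jpeg_info(jpg)
        cs = b"/DeviceGray" if ncomp == 1 else b"/DeviceRGB"
        img, content, page = len(objs) + 1, len(objs) + 2, len(objs) + 3
        objs.append(b"<< /Type /XObject /Subtype /Image /Width %d /Height %d /ColorSpace %s "
                    b"/BitsPerComponent 8 /Filter /DCTDecode /Length %d >>\nstream\n"
                    % (w, h, cs, len(jpg)) + jpg + b"\nendstream")
        draw = b"q %d 0 0 %d 0 0 cm /Im0 Do Q" % (w, h)   # scale the unit square to the page
        objs.append(b"<< /Length %d >>\nstream\n" % len(draw) + draw + b"\nendstream")
        objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 %d %d] /Resources "
                    b"<< /XObject << /Im0 %d 0 R >> >> /Contents %d 0 R >>" % (w, h, img, content))
        kids.append(b"%d 0 R" % page)
    objs[1] = b"<< /Type /Pages /Kids [%s] /Count %d >>" % (b" ".join(kids), len(kids))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))                          # xref needs each object's byte offset
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)
```

Feed it real page JPEGs pulled out of the sandbox and write the returned bytes to a file; OCR can be run on the images afterwards if searchable text is needed.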
For a few years now I only ever use SSH private keys safely hidden behind an HSM with a tinier than tiny attack surface: Yubikeys do it for me (but other vendors would work too). My SSH keys do not have a password but when I log in using SSH, it requires me to physically touch my Yubikey (well one of my Yubikeys).
Windows has great support, surprisingly, for TPM-backed sk keys using Windows Hello and OpenSSH. Protected with physical presence and anti-hammering at the hardware level, and easy to set up by just selecting a sk type key.
I only use password keys for things that need to be scripted.
I didn't see in TFA --although I may have missed it-- where it said it was replacing the ISP's router/CPE. Anything routing traffic is a router.
At home I've got both a CPE given by my ISP and my own router that routes and bridges traffic between two LANs of mine (192. and 10.).
Moreover the lack of IPv6 inside our own LANs is, for many of us, a feature. It doesn't mean we don't have an IPv6 address: it just means we have the choice and did choose to have our own LANs on IPv4 only. And, no, I don't care that it makes some programmers at some megacorp's lives more difficult to "reach" inside my networks.
I'm the boss at my home and my router is IPv4 only.
So to look at the "unreasonable effectiveness of cash transfers" to raise a country's average, we are supposed to look at an experiment in Kenya, which is 168th in the world in GDP per capita!?
Instead of, you know, looking at how, say, western countries did actually raise the standard of living?
Western countries did not raise the standard of living using cash transfers, so of course looking at what they did won't tell you whether cash transfers are effective or not.
> I suspect it's not very significant: we're flushing a 20+ year backlog, and generally the rate at which vulnerabilities are created is lower today.
The thing is: if these new AI tools can find a backlog of old bugs, these tools can very obviously be used on code that hasn't been pushed yet. And they'll find potential bugs there too. And so the rate at which new vulns are created is soon going to be even much, much, much lower.
Now of course I'm talking about serious projects like the Linux kernel in TFA: real stuff that powers the real world. If we're talking about OpenClaw who decided to launch a startup based on a "Write me a clone of MySpace but with a Web design from the 2020s" prompt, then all bets are off.
The nice thing with using AI tools to find bugs is that there's not much ambiguity: a bug, if proven to be a bug, has to be squashed. It doesn't matter how it was found: even the AI doubters can accept there's a bug and that something has to be done about it.
Using AI tools to fix bugs in the Linux kernel is IMO much more impressive than "Write me the 10 000th MySpace clone but using a Web design from the 2020s".
TFA's author is literally saying it may happen. He's using AI so he already caught the wave. He's augmenting himself with AI tools. He's not saying "AI will never surpass humans at writing programs". He writes:
" At this particular moment, human developers are especially valuable, because of the transitional period we’re living through."
You and GP are both attacking him on a strawman: it's not clear why.
We're seeing countless AI slop and the enshittification and lower uptime for services day after day.
To anyone using these tools seriously on a daily basis it's totally obvious there are, TODAY*, shortcomings.
TFA doesn't talk about tomorrow. It talks about today.
This reminds me of Linus Torvalds about Git, criticizing that SVN did present itself as "CVS done right" for... "It's impossible to get CVS right". Which I found incredibly funny and witty.
Is the second coming of Wordpress what we really need?
And there's more money spent lobbying in Brussels (where the EU Commission is) than lobbying in the entire US.
And corrupt eurocrats are known to be very cheap whores.