This resists scenarios where the machine you are running SSH from is compromised, and has a keylogger or something similar installed. SSH can't protect you from a local attacker (in fact, the SSH client binary itself could be the compromised part).
Yes, but if the server you’re logging into only accepts keys then leaking its password isn’t nearly as bad. Though I guess if your local ssh client is compromised then your local private keys are also compromised so you’d be screwed anyway (unless you are using a yubikey type of thing—I should get me one of those).
Either way, password lengths are exposed in virtually all scenarios except the Unix Terminal - and have caused 0 issues in practice. The default of hiding password inputs really is useless security theater, and always has been.
The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.
Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.
For example, knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.
So the real question isn’t whether it has any security benefit; it’s more is the convenience greater than the risk it introduces.
Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.
But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.
This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.
Knowing password length makes it easier to crack an insecure password.
The SHA256 hash of a 6-symbol diceware password, where each symbol has its first letter capitalized and the rest lowercase, with 1! appended for compliance with misguided composition rules is 540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012. There are 37 octets in the password. You know the length. You know the composition rules. You have an unsalted hash. It's only 77 or so bits of entropy. Get cracking, I'll wait.
Knowing that user passwords have to be manually keyed, I don’t think the average person will have a 37 character password set ;)
Typically they’re between 8 and 12 characters. Usually contain dictionary terms, with the first character capitalised and a numeric value at the end with an exclamation mark.
If you know a little bit of information about the individual (which you likely will if you’re in a position to shoulder surf) then you can easily guess at personal details that individual might use (kids names, favourite movie, sports team, that kind of stuff) which also helps narrow the search field too.
Now I’m not saying that this will apply for everyone. But you can see how knowing the password length combined with another piece of information suddenly increases the statistical probability of cracking some passwords.
And this comes back to my earlier point about how security isn’t about absolutes. It’s about probabilities and risk. So there isn’t going to be a universal truth about whether this decision is correct for everyone or not.
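The arithmetic behind the two posts above, as an added example that is not part of any commenter's post: it computes the entropy of a 6-word diceware passphrase (the fixed capitalisation and "1!" suffix add nothing) and, for the "Capitalised dictionary word + digit + !" pattern described in the reply, how much a known total length shrinks the candidate set. The ten-word dictionary is a constructed stand-in for a real word list, so the pattern numbers illustrate the method rather than any real-world figure.

```python
import math

# Constructed stand-in for a password dictionary (a real one is far larger);
# only the arithmetic matters, not these particular words.
SAMPLE_DICTIONARY = [
    "summer", "winter", "dragon", "monkey", "shadow",
    "welcome", "password", "football", "princess", "sunshine",
]

DICEWARE_DICT_SIZE = 7776  # standard diceware list: 6**5 words


def diceware_entropy_bits(num_words: int, dict_size: int = DICEWARE_DICT_SIZE) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly from dict_size.

    Deterministic transformations (capitalising each word, appending a
    constant suffix such as '1!') add no entropy, so they are ignored.
    For 6 diceware words this is about 77.5 bits, however long the result.
    """
    return num_words * math.log2(dict_size)


def pattern_keyspace(words, known_length=None) -> int:
    """Candidate count for 'Capitalised dictionary word + one digit + !'.

    With the total length known, only words of length known_length - 2
    fit the pattern (one digit plus one '!'); otherwise every word does.
    """
    if known_length is None:
        candidates = len(words)
    else:
        candidates = sum(1 for w in words if len(w) + 2 == known_length)
    return candidates * 10  # ten possible digits


def keyspace_bits(keyspace: int) -> float:
    """Search space expressed in bits; an empty keyspace is reported as 0."""
    return math.log2(keyspace) if keyspace > 0 else 0.0


def length_leak_bits(words, known_length) -> float:
    """Bits of search space removed by learning the length, for the pattern model."""
    unknown = keyspace_bits(pattern_keyspace(words))
    known = keyspace_bits(pattern_keyspace(words, known_length))
    return unknown - known


if __name__ == "__main__":
    print(f"6-word diceware:          {diceware_entropy_bits(6):.1f} bits")
    print(f"pattern, length unknown:  {keyspace_bits(pattern_keyspace(SAMPLE_DICTIONARY)):.2f} bits")
    print(f"pattern, length known=10: {keyspace_bits(pattern_keyspace(SAMPLE_DICTIONARY, 10)):.2f} bits")
    print(f"leaked by the length:     {length_leak_bits(SAMPLE_DICTIONARY, 10):.2f} bits")
```

The comparison makes the thread's point concrete: for a high-entropy passphrase the length is irrelevant because the 77 bits come from the word choice, while for a short pattern-based password the length removes a noticeable fraction of an already tiny search space. Password strength, not input masking, is the lever that changes the outcome.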
Copyright, possibly. Intellectual property more broadly, no. AI has 0 impact on trademark law, quite clearly (which is anchored in consumer protection, in principle). Patent law is perhaps more related, but it's still pretty far.
Let's aim for a max of once every year, then, over the entire USA. And once that's achieved, let's aim for once every few years. Once a decade should be good enough, you probably won't get better than that.
The EU has a much bigger population than the USA, in a smaller space, and I'd bet they're already around this number.
Well... the Sicilian mafia comes to mind... the French can be quite violent too... Western Europe is not so bad either, with guns.
I guess you mean "normal" non-criminal people in the EU are not allowed to have AR-15 assault rifles in their homes, that they can use if they have mental health issues.
I personally believe that is one of the reasons the USA has so much gun violence. Get rid of the guns in people's homes and things will change for the better.
> rich people aren't really competing for the kind of housing that poor people are competing for, e.g. smaller plots with smaller homes.
This disregards basic geometry. Sure, in some rare situations you only have one small plot of land surrounded by existing construction or natural boundaries. But, in the majority of cases, you have one large plot of land, and you can either construct one big house on it, 5 smaller houses, 10 small houses, or 200 apartments in a block. The rich are absolutely competing for this lot with the poor.
And as inequality goes up, the rich can even start contemplating buying up surrounding properties, tearing down construction, and transforming a small plot into a much larger one.
By definition, if you're a vegan or vegetarian for strictly ideological reasons, you still like the taste and feel of meat. So, compared to a vegetarian or vegan who is doing it for other reasons, you're statistically far more likely to seek meat substitutes.
Now, this relies on considering people "ideological vegans/vegetarians" if their only motivation for not eating meat is ideology. This means that the huge amount of Hindu Indians who are ideologically opposed to eating meat don't count, since even without this ideological motivation, they would still have traditional and social and supply reasons to not eat meat.
On the other hand, what often happens with high level corruption cases in my country is that people go to jail for a few years, but none or next to none of the money is ever recovered. So quite a few crooked politicians and businessmen just accept prison as nothing more than an unpleasant bump on the way to getting extremely rich, and roll with it. So you actually need a combination of both money and personal fault for really fixing some of this.
This is said with very high authority, and nothing whatsoever to back it up. Sure, not all, nor even the majority, nor even the plurality or a large minority of gamblers resort to criminal behavior.
But what evidence do you have that only over-leveraged gamblers resort to criminal behavior? Why do you think that some rich person who bet, say, $1 million they can actually afford will not still seek to recoup their investment, especially if it only takes some bribes and threats?
> Why do you think that some rich person who bet, say, $1 million they can actually afford will not still seek to recoup their investment, especially if it only takes some bribes and threats?
Because "only bribes and threats" are crimes for which people go to jail, and most "rich people" in the west, even in our authoritarian corruption hellhole timeline, are unwilling to engage in that nonsense because the benefits don't outweigh the risks.
Do I get to demand you cite evidence here, too? Has a wealthy person ever been caught in criminal extortion trying to goose a losing position that they could cover? I don't think that's ever happened, honestly.
I mean, yeah, it's my opinion. My gut says that the "bro" markets are all overleveraged right now, there aren't any easy winning positions at the moment (even AI stock valuations seem to have topped), and now the loans are coming due. Something's going to pop, and we're all looking for proxy measurements. This is one.
Well, the Epstein files prove quite clearly that there exist rich people who perform blatantly illegal acts that can put them in jail for a looooong time, even when they don't stand to lose any money whatsoever by not committing said crimes. And they also show that said rich people generally don't face any legal consequences even when their crimes become public knowledge.
So any argument that starts from the assumption that rich people don't commit crimes for relatively low gains, and/or that they would be caught and put in jail if they did commit crimes, is obviously false.
I think the Epstein files even have specific examples of blackmail among said rich people (e.g. Epstein's letter draft to Bill Gates).
Sigh. I didn't say the wealthy don't commit crimes. I said the wealthy don't commit crimes to avoid paying routine investment losses.
Actually what I really said is that no one does this, because it's insane. So I therefore infer that the people doing this are looking at losses that are not routine, they're faced with bets they can't cover.
You're claiming that the wealthy don't value their money enough to commit crimes for them, while knowing that they value their sex drives enough to do so. I don't see how this is a tenable position.
People routinely commit crimes for money, rich and poor alike, often for relatively irrelevant sums - and very often for money they don't even have yet. The incentive to commit crimes to prevent losses is even higher, given the well established loss aversion bias in all people.
And we don't even have to discuss losses. Many people commit crimes to get money quickly, from murder to insider trading to insurance fraud. If you agree that many people would be willing to kill for a few thousand or million dollars, you have to admit they'd be willing to threaten and blackmail a newspaper editor or production crew to try to fix a bet - especially when the internet brings them anonymity, and even if they bet a small sum that they wouldn't even care to lose.
If you don't believe this, try to go to a betting place in a poorer area and offer 1000:1 odds that no one punches you in the face hard enough to break your nose (a crime which could easily land whoever does this in prison). According to you, as long as you don't allow anyone to bet more than, say, $1 on this, it should be a very safe bet for you, surely no one would be insane to risk prison time for losing just $1, right?
There is nothing that can prevent doctored screenshots of UIs from being disseminated. The only defense is not considering screenshots from random sources even evidence of anything.
> There is nothing that can prevent doctored screenshots of UIs from being disseminated.
Thanks for thinking it through. To combat this, the interface could show the attestation id prominently so that it's obviously wrong or missing something if it doesn't contain it. Something like this mockup[1], which could be easily linked, so 1) it would be super suspicious for someone to quote someone without linking to the attestation - and 2) people could type the attestation ID from a screenshot into the server themselves.
This would require the attesting server to keep a copy of sent email but that doesn't seem too bad. If it's been deleted, you're not willing to be quoted on it anymore. It would be voluntary.
What do you think of this idea overall? I realize that the mockup seems fake - the whole point is that it's obviously fake, because it's being hosted elsewhere and not where it says it is.