Hacker News: stouset's comments

What, exactly, do you expect scientists researching these things to do? Bury their findings?

The scientists aren't journalists. Convince a politician to start planning for national security considerations. Tell them how it'll affect supply chains. Frame it in a way that literally anyone who has a vested interest in doing something would care about.

It is easier said than done. Politicians do not like to be disturbed by some pesky experts. Mentor Pilot discusses the 2025 D.C. mid-air collision[1], and finds the most disturbing reason for it: experts tried to escalate issues with too much traffic for years, but they were repeatedly told that it was "too political", so, in other words, "just shut up and deal with the traffic, don't bother congressmen and congresswomen, they are too important to be bothered with the limits of the possible stemming from physics or engineering".

Politicians thought (and some think to this day) that climate warming is "too political" to listen to experts. Most of them will think that the Atlantic current is too political, till it stops.

It is easy to say "convince a politician", but it is hard to do. Politicians think politics, and you have to be a genius among politicians to transform the game field, so that some concerns of scientists become a political issue that is not possible to ignore. Geniuses among politicians are as rare as in any other discipline; most of them will just play existing games, without even thinking of rewriting the rules of the game. BTW, when they try to rewrite, the boring old "play by the rules" might start to look pretty good.

Politics is the hardest unsolved problem humanity faces. We could send humans to the Moon, and it seems increasingly likely we can create an AGI, but we can't make politicians listen to reason.

[1] https://youtu.be/41UYPeTr96s


> but we can't make politicians listen to reason.

You're stopping too early. Politicians exist for one reason only, to get elected. If they don't get elected, they're not a politician, so everything they do is selected with that as their fitness function.

So why won't they listen about climate change? Because the public doesn't want to be told they have to make their lives slightly worse. There are "politicians" in the UK who constantly warn about climate change. Guess what? They won't get elected.

In other words, you're blaming the symptom, not the cause. The general populace is the real reason.


I suppose they could refrain from injecting their feelings into it. The science doesn't change if it is presented as simple information and not as a warning.

So they should be more like "Atlantic currents might shut down, we'll see what happens and if it'll be good or bad" when they already can tell the effects will be pretty bad? Wouldn't that be basically burying the lede?

You'd have to ask the one who raised concern with this in the first place. What is apparent, though, is that "good or bad" is contrary to science. Science seeks to understand what is, not how you might feel about it. It is interesting that things went there.

Theoretically speaking, yes. But practically science is very interested in good and bad, because the goal of science is to bring as much good and to avert as much bad as possible. There is abstract science, there is fundamental science, which study things far from our everyday concerns, but even they are not free from "good and bad": ITER has all its funding because we believe that fusion can bring a lot of good to us. Scientists cannot just forget where the money came from, and what goal was attached to it.

But when we speak about climate science, or something else "close to Earth", then it is impossible to imagine how they may not be concerned with good and bad.

Theoretically speaking, science is looking for truth, any truth, but practically it seeks useful knowledge, and if you look into any scientific article, it starts with an argument that the results presented in the article are useful, and not just the authors of the article think so, but there are (were) other people too. Undergraduates are explicitly taught to write articles like that.


This has serious “your dad and I are for the jobs the comet will provide” energy.

Sometimes, the outcome of a scenario will be unambiguously tragic for humanity. The collapse of the AMOC would be one such event.


So medicine is not a science because it's concerned with what's "good" and what's "bad" for someone's health? I find this kind of argument principally flawed.

Many sciences are concerned with the consequences of human actions and it's hard if not impossible to describe these in meaningful ways without applying some criteria for what outcomes are good (desirable, positively evaluated) and what outcomes are bad (not desirable, negatively evaluated).

Besides, there is a whole area of science that maybe is more like engineering but is clearly worthwhile, too, even if it's not strictly a natural science only. For example, urban planning might not be a science in the strict sense but it's clearly important and involves scientific studies.

If policy makers can't get from climate scientists an evaluation of the potential consequences of climate changes, then who else would produce these for them? Should they just make it up on the fly?


> So medicine is not a science because it's concerned with what's "good" and what's "bad" for someone's health?

It is concerned with understanding health. It is unable to decide what is "good" or "bad" as that is in the eye of the beholder. That is why medicine presents the options gleaned from the gained understanding, leaving the individual to decide for themselves what is "good" amid all the different tradeoffs. The universe has no fundamental concept of "good" or "bad". It is something humans make up. It is curious that someone who seems to have an interest in science doesn't realize that.


You're nitpicking. Medicine is concerned with what's good and bad for someone's health. Medical doctors literally advise their patients on that and evaluate the effects of actions with respect to what's good and what's bad for their health. What's good and bad for someone's health is simply one form of instrumental goodness. Other sciences evaluate in similar ways, though they are perhaps concerned with other aspects of what's good and bad. Climate scientists are not concerned with what's good and bad for mankind in some abstract philosophical way, but they should without a doubt lay out good or bad consequences of climate change. If the temperature sinks by 10 degrees Celsius in Northern Europe, that would be a bad consequence for the affected countries.

It's false and somewhat naive to claim that such evaluations play no role in science, they are a crucial part of many sciences. For instance, they're needed to find worthwhile subjects of study. Not everything is theoretical physics.


> Medical doctors literally advise their patients on that and evaluate the effects of actions with respect to what's good and what's bad for their health.

You're talking about a consultant now. Yes, consultants take scientific understanding and help translate it into what the customer wants to hear: doing their best to interpret what the other person is likely to think is "good" or "bad". Which, I will add, is not absolute. Often patients reject the doctor's opinion of what is "good". It is technically possible for someone to be both a scientist and a consultant, of course. Humans can do many things. But generally medical doctors are focused on operating consultancies alone. There usually isn't enough time in the day to be both deeply engrossed in science and other professions at the same time. Generally speaking, medical doctors are not scientists in any meaningful sense. That's literally why we call them medical doctors or physicians instead of calling them scientists... Yes, there are some exceptions, as there always are. But, to be sure, even in those exceptional cases, we don't call them scientists when they are operating in a consulting capacity.


I really don't get your stance. Of course, you can make more fine-grained distinctions and that's fine. You can claim that medical doctors act as medical scientists when they conduct studies and as doctors (consultants) in their practice with patients. But that doesn't mean the value judgments aren't part of the science.

If a seismologist has evidence that an earthquake is likely to occur in a certain area, should they not warn the public about it? I would say they clearly should, and any other view about this seems bizarre to me. I find it equally implausible to not call a seismologist who warns about an impending earthquake a scientist. They're a geophysicist or geologist. Or take an astronomer warning about a possible collision of a meteor with Earth -- astronomy is a science, so why would that person not be called a scientist?

There is an array of scientific disciplines for which consulting (in your sense of the word) is a frequent, though not primary, part of their activity, and we certainly still call them scientists. Materials science, vulcanology, epidemiology, seismology, meteorology, biology, climate science, economics,... basically any science that involves the study of processes that might have important consequences for mankind.


“Good” or “bad” is not contrary to science. For example scientists will evaluate the risks vs. benefits of a cancer treatment to determine if the benefits are worth the risk. They will do the same for vaccine efficacy etc.

Scientists are also humans with their own value judgment which is sometimes very flawed (see e.g. Richard Lynn and his race science) and sometimes with revolutionary insights that expand our shared empathy for the world around us (see e.g. Jane Goodall).

Often when I hear a statement like this I see it as a thought-terminating cliché. The value judgement of a scientist is often disregarded only when it is contrary (or inconvenient) to the speaker's argument.


Who then should inject their feelings? Journalists don't care because it's too abstract, politicians don't care because it won't happen in their term, business doesn't care because there's no money to be made, and the people don't care because of all of the above people telling them to ignore it.

Having read the comments from the actual engineer doing this rewrite, the only petulance I have seen is from those reacting so strongly to it.

just wait a year or two.

How exactly will waiting a year or two make this effort appear “characterized by impatience and grumpy annoyance”, as opposed to the people right now who are loudly bemoaning an engineer trying something out as an experiment?

The point was that returning a 404 for unexpected query strings doesn't just happen to be okay per the specs, but that there is significant historical precedent for doing so based on application design that was common in the past.

You missed the joke.

Are you somehow operating under the impression that volunteers are being held against their will and forced to give and/or receive free kisses to anyone who demands it?

Are you okay?


Would you think it would be okay if someone got raped as long as they weren't being held down against their will? Just because the person doesn't leave, that doesn't mean they consent.

You’ve already managed to completely ignore multiple people who’ve tried their best to clear up your colossal and frankly easily avoidable misunderstanding of this situation. So by all means, don’t let me stop you from crashing out over an entirely imagined series of circumstances.

Which makes it even more infuriating to me when people use the MOOP map as evidence that burners leave trash everywhere and destroy the desert every year.

It’s certainly worse than not having the event in the first place, but it is quite literally better about garbage than any large scale gathering on the planet. Burners do still need to be better about leaving their trash in Reno, but even with that it’s hard to see how it’s not monumentally better than virtually anything else.


If I understand correctly, you're saying that leaving trash in Reno is bad, not that that's what people should do? I first read your comment as saying that people should leave their trash in Reno, but a sibling comment makes me think it's the opposite.

If you've been to Reno after the festival, you know what he is talking about. It's people who have removed their garbage from the desert, who then find somewhere - anywhere - to ditch a bunch of cheap tents and camping chairs used for all of a week.

Overflowing private dumpsters, leaving garbage in the rental car, just leaving it in a heap somewhere, etc. The telltale dust gives it away. The issue isn't people who stop by the Reno waste processing facility and pay for it to be tossed, it's the people who decide to dump in the city instead of in the desert.


To be clear, what you’re supposed to do is dump your trash in places you’re allowed to dump it.

If you have a lot of trash, the most economical option is often to go to the public transfer stations or landfills in the Reno area (but that only works if they are open).

Also, there are services on the side of the highway that accept trash for $N per bag. Only give your trash to someone if you can see the dumpster it’s going into and the dumpster is not full. There have been scams where people charged to accept trash and then just left it there to get blown around the desert. Alternatively, you could drive your trash all the way home and let your local utilities handle it. But when I’ve had my cargo trailer piled with leaking garbage bags I’ve wanted to get rid of it ASAP.


So, one of the problems with leaving trash in Reno is that even if you do it in a way you think is ethical, moral and correct, your trash can be part of the "Burning Man Trash Problem", things I see _every year_:

1. Burners drop trash with people offering to dispose of it for $5 a bag or so, they end up dumping it somewhere else.

2. Burners drop trash at the major hotels and casinos, who buy dumpsters to attract the burners, and then people from the local area toss the dumpsters scavenging for things.

3. The normal trash dumping issues Reno has are, for two weeks a year, blamed on burners instead of the locals. I seriously doubt trash bags full of baby diapers, mail and construction debris (all examples I see on the Reno subreddit every year) are from Burning Man.

There are already legit places in Gerlach, Reno, Lakeview and Cedarville where you can dump trash and know it's going to be disposed of properly, but not everyone going is really hip to spotting the trash scams and all that.

Unfortunately all this mixes with the percentage of people going to Burning Man who don't dispose of their trash respectfully and it becomes a large, hard to quantify issue.


Sorry, yes, I should have made that clearer. Burners should as a whole be better about [the fact that they] just dump their trash in Reno on the way out. It’s an enormous problem, and completely indefensible particularly given the number of cheap trash collection sites you drive past on the way out. Still, by comparison, burners are practically saints.

Going back to the event itself, I attended Lightning in a Bottle once. I was absolutely disgusted at the end of it. Entire camps quite literally just left, abandoning everything. Brand new equipment and the boxes it was sold in just left for others to deal with. And not just isolated groups either, people had done this absolutely everywhere.


This is the way.

I used to follow FIRE-related communities.

There were a depressing number of people who would post something along the lines of “I just pulled the trigger! Now what am I supposed to do to fill the time?” Your take is spot on, and it’s incredibly sad the number of people we’ve created whose only source of meaning or joy in their life is their desk job.

As someone who pulled the trigger about a year ago, I feel like there’s not enough hours in the day to fill with personally enriching activities, both mentally and physically stimulating. And I feel increasingly lucky to have a life like that.


I don't understand why someone would FIRE and not already have spent years lining up all the things they will do. And the "won't you be so bored?" people. No, I'm not bored. You might be because you need someone else to tell you how to spend your hours.

Between learning new hobbies, tackling my backlog of projects in my old hobbies, taking care of my health, and spending quality time with my family, I still have more to do than I have time for. The awesome part though is that now I can do all the "must do" (family time, personal health) and "should do" (hobbies, socializing) things, and pick and choose between the "nice to do" things. When I was working, I struggled to even do the "must do" things.


The tragedy is that people who are most likely to successfully FIRE have spent so long being laser-focused on making money to FIRE, that they neglected their (hobbies, social circle, health - underline as needed), so they find themselves in such a predicament.

Personally, I'd love to FIRE. I have at least 5-10 years of personal projects in my head that I would do if I didn't have a 9-5 job. Unfortunately, graduating into a shitty 2009 market and not having nepotism connections means I am unlikely to ever FIRE outside of some expat poverty FIRE in a cheap country.


FIRE isn't about the job market; you can't control that. Though in tech most people are still making quite large incomes, which does help.

Rather it is about controlling expenses. The thing you can actually control. My sister's family of 5 lives on less than 50k CAD / year, because they simply must (low income) so if one is making a 100k white collar salary (for example) one can live a lifestyle higher than hers while still banking 50k/an. Etc.


That would not work well in the US with annual out of pocket healthcare expenses that can be up to $21.2k per year per family, or $10.6k per year for a single person.

Plus the monthly insurance premiums. Financial independence without a large sum of money does not make any sense, and a large sum of money comes from either inheritance, or income.


Obviously you need money and obviously you get it from income. But it is easier to reduce your expenses than to increase your income, and reduced expenses also result in excess income even with no income changes.

Yes there is a floor to this strategy. If you are going to the food bank to feed yourself because you don't have enough income you're unlikely to be able to reduce expenses enough to make this happen. But if you're lower-middle-class or above it is possible.


It's about controlling expenses after having a large income.

With a small income, everything goes on necessities. FIRE isn't possible.


FIRE is definitely about income just as much as it is about being frugal and saving. Having a high income is what enables the RE part.

There is a base level beyond which you can't save much, so first order of business is maximizing your income (e.g. better job/raise/promotion) without going bananas and sacrificing your health for it.


You are talking about retirement, yet I was working with people who couldn't stand the 2-week-long annual leave (which is mandatory for everyone under a contract of employment where I live) because they had nothing to do. 30-, 40-year-old people. It's terrifying.

Is there any way we can make those lunatics work for those weeks, so the sane people can take more time off to actually live their lives?

> not already have spent years lining up all the things they will do

They aren't conditioned for it. Learning to relax, enjoy nature, prioritise friends and family, et cetera aren't hard coded like walking and talking. We benefit from it. But if you never learned to do it while your brain was most plastic, you probably aren't going to change because a number added a zero.


> I don't understand why someone would FIRE and not already have spent years lining up all the things they will do.

It's a common phenomenon in those communities because many of the participants are young (the E is for Early retirement).

The common way to get to FIRE, unless hitting the lottery or getting a crazy RSU payout, is to be super frugal with a high savings rate.

Then they get to retirement and realize that doing the amazing things like traveling the world requires a lot of money. Even many hobbies start to require money. Then reading books, browsing the internet, and playing games starts to get boring when it's your entire life.


The people that make it work usually take RE to mean “recreationally employed”. They aren’t sitting on a beach. They have a challenging project they are personally obsessed with that also generates income, but the income is largely just a way to keep score for them.

> recreationally employed

It is one of my greatest hopes for everyone to be able to achieve this. It would shift the workplace dynamic so much that employers would have to work harder (beyond pizza parties) to retain employees, since no one would blink an eye at the thought of resigning on the spot.


> Even many hobbies start to require money.

Hobbies require money, but a lot of hobbies don't require very much of it.

Yeah, if your primary hobbies are skiing and golfing and traveling and rebuilding 60s cars, that's not going to come cheap. But there is no shortage of much cheaper hobbies.


>doing the amazing things like traveling the world requires a lot of money.

OTOH some have a lot of money.

They work their butts off as far up as they can in a place like a NY bank, then retire, early or not and join the yachting community :)

Sooner or later they find out that a one-day fishing trip is more work than a whole week of employment was, and they need more than a week to recover.

So you end up with a yachting community with most of the vessels just sitting there most of the time :\


> The common way to get to FIRE, unless hitting the lottery or getting a crazy RSU payout, is to be super frugal with a high savings rate.

> Then they get to retirement and realize that doing the amazing things like traveling the world requires a lot of money.

Partition living expenses from hobby expenses, and once you have enough to not have to work for living expenses switch to doing just enough part-time to cover hobby expenses?


I’ve noticed some people with seemingly fulfilling hobbies stop doing them after quitting their job as well. It’s entirely possible all those hobbies are valuable precisely as something powerful to latch onto and disconnect from the day job, and seem pointless the day after quitting. Seems like you had a strong sense of identity outside of your job already before quitting. Building that could be a lot of hard work for other people (and it sometimes comes as a surprise that it even needs to be built).

The largest FIRE sub on reddit is aptly named 'financial independence' because FI is much, much more important than RE.

The first post they link to on the sidebar is 'Build the life you want and save for it'

https://old.reddit.com/r/financialindependence/comments/58j8...

I honestly don't know how someone gets to the position of being able to retire without having thought long and hard about it. Even if you get an unexpected windfall, it's probably best to keep working until you know you're mentally prepared to retire.


I think the FIRE crowd is even more likely to fall into this trap than the average wage slave. In addition to finding meaning in their day job, they're also more likely to forego short-term costs (like recreation/socialization/travel/whatever). Plus the FIRE planning itself becomes a hobby. So when they retire, they "lose" even more than the average person who might have more side interests.

I really appreciate that perspective. There’s definitely an aspect of FIRE people being more inclined to sacrifice short-term meaning in order to retire earlier, that may contribute to not having spent time actually building the life they were wanting to live free of work in the first place. And it’s a great insight that FIRE itself is in many ways a hobby, and one that you somewhat inherently “lose” once you actually go through with it.

Those people are wildly un-creative.

> Your take is spot on, and it’s incredibly sad the number of people we’ve created whose only source of meaning or joy in their life is their desk job.

I worked for a silicon valley company that graciously offered its employees a month or two of unpaid vacation every five years. And people who had worked there a long while agonized over it, if they should take it, and whatever should they do with all that free time??!?

Meanwhile, my European ass and my European colleagues were so incredibly bewildered by it, because we were used to 5-6 weeks of paid vacation per year, and being used to that means you have no issues finding stuff to do outside of work.

Corporate America produces the weirdest drones ever; people are so incredibly conditioned to work work work.


If I leave a post-it note of passwords on my monitor inside a vault to which only I have access, it’s not a big deal. That’s the point of the “airtight hatch” metaphor.

I think we've moved away from the secure perimeter thinking and towards defense in depth - if that list of passwords helps you get somewhere other than the vault, removing the post-it improves security. Vaults get infiltrated all the time - and often in partial ways like being able to see into the vault but not reach in.

Defence in depth matters, but an analysis here shows that the same mechanism used to breach the outer layers (getting administrative access) can be used to breach the next layer (more thoroughly prodding Edge or Chrome to give up passwords).

Right; but in the scenario of this Tweet, you've invited someone untrustworthy into the vault and are then freaking out because they can see the post-it note of passwords. It is inherently irrational.

This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure. No obfuscation will work, because the password manager itself needs to de-obfuscate it before use (and that memory too is dump-able).

All adding in-memory obfuscation does is make ignorant people feel better, while not moving the security needle even an inch.


I think we’re largely in agreement. I do think there’s some benefit in reducing the amount of time that a password is in cleartext in memory. But it’s pretty far down the list.

> This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure

Usually the confidential bits are hardware isolated away from the supervisor (host kernel/OS) in Enclaves/TEEs, Realms, Secure Elements, Security chips, etc.


No, that is actually very rare, not typical. Do you have any examples of password managers that do that?

One more reason to use hardware-bound passkeys and not passwords.

True. But then your hardware dies, and you're locked out of every account you own. It is objectively good security, but has a ton of usability headaches yet to be really solved.

I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.


>your hardware dies

Or your backpack gets stolen.

Oops.

I swear, people who idolize passkey security must never travel anywhere.

PS: "just have more devices with passkeys", they invariably say.

Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.


I've been avoiding passkeys but more and more websites are trying to push them, and one website I use now requires them. I've already got a password manager! I don't need to change everything again!

The good thing about this is they thereby also support FIDO2 hard tokens such as Yubikey. The UI is often confusing but you can always tell it to provision the key to your Yubikey rather than the OS enclave.

That doesn't help if my machine (with only a few USB ports) gets stolen/lost with the token in it. It doesn't help if some of my devices only have USB-C and some only have USB-A. It's absolutely more annoying than letting my password manager fill things in or typing in a 6 digit code from my authenticator app.

Get a better password manager? Most store passkeys.

If the passkey can be stored in the password manager, then there's no second factor and what's the point?

Passkeys are password replacements that can't be breached/leaked/etc... I don't think they are necessarily supposed to replace 2-factor, however it's probably more secure than some of the weaker forms of 2-factor auth.

Given that in order to access your password manager's vault often requires 2-factor (or should at least) it's a level of security that I am comfortable with.

I take it a step further and host the password manager vault within my home network. My home network does not expose anything publicly except a WireGuard port, it's completely locked down. I have to VPN in to access the vault.


Your password manager almost certainly already has baked-in passkey support.

It does, but what's your point? Why should I redo everything?

"redo" just press yes when the site offers and your password manager asks you to.

Nobody is asking you to?

The subject here is literally websites trying to push passkeys on users. That is who is asking us to.

About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.


It's wildly obnoxious that browsers don't let you generally suppress these prompts.

And if you take the nuclear option and strip your browser of WebAuthn support, then you obviously can't use any passkeys, which doesn't work for me - I have two sites where I do want to use passkeys (because it's the only way to avoid SMS-based MFA on every login), but I never want to see passkey prompts for any other sites.
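The comment above describes two extremes: live with the prompts, or strip WebAuthn from the browser and lose passkeys everywhere. There is a middle ground the browser UI does not expose but a user script can: intercept the page's WebAuthn calls on every origin except an allowlist. The following is an added example written for this page; it is not code from the thread, from any browser vendor, or from a password manager. Its assumptions: the script runs under a user-script manager that honours the Tampermonkey/Violentmonkey metadata shown (`@grant none` is what places it in the page's own JS world, so the patch is visible to site code, and `@run-at document-start` runs it before the site's scripts); the hosts in `ALLOWED_HOSTS` are placeholders. It only catches passkey nudges a site triggers through `navigator.credentials.create`/`get` with a `publicKey` member (the WebAuthn API); prompts raised by the browser itself, such as its own password-manager upsell, go through no page API and are untouched. `installPasskeyGate` takes the window as a parameter so the same logic can be exercised against the constructed `fakeWindow` stand-in outside a browser.

```javascript
// ==UserScript==
// @name         Passkey prompt gate (added example, not from the thread)
// @match        *://*/*
// @run-at       document-start
// @grant        none
// ==/UserScript==

// Hosts where passkey ceremonies are still allowed. Placeholder values: edit to taste.
const ALLOWED_HOSTS = ['bank.example', 'accounts.example.org'];

// Exact match or subdomain of an allowed host (so "evil-accounts.example.org" is NOT allowed).
function hostAllowed(hostname, allowed) {
  const h = String(hostname || '').toLowerCase();
  return allowed.some((a) => h === a || h.endsWith('.' + a));
}

// WebAuthn requests are the ones carrying a `publicKey` member; password and
// federated credential requests use other members and must pass through untouched.
function isWebAuthnRequest(options) {
  return options !== null && typeof options === 'object' && 'publicKey' in options;
}

// Error shaped like what a site sees when the user dismisses the native dialog,
// so the page's existing "user cancelled" handling runs instead of an error path.
function cancelledError() {
  const err = new Error('passkey ceremony suppressed by user script');
  err.name = 'NotAllowedError';
  return err;
}

// Patch navigator.credentials.create/get on `win` unless its host is allowed.
// Returns counters so the effect can be inspected (and tested) synchronously.
function installPasskeyGate(win, allowed) {
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || hostAllowed(win.location.hostname, allowed)) {
    return { gated: false, blocked: { create: 0, get: 0 } };
  }
  const blocked = { create: 0, get: 0 };
  for (const method of ['create', 'get']) {
    const original = creds[method].bind(creds);
    // An own property on the container shadows CredentialsContainer.prototype[method].
    creds[method] = function (options) {
      if (isWebAuthnRequest(options)) {
        blocked[method] += 1;
        return Promise.reject(cancelledError());
      }
      return original(options);
    };
  }
  // Many sites feature-detect window.PublicKeyCredential before offering passkeys;
  // hiding it makes them fall back to the password flow instead of prompting at all.
  try {
    Object.defineProperty(win, 'PublicKeyCredential', { value: undefined, configurable: true });
  } catch (_) {
    // Not configurable in this context; the method patch above still applies.
  }
  return { gated: true, blocked };
}

// Only acts inside a browser; elsewhere the functions above are just exported logic.
if (typeof window !== 'undefined') {
  installPasskeyGate(window, ALLOWED_HOSTS);
}

// Constructed stand-in for a browser window, used to exercise the gate offline.
// The fake credential methods resolve to an object naming which request member they saw.
function fakeWindow(hostname) {
  return {
    location: { hostname },
    PublicKeyCredential: function PublicKeyCredential() {},
    navigator: {
      credentials: {
        create: async (options) => ({ type: Object.keys(options)[0] }),
        get: async (options) => ({ type: Object.keys(options)[0] }),
      },
    },
  };
}
```

Two caveats a practitioner should keep in mind. A site can notice the patched methods (for instance by comparing `navigator.credentials.create.toString()` against native code) and treat the client as hostile, and rejecting with `NotAllowedError` is deliberately indistinguishable from a user clicking cancel, which is also what the site would record. The allowlist check is deliberately suffix-on-a-dot rather than substring, so a lookalike host that merely contains an allowed name does not get through.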


We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.

I’ll be honest I’ve heard a lot of griping about passkeys but I have gone out of my way to switch over to them and have had precisely zero issues over the dozens of sites that I’ve bothered to make the switch on. Login flow is simpler and doesn’t rely on a browser extension guessing at login fields or trying to figure out when passwords change.

Sometimes the new thing really is just better.


You claimed "Nobody is asking you to".

Me giving an example of one major website (actually, I gave two) is all that is needed to disprove your claim. I could provide plenty more examples of major websites asking me to, but I don't need to. I could provide plenty of examples of people telling people to "redo everything" with passkeys, but your own comment is literally advocating the same thing...

Please don't mischaracterize the conversation that is plainly visible for all to see. Just accept that you tried to suggest that nobody is asking users to switch to passkeys, and you were wrong. It seems like your error is that you just haven't been seeing it personally, since you switched on your own before the nagging started, and so you weren't aware of it. Well, now you are.


> > Why should I redo everything?

> Nobody is asking you to?

Nobody is in fact asking you to change everything.


They literally are. You can easily google articles telling people to use passkeys for all their supported accounts. I'm not going to google it for you.

Why you are trying to claim the opposite is beyond me.


Hey Crazy Gringo, you may be schizophrenic. An article recommending a security update is not, in fact, telling you to do something.

>We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.

Yeah right.

When passkeys were rolled out, I was told it's OK because "passwords are always going to be required to be an available alternative".

Now we've moved the goalposts to "it's just one website".

>Sometimes the new thing really is just better.

And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.

Pray tell then what.


What if I told you I was not one of the people saying that? You can’t take two different people with two different opinions and say “Look! You’ve moved the goalposts!”

If passkeys are significantly better, passwords will gradually stop existing. If passwords are, passkeys probably won’t catch on.

> And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.

I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it. If this is a sufficiently motivating use-case for you, you too can take these kinds of steps to mitigate the risk.

But since we’re playing the “what if” game, what happens if you get early onset dementia and forget your passwords? Pray tell then what?


>along with a memorized password—

So, your solution is passwords with extra steps.

Thanks but no thanks.

>I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it.

So, basically, having to create and maintain a backup device to keep separately from my laptop/phone in case they get stolen, make sure I don't lose it, but carry it with me everywhere like a crucifix.

That, and still having to remember and use a password, because otherwise the thieves get control of everything once they steal my device.

Sure. That's not objectively better than passwords which don't require this sort of hassle.

At the very least because it still requires a password.

>you too can take these kinds of steps to mitigate the risk.

OK. I can. I don't want to have to do these kind of steps, or any other dance to mitigate the real risks that passwords already protect me from.

Passkeys mitigate risks which I don't run into (“what if someone learns my password?”), while introducing others.

They are a convenience for people who run the system because they off-load those risks onto users.

>But since we’re playing the “what if” game

You're playing games with contrived hypotheticals.

I've had my laptop, phone, and wallet stolen on an overseas trip.

>what happens if you [...] forget your passwords?

I click the "forgot your password?" link which every website that uses passwords has.

Having a notebook in a vault with passwords also solves this problem.

I don't get a sudden onset of dementia which causes amnesia when I travel.

But I've lost my devices and had them stolen from me overseas.

It was a big enough hassle even though I did have the passwords.


If a website only supports one passkey on one device, it's a shitty implementation. To be fair many websites have shitty implementations, so I ended up using my YubiKeys to store the secret for OTP codes.

Having only one device that has authority to log into your accounts is obviously not a good security model.


Of course they are. Lots of websites are pushing it, including while using dark patterns. You need to sometimes explicitly cancel an onboarding flow to avoid Passkeys.

>"just have more devices with passkeys"

Confirms that strategy then

For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.

It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there).


>It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft

Literally happened to me in Poland, which is why I avoid passkeys like the plague.

(The thief got caught months later. That didn't help me.)

>Maybe no big deal if you can port your number to a new phone right away.

T-Mobile won't mail a SIM card overseas, and I doubt others will either. There is no "maybe", it's a certainty that you won't be able to.

>Or maybe the trusted friend can help

Yeah, my wife literally mailed me a SIM card to Poland.

It took over a week.

And a "trusted friend" would first have had to get it somehow.

>Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

At least I logged into my accounts from that city before the laptop and phone were stolen, so my logins were not "suspicious".

That's with a password.

_____

PS: screw Citibank's mandatory phone-based "2FA".


Oh my goodness, what are we supposed to do?!

Edit: and near 0 customer support too


I travel a lot. By train, plane, and car. I also use passkeys when possible. I have multiple Yubikeys, stored in different locations. I also have a password manager, where I typically keep track of which logins aren’t yet backed up across physical tokens.

It takes a bit of effort, but it’s not impossible.

Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.


>Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.

No need to imagine!

Remove all passkeys from your phone and laptop, then go somewhere overseas without any of those Yubikeys.

Have fun enjoying a "not truly problematic" scenario of getting your YubiKeys from "multiple locations" you don't have access to, while being cut off from your messengers, email, bank account, etc.

Bonus points for having your card locked or stolen at the same time.

Or, imagine the backpack with your passkey devices being stolen on an overseas trip.

Again: pray tell, then what?


> Remove all passkeys from your phone and laptop

I don't have any passkeys on my phone or laptop. They're all on the Yubikeys.

I don't really see a difference with (some) password managers, though. If you use one of the keepasses, and you lose access to the file, you're in the same situation right?

And yeah, you're right, there is a risk of inconvenience. I'm not debating that. I just choose to organise my life in such a way that it is just an inconvenience.


> and you lose access to the file,

It's literally at https://github.com/Joker-vD/keepassdb/raw/refs/heads/master/... in my case, plus a couple of other free hosting sites that support easy updates/reuploads, so losing access to it requires losing access to Internet — in which case you don't really need any (alright, most) of your passwords because you need Internet to connect to the services that require those passwords.


OK, fair, I never left my keepass file exposed like that when I used keepass.

If I remember correctly, 1Password still requires a "vault key" in addition to your username and password, and it was definitely too long and not used often enough for me to remember.


> It takes a bit of effort

That's a wild understatement. For most users, having a password manager is already very near to the upper bound of acceptable friction.


> But then your hardware dies

A lot of services have password reset email features. If the email account has a passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know, but same category of problems already known due to SIM swapping attacks in the mobile sector. But for sure the mail account is a high-value target.

Storing passkeys in a database may be possible but complex to do right, e.g. backup verification, avoiding leaks during backup, etc.


Edit:

Banking has no self-service password reset. A lot of work for customer support due to identification. Nobody wants to do that for free, and if the accounts are free you may get DOSed by bots which trigger password resets.


oh lawd, yes it does come down to 'who has the power to reset your account', and very few people want to take the path of 'no one has the power' in the case of lost credentials.

At my work we required a complex password: <15 characters, lower + cap, number and symbols.

Updated to Windows Hello and passkey.

Now I can use a 4 digit pin to login.


Yes, but the pin uses the TPM which allows other things like only ever allowing a low number of guesses before requiring a reset of the pin (using a password or other mechanism)

>It is objectively good security, but has a ton of usability headaches yet to be really solved.

Thank you, then this is still true today?

Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.
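
To make concrete the reply above about the PIN being acceptable because the TPM limits guesses, here is an added toy model (not from the thread, and not how a TPM is actually built) of a secret that a hardware element releases only on the right PIN, with a failure counter that locks the PIN out after a small number of wrong guesses until a stronger credential resets it. The PIN, secret, recovery password and the limit of 5 are constructed values.

```javascript
// Added example: a guess-limited PIN gate, modelling the property that makes a
// short PIN acceptable when the guesses are counted by hardware rather than
// checked against an offline-attackable hash. All values below are constructed.
const MAX_FAILURES = 5; // assumed limit; a real TPM's lockout policy is configurable

class PinGatedSecret {
  constructor({ pin, secret, recoveryPassword, maxFailures = MAX_FAILURES }) {
    this._pin = String(pin);
    this._secret = secret;               // only ever handed out by unseal()
    this._recoveryPassword = recoveryPassword;
    this.maxFailures = maxFailures;
    this.failures = 0;                   // cleared only by a correct PIN or a reset
    this.lockedOut = false;
  }

  // Attempt to release the secret. A wrong guess increments the counter; once the
  // limit is reached even the correct PIN is refused until resetWithPassword().
  unseal(guess) {
    if (this.lockedOut) return { ok: false, reason: "locked" };
    if (String(guess) === this._pin) {
      this.failures = 0;
      return { ok: true, secret: this._secret };
    }
    this.failures += 1;
    if (this.failures >= this.maxFailures) this.lockedOut = true;
    return { ok: false, reason: this.lockedOut ? "locked" : "wrong" };
  }

  // The "reset using a password or other mechanism" step: a long credential
  // clears the lockout and sets a fresh PIN. Returns false on a wrong password.
  resetWithPassword(password, newPin) {
    if (password !== this._recoveryPassword) return false;
    this._pin = String(newPin);
    this.failures = 0;
    this.lockedOut = false;
    return true;
  }
}

// Enumerate every PIN of the given length against a gate, stopping at success or lockout.
function bruteForcePin(gate, digits = 4) {
  const space = 10 ** digits;
  for (let i = 0; i < space; i++) {
    const r = gate.unseal(String(i).padStart(digits, "0"));
    if (r.ok) return { found: true, attempts: i + 1 };
    if (r.reason === "locked") return { found: false, attempts: i + 1 };
  }
  return { found: false, attempts: space };
}

// Same 4-digit PIN, with and without the counter.
function demo() {
  const secret = "vault-unlock-key"; // constructed
  const limited = new PinGatedSecret({ pin: "7319", secret, recoveryPassword: "correct horse battery staple" });
  const unlimited = new PinGatedSecret({ pin: "7319", secret, recoveryPassword: "correct horse battery staple", maxFailures: Infinity });
  return {
    unlimited: bruteForcePin(unlimited),   // → { found: true, attempts: 7320 }
    limited: bruteForcePin(limited),       // → { found: false, attempts: 5 }
    stillLocked: limited.unseal("7319"),   // → { ok: false, reason: "locked" } even with the right PIN
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The contrast is the point: without a counter the 4-digit PIN falls to plain enumeration in 7320 attempts, which is why a 4-digit secret protecting an offline-attackable password hash would be unacceptable, whereas with the counter the same loop is shut out after 5 and the legitimate user recovers with the long password. A real TPM 2.0 differs in detail (its dictionary-attack protection is time-based rather than a permanent lock, and the PIN comparison never leaves the chip), so this models only the counter, not the whole mechanism.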


There’s no formality. For planes with ADS-B out, it’s on when the plane is on (barring it being explicitly disabled by yanking the fuse).

Plus transponders are really convenient when you’re trying not to crash into other air traffic. Particularly in a scenario where you might be expecting ATC to be unavailable or abandoning their posts.

