
I can't believe they're promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human-readable data input is dangerous: if somehow the QR code is compromised with a zero-day URL, it's game over.

Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.

Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.


But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.


It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.

No, we don't, or shouldn't, ask people to check the URL itself, because homonym attacks are a thing. The goal is to make sure that your credentials can't be compromised by surfing to the wrong website (e.g. by using passkeys instead of passwords).

IDK about how you scan them, but when I scan one with my camera, I see the top domain part (e.g. it would show 'ycombinator.com' for a link to this page) and have to tap that to open the link. So, that not only satisfies the "can look at" part, but also neutralizes some of the deceptive URL tricks like the ol' `google.com-secure-signin.php-sfd7sdfj.xyz/login.html`.

Whoever told you that is the same person that advocated complex password rules with monthly resets and no repeats.

If you really think that's true, I have some QR codes for you to scan.

Please, share them.

Right! Let me check the URL before clicking the "confirm your account" link!

https://rt434.mjt.lu/lnk/GN2PVLyAIiUHuMqkGcjHkjkcRBtF/zJfB7p...

Oh wait, never mind. I guess I won't be signing up for electricity, then?

Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.
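The two points above (a scanner that previews only the top domain, and look-alike hosts such as `loginto-google.com` or `google.com.securesigning.net` that most people cannot tell apart from Google) can be made concrete with a small checker. This is an added example, not code from any commenter: it extracts the registrable domain (eTLD+1) that a camera app's preview would display and compares it to the brand the user expects, and it flags hosts that are non-ASCII or punycode-encoded. The public-suffix table is a constructed stand-in for the real Public Suffix List, and every URL beyond those quoted in the thread is made up.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix table for this example only; a real checker
# would load the full Public Suffix List (publicsuffix.org). These entries are
# an assumption, not a complete or authoritative list.
PUBLIC_SUFFIXES = {"com", "net", "xyz", "lu", "uk", "co.uk"}


def hostname_of(url: str) -> str:
    """Return the lowercased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "https://" + url          # scheme-less text from a QR code
    host = urlsplit(url).hostname or ""  # urlsplit lowercases and drops port/userinfo
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1, i.e. the part a scanner's preview actually shows ('ycombinator.com')."""
    labels = host.split(".")
    # Try the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host              # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return host                          # unknown suffix: fall back to the whole host


def looks_like_homograph(host: str) -> bool:
    """True for non-ASCII hosts or any punycode (xn--) label: a homograph lookalike is possible."""
    return (not host.isascii()) or any(
        label.startswith("xn--") for label in host.split(".")
    )


def classify(url: str, expected: str) -> dict:
    """Compare the domain a scanner would show against the brand the user expects."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    return {
        "host": host,
        "registrable": reg,
        "matches_expected": reg == expected,
        "homograph_suspect": looks_like_homograph(host),
    }


if __name__ == "__main__":
    # The first three are the lookalikes quoted in the thread; the rest are constructed.
    for url in [
        "google.com-secure-signin.php-sfd7sdfj.xyz/login.html",
        "https://loginto-google.com/login",
        "https://google.com.securesigning.net/",
        "https://accounts.google.com/signin",
        "https://xn--ggle-55da.com/",
    ]:
        print(url, "->", classify(url, "google.com"))
```

Whether the registrable domain matches is the only question a person can realistically answer from a preview; the full path and any tracking tokens are noise for that decision, which is why the preview-only behaviour is the right one.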

If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.


What's the point of confirmation or user interaction, when nobody knows how to read a URL, and they just click the goddamn accept button?

The user doesn't need to know the exact URL to confirm an interaction they've just started.

The point of the confirmation is 10% account creation and 90% confirming that the user knows their own email address and can type it in correctly. That's actually more challenging to the wider audience than you might think.


> Oh wait, never mind. I guess I won't be signing up for electricity, then?

You ~~will~~ should be picking up your phone and calling the electric company to confirm and to tell them their links are nonsense. Can't be bothered with an AI agent on the phone, or a 60 min waiting queue to a human? Fuck it, don't pay the bill, figure it out later.


This advice sounds like nonsense. CS has neither knowledge of what layers of enterpriseware have wrapped their links, nor of the domains that software uses, nor any control over those decisions by software engineering or marketing (or, perhaps even more removed, some third-party electricity account management platform that they buy as a service).

You certainly could operate on policies like this, but I think most people prefer to spend their time differently instead of arguing with strangers who don't have any way to solve your problem.


Their customer support people don't know what I mean and they especially don't have any power to change this.

The problem isn't paying the bills (I can't recall the last time I ever needed to do that manually), the problem is that pretty much every service uses trackers and shorteners. The only way to opt out is to opt out of society.

Maybe I should, but this "read the link before you click" advice isn't just geared towards hardcore privacy advocates. It hasn't worked in ages. It also doesn't help that companies like Outlook rewrite links to make them redirect through their malware scanners as well.


The 2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, and uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this.

Companies were doing this all along. The 2020s will be remembered as the decade when we realized, too late, that the world began ending in the 2010s.

Unregulated greed doesn't care if every user gets robbed and their identity stolen.

What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.

Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.

As a side note though, I recently tried turning on CSP on a website I run, and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or social embeds for people using the work-friendly or family-friendly options, but the sheer number of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.
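The noise the comment above describes (DNS-filter interstitials, extension-injected ad scripts, random beacons) is exactly what CSP violation reports look like before they are sorted. As an added example that is not the commenter's code, here is a small triage script over report-uri JSON bodies: it separates violations caused by browser extensions (identified by their `chrome-extension://`/`moz-extension://` scheme and keyed by extension id) from inline/eval policy gaps in the site's own code and from genuine third-party hosts, and it counts malformed lines rather than crashing on them. The sample reports, hosts and extension id are constructed for this example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes used by browser extensions. A violation whose source file or blocked
# URI uses one of these was injected by an extension on the visitor's machine,
# not served by the site, so it is noise for the site operator.
EXTENSION_SCHEMES = ("chrome-extension://", "moz-extension://",
                     "safari-web-extension://", "ms-browser-extension://")

# Constructed sample of report-uri POST bodies, one JSON document per line,
# in the "csp-report" wrapper shape browsers send. Hosts and the extension id
# are made up; the last line simulates a corrupt entry in the log.
SAMPLE_LINES = [
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://cdn.adsinjector.test/ads.js",'
    ' "source-file": "chrome-extension://abcdefghijklmnop/content.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "frame-src",'
    ' "blocked-uri": "https://block.dnsfilter.test/blocked?url=youtube"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "connect-src",'
    ' "blocked-uri": "https://telemetry.randomhost.test/beacon"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src",'
    ' "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "img-src",'
    ' "blocked-uri": "chrome-extension://abcdefghijklmnop/icon.png"}}',
    "this line is not JSON",
]


def classify_report(report: dict) -> tuple:
    """Return (category, key) for one CSP violation report."""
    body = report.get("csp-report", report)
    blocked = body.get("blocked-uri", "")
    source = body.get("source-file", "")
    # Newer browsers send effective-directive; older ones only violated-directive.
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    for uri in (source, blocked):
        if uri.startswith(EXTENSION_SCHEMES):
            # For extension URIs the "host" part is the extension id.
            return ("extension", urlsplit(uri).hostname or "?")
    if "://" not in blocked:
        # "inline", "eval" or a bare scheme such as "data": a gap in the
        # site's own policy rather than an external actor.
        return ("inline", directive)
    return ("third-party", urlsplit(blocked).hostname or "?")


def triage(lines) -> dict:
    """Count reports per (category, key); malformed lines are counted, not fatal."""
    counts = Counter()
    malformed = 0
    for line in lines:
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        counts[classify_report(report)] += 1
    return {"counts": counts, "malformed": malformed}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for (category, key), n in result["counts"].most_common():
        print(f"{n:4d}  {category:12s} {key}")
    print("malformed lines:", result["malformed"])
```

Run against a real report log, the "extension" bucket is what can be ignored, the "inline" bucket is the site's own work list before moving from Content-Security-Policy-Report-Only to an enforced policy, and the "third-party" bucket is where the DNS-filter interstitials and unexpected beacons show up.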


We need one for Anthropic's Claude: https://status.claude.com/

IMO, Claude is not faring any better than GitHub.


Except Claude is not catching flak for it.

I am an early GitHub user with a low 6-digit user ID (joined around 2011 with a two-letter handle). I approve Mitchell's message.

It's been painful to use GitHub these days; the user experience has practically gone down the toilet with ridiculous pains like CVEs [1][2], slow, ineffective and expensive GitHub Actions that don't allow local execution, forcing a "push & pray" workflow of repetitive "commit-push-wait" cycles to debug CI errors or bugs, and then the absolutely horrendous Arkose Lab's Octocaptcha [3][4]. Note that only new users encounter the Octocaptcha, at account creation time; the amount of time I wasted solving these ridiculous visual or audio captchas is insane. I happened to need to create 3 separate accounts for the orgs that I am consulting for recently, and each time it was at least 20-30 minutes to go through the account creation process. Sure, it blocks some AI bots, but can't the GitHub team create something that doesn't hinder the user experience?! Oh, and if you have uBlock Origin or Privacy Guard on (which I did), it will take longer, because each failed answer will set you back another 5-10 mins of puzzle time!

Plus the reliability issues that Mitchell mentioned. Mona the Octocat jumped the shark in 2026. RIP.

[1] https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-38...

[2] https://thehackernews.com/2026/03/trivy-security-scanner-git...

[3] https://octocaptcha.com

[4] https://share.google/aimode/2KOowSozTuZJVhBLw


This reminds me of the 2008-2009 era when Mac OS X Leopard was running as a Hackintosh on the Dell Mini 9 [1] and some other netbooks [2].

At $349, it was almost a fully functional laptop that ran Mac OS X (compared to $1000+ MacBooks or $1599 MacBook Pros).

Two friends of mine were literally working remotely on an Africa trip with Dell Mini 9s and mobile hotspots, doing video conferencing with Skype (on Wi-Fi).

[1] https://en.wikipedia.org/wiki/Dell_Inspiron_Mini_Series

[2] https://en.wikipedia.org/wiki/Hackintosh


Yep, started coding iOS apps on an EeePC 1000H on Snow Leopard 10.6.8 and XCode 3.1.something.

While the updates would break things, it was not more complicated than a Linux of the mid 90s to set up, especially with “hackintosh distros” like iDeneb. Surprisingly ok, given the anemic machine!


> Bad code works fine until it doesn't.

Who is to judge the "good" or "bad" anyway?


It is important to question "how to judge," not "who is to judge."

My answer to the "how to judge?" question is another question: "how easy is it to implement new, unforeseen functionality with the code under scrutiny?"


The skyrocketing cost of high-end DRAM (4GB+) has caused some interesting shifts:

1. Shifting hobbyist focus: because hobbyists typically prefer parts under the $100 mark (so they don't "fret over breaking them"), the community is shifting away from modern, high-powered SBCs. Instead, people are moving toward:

   - Older SBC models (like the Pi 3 or 4 with lower RAM).

   - Microcontrollers (like the RP2040), which remain cheap. So used hardware and "repurposing" old tech is retro-trending again.

IMO, perhaps there will be a push to make software/firmware more RAM efficient with AI-assisted coding?


> To broaden my point, I think we’d find that many websites we use are doing this.

Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!

By your logic, if our privacy rights are invaded, which is illegal in most jurisdictions, then it becomes ok because many companies do illegal things??


Absolutely not. At no point am I saying this is ok.

I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.

If anything, the article undersells the scale of the issue.


You really need to work on your reading comprehension, dude.


LinkedIn has been the weirdest social network for a long time.

https://hn.algolia.com/?q=linkedin+weird


What scanning for browser extensions taught me about B2B sales



LOL. Same here. But the footer disclaimer and testimonials gave it away immediately:

> "We had 847 AGPL dependencies blocking our acquisition. MalusCorp liberated them all in 3 weeks. The due diligence team found zero license issues. We closed at $2.3B." - Marcus Wellington III, Former CTO, Definitely Real Corp (Acquired)

> © 2024 MalusCorp International Holdings Ltd. Registered in [JURISDICTION WITHHELD].

> This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services.


I almost lost it; I didn't realize it was satire until I came back to these comments.


This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.


Satire And Performance Art no less.

