Hacker News new | ask | show | jobs
by Timon3 1038 days ago
It's only the same thing if you look from a very shallow angle. Stripping part of the user input to ensure it's entered by the person themselves is otherwise completely different from replacing user input with different data. One defends against a specific kind of attack, the other is a malicious attack.
1 comments
undebuggable 1036 days ago
**m **ad ** **rks **r **u **d **esn't **furiate **u. **r **curity, **ease **ll **e **ssing **aracters ** **ur **nvenience.
link
Timon3 1036 days ago
How often to you write random text into the IBAN field of your bank? Never, because it's an identification number? What a coincidence.

I mean, just think this two steps further. Hackers change input, and banks change input, so hackers == banks? But hackers also change what is displayed on the screen, and password fields change what is displayed on the screen, so hackers == password fields? Pressing my mouse button on the "reply" button changes what is displayed, so hackers == my mouse?

link
undebuggable 1036 days ago
No, my premise is very straightforward. Do not modify the text during the copy and paste workflow. Copy and paste workflow is well defined and established concept by now. That bad actors are doing it doesn't mean you should. No point in exaggerating my premise and ridiculing me.
link
Timon3 1036 days ago
> No, my premise is very straightforward. Do not modify the text during the copy and paste workflow.

That's not the premise you stated earlier. That was: "Banks and hackers do the same thing by modifying the text during the copy and paste workflow", which completely ignores what kinds of modifications are happening.

> Copy and paste workflow is well defined and established concept by now. That bad actors are doing it doesn't mean you should.

See? You're doing it again. Banks are not doing what "bad actors are doing". Banks are doing something else.

> No point in exaggerating my premise and ridiculing me.

I am not exaggerating your premise and ridiculing you, I'm continuing your logic to show its' flawed premise. You stated that "banks and hackers are doing the same thing", and the reason it's the same is due to the literal operation being the same. Why can't I extend this logically to other operations that are the same? A password field changes what is displayed compared to my input, how is that different from a hacker changing what is displayed compared to my input?

link