Yes. But they don’t upstream. Why would they?

It... doesn't though: https://uutils.github.io/coreutils/docs/test_coverage.html

Neither this issue, which doesn't appear to be a bug at all but merely an unimplemented feature, nor the fact that uutils doesn't (yet) pass the entire testsuite, seem to me to at all be an indictment of the uutils project, merely a sign that it is incomplete. Which is hardly surprising when I get the impression it's primarily been a hobby project for a bunch of different developers. It does make me wonder about the wisdom of Ubuntu moving to it.

Anyone have a link to the patch in uutils? Curious to see that the problem and solution were.

I agree that #1 is correct, and I try to practice this; and always for anything security related (update your password, update your 2FA, etc).

Still, I don’t understand how npmjs.help doesn’t immediately trigger red flags… it’s the perfect stereotype of an obvious scam domain. Maybe falling just short of npmjshelp.nigerianprince.net.

> U2F/Webauthn key as second factor is phishing-proof. TOTP is not.

Last I checked, we're still in a world where the large majority of people with important online accounts (like, say, at their bank, where they might not have the option to disable online banking entirely) wouldn't be able to tell you what any of those things are, and don't have the option to use anything but SMS-based TOTP for most online services and maybe "app"-based (maybe even a desktop program in rare cases!) TOTP for most of the rest. If they even have 2FA at all.

Please don't copy-paste comments on HN. It strictly lowers the signal/noise ratio.

I watched a presentation from Stripe internal eng that was given I forget where.

An internal engineer there who did a bunch of security work phished like half of her own company (testing, obviously). Her conclusion, in a really well-done talk, was that it was impossible. No human measures will reduce it given her success at a very disciplined, highly security conscious place.

The only thing that works is yubikeys which prevent this type of credential + 2fa theft phishing attack.

edit:

karla burnette / talk https://www.youtube.com/watch?v=Z20XNp-luNA

Most mail providers have something like plus addressing. Properly used that already eliminates a lot of phishing attempts: If I get a mail I need to reset something for foobar, but it is not addressed to me-foobar (or me+foobar) I already know it is fraudulent. That covers roughly 99% of phishing attempts for me.

The rest is handled by preferring plain text over HTML, and if some moron only sends HTML mails to carefully dissect it first. Allowing HTML mails was one of the biggest mistakes for HTML we've ever made - zero benefits with huge attack surface.

> 1. NEVER EVER login from an email link.

I receive Google Doc links periodically via email; fortunately they're almost never important enough for me to actually log in and see what's behind them.

My point, though, is that there's no real alternative when someone sends you a doc link. Either you follow the link or you have to reach out to them and ask for some alternative distribution channel.

(Or, I suppose, leave yourself logged into the platform all the time, but I try to avoid being logged into Google.)

I don't know what to do about that situation in general.