Pika

joined 1 year ago
[–] Pika 2 points 5 hours ago

You are correct with this comment, yea. The biggest drawback (which, as acknowledged, we have seen on Lemmy) is the anonymity of the account. It's easy to spin up spam instances, and due to how federation works it's hard to combat against it. I remember LW had an issue regarding that a bit ago with someone threatening to just keep changing domains to avoid blocking, which is indeed a problem for any of these style services. I agree at large scale, most sites are not going to want to have to put up with losing that level of control moderation side. It creates a lot of headaches and for most sites it's just easier to enforce a policy that forces disclosing PII.

[–] Pika 2 points 5 hours ago* (last edited 5 hours ago)

Tox did something similar with this outcome, but it never took off. Basically, with Tox each account is actually stored locally, much like how Skype did when it was p2p, but the difference is your account is actually on your device, as in if you lost your "key" you lost your account. When you connected with others, you gave your friends your Tox ID, which was essentially your public key signature with some added information regarding what you wanted for privacy added to it, and then your messages were relayed through a p2p DHS network. Every communication was encrypted e2e. With Tox anyone could create an account with any information, but only people you added were able to message you, and vice versa. The only time you were ever publicly disclosed was during adding contacts to people you didn't already have, which helped minimize botting on it, as bots wouldn't be able to message you without your ID. The issue with that method was that both parties had to be online to message each other; there was no central server to manage identity and handle users, so every connection was considered trusted since you had to manually add the person via their Tox ID.

I expect this solution /could/ be moved into a centralized system for all user accounts, since the only way to add people was manually adding their private key, but I would expect that at large scale the lack of ability to actually stop problematic users might dissuade platforms from wanting to implement it, since account creation was as easy as just clicking "create account" and no accounts were ever verified server side, which, in order to do, brings us back to the issue topic: privacy vs security.

[–] Pika 1 points 5 hours ago

This problem isn't addressing password authentication, it's the website knowing who you are and that you are legitimate. Websites that collect things such as phone numbers during account creation don't collect your PII as part of your password procedure. They collect it as a verification that you are an actual being and not a fake account/bot. The ease of being able to go through a forgot password thing is just a positive side effect.

This solution would work amazingly for logging in, there's no argument for that, but it doesn't address the elephant in the room: that the website wants to make sure you are a person/legitimate account and not a fake alias or a bot to scrape info, and when you are the only one providing that information, that claim can't be verified.

[–] Pika 2 points 7 hours ago (1 children)

This would be deemed troublesome, yea. That being said, I firmly believe in separating work and home. I wouldn't be willing to use a personal number for work related activities, at least not public related activities. That being said, I have no good solution for that; at least you are being paid for the scam call, I guess.

[–] Pika 3 points 7 hours ago* (last edited 7 hours ago) (5 children)

I want to preface this response by saying I fully agree with this. I want something like this to happen; I am responding because of some concerns I have. The real major one: how do you verify the authentication part of the data security chain?

A PGP key alone does not authentically validate that you are who you say you are. When the source is the untrusted party, it doesn't accomplish the site's goal. It's the equivalent of me handing you a piece of paper saying "I'm John Smith and this is what I use to say I'm this", which works amazingly for trusted exchanges, but when the source is "just trust me bro" it doesn't solve anything for the website owner.

Websites get around this by having trust certificates/root servers that are co-signed with the PGP key. However, we lack any system like that for personal identities. Arguably, setting up such a system would isolate most of the known internet, as it is a significant roadblock, much like how SSL certificate usage was a huge roadblock for sites before Let's Encrypt became a thing.

This setup would be amazing for logging into sites. However, it fails to accomplish what the websites that are asking for PII are looking for, which is verification that their user is who they say they are, and not a random third party.

To reliably use this setup, we would need something similar to Let's Encrypt, but for user identification. The issue with that is it would become the de-facto attack vector (for both law enforcement and criminal parties), and that site would need to require PII to address the biggest concern on these sites, which is that you are who you say you are, and not Joe Schmo or a bot looking to harvest data. Additionally, as mentioned earlier, a massive retraining of the internet would need to be done, which would mostly affect non-tech folk.

I am hopeful that an easy function that won't violate users' privacy comes out, but I don't think the two topics are compatible, sadly.

[–] Pika 7 points 7 hours ago* (last edited 7 hours ago) (2 children)

Are internet security and internet privacy incompatible goals?

Yes. They are completely incompatible goals when anything relating to identity/being is linked to it. Examples of this could be anything from your name, to your behavioral patterns, to your phone number.

Disregarding the entire possibility that ANY site is hackable/breachable, the issue stands that the reasons most sites request PII are valid, for security reasons. There does not exist any valid method of ensuring users' identity that does not violate users' privacy. CAPTCHAs are proven inefficient; email domains are as easy as 1-2 clicks. Once the setup is done server side, changing to a new address is as easy as changing your server settings and registering a new domain, then just pointing your MX records there. Heck, depending on your Postfix setup you might not even have to change server settings, if your account lookup is set up to ignore the domain and it all uses the same database. Even phone numbers have proven troublesome, but it's the least troublesome method available.

The entire reason PII style setups are used is because it's an easy verification site side, but a hard to spoof verification customer side. Like the article says, phone numbers are hard to change for verification; many only let you change so many times in X period, and usually require some form of physical identity to register, and the ones that don't, such as VoIP style numbers, get blocked.

We currently lack a good system aside from that, because at the end of the day, how do you prove you are who you say you are without disclosing your identity? I personally think it should be fine to give up some PII for security purposes, but this NEEDS to be restricted only to security and should never be shared with any entity, and this includes government overreach. Alas, this will never happen.

[–] Pika 8 points 8 hours ago (5 children)

This right here. I stopped getting scam calls years ago: I stopped answering and they just eventually stopped calling. If you don't interact with the call (interact being ignore it or mute it, NOT reject it) and it just goes to voicemail, they seem to eventually stop.

[–] Pika 2 points 8 hours ago

I'm confused about how this keeps happening to people.

Like, I use my phone on most sites that allow it and I've never really had spam/scam calls, but I've also explicitly unchecked the marketing boxes that appear on the signup, so maybe that's it.

The last instance that actually happened to me was when entering my university a few years ago for my BS degree. They 1000% sold my contact information as some part of the dean's/honors list process. I reached out to them and stopped that so fast.

[–] Pika 4 points 8 hours ago (1 children)

I didn't expect that to turn into a dad meme with the "just disappointed"

[–] Pika 1 points 8 hours ago* (last edited 8 hours ago)

This is becoming a recurring trait for PyPI; this should be a red flag to the maintainers of the repo site that something is wrong with their publishing process. Granted, NPM has the same issues, but this trait seems to have become more common on PyPI from what I've seen.

Honestly, what they should implement is a community based vetting process similar to a lot of art sites with their post tagging, since most of these malicious packages are using the ideology that they want the user to accidentally install that one instead of the other, or that the package is an addon to a popular package. The implementation would be super simple. If the package name has at least 20% of another popular package's name (decided by the amount of installs it had), it flags it for manual vetting by the community. It would go into a dedicated spot on the site called "potential packages" or "pending packages", and if you are a known community member (have an established package already + not a new account) you can "ok" the package. Granted, more than one ok would be needed, but the ideology of this would be that commonly used tactics would be hindered or delayed by it.

Using this as an example: Pycord is a known major Discord bot development library; this malicious script takes advantage of that by calling itself pycord-self, which makes it seem like it's a selfbot addition library for pycord. Since the name contains more than 20% of the word "pycord", this process would have flagged the malicious script for manual vetting before it was published, which would have potentially caught the malicious intent beforehand.

This method forces malicious actors to either use a really weird name, which might catch the eye of the user ahead of time/give red flags, or just find another way to distribute the package. Legitimate packages will be slightly delayed, but they would eventually be vetted and told "yea, that's good".

Also note: I don't mean that the package wouldn't be available by direct name (pip install X), just that the name wouldn't be available by searching the repo. If the project is installed via direct name and isn't vetted yet, an alert should be displayed saying "this project is not yet vetted by the community, would you like to continue" or something similar.
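The 20% name-overlap rule proposed in the comment above, as an added example (my code, not PyPI's and not the commenter's): a candidate name is compared against a constructed popularity table using longest-common-substring overlap, and a minimum-overlap floor is added (my assumption, not part of the comment) so that 20% of a five-letter name does not collapse to a single shared letter.

```python
import re

# Constructed sample of "popular" packages with install counts (illustrative numbers, not PyPI data).
POPULAR_PACKAGES = {
    "pycord": 1_200_000,
    "requests": 50_000_000,
    "numpy": 40_000_000,
    "tinylib": 500,  # below the popularity floor, so never used as a reference name
}


def normalize(name: str) -> str:
    """Lower-case and drop separators so 'Py_Cord.Self' compares as 'pycordself'."""
    return re.sub(r"[-_.]+", "", name.lower())


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest contiguous run shared by a and b (classic DP over a rolling row)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def vet_package_name(candidate, popular=POPULAR_PACKAGES, threshold=0.2,
                     min_installs=100_000, min_overlap=3):
    """Return (flagged, matches): flagged is True when the candidate shares at least
    `threshold` of some popular package's name; matches lists (name, fraction) by fraction.
    `min_overlap` (assumed, not from the comment) ignores overlaps of one or two characters."""
    cand = normalize(candidate)
    matches = []
    for name, installs in popular.items():
        ref = normalize(name)
        # Skip unpopular reference names and the popular package's own (re)upload.
        if installs < min_installs or ref == cand:
            continue
        overlap = longest_common_substring(cand, ref)
        fraction = overlap / len(ref)
        if overlap >= min_overlap and fraction >= threshold:
            matches.append((name, round(fraction, 2)))
    matches.sort(key=lambda m: m[1], reverse=True)
    return bool(matches), matches
```

Beyond the pycord-self case from the comment, the same check catches single-letter variants such as numpie, which is where the overlap fraction (rather than a plain substring test) earns its keep.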

[–] Pika 4 points 10 hours ago

beep boop, I am indeed a Homo sapiens descendant of the primates. How may I assist you with your joy today?

[–] Pika 1 points 10 hours ago

They offer payment plans for cell phones; I'm waiting for the day that they start offering payment plans to purchase video games. They've already trialled it with hardware with the Xbox Series X launch with their All Access pass, which, don't get me wrong, was a great deal, but eventually we are going to hit the point where the everyday person, if they want to buy a video game, is going to have to do one of those buy now pay later plans through Affirm or something, which is a scary thought. As is, if it gets much higher than $100 it will qualify for PayPal's 6-month equal financing deal if you have their credit card; if this change had been just 6 months prior it would have already qualified for it, because they just recently raised their minimum, so I think it's like $120 or $140.
