It's not much better than nothing. It basically solves "I reused my password across sites" exclusively, that's it. If you're going to go through the effort of TOTP, it seems odd that you wouldn't just use a unique password.
If you use a unique password it's questionable if it adds any value at all. Perhaps in very niche situations like "password authentication is itself vulnerable due to a timing attack/bug" or some such thing... but we've rarely seen that in the wild.
I use a password manager and systemically use long random passwords. An attacker would need to compromise my password manager, phish me, wrench me, or compromise the site the credential is associated with to get that.
Using local only TOTP (no cloud storage or portability for me, by choice) they would have to additionally phish me, wrench me, compromise my phone, or compromise my physical security to get the code.
None of these are easy except the wrench which is high risk. My password manager had standard features which make me more phishing resistant, and together they are more challenging than either apart. For example the fact that my password manager will not fill in the password on a non associated site means I am much less likely to fill in a TOTP code on an inappropriate site. Though there are vulnerable scenarios they aren't statistically relevant in the wild and the bar is higher regardless.
Now I happen to have a FIDO key which I use for my higher security contexts but I'm a fairly low value target and npm isn't one of my high security contexts. TOTP improves my security stance generally and removing it from npmjs.org weakened my security stance there.
My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.
Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.
To answer your question, no and I provided details. It literally provides a second, non portable factor with a different vulnerability surface.
> My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.
I agree.
> Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.
Can you be more specific about the attack that your password manager doesn't solve that your TOTP does? The attack I'm suggesting is already solved by your password manager.
I believe I've already written that but it is that my password manager gets compromised. It is not perfectly secure and has failure points. Given that it is separate from the second factor a successful attack against the password manager still leaves an attacker unable to login without a separate compromise of my TOTP code. Of course that can also be compromised but two compromises is strictly more difficult than one.
Right, so it's "password manager is compromised" or "password is reused", right? I'm pretty skeptical of these mattering relative to phishing, which is radically more common.
While this explicitly calls out "postinstall", I'm pretty sure it affects other such lifecycle scripts like preinstall in dependencies.
The --ignore-scripts option will ignore lifecycle scripts in the project itself, not just dependencies. And it will ignore scripts that you have previously allowed (using the "allowBuilds" feature).
There are several severe threats to honey bees which without human intervention would cause a significant number of hives to be lost.
There's the varroa mite and the things it carries like deformed wing virus, then there is the increasingly prevalent Asian hornet which European honey bees are unable to deal with, and colony collapse disorder where the bees literally disappear for reasons we currently don't understand, and climate change is causing colonies to starve over the winter.
Honey bees are not going extinct tomorrow but they are not doing well.
Humans also face severe threats and are not doing well but are not going extinct tomorrow. Honeybees seem to only decline in North America, especially the USA, but as you said it’s human intervention that keeps their population booming year after year. Perhaps a decline wouldn’t be so problematic if it doesn’t go to extinction? A decline in the chicken population wouldn’t lead to extinction, to elaborate on the funny author’s take:
> Promoting honeybee hives to save pollinators is roughly the equivalent to building more chicken farms to save bird biodiversity
The other problems you raise are important but are also a threat to other bee species and insects.
Fascinating fact. Begs the question what pollinated agriculture (squash, tomatoes, peppers, berries etc) prior to the introduction of the honeybee and the equally fascinating answer is that there were many species but all of them were SOLITARY and NON-HIVE DWELLING!
I wonder if it would be possible to experiment a bit - ban honeybee hives in a 10 mile square radius, or perhaps in that area that bans all radio transmitters. See what happens.
That depends on how you draw the line. Most would consider buffalo[0] to be native to North America, but they arrived less than 200000 years ago. If you go far enough back, no life is native to anywhere except wherever abiogenesis occurred.
Honeybees are livestock. They're no more endangered than chickens or cows. If we need more, we just breed more.
In most places honeybees are raised they couldn't even survive in the wild. Just like cows and chickens and pigs. As with most livestock, without human intervention they would probably be wiped out.
If humans didn't manage risks to livestock on an industry scale they would be at risk. It requires a constant investment from both commercial industry and government. Activities like the dept of agriculture and university ag depts have been really so good at what they do. It's like the rest of civilization has forgotten what it takes and the costs involved if we neglect the investment. Agriculture and livestock is just one foundational civilization technology where we have forgotten the significance of
What is considered livestock varies over time - chickens range from "free range and can survive in the wild" to "so fat they can't live". One guess as to which is the most common by numbers - one reason that if you do decide to have a backyard flock, go with something "more natural".
More dangerous in all these is the monoculture - a hundred years ago we would have a wide range of crops and livestock; now 90% of meat chickens are probably the same genetically; similar with cows and bananas and corn and rice and pigs, etc. That sets us up for a "wipe out 90% of chickens" risk.
Monoculture is definitely a risk, one exacerbated by megacorps and overly corporatized industry - but if you look at the history of ag departments they have introduced multiple variants and variations across crops and animals time and time again. They also work with smaller growers in communities in many ways - natural pest controls consultations for example
“Breeding more” bees is not as trivial as raising other animals, because bee reproduction depends on hive stability. Other animals are kept fully enclosed in captivity and can be artificially inseminated in some cases. Bees are semi-wild and have to be free to leave the hive to forage, and if they don’t return or if the hive collapses, you can’t “breed more.”
Fun fact: queen bees can be artificially inseminated, and most commercial queens are. Beekeepers prefer naturally-inseminated queens, because they're stronger, but "nature" can't keep up with commercial demand.
You're correct about "breeding more" not being trivial, but they do it on an industrial scale. In really broad strokes: in late winter, in preparation for pollination season, they feed their hives intensively (with sugar syrup) and add extra brood boxes for the queens to fill with eggs. Then they split the hives, leaving the old queen in one box, and adding new queens to the box(es) they take off. Voila! Double (or more) the hives.
Pollination is where commercial beekeepers earn their living, by renting out hives of bees to farmers. Honey production is not necessarily an afterthought, even though it doesn't really turn a profit - it's worth doing because you'll be putting the bees on nectar flows for the summer, anyway, so you won't have to feed them, and extracting (some of) the honey covers transportation costs - but all the money's in pollination.
I could keep going and going - queen production and hive splitting are fascinating topics on their own - but I'll stop before I risk boring people with an over-long comment. I have commercial beekeepers in my family, and I've worked (summer / vacation jobs, when I was a kid) every part of the process.
(This is all in a USA-ag context. Beekeeping is - very! - different in other parts of the world.)
It certainly does for the bees. All of the hives are in very close proximity, traveling thousands of miles on trucks, for days at a time. The bees are under a lot of stress, mites and diseases spread among them, and some hives don't make it.
Transmission to other insects? I don't know, but I kinda doubt it. Varroa mites were introduced and spread by commercial bees back in the '60s or '70s, but they're entirely endemic at this point. Some native bees are / were harmed by them, and others - based mostly on grooming behavior, actually - aren't much, or even at all, at risk. As someone above pointed out, native and honey bees mostly have different food sources, so they aren't generally in close proximity to each other. Furthermore, the bee diseases of which I'm aware are really, really specific to bees, so I doubt that, say, butterflies or ladybugs or something would be harmed by anything bees carry. I could be wrong about that, though: I'm no expert.
By far the worst threat to native insects, however, is the destruction of native plants and natural habitats. Urban encroachment and landscaping are minor factors (and please plant native plants in your yard: it's great to do), but what's harmed native plants the most has been the farming practice that comes with Roundup Ready™ and similar crops. Previously, fields grew (native) weeds, and had margins where native plants took advantage of irrigation runoff and fertilizer overspill to run wild. Now, farmers broadcast spray weed killer over everything; their genetically-modified crops are immune, but every other plant in the vicinity is destroyed.
While I'm on the subject of bees, my beekeeper uncle doesn't believe Colony Collapse Disorder is a thing. Or, rather, that it happens, but has thoroughly mundane explanations, and any kind of mystery about it has been ginned up by the media, or by beekeepers looking for compensation from the Ag Department. His explanation is that bees are fed, split, and trucked more than they ever have been. (New pesticides maybe, too, but he doesn't think they're much of a factor, since they're not sprayed during pollination times, when bees are in the fields.) All those things stress the bees, and weaken hives; weak hives (as they always have been) get taken out by wax moths and diseases.
His opinion is that old-time beekeepers haven't changed their practice, despite putting their bees under greater stress, and that young (and most amateur) beekeepers don't understand bee behavior well enough to minimize stressors or notice the signs of distressed hives. He inoculates for disease waaay more than he did forty years ago, minimizes feeding (honey is much more nutritious than sugar), and I've rolled up to bee yards ready to load the trucks, only to have him - based on his sense of the weather, and how the bees behaved when he cracked open a few hives - wave us off because the bees wouldn't cope well with moving just then. I don't know enough to evaluate his theory, but I give it credence, because his hive yields aren't any different than they have been for the last fifty years. CCD just isn't an issue for his hives.
Anyway, there's my over-long comment, and I've only got started. Bees are fascinating creatures.
There's also the massive problem of fake honey (i.e. manufactured sugar syrup illegally sold as honey), which is much cheaper than real honey and pushing actual beekeepers out of the market.
Wild honeybees adapt to deal with mites. What they struggle with are insecticides and monoculture deserts. Domesticated varieties that have been selected for productivity and placidity are the ones that haven't quickly adapted to the introduction of parasites, diseases, and predators, because they don't have to, as the humans worry about those problems.
Is that really true? My layman's understanding was that ~10-20% of the calories in a typical American diet comes from crops which need pollinators: grains (which feed livestock too), legumes, root vegetables, leafy greens, mostly can be grown without them, using self pollination or wind pollination.
I mean, of those that do require insect pollination. Apples/pear family, almonds/cherries/plums, cucumbers/melons, some others in seed production (carrots). There are only few examples where non-honeybee pollinators are needed, like tomatoes in greenhouses (otherwise wind is enough).
The number of URLs grows as more people add this tool to their website and add each other as neighbours. The tool is capable of discovering neighbouring consoles and showing URLs from there.
Not really, given that the work we do in that direction isn't exactly public. You can recreate the scenario though. Spin up a wiki of some sort, scrapers love wikis, ideally enable some form of caching, and just sit back and watch scrapers throw random shit in the URL parameters.
> Telephone company executives wondered whether the standard cord, then about three feet long, might be shortened. Mr. Karlin’s staff stole into colleagues’ offices every three days and covertly shortened their phone cords, an inch at a time. No one noticed, they found, until the cords had lost an entire foot.