They've been giving it the old college try for the better part of two decades and the only website I've had to train myself not to visit is Twitch, whose ads have invaded my sightline one time too many, and I conceded that particular adblocking battle. I don't get the sense that it's high on the priority list for most sites out there (knock on wood).

Those users could even share or recommend the site to someone else who doesn't use ad blockers, so it actually makes sense to not try to battle ad blockers if you want to make your site more popular.

This makes sense for sites that rely on network effects, like forums or classified ad sites and so on. Unless they have a near monopoly or some really valuable content, they would benefit financially if they let people block their ads.

I can't back that up with data or anything, but it makes sense to me.

I once made the mistake of adding the site to the deny list of uBlock... The ads were so annoying I couldn't read the article anyway. So, never again.

Anyway, you're right in that I'll never share articles from those sites to people who don't use ad blockers.

Better title.

Mom can't figure out what they are or how to use them. They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck (yeah yeah multiple devices and paths to auth and backup codes, none of that matters). It's one further step down the attested hardware software and eyeballs path. Passwords forever, shortcomings be damned.

https://www.healthequity.com

> As of October 2025, passkey login has been fully rolled out and is now required for members with Health Savings Accounts (HSAs) and Reimbursement Accounts (RAs) who use the HealthEquity Mobile app and web experience.

https://help.healthequity.com/en/articles/11690915-passkey-f...

The FAQ is a little misleading by saying WHEN your account has a passkey this and that, but reality is that after October they made them completely mandatory, no bypass, no exceptions. 100% coverage.

Oh, and by the way, passkeys have been broken on PC/Linux when using Firefox for months:

> There Was A Problem: We encountered an error contacting the login service. Please try again in a few minutes.

Neat. You have to use Chrome or Edge.... For months, after making it mandatory...

That article does say "HealthEquity Mobile and web experience" so maybe it's just for customers who use both, I only use web.

This is the biggest myth/misconception I see repeated about passkeys all the time. It's a credential just like your password. If you forget it, you go through a reset flow where a link is sent to your email and you just setup a new one.

And if it happens to be your Gmail account that you're locked out of, you need to go through the same Google Account Recovery flow regardless of whether you're using a password or a passkey.

There are also many exciting new ways you can lose your passkey that wasn't the case with a password you can remember in your mind. The person you responded to is worrying about big tech randomly banning you and making you lose access, in the meanwhile I'm mostly worried about losing the physical device containing the key. I don't think I will forget, say, my Google password unless I got Alzheimers or got hit in the head by a hammer, at which point I will have bigger problems than a lost Google account.

And let's not pretend account recovery process is always smooth and easy. They may require evidence from your other accounts you cannot access now due to the key loss. They may demand government IDs that might have been lost alongside your device. They may also just deem your recovery attempt fraudulent and ban you for no reason (which I similar to the scenario the post you are replying to desctibed.)

Personally I don't really trust companies to not do a whoopsie and permanently lock you out when you lose credentials. Especially when the company is big or hard to access in person.

For someone like me who already uses a password manager for everything, passkeys seem to add no security while reducing usability and control.

One advantage of passkeys is that they’re phishing resistant. They’re bound to the website that you created them for, it’s impossible to use them for a different website.

Instagram does something similar. If you have no logged in device and you reset your password, good luck getting in, cuz it wants you to log in a device "it recognizes" else it won't let you log in.

It's super sad to see all kinds of websites offering you to add a passkey when you log in.

Is this a mistake? I am already using password manager and totp for my accounts, but I am tired of dealing with passwords.

Even when using a password manager (bitwarden in my case), it just get tedious bringing out my phone, starting auth app, locating the correct account, reading 6 digit token and logging on.

Encrypting password manager database with a passkey or other authentication key on one of those yubikeys would be the mistake. Encrypting it with a separate dedicated key (or passphrase) on the same yubikey in parallel to its passkeys is fine.

My plan was to continue using bitwarden for passwords as well, but more as a break-glass mechanism that I really use. I want to use passkeys mostly for convinience.

Isn't it why good practice is to bind at least 2 hardware passkeys and/or have recovery codes?

Sure someone can steal your phone/laptop/yubikeybio but then you can use the NitroKey you have at home in your drawer to recover your account.

Backup keys and recovery codes also do not solve all cases of key loss. One thing I worry about is what happens if I am traveling in a foreign country and loses my belongings. In the past if I can convince someone to let me use his computer I can at least log into my email account as long as I remember my password. If everything is passkey then I will be locked out of all my online accounts until I make it back home, assuming that I have actually properly set up the backup device and keys. Humans are not very good at making sure that backups actually work.

Is it? Maybe I'm in a bubble but feels like most people I know unlock their phone with biometrics. Sure few do that on their laptop, even less on their desktop, but I imagine that explaining it's "like unlocking your phone" would help those very numerous people (if you have metrics on biometrics on phone, please do share, genuinely curious) see that it's basically doing what they already do on more devices.

I don't know why biometric models specifically here, I'm 'niche techie' enough to have several Yubikeys, but even I don't have a biometric one.

Assuming your 2FA tokens are generated by phone, of course. But I think that's by far the most common way.

It honestly takes a minute to add a key and it's just that, a physical key.

IMHO what's risky in terms of UX and habits is precisely that most workflows do not highlight this. So people rightfully are scared of losing that 1 precious key, so they don't activate 2FA because of that. Meanwhile if the UX when they activate 2FA would clarify that they only have 1 key stored, adding a 2nd one or saving codes (most do propose that option for 2FA authenticators but not hardware passkey AFAIK) is what will make them both safe against attacked but also against their own accident (shit happens) then maybe behaviors would change.

Anyway, yes, you're right, most people don't do that or aren't even aware of it but arguably as more and more important and intimate part of our lives are online, it becomes crucial for one owns sanity to better understand how this all works.

Even for this, for grandma, this is probably still asking for a lot.

Grandma's bank will have a recovery option even if she's tossed her phone, computer and hardware token in the ocean, and then had a stroke which made her forget any passphrases or whatever: You can call the bank and physically authenticate yourself with a passport, driver's licence or some other ID. It's a bitch to do, you may have to go to an actual bank branch, but grandma will get access to her money again. Meanwhile, her access to physical mail doesn't stop just because she's forgotten some passphrase or lost her phone.

Even techy people get caught out by Google forcing 2FA, while casuals don't even consider the possibility of losing access to their email. While both the rhetorical you and grandma both should probably have a bulletproof recovery option for their email, since it will be the foundation of their digital identity, getting them to acknowledge the problem is going to be hard, and the solution, paying for a Yubikey or some other house of cards solution, is a tough sell.

Also execs can already enforce their apps only - banking apps for approving transactions are already a thing at least in europe, no fido passkey needed.

But didn't the author hint that this could get blocked?

My general read on passkeys and their implementers is that exportability is seen as a risky feature, and there's a push to make it as opaque as possible, likely through attestation or similar mechanisms.

[1]: https://github.com/keepassxreboot/keepassxc/issues/10407

Then don't use Apple's/Google's/whatever Gaia is as your passkey provider?

> Mom can't figure out what they are or how to use them.

Then do something nice for your mom and set her up with Bitwarden, 1Password or KeepassXC, which prevents the platform lock-in.

> It's one further step down the attested hardware software and eyeballs path.

None of the synchronized passkey implementations, which big tech has been pushing lately, support attestation, so this is just FUD.

Yubikeys do, but fortunately they don't seem to have the (non-enterprise) weight to make it mandatory for all passkeys.

So the guardrails (for you and me) are still there. They just stopped committing the unforced error of excluding themselves from federal procurement. Under a different administration, the requirement might change, and you might see them boasting once more on "safety."

one problem i have with this specific case and Anthropic/Claude working with the DOD is I feel an LLM is the wrong tool for targeting decisions. Maybe given a set of 10 targets an LLm can assist with compiling risks/reward and then prioritizing each of the 10 targets but it seems like there would be much faster and better way to do that than asking an LLM. As for target acquisition and identification, i think an LLM would be especially slow and cumbersome vs one of the many traditional ML AIs that already exist. DOD must be after something else.

What do you do when the government come to you and tell you that they do want that, and can back it up with threats such as nationalizing your technology? (see Anthropic)

We're back to "you might not care about politics, but that won't stop politics caring about you".

Challenge it in court. Move the company to a different jurisdiction. Burn everything down and refuse to comply.

Challenge in court is fine, even healthy.

Threatening to burn everything down and refuse to comply might well work; simply daring Trump to a game of Russian Roulette about this popping the bubble that's only just managing to keep the US economy out of recession, on the basis that he TACOs a lot, I can see it working in a way it wouldn't if he were a sane leader making the same actual demands just for sane reasons.

Move the company to a different jurisdiction? That would have worked if AI was a few hundred people and a handful of servers, as per classic examples of:

  At the height of its power, Kodak employed more than 140,000 people and was worth $28 billion. They even invented the first digital camera. But today Kodak is bankrupt, and the new face of digital photography has become Instagram. When Instagram was sold to Facebook for a billion dollars in 2012, it employed only 13 people. Where did all those jobs disappear? And what happened to the wealth that all those middle class jobs created?

But (I think) now that AI needs new data centres so fast and on such a scale that they're being held back by grid connection and similar planning permission limits, this isn't a viable response.

They can be burned down, but I think they can't realistically be moved at this point. That said, I guess it depends on how much Anthropic relies on their own data centres vs. using 3rd parties, given Amazon's announced AWS sovereign cloud in Europe?

The worst part that this article doesn't even touch on with normalizing and remapping characters is the risk your login form doesn't do it but your database does. Suddenly I can re-register an existing account by using a different set of codepoints that the login system doesn't think exists but the auth system maps to somebody else's record.

Also known as Zalgo. But it seems most renderers nowadays overlay multiple combining marks over each other rather than stack them, which makes it look far less eldritch than it used to.

While I’m sure it’s more than 0%, seems more likely that somewhere between 0% and 30% don’t feel obligated to give the inquiry anything more than the most cursory glance.

How do incentives align differently with LLMs?

I think it would be better to say that 30% of people either lack the ability to reason (inarguably true in a few cases, though I'd suggest, and hope, an order of magnitude or two less than 30%, as that would be a life-altering mental impairment) or just can't generally be bothered to, or just didn't (because they couldn't be bothered, or because they felt some social pressure to answer quickly rather than taking more than an instant time to think) at the time of being asked this particular question.

An automated system like an LLM to not have this problem. It has no path to turn off or bypass any function that it has, so if it could reason it would.

If 30% of humans on the internet can't be bothered to make an effort to answer stupid questions correctly, then one would expect AIs to replicate this behaviour. And if humans on the internet sometimes provide sarcastic answers when presented with ridiculous questions, one would expect AIs to replicate this behavior as well.

So you really cannot say they have no incentive to do so. The incentive they have is that they get rewarded for replicating human behaviour.

Some people love riddles and will really concentrate on them and chew them over. Some people are quickly burning through questions and just won't bother thinking it through. "Gotta go to a place, but it's 50 feet away? Walk. Next question, please." Those same people, if they encountered this problem in real life, or if you told them the correct answer was worth a million bucks, would almost certainly get the answer right.

But if you omit the details designed to confuse people, they're far less likely to get it wrong: "I have a rooster named Pat. Pat flies to the top of the roof and lays an egg right on the ridge of the roof. Which way will the egg roll?"

It's not about reasoning ability, it's about whether they were paying close attention to your question, or whether their minds were occupied by other concerns and didn't pay attention.

The original question used in this example does not contain a logical impossibility. This one does.

You might believe there is intrinsic sexual dimorphism among mammals and birds. You might even have overwhelming experimental and scientific evidence that proves it. But ask yourself: is it worth losing your job over?

Some roosters lay eggs.

Think basic security (password management, email phishing), H&S etc. I've ran a few of these and as soon as people hear they don't have to get it right a good portion of people just click through (to get to what matters). Nearly 10 years ago I had to make one of my security for engineers tests fail-able with penalty because the front-end team were treating it like it didn't matter - immediately their results effectively matched the backend team, who viewed it as more important.

I talked to an actor a few days ago, who told me he files his self-assessment on the principle "If I don't immediately know the answer, just say no and move on". I talked to a small company director about a year ago whose risk assessments were "copy+paste a previous job and change the last one".

Anyone who has analysed a help desk will know that its common for a good 30+% of tickets to be benign 'didn't reason' tickets.

I think the take-away is that many people bother to reason about their own lives, not some third parties' bullshit questions.

I'd look for explanations elsewhere. This was an online survey done by a company that doesn't specialize in surveys. The results likely include plenty of people who were just messing around, cases of simple miscommunication (e.g., asking a person who doesn't speak English well), misclicks, or not even reaching a human in the first place (no shortage of bots out there).

If you're interested in the user experience, it's this: https://www.reddit.com/r/MySingingMonsters/comments/1dxug04/... - apparently, some annoying ad-like interstitial that many people probably just click through at random.

The key technique in the mathematical method to answer the machine question is "theory of mind".

There is nothing “mathematical” about any of this though.

Context would be key here. If this were a question on a grade school word problem test then just say 100, as it is as specified as it needs to be. If it's a Facebook post that says "We asked 1000 people this and only 1 got it right!" then it's probably some trick question.

If you think it's not specified enough for a grade school question, then I would challenge you to come up with a version that's specified rigorously enough for any sufficiently picky interviewee. (Hint: This is not possible)

>There is nothing “mathematical” about any of this though.

Finding the correct approach to solve a problem specified in English is a mathematical skill.

Let me repeat the question again: "If 5 machines can produce 5 parts in 5 minutes, how long will it take for 100 machines?" Do you think that by adding 95 more machines they will suddenly produce the same 5 parts 95 minutes slower?

What kind of machine have you encountered where buying more of them the ones you already had started working worse?

> then I would challenge you to come up with a version that's specified rigorously enough for any sufficiently picky interviewee.

This is nonsense. The question is under specified. You don't demonstrate that something is underspecified by formulating a different well specified question. You demonstrate it by showing that there are multiple different potentially correct answers, and one can't know which one is the right one without obtaining some information not present in the question.

Let me show you that demonstration. If the machines are for example FDM printers each printing on their own a benchy each, then the correct answer is 5 minutes. The additional printers will just sit idle because you can't divide-and-conquer the process of 3d printing an object.

If the machines are spray paint applying robots, and the parts to be painted are giant girders then it is very well possible that the additional 95 paint guns make the task of painting the 5 girders quasi-instantaneous. Because they would surround the part and be done with 1 squirt of paint from each paint gun. This classic video demonstrates the concept: https://www.youtube.com/shorts/vGWoV-8lteA

This is why the question is under specified. Because both 1ms and 5 minutes are possibly correct answers depending on what kind of machine is the "machine". And when that is the case the correct answer is neither 1ms nor 5 minutes, but "please, tell me more. There isn't enough information in the question to answer it."

Note: I'm struggling to imagine a possible machine where the correct answer is 100 minutes. But I'm sure you can tell what kind of machine you were thinking of.

Let me also simplify my comment: “100 minutes” is not the correct answer to that question.

The obvious answer here is 100 minutes because it's impossible to perfectly encapsulate every real life factor. What happens if a gamma ray burst destroys the machines? What happens if the machine operators go on strike? Etc, etc. The answer is 100.

That actually would be quite feasible. Intelligence seems to be heritable and people will usually find friends that communicate on their level. So it wouldn't be odd for someone who is smarter than the general population to have friends and family who are too.

Had to be since their site lists no way to be a tester. In other words their service is a bunch of 7-13 year olds playing some loot box game.

Wonder where that is in the disclaimers.

Since most people live in social bubbles that would be a very plausible case, especially on HN.

If you're a college educated developer, with a college educated wife, and smart, well educated children, perhaps yourselves the children of college educated parents, and your social circle/friends are of similar backgrounds, you'd of course be "better than the general population".

Or by reasoning, do you mean something else?

I've seen plenty of smart people trip up or get these wrong simply because it's a random question, there's no stakes, and so there's no need to think too deeply about it. If you pause and say "are you sure?" I'm sure most of that 70% would be like "ohhh" and facepalm.

You can't really infer that from survey data, and particularly from this question. A few criticisms that I came up with off the top of my head:

- What if the number were actually 60% but half guessed right and half guessed wrong?

- Assuming the 30% is a failure of reasoning, it's possible that those 30% were lacking reason at that moment and it's not a general trend. How many times have you just blanked on a question that's really easy to answer?

- A larger percentage than you expected maybe never went to a car wash or don't know what one is?

- Language barrier that leaked through vetting? (Would be a small %, granted)

- Other obvious things like a fraction will have lied just because it's funny, were suspicious, weren't paying attention and just clicked a button without reading the question.

I do agree that the question isn't framed particularly badly, however. I'm just focusing on cognitive impairment, which I don't think is necessarily true all of the time.

The problem of "kids accessing the Internet" is a purposeful distraction from the intent of these laws, which is population-level surveillance and Verified Ad Impressions.

But laws alone won't fix this, and laws aren't necessary (except maybe a law that prevents kids from buying phones). In the article, the child's devices had parental controls, but they were ineffective. There's demand for a phone with better parental controls, so it will come, and more parents are denying access, so their kids will become less alienated.

We don't disagree on whether it is actually a problem, you just have your opinion about facts.

We also have no way to actually measure this even if we wanted to do an experiment. So comparing this very soft science to climate change is a bit out of pocket.

Sorry, WHAT? No way to measure it? My god, are we talking about the same thing? Are you sure you haven't missed past 12-24 months of increased reporting on the matter from several different angles, from cognitive skills, anxiety, sexual drive, and so on?

EOT for me.

Private actors are already offering verification as a paid service. They are accumulating vast troves of private date to offer the service.

I consider it a huge success of the Internet architects that we were able to create a protocol and online culture resilient for over 3 decades to this legacy meatspace nonsense.

> That being said, this is a 1 bit information, adult in current legislation yes/no.

If that's all it would take to satisfy legislatures forever, and the implementation was left up to the browser (`return 1`) I'd be all for it. Unfortunately the political interests here want way more than that.

https://en.wikipedia.org/wiki/Mahjong_Tiles_(Unicode_block)