Kurt Got Got
Reactions to the Fly.io phishing incident & tone
- Many readers praised the post as transparent, self-deprecating, and human; others felt the meme-y framing and jokes about a “Zoomer meme hire” read as PR spin or “unserious business” vibes.
- Several argue the key lesson is that anyone can be phished, including highly technical people and CEOs, especially under time pressure and panic.
- Some worry Fly.io underestimates impact on users who might have followed the scam link from the compromised account, and question potential liability.
Twitter/X as a weak link
- Fly.io staff emphasize that core infrastructure is behind SSO with phishing-resistant MFA; Twitter/X was deliberately outside that perimeter because they “didn’t take it seriously enough.”
- Commenters push back: even if not an operational dependency, a verified social account can be weaponized (e.g., fake “critical security vulnerability/update now” tweets) to hurt customers.
- There’s also moral criticism of relying on Twitter/X at all, given its ownership and politics.
Password managers, autofill, and human fallibility
- Several note that password managers can help detect phishing by refusing to autofill on mismatched domains—but only if users respect that signal and don’t copy‑paste manually.
- Multiple anecdotes show the same failure mode: autofill doesn’t appear, users assume “buggy password manager,” and paste credentials anyway.
- Some disable autofill deliberately to force more conscious interaction; others argue that undermines one of the strongest practical phishing defenses.
Passkeys, FIDO2, and SAML vs OIDC
- Strong support from some for passkeys/FIDO2 as the only truly phishing‑resistant option: the credential won’t authenticate to the wrong origin no matter what the user clicks.
- Others criticize passkeys as confusing, hard to back up, and constrained by vendor ecosystems; they point out that reset/backup flows remain phishable.
- On SSO, Fly.io favors OIDC and refuses to implement SAML unless forced, calling SAML insecure and footgun‑laden; enterprise‑focused commenters counter that SAML’s IdP‑agnosticity is essential and widely required.
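As an added illustration of the origin-binding point above (example code, not from the Fly.io post or the thread), this shows the relying-party-side checks that make a WebAuthn/FIDO2 assertion phishing-resistant: the browser, not the page, writes the origin into clientDataJSON, the authenticator stamps the RP ID hash into authenticatorData, and the signature covers both, so an assertion produced on a look-alike domain fails before any signature check. The domain names, challenge and layout helpers are constructed for the demo; signature verification itself is omitted.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample relying party (not from the page).
RP_ID = "fly.io"
RP_ORIGIN = "https://fly.io"

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def make_authenticator_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """authenticatorData returned on getAssertion:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")

def make_client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON is built by the browser, which fills in the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def signed_message(authenticator_data: bytes, client_data: bytes) -> bytes:
    """What the credential's private key signs: authData || SHA-256(clientDataJSON).
    The origin sits inside clientDataJSON, so it cannot be edited after signing."""
    return authenticator_data + hashlib.sha256(client_data).digest()

def verify_assertion(authenticator_data: bytes, client_data: bytes,
                     expected_challenge: str, expected_origin: str, expected_rp_id: str) -> str:
    """Relying-party checks that precede signature verification.
    Returns "ok" or the name of the first failed check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad-type"
    if cd.get("challenge") != expected_challenge:
        return "bad-challenge"      # replayed or stale assertion
    if cd.get("origin") != expected_origin:
        return "bad-origin"         # assertion was produced on another site
    if authenticator_data[:32] != rp_id_hash(expected_rp_id):
        return "bad-rp-id"          # credential is scoped to a different RP
    if not authenticator_data[32] & 0x01:
        return "user-not-present"
    return "ok"

def demo(origin_user_is_on: str, challenge: str = "constructed-challenge") -> str:
    """Simulate a login attempt from the given origin against the real RP's verifier.
    The browser derives the RP ID from the page's own host, so a look-alike cannot claim "fly.io"."""
    rp_id_seen_by_browser = urlparse(origin_user_is_on).hostname
    auth_data = make_authenticator_data(rp_id_seen_by_browser)
    client_data = make_client_data(origin_user_is_on, challenge)
    return verify_assertion(auth_data, client_data, challenge, RP_ORIGIN, RP_ID)

if __name__ == "__main__":
    print(demo("https://fly.io"))                # ok
    print(demo("https://fly-io-login.example"))  # bad-origin
```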
Phishing training, simulations, and user blame
- Pen‑testers report phishing and social engineering “work every time,” including via staged USB drops.
- A cited paper (also in the Fly.io post) says phishing training has limited real‑world effect; yet regulated industries must still run and document it.
- Some complain corporate phishing exercises are either too obvious (teaching “vibes” instead of real skills) or so aggressive they make employees stop trusting internal email.
- Multiple people stress that calling users “idiots” misses the core problem: systems and protocols should be secure by design, not dependent on perfect user vigilance.
USB/BadUSB and wider security design
- Long subthread discusses rogue USB devices posing as keyboards or exploiting drivers (BadUSB, Stuxnet parallels).
- Consensus: as long as OSes implicitly trust new HID/USB devices, a simple act like plugging in a thumb drive can be catastrophic; mitigations include stricter device whitelisting and better OS prompts.
Perception of Fly.io as a company
- Some customers express ongoing frustration with Fly.io reliability and communications, contrasting “cool, jokey” blog tone with their desire for more conventional, boring‑reliable operations and support.
- Others defend small‑company reality where leaders still handle operational details and argue the security posture around core infra seems solid; the mistake was treating Twitter as outside the blast radius.