I think Cloudflare WAF is a good product compared to other WAFs - by definition a WAF is intended to layer on validation that properly built applications should be doing, so it's sort of expected that it would reject valid potentially harmful content.
I think you can fairly criticise WAF products and the people who advocate for them (and created the need for them) but I don't think the CF team responsible can really be singled out.
Could you go into a bit more detail about this? Why is exposing devtools to the agent a problem? What's the attack vector? That the agent might do something malicious to exfil saved passwords?
The NHS does this calculus routinely using Quality Adjusted Life Years. Treatments that get more are favoured which is also how NICE decides what drugs the NHS should offer. There's obviously some utilitarianism in the decision to use QALYs but to some (including me) it seems a reasonable proxy metric to maximise.
Ultimately a sacrifice must be chosen, but I am not sure a discussion about how that should be made is necessarily fit for HN (though I'd be interested in how you'd resolve your proposed scenario).
I would offer a counterpoint: most software in existence was written by not-software-professionals in Excel (most likely poorly).
Within reason I think there is a rational basis for not having to involve software engineers for every project - especially if the SMEs with understanding of their requirements are the ones building it.
This will probably fall over in the same space as Excel spreadsheets do though, when the domain complexity outgrows it, way before anyone is able to recognise that.
The only reason the world hasn't collapsed into a giant puddle of N-squared recursive CPU execution is because Excel's limitations place natural boundaries on the blast-radius of any single SME's poorly built software before they are forced to engage someone who has at least SOME idea WTF they're doing.
I say this as someone who is much closer to the SME end of the spectrum than the Software Engineering Professional end.
Yes, if the key isn't in the TPM then it can't be sniffed. Secure boot would need to be enabled to protect against the threat model BitLocker is only good for here. Alternatively using a PIN would mean the key is only exposed once the PIN is typed (still vulnerable to a hardware attack, but requires physical modification).
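As an added example (not part of the comment above), a PowerShell check for the configuration the comment contrasts: BitLocker volumes protected by a bare TPM protector with no PIN, reported alongside the Secure Boot state. It assumes the Windows BitLocker module, UEFI firmware and an elevated session; the function name Get-TpmOnlyBitLockerVolumes is mine.

```powershell
# Added check, not from the comment: find volumes whose key protector set
# releases the volume master key at boot without a PIN (TPM-only).
# Assumes the BitLocker module (Get-BitLockerVolume) and UEFI firmware.
function Get-TpmOnlyBitLockerVolumes {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpmOnly = $types -contains 'Tpm'
        $hasPin     = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        # Only report volumes that are actually protected and rely on TPM-only.
        if ($vol.ProtectionStatus -eq 'On' -and $hasTpmOnly -and -not $hasPin) {
            [pscustomobject]@{
                MountPoint = $vol.MountPoint
                Protectors = ($types -join ',')
                SecureBoot = $secureBoot
                Finding    = 'TPM-only protector: key released at boot with no PIN'
            }
        }
    }
}

Get-TpmOnlyBitLockerVolumes | Format-Table -AutoSize
```

A volume listed here with SecureBoot false matches the weakest case the comment describes; adding a TpmPin protector (manage-bde -protectors -add -TPMAndPIN) is the mitigation it suggests.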
A cow is in a sense a factory producing various proteins, fats, and carbs from grass. Does putting it into something "natural" reset it? I would imagine that red meat isn't a UPF by definition as it's only been through one process, but would argue that the inconsistency with fake meat clearly feeling processed is definitely interesting. Also interesting is perhaps that red meat is presumably not UPF but is carcinogenic.
In that sense a plant is as much a factory as an animal, and all foods are processed before they are harvested.
If this is an argument that "processing" isn't really a useful concept, I'll disagree, because it's clear that post-harvest processing has a very significant effect.
IIRC some of the Snowden leaks alleged that (at least at the time) domestic traffic couldn't be surveilled (but this was solved by mutual assistance across the Atlantic - the British would spy on US citizens and vice versa[1]).
VPNs seem useful to guarantee that your traffic is designated as foreign, so this might be a net gain for the intelligence services rather than a loss - the mandatory collection of ICRs only relates to IP addresses and time of access.
What you're describing as "known" was not known. If you remember, the ACLU attempted to take the government to court over the Presidential Surveillance Program several years before the Snowden Revelations. They lost because they didn't have evidence.
The government had classified evidence of their crimes making possessing evidence of them breaking the law illegal. SCOTUS ruled that they couldn't charge the government of a crime without possessing that evidence.
Snowden gave us that evidence allowing citizens to, once again, bring charges against the government in 2013 and win the case in 2017.
Some rumors are true. Some rumors are false. Rumors do not a court case make. The Snowden Revelations do.
Most Kickstarter campaigns I get shown on FB are from third party services that just upload the Kickstarter breach list (my email is in it). Could that have happened to you?
The web extension honor system "security" model is broken because that extension that prints Hello at the top of the page might later be modified by a malicious actor to do something else [1].