@cybergibbons and that being able to quietly change something to collect passwords from careful users doesn't matter because you could set up an attack that only a user who's "not careful enough" might fall for. They don't seem to consider the idea that "my" bc-vault might request more either