back to article How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse

Despite multi-factor authentication being on hand to protect online accounts and other logins from hijackings by miscreants for more than a decade now, people still aren't using it. Today, a pair of academics revealed potential reasons why there is limited uptake. Spoiler alert: it's because, apparently, there isn't enough …

  1. chuckufarley

    Wanting to use 2FA is one thing...

    ...but being able to use it is another. Almost all websites do not support it. Not even El Reg.

    1. Ole Juul
      Coat

      Re: Wanting to use 2FA is one thing...

      Not only that, but it appears that any USB device is potentially hackable because of issues with USB itself. From what I can read, that leaves cell phones for 2FA, which don't have connectivity in some buildings and areas. I'm not entirely convinced that a longer video will solve those problems.

      1. Dan 55 Silver badge

        Re: Wanting to use 2FA is one thing...

        I can read, that leaves cell phones for 2FA, which don't have connectivity in some buildings and areas.

        Why should it need connectivity, if they're doing 2FA properly it should base codes on a shared secret.

        1. DougS Silver badge

          Re: Wanting to use 2FA is one thing...

          Furthermore, the phone is something you carry with you already. I have never been interested in 2FA that uses a special device because I don't want to have one more thing to carry around and potentially lose. If it is needed to login to something for work that's fine, because I have a bag for my laptop I can put it in and won't have the laptop without the bag.

          And does anyone really expect to plug a USB device into their phone, when you take your phone with you everywhere? What are you going to do, carry it on a keychain, so you have a bunch of keys hanging out the bottom of your phone? Yeah right. That's the problem with a special device right there - it can't be universal for your computer(s) and phone/tablet.

          Since your phone ALREADY has a way of identifying yourself built in, just use that. Fooling a fingerprint reader or face scanner requires physical presence, you can't unlock the secret remotely (at least not with an iPhone, or presumably any modern Android that has an equivalent of the secure enclave) and if someone can get physical possession of my phone they can get physical possession of my USB dongle...

          1. Rich 11 Silver badge

            Re: Wanting to use 2FA is one thing...

            Furthermore, the phone is something you carry with you already.

            Speak for yourself.

            1. DCFusor Silver badge

              Re: Wanting to use 2FA is one thing...

              I don't have one (or the associated monthly bill). But I heard right here at The Reg that if you give one of the biggies (FB was named) your mobe number for 2fa, they then use it for other things, it's an excuse to data-mine.

              Frankly, I'm not vain (or rich) enough to think most of my accounts are worth the effort to run a password attack on. For those...well, yeah, I do careful management indeed. But that's not the bulk of the passwords/logins I have by a huge fat margin.

              I'm even the type to have set up a separate, small, debit card account to use online - people do have that number - but I never keep more than a couple bucks in it until just before I click the "place your order" button. Nice thing online banking and a good banker let you do. I set up the underlying account to DISABLE overdraft protection...which banks hate as they get fees from that, but...hackers, have at, most you're gonna get is around $2...while leaving some trail back to yourself. I did this because I was once hacked - and that guy did time in the greybar hotel as a result. Don't get mad...get...well, you know.

            2. Rich 11 Silver badge

              Re: Wanting to use 2FA is one thing...

              I can't believe* I got downvoted for not carrying a phone.

              It's not my fault I don't have friends who want to speak to me every second of every day, or that I don't absolutely need to speak with them at a whim, or that I don't feel a compulsion to install a Facebook app let alone use it. Unless I'm going out of town for a few days my phone is a fucking expensive alarm clock, that's all.

              *Well, alright, maybe I can.

          2. Ben Tasker Silver badge

            Re: Wanting to use 2FA is one thing...

            > And does anyone really expect to plug a USB device into their phone, when you take your phone with you everywhere? What are you going to do, carry it on a keychain, so you have a bunch of keys hanging out the bottom of your phone? Yeah right. That's the problem with a special device right there - it can't be universal for your computer(s) and phone/tablet.

            My Yubikey lives on my phone. It's got a USB interface for plugging into the PC/Laptop, and NFC support for the phone to communicate with.

            It really need not be nearly as hard as you make out.

            The problem with relying (just) on your phone is you're screwed if you break or lose it. So you already need to have a backup route. Mines a second yubikey that lives in my safe, as well as a couple of little U2F dongles that live in offsite locations

            1. JohnFen Silver badge

              Re: Wanting to use 2FA is one thing...

              "My Yubikey lives on my phone. It's got a USB interface for plugging into the PC/Laptop, and NFC support for the phone to communicate with."

              Since my phone is the least secure and trustworthy device I own and use, I don't (and won't) use it for any 2FA-related purpose.

          3. LDS Silver badge

            "Since your phone ALREADY has a way of identifying yourself built in"

            Not every phone. Usually, only the most expensive ones. You can't tie a service availability to be able to buy expensive phones too. Anyway, a phone used for too many different tasks can be compromised - and then even biometric authentication is not so secure. Sincerely, I don't like the "all eggs in one basket" approach, especially for very sensitive tasks. What could be acceptable to log-in to ElReg may not be acceptable to approve a $$$$$$$$$ transaction through my bank.

            1. DougS Silver badge

              Re: "Since your phone ALREADY has a way of identifying yourself built in"

              Who says that using your phone has to be the ONLY alternative? It is a simple "something you have" that also offers an extra level of authentication which cannot be bypassed remotely, which makes it pretty damn secure. Dunno about Android, but biometric authentication on an iPhone is VERY secure, Apple has never had an exploit against the secure enclave.

              That it is possible to fool Touch ID or Face ID is irrelevant - someone needs physical possession of my phone for that, and take the time/trouble to set things up to fool it, and that only gets the one of the two factors. They'd also need my login/password to my bank account, and hope they can use it before I can revoke that phone as a 2FA method. If they get all that I guess I deserve to have my money stolen.

              I'd feel totally comfortable using my phone as the 2FA for my bank or brokerage account. Obviously you'd need some sort of backup 2FA method since phones can break or be lost/stolen, but that's the case with every physical 2FA.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Since your phone ALREADY has a way of identifying yourself built in"

                "phones can break or be lost/stolen, but that's the case with every physical 2FA."

                Which is exactly why NO physical 2FA will work for me.

                I lose things constantly. Sometimes I find them in an hour, sometimes in a month, sometimes in three years. Shorter periods are more common, but a dozen times a day something goes missing. On a good day.

                This will happen - there is nothing I can do about it. The medical condition underlying this affects approximately 8% of the population and the percentage is increasing.

                I can remember a password - or find a copy of a sufficiently replicated encrypted data package.

                The value of the item, or its importance, or usefulness does not affect the chance of loss. My smartphone has vanished for up to a year at a time. More valuable things have been gone longer. Once it was paper documentation worth tens of thousands, and it took more than a decade to find that.

                The one thing that helps is something that is too large, too heavy, or otherwise immobile. A computer always plugged into a wall and a network and two or three monitors with cables is a good choice.

                On the other hand, every password I use is complex, unpredictable, and used for only one security domain, whether a site, a computer or an SSO authentication system.

                If someone needs 2FA to be secure, fine... just as long as the rest of us retain the ability to decline that and keep using passwords.

                Currently there are no better alternatives for many of us.

          4. gnarlymarley Bronze badge
            WTF?

            Re: Wanting to use 2FA is one thing...

            Furthermore, the phone is something you carry with you already.

            Not everyone carries a phone with them.

            Also, the phone is not as secure as you think. There is the sim card swap which means hackers can put in your number and get texted your username. Then repeat it to reset your password. So effectively by trying to implement the 2FA as it is today means less security than then without it.

            1. Dan 55 Silver badge

              Re: Wanting to use 2FA is one thing...

              SMS is not really 2FA. A TOTP client running on it is.

            2. DougS Silver badge

              Re: Wanting to use 2FA is one thing...

              The phone is perfectly secure if you use it as I described in my post (which you quoted from) rather than be stupid and use SMS. That's like saying a high security safe in a bank isn't secure, because it is possible to leave the door open.

        2. Ole Juul

          Re: Wanting to use 2FA is one thing...

          "Why should it need connectivity, ... "

          Sure, but for those of us in areas where there is no cell connectivity (most of rural Canada), we often don't have, let alone carry, a cell phone.

          Also, pardon my ignorance, but how would I connect a cell phone to my computers? Do I need to install some kind of USB wireless device? I am indeed interested in 2FA, but it seems that there are different explanations of how to do it, each with a different set of unexpressed assumptions.

          1. DougS Silver badge

            Re: Wanting to use 2FA is one thing...

            You wouldn't connect it to your computer physically. It could interface with Bluetooth, but failing that it could work just like a standalone security device, and when you open (and authenticate yourself, if you want security above the standalone security device) and it shows a 6 or 8 digit number which is good for one minute, that you will be challenged to provide to login in lieu of a password which can be easily stolen.

          2. doublelayer Silver badge

            Re: Wanting to use 2FA is one thing...

            "Also, pardon my ignorance, but how would I connect a cell phone to my computers? Do I need to install some kind of USB wireless device? I am indeed interested in 2FA, but it seems that there are different explanations of how to do it, each with a different set of unexpressed assumptions."

            There are many ways to authenticate with something physical. A good system will let you choose, which throws out some companies, unfortunately. However, a good system will look like Duo Security (I am not in any way connected with that company. I just use their product to authenticate some places. I don't administer it either, this is purely a user's view).

            With this system, you have a few options to authenticate. After you log in with your username and password, you are presented with a list of choices, so you can have multiple active options and use the one that is going to work. The options available include these:

            1. Their primary suggestion is their own mobile app. You get a push notification, but it is not connected to your phone number. You have to have an internet connection for that to work, and you authenticate by pressing a button on your phone.

            2. A code, also from their app. This is used if you don't have a connection (the code changes every thirty seconds based on a secret known to your phone, and becomes invalid afterward. Duo's is a 6-digit code that you enter on the thing you're logging into.

            3. A phone call/SMS to an approved number, meaning you can use a landline. You do have to log in with proper credentials or that won't work, but that one could be abused by a local attacker.

            4. A USB token like the ones mentioned in the article, either one that only works with Duo's system which the administrator probably has a gigantic box of, or an independent market one that works with a lot more (what I have).

            This does not require that the thing you're connecting to having or allowing a USB device, or your phone having a connection at all times. If you simultaneously don't have a smartphone, don't want a USB device, and don't have any kind of phone with service, then I don't think there are other options. Still, this means you can use the authentication using a number of paths.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Not even El Reg.

      FWIW our publishing system uses multi-factor authentication. It is mandatory: you cannot login to write, edit, publish, and manage articles without it.

      So there's hope yet it'll be rolled out to comments.

      C.

      PS: We get our little red Reg badge when we post or reply to comments via the publishing backend.

      1. Arthur the cat Silver badge

        Re: Not even El Reg.

        [MFA on El Reg's web site.]

        So there's hope yet it'll be rolled out to comments.

        Which rather defeats the option to comment anonymously. Personally I'd prefer to live with a few trolls in order to get the anonymous insider comments we occasionally have on sensitive subjects.

        1. JohnFen Silver badge

          Re: Not even El Reg.

          A assume that 2FA would not be required in any case, and that it certainly wouldn't be used for anonymous posts -- that would be impossible since there's no identity to verify with anonymous posts.

      2. Anonymous Coward
        Anonymous Coward

        Re: Not even El Reg.

        In which case some of us will never be able to comment.

        That would be regrettable.

        1. doublelayer Silver badge

          Re: Not even El Reg.

          You have to log in to post anonymously anyway; the post is just not attributed to your account. The 2FA gets you into your account, and then you still don't have to attribute a post to you. The two seem entirely compatible.

    3. Dan 55 Silver badge

      Re: Wanting to use 2FA is one thing...

      For websites see https://www.turnon2fa.com/tutorials/ and https://twofactorauth.org/.

      Even PayPal has it but it's pretty well hidden.

      1. K.o.R
        Unhappy

        Re: Wanting to use 2FA is one thing...

        PayPal UK is SMS only as far as I can tell.

        1. Absinthe

          Re: Wanting to use 2FA is one thing...

          Paypal UK can work with 2FA. I have been using Verisign's VIP Access 2FA app for a few years with Paypal UK. I recall it was set up as a security key (rather than mobile phone), and you then need to append the six digit 2FA code to the end of your password to log in.

        2. Dan 55 Silver badge

          Re: Wanting to use 2FA is one thing...

          I followed the instructions in the link and was able to use my TOTP client for PayPal. No SMS or mobile number involved.

  2. Like Magic

    VIDEO Link

    unlike the register to leave out the link to the video - would be great to share

    1. diodesign (Written by Reg staff) Silver badge

      Re: VIDEO Link

      I'm not aware of the video being public - Iain, who wrote the piece, got the article's info from going to the researcher's presentation at RSA in SF this afternoon.

      C.

    2. IainT

      Re: VIDEO Link

      The video is apparently on Camp's account under a creative commons account. RSAC's wi-fi was so poor I couldn't find it and file. I'll ask.

      1. hammarbtyp Silver badge

        Re: VIDEO Link

        RSA WiFi is not poor, its just over secure :)

        Here's the RSA one

        https://youtu.be/UH9yWvvp4k8

        Not sure about the toothbrush bit though

  3. Blockchain commentard Silver badge

    Anyone asked Facebook about the monetary benefits* of 2FA?

    * For themselves obviously.

    1. LDS Silver badge

      Well, RSA has some monetary benefits as well, as it sells MFA systems and devices....

    2. Andy The Hat Silver badge

      Yes Facebook, here's my mobile phone number for 2FA, take it as it will increase my security.

      What? You've used the number as part of my personal profile data for your own commercial ends?

      Ok, so I'll give you my face, my fingerprint, my DNA sample ... Is there anything else you need to enhance my security? I have faith that you are not going to use them in some clandestine way too ...

      MFA in itself may rely on trust which, as we (allegedly) see with Facebook, simply isn't there.

    3. DougS Silver badge

      The real question

      Is why would anyone consider Facebook something they need to protect via 2FA? Maybe if you are a celebrity or big business that has a page followed by many people where a compromise could damage your reputation, but an individual has no reason to care.

      1. DCFusor Silver badge

        Re: The real question

        Some people are dumb enough to use "login with facebook"?

        If you can do that, then the attack surface is a little bigger.

      2. FrogsAndChips Silver badge

        Re: The real question

        Because your FB account could be used as a first step in a social engineering attack, using personal data from you or your friends.

  4. Hermann
    Black Helicopters

    The elephant in the room

    > why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication

    I am not 100% confident with Google-based stuff, especially after Nest controversy

    1. LDS Silver badge
      Big Brother

      Re: The elephant in the room

      Right. I don't trust any 2FA backend run by ads-placement-seller-and-data-slupers like Google or the like. Nor I trust any OS or app offered by the same companies for the same task.

      Not surprisingly, Facebook was caught using its 2FA system to match, identify and search people as well.

      There's also another issue: or you use different, disjointed 2FA "devices" for each "service", or if the same strong authentication is used, it uniquely identifies a user itself - and becomes a powerful tracking technique. Maybe not by the service being accessed, but the auth backend knows who is accessing what and when.

      Thereby, how many tokens/application/etc we should carry around? Do some of those devices allow for different "identities" to avoid tracking?

      1. Dan 55 Silver badge

        Re: The elephant in the room

        Right. I don't trust any 2FA backend run by ads-placement-seller-and-data-slupers like Google or the like. Nor I trust any OS or app offered by the same companies for the same task.

        Try FreeOTP+. Allows backup with export/import to/from a file.

      2. really_adf

        Re: The elephant in the room

        Thereby, how many tokens/application/etc we should carry around? Do some of those devices allow for different "identities" to avoid tracking?

        I think this is the intention, if not a requirement. See the first paragraph here: https://www.w3.org/TR/webauthn/#intro

      3. Anonymous Coward
        Anonymous Coward

        Re: The elephant in the room

        if the same strong authentication is used, it uniquely identifies a user itself - and becomes a powerful tracking technique. Maybe not by the service being accessed, but the auth backend knows who is accessing what and when.

        ==========================================================

        Which also means they will be hacked to get your information.

        Furthermore, any phone based 2FA that is not contained entirely in the phone so you can use airplane mode means that you can be physically located at login time when you contact the auth back end... lots of bad security possibilities.

        For that matter if your location information leaks, your location history can retroactively spill information when linked to authentication times.

        1. doublelayer Silver badge

          Re: The elephant in the room

          This is a real problem. I have done this by having multiple auth tokens (one for corporate systems, one for personal systems, and one that I got because you could program it to do different things). I'm planning to change the firmware on the programmable one to hold multiple keys and use a series of button activations to choose the one to use. It seems very straightforward to do, and entirely capable of that. It may be possible to replace the firmware on more typical keys as well, but I don't know for sure. Also, as a bonus, when I finish with that idea, someone who steals it will have the fun experience of trying to figure out exactly what pattern of button presses I've set for my keys. They're very hard to steal and nobody wants it that badly, but I kind of want it to happen just so I can imagine someone getting annoyed trying to use it maliciously.

  5. Anonymous Coward
    Anonymous Coward

    Office 365 MFA is fun

    I set it up for my organisation last year and, whilst the backend is merely awful (web pages that have a few lines of text, no common navigaiton structure with the rest of the O365 admin area), the setup for the desktop Outlook application is bonkers. Newer Office apps (Teams etc.) can utilise the MFA SMS / authorisation apps but Outlook needs a password. Not your O365 password, no - that would be insecure. Outlook requires a system-generated 15 character (always all letters, all lower case) one that the user then has to type or paste in; the app remembers it but they will need it (or need to generate another - multiples are allowed) if they wish to open Outlook on a second Windows device. What do MS think most users going to do with such a password?

    The whole system is a nightmare and not easy to use, never mind administer; I wouldn't blame any admin not implementing it, never mind a user for resisting it. I've only been a user of other systems (gmail, Apple, BitDefender etc. etc.) but they are all simple, intuitive and logical in comparison.

  6. teebie

    "it wasn’t usability, because we changed the instructions to make those easier"

    Alternative explanation: the new instructions still aren't good.

  7. Ben Tasker Silver badge

    > With less than 10 per cent of Gmail users logging in with two-step authentication, last time we checked, there’s clearly a long way to go

    That, in fairness, is partly Google's fault.

    They've sort of made provision for stuff you can't 2FA to log into your account - you can create a dedicated 'app password' for those. Except, that the flow is - app logs in with that password, exchanges it for a token and then uses the token going forward.

    So, if something you need to use only speaks standard compliant stuff like IMAP and POP rather than google specific authentication bollocks, you cannot have 2FA turned on on that account. Backing your mail up with getmail being a prime example.

    Which is patently fucking stupid. Yes the app password means there's a potential way to login without 2FA, but it gives limited access (i.e. just to the mail rather than to the account) and is easily revoked. Instead, you have to leave the entire account wide open across Google's services. That's Google letting perfect be the enemy of good there IMO.

    1. Dan 55 Silver badge

      I believe app passwords are compatible with the "is this you logging on now?" notification on Android and the list of 10 one-time login codes in case the phone is stolen.

      1. Ben Tasker Silver badge

        thanks, though neither help in this case. Its a cronjob that logs in to pull specific mails down into a mhonarc archive.

        Not a common use-case I admit. Google have never given a fuck about their auth scheme breaking things, even when thunderbird couldn't handle it.

        I really should just stop using them, but lack the time to sit and think a replacement through properly

        1. Anonymous Coward
          Anonymous Coward

          I really should just stop using them, but lack the time to sit and think a replacement through properly

          --------------------------------------------

          Just find an ISP that does email, that you will never use for connectivity, and that supports encrypted SMTP and IMAP and you are good.

          If your country has bad rules about privacy and monitoring, choose one in another country that doesn't.

          Use a carefully chosen no-log VPN service for all connections from your computer, and use Thunderbird with encrypted SMTP and IMAP, and enigmail/PGP where possible.

        2. nagyeger

          urm, correction.

          I've got fetchmail running via cron quite happily on 2fa'd gmail accounts.

          You just need to give your email a slightly bigger attack surface - and yes, I mean that.

          If you go to the right bit of their website and click in the right places, they issue you with an 'application password' - a medium-sized random string - for you to cut and paste into your fetchmail/grabmail/etc config file.

          It probably won't work to login via webmail, but it works for IMAP clients.

          1. Ben Tasker Silver badge

            Re: urm, correction.

            As I mentioned in the original post, I've already gone the application password route. Didn't work.

            Well, technically, it did - once. The first run was fine, and then Google stopped accepting the password (because it should then have been swapped for a token).

            Sounds like fetchmail have added support for Google's auth flow. Unfortunately there are reasons I'm using getmail and not fetchmail, though I really should revisit whether those are still valid

      2. Anonymous Coward
        Anonymous Coward

        And you are supposed to keep track of this list of one time codes exactly how?

        Sticking copies up on the refrigerator at home, the whiteboard in your office, in your wallet, and in the console of your car?

        Which then get lost, buried, or moved?

        Just let them set a good, secure password of their own design.

  8. insane_hound

    I use the toilet line in my new starter training.....

    gets a laugh / groan every month

    1. Korev Silver badge
      Joke

      Re: I use the toilet line in my new starter training.....

      Maybe the presentation's crap...

  9. Lee D Silver badge

    Just reminds me of the "You wouldn't download a car" campaign.

    Yes I would, if I damn well could. And it's just a very poor analogy in the first place.

  10. Anonymous Coward
    Anonymous Coward

    RSA still around?

    I would have thought World + Dog would dropped RSA after they were exposed for weakening all RSA systems for the US Gov, which of course ended up biting them in the arse when the OMP data was hacked due to the Exact Exploit they had RSA put in for them.......

    Trust is earned and lost by actions - RSA lost trust by putting back doors in everything, even if it was just once - which we don't know. Some how Cisco back doors haven't had the same effect - yet.

  11. JohnFen Silver badge

    Not an argument for 2FA

    That's an argument against password reuse, not an argument for 2FA.

    You know why I don't use most 2FA systems? Because they rely on service providers that I don't trust. (I do use 2FA that I run myself).

  12. Anonymous Coward
    Anonymous Coward

    What would get me to use MFA

    Five different hardware security keys, by different manufacturers, all tied to my account, I can use any of them with the same password to log in and I can revoke the others if I lose them.

    1. doublelayer Silver badge

      Re: What would get me to use MFA

      If it's a good system that supports FIDO and U2F, you should be able to do that. Naming the individual keys is a bit annoying, but it works and revoking access is easy. Then again, I'm sure that a lot of places don't bother to implement that properly.

  13. Norman Nescio Silver badge

    Resilience

    2FA is great in principle.

    In practice it is not the use of 2FA that is the problem, it is the ancillary activities, for example:

    1) How do you ensure you have a trustworthy 2FA device? What process should you follow in obtaining one to ensure it isn't bogus, loaded with hacked firmware, has a borked RNG etc?

    2) Once you have a 2FA device, what do you do if it breaks, gets lost, or malfunctions. How do you know it is malfunctioning?

    People pretty much know what to do with passwords, but the understanding around the use of 2FA devices is far less prevalent. It's just another electronic doodad that can break, or get lost. Should you let someone else have possession of it temporarily? Can you safely send it in the post to someone? Can two people share one? None of these are questions that security professionals have a problem with, but your average end user generally has a far better understanding of the issues surrounding passwords than they do of the (potential) issues surrounding multi-factor authentication.

    The fun starts when your vague and slightly forgetful relative puts their security token through the washing machine for the third time in six months and can't pay their bills until the bank supplies a new one. Or, perhaps they've encrypted some important documents and the decryption key was stored with no backup on a device that has just failed (because it went through the W/M, again). At least passwords are easy to copy and the copy can put put in an envelope and stored in your lawyer's safe, or a bank safety deposit box. I have enough trouble with someone who has no familiarity with technology, and for the life of them cannot remember the difference between the Windows logon password, the WiFi password for their home network, and their GMail password. I will need an entire pantheon of divine helpers if they are ever forced to use multi-factor authentication. It is absolutely no surprise that the take-up of multi-factor authentication is so low.

  14. John Slater
    Coat

    If you don't like puns, look away now

    This is a new highly secure procedure, henceforth to be known as Yuck Factor Authentication

  15. Anonymous Coward
    Anonymous Coward

    Two factor authentication, like biometrics, is a bad solution to a problem that can be mitigated in simpler, more reliable ways.

    1. doublelayer Silver badge

      More explanation is required for that statement. We all know about the biometrics problem (can't change them, you carry them with you where people can steal copies, etc.). Those don't apply to 2FA. So what are the problems you're referring to and what are the "simpler, more reliable ways" to fix it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019