* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

FOURTH bank hit by SWIFT hackers

Charles 9

The usual ways: smurfing, money laundering, and mules.

Hacked in a public space? Thanks, HTTPS

Charles 9

"And without that there's no way on the network of reliably telling who's who, and without that we're doomed to have a network pretty much like the Internet currently is."

In other words, the Internet is going to become a doom zone no matter what because it can either be stateless (and eventually a zone of anarchy) or stateful (and eventually a police state). It's Pick Your Poison with no third option available because "they know you" and "they don't know you" is a strictly binary state.

LinkedIn mass hack reveals ... yup, you're all still crap at passwords

Charles 9

Social Engineering.

They can glean information off your "throwaway" accounts to learn more about you to pull off social engineering attacks so as to perhaps execute a password reset attack on a higher-profile site.

Think of it like a social version of privilege escalation.

Charles 9

Re: Passwords are rubbish and a single point of failure

And what if people don't routinely carry a second factor with them (say they hate cell phones)?

Charles 9

Re: Advice please

WHY do people need to change their passwords periodically if people follow the best practice of using a different password for each and every site? If the password's been breached, it won't work anywhere else, and odds are the password gets breached before ANYONE knows about it, making the whole "change the password" exercise moot as odds are the criminal will change the password THEMSELVES once they have it--to block backhacking.

IOW, with password managers and different passwords for every site, it's either too early to worry about or too late to do anything to fix it, with no middle ground.

Charles 9

Re: Advice please

But it seems the "least bad" solution there is for someone with a bad memory. Unless you're saying the least bad solution still isn't good enough...

Charles 9

"Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now."

Only thing is, we're realizing all these "least bad" solutions are not acceptable. So we need an alternative that is better than the least bad solution out there, and we need it soon before the whole house of cards collapses in on itself.

Charles 9

Re: Attitudes to risk

"Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft."

But you could always have motivated enemies out to target you specifically or one who just feels like putting forth extra effort, like you say, so as to steal an identity and milk it for all its worth (one big haul versus many little ones) much like sociopathic stalkers who groom their victims over time.

Charles 9

Re: Advice please

So what happens when a zero-day drops a keylogger onto one of the devices and nabs your master password?

Charles 9

Re: 987654321

No, because people know there are numbers above 31 and start looking for other sources of numbers. Clocks and times provide up to 60 in this case, and years can cover any lottery spread there is right now.

Charles 9

Re: I didn't expect this.

"In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative."

What if someone produced a true reductio ad absurdum that showed that anything other than passwords is provably worse than passwords, which we know to be unacceptable because people can have bad memories. Then I have to wonder where we go from there...

Charles 9

"And if you answer biometrics, you've lost."

And if you answer anything OTHER than biometrics (because for many people biometrics is all they have, literally. No phones and terrible memories for anything else), you've lost, too.

Meaning we're lost either way. Meaning it's a lost cause...

Charles 9

Re: Attitudes to risk

But the problem is, what if you ALSO accidentally dropped a bit of a bill or something else that can identify you more completely. Then that shoddy shed lock just became an inroad to social engineering or even identity theft. That's why ANY site with a bad password can be risky. ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity.

Victims stranded as ID thieves raid Aussie driver licences

Charles 9

"Why are credit agencies etc using the licence number if they are a target for identity thieves?"

Probably because they need a permanent ID number to be able to report to the government for whatever reason. It's one reason US Social Security numbers are still used sometimes even though the government discourages its use: because some aspect of their business requires it (say an employer or a medical provider).

Charles 9

Re: circumvent

"I do think the zero alcohol limit for new drivers is a good idea though"

You can't set the bar lower than .02 BAC because that's about the NATURAL level for your average human (are there really people like Vimes who have a naturally low BAC that makes them a bit knurd by nature?). And a low bar would really suck for a person with a high natural BAC or who regularly uses mouthwash...

Pointless features add to browser bloat and insecurity

Charles 9

Re: Study fails to consider one thing... Flash

"I'd also like to see as much effort going into fixing the web advertising as has gone into these seldom-used features. Not killing it, fixing it, so that publishers get paid, users are not tortured, privacy is respected, advertising ceases to be a malware vector, sites are not slowed to a crawl, and we no longer need an ad-blocker just to have a usable browser. I'd like to see a serious effort to impose a code of conduct and technical guidelines on advertisers, and war waged on those that don't fall into line. Something along the lines of this - audio/video ads only allowed to be delivered with audio/video content, otherwise static header and sidebar ads only, all ads to be surrounded by an advertisement border or watermark, etc. We've got to reach an end to the advertiser arms race, and sites that break those rules and use abusive practices should start finding themselves in the malware blacklists."

You can't fix it. The ad arms race has been going on for OVER A CENTURY now. Heck, the scourge of ads has been in literature since at least World War II (read First Lensman, for example: written during World War II). Advertisers are like roaches; they'll survive nukes. And net-goers are too conditioned to freebies to go back to the old CompuServe walled garden business. Bad guys will ALWAYS be able to infect ad networks simply because they now have the resources to perfectly mimic legitimate businesses, operate out of countries that won't extradite but disguise their origins, and can change identities like a chameleon changes colors. With this kind of "anything goes" environment, how can you expect to keep things clean? Especially when ad agencies are getting big enough to essentially hold small sites hostage? I'm sorry, but all this sounds to me like wishing for unicorns...

Charles 9

No, I expect them to be led by the hand into a trap. As a comedian once said, "You can't fix Stupid," yet Stupid happens to comprise a significant portion of your customer base. So you're surrounded by hopeless idiots in search of unicorns, and you're pretty much stuck in a "The Customer is Always Right" situation as your job depends on it.

I just had a thought. What if someone coded a browser Dilbert-style, ignoring the stupid who demand this and that bloat and instead of telling them honestly what is happening simply lying to them every time they try to do something stupid. Say they want to go to a site that wants Flash to start an exploit, the browser can say, "I'm sorry, but the site you're trying to reach doesn't speak Internet correctly and cannot be reached. Recommend looking somewhere else. And yes, there IS another place to find it; this is the Internet, after all." IOW, you can't fix Stupid, so the best thing you can do is deflect it like you would with a PHB.

Charles 9

Re: What really gets me fuming

Well, you have to decide what's worth your money? Wade through ads or pay through the nose since it seems so critical to your client's business. Since they seem to have you, as they say, by the wossnames.

Charles 9

Re: Don't Block it, Dump it.

"Allow the "Blocker" to simply Remove (or never download in the first place) the code that the User objects to."

How are you going to know what the code is you need to dump unless you download the code to inspect it in the first place? And due to perverse motivation, you can't expect the server to do this for you.

Charles 9

"I kinda wish Mozilla had stuck to this philosophy, which is what I think they started out with."

Stupid struck. As in stupid users who demand their content yet aren't smart enough to find the needed extensions, leaving them with a dilemma: accommodate them and bloat your code or see your customer base defect to the competition. When the customers demand bloat, damn the consequences, what do you do?

Charles 9

Re: Would it be feasible to make a modular browser?

"And stream code libraries on demand to enable rare feature sets when they are encountered?"

Code may be platform-dependent and could be hijacked by a Man in the Middle.

Charles 9

Re: Dubious

"Leaving aside considerations about the cloud being a good or bad thing, if you need a network aware app that also provides rich interactivity, that leaves you with a few options. Locally-installed software, apps a la iOS/Android. Or a browser-based app with JS and SVG/Canvas support."

Why not just make a protocol specifically for the purpose? Or why not use something specifically built for interactivity like VNC? Then again, these require a persistent connection and the current Internet spec only allows for ~65,000 ports in use at a time, a fair chunk of which are already reserved.

The thing is, as others have noted, HTTP was intended to be a non-interactive protocol to start with. Why did it get usurped into a two-way protocol?

Charles 9

Re: Swiss Army Knife

That "odd thing with the hole in it" is a punch: specifically a leather punch IIRC. The eye in it (and the groove) I believe is so it can double as a needle for mending or darning.

Charles 9

Re: Just Nuke the Ad Slingers

Don't think it'll work. Ad slingers and lawyers are like cockroaches. Odds are they'd survive a nuke...

Charles 9

Until the LACK of a module loaded opens a security hole (which is a problem in and of itself). Or they find another exploit that enables them to ENABLE the module they want willy-nilly. The only way to block THAT is for the module to not exist AT ALL. And even then, they'll probably just drop them using whatever secure channels they've been able to usurp. For some adversaries, money and technology are no objects.

And yes, flabby and lazy is the way to go, because you learn the "one thing" you're expected to do...is EVERYTHING.

As for Linux, NO until they can get their gaming act together better. Tried it. Ended up with headaches.

Google to kill passwords on Android, replace 'em with 'trust scores'

Charles 9

Re: False Rejection Vs False Acceptance

Well, what alternatives are there for people with really bad memories, which are a significant segment of the population?

Charles 9

Re: Just curious ... how many commentards here

"But 'something you know' is likely to remain the strongest element of any 2FA system. I for one am not ready to give up my password."

But what about all those people with bad memories for whom "something they KNOW" is likely not an option? That's the big bug-a-boo about passwords: it relies on something that for many people is very finicky and at plenty of times may not be reliable enough.

Charles 9

Re: How can this possibly work?

Turn it OFF before you go to the bathroom and it engages the lockscreen. Bet you have to prove yourself again before it'll unlock, and that can be done quickly enough. And yes, they can use the camera.

Charles 9

Re: Biometrics

But for people with bad memories, passwords are not an option. At least, normally, you can't lose your fingers...

Charles 9

Re: Just curious ... how many commentards here

"Passwords however cannot be forcibly extracted from your brain by any means short of torture. They are easily changed if you suspect a breach."

Unless you're TRICKED, and the trickster changes the password ahead of you to block you regaining control...

Charles 9

Re: Time to move away from Android to something else then?

Apple's no better in the privacy department, BB10's being dropped, and Sailfish is Not Ready For Prime Time.

Charles 9

So you're saying there's a passing fair chance someone who could be a person's identical twin down to voice, speech, and motion mannerisms can pass for you on a given night? I'd like to see the actual odds of this...

Charles 9

Re: Just curious ... how many commentards here

MMM, YUP! Passwords and stuff stolen ALL THE TIME. Plus people have bad memories, too.

Charles 9

Re: Lack of Common Sense

"which really means they want technology that is sophisticated enough to be magic. consumers want to be able to have their phones, financials and abodes only open to themselves and those they allow without having to do anything or know anything. That last might make a good metric of customer acceptance."

That's pretty much what they want because for many people what they ARE is ALL THEY HAVE. They have poor memories so don't KNOW anything and all they HAVE is the phone so they don't have anything else to authenticate with.

Charles 9

Re: Once again...

But for many people that's ALL THEY HAVE. So they're all you have to work with. If you say that's not acceptable, then you're saying these people CAN'T be secure and that they're a lost cause. Sounds like you need another idea that doesn't rely on memories or things that may not be present.

Charles 9

Re: Too stupid for security

But what if biometrics is ALL YOU HAVE?

Charles 9

Re: Lost in a foreign country....

You're halfway around the world. They're ASLEEP, they don't answer the phone, and you're on a deadline...

Republicans move to gut FCC and crush its net neutrality crusade with paralyzing budget rules

Charles 9

Re: GOP throws hissy fit, tries to end party

"Is there a country without this BS? Without restrictions on what Internet sites can be visited, without nasty taxes, without stupidity and the power-mad running it? One with reasonable and intelligent lawmakers? I'm looking to move."

You won't find it. What you're witnessing is the basic human condition at work. ANY form of government ultimately degenerates into some corrupt cesspit given enough time.

Charles 9

Re: Someone explain to me...

There are 435 Representatives in Washington, each representing a certain chunk of the country. Each one gets directly elected by those constituents, and it's an election year, meaning ALL of them need to stump for their votes. Meanwhile, each district has their varying concerns on which their elections will pivot, so these Representatives ask their more influential friends to help. The basic formula went, "I'll help you get this done if you vote for the greater bill that enables everything."

The House tried to establish rules limiting this practice since other voters noted it to be an element of corruption, but they found it to be a necessary evil. Those lesser representatives had no motivation to vote for controversial bills otherwise, putting important bills in jeopardy and lowering Congress's approval rating as a whole due to a climate of nothing happening because of the lack of corruption (of course, this never influences the local elections much--there it's always Somebody Else's Problem).

You see, that's the thing about governing by committee like this. Each member has its own motivations and rarely do they honestly come together when the motion to be passed is a "necessary evil" one (structurally necessary but very unpopular--tax reforms, for example). About the only time they come together is when some kind of crisis (like 9/11) hits. 200+ years of experience seems to indicate this is just basic human condition at work. It's not something that can be easily solved which is why corruption tends to show up in ANY form of human government imaginable.

Your pointy-haired boss 'bought a cloud' with his credit card. Now what?

Charles 9

"Rinse, lather, repeat."

Shouldn't that be "Lather, rinse, repeat"? The former sounds to me like using the toilet paper before you do your business.

Charles 9

Re: Missing the real point

"Most PHB's don't have the technical understanding to realize that, and most IT staff aren't good at explaining complex problems to people who don't have a technical background."

No, it's more that PHB's aren't willing to listen. All they care about is, "We need X, Y, and Z--of which at least one is a Unicorn--done, yesterday--and yes, he DOES mean yesterday." The instant you say "here's why" your speech is auto-DEtranslated into something like Xhosa, meaning they never hear or understand the why of it, and it's like that everywhere so jumping ship may just mean jumping into a worse situation.

Your next server will be a box full of connected stuff, not a server

Charles 9

Re: What's wrong to design for a specific workload...

HFT users will also be looking for prime real estate since in a game of nanoseconds physical distance matters (given light can only travel--in vacuum--about a foot in a nanosecond).

Renewable energy 'simply won't work': Top Google engineers

Charles 9

Tunnels trap vehicle emissions. That's why car tunnels have ventilation and at one time trains closed the windows before entering long tunnels.

Charles 9

Re: Currents

Yeah, the same problem wind turbines generate: once you suck out the power from that current, there's less down the line. I don't think the UK would be too thrilled if Florida's experiment with the Gulf Stream sucks most of the energy out of it, leaving little to warm the English waters...

GM crops are good for you and the planet, reckon boffins

Charles 9

Re: An argument for some regulation and oversight...

"It seems to me that somebody somewhere should be reviewing these on a project by project basis. Especially when it becomes such a common technique that everyone is doing it."

OK, now who PAYS for it? The customers won't because they're penny-pinching as it is, and the companies won't do it because they have investors to please, plus if anything does hit the fan they can cut and run before they're caught.

Want a better password? Pretend you eat kale. We won't tell anyone

Charles 9

Re: How crackable are alien languages?

Don't get too cocky. There may be someone out there who knows about Gabriel, Madeleine, and Professor Yaffle, too.

PS. Dang. Talk about old memories. About 30 years by my recollection...

Charles 9

Re: 67 per cent figured a 50,000-guess-strong password was good enough

You forget social engineering and identity theft. They can use data from the less-valuable sites to make inroads into the more-valuable stuff. So since just about ANY site can be a stepping stone, you may have to assume your least valuable site is as important as your most valuable one (since breaking the former can lead to breaking the latter).

Modular phone Ara to finally launch

Charles 9

Not really because the most important pieces of modularity we wanted (memory, internal storage, screen) are locked in now. If the phone was more like a PC where it can just be upgraded to keep up with the times and can still be useful for a few extra years, we'd probably be all over it.

Charles 9

Re: Hmm.

Compared to the phones of the time it was pretty big. Before the iPhone came along, iPhones tended to have small screens with those jog wheels. Plus most phones on the market were feature phones. Finally, the other touch screens were single-touch resistive where the iPhone was the first mass-market phone with multi-touch capacitive, meaning they set the trend for things like two-fingered scroll and touch-to-zoom.

Charles 9

To those who are downvoting: show a way you can do this with an ARM architecture (such that you can swap out everything INCLUDING the CPU, GPU, memory, and screen, and STILL maintain much-needed power efficiency). Oh, AND not break existing compatibility, which last I checked on ARM relies on initramfs which in this case is closely tied to the hardware which on an ARM-based system is usually on a fixed, non-standardized memory map?