* Posts by Charles 9

11133 posts • joined 10 Jun 2009

LastPass now supports 2FA auth, completely undermines 2FA auth

Charles 9
Silver badge

Re: Fewer Secrets

OR they can glean your details and use that in social engineering to get better access to your more-sensitive stuff through identity theft.

0
0
Charles 9
Silver badge

Re: Banking

Unless, of course, it's an extended weekend (coming up here in the US) and/or you're far from the nearest local branch (assuming they HAVE brick-and-mortar branches)? Or worse, they refuse to believe you?

0
0
Charles 9
Silver badge

Re: Is this really 2FA?

What happens when you routinely have to handle sensitive data BUT you're also highly prone to losing things like your keys, meaning you're likely to lose the fob?

0
0
Charles 9
Silver badge

Re: Complex passwords stuck on a post it note under your desk

Unless, of course, you're MUGGED and they take advantage while in an unconscious heap.

0
0
Charles 9
Silver badge

Re: Is this really 2FA?

And what if you LOSE it? Or they break the system like in the RSA attack? People lose their keys already, let's not try to add something ELSE to lose?

0
0
Charles 9
Silver badge

Re: Non issue?

If they can pwn the point of entry, then any other kind of entry screening is moot since they still have to go through the point of entry. IOW, 2FA isn't going to work not because it's going to the same point as the pwned point of entry but because it'll have to go through the pwned point of entry anyway.

1
0
Charles 9
Silver badge

Re: Date of birth

So you say all your dates (xxxx, mm dd)?

What about all the hispanics and so on that say "dd de mm, yy" (or simply English who say "ddth of mm, yyyy")?

Anyway, the mm/dd/yyyy format is consistent with Americans and many other English speakers who say "mm ddth, yyyy".

The ISO date format is as much a mishmash of letters and dashes as any other date format. The ONLY reason it's so useful in computers is that it AUTOMATICALLY sorts dates chronologically if you perform a simple ASCII sort (to the second if you use the extended format which includes a 24-hour time).

0
0
Charles 9
Silver badge

Re: Banking

"The pin is only in my head and that card is never used outside the house."

So what happens when (not if) Murphy strikes and you FORGET your PIN?

0
0
Charles 9
Silver badge

Re: "non-cloud based managers trump all"

"However, if any of your devices with KeePass gets hit by keyloggers / slurp-happy Malware, won't you be screwed too? Example: WAGS borrows your device in the car to look up directions to 'Hotpoint'. Hotpoint site gets compromised again... Game-Over, no???"

If a point of entry gets pwned, you're screwed no matter what. Things like KeePass at least make it hard to pwn you OUTSIDE the point of entry. If LastPass gets hacked, you can get pwned outside the point of entry.

0
0
Charles 9
Silver badge

Re: Complex passwords stuck on a post it note under your desk

So what if you have a bad day and FORGET the PIN?

0
0
Charles 9
Silver badge

Re: 2FA has been broken for a while

Oh? What if they steal the secrets needed to crack the algorithm? Wasn't that what the RSA attack was about?

PS. If they pwn the login point, then no amount of security will work because it can hijack anything at the point of entry. Even OTPs.

0
0
Charles 9
Silver badge

Re: 2FA migration

One, you can't properly back up a stock phone. Two, most OTP generators are keyed to both phone and Android serial, which can change on a restore. Used to happen to me with Authy.

1
0
Charles 9
Silver badge

Re: Straightforward algorithms

Even phrases become hard to remember past say ten or twenty sites. I always put it like this: "Was it CorrectHorseBatteryStaple or DonkeyEnginePaperclipWrong?" Especially if you refuse to leave grammar clues.

0
0
Charles 9
Silver badge

Re: 256 bit AES encrypted plain text file

That's one reason people like us like KeePass. It already uses strong encryption by default, let's you a file as a key, and it's FOSS.

0
0

Google now mingles everything you've bought with everywhere you've been

Charles 9
Silver badge

Re: Paying by cash just became mandatory....

And then you find out they can track that, too. Consider "Where's George?".

0
0
Charles 9
Silver badge

Re: Another good reason to avoid Android

Only to be replaces with CHINESE bits inserted to replace them. And before you say, "Who cares?" don't forget China's busily engaged in an economic war with the West, too, so there CAN be serious consequences.

3
0

How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Charles 9
Silver badge

Re: RFID ??

"Concave or convex

To suit either sex"

But who'd use since ne'er was it clean.

3
0
Charles 9
Silver badge

Re: Other Options

So what if they take your phone and then use it to make incriminating phone calls or texts in your name?

0
0
Charles 9
Silver badge

Re: Iris scans can be done properly

"This is similar to proper fingerprint scanners which should incorporate IR Doppler to detect flowing blood under the skin."

Does that also defeat the gummy fingerprint on top of someone else's finger which would have live blood flow and everything?

2
0
Charles 9
Silver badge

Re: ... and you STILL need a strong identity

"Well, I wouldn't hire you for any job that require a strong identity - such a person would be unfit for the role, sorry."

So basically it's, "Game Over. You Lose. Better Luck Next Life." How Spartan...

Ever considered the person doesn't have to work...because he or she is retired? Old people still need to be able to access their accounts and so on, and if the last local branch closes...

3
3
Charles 9
Silver badge

Not so good for palsied or arthritic hands. As for avoiding the phone, what if the bank is branchless?

2
3
Charles 9
Silver badge

Re: Three pillars of identity

So what happens when you have a terrible memory (meaning there's little you know) and you tend to travel with little and keep losing things (meaning there's little you have) and you STILL need a strong identity?

0
6
Charles 9
Silver badge

But what if you have a terrible memory and can't remember a PIN. And yes, I know plenty of people with memories that bad, which is why they can only go to brick-and-mortar branches and use cards that don't require PINs.

0
9

India makes biometrics mandatory for all e-gov projects

Charles 9
Silver badge

But guess what education helps to do? Condition the mind to be able to do what you describe. Even in the old days, the hands-on education of skilled trades and so on conditioned the mind to be able to think out of the box for the sake of their position (adapting to changing conditions). If OTOH everyone did things by rote...

1
3
Charles 9
Silver badge

And I'm sure you realize the obvious counter.

Many in India are POOR and likely have POOR education.

Meaning in a world of "Are, Know, Have", many in India neither KNOW nor HAVE anything of value. How do you handle an identity system when the ONLY thing of value you possibly possess is something you ARE?

2
3

What's got a vast attack surface and runs on Linux? Windows Defender, of course

Charles 9
Silver badge

Re: But isn't the environment itself just as important?

Partly useless, because you can't fake PANIC. You can't fake a fire, and so on. Even the late Terry Pratchett noted it. IOW, unless people REALLY feel their life is on the line, they won't behave the same way during a drill than they will during an actual emergency. Practice isn't all you need, you ALSO need discipline: the ability to not panic when surprises DO come. Say detonate a flashbang once in a while nearby to condition people to react in desired ways.

7
10
Charles 9
Silver badge

Re: But isn't the environment itself just as important?

But the point stands. What if the exploit is a gestalt, meaning it ONLY appears in a certain environmental combination and then becomes something greater than the sum of its parts? IOW, it's like planning for an emergency: the ONLY way to really know if the plan works is to have an emergency, with all the environmental factors that ONLY come from true emergencies.

5
7

The real battle of Android's future – who controls the updates

Charles 9
Silver badge

Re: No Skins please.

There's more than one manufacturer, so there's no real supply monopoly, and since the manufacturers come from different countries (Taiwan, South Korea, etc.) with different economic incentives, they're unlikely to act in a cartel.

As for the carriers, there has always been a market for carrier-free phones, particularly in regions where common settled frequencies have been established like LTE Band III, allowing for easier carrier-jumping. Areas with more prepaid rather than postpaid carriers tend to encourage carrier-jumping and thus carrier-free phones. Even in America that trend is growing with increasing numbers of "Bring Your Own Smartphone" MVNO carriers. Most of the headliners for the past ten years or so have been offered carrier-free in some form, plus there was the iPhone which carriers were SO desperate to carry that they let Apple dictate terms for a while. So I doubt there's a real monopoly on the distribution end, either.

No, I think the real demand is strictly with the customers. Thin is in, and simplicity sells, thus closed-in slim phones win out over thicker and easier-to-grip phones with removable battery packs and expansion slots.

0
0

EU security think tank ENISA looks for IoT security, can't find any

Charles 9
Silver badge

Re: Rule zero

The existing iteration of "The Internet"

There, FTFY. The truth is, nothing known to man can ever be really secure as long as someone knows about it. Not even a One-Time Pad is proof against Rubber-Hose Cryptanalysis. The only true secret is one known to NO ONE and NO-THING (because the thing can be used by man to access it).

1
1
Charles 9
Silver badge

Re: if the mandate is that the device will ...

Especially if "setting up" requires a computer the owner may not possess.

0
1

Why Microsoft's Windows game plan makes us WannaCry

Charles 9
Silver badge

The problem behind the problem for (2) is that upgrades can be DOWNgrades, too. And if your software depends on something that WILL disappear with the upgrade (like support for the ISA bus which was dropped with Vista), then you're up against the person who's sworn to stand his ground to the death, meaning no carrot is more valuable than where he stands right now and amount of stick will make him budge. The thing is that one size can't necessarily fit all and for some, there are higher priorities than anything you can provide.

0
0

Hi! I’m Foxy! It looks like you want to run Flash. Do you need help?

Charles 9
Silver badge

Re: F off

Careful. What if they F back...without the lube?

0
0
Charles 9
Silver badge

Re: Dear BBC,

"At the moment whois shows bbci.co.uk as registered to the BBC."

As I recall, bbci is short for "BBC Interactive" and represents the BBC's earlier forays into combining television and internet to create interactive programming. It's a legitimate domain that the BBC has had for about a decade or so.

0
0
Charles 9
Silver badge

Re: Until Adobe oficially kills Flash

But what if turns out to rise again like a zombie. Without a head, so sorry, folks, the old "shoot 'em in the head" ain't gonna work.

1
1
Charles 9
Silver badge
Devil

So what happens when you really DO need Flash and you don't even know it, then? Hate to be at the Help Desk when THAT happens, especially when the caller happens to be someone high up.

0
2
Charles 9
Silver badge

Re: @adrian4

But what if Z doesn't exist? It's like with medical equipment manufacturers still using outdated operating systems to stay legally-compliant. If EVERY site that has the W you need REQUIRES the use of Flash, then you're stuck with a Hobson's Choice (as in Take It Or Leave It). Some people may be willing to walk away, but for some it can result in collateral damage, such as not being able to use a piece of computer equipment for a job which means it'll have to be replaced (a more-expensive proposition).

1
1

Supreme Court closes court-shopping loophole for patent trolls

Charles 9
Silver badge

Re: Simpler answer (Energy Co in E-Texas)

Nope, because it's likely long since expired, given internal combustion engines have been around for over a century by now.

0
0
Charles 9
Silver badge

Re: Look out Delaware!

Delaware's friendliness tends to favor factories, warehouses, and distribution centers. No sales tax among other things makes it advantageous to settle there. I believe Oregon has a similar business-friendly structure.

1
0
Charles 9
Silver badge

Re: Note the vote 0-8

I think the difference is whether or not product is exported directly to the buyer or run through some affiliate or subsidiary first. The latter can be sued directly while the former usually have to be taken to trade courts.

1
0
Charles 9
Silver badge

Re: Note the vote 0-8

An international company with no US presence couldn't be sued in the US due to lack of jurisdiction. Those kinds of cases usually go before the international trade courts which are a special case. Besides, isn't it normal for a company doing business in the US to have some sort of US presence for legal reasons?

4
0
Charles 9
Silver badge

Only if the DEFENDANT is incorporated in Delaware. That's the big thing. Patent trolls basically have to take on violators on their turf.

16
0

Kill Google AMP before it KILLS the web

Charles 9
Silver badge

Re: I like AMP

It's the PUBLISHER'S responsibility since they're in the best position to know or figure out whether or not the piece in question is true or not. Anyone else would not be in a good position to know, especially if the content is exclusive. Besides, the LEGAL liability (under libel law) fall to them, does it not?

0
0
Charles 9
Silver badge

Nope, consider Facebook and Twitter.

0
0
Charles 9
Silver badge

Re: Break them up Now!

Like breaking up AT&T really did much long-term. Besides, how do you fight a TRANSnational who can hide behind foreign sovereignty?

0
2

WannaCrypt: Roots, reasons and why scramble patching won't save you now

Charles 9
Silver badge

Re: virtual machine

And the manufacturer is NOT your friend since you can't replace the machine: it isn't yours to mess with. Remember that infamous boilerplate: Breaking this seal voids all warranties and service agreements.. It's basically an untouchable machine that's an integral (and to the manufacturer, inseparable) part of the six-to-seven-figure whole. And no, airgapping won't be an option since it has to be able to transfer the fruits of its labor, and a USB drive can pwn a machine just as easily as a network connection.

1
1

Do we need Windows patch legislation?

Charles 9
Silver badge

Re: Vendors, do your fucking jobs and fix your shit.

But what if there's no way to upgrade the OS because Vista and up DROP support for a key piece of the HARDWARE that runs the thing (like say a custom-build ISA interface card--support for ISA was DROPPED in Vista)?

0
0
Charles 9
Silver badge

Then how does it get instructions? REGARDLESS of the method, it can be an inroad to infection.

0
0
Charles 9
Silver badge

"What would have helped would have been the certification authorities requiring long term support."

Then what happens when NO ONE passes because of it? Now you have NO suppliers.

0
0
Charles 9
Silver badge

Re: What

"Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?"

Yes, because the alternative was probably buying a GBP600,000 molding machine tied to an obsolete operating system. IOW, this is what happens when EVERYONE uses commodity stuff to undercut the competition and win contracts.

0
0
Charles 9
Silver badge

Re: The answer I wanted was not there

So what happens when you need software and NO ONE is willing to provide the source, say for trade secret reasons? Do you go without or roll your own?

0
0

Forums

Biting the hand that feeds IT © 1998–2017