but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around. Government agencies will be worse.
And you know what? That's better than nothing. It's another layer.
Sure, we all think about "stolen laptops" when we think about these data losses, but that's not always true. Think about a remote hacking attack. Let's say a bad guy connects to the machine and starts sucking up a ZIP file labeled "Customer_Credit_Cards_2007-2008.ZIP". And the password is written down and stuck to the screen. The bad guy is on a network, can't see that password, and the file is just as unencryptable to him as it would be to you without the sticky note.
I'm just saying that you can still get some protection even from bad practices. If that stops 50% of the attackers, well, that's 50% more than we're stopping today. Is it watertight? No. Is it enough? No. Is it better? Yes.
Consistency is overrated. If there is a program that is better than all the rest, people will learn to use it even if it doesn't fit the exact mold of other programs.
x million iPod and iPhone users would strongly suggest otherwise. As a music player, the concepts behind iPods suck -- here's proprietary client software, we sell DRM music, our music doesn't work on any other player, can't replace the battery, higher priced than most other players with similar audio quality -- there's a lot to dislike about the iPod.
So why do so many people buy and use and love them? It's the user interface. It's intuitive, it's consistent across the platforms, it's responsive, and it's not butt-ugly. It's the part that people see and interact with that makes them desire the product.
Open Source projects are starting to learn this. Ubuntu is a big success in large part because they're pushing hard for a consistent GUI experience, and making it easy to use. We hackers may think that "being the best on the inside" is enough, but for Joe Sixpack to accept it, for it to be a commercial success, it's far more important that it looks good and is easy to use. To an end user, that is performance.
Actually, there is another piece that matters even more than the apps, and that's the standardization of the user experience. Iron-fisted control of every aspect of GUI, from control placement to responses, relentless paring down to the essentials, usability labs, testing, all those details that make Apple products so popular, that's what Linux needs, and that's what Enlightenment could bring. It's an exciting prospect.
Whether or not it happens is a different question.
Then you never got burned by DRM.
Years ago I had TurboTax install some flaky CD-ROM spyware (SafeDisc) that left a permanent service running on my machine that was checking every disc inserted, and interfering with my legitimate use of the drive with other programs such as Exact Audio Copy. Uninstalling their software when I was done with my taxes did not remove the SafeDisc crapware. I had to manually hunt it down and kill it.
Microsoft is begging to differ with you. Again. They're going to call the successor to Vista, "Windows 7." Not "Windows 2009", not "Windows AB", not even "Windows VII".
I'm quite surprised by this about-face. I thought the whole "Windows Server 2000" or "Office 2003" was a great marketing move. Look at the typical reaction: "Here I am in 2008, and I'm still using Visual Studio 2005 -- why haven't we upgraded to VS 2008 yet?" Yet those same people aren't complaining that their Windows XP installation should be replaced by Windows Vista.
Hmm... maybe it has nothing to do with the version numbers, after all...
Remember the Microsoft slogan: "Quality is job 1.1!"
While that's an interesting point, the Apples put in the schools had games, and they certainly were the first exposure to computer games that most kids had. Kids got sucked in playing the simple games, and then learned more about the operating system and programming. The novelty was a large part of the attraction.
Computer games are no longer novel. The allure of attracting a kid to a never-before-seen computer ended in the 1990s. Giving a kid a Linux box with OOo will have exactly the same appeal as giving them an XP laptop with Office. Not that I'm complaining, but it's simply not going to spark their imaginations in quite the same way.
"Paddle faster! I hear banjo music!"
Three Rings spamming the Elven-kings for Cialis to buy,
Seven for the Dwarf-lords to refinance their home of stone,
Nine for Mortal Men lacking in size,
One for the Dark Lord reading his pr0n
In the Land of Mordor where the Spammers lie.
One Ring to spam them all, One Ring to find them,
One Ring to fleece them all and in their greed bind them
In the Land of Mordor where the Spammers lie.
The point of spam is still as simple as it ever was: make money off of stupid people.
What's not always obvious is who is making the money, and who are the stupid people. It's not necessarily Charley and his Giant Penis pills, but rather the guy sending the emails. If he gets $1.00 to send a million emails, at 10 billion spams per day he's making $10,000 a day. He doesn't care if Charley sells one pill or a million -- he got his money up front.
The email sender might even be fleecing the spam authors. If he bought a few dozen on the sly just to make Charley think that his spam is golden and that his sender can deliver, then Charley might just dump a bucket of money into the sender's hands.
Now in this case it looks like the spammers and the email senders were pretty closely related, and everybody including the spammers actually were making a profit selling the drugs. But in general, that doesn't have to be the case.
That strategy worked great for Apple back in the late 1970s / early 1980s. Get Apples in front of schoolchildren and by the time the IBM PC came along it was too late. Kids were already in love with the Apples, and many "stuck with what they knew." It was the most effective long term marketing move Apple ever could have made, and I doubt they even realized it at the time.
Times have changed, though, and the ability to monopolize the hearts and minds of kids with the only computer they're exposed to is long gone. Many of the kids will already have PCs at home, many will have (or at least have played) X-Boxes, PS3s, Wiis and a host of other devices, including smart phones. I don't think this can have the same social effect that Apple had on us 30 years ago, because the environment is now so different. The novelty won't be there.
A master's degree will certainly help...
No, it won't. Don't waste your time and money.
Are you just a troll, or are you really that fucking stupid? I hire software engineers, and it absolutely helps me decide. If I have 10 resumes in front of me, a Master's degree in Software Engineering will move a resume to the top of the pile, and the candidate would have to interview pretty poorly to blow that chance.
A Master's degree represents an achievement that can be respected and understood not just by peers but by managers as well.
A Master's degree in Computer Science will also move your resume to the top, just below that of the software engineer. I prefer people who can build applications, and not just argue endlessly about optimizing sort routines, but a CSci degree is also a great choice.
Of course a Master's degree in Fine Art Appreciation will fill me with a sense of pity for your parents, some grudging respect for the slimy salesman who told you that degree would have value, and earn your resume a hallowed place at the very top of my trash bin accompanied by peals of derisive laughter issued by a platoon of my co-workers.
A master's degree will certainly help, as will an internship, but those will take time and money to complete.
Is it possible the development team you're working QA for is hiring? Do you have contact with the developers? Have you built a reputation as someone who catches the hard-to-find bugs and documents them well? I know I value a competent tester, and if one of the good ones came to me looking for a way up, I'd be putting in a good word for him with management. Social networking is a good place to find hidden opportunities, and if it's people you've impressed with your skills at work, so much the better.
I already have dust buildup in my closed case. It has an acrylic side panel, so it does not offer RF shielding. It has a top fan, so it doesn't offer much safety from a beverage set carelessly on top. As a matter of fact, no matter how much I wanted to I couldn't set a beverage on top of this Skeleton, so I would set it elsewhere -- this case is possibly safer as a result.
Perhaps closed cases are overrated in terms of the amount of "actual" protection they provide.
Oh, no, I have (well, had :-/ ) enough money (although I don't have a BMW yet.) I still have the arrogance. :-)
If you reread what I wrote, I said they were "more" arrogant. Sure, everyone can be arrogant to some degree, but there are a lot of components to that, including a sense of entitlement that also seems to follow the wealthy around. And if you drive around Edina (the affluent suburb I'm thinking of) you'd quickly notice that it was populated by 40,000 people, each and every one of which is convinced they are the only driver on the road. Seriously, drive north on France Avenue from 494, pass the sign saying "City of Edina", and it's like someone lit up the "now drive like a jerk" sign. Granted, that particular road leads past some fairly expensive shopping malls, but in general I think they suck much worse than the drivers in any other part of the Twin Cities. And that's saying a lot because most Minnesotans in general drive like crap no matter where they are.
Well, there are two kinds of people in the US who buy BMWs: those who love driving and scrape every last dime together to buy one, and those who have a lot of money and buy one because they are owned by other rich people. I think the rich drivers tend to be the bad drivers. In general, it seems that people with money tend to have more arrogance, and that extends throughout their social life, including driving.
In some of the most affluent suburbs around here (especially the ones noted for 'old money'), I've noticed the drivers are exceptionally bad, regardless of make. They are driven as if they were the only driver on the road.
The exception seems to be Volvo drivers. They are the most timid creatures on the road, and seem to be able to happily sit waiting to make a right hand turn until the entire rush hour is over. I believe the whole "Volvo is the safest car" idea to be a self-fulfilling prophecy: Volvos have a reputation for safety, so the overly cautious drivers flock to them and enhance that reputation. The problem is that the traffic around them is less safe because of their penchant for delay.
OK, so I'll re-ask the question. If a bank offered a card with an OTP generator and the exact same terms as your current bank, would you switch? (I'm assuming you'd switch for other reasons if the OTP bank offered you better terms.)
I'm really trying to gauge if people like you are serious about your own personal security, or if you'd rather not worry much about it and let the $50 limits on liability take care of you. I agree that it should be cheaper for you if the costs of theft are less expensive for the bank, but that's not what I'm trying to discover.
Or maybe you've already given me my answer: you care exactly 0% about the security, and 100% about the costs. And that's telling, because if a security-conscious person such as yourself isn't willing to spend an extra dime, there is no way in hell a Joe Sixpack is going to care about an OTP solution.
And I know it sounds convenient, but for security reasons you should not want the OTP to be a part of your phone. If it were integrated, there is no longer an "air gap" between your PIN entry device and a hackable machine. The OTPs that are offered by companies like Vasco have no network connections, no upgradability, and no user maintainable components. This is by design. If a hacker gets on your OTP-equipped phone and installs some kind of keysniffer, you lose.
With no external interface other than the battery, the keyboard, and the screen, the Digipass devices cannot be remotely hacked, and would have to be "hardware hacked". This is not an attack vector that scales well -- a bad guy has to physically go to each device to hack it. A phone hack could potentially be done over the network, Bluetooth, by a virus, or other malware, and attack thousands of OTPs.
The OTP card would indeed work at any ATM or cash register that takes PIN-based debit cards. You put your card in the pocket generator and generate a PIN. You then put your card in the ATM or the register where it reads your mag stripe, and enter the PIN still displayed on the pocket generator.
The ATMs or the registers don't know the real PIN, and they don't have to read the smart card. They can just use the mag stripe, and you don't have to care.
The point is now even if the ATM is run by Tony Soprano and has a card skimmer and PIN-pad skimmer built right in, they cannot reuse your PIN to authorize a second transaction. That mag stripe is useless to them.
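The flow described in the comments above, as an added example that is not from the original post or from Vasco's actual Digipass design: a counter-based one-time PIN in the style of RFC 4226 HOTP stands in for the pocket generator, the card secret and card number are constructed, and the bank host tolerates a small look-ahead window for PINs that were generated but never used. It shows why a PIN captured by a skimmer at the ATM cannot authorize a second transaction.

```python
"""Simulated one-time-PIN card flow: pocket generator, ATM forwarding the mag stripe, bank host verifying."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class PocketGenerator:
    """Stand-in for the pocket reader: the card secret never leaves it, only a short-lived PIN does."""

    def __init__(self, card_secret: bytes) -> None:
        self._secret = card_secret
        self._counter = 0  # advances on every button press, whether or not the PIN is used

    def generate_pin(self) -> str:
        pin = hotp(self._secret, self._counter)
        self._counter += 1
        return pin


class BankHost:
    """The issuer: knows each card's secret and the next counter it will accept.

    The ATM or register never sees the secret; it forwards only what it read from
    the mag stripe (the card number) and whatever the customer typed.
    """

    LOOK_AHEAD = 5  # tolerate a few PINs generated but never submitted

    def __init__(self) -> None:
        self._cards: dict[str, list] = {}  # card number -> [secret, next_expected_counter]

    def enroll(self, card_number: str, card_secret: bytes) -> None:
        self._cards[card_number] = [card_secret, 0]

    def authorize(self, card_number: str, pin: str) -> bool:
        entry = self._cards.get(card_number)
        if entry is None:
            return False
        secret, next_counter = entry
        for c in range(next_counter, next_counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(secret, c), pin):
                entry[1] = c + 1  # every counter <= c is now burned, so a replay never matches
                return True
        return False


def skimmer_replay_demo() -> dict:
    """Run the scenario from the comment: a skimmer captures stripe data + PIN and tries to reuse them."""
    card_number = "4000000000000002"  # constructed sample card number
    card_secret = b"constructed-card-secret"  # constructed; a real card holds this in the chip
    bank = BankHost()
    bank.enroll(card_number, card_secret)
    generator = PocketGenerator(card_secret)

    # Legitimate transaction: the skimmer-equipped ATM records exactly what it forwards.
    pin = generator.generate_pin()
    skimmed = (card_number, pin)
    first = bank.authorize(card_number, pin)

    # The crook replays the skimmed stripe data and PIN for a second transaction.
    replay = bank.authorize(*skimmed)

    # The customer's next visit still works because the generator has moved on.
    fresh = bank.authorize(card_number, generator.generate_pin())
    return {"first": first, "replay": replay, "fresh": fresh}
```

The demo also covers the stolen-stripe case: without the pocket generator the crook has no way to produce the next PIN at all.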
In America, the credit liability laws limit the consumer's exposure for fraudulent use of a card to $50. In practice, I've found most banks actually cover their customers 100%. You have to swear that it was theft, of course, and perhaps sign an affidavit, and if it turns out that you were the "thief" you will be prosecuted for fraud.
Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods. For the rest of them, if you are unsatisfied with a credit transaction you can withhold payment from your credit company while you dispute the transaction, but there's paperwork involved. It's not particularly easy, and it's likely to go on your credit report.
Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.
If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator, would you really switch to them? What if their interest rate or cash-back bonuses weren't quite as competitive as your current bank?
The article doesn't say where the rogue devices were installed, although they insinuated they may have been placed there in a Chinese factory. The limited number of devices containing the bug and the spread across various retailers hints that they probably weren't placed there by employees of the retailers: they may have been installed during manufacturing, packaging, or possibly during maintenance.
These retailers are big enough that they all likely contract with a third party to perform their hardware repairs. It's possible that a corrupt repair person was responsible for installation of the bugs.
i.e. for banking.
and you expect us to trust you with security advice? Please!
I have the Flash plugin, but I also run FlashBlock. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.
Well, there's a POC linked in TFA. I tried it. It looked like it was going to work but NoScript warned me about it. Pretty cool.
NoScript is my friend.
It doesn't even have to be black, nor a rectangle.
How about a pair of red stars with the words "Girls Gone Wild" written on them?