Slashdot Mirror


User: swillden

swillden's activity in the archive.

Stories: 0
Comments: 18,006

Comments · 18,006

  1. Re:Identification, not authentication on Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org) · · Score: 1

    Conclusion: biometric properties are more like usernames, not like passwords. So, use them for identification, not authentication.

    Wrong. Biometrics are lousy usernames (and lousy passwords). They're good authenticators in many situations, but the model is entirely different. http://divegeekstuff.blogspot....

  2. Re:Biometric should only check WHO you are on Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org) · · Score: 1

    Biometric is a ONLY username, not a password.

    Wrong. http://divegeekstuff.blogspot....

  3. Re:No! Of course not! on Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org) · · Score: 1

    Biometry is not suitable for authentication. Essentially using biometry is like using a password you cannot change, but constantly tell anybody around you.

    Wrong. http://divegeekstuff.blogspot....

  4. Re: I'm not sure I like the idea... on Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org) · · Score: 5, Interesting

    More generally, if the information gets stolen, you can never change it.

    This is true, but irrelevant. Replaceability is unnecessary for biometric security. Your biometrics wouldn't be any more (or less) secure if you could replace them.

    That's why people should adopt the philosophies of "biometrics = who you are (username)"

    This is also wrong. Biometrics are terrible identifiers. They have no uniqueness guarantees and cannot be matched exactly, which makes them prone to Birthday Paradox problems.

    Here's my screed on fingerprint / biometric security, which I'm going to post on every /. article where these incorrect ideas come up. Maybe it will help.

    Claim: Fingerprint authentication is serious James Bond shizzle and it's totally secure.

    No. No, it's not. See below.

    Claim: Fingerprint authentication is insecure because you only have ten fingers, and when you've used them all you have no more new "passwords".

    This is wrong, because it assumes that fingerprints (or other biometrics) are just a slightly different sort of password. They're not. Biometric authenticators are nothing at all like passwords; the security model is completely different. To understand how and why, we first need to understand the password authentication security model.

    Why are passwords secure (when they are)? Passwords are secure when the attacker doesn't know them or can't guess them. That seems simple and obvious, but some subtleties arise when you think about how an attacker might acquire them. There are two primary ways: stealing copies somehow, and repeated guessing, also known as a "brute force search". These interact—in some cases the attacker can steal some information and guess the rest—and there are many methods of optimizing both, but it all boils down to getting a copy, or guessing.

    Suppose the attacker has obtained a copy of your password, and you don't know it. Your security is compromised, but now the attacker has a choice. He can change your password, lock you out of your own account/device and use it for his own purposes, or he can leave your password and make covert use of your account/device/whatever. In many cases, the attacker opts for the latter approach because the former is too noticeable and the account/device often quickly gets shut down. Or suppose the attacker has obtained a copy of your password but hasn't gotten around to using it yet. In either case, changing your password shuts off the attacker's access, closing the window of vulnerability.

    But there's another reason to change your password from time to time, and that's to protect it against compromise by guessing. Depending on how the system is built, what information the attacker has to start with and the attacker's resources, the attacker will be able to make guesses at some rate. If you change your password before the attacker can guess your password, the attacker has to start over. Another way to look at it is that as the attacker guesses, he gains knowledge about your password, because he knows a bunch of things it is not. When you change your password, that knowledge is invalidated.

    In a nutshell: Password security derives from password secrecy, and you remove whatever knowledge the attacker has when you change it (assuming you don't just change a character or two). Another way of looking at it is that password secrecy erodes over time, and rotation restores it.

    But... your fingerprints are not secret. You leave them on almost everything you touch. From a security perspective the only reasonable way to think about biometrics is that they are public information. We have to assume the attacker already has your fingerprints. In the case of a smartphone or a credit card, odds are good that there are nice fingerprints on the device itself.

    The purpo
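The two points the comment makes about biometrics as identifiers (readings never match exactly, so matching needs a tolerance, and a tolerance plus a large gallery gives birthday-style false matches) are easy to show with a toy matcher. This is an added example, not code from the comment or from any real biometric system: the 64-bit templates, the 16-bit threshold, the per-comparison false-accept rate of 1e-5 and the gallery sizes are all constructed values.

```python
# Added example (not from the comment or from any real biometric system): a toy
# template matcher. Templates are constructed 64-bit feature vectors; a "fresh
# reading" is the same vector with a few bits flipped, so matching needs a
# distance threshold rather than equality, and a threshold implies a nonzero
# false-accept rate (FAR). The second half shows why that FAR is tolerable for
# 1:1 verification but not for picking an identity out of a large gallery.
from typing import Dict, Iterable, List

TEMPLATE_BITS = 64       # constructed template size
MATCH_THRESHOLD = 16     # constructed: accept when at most 16 of 64 bits differ


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def resample(template: int, flipped_bits: Iterable[int]) -> int:
    """Simulate a fresh sensor reading of the same finger: some bits read differently."""
    for pos in flipped_bits:
        template ^= 1 << pos
    return template


def verify(stored: int, probe: int) -> bool:
    """1:1 verification: the user claims an identity; compare against that one template."""
    return hamming_distance(stored, probe) <= MATCH_THRESHOLD


def identify(gallery: Dict[str, int], probe: int) -> List[str]:
    """1:N identification: no claimed identity, so the probe is compared with everyone."""
    return [name for name, stored in gallery.items() if verify(stored, probe)]


def identification_false_match_rate(far: float, enrolled: int) -> float:
    """Chance that an impostor probe matches at least one of `enrolled` templates.

    Each comparison independently false-accepts with probability `far`; the
    1 - (1 - far)^N growth is the birthday-style blow-up the comment refers to.
    """
    return 1.0 - (1.0 - far) ** enrolled


def far_budget_for_identification(target: float, enrolled: int) -> float:
    """Per-comparison FAR needed to hold the 1:N false-match rate at `target`."""
    return 1.0 - (1.0 - target) ** (1.0 / enrolled)


if __name__ == "__main__":
    alice = 0x0123456789ABCDEF                  # constructed enrolled template
    bob = resample(alice, range(10))            # constructed: a different person, 10 bits away
    probe = resample(alice, [0, 5, 17, 40])     # Alice's finger read again, 4 bits of noise

    print("exact equality:", probe == alice)                   # False: readings never match exactly
    print("1:1 verify as Alice:", verify(alice, probe))        # True: within threshold
    print("1:N identify:", identify({"alice": alice, "bob": bob}, probe))  # both names: ambiguous

    far = 1e-5  # constructed per-comparison false-accept rate
    for n in (1, 1_000, 100_000):
        print(f"FAR {far:g}, gallery {n:>7}: false match {identification_false_match_rate(far, n):.3%}")
    print("per-comparison FAR needed for 1e-5 overall at N=100000:",
          far_budget_for_identification(1e-5, 100_000))
```

With a per-comparison FAR of 1e-5, 1:1 verification falsely accepts one impostor attempt in 100,000, but searching a gallery of 100,000 templates falsely matches roughly 63% of impostor probes, and holding the 1:N rate at 1e-5 would need a per-comparison FAR around 1e-10. The Alice/Bob case shows the other half of the problem: two templates within the tolerance of each other both match, and nothing in the data says which one is "right".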

  5. Re:What does this do on Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) · · Score: 1

    What does this do that libasan and clang's scan-build don't?

    Fuzzing is the process of running code that accepts some user input and feeding it all sorts of bizarre garbage in an attempt to find cases the developers failed to handle. It's common to use a fuzzer in combination with something like libasan, because libasan will make buggy codepaths fail more obviously when the fuzzer triggers them. Clang's scan-build is a static code analyzer, a completely different type of scanner.
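To make the description of fuzzing concrete, here is an added example, not code from the comment or from any real fuzzer such as the one the story covers: a minimal mutation-based fuzzer run against a constructed record parser with a deliberately planted off-by-one bounds check. The record format, the bug and the mutation strategies are all assumptions made for the example; an unexpected Python exception plays the role that an ASan report or a segfault plays for native code.

```python
# Added example (not from the comment or from any real fuzzer): a toy
# mutation-based fuzzer. The target is a constructed parser with a planted
# off-by-one bounds check; the fuzzer feeds it mutated inputs and reports the
# first one that fails in a way the parser's author did not anticipate.
import random
from typing import Callable, Optional


class ParseError(ValueError):
    """The error the parser's author expects to raise on malformed input."""


def parse_record(data: bytes) -> dict:
    """Parse a constructed format: 1 length byte, `length` name bytes, 1 flag byte.

    The bounds check is deliberately one short (the kind of case a developer
    "failed to handle"): when the declared length equals len(data) - 1 the name
    fits but the flag is read past the end of the buffer.
    """
    if not data:
        raise ParseError("empty input")
    length = data[0]
    if length > len(data) - 1:          # intended: length > len(data) - 2
        raise ParseError("declared length exceeds input")
    name = data[1:1 + length]
    flag = data[1 + length]             # IndexError when length == len(data) - 1
    return {"name": name, "flag": flag}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, drop the last byte, or append a byte."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[-1]
    else:
        buf.append(rng.randrange(256))
    return bytes(buf)


def classify(target: Callable[[bytes], object], data: bytes) -> str:
    """Run the target once: 'ok', 'rejected' (a ParseError, by design) or the crash type."""
    try:
        target(data)
    except ParseError:
        return "rejected"
    except Exception as exc:            # anything else is an unhandled case, i.e. a finding
        return type(exc).__name__
    return "ok"


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> Optional[dict]:
    """Feed `iterations` mutated copies of `seed` to `target`; return the first crash."""
    rng = random.Random(rng_seed)        # fixed seed so a run is reproducible
    for i in range(iterations):
        candidate = mutate(seed, rng)
        outcome = classify(target, candidate)
        if outcome not in ("ok", "rejected"):
            return {"input": candidate, "error": outcome, "iteration": i}
    return None


if __name__ == "__main__":
    seed = b"\x03abc\x01"                # constructed valid record: name "abc", flag 1
    print("seed parses to:", parse_record(seed))
    finding = fuzz(parse_record, seed)
    print("finding:", finding)           # e.g. IndexError on b'\x03abc' after a few iterations
```

Two things the toy shares with real fuzzers are worth noticing: the target's own error type is treated as a correct rejection, not a bug, so only genuinely unhandled failures are reported; and the crashing input is saved so the failure can be reproduced. What it lacks is everything that makes production fuzzers effective: coverage feedback to steer mutations toward new code paths, a growing corpus, and, for native code, a sanitizer so that silent memory errors become loud crashes.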

  6. Re:If I am correct... on Google's 'Project Treble' Could Lead To Faster Android Updates (arstechnica.com) · · Score: 2

    This will allow third party ROMs to be built and released for nearly every phone much more easily. I envision the golden age of customized ROMs on the way.

    It will make ROMs much easier for devices that have unlockable bootloaders (note that bootloader unlocking is completely different from carrier unlocking). But at the same time, SELinux, verified boot and other platform security improvements are making it much harder to find exploitable vulnerabilities that allow rooting/modding of phones that aren't unlockable by design.

    If you want to be able to use custom ROMs, be sure to buy a device with an unlockable bootloader. All devices sold by Google are unlockable, out of the box. Other OEMs sell unlockable "developer edition" devices, but you have to be sure that you're getting the right one... and generally this means not buying a device from a wireless carrier.

  7. >> or twice that amount ($40K), if the proceeds are donated to a charity. 1) Create some horribly insecure OSS software 2) Set up charity, make self "director", limit payouts to cause to under 5%, set director fees to around 90% 3) Integrate Google fuzz, report self and payout to, er, "charity" 4) PROFIT!

    You forgot step 1.5: "Get horribly insecure OSS software to be used by a large number of people and/or be critical to global I/T infrastructure".

  8. Re: Why YouTube isn't a substitute for streaming m on Google Releases Study Defending YouTube's Value To Music Biz; Trade Bodies Hit Back (billboard.com) · · Score: 1

    They're not getting paid by the record companies either; record sales haven't been profitable for artists for ages due to the way record company contracts work. The only way for artists to get paid is to go on tour; it's been like this for quite some time.

    That's not universally true. It depends heavily on genre and on level of success. Multi-platinum pop artists make a lot of money on royalties (even in the era of streaming and digital sales, though not as much as they used to) and for them touring serves primarily to pump up their sales, not to generate income. Many of them lose money on touring, because they put on such extravagant, expensive shows.

    For most other genres, it's the other way around, as you said. Their royalties often don't recoup their advances, thanks to clever and one-sided contracts, so they see music sales as a way to boost interest in their tours, and they make all of their real money on the road, often mostly from merchandise.

  9. Thank you for proving my point. supraman implied that a lot of foreign governments were acting oddly submissive to US requests, in ways that could only be explained by hidden leverage, and further implied that this alleged situation is common knowledge. But I can't see any examples, and apparently you can't think of one either... and of course supraman hasn't bothered to reply, which seems to indicate that neither can he.

  10. Re:Only if you don't know words on 'Google Is As Close To a Natural Monopoly As the Bell System Was In 1956' (promarket.org) · · Score: 1

    I do work for Google, on search

    I'm not sure I believe you. There are several things in your post that a person in your claimed position wouldn't say.

  11. Electric car adoption lags behind because most people live in rented flats and most cars are parked on the road.

    Same as France, but France is leading the EV charge.

    Shutting down nuclear power plants makes sense because Germany still has no place to store radioactive waste.

    Nonsense. Nuclear plants can continue storing the waste on site just as they have done.

    Besides, an overwhelming majority of the population wants to shut nuclear power down.

    Politically popular isn't the same thing as wise.

  12. And that works pretty much all the way up - just look at the 'friendly' foreign governments bending over backwards for the US these days

    For instance?

  13. Re:So, in other words it was worthless on Expiring Section 702 of FISA Helped US Conclude Russia Hacked Election To Help Trump, NSA Chief Says (reuters.com) · · Score: 2

    Hillary was part of the reason why Hillary was not elected.

    FTFY. HTH. HAND.

  14. Yeah, I wouldn't call a country shutting down nuclear power plants and building new coal plants "progressive".

    If you look here: https://www.electricitymap.org... you'll see that most of the time, Germany is not that good. Right now it is at 414 gCO2/kWh, which is worse than the US (388) and 6 times worse than France (66). Ontario, Sweden and Norway are even better but they have the advantage of a high hydro capacity. What all the good players have in common: nuclear power of course.

    And those numbers don't even take into account another element of Germany's anti-nuke idiocy: the focus on renewables has created very high electricity prices in Germany, which has contributed greatly to Germany lagging behind the rest of the rich world in adopting electric vehicles. Meanwhile, nuclear-powered France (with electricity prices half of Germany's) is the hottest market in Europe for EVs. EVs are sold in small enough numbers everywhere that they don't yet make a significant difference in carbon emissions, but the electrification of transport is still a very important issue now, because as the emissions of industry and electricity generation fall transportation threatens to become the primary emitter, and the conversion of millions of privately-owned vehicles is going to take a great deal of time. It's important to push the transition now.

  15. That sounds to me like a problem that can be solved with good engineering and proper design, just like many of the other environmental problems. I have spent something like a minute thinking about it.......

    Engineers have been thinking about the problem for decades and haven't solved it. What are the chances you solved it with little thought?

    Try closer to a millennium... and they have solved it, in more or less exactly the way jandersen suggested.

    Engineers have been aware of the [silting] problem for centuries. A dam built in Spain in 1394 is still operating because it was built with a gate at its base so sediment can be flushed out. Some modern dams, including the giant Three Gorges Dam in China, incorporate similar systems. But American engineers, while ingenious at storing and moving water, essentially ignored sediment.

    Source: http://www.hcn.org/issues/43.6...

  16. Countries investing in renewables know perfectly well the strategy means higher prices in the short term, so prices being higher today is actually part of the strategy and by no means evidence it's "not working"

    What, exactly are they trying to accomplish? If they're trying to reduce CO2 emissions, then that's a bad strategy because it encourages the use of fossil fuels for transportation. Germany is lagging far behind the rest of the rich world in adoption of electric vehicles, and with such high electricity prices we can expect that to continue.

    At present, industry and electricity production are larger producers of greenhouse gases than transportation and should be reduced first. But replacing millions of vehicles will take a lot of time, so it's important to start that changeover as early as possible, while simultaneously moving to lower-emission industrial processes and power plants. Shutting down nuclear plants, the cleanest, safest form of electrical power generation yet created, while encouraging continued reliance on fossil fuels for transportation is just foolish.

  17. The first video on this page at about 50s in corroborates Trump's statement that he was not under investigation. http://circa.com/politics/acco...

    He said Trump and his top aides weren't a target. Perhaps Trump knew that if the investigation continued long enough, they would be.

  18. Re: Getting along? What are you talking about. on Buzz Aldrin To NASA: Retire the International Space Station ASAP To Reach Mars (space.com) · · Score: 1

    You have about seventy years of respite from the GGP's view out of millennia, and you declare victory? And that's only counting the western world. Make no mistake, that view is still operative in many parts of the world. I think history may still have a few lessons to teach you. It ain't over quite yet.

    It's much more than 70 years, and it's not only in the west. Most of Asia is on board. And while the ancient view still holds in some places (and in some people in all places), it's clearly moribund.

  19. Re:Only if you don't know words on 'Google Is As Close To a Natural Monopoly As the Bell System Was In 1956' (promarket.org) · · Score: 1

    I think you meant to reply to a different post. My comments had nothing to do with monopoly questions, advertising, etc. All I said was that you could build a Google search replacement in your garage, and grow it into a Google search-beating company.

  20. Re: Getting along? What are you talking about. on Buzz Aldrin To NASA: Retire the International Space Station ASAP To Reach Mars (space.com) · · Score: 1

    Two societies, one with your view, one with his. Who wins?

    History shows that Rei's view wins. The GGP's view was dominant for millennia, and has lost.

  21. Re:Only if you don't know words on 'Google Is As Close To a Natural Monopoly As the Bell System Was In 1956' (promarket.org) · · Score: 3, Insightful

    Google can have a startup take over tomorrow. They aren't doing anything in search that some guy in a garage can't do.

    Exactly ... except the garage would need to be a few million square meters, and the guy would need ten billion dollars to pay for all the servers to hold the caches and indexes. But other than that, sure, a guy in a garage could easily do it.

    Not really. You can scrape the whole web and index it on a few beefy machines and a few terabytes of disk. What requires the massive infrastructure is answering millions of queries per second from that index.

    You could build a search engine in your garage, and if you came up with algorithms that beat Google's by a significant margin you could easily find the funding to grow your infrastructure to keep up with your user base -- or you could go to one of the other giants who already has the necessary infrastructure and sell to them. Amazon's infrastructure plus a search algorithm that is sufficiently better than Google's would be a Google killer, no question about it. But you could also get the funding to grow your own.

    (Disclosure: I work for Google, though not on search.)

  22. Re:False Flag, or just an idiot? on A Bot Is Flooding the FCC's Website With Fake Anti-net Neutrality Comments (zdnet.com) · · Score: 2

    Sadly, if we were to remove all of the automated bot-driven content, there is likely a pathetic amount of feedback being posted from actual citizens who care enough.

    My perusal of the comments, as well as the numbers from the article, refute this. The bot comments seem to constitute at most half (the article says 10%) of the more than 500,000 comments received. I'll grant that John Oliver's show is probably the proximate cause of nearly all of the real comments received, but that's okay, it's still real people taking the time to speak up.

    500,000 comments. Coming from a population of over 300 million citizens.

    The comment period is open until August.

  23. Re:Nobody can duplicate what Google does on Slashdot Asks: Which Tech Giant You Can't Live Without? · · Score: 1

    Now that google is dominant, websites are written with Google-ability in mind.

    How does one write a website for google-ability? What would one do differently to write a bing-able web site?

  24. Re:False Flag, or just an idiot? on A Bot Is Flooding the FCC's Website With Fake Anti-net Neutrality Comments (zdnet.com) · · Score: 1

    Sadly, if we were to remove all of the automated bot-driven content, there is likely a pathetic amount of feedback being posted from actual citizens who care enough.

    My perusal of the comments, as well as the numbers from the article, refute this. The bot comments seem to constitute at most half (the article says 10%) of the more than 500,000 comments received. I'll grant that John Oliver's show is probably the proximate cause of nearly all of the real comments received, but that's okay, it's still real people taking the time to speak up.

  25. I don't use Facebook or any MS product on Slashdot Asks: Which Tech Giant You Can't Live Without? · · Score: 1

    I don't use Facebook or any MS product *now*, so that much is very easy.

    Apple... I do have a Macbook, which I like, but I could replace it with a high-quality laptop with a good Linux distro without any qualms. I don't use any software which doesn't run on Linux.

    Amazon would be tough. I buy tons of stuff from Amazon, including monthly subscribe & save items, etc. But I could do without it.

    Google, heh. I use Android devices (phone, tablet, watch), and Chromebooks, and Chromecasts, and Nexus Players. I have Nest thermostats, smoke alarms and security cameras. I have a non-trivial investment in apps, books and movies on Google Play. I use Chrome, though that would be easy to change. I make heavy use of Google search & maps, though I suppose those might not be too hard to replace with Microsoft's or Apple's versions. Vast numbers of documents, spreadsheets, etc., personal and professional, are in Google Docs. The primary way I message people is via Google Hangouts (more than SMS). All of my photos are in Google Photos (though they're in other places as well). I use Drive for my offsite backups. My personal email domain is handled by GMail. That would be a PITA to move.

    At the end of the day, I *could* do without any of them, but leaving Google would require a huge amount of effort and be extremely painful.