Your computer is engaging in a persistent session with the login page, using the cookie as an on-request validation token. If you don't use that computer, or you delete the cookie, you don't get the login page until you log the computer back in.
Once your computer is logged in to the login page, it's time to log yourself in to your account page. Your account session expires much more easily than the computer's login session does. The computer could conceivably remain logged-in forever (but in practice things get reset during maintenance and upgrades at the bank). You lose your personal session access whenever you close the last account window, or do not send data for several minutes.
Why? Man-in-the-middle is not trivial on SSL links.
You don't know what secret question to ask unless you've intercepted the question setup, and you can't do that unless you intercept the account setup and act as the SSL endpoint yourself, and act like you're setting up the account. But if you do that, then there's no actual account at the real bank for you to be hacking into.
Hmm. Have ten million users doing the same ten million calculations each on different data on the sever, or have the ten million users download their data and do the calculations on their own machine...which one will complete faster?
Server-side scripting is a massive bottleneck if the page has any complexity at all.
What you should be complaining about is the disastrous state of the code sent to the client side. Most of it is painfully bad.
URIs have become cumbersome. Making the net content-addressable is a big efficiency measure.
You can still give out a key that will only map to you, and return a URI that is clearly you. Or at least as clearly as happens now when someone does a Google search.
But now you're not constrained to identifying yourself with some bogus fqdn with a limiting TLD stuck on it.
As for Phishing, banks have moved to authentication systems that use graphics on the page to tell you that the password-entry box you're looking at is legit. If you don't see your predetermined secret glyph, you don't enter your password. And the glyph isn't sent until your browser and the server are connected by SSL, so it can't be sniffed and hacked into a phishing site. And it isn't sent unless your browser already has a cookie identifying it as having been validated previously, using a secret-question protocol. If you deleted the cookie, you go through the secret-question routine again.
Short of adding more layers of such things, or using in-person pre-validated biometrics over secure links, you're not getting much more security than that on the internet. Using simple, recognizable URIs won't help you, and really, just invites social engineering based on URIs that look almost legit.
People breaking into a private company is a private company's problem to prevent.
If they catch someone breaking in, they can report it to the police. Who will probably say something like "we don't do that", which is what they've told me every time I've reported a crime.
Unless the theory is wrong in a way that doesn't affect any other measurable phenomena but adds arcane terms and virgules over virgules to the equations. Then it's the sort of fiddly physics that takes the elegance out of the current theory.
As does their logic about images of people making love being bad for kids and images of violence being good for them.
Saving, no. Making, yes.
Angles of reflection for grazing incidence would not be linear with errors in size.
In other words, a 1.3% error would be a tip into the catcher's mit. A 4% error would hit the umpire in the mask.
You notice one a lot more than the other, because the effect on interactions is bigger than the input error is.
Neener.
Astute.
That is in fact what is going on. Sort of.
Your computer is engaging in a persistent session with the login page, using the cookie as an on-request validation token. If you don't use that computer, or you delete the cookie, you don't get the login page until you log the computer back in.
Once your computer is logged in to the login page, it's time to log yourself in to your account page. Your account session expires much more easily than the computer's login session does. The computer could conceivably remain logged-in forever (but in practice things get reset during maintenance and upgrades at the bank). You lose your personal session access whenever you close the last account window, or do not send data for several minutes.
I'm speaking in the original Spicoli. You can read the translations in the boxes above and below the panel.
'Nuff sed.
I think you're forgetting that "URL" is deprecated and those things in the box are now called "URIs".
Why? Man-in-the-middle is not trivial on SSL links.
You don't know what secret question to ask unless you've intercepted the question setup, and you can't do that unless you intercept the account setup and act as the SSL endpoint yourself, and act like you're setting up the account. But if you do that, then there's no actual account at the real bank for you to be hacking into.
I've never understood why all the application controls are under the "File" menu.
You mean this time someone's making money on every click, and is probably crapping their piggy-bank upon getting the article submitted to slashdot...
You mean "Edit" -> "Preferences" -> "Advanced" -> "Encryption" -> "Security Devices".
Both of which can be disabled using about:config settings.
Because Flash it also comes in Adblock configuration, which is handy for when you want to disable the default configuration.
Hmm. Have ten million users doing the same ten million calculations each on different data on the sever, or have the ten million users download their data and do the calculations on their own machine...which one will complete faster?
Server-side scripting is a massive bottleneck if the page has any complexity at all.
What you should be complaining about is the disastrous state of the code sent to the client side. Most of it is painfully bad.
well, no, actually, that's a good thing.
URIs have become cumbersome. Making the net content-addressable is a big efficiency measure.
You can still give out a key that will only map to you, and return a URI that is clearly you. Or at least as clearly as happens now when someone does a Google search.
But now you're not constrained to identifying yourself with some bogus fqdn with a limiting TLD stuck on it.
As for Phishing, banks have moved to authentication systems that use graphics on the page to tell you that the password-entry box you're looking at is legit. If you don't see your predetermined secret glyph, you don't enter your password. And the glyph isn't sent until your browser and the server are connected by SSL, so it can't be sniffed and hacked into a phishing site. And it isn't sent unless your browser already has a cookie identifying it as having been validated previously, using a secret-question protocol. If you deleted the cookie, you go through the secret-question routine again.
Short of adding more layers of such things, or using in-person pre-validated biometrics over secure links, you're not getting much more security than that on the internet. Using simple, recognizable URIs won't help you, and really, just invites social engineering based on URIs that look almost legit.
I did not attend and I have not received any emails of this type.
In case you're being thorough about data, here.
If anyone has a secret collation of all the email lists used in mass-emailings, it's Cisco.
They also know how often you accidentally use the default ".com" instead of ".org".
Your blinders are showing.
http://www.washingtonmonthly.com/archives/individual/2009_06/018561.php
http://gawker.com/5286144/the-rise-of-right+wing-violence
http://www.dailykos.com/story/2010/3/21/73725/4486
http://mnpublius.com/2010/03/gingrich-right-wing-violence-is-dems-fault/
No, the GUTEous Maximus would explain electromagnetism, the weak force, the strong force, gravity, and why anyone gives a damn about Lindsay Lohan.
Your fly is open.
You're welcome.
Seriously.
People breaking into a private company is a private company's problem to prevent.
If they catch someone breaking in, they can report it to the police. Who will probably say something like "we don't do that", which is what they've told me every time I've reported a crime.
Seriously?
You can't swing a dead theory of heat without hitting one.
They even have their own sitcom now.
Bazinga.
fucking protons, how do they work?
Well, first, a daddy proton and a mommy proton get married...
Unless the theory is wrong in a way that doesn't affect any other measurable phenomena but adds arcane terms and virgules over virgules to the equations. Then it's the sort of fiddly physics that takes the elegance out of the current theory.
Since we invented boats.