From some reports, Apple has always had this capability and selectively used it. The Recovery Key was something you could do on your own, but you could potentially also convince an Apple tech to escalate it and go through an identity-proving process.
What's clear is that people routinely lost or didn't write down their Recovery Key, and one has to intuit it was an ongoing problem and stress for users who enabled "two-step." In this new version, Apple ostensibly could be social engineered, but note that Apple will only engage in account recovery *to a registered phone number*. So you can't call at random, get a random CS person, and do it. You have to apply, they call back (from a team dedicated to it) and only to a number that's registered to the Apple ID account in question.
I spent many hours and many emails with a good accountant, and he advised me not to launch a Kickstarter late in the year! However, there was no better time, and I had to work around the cash-flow issue, as I describe.
The state taxation issue was my fault. I had, in fact, budgeted to spend *more* on tax than I actually owed. So I wouldn't have come up short. Based on my communication with the state, I expect that I would pay different rates on parts of the Kickstarter, and potentially pay up to about 5% to the state in tax. In the actual event, it was about 1.5%.
However, I should have better understood the issue of destination addresses so that I had properly collected that information from everyone. That's something that I've now heard from many other crowdfunding projects about, too.
Further, at least Washington State requires you pay in-state retail business and occupation tax plus sales tax on all sales for which you cannot account for the destination. That can be a huge tax bill.
Thanks, much! Really, I wrote the article in part as a public service, not to be full of myself, because so many people I know have these questions. I have some answers, lots of questions, and lots of places to point people for planning. The commenters here can be awful at times (some are great, thanks!), but they're dwarfed by the number of people who are reading the article.
"aaaaand I'm guessing your compensation is at least partially based on clicks.": Our compensation is based on producing new content that people want to read; clickbait doesn't get us anywhere, because it doesn't turn into people reading the articles, but clicking and leaving. It also earns us anger, which doesn't help foster regular readers. Also, a 4,000-word article about tax issues is usually *not* traditional clickbait under any reasonable definition...
"That's nice, but you're not a lawyer or a tax attorney so my advice is to stop pretending like you are one before someone in a position of authority takes notice."
I love how people who didn't read the article out themselves so clearly!
Absolutely correct in one regard, but some very large businesses also run on cash if they don't make stuff that's inventoried.
I did research it (and mention it in the article) and discuss it with my accountant. Because the publication doesn't really qualify for accrual accounting, it would have invited scrutiny (or worse) had I switched to accrual to get advantageous accounting rules for a specific project.
I researched this and discussed it with my accountant. My accountant said that switching a cash-basis business to accrual for the sole purpose of deferring taxes for something that isn't part of its routine business could be met with scrutiny and penalties — and be disallowed.
And the IRS rules make it clear that you can't simply align revenue and expenses. It has a number of examples in which it's clear that in a Kickstarter, the revenue couldn't all be deferred, although the expenses might be allowed to be taken in 2013 if contracts were signed and other tests made.
Thanks, TheGavster! For me, I had sufficient cash flow and overall income from the main business relative to the size of the Kickstarter that we could have weathered it if we hadn't had a perfect alignment as we did.
I don't mean to sound totally hapless. I had put a reserve of cash away for taxes and estimated *too high* for the state taxes as it turned out. But I didn't plan as thoroughly as I should have, and I have seen this bite a lot of other people I know, too.
If it's interesting and useful, and I submit it under my name, and it gets posted to the home page by people with full awareness, it seems like you're engaging in meta-moderation within a thread.
I don't post B.S. to Slashdot; I've been using it since it started (not under this ID at the very beginning). The moderators and other tools prevent useless stuff from rising to the top.
I completely understand that! But it's difficult to say "clickbait" if you haven't visited the site.
Medium is no panacea, and this is a period when they're spending money to figure stuff out before they plug in a revenue pipe (see public statements by Ev Williams). However, you're seeing a ton of links to Medium because it's got a great front-end for writing and publishing. I've been working with Web-based content-management systems (CMSes) and sadly wrote a few myself for nearly 18 years, since the first formal ones arose. And Medium is pretty fantastic for writers and publishers.
I think it's very good for readers, because it doesn't have cruft. It's words, no ads, photos/video well presented. So people have raced to write there if they don't want to use blogging software because it's just the story.
Yes, there are a lot of SEO marketing types writing stuff at Medium. But there's a lot of good work (not tooting my own horn as I'm about 0.001% of the content of Medium) that's there, too.
It's difficult to claim "clickbait" when there are no ads!
I wrote the article in this link, and edit a publication called The Magazine. Medium pays us to write new content and post archived material from our publication to their site while they learn about what people read. They're looking at a lot of data (which anyone who uses the site, even as a blog platform, can see in the stats page) to figure out whether people read entire articles, etc.
I wrote 4,000 words from months of dealing with tax and business issues related to Kickstarter. I didn't realize that would be considered *thrilling clickbait headlines*. Instead, I thought Slashdot readers, among others, would be a likely audience working in and around crowdfunding, and might like to get some information before launching one about the tax and accounting side of things.
The "multiuser blog" is a collection of related articles, some of them run by publications like mine.
On fees: fees are generally charged, but they are tiny. However, all those involved in Bitcoin (including miners and software developers I spoke with) know that fees will rise and mechanisms are being created to make that simpler. The production of Bitcoins will halve in 2016, and miners are, over time, expected to derive the rewards that drive investment and operation of the system's functions (operating nodes, mining, "burying" transactions in the block chain, all interrelated) from fees rather than coins.
If you read Andreessen's piece and my essay, you'll see that he properly discusses essentially counterfeit payment from one party to another, but doesn't address fraudulent payment and the infrastructure to ensure that the party paying owns the funds used to pay. That is, if Bitcoins are stolen and used to pay for goods, a merchant faces the same trouble as if cash were stolen and used to pay. Except cash can be untraceable, and Bitcoin transactions can be tracked, even if the party isn't directly known who engaged in the transaction. Law enforcement could prove funds are stolen even if they can't recover the goods or services purchased with the funds, and clawback the funds from the seller/merchant.
None of that is addressed in Andreessen's essay, in which he proposes that Bitcoin by having very low or no fees on Bitcoin-to-Bitcoin transactions removes the necessity for any per-transaction fees as are charged to deal with fraud and overhead in a credit-card system.
Most merchants are going to be more likely to deal with an intermediary Bitcoin operator who will handle transactions on their behalf and charge a fee for chargebacks and theft recovery.
The point of this article, which I wrote, is both to inform people of the practical aspects of 802.11ac, and also to deal with the disappointment. Average users, to whom these products are marketed in sound bites, may be upgrading because they think "faster is better!" This is to provide a realistic case for what 802.11ac will offer in Apple's version (and everyone's).
Outdated opinion on 5 GHz. The channels 149 and higher can broadcast at 20 times the signal strength of channels 36 to 48, and Apple and others have been boosting power progressively over the years. I can see it around me in my home and the last office I had: you can see a lot of 5 GHz now because of newer devices, where before, I only saw 2.4 GHz. That's anecdote, but fire up iStumbler or a Windows equivalent (aircrack-ng?) and see what I mean.
I'm never sure if Slashdot commenters read the original article or the blurb.
In the article, which I wrote, I explain the precise degree of risk, who is at risk, and how to mitigate.
* Recommending software: I did not write the article about 1Password Pro; Joe Kissell did.
* I do not receive a share of advertising revenue, nor is any of my writing for any of many publications based on advertising revenue. I receive a fixed fee arranged in advance. Only the publication knows whether or not advertising was justified.
* Attacked on his income: Neither the publication TidBITS nor I personally have any income issues associated with the sale of any security software.
This article was for normal folks, not security experts, and tried to explain in clear terms how to disable (for instance) any PIN-based access or switch away from a numbers-only password.
The criticism here seems both misplaced, conspiracy oriented, and not based on a reading of the article.
1. If you're having trouble with WPA2, it's an implementation issue. There's no reason that WPA2 shouldn't work as well or better than WPA. In some silicon, AES-CCMP encryption can work faster than TKIP. Check for firmware upgrades on adapters and APs.
2. TKIP keys cannot be extracted by any known methods. Short TKIP and AES-CCMP passphrase-based keys are vulnerable to brute-force dictionary attacks, typically based on precomputed common SSIDs. A key of 10 or more characters is probably fine; 20 random characters is beyond computation in this universe. 63 is just silly.
3. The TKIP exploits are particular to AES-CCMP and don't recover the key, nor does any particular key length prevent the exploit. The exploits rely on a set of givens (such as 802.11e/WMM being available and enabled on a router), but this latest exploit that I link to uses the integrity checksum to extract a packet delivered to a client in the right circumstances.
4. This attack could be weaponized, but it's a proximity attack, so the yield is very very low in such attacks.
That only works for short passwords using dictionary words and common alternatives--typically eight characters or fewer. Yes, you can get precomputed dictionaries for common SSIDs, and you can even use a new service to do some computation.
However, move to 9 characters of random text (&fa^g_!80) and a unique SSID ("My little pony's network"), and all bets are off to computing the result in anything like a usable period of time.
TKIP and AES-CCMP remain strong for long, strong passwords, long being 10 or more characters, but 12 to 20 is best.
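An added illustration of the two points made in the comments above (the SSID acting as a per-network salt, and why passphrase length matters); this is my own code, not the commenter's or any tool's, and the guess rate used for the time estimate is an assumed figure.

```python
import hashlib
import math

# WPA/WPA2-Personal derives the 256-bit PSK from the passphrase with
# PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations (IEEE 802.11i).
# Because the SSID is the salt, a precomputed table only covers one SSID, which is
# why such tables are built for common default SSIDs and a unique SSID defeats them.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for this passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PSK_LEN,
    )


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def brute_force_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Years to exhaust a keyspace at a given PBKDF2 guess rate (rate is an assumption)."""
    seconds = 2 ** entropy_bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample values: the passphrase from the comment, a common default
    # SSID, and a unique one. Same passphrase, different SSID -> different PSK.
    passphrase = "&fa^g_!80"
    for ssid in ("linksys", "My little pony's network"):
        print(f"{ssid!r:30} -> {wpa_psk(passphrase, ssid).hex()}")

    # Assumed attacker rate (not from the comment): 1e6 PBKDF2 evaluations/second.
    rate = 1e6
    cases = {
        "8 lowercase letters": passphrase_entropy_bits(8, 26),
        "9 random printable": passphrase_entropy_bits(9, 95),
        "20 random printable": passphrase_entropy_bits(20, 95),
    }
    for label, bits in cases.items():
        print(f"{label:22} {bits:6.1f} bits  ~{brute_force_years(bits, rate):.2e} years")
```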
That's not as limited as it sounds. There are perhaps hundreds of millions of routers running versions of embedded Linux, and WMM/802.11e may be enabled by default on many of those!
I wrote a long article for Ars Technica nearly a year ago that looked at the past, present, and future. The reality hasn't changed much since then.
Most so-called municipal Wi-Fi projects involved a handful of companies absorbing all the initial network cost in exchange for some to no city business and access to citizens for coverage. EarthLink, MetroFi, Kite, and AT&T were the most prominent. EarthLink got out of the business; AT&T still does some metro-scale networking (Riverside), and MetroFi and Kite shut down.
There are a ton of networks run entirely or nearly so for public safety and/or municipal purposes that have been very successful in Oklahoma City and elsewhere.
The final standard simply confirms what's been shipping in the market in largely unchanged form for over two years. The Wi-Fi Alliance has been certifying devices against a stable draft since 2007. There's no such thing as "pre-standard" devices in this category. Either they have a Wi-Fi seal for Draft N or they don't.
My analysis about how the 802.11n stuff works related to an iPod touch, such as explaining what single-stream 802.11n means as a media server, is here at TidBITS. The iFixit teardown is here.
I've looked through the comments, and I cannot tell whether anyone has read the paper linked or is commenting on the summary. The summary, derived from news coverage, is incorrect.
The exploit works only to recover a single MIC encryption key which is distinct for each packet. It allows a packet intended for a client to be falsified, but the packet has to be short and mostly known, like an ARP packet. The researchers require that they act as a physical man in the middle, as a relay between an access point and a client, where the client cannot receive signals from the access point.
It's very clever, but it doesn't involve breaking TKIP per se; it has nothing to do with key recovery for network encryption.
TidBITS system guy here. Sorry for the troubles. We had a glitch in our Apache min/max/spare/etc settings that was triggered for the first time by Slashdot traffic. (A combination of a new method to zoom images and AJAX produced a very high set of spawned children for each new visitor.)
These aren't encrypted files. These are data to which they already have access (iCloud Drive, contacts, calendars, and purchases).
It's more like the lottery.
So.
Now, c'mon, grizzled veteran (like myself?).
That comment is halfway between troll and truth.
Sorry, I didn't properly include the link.
This is a funny day at Slashdot. +3 guffaw points.
Actually, I was thinking chalcogenide could be a good new name for a mixed drink. Maybe grenadine, liquid oxygen, and something fizzy.