Slashdot Mirror


User: ctilsie242

ctilsie242's activity in the archive.

Stories: 0 · Comments: 968

Comments · 968

  1. New house style? on Amazon Key Puts Deliveries -- And Delivery People -- In Your Home (wired.com) · Score: 5, Insightful

    I can see a new house style with either a second building like an external garage or an isolated room with its own door, with a fridge/freezer just for Amazon or other deliveries. One door would be for the deliveryperson to drop off the goodies, and another person could just open it up when inside to get stuff. That way, if the lock was forced or compromised, it wouldn't mean access to the entire house.

  2. Re:FIPS = Fucking Insecure Pseudo-Security? on DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections (bleepingcomputer.com) · Score: 1

    I can't prove a human is more random than a good RNG on an Intel chip, but I will assert that taking the sum of both produces a random number pool better than each separately. Using user input is how Linux, BSD, and other operating systems kept their random number pool going for a while, until hardware RNGs became common in CPUs.

  3. Basic security principles state that biometrics are best used for a "username", as opposed to a "password". The true "password" would be something you type in.

    However, with mobile devices, there is a "good enough" factor, so fingerprint scanners are used. This has worked well so far, although with Android, one can have some apps be PIN protected, so a fingerprint scan couldn't have access to the entire phone and its contents.

    Is biometrics a dead end? With more sophisticated scanners to get usable points of data and ways to make it harder to forge them with a gummi bear, curved photo, or other items, they can help. However, for "true" security, they are, at best, just one factor of authentication.

  4. FaceID means Apple has the "courage" to not worry about a fingerprint scanner, so more real estate is used for the display on the phone.

    How about a compromise... stick the fingerprint scanner on the back. Everyone is happy now.

  5. Re:Why more than one? on Dell Lost Control of Key Customer Support Domain for a Month in 2017 (krebsonsecurity.com) · Score: 2, Insightful

    I know this isn't possible, but maybe businesses should have a separate domain that they can federate out to contractors. For example, keep dell.com for core stuff, then have a second domain, dellstuff.com that Dell could hand contractors foo.dellstuff.com, bar.dellstuff.com, etc. This way, if bar.dellstuff.com has issues, it is obvious who the contractor is, and there isn't a need to keep adding new domains. This way, if it doesn't come from dell.com or dellstuff.com, it is almost certainly a fake.

  6. Re:FIPS = Fucking Insecure Pseudo-Security? on DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections (bleepingcomputer.com) · Score: 1

    Initially seed it by asking the user to wiggle the mouse or bang on the keyboard at random (similar to how TrueCrypt gets random values), then use a high speed timer (python timeit, etc.) to grab microsecond or higher timestamps, SHA-512 the timestamps (SHA is mainly used as a bit blender), and toss those in the pool. It isn't perfect, but combined with a hardware RNG, it should be good enough for most things.

  7. Re:All Money, Little Faith on Wolf of Wall Street: Cryptocurrency ICOs Are 'the Biggest Scam Ever' (betanews.com) · Score: 4, Informative

    BTC and cryptocurrencies are relatively new, shiny, and edgy. The problem is that there are tiers of currencies:

    At the bottom tier are items that can be used and traded. Ammo is the ideal currency in this department, since it is fungible (for the most part, assuming factory stuff).

    Once there are some laws or governance in place to minimize cheating, precious metals come to mind, as they have intrinsic value.

    From there, pieces of paper that can be redeemed for precious metals, so one doesn't have to carry currency around.

    Once you get stable governments, fiat currency becomes possible. This allows for capital to expand.

    After you get stable governments, good communication world-wide and solid storage, cryptocurrencies can be used.

    However, like Maslow's Pyramid, if something happens, like communications or power going out, the currencies that are higher level will wind up being useless.

  8. Re:Bubbly bubble - INDEED on Wolf of Wall Street: Cryptocurrency ICOs Are 'the Biggest Scam Ever' (betanews.com) · Score: 1

    That money should be sunk into R&D. Chasing tulips may be popular, but for long term gains, being able to be steps ahead in research, even if it is stuff that sits on a shelf for decades, will ensure things go well in the long term, regardless of the fickleness of the market.

  9. Re:Crypto currencies are not ICOs on Wolf of Wall Street: Cryptocurrency ICOs Are 'the Biggest Scam Ever' (betanews.com) · Score: 1

    This. The currency may be worth something, but converting it to something you can use to buy stuff is hard. At least with the humble dollar, I can buy almost anything. Some places, if I offer to pay in BTC, I'd have a good chance of getting the local sheriff called on me.

  10. Re:I don't get it... on Hong Kong Has No Space Left for the Dead (vice.com) · Score: 1

    There are many ways to dispose of the dead. Cremation is ideal because any bacteria, viruses, prions, or other stuff are incinerated and can't infect others. Plus, a columbarium can hold a lot more urns than a cemetery can hold cold ones.

  11. Re: Um... Isn't this just default Linux permission on Windows 10's 'Controlled Folder Access' Anti-Ransomware Feature Is Now Live (bleepingcomputer.com) · Score: 1

    For a lot of people, it is the opposite. Being able to encrypt or destroy someone's files is far more lucrative than getting root or Administrator rights.

    What is new is the per user/per process granularity (although it really isn't new, as it has been in SELinux for years). This is important, although attacks via IAP mechanisms like Microsoft DDE can jump this... however it is a step in the right direction.

  12. Re:Obvious solution on With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com) · Score: 1

    My LastPass Authenticator (which uses Google's TOTP) can be set to require a fingerprint or PIN. Wonder if that could be considered 3FA. Maybe add some geofencing so it can only be unlocked in a certain area... 4FA now.

  13. Re:Frequently changed on With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com) · Score: 1

    I really wonder how secure LastPass is. It supports a nice list of 2FA options, so if a blackhat managed to, via a Flash based keylogger, or some other means, get the LastPass password, they still wouldn't be able to get the data. However, if LastPass is really compromised, the web extension could (in theory) be written to log the password and send it somewhere, and the blackhat could just decode data blobs that they managed to get passwords for.

    Then there are other password managers. 1Password and mSecure require you to use their cloud, when before, they would piggyback on an existing cloud provider [1]. Neither even does 2FA, other than 1Password demanding a special code in addition to your password. LastPass has proved their security is decent (so far), but the other ones seem like smoke and mirrors to me.

    [1]: Piggybacking on Box, GDrive, or DropBox is decently secure, especially if one had a strong sync password, or the password manager used public keys for each device, and when you added a device, another device would be required to "introduce" the new one. That way, there would be either no way to brute force, or the attacker would be brute-forcing a very long password.

    For maximum security, the best password manager is KeePass, locally stored. However, one has to make compromises if they want the ability to sync with devices.

  14. U2F is too fallible. It assumes I always have a USB port available on a machine, and this may not be the case. Plus, with Google Authenticator TOTP seeds, I can back them up, so if I lose a device, I can restore them to something new [1].

    Maybe the solution is to have a TOTP protocol which takes the time, and instead of hashing it with the seed, does some crypto operation with a public key to sign it, and hash it down to six digits, where the six digits can be validated by the server. Of course, the hard part is the fact that you can't really sign something with just six digits. For backups, you just back up the private key instead of the shared secret seed.

  15. Re:Of course it's not dead... on Tim Cook Confirms the Mac Mini Isn't Dead (macrumors.com) · Score: 2

    The 2014 Mac Mini was a downgrade, going from four cores to two. I'm hoping Apple can do a refresh of the Mini to make it attractive, but still reasonably priced.

    I wish Apple could come out with a Mac Mini at a decent price point, with a modern CPU architecture. That, and refresh it yearly, so we are not dealing with 2014 tech in 2017.

  16. Or toss the tests and actually have courses that are useful to kids. Things like personal finance (balancing a checkbook), civics/government, actual sex ed (where more than abstinence is taught), how to deal with police and not wind up in juvi or adult prison, and so on. Stuff that actually matters in life, especially because for most students, high school is it for education... so might as well make it a way for someone to enter a trade and get a meaningful, skilled job, as opposed to graduating to nothing.

  17. It took multiple acts of $DEITY to get a chip onto cards here in the US. Chip-and-PIN should have been deployed back in 2015, or else merchants would take the financial responsibility. I have yet to encounter a merchant that actually uses a PIN for the credit card side. A lot of stores still have the chip reader taped over, and one still swipes their card.

    I wish the US could join the rest of the civilized world here. Chip-and-PIN for card present transactions, and for other stuff, it would be nice to have a little e-Ink display with a button that can be used with the card's PIN to ensure security for card not present transactions, similar to how SecurID cards work.

  18. Re:The Shine is Off the Apple on "Maybe It's a Piece of Dust" (theoutline.com) · Score: 1

    Dell was the only vendor with working docking stations. The nice thing about them was the fact that they could handle a lot of insertion/removal cycles, where ports like USB or others would wind up breaking over time, assuming someone on the road who constantly docks and undocks.

    I'm guessing USB-C docks are the way of the future, but there is something nice about just plopping the machine on a dock, having it do everything else, then mashing an eject button and heading out.

  19. This is why I lost interest in smartphone games... on Activision Patents Pay-To-Win Matchmaker (rollingstone.com) · Score: 3, Insightful

    Before Apple had IAP, you paid a few dollars for a game, and got a decent amount of levels. Often, there was a sequel, so you spent $3.99 or so and bought that.

    Then came IAP. Games which were challenging but fun became a lot harder, in order to force people to buy powerups to beat the game, or the game would have a delay if you lost... of course, you could pay something to have the delay removed. Additional levels? More dosh. Even a basic tower defense game became so loaded with costly powerups that the whole genre wound up collapsing.

    If I want Farmville, I'll play Farmville. The whole gaming genre has been so polluted by this P2W crap that it just isn't worth the time, and since older games that haven't been recompiled for 64-bit and haven't been updated are wiped off Apple's App Store, what is worth playing is pretty hard to find.

  20. Re:I get it, kind of on The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com) · Score: 4, Insightful

    I can see this becoming worse, especially with encrypted media extensions that obfuscate the presence of a mining tool under the guise of DRM.

  21. Re:The Shine is Off the Apple on "Maybe It's a Piece of Dust" (theoutline.com) · Score: 3, Interesting

    Oddly enough, I'm seeing Dell start to be what Apple was, especially with their new Latitude models. Some of Dell's items are better MacBook Pros than Apple's offerings, especially because they include much-needed ports.

    Of course, there is the customer service difference, but with Dell, the trick is to buy the business class, and their pro level of support, and it is decent.

  22. Re:I haven't had _that_ problem... on "Maybe It's a Piece of Dust" (theoutline.com) · Score: 1

    It definitely isn't fun when using vi... However, I've used a Lenovo laptop a couple years back that had a similar touchbar, and that was even worse, as they decided to move the caps lock and "\" key somewhere random as well. After that experience, the Apple touchbar isn't that bad.

  23. Re:It's the same tool my identity theft plan uses on 'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) · Score: 1

    Agreed. Because it is a shared secret and MITM-able if the SSL link is not present, it isn't perfect. However, it is far better than 99.99% of what is out there. The ideal is definitely the U2F token, but oftentimes, one may not be at a place where they can plug that in.

  24. Re:Chrome only... on 'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) · Score: 2

    This also is a deal-breaker for me, since I use a program called Boxcryptor with Google Drive and other cloud services. I like packing my own parachute and having my own encryption layer.

  25. Re:It's the same tool my identity theft plan uses on 'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) · Score: 4, Interesting

    How about FIDO U2F and the Google Authenticator (RFC 6238 and RFC 4226)? The six digit TOTP code has been proven across many, many sites (I use it on Microsoft's, Amazon's, Gmail's, and many others.)

    What would be nice would be a dedicated PDA-like device with a camera for reading QR codes, a touch screen for inputting codes by hand, a charge-only USB interface, and an SD card interface for backing up the OTP seeds. The device never sees, nor cares about the Internet, and is only connected to a USB cable to get power.

    The closest to this we have now is an iPod Touch.