What is with the quotes at the bottom of the page that sometimes have strange words in all caps?
Never figured that one out.
Didn't read that far.
I got this far, and stopped reading:
That was my last property in Belize, went up in smoke. It's a very freeing sensation to have no burdensome taxes to pay or wages for upkeep and electricity and what have you. So they did me a favor.
Sounds like it didn't come as a total surprise if you ask me. Just sayin.....
Well, there may be no need depending on the severity of its first experience.
As for sitting furniture, it's an amazingly bad idea. I'm just picturing a couch.. Kids spilling drinks. The dog pissing on it.
The kids will never learn, but I wager the dog won't piss on it more than once.
Same dudes.
Both know surviving examples will be kept by the Navy at Keyport.
There were also a bunch of patents seized by the government, and pulled from the archives, and it's not at all clear that the original patent holder was adequately compensated.
In that day this was easy because there was essentially only one copy in existence and the archives hadn't even been microfilmed yet.
Nice try, Godwin, but you forgot that no one had any right to privacy in the Third Reich.
Because that is the trend. Courts are fighting back against creeping totalitarianism.
And obtaining a warrant is not that big of a deal.
The officers were investigating a domestic disturbance, which qualifies as an exigent circumstance under California law.
Had they merely walked out and met the officers on their porch, nothing would have happened.
Yet they prevented the officers from doing what the law required them to do.
Don't like that law, then get the law changed, and watch more monsters beat their wives while forbidding the police to enter.
The people you elected voted for that law, principally to protect women. If a vote were held today on that issue it would pass again, easily, because women voters outnumber men, and Ariel Castro has taught us all a lesson of what an unrestricted right to privacy in your home can bring.
Powered off is all you need. You have plenty of time to obtain a warrant on a powered off phone.
Airplane mode is all you really need.
Also please cite even one case where a co-conspirator wiped a phone in police custody.
You must live in Seattle.
Oh, don't worry, there are plenty of other reasons that will be pushed to the front even if every drug on the planet were legalized.
We have the war on terror (where mere possession of a piece of wire makes you guilty of possession of bomb-making materials)
We have the war on child porn (where pics of your kids' first bath make you a child pornographer)
We have the war on sex crimes (where taking a whiz in an alley after too many beers makes you a sexual predator)
Police were busting down doors without warrants long before there was a drug trade.
Records are one thing (and the Justice Department had a warrant), but your secret stuff in your phone is quite another.
You expect your phone records to be less protected, because you entrust them to a phone company.
That might be the most worrying thing, it actually makes sense! Sure to be overturned on appeal!
Almost certain to be ultimately upheld on appeal.
Does this work for the locks on my house? The dial on my safe?
You're asking this of guys who'll kick down your door if you don't open it fast enough and run in with weapons blazing?
Seriously?
Unless they are in hot pursuit, they will not kick down your door without a warrant.
With a warrant, they will use the City Key to open your door, especially if the warrant specifies flushable drugs.
Please don't post when drunk, M'kay?
They already had him on doing a drug sale, and the cell phone was searched after he was read his rights and his items were confiscated for booking.
But in most jurisdictions, if they had taken his car while making the arrest, they would have had to get a search warrant before they started digging around in the car.
It seems only proper that they get a warrant for the phone. If it makes as much sense as you seem to imply, they would have no problem getting the warrant.
Unless they suspect there is evidence in the car, they don't automatically have a valid reason to search it. Even if they believe there may be a trunk full of drugs, most police agencies will get the warrant just to be sure it stands up in court, because "suspecting there is evidence" has been found to be just too big of a loophole and has been so often abused that it is routinely thrown out. In fact, in some jurisdictions, if they seize the car/phone, all emergency situations cease at that point and there is no longer an exigent circumstance to search for drugs. Bombs, maybe, but drugs or cell phone data, not so much.
See: http://www.aclu.org/drug-law-reform-immigrants-rights-racial-justice/know-your-rights-what-do-if-you
As for "having him on drug sales", I fail to see why that makes a difference. They already had his phone too. He wasn't going to be given a chance to wipe it.
There is no technical solution to phishing, but getting rid of passwords altogether in favor of physical one-time key generators (which are challenge/response devices) is a good start.
Here's why that doesn't work. The attack is very, very, very simple, and once you see it explained, you'll never trust those sorts of services again. A basic attack looks like this:
Attacker compromises the device and waits for user to log into Google.
Attacker captures the response to the authentication request and forwards it to their own server.
Attacker's server connects to Google's system and obtains credentials.
Attacker displays a network error message to the user. The user logs in again to the real Google server, unaware that the first attempt was successful, just for
Here is how I know you haven't a clue what you are talking about, and why I hope you will just go away and stop pontificating:
Attacker compromises the device...
Really? Really? Just like that, compromises my cell phone, which is never out of my possession?
How is it you hand wave all that process away?
And waits for the user to log into google
Again, really? Do you even have a clue how Google Authenticator works?
You don't log into Google with the authenticator. You log in with some other computer over an SSL connection.
Then Google asks you for a code from the authenticator app. Guess what: the app doesn't even talk to Google except at install time. You can put your phone in airplane mode and still get a code from the authenticator.
So even a compromised phone (something you seem to think is trivial, but never bother to explain) won't do you any good because it does not contact Google.
You then key this number into the computer talking to Google over an SSL connection. It compares it to the number your authenticator would have rendered for that particular 30-second window. If it's good you get in, but again you are in an SSL pipe.
So you capture nothing. NOTHING.
Attacker captures the response to the authentication request and forwards it to their own server
No it doesn't, because you captured nothing. It was in an SSL pipe from some computer you don't even know about.
Further, the code has been USED, and it's no good any more. It's a one-time code.
Further, Google would see you trying to create your own connection and would immediately ask you to get a code off of your authenticator...
but wait, you don't have an authenticator synced with that account, and the old number is no good...
You would have to already have an SSL-compromised machine in place and lure a Google user into signing on via that specific machine.
But wait, that wouldn't work either because Google already detects this. Even Schneier does believe this would work even with national authorities forcing bogus certificates.
Even if you had a pre-compromised computer and an elaborate SSL spoofing setup in place ahead of time, on a computer that you knew I would have to log in from, you can only compromise that single session, and when you attempted to change anything so that you could log in again in the future, I would be locked out of the account, and would therefore know the account had been compromised.
So just stop hand waving into existence imaginary compromised devices, and thereby supposing into existence the hardest part of the whole operation.
If this were so easy, it would have already been done. Yet every attempt to bypass two-factor has been done via apps that would not support two-factor, and which required an application-specific password, which in the end is just another password.
I think that Google Authenticator tries to prevent mitm attacks by having any given token usable exactly once in addition to having a very short lifespan.
So any putative man in the middle must get to Google before you do and immediately proxy everything you want to do from that point on to prevent you from discovering the attack.
If you lose your phone you can still log in with your emergency passwords and lock
I think you underestimate authenticator.
There are similar schemes that use a single purpose hardware fob that simply displays 6 or 8 digits with no network connectivity (just a very accurate clock).
Who can they know, or how can they know?
If I learn that your password is kjwrxe72 when you log into Slashdot, guess what password I will try first when I find out your email address.....
PayPal CIO wants to ditch all passwords.
He is suggesting as an alternative something from the FIDO Alliance.
It could be something as simple as the Google Authenticator that generates numbers that last for mere moments.
The long and the short of it: Not Much!
Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.
They claim it was for "important accounts" but how important would the account be that was being used in a study?
Lots of people re-use passwords on "nothing accounts" simply to prevent having to remember a gazillion passwords.
That doesn't mean they reuse all passwords.
It's probably more important to not log in using the same user name on many different sites than it is to have passwords consisting of crazy strings of random characters that you can't even type consistently, let alone remember. If someone guesses your re-used password on one site they have a much better chance of guessing your other logins.