Indeed. States are hugely immoral and dangerous actors. What they can do must be carefully limited and controlled. People have forgotten that in the west due to an period of relative quiet and a strong external enemy. But like all power-structures and bureaucracies, states always strive to grow their influence and level of control without limit and states always primarily serve those in power, not their citizens, unless forced to. Democracy was designed to put a control on that and allow the population to implement limits. These days, states get around that by keeping large parts of the population in fear, by a huge propaganda machine and by using secret laws and secret courts outside of public review. Unfortunately, many citizens are vulnerable to this type of attack and hence the controls do not really work anymore. Unless that trend is reversed, the next fascist catastrophe is assured because states are unable to limit themselves. The voters are the most critical element in keeping them under control and relatively benign.
Naa, we have yet to see the first woman as the perpetrator in a scandal like this. Doubtlessly, it will happen eventually, as this is not about sex but power. (If it were about sex, they could just buy time from hookers. Even though most hookers will not actually tolerate such behavior...) But it has not happened yet.
Well, the problem is serious, look at all the unsuitable people in high political and economic positions that got there by basically the same process, even if often more refined in appearance. The ones in social media are just a side-show from those that are bitter because they did not make it. The effect is well known though, and it is a kind of mental defect. It is called "Negative Attention-Seeking Behavior". It is made worse because there is another mental defect (IMO) where people actually admire the ones that are good at getting negative attention and mistake them for independent thinkers or independent people that are strong the do not need to care about anybodies opinion. Nothing could be further from the truth, of course. Just think of Kim without Donald or the other way round. Both would feel massively underappreciated.
And that is how it has always been and always will be: Men with a lot of power think they can get away with it, and women that want something from these men also think these men can get away with it. As neither will change, the problem will persist. That one or the other of these men will at some time lose most of his power and then the accusations will come flying is part of the ritual and generates a nice, temporary scandal that will change exactly nothing.
This is not a problem that can be fixed. It is one people can to be warned about, but that is it.
In particular, social media made it much more obvious, how stupid, uneducated, anti-fact, anti-rational, self-absorbed, vivious and generally failures at existing many people are by giving them a low-effort way to spread their perverted views. But leave it to a journalist to blame the messenger. Incidentally, blaming the messenger is one of the most stupid acts known.
This is the MBA "bean counter" mindset at work. Zero understanding of the risks or the subject matter, these people have been trained to squeeze out the last cent from everything that costs money. "Save a penny, lose a million (or much, much more)" is what this stupidity nowadays boils down to. There will eventually be a backlash and I hope all these morons will find themselves unemployed (hey, I can dream, can't I?) and things will change. But there will need to be a lot more catastrophes first.
The aim is not to be absolutely secure. Thinking that is a beginner's mistake. The aim is to make attacks sufficiently expensive that attackers lose interest. The easiest way to see that is to stop thinking about this as a black/white security question and use the actually correct framework of risk management.
Frequently changed passwords do not increase security. They do _decrease_ it. Smart security experts have known that for a long, long time. Those that do not understand security but only follow the rituals are clueless about this, as usual.
Incidentally, it is also better to use a complex password and write it down than to use a simple one and remember that. Most attacks on passwords are over the net and not by stealing your wallet. Of course, remembering a complex password is best and that is another reason why requiring frequent password changes is a really dumb idea.
Well, yes. Only that a "soft token" actually happens to not be a token in the sense required for 2-factor authentication, unless stored on an independent device. If you do not mind that little detail, then they are really quite convenient. Of course, just simply doing without that token would be even more convenient and cheaper and offer about the same level of security. But then, the "ritual" of 2FA would not be followed anymore and even the dumbest person might get a clue that it is not actually 2FA, but a pretend-version of the same that actually does not increase security at all.
Faking security is never a good idea. Security is subject to KISS to an exceptionally strong degree. Requiring the ritual in order to make it appear that it is 2FA, but it really is 1FA, kills all risk management on the side of the user because they have a wrong (faked) view of what is going on. It is like giving people house-keys, but you can open the door just with a blank.
Compared with pros for software tokens: - Cheap, generally free
And that is the real problem: People that are willing to give up 2FA in order to save a few cents. The fascinating thing is that the customers that buy these 1FA (which it is if it is on the same device) will strongly defend this as still being 2FA, despite it being utterly clear that it is not. We run into this regularly with customers and we routinely state that 2FA must be implemented with both factors being independent or it is not 2FA. Some customers then want that part of the report dropped (which we do, but stating that this topic was put out of scope by the customer), others get an exception from management (which has no clue what they are signing off on here) and very, very few think about it again and fix the blunder. It is absolutely no surprise we see all these data-breaches everywhere. It is pure incompetence and an extreme desire to save the last penny.
Sometimes it strikes me as similar to a bank keeping their money in a cardboard-box because a safe is too expensive. Well, banks have safes and they learned that they need them the hard way. This lesson is still in the future for 2FA, but it will be learned. It will be learned the hard way, because most people are stupid and cannot learn from history or the experience of others. You _need_ 2FA and it must be secure. There is no alternative. You must invest the money and you must do it right. Everything else is massively more expensive in the long run.
It may be called "three factor" by some vendors, but 2FA implemented in a way that deserved that name (i.e. 2 different, independent factors, so no putting them on the same device or on two not independent devices) is unbroken. The problem is elCheapo implementations that are not actually 2FA, but 1FA that simulate being 2FA.
To actually smart security experts, this has been known for a long time. The ritual-following (instead of understanding what is going on) mainstream is usually 10-20 years behind, as can be nicely seen in this case.
Here is what I do to circumvent this stupidity where still implemented: Attach a number, increase it on each enforced change and write that number on a sticker right on the device. As I have a good password before that number, this does not lower security one bit, but increases convenience massively.
... which completely negated the value of the "physical hardware". Oh, the irony!
Incidentally, 2-Factor _requires_ two different, independent devices by definition. And it only gives the added security if it is done according to the definition. Anybody claiming that it can be done on one device is essentially lying to their customers. If it is all on just one computer/phone/whatever or if the devices are not independent, for example a phone backed up to a computer, then it is not 2FA anymore. It is just more complicated 1FA. A lot of vendors make claims these days that 2FA is possible using just one device though and a lot of customers are not smart enough to see what is going on.
Indeed. They are selling an illusion. The real problem is that most people do not understand that. In the lottery, you can win big, but chances are so small that it will never happen to you. In the forms of gambling where you actually have a fair chance of winning, other limiters, like what you describe, make sure you will never win much or over a longer time.
Indeed. Incidentally, even that "doodle of Tofu" indicates you accept the receipt. It may require a witness-statement to prove it, but your acceptance is there.
Well, possibly. On the other hand, if "successful businesses" were treating their workers right, there would be no unions. This one, the capitalists caused themselves.
Until they need to demonstrate some of the skills they supposedly posses. Then they hurriedly have to move into management and basically have wasted this life.
So being expelled was exactly the right thing to do. I mean changing Fs into As? Somebody has not thought things trough one bit. Bad at studying, bad at crime and unaware of both.
What I do wonder, however, how many do this just a bit smarter and get away with it. Probably should check the grades of my students a few months after exams again to see if they are unchanged...
This is an excellent analogy. And, of course, that delusion is being carefully kept alive by those that stand to win most of it: The purveyors of copy protection schemes.
The others will not, whether they get the game cracked or do not get the game at all. The whole model used for the economics of copy protection is wrong. It is inspired by greed and a deep desire to control. It is not based on facts. The facts are that most people have a certain budget for entertainment and they cannot really exceed that. At the same time, they also have a time-budget. In the end, except for some special cases, copy protection loses you sales and loses you quite a bit of money.
Fortunately, this is far longer in the future, but they are hard at work to make that possible, at least in part.
Indeed. States are hugely immoral and dangerous actors. What they can do must be carefully limited and controlled. People have forgotten that in the west due to an period of relative quiet and a strong external enemy. But like all power-structures and bureaucracies, states always strive to grow their influence and level of control without limit and states always primarily serve those in power, not their citizens, unless forced to. Democracy was designed to put a control on that and allow the population to implement limits. These days, states get around that by keeping large parts of the population in fear, by a huge propaganda machine and by using secret laws and secret courts outside of public review. Unfortunately, many citizens are vulnerable to this type of attack and hence the controls do not really work anymore. Unless that trend is reversed, the next fascist catastrophe is assured because states are unable to limit themselves. The voters are the most critical element in keeping them under control and relatively benign.
Naa, we have yet to see the first woman as the perpetrator in a scandal like this. Doubtlessly, it will happen eventually, as this is not about sex but power. (If it were about sex, they could just buy time from hookers. Even though most hookers will not actually tolerate such behavior...) But it has not happened yet.
Well, the problem is serious, look at all the unsuitable people in high political and economic positions that got there by basically the same process, even if often more refined in appearance. The ones in social media are just a side-show from those that are bitter because they did not make it. The effect is well known though, and it is a kind of mental defect. It is called "Negative Attention-Seeking Behavior". It is made worse because there is another mental defect (IMO) where people actually admire the ones that are good at getting negative attention and mistake them for independent thinkers or independent people that are strong the do not need to care about anybodies opinion. Nothing could be further from the truth, of course. Just think of Kim without Donald or the other way round. Both would feel massively underappreciated.
And that is how it has always been and always will be: Men with a lot of power think they can get away with it, and women that want something from these men also think these men can get away with it. As neither will change, the problem will persist. That one or the other of these men will at some time lose most of his power and then the accusations will come flying is part of the ritual and generates a nice, temporary scandal that will change exactly nothing.
This is not a problem that can be fixed. It is one people can to be warned about, but that is it.
In particular, social media made it much more obvious, how stupid, uneducated, anti-fact, anti-rational, self-absorbed, vivious and generally failures at existing many people are by giving them a low-effort way to spread their perverted views. But leave it to a journalist to blame the messenger. Incidentally, blaming the messenger is one of the most stupid acts known.
This is the MBA "bean counter" mindset at work. Zero understanding of the risks or the subject matter, these people have been trained to squeeze out the last cent from everything that costs money. "Save a penny, lose a million (or much, much more)" is what this stupidity nowadays boils down to. There will eventually be a backlash and I hope all these morons will find themselves unemployed (hey, I can dream, can't I?) and things will change. But there will need to be a lot more catastrophes first.
The aim is not to be absolutely secure. Thinking that is a beginner's mistake. The aim is to make attacks sufficiently expensive that attackers lose interest. The easiest way to see that is to stop thinking about this as a black/white security question and use the actually correct framework of risk management.
Frequently changed passwords do not increase security. They do _decrease_ it. Smart security experts have known that for a long, long time. Those that do not understand security but only follow the rituals are clueless about this, as usual.
Here is a reference that nicely sums this up:
https://www.schneier.com/blog/...
Incidentally, it is also better to use a complex password and write it down than to use a simple one and remember that. Most attacks on passwords are over the net and not by stealing your wallet. Of course, remembering a complex password is best and that is another reason why requiring frequent password changes is a really dumb idea.
Well, yes. Only that a "soft token" actually happens to not be a token in the sense required for 2-factor authentication, unless stored on an independent device. If you do not mind that little detail, then they are really quite convenient. Of course, just simply doing without that token would be even more convenient and cheaper and offer about the same level of security. But then, the "ritual" of 2FA would not be followed anymore and even the dumbest person might get a clue that it is not actually 2FA, but a pretend-version of the same that actually does not increase security at all.
Faking security is never a good idea. Security is subject to KISS to an exceptionally strong degree. Requiring the ritual in order to make it appear that it is 2FA, but it really is 1FA, kills all risk management on the side of the user because they have a wrong (faked) view of what is going on. It is like giving people house-keys, but you can open the door just with a blank.
Compared with pros for software tokens:
- Cheap, generally free
And that is the real problem: People that are willing to give up 2FA in order to save a few cents. The fascinating thing is that the customers that buy these 1FA (which it is if it is on the same device) will strongly defend this as still being 2FA, despite it being utterly clear that it is not. We run into this regularly with customers and we routinely state that 2FA must be implemented with both factors being independent or it is not 2FA. Some customers then want that part of the report dropped (which we do, but stating that this topic was put out of scope by the customer), others get an exception from management (which has no clue what they are signing off on here) and very, very few think about it again and fix the blunder. It is absolutely no surprise we see all these data-breaches everywhere. It is pure incompetence and an extreme desire to save the last penny.
Sometimes it strikes me as similar to a bank keeping their money in a cardboard-box because a safe is too expensive. Well, banks have safes and they learned that they need them the hard way. This lesson is still in the future for 2FA, but it will be learned. It will be learned the hard way, because most people are stupid and cannot learn from history or the experience of others. You _need_ 2FA and it must be secure. There is no alternative. You must invest the money and you must do it right. Everything else is massively more expensive in the long run.
It may be called "three factor" by some vendors, but 2FA implemented in a way that deserved that name (i.e. 2 different, independent factors, so no putting them on the same device or on two not independent devices) is unbroken. The problem is elCheapo implementations that are not actually 2FA, but 1FA that simulate being 2FA.
To actually smart security experts, this has been known for a long time. The ritual-following (instead of understanding what is going on) mainstream is usually 10-20 years behind, as can be nicely seen in this case.
Here is what I do to circumvent this stupidity where still implemented: Attach a number, increase it on each enforced change and write that number on a sticker right on the device. As I have a good password before that number, this does not lower security one bit, but increases convenience massively.
... which completely negated the value of the "physical hardware". Oh, the irony!
Incidentally, 2-Factor _requires_ two different, independent devices by definition. And it only gives the added security if it is done according to the definition. Anybody claiming that it can be done on one device is essentially lying to their customers. If it is all on just one computer/phone/whatever or if the devices are not independent, for example a phone backed up to a computer, then it is not 2FA anymore. It is just more complicated 1FA. A lot of vendors make claims these days that 2FA is possible using just one device though and a lot of customers are not smart enough to see what is going on.
Indeed. They are selling an illusion. The real problem is that most people do not understand that. In the lottery, you can win big, but chances are so small that it will never happen to you. In the forms of gambling where you actually have a fair chance of winning, other limiters, like what you describe, make sure you will never win much or over a longer time.
Indeed. Incidentally, even that "doodle of Tofu" indicates you accept the receipt. It may require a witness-statement to prove it, but your acceptance is there.
Apparently, that simple and strikingly obvious logic is beyond the moron AC.
Well, possibly. On the other hand, if "successful businesses" were treating their workers right, there would be no unions. This one, the capitalists caused themselves.
Until they need to demonstrate some of the skills they supposedly posses. Then they hurriedly have to move into management and basically have wasted this life.
Yup. Same for higher-up in management and politics.
So being expelled was exactly the right thing to do. I mean changing Fs into As? Somebody has not thought things trough one bit. Bad at studying, bad at crime and unaware of both.
What I do wonder, however, how many do this just a bit smarter and get away with it. Probably should check the grades of my students a few months after exams again to see if they are unchanged...
This is an excellent analogy. And, of course, that delusion is being carefully kept alive by those that stand to win most of it: The purveyors of copy protection schemes.
The others will not, whether they get the game cracked or do not get the game at all. The whole model used for the economics of copy protection is wrong. It is inspired by greed and a deep desire to control. It is not based on facts. The facts are that most people have a certain budget for entertainment and they cannot really exceed that. At the same time, they also have a time-budget. In the end, except for some special cases, copy protection loses you sales and loses you quite a bit of money.
Its interpretation is questionable. It still gives you an indicator of obesity.
Counting-metrics are unsuitable to accurately describe a state-of-affairs. Too simplistic.