
Comment Re:This is why "biometric" authentication is usele (Score 1) 80

The where clause in your example does not work out as a valid authentication feature. It can be used as a flag to show that "there's something not right here", but it cannot answer one important question: Which transaction was genuine, the one in Paris or the one in Melbourne?

You can use various plausibility checks on top of it, depending on the actual application (e.g. in banking you can draw from the transaction patterns so far and flag suspicious transactions that differ greatly in target or amount) and these things are actually being done, but they have nothing to do with the basic authentication process.

Comment Re:Lesson goes unlearned (Score 1) 75

Paying to receive is RIDICULOUS.

What? It doesn't matter if you're making or receiving the call, the same amount of traffic is flying through the air, and the network has to do just as much work. The negotiation part of the call is brief, it's the actual call that takes up bandwidth and it takes up the same amount no matter who makes the call. I know I said that already, but it bears repeating because you not only said what you said but you also got modded up for it.

There's lots of things which are ridiculous about cellphones in the USA but paying whether you make or take a call actually makes sense. We could argue about whether the prices are justified, but there's no technical justification for not paying for incoming calls.

Comment Re:How much time did you waste on this? (Score 1) 141

Not just unique passwords, also use unique email addresses (eg register your own domain and use an address which includes the site name), that way you will be able to tell if a company has a breach which results in your email address being leaked to third parties, or if they sell your address intentionally.

And a lack of easily available and valid business contact information is actually illegal in many countries...

Comment Re:IMO, The biggest problem with fingerprint.... (Score 3, Insightful) 80

The biggest problem with fingerprints is very simply that, if compromised, it's damn hard to change them, unlike passwords.

Second problem, unlike your password, you can't really help but compromise them. You leave them littered about everywhere. Every waiter can have your prints if he so chooses.

Comment Re:There's no such thing as a free lunch (Score 1) 145

Google Contributor does absolutely nothing to stop Google from tracking anyone. In fact, it gives them additional personal information.

Maybe you didn't understand what I was saying. I want to be able to use Google services without being tracked in any way shape or form, and I'm willing to pay for the privilege. Same goes for Twitter, etc.

Until I am able to do that, I'm just going to block ads, use Blur, Privacy Badger and any tool that lets me confound Google's ability to monetize me. I am not a consumable.

Comment Re:Biometrics (Score 2) 80

100% security is actually possible. It is just very, very expensive. And as soon as the security expense outmatches what you try to secure with it, it stops fulfilling its purpose because it becomes actually cheaper to have your security broken.

I remember back when I was still programming people used to say "90% of the work takes 10% of the expenses, it's the other 10% that cost 90% of time and money". In security the rate is close to 98:2. You can get your system very secure at very little expense. Getting it absolutely secure costs a fortune.

Comment Re:This is why "biometric" authentication is usele (Score 5, Insightful) 80

It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.

All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first PIN will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.

You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.
