Comment Erh... I don't get it (Score 4, Insightful) 104
I mean, yes, it's true. And yes, it's interesting. But
The where clause in your example does not work out as a valid authentication feature. It can be used as a flag to show that "there's something not right here", but it cannot answer one important question: Which transaction was genuine, the one in Paris or the one in Melbourne?
You can use various plausibility checks on top of it, depending on the actual application (e.g. in banking you can draw from the transaction patterns so far and flag suspicious transactions that differ greatly in target or amount) and these things are actually being done, but they have nothing to do with the basic authentication process.
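As an added example (not from the thread), the kind of plausibility check the comment describes, in Python: an impossible-travel rule over a sequence of transactions. It flags the Paris/Melbourne pair, but, exactly as the comment says, it returns both transactions because it cannot tell which one was genuine. The coordinates, timestamps and the 1000 km/h threshold are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def implied_speed_kmh(a, b):
    """Speed the account holder would need to travel from a to b."""
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    return float("inf") if hours == 0 else dist / hours


def flag_impossible_travel(txns, max_kmh=1000.0):
    """Return (earlier_id, later_id) for every consecutive pair whose
    implied speed exceeds max_kmh.  Both ids are returned: the rule is a
    flag for review, not an authentication decision, and it cannot say
    which of the two transactions is the genuine one."""
    ordered = sorted(txns, key=lambda t: t.when)
    flagged = []
    for a, b in zip(ordered, ordered[1:]):
        if implied_speed_kmh(a, b) > max_kmh:
            flagged.append((a.txn_id, b.txn_id))
    return flagged


# Constructed sample: two Paris transactions an hour apart (plausible),
# then one in Melbourne two hours later (not plausible).
UTC = timezone.utc
SAMPLE = [
    Txn("t1", datetime(2024, 1, 1, 9, 0, tzinfo=UTC), 48.8600, 2.3500),
    Txn("t2", datetime(2024, 1, 1, 10, 0, tzinfo=UTC), 48.8566, 2.3522),
    Txn("t3", datetime(2024, 1, 1, 12, 0, tzinfo=UTC), -37.8136, 144.9631),
]
```

Running `flag_impossible_travel(SAMPLE)` yields only the `("t2", "t3")` pair; deciding between them is left to the plausibility checks the comment mentions, not to this rule.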
There is no window of opportunity with SSH even with a new install.
Oh really? Please tell me what magic you use with SSH. Are you copying your keys over manually or something?
Because very few SMTP servers *require* the use of SSL. Some will use SSL if available, but fall back to plain text otherwise, and also usually not check the certificate. Many mail servers still don't enable SSL at all and plain text email is frequently sent across the internet.
Not just unique passwords, also use unique email addresses (e.g. register your own domain and use an address which includes the site name). That way you will be able to tell if a company has a breach which results in your email address being leaked to third parties, or if they sell your address intentionally.
And a lack of easily available and valid business contact information is actually illegal in many countries...
CSI is about the worst that could have happened to real life forensics. It's done more damage than any TV show in history.
The biggest problem with fingerprints is very simply that, if compromised, it's damn hard to change them, unlike passwords.
Second problem, unlike your password, you can't really help but compromise them. You leave them littered about everywhere. Every waiter can have your prints if he so chooses.
There really isn't much else you can do, publicise the bad companies so that those who do care can avoid them. Only if they start losing business will any company even consider doing anything about it.
100% security is actually possible. It is just very, very expensive. And as soon as the security expense outmatches what you try to secure with it, it stops fulfilling its purpose because it becomes actually cheaper to have your security broken.
I remember back when I was still programming people used to say "90% of the work takes 10% of the expenses, it's the other 10% that cost 90% of time and money". In security the rate is close to 98:2. You can get your system very secure at very little expense. Getting it absolutely secure costs a fortune.
Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into
What a purely coherent basis and sound philosophical foundation from which to make decisions. I'll bet you're a whole bundle of good ideas.
It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.
All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first PIN will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.
You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.
4 million, 40 million, 4 billion... does it intimidate you any more? It does not matter whether I owe someone 4 million or 4 billion bucks. It makes zero difference AT ALL. In either case I will NEVER work again, knowing that no matter what I do or how hard I even remotely would want to work, I could never pay that. And no matter what I do, I will never get to keep any of the money I earn. Instead, all such a verdict could accomplish is that I will do my best to get by with illegal work and try to do my best to match the damages to the verdict.