
Comment Passwords are not the only way to authenticate (Score 2) 77

Both of you are wrong and so is Dustin Kirkland (whoever he is). The core of your error is in this statement:

Only secrets can be used as token for authentication.

That sentence is true, as stated, but only because it includes the word "token". Yes, if you're using secret tokens for authentication, then the tokens must be secret. But exchanging secrets (or proof of possession of secrets, which is what most cryptographic authentication protocols do) is not the only way to do authentication. Not by a long shot. In fact, humans hardly ever use secrets for authentication.

How do you identify and authenticate your mom? Do you ask her for a secret password? Of course not. You use the same tools for both identifying and authenticating her, and those tools are a set of biometric markers. The same set of tools are also used in high security situations. Back when I was a security guard in the Air Force, I was trained that personal recognition is the very best form of authentication. Not only is it not necessary to check the badge of an individual you know personally, badge-checking is inferior to personal recognition for authentication (note that badge-checking may still be important for authorization, verifying that the person who has been identified and authenticated actually has permission to enter. Thus I was trained to always check the access control list before allowing someone near nuclear weapons).

With respect to user authentication in electronic contexts we generally use secrets because computers don't have (or at least haven't had) the ability to use the sorts of biometric authentication that humans use quite effectively. But, when we equip them with biometric sensors, they can.

HOWEVER, this does not mean that biometrics are useful for authentication in all circumstances.

Secret-based authentication has the advantage that -- assuming the secret has sufficient entropy and can be assumed not to have leaked nor been intercepted and cannot be rerouted (note that that's a pretty long list of criteria, some of which are hard to establish) -- you don't have to worry about the possibility that the authentication could be spoofed. An attacker who doesn't know the secret can't fake knowing the secret.

Biometrics, though, are not secrets. They are public knowledge. This means that an attacker must be expected to have access to copies of our fingerprints or faces. The biometric authentication process is different, though. It does not rely on secrecy of the authenticator, but instead on non-replayability. If we can be certain that (for example) the fingerprint placed on the scanner belongs to the person we wish to authenticate, and that the stored template we match against belongs to the person we wish to authenticate, then we can perform a good authentication. The fact that the fingerprint is not secret does not matter.

Where biometrics fail is if we can't be certain that (a) the livescan data acquired from the sensor belongs to the person trying to authenticate or (b) the stored template belongs to the person we wish to authenticate. Part (a) is particularly difficult to validate in many contexts because faking the input isn't necessarily hard to do, and in some cases an attacker can even bypass the sensor entirely and simply inject a digital copy.

This doesn't mean biometrics are worthless, it just means they're only useful in certain contexts. And, again, their utility for authentication has nothing to do with their secrecy. And rotation is likewise irrelevant and silly to discuss. You need to rotate secrets because you can't be certain they have stayed secret and because if they have low-ish entropy they may have been brute forced. None of that applies to biometrics because they're not secrets and their utility as authenticators does not depend on secrecy.

Can we please kill this incorrect meme about biometrics as identifiers, not authenticators? They can be either, or both, and are used as both, by billions of people, every day, with high effectiveness and reliability. Whether or not they provide security depends on the context.

With respect to credit card payments, fingerprint and facial recognition biometrics are pretty reasonable tools. This is especially true if the sensors are provided by the retailer, and the consumer is providing a traditional electronic authentication (cryptographic challenge-response) with their smartphone or smart card. It's not quite as good if the smartphone is also providing the fingerprint scanner and camera, because in the event of an attempted fraudulent transaction that means the attacker is in control of those components.

But you also have to consider the model that is being replaced. Is fingerprint plus face recognition better than a signature which is theoretically matched by a non-expert human, but in practice never checked at all? Absolutely. Is it better than a four-digit PIN? That's debatable, but it's at least in the same ballpark.
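The kind of "proof of possession" exchange the comment describes, as an added illustration that is not part of the original post: a challenge-response in which the shared secret never crosses the wire and a captured response fails on replay. The Verifier and Prover classes and the one-time nonce store are assumptions of this example.

```python
"""Added illustration of "proof of possession of a secret": an HMAC-based
challenge-response exchange in which the secret is never transmitted and a
captured response cannot be replayed. Example code, not from the original
comment; the Verifier/Prover names and the single-use nonce store are
assumptions of this illustration."""
import hashlib
import hmac
import secrets


class Verifier:
    """Server side: holds the shared secret and issues one-time challenges."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._outstanding: set = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh, unpredictable per attempt
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce is accepted at most once, so a captured (nonce, response)
        # pair is useless to anyone who replays it later.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class Prover:
    """Client side (smart card / phone): proves possession without revealing the secret."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret

    def respond(self, nonce: bytes) -> bytes:
        # Only the HMAC of the challenge leaves the device, never the secret.
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Walk through the three cases the comment contrasts and return the outcomes."""
    secret = secrets.token_bytes(32)             # constructed high-entropy secret
    verifier = Verifier(secret)
    legit = Prover(secret)
    impostor = Prover(secrets.token_bytes(32))   # does not know the secret

    # 1. Legitimate exchange: only the nonce and an HMAC cross the wire.
    n1 = verifier.challenge()
    r1 = legit.respond(n1)
    legit_ok = verifier.verify(n1, r1)

    # 2. Replay: the same (n1, r1) pair, captured earlier, is presented again.
    replay_ok = verifier.verify(n1, r1)

    # 3. No secret: a fresh challenge cannot be answered without it.
    n2 = verifier.challenge()
    impostor_ok = verifier.verify(n2, impostor.respond(n2))

    return {"legit": legit_ok, "replay": replay_ok, "impostor": impostor_ok}


if __name__ == "__main__":
    print(run_scenarios())  # {'legit': True, 'replay': False, 'impostor': False}
```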

Comment Re:Most of their apps are annoying anyway (Score 1) 110

I tried Inbox, but wasn't impressed. It strips so much of gmail away that it is basically "Gmail for beginners". You want filters, labels, etc, then it is worthless.

Actually, Inbox is Gmail for power users, for people who have massive volumes of e-mail to manage. It takes a little bit of work to figure it out and set it up, but once you have, it's awesome. There are some features it lacks, like complex filters (simple filters are very easy to set up; you just move a message to a label and Inbox asks if you want to always do that. Click "yes" and you have a new filter rule), vacation auto-responder and the like, but you can always use the Gmail UI when you need to set stuff like that up.

The Inbox features that make it great for heavy e-mail users are:

Snooze.

Many people use their e-mail inbox at least partially as a task list, especially their work e-mail. This results in having to keep e-mails that you can't work on yet sitting in your inbox, cluttering it up and making it harder to process new e-mail. When you snooze an e-mail, it goes away until some point in the future. You can pick a date and time, or even a location (requires using the Inbox app on your mobile device). Heavy application of snooze with well-chosen times/locations lets you clear all of the stuff you can't do yet out of the way, knowing it will come back later when you can handle it.

Bundles.

Bundles are just Gmail labels, but with an additional setting that tells Inbox to group them in the inbox. This is fantastic for high-volume mailing lists. With Gmail you can get almost the same effect by setting a filter to apply a label and skip the inbox, but then you have to remember to actually go look at the label from time to time. With bundles, you get the same grouping effect but the bundles show up in your inbox so you don't forget to go look. The reason that grouping (by whichever mechanism) is useful is because when you have large volumes of email, most of which you don't actually need to read, it's much faster to scan through a list of subject lines and evaluate what's important and what isn't when you already know the context.

My process for plowing through a busy mailing list is to scan the subject lines and click/tap the "pin" icon on the few that are interesting, then "sweep" the rest. A single click or gesture archives all unpinned items in a bundle. Then I handle (or snooze until I can handle) the pinned items.

I also have a bundle (label) called "Me" that is applied by a filter that looks for my name or username in the To line or the body of the message. This helps me to be sure that I notice e-mails where people are mentioning me or asking me questions. It's the first bundle I look for every time I check my e-mail. Similarly, I have a bundle that extracts e-mails that reference my project's name. That's the second bundle I look at. Other high priority bundles are e-mails from the code review system and e-mails from the bug tracker.

Obviously there are many e-mails that mention both my project and me. That's fine; bundles are labels not folders, and it's perfectly reasonable for an e-mail to be in more than one of them. When I archive a message in one bundle, it disappears from the others. So, often I'll look at Inbox and see the "Me", project, code review and bug tracker bundles displayed, but by the time I've processed everything in the "Me" bundle, the other three have disappeared.

Delayed Bundles.

I think this vies with snooze as the killer feature of Inbox. By default, a bundle appears in the inbox whenever you receive new mail with that label. But there's lots of stuff, at least in my inbox, that I don't need to see immediately. Having low-priority stuff displayed instantly distracts me from my work, or obscures truly urgent e-mail. Also, it's more efficient to handle low-priority e-mail in bulk. So, you can specify that a bundle should only appear once per day, or once per week. Inbox will accumulate e-mail in delayed bundles and only show the bundle at the specified time.

When I start work in the morning I have a dozen or so bundles containing low-priority e-mail. I can quickly scan each of them, pinning the items I care about and sweeping the rest. I have a few bundles for purely informational mailing lists which are set to display once per week, so I only see them on Monday morning.

I'd like a little more granularity on this feature. Specifically, I'd really like to be able to set some bundles to show, say, every three hours. Then I'd only allow the highest-priority bundles to show immediately, giving me larger blocks of uninterrupted time but with the knowledge that I'll still get notified of truly urgent stuff immediately.

Consistent Interface

It took me a while to realize just how valuable this is, but it's really great that the mobile and web UIs for Inbox are virtually identical. I don't have to have two different flows for handling e-mail on mobile vs desktop. The mobile UI is a tiny bit better because of the gestures a touchscreen interface can provide, but my process for using it is the same.

One common complaint about Inbox vs Gmail is that Gmail's more compact; you can fit a lot more stuff on the screen with the Gmail UI. I find that isn't a problem, because the Inbox workflow mostly eliminates the need to scan through a big list of messages visually, looking for something in particular. The need to do that arises mostly (for me, anyway) when I'm keeping a lot of stuff hanging around in my inbox. With Inbox, I don't do that. I snooze it or I archive it, so my inbox is empty nearly all the time. If I need to find something that I've snoozed or archived, I search for it.

Bottom line: If you're a heavy user of Gmail, you should really take a good look at Inbox. Odds are you'll never go back.

Comment Re:alogrithms aren't racist (Score 1) 352

To cite one example, ACORN staffer Clifton Mitchell was arrested and convicted (and did time) for creating fictional voters through thousands of bogus voter registrations. ACORN as an entity was fined $25k for its supervisory role in just his conduct alone. The entire organization dissolved itself while it was undergoing investigation for identical behavior in multiple states.

Comment Re:alogrithms aren't racist (Score 2) 352

Over here we live in reality, and the reality is that getting one of those IDs requires taking time off from work that we frequently either don't get or can't afford to take.

Really. What sort of job do you have that didn't involve showing ID in order to submit the required federal tax forms as you were hired? What sort of paycheck are you getting that doesn't involve you using an ID in order to open a bank account or cash a check? Please be specific about the people who are working full time, so hard, that not once in their entire life can they be bothered to get a form of ID. And, out of curiosity, how on earth did they find time to go register to vote, or find time TO vote? You're saying that these are people who will have their routine trips to the polling place, year after year throughout their entire lives, thwarted because they couldn't take five minutes to stop once for a free ID?

Voter fraud is a literal non-issue, a non-threat to the integrity of the election process.

So, you're asserting that there are no elections that turn on a matter of just a handful of votes? You're actually going to say that the many local and state elections (which do things like put congressional and senate representatives into power) don't sometimes get decided by only dozens of votes? And then you're going to assert that papers like the Washington Post, who have reported on elections as recently as 2012 where in just one local review there were instances of local voters fraudulently voting twice ... that, what, the Washington Post is lying? Is that because you think the WP is part of some vast, racist, right-wing conspiracy, and manufactured the records that were produced by the election officials, showing the felony-offense fraud?

Your anxious need to trot out the ad hominem shows how much you're aware that you're BS-ing, so I don't really need to go on. You know you're looking to defend fraudulent practices that primarily favor the one party whose activists have been caught red-handed generating tens of thousands of bogus voter registrations. And you're complaining about the person who suggests it's a good idea to make fraud harder to commit. Your opening comments about how difficult it is for full time workers to stop and get an ID that they already have to have were hilarious, though, so thanks for the entertainment.

Comment Re:alogrithms aren't racist (Score 1) 352

Which part? The part where left-leaning activist groups generate enormous numbers of bogus voter registrations? Among others, ACORN did just that (getting busted doing it was why they re-organized and changed their name so nobody would keep bringing it up ... and you're probably hoping nobody will remember actual criminal prosecution for those actions). Or are you saying that the coordinated efforts to talk out-of-state college students into double-voting haven't, despite extensive reporting of exactly that, occurred?

Or you could look to no less a bastion of right-wing nuttery than the Washington Post, which reported on a review showing thousands of people registered to vote in multiple states, and in one local review, caught over 150 people crossing state boundaries just in the DC area to vote more than once on the same day.

One of the county election supervisors who took time to review information in that instance found an example of where someone had been crossing state lines and voting more than once on the same day in local and national elections for over a decade. He said that in a dozen cases he'd reviewed, the purposefulness of the election fraud was plain, and the actions were class 6 felonies.

In cases where congressional seats or governorships can turn on a mere handful of votes, it's no "pile of bull" to point out that people are deliberately, systematically taking advantage of weak ID requirements and a weak registration system in order to fraudulently corrupt elections.

Comment Re:alogrithms aren't racist (Score 2) 352

That said, it is pretty obvious that the main proponents of voter laws are Republicans because they know it will benefit them in elections, and the main opponents of voter laws are Democrats because they know it will not benefit them in elections.

Backwards. The Republicans know that the biggest source of bogus voter registrations, and the areas with the largest number of actively dead registered voters and turnout at polling places where the number of votes exceeds the eligible population, are in places where Democrat activists work the hardest to hold on to power. It's not that knowing people who vote are voting legally and only once isn't going to benefit Democrats, it's that such a process is counter to what liberal activist groups work so hard to put in place. Like huge efforts to get college students to register to vote where they go to school, but to also vote absentee in their home state. Stuff like that. When they pour so much work into it that it starts to show (like the thousands of bogus registrations routinely created by the former ACORN), you know they won't like having that work undone by basic truth-telling at the polling place.

If you're worried about people not knowing there's an election coming up, and not bothering to get an ID (really? you can't go to the doctor, fill a prescription, collect a welfare check, or much of ANYTHING else without already having an ID), then why not encourage the Democrats to apply the same level of effort they put into the shady practices described above, and focus it instead on getting that rare person who never sees a doctor, never gets a prescription, collects no government benefits of any kind, doesn't work (but whom you seem to suggest nonetheless are a large voting bloc) and, with YEARS to work with between elections ... just getting them an ID?

Comment Re:Accepting Responsibility (Score 1) 352

I wouldn't go as far as to say they are saying that black people aren't smart enough to understand the situation

Sure they are. Because the only people who could possibly take actual offense at this would be those who, having it explained to them, still can't understand it. Those who are insisting that black people be offended by this are insisting that black people can't handle the simple information that would remove any perception of malice from the narrative.

Comment Re:Accepting Responsibility (Score 4, Insightful) 352

It's called an "apology" - did you skip that day in kindergarten?

When the apology is a completely overwrought bit of silly nonsense rendered in response to gleeful press releases from the Big SJW industry (who desperately NEED there to be events like this, whipped hugely out of proportion, in order to have things to get sound angry about), then it's not an apology. It's a forced sacrifice on the altar of Political Correctness gone (ever more) insane. There's nothing to apologize for here, because nobody at Google sat down to create a racist process or racist results. People who can't mentally untangle the difference between intent and coincidence should just shut up ... except, they're all media darlings now, because it's fashionable to be completely irrational on that front, now.

If Google tagged me as "albino ape" or "yeti" or "Stay-Puft Marshmallow Man" I'd think it was hilarious. Those manufacturing faux offense at this bit of completely benign nonsense are the real racists. They are the ones who are saying that black people aren't smart enough to understand the situation. As usual, the racist SJW condescension is the most actually offensive thing in the room.

Comment Re:alogrithms aren't racist (Score 5, Informative) 352

It isn't a racist outcome. It is the outcome of a flawed algorithm.

You're not paying attention. These days, outcomes that have nothing to do with intention, purpose, or simple transparent standards, but which happen to lean statistically towards results not in perfect balance with skin color as a function of population (though, only in one direction) ... the process must be considered racist. The whole "disparate impact" line of thinking is based on this. If you apply a standard (say, physical strength or attention to detail or quick problem solving, whatever) to people applying to work as, say, firefighters ... if (REGARDLESS of the mix of people who apply) you get more white people getting the jobs, then the standards must surely be racist, even if nobody can point to a single feature of those standards that can be identified as such. Outcomes now retroactively re-invent the character of whoever sets a standard, and find them to be a racist. Never mind that holding some particular group, based on their skin color, to some LOWER standard is actually racist, and incredibly condescending. But too bad: outcomes dictate racist-ness now, not policies, actions, purpose, motivation, or objective standards.

So, yeah. The algorithm, without having a single "racist" feature to it, can still be considered racist. Because that pleases the Big SJW industry.

It's the same thinking that says black people aren't smart enough to get a free photo ID from their state, and so laws requiring people to prove who they are when they're casting votes for the people who will govern all of us are, of course, labeled as racist by SJWs sitting in their Outrage Seminar meetings. It's hard to believe things have come that far, but they have.

Comment Re:Project Management or Business Analyst (Score 3, Interesting) 250

+1

Not to be sexist, but most women prefer jobs that include more interaction with people and less time spent in solo problem solving, so it's not terribly surprising that she doesn't love coding. This isn't to say there aren't women who really like coding, or even introverted women who find working with people all day to be unpleasant. There are all kinds... but on average my observation is that women prefer more human interaction.

So, assuming that your wife falls into that category, there are lots of roles in and around software development that are more people-focused. Project management requires an additional set of skills, both people skills and management skills, but it's eminently learnable, and having a technical background is very valuable -- as long as it doesn't cause her to second-guess what the developers are telling her (always a risk with PMs, and even more with those whose technical background is shallower than they think it is. There's a tendency to assume that everything they don't know how to do is easy.)

Business Analyst is another good one. It, again, requires some additional skills she probably doesn't have but can learn. Industry knowledge tends to be important, but most companies are okay with analysts learning that context on the job. She also needs to learn how to gather and document requirements. A technical background is useful there because good requirements need quite a bit more precision than most non-technical people are used to. There's also a risk; formerly-technical BAs have a tendency to overspecify. An important skill for this role which isn't so easy to learn is writing. Good BAs are excellent writers, able to concisely and accurately boil complex issues down to simple statements.

Another option that might be excellent if she can swing it is Systems or Application Architect. Companies generally want experienced, senior developers to move into these roles, but smart but less-experienced people can do it as well. Architects take the business requirements and convert them into high-level technical plans/architectures. Architects tend to spend less time interacting with people than PMs or BAs, but still quite a bit since they provide the primary interface between the technical and business teams. Architects need to have good technical skills and good "taste", meaning a good feel for what sorts of structures are easy to build, easy to maintain and flexible, and for how to intelligently trade those issues off. They also need to be good at translating technical issues into language the business people can understand. Honestly I expect that your wife probably doesn't have the depth of experience needed to make a good architect, but I thought I'd throw it out.

Another that might be good if she's a good writer and enjoys writing is technical writing. Good tech writers have greater need for writing skill than they do technical skill, but the latter is very valuable because it enables them to more quickly and accurately understand the information that needs to be documented.

In smaller companies a lot of these roles get mixed and combined with other business roles, so another good option is to look for a position that isn't necessarily directly related to software development, but could benefit from having a deeply IT-literate person.

Finally, the option that I've long thought I'd take if I ever got tired of writing code is the law. It's a lot of additional training, but I think there is a deep and growing need for attorneys who understand technology. This is especially true in the areas of patent and copyright law, but I think it applies in many areas. Of course, the law may not have any attraction whatsoever for your wife.

Whatever, I'd really encourage her to take the time to figure out what she wants to do, and do that, rather than settling for something she doesn't really like. We spend so much of our lives working that it's really a waste to spend it doing something we don't like.
