Hi, thanks for the reply. For the record, I used to deploy these systems for a living.

The key is destroyed. That's the only way they can still use 3DES as the shared key, and still be FIPS compatible. When the key or card is issued, the AS generates a seed. This seed is known to both the token and the authenticator. Two other things are shared/known by both parties, the EC (Event Counter, the number of times the device has been used, randomly initialised), and the TC (Time Counter, ticks with roughly every second, most AS systems account for drift). The seed is used by both the AS and the token to generate a common (and exactly the same 3DES key).

Every time an OTP is generated, the last digit of the EC and the TC are prefixed to the actual OTP. As soon as the OTP is generated, the 3DES shared key is overwritten with a new one, which was seeded based off the previous 3DES key. The same key is never used twice to generate an OTP.

How does the server figure it out? Well, when the server receives an AA using an OTP, it looks at the first digit. It then looks up in its database what the last used EC was, say 3320, but the digit it read was a 4. It knows it has to test 3324, 3334, 3344, 3354, 3364[1], up to the upper limit before the token is considered "desynchronised". Same thing for the TC, except that this one is just current_time +/- token drift. Again, only the last digit is provided, which gives the AS two or three values max to check. Then comes the OTP, which the AS computes on the fly, for every EC/TC combination it calculated. If none match, the AA is rejected, and the token flagged.

If, however, the AS validates the AA, then it updates the EC/TC in its records, and also accounts for the drift of the token. It then also stores the new key, as defined by the EC and TC.
The token doesn't know whether the AS accepted the AA or not, which is why it overwrites its own key every single time.

AS: Authentication Server
AA: Authentication Attempt
The TC upper limit is usually 30. The EC range is roughly 1.5 minutes each way.

[1]: Say the OTP is 42000000, the in-database EC is 3320, then the AS has to run key = f( f( f( f( key, 3321), 3322), 3323), 3324). The TC is not used to generate the next key, for obvious reasons.

Most OTPs include time-based encoding, and are only usable once. The reason for this is that every time you generate an OTP, your shared key is destroyed, and a new one is generated.

Now some employee at Google just needs to check your search history from a few years ago...

A lot of credit cards in the UK have the Chip'n'Pin system, which requires a physical connection to be made to the payment terminal. Simply "swiping" becomes less and less common, so people have to type their PIN every 5 minutes to pay for a few quid worth of $product. I used to work in the industry, and there was a certain amount of pressure from consumers to be able to do something as quickly and effortlessly as possible, but the magstrip simply isn't deemed secure enough.

The idea was to use NFC, so people could just wave their card for any purchase under 10 or 20 quid, and be on their merry way.

Exactly. I recently saw some news regarding a local (Toulouse, France) entrepreneur who started growing insects in a small business lot (see 24s into the video to have an idea of what it looks like). The video I initially saw was more recent, and from a different channel (can't seem to find it right now), but indicated that in a room of maybe 40 square meters, he was capable of producing in excess of 10 tonnes a month (I'm fuzzy on the actual numbers, so do not hold it against me if I'm wrong).

The price, however, was relatively prohibitive: 150euros / kg. In comparison, the average cheap meat, in France, goes for around 8-10 euros / kg for the consumer; production is about 4-5euros / kg. The price difference, as explained by the CEO in the video, comes from all the "R&D" that is being done to find new ways of consuming the insects. They're actually trying to market a cereal-bar partially made from ground insects, as it provides a massive boost in protein, without a great deal of fat, and has the "nutty" taste reported in other posts above. In the video linked to earlier, some french dude who's good with chocolate alleges the taste is closer to a cereal than it is to meat (for the dried variety), and uses it in macarons and whatnot.

Also, I recall he sells the ground stuff as "farine alimentaire", which really means "human-consumption-grade flour". If that's what they can put on the ingredients list, it's only a matter of price and efficiency before we start seeing that stuff mixed in to whatever KFC/McD is serving these days.

Then again, it's always better than horse meat?

What do you need those 4 addresses for, exactly?

Have you ever used a QRCode? Ever noticed that most algorithms don't recognise the QRCode when it's sharpest and level with your screen? Usually, you don't have the time to have the code be level, or in focus, before the algorithm picks it up.

That's because QRCode are nigh indestructible. They could add a watermark and the code would most probably still be readable (depending on the level of error correction you apply when encoding).

For example, I took one of the Wikimedia QRCode examples, and drew on it. It still worked. Then I skewed the image using MS Paint. It still worked. Then I decided to go from 172 pixels to 86 pixels (using MS Paint's resize function). It still worked (zoomed to either 100% or 200%). Then I decided to "reduce its resolution", so to speak, by resizing that reduced image to 200%, then back to 50%, then back to 200%, etc for 4 or 5 times, until I ended up with this. It still worked.

Now, I'm sure that I *wanted* this to work. There will be dozens of cases where even the most stupid tear of paper or poor lighting will prevent that QRCode from being decoded. But somehow, I don't think that YouTube's HD video encoding will be much of an issue for QRCodes.

Tested with QR Droid on a Wiko Cink King, scanning off a 23" 1080p screen.

But right before you're being put in the plane, you have an iPod strapped to you, with the earplugs forcibly integrated into your ears. There's only one song, and it loops indefinitely. Obviously, your family or next of kin will have to reimburse the government for that iPod, and the RIAA can sue the same people because you illegally listened to a song over and over again.

Also, all deportations will happen on the same day of the week, to coincide with the song.

"Friday, friday, gotta get down on friday"

There once was a man called PopeRatzo
Who got friend-zoned in college by some hoe.
So when he got to the dorm,
He took out his frustration on porn;
And forgot to update his nickname for the new pope, oh.

Well, in his defense, he never said who was going to prosper; I see no disagreement between the two statements.

Paraphrased: "The problem is most owners have no clue how to safely store a gun." Or even: "The problem is most owners have no clue how to do proper parallel parking."

Just because you give everyone access to a tool doesn't mean everyone knows how to use it. That's where education comes into play. The same way we educate individuals how to talk, or behave in society. Education is important, hence, that's why it is mandatory up to a specific level.

I'm not saying everyone needs to know how to do proper code signing, but then again, not everyone knows how to service their car. But just because some people don't know, or don't want to learn doesn't mean that everyone should be banned from servicing their car.

And there is the real problem: we use the excuse that knowledge is optional to impose restrictions on others. You may not know how your door lock works now, but if you were so inclined, you could still replace it with one of your choosing. You could learn about the mechanics and even make your own. Or you could remove it altogether. Why couldn't you do the same with the lock on your computer?

Their address is in the cloud! How do expect them to be traced?

Isn't that exactly what the US has been doing, in a way?

They just did in a way that the energy going out at one doesn't obviously look like it's fueling the money coming in at the other end.

I've recently got a Liquid Image Ego camera. It works very well, and is compatible with all the GoPro mounts.

I got the GoPro suction cup mount, and it's awesome. The plus is that it emits WiFi, which you can use with their proprietary app on Android or iOS to get a feed from the camera when it isn't recording, and adjust most so called "advanced" settings (exposure, FOV, etc). There's a 10-20 second delay with the feed, but it works fine as a viewfinder.

The battery isn't user replaceable, and I don't think it supports an external power source. The battery runs for roughly 2 hours. Footage can be recorded either in 1080p30 or 720p60. Every recording comes with a downconverted low-res version, which is actually the feed that was streamed to whatever device you had plugged on the WiFi.

The FOV is either 135 degrees or 90. This setting, however, is only changeable via the WiFi app. The buttons on the device itself only allow to power it on or off, select mode (1080p or 720p video, picture mode, etc). If you just want to start shooting, you'd basically hold the power button for a couple of seconds, wait 10 seconds for it to "boot", then press the other button to start recording. The video quality is very good, except in very low light. If there's not enough light, some silly "night mode" will kick in, which makes the image extremely blurry, and sadly, blue.

Other than the lack of night mode support, it's a superb little piece of kit. I use it mainly to film my commute to and fro work, as I'm on a motorbike. The suction cup mount works fine on non porous helmets, or on the fuel tank.

And here that poor rock just wanted to rest for a few minutes; it now got stuck in a massive identity crisis.