
Comment: Re:I'm still waiting... (Score 1) 122

by swillden (#48199813) Attached to: Cell Transplant Allows Paralyzed Man To Walk

We keep statistics, yes, but only in the context of criminal law.

To study, say, gun ownership as a matter of public health, as a risk factor for overall mortality, is illegal (with public funds).

Cite?

It seems to me that the main obstacle to such studies is detailed information on gun ownership, because mortality information is readily available, and not just from law enforcement. The CDC tracks it closely.

In any case, I'd love to see this research done... though I suspect that I anticipate a different result than you expect.

Comment: Re:How does it secure against spoofing? (Score 1) 107

by Opportunist (#48199749) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

No, there is no guarantee that the user will not use a mobile phone to access his online banking (and the idiocy of some banks pushing out mobile apps for online banking doesn't actually improve security in that area either).

You can't make the user secure. You can only offer it to him and hope that he's intelligent enough to accept it.

Comment: Re:Wait, wait, trying to keep up (Score 1) 459

by swillden (#48199585) Attached to: NPR: '80s Ads Are Responsible For the Lack of Women Coders

They're both. Just like men.

Ah, the old "If I can say it in a grammatically correct sentence, it must be true!!" fallacy.

No. They can't be both, because the groups OP defined are mutually exclusive. Men can't be both either.

Nonsense. Even individuals aren't only one thing. They're different things at different times and in different contexts. Further, you're talking about two large groups of people; there's clearly a lot of variation among them.

Why would you think that women should fit neatly into one bucket or another?

To state the obvious, because some buckets are neatly defined. For instance, a woman can only fit into at most one of these buckets: "Likes math" or "Hates math." (They could be in neither of those buckets.)

You're a little bit closer in recognizing that women aren't all the same. Congratulations! But you're still wrong. A given woman can like some kinds of math but not others, can like math during some parts of her life but not others, can even like math in some moods but not others.

Comment: Re:Where is the NFC 2-factor? (Score 1) 107

by swillden (#48199561) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

I don't see how fumbling around with USB sticks is much better.

I use a YubiKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

Doesn't leaving the device plugged into your laptop all the time defeat the purpose of two-factor authentication? If someone steals your laptop they have your key now, same as if you left your one-time pad as a text document on the desktop.

I addressed this in the paragraph below the one you quoted, and a bit more in the paragraph after that.

Comment: Re:How does it secure against spoofing? (Score 1) 107

by swillden (#48199163) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

The second channel will not secure a compromised channel, but it will make it easier to detect it.

Oh, you're talking about a completely separate channel, with no joining to the primary channel? That creates its own set of problems... when the user authorizes a login, how do we bind that authorization to the login the user is attempting, rather than a login from some other location? Without a join (e.g. entering OTP from second channel into primary channel, or vice versa), the attacker just has to figure out when the user is logging in, and beat them.

There is very little you can do to combat malware infections unless you are willing to use a second channel.

I maintain that a second channel doesn't really help, either as defense or for detection, and you haven't suggested any way that it might.

At some point in the communication the data is vulnerable to modification, no matter how well you try to shield it. It resides in memory, unencrypted, at some point in time.

In the case of a security key no, it does not. Not in the memory of the PC. The PC and browser are merely a conduit for an authentication process that occurs between security key and server. It's actually pretty reasonable to characterize this as a second, virtual channel. It's MITM-resistant; an attacker can block the messages but can't fake, modify or replay them without failing the auth. It is also bound to the primary channel, though that binding is admittedly dependent on the PC being uncompromised. But if the PC is compromised to the level that the attacker can cause the auth plugin to lie to the security key then there is no hope of achieving any security. A separate channel definitely wouldn't help.

And it's heaps easier to do if the interface used is a browser.

Sure. But the goal is to create as much security as possible within the context of what people actually use. Theorizing about some completely different approach that no one would use is entertaining but pointless.

Comment: Re:Wait, wait, trying to keep up (Score 0) 459

by swillden (#48198973) Attached to: NPR: '80s Ads Are Responsible For the Lack of Women Coders

...so today are women individuals who can do anything men can do and are perfectly capable of functioning in modern society, to wit, choosing the career path that they want to follow out of interest, talent, and education?

Or are they intimidatable, wilting violets incapable of exercising free will, intimidated by the faintest approbation, and unable to choose a career because some shitty 1980s movies didn't ACTUALLY show "girls doing data entry"?

I'm just trying to keep track here. I need to know if I should treat them like plain old people, or tread delicately around their fragile sensibilities?

They're both. Just like men.

Why would you think that women should fit neatly into one bucket or another?

Comment: Re:Toys vs tools (Score 2) 459

by swillden (#48198943) Attached to: NPR: '80s Ads Are Responsible For the Lack of Women Coders

When computers were viewed as toys, it was acceptable for girls to have them. Once they became tools, however, they were only for boys.

Then explain why a high percentage of programmers were women back when the only computers that existed filled rooms, cost millions of dollars and were clearly anything but toys, but once microcomputers were widely available in homes and used for playing games as much as anything, the percentage of women began to decline.

I think you may have the right concept, but with the genders reversed.

Comment: 80s movies? Really? (Score 3, Interesting) 459

by Opportunist (#48198887) Attached to: NPR: '80s Ads Are Responsible For the Lack of Women Coders

So it's also the 80s movies to blame that women are not interested in careers like soldier, spy, pilot, policeman (apology, -woman), archaeologist, exorcist, karate fighter,...

Has anyone ever looked closer at the 80s? The 80s were not a geek decade. The only movie I can remember where geeks were not just the comic foil (ok, even in that one they were) was "Revenge of the Nerds". The whole "engineering geeks" were no role models in 80s movies, and even less so in TV series. Whenever they were in some prominent role, they were the little sidekick of the actual hero. Be it Automan's creator Walter, who was mostly a comic sidekick (ok, the show wasn't that memorable, but the special effects were great for its time) or Street Hawk's Norman who was some timid, beancounter-ish scaredy-cat. The geek roles were at best meant to make the hero shine some more.

Actually, the only engineer role I can remember that was allowed to be superior in areas to the hero and be more than a nuisance to him was that of Bonnie in Knight Rider.

A woman.

Comment: Re:How does it secure against spoofing? (Score 1) 107

by Opportunist (#48198737) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

The second channel will not secure a compromised channel, but it will make it easier to detect it.

There are various defenses against replay attacks, most of them relying on keys being tied to the current time and only being valid NOW but neither before nor after. But that is only good against a replay, it is quite useless when the attacker is manipulating your own communication. That has been the staple of attacks against banking software since the advent of the OTPs, and the only sensible defense against that is actually a two channel communication. Out of band one way transmission (i.e. sending an OTP to the customer to use in the transaction) doesn't help here.

There is very little you can do to combat malware infections unless you are willing to use a second channel. At some point in the communication the data is vulnerable to modification, no matter how well you try to shield it. It resides in memory, unencrypted, at some point in time. And if nothing else, this is where it will be manipulated.

And it's heaps easier to do if the interface used is a browser. You can literally pick and choose just where you want to mess with the data.

Comment: Re:How does it secure against spoofing? (Score 1) 107

by Opportunist (#48198661) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

Ok, using what frequency? As far as I'm aware the whole spectrum that could be used by 3G is owned by some telcos and considering just how expensive using those freqs is they will hardly be so nice to let you use them for a little bit. They'll want to see money for that!

Comment: Re:How does it secure against spoofing? (Score 1) 107

by Opportunist (#48198589) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

The system you describe has been implemented often. Most often I've seen it with online games and the like where the main threat is the use of credentials by a malicious third party (i.e. some account hijacker stealing username and password, logging into your account and doing nefarious things with it). For that, you don't need a dongle. You need two synchronized devices that output the same (usually numeric) key at the same time. Basically you get the same if you take a timestamp, sign it using PKI and have the other side verify it. If you have two synchronized clocks, transmitting the signature (or its hash) suffices. That doesn't really require plugging anything anywhere, although it probably gets a lot easier and faster to use if you don't have to type in some numbers and instead have a USB key transmit it at the push of a button.

But that's no silver bullet. All it does is verify that whoever sits in front of the computer is supposedly who they claim to be and entitled to do what they're doing. It does NOT verify what is being sent, or that the content being sent is actually what this user wanted to send.

If anything, it protects Google rather than the user. Because all that system does is make whatever is done by the user of the account non-repudiable. Because whatever is done, it MUST have been you. Nobody else could have done it, nobody else has your dongle.

Comment: Re:How does it secure against spoofing? (Score 1) 107

by Opportunist (#48198461) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

Technically, "real" two factor authentication, with two different channels involved, requires an attacker to infect and hijack BOTH channels if he doesn't want the victim to notice it.

As an example, take what many banks did with text messages as confirmation for orders. You place the order on your computer, then you get a text message to your cell phone stating what the order is and a confirmation code you should enter in your computer if the order you get as confirmation on your cellphone is correct. That way an attacker would have to manipulate both browser output on the computer and text messages on the phone, to successfully attack the user.

In other words, it does of course not avoid the infection. It makes a successful attack just much harder and a detection of the attack (with the ability to avoid damage) much more likely.
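The three points argued across this thread (a time-bound code defeats replay but is useless once the session itself is manipulated, a synchronized-clock code only proves who is present and not what was sent, and a confirmation code tied to the order contents does bind the transaction) can be shown in a few dozen lines. The block below is an added example and is not code from any of the commenters or from Google's key implementation. HOTP and TOTP follow RFC 4226 and RFC 6238, and the secret `TEST_SECRET` is those RFCs' published test-vector secret; the order-bound confirmation code is this example's own construction (not a named standard), and the sample orders `ORDER` and `TAMPERED` are constructed values.

```python
"""Time-synchronised one-time codes versus transaction-bound confirmation codes.

Added example (not from the thread). Standard library only.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step
CODE_DIGITS = 6     # length of the displayed login code
ALLOWED_SKEW = 1    # accept one window either side for clock drift

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

# Constructed sample transfer orders; TAMPERED is the same order with the
# beneficiary swapped, which is what in-session manipulation would produce.
ORDER = {"to": "DE00 0000 0000 0000 0000 00", "amount": "125.00", "ref": "invoice 4711"}
TAMPERED = dict(ORDER, to="DE99 9999 9999 9999 9999 99")


def truncate(mac: bytes, digits: int) -> int:
    """RFC 4226 dynamic truncation of an HMAC tag to a decimal code."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return word % (10 ** digits)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> int:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> int:
    """TOTP: HOTP with the counter derived from the current time window.
    Two devices with synchronised clocks and the same secret produce the same code."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: int, unix_time: int, used_windows: set,
                step: int = STEP_SECONDS, skew: int = ALLOWED_SKEW) -> bool:
    """Server-side check. The code must match the current window or one within
    `skew` steps, and each window is consumed once (RFC 6238 section 5.2), so a
    captured code cannot be replayed even inside its short validity period.
    Note what this does NOT check: anything about the request it accompanies."""
    now = unix_time // step
    for window in range(max(0, now - skew), now + skew + 1):
        if window in used_windows:
            continue
        expected = f"{hotp(secret, window):0{CODE_DIGITS}d}"
        if hmac.compare_digest(expected, f"{code:0{CODE_DIGITS}d}"):
            used_windows.add(window)
            return True
    return False


def canonical_order(order: dict) -> bytes:
    """Fixed serialisation so bank and customer device MAC exactly the same bytes."""
    return "|".join(f"{k}={order[k]}" for k in sorted(order)).encode()


def confirmation_tag(secret: bytes, window: int, order: dict) -> bytes:
    """Full-length tag over the time window AND the order contents (example's own
    construction): the code now depends on beneficiary, amount and reference."""
    msg = struct.pack(">Q", window) + canonical_order(order)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def confirmation_code(secret: bytes, unix_time: int, order: dict, digits: int = 8) -> int:
    """The short code the customer reads off the second channel next to the
    order text it was computed over."""
    return truncate(confirmation_tag(secret, unix_time // STEP_SECONDS, order), digits)


def verify_confirmation(secret: bytes, code: int, unix_time: int, order: dict,
                        digits: int = 8, skew: int = ALLOWED_SKEW) -> bool:
    """The bank recomputes the code over the order it is about to execute. If the
    order was altered between customer and bank, the recomputed code differs and
    the code typed in from the second channel no longer verifies."""
    now = unix_time // STEP_SECONDS
    for window in range(max(0, now - skew), now + skew + 1):
        expected = f"{truncate(confirmation_tag(secret, window, order), digits):0{digits}d}"
        if hmac.compare_digest(expected, f"{code:0{digits}d}"):
            return True
    return False


if __name__ == "__main__":
    t = 1_000_000  # constructed fixed timestamp
    login = totp(TEST_SECRET, t)
    print("login code accepted:", verify_totp(TEST_SECRET, login, t, set()))
    print("login code accepted again (replay):", verify_totp(TEST_SECRET, login, t, set()))
    code = confirmation_code(TEST_SECRET, t, ORDER)
    print("order as confirmed:", verify_confirmation(TEST_SECRET, code, t, ORDER))
    print("order as tampered :", verify_confirmation(TEST_SECRET, code, t, TAMPERED))
```

The second `verify_totp` call in the demo uses a fresh `used_windows` set on purpose: it shows that replay protection lives entirely in the server's bookkeeping of consumed windows, not in the code itself, and that a TOTP check accepts the tampered order just as readily as the genuine one because it never sees the order. Only the order-bound code fails on `TAMPERED`.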
