And cookies. But yes, you're right that they don't necessarily have to wait for the user to log in to Google unless that's the only site they care about and the user has not yet logged in to that site. (And apologies for my bad grammar for saying "log into" as well.)

If that were the case, then a single failed login (because of network congestion, for example) would prevent you from ever logging in again. Nobody destroys the shared key. They prevent using passwords twice by using an authentication server that marks the last successful login time and won't let you use a time-based authentication token generated on or before that time stamp (or some similar technique).

The way time-based auth usually works is that either the shared key is hashed with some sort of time stamp or the shared key is used as one of the inputs to a PRNG function whose other input is the number of 30 second periods since some arbitrary time in the past. Given the same key and the same time, the two endpoints can generate the same pair of values, and the authentication server can compare the received value with the expected value. In the latter case, it also typically compute one period before and one period after the current one, to allow for clock drift.

CryptoCard devices do the same basic thing, as I understand it, but the second input is the number of times the button has been pressed. On the server side, it computes the next n possible values after the last one successfully used (where IIRC n is configurable by the server administrator) and if any of them match, that becomes the last one successfully used going forward.

Either way, once that key is compromised (or in the case of CryptoCard, the key plus the number of times you've pushed the button), the system breaks down. This is why your IT department won't give you a copy of the private key associated with your dongle.... :-)

Here's how I know you don't know what you're talking about: All of the things I've talked about have happened already.

Really? Really? Just like that, compromises my cell phone, which is never out of my possession?

A smartphone? You bet. There have been at least two jailbreaks (read "root compromises) for iOS that were triggered by simply going to a web page. In those particular cases, the user knew that he/she was going to a website that did this, but it could just as easily be done surreptitiously.

Nobody bothers to root Android that way because there are generally easier ways to do it, but that doesn't mean it is impossible or even more difficult than it was for iOS. Nor is there any reason to believe that identity thieves do not already have such techniques in their arsenal.

And waits for the user to log into google Again, Really? Do you even have a clue how Google authenticator works? You don't log into google with the authenticator. You log in with some other computer over a ssl connection.

First, that's not necessarily true. Most users do use their phones as browsers, too, which means the device is often the same piece of physical hardware.

Second, even when you do have a proper physical separation between the authenticator and the browser, the only thing it changes is which attacks are relevant:

• If the computer is the compromised device, attacks 1, 2, and 3 are possible.
• If the mobile phone is the compromised device, attack 4 is possible.

In short, the separation is mostly a security no-op.

Even if you had a pre-compromised computer and an elaborate SSL spoofing setup in place ahead of time

Once the endpoint of an SSL/TLS link is compromised, you don't need any spoofing. You can drop an extra self-signed anchor cert into the appropriate trusted anchors list, and you're trusted. There's nothing elaborate about it. It's downright trivial. I can throw together a proof of concept in about three minutes.

For that matter, once the endpoint is compromised, you can just tweak it to display the little lock icon while sending data in the clear. SSL and TLS are worthless if the endpoint is compromised. Completely worthless.

But wait, that wouldn't work either because google already detects this.

Correction. Chrome detects this, but only if the user is running Chrome and that copy has not been modified by the attacker. Once the computer is compromised, you cannot rely on that, either. Any attacker capable of compromising the computer is also capable of compiling a copy of Chrome with those checks disabled. Besides, even if those checks could magically be made impossible to remove, they would still only effectively guard against attack #2, which still means the security hole is wide enough to drive an Abrams tank through it.

It is not possible to detect a man-in-the-middle attack where one of the endpoints is compromised. Period. You're trying to argue against one of the most fundamental tenets of computer security here. There is exactly one way to guarantee that a transaction is secure, and that requires either cryptographic signing or some other form of cryptographic authentication between two trusted endpoints.

Assuming the servers are secure (which isn't 100% certain, but it's sort of an unavoidable assumption), the remaining piece is a hardware device that is not field programmable, that has a screen to show information about a transaction, buttons to authorize or cancel that transaction, and a simple communication protocol, with code that has been proven to be bug free using formal verification techniques. Anything less than that is at best only trivially more secure than passwords.

You owe me a new keyboard.

What needs to be done, as a minimum, is something like Password Hasher (the firefox plugin) needs to be built into each browser.

That protects against what is probably the least interesting situation—when the user's password to one site is silently compromised by attacking that site, and the user used that same password on another site. First, it assumes that the user's password is weak enough to be readily cracked by someone hammering on the password database (which if it is salted properly, is unlikely). Second, it ignores the reality that most passwords are not compromised by server-side security holes; they're compromised by client-side security holes—keyloggers, etc.

To use a car analogy, this is like putting an un-pickable lock on a car to protect your expensive radio, but leaving the factory glass windows untouched.

I think that Google Authenticator tries to prevent mitm attacks by having any given token usable exactly once in addition to having a very short lifespan.

Here's why that doesn't work. The attack is very, very, very simple, and once you see it explained, you'll never trust those sorts of services again. A basic attack looks like this:

1. Attacker compromises the device and waits for user to log into Google.
2. Attacker captures the response to the authentication request and forwards it to their own server.
3. Attacker's server connects to Google's system and obtains credentials.
4. Attacker displays a network error message to the user. The user logs in again to the real Google server, unaware that the first attempt was successful, just for somebody else.

Elapsed time: tens of milliseconds after the user logs in. A slightly more sophisticated attack looks like this:

1. Attacker compromises the device and waits for user to log into Google.
2. Attacker captures the response to the authentication request and forwards it to their own server.
3. Attacker's server connects to Google's system and obtains credentials.
4. Attacker masquerades as a forwarder for Google's server so that the user is completely oblivious.

Elapsed time: tens of milliseconds after the user logs in. And if the service you're logging into works the way most services do, an even simpler attack looks like this:

1. Attacker compromises the device and waits for user to log into Google.
2. Attacker steals the cookies that Google stores on the user's system and uses them on another machine.

Elapsed time: zero milliseconds after the user logs in. But the best one of all is this:

1. Attacker compromises the device and steals the private key used to generate the authentication token.
2. Attacker logs in at will. From anywhere. At any time. Forever and ever.

Elapsed time: zero milliseconds after the device is first compromised or GA is first installed.

All four techniques are 100% transparent and are 100% effective attacks against software-generated time-based authentication schemes. The first two are 100% effective against hardware tokens used for time-based authentication, too. In fact, even if Google upped the ante and made the authenticator be interactive, where the Google servers sent a unique nonce that had to be encoded along with the time stamp, this scheme would still not be significantly stronger. The only change required to the first two schemes would be adding one additional step—telling the attacker's server to issue a request to Google and pass that request nonce to the compromised client. And the third and fourth schemes would continue working as-is. This is why time-based authentication is basically worthless unless the endpoint is trusted (and at this point, I'm growing more and more convinced that users should assume that their endpoints are not trusted).

The reality of the matter is that time-based authentication schemes are an anachronism. When they were first conceived by RSA in the mid-1980s, they were not intended for general users. They were intended to protect against precisely one threat—an attacker with a very specific target watching a user type in his or her password from a distance. They work well for that purpose. They can be compromised once by any attacker who gains control over the system where the authentication token is being entered, even if hardware tokens are involved, and they are permanently compromised by any attacker who gains control over the system where the secret key is stored. The reason there haven't been very many new implementations of time-based authentication since the 1990s is that such schemes just aren't particularly useful against modern attacks. They give the illusion of security without actually adding any. Well, unless you're worried about your roommate seeing you enter your password.

Put another way, creating a secure authentication scheme where the endpoint is compromised is fundamentally impossible for precisely the same reason that perfect DRM is fundamentally impossible. Alice is also Eve and Mallory. Food for thought.

Sigh. Ignore the first sentence in the second paragraph. This is what over-editing does.

Yes, lots of weak passwords are guessed by automated bots. This tends to affect websites like Facebook, message boards, etc., where the maximum possible damage is fairly limited and mostly harmless. By contrast, most people's bank account passwords are not "12345".

Not for important accounts, though. For things like banks, the password rules generally are already strong enough to make guessing problematic unless you know your victim, and to some degree, even then. It is far easier to make a virus that compromises millions of machines and looks at what letters the users just typed, or injects spyware into their browsers to detect which of those virtual PIN number pad buttons the user clicked, or whatever. Instead of an attack on a specific person that requires research, you can successfully compromise thousands or even millions of people. Why spend a high amount of effort per target when you can spend almost none and get similar results?

This, of course, ignores attacks on the infrastructure itself (e.g. attacking a credit card processor to steal credit/debit card numbers en masse or installing a card skimmer on an ATM). Those sorts of attacks also seem to be pretty popular, but they don't have much to do with passwords.

The FIDO stuff sounds like a whole lot of expensive extra technology with no real benefit over a password. A finger swipe is a replayable event just as much as a password or PIN.

The Google Authenticator is conceptually okay in theory, but in practice, AFAIK, it too becomes a gaping security hole as soon as your mobile device gets compromised.

If you want something stronger than passwords, it must have the following criteria:

1. Immune to replay attacks. Done correctly, this means that each authentication request must have a unique ID that must be signed or otherwise combined with some shared secret in a secure way.
2. Immune to man-in-the-middle attacks. Each request for authentication must be signed by the requestor so that the user can be certain that he/she is not agreeing to do something other than what is intended. Each response from the user must include at least a hash of the original request.
3. Immune to device compromise. The most common way that computer security is breached is through password sniffers or other compromise of the user's computer or mobile device. If you cannot trust the device that is performing the authentication, you cannot trust the action being performed, and all security goes out the window, including existing measures for preventing MITM and replay attacks, such as SSL/TLS.

None of these schemes I've seen so far address #3, and as a result, none of them are significantly more secure than typing letters at random and pasting the resulting password into a text file on your Desktop. They try to address problems that don't actually exist, while failing to address the root of the problem, which is that computers, mobile devices, etc. are not inherently secure.

For example, Google Authenticator uses a time-based token. This tries to avoid replay attacks by limiting the period during which an attack is possible. That doesn't work very well, though, unless you can delay an attacker's ability to sniff that token. This means that you have to prevent a MITM attack. As soon as the device is compromised, SSL and TLS are no longer capable of preventing a MITM attack, so the entire scheme falls apart.

Anything short of a non-networked device communicating with your computer over a very simple protocol (think "formal verification" here) is not a major win, IMO. And it can't be something silly like touching a smart card to an RFID reader, either, because the reader could perform more than one transaction, and you would have no way of knowing that you just bought some farmer in Iowa a new tractor alongside that DVD from Amazon. No, you really need a physical screen and a button on the device saying, "Do you agree to transfer $258,000 to Bank of Nigeria?" in order to significantly improve things. Anything short of that is just wasting a lot of time and expense without addressing the real problem—that if you can't trust the endpoint, you can't trust the message. Start by developing a truly trusted endpoint. After that, the entire problem becomes fairly trivial.

I, for one, am 100% gung-ho about having a 3rd-party in the 'cloud' handling every single one of my packets so that they can balance them between my connections!

There are already lots of third parties handling each of your packets. I'm not sure why one extra router would be a cause for concern.

I don't agree on the megapixel thing. As far as I can tell, consumers as a whole never cared about megapixels except as a means of helping them choose between two cameras that were otherwise basically indistinguishable. I don't know anyone who ever said, "I want to buy a new camera because it has more megapixels." They bought new cameras because their old ones started having problems, or occasionally because they saw photos from other people's digital cameras that looked better. Indeed, this is the norm when it comes to hardware. People buy new hardware when the old hardware stops working or starts to look worn out.

Now the marketing people pushed megapixels because it was the only thing they had to differentiate one cheap camera from the next, but in the end, that didn't matter because as far as consumers are concerned, there's a point at which it becomes "good enough". When cell phone cameras got to be "good enough", almost everyone stopped buying and using low-end cameras. As a result, the most popular cameras currently on the market, at least as far as the number of pictures taken, are all either some model of iPhone or some model of DSLR. Everything else is very nearly lost in the noise (or at least the long tail).

What this says is that the people who actually cared about picture quality before still do (and use DSLRs), because their goal is to take photos. Everyone else takes photos using whatever they have handy, same as they always did, and they upgrade when their old cell phone breaks or when they see somebody's new cell phone and realize that it is much better than theirs was. The only real difference is that they now carry one fewer devices than they did before.

As for the Hi-Fi thing, that's pretty much the same situation. It's not that it was a fad so much as that good quality sound takes up a lot of space, so a lot of folks switched to smaller speakers once they got "good enough" even if they didn't sound quite as good. The audiophiles still take the time to tune their rooms, buy good quality speakers, etc. Everyone else buys whatever is cheap at the time because they need something to do a particular job. It just so happens that whatever is popular tends to also be cheap, because of economies of scale. :-)

96.9% of the people in India (1.18 billion people) live on less than $5 per day (adjusted for purchasing power.) Confiscating 100% of Bill Gates wealth will only give each of them a one time payment of $61.61, less than a month of income.

The upshot of realizing these things is that you see that wealth disparity is a pretend problem, and the closest thing it is to a real problem is the fact that so many people can be so easily fooled into droning on about it like it actually was a problem.

That's specious reasoning for two reasons.

First, the only useful measure of wealth is a local one, because most commerce occurs locally. The people in India don't pay American prices for food, shelter, clothing, etc., so Bill Gates being rich doesn't affect them significantly. The more interesting question is what his wealth would do if redistributed to the poorest people in his own country, where there are a quarter as many people, and where only about 15% of those are living in poverty relative to the rest of Bill Gates's home country.

Second, your argument assumes only a single ultra-wealthy person. When you actually look at real numbers instead of your strawman assumptions, the reality is very different from what you're presenting. Here are the cold, hard facts:

• If you took away all the wealth of just the Forbes 400 (the richest 400 people in the U.S.) and redistributed it, you could give $35,000 apiece to every single American living below the poverty line. That's enough to wipe out their debt entirely and put them on the road to financial recovery.
• If you extend that to the top 1% of Americans, you would have enough to give every American currently living below the poverty line nearly a million dollars apiece—enough for them to retire right now and live off the interest for the rest of their lives while still making about as much per year as they currently do!

Frankly, wealth is even more unequally distributed in the U.S. today than it was in the days leading up to the French Revolution. The only reasons things aren't as bad as they were then are because we have a middle class, we allow people other than the top couple of percent to own land, and we are geographically large enough to be resistant to local droughts that would cause famine in a country as small as France. Those differences make the wealth disparity no less real, though.

I'm not suggesting that it's time to behead the top 1% and redistribute their wealth, but clearly we cannot afford to ignore the problem indefinitely.

About half as much power as a low-current LED.

A trillion apples is a roughly 4.5-apple-thick layer of large apples covering all of Manhattan.

Now that I've said that, it's easy to conceptualize it. In fact, you've already visualized it in your mind, and if you're from anywhere other than Manhattan, you're also probably thinking that it sounds like a good idea.

For actual bartending work involving complex cocktail production, where the bartender needs to have extremely high perception, flexibility, stability, control in mixing the drinks in just the perfect timing, temperature, amount, AND on top of that being social and friendly with ability to reply to the drinkers who sit at the bar?

Well, except for that last part, I'd expect the robots to immediately do a better job. The last part can be handled by an ordinary member of the wait staff without lots of experience at tending bar. This doesn't really remove the need for the people, but it does remove the need for the training and experience, which means the pay is likely to go down.