Comment Re:No thanks (Score 1) 40

The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something like a long passphrase as a front-line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getting in those is small, barring a hack on the email provider's side.

Yep. This is the way to treat your crown jewels, which is what your primary email address is. At least until we finally move away from passwords and therefore from password reset flows.

That will, of course, create other problems :D

Comment Re:No thanks (Score 1) 40

The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

You can copy your Google Authenticator token to other devices quite easily. Of course, the more places you put the seed secrets, the more opportunity there is for someone to steal them.

Comment Re:Need a new identity method/system. (Score 1) 40

IMHO, biometrics should be considered as "usernames".

They're not usernames, nor are they passwords. They have very different security properties from both, and don't fit into the username/password model.

The main difference from usernames is that usernames are not inherently bound to the person, but biometrics are. If I know your username, I can type it in and claim to be you. If I know your fingerprint, I cannot submit it to a proper fingerprint scanner (note that "proper" is carrying a lot of weight here). Said another way, in the context of a proper scanning and matching environment, biometrics do provide authentication. Very strong authentication.

This highlights, though, that all authentication value in biometrics comes from the integrity of the scanning process, which is why I said that it doesn't provide much when the scanning is done remotely, unobserved, with a scanning device under the control of the person allegedly being authenticated.

While biometrics fail as authenticators in uncontrolled environments, they fail as identifiers in nearly all contexts. The main requirement of an identifier, like a username, is that it be unique. Biometrics aren't.

Well, probably they are in some absolute sense, except for identical twins in some cases, but in practice all biometric matching is fuzzy because measuring bodies and matching them against templates is less precise than matching the bits of a username. Biometric matching is always testing whether the livescan is close enough to the stored template under some complex distance metric. This means that given a large enough database you will get false positives. And thanks to the Birthday Paradox, this happens with a much smaller database than you might think.

To illustrate with some very rough and approximate numbers. Suppose that a biometric matching scheme has a 100,000:1 false accept rate (FAR). Suppose that this rate is absolutely consistent across individuals (pipe dream, but reality is way too complicated). So, you can think of it as a scheme that creates 100,000 pigeonholes and slots every individual into one of them. The probability of you falling into the same pigeonhole as me is 1 in 100,000. That's actually a very, very good FAR, BTW. I don't know of any commercially-available fingerprint or face systems that good.

Now, suppose I put a bunch of people in the database, and then you present your biometric and we try to identify you from the database. How many people can we put in the database and still have reasonable odds of uniquely identifying you? If we have 250 people in the database, odds are >50% that we'll hit at least one false positive. We'll match you, but also one or more others. What FAR would we need to guarantee a low probability, say 1/1000, with a database of 1000 people? 500,000,000:1, or thereabouts. Nothing is that good.

The reason that biometrics are useful for identification in, for example, criminal trials, is that you don't (or shouldn't, anyway, it's happened, cf. Prosecutor's Fallacy) convict a person based only on biometric evidence. You also need to have some other reason to believe they were in the vicinity, or had some motive, or something. They work extremely well as proof that an already-identified suspect was the perpetrator, though.

One other way in which biometrics are not like usernames, BTW, is that biometric scan templates are not really standardized. There are some standards, but they apply only to a subset of scanner types. In general, it is not possible to scan your fingerprint on your phone and send that to an off-device relying party for identification. It could work with face or iris imagery. Sort of. Face identification is much less precise than fingerprint. Iris could be good, I think. Also retina, except retinas change over time. Good identifiers should also be constant.

So, no, biometrics are not good identifiers. They are very strong authenticators, but only in the right contexts.
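The pigeonhole arithmetic from the comment above, carried out as an added example (not part of the original post). It takes the commenter's constructed 1-in-100,000 FAR applied uniformly, and computes both the single-probe-against-a-database case and the any-pair (birthday) case, since the two questions give different numbers; the functions are hypothetical helpers for this illustration.

```python
"""Birthday-bound arithmetic for the biometric pigeonhole model.

Constructed assumption: a false accept rate (FAR) of 1 in 100,000 that is
the same for every pair of people, i.e. 100,000 equally likely pigeonholes.
"""
import math

FAR = 1.0 / 100_000


def probe_false_match_prob(far: float, db_size: int) -> float:
    """P(one probe falsely matches at least one of db_size other people's
    templates): the 1:N identification case for a single query."""
    return 1.0 - (1.0 - far) ** db_size


def any_pair_collision_prob(far: float, db_size: int) -> float:
    """P(at least one pair among db_size enrolled people share a pigeonhole),
    the birthday-paradox case, computed exactly as a product."""
    no_collision = 1.0
    for i in range(db_size):
        no_collision *= 1.0 - i * far
    return 1.0 - no_collision


def db_size_for_collision_prob(far: float, target: float) -> int:
    """Smallest enrolment size whose any-pair collision probability >= target."""
    n, no_collision = 1, 1.0
    while 1.0 - no_collision < target:
        no_collision *= 1.0 - n * far  # adding person n+1 must avoid n others
        n += 1
    return n


def far_for_collision_prob(db_size: int, target: float) -> float:
    """FAR needed to hold the any-pair collision probability at `target`
    (first-order birthday approximation: p * N(N-1)/2 ~= -ln(1 - target))."""
    pairs = db_size * (db_size - 1) / 2
    return -math.log(1.0 - target) / pairs


if __name__ == "__main__":
    print(f"one probe vs 250 templates: {probe_false_match_prob(FAR, 250):.4f}")
    print(f"any pair among 250 people:  {any_pair_collision_prob(FAR, 250):.4f}")
    print(f"50% any-pair collision at N = {db_size_for_collision_prob(FAR, 0.5)}")
    print(f"FAR for 1/1000 at N=1000: 1 in {1 / far_for_collision_prob(1000, 1e-3):,.0f}")
```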

Comment Hold up a minute (Score 1) 36

Because first world nations are spending their own money.

Excuse me? As a taxpayer I can very much assure you they are NOT spending "their own" money. They are spending the money of the citizens of those countries.

They spend either my tax money, OR by printing more money destroy the purchasing power of money I have. Either way they are spending my money.

Comment Re:Crypto is all garbage (Score 1) 44

An interesting but inefficient solution that is worse than the problem it claims to be trying to solve. Just as you can't beat thermodynamics, crypto will never compete with credit cards.

This is equally true of almost every other use case people have dreamed up for globally distributed ledgers. Unless there is no one who can be trusted to operate a centralized transaction database, the database will always be cheaper, faster and better. And it's even fine to have a set of centralized databases that get mutually reconciled on a regular basis -- which is how the financial systems work.

The only truly good application of distributed ledgers I've seen is for transparency-related projects where you want the data to be fully public and to make it impossible for any party or even large group of parties to subvert. Things like Certificate Transparency. I expect some future systems to be stood up that focus on binary transparency, making it easy to verify in an automated way that the binaries you're running are the ones they're supposed to be and that they're reproducibly-built from a specified version of the source code.

I've yet to see any other use cases where the cost, complexity and overhead of globally-distributed ledgers is justified.

(Distributed ledgers do make a lot of sense in highly-scalable systems under the control of a single entity. For example many eventually-consistent web-scale databases are built on some form of distributed ledger.)

Comment Perfect is not wanted (Score 2) 50

Almost no-one is willing to pay the extra to have the perfect thing.
They will complain it's not perfect, but they will put up with the mediocre they're willing to pay for and eventually become used to it.

Just like giving up their privacy and being subject to advertising because the email or the social media or games are free.

Comment Re:No thanks (Score 1) 40

The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.

IMO it's better to use a TOTP app on your phone. Desktop OSes are significantly less secure than mobile OSes (though still better than SMS). But, yes, any RFC-compliant TOTP generator will work.

Comment Re:No thanks (Score 1) 40

Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.

If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC6238 TOTP setups.

Google Authenticator is an RFC 6238 TOTP implementation, or you can use any other compliant implementation.

Comment Re:Need a new identity method/system. (Score 4, Interesting) 40

Biometric (scan body parts) is the most logical to me.

How do you ensure that a body part was actually scanned, rather than some bits being replayed? Biometrics provide very high security in attended contexts, e.g. where there's a security guard watching you present the body part to a scanner that is under the control of the entity who is trying to verify you. But when the scanning is done remotely, using scanning hardware that is under the control of the person being scanned, it really doesn't provide much security.

Another problem with biometrics is that body parts can get lost or damaged, locking people out of stuff. Imagine being unable to pay your bills because you got a little cut on your finger.

Biometrics have their place, they are valuable authentication tools, but they have serious limitations. They have to be combined with and backstopped by other authentication mechanisms.

Comment Re:What I am hearing... (Score 1) 74

The blind just got a lot more accessible as an audience. That's good for them and for authors.

Also, potentially a lot more books became available to those of us who prefer to listen rather than read. If the AI "performance" isn't too grating.

For most fiction and some types of non-fiction, I prefer audio books over the printed word, because they're more time-efficient. I read far faster than narrators read, but I mostly can't do anything else while reading. Being able to drive, mow the lawn, work on refitting my boat, etc., while consuming audio books has significantly increased the quantity of "reading" that I have time for.

Comment Re:Whose copyright is it? (Score 1) 74

If a new work contains enough copying to implicate the other work's production work, then the new work is a derivative work, yes.

I don't think so. I think it's just a mechanical reproduction of the original work, not really any different than a photocopy -- just a different tangible medium. In order to be a derived work, it would have to be a new work, i.e. some minimal amount of creativity would have to have been added, and I don't think an AI can legally add creativity. Perhaps the configuration choices of the person who set the AI up could be considered "minimal creativity". But if not, it's just a copy in a different medium.

Comment Re:Whose copyright is it? (Score 1) 74

Is this considered a derivative work?

It would just be a mechanical reproduction of the original work, so only the original work's copyright would apply.

In the case of a human narrating an audiobook, the resulting work is a derived work, and both the narrator and the author have rights to it. To copy and redistribute it you need the authorization of both.

But in this case, it's just a copy. If whoever ran the AI on it added some of their own creative choices, for example, inserting, deleting or modifying text, then it would again be a derived work. It's even possible that if the only choices they made were which voice to use and how to configure it, that might also be enough to make it a derived work. But the original author still has an interest in the derived work, so none of this works as a way to escape the original owner's rights.

If I buy the book and generate an AI version is that copyright infringement?

Yes, same as if you ran the book through a photocopier. In both cases, as long as you kept the copy to yourself nothing would come of it. The copyright owner could technically sue you for damages, if they found out, but there would be no damages to recover.
