The Iraq war was not caused by intelligence failures. They had no evidence whatsoever that Iraq was involved with AQ. Cheney did not accept this answer, and had a squad of three nitwits go through the rejected intel pile untill they found Screwballs' testimony. "Screwball", according to the CIA's report, was a schizophrenic liar, a real piece of work, and not to be taken seriously. His 'intel' was shitcanned by the professionals.

Good enough! Cheney took the crap that his people dragged in, told Powell to shoot it at the UN, and the war's your uncle. The great bit is that since the crap story was "from the CIA", and the CIA *cannot hold press conferences* to denounce the lying sack, they knew they were going to take the hit. And did. We only know because some CIA officers walked off the job and told us about it, in real time. And were ignored, of course. War war war Iraq war terrorists Iraq war.

Cheney. Ashcroft. Wolfowitz. Rice. The four shits of the apocalypse. They did it on purpose. Three were writers of the Project for the New American Century paper, which insisted that the US take the Iranian and Iraqi oil fields for itself, to deny China and Asia access to the two giant sweet crude sources in the world, for the sole purpose of blocking their economic power.

The CIA was a victim of Cheney and his little squad of economic warriors. We failed them by not prosecuting the murderers. And it was mass murder, for Realpolitik and for cash. And don't forget, this bordered on treason, because Osama got clean away for ten years while Cheney and company were looting Iraq clean.

"Fraud protection" is just the opening pretext for this kind of service. People hare off debating retailer rights and all that, but what we are looking at here is a new commercial service which will offer a handy blacklist to any government, employer, store or random schmuck which will be used to remove internet privileges from anyone who doesn't want a giant "HERE HE IS" Google Earth arrow floating over his location. Another deanonymizer. Another goddamned bar in our prison cage. No one gets to be anonymous, or hide their location, not if they want to actually *use* the internet.

In other news, Isn't Dick Cheney's house location still classified, and removed from Google Earth? (used to be). How does that work? The rabble live in goldfish bowl, but the powerful get to remove the metadata of their very existence from the internet. This is about POWER, kids, not about vendor protection or security. Knowledge of what you do, what you say, where you are - that's power that gods have. Some people get to be gods, and spend their lives off-grid, like Cheney did, and the rest are goldfish in the gods' aquarium.

Oh, seriously, get a life.

He's 57. Ain't a noob. The attacks were like, ten years ago. They're like a bunch of evil ex-girlfriends on Facebook against whom he really needs a restraining order. No one really cares what the "community" thinks, if what you mean by that is the group that has the time and inclination to launch DDOS attacks and spam threads with "Gibson sucks" posts. I don't believe people of that disposition really matter if they're over 15 years old. Nobody even remembers what the hell he did "wrong", and frankly no one outside of that group cares - if anyone is left, as "they" should have been married and worried about male-pattern baldness and being severely overweight by now.

This methodology requires no patches. No vendor co-operation. Just a little crypto challenge. No more worrying about third parties or passwords. Session encryption is useless if they've already logged your keystrokes, or the ISP gave your keys away or provided their SSL certs to the government. Encryption is necessary, but the problem is passwords, always the passwords.

And it is an expensive hack, thanks you. Lots of time being spent on it.

SQRL doesn't present a password to any site. It provides an answer to a crypto challenge that can only be answered by the user stored password. No rainbow table is gonna get that. Rainbow tables don't contain all the numbers in the universe.

No. Read. Read.

A web site can still require any authentication it wants, including userid and password. As the proposal states, if you read it.
And, again, and again, and AGAIN, you do not need a smartphone. The challenge can be a generated URL.
Please, help out here, and read the proposal. It's quite clever, and everyone is trying to break it, find the holes. So read those first. Maybe then you can find a new hole, and then someone can get it fixed.

Read.

No. It is stored, encrypted, on the phone, or the computer, or the tablet, or the USB stick, by the user, who is responsible for its security. what "browser storage" means, I do not know. If the master key is encrypted in the usual fashion, only the user has the password necessary to unlock it, just as in Truecrypt's case. It's gotta be somewhere. This way, it doesn't exist anywhere else in the universe but that device (and anything else you can store it, encrypted, as well), so no certificate hijacker, no MITM, no ISP, no website ever has that key but you.

Not a certificate, but a means of generating session keys that are unique, and theoretically anonymous, by use of that master key. No one in the world can be you. The only drawbacks are MITM, where someone pretends to be a valid site and presents a fake challenge and then lets you in. That's up to you to police. No one else can stop you from entering a phishing site but you. The other is losing your key (!!) by losing your phone or whatever. They've come up with a revolving two-master key system, where you can revoke your master and then switch to a pre-entered (by you) new master. Further developments are open to view,and anyone can challenge or join in. But, do read first.

Idiocy indeed. Learn to read.

Indeed no. It doesn't.

no. as it has been written and said, many, many, many times, you do not need a smartphone.

The fallacy of the golden mean. The truth doesn't always lie between two extremes. He can be, and has proven to be, careful in his self-education and execution over decades. He nailed Microsoft on open sockets - *yes - he -did* - and figured out Prism as a pipe-tap rather than as a cooperative venture while everyone else was screaming and running in circles, accusing everyone of collaboration (not that there isn't, of course). I've listened to him for years. I've never known anyone so careful of his reasoning, so open to arguments, and ready to admit he is wrong and adapt to new facts. He has a podcast that provides him with excellent feedback, so facts are checked and errors corrected on the next podcast. He's polite, accomplished, and well-liked by people who listen to his show. He's a successful IT professional with good products. He's been a tireless advocate of privacy and freedom and has worked to try to find solutions to now proven security canyons. And his SQRL is no longer his baby - he gave it away for free, as in beer and speech, all open-sourced, and all the problems people have thought of are now being hammered on by people in the GRC discussion group as well as anywhere else that cares to try. If there's a hole, they'll address it. He's not the sole programmer or developer of SQRL. It's out there for anyone to work on, and soon will be a web standard. It helps to read his posts, or listen to his podcast, and not listen to "people" yakking on the internet about him. I can understand character assassination and how it is forever on the internet, but it doesn't mean that intelligent people have to bow to it. Look at what's really there, not at what people say.