Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Smart guns are a neat idea on paper. They'll never survive reality

Charles 9

Re: Hmm....

Don't forget to take out suicides since people bent on killing themselves will just find alternatives (see Japan and South Korea: both near top of the list AND with strict anti-inflammatory policies; the US is middle of the pack suicide-wise).

Charles 9

Re: over engineered

"The company had to put in exceptions so some folks could clock in and out without the biometric component, because they had fingerprints that could not reliably be read."

People with excessively physical "hands on" jobs find their hands worn so smooth they can't leave consistent fingerprints. True story.

Charles 9

Re: over engineered

Or he could be crazed and looking to F you up or other unpleasantries. Some even do it IN BROAD DAYLIGHT, they are that crazed. Just read the news. Plus more and more "Shoot first and to hell with the questions" incidents; no witnesses. Put it this way; sometimes you may not even have ONE second to spare.

Charles 9

Re: 'Smart guns' - an inherent failure

Go back to World War I and Sergeant Alvin York. He knew guns BEFORE becoming a doughboy. He finished the war a decorated hero DUE TO his sharpshooting.

PS. Japan has a honor-bound, obedient culture, thus the low crime rates (crime taints the whole family, so pressure builds). But note Switzerland has a gun culture yet their crime rates are similarly low. Again, culture plays a role. Wouldn't work in a country like the USA built on REBELLION.

Routine jobs vanishing and it's all technology's fault? Hold it there, sport

Charles 9

Re: The elephant in the room--The "O" word.

It's still a problem if you're ALREADY over the tipping point...especially if that tipping point's been going progressively lower as mechanical advantage reduces the practical need for a labor force. Let's just say idle humans historically make for trouble (think the Luddite Riots of the 19th century cranked up to 11), and don't even think about mentioning Basic Income because the only possible sources for this income will never agree to it.

Just give up: 123456 is still the world's most popular password

Charles 9

And what about the blind (or even the color-blind)? Images are not an option, and many sites are legally obligated to be accessible to the handicapped, so any alternative you propose MUST be accessible. At least text can be SPOKEN.

Charles 9

Re: _

"The whole 'password' scheme is hopelessly broken in the current year, and it is not the users' fault."

Now what alternatives do you propose? It seems to me that passwords are the worst out there...barring everything else. Problem is, passwords are also insufficient. Ergo, NOTHING is sufficient, and we're, to put it mildly, screwed.

Charles 9

Re: 18atcskd2w

"And the odds against that are? Come on, you can figure this out. Takes but a second."

Passing fair. See Birthday Problem and the fact the US alone has over 350 million people; let's not get started with Europe. The odds of at least TWO people using the same book AND scheme are better than you think.

Charles 9

Re: 18atcskd2w

"So a mnemonic for a password could be a date at the top or bottom of a page followed by a numeric reference to some of the words. e.g. 170116-010608 for "StartSmileEvery" or 170118-050208 for "RightTimeWhat". As long as you don't write down the codes in the book or reference which book you are using it's strong enough."

Unless someone else gets THE SAME BOOK and figures it out. It's not like those diaries are one-of-a-kind. And as they say, one slip and it's Game Over...
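The birthday-problem arithmetic behind the two posts above, as an added example that is not part of the original thread: each user independently picks one of m equally likely (book, scheme) combinations, and the question is how many users it takes before two of them share one. The scenario numbers at the bottom (1,000 popular diaries times 50 scheme variants) are assumptions chosen for illustration, not figures from the thread.

```python
import math


def collision_probability(n_users: int, n_choices: int) -> float:
    """Probability that at least two of n_users, each independently picking one
    of n_choices equally likely (book, scheme) combinations, pick the same one.
    This is the exact birthday-problem value, computed in log space so that
    large counts do not underflow."""
    if n_users < 2:
        return 0.0
    if n_users > n_choices:
        return 1.0  # pigeonhole principle: a shared choice is certain
    # P(no collision) = n_choices! / ((n_choices - n_users)! * n_choices**n_users)
    log_no_collision = (math.lgamma(n_choices + 1)
                        - math.lgamma(n_choices - n_users + 1)
                        - n_users * math.log(n_choices))
    return 1.0 - math.exp(log_no_collision)


def users_for_even_odds(n_choices: int) -> int:
    """Smallest number of users at which a collision is more likely than not.
    Starts just below the sqrt(2 * m * ln 2) approximation and walks up."""
    n = max(2, int(math.sqrt(2 * n_choices * math.log(2))) - 2)
    while collision_probability(n, n_choices) < 0.5:
        n += 1
    return n


# Assumed scenario (constructed for this example): 1,000 widely sold diaries
# combined with 50 plausible "date plus word positions" scheme variants.
POPULAR_DIARIES = 1000
SCHEME_VARIANTS = 50
SHARED_CHOICES = POPULAR_DIARIES * SCHEME_VARIANTS  # 50,000 buckets
US_POPULATION = 350_000_000


def scenario() -> dict:
    """Summarise the assumed scenario: how few users already give even odds of
    a shared (book, scheme) pair, and what the odds are at national scale."""
    return {
        "users_for_even_odds": users_for_even_odds(SHARED_CHOICES),
        "p_collision_1000_users": collision_probability(1000, SHARED_CHOICES),
        "p_collision_us_population": collision_probability(US_POPULATION, SHARED_CHOICES),
    }


if __name__ == "__main__":
    print(scenario())
```

The classic check that the arithmetic is right is the 23-people-and-365-birthdays case, which comes out at just over 50%. With 50,000 (book, scheme) buckets the crossover is only a few hundred users, and at the population scale the post mentions the probability is exactly 1 by pigeonhole, which is the point: the secret in this scheme is the book and the rule, and neither is unique to one person.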

Charles 9

Re: Just get a password manager..

Also, KeePass is GPL, so the source is openly available. Like with TrueCrypt, if the developer decides to abandon it, someone else will probably take it up.

Charles 9

Re: 18atcskd2w

It's got to be some kind of mnemonic, probably from a TV show or a piece of pulp fiction. That's why it escapes me at the moment.

But seriously, this article tells me that the status quo is unacceptable. What it doesn't tell us is there's any practical solution in sight. If you can't fix Stupid, you have to work around it, but if Stupid demands unicorns, then what options are left apart from taking down the Internet or turning it into a Police State?

Sorta like how Churchill stated Democracy is the worst thing out there...barring everything else. Only thing he didn't answer was whether or not Democracy was acceptable, because if it isn't...

Charles 9

Re: Any site just relying on passwords should be blamed instead

Plus people easily LOSE them. After all, they lose their PHYSICAL keys; what hope does a fob have?

Charles 9

Re: Don't Just Blame Users

"Teach them to use a password safe. That will allocate high entropy passwords and store them. You need never even have to read and type the password.

It means you always have to use your own PC? Even better."

That's assuming they OWN a PC? What if the ONLY PCs they use are communal?

Charles 9

Re: Don't Just Blame Users

"I understand that, my point was that if too-often password changes are mandated, the temptation is to use weaker passwords which are therefore more likely to be guessable. A slow password change policy, maybe even with auto-generated passwords, makes it more likely that the user will be willing to commit a strong password to memory, and make it less likely that that password is compromised between changes. I'm talking about someone trying to guess John Smith's passwords without any inside information."

But you assume people are guessing passwords instead of gleaning them. Mass guessing can usually be detected and noted as an attempt at an account (and handled accordingly), but an insider picking up on someone's password (reading the Post-It, for example) is much more insidious and the reason for change policy: because there usually won't be missed guesses in the latter, and since it's already internal, it's virtually indistinguishable from real attempts.
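An added example illustrating the distinction drawn in the post above (it is not code from the thread): a sliding-window counter over authentication events flags a burst of failed attempts, while a single clean success from a gleaned password leaves nothing for the counter to see. The log format and the log lines are constructed for this example; real systems use their own formats, and the thresholds are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified auth-log format (not from any real system):
#   <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, user, src) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_guessing(lines, max_failures=5, window=timedelta(minutes=10)):
    """Flag each (user, src) pair whose failures inside any sliding window
    exceed max_failures. Returns {(user, src): time of the triggering failure}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "FAIL":
            continue
        ts, _, user, src = parsed
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > max_failures and key not in flagged:
            flagged[key] = ts
    return flagged


def clean_logins(lines, window=timedelta(minutes=10)):
    """Successful logins with no failure from the same (user, src) in the
    preceding window. A gleaned password shows up here, indistinguishable
    from the owner's own login."""
    last_fail = {}
    clean = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        key = (user, src)
        if outcome == "FAIL":
            last_fail[key] = ts
        elif key not in last_fail or ts - last_fail[key] > window:
            clean.append((user, src, ts))
    return clean


# Constructed sample: the owner logs in, an outsider guesses the password
# after six failures, and an insider who read the Post-It logs in cleanly.
SAMPLE_LOG = (
    ["2017-01-16T09:00:00 OK user=jsmith src=10.0.0.5"]
    + [f"2017-01-16T12:00:0{i} FAIL user=jsmith src=203.0.113.9" for i in range(6)]
    + ["2017-01-16T12:00:06 OK user=jsmith src=203.0.113.9",
       "2017-01-16T18:30:00 OK user=jsmith src=10.0.0.7"]
)

if __name__ == "__main__":
    print("guessing:", detect_guessing(SAMPLE_LOG))
    print("clean:", clean_logins(SAMPLE_LOG))
```

Running it on the sample flags the 203.0.113.9 burst and lists both the owner's login and the insider's as clean. Nothing in the event stream separates the two clean logins; that is why a periodic change, which invalidates whatever was read off the Post-It, does work the burst detector cannot.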

Charles 9

Re: what this tells me

Can't those STILL be used to glean information for social engineering? Not all sites will take fake info (plenty verify).

Charles 9

Re: Don't ask for a password, assign one

And if people keep forgetting their wallets? Or have trouble remembering even simple stuff like BIRTHDAYS?

Charles 9

Re: Any site just relying on passwords should be blamed instead

What about people WITH NO SECOND FACTORS?

Charles 9

Re: Just get a password manager..

But it's a point that ideally should never go online. Meaning breaking it would involve either pwning your local machine or cracking the algorithm. If they get your local machine, to throw a quote, "You're already dead." If they crack the algorithm, there are bigger fish they'll be frying.

Charles 9

Re: Don't Just Blame Users

Because it limits the damage if the password is leaked but NOT KNOWN to be leaked. When the change comes, you either close the leak or you find out about it. Either outcome helps.

Google to kill passwords on Android, replace 'em with 'trust scores'

Charles 9

Re: False Rejection Vs False Acceptance

Communal computer so can't trust it? Memory SO bad they can't remember even the ONE strong password (because they can't even remember their birthday)?

PGP Zimmermann: 'You want privacy? Well privacy costs MONEY'

Charles 9

Re: Shut that (back)door!

"When building such things, perhaps we should think, "What would Stalin do?""

A: Anything he damn well pleases because, in the end, an autocrat able to exert absolute power doesn't really need laws on paper ("Ink on a page."). If you're up against that, you have bigger problems—likely intractable ones at that. History shows that no government known to man can really stand up to a sociopath with a lot of charisma.

Charles 9

Re: Privacy doesn't cost money

And guess what? Effort and comfort have a price, too: either in money or time (then again, time is money, too).

Charles 9

Re: I dont mind...

Only nVidia cards do doubles at quarter speed. For a while now, AMD cards can do it at only half the speed of single, which at least makes sense.

Father of Android II: A Hardware Comeback

Charles 9

Re: connector

But if the SD cards starts breaking, I can at least replace it. If the internal memory of a device breaks, the device is essentially bricked. That's why I ALWAYS insist storage and battery (the two least durable parts of the device from my experience) be user-replaceable.

And no manufacturer will be interested in an open standard because they KNOW they'll lose control of it, and this is ALL about control (they want to create the next walled garden; otherwise, why give a soaring screw?).

Google floats prototype Key Transparency to tackle secure swap woes

Charles 9

Re: Fuck this.

Simple. Use a THIRD Klingon-speaking pissed-up Cornish geezer.

Charles 9

Re: paranoid...not too much!

No, what we need to do is find a way to do things on the average person's level. That is, bad memories, often without second factors, and looking for turnkey solutions that involve little more than "click here once or twice". We have to make security no more difficult than finding and using the front door key. Otherwise, people won't bother, as experience demonstrates.

Mr Angry pays taxman with five wheelbarrows worth of loose change

Charles 9

Re: Common Sense Lobotomy

"Well yes, mainly because if you work for a government department and apply common sense rather than the letter of the rules sooner or later some idiot and his a******e lawyer will start a lawsuit and your neck will be on the block."

What happens when the lawyer simply sues on the grounds of interference BY playing by the book (IOW, using the letter to defeat the spirit)? Sounds like they can get you either way.

Charles 9

Re: El Reg, missed the point...

"They called it a "personal property tax", and you pay it if you're parked in the state for more than 10 days (or some other arbitrary limit), EVEN ON PRIVATE LAND."

That's because PRIVATE LAND is still COMMONWEALTH land (Virginia is legally defined as a Commonwealth). Their territory, their rules. It's sort of like why you have to pay Virginia sales tax when in Virginia even when you don't live there (that's why tourist-heavy states like Florida and Nevada rely on these instead of income taxes).

Charles 9

Re: Is it legal?

There's no law preventing it; then again, there's no law forcing it, either. And since this is a live transaction, not a payment of debt, it's between the buyer and seller to determine what's acceptable and what's not.

Legal Tender laws ONLY apply to DEBTS. And while there are no limitations in the US (most likely due to First Amendment grounds--just like burning the flag, a protest payment can be construed as speech, so any law that attempts to do this could be challenged), the UK does impose limits on what denominations you can use to pay a debt.

Charles 9

Re: Weigh the coins

Legal Tender laws ONLY apply if there is a DEBT involved. Stores and ticket counters are allowed to refuse service, meaning no debt gets involved. Bills, OTOH, usually represent a debt UNLESS it is for services TO BE rendered (a PREpay versus POSTpay).

It's not just your browser: Your machine can be fingerprinted easily

Charles 9

Because a web page is no longer just a page. That bus left LONG ago and won't be coming back even if someone were to draft an HTML6 spec with all the stuff taken out. It's what the users want (and to most users, the WWW == The Internet and they refuse to see anything else), and that's what the users will get (they outvote you). We could've done remote graphical terminals a long time ago, but now it's way too late.

Charles 9

The TL;DR version: websites and network people have already mastered the art of de-anonymizing you in ways that cannot be easily disguised, such as by location narrowing, click habits (which can be timed and are based on instinctive habits that are hard to break), and assorted Turing Tests to filter out chaff clickers. IOW, if they REALLY want to find you out (and there's a financial motivation to do so), they'll find ways that can't be stopped without breaking the Internet. After all, a letter normally needs a return address, and that's crucial information on its own.

Charles 9

Re: Mine doesn't give that data.

But the IP would still be the same because it would go through YOUR router. I'm sure they'd catch on to those tricks and just lump them together by IP and behavioral patterns.

Charles 9

Re: Mine doesn't give that data.

"No we don't."

YOU don't, but you're outvoted.

TV anchor says live on-air 'Alexa, order me a dollhouse' – guess what happens next

Charles 9

Re: Alexa?

NO, so please enlighten us.

Charles 9

Re: Changing the name

If SRAM doesn't need refreshing, why does it need a battery backup? A ROM doesn't need electricity at all until you access it.

Six charged for 'hacking' lottery terminals to spew only winning tickets

Charles 9

Re: Picking winners and losers

Also, a print queue is never shown: only a running total of what's BEEN printed. Plus it NEVER reprints a ticket (at least, not one that's legal for turning in) unless it's a Remainder Ticket (turning in a winning multi-draw ticket with draws still to play; a Remainder Ticket is only good for the draws still to play). Jams, rare as they are, have to be resolved with the Lottery. Also, Fast Play games are never displayed: only printed, and each one is accompanied by a "cha-ching" sound effect so you can HEAR when the ticket is printed (a similar sound is played when a winner is scanned so you don't get scammed out of a winning ticket). As you can see, they go to great lengths to prevent cheating and scamming.

Charles 9

Re: Do the math ...

In the United States, gambling winnings are classed as income (definitely federal, state depends on which). Any winnings over $600 MUST be reported to the IRS (that's where Form 1099-G comes in); that's why those tickets have to be taken to regional offices. Amounts $5,000 and up are subject to withholding. And for jackpot games, you ARE allowed to take a "cash option". Thing is, jackpot values are always based on annuities. You only get the listed value (minus taxes) if you take the jackpot as an annuity. Most winners, however, don't bother with it and take the immediate payout of about half the stated value (what would've gone into the annuity originally) because that gives them legal control over the money. Not only can they invest it as they see fit (usually in ways that beat the annuity rate), but it also allows for inheritance (jackpot annuities are almost universally listed as non-transferable; if you die before the annuity is up, it's void).

Oh, for F...acebook: WhatsApp, critics spar over alleged 'backdoor'

Charles 9

"We've caught (you/your family member) doing something illegal (like hacking / not paying their taxes / hurting someone in a drink driving incident / drugs / being gay in a country where it's illegal). If you help us, we can make it go away. We'd hate for it to end in a 20 year jail sentence. Bad things can happen to people in jail."

And if the reply is, "I never liked my family anyway!" Because it turns out you're talking to a Black Sheep?

Anti-smut law dubs PCs, phones 'pornographic vendor machines', demands internet filters

Charles 9

Re: Hahahahahahaha

And yet they get voted in time and time again. What does that tell you?

Charles 9

Re: won't pass constitutional exam

Point is, it's neither universal nor guaranteed, and since this is state law, it would have to go before that state's court system first, THEN if they still disagree take it up before SCOTUS, and ONLY if they agree to look at it.

Backpage.com kills adult section, claims government censorship

Charles 9

Re: Many of you really missed this one

"Child prostitution or not, it is still illegal as hell to advertise prostitution anywhere in the US."

Under which law, and why doesn't Freedom of the Press apply for business agreements between consenting adults?

Peace-sign selfie fools menaced by fingerprint-harvesting tech

Charles 9

Re: Repeat after me...

A fingerprint is always on you unlike anything else you can think of.

A fingerprint is always on you unlike anything else you can think of.

A fingerprint is always on you unlike anything else you can think of.

What do you do when it's the ONLY thing you have to work with?

Charles 9

Re: Fingerprint readers don't read fingerprints

But what do you use when that's the ONLY thing you have to work with? The big thing about biometrics is that, barring an injury severe enough to basically put you out of work, they'll ALWAYS be there unlike anything else you can propose. People have TERRIBLE memories so WILL forget passwords no matter what the length (heck, people forget their own names and dates of birth--I speak firsthand). Plus people frequently have to wear clothes with no pockets or lanyards so have no way to store external credentials (plus if the security is high they may not be allowed to for sake of blocking hidden recording devices).

As for recording the impulses, I thought ATMs found a way out of this by black-boxing the scanners and only emitting encrypted streams that include timestamps or other nonces so no two reads produce the same signals, defeating replay attacks.
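An added example of the replay defence the post above describes, not code from the thread or from any ATM vendor: the reader is treated as a black box that emits only an authenticated record binding a template digest to a fresh nonce and a timestamp, and the verifier rejects anything stale, anything already seen, and anything whose MAC does not check. It uses a MAC rather than encryption because integrity and freshness are what stop a replay; the shared key, reader ID and skew window are assumptions, and the "fingerprint" bytes are constructed.

```python
import hashlib
import hmac
import os

# Assumed shared secret provisioned into the reader; constructed, not a real key.
READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key: bytes, msg: dict) -> str:
    """HMAC over every field the verifier relies on, in a fixed order."""
    body = "|".join([msg["reader"], str(msg["ts"]), msg["nonce"], msg["template"]])
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class Reader:
    """Black-boxed scanner: never exposes the raw sensor stream, only a
    MAC-protected record bound to a fresh nonce and a timestamp."""

    def __init__(self, key: bytes, reader_id: str):
        self.key = key
        self.reader_id = reader_id

    def scan(self, raw_capture: bytes, now: int) -> dict:
        # A real matcher would emit a feature vector; a digest stands in here.
        template = hashlib.sha256(raw_capture).hexdigest()
        msg = {
            "reader": self.reader_id,
            "ts": now,
            "nonce": os.urandom(16).hex(),  # fresh per read: two reads never match
            "template": template,
        }
        msg["mac"] = _mac(self.key, msg)
        return msg


class Verifier:
    """Host side: checks authenticity first, then freshness, then replay."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> ts, pruned once outside the skew window

    def accept(self, msg: dict, now: int):
        try:
            expected = _mac(self.key, msg)
        except (KeyError, TypeError):
            return False, "malformed"
        # MAC first, so unauthenticated junk cannot fill the replay table.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale"
        self._prune(now)
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"

    def _prune(self, now: int):
        cutoff = now - self.max_skew
        for nonce in [n for n, ts in self.seen.items() if ts < cutoff]:
            del self.seen[nonce]


if __name__ == "__main__":
    reader = Reader(READER_KEY, "atm-07")
    verifier = Verifier(READER_KEY)
    record = reader.scan(b"constructed fingerprint capture", now=1000)
    print(verifier.accept(record, now=1003))   # first presentation
    print(verifier.accept(record, now=1004))   # same record again
```

The order of checks matters: the MAC is verified before anything is remembered, the timestamp bounds how long nonces must be kept, and only then is the nonce table consulted, so a captured record is useless after the skew window and useless immediately if the verifier already saw it.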

Charles 9

Thing is, they never verified if the photographed fingerprint was good enough to pass a scanner, and they weren't in a position to find out.

Tell us about that $1m horse, Mr Samsung: Bribery probe slips deep into South Korean giant

Charles 9

Re: Hmmm

And note it's spelled "oah" instead of "aoh". They didn't realize the mistake until it was too late.

Charles 9

Are you also forgoing LG and Hyundai as well, given they were also listed in this current scandal? You'll also have to wonder if other chaebols like Lotte are also involved but haven't been caught this time.

Raspberry Pi Foundation releases operating system for PCs, Macs

Charles 9

Re: content still needs to be CREATED

"People used to say that kind of thing about UNIX workstations once upon a time too - "I need a proper workstation and a proper workstation application" (games are a different arena). Fine, if that's what people need, someone is going to have to pick up the bill for their hardware design and build costs, and maybe software development costs, and if it's no longer cross-subsidised from the volume market, the PHBs won't like the bill."

Thing is, the costs are pretty much already sunk with the incumbent x86 (solutions already exist), so ARM is already handicapped. And once you factor in power-chomping things like memory bandwidth which you need to feed true high-performance applications, ARM really loses its efficiency edge versus x86, leaving x86 with its incumbency advantage. In short, in order to unseat x86, ARM has to leapfrog x86 in just about all its remaining applications, including things like video encoding (which is too generalized for GPU work while still memory- and FPU-intensive). They're not up there yet and will probably need a few technological leaps to catch up, and meanwhile x86 isn't sitting idle, either.

Too much landfill, too little purpose: CES 2017

Charles 9

Re: Some products show promise

The problem with trying to get robots to turn away unwanted people for us is that the miscreants just start making smarter approaches to make sure they get the human, not the robot. Eventually, you get into Turing Test territory with potential knock-on effects (if you can make a robot that can fool any cold caller into thinking you're human, they can just turn around and use the same trick on you).

Frankly, without a way to verify the identity of ANY caller (and even then, what about pay phones?), there's no real way to effectively screen them out (because any loophole you're forced to leave will be abused).

Charles 9

Re: Lack of imagination

Except many of them are to fill a demand. SOMEONE had to have asked for it for them to not only make it but SELL it, too.