Also reminded me of an article (I'm having trouble finding it) about a master key for an apartment complex that had been stolen. The article published a picture of the master key itself and then more people were able to copy the master key...
I played with this when I got my first 3D printer about 5 years ago -- I took a photo of my house key and replicated it in about a half hour. The photo was (intentionally) not a great one.
It was at that time that I started keeping all of my keys in a sleeve. Do I now need to start wearing gloves?
Not all locks are trivial to pick, but the common consumer ones are (speaking from experience -- I've been a recreational lockpicker for years).
But recreating through a photo counts as a low-skill attack. Not as low-skill as raking a lock or using bump keys, but it does make low-skill attacks viable on moderately-or-better secure locks.
> I've said it many times before. Biometrics should be used as usernames and not as passwords. You should be able to change a password.
This guidance isn't unique, though it is certainly accurate. Case in point sourced from 1999 when the differences between identification v. authentication in a biometric context were being hammered out: https://web.archive.org/web/19990508102505/http://biometrics...
I have accounts I haven't logged into for years, but still need access to. Losing access over time is not a good feature. And a 'reset' with antibiotics doesn't make sense for a bunch of reasons.
Also, password diversity is a good thing. I don't want $COMPANY_A's data breach to expose my password to $COMPANY_B
Gut biome actually changes pretty rapidly. IIRC some grad student did some kind of sequencing on his stool for a year, the the populations of different strains of bacteria would completely flip when he ate a salad one day and a cheeseburger the next.
His name was Lawrence David, but I can't quickly find the writeup that illustrates the point I'm making.
Or, we can develop solutions based on existing [proven] cryptographic primitives, with a focus of abstracting authentication / signing / encipherment functionality to an external key or secure-device.
Example: iPhone (and Andorid) both have "secure enclaves" where cryptographic keys are stored. However when you step into the basic PC/Linux realm the concept of a secure-device for key storage (TPM) is pretty non-existent outside of corporate players. We can do better, without totally going pie in the sky.
Why? If you can reliably determine that a fingerprint actually belongs to a person... it's not as if I can make my fingerprint mimic yours if I happen to come across a photo of your fingerprint... Of course, simple sensors such as phone fingerprint readers can easily be tricked, but that's an issue with that specific implementation (similarly to how you can sometimes see greasy traces of unlock pattern on phone screens), not of the general idea...
People keep forgetting that there are two parts that ought to be (as) secret (as possible) in authentication.
This is why major organisations don't allow usernames to be name_surname or nsurname. They pick random usernames. I remember when I was a student my username was a random string with characters and numbers.
This makes it more difficult to hack my account (without prior knowledge, shoulder surfing, etc.) since it was highly unlikely you could guess my username and my password.
> This is why major organisations don't allow usernames to be name_surname or nsurname. They pick random usernames. I remember when I was a student my username was a random string with characters and numbers.
sounds more like an artifact of early garbagey email systems than any sound security policy. certainly i've seen nothing of the sort from any organization since a VM/CMS system in the early 90's.
> This makes it more difficult to hack my account (without prior knowledge, shoulder surfing, etc.) since it was highly unlikely you could guess my username and my password.
this doesn't make any sense.
if i generate my passwords by a perfectly reasonable, robust procedure, and then prepend them with the string "password", and disclose this fact publicly, they become no less secure.
the username is just like a publicly announced string prepended onto your (hopefully) securely generated password.
Authentication includes both username and password. In a bank I used to work my username was a random 10 digit number. Very annoying to type all the time. The good thing is, if you want to use my account, good luck guessing both my username and my password.
Does that make sense? I do not imply that password should not be complex etc. I am merely pointing out the benefits of having a difficult to guess username.
no, it does not. just add more bits of entropy to your password if you want more "unguessability". there's no benefit to putting it into the username.
the username and password fields can be imagined as a single field; whether the entropy is at the start or end of the field makes no difference. we just split them up for database efficiency reasons. (and because the username ends up displayed some places.)
> I do not imply that password should not be complex etc.
I do understand that's not your implication
> I am merely pointing out the benefits of having a difficult to guess username.
i'm saying that if your password is good enough, it doesn't matter what your username is.
the same way that if the last 50% of your password is "good enough", it doesn't matter if you plaster the first 50% of it onto billboards.
At least in the iPhone implementation, the finger print is neither user name nor password, it is more like a session key. You have to authenticate with username and password, then you can use your fingerprint (or faceID) to access that session for a multi-day period after which you have to reauthenticate with your password.
Good explanation of a good implementation. Thanks for bringing my attention to something that's been right in front of me for years but I didn't know about.
The "victory" meaning comes from WWII, not Pokemon.
The hippie counter-culture movement in the 1960s co-opted it as the "peace" sign, but nowadays I'd argue it doesn't have much of a meaning, it's just "something people do for photos" (especially in East Asia).
The V sign with palm facing the signer in British English means something like 'Fuck off'. All sorts of quite likely spurious history about archers insulting the French at Agincourt is used as a kind of etymology.
With the palm facing the viewer it means peace now but it's rare to see it referred to as a V sign in the UK with this meaning.
In WW II Churchill used it to mean Victory not peace but apparently started out used the insulting version and had to have the difference explained to him. Not sure if that is true or just apocryphal.
There are many photos of Churchill performing the "incorrect" version, so there's at least a grain of truth in there.
No doubt the posh school he went to didn't have the grubby little oiks running round the playground flicking the V's everywhere. Or grubby little oiks for that matter. :)
I never even knew that it appears to be a peace sign in the US. In my (central European) country it is the victory sign for everyone I have talked to about it.
Combine that with physical keys copied from photos, audio surveillance by recording vibrations with a standard Web cam, movement detection through WiFi signals, first steps towards mind reading, and other creepy tech breakthroughs, it is certainly an interesting time to be alive.
[Ford] slowly drew out from the wallet a single and insanely exciting piece of plastic that was nestling amongst a bunch of receipts.
It wasn’t insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semi-transparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudo-inches deep beneath its surface.
It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn’t even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology’s greatest triumph to date over both itself and plain common sense.
Personally, I just stick the > in front even though HN doesn't apply special formatting to it. Most people are familiar with that convention, either from Markdown or from stuff like emails.
The point of pretty quote formatting is to highlight distinction between your own and borrowed text. But in this case the quote is the main content of the message, so there is no need to format it.
The modern convention for such quotations is called "copypasta": you put your quote in the beginning of your message without additional formatting, and attribute it to the author in the end of your message or in the reply to yourself, or ever in the username of account you created to post the quote (such account would be called "novelty account" because THGTTG is in fact a novel).
Attribution after the quote has additional benefit of giving people the pleasure to recognize the source of the quote themself while they read it.
> [Ford] slowly drew out from the wallet a single and insanely exciting piece of plastic that was nestling amongst a bunch of receipts.
> It wasn’t insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semi-transparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudo-inches deep beneath its surface.
> It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn’t even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
> Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology’s greatest triumph to date over both itself and plain common sense.
I actually did this for a previous employer to demonstrate that we shouldn't switch to fingerprint auth-- took a photo of the big boss holding a clear glass, which nicely highlights your fingerprint.
Heh, must be a cultural difference. The V sign they're talking about here is most common in East Asia I guess, though I see it often enough in the US. It's not a vulgar thing, and the usual position is with the palm facing the camera.
The same thing was often used as the "peace sign" in the mid/late 1900s, though these days it's not as mainstream as it used to be.
Its roots go back farther than that, and I think your interpretation (with the palm facing one's body) is older than the more modern interpretation.
Well there some argument that the inverted V (V for victory) was used in ww2 by Churchill avoid the negative connotations but in fact was trolling the Nazis.
60 comments
[ 0.08 ms ] story [ 167 ms ] threadIt was at that time that I started keeping all of my keys in a sleeve. Do I now need to start wearing gloves?
But recreating through a photo counts as a low-skill attack. Not as low-skill as raking a lock or using bump keys, but it does make low-skill attacks viable on moderately-or-better secure locks.
This guidance isn't unique, though it is certainly accurate. Case in point sourced from 1999 when the differences between identification v. authentication in a biometric context were being hammered out: https://web.archive.org/web/19990508102505/http://biometrics...
I have accounts I haven't logged into for years, but still need access to. Losing access over time is not a good feature. And a 'reset' with antibiotics doesn't make sense for a bunch of reasons.
Also, password diversity is a good thing. I don't want $COMPANY_A's data breach to expose my password to $COMPANY_B
Yes
His name was Lawrence David, but I can't quickly find the writeup that illustrates the point I'm making.
Example: iPhone (and Andorid) both have "secure enclaves" where cryptographic keys are stored. However when you step into the basic PC/Linux realm the concept of a secure-device for key storage (TPM) is pretty non-existent outside of corporate players. We can do better, without totally going pie in the sky.
This is why major organisations don't allow usernames to be name_surname or nsurname. They pick random usernames. I remember when I was a student my username was a random string with characters and numbers.
This makes it more difficult to hack my account (without prior knowledge, shoulder surfing, etc.) since it was highly unlikely you could guess my username and my password.
sounds more like an artifact of early garbagey email systems than any sound security policy. certainly i've seen nothing of the sort from any organization since a VM/CMS system in the early 90's.
> This makes it more difficult to hack my account (without prior knowledge, shoulder surfing, etc.) since it was highly unlikely you could guess my username and my password.
this doesn't make any sense.
if i generate my passwords by a perfectly reasonable, robust procedure, and then prepend them with the string "password", and disclose this fact publicly, they become no less secure.
the username is just like a publicly announced string prepended onto your (hopefully) securely generated password.
Does that make sense? I do not imply that password should not be complex etc. I am merely pointing out the benefits of having a difficult to guess username.
no, it does not. just add more bits of entropy to your password if you want more "unguessability". there's no benefit to putting it into the username.
the username and password fields can be imagined as a single field; whether the entropy is at the start or end of the field makes no difference. we just split them up for database efficiency reasons. (and because the username ends up displayed some places.)
> I do not imply that password should not be complex etc.
I do understand that's not your implication
> I am merely pointing out the benefits of having a difficult to guess username.
i'm saying that if your password is good enough, it doesn't matter what your username is.
the same way that if the last 50% of your password is "good enough", it doesn't matter if you plaster the first 50% of it onto billboards.
Sorry but this is not the case at all. Most millenials know it as a peace sign, none of them would think of pokemon.
The hippie counter-culture movement in the 1960s co-opted it as the "peace" sign, but nowadays I'd argue it doesn't have much of a meaning, it's just "something people do for photos" (especially in East Asia).
With the palm facing the viewer it means peace now but it's rare to see it referred to as a V sign in the UK with this meaning.
In WW II Churchill used it to mean Victory not peace but apparently started out used the insulting version and had to have the difference explained to him. Not sure if that is true or just apocryphal.
No doubt the posh school he went to didn't have the grubby little oiks running round the playground flicking the V's everywhere. Or grubby little oiks for that matter. :)
This is great.
https://scifi.stackexchange.com/questions/92738/what-is-the-...
Personally, I just stick the > in front even though HN doesn't apply special formatting to it. Most people are familiar with that convention, either from Markdown or from stuff like emails.
> like this
knuth:> blah blah blah
wirth:> bläh bläh bläh
Yes, there’s a better way. Please refer to the parent comment in this discussion [1].
[1] https://news.ycombinator.com/item?id=21020162
The modern convention for such quotations is called "copypasta": you put your quote in the beginning of your message without additional formatting, and attribute it to the author in the end of your message or in the reply to yourself, or ever in the username of account you created to post the quote (such account would be called "novelty account" because THGTTG is in fact a novel).
Attribution after the quote has additional benefit of giving people the pleasure to recognize the source of the quote themself while they read it.
https://en.wikipedia.org/wiki/Copypasta
> [Ford] slowly drew out from the wallet a single and insanely exciting piece of plastic that was nestling amongst a bunch of receipts.
> It wasn’t insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semi-transparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudo-inches deep beneath its surface.
> It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn’t even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
> Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology’s greatest triumph to date over both itself and plain common sense.
Give as much data as one is comfortable with, when viewing the image in a 1:1 ratio.
The same thing was often used as the "peace sign" in the mid/late 1900s, though these days it's not as mainstream as it used to be.
Its roots go back farther than that, and I think your interpretation (with the palm facing one's body) is older than the more modern interpretation.