One of the biggest issues right now, is that we have a community (doctors, scientist, researchers) who need to backup their claims with actual proof's or risk loosing their license/reputation vs a community of "gurus"/"self-healers" who don't have to backup any of their claims at all. Thus the "gurus" can make HUGE claims, that to someone sick sound much better than the conservative claims made by doctors.
Give both groups the same voice & reach, and guess who wins.
For security, the commit command will use one-time passwords. This way, even if someone gets the ordinary password of a user, they can't modify the catalog that actually appears at the site.
Yet, it was another era....:
Secure server software ($5000). This does not seem to be an absolute necessity; there are a lot of sites on the web where you can send your credit card number unencrypted, and to date there have been no reports of the numbers being stolen.
I'll explain. Most people who criticize contemporary are, usually use a combination of its just a bunch of random lines or a "5 year old could have painted that" - as if the complexity of difficulty of an art piece its what makes it valuable. But nothing is further from the truth, a simple piece, with a strong composition such as Number 17a, could look simple but its quite powerful and complex.
Let me use an analogy you can better understand. I am sure you can appreciate music. Most people who listen to the Marriage of Figaro by Mozart, can understand it's a master piece. Yet, it isn't the most difficult balad Mozart composer and many other musicians have created far more complex balads. Also a gifted 5 year old could probably learn to play it and reproduce it quite accurately. Does that diminish its value because a 5 year old can play it? It's even possible for an average 5 year old to invent a similar balad after listening to it. But could an average 5 year old create something like the Marriage of Figaro from scratch without ever hearing it? It takes a pretty special 5 year old, like Mozart to produce something like that. And its the whole composition that matters, not just a few notes - anyone can play a few notes.
The same happens with Pollock. He was the first drip painter. And while an average 5 year old could drip some paint in a canvas (play a few notes), they won't be able to create a powerful composition of colors that mirrors a full Pollock composition. Sure, there are amazing reproductions of Pollock made by very trained art forgers - yet that doesn't diminish the value of Pollock just because someone else after analyzing his technique is able to reproduce it.
The value is another story. It's worth $200M because of its size and scarcity. Pollock wasn't a big art producers and thus there aren't many paintings around. Yet there are many people who love his work and want to buy it. Supply and demand dictates the price. Sure you can buy something similar from an art forger, but its not the same, the same way that listening to a album on a set of speakers is not the same as having the artist play live for you.
Although most people will read this and think, oh more shenanigans from UBER, the reality is (and as a Colombian I know), that the government has failed for years to regulate this industry, which is regarded by all consumers as incredibly positive, and continuously has fought against this platforms in an effort to keep the taxi mafia content.
Yet, taxis in Colombia are incredibly dangerous. As a passenger you are exposed to express kidnappings, drivers that are aggressive, adultered fares systems and drive unsafely in cars that don't meet any security guidelines (a large number of passengers have died on rear-collisions given that the most common Bogota taxi has no rear-reinforcement). For decades the taxi mafia's have provided an unsafe & horrible service, when Uber & other platforms arrived, users flocked, yet by means of aggressive protests where they pretty much block the city, the taxi's have forced some parts of the government to try to curve Uber.
Uber however has fought to continue providing the service that the consumers demand, and has otherwise tried to complied with every law. This fine comes from the industry of commerce regulators, who have tried to convince the technology ministry to shut Uber down, with them refusing. I hope Uber continues to operate in Colombia and use their legal means to fight this regulators who are not operating from a consumer benefit standpoint, but rather a political fight to protect a mafia that needs to be dismantled.
Founder of Authy here. I've been thinking a lot about this lately and came to the conclusion that the only sensible way to do 2FA are U2F hardware key's. Here's why:
First, SMS 2FA. People think SIM port is uncommon, its not (i saw thousands of cases). Your cellphone number its public information - pretty much - and its not a technically difficult attack, you just need to convince a carrier to do it. Once the your SIM is migrated to the hackers possession he will hack into all your accounts before you even realized what happened.
Second, TOTP. I founded Authy with the idea that TOTP was strong enough and it is, technically, but in the wild deployments have lots of issues. Biggest one is people constantly change/loose their phones. So you end up with a update issue. At Authy we solved it by encrypting the seeds and storing them on the cloud. But today most users just copy the QR-Code, or store their TOTP key along with their passwords in the password manager. Storing your TOTP in your password manager completely defeats the point of TOTP, it just provides you with a false sense of security. Lastly, because it generates a lot of support issues when people loose their phones, services have added ways to bypass 2FA in their account recovery flows. You'll see backup codes or simply SMS as a recovery mechanism. This means your TOTP is as safe as SMS if your recovery allows it. TOTP today is so misused its just providing a false sense of security.
Third, U2F Hardware tokens. Its finally possible to do U2F to the iphone via Bluetooth and Feitan now has a key that supports it (Google sells one for project Titan). You can buy 2 keys for $50 dollars. It's impossible to missuse U2F tokens - you can't unsafely back-them up, you can't "screenshot them", etc, hardware enforces their security. They are 100% un-phishable, its impossible to trick a user into signing a login on a fake site - the key will simply not sign it, and there is no way for the user to make an "exception"(like you can if the SSL cert is invalid.). Also given the price and form factor is easy to buy 2 or 3 and have a few stored as backups. In my case I have 4 keys, 2 that I use on daily basis, and 2 I stored as safe backups. If I were to loose 2, there is no way of knowing they belong to me and tie them back to my account and I would just use the backup keys to logon, remove the lost keys and buy 2 more. No unsafe recovery keys, no unsafe backups. All my 4 keys are the exact same level of security.
Lastly, now Android allows you to use your android as 1 U2F key(new androids have secure hardware enclave specifically for this), so essentially all that users would need to do is buy 1 hardware key as backup.
If you are a service provider, I hope you consider about offering the ability to use U2F keys as secure login mechanism and enforce minimum 2 keys need to be registered - then you disable any other recovery mechanisms. THIS IS THE RIGHT WAY TO DO 2FA in 2019.
This unfortunately is useless. Account recovery will still allow the hacker to use the phone number that has just been swaped to logon to the email. The weakest link is what matters and in this case you are just putting a bigger door lock on the front door while leaving your back door open.
another shocker. The smell of "Chlorine" in the pools is not caused by "chlorine" but by the urine. Chlorine has no smell when mixed with water. Add urine, and you get the "Chlorine" smell thats typical of pools.
I wanted to take a quick second to dispel this myth. Although I collect watches and I have several high end pieces, including grand complications - none of them are good "investments". You will likely loose money on 99% of watches you can buy and it certainly applies 100% to all new Rolex watches. There is just a small amount of watches that actually appreciate like Patek application pieces or the Vintage Rolex Daytona ('Paul Newman) or 1980's Milgause. The chance you buy one of this is 0% unless you know what you are doing.
So your friend has a 25 year old Air King? This is not a vintage piece, it's just an old piece. Worth? $1500 - $2000 depending on condition. Secondly, in 25 years he had to service it at least 3 times. Each service cost? $400 - $800 depending on the issues. If he polished it, $500 more.
So all in he's put in $1,200 + ~$1,500 = $2,700.
Now had he place $1,200 in the S&P 500 on 1991 (exactly 25 years ago), he would have at the end of December 31 exactly $13,588 dollars (~9.78% on average per year).
I don't understand how you can say he beat the S&P many times over.
Hi An6n, Fido and U2F are really interesting to us - we are totally supportive of it and have some really great things planned around this area. Stay tuned!
Hi, good question. The reason for the phone number is that we depend on your phone number as part of your identity. Almost all 2-FA systems today use the phone number as a way to send you the code via text/phone call. If you read my blog post: blog.authy.com/twilio you'll see we decided to build our infrastructure on top of the telecom infrastructure because it was ubiquitous.
I also understand why some people don't like clouds backups. The good news is that backups are off by default and optional. If you don't need them, you can keep them disabled.