I knew where that was going before I clicked. I've met him, and we used to live in the same fairly small town. I'm also in a Facebook group composed only of Russ and rusty Brooks. Still, I'm fairly identifiable.

Sent from my Nexus 5X using Tapatalk

Yes, I have implemented it, and am actually currently doing it on an app I'm making.

But this theoretical was a little closer to home

It may not be for today, but at some point, you ought to try to implement your own auth / login / logout / session management using the least amount of libs you can while still maintaining good security practices. It would be quite eye-opening and I won't spoil the surprise for you.

Pfft don't need no libs. Store everything in a flat file, passwords in the clear, job done.

On a semi-related note... we get about 100 new signups a day. A certain percentage have trouble verifying their email. It's hard to say why. Usually, our support team handles it. For some reason, someone sent a ticket my way with 10 emails in it that were unable to verify their email.

I sat on it for a day and then looked into it. By the time I looked into it
* 5 of them managed to verify their email - I assume they found the email we sent them and clicked the link
* 2 of them does not have an email in our system. I assume he's probably just wrong about what address he signed up with. If you go look at unverified emails you find stuff like rbrooks@gmai.com and other mispellings.
* the remaining 3 are unknown.

The ticket initially asked me to just go ahead and verify all of them. My response was... "I'll be happy to, but also, this is an extremely common and effective social engineering tactic." And it is.

We are a god damn information security company, and as long as no one like me protests, we are happy to verify a user if they call or email and say it didn't work for them. The internet is well and truly ****ed.

(Also a week or 2 ago they sent out a fake phishing email and like 30% of our work force clicked on it and entered in their username and password. Literally what the ****. I would be naming and shaming those guys and if they were in *anything* other than like sales... jesus.)

I'm sure all the voting machines are safe though. o_O

Social engineering identification/prevention that worked would be so valuable.

Bruce Schneier's book on cryptography laid out secure methods of not only voting, but of verifying your own vote, like, 20 years ago. And I'm pretty sure he was just summarizing well documented research from 20 years before that. No one gives a ****.

I used to work for a company that made software to let the various parties in a real estate transaction work together. If you've ever bought a house, you probably know that a typical closing period is 30 days. We guaranteed 7 days and in many cases, could get you closed in *24 hours*

We had a secure cryptographic protocol. Every time anyone touched a document it was cryptographically signed. It was possible to prove mathematically that the holder a particular key had made a particular change. Did this make our customers feel secure? No.

What did they want/like? This was all electronic you see. No faxes or hard copies. What they liked was that they could scan in their signature as GIF or JPEG or whatever, and paste it onto these virtual documents. That way they'd be signed!

I so wish I was kidding.

I asked him to get each of these people to send him an email from their purported email address saying "hey this is joe blow from jblow@gmail.com requesting you verify my email for your site www.craptastic.com"

So far I have not heard back.

The only fallout from my comments on the ticket is that someone asked if I could help correct typos like gmai.com on email addresses.

Maybe, I said. But also, I get emails every day intended for a different rbrooks@mymailprovider.com - more than one really. At least one of them occaisonally gets mad at me and claims I have stolen his email address, because he legitimately thinks the string he types in to all the places he registers for is his email address. He thinks I hacked him or something. I've had this particular address since 1993.

Some percentage of people can not type in their email address correctly. This is not a problem solvable by software.

After doing this recently with express and passport it sounds like cruel and unusual punishment to try to do this w/o libs.

Not that it was the hardest thing ever, but those libraries do SO much for you, I really wouldn't want to try reinventing them.

I feel similarly after using mongojs for a bit (not doing anything too complicated) and then switching to mongoose - like, jesus, wtf was I doing with my life before this??

In the old days we did auth uphill in the snow both ways.

We did it *badly* but still

He is asking how or why whitespace is trimmed from a password field. The torture is my point. It doesn't hurt to learn what is going on under the hood, plus, you feel like a "real programmer" when you mange to figure it out.

I'm certainly not promoting a practice of roll your own. I've received a few too many plain password emails from a "professional security companies" and can only imagine the ignorance it took to mess that one up. Sadly, I've seen enough chosen answers on SO to have a general idea of why this happens.

That is truly sad. The worst part is that I would assume part of the problem is that legislation is behind the times. I work with a financial services company and I know there are things that still require a "wet signature" by law.

Sent from my SM-G900R4 using Tapatalk

I don't think we should do electronic voting pretty much ever. Casting votes and verifying your vote is only part of the problem. This is only the systems part of the problem as well, it basically doesn't get more accessible than marking a piece of paper.

I feel like this actually is completely solvable by software.

Stuff like what information you give out over the phone would be much more difficult, but for the 30% of employees who are vulnerable to fishing, a tool that runs on their machine that checks their inputs and prevents responding to bad emails, etc. would be totally reasonable.

With blockchain technology, we have the ability to set up a voting system that is simultaneously anonymous and unhackable with the ability to independently verify the final tally and that your own vote was counted correctly.

Well, kinda late for that. My jurisdictions have had electronic voting for years. Given that this is the case, I wish they were more secure than your average middle school library's lab computer.

I feel the same way. In Canada we basically have 3 elections that happen every ~4 years. In two of them you have only one choice to make. In the third you might have 2-3 choices to make.

But I'm not sure its as practical for Americans. In the US you have much more frequent elections and they vote for a whole crazy number of things in most of them.

My gut reaction is that there is zero chance you could get enough of the public to accept this. And even if you did, I might personally be against it because it would fuel conspiracy theory morons to brand new levels of absurdity.

That being said, I remember saying there was no way we'd have self driving cars for decades because politicians / general public would never accept it. And I think I was pretty thoroughly wrong there.

If a state already has an electronic voting booth, the blockchain voting tech could probably be designed so it's transparent to the users. Possibly even with paper votes too, not sure. I think it would be pretty cool if I could check that my own vote was recorded how I expected and that anyone with some free time and programming knowledge could verify the published results. Of course there will be plenty of idiots who forget(err in) how they vote and protest that the results are incorrect. Not sure how you resolve that problem.

Don't get too pessimistic on your SDC pessimism just yet. There are still no robot cars on the road today. As far as I know they all still have humans at the wheel outside of a few tests. Even if we eventually see robot cars without a human chaperone soon, eventually one of these cars will cause a fatal accident. That's where the real legal challenge begins. A robot car company is a much bigger lawsuit target than an individual driver. Our legal system doesn't really favor a transit system thats demonstrably safer if the liable entity is much bigger and has deeper pockets.

There's millions (probably tens of millions at this point) of miles driven on public roads with a human behind the wheel, but not doing anything. That's way more progress than I would have expected 8-10 years ago.

I don't think the lack of a human chaperone is that important to me. The technology is the same and a lot of the benefits are the same too. I also think that this comes pretty easily once we have billions of miles driven showing how much safer the cars are.

We already have a fatality from a self-driving car. It was much less of an issue that I think lots of people suspected it would be.

Sure, and this definitely becomes more important if you remove the chaperone. But until then, it's less of an issue because the manufacturers can point to the requirement that the person is always ready/able to drive.

Ah ok, I am most excited by the possibility of removing the chaperone.

Fair enough, I just feel like once the technology is being used at scale, the rest is inevitable.

I could easily see the 'chaperone' requirement staying law as people gradually get more and more lax about it. At some point `the chaperones` are reading books, watching videos, not paying attention at all. And then at some point its looked at as one of those silly old-fashioned laws that nobody enforces.

But none of that helps people that don't want to be chaperones.

could be wrong, but i think with tesla autopilot + other data it's already overwhelmingly clear that they are safer than human drivers, early as the tech is.

http://www.greencarreports.com/news/...d-by-elon-musk

TLDR: this article says there is not enough data yet to know.