** UnhandledExceptionEventHandler :: OFFICIAL LC / CHATTER THREAD **

05-31-2017 , 03:26 PM
Quote:
Originally Posted by jjshabado
It's not just RPGs. I used to play an online first person shooter (something around Wolfenstein) and the more you played the more skills you got. It was actually kind of annoying because if you started playing on a server where XP rarely reset you just got crushed for the first X hours because everybody had advanced skills.

And yeah, I realize the difference with 'pay to win', just commenting that 'play to win' also seems like a thing.
I'm assuming all that leveling up stuff came out of paper and pencil rpgs.
05-31-2017 , 04:22 PM
I think there was a big fashion to add RPG-like elements to every genre some years ago.

Then "add roguelike elements to every genre" became a thing.
05-31-2017 , 05:23 PM
That was standard character dev mechanics until pretty much Eve wasn't it? New ideas are hard...
06-01-2017 , 10:31 AM
Ugh, so now SMS 2-factor auth isn't even secure? One thing I've realized - with iMessage if a computer is compromised so is SMS 2FA.



Also love the support from Verizon and Coinbase. "Please call us immediately" ... "Our offices are closed until Monday morning."
06-01-2017 , 10:41 AM
Getting phone reps to compromise mobile accounts has been a known issue for years.

There was a great example of a guy who used a random string as his "high school attended" and he said to the rep "I could check, but it's a random looking string of numbers, letters, and symbols" and they accepted it no problem.
06-01-2017 , 10:44 AM
Humans suck at strong passwords and CSRs need to get people off the phone fast, a recipe for social engineering...
06-01-2017 , 10:44 AM
The one thing I didn't get is how you could change your Gmail password with just a compromised phone. But I just tested and there is a rabbit hole flow you go down where you basically tell them you don't know your alt-email or any of your security questions, and eventually you can give them a new alt-email. They ask for the same phone # a half-dozen times in the flow. Like that's more secure than asking for it once. Argh.
06-01-2017 , 11:16 AM
Some crooks demoed a hardware way to break 2FA via SMS. For a few thousand bucks you can register as a cell provider, buy a piece of hardware, connect to the cell network and say "rustybrooks' phone is totally connected to my tower, send all his SMSes to me"

I believe this was recently done to pull off a bank heist.
06-01-2017 , 11:22 AM
So just use authy for everything? Or just don't own bitcoin. At least stuff like paypal and bofa have actual fraud departments - and do refund your money although it's a PITA.
06-01-2017 , 01:02 PM
Just launched payments on our site today, holy **** that was an intense and huge amount of work. Would love to write about the design one day - geo pricing, geo billing cycles, auto updating forex rates, vat handling, discounts, multi seat handling, tying in with licensing system etc etc. Probably one of the most complicated things I've ever written but satisfying seeing the payments come in!
06-01-2017 , 03:24 PM
Quote:
Originally Posted by suzzer99
So just use authy for everything? Or just don't own bitcoin. At least stuff like paypal and bofa have actual fraud departments - and do refund your money although it's a PITA.
Well, if you're paranoid enough, you can generate 2FA keys using a hard-copy of your key, say stored as a QR. There are command line tools for it, and I think phone-based tools for it. It's more secure than counting on SMS.

But the real defense is simply to not be a target for hackers. There are 2 big targets for hackers:
1. attacking infrastructure to get a huge amount of user data: nothing you can do, really, except keeping your data out of online databases
2. attacking famous/rich/other attractive targets

You, personally, are probably not enough of a target for someone to bother breaking your 2fa.
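As an added illustration of the hard-copy 2FA approach in the post above (example code written for this page, not a tool any poster ran or linked): the "key" an authenticator app holds is just a base32 string, and the code it shows is HMAC-SHA1 of the current 30-second counter under that key (RFC 4226 HOTP, RFC 6238 TOTP). Anything that has the string can produce the same codes, which is exactly why a printed copy or QR works as a backup and why the string needs to be guarded like a password. The secret below is the RFC 4226/6238 test-vector key, used here as constructed sample input; the account and issuer names are made up.

```python
"""TOTP (RFC 6238) from a base32 secret, i.e. what a paper backup of a 2FA key holds.

Added example for this page, not code from the thread. The sample secret is the
RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890", base32-encoded).
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Constructed sample input: the RFC 4226 / RFC 6238 reference secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def decode_secret(secret_b32):
    """Decode the base32 secret as printed on a paper backup or carried in an otpauth URI.
    Spaces and lowercase are tolerated; base32 padding is restored so b32decode accepts it."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=STEP_SECONDS):
    """RFC 6238: HOTP with counter = floor(unix_time / step). `at` overrides the clock for tests."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t) // step)


def verify_totp(secret_b32, code, at=None, step=STEP_SECONDS, window=1):
    """Server-side check: accept the current step and +/- `window` adjacent steps (clock drift).
    Every candidate is compared in constant time so the verifier does not leak partial matches."""
    base = int(time.time() if at is None else at) // step
    ok = False
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter < 0:
            continue
        ok |= hmac.compare_digest(hotp(secret_b32, counter), code)
    return ok


def new_secret(nbytes=20):
    """Fresh 160-bit secret, as the base32 string you would print or encode in the QR."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32, account, issuer):
    """The URI authenticator apps read from a QR code (the de facto otpauth:// format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # Hypothetical account/issuer names; the URI is what you would turn into the printed QR.
    print("paper-backup secret :", SAMPLE_SECRET_B32)
    print("otpauth URI for QR  :", otpauth_uri(SAMPLE_SECRET_B32, "me@example.com", "ExampleSite"))
    print("code right now      :", totp(SAMPLE_SECRET_B32))
    print("RFC 6238 vector t=59:", totp(SAMPLE_SECRET_B32, at=59))  # 287082
```

Two things worth noticing: the whole scheme stands or falls on the secret string, so a paper copy belongs somewhere with the same physical protection as a passport, and the verifier's drift window is a deliberate trade-off (a wider window tolerates worse clocks but lets a captured code live longer). Nothing here touches the phone network, which is the point the post is making.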
06-01-2017 , 03:39 PM
Dude I am a 2p2 celebrity.

Also that guy I never heard of was enough of a celeb apparently. Although I bet the hacker was disappointed to find only $8k worth of bitcoin.
06-01-2017 , 04:15 PM
Suzzer, the main problem with that guy was leaving the money online. Coinbase is a "hot wallet", it is lunacy to leave $8k there if that's more than you need moment to moment, and would be devastating to lose. It should be your immediate trading bankroll only, which by definition shouldn't be more than you can afford to lose. Even then, it should be protected by stronger 2FA than SMS, as should the email address. SMS 2FA is way better than nothing, tho.

It may seem non-obvious, if you aren't familiar with the tech. But basically in our world, what he did was the equivalent of "I play 25nl occasionally, transferred my life savings to Full Tilt, told the world on twitter, didn't get the RSA token.". Or "Won the Sunday million from a freeroll. Should I leave all the money on Stars for the foreseeable future, or what?". Or people using Neteller and Skrill to hold their savings, instead of somewhere sensible.

The recommendation is to transfer coins to one of your own (numerous) offline / secure "paper wallet", or a secure hardware wallet such as Ledger Nano S. But even just transferring to any wallet which is entirely under your control is a far better idea than leaving your money in the hands of a third party. In this case, he had his phone ported and was hacked that way - but there's many many ways a third party can "be hacked", most of which result in users being out money when there was no need.

Phone companies handing over accounts to social engineering is a serious problem, of course.

I'm quite a noob at crypto, so the above may be wrong...

Last edited by _dave_; 06-01-2017 at 04:24 PM.
06-01-2017 , 04:27 PM
Quote:
Originally Posted by Gullanian
Just launched payments on our site today, holy **** that was an intense and huge amount of work. Would love to write about the design one day - geo pricing, geo billing cycles, auto updating forex rates, vat handling, discounts, multi seat handling, tying in with licensing system etc etc. Probably one of the most complicated things I've ever written but satisfying seeing the payments come in!
Would be very interesting, prob make for a good HN post
06-01-2017 , 05:05 PM
Quote:
Originally Posted by suzzer99
So just use authy for everything? Or just don't own bitcoin. At least stuff like paypal and bofa have actual fraud departments - and do refund your money although it's a PITA.
More or less. SMS is vulnerable to both social engineering and technical attacks in ways that belie it being a second factor.

You can find some good discussion of this in the reaction to the NIST recommending against using SMS for 2FA last year (in draft guidelines).
06-01-2017 , 06:06 PM
So far my biggest undergrad pet peeve ever is when instructors want large projects to be able to be compiled and run in whatever native environment they are grading it on.

I have a large OS project that needs to be able to run in Ubuntu with JDK 7, because that's what the TA has. No other reason. So I have to install virtualbox and run ubuntu just to compile this stupid thing. I am techno ******ed so this isn't as easy as it probably should be.
06-01-2017 , 06:19 PM
Ask the TA for a snapshot of his laptop so you can virtualize it easier, he should be able to make one without any personal stuff on it fairly easily and your job gets much easier.
06-01-2017 , 06:26 PM
That's a really good idea, but that may have already been provided, I'm not sure.

We'll find out soon if I can get it to work. I don't think I can even run the test cases on this until I get it set up.
06-01-2017 , 07:07 PM
I have been using Docker for this kind of thing, because it's very fast and easy. Once you make a Dockerfile, which will just be a few lines of text, you can create (and recreate) the virtual environment at will. You can give it to your classmates and they can make their own very quickly, etc. Will work for Windows / OS X / Linux.

Speaking as someone who's been in your TAs position, what is he supposed to do when your code doesn't compile or work and your response is "well, works for me?" Requiring a specific environment seems like a fair compromise.
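An added example of the "few lines of text" the post above refers to (written for this page, not a file anyone in the thread posted): a Dockerfile that pins the grading environment to Ubuntu with OpenJDK 7 and builds the jar inside it, so "works for me" and "works for the TA" mean the same machine. It assumes the `ubuntu:14.04` base image is still pullable (the last Ubuntu release with openjdk-7 in its main repository, now end-of-life), that the sources sit in `./src`, and that the entry point is a class called `Main`; the directory and class names are hypothetical.

```dockerfile
# Added example for this page, not from the thread.
# Assumes: ubuntu:14.04 is still pullable; sources in ./src; entry point class "Main" (both hypothetical).
FROM ubuntu:14.04

RUN apt-get update \
 && apt-get install -y --no-install-recommends openjdk-7-jdk \
 && rm -rf /var/lib/apt/lists/*

# Build and run as an unprivileged user; student code has no reason to be root in the container.
RUN useradd --create-home student
WORKDIR /home/student/project
COPY src/ ./src/
RUN chown -R student:student /home/student/project
USER student

# Compile with the same JDK the grader uses and package the jar with its Main-Class set.
RUN mkdir -p out \
 && javac -source 1.7 -target 1.7 -d out $(find src -name '*.java') \
 && jar cfe project.jar Main -C out .

CMD ["java", "-jar", "project.jar"]
```

`docker build -t os-project .` produces the image and `docker run --rm os-project` runs the jar; the same Dockerfile builds identically on a Windows, macOS or Linux host, which is what makes it a fair answer to the "requires a specific environment" complaint. Pinning the base image by digest rather than tag is the extra step if the class needs the build to be reproducible months later.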
06-01-2017 , 07:08 PM
Also, this Docker image by itself might do, since it's JDK7 inherited from Ubuntu.
https://github.com/dockerfile/java/t...r/oracle-java7

I guess if you're not already using docker this is just more rabbit holes.
06-01-2017 , 07:24 PM
OK, ignore that link, that is no longer on Docker Hub. But there are other ones.
06-01-2017 , 07:46 PM
I use Virgin Mobile, and to get into my account, I need to answer my name, home address, security question, and give them a 6 digit pin.

If I want to update any of that, I have to login to my phone or website, enter the password, and manually reset everything.

About the only hole they have is, they can resend the 6-digit PIN to the phone, but good luck with the security questions. They aren't able to over-ride the system and get in.

Just wanted to point out that a silly prepaid phone that cost me $35 / month has better security than a phone company charging 4x as much. Not claiming that is bullet-proof, of course.

For more real-world example, if you lose your id, birth certificate, and social security card, it isn't that difficult to get your identification back. That's sort of the problem with security: there is no way to make it entirely waterproof, lest you lock out the legitimate players, which thankfully outnumber the bad actors.
06-01-2017 , 07:46 PM
Quote:
Originally Posted by RustyBrooks
I have been using Docker for this kind of thing, because it's very fast and easy. Once you make a Dockerfile, which will just be a few lines of text, you can create (and recreate) the virtual environment at will. You can give it to your classmates and they can make their own very quickly, etc. Will work for Windows / OS X / Linux.

Speaking as someone who's been in your TAs position, what is he supposed to do when your code doesn't compile or work and your response is "well, works for me?" Requiring a specific environment seems like a fair compromise.
Yea, that's fair. I just think grading should be done on the most commonly used system. For all of our classes, this is Windows. It seems like all the TAs run Linux though.

Or, they could just take the source code as the submission and compile it on whatever they're running. What we're turning in is a .jar file, not code.
06-01-2017 , 07:47 PM
VirtualBox isn't about to win awards for speed but the times I have needed it I can get it to work fine.
06-01-2017 , 08:04 PM
There is a lot of help out there for it, I set one up a few weeks ago to test our install of R, RStudio and R Shiny and the only real problem I had was figuring out how to configure it so I could hit the servers from a browser on the same machine. Parallels was light years ahead in usability last time I used it but I'm going to try and not spend so much of my own money on this job and see how that works out.