Long Bet 382 has concluded: "Large Hadron Collider will destroy Earth."

Detailed Terms:

Prediction is correct if Earth is, as a result of operation of the collider, annihilated, reduced to much smaller volume than previously, vaporized, broken into large pieces, converted into photons, neutrinos, or other radiation, converted into exotic matter, or just unable to support life. For the purpose of the bet, Earth should be considered "destroyed" if, at the end of the term of this bet in 2018, zero human beings reside on the surface of the planet. Damage caused by attack of hostile beings is included if it is a causal result of operation of the collider. Teleporting Earth to another location or alternate universe where it is still able to support life is specifically excluded. Bet is won if whatever scientific community remains at this time, whether human, machine, or extraterrestrial, acknowledges that the "destruction" of Earth most likely resulted from the Large Hadron Collider or a product thereof (e.g. strangelet, micro black hole, etc).

Previously, previously, previously, previously, previously, previously.


Two-factor auth and SMS hijacking

tl;dr: You ought to be using 2-factor, and you ought to be using the one-time password generator built into 1password instead of using SMS.

The "SIM porting" attack (also called SIM swapping) has been getting more common, and more press, recently. Basically, it's easy for a crook to call up your phone company and get them to move your phone number to their phone. The telco is supposed to verify that it's you requesting this, but they are stupid and easily fooled.

Once the attacker is receiving your text messages, most services, even those that use 2-factor auth, will allow them to do a password reset and take over your account. My understanding is that they generally needn't have also compromised your email account first.

The fix to this is to not use SMS for your 2-factor. A better way is to use a one-time password generator. There are physical-dongle versions of these, and software versions. The way they work is: set-up involves the two sides sharing a secret by scanning a QR code, and then the login codes are derived from that secret plus the current time, without the two ever needing to communicate again. Basically it's a clock-based PRNG with a shared seed: every 30 seconds the app computes an HMAC of the current time-step number, keyed with the shared secret, and shows you six digits of the result (this is TOTP, RFC 6238). Nothing about the code ever travels over the phone network, so hijacking your number gets the attacker nothing.

Many people recommend Google Authenticator and I gave that a try, despite a deep paranoia about any software that has "Google" in its name -- which is not helped out by the fact that Authenticator was once open source, but then Google took it proprietary, which is not at all a shady and concerning move, no sir.

The problem with using that app is that if you want to use more than one device to generate your one-time codes -- say you sometimes have your phone with you and sometimes have your tablet with you but not both -- then you'd have to set them both up at the same time, by scanning the same QR code on each. You can't add a device later: re-enrolling hands out a new secret, so every previously configured device stops producing valid codes.

But it turns out that the excellent 1password includes a compatible one-time password generator that does the same thing! Instructions here. The huge benefit of this over Google Authenticator is that you can access the code generator from any device to which you are syncing your 1password vault, including your desktop.

This works with Facebook, Dropbox, Twitter, Kickstarter and Etsy.

Instagram (owned by Facebook) say they're really thinking about supporting non-SMS 2FA, really thinking about it really hard. But they still provide 2FA only via SMS.

Patreon and eBay also only support 2FA over SMS. (Oddly, it looks like Patreon used to support OTP but stopped??)

And Twitter, of course, goes out of their way to fuck up this security feature, as is their core incompetency.

  • You can't enable 2FA at all without giving them a mobile number. You have to enable 2FA with SMS, and then you can switch to OTP.

  • After you've configured the OTP, you also have to go into the SMS setting and say "no really, don't use SMS for 2FA". Because if you don't do that, the login page will still offer "Choose a different verification method", which lets your friendly neighborhood hacker fall back to your phone number anyway.

  • Just remove your phone number? Oh ho ho ho, no. Doing so turns off 2FA entirely.

Kickstarter seems to have the same bug: you can turn on OTP but you can't ever turn off SMS.

Amazon is even weirder: they let you register an OTP app, but I can't find a way to make them actually use it. They always use SMS.

In short, everything is terrible and it's a wonder that you can still log into any of your accounts at all.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.


EPA staff worried about toxic chemical exposure -- for Pruitt

Then-EPA Administrator Scott Pruitt's staff sought to protect him from exposure to toxic formaldehyde from an office desk last year, emails show -- just months before his top political aides blocked the release of a report on health dangers from the same chemical.

In the spring of 2017, as Pruitt was finishing the more than $9,500 redecoration of his office, a top career official in the administrator's office noticed a California warning that one of the ornate desks their boss wanted contained formaldehyde, which the state classifies as a carcinogen. [...] After seeing the warning, acting deputy chief of staff Reginald Allen reached out to Wendy Cleland-Hamnett, the career official then serving as acting head of EPA's toxic chemicals office [...]

"Sorry to bother you with this but we need some help. The desk the Administrator wants for his office from Amazon has a California Proposition 65 warning. What I am asking is can someone in your area tell us whether it is OK to get this desk for the Administrator related to the warning?" [...]

The email exchange about the desk last spring took place just months before top aides to Pruitt took steps to block a health assessment produced by another division within the agency that found the levels of formaldehyde that many Americans breathe in daily are linked with leukemia, nose-and-throat cancer and other ailments. The chemicals industry has fought the assessment, which could prompt federal and state regulators to issue new restrictions on the chemical, and could lead to class-action lawsuits. [...]

"You can add 'EPA chemical safety science' to the list of taxpayer funded benefits that Scott Pruitt kept for himself. The irony would be comical if this wasn't so dangerous. Months before Scott Pruitt blocked the EPA's report on the dangers of formaldehyde to public health, he got the benefit of EPA's safety experts looking out for his own health," Evers said in a statement.

Previously, previously, previously, previously, previously.

