
Thread: xkcd

  1. - Top - End - #781
    Titan in the Playground
     
    Grey_Wolf_c's Avatar

    Join Date
    Aug 2007

    Default Re: xkcd

    Quote Originally Posted by Tetrimino View Post
    So the alt text of https://xkcd.com/903/ says "Wikipedia trivia: if you take any article, click on the first link in the article text not in parentheses or italics, and then repeat, you will eventually end up at "Philosophy""

    To be honest my first thought was "there's no way that works" but I got it in 19 clicks on the first try.
    It doesn't always work (the alternatives are broken links, or ending up in loops between two pages referencing each other), but there is a Wikipedia meta-article about it.

    Grey Wolf
    Interested in MitD? Join us in MitD's thread.
    There is a world of imagination
    Deep in the corners of your mind
    Where reality is an intruder
    And myth and legend thrive
    Quote Originally Posted by The Giant View Post
    But really, the important lesson here is this: Rather than making assumptions that don't fit with the text and then complaining about the text being wrong, why not just choose different assumptions that DO fit with the text?
    Ceterum autem censeo Hilgya malefica est

  2. - Top - End - #782
    Firbolg in the Playground
     
    Rockphed's Avatar

    Join Date
    Nov 2006
    Location
    Watching the world go by
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Tetrimino View Post
    So the alt text of https://xkcd.com/903/ says "Wikipedia trivia: if you take any article, click on the first link in the article text not in parentheses or italics, and then repeat, you will eventually end up at "Philosophy""

    To be honest my first thought was "there's no way that works" but I got it in 19 clicks on the first try.
    Articles that follow the wiki MOS pretty much always do it. I think the United States of America page is one of the exceptions.
    Quote Originally Posted by Wardog View Post
    Rockphed said it well.
    Quote Originally Posted by Sam Starfall
    When your pants are full of crickets, you don't need mnemonics.
    Dragontar by Serpentine.

    Now offering unsolicited advice.

  3. - Top - End - #783
    Barbarian in the Playground
     
    Personification's Avatar

    Join Date
    Oct 2017
    Location
    CLASSIFIED
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Tetrimino View Post
    So the alt text of https://xkcd.com/903/ says "Wikipedia trivia: if you take any article, click on the first link in the article text not in parentheses or italics, and then repeat, you will eventually end up at "Philosophy""

    To be honest my first thought was "there's no way that works" but I got it in 19 clicks on the first try.
    The real answer is that there are many loops (so it doesn't always work), but one of the most common is the one that contains philosophy.
    Stop using good evidence and logic that makes sense to refute points, that's my job
    Lots of people seem to use blue for sarcasm, I decided I should too
    Quote Originally Posted by nabcif View Post
    Nitpick: I believe you'll find that only our heads explode. Page 43 of Book of Pedantic Forumites, if memory serves.
    I have joined the ranks of the FFRPeople Here is my character.

    Thank you to Linkele for creating my avatar!

  4. - Top - End - #784
    Ogre in the Playground
    Join Date
    May 2009

    Default Re: xkcd

    Quote Originally Posted by Grey_Wolf_c View Post
    It doesn't always work (the alternatives are broken links, or ending up in loops between two pages referencing each other), but there is a Wikipedia meta-article about it.

    Grey Wolf
    Ironically (?) that article does not lead to philosophy. It went through mathematics and Ancient Greek so I thought it was a slam dunk until it wasn't.
    Last edited by Kornaki; 2020-11-18 at 08:27 PM.

  5. - Top - End - #785
    Titan in the Playground
     
    Yuki Akuma's Avatar

    Join Date
    Dec 2004
    Location
    The Land of Angles

    Default Re: xkcd

    Quote Originally Posted by Kornaki View Post
    Ironically (?) that article does not lead to philosophy. It went through mathematics and Ancient Greek so I thought it was a slam dunk until it wasn't.
    Huh?

    Getting to Philosophy
    Point and click
    User (computing)
    Computer
    Sequence
    Mathematics
    Quantity
    Counting
    Number
    Mathematical object
    Concept
    Abstraction
    Rule of inference
    Logical form
    Philosophy.

    Did you click on "Greek" in the Mathematics article? You're not supposed to click on things in parentheses.
    Last edited by Yuki Akuma; 2020-11-19 at 12:03 AM.
    There's no wrong way to play. - S. John Ross

    Quote Originally Posted by archaeo View Post
    Man, this is just one of those things you see and realize, "I live in a weird and banal future."

  6. - Top - End - #786
    Dwarf in the Playground
    Join Date
    Nov 2020

    Default Re: xkcd

    Quote Originally Posted by Rockphed View Post
    Articles that follow the wiki MOS pretty much always do it. I think the United States of America page is one of the exceptions.
    That seems intuitive - we're not on the metric system either, why should our wiki page follow the general rule? - but at the moment, unless I've missed something:

    United States of America redirects to United States
    Country
    State (polity)
    Polity
    Collective Identity
    Belongingness
    Emotion
    Biology
    Natural Science
    Branches of Science
    Sciences
    Scientific Method
    Empirical Evidence
    Information
    Uncertainty
    Epistemology
    Philosophy

  7. - Top - End - #787
    Firbolg in the Playground
     
    Rockphed's Avatar

    Join Date
    Nov 2006
    Location
    Watching the world go by
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Ajustusdaniel View Post
    That seems intuitive - we're not on the metric system either, why should our wiki page follow the general rule? - but at the moment, unless I've missed something:

    United States of America redirects to United States
    Country
    State (polity)
    Polity
    Collective Identity
    Belongingness
    Emotion
    Biology
    Natural Science
    Branches of Science
    Sciences
    Scientific Method
    Empirical Evidence
    Information
    Uncertainty
    Epistemology
    Philosophy
    It was some page that was close to the USA page. It was a 3 page loop, though I think there was at least 1 redirect. And somebody might have fixed things since.
    Quote Originally Posted by Wardog View Post
    Rockphed said it well.
    Quote Originally Posted by Sam Starfall
    When your pants are full of crickets, you don't need mnemonics.
    Dragontar by Serpentine.

    Now offering unsolicited advice.

  8. - Top - End - #788
    Ettin in the Playground
     
    Lord Torath's Avatar

    Join Date
    Aug 2011
    Location
    Sharangar's Revenge
    Gender
    Male

    Default Re: xkcd

    On today's strip, the mouse-over text had me laughing out loud. Trolling the phishers.
    Warhammer 40,000 Campaign Skirmish Game: Warpstrike
    My Spelljammer stuff (including an orbit tracker), 2E AD&D spreadsheet, and Vault of the Drow maps are available in my Dropbox. Feel free to use or not use it as you see fit!
    Thri-Kreen Ranger/Psionicist by me, based off of Rich's A Monster for Every Season

  9. - Top - End - #789
    Ogre in the Playground
    Join Date
    May 2009

    Default Re: xkcd

    Quote Originally Posted by Yuki Akuma View Post
    Did you click on "Greek" in the Mathematics article? You're not supposed to click on things in parentheses.
    That is exactly what I did. Thanks!

  10. - Top - End - #790
    Firbolg in the Playground
     
    Rockphed's Avatar

    Join Date
    Nov 2006
    Location
    Watching the world go by
    Gender
    Male

    Default Re: xkcd

    So getting public records of mortgages and such is probably feasible, but (at least in the US) there are laws that prevent people from getting them collated into a nice pile without good reason. So somebody could feasibly get a pile of voting records from my home town to figure out what street I grew up on and they might be able to get marriage records from where my parents got married to get my mother's maiden name, but getting my street combined with my mother's maiden name is pretty much impossible without me giving them to someone (or searching my mother's Facebook for who her parents/siblings are, but that is just crazy talk).
    Quote Originally Posted by Wardog View Post
    Rockphed said it well.
    Quote Originally Posted by Sam Starfall
    When your pants are full of crickets, you don't need mnemonics.
    Dragontar by Serpentine.

    Now offering unsolicited advice.

  11. - Top - End - #791
    Titan in the Playground
     
    AssassinGuy

    Join Date
    Dec 2013
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Rockphed View Post
    So getting public records of mortgages and such is probably feasible, but (at least in the US) there are laws that prevent people from getting them collated into a nice pile without good reason. So somebody could feasibly get a pile of voting records from my home town to figure out what street I grew up on and they might be able to get marriage records from where my parents got married to get my mother's maiden name, but getting my street combined with my mother's maiden name is pretty much impossible without me giving them to someone (or searching my mother's Facebook for who her parents/siblings are, but that is just crazy talk).
    One would assume that people interested in committing identity theft are not terribly concerned with the legality of their actions.
    “Evil is evil. Lesser, greater, middling, it's all the same. Proportions are negotiated, boundaries blurred. I'm not a pious hermit, I haven't done only good in my life. But if I'm to choose between one evil and another, then I prefer not to choose at all.”

  12. - Top - End - #792
    Firbolg in the Playground
     
    Rockphed's Avatar

    Join Date
    Nov 2006
    Location
    Watching the world go by
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Keltest View Post
    One would assume that people interested in committing identity theft are not terribly concerned with the legality of their actions.
    The laws are supposed to stop the people who have the records from giving them out to people without a legitimate reason to have them, not just stop people without good reason to have them from getting them. As such they include severe punishments for credit reporting agencies who do not properly safeguard records.
    Quote Originally Posted by Wardog View Post
    Rockphed said it well.
    Quote Originally Posted by Sam Starfall
    When your pants are full of crickets, you don't need mnemonics.
    Dragontar by Serpentine.

    Now offering unsolicited advice.

  13. - Top - End - #793
    Ogre in the Playground
     
    PhantomFox's Avatar

    Join Date
    Jan 2006
    Location
    Maryland
    Gender
    Male

    Default Re: xkcd

    I know when I bought my house I started getting piles of ads for mortgage insurance that tried to look as urgent as possible, but were probably rip-offs or scams. So that info is actively being used by SOMEONE.
    Avatar by Glasswhistle

  14. - Top - End - #794
    Troll in the Playground
    Join Date
    Jan 2007

    Default Re: xkcd

    Quote Originally Posted by PhantomFox View Post
    I know when I bought my house I started getting piles of ads for mortgage insurance that tried to look as urgent as possible, but were probably rip-offs or scams. So that info is actively being used by SOMEONE.
    If you got them in the snail mail then it is probable, but people doing the legwork and throwing those ads in the mailboxes simply might see that someone new moved in to a house that was for sale, so they naturally assumed that a mortgage was involved.

    If you get those ads on the internet, there is an even simpler answer: profiling. Any search on Google, any website you look at, is providing data on your activity. It does not have to have your name on it or be viewable by anyone personally. There are algorithms right now that can easily infer a lot about you and profile the ads you see based on your history. You might have searched for various mortgage options, house offers, transport services or furniture. All those little pieces of data tell that you are very likely to have or are about to take a mortgage, so algorithms target you with on-topic ads.

    There are pretty crazy stories about this. One that I remember was about Target, as thanks to all the data analysis they do on the customers they are able to tell, for example, who is pregnant and pretty accurately predict when the baby is due.
    In a war it doesn't matter who's right, only who's left.

  15. - Top - End - #795
    Ogre in the Playground
     
    HalflingRogueGuy

    Join Date
    Aug 2014
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Rockphed View Post
    The laws are supposed to stop the people who have the records from giving them out to people without a legitimate reason to have them, not just stop people without good reason to have them from getting them. As such they include severe punishments for credit reporting agencies who do not properly safeguard records.
    But they're public records. That means they're free to access and anyone can just copy them. How are you supposed to safeguard for that?
    Yes, I am slightly egomaniac. Why didn't you ask?

    Free haiku !
    Alas, poor Cookie
    The world needs more platypi
    I wish you could be


    Quote Originally Posted by Fyraltari
    Also this isn’t D&D, flaming the troll doesn’t help either.

  16. - Top - End - #796
    Firbolg in the Playground
     
    Rockphed's Avatar

    Join Date
    Nov 2006
    Location
    Watching the world go by
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Cazero View Post
    But they're public records. That means they're free to access and anyone can just copy them. How are you supposed to safeguard for that?
    Some of them are public (I think who owns land falls into this category). Some of them are only released many years after they are made (like the census). Some of them can be accessed by anyone with a valid use (so lenders can send people pre-approved offers by looking at people's profiles as happened to PhantomFox). Enforcing that last one is the purview of the FTC in the US. Other nations have different laws and agencies to do that.
    Quote Originally Posted by Wardog View Post
    Rockphed said it well.
    Quote Originally Posted by Sam Starfall
    When your pants are full of crickets, you don't need mnemonics.
    Dragontar by Serpentine.

    Now offering unsolicited advice.

  17. - Top - End - #797
    Titan in the Playground
     
    Max_Killjoy's Avatar

    Join Date
    May 2016
    Location
    The Lakes

    Default Re: xkcd

    Quote Originally Posted by Radar View Post
    If you got them in the snail mail then it is probable, but people doing the legwork and throwing those ads in the mailboxes simply might see that someone new moved in to a house that was for sale, so they naturally assumed that a mortgage was involved.

    If you get those ads on the internet, there is an even simpler answer: profiling. Any search on Google, any website you look at, is providing data on your activity. It does not have to have your name on it or be viewable by anyone personally. There are algorithms right now that can easily infer a lot about you and profile the ads you see based on your history. You might have searched for various mortgage options, house offers, transport services or furniture. All those little pieces of data tell that you are very likely to have or are about to take a mortgage, so algorithms target you with on-topic ads.

    There are pretty crazy stories about this. One that I remember was about Target, as thanks to all the data analysis they do on the customers they are able to tell, for example, who is pregnant and pretty accurately predict when the baby is due.
    Because I put my purchases at a certain grocery chain on my friend's rewards card so she gets the rewards, there have been multiple times when they've somehow concluded that we're married and soon to have a child.

    Those algorithms aren't as smart as they're made out to be.

    Especially the online stuff, if you block all the ways that they associate your activity cross-site.
    It is one thing to suspend your disbelief. It is another thing entirely to hang it by the neck until dead.

    Verisimilitude -- n, the appearance or semblance of truth, likelihood, or probability.

    The concern is not realism in speculative fiction, but rather the sense that a setting or story could be real, fostered by internal consistency and coherence.

    The Worldbuilding Forum -- where realities are born.

  18. - Top - End - #798
    Ogre in the Playground
    Join Date
    May 2009

    Default Re: xkcd

    Quote Originally Posted by Max_Killjoy View Post
    Because I put my purchases at a certain grocery chain on my friend's rewards card so she gets the rewards, there have been multiple times when they've somehow concluded that we're married and soon to have a child.

    Those algorithms aren't as smart as they're made out to be.

    Especially the online stuff, if you block all the ways that they associate your activity cross-site.
    That seems a bit unfair to the algorithms. They can only work with the data they get.

  19. - Top - End - #799
    Ettin in the Playground
     
    GnomeWizardGuy

    Join Date
    Nov 2013

    Default Re: xkcd

    I've never understood why mother's maiden name is considered a good security question. My mother does genealogy and can trace the family back into the 1600s. Why they think a scammer can't trace back one generation is beyond me.

    Almost anything you could ask would be more difficult, yet mother's maiden name is the most common.

  20. - Top - End - #800
    Titan in the Playground
     
    AssassinGuy

    Join Date
    Dec 2013
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Rodin View Post
    I've never understood why mother's maiden name is considered a good security question. My mother does genealogy and can trace the family back into the 1600s. Why they think a scammer can't trace back one generation is beyond me.

    Almost anything you could ask would be more difficult, yet mother's maiden name is the most common.
    "Childhood best friend", "Street I grew up on" and "Name of first pet" are also terrible ones. Basically anything that can be found on Facebook really.
    “Evil is evil. Lesser, greater, middling, it's all the same. Proportions are negotiated, boundaries blurred. I'm not a pious hermit, I haven't done only good in my life. But if I'm to choose between one evil and another, then I prefer not to choose at all.”

  21. - Top - End - #801
    Titan in the Playground
     
    Grey_Wolf_c's Avatar

    Join Date
    Aug 2007

    Default Re: xkcd

    Quote Originally Posted by Rodin View Post
    I've never understood why mother's maiden name is considered a good security question.
    For the same reason passwords were considered a good security question. "When used right" a random password not used anywhere else is probably a decent enough security system, for small scale applications and protecting data most people aren't going to spend too much effort getting at. Equally, requiring two pieces of personal trivia they are unlikely to forget as a secondary check for password recovery works equally well (i.e. not much). It just does not scale at all - expecting human beings to come up with several dozen random passwords and rotate them is unrealistic, and expecting every service to have sufficient random trivia questions that apply broadly is equally unrealistic, as it turns out.

    Grey Wolf
    Last edited by Grey_Wolf_c; 2020-11-23 at 08:44 AM.
    Interested in MitD? Join us in MitD's thread.
    There is a world of imagination
    Deep in the corners of your mind
    Where reality is an intruder
    And myth and legend thrive
    Quote Originally Posted by The Giant View Post
    But really, the important lesson here is this: Rather than making assumptions that don't fit with the text and then complaining about the text being wrong, why not just choose different assumptions that DO fit with the text?
    Ceterum autem censeo Hilgya malefica est

  22. - Top - End - #802
    Ettin in the Playground
     
    GnomeWizardGuy

    Join Date
    Nov 2013

    Default Re: xkcd

    Quote Originally Posted by Keltest View Post
    "Childhood best friend", "Street I grew up on" and "Name of first pet" are also terrible ones. Basically anything that can be found on Facebook really.
    "Name of first pet" works well for me because my first pet died before the Internet existed. Or at least, it died before the Internet was widely available to the public. So you have to guess what type of pet I had and then guess its name with zero information.

    I wonder how many times that security question gets broken based on regional pet names, or pet names based on breed. If you start guessing Border Collie names in Yorkshire, the odds of hitting the jackpot with "Shep" are about 1 in 1.

    The best solution I've seen is to not answer the question. You have a second easier to remember password that you use to answer security questions. You don't base this off any of the common questions, but something that is unique to you which would be impossible for a scammer to find out.

  23. - Top - End - #803
    Troll in the Playground
    Join Date
    Jan 2007

    Default Re: xkcd

    Quote Originally Posted by Grey_Wolf_c View Post
    For the same reason passwords were considered a good security question. "When used right" a random password not used anywhere else is probably a decent enough security system, for small scale applications and protecting data most people aren't going to spend too much effort getting at. Equally, requiring two pieces of personal trivia they are unlikely to forget as a secondary check for password recovery works equally well (i.e. not much). It just does not scale at all - expecting human beings to come up with several dozen random passwords and rotate them is unrealistic, and expecting every service to have sufficient random trivia questions that apply broadly is equally unrealistic, as it turns out.

    Grey Wolf
    So most of the internet security is equivalent to a cheap bike lock, where the general idea is that stealing the bike is not worth the effort of using a wire cutter. That makes sense actually and explains why people do use those cheap locks. Also relevant is this comic.
    In a war it doesn't matter who's right, only who's left.

  24. - Top - End - #804
    Titan in the Playground
     
    AssassinGuy

    Join Date
    Dec 2013
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Radar View Post
    So most of the internet security is equivalent to a cheap bike lock, where the general idea is that stealing the bike is not worth the effort of using a wire cutter. That makes sense actually and explains why people do use those cheap locks. Also relevant is this comic.
    There's a reason that, unlike in Hollywood, the vast majority of actual illicit access to things comes from social engineering. No door ever designed will be as hard to break through as a solid wall, because by its very nature as a door it is designed to grant access under specific conditions. Thus, hacking mostly ends up being tricking or convincing somebody to tell you those conditions and then matching them. The human element will always be the weakest element in any security system.
    “Evil is evil. Lesser, greater, middling, it's all the same. Proportions are negotiated, boundaries blurred. I'm not a pious hermit, I haven't done only good in my life. But if I'm to choose between one evil and another, then I prefer not to choose at all.”

  25. - Top - End - #805
    Bugbear in the Playground
     
    BlackDragon

    Join Date
    Nov 2006

    Default Re: xkcd

    Quote Originally Posted by Rodin View Post
    I've never understood why mother's maiden name is considered a good security question. My mother does genealogy and can trace the family back into the 1600s. Why they think a scammer can't trace back one generation is beyond me.

    Almost anything you could ask would be more difficult, yet mother's maiden name is the most common.
    I think the idea was that, back in the early days, when simple security questions were being designed, something that would stop 99% of all trouble at little to no cost was considered "sufficient".

    As for passwords, and password hint/recovery questions, the biggest problem is the lack of any education on what makes a good password. For years, dumb computer systems had 8 character passwords, just because. So people kinda learned by practice to use 6-8 letter "words". There has never been any sort of education on what to use instead.

    Worse, there is no common "this makes a password" in industry. Every site seems to roll their own password code, even though that's the worst security mistake you can make. Programs that require you to not use special characters, because they can be fooled by the equivalent of
    Code:
    " || "" == "
    in whatever language you are using (note what that does if you insert it into
    Code:
    "$dbpass" == "$userpass"
    in any scripting language that does string substitution). Programs that don't sanitize their input, in other words. Programs that can be fooled by Unicode because they don't use a transparent encoding like UTF-8, but have a 16- or 32-bit encoding that lets a user character contain a relevant character (such as a closing quote followed by more commands). Etc.

    Since we don't have any sort of standard for "what constitutes a password", and no education for "what makes a good password", or any sort of "How to manage hundreds and hundreds of passwords" (hint: a password manager is *not* the answer, unless you want to be tied to one browser, and what happens when that browser wipes storage and forces you to start over -- ahem, Chrome), each user has to try to reinvent the hexagon when they don't even have a really round wheel.

    As for security / recovery questions? There's a simple one:

    Let the user specify both the question and the answer.

    I can come up with something that gives me a hint to an answer, that will be indecipherable to anyone else. I can come up with dozens, if not hundreds, of such. I'm sure most people can do at least 10 such. Yet all of these sites want to ask something that even I don't know the answer to because my background is so different than typical people.

    Rotating a password? That's not necessarily bad. Give users a warning that they will have to change it soon. Nope -- As soon as you log in, before you can even get to the information you wanted to get you, ** NOW, RIGHT NOW, THIS INSTANT, QUICKLY CHANGE YOUR PASSWORD BEFORE WE LET YOU SEE WHAT YOU NEED.

    IN A HURRY? QUICK, STUFF ANYTHING IN, AND IT WILL AUTOMATICALLY BE SECURE BECAUSE WE ASSUME ALL PEOPLE ALWAYS KNOW A SECURE NEXT PASSWORD TO JUST USE AT ANY TIME, AND OF COURSE YOU HAVE TIME TO DO SOMETHING SECURE BEFORE GETTING THE INFORMATION THAT YOU REALLY NEED *NOW*.

    Seriously: If I go onto my bank to check something about my account, that's only supposed to be a minute or so. I don't have 10 minutes to make up something new, different, memorizable, and unique enough. So it either gets written down, or I rotate among a few common "high security" passwords that I reuse at high security sites.

    And that's been my solution. A few low-security passwords, a few mediums, a few highs.

    I mean, we all know that password loss is because of user problems, right? End systems will always be secure, always keep that password in a proper salted hash, never in plain text, and never expose the password file, right? Never take the password data over plain http even if the webpage is https. Etc. Any leak must be the user's fault, so if someone logs in with your password, it must be your own doing and the company is not responsible, right?

    Yea.

    ===

    Side note: After observing my mother, I'm convinced that the problem starts with all these sites that say "Enter your account and password". At first, she wanted to know why all these sites wanted her Chromebook information.

    None of them say something like "Enter your account for oursite.com". Just "Enter your account". Like somehow, users are supposed to know WHICH account, or even IF there is an account.

    It is *rare* for a site to start with "Enter your account name", then give you back something to prove that the site is who it claims to be -- such as a picture I sent to that site -- before asking for password. It isn't even usually possible (anymore) to enter a dummy bit of information on the first page, and real information on the next page.

    Heck, real security would mean ** you never give the true answer on the first time, unless you do, and probably not on the second time. Maybe on the third time**.

    Real security means ** assume that this is NOT really the site you want to talk to **. If you give the real information, and it's a fake site, you're in trouble. So give it junk, and if it seems to work, you know it's wrong. (Yes, MitM hacking has gotten better, so this is less likely to work -- if they can hijack your connection, they can probably talk to the real site at the same time).

    What's that? "SSL will ensure this cannot happen"? Dear sweet beginner, SSL only ensures that the communication is not being spied on in the middle -- it does not guarantee that the person on the far end really is who you think it is. That can be foiled by any trusted root, anywhere in the world, that issues a bad certificate. But that will never, ever happen, right? Certainly not by any Russia or China government root, right? And I haven't even looked at what DNS spoofing can do, or if you have a government mandated root DNS server that has different data.
    Not "fire at". I never used the word "at"
    GENERATION ω+1: The first time you see this, copy it into your sig and add 1 to the generation. Social experiment. Remember, ω + 1 comes after ω.
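
The string-substitution comparison described in post #805, as an added example that is not part of any post in the thread: a deliberately vulnerable check that pastes both values into source text, beside a check that stores a salted hash and treats the input only as data. The function names, the sample passwords, the PBKDF2 work factor and the Python spelling of the post's input (`or` in place of `||`) are assumptions made for illustration.

```python
"""Added illustration: password comparison built by string substitution
versus comparison that treats both values purely as data.
All passwords and parameters below are constructed sample values."""
import hashlib
import hmac
import os

# Python spelling of the thread's `" || "" == "` input (`or` instead of `||`).
PAYLOAD = '" or "" == "'
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def naive_check(dbpass: str, userpass: str) -> bool:
    """Deliberately vulnerable: substitutes both values into an expression
    of the form "$dbpass" == "$userpass" and then evaluates the text."""
    expression = f'"{dbpass}" == "{userpass}"'
    return bool(eval(expression, {"__builtins__": {}}, {}))


def naive_breaks_on(password: str) -> bool:
    """True when the naive check cannot even evaluate a legitimate password,
    which is why such programs end up banning special characters."""
    try:
        naive_check(password, password)
    except SyntaxError:
        return True
    return False


def make_record(password: str) -> tuple:
    """What the server stores: a random salt and a slow salted hash,
    never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def safe_check(record: tuple, userpass: str) -> bool:
    """Hash the candidate with the stored salt and compare the digests in
    constant time. The input is only ever bytes fed to a hash function."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", userpass.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(stored, candidate)


def demo() -> dict:
    """Run both checks against the same constructed inputs."""
    record = make_record("hunter2")
    quoted = make_record('pa"ss')  # a legitimate password containing a quote
    return {
        "naive_accepts_payload": naive_check("hunter2", PAYLOAD),
        "naive_accepts_wrong_guess": naive_check("hunter2", "guess"),
        "naive_breaks_on_quote": naive_breaks_on('pa"ss'),
        "safe_accepts_payload": safe_check(record, PAYLOAD),
        "safe_accepts_correct": safe_check(record, "hunter2"),
        "safe_accepts_quote_password": safe_check(quoted, 'pa"ss'),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
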

  26. - Top - End - #806
    Bugbear in the Playground
     
    MindFlayer

    Join Date
    Feb 2015

    Default Re: xkcd

    In particular, I think "mother's maiden name" was carried over from its use as a disambiguator. When you are still assuming honesty, you can distinguish the "John Smith" whose mother was a Jones from the "John Smith" whose mother was a McGillicuddy. These days, birth date seems to be a more popular disambiguator.
    Last edited by DavidSh; 2020-11-24 at 08:37 AM.

  27. - Top - End - #807
    Colossus in the Playground
     
    Eldan's Avatar

    Join Date
    Jan 2007
    Location
    Switzerland
    Gender
    Male

    Default Re: xkcd

    Quote Originally Posted by Rodin View Post
    "Name of first pet" works well for me because my first pet died before the Internet existed. Or at least, it died before the Internet was widely available to the public. So you have to guess what type of pet I had and then guess its name with zero information.

    I wonder how many times that security question gets broken based on regional pet names, or pet names based on breed. If you start guessing Border Collie names in Yorkshire, the odds of hitting the jackpot with "Shep" are about 1 in 1.

    The best solution I've seen is to not answer the question. You have a second easier to remember password that you use to answer security questions. You don't base this off any of the common questions, but something that is unique to you which would be impossible for a scammer to find out.
    Pet doesn't work for me. I was a spectacularly unimaginative four year old and had a guinea pig that had the same name as me.
    Resident Vancian Apologist

  28. - Top - End - #808
    Bugbear in the Playground
     
    MindFlayer

    Join Date
    Feb 2015

    Default Re: xkcd

    Quote Originally Posted by Eldan View Post
    Pet doesn't work for me. I was a spectacularly unimaginative four year old and had a guinea pig that had the same name as me.
    Ah, like in the old Monty Python sketch. "Eric the Guinea Pig", only using your name instead of Eric's.

  29. - Top - End - #809
    Bugbear in the Playground
    Join Date
    Nov 2013

    Default Re: xkcd

    Quote Originally Posted by keybounce View Post

    Since we don't have any sort of standard for "what constitutes a password", and no education for "what makes a good password", or any sort of "How to manage hundreds and hundreds of passwords" (hint: a password manager is *not* the answer, unless you want to be tied to one browser, and what happens when that browser wipes storage and forces you to start over -- ahem, Chrome), each user has to try to reinvent the hexagon when they don't even have a really round wheel.
    ? KeePass and others are separate from your browser and just keep multiple copies of the file to be safe.

  30. - Top - End - #810
    Bugbear in the Playground
     
    BlackDragon

    Join Date
    Nov 2006

    Default Re: xkcd

    Quote Originally Posted by Ibrinar View Post
    ? KeePass and others are separate from your browser and just keep multiple copies of the file to be safe.
    That's good to know.

    Now, let's say I've got both a main computer, and I use Firefox and Chrome. And then, I've got an iPhone, that only knows Safari. And I need to use a Chromebook at times.

    How do I manage to synchronize all of these, so that my unrememberable, non-written down, computer trusted passwords are usable on these other machines?

    The real solution is some sort of physical key ring, a USB-thingie that, just like physical house keys, unlocks accounts. Now figure out how to make that safe when used on someone else's untrusted computer.
    Not "fire at". I never used the word "at"
    GENERATION ω+1: The first time you see this, copy it into your sig and add 1 to the generation. Social experiment. Remember, ω + 1 comes after ω.
