Bradford Mint

Resident
  • Posts

    297
Posts posted by Bradford Mint

  1. 6 minutes ago, AyelaNewLife said:

    Indeed there isn't. I remember reading about a case where a German politician's fingerprints had been pulled off a photograph and used to fool a fingerprint scanner. In real life, not in a Mission Impossible movie.

    However, that is no reason to keep doors unlocked. A security system doesn't have to be flawless to be worthwhile, simply raising the effort bar needed will have a massive positive effect. If it only works half the time, you've just halved the number of breaches. Surely that's worth the effort?

    Further to this, a fingerprint is not a password; it is nothing more than a PIN replacement in that, just like other biometrics, it serves to unlock access to a credential which CAN be used to authenticate.

    Cloning a fingerprint has been demonstrated, as have other attacks on other biometrics, but you still need the device with the actual credential in order to continue.  It's not just a case of taking a picture of someone's fingerprint off the internet, etching a bit of metal and making a latex print and then immediately getting logged in on your local PC with a fingerprint reader to every system that person has which are actually in secure premises.

    As you rightly say, the purpose is to alter the current status which is that anyone with the knowledge of just username/password (of which one is public already), can use that information from anywhere in the world.
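    The point made in the post above, that the biometric only unlocks a credential that lives on the device, is easier to see in a challenge-response sketch. This is an added example, not code from the original post or from any real authenticator: the "fingerprints" are constructed byte strings, the server is a stand-in, and an HMAC over a device-held secret is used in place of the public-key signature that real authenticators produce, so the example runs on the Python standard library alone.

```python
"""Added example: a cloned fingerprint is not a login without the device.

The biometric is matched locally and only gates use of a secret that never
leaves the device; the server never sees the fingerprint at all. An HMAC
over a device-held secret stands in for the private-key signature a real
authenticator would produce (a simplification so this runs with stdlib).
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed biometric samples: what the sensor "sees" from a finger.
ALICE_FINGER = b"alice-ridge-pattern"
CLONED_FINGER = b"alice-ridge-pattern"   # a latex clone that matches the same template
OTHER_FINGER = b"bob-ridge-pattern"


class Device:
    """Holds the credential. The biometric only unlocks local use of it."""

    def __init__(self, enrolled_finger: bytes) -> None:
        # Template stored on the device at enrolment, never transmitted.
        self._template = hashlib.sha256(enrolled_finger).digest()
        # Device-bound credential secret, generated on-device.
        self._cred_key = secrets.token_bytes(32)

    def registration_secret(self) -> bytes:
        # Handed to the server once at enrolment (stand-in for a public key).
        return self._cred_key

    def respond(self, challenge: bytes, presented_finger: bytes) -> Optional[bytes]:
        """Answer a server challenge only if the presented finger matches."""
        presented = hashlib.sha256(presented_finger).digest()
        if not hmac.compare_digest(presented, self._template):
            return None                       # sensor rejects: credential stays locked
        return hmac.new(self._cred_key, challenge, hashlib.sha256).digest()


class Server:
    """Stores one credential secret per user and issues fresh challenges."""

    def __init__(self) -> None:
        self._creds = {}
        self._pending = {}

    def register(self, user: str, secret: bytes) -> None:
        self._creds[user] = secret

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(user, None)   # each challenge is single-use
        if nonce is None or response is None or user not in self._creds:
            return False
        expected = hmac.new(self._creds[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, device: Device, finger: bytes) -> bool:
    return server.verify(user, device.respond(server.challenge(user), finger))


def demo() -> dict:
    server = Server()
    alice_device = Device(ALICE_FINGER)
    server.register("alice", alice_device.registration_secret())
    # The attacker has a perfect clone of the finger but only their own device,
    # which the server has never enrolled for "alice".
    attacker_device = Device(CLONED_FINGER)

    results = {
        "owner_on_own_device": login(server, "alice", alice_device, ALICE_FINGER),
        "clone_on_owner_device": login(server, "alice", alice_device, CLONED_FINGER),
        "clone_on_attacker_device": login(server, "alice", attacker_device, CLONED_FINGER),
        "wrong_finger_on_owner_device": login(server, "alice", alice_device, OTHER_FINGER),
    }
    # A response captured off the wire is useless later: the challenge is fresh.
    nonce = server.challenge("alice")
    captured = alice_device.respond(nonce, ALICE_FINGER)
    server.verify("alice", captured)          # legitimate use consumes the challenge
    results["replayed_response"] = server.verify("alice", captured)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'logged in' if ok else 'rejected'}")
```

    The one case that succeeds with the clone is the one the post concedes: the attacker also has the owner's device. Without it the clone has nothing to unlock, and a captured response cannot be replayed because every challenge is single-use.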

  2. 17 minutes ago, Solar Legion said:

    I really wish there was a "groan" button right about now.... 

    Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

    Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

    I'm a bit yes and no on this one.  They don't need direct access to the machine, only the transmission media and given that the use case is an academic institution, that suggests shared access somewhere along the line. In reality, at the local LAN level, I would expect the switch ports to isolate client traffic so the only people who would be sniffing the aggregate data would be admins or someone who has access to set up port mirroring on the switch.  Similarly, any good configuration of a wireless AP in a public area would have AP Client Isolation enabled for the same purpose although wireless presents other opportunities.

    As for filtering?  That's trivial with a network sniffer, just set up a filtering rule to exclude/include traffic as appropriate, no sifting required.  You'd do that at the capture level so only cursory additional investigation is required later to inspect the actual captured traffic.

    Whether it's worth it?  I'm with you on that one, the OP is just trying to avert any embarrassment that might come up from peers and the simple solution as others have said is "don't use SL on a shared media" or use a VPN.  Sufficient solutions exist for this specific issue and while they may not be desirable, they are easier to implement than trying to get LL to implement a change instead.

    • Thanks 1
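    To show what "filter at the capture level" means in practice for unencrypted UDP chat, here is an added example that is not from the original post. It builds a handful of constructed IPv4 packets inline, parses the IP and UDP headers, and applies the equivalent of a capture rule such as `udp and host X and port Y` so that only the chat packets are kept and their plaintext payloads can be read. The addresses, the port number and the payload format are assumptions made for the demo, not Second Life's real ones, and this only works at all for someone positioned on the path (a mirrored switch port, an AP without client isolation), as the post says.

```python
"""Added example: a capture-level filter over constructed IPv4/UDP frames.

Everything here is constructed for the demo. The host, port and payload
text are assumptions, not Second Life's real protocol details.
"""
import socket
import struct
from typing import Dict, Iterable, Iterator, List, Optional

IPPROTO_UDP = 17
IPPROTO_TCP = 6

# Assumed values for the demo (documentation-range addresses, made-up port).
VIEWER = "192.0.2.5"
SIM_HOST = "198.51.100.10"
CHAT_PORT = 13000


def build_ipv4(src: str, dst: str, proto: int, transport: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) + transport bytes."""
    total_len = 20 + len(transport)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + transport


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return build_ipv4(src, dst, IPPROTO_UDP, udp)


def parse_ipv4_udp(pkt: bytes) -> Optional[Dict]:
    """Return src/dst/ports/payload for an IPv4 UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": pkt[ihl + 8:ihl + ulen],
    }


def capture_filter(packets: Iterable[bytes], host: str, port: int) -> Iterator[Dict]:
    """Equivalent of the capture rule 'udp and host <host> and port <port>'."""
    for pkt in packets:
        p = parse_ipv4_udp(pkt)
        if p is None:
            continue                                  # drops TCP and non-IPv4 frames
        if host in (p["src"], p["dst"]) and port in (p["sport"], p["dport"]):
            yield p


def constructed_traffic() -> List[bytes]:
    """A small mix of frames as seen on a mirrored port (all constructed)."""
    return [
        build_udp(VIEWER, SIM_HOST, 40000, CHAT_PORT, b"ChatFromViewer: hello sim"),
        build_udp(VIEWER, "192.0.2.1", 53001, 53, b"dns query"),
        build_ipv4(VIEWER, "203.0.113.7", IPPROTO_TCP, b"\x00" * 20),   # unrelated TCP
        build_udp(SIM_HOST, VIEWER, CHAT_PORT, 40000, b"ChatFromSimulator: hi back"),
        build_udp(VIEWER, "192.0.2.9", 40001, 5000, b"other udp app"),
    ]


def chat_payloads() -> List[bytes]:
    """Run the filter over the constructed mix and return the plaintext chat."""
    return [p["payload"] for p in capture_filter(constructed_traffic(), SIM_HOST, CHAT_PORT)]


if __name__ == "__main__":
    for payload in chat_payloads():
        print(payload.decode())
```

    Because the filter is applied as frames arrive, the "sifting" the other poster worries about never happens: the DNS, TCP and other UDP frames are discarded before anything is written to disk, and what remains is readable without further work. A VPN changes this by wrapping those packets so that the on-path observer only sees the tunnel endpoint, which is why it is the simple fix.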
  3. 4 hours ago, Callum Meriman said:

    Most nation states are capable of it in one form or another.

    I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

    Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

    I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

    Yes, although it also depends on what is to be exfiltrated and how.  For example, extracting only crypto key material or credentials or even keystrokes and sending them via LiFi, for example, would be far more covert than trying to send to China via IP.

    Supply chain intercept is a real concern, especially where the root of trust has to be implemented in a country that is not trusted and ironically that tends to include the USA too as far as most of Europe goes.

    • Like 1
  4. 2 hours ago, Callum Meriman said:

    It's my understanding that chat is still unencrypted UDP and able to be seen by everyone who can tap into a router between you and the Lab. This includes at a minimum: the Chinese, the Russians, Mossad, and all of the Five Eyes countries.

    Yeah but the Chinese don't bother to tap in. It's easier for them to just add covert sniffing hardware to the motherboards at the factory. ;)


    • Haha 2
  5. 25 minutes ago, Ethan Paslong said:

    because some don't see the need for it. It makes entering SL more complicated, while the current system has proved to be OK. An easier solution would be that the ones that want more protection just change their password more often.
    As soon as Mr Mint then responds that those are flat earth supporters, it is just proof he doesn't respect other opinions and only his is valid.
    It has to, it must, .... no to all of those.

    My suggestion: LL makes trader/merchant accounts; the ones that want can subscribe to that for, let's say... 25 USD a month for more protection and security.

    OK, so let me break this down for you:

    Changing passwords regularly is against the best practice advised. Yes you read that correctly!

    Changing a password AFTER the account has had thousands of $ drained, tell me how that works?  How has that worked for the victims of other such attacks?

    As for charging more for merchants, yes that may be a valid argument but how about if I get a $25 per month discount because I don't want fleximesh armatures or experiences? That's surely just as fair?

    Just because some don't see the need for it, let's look at that one again...

    If you own a house, do you have house insurance? Why?  Has it ever fallen down or been burgled?

    Have you ever been on a holiday and taken out holiday insurance?  Why?

    My main question here, do you have thousands of $ or other valuable assets in or passing through SL or are you in fact not really a stakeholder in any possible loss situation?

  6. Ah, adopting "because it hasn't happened" is always the best strategy; you're using the clover leaf methodology again.

    Yeah, my car didn't get stolen when I accidentally left it unlocked in an airport car park, therefore that demonstrates that there's no need to lock a car because it doesn't get stolen.  Trying to have a sensible discussion here about account security on a platform that deals in large value assets is like trying to convince flat earthers that the world isn't flat.

    I'm also pretty sure that most organisations that hadn't previously been breached had quite a wake up call when it finally happened.  Do you have any idea just how long this distinguished list of high profile breaches is?

    The attitudes here are just confusing, it's almost as bad as the flat earth debates.

    • Like 2
    • Haha 1
  7. 2 minutes ago, Fionalein said:

    There is just one problem with that argument: it is invertible. If 2FA is entirely optional it is no use; if it is enforced, who tells us others would not stop investing? Don't underestimate the casual users who just pay small amounts; they are still the bulk of paying users. Hassle them enough and they might get more reluctant.

    2FA should be optional from the platforms perspective if the risk is to the customer.  The risk is to the customer and therefore should be available to those who would wish to reduce their risk.  Because the risk is not owned by LL, there's no interest.

    To repeat: For those who pass thousands of $ through SL, additional account security should be an option.  (It should be an option for those who don't pass large sums too but just because the majority don't, doesn't negate the desire by those who do!)

    • Like 2
    • Haha 1
  8. 2 hours ago, Ethan Paslong said:

    proof of your statements please.....

    A valid question and about as valid as asking "proof that more people would use SL if there was more <insert favourite topic of choice>" but actually irrelevant to those who do have thousands of $ passing through SL where the account security is weak and would prefer something that provided stronger protection of their assets.

    • Haha 1
  9. 1 hour ago, DarkRavenWolfie said:

    if you use common sense and a basic antivirus/firewall, your billing info IS safe


    bonus points if you get sms confirmation of your bank transactions

    And just say that LL suffered a breach and the user database was compromised? How does your common sense and clover leaf help you there?

    Let me give you some recent examples:-

    British Airways

    Experian

    Facebook

    You'd think they would be up to scratch with their security maybe? The list of data breaches is easy to find, and security is best performed by implementing a layered approach instead of treating it like blind faith.

  10. Selene, I don't argue with your perspective at all and I agree that some of the SL stores, like their RL equivalents, are a work of art.  However, that doesn't mean I can find what I want any faster, and I have been known to go into the hardware store, see the queue and then pull out my phone, go to their online site, choose "Click and Collect" and jump the queue, because that's how their sales system works and I'm only interested in the transaction, not the pretty shelf layout.

    The customer is always right (except when they're wrong) ;)

  11. 1 minute ago, Selene Gregoire said:

    I wish more people cared enough to make the majority of their purchases in world.

    Sometimes the issue is that the customer experience is lost though because the vendor creates what they feel is experience enhancing but in reality, it's a pain in the proverbial.  Requiring visitors to trawl through a store because the owner thinks it looks cool when in reality it just frustrates, leaving the customer performing camera gymnastics just to buy something.  In frustration, some just give up and leave.

    If you want to create something pretty, a store isn't necessarily the place for it.

    • Like 1
  12. 5 hours ago, Drake1 Nightfire said:

    If LL were to suddenly say "HEY GUYS!!! Here is a free vendor system that works just like Caspervend!"

    1. Caspervend could possibly sue them for breach of contract. There is a reason LL doesn't make and sell clothing, houses, furniture, skins, avatars, and the like. They would be in direct competition with their customer base. 
    ??

    Breach of *what* contract? Where is the contract that LL have that says they won't make anything?  They have already been in competition with their customer base before in one form or another.

    An LL vendor system was on the cards for Direct Delivery phase 2 but it didn't happen and yes, they wanted to take a percentage cut of each sale, not exactly unfair but not a compelling reason to move other than for those who had no existing vendor system. Only then might it have made sense to offer a vendor system that hooked directly into inventory based delivery.
