The Perils of 2FA

Yesterday I was sitting at a cafe near my house with my daughter. I had just finished a video call with my boss —a weekly touchpoint since my boss sits in Amsterdam and I sit in Singapore— when a guy approached me and asked if he could use my iPad.

It took a minute to understand what he wanted and why. It seems that his phone screen had died: he could receive a call, using his headset to answer it, but he could not make a call or browse his phone in any way. He wanted to log into Gmail to get a contact number and use my phone to call them.

Ok, no problem, I’m happy to help a guy out. So I opened up Firefox in incognito mode and loaded Gmail. After the username and password were entered, a two-factor authentication (2FA) page opened. Google wanted the guy to enter a code that could be found on a device already logged in… that would be his phone, the one he could not access.

Google gives options to allow you to try other ways of verifying yourself: receive a code by email (not helpful if you are trying to log in to that email), receive a code by text (since his phone screen didn’t work he would not be able to see the code), and others. The only one that was an option for this guy was to receive a code by voice call. Luckily he could still receive a call and pick it up using his headset.

So after a couple of minutes he was able to log in and get his friend’s contact. I let him use my phone to call, and his friend called him back so they could coordinate whatever they needed.

Glad to help a person out. But the real story here, for me, is the perils of 2FA. All the security experts out there will tell you to enable 2FA for all your logins, all the major services on the internet offer 2FA: Google, Facebook, Apple, Microsoft, Adobe, blah, blah, blah.

I’ve been using 2FA for about two decades; I believe I was issued my first physical RSA token back in 2003. Nowadays I have multiple software tokens on my phone: Microsoft Authenticator (for work), Adobe Account Access —just for Creative Cloud, damn you Adobe—, Authy, Google Authenticator (which I don’t use for anything anymore, I should delete it) and, most importantly, 1Password, whose built-in code generator I use for as many services as will let me.

Google and Adobe, and, to a lesser extent, Apple piss me off with their 2FA. Google and Adobe use proprietary software, so I can’t add them to 1Password for the code generation. I have to use Gmail and Adobe Account Access respectively. Gmail is the worst: I don’t use Gmail’s app for anything else, I use the built-in mail app on my phone, but I have to keep Gmail on my phone just to log in to Google. Adobe is nearly as bad; they have a dedicated app, it’s not even in the existing Lightroom or Creative Cloud or other Adobe apps I already have. Apple uses a push to logged-in Apple devices, and since I’m helplessly mired in the Apple ecosystem that’s not really a problem, but how do people with only one Apple device do it?

I think 2FA is important; we hear daily about new hacks. I have been on the internet for three decades and using the same email address for almost that whole time. I was foolish, like most people, and used the same password for everything for years. That email address has appeared in many leaks; according to haveibeenpwned [] I have, in fact, been pwned 26 times. And that’s only known pwnings. My old go-to password has appeared 4 times, meaning the plain-text password is sitting next to its hashed string, so if that hash shows up in another breach the hacker does not even need to crack the hash, they already know the password.

So, these days I use a password manager. I use 1Password. And while there is always a chance that they get hacked and my data gets leaked, I think the benefits outweigh the risks. I am able to set a different password for everything and I don’t have to remember them; I only have to remember one master password, and I can make that as complex as I want to make it harder to crack, not worth the time of a hacker. (If you want to understand how easy it is to crack passwords, watch this Computerphile video [].)

1Password allows me to set 1Password as my 2FA code generator [] for sites or apps that follow the standard. You can see which sites support it here [] and which use proprietary solutions.

But, for all the extra security 2FA provides, you have to be prepared, to make sure you have access to the code generator. If you lose your phone you still need to be able to get a code to log in… I can log in to 1Password on my computer, but what if someone does not have a computer, only their phone? What if I’m overseas without access to my computer? What if you lose your phone, so you go to use someone else’s computer to log in somewhere, and to get the code you need your phone? Sure, they offer other methods to verify, so you select receive code by email, but then you need a 2FA code to log in to your email, but you’ve lost your phone… How deep does this rabbit hole go? When it works it’s great, but I can see how this whole thing is too complicated for many people.

This rant isn’t going anywhere so let me explain, no, there is too much, let me sum up: Passwords suck, but we don’t have anything better yet (people are working on it: Alternatives to passwords []). 2FA is better, but there are some issues. All of this security is too complicated for most people.


The Four Drives: Uncle Russell Edition

A while back I posted The four drives [] about the connection between what a history teacher once explained to me as the four drives, and the drives listed in The Consolation of Philosophy by Boethius:

My Teacher

  • Money
  • Power
  • Prestige
  • Sex

Boethius

  • Wealth
  • Power
  • Reputation
  • Fame
  • Sensual pleasure

If you consider Reputation and Fame to be two parts of Prestige then they are the same list. I wondered if my teacher was familiar with Boethius? I guess I’ll never know.

But then the other day I came across an article on Bertrand Russell called The Four Desires Driving All Human Behavior [], a repost of a 2015 article on The Marginalian [] which summarizes a speech uncle Bertrand gave upon accepting the Nobel Prize in Literature in 1950.

Russell lists the following drives:

  • Acquisitiveness
  • Rivalry
  • Vanity
  • Love of power

I leave it as an exercise to the reader for a full analysis of the alignment. But I will point out a few things:

First, sex makes no appearance. Maybe it’s just the 1950s, or perhaps Russell thought it was not appropriate for a Nobel Prize acceptance speech?

Second, Acquisitiveness, in addition to being hard to spell and a ten dollar word, is a more general way of saying “wealth” or “money”. In his speech Russell defines it thus: the wish to possess as much as possible of goods, or the title to goods. So I would say Acquisitiveness = Money = Wealth.

Rivalry is interesting; it’s on the list instead of sex. Per Russell’s speech this is basically the desire to one-up or crush others: a great many men will cheerfully face impoverishment if they can thereby secure complete ruin for their rivals.

Russell lists a second tier of drives including excitement, or the need to avoid boredom. This aligns with the idea that so much of modern society’s problems result from bored youth, particularly bored males 18-25…

You can read Russell’s acceptance speech [] in whole on the Nobel Prize site. But I warn you it’s not easy to read. Better to start with the article on The Marginalian []. Final note: The Marginalian looks like a very interesting site to explore.

Stolen Bits & Bytes

Last week I found a few of my photos being used on a local website []. Specifically, photos of the vacant house at 25 Grange Road. I never actually posted the photos here on Confusion back when I took them in 2006. I was not overly happy with them. The subject was very cool but I don’t think I captured it as well as I wanted. Anyway, you can see the full photoset on Flickr, such as it is, only 12 photos:

Abandoned: 25 Grange Rd, Singapore, May 2006 Photoset on Flickr.

It’s nice when others find my photos useful. A few small sites have used some of my photos before, a few even got published in books (here [] & here again []), and the craziest usage was when the Ford Museum purchased the rights to this photo [] to hang somewhere in the museum. Always nice that someone finds my photos useful.

I release almost all of the public photos on my Flickr account under the Creative Commons Attribution License, so they are free for anyone to use, including for commercial purposes. You don’t have to ask permission or let me know; sometimes people do email me via Flickr or post a comment on a photo they use, which is nice because I can see the work. The license does require that if you use a photo you provide an attribution, just my name (I tell people they are welcome to use “Brian Beggerly” or just “beggs”). Flickr terms require a link back to the Flickr page in addition.

In this particular case, though, the photos were not attributed to me; they were instead attributed to another web site. And on that site the photos are not attributed to anyone. It’s perfectly possible that someone took very similar photos to those that I took. But the other page contains five of the 12 photos from my photoset, and when I looked at them there was no doubt left; they are identical, they are the same photos.

In any case, I reached out to the Smart Local site and let them know and they agreed and updated the attribution.

Before, courtesy of the Wayback Machine []

I emailed the site where the photos were posted originally, but no response yet. To be fair, the site is no longer updated (per a banner on the site when you contact them), so maybe no one is looking at the emails. And while it’s the site that I contacted, it seems most of the articles were submitted by independent writers, so maybe it’s the author who didn’t add the attribution? But even if the author should have provided the attributions, the site should also have some sort of editorial process to check that authors are attributing third-party works, because it’s the publishers who are going to get the notice when an attribution is missing or wrong.

I have not heard back from the site yet. I’m not linking to them here as I don’t want to drive traffic to the site. If they reply and update the attribution I’ll add a link.

While I think information “should be free”, in the sense that I oppose companies extending copyright forever and hiding behind armies of lawyers trying to prevent people from making derivative works and taking inspiration… I also think people should give credit to other creators and respect other creators decision to charge for, or get paid for, their works. A derivative or an homage is fine, though there is a fine line between inspiration and copying.

Hum… would Picasso have supported Napster?

But credit should be given. People should have respect for the people who create, even if the creation is owned by some big, money-driven corporation. If you don’t want people stealing your work, don’t steal from others. I think this should be taught in school, to make sure everyone understands the laws and how to follow them, or how to work to change them. Vote with your wallet: if the item is not worth the price being asked then don’t buy it, and don’t steal it, just don’t consume it. In a capitalist system voting with your wallet is the most effective thing you can do. And if you are able to vote in elections, and you disagree with the power corporations have over copyright and patents, the only way to change that is to vote in politicians who will change the laws and empower regulators to enforce limits, and nominate and confirm judges who can hold the companies to account in the courts.

I am part of the Napster generation; I stole a lot of music and downloaded a lot of warez. I don’t blame kids and broke college students for piracy, but I don’t support big corporations suing individuals for outrageous amounts of money. I understand they want to protect their work and business, but it’s the wrong message to me.

I do have an issue with adults continuing to steal long after they are old enough to know it’s wrong. When I started making a living producing work that could be stolen, computer code in my case, I came to understand that it is theft and it is wrong (even if, in my case, it was not a work that was likely to be stolen by people, I never wrote that type of software).

I deleted so much music… Today, I don’t produce anything in my career that would be pirated, but I release the works I create as part of my hobby, my photographs, so that others can use them. They can use them even if I don’t like what they make from them or how they use them. Creative Commons [] tried to make this simple in the digital world with their licenses (they are 20 this year! So go and vote with your wallet, donate a few dollars). Flickr is a great source of Commons-licensed works that you can use and makes it easy for its members to choose a CC license. But it still requires people to understand that you should respect others’ work.

We live in a complicated world; educate yourself and think about your actions. It does not take much effort to find a way to get others’ work for free, but is that how you would want others to treat a work you created? More power to you if you choose to release your work for others for free, but if you choose to charge for it, or get paid by making something for someone else, do you want others to steal it?

Ok, enough. It’s a complicated subject. In summary, if you are going to use someone else’s work, have some respect and learn the rules of the game, follow them. Don’t steal. Treat others works the way you want your works treated.


AI Powered Tower Defense for my Kitchen

This should win an Ig Nobel Prize this year: scientists create AI-powered laser turret that kills cockroaches []. Ig Nobel Prizes are about things that “make people laugh, and then make them think.” I am laughing, but I am also thinking. I’m thinking someone needs to make this a reality quickly…

I need to defend my kitchen from ants. Cockroaches, not so much, but I am locked in an eternal battle with ants. I live on the ground floor of a building in the tropics, and no matter how many times I win a battle with the ants they come back in a few days. They are endless, they are relentless.

I want this AI bug zapper to be a reality fast. Lasers would be awesome, I mean, who doesn’t like lasers [] (the original of that was a user bio on StackOverflow, but it’s long gone)? How cool would it be to walk into the kitchen and see little laser blasts taking out ants? Pew pew! (They should totally add Hollywood blaster sound effects.) But without fog I guess you wouldn’t see the lasers. Add a fog machine too.

But, lasers require a lot of power… and you’ll shoot your eye out. How about we have an unholy union of Bug-a-salt [] and this AI powered bug slayer (still need the sound effects). I want to play tower defense with salt powered AI turrets in my kitchen.

I could start with them on counters and move them closer to the doors and windows, pushing back the frontline until all the territory in my kitchen is reclaimed from the ants. And then, the turrets will guard my borderlands. Creating a Maginot Line (scratch that, it failed), a DMZ around my kitchen.

Maybe we could build these on top of a robot vacuum chassis so we can have mobile salt gun bug killers, MSGBKs. Slap a camera on that and stream the video to the internet. I already have a robot vacuum and a robot mop, a robot bug zapper patrolling my house would be cool.

On the other hand, if you give an AI the ability to kill bugs, removing the human from the decision chain, are you setting the stage for the robot apocalypse? Is this how Skynet starts? Not with the military mounting machine guns on robo-dogs [] and allowing them to kill, but with a crusade against ants and cockroaches?

