Categories
ranting

The Perils of 2FA

Yesterday I was sitting at a cafe near my house with my daughter. I had just finished a video call with my boss —a weekly touchpoint since my boss sits in Amsterdam and I sit in Singapore— when a guy approached me and asked if he could use my iPad.

It took a minute to understand what he wanted and why. It seems that his phone screen had died; he could receive a call, using his headset to answer it, but he could not make a call or browse his phone in any way. He wanted to log into Gmail to get a contact number and use my phone to call them.

Ok, no problem, I’m happy to help a guy out. So I opened up Firefox in incognito mode and loaded Gmail. After the username and password were entered a two-factor authentication (2FA) page opened. Google wanted the guy to enter a code that could be found on a device already logged in… that would be his phone, the one he could not access.

Google gives options to allow you to try other ways of verifying yourself: receive a code by email (not helpful if you are trying to log in to that email), receive a code by text (since his phone screen didn’t work he would not be able to see the code), and others. The only one that was an option for this guy was to receive a code by voice call. Luckily he could still receive a call and pick it up using his headset.

So after a couple of minutes he was able to log in and get his friend’s contact. I let him use my phone to call and his friend called him back so they could coordinate whatever they needed.

Glad to help a person out. But the real story here, for me, is the perils of 2FA. All the security experts out there will tell you to enable 2FA for all your logins, all the major services on the internet offer 2FA: Google, Facebook, Apple, Microsoft, Adobe, blah, blah, blah.

I’ve been using 2FA for about two decades; I believe I was issued my first physical RSA token back in 2003. Nowadays I have multiple software tokens on my phone – Microsoft Authenticator (for work), Adobe Access —just for Creative Cloud, damn you Adobe—, Authy. Google has an Authenticator, which I don’t use for anything anymore (I should delete it), and most importantly 1Password, for as many services as I can use its built-in code generator.

Google and Adobe, and, to a lesser extent, Apple piss me off with their 2FA. Google and Adobe use proprietary software, so I can’t add them to my 1Password for the code generation. I have to use Gmail and Adobe Account Access respectively. Gmail is the worst: I don’t use Gmail’s app for anything else, I use the built-in mail app on my phone, but I have to keep Gmail on my phone just to log in to Google. Adobe is nearly as bad: they have a dedicated app, it’s not even in the existing Lightroom or Creative Cloud or other Adobe apps I already have. Apple uses a push to logged-in Apple devices and since I’m helplessly mired in the Apple ecosystem that’s not really a problem, but how do people with only one Apple device do it?

I think 2FA is important; we hear daily about new hacks. I have been on the internet for three decades and using the same email address for almost that whole time. I was foolish, like most people, and used the same password for everything for years. That email address has appeared in many leaks; according to haveibeenpwned [haveibeenpwned.com] I have, in fact, been pwned 26 times. And that’s only known pwnings. My old go-to password has appeared 4 times, meaning the plain text password with the hashed string is there, so if that hash shows up in another breach the hacker does not even need to break the encryption, they already know the password.

So, these days I use a password manager. I use 1Password. And while there is always a chance that they get hacked and my data gets leaked, I think the benefits outweigh the risks. I am able to set a different password for everything and I don’t have to remember them; I only have to remember one master password, and I can make that as complex as I want to make it harder to crack, not worth the time of a hacker. (If you want to understand how easy it is to crack passwords watch this Computerphile video [youtube.com].)

1Password allows me to set 1Password as my 2FA code generator [1password.com] for sites or apps that follow the standard. You can see which sites support it here [2fa.directory] and which use proprietary solutions.

But, for all the extra security 2FA provides, you have to be prepared, to make sure you have access to the code generator. If you lose your phone you still need to be able to get a code to log in… I can log in to 1Password on my computer, but what if someone does not have a computer, only their phone? What if I’m overseas without access to my computer? What if you lose your phone, so you go to use someone else’s computer to log in somewhere, and to get the code you need your phone? Sure, they offer other methods to verify, so you select receive code by email, but then you need a 2FA code to log in to your email, but you’ve lost your phone… How deep does this rabbit hole go? When it works it’s great, but I can see how this whole thing is too complicated for many people.

This rant isn’t going anywhere so let me explain, no, there is too much, let me sum up: Passwords suck, but we don’t have anything better yet (people are working: Alternatives to passwords [builtin.com]), 2FA is better, but there are some issues. All of this security is too complicated for most people.

Categories
quotes

Algorithmic Manipulation

The internet, […] is home to many eyes, rabbit holes, and agents of algorithmic manipulation.

Lydia Sviatoslavsky, interviewing R. U. Sirius for Spike [spikeartmagazine.com]

Categories
albums

The Cure: Glastonbury Festival 1990

This entry is a little different than the other albums [confusion.cc] I’ve posted because you can’t buy this album. At least not officially. It’s a bootleg of The Cure’s 1990 set at the Glastonbury Festival. I’m sure you can find it somewhere on the internet, but I actually bought this pre-Napster and still have the physical bootleg CDs.

In 1990 I was 12 and had never heard of The Cure. I think I first encountered The Cure a few years later when Friday, I’m in Love, from their 1992 release Wish [discogs.com], was in heavy rotation on MTV. I can remember sitting in K████’s living room every morning waiting on the school bus with K████ and M██████ and watching the music video. Good times, there are a lot of music videos from 1992/1993 burned into my memory from those mornings.

I didn’t catch The Cure bug for a few more years. In 1997, my girlfriend was big into The Cure. We listened to a lot of Cure in the car driving around. I actually bought the Glastonbury bootleg with her in a little shop on the downtown mall. It’s one of a number of bootlegs I got from the same guy. Mostly live stuff; Bush, The Chemical Brothers, Tori Amos, Jewel, Sarah McLachlan, others.

My love of The Cure long outlasted that relationship. I devoured their back catalog, and continued to follow them. It was their back catalog that really hooked me; Pornography [discogs.com] and The Walk [discogs.com] are awesome albums. But their masterpiece was Disintegration [discogs.com]; Fascination Street, Love Song, and Pictures of You, my three favorite Cure songs, all on the same album. Disintegration is Robert Smith’s masterpiece. As Tricky says in the liner notes to his 2003 entry in the Back to Mine [discogs.com] series: Robert Smith is the best love song writer in the world. All his lyrics and melodies are unbelievable. For me that’s true. While Tricky picked Lullaby for his Back to Mine playlist, I would put Love Song and Pictures of You in my top few love songs ever.

But the live performance at Glastonbury in 1990 is the one I’ve always come back to. It’s peak Cure. It was a year after Disintegration and includes a lot of songs from that album but also an amazing selection of songs from their earlier releases. And this era, 89, 90, 91, is the perfection of The Cure’s synth-goth-post-punk-shoegaze-alternative-rock sound. Even the older songs that might have been a little ‘meh’ on the original releases here have something extra, something amazing.

I wish I could post an Apple or Spotify link, but as it’s a bootleg they don’t have it. The best I could do would be one of the official live releases from around this time; Show is the best option. But Show was released as single CDs, so you only get about 80 min, while the 1990 set at Glastonbury was close to two full hours with the two encores (not including the helicopter landing to evacuate some lady who was getting crushed). But I can link to this YouTube video that seems to have the whole set. It’s an hour and forty-four minutes, enjoy:

Categories
ranting

The Four Drives: Uncle Russell Edition

A while back I posted The four drives [confusion.cc] about the connection between what a history teacher once explained to me as the four drives, and the drives listed in The Consolation of Philosophy by Boethius:

My Teacher

  • Money
  • Power
  • Prestige
  • Sex

Boethius

  • Wealth
  • Power
  • Reputation
  • Fame
  • Sensual pleasure

If you consider Reputation and Fame to be two parts of Prestige then they are the same list. I wondered if my teacher was familiar with Boethius? I guess I’ll never know.

But then the other day I came across an article on Bertrand Russell called The Four Desires Driving All Human Behavior [getpocket.com], a repost of a 2015 article on The Marginalian [themarginalian.org] in which is summarized a speech uncle Bertrand gave upon accepting the Nobel Prize in Literature in 1950.

Russell lists the following drives:

  • Acquisitiveness
  • Rivalry
  • Vanity
  • Love of power

I leave it as an exercise to the reader for a full analysis of the alignment. But I will point out a few things:

First, sex makes no appearance. Maybe it’s just the 1950s, or perhaps Russell thought that it was not appropriate for a Nobel Prize acceptance speech?

Second, Acquisitiveness, in addition to being hard to spell and a ten dollar word, is a more general way of saying “wealth” or “money”. In his speech Russell defines it thus: the wish to possess as much as possible of goods, or the title to goods. So I would say Acquisitiveness = Money = Wealth.

Rivalry is interesting; it’s on the list instead of sex. Per Russell’s speech this is basically the desire to one-up or crush others: a great many men will cheerfully face impoverishment if they can thereby secure complete ruin for their rivals.

Russell lists a second tier of drives including excitement or the need to avoid boredom. This aligns with the idea that so many of modern society’s problems result from bored youth, particularly bored males 18-25…

You can read Russell’s acceptance speech [nobelprize.org] in whole on the Nobel Prize site. But I warn you it’s not easy to read. Better to start with the article on The Marginalian [themarginalian.org]. Final note: The Marginalian looks like a very interesting site to explore.

Categories
albums

The Richest Man in Babylon

Artist
Thievery Corporation
Release Date
September 30, 2002

I purchased The Richest Man in Babylon [discogs.com] sometime in late 2002 or early 2003 while I was living in Dupont Circle in DC. I purchased it at a music store that I can’t remember the name of, it was near Kramers bookstore. I spent a lot of time browsing both Kramers and that music store; several other albums I plan to cover came from there. I spent a lot of evenings and weekend afternoons sitting at Xandos reading books from Kramers and listening to albums I purchased at that music store.

I purchased The Richest Man because while I was living in Dupont I spent many evenings chilling at the Eighteenth Street Lounge [18thstlounge.com]. The Eighteenth Street Lounge, or ESL, is a story in itself. Hidden behind a plain street level door, sandwiched between a mattress store and… something else at the time. Next to the door was a brass plate that said “Eighteenth Street Lounge, Washington DC”. Opening the door and climbing the stairs led you to the best live music and DJ place in DC. The ambiance was amazing: an eclectic mix of baroque and thrift store couches and tables, damask wallpapers and exposed brick walls, light from electric candelabras and chandeliers, a well stocked bar and the best sound system you can imagine.

So what’s the connection to the Richest Man in Babylon? The band, Thievery Corporation, started when one of the lounge co-owners, Rob Garza, met Eric Hilton at the ESL. ESL played a lot of Thievery Corporation music and the music that inspired them. So I went searching for the album. ESL has its own record label, also ESL, that besides Thievery Corporation also released other amazing artists like Federico Aubele and Les Hommes.

I purchased both The Mirror Conspiracy [discogs.com] and The Richest Man in Babylon at the same time. Richest Man became my favorite and still remains my favorite Thievery Corporation album. The music is an eclectic mix of influences: Latin American jazz and bossa nova, Indian and Middle Eastern traditional music, with Jamaican dub most evident in the vocals. All layered over chill out electronic beats.

Any album on my best list has to be one I can, and do, listen to from start to finish, no dud songs. And Richest Man is definitely there. From the opening sounds of Heaven’s Gonna Burn Your Eyes, through to the end of Until the Morning. This is one of the best chill albums out there. The electronic beats blend with the world music percussion and synth melodies, providing a timeless background for the vocals. Often the vocals are non-English, like on Omid, which lends it an even more chilled out sound to me.

The best songs on the album are probably “Heaven’s Gonna Burn Your Eyes” and “The Richest Man in Babylon” followed closely by “All That We Perceive” and “Un Simple Histoire”. But have a listen from beginning to end. It’s all amazing.
