Shared posts

22 Oct 21:00

the signs as cats in halloween costumes














15 Oct 13:41


by hell-baby

14 Oct 14:07

What Happened When One NYC Pharmacy Charged Men More

by Bridget Crawford

What Happened When One NYC Pharmacy Charged Men More

Post to Twitter Post to Facebook

image credit:

Thompson Chemists in the Soho neighborhood of New York City got some attention this week when it posted signs saying “All female customers shop tax free” and “All male customers subject to a 7% man tax.” Here’s some press coverage of the event from Gothamist:

Jolie Alony, who has owned the pharmacy for 22 years and lives in SoHo, said she wants men who shop at her store to understand the extra costs that women bear when they shop.

“We want to bring awareness on how it feels to be a woman, so the men actually get to feel it,” she said. * * * Despite what her signs say, Alony explained, men aren’t actually coughing up more than they normally would at the register; rather, she’s offering a 7 percent discount for women—effectively cutting out sales tax. She’s still required to report all sales and pay out the sales tax in full, so, she said, she’s just making up the difference herself.

The policy is being run as a promotion—Alony said she’ll see how the day goes and decide if she wants to keep it in place.

Thompson Chemists later posted this note on its Facebook page (see more press coverage here):

Calm down SoHo friends!

As stated in the article: “men aren’t actually coughing up more than they normally would at the register; rather, she’s offering a 7 percent discount for women—“
this makes up for how women are often overcharged for over-the-counter and beauty products (on average 7% according to the NYC Department of Consumer Affairs).

This is a friendly reminder to treat your friends and neighbors as equals and to read articles in their entirety before passing judgment.

With love from your neighborhood pharmacy,
Thompson Chemists

The Gothamist article says that the New York City Department of Consumer Affairs “wrote back to Gothamist to explain that there’s no legal issue with the Thompson Chemist promotion, as there isn’t a prohibition on price discrimination for goods. It is illegal, however, to discriminate in the pricing of services.”  I would be surprised if it is correct that vendors can legally discriminate in price, based on the sex of the customer.  The finer point is that Thompson Chemists is essentially giving a discount to women and not men by paying the women’s sales tax themselves.  In other words, Thompson Chemists is still on the hook for paying to New York State the sales tax on all of the (taxable) property it sells; the store is simply choosing to cover some of the tax itself.

I love the awareness that Thompon Chemists is raising, but I do wonder if it is legal to offer discounts to one group and not the other, on the basis of sex.  Or, are discounts so inherently discretionary that the law defers to the judgment of the store offering the discount?  Con Law experts, please chime in.

Feminist Law Professors

07 Oct 17:29

Springtime Strawberry And Lime Coconut Muffins

Fergus Noodle

NQN shares her favourite memes with us

Looking for a delicious baked goods for a crowd or to pop in a lunchbox? These soft lime and coconut muffins are dairy free and full of zesty lime and creamy coconut. And the piece de resistance are the sliced and fanned strawberries on top!
10 Oct 23:56

Getting Messy With It! Rib-O-Rama Or The Best Ribs in Sydney Challenge!

Fergus Noodle

They go the 'I'm Angus' which is the restaurant our dog owns.

Looking for Sydney's best pork ribs? How about a day spent eating ribs at 10 rib places all over Sydney? That was the challenge set to my intrepid group of friends. Strap on your bibs and get your wet wipes out. It's going to get messy in here as we sample Sydney's sauciest pork ribs!
02 Oct 10:53

NSW Liberal’s Bill to kill

by Saving Our Trees
What is wrong with the Baird Liberal government? An article in today’ Sydney Morning Herald ( ) says that the Baird government will abolish the need to get a licence to kill native animals. “Last year 47,000 native animals and birds were killed in NSW by property owners using a “s121 licence”.” 47,000!  If […]
09 Oct 15:08

Barzaari, Marrickville

by Helen (Grab Your Fork)
Fergus Noodle

let's go here

If you've never had pide bread fresh from a woodfired oven you need to. Shaped into elongated boats, fresh pide is warm in the fingers and soft in the mouth, its surface of gently puffed bubbles brushed with olive oil and sprinkled with nigella seeds. It's one of the highlights at Barzaari, Marrickville's latest gustatory beacon, headed by chef and co-owner Darryl Martin whose CV includes
07 Oct 14:30

Girls Exposed to a Diverse Set of Scientists Shift their Assumption that They’re Mostly Men, But Boys Do Not

by Gwen Sharp, PhD

Flashback Friday.

Eden H. sent in an exploratory study about kids’ stereotypes of scientists. The U.S. Department of Energy’s Fermilab asked 7th graders to draw and describe a “scientist” before and after visiting the lab on a class trip. They first read about the Fermilab, then came to the lab and meet with some of the scientists and talk about their work. From the Fermilab website:

What we changed for this field trip was the before and after descriptions and small group sessions for each student to meet with two of three physicists rather than one large group session. We deliberately chose a typical white male, a young female and an African American physicist. We let the students and physicist take their discussion where they wanted.

Here are some of the before-and-after pictures and descriptions (all 31 are available here):

In general, the students seemed to come away with an idea of scientists as being more like “normal” people, not just stereotypical geeks in lab coats. But some of the other changes are interesting, too. The author of a post about the study at Restructure! analyzed the before-and-after images (as best as she could identify the sex of the drawings):

  • Among girls (14 in total), 36% portrayed a female scientist in the “before” drawing, and 57% portrayed a female scientist in the “after” drawing.
  • Among boys (17 in total), 100% portrayed a male scientist in the “before” drawing, and 100% portrayed a male scientist in the “after” drawing.

I looked through all of them and only saw one instance (posted above) where the child changed the scientists to be clearly non-White.

Of course this is a small sample, but the results seem to reproduce what other studies have found regarding the importance of role models and gender stereotyping, in particular, that girls are more likely to imagine themselves  in careers when they see women doing them. For instance, the relative lack of female professors in male-dominated departments such as engineering may play a role in discouraging women from choosing to major in such fields (as well as other factors such as steering, concerns about family/work conflicts, etc.).

Originally posted in 2010.

Gwen Sharp, PhD is a professor of sociology and the Associate Dean of liberal arts and sciences at Nevada State College. 

(View original at

04 Oct 17:12

The Sopranos Inspired Satriale's Sandwich Deli, Kensington

Fergus Noodle

I feel like we have very very sad sandwiches in Australia

"OMG honey, there's a sandwich bar in Kensington! We're getting more places to eat!" I said excitedly. Okay it was literally one new place so I perhaps shouldn't get too excited but if you're a Sopranos fan the name will ring a bell. Satriale's sandwich deli is named after the one that Tony Soprano owned in the television series. And they make New Jersey Italian style sandwiches.
28 Sep 04:53

Food Glorious Food ... 2016-9-28 ..

by Barbara Neubeck
Fergus Noodle

I wondered why Barbara was suddenly eating more colourful food

 The biggest thing in our daily life at the moment is FOOD .....

Hubby's Doctor has told him he has to go on an eating plan to lose weight because he is heading for more health problems if he doesn't lose weight soon.

I'm joining him on this adventure as I need to lose some weight too.....

.........  this is Bolognaise with Cauliflower rice.....  it was delicious...

  ...........  this is Steak with salad and a sauce from the pan juices and creme fraiche...  beautiful...

............  this is prawns (shrimp)  with Greek Salad .....I had this at the club on Monday......

.... now this one is Warm beetroot and orange slices on a  bed of chinese cabbage with walnuts and sardines.....   we all really liked this could use other fish  ......

                                                  ...   baked pork with salad....  

I won't go on any more...  lol  ......

I'm just happy Hubby is liking it enough to plan to stick with it....   I love salad warm or cold...  

I'm cooking Potato and pasta for Mum and she has a sandwich for lunch and weet bix for breakfast as she normally does ..... for us it's super low carb....
..So glad hubby is off the meal replacement shakes    he was always hungry...  with this plan he's not hungry at all....
...  and ....  he has lost 3 kg in 10 days.....  
I lost 1.5 kg   in this time ...  loving it...   xxxxx

Can't leave without a flower .....

... and a feather ......

...   have a good day ....     Barb  xxxxx                                                                                                             
28 Sep 18:40

The Whole Kit and Ka-Boodle. A Boodle Feast at Sizzling Fillo, Lidcombe

Fergus Noodle

They've got karaoke

It's a Sunday night at Sizzling Fillo restaurant in Lidcombe and it's fairly busy. The walls on one side of the restaurant have painted red bricks with blacked out areas. A wedding altar stands at the back of the karaoke stage. There's a woman wearing a tiara and sash at the head of a long table spread with banana leaves. Her table is laid with a boodle feast. So what is a boodle?
18 Sep 21:00


by hell-baby

24 Sep 21:00

culturenlifestyle: The Most Regal, Friendly and Fluffy Kitten...

by hell-baby


The Most Regal, Friendly and Fluffy Kitten In The World Is Named Aurora

Aurora is a unique and elegant cat with pristine snow white fur and sparkling blue eyes. 

Keep reading

18 Sep 18:30

Burgerlicious Ume Burger, Surry Hills

"Should we double the burger?" I say to Viggo. He looks at me slightly surprised, "Is that even a question?" he responds. We are at Ume Burger, formerly Ume restaurant a fine dining Japanese restaurant on Bourke Street in Surry Hills. And like some chefs and restaurants Ume's Kirby Craig has done a 180° turn towards more casual dining. Burgers to be exact with a Japanese bent to them.
11 Sep 17:06

Teemu, 30

“I’m wearing my most expensive shirt, a vintage Moschino and my cheapest shorts which I bought at Zeeman in Holland for 3,99 euros. The Fila shoes I bought online, because I couldn’t find any funny shoes at the stores in Finland.”

21 June 2016, Siltasaarenkatu

16 Sep 18:37

Hop to It at Hopper Kadé, Sydney

Fergus Noodle

This looks like the sort of thing I am in to

I've always said that my readers are the best. They are the most generous, non judgemental souls and when I've met them we've fallen into an easy conversation about food. Recently a Dear Reader Romany told me about a Hopper place in Sydney called Hope Kadé. Hoppers are a Sri Lankan food that are like a round crispy pancake with a slight upturned bowl edge.
11 Sep 14:23

Meatmaiden, Melbourne

by Helen (Grab Your Fork)
Fergus Noodle

Seems like something ppl would be interested in

Meat. It takes centre stage at Melbourne's Meatmaiden, showcased in a backlit display cabinet like precious jewels. Forget about Breakfast at Tiffany's. I'd rather eat my croissant with this view instead. I visited Meatmaiden a little while back on a work trip to Melbourne. Currently I'm a few days post-double wisdom teeth removal - hence the missing post from last week - and if there's one
08 Sep 01:29

The Limits of SMS for 2-Factor Authentication

by BrianKrebs

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

2faMark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.

In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

This is a fairly clever — if not novel — attack, and it’s one I’d wager would likely fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.

Nevertheless, text messaging codes to users isn’t the safest way to do two-factor authentication, even if some entities — like the U.S. Social Security Administration and Sony’s Playstation network — are just getting around to offering two-factor via SMS.

But don’t take my word for it. That’s according to the National Institute of Standards and Technology (NIST), which recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-base one-time passwords generated by mobile apps — over text messaging. By the way, NIST is seeking feedback on these recommendations.

If anyone’s interested, Sophos’s Naked Security blog has a very readable breakdown of what’s new in the NIST guidelines. Among my favorite highlights is this broad directive: Favor the user.

“To begin with, make your password policies user friendly and put the burden on the verifier when possible,” Sophos’s Chester Wisniewski writes. “In other words, we need to stop asking users to do things that aren’t actually improving security.” Like expiring passwords and making users change them frequently, for example.

Okay, so the geeks-in-chief are saying it’s time to move away from texting as a form of 2-factor authentication. And, of course, they’re right, because text messages are a lot like email, in that it’s difficult to tell who really sent the message, and the message itself is sent in plain text — i.e. is readable by anyone who happens to be lurking in the middle.

But security experts and many technology enthusiasts have a tendency to think that everyone should see the world through the lens of security, whereas most mere mortal users just want to get on with their lives and are perfectly content to use the same password across multiple sites — regardless of how many times they’re told not to do so.

Google's new push-based two-factor authentication system. Image: Google.

Google’s new push-based two-factor authentication system. Image: Google.

Indeed, while many more companies now offer some form of two-factor authentication than did two or three years ago — consumer adoption of this core security feature remains seriously lacking. For example, the head of security at Dropbox recently told KrebsOnSecurity that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. And Dropbox isn’t exactly a Johnny-come-lately to the 2-factor party: It has been offering 2-factor logins for a full four years now.

I doubt Dropbox is somehow an aberration in this regard, and it seems likely that other services also suffer from single-digit two-factor adoption rates. But if more consumers haven’t enabled two-factor options, it’s probably because a) it’s still optional and b) it still demands too much caring and understanding from the user about what’s going on and how these security systems can be subverted.

Personally, I favor app-based time-based one-time password (TOTP) systems like Google Authenticator, which continuously auto-generates a unique code via a mobile-based app.

Google recently went a step further along the lines of where I’d like to see two-factor headed across the board, by debuting a new “push” authentication system that generates a prompt on the user’s mobile device that users need to tap to approve login requests. This is very similar to another push-based two-factor system I’ve long used and trusted — from Duo Security [full disclosure: Duo is an advertiser on this site].

For a comprehensive breakdown of which online services offer two-factor authentication and of what type, check out And bear in mind that even if text-based authentication is all that’s offered, that’s still better than nothing. What’s more, it’s still probably more security than the majority of the planet has protecting their accounts.

07 Sep 14:02

WestConnex Authority starts destruction of remnant forest

by Saving Our Trees
Some days the news is just bad & today is one of those days. The Wolli Creek Regional Park is our closest area of bushland. It is vitally important for wildlife because, really there is nowhere else that offers decent habitat for wildlife in the area.  The park, managed by the NSW National Parks & […]
06 Sep 01:46

Location Privacy: The Purview of the Rich and Indigent

by BrianKrebs

I’d just finished parking my car in the covered garage at Reagan National Airport just across the river from Washington, D.C. when I noticed a dark green minivan slowly creeping through the row behind me. The vehicle caught my attention because its driver didn’t appear to be looking for an open spot. What’s more, the van had what looked like two cameras perched atop its roof — one of each side, both pointed down and slightly off to the side.

I had a few hours before my flight boarded, so I delayed my walk to the terminal and cut through several rows of cars to snag a video of the guy moving haltingly through another line of cars. I approached the driver and asked what he was doing. He smiled and tilted the lid on his bolted-down laptop so that I could see the pictures he was taking with the mounted cameras: He was photographing every license plate in the garage (for the record, his plate was a Virginia tag number 36-646L).

A van at Reagan National Airport equipped with automated license plate readers fixed to the roof.

A van at Reagan National Airport equipped with automated license plate readers fixed to the roof.

The man said he was hired by the airport to keep track of the precise location of every car in the lot, explaining that the data is most often used by the airport when passengers returning from a trip forget where they parked their vehicles. I checked with the Metropolitan Washington Airports Authority (MWAA), which manages the garage, and they confirmed the license plate imaging service was handled by a third-party firm called HUB Parking.

I’m accustomed to having my license plate photographed when entering a parking area (Dulles International Airport in Virginia does this), but until that encounter at Reagan National I never considered that this was done manually.

“Reagan National uses this service to assist customers in finding their lost vehicles,” said MWAA spokesperson Kimberly Gibbs. “If the customer remembers their license plate it can be entered into the system to determine what garages and on what aisle their vehicle is parked.”

What does HUB Parking do with the information its clients collect? Ilaria Riva, marketing manager for HUB Parking, says the company does not sell or share the data it collects, and that it is up to the client to decide how that information is stored or shared.

“It is true the solution that HUB provides to our clients may collect data, but HUB does not own the data nor do we have any control over what the customer does with it,” Riva said.

Gibbs said MWAA does not share parking information with outside organizations. But make no mistake: the technology used at Reagan National Airport, known as automated license plate reader or ALPR systems, is already widely deployed by municipalities, police forces and private companies — particularly those in the business of repossessing vehicles from deadbeat owners who don’t pay their bills.

It’s true that people have zero expectation of privacy in public places — and roads and parking garages certainly are public places for the most part. But according to the Electronic Frontier Foundation (EFF), the data collected by ALPR systems can be very revealing, and in many cities ALPR technology is rapidly outpacing the law.

“By matching your car to a particular time, date and location, and then building a database of that information over time, law enforcement can learn where you work and live, what doctor you go to, which religious services you attend, and who your friends are,” the EFF warns.

A 2014 ABC News investigation in Los Angeles found the technology broadly in use by everyone from the local police to repo men. The story notes that there are little or no restrictions on what private companies that collect time- and location-stamped license plate data can do with the information. As a result, they are selling it to insurers, banks, law enforcement and federal agencies.

In Texas, the EFF highlights how state and local law enforcement agencies have free access to ALPR equipment and license plate data maintained by a private company called Vigilant Solutions. In exchange, police cruisers are retrofitted with credit-card machines so that law enforcement officers can take payments for delinquent fines and other charges on the spot — with a 25 percent processing fee tacked on that goes straight to Vigilant. In essence, the driver is paying Vigilant to provide the local cops with the technology used to identify and detain the driver.

“The ‘warrant redemption’ program works like this,” the EFF wrote. “The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.”

That’s right: Even if the contract between the state and Vigilant ends, the latter gets to keep all of the license plate data collected by the agency, and potentially sell or license the information to other governments or use it for other purposes.

I wanted to write this story not because it’s particularly newsy, but because I was curious about a single event and ended up learning a great deal that I didn’t already know about how pervasive this technology has become.

Yes, we need more transparency about what companies and governments are doing with information collected in public. But here’s the naked truth: None of us should harbor any illusions about maintaining the privacy of our location at any given moment — particularly in public spaces.

As it happens, location privacy is a considerably expensive and difficult goal for most Americans to attain and maintain. Our mobile phones are constantly pinging cell towers, making it simple for mobile providers and law enforcement agencies to get a fix on your location within a few dozen meters.

Obscuring the address of your residence is even harder. If you’ve ever had a mortgage on your home or secured utilities for your residence using your own name, chances are excellent that your name and address are in thousands of databases, and can be found with a free or inexpensive public records search online.

Increasingly, location privacy is the exclusive purview of two groups of Americans: Those who are indigent and/or homeless and those who are wealthy. Only the well-off can afford the substantial costs and many petty inconveniences associated with separating one’s name from their address, vehicle, phone records and other modern niceties that make one easy to track and find.

31 Aug 16:00

Indian Toasties | Paneer Toast

by Ganga108
A spicy toastie filled with paneer and tomato.
26 Aug 21:00


by hell-baby

29 Aug 18:17

Milo Whisky Chocolate Cake With Chocolate Fudge Frosting For Father's Day!

Looking for something delicious to make your father for Father's Day coming up? Or just looking for a kick ass cake that doesn't hold back in a rich chocolatey malt flavour? This triple layer cake is both of those things! It's an incredibly rich cake with plenty of dark chocolate enriched with whisky. And the frosting? Well it's a gorgeous, spreadable dreamy chocolate fudge frosting that is a cinch to make!
28 Aug 16:05

Aaboll Cafe, Merrylands

by Helen (Grab Your Fork)
Fergus Noodle

Hell yeah

Ethiopian restaurants in Sydney are few and far between but that makes Aaboll Cafe even more of a treasure, tucked in amongst the multicultural hubbub that is Merrylands. Walk past the cafe set-up out the front and step through to a rear dining room splashed with colour. The cheeriness of decor is matched by a warm and cheerful reception from staff, happy to lead any newcomers through their
27 Aug 18:15

Movie or TV Snackables: Chocolate Almond Popcorn

Movie or TV nights have never been as much fun than with a cup of this chocolate almond popcorn. This chocolate nut combination is a sure fire crowd pleaser and making popcorn from scratch is as simple as having a paper bag! Trust me :)
25 Aug 23:28

What's a good radio station because I'm having trouble finding one and last week..

by (Merlesworld)
Fergus Noodle

Merle should review radio shows

I have just turned the radio on and some how the station was moved and I'm on The Kyle and Jacki-O show maybe I'm too old for radio today but these two are beyond belief, the news was on so I left it there, they stuck a ad in the news never come across that before then Kyle was telling everyone about all the stuff he had stolen from hotel rooms in his life the same as Kim K he stated, why are these two not arrested and locked up for thief or do hotels just add more to their bills to cover costs makes sense to do so. Then there was a interview with Jason someone who was a singer in USA, he is 26 and done well in this field the questions were about his sex life what car he was driving not much about his music career but they did play one of his songs."Touch the sky'' it was called not bad a few swear words thrown in but that is common these days. there was a delay between the questions and the answers I know it was a overseas interview but I got the feeling he was being a bit cagy about his answers, in all honesty if someone had asked me some of those questions I would just tell them to bugger off.      
This is my shed not much floor now but with luck the floor will be back in a few months, the son and daughter in law have moved all their stuff out of the house they sold but not moved it to QLD so it's in my shed for the time being.

Their back yard and the Beer Fairy looking confused.
They have a lot of paint.
The shed was pretty full of left over building supplies
but the house is now completely empty

I always liked their entrance gate
and these stickers didn't come off but they are cute, the beer fairy really likes this mirror bet you cant't guess what it is made of.
We all got together for a meal and I caught a train there as they had hired a van with only 3 seats and the beer fairy caught the train home.
Interesting trip I encountered a steam train at Straithfield Station not seen one in years in Sydney, love the sound and sight of these trains the smell not so much, the driver blew his whistle a lot and everyone took photos.

Me at dinner as you can see it's cold. I can't turn these photos., so you get a sideways view.
24 Aug 16:13

United Airlines Sets Minimum Bar on Security

by BrianKrebs

United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes — moving from a 4-digit PINs to password and requiring customers to pick five different security questions and answers — may seem like a security playbook copied from, circa 2009. Here’s a closer look at what’s changed in how United authenticates customers, and hopefully a bit of insight into what the nation’s fourth-largest airline is trying to accomplish with its new system.

United, like many other carriers, has long relied on a frequent flyer account number and a 4-digit personal identification number (PIN) for authenticating customers at its Web site. This has left customer accounts ripe for takeover by crooks who specialize in hacking and draining loyalty accounts for cash.

Earlier this year, however, United began debuting new authentication systems wherein customers are asked to pick a strong password and to choose from five sets of security questions and pre-selected answers. Customers may be asked to provide the answers to two of these questions if they are logging in from a device United has never seen associated with that account, trying to reset a password, or interacting with United via phone.

Some of the questions and answers United come up with.

Some of the questions and answers United come up with.

Yes, you read that right: The answers are pre-selected as well as the questions. For example, to the question “During what month did you first meet your spouse or significant other,” users may select only from one of…you guessed it — 12 answers (January through December).

The list of answers to another security question, “What’s your favorite pizza topping,” had me momentarily thinking I using a pull down menu at — waffling between “pepperoni” and “mashed potato.” (Fun fact: If you were previously unaware that mashed potatoes qualify as an actual pizza topping, United has you covered with an answer to this bit of trivia in its Frequently Asked Questions page on the security changes.)

I recorded a short video of some of these rather unique questions and answers.

United said it opted for pre-defined questions and answers because the company has found “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”

This struck me as a dramatic oversimplification of the threat. I asked United why they stated this, given that any halfway decent piece of malware that is capable of keylogging is likely also doing what’s known as “form grabbing” — essentially snatching data submitted in forms — regardless of whether the victim types in this information or selects it from a pull-down menu.

Benjamin Vaughn, director of IT security intelligence at United, said the company was randomizing the questions to confound bot programs that seek to automate the submission of answers, and that security questions answered wrongly would be “locked” and not asked again. He added that multiple unsuccessful attempts at answering these questions could result in an account being locked, necessitating a call to customer service.

United said it plans to use these same questions and answers — no longer passwords or PINs — to authenticate those who call in to the company’s customer service hotline. When I went to step through United’s new security system, I discovered my account was locked for some reason. A call to United customer service unlocked it in less than two minutes. All the agent asked me for was my frequent flyer number and my name.

(Incidentally, United still somewhat relies on “security through obscurity” to protect the secrecy of customer usernames by very seldom communicating the full frequent flyer number in written and digital communications with customers. I first pointed this out in my story about the data that can be gleaned from a United boarding pass barcode, because while the full frequent flyer number is masked with “x’s” on the boarding pass, the full number is stored on the pass’s barcode).

Conventional wisdom dictates that what little additional value security questions add to the equation is nullified when the user is required to choose from a set of pre-selected answers. After all, the only sane and secure way to use secret questions if one must is to pick answers that are not only incorrect and/or irrelevant to the question, but that also can’t be guessed or gleaned by collecting facts about you from background checking sites or from your various social media presences online.

Google published some fascinating research last year that spoke to the efficacy and challenges of secret questions and answers, concluding that they are “neither secure nor reliable enough to be used as a standalone account recovery mechanism.”

Overall, the Google research team found the security answers are either somewhat secure or easy to remember—but rarely both. Put another way, easy answers aren’t secure, and hard answers aren’t as useable.

But wait, you say: United asks you to answer up to five security questions. So more security questions equals more layers for the bad guys to hack through, which equals more security, right? Well, not so fast, the Google security folks found.

“When users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark,” the researchers wrote. “The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.”

Vaughn said the beauty of United’s approach is that it uniquely addresses the problem identified by Google researchers — that so many people in the study had so much trouble remembering the answers — by providing users with a set of pre-selected answers from which to choose.

An infographic from Google's research study on secret questions. Source: Google.

An infographic from Google’s research study on secret questions. Source: Google.

The security team at United reached out a few weeks back to highlight the new security changes, and in a conversation this week they asked what I thought about their plan. I replied that if United is getting pushback from security experts and tech publications about its approach, that’s probably because security people are techies/nerds at heart, and techies/nerds want options and stuff. Or at least the ability to add, enable or disable certain security features.

But the reality today is that almost any security system designed for use by tens of millions of people who aren’t techies is always going to cater to the least sophisticated user on the planet — and that’s about where the level of security for that system is bound to stay for a while.

So I told the United people that I was a somewhat despondent about this reality, mainly because I end up having little other choice but to fly United quite often.

“At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers,” Vaughn said. “We have to start with something that is universally available to our customers. We can’t sent a text message to you when you’re on an airplane or out of the country, we can’t rely on all of our customers to have a smart phone, and we didn’t feel it would be a great use of our customers’ time to send them in the mail 93 million secure ID tokens. We felt a powerful onus to do something, and the something we implemented we feel improves security greatly, especially for non-technical savvy customers.”

Arlan McMillan, United’s chief information security officer, said the basic system that the company has just rolled out is built to accommodate additional security features going forward. McMillan said United has discussed rolling out some type of app-based time-based one-time password (TOTP) systems (Google Authenticator is one popular TOTP example).

“It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to,” McMillan said. “We set the minimum bar here, and we think that’s a higher bar than you’re going to find at most of our competitors. And we’re going to do more, but we had to get this far first.”

Lest anyone accuse me of claiming that the thrust of this story is somehow newsy, allow me to recommend some related, earlier stories worth reading about United’s security changes:

TechCrunch: It’s Time to Publicly Shame United Airlines’ So-called Online Security

Slate: United Airlines Uses Multiple Choice Security Questions

21 Aug 15:08

Sixpenny, Stanmore

by Helen (Grab Your Fork)
Fergus Noodle

I donno

If there's one dessert you must hunt down right now it's the black truffle St Honore at Sixpenny. Originally only available for special occasion pre-orders, the dessert was such a hit that the kitchen will now occasionally make whole ones available for the day's diners. Individual slices are available as an additional dessert course until it sells out. It always does. 2014 Sebastien Brunet
24 Aug 00:56

A Life or Death Case of Identity Theft?

by BrianKrebs

Identity thieves have perfected a scam in which they impersonate existing customers at retail mobile phone stores, pay a small cash deposit on pricey new phones, and then charge the rest to the victim’s account. In most cases, switching on the new phones causes the victim account owner’s phone(s) to go dead. This is the story of a Pennsylvania man who allegedly died of a heart attack because his wife’s phone was switched off by ID thieves and she was temporarily unable to call for help.

On Feb. 20, 2016, James William Schwartz, 84, was going about his daily routine, which mainly consisted of caring for his wife, MaryLou. Mrs. Schwartz was suffering from the end stages of endometrial cancer and wasn’t physically mobile without assistance. When Mr. Schwartz began having a heart attack that day, MaryLou went to use her phone to call for help and discovered it was completely shut off.

Little did MaryLou know, but identity thieves had the day before entered a “premium authorized Verizon dealer” store in Florida and impersonated the Schwartzes. The thieves paid a $150 cash deposit to “upgrade” the elderly couple’s simple mobiles to new iPhone 6s devices, with the balance to be placed on the Schwartz’s account.

“Despite her severely disabled and elderly condition, MaryLou Schwartz was finally able to retrieve her husband’s cellular telephone using a mechanical arm,” reads a lawsuit (PDF) filed in Beaver County, Penn. on behalf of the Schwartz’s two daughters, alleging negligence by the Florida mobile phone store. “This monumental, determined and desperate endeavor to reach her husband’s working telephone took Mrs. Schwartz approximately forty minutes to achieve due to her condition. This vital delay in reaching emergency help proved to be fatal.”

By the time paramedics arrived, Mr. Schwartz was pronounced dead. MaryLou Schwartz died seventeen days later, on March 8, 2016. Incredibly, identity thieves would continue robbing the Schwartzes even after they were both deceased: According to the lawsuit, on April 14, 2016 the account of MaryLou Schwartz was again compromised and a tablet device was also fraudulently acquired in MaryLou’s name.

The Schwartz’s daughters say they didn’t learn about the fraud until after both parents passed away. According to them, they heard about it from the guy at a local Verizon reseller that noticed his longtime customers’ phones had been deactivated. That’s when they discovered that while their mother’s phone was inactive at the time of her father’s death, their father’s mobile had inexplicably been able to make but not receive phone calls.


Exactly what sort of identification was demanded of the thieves who impersonated the Schwartzes is in dispute at the moment. But it seems clear that this is a fairly successful and common scheme for thieves to steal (and, in all likelihood, resell) high-end phones.

Lorrie Cranor, chief technologist for the U.S. Federal Trade Commission, was similarly victimized this summer when someone walked into a mobile phone store, claimed to be her, asked to upgrade her phones and walked out with two brand new iPhones assigned to her telephone numbers.

“My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft,” Cranor wrote in a blog on the FTC’s site.  Cranor’s post is worth a read, as she uses the opportunity to explain how she recovered from the identity theft episode.

She also used her rights under the Fair Credit Reporting Act, which requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. Cranor said the mobile store took about twice that time to reply, but ultimately explained that the thief had used a fake ID with Cranor’s name but the impostor’s photo.

“She had acquired the iPhones at a retail store in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan,” Cranor wrote. “It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.”

Cranor notes that records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name.

“In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month,” she explained. “By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month.  Such thefts involved all four of the major mobile carriers.”

The reality, Cranor said, is that identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.

While dealing with diverted calls can be a hassle, having your phone calls and incoming text messages siphoned to another phone also can present new security problems, thanks to the growing use of text messages in authentication schemes for financial services and other accounts.

Perhaps the most helpful part of Cranor’s post is a section on the security options offered by the four major mobile providers in the U.S. For example, AT&T offers an “extra security” feature that requires customers to present a custom passcode when dealing with the wireless provider via phone or online.

“All of the carriers have slightly different procedures but seem to suffer from the same problem, which is that they’re relying on retail stores relying on store employee to look at the driver’s license,” Cranor told KrebsOnSecurity. “They don’t use services that will check the information on the drivers license, and so that [falls to] the store employee who has no training in spotting fake IDs.”

Some of the security options offered by the four major providers. Source: FTC.

Some of the security options offered by the four major providers. Source: FTC.

It’s important to note that secret passcodes often can be bypassed by determined attackers or identity thieves who are adept at social engineering — that is, tricking people into helping them commit fraud.

I’ve used a six-digit passcode for more than two years on my account with AT&T, and last summer noticed that I’d stopped receiving voicemails. A call to AT&T’s customer service revealed that all voicemails were being forwarded to a number in Seattle that I did not recognized or authorize.

Since it’s unlikely that the attackers in this case guessed my six-digit PIN, they likely tricked a customer service representative at AT&T into “authenticating” me via other methods — probably by offering static data points about me such as my Social Security number, date of birth, and other information that is widely available for sale in the cybercrime underground on virtually all Americans over the age of 35. In any case, Cranor’s post has inspired me to exercise my rights under the FCRA and find out for certain.

Vineetha Paruchuri, a masters in computer science student at Dartmouth College, recently gave a talk at the Bsides security conference in Las Vegas on her research into security at the major U.S. mobile phone providers. Paruchuri said all of the major mobile providers suffer from a lack of strict protocols for authenticating customers, leaving customer service personnel exposed to social engineering.

“As a computer science student, my contention was that if we take away the control from the humans, we can actually make this process more secure,” Paruchuri said.

Paruchuri said perhaps the most dangerous threat is the smooth-talking social engineer who spends time collecting information about the verbal shorthand or mobile industry patois used by employees at these companies. The thief then simply phones up customer support and poses as a mobile store technician or employee trying to assist a customer. This was the exact approach used in 2014, when young hooligans tricked my then-ISP Cox Communications into resetting the password for my Cox email account.

I suppose one aspect of this problem that makes the lack of strong customer authentication measures by the mobile industry so frustrating is that it’s hard to imagine a device which holds more personal and intimate details about you than your wireless phone. After all, your phone likely knows where you were last night, when you last traveled, the phone number you last called and numbers you most frequently text.

And yet, the best the mobile providers and their fleet of reseller stores can do to tell you apart from an ID thief is to store a PIN that could be bypassed by clever social engineers (who may or may not be shaving yet).


By the way, readers with AT&T phones may have received a notice this week that AT&T is making some changes to “authorized users” allowed on accounts. The notice advised that starting Sept. 1, 2016, customers can designate up to 10 authorized users per account.

“If your Authorized User does not know your account passcode or extra security passcode, your Authorized User may still access your account in a retail store using a Forgotten Passcode process. Effective Nov. 5, 2016, Authorized Users and those persons who call into Customer Service and provide sufficient account information (“Authenticated Callers”) Will have the ability to add a new line of service to your account. Such requests, whether made by you, an Authorized User, an Authenticated Caller or someone with online access to your account, will trigger a credit check on you.”

AT&T's message this week about upcoming account changes.

AT&T’s message this week about upcoming account changes.

I asked AT&T about what need this new policy was designed to address, and the company responded that AT&T has made no changes to how an authorized user can be added to an account. AT&T spokesman Jim Greer sent me the following:

“With this notice, we are simply increasing the number of authorized users you may add to your account and giving them the ability to add a line in stores or over the phone. We made this change since more customers have multiple lines for multiple people. Authorized users still cannot access the account holder’s sensitive personal information.”

“Over the past several years, the authentication process has been strengthened. In stores, we’re safeguarding customers through driver’s license or other government issued ID authentication.  We use a two-factor authentication when you contact us online or by phone that requires a one-time PIN. We’re continuing our efforts to better protect customers, with additional improvements on the horizon.”

“You don’t have to designate anyone to become an authorized user on your account. You will be notified if any significant changes are made to your account by an authorized user, and you can remove any person as an authorized user at any time.”

The rub is what AT&T does — or more specifically, what the AT&T customer representative does — to verify your identity when the caller says he doesn’t remember his PIN or passcode. If they allow PIN-less authentication by asking for your Social Security number, date of birth and other static information about you, ID thieves can defeat that easily.

Has someone fraudulently ordered phone service or phones in your name? Sound off in the comments below.

If you’re wondering what you can do to shield yourself and your family against identity theft, check out these primers:

How I Learned to Stop Worrying and Embrace the Security Freeze (this primer goes well beyond security freezes and includes a detailed Q&A as well as other tips to help prevent and recover from ID theft).

Are Credit Monitoring Services Worth It? 

What Tax Fraud Victims Can Do

The Lowdown on Freezing Your Kid’s Credit

16 Aug 20:15


by hell-baby