Shared posts

11 Nov 01:53

cat-cosplay: “Look to the future, because that is where you’ll...

cat-cosplay:

“Look to the future, because that is where you’ll spend the rest of your life.” ~George Burns

Cat Cosplay, Harry Potter

10 Nov 21:23

archiemcphee: Cats can and will do whatever they want....

archiemcphee:

Cats can and will do whatever they want. Previously we’ve met a cat who attends school in California, another who frequents a grocery store, a busy kitty on the go who likes to ride the train, and a dutiful cat that helps run a train station in Japan. Now let’s meet Sailor, our first feline Ship’s Captain.

Captain Sailor is a Persian cat who’s been working on a Russian tourist ship since 2008. The ship cruises between Moscow and St. Petersburg and is co-captained by a human, Captain Vladimir Kotin, who also helps Sailor keep his uniform lint-free.

Sailor keeps watch on the bridge of this ship every night from midnight to 4am. He now also has a Scottish Fold subordinate named Boatswain, who is apparently often caught napping on the job:

[via My Modern Metropolis]

24 Oct 18:27

the signs as cats in halloween costumes

horrorscopetoday:

Aries

Taurus

Gemini

Cancer

Leo

Virgo

Libra

Scorpio

Sagittarius

Capricorn 

Aquarius

Pisces

16 Oct 21:59

Photo

by hell-baby


14 Oct 23:14

What Happened When One NYC Pharmacy Charged Men More

by Bridget Crawford

What Happened When One NYC Pharmacy Charged Men More

image credit: breibart.com

Thompson Chemists in the Soho neighborhood of New York City got some attention this week when it posted signs saying “All female customers shop tax free” and “All male customers subject to a 7% man tax.” Here’s some press coverage of the event from Gothamist:

Jolie Alony, who has owned the pharmacy for 22 years and lives in SoHo, said she wants men who shop at her store to understand the extra costs that women bear when they shop.

“We want to bring awareness on how it feels to be a woman, so the men actually get to feel it,” she said. * * * Despite what her signs say, Alony explained, men aren’t actually coughing up more than they normally would at the register; rather, she’s offering a 7 percent discount for women—effectively cutting out sales tax. She’s still required to report all sales and pay out the sales tax in full, so, she said, she’s just making up the difference herself.

The policy is being run as a promotion—Alony said she’ll see how the day goes and decide if she wants to keep it in place.

Thompson Chemists later posted this note on its Facebook page (see more press coverage here):

Calm down SoHo friends!

As stated in the article: “men aren’t actually coughing up more than they normally would at the register; rather, she’s offering a 7 percent discount for women—“
this makes up for how women are often overcharged for over-the-counter and beauty products (on average 7% according to the NYC Department of Consumer Affairs).

This is a friendly reminder to treat your friends and neighbors as equals and to read articles in their entirety before passing judgment.

With love from your neighborhood pharmacy,
Thompson Chemists

The Gothamist article says that the New York City Department of Consumer Affairs “wrote back to Gothamist to explain that there’s no legal issue with the Thompson Chemist promotion, as there isn’t a prohibition on price discrimination for goods. It is illegal, however, to discriminate in the pricing of services.” I would be surprised if it is correct that vendors can legally discriminate in price, based on the sex of the customer. The finer point is that Thompson Chemists is essentially giving a discount to women and not men by paying the women’s sales tax themselves. In other words, Thompson Chemists is still on the hook for paying to New York State the sales tax on all of the (taxable) property it sells; the store is simply choosing to cover some of the tax itself.

I love the awareness that Thompson Chemists is raising, but I do wonder if it is legal to offer discounts to one group and not the other, on the basis of sex. Or, are discounts so inherently discretionary that the law defers to the judgment of the store offering the discount? Con Law experts, please chime in.

Feminist Law Professors

11 Oct 06:13

Springtime Strawberry And Lime Coconut Muffins

Fergus Noodle

NQN shares her favourite memes with us

Looking for delicious baked goods for a crowd or to pop in a lunchbox? These soft lime and coconut muffins are dairy free and full of zesty lime and creamy coconut. And the piece de resistance are the sliced and fanned strawberries on top!
11 Oct 03:59

Getting Messy With It! Rib-O-Rama Or The Best Ribs in Sydney Challenge!

Fergus Noodle

They go the 'I'm Angus' which is the restaurant our dog owns.

Looking for Sydney's best pork ribs? How about a day spent eating ribs at 10 rib places all over Sydney? That was the challenge set to my intrepid group of friends. Strap on your bibs and get your wet wipes out. It's going to get messy in here as we sample Sydney's sauciest pork ribs!
10 Oct 20:47

NSW Liberal’s Bill to kill

by Saving Our Trees
What is wrong with the Baird Liberal government? An article in today’s Sydney Morning Herald ( http://bit.ly/2dxn4Bx ) says that the Baird government will abolish the need to get a licence to kill native animals. “Last year 47,000 native animals and birds were killed in NSW by property owners using a “s121 licence”.” 47,000! If […]
10 Oct 20:46

Barzaari, Marrickville

by Helen (Grab Your Fork)
Fergus Noodle

let's go here

If you've never had pide bread fresh from a woodfired oven you need to. Shaped into elongated boats, fresh pide is warm in the fingers and soft in the mouth, its surface of gently puffed bubbles brushed with olive oil and sprinkled with nigella seeds. It's one of the highlights at Barzaari, Marrickville's latest gustatory beacon, headed by chef and co-owner Darryl Martin whose CV includes
08 Oct 10:20

Girls Exposed to a Diverse Set of Scientists Shift their Assumption that They’re Mostly Men, But Boys Do Not

by Gwen Sharp, PhD

Flashback Friday.

Eden H. sent in an exploratory study about kids’ stereotypes of scientists. The U.S. Department of Energy’s Fermilab asked 7th graders to draw and describe a “scientist” before and after visiting the lab on a class trip. They first read about Fermilab, then came to the lab, met with some of the scientists and talked about their work. From the Fermilab website:

What we changed for this field trip was the before and after descriptions and small group sessions for each student to meet with two of three physicists rather than one large group session. We deliberately chose a typical white male, a young female and an African American physicist. We let the students and physicist take their discussion where they wanted.

Here are some of the before-and-after pictures and descriptions (all 31 are available here):

In general, the students seemed to come away with an idea of scientists as being more like “normal” people, not just stereotypical geeks in lab coats. But some of the other changes are interesting, too. The author of a post about the study at Restructure! analyzed the before-and-after images (as best as she could identify the sex of the drawings):

  • Among girls (14 in total), 36% portrayed a female scientist in the “before” drawing, and 57% portrayed a female scientist in the “after” drawing.
  • Among boys (17 in total), 100% portrayed a male scientist in the “before” drawing, and 100% portrayed a male scientist in the “after” drawing.

I looked through all of them and only saw one instance (posted above) where the child changed the scientists to be clearly non-White.

Of course this is a small sample, but the results seem to reproduce what other studies have found regarding the importance of role models and gender stereotyping, in particular, that girls are more likely to imagine themselves in careers when they see women doing them. For instance, the relative lack of female professors in male-dominated departments such as engineering may play a role in discouraging women from choosing to major in such fields (as well as other factors such as steering, concerns about family/work conflicts, etc.).

Originally posted in 2010.

Gwen Sharp, PhD is a professor of sociology and the Associate Dean of liberal arts and sciences at Nevada State College. 

(View original at https://thesocietypages.org/socimages)

07 Oct 05:15

The Sopranos Inspired Satriale's Sandwich Deli, Kensington

Fergus Noodle

I feel like we have very very sad sandwiches in Australia

"OMG honey, there's a sandwich bar in Kensington! We're getting more places to eat!" I said excitedly. Okay it was literally one new place so I perhaps shouldn't get too excited but if you're a Sopranos fan the name will ring a bell. Satriale's sandwich deli is named after the one that Tony Soprano owned in the television series. And they make New Jersey Italian style sandwiches.
29 Sep 02:30

Food Glorious Food ... 2016-9-28 ..

by Barbara Neubeck
Fergus Noodle

I wondered why Barbara was suddenly eating more colourful food


 Hello...
 The biggest thing in our daily life at the moment is FOOD .....

Hubby's Doctor has told him he has to go on an eating plan to lose weight because he is heading for more health problems if he doesn't lose weight soon.

I'm joining him on this adventure as I need to lose some weight too.....


.........  this is Bolognaise with Cauliflower rice.....  it was delicious...


  ...........  this is Steak with salad and a sauce from the pan juices and creme fraiche...  beautiful...

............  this is prawns (shrimp)  with Greek Salad .....I had this at the club on Monday......

.... now this one is Warm beetroot and orange slices on a  bed of chinese cabbage with walnuts and sardines.....   we all really liked this ...you could use other fish  ......

                                                  ...   baked pork with salad....  

I won't go on any more...  lol  ......

I'm just happy Hubby is liking it enough to plan to stick with it....   I love salad warm or cold...  

I'm cooking Potato and pasta for Mum and she has a sandwich for lunch and weet bix for breakfast as she normally does ..... for us it's super low carb....
..So glad hubby is off the meal replacement shakes    he was always hungry...  with this plan he's not hungry at all....
...  and ....  he has lost 3 kg in 10 days.....  
I lost 1.5 kg   in this time ...  loving it...   xxxxx


Can't leave without a flower .....



... and a feather ......


...   have a good day ....     Barb  xxxxx                                                                                                             
29 Sep 01:03

The Whole Kit and Ka-Boodle. A Boodle Feast at Sizzling Fillo, Lidcombe

Fergus Noodle

They've got karaoke

It's a Sunday night at Sizzling Fillo restaurant in Lidcombe and it's fairly busy. The walls on one side of the restaurant have painted red bricks with blacked out areas. A wedding altar stands at the back of the karaoke stage. There's a woman wearing a tiara and sash at the head of a long table spread with banana leaves. Her table is laid with a boodle feast. So what is a boodle?
28 Sep 04:32

Photo

by hell-baby




27 Sep 22:16

culturenlifestyle: The Most Regal, Friendly and Fluffy Kitten...

by hell-baby

culturenlifestyle:


The Most Regal, Friendly and Fluffy Kitten In The World Is Named Aurora

Aurora is a unique and elegant cat with pristine snow white fur and sparkling blue eyes. 

20 Sep 15:18

Burgerlicious Ume Burger, Surry Hills

"Should we double the burger?" I say to Viggo. He looks at me slightly surprised, "Is that even a question?" he responds. We are at Ume Burger, formerly Ume restaurant a fine dining Japanese restaurant on Bourke Street in Surry Hills. And like some chefs and restaurants Ume's Kirby Craig has done a 180° turn towards more casual dining. Burgers to be exact with a Japanese bent to them.
18 Sep 04:21

Teemu, 30

“I’m wearing my most expensive shirt, a vintage Moschino and my cheapest shorts which I bought at Zeeman in Holland for 3,99 euros. The Fila shoes I bought online, because I couldn’t find any funny shoes at the stores in Finland.”

21 June 2016, Siltasaarenkatu

17 Sep 07:39

Hop to It at Hopper Kadé, Sydney

Fergus Noodle

This looks like the sort of thing I am in to

I've always said that my readers are the best. They are the most generous, non-judgemental souls and when I've met them we've fallen into an easy conversation about food. Recently a Dear Reader, Romany, told me about a hopper place in Sydney called Hopper Kadé. Hoppers are a Sri Lankan food that are like a round crispy pancake with a slight upturned bowl edge.
12 Sep 00:38

Meatmaiden, Melbourne

by Helen (Grab Your Fork)
Fergus Noodle

Seems like something ppl would be interested in

Meat. It takes centre stage at Melbourne's Meatmaiden, showcased in a backlit display cabinet like precious jewels. Forget about Breakfast at Tiffany's. I'd rather eat my croissant with this view instead. I visited Meatmaiden a little while back on a work trip to Melbourne. Currently I'm a few days post-double wisdom teeth removal - hence the missing post from last week - and if there's one
08 Sep 06:58

The Limits of SMS for 2-Factor Authentication

by BrianKrebs

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

Mark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.

In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

This is a fairly clever — if not novel — attack, and it’s one I’d wager would likely fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.

Nevertheless, text messaging codes to users isn’t the safest way to do two-factor authentication, even if some entities — like the U.S. Social Security Administration and Sony’s Playstation network — are just getting around to offering two-factor via SMS.

But don’t take my word for it. That’s according to the National Institute of Standards and Technology (NIST), which recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-based one-time passwords generated by mobile apps — over text messaging. By the way, NIST is seeking feedback on these recommendations.

If anyone’s interested, Sophos’s Naked Security blog has a very readable breakdown of what’s new in the NIST guidelines. Among my favorite highlights is this broad directive: Favor the user.

“To begin with, make your password policies user friendly and put the burden on the verifier when possible,” Sophos’s Chester Wisniewski writes. “In other words, we need to stop asking users to do things that aren’t actually improving security.” Like expiring passwords and making users change them frequently, for example.

Okay, so the geeks-in-chief are saying it’s time to move away from texting as a form of 2-factor authentication. And, of course, they’re right, because text messages are a lot like email, in that it’s difficult to tell who really sent the message, and the message itself is sent in plain text — i.e. is readable by anyone who happens to be lurking in the middle.

But security experts and many technology enthusiasts have a tendency to think that everyone should see the world through the lens of security, whereas most mere mortal users just want to get on with their lives and are perfectly content to use the same password across multiple sites — regardless of how many times they’re told not to do so.

Google's new push-based two-factor authentication system. Image: Google.

Indeed, while many more companies now offer some form of two-factor authentication than did two or three years ago — consumer adoption of this core security feature remains seriously lacking. For example, the head of security at Dropbox recently told KrebsOnSecurity that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. And Dropbox isn’t exactly a Johnny-come-lately to the 2-factor party: It has been offering 2-factor logins for a full four years now.

I doubt Dropbox is somehow an aberration in this regard, and it seems likely that other services also suffer from single-digit two-factor adoption rates. But if more consumers haven’t enabled two-factor options, it’s probably because a) it’s still optional and b) it still demands too much caring and understanding from the user about what’s going on and how these security systems can be subverted.

Personally, I favor app-based time-based one-time password (TOTP) systems like Google Authenticator, which continuously auto-generates a unique code via a mobile-based app.

Google recently went a step further along the lines of where I’d like to see two-factor headed across the board, by debuting a new “push” authentication system that generates a prompt on the user’s mobile device that users need to tap to approve login requests. This is very similar to another push-based two-factor system I’ve long used and trusted — from Duo Security [full disclosure: Duo is an advertiser on this site].

For a comprehensive breakdown of which online services offer two-factor authentication and of what type, check out twofactorauth.org. And bear in mind that even if text-based authentication is all that’s offered, that’s still better than nothing. What’s more, it’s still probably more security than the majority of the planet has protecting their accounts.
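The TOTP scheme the post recommends over SMS codes, shown as an added example (not code from the KrebsOnSecurity post or from Google Authenticator): both sides derive the code from a shared secret and the current 30-second time step, so no code ever travels over the phone network, and the verifier below also refuses to accept a time step it has already accepted, so a code that was phished out of a user in one login attempt cannot be replayed. The secret and timestamps are the RFC 6238 test vectors; `window` and `last_counter` are this example's own parameter names.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example, not from the original post. The secret is the RFC 6238
test-vector secret (the ASCII string "12345678901234567890"), not a real key.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 test-vector secret, constructed for demonstration only.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter=None, step: int = 30, digits: int = 6,
                window: int = 1, algo=hashlib.sha1):
    """Verifier side, as a relying party would implement it.

    Accepts the code for the current step or up to `window` steps on either
    side (tolerates clock drift), compares in constant time, and rejects any
    step at or before `last_counter`, the last step this account already used,
    so a captured or phished code cannot be replayed.
    Returns (accepted, counter_to_store).
    """
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != digits:
        return False, last_counter
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue                              # already consumed: replay
        if hmac.compare_digest(hotp(secret, counter, digits, algo), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # What an authenticator app shows right now for the demo secret.
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```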

07 Sep 22:23

WestConnex Authority starts destruction of remnant forest

by Saving Our Trees
Some days the news is just bad & today is one of those days. The Wolli Creek Regional Park is our closest area of bushland. It is vitally important for wildlife because, really there is nowhere else that offers decent habitat for wildlife in the area.  The park, managed by the NSW National Parks & […]
06 Sep 06:27

Location Privacy: The Purview of the Rich and Indigent

by BrianKrebs

I’d just finished parking my car in the covered garage at Reagan National Airport just across the river from Washington, D.C. when I noticed a dark green minivan slowly creeping through the row behind me. The vehicle caught my attention because its driver didn’t appear to be looking for an open spot. What’s more, the van had what looked like two cameras perched atop its roof — one of each side, both pointed down and slightly off to the side.

I had a few hours before my flight boarded, so I delayed my walk to the terminal and cut through several rows of cars to snag a video of the guy moving haltingly through another line of cars. I approached the driver and asked what he was doing. He smiled and tilted the lid on his bolted-down laptop so that I could see the pictures he was taking with the mounted cameras: He was photographing every license plate in the garage (for the record, his plate was a Virginia tag number 36-646L).

A van at Reagan National Airport equipped with automated license plate readers fixed to the roof.

The man said he was hired by the airport to keep track of the precise location of every car in the lot, explaining that the data is most often used by the airport when passengers returning from a trip forget where they parked their vehicles. I checked with the Metropolitan Washington Airports Authority (MWAA), which manages the garage, and they confirmed the license plate imaging service was handled by a third-party firm called HUB Parking.

I’m accustomed to having my license plate photographed when entering a parking area (Dulles International Airport in Virginia does this), but until that encounter at Reagan National I never considered that this was done manually.

“Reagan National uses this service to assist customers in finding their lost vehicles,” said MWAA spokesperson Kimberly Gibbs. “If the customer remembers their license plate it can be entered into the system to determine what garages and on what aisle their vehicle is parked.”

What does HUB Parking do with the information its clients collect? Ilaria Riva, marketing manager for HUB Parking, says the company does not sell or share the data it collects, and that it is up to the client to decide how that information is stored or shared.

“It is true the solution that HUB provides to our clients may collect data, but HUB does not own the data nor do we have any control over what the customer does with it,” Riva said.

Gibbs said MWAA does not share parking information with outside organizations. But make no mistake: the technology used at Reagan National Airport, known as automated license plate reader or ALPR systems, is already widely deployed by municipalities, police forces and private companies — particularly those in the business of repossessing vehicles from deadbeat owners who don’t pay their bills.

It’s true that people have zero expectation of privacy in public places — and roads and parking garages certainly are public places for the most part. But according to the Electronic Frontier Foundation (EFF), the data collected by ALPR systems can be very revealing, and in many cities ALPR technology is rapidly outpacing the law.

“By matching your car to a particular time, date and location, and then building a database of that information over time, law enforcement can learn where you work and live, what doctor you go to, which religious services you attend, and who your friends are,” the EFF warns.

A 2014 ABC News investigation in Los Angeles found the technology broadly in use by everyone from the local police to repo men. The story notes that there are little or no restrictions on what private companies that collect time- and location-stamped license plate data can do with the information. As a result, they are selling it to insurers, banks, law enforcement and federal agencies.

In Texas, the EFF highlights how state and local law enforcement agencies have free access to ALPR equipment and license plate data maintained by a private company called Vigilant Solutions. In exchange, police cruisers are retrofitted with credit-card machines so that law enforcement officers can take payments for delinquent fines and other charges on the spot — with a 25 percent processing fee tacked on that goes straight to Vigilant. In essence, the driver is paying Vigilant to provide the local cops with the technology used to identify and detain the driver.

“The ‘warrant redemption’ program works like this,” the EFF wrote. “The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.”

That’s right: Even if the contract between the state and Vigilant ends, the latter gets to keep all of the license plate data collected by the agency, and potentially sell or license the information to other governments or use it for other purposes.

I wanted to write this story not because it’s particularly newsy, but because I was curious about a single event and ended up learning a great deal that I didn’t already know about how pervasive this technology has become.

Yes, we need more transparency about what companies and governments are doing with information collected in public. But here’s the naked truth: None of us should harbor any illusions about maintaining the privacy of our location at any given moment — particularly in public spaces.

As it happens, location privacy is a considerably expensive and difficult goal for most Americans to attain and maintain. Our mobile phones are constantly pinging cell towers, making it simple for mobile providers and law enforcement agencies to get a fix on your location within a few dozen meters.

Obscuring the address of your residence is even harder. If you’ve ever had a mortgage on your home or secured utilities for your residence using your own name, chances are excellent that your name and address are in thousands of databases, and can be found with a free or inexpensive public records search online.

Increasingly, location privacy is the exclusive purview of two groups of Americans: Those who are indigent and/or homeless and those who are wealthy. Only the well-off can afford the substantial costs and many petty inconveniences associated with separating one’s name from their address, vehicle, phone records and other modern niceties that make one easy to track and find.

31 Aug 22:00

Indian Toasties | Paneer Toast

by Ganga108
A spicy toastie filled with paneer and tomato.
30 Aug 00:20

Photo

by hell-baby


29 Aug 23:33

Milo Whisky Chocolate Cake With Chocolate Fudge Frosting For Father's Day!

Looking for something delicious to make your father for Father's Day coming up? Or just looking for a kick ass cake that doesn't hold back in a rich chocolatey malt flavour? This triple layer cake is both of those things! It's an incredibly rich cake with plenty of dark chocolate enriched with whisky. And the frosting? Well it's a gorgeous, spreadable dreamy chocolate fudge frosting that is a cinch to make!
29 Aug 07:23

Aaboll Cafe, Merrylands

by Helen (Grab Your Fork)
Fergus Noodle

Hell yeah

Ethiopian restaurants in Sydney are few and far between but that makes Aaboll Cafe even more of a treasure, tucked in amongst the multicultural hubbub that is Merrylands. Walk past the cafe set-up out the front and step through to a rear dining room splashed with colour. The cheeriness of decor is matched by a warm and cheerful reception from staff, happy to lead any newcomers through their
28 Aug 05:08

Movie or TV Snackables: Chocolate Almond Popcorn

Movie or TV nights have never been as much fun as with a cup of this chocolate almond popcorn. This chocolate nut combination is a sure fire crowd pleaser and making popcorn from scratch is as simple as having a paper bag! Trust me :)
26 Aug 17:31

What's a good radio station because I'm having trouble finding one and last week..

by noreply@blogger.com (Merlesworld)
Fergus Noodle

Merle should review radio shows

I have just turned the radio on and somehow the station was moved and I'm on The Kyle and Jacki-O show. Maybe I'm too old for radio today but these two are beyond belief. The news was on so I left it there; they stuck an ad in the news, never come across that before. Then Kyle was telling everyone about all the stuff he had stolen from hotel rooms in his life, the same as Kim K he stated. Why are these two not arrested and locked up for theft, or do hotels just add more to their bills to cover costs? Makes sense to do so. Then there was an interview with Jason someone who was a singer in the USA. He is 26 and has done well in this field; the questions were about his sex life and what car he was driving, not much about his music career, but they did play one of his songs. "Touch the sky" it was called, not bad, a few swear words thrown in but that is common these days. There was a delay between the questions and the answers. I know it was an overseas interview but I got the feeling he was being a bit cagey about his answers. In all honesty if someone had asked me some of those questions I would just tell them to bugger off.
This is my shed not much floor now but with luck the floor will be back in a few months, the son and daughter in law have moved all their stuff out of the house they sold but not moved it to QLD so it's in my shed for the time being.

Their back yard and the Beer Fairy looking confused.
They have a lot of paint.
The shed was pretty full of left over building supplies
but the house is now completely empty

I always liked their entrance gate
and these stickers didn't come off but they are cute, the beer fairy really likes this mirror, bet you can't guess what it is made of.
We all got together for a meal and I caught a train there as they had hired a van with only 3 seats and the beer fairy caught the train home.
Interesting trip, I encountered a steam train at Strathfield Station, not seen one in years in Sydney. Love the sound and sight of these trains, the smell not so much; the driver blew his whistle a lot and everyone took photos.


Me at dinner, as you can see it's cold. I can't turn these photos, so you get a sideways view.
25 Aug 07:14

United Airlines Sets Minimum Bar on Security

by BrianKrebs

United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes — moving from 4-digit PINs to passwords and requiring customers to pick five different security questions and answers — may seem like a security playbook copied from Yahoo.com, circa 2009. Here’s a closer look at what’s changed in how United authenticates customers, and hopefully a bit of insight into what the nation’s fourth-largest airline is trying to accomplish with its new system.

United, like many other carriers, has long relied on a frequent flyer account number and a 4-digit personal identification number (PIN) for authenticating customers at its Web site. This has left customer accounts ripe for takeover by crooks who specialize in hacking and draining loyalty accounts for cash.

Earlier this year, however, United began debuting new authentication systems wherein customers are asked to pick a strong password and to choose from five sets of security questions and pre-selected answers. Customers may be asked to provide the answers to two of these questions if they are logging in from a device United has never seen associated with that account, trying to reset a password, or interacting with United via phone.

Some of the questions and answers United came up with.

Yes, you read that right: The answers are pre-selected as well as the questions. For example, to the question “During what month did you first meet your spouse or significant other,” users may select only from one of…you guessed it — 12 answers (January through December).

The list of answers to another security question, “What’s your favorite pizza topping,” had me momentarily thinking I was using a pull-down menu at Dominos.com — waffling between “pepperoni” and “mashed potato.” (Fun fact: If you were previously unaware that mashed potatoes qualify as an actual pizza topping, United has you covered with an answer to this bit of trivia in its Frequently Asked Questions page on the security changes.)

I recorded a short video of some of these rather unique questions and answers.

United said it opted for pre-defined questions and answers because the company has found “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”

This struck me as a dramatic oversimplification of the threat. I asked United why they stated this, given that any halfway decent piece of malware that is capable of keylogging is likely also doing what’s known as “form grabbing” — essentially snatching data submitted in forms — regardless of whether the victim types in this information or selects it from a pull-down menu.

Benjamin Vaughn, director of IT security intelligence at United, said the company was randomizing the questions to confound bot programs that seek to automate the submission of answers, and that security questions answered wrongly would be “locked” and not asked again. He added that multiple unsuccessful attempts at answering these questions could result in an account being locked, necessitating a call to customer service.

United said it plans to use these same questions and answers — no longer passwords or PINs — to authenticate those who call in to the company’s customer service hotline. When I went to step through United’s new security system, I discovered my account was locked for some reason. A call to United customer service unlocked it in less than two minutes. All the agent asked me for was my frequent flyer number and my name.

(Incidentally, United still somewhat relies on “security through obscurity” to protect the secrecy of customer usernames by very seldom communicating the full frequent flyer number in written and digital communications with customers. I first pointed this out in my story about the data that can be gleaned from a United boarding pass barcode, because while the full frequent flyer number is masked with “x’s” on the boarding pass, the full number is stored on the pass’s barcode).

Conventional wisdom dictates that what little additional value security questions add to the equation is nullified when the user is required to choose from a set of pre-selected answers. After all, the only sane and secure way to use secret questions, if one must use them, is to pick answers that are not only incorrect and/or irrelevant to the question, but that also can’t be guessed or gleaned by collecting facts about you from background checking sites or from your various social media presences online.

Google published some fascinating research last year that spoke to the efficacy and challenges of secret questions and answers, concluding that they are “neither secure nor reliable enough to be used as a standalone account recovery mechanism.”

Overall, the Google research team found the security answers are either somewhat secure or easy to remember — but rarely both. Put another way, easy answers aren’t secure, and hard answers aren’t as usable.

But wait, you say: United asks you to answer up to five security questions. So more security questions equals more layers for the bad guys to hack through, which equals more security, right? Well, not so fast, the Google security folks found.

“When users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark,” the researchers wrote. “The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.”

Vaughn said the beauty of United’s approach is that it uniquely addresses the problem identified by Google researchers — that so many people in the study had so much trouble remembering the answers — by providing users with a set of pre-selected answers from which to choose.
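To put numbers on the argument above, here is an added example (not code from the article, Google or United) that models how quickly an attacker who guesses from a fixed answer menu succeeds, given a lockout after a handful of submissions. Only the twelve-month menu comes from the article; the pizza-topping popularity figures are constructed for illustration, and the attacker model (knows answer popularity, tries the most likely combinations first) is an assumption.

```python
"""Guessability of multiple-choice security questions (added example)."""
from itertools import product
from math import log2, prod

# Constructed answer distributions (not United's real data): each question maps
# an answer option to an assumed fraction of users who would pick it.
# Twelve equally likely months, and a deliberately skewed topping list.
MONTHS = {m: 1 / 12 for m in (
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")}
TOPPINGS = {"pepperoni": 0.35, "cheese": 0.20, "mushroom": 0.12, "sausage": 0.10,
            "ham": 0.08, "olive": 0.05, "pineapple": 0.04, "onion": 0.03,
            "anchovy": 0.02, "mashed potato": 0.01}


def entropy_bits(dist):
    """Shannon entropy of one question's answer distribution, in bits."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def ranked_combos(dists):
    """Joint probabilities of every answer combination, most likely first."""
    return sorted((prod(ps) for ps in product(*(d.values() for d in dists))),
                  reverse=True)


def joint_success(dists, submissions):
    """Probability an attacker who must answer every question in `dists`
    correctly in one submission succeeds within `submissions` tries, when
    each try is a distinct combination taken in order of popularity."""
    return min(1.0, sum(ranked_combos(dists)[:submissions]))


def uniform_success(sizes, submissions):
    """Same quantity if every option were equally likely (best case for the
    defender): submissions out of the joint answer space."""
    return min(1.0, submissions / prod(sizes))


def submissions_to_reach(dists, target):
    """Smallest number of submissions giving the attacker at least `target`
    success probability; a lockout threshold must stay below this."""
    total = 0.0
    for n, p in enumerate(ranked_combos(dists), start=1):
        total += p
        if total >= target:
            return n
    return None


if __name__ == "__main__":
    for name, qs in (("month+month", [MONTHS, MONTHS]),
                     ("month+topping", [MONTHS, TOPPINGS])):
        print(f"{name}: {sum(map(entropy_bits, qs)):.2f} bits, "
              f"3 tries -> {joint_success(qs, 3):.2%}, "
              f"1% reached after {submissions_to_reach(qs, 0.01)} tries")
```

Google's cited figure for two free-text questions is 1% success in ten guesses; here three tries at two uniform twelve-option menus already exceed 2%, and a skewed menu pushes the first guess alone near 3%.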

An infographic from Google's research study on secret questions. Source: Google.

The security team at United reached out a few weeks back to highlight the new security changes, and in a conversation this week they asked what I thought about their plan. I replied that if United is getting pushback from security experts and tech publications about its approach, that’s probably because security people are techies/nerds at heart, and techies/nerds want options and stuff. Or at least the ability to add, enable or disable certain security features.

But the reality today is that almost any security system designed for use by tens of millions of people who aren’t techies is always going to cater to the least sophisticated user on the planet — and that’s about where the level of security for that system is bound to stay for a while.

So I told the United people that I was somewhat despondent about this reality, mainly because I end up having little other choice but to fly United quite often.

“At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers,” Vaughn said. “We have to start with something that is universally available to our customers. We can’t send a text message to you when you’re on an airplane or out of the country, we can’t rely on all of our customers to have a smart phone, and we didn’t feel it would be a great use of our customers’ time to send them in the mail 93 million secure ID tokens. We felt a powerful onus to do something, and the something we implemented we feel improves security greatly, especially for non-technical savvy customers.”

Arlan McMillan, United’s chief information security officer, said the basic system that the company has just rolled out is built to accommodate additional security features going forward. McMillan said United has discussed rolling out some type of app-based time-based one-time password (TOTP) system (Google Authenticator is one popular TOTP example).

“It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to,” McMillan said. “We set the minimum bar here, and we think that’s a higher bar than you’re going to find at most of our competitors. And we’re going to do more, but we had to get this far first.”

Lest anyone accuse me of claiming that the thrust of this story is somehow newsy, allow me to recommend some related, earlier stories worth reading about United’s security changes:

TechCrunch: It’s Time to Publicly Shame United Airlines’ So-called Online Security

Slate: United Airlines Uses Multiple Choice Security Questions

24 Aug 23:20

Sixpenny, Stanmore

by Helen (Grab Your Fork)
Fergus Noodle

I donno

If there's one dessert you must hunt down right now it's the black truffle St Honore at Sixpenny. Originally only available for special occasion pre-orders, the dessert was such a hit that the kitchen will now occasionally make whole ones available for the day's diners. Individual slices are available as an additional dessert course until it sells out. It always does. 2014 Sebastien Brunet