Cats can and will do whatever they want. Previously we’ve met a cat who attends school in California, another who frequents a grocery store, a busy kitty on the go who likes to ride the train, and a dutiful cat that helps run a train station in Japan. Now let’s meet Sailor, our first feline Ship’s Captain.
Captain Sailor is a Persian cat who’s been working on a Russian tourist ship since 2008. The ship cruises between Moscow and St. Petersburg and is co-captained by a human, Captain Vladimir Kotin, who also helps Sailor keep his uniform lint-free.
Sailor keeps watch on the bridge of this ship every night from midnight to 4am. He now also has a Scottish Fold subordinate named Boatswain, who is apparently often caught napping on the job:
[via My Modern Metropolis]
image credit: breibart.com
Thompson Chemists in the Soho neighborhood of New York City got some attention this week when it posted signs saying “All female customers shop tax free” and “All male customers subject to a 7% man tax.” Here’s some press coverage of the event from Gothamist:
Jolie Alony, who has owned the pharmacy for 22 years and lives in SoHo, said she wants men who shop at her store to understand the extra costs that women bear when they shop.
“We want to bring awareness on how it feels to be a woman, so the men actually get to feel it,” she said. * * * Despite what her signs say, Alony explained, men aren’t actually coughing up more than they normally would at the register; rather, she’s offering a 7 percent discount for women—effectively cutting out sales tax. She’s still required to report all sales and pay out the sales tax in full, so, she said, she’s just making up the difference herself.
The policy is being run as a promotion—Alony said she’ll see how the day goes and decide if she wants to keep it in place.
Calm down SoHo friends!
As stated in the article: “men aren’t actually coughing up more than they normally would at the register; rather, she’s offering a 7 percent discount for women—“
this makes up for how women are often overcharged for over-the-counter and beauty products (on average 7% according to the NYC Department of Consumer Affairs).
This is a friendly reminder to treat your friends and neighbors as equals and to read articles in their entirety before passing judgment.
With love from your neighborhood pharmacy,
The Gothamist article says that the New York City Department of Consumer Affairs “wrote back to Gothamist to explain that there’s no legal issue with the Thompson Chemist promotion, as there isn’t a prohibition on price discrimination for goods. It is illegal, however, to discriminate in the pricing of services.” I would be surprised if it is correct that vendors can legally discriminate in price, based on the sex of the customer. The finer point is that Thompson Chemists is essentially giving a discount to women and not men by paying the women’s sales tax themselves. In other words, Thompson Chemists is still on the hook for paying to New York State the sales tax on all of the (taxable) property it sells; the store is simply choosing to cover some of the tax itself.
I love the awareness that Thompson Chemists is raising, but I do wonder if it is legal to offer discounts to one group and not the other, on the basis of sex. Or, are discounts so inherently discretionary that the law defers to the judgment of the store offering the discount? Con Law experts, please chime in.
Girls Exposed to a Diverse Set of Scientists Shift their Assumption that They’re Mostly Men, But Boys Do Not
Eden H. sent in an exploratory study about kids’ stereotypes of scientists. The U.S. Department of Energy’s Fermilab asked 7th graders to draw and describe a “scientist” before and after visiting the lab on a class trip. They first read about Fermilab, then came to the lab, met with some of the scientists and talked about their work. From the Fermilab website:
What we changed for this field trip was the before and after descriptions and small group sessions for each student to meet with two of three physicists rather than one large group session. We deliberately chose a typical white male, a young female and an African American physicist. We let the students and physicist take their discussion where they wanted.
Here are some of the before-and-after pictures and descriptions (all 31 are available here):
In general, the students seemed to come away with an idea of scientists as being more like “normal” people, not just stereotypical geeks in lab coats. But some of the other changes are interesting, too. The author of a post about the study at Restructure! analyzed the before-and-after images (as best as she could identify the sex of the drawings):
- Among girls (14 in total), 36% portrayed a female scientist in the “before” drawing, and 57% portrayed a female scientist in the “after” drawing.
- Among boys (17 in total), 100% portrayed a male scientist in the “before” drawing, and 100% portrayed a male scientist in the “after” drawing.
I looked through all of them and only saw one instance (posted above) where the child changed the scientists to be clearly non-White.
Of course this is a small sample, but the results seem to reproduce what other studies have found regarding the importance of role models and gender stereotyping, in particular, that girls are more likely to imagine themselves in careers when they see women doing them. For instance, the relative lack of female professors in male-dominated departments such as engineering may play a role in discouraging women from choosing to major in such fields (as well as other factors such as steering, concerns about family/work conflicts, etc.).
Originally posted in 2010.
Gwen Sharp, PhD is a professor of sociology and the Associate Dean of liberal arts and sciences at Nevada State College.
The biggest thing in our daily life at the moment is FOOD .....
Hubby's Doctor has told him he has to go on an eating plan to lose weight because he is heading for more health problems if he doesn't lose weight soon.
I'm joining him on this adventure as I need to lose some weight too.....
I won't go on any more... lol ......
I'm just happy Hubby is liking it enough to plan to stick with it.... I love salad warm or cold...
I'm cooking Potato and pasta for Mum and she has a sandwich for lunch and weet bix for breakfast as she normally does ..... for us it's super low carb....
..So glad hubby is off the meal replacement shakes he was always hungry... with this plan he's not hungry at all....
... and .... he has lost 3 kg in 10 days.....
I lost 1.5 kg in this time ... loving it... xxxxx
Can't leave without a flower .....
A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.
Mark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.
Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).
In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.
In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.
This is a fairly clever — if not novel — attack, and it’s one I’d wager would likely fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.
Nevertheless, text messaging codes to users isn’t the safest way to do two-factor authentication, even if some entities — like the U.S. Social Security Administration and Sony’s Playstation network — are just getting around to offering two-factor via SMS.
But don’t take my word for it. That’s according to the National Institute of Standards and Technology (NIST), which recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-based one-time passwords generated by mobile apps — over text messaging. By the way, NIST is seeking feedback on these recommendations.
If anyone’s interested, Sophos’s Naked Security blog has a very readable breakdown of what’s new in the NIST guidelines. Among my favorite highlights is this broad directive: Favor the user.
“To begin with, make your password policies user friendly and put the burden on the verifier when possible,” Sophos’s Chester Wisniewski writes. “In other words, we need to stop asking users to do things that aren’t actually improving security.” Like expiring passwords and making users change them frequently, for example.
Okay, so the geeks-in-chief are saying it’s time to move away from texting as a form of 2-factor authentication. And, of course, they’re right, because text messages are a lot like email, in that it’s difficult to tell who really sent the message, and the message itself is sent in plain text — i.e. is readable by anyone who happens to be lurking in the middle.
But security experts and many technology enthusiasts have a tendency to think that everyone should see the world through the lens of security, whereas most mere mortal users just want to get on with their lives and are perfectly content to use the same password across multiple sites — regardless of how many times they’re told not to do so.
Indeed, while many more companies now offer some form of two-factor authentication than did two or three years ago — consumer adoption of this core security feature remains seriously lacking. For example, the head of security at Dropbox recently told KrebsOnSecurity that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. And Dropbox isn’t exactly a Johnny-come-lately to the 2-factor party: It has been offering 2-factor logins for a full four years now.
I doubt Dropbox is somehow an aberration in this regard, and it seems likely that other services also suffer from single-digit two-factor adoption rates. But if more consumers haven’t enabled two-factor options, it’s probably because a) it’s still optional and b) it still demands too much caring and understanding from the user about what’s going on and how these security systems can be subverted.
Google recently went a step further along the lines of where I’d like to see two-factor headed across the board, by debuting a new “push” authentication system that generates a prompt on the user’s mobile device that users need to tap to approve login requests. This is very similar to another push-based two-factor system I’ve long used and trusted — from Duo Security [full disclosure: Duo is an advertiser on this site].
For a comprehensive breakdown of which online services offer two-factor authentication and of what type, check out twofactorauth.org. And bear in mind that even if text-based authentication is all that’s offered, that’s still better than nothing. What’s more, it’s still probably more security than the majority of the planet has protecting their accounts.
I’d just finished parking my car in the covered garage at Reagan National Airport just across the river from Washington, D.C. when I noticed a dark green minivan slowly creeping through the row behind me. The vehicle caught my attention because its driver didn’t appear to be looking for an open spot. What’s more, the van had what looked like two cameras perched atop its roof — one on each side, both pointed down and slightly off to the side.
I had a few hours before my flight boarded, so I delayed my walk to the terminal and cut through several rows of cars to snag a video of the guy moving haltingly through another line of cars. I approached the driver and asked what he was doing. He smiled and tilted the lid on his bolted-down laptop so that I could see the pictures he was taking with the mounted cameras: He was photographing every license plate in the garage (for the record, his plate was a Virginia tag number 36-646L).
A van at Reagan National Airport equipped with automated license plate readers fixed to the roof.
The man said he was hired by the airport to keep track of the precise location of every car in the lot, explaining that the data is most often used by the airport when passengers returning from a trip forget where they parked their vehicles. I checked with the Metropolitan Washington Airports Authority (MWAA), which manages the garage, and they confirmed the license plate imaging service was handled by a third-party firm called HUB Parking.
I’m accustomed to having my license plate photographed when entering a parking area (Dulles International Airport in Virginia does this), but until that encounter at Reagan National I never considered that this was done manually.
“Reagan National uses this service to assist customers in finding their lost vehicles,” said MWAA spokesperson Kimberly Gibbs. “If the customer remembers their license plate it can be entered into the system to determine what garages and on what aisle their vehicle is parked.”
What does HUB Parking do with the information its clients collect? Ilaria Riva, marketing manager for HUB Parking, says the company does not sell or share the data it collects, and that it is up to the client to decide how that information is stored or shared.
“It is true the solution that HUB provides to our clients may collect data, but HUB does not own the data nor do we have any control over what the customer does with it,” Riva said.
Gibbs said MWAA does not share parking information with outside organizations. But make no mistake: the technology used at Reagan National Airport, known as automated license plate reader or ALPR systems, is already widely deployed by municipalities, police forces and private companies — particularly those in the business of repossessing vehicles from deadbeat owners who don’t pay their bills.
It’s true that people have zero expectation of privacy in public places — and roads and parking garages certainly are public places for the most part. But according to the Electronic Frontier Foundation (EFF), the data collected by ALPR systems can be very revealing, and in many cities ALPR technology is rapidly outpacing the law.
“By matching your car to a particular time, date and location, and then building a database of that information over time, law enforcement can learn where you work and live, what doctor you go to, which religious services you attend, and who your friends are,” the EFF warns.
A 2014 ABC News investigation in Los Angeles found the technology broadly in use by everyone from the local police to repo men. The story notes that there are little or no restrictions on what private companies that collect time- and location-stamped license plate data can do with the information. As a result, they are selling it to insurers, banks, law enforcement and federal agencies.
In Texas, the EFF highlights how state and local law enforcement agencies have free access to ALPR equipment and license plate data maintained by a private company called Vigilant Solutions. In exchange, police cruisers are retrofitted with credit-card machines so that law enforcement officers can take payments for delinquent fines and other charges on the spot — with a 25 percent processing fee tacked on that goes straight to Vigilant. In essence, the driver is paying Vigilant to provide the local cops with the technology used to identify and detain the driver.
“The ‘warrant redemption’ program works like this,” the EFF wrote. “The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.”
That’s right: Even if the contract between the state and Vigilant ends, the latter gets to keep all of the license plate data collected by the agency, and potentially sell or license the information to other governments or use it for other purposes.
I wanted to write this story not because it’s particularly newsy, but because I was curious about a single event and ended up learning a great deal that I didn’t already know about how pervasive this technology has become.
Yes, we need more transparency about what companies and governments are doing with information collected in public. But here’s the naked truth: None of us should harbor any illusions about maintaining the privacy of our location at any given moment — particularly in public spaces.
As it happens, location privacy is a considerably expensive and difficult goal for most Americans to attain and maintain. Our mobile phones are constantly pinging cell towers, making it simple for mobile providers and law enforcement agencies to get a fix on your location within a few dozen meters.
Obscuring the address of your residence is even harder. If you’ve ever had a mortgage on your home or secured utilities for your residence using your own name, chances are excellent that your name and address are in thousands of databases, and can be found with a free or inexpensive public records search online.
Increasingly, location privacy is the exclusive purview of two groups of Americans: Those who are indigent and/or homeless and those who are wealthy. Only the well-off can afford the substantial costs and many petty inconveniences associated with separating one’s name from their address, vehicle, phone records and other modern niceties that make one easy to track and find.
United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes — moving from a 4-digit PINs to password and requiring customers to pick five different security questions and answers — may seem like a security playbook copied from Yahoo.com, circa 2009. Here’s a closer look at what’s changed in how United authenticates customers, and hopefully a bit of insight into what the nation’s fourth-largest airline is trying to accomplish with its new system.
United, like many other carriers, has long relied on a frequent flyer account number and a 4-digit personal identification number (PIN) for authenticating customers at its Web site. This has left customer accounts ripe for takeover by crooks who specialize in hacking and draining loyalty accounts for cash.
Earlier this year, however, United began debuting new authentication systems wherein customers are asked to pick a strong password and to choose from five sets of security questions and pre-selected answers. Customers may be asked to provide the answers to two of these questions if they are logging in from a device United has never seen associated with that account, trying to reset a password, or interacting with United via phone.
Some of the questions and answers United came up with.
Yes, you read that right: The answers are pre-selected as well as the questions. For example, to the question “During what month did you first meet your spouse or significant other,” users may select only from one of…you guessed it — 12 answers (January through December).
The list of answers to another security question, “What’s your favorite pizza topping,” had me momentarily thinking I was using a pull-down menu at Dominos.com — waffling between “pepperoni” and “mashed potato.” (Fun fact: If you were previously unaware that mashed potatoes qualify as an actual pizza topping, United has you covered with an answer to this bit of trivia in its Frequently Asked Questions page on the security changes.)
I recorded a short video of some of these rather unique questions and answers.
United said it opted for pre-defined questions and answers because the company has found “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”
This struck me as a dramatic oversimplification of the threat. I asked United why they stated this, given that any halfway decent piece of malware that is capable of keylogging is likely also doing what’s known as “form grabbing” — essentially snatching data submitted in forms — regardless of whether the victim types in this information or selects it from a pull-down menu.
Benjamin Vaughn, director of IT security intelligence at United, said the company was randomizing the questions to confound bot programs that seek to automate the submission of answers, and that security questions answered wrongly would be “locked” and not asked again. He added that multiple unsuccessful attempts at answering these questions could result in an account being locked, necessitating a call to customer service.
United said it plans to use these same questions and answers — no longer passwords or PINs — to authenticate those who call in to the company’s customer service hotline. When I went to step through United’s new security system, I discovered my account was locked for some reason. A call to United customer service unlocked it in less than two minutes. All the agent asked me for was my frequent flyer number and my name.
(Incidentally, United still somewhat relies on “security through obscurity” to protect the secrecy of customer usernames by very seldom communicating the full frequent flyer number in written and digital communications with customers. I first pointed this out in my story about the data that can be gleaned from a United boarding pass barcode, because while the full frequent flyer number is masked with “x’s” on the boarding pass, the full number is stored on the pass’s barcode).
Conventional wisdom dictates that what little additional value security questions add to the equation is nullified when the user is required to choose from a set of pre-selected answers. After all, the only sane and secure way to use secret questions if one must is to pick answers that are not only incorrect and/or irrelevant to the question, but that also can’t be guessed or gleaned by collecting facts about you from background checking sites or from your various social media presences online.
Google published some fascinating research last year that spoke to the efficacy and challenges of secret questions and answers, concluding that they are “neither secure nor reliable enough to be used as a standalone account recovery mechanism.”
Overall, the Google research team found the security answers are either somewhat secure or easy to remember — but rarely both. Put another way, easy answers aren’t secure, and hard answers aren’t as usable.
But wait, you say: United asks you to answer up to five security questions. So more security questions equals more layers for the bad guys to hack through, which equals more security, right? Well, not so fast, the Google security folks found.
“When users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark,” the researchers wrote. “The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.”
Vaughn said the beauty of United’s approach is that it uniquely addresses the problem identified by Google researchers — that so many people in the study had so much trouble remembering the answers — by providing users with a set of pre-selected answers from which to choose.
An infographic from Google’s research study on secret questions. Source: Google.
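The Google finding quoted above (attacker odds within ten guesses versus user recall) is a bound on guessing space, and a pre-selected answer list caps that space at the length of the list. The model below, an added example that is not from the original article, Google’s study or United, makes that explicit: it takes per-question answer distributions (constructed and illustrative, not real survey data), enumerates joint answers in order of likelihood, and reports how much an attacker who guesses the most popular combinations first gains from a limited number of attempts before lockout. The 12-month question is near-uniform; the topping question is deliberately skewed to show why “how many options” understates the problem.

```python
import math
from itertools import product
from typing import Dict, List, Sequence, Tuple

# Constructed, illustrative answer distributions (assumed; not United's option
# lists or Google's measured frequencies). Keys are the pre-selected answers,
# values are the assumed share of users who would pick each one.
MONTHS: Dict[str, float] = {
    m: 1 / 12
    for m in ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
}
TOPPINGS: Dict[str, float] = {
    "pepperoni": 0.35, "cheese": 0.20, "mushroom": 0.12, "sausage": 0.10,
    "onion": 0.06, "pepper": 0.05, "olive": 0.04, "pineapple": 0.03,
    "anchovy": 0.02, "ham": 0.02, "mashed potato": 0.01,
}


def joint_distribution(questions: Sequence[Dict[str, float]]) -> List[Tuple[Tuple[str, ...], float]]:
    """Every combination of answers across the given questions with its joint
    probability (answers assumed independent), most likely combination first.
    This is the order an optimal guesser would try them in."""
    combos = []
    for combo in product(*[list(q.items()) for q in questions]):
        prob = 1.0
        for _, p in combo:
            prob *= p
        combos.append((tuple(answer for answer, _ in combo), prob))
    combos.sort(key=lambda c: -c[1])
    return combos


def attacker_success(questions: Sequence[Dict[str, float]], guesses: int) -> float:
    """Probability that an attacker who tries the most popular combinations
    first gets every answer right within `guesses` attempts, i.e. before an
    account-lockout threshold of that many wrong attempts kicks in."""
    return sum(p for _, p in joint_distribution(questions)[:guesses])


def min_entropy_bits(questions: Sequence[Dict[str, float]]) -> float:
    """Min-entropy of the joint answer: -log2 of the single best guess. This is
    the figure that matters against a one-shot guesser, not log2(option count)."""
    best = joint_distribution(questions)[0][1]
    return -math.log2(best)


def recall_success(per_question_recall: Sequence[float]) -> float:
    """Probability the legitimate user recalls every answer, assuming the
    per-question recall rates are independent (the usability side of the trade-off)."""
    prob = 1.0
    for r in per_question_recall:
        prob *= r
    return prob


if __name__ == "__main__":
    for label, qs in [("two month questions", [MONTHS, MONTHS]),
                      ("month + topping", [MONTHS, TOPPINGS])]:
        print(f"{label}: {len(joint_distribution(qs))} combinations, "
              f"{min_entropy_bits(qs):.1f} bits of min-entropy, "
              f"attacker wins within 10 tries with p={attacker_success(qs, 10):.3f}")
    # Assumed recall rates, chosen only to show the shape of the trade-off.
    print(f"user recalls both answers with p={recall_success([0.9, 0.8]):.2f}")
```
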
The security team at United reached out a few weeks back to highlight the new security changes, and in a conversation this week they asked what I thought about their plan. I replied that if United is getting pushback from security experts and tech publications about its approach, that’s probably because security people are techies/nerds at heart, and techies/nerds want options and stuff. Or at least the ability to add, enable or disable certain security features.
But the reality today is that almost any security system designed for use by tens of millions of people who aren’t techies is always going to cater to the least sophisticated user on the planet — and that’s about where the level of security for that system is bound to stay for a while.
So I told the United people that I was somewhat despondent about this reality, mainly because I end up having little other choice but to fly United quite often.
“At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers,” Vaughn said. “We have to start with something that is universally available to our customers. We can’t send a text message to you when you’re on an airplane or out of the country, we can’t rely on all of our customers to have a smart phone, and we didn’t feel it would be a great use of our customers’ time to send them in the mail 93 million secure ID tokens. We felt a powerful onus to do something, and the something we implemented we feel improves security greatly, especially for non-technically savvy customers.”
Arlan McMillan, United’s chief information security officer, said the basic system that the company has just rolled out is built to accommodate additional security features going forward. McMillan said United has discussed rolling out some type of app-based time-based one-time password (TOTP) system (Google Authenticator is one popular TOTP example).
“It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to,” McMillan said. “We set the minimum bar here, and we think that’s a higher bar than you’re going to find at most of our competitors. And we’re going to do more, but we had to get this far first.”
Lest anyone accuse me of claiming that the thrust of this story is somehow newsy, allow me to recommend some related, earlier stories worth reading about United’s security changes: