two-factor authentication

description: authentication method in which a computer user is granted access only after successfully presenting two pieces of evidence (or factors) to an authentication mechanism

pages: 1,380 words: 190,710

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems
by Heather Adkins , Betsy Beyer , Paul Blankinship , Ana Oprea , Piotr Lewandowski and Adam Stubblefield
Published 29 Mar 2020

Modern identity and access solutions that leverage the cloud are becoming more attractive and let you add two-factor authentication relatively quickly. Using two-factor authentication in your environment—especially for less-protected entry points like access to email—is a quick win. Two-factor authentication can also provide an added benefit: you’ll know if an attacker is still attempting to log in to accounts. These attempted logins will look like account login failures. To improve your security posture, your long-term mitigation roadmap might explore a cloud-based two-factor authentication service during short-term mitigation, and also incorporate more systematic changes, like adopting FIDO-based security keys (which we discuss in Chapter 7).

The attacker then signs in to the organization’s virtual private network (VPN) service using those credentials.
Mitigations: Use two-factor authentication (such as security keys) for the VPN service. Only permit VPN connections from organization-managed systems.
Lateral movement: Moving between systems or accounts to gain additional access.
Example: Attacker remotely logs in to other systems using the compromised credentials.
Mitigations: Permit employees to log in to only their own systems. Require two-factor authentication for login to multiuser systems.
Persistence: Ensuring ongoing access to compromised assets.
Example: Attacker installs a backdoor on the newly compromised systems that provides them with remote access.

In the past few decades, traditional spying techniques, including signals intelligence (SIGINT) and human intelligence (HUMINT), have modernized with the advent of the internet. In one famous example from 2011, the security company RSA was compromised by an adversary many experts associate with China’s intelligence apparatus. The attackers compromised RSA to steal cryptographic seeds for their popular two-factor authentication tokens. Once they had these seeds, the attackers didn’t need physical tokens to generate one-time authentication credentials to log in to the systems of Lockheed Martin, a defense contractor that builds technology for the US military. Once upon a time, breaking into a company like Lockheed would have been performed by human operatives onsite—for example, by bribing an employee or having a spy hired at the firm.
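
The “added benefit” in the first excerpt above, that a stolen password stopped by a second factor shows up as a stream of login failures, is something a detection team can act on. The following is an added example, not code from the book or from Google: it parses a handful of constructed log lines in a hypothetical `password=ok second_factor=fail` format and flags accounts where the password keeps being accepted while the second factor keeps failing. The log format, field names and threshold are assumptions.

```python
"""Detect password-correct-but-second-factor-failed logins.

Added example (not from the book): parses constructed, hypothetical
authentication log lines and flags accounts whose password has been
presented correctly but whose second factor keeps failing, which is the
signature of a stolen password being held back by 2FA.
"""
import re
from collections import Counter, defaultdict

# Constructed log format (assumed; not any real product's format):
#   <ISO timestamp> auth user=<name> src=<ip> password=<ok|fail> second_factor=<ok|fail|none>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"password=(?P<pw>ok|fail) second_factor=(?P<sf>ok|fail|none)$"
)

# Constructed sample log: alice logs in normally, bob's password is accepted
# three times from outside addresses but the second factor fails each time,
# carol mistypes her password once, dave mistypes one code then succeeds.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth user=alice src=10.1.1.5 password=ok second_factor=ok
2024-03-01T08:02:11Z auth user=bob src=198.51.100.7 password=ok second_factor=fail
2024-03-01T08:02:40Z auth user=bob src=198.51.100.7 password=ok second_factor=fail
2024-03-01T08:03:05Z auth user=bob src=198.51.100.9 password=ok second_factor=fail
2024-03-01T08:05:00Z auth user=carol src=10.1.1.9 password=fail second_factor=none
2024-03-01T08:05:30Z auth user=carol src=10.1.1.9 password=ok second_factor=ok
2024-03-01T08:06:00Z auth user=dave src=203.0.113.4 password=ok second_factor=fail
2024-03-01T08:06:20Z auth user=dave src=10.1.1.20 password=ok second_factor=ok
"""


def parse(lines):
    """Parse the constructed format into a list of field dicts, skipping lines that do not match."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stolen_password_candidates(events, threshold=2):
    """Return {user: {"attempts": n, "sources": [...]}} for accounts where the
    password was accepted but the second factor failed at least `threshold` times.
    A plain password failure is ordinary noise; a single second-factor miss
    followed by a success looks like a mistyped code, so both stay below threshold."""
    fails = Counter()
    sources = defaultdict(set)
    for e in events:
        if e["pw"] == "ok" and e["sf"] == "fail":
            fails[e["user"]] += 1
            sources[e["user"]].add(e["src"])
    return {
        user: {"attempts": n, "sources": sorted(sources[user])}
        for user, n in fails.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for user, info in find_stolen_password_candidates(parse(SAMPLE_LOG)).items():
        print(f"{user}: password likely compromised; "
              f"{info['attempts']} second-factor failures from {info['sources']}")
```

The signal worth alerting on is the combination: the password was right, so the attacker already has it, and only the second factor is holding. A plain password failure is everyday noise, and one second-factor miss followed by a success from an internal address looks like a mistyped code, so neither crosses the threshold here. In a real deployment the same rule should also trigger a forced password reset for the flagged account, since the first factor is already gone.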

pages: 448 words: 117,325

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World
by Bruce Schneier
Published 3 Sep 2018

.,” New York Times, https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html.
46 Google found and disabled the worm: Alex Johnson (4 May 2017), “Massive phishing attack targets Gmail users,” NBC News, https://www.nbcnews.com/tech/security/massive-phishing-attack-targets-millions-gmail-users-n754501.
46 An example of something you are is biometrics: Nary Subramanian (1 Jan 2011), “Biometric authentication,” in Encyclopedia of Cryptography and Security, Springer, https://link-springer-com/content/pdf/10.1007%2F978-1-4419-5906-5_775.pdf.
46 These are things you carry with you: Robert Zuccherato (1 Jan 2011), “Authentication token,” in Encyclopedia of Cryptography and Security, Springer, https://link-springer-com.ezproxy.cul.columbia.edu/referencework/10.1007%2F978-1-4419-5906-5.
47 Using two of them together: J. R. Raphael (30 Nov 2017), “What is two-factor authentication (2FA)? How to enable it and why you should,” CSO, https://www.csoonline.com/article/3239144/password-security/what-is-two-factor-authentication-2fa-how-to-enable-it-and-why-you-should.html.
47 This, of course, isn’t perfect, either: Andy Greenberg (26 Jun 2016), “So hey you should stop using texts for two-factor authentication,” Wired, https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication.
47 Sprint, T-Mobile, Verizon, and AT&T: Steve Dent (8 Sep 2017), “U.S. carriers partner on a better mobile authentication system,” Engadget, https://www.engadget.com/2017/09/08/mobile-authentication-taskforce-att-verizon-tmobile-sprint.
47 Among other security protections: Dario Salice (17 Oct 2017), “Google’s strongest security, for those who need it most,” Keyword, https://www.blog.google/topics/safety-security/googles-strongest-security-those-who-need-it-most.
47 Sticky-note passwords regularly show up: Here’s one example from 2018: Kif Leswing (16 Jan 2018), “A password for the Hawaii emergency agency was hiding in a public photo, written on a Post-it note,” Business Insider, http://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1.
48 Your smartphone has evolved into: Gary Robbins (23 Apr 2017), “The Internet of Things lets you control the world with a smartphone,” San Diego Union Tribune, http://www.sandiegouniontribune.com/sd-me-connected-home-20170423-story.html.
48 A hacker can convince a cell provider: Steven Melendez (18 Jul 2017), “How to steal a phone number and everything linked to it,” Fast Company, https://www.fastcompany.com/40432975/how-to-steal-a-phone-number-and-everything-linked-to-it.
48 They’ll reset bank accounts: Alex Perekalin (19 May 2017), “Why two-factor authentication is not enough,” Kaspersky Daily, https://www.kaspersky.com/blog/ss7-attack-intercepts-sms/16877.

Biometrics can be fooled with photographs, fake fingers, and the like. Phones can be hijacked to give the attacker access to the apps or text messages stored on them. In general, replacing passwords with one of these doesn’t improve things much. Using two of them together—that’s two-factor authentication—does improve security. Both Google and Facebook offer two-factor authentication via a text message on your smartphone. (This, of course, isn’t perfect, either. Some versions have been hacked.) Sprint, T-Mobile, Verizon, and AT&T are working together to come up with a similar system. In 2017, Google introduced its Advanced Protection Program for high-risk users.

A hacker who is monitoring a user’s computer can wait for the user to log in to a real banking website, and then manipulate what the user sees on the screen and sends to the bank in order to change, for example, the destination of bank transfers. This is called a man-in-the-middle attack, and it works even if the bank has instituted two-factor authentication. To defend against such attacks, one can monitor the system looking for signs of hacked accounts, and then use differential authentication. This would be your bank noticing that you just tried to wire $50,000 to an account in Romania that you’ve never had any financial transactions with before, and calling you to double-check before letting the transfer go through.
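
The “differential authentication” Schneier describes above is a server-side check that does not depend on what the user’s (possibly attacker-controlled) browser displays. As an added example, not from the book or from any bank, here is that decision logic with constructed account history and illustrative thresholds: a transfer is compared against the account’s own payees, destination countries and past amounts, and is released only after an out-of-band confirmation when it falls out of pattern. The `Transfer` and `AccountHistory` types, the threshold values and the sample data are all assumptions.

```python
"""Differential (risk-based) authentication for outgoing transfers.

Added example, not from the book or from any bank: the check Schneier
describes, where the bank scores a new transfer against the account's own
history and demands out-of-band confirmation only when it looks anomalous.
Types, thresholds and sample history are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Transfer:
    payee: str      # destination account identifier (constructed)
    country: str    # ISO country code of the destination
    amount: float   # in the account's own currency


@dataclass
class AccountHistory:
    transfers: list = field(default_factory=list)

    def known_payees(self):
        return {t.payee for t in self.transfers}

    def known_countries(self):
        return {t.country for t in self.transfers}

    def typical_amount(self):
        """Largest amount previously sent; 0.0 for an account with no history."""
        return max((t.amount for t in self.transfers), default=0.0)


def risk_signals(history, new):
    """Return the anomaly signals for `new` relative to `history`, in a fixed
    order. An empty list means the transfer matches the account's pattern."""
    signals = []
    if new.payee not in history.known_payees():
        signals.append("new_payee")
    if new.country not in history.known_countries():
        signals.append("new_country")
    # Assumed policy: anything above ten times the largest prior transfer,
    # with a 1,000 floor so a brand-new account is not flagged for trivia.
    if new.amount > max(10 * history.typical_amount(), 1_000.0):
        signals.append("amount_out_of_pattern")
    return signals


def decide(history, new, step_up_score=2):
    """'allow' when fewer than `step_up_score` signals fire, otherwise 'step_up':
    the transfer is held until the bank confirms it through a channel the
    attacker does not control (a phone call in the book's example)."""
    return "step_up" if len(risk_signals(history, new)) >= step_up_score else "allow"


if __name__ == "__main__":
    # Constructed history: monthly rent and a utility bill, both domestic.
    history = AccountHistory([
        Transfer("rent-account", "US", 1500.0),
        Transfer("utility-co", "US", 200.0),
    ])
    suspicious = Transfer("unknown-ro", "RO", 50_000.0)
    print(risk_signals(history, suspicious), "->", decide(history, suspicious))
```

Two details matter for the man-in-the-middle case. The rules run on what the bank actually received, so a transfer the malware rewrote is scored on its rewritten destination and amount, not on what the victim saw on screen. And the confirmation sent through the separate channel must state that destination and amount, so the customer can spot the discrepancy; a prompt that only asks “approve your pending transfer?” hands the attacker the second factor as well.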

pages: 409 words: 112,055

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
by Richard A. Clarke and Robert K. Knake
Published 15 Jul 2019

The problem of passwords won’t go away until some combination of two things happen: multifactor authentication without a password is forced on companies and their customers, or multifactor authentication becomes something that takes place seamlessly in the background. On the first front, we are starting to see more companies make the push. Banks, which are financially responsible should cyber criminals drain your bank account, have all the incentive they now need to require the use of two-factor authentication. Many are adopting “push” models that don’t require users to do anything to set up two-factor authentication. Banks validate your phone number in the background and then send a text message with a one-time code you must enter to log in to your account. Of course, there are multiple ways criminals can capture a text message and use it to log in to an account, from compromising the underlying SS7 telephone network to compromising the phones or computers that receive the text messages.

TAO was reorganized and merged into Computer Network Operations in 2017.
Threat Actor: An entity that regularly engages in unauthorized penetration of computer networks to access and exfiltrate information or to engage in destructive activities on the network.
Two-Factor Authentication (2FA): A means of proving user identity in order to be granted access to a device, application, network, or database. Two-factor authentication usually requires that users provide something they know, and prove possession of something they have. Examples of these factors are passwords (which satisfy the knowledge requirement) and one-time log-in codes sent to a user’s phone (which satisfy the possession requirement).

Internally, Microsoft was moving to a “smart-card system” and testing a “biometric ID-card” that would allow facial, iris, and retina recognition as a means to grant access to computing resources. Of course, this was all in 2004. Bill Gates was still Microsoft’s CEO. To his credit, and contrary to legend, he never suggested that passwords would go the way of the dodo, only that we would rely on them less. What Gates was proposing then was two-factor authentication, or even multifactor authentication: your password and a card with some sort of biometric data on it. You would type in your password, stick in your card, and the computer would read the biometric data and match it with the biometrics you were presenting (your fingerprint, iris, etc.). The obstacles were numerous.

Engineering Security
by Peter Gutmann

Other banks proposed using “a statistical assessment of transactions’ trustworthiness” as the second factor [85].
Figure 203: Two-factor authentication as defined by a US bank
Some banks even defined a user name and password to be two-factor authentication, with the user name providing one level of security and the password the second [86]. An example of one bank’s interpretation of two-factor authentication is shown in Figure 203. In other words their definition of “two-factor authentication” was “twice as much one-factor authentication”, or as one observer put it, “wish-it-was-two-factor authentication” in which users are asked to employ two-factor authentication consisting of “something they know and something else they know” [87].

This fact was emphasised by results in a study which found that the sharing of passwords (or more generally logon credentials) was seen as a sign of trust among coworkers, and people who didn’t allow others to use their password were seen as having something to hide and not being team players [249]. Two-factor authentication tokens make this even worse because while giving someone access to a password-protected resource typically entails having the password owner log on for you (to the point where it’s even been institutionalised in the form of the group login and the 24-hour login, see “Activity-Based Planning” on page 477 for more details), with a two-factor authentication token it’s easier to just hand over the token to the requestor on the understanding that they’ll return it in good time.

In addition since no two tokens are alike, users would have had to contend with a mass of time-based tokens, challenge-response calculators, PIN-activated tokens, rolling-code tokens, button-activated tokens, biometric tokens, and several other innovative but ultimately confusing variants. The situation isn’t helped by the fact that, as with smart cards, users in general didn’t understand why two-factor authentication was needed or what benefits the tokens offered [462]. Another issue that crops up with the use of two-factor authentication tokens is the common problem that the use of the second factor, which requires the presence of the token, is generally sprung on the user as an unwelcome surprise after they’ve authenticated with the first factor, typically a non-token item like a password [463].

pages: 434 words: 77,974

Mastering Blockchain: Unlocking the Power of Cryptocurrencies and Smart Contracts
by Lorne Lantz and Daniel Cawrey
Published 8 Dec 2020

Make sure to verify through personally known information who you are talking to, especially if someone starts making strange requests—like asking for cryptocurrency.

Two-factor authentication
In addition to using a password, turning on two-factor authentication is a good idea. Two-factor authentication requires another source for verification, such as when a website sends a text message to your phone containing a code you must enter in order to access your account on the site. There are multiple ways of doing two-factor authentication, and some are more secure than others. SMS verification using an app like Authy or Google Authenticator is one way.

Types of attacks to watch out for include:
Cell phone porting: Porting is a common type of attack where someone takes over your cell phone’s number, allowing them to intercept incoming messages. This is often accomplished by calling the carrier and providing some personal information the attacker has learned. Because of the dangers of this attack vector, it’s best not to use SMS verification for two-factor authentication. A good alternative is to set up a portable VoIP phone number that supports text, like Google Voice.
Phishing: Phishing is a very effective way for hackers to take control of accounts (and cryptocurrency). The attacker typically claims to be from a familiar and trusted organization, like a government agency or a well-known company, and sends the user a message containing a link that encourages them to reveal personal information, such as a password.

Sample cold storage, embedding recovery seed onto metal (image credit: http://www.coldti.com)
Tip: The most common mechanism for generating a mnemonic to use as a wallet seed is BIP39, the standard for creating phrases from addresses.
Cryptocurrency can and has been lost, whether a user controls their private keys or not. It’s important to use secure communication tools, set up two-factor authentication, have a PIN with a cellular carrier, and be aware of phishing. Once cryptocurrency leaves a wallet, it’s almost impossible to get it back.

Mining
In the beginning, cryptocurrency mining was solely a hobbyist’s pursuit. Early adopters who wanted to support the Bitcoin network downloaded and ran the Bitcoin Core software, and they were able to mine a few bitcoins here and there just by running the software on their computers.

pages: 305 words: 93,091

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
by Kevin Mitnick , Mikko Hypponen and Robert Vamosi
Published 14 Feb 2017

If someone has added himself to your account, delete this forwarding e-mail address immediately. Passwords and PINs are part of the security solution, but we’ve just seen that these can be guessed. Even better than complex passwords are two-factor authentication methods. In fact, in response to Jennifer Lawrence and other celebrities having their nude photos plastered over the Internet, Apple instituted two-factor authentication, or 2FA, for its iCloud services. What is 2FA? When attempting to authenticate a user, sites or applications look for at least two of three things. Typically these are something you have, something you know, and something you are.

I can go to the reset page for your e-mail service and request a password reset, which, because you enabled two-factor authentication, will result in an SMS code being sent to your phone. So far, so good, right? Hang on. A recent attack on a phone used by political activist DeRay Mckesson showed how the bad guys could trick your mobile operator to do a SIM swap.18 In other words, the attacker could hijack your cellular service and then receive your SMS messages—for example, the SMS code from Google to reset Mckesson’s Gmail account that was protected with two-factor authentication. This is much more likely than fooling someone into reading off his or her SMS message with a new password.

If you log in to Gmail on a public terminal, and there’s a keylogger on that public terminal, some remote third party now has your username and password. If you log in to your bank—forget it. Remember, you should enable 2FA on every site you access so an attacker armed with your username and password cannot impersonate you. Two-factor authentication will greatly mitigate the chances of your account being hacked if someone does gain knowledge of your username and password. The number of people who use public kiosks at computer-based conferences such as CES and RSA amazes me. Bottom line, if you’re at a trade show, use your cellular-enabled phone or tablet, your personal hotspot (see here), or wait until you get back to your room.

pages: 273 words: 72,024

Bitcoin for the Befuddled
by Conrad Barski
Published 13 Nov 2014

Be cautious; if you are able to access your hosted wallet using just a username and simple password, that is a warning sign that your provider might be vulnerable to online attacks (if you can access your bitcoins easily, so can a thief). Quality wallet service providers, such as the U.S.-based company Coinbase (which also offers convenient ways to buy bitcoins; see Chapter 4) require the use of two-factor authentication for users to access their bitcoins. Two-factor authentication requires the use of a phone, or another secondary device, in addition to a username and password. Unfortunately, because the Bitcoin world is so new, no hosted wallet provider can claim a long track record of incident-free bitcoin storage.2 For this reason, at this time we recommend that you do not trust any third parties with large amounts of bitcoins.

It is your own responsibility to properly vet specific companies before trusting them with your money. Before we walk you through the exact steps involved in buying bitcoins from one of these companies (see “Buying Bitcoins with Coinbase” on page 58), we first need to discuss a couple of technical concepts. One concept you absolutely need to understand is two-factor authentication, which is a way to do online transactions (as well as a framework for thinking about such transactions) that can greatly reduce your risk of getting hacked and/or robbed. Another concept we need to discuss is the difference between reversible and irreversible financial transactions. Understanding this difference helps explain why long waiting periods are often involved when acquiring bitcoins from service companies.

However, all of these security measures can be defeated. If you enjoy science fiction movies, you’re familiar with the myriad ways this can be done. However, you can overcome these weaknesses by organizing the many authentication methods into three main categories and then choosing two to use. This is known as two-factor authentication. The three categories are as follows:
• Something you know: Your password, your first pet’s name, your signature, and so on
• Something you own: A key fob, your smartphone, and so on
• Something you are: Your fingerprint, your face, your eyes, your voice, and so on
It turns out most of the weaknesses in each of these categories are very different.

pages: 568 words: 164,014

Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat
by John P. Carlin and Garrett M. Graff
Published 15 Oct 2018

Once inside, they gained too much access too easily; the government did a poor job of segregating data and segmenting networks to limit hackers who breached one area from getting access to wider resources.* Moreover, OPM had not implemented safeguards, such as two-factor authentication, that would have made it nearly impossible for the systems to be compromised just with a username and password. While two-factor authentication was an industry best practice, many organizations resisted the complexity it added to daily use—even as Congress later berated OPM for not having two-factor authentication, Capitol Hill was operating without it as well. Since much of the attack on OPM had been done with genuine user credentials, it was particularly difficult to sort out what traffic was authentic and what was malicious.

The initial compromise of Reuters’ Twitter appeared relatively straightforward—the password had been cracked. In some ways, large corporate websites and social media accounts—whether they’re companies or media organizations—are uniquely vulnerable because they often eschew the two-factor authentication that’s available for regular users: it’s seen as too complicated to rely on two-factor authentication given the number of people sharing a single social media account or login, often working in different offices, remotely, or even in different time zones. Yet as news organizations strengthened their security in the wake of that attack, the SEA hackers got more creative, approaching new attack vectors that continued to surprise media companies.

In January, they launched three separate brute-force attacks on the company’s Bethlehem casino—running automated programs that tried thousands of possible passwords in an attempt to log in to the computer network. The Sands Casino security staff noticed, but such attempts were common, and they moved to provide additional security on the targeted accounts—requiring what is known as two-factor authentication so that cracking a password alone wouldn’t have been enough. At the time, though, the Sands Casino staff didn’t realize how badly outgunned they were against the resources of a persistent and patient foreign adversary. The company, like the vast majority of companies around the globe at that point, did not have adequate resources to fight the cyberthreat.

pages: 549 words: 134,988

Pro Git
by Scott Chacon and Ben Straub
Published 12 Nov 2014

If GitHub sees any of these in commit messages in any repository on the site, it will be linked to your user now.

Two Factor Authentication
Finally, for extra security, you should definitely set up Two-factor Authentication or “2FA”. Two-factor Authentication is an authentication mechanism that is becoming more and more popular recently to mitigate the risk of your account being compromised if your password is stolen somehow. Turning it on will make GitHub ask you for two different methods of authentication, so that if one of them is compromised, an attacker will not be able to access your account. You can find the Two-factor Authentication setup under the Security tab of your Account settings.

Figure 6-7. 2FA in the Security Tab
If you click on the “Set up two-factor authentication” button, it will take you to a configuration page where you can choose to use a phone app to generate your secondary code (a “time based one-time password”), or you can have GitHub send you a code via SMS each time you need to log in. After you choose which method you prefer and follow the instructions for setting up 2FA, your account will then be a little more secure and you will have to provide a code in addition to your password whenever you log into GitHub.

Contributing to a Project
Now that our account is set up, let’s walk through some details that could be useful in helping you contribute to an existing project.

Credential Storage
If you use the SSH transport for connecting to remotes, it’s possible for you to have a key without a passphrase, which allows you to securely transfer data without typing in your username and password. However, this isn’t possible with the HTTP protocols – every connection needs a username and password. This gets even harder for systems with two-factor authentication, where the token you use for a password is randomly generated and unpronounceable. Fortunately, Git has a credentials system that can help with this. Git has a few options provided in the box: The default is not to cache at all. Every connection will prompt you for your username and password.
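
Both the Clarke and Knake glossary entry earlier on this page and Pro Git’s “time based one-time password” option refer to the same mechanism, RFC 6238 TOTP: the phone app and the server share a secret, and each derives the six-digit code from the current 30-second time step. The following is an added example, not code from Pro Git, GitHub or either book: an implementation of HOTP (RFC 4226) and TOTP together with a server-side verifier that tolerates one step of clock skew and compares codes in constant time. The seed is the published RFC test seed, not a real secret; the window size and step are the RFC defaults.

```python
"""Time-based one-time passwords (RFC 6238) as generated by authenticator apps.

Added example, not from Pro Git, GitHub or the books excerpted above. The
seed is the RFC 4226 / RFC 6238 test vector seed, not a real credential.
"""
import hashlib
import hmac
import struct
import time

TEST_SEED = b"12345678901234567890"   # published RFC test seed (20 bytes)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time() if unix_time is None else unix_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current step and up to `window`
    steps either side (clock skew, time spent typing). Returns the matching
    step offset, or None. hmac.compare_digest keeps the comparison
    constant-time so a wrong code does not leak which digits matched."""
    t = int(time.time() if unix_time is None else unix_time)
    for offset in range(-window, window + 1):
        candidate = hotp(secret, t // step + offset, digits)
        if hmac.compare_digest(candidate, submitted):
            return offset
    return None


if __name__ == "__main__":
    # The code an authenticator app provisioned with TEST_SEED would show now.
    print("current code:", totp(TEST_SEED))
```

Two caveats a production verifier needs that the excerpt does not mention. First, the server must record the time step of the last accepted code and refuse any later submission for that step or an earlier one; otherwise a code phished in real time can be replayed inside the window. Second, because the secret is shared rather than asymmetric, a breach of the server’s secret store (or a stolen seed file, as in the RSA token case described earlier on this page) lets the attacker generate valid codes for every enrolled account, which is the weakness that pushes the Google authors above toward FIDO security keys.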

pages: 422 words: 104,457

Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance
by Julia Angwin
Published 25 Feb 2014

The connection was sometimes spotty, but it made me feel a lot better than connecting to all those intrusive hotel Wi-Fi systems that force your Internet traffic through their system. I also set up double password systems—known as two-factor authentication—when it was available. On Gmail, that meant installing an app that gave me a code to enter in addition to my password. At my bank, that meant rooting around in the online settings until I found a way to require a “pin” number before authorizing any payments. But I set up those systems only at places where I didn’t have to give out my phone number. Twitter offered two-factor authentication, but only for people who are willing to receive text messages from them—so I declined. I also tried using a system called “Little Snitch” to monitor all the connections my computer was attempting to make, but quickly abandoned it.

Index entries mentioning two-factor authentication: passwords (two-factor authentication); Twitter (password and two-factor authentication).

pages: 506 words: 151,753

The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze
by Laura Shin
Published 22 Feb 2022

Since the trading fee was 0.2 percent per trade, margin was 0.25 percent, and the exchange picked up 15 percent of interest earned from loans on the platform, they estimated the exchange was getting 0.25 percent of volume in revenue a day, which on an average day in 2016 would mean solidly in the five figures.17 They guessed—correctly, according to two people familiar with Polo’s books—that daily revenue even sometimes hit $100,000. During this time, observers say some of the owners’ choices were questionable. For instance, in the latter half of 2016, Jules and Mike were against instituting basic security features that would prevent huge swaths of customers from falling victim to hacks—a measure called two-factor authentication (2FA), which would send a code via text to customers’ phones when they tried to log in. Mike would say it was a user-experience issue, but customer service showed how having 2FA as an option would slash the huge amount of time customer service spent dealing with hacked accounts. Since Polo only had five customer service agents and wasn’t going to hire more, that one move would have enabled the existing employees to help many more users.

One reason for the drop was that competitors were investing in upgrades, but Polo was doing the bare minimum. Seeing competitor Kraken boast about a slew of new features, Polo employees asked, “Why are we not doing this? Why are we just letting them take our business?” One example: Kraken launched an efficient, self-service feature for two-factor authentication allowing users themselves to disable it. Even though customer service said launching a similar feature would cut a third of all open support tickets, Jules and Mike wouldn’t let Tristan work on it. (As far as most people could tell, Tristan controlled nearly every aspect of Poloniex’s code—a grasp of its intricacies wasn’t spread out among a team of people, as would be expected of an exchange transacting in billions of dollars’ worth of crypto every week.)

Timeline

2011
Late winter: Vitalik starts learning about Bitcoin, writing for Bitcoin Weekly
June 1: Gawker article, “The Underground Website Where You Can Buy Any Drug Imaginable,” is published; Bitcoin price shoots up from less than $9 to almost $32 within a week
August: Vitalik becomes a writer for Bitcoin Magazine

2012
May: Bitcoin Magazine publishes its inaugural issue; Vitalik graduates from high school
September: Vitalik begins at University of Waterloo

2013
May: Vitalik decides to take time off from school
August: Vitalik decides to extend his break from school
September: Vitalik spends a week in a squat with Amir Taaki in Milan
September: Vitalik spends four to six weeks in Israel; has revelation about “layer 2” functionalities on Bitcoin
Early October: Bitcoin price in low $100s
Early November: Bitcoin price in the low $200s
November 4–8: Vitalik in Los Angeles
November 8–December 10: Vitalik in San Francisco
Mid-November: Bitcoin price in the $400s, breaks through $800; Vitalik takes walk in the Presidio, where he has a technical breakthrough on Ethereum’s structure
November 27: Vitalik sends Ethereum white paper to friends; Bitcoin price crosses $1,000 for the first time
December 10–11: Vitalik and Anthony Di Iorio attend the Inside Bitcoins conference
December 19: Gavin Wood writes Vitalik
December 25: Jeff Wilcke and Gavin start writing implementations of the Ethereum white paper

2014
January 1: Anthony’s Decentral opens in Toronto
January 20–21: Ethereum group arrives in Miami
January 25–26: BTC Miami conference
Mid- to late February: Jeff, Gavin, and Joe added as cofounders (announced on blog March 5)
March 1: Zug crew moves into Spaceship
March 5: Ethereum GmbH established in Switzerland
Early April: Gavin publishes the Ethereum yellow paper
April 11–13: Bitcoin Expo in Toronto
May 26: Skype call between Stephan Tual and Mathias Grønnebæk in Twickenham and Mihai Alisie, Taylor Gerring, Roxana Sureanu, and Richard Stott in Zug
May 31–June 1: Vitalik and Gavin in Vienna; receive call from Stephan and Mathias
June 3: Ethereum’s Game of Thrones Day
July 9: Stiftung Ethereum created
July 22: Crowdsale begins
September 2: Crowdsale ends
November 24–28: DevCon 0 at ETH Dev in Berlin

2015
Late February to early March: Foundation meeting; decision to remove current board members and recruit “professional board”
February–March: Kelley Becker begins as COO of ETH Dev UG
June 12: Anthony Di Iorio accused of holding one of the footballs “hostage”
Mid-June: Wayne Hennessy-Barrett, Lars Klawitter, and Vadim Levitin are brought on as board members; Ming Chan is hired as executive director
July 30: Ethereum launches
~August 1–2: Ming makes accusation against Vadim
Week of August 9: Stephan tries to get Vitalik to change early contributor allocations
August 10: First version of MyEtherWallet created
August 15: Ethereum Foundation pays early contributors
August 16: Stephan and Vitalik argue on Reddit about early contributor distributions
August 18: MyEtherWallet domain name registered
Mid- to late August: Stephan fired
August 22–23: First Ethereum Foundation board meeting
~September 2–7: Vitalik, Ming, and Casey stay at a cabin in Toronto
September 11: Casey, Ming, Vitalik, Joe Lubin, Andrew Keys, and others meet at ConsenSys about DevCon 1
September 28: Vitalik publishes blog post about how Ethereum is close to running out of money; board directors send official resignation letter
November 9–13: DevCon 1 in London; Christoph Jentzsch demonstrates the Slock and announces the DAO
Late November/early December: Gavin fired

2016
January 24: ETH closes above $2
February 2: Ethcore publishes a blog post about how Parity is the fastest Ethereum client
February 11: ETH closes above $6 for the first time
March 2: The DAO is added to GitHub
March 13: ETH hits a new high of $15.26; Vitalik feels comfortable about the Ethereum Foundation’s multiyear runway
Mid-April: Ming reams Hyperledger’s Brian Behlendorf in phone call
April 25: Vitalik, Gavin, and others from the Ethereum Foundation announced as DAO curators
April 26: Announcement about establishment of DAO.link
April 29: Slock.it makes first proposal to the DAO; Taylor Van Orden’s fiancé, Kevin, flips a coin to choose the DAO contract
April 30: The DAO sale (“creation period”) launches
May 13: Gavin resigns as curator
May 14: Miscalculation of when DAO token price rises
May 24: “Ethereum is the Forefront of Digital Currency” blog post by Coinbase cofounder
May 25: Slock.it makes first DAO security proposal
May 27: Emin Gün Sirer and paper coauthors call for a moratorium on the DAO
May 28: DAO sale ends/DAO created
June 5: Christian Reitwießner discovers the re-entrancy bug exploit, warns other devs about it
June 9: Peter Vessenes publishes a blog post about the re-entrancy attack vector
June 10: Christian also blogs about it
June 11: Vitalik tweets he has been buying DAO tokens since the security news
June 12: Stephan Tual publishes “No funds at risk” blog post
June 14, 02:52 UTC: Child DAO 59, which becomes the Dark DAO, emptied
June 14, 11:42 UTC: DAO attacker begins turning BTC into DAO tokens and ETH via ShapeShift in multiple transactions (until June 16)
June 15, 4:26 UTC: DAO attacker votes yes for proposal 59
June 17: DAO hits value of $250 million; 03:34 UTC DAO attacker begins re-entrancy attack on the DAO; 12:27 UTC attacker stops draining funds; Greg Maxwell emails Vitalik, “Don’t be a greedy idiot”; that evening, developers later called the Robin Hood Group (RHG) consider attacking the DAO, and Alex van de Sande’s internet goes down; highest day of ETH trading ever
June 18, 10:21 UTC: Someone purporting to be the DAO attacker publishes an open letter about how he or she “rightfully claimed 3,641,694 ether”; Christoph publishes blog post laying out options; Robin Hood Group has phone call discussing attempting a rescue
June 19: Lefteris Karapetsas publishes a blog post explaining the options
June 21: Copycat attacks begin; Robin Hood Group rescues 7.2 million ETH
June 22: Lefteris writes another blog post walking through how the hard and soft forks would work; RHG realizes there is a “suspected malicious actor” in the White Hat DAO
June 23: Bitcoin Suisse posts a letter from the suspected malicious actor to Reddit
June 24: Péter Szilágyi posts soft fork versions of Geth and Parity clients; denial-of-service (DoS) attack on soft fork discovered; soft fork called off
Early to mid-July: RHG conducts “DAO Wars” (re-entrancy attacks/rescues) on various mini Dark DAOs in order to make sure neither the DAO attacker nor the copycats can cash out; Polo employee investigating identity of DAO attacker thinks he may have good leads on culprits
July 7: Christoph publishes blog post laying out the remaining issues regarding a hard fork, including how to handle the Extra Balance
July 9: Stephan publishes “Why the DAO robber could very well return the ETH on or after July 14” blog post
July 10: GitHub page for Ethereum Classic (ETHC) created
July 11: RHG whitelists the Dark DAO address in the curator multisig, hoping the DAO attacker will send the siphoned funds there
July 16: Carbonvote shows 87 percent of voters in favor of a hard fork
July 17: Vitalik publishes blog post explaining how the hard fork will happen
July 20: Ethereum hard-forks; Fat Finger accidentally sends 38,383 ETH to the DAO after the hard fork
July 21: On BitcoinTalk, people post bids to buy “ETHC”; Kraken trader emails Christoph asking to purchase his “ETHC”; Gregory Maxwell emails Vitalik offering Bitcoin for his “ETHC”
July 23: DAO attacker sends out “ETHC” from the Dark DAO to a grandchild DAO; Ethereum Foundation devs start bashing Ethereum Classic in internal Skype chat
July 24: Poloniex lists ETC; Ethereum Foundation devs continue trashing ETC in internal Skype chat, and a conversation screenshot is posted to Reddit
July 25: Barry Silbert tweets that he bought ETC; Genesis begins offering over-the-counter trading of ETC
July 26: Bittrex and Kraken list ETC; ETC:ETH hashing power ratio goes from 6:94 in the morning to 17.5:82.5 by late afternoon Eastern Daylight Time
July 27: BTC-e publishes a blog saying most of its ETC was sent to Polo by its users; Greg Maxwell emails Vitalik again about purchasing his ETC
July 28: White Hat Group (WHG) rescues every last Wei of Fat Finger’s money from the DAO
August 1: ETC price rising; ETH dropping; Vitalik’s “I am working 100% on ETH” tweet
August 2: ETH falls to $8.20, while ETC jumps to new high of $3.53, 43 percent of ETH’s market cap; Bitfinex is hacked and crypto markets slump 14 percent
August 5: White Hat Group starts flying into Neuchatel to work on returning ETC
August 6: Call with Bitcoin Suisse
August 7–8: The WHG decides to return money as ETH, not ETC
August 8: The WHG receives its first legal threat, from Berger Singerman; “Fat Protocols” thesis blog post published
August 9: WHG/Bity deposit ETC to exchanges; deposit blocked on Polo, eventually allowed, then trading on Polo blocked
August 10: By phone, second whale demands ETC, not ETH
August 11: The WHG receives a second legal threat, demanding immediate refund of ETC, from MME
August 12: WHG announces decision to distribute the funds as ETC
August 16: WhalePanda publishes blog post “Ethereum: Chain of liars & thieves”
August 18: Stephan publishes an apology
August 26: Bity posts a revised ETC Withdraw Contract and announces it will be deployed
August 30: Bity/WHG deploy the ETC Withdraw Contract
August 31: Polo and Kraken deposit the WHG ETC into the Withdraw Contract
September 6: The final ETC for the White Hat Withdraw Contract is deposited; the presumed DAO attacker moves money from the grandchild Dark DAO on ETC to his or her main account, 0x5e8f
September 15: The Extra Balance Withdraw Contract on Ethereum is funded
September 19: DevCon 2 begins in Shanghai; DoS attacks on Ethereum begin
October: Poloniex employees realize that new owners have been added; sometime this fall, Jules Kim grudgingly gives bitcoin bonus to Johnny Garcia; sometime mid- to late 2016, Jules and Mike Demopoulos allegedly first oppose and then finally acquiesce to adding two-factor authentication to Polo
October 18: Tangerine Whistle hard fork
October 25: Ethereum Asia Pacific Ltd. incorporated in Singapore; DAO attacker begins moving ETC to ShapeShift
November 10: Golem ICO
November 22: Spurious Dragon hard fork
December: Jules and Mike purportedly oppose adding a know-your-customer program to Poloniex so the exchange can comply with US sanctions against Iran; finally acquiesce in first half of 2017

2017
January: Early Poloniex employees sign contracts for options for equity in the company, though they are not approved by the board until April
January 25: EF files for trademark on “Enterprise Ethereum” and “Enterprise Ethereum Alliance”
January 31: Nine ICOs in January raise almost $67 million; MEW hits one hundred thousand visitors in January; global weekly crypto trade volume hits about $1 billion
January/February: Jeff Wilcke collapses
February 27: Enterprise Ethereum Alliance announced; ETH price breaks $15 for the first time since the DAO attack; Taylor Gerring’s contract is not renewed by the EF
February 28: Eight ICOs in February raise just over $73 million; MEW hits 150,000 visits in February
Spring: Poloniex owners begin seeking buyers
March 11: ETH closes above $20 for the first time
March 24: ETH closes above $50 for the first time
March 31: Six ICOs in March raise $22 million; MEW hits three hundred thousand visits in March; global weekly crypto trade volume reaches over $3 billion
April 24: Gnosis ICO ends
April 27: Ming upset about “volunteer” project manager
April 30: Thirteen ICOs in April raise $85.5 million; MEW hits 386,000 visits in April
May 4: ETH closes just shy of $97; in Skype chat, Ming expresses wish to buy domain names associated with Enterprise Ethereum Alliance on the Ethereum domain name system
May 22: ETH closes above $174; Consensus 2017 conference begins
May 23: SEC “crypto czar” Valerie Szczepanik makes her first comments on initial coin offerings
May 25: Token Summit
May 26–27: Ethereum Foundation delays payment to Ethereum DEV UG
May 30: ETH twenty-four-hour volume exceeds that of BTC for the first time; ETH price closes just shy of $232
May 31: Basic Attention Token raises nearly $36 million in twenty-four seconds from 210 buyers; twenty-two ICOs in May raise $229 million; MEW hits one million visits in May
June: Security issues (scams, phishing attempts, hacks) pick up; Poloniex sometimes sees trading volume of $5 billion a week
June 10: ETH price closes just under $338
June 12: Bancor raises $153 million; ETH price closes above $401
June 14: Kelley, Ming, and Patrick Storchenegger meet; Kelley quits
Mid-June to mid-July: Other ETH Dev office staff (CFO Frithjof Weinert and office manager Christian Vömel) also leave
June 20: Status ICO
June 25: 4chan post claims Vitalik is dead; ETH price falls, closes above $303
June 26: EOS launches its yearlong ICO
June 30: Thirty-one ICOs in June raise nearly $619 million; MEW hits 2.7 million visits in June
July 1–13: Tezos ICO raises $232 million
July 11: ETH falls to close below $198
July 13–19: Vitalik expresses to Hudson Jameson he would like to remove Ming
July 16: ETH price closes above $157
July 18: CoinDash hack
July 19: First Parity multisig hack
July 25: SEC DAO report; thirty-five ICOs in July raise more than $555 million; MEW sees 2.6 million visits in July
Early August: Ethereum transaction count begins to consistently exceed that of Bitcoin
August 10: Anthony Di Iorio sends legal letter to Vitalik, Ming, and Herbert Sterchi; Gavin tweets to Vitalik that he could have never built Ethereum without Vitalik
August 31: Forty-one ICOs in August raise nearly $438 million; MEW hits 3.1 million visits in August
September: Weekly trading-volume peaks on Polo drop to $4 billion, down from $5 billion
September 11: Trader from Fidelity and senior vice president from Santander hired at Polo
September 30: Sixty-two ICOs in September raise almost $533 million; MEW hits 3.5 million visits in September
October 27: Polkadot raises over $140 million in ICO
October 27–November 1: Account presumed to be controlled by devops199 appears to conduct penetration testing, as if looking for contract vulnerabilities
October 31: Eighty ICOs in October raise over $3 billion; MEW sees 3.5 million visits in October
November 1–4: DevCon 3 in Cancun, Mexico
November 4: ConsenSys “Ming must go” email chain begins
November 5: Polychain portfolio company San Pedro ceremony
November 6: Second Parity multisig attack; funds frozen by devops199
November 8: Bitcoin hard fork called off
November 14: Vitalik fires Ming by phone
November 15: My email inquiring whether Ming has been fired
November 16: Ming posts in Skype channel to “disavow the rumors”
November 23: CryptoKitties soft launch
November 30: Eighty-four ICOs in November raise nearly $1 billion; MEW sees 4.6 million visits
Early December: Ming, Vitalik, and Casey meet in Hong Kong
December 17: Bitcoin hits new all-time high of $20,000
Late December–early January: Vitalik, Aya Miyaguchi, and Vitalik’s friends have a retreat in Thailand
December 31: Ninety ICOs in December raise $1.3 billion; MEW hits 7.7 million visits

2018
January 1: Friends persuade Vitalik to accelerate Ming’s departure
January 4: ETH breaks past $1,000 to a little over $1,045
January 7: ETH trades at $1,153
January 8: ETH hits just under $1,267
January 9: ETH nearly hits $1,321; around now, Vitalik sells seventy thousand of the EF’s ETH
January 10: ETH reaches $1,417
January 13: ETH hits an all-time high over $1,432; The New York Times publishes “Everyone Is Getting Hilariously Rich and You’re Not”
January 20: Vitalik and board meet in San Francisco to finalize transition from Ming as executive director to Aya
Late January: Polo employees informed Circle will be acquiring Polo
January 31: Seventy-nine ICOs raise $1.28 billion; MEW hits ten million visits; Ming publishes farewell post on Ethereum blog; Aya introduced as new executive director

Glossary

51% attack: a type of attack on a blockchain in which an entity or multiple collaborative entities try to take over a network by obtaining more than half the mining power
2FA: see two-factor authentication
account (aka address): an entity that can receive, hold, and send ether; can be owned either by a person with the private keys or by a smart contract
address: see account
alt-coins: any cryptocurrency that is like Bitcoin with just a few parameters tweaked; also used pejoratively to refer to any coin that is not Bitcoin, aka “shitcoin,” often by Bitcoin maximalists
asset: anything that produces economic value
Bitcoin (uppercase): the first blockchain; the peer-to-peer electronic cash network that runs the software enabling the first cryptocurrency, bitcoin (lowercase), to be transferred without an intermediary
bitcoin (lowercase): the first cryptocurrency, the digital asset native to the Bitcoin network, with a supply of twenty-one million, giving it characteristics of digital gold
Bity: a crypto exchange, based in Neuchatel, Switzerland, that helped Slock.it form a Swiss legal entity so it could take payment from the DAO and helped the White Hat Group in its attempt to return the ETC from the DAO to DAO token holders
block explorer: a website giving data on the transactions in a blockchain
blockchain: a time-stamped, distributed, decentralized, historical ledger of all the transactions on a crypto network; copies of the ledger are held on a global network of computers; it acts as a golden copy of time-stamped transactions that can replace intermediaries normally tasked with executing the transactions
BTC: the ticker for bitcoin
carbonvote: a type of vote by blockchain that does not require the voter to send coins but instead records the number of coins inside the wallet from which the vote was sent; at the end, it tallies the number of coins in the wallets that sent to the yes address versus the number of coins in the wallets that sent to the no address
chain split: see hard fork
child DAO: a new instance of the DAO created from coins sent from a parent DAO
client, software: the piece of software, like a desktop app, that connects a user’s computer to a service; in the case of Ethereum, the software that helped individual users run or connect to the Ethereum network
CME: an exchange for trading futures and options
coin: another word for cryptocurrency or token
CoinMarketCap: a popular cryptocurrency data site ranking coins by their market capitalization
cold storage: the most secure way of storing one’s crypto, with the private keys held offline
consensus (lowercase): the desired state of a blockchain in which all nodes agree on the state of the ledger and on what transactions should be included in what order
Consensus (uppercase): the largest blockchain conference, held annually in New York City by crypto-focused publication CoinDesk
ConsenSys: the Brooklyn-based Ethereum venture production studio founded by Joe Lubin, which created Ethereum infrastructure tools and tried to foster decentralized applications on Ethereum
cryptocurrency: a digital asset produced by a blockchain that is highly fungible, divisible, and transportable and whose movements can be tracked, unless the chain has built-in privacy features
cryptoeconomics (aka tokenomics): the game theory that gives different actors in a crypto network the incentive to offer services on it that will keep the decentralized network alive without any company in the middle hiring employees and tasking them with specific responsibilities
curator, DAO: the role that would determine whether or not an English-language proposal to the DAO matched the code submitted and, if the proposal were approved, check that the Ethereum address for receiving funds belonged to the contractor
cypherpunk: a person or ethos advocating strong encryption and privacy-preserving technologies, often to evade government detection or surveillance or to push for sociopolitical change
DAO: decentralized autonomous organization; an organization managed via votes on a blockchain
DAO, the: the decentralized venture fund built by Slock.it that aimed to have its token holders decide to which projects it would allocate its capital
dapp (decentralized application): any application built on a blockchain without an intermediary, such as a company in the center hiring for all the roles to provide all the services; it instead has built-in incentives, usually involving its native coin, to entice individuals and entities to offer those services on the network
Dark DAO (also see mini Dark DAOs): child DAO 59; the child DAO into which the DAO attacker siphoned 3.64 million ETH
Decentral: the blockchain/decentralized application community center and coworking space in Toronto founded by Anthony Di Iorio
DevCon: the annual Ethereum developer conference
difficulty: a way of keeping a cryptocurrency mining algorithm competitive for miners such that miners will find blocks at a targeted average interval, such as ten minutes on Bitcoin or twelve to fifteen seconds on Ethereum
DoS attack: denial of service attack; a way of hobbling a company or blockchain by spamming it, or inundating it with more requests than it can handle
early contributors: people who worked on Ethereum before the crowdsale
East Asia Pacific Ltd.: a business entity Vitalik Buterin created in Switzerland to have freedom from Ming Chan; it was used to pay the researchers on his team
EEA: Enterprise Ethereum Alliance, the industry organization promoting use of Ethereum in companies
EF: Ethereum Foundation
EIP: Ethereum Improvement Proposal, a technical suggestion for improving things related to the Ethereum network, such as the protocol, clients, or standards for specific types of contracts
ERC-20 token: a token created using a standard for new tokens on Ethereum, so called because it was the twentieth issue posted on a discussion board called Ethereum Request for Comments
ETC: the ticker for the ether classic price
ETH: the ticker for the ether price
ETH Dev: the German business entity (UG) created by Gavin Wood in Berlin; after the crowdsale, it hired the bulk of the developers building the protocol and C++ client
Ethcore (also see Parity): the start-up Gavin Wood founded when he left the Ethereum Foundation, now called Parity
Ethereum Foundation (aka EF or Stiftung Ethereum): the Swiss-based nonprofit organization tasked with stewarding the development of the Ethereum protocol
Ethereum GmbH: the Swiss business entity first set up for Ethereum; even after the founders decided to go with a nonprofit structure, the entity held the crowdsale and then was liquidated after the network launch
Etherscan: a popular “block explorer” or website offering data for the Ethereum blockchain
exchange: a business that enables its customers to trade one asset for another, such as BTC for ETH
Extra Balance: the extra amount people paid to the DAO for DAO tokens after the price increased from 1 ETH:100 DAO in the first half of the crowdsale to 1.05 to 1.5 ETH:100 DAO in the second half
fiat currency: a type of money issued by a government by decree and not backed by anything such as gold
fiduciary members: the group of Ethereum cofounders who would also be financially responsible
FUD: fear, uncertainty, doubt.

pages: 296 words: 86,610

The Bitcoin Guidebook: How to Obtain, Invest, and Spend the World's First Decentralized Cryptocurrency
by Ian Demartino
Published 2 Feb 2016

Both have had millions in venture capital cash funneled into them and both aim to be the leaders in the Bitcoin space for decades to come. In any case, the benefit of web wallets is the convenience they offer. They are easily accessible from a PC or cell phone and both have very friendly UIs (user interfaces). The downside is a sacrifice in privacy and security. Two-factor authentication is available for both services and is highly recommended. “Two-factor authentication” describes any login that demands two different kinds of evidence: something you know (the password) and something you have. That second factor is usually a one-time code, either sent by text message or generated on the phone by an app such as Authy or Google Authenticator. App-generated codes are the better choice, because a code sent by SMS can be intercepted by anyone who manages to take over your phone number; neither kind protects you from a fake login page that relays your code to the real site in real time, so a hardware security key is worth the trouble for the accounts that hold the most value.

Not everyone is the really good hacker they like to portray themselves as—more on this later—but enough of them are that it is safer to assume you are encountering them all the time. As a result, always be vigilant in your security practices. If you have any significant amount of money in an online wallet, then two-factor authentication (i.e., authentication with a pair of elements such as a password and a special one-time use code) is a must. • Scams that work on the Internet in general have been carried over to cryptocurrencies as well, sometimes with a bit more sophistication. Phishing scams are common and the thieves have proven capable of spoofing legitimate Bitcoin companies’ email addresses.

pages: 299 words: 88,375

Gray Day: My Undercover Mission to Expose America's First Cyber Spy
by Eric O'Neill
Published 1 Mar 2019

Simple. Infiltrating email accounts allows spies to collect credentials that provide access to particular networks they’re targeting and create virtual trusted insiders within those networks. Because most people use the same username and password over multiple accounts, and rarely activate two-factor authentication, stealing information about one account can open the doors to many others—from online bank accounts and corporate email accounts filled with valuable intellectual property to sensitive government databases. Armed with an insider account, a Russian spy could monitor government-agency systems to inform policy decisions and collect information on US defense and attack capability.

Podesta forwarded the email to Sara Latham, his chief of staff, and before ten a.m., his efficient staff had forwarded the email twice and received the counsel of Charles Delavan, the IT helpdesk manager for the Hillary campaign. Latham and Podesta received Delavan’s reply: This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on [for] his account. He can go to this link: https://myaccount.google.com/security to do both. It is absolutely imperative that this is done ASAP. Delavan meant to say “this is not a legitimate email,” but damn you, autocorrect. Had he picked up the phone and had a conversation with Sara Latham or, better yet, gotten in his car and driven over to Podesta’s house, no one would have clicked on the link.

In Delavan’s defense, had Podesta’s team followed Delavan’s instructions to the letter, Podesta would have changed his password from within Google’s own account page rather than through the link in the email. Had the Clinton campaign pursued sufficient cybersecurity, Podesta would have used an internal and monitored hillaryclinton.com address that leveraged two-factor authentication and robust encryption rather than a personal Gmail account. Instead, one click changed everything. Latham included Milia Fisher, Podesta’s special assistant, on the chain, and although it is unclear whether Podesta, Fisher, or another staffer clicked on the link in the original email, the act transformed Podesta from a kingmaker to a virtual trusted insider, a compromised mole who had no knowledge of his treachery.

pages: 337 words: 96,666

Practical Doomsday: A User's Guide to the End of the World
by Michal Zalewski
Published 11 Jan 2022

The solution has weaknesses, but also one major perk: the software is much better than humans at making sure that the password is sent only to the original site and not to a scam knock-off, because it matches the site’s exact address rather than its appearance. If the password manager fails to fill in the login form on a seemingly familiar page, it’s a sign that something may be amiss. The final part of fraud-proofing your online presence is to sign up for two-factor authentication (2FA) for critical accounts: banks, brokerages, email providers, and the like. With 2FA enabled, any attempt to log in should require not just the password, but also the entry of a frequently changing code displayed on your phone or provided by a special key fob. Although it’s not a perfect deterrent and not all 2FA implementations are equally robust (codes sent by text message are the weakest, app-generated codes are better, and a hardware security key is the only kind a look-alike login page cannot talk you into handing over), the scheme can frustrate some opportunistic attacks, or at least give you a second chance to think about what’s going on.
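The matching a password manager does before it agrees to fill a form, as an added example (this is not the book’s code nor any particular manager’s implementation): the saved entry and the current page are both reduced to an exact https origin (scheme, host, port) and compared, so the look-alike tricks that fool a human, a hyphen, the real name as a subdomain or as the userinfo part of the URL, a Cyrillic letter, a plaintext copy of the site, all produce a refusal. The saved login URL and the sample pages are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the origin a (hypothetical) password-manager entry was
# saved against, and the pages that might later ask for that password.
SAVED_LOGIN_URL = "https://accounts.google.com/signin"


def normalize_origin(url):
    """Reduce a URL to (scheme, host, port) the way a password manager should
    before deciding to autofill. Returns None when the URL must never be
    filled: not https, no host, an unparsable port, or a host that fails
    IDNA encoding."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; userinfo and port already stripped
        if parts.scheme != "https" or not host:
            return None
        # Encode internationalized hostnames to ASCII so a Cyrillic look-alike
        # becomes a visibly different xn-- label instead of a visual twin.
        host = host.encode("idna").decode("ascii")
        port = parts.port or 443  # .port raises ValueError on junk like :99999
    except (ValueError, UnicodeError):
        return None
    return (parts.scheme, host, port)


def check_fill(saved_url, page_url):
    """Return (allowed, reason). Fill only on an exact origin match; the path,
    query and display text of the page play no part in the decision."""
    saved = normalize_origin(saved_url)
    page = normalize_origin(page_url)
    if saved is None:
        return False, "saved entry is not an https origin"
    if page is None:
        return False, "page is not a well-formed https origin"
    if saved != page:
        return False, f"origin mismatch: saved {saved[1]}:{saved[2]}, page {page[1]}:{page[2]}"
    return True, "exact origin match"


# Constructed phishing-style variants next to the legitimate page.
SAMPLE_PAGES = [
    "https://accounts.google.com:443/ServiceLogin?hl=en",  # same origin, other path
    "https://ACCOUNTS.GOOGLE.COM/signin",                  # only the case differs
    "https://accounts-google.com/signin",                  # hyphen look-alike
    "https://accounts.google.com.evil.example/signin",     # real name as a subdomain
    "https://accounts.google.com@evil.example/signin",     # real name as userinfo
    "http://accounts.google.com/signin",                   # right host, no TLS
    "https://accounts.g\u043e\u043egle.com/signin",        # Cyrillic o's
]


def triage(saved_url=SAVED_LOGIN_URL, pages=SAMPLE_PAGES):
    """Run every sample page against the saved entry: [(url, allowed, reason)]."""
    return [(url, *check_fill(saved_url, url)) for url in pages]


if __name__ == "__main__":
    for url, ok, why in triage():
        print("FILL  " if ok else "REFUSE", url, "--", why)
```

Real managers add a second, looser mode (matching on the registrable domain so that login.example.com and www.example.com share an entry); that needs the Public Suffix List and is deliberately left out here, since getting it wrong is how a credential saved for example.co.uk ends up offered to attacker.co.uk.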

150 totalitarian regimes, 36–39 transfer-on-death directives, 125 transportation disruptions, 12, 158–159 TransUnion, 110 travel expenses, 76 Treasury Inflation-Protected Securities (TIPS), 77 triamcinolone acetonide, 150 A True Story (Lucian of Samosata), 29 TruePeopleSearch.com, 110 28 Days Later, 32 Twitter, 109, 155 two-factor authentication (2FA), 108 two-way radios, 183–190 U umbrella policies, 88 unemployment, 10–11 unintentional injury, 12–13 unrest, 20–21 US Centers for Disease Control and Prevention (CDC), 13 US Geological Survey (USGS), 19 usury, 63 utility outages, 12 V valuables, 201 vandalism, 111 Vanguard Group, 80–81 vehicle accidents, 96–98 vehicle repairs, 163–164 vertigo, 150 vinegar, 148 violence, 13 Virex II 256, 176 virtual private network (VPN) software, 106 visa requirements, 11 vitamin C, 179 volcanoes, 34–35 vomiting, 150 Vox Magazine, 25 W Waco siege, 26 wages, 50 war, 20–21, 39–40 waste disposal, 145–147 water and water outages, 12, 131–135, 145–148, 169 WaterBrick, 133 wealth taxes, 73 weather, 18, 156–158, 168 Weathermen, 27 weight loss, 115–118 West Nile, 26 Westinghouse generators, 156 wet wipes, 149 “What Has Government Done to Our Money?”

pages: 523 words: 154,042

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks
by Scott J. Shapiro

On April 18, Fancy Bear captured credentials and used them to access the DNC network and install X-Agent on thirty-three DNC computers. Fancy Bear penetrated the DCCC and DNC networks because, unlike Hillary for America, these organizations did not use two-factor authentication. Mudge, a well-known hacker who was brought on for security consultation, described his frustration: [The] biggest pushback … was surprising: They refused to require 2fa [two factor authentication]: it would be annoying … The bare minimum defense, which GOOG [Google] has made pretty easy to achieve (they were already using GOOG), which disproportionately raises adversary costs, was too much to ask.

Lukashev might have learned something from this failed phishing attempt, because the next day he sent a new volley of twenty-one emails. These addresses were valid and the messages did not bounce. Perhaps he stole a contact list this time. Nevertheless, the phishing messages were ineffective. The campaign required two-factor authentication, deleted emails after thirty days, and trained staffers on how to spot phishing attempts. Robby Mook, the campaign manager, had signs of toothbrushes placed in bathrooms that read, “You shouldn’t share your passwords either.” It is ironic that a candidate who would be excoriated by some for her poor cybersecurity (“But her emails!”)

Since Fancy Bear had sent three waves of identical phishing messages in the past two weeks, Delavan would not have been fooled by the fake Podesta email. He probably did mean to type “This is not a legitimate email.” We should also not forget that Delavan’s response was catastrophic because Podesta had not enabled two-factor authentication on his personal Gmail account. Had Podesta been more careful, Fancy Bear could not have taken over his account—the Russian hackers wouldn’t have had the second factor. The Podesta inbox was not just a treasure trove of embarrassing messages; to switch metaphors, it was a big bucket of spear-phishing bait.

Digital Accounting: The Effects of the Internet and Erp on Accounting
by Ashutosh Deshmukh
Published 13 Dec 2005

The standard password is called one factor authentication. Passwords can be strengthened by using a two-factor authentication. In two-factor authentication, users have to present some form of identification either before they are allowed to enter passwords or concurrently with the passwords. For example, security tokens can be used along with passwords. Some security tokens display a number on the token that is synchronized with the network computer; this number changes after a fixed interval, such as 60 seconds. In a two-factor authentication, a user will have to type in this number and his/her password to access network resources.
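The time-synchronized token Deshmukh describes is what RFC 4226 (HOTP) and RFC 6238 (TOTP) standardize: token and server share a secret seed, and the displayed number is an HMAC over the current 30-second interval count, truncated to a few decimal digits. The following is an added example, not code from the book; it uses only the Python standard library and the seed from the RFC test vectors (the base32 form is how authenticator apps carry it). The clock-skew window and the replay guard in verify_totp are design choices of this example, not something the RFCs mandate.

```python
import base64
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. Token and server must share `key`."""
    return hotp(key, int(for_time) // step, digits, algo)


def verify_totp(key: bytes, code: str, now: float, last_used: int = -1,
                step: int = 30, digits: int = 6, window: int = 1, algo: str = "sha1"):
    """Server-side check. Returns the matched counter, or None.
    - window: also accept the +/- `window` adjacent steps so a token whose
      clock has drifted a little still works (this example's choice).
    - last_used: highest counter already accepted for this user; a code at
      or below it is a replay and is refused even though it is still valid.
    - compare_digest avoids leaking which digits matched through timing."""
    if not (code.isdigit() and len(code) == digits):
        return None
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(key, c, digits, algo), code):
            return c
    return None


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps receive the seed base32-encoded (otpauth:// URIs),
    often unpadded and with spaces; normalise before decoding."""
    secret = secret.replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


if __name__ == "__main__":
    # Seed from the RFC 4226/6238 test vectors ("12345678901234567890"), not a real secret.
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key, time.time()))
    print("RFC 6238 vector (t=59, 8 digits):", totp(key, 59, digits=8))  # 94287082
```

Two things a naive server implementation gets wrong are visible here: comparing the code with `==` instead of a constant-time compare, and accepting the same code twice within its 30-second window, which turns a shoulder-surfed or phished code into a reusable credential until the step rolls over.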

Index 393 SSL 335 Standardized Generalized Markup Language (SGML) 44 standard manifest 2 stateful inspection 351 statistical analysis 268 steganography 329 stored value cards 169 straight-through processing (STP) 299 strategic enterprise management (SEM) 308 strategic management 293 STN (SunGard Transaction Network) 299 STP (straight-through processing) 299 Structured Query Language (SQL) 19 SUNGARD 297 SunGard Transaction Network (STN) 299 SunGard Treasury System 297 supplier data interchange 18 supplier life cycle management (SLM) 193 supplier relationship management (SRM) 33, 191, 193 supplier relationship management/eprocurement 40 supplier selection strategy 194 supply chain cockpit (SCC) 248 supply chain collaboration 247 supply chain cost accounting 251 supply chain costs 251 supply chain design 235 supply chain event management (SCEM) 243 supply chain execution 237 supply chain financing costs 253 supply chain inventory costs 253 supply chain management (SCM) 33, 40, 232 supply chain monitoring 247 supply chain operations reference model (SCOR) 245 supply chain performance management (SCPM) 244 supply network planning 246 supply planning 235 symmetric encryption (private key) 346 system integrity techniques 362 SysTrust 372 T T&E (travel and entertainment )expenses 215, 219 TAD (trade acceptance drafts) 181 tags 44 target costing 254 TCP/IP 114, 353 telemarketing 137 thick client 21 thin client 21 third-party add-on products 32 three-factor authentication 343 trade acceptance drafts (TAD) 181 transaction manager 299 transaction set 93 TransactionVision 364, 367 translator 96 transportation builder 246 transportation planning 247 transportation-in and -out costs 252 travel and entertainment (T&E) expense 215, 219 treasury function 294 Trojan horses 327 trust services 372 tunneling 353 two-factor authentication 343 U UCITA (Uniform Computer Information Transactions Act) 332 UETA (Uniform Electronic Transactions Act) 332 UNIX (uniplexed information and 
computing system) 24 U.S. GAAP CI taxonomy 67 U.S. Patriot Act 378 UCC 200, 323 Uniform Computer Information Transactions Act (UCITA) 332 Uniform Electronic Transactions Act (UETA) 332 uniplexed information and computing system (UNIX) 24 Copyright © 2006, Idea Group Inc.

pages: 288 words: 66,996

Travel While You Work: The Ultimate Guide to Running a Business From Anywhere
by Mish Slade
Published 13 Aug 2015

Good lesson to learn! "How I learned to balance work, family, and life through remote work": www.worktravel.co/buffer8 The highs and lows of 11 cities in 3 months: www.worktravel.co/buffer9 *[Two-factor authentication is a simple security feature that requires both "something you know" (like a password) and "something you have" (like your phone). For example, if you enable two-factor authentication on your Google account, you'll have to enter your password as usual, and then you'll be asked for a verification code that will be sent to your phone via text, voice call, or the Google mobile app.

pages: 205 words: 71,872

Whistleblower: My Journey to Silicon Valley and Fight for Justice at Uber
by Susan Fowler
Published 18 Feb 2020

When I stood before the camera, I tried to give an elegant, pretty smile, but I couldn’t help myself: I was so excited to be there that I couldn’t help but let a goofy, giddy smile light up my face. We were ushered into a conference room and each given our own MacBook, which was set up with security and tracking software, email, two-factor authentication, and the internal chat application. (By then, I took being handed a brand-new several-thousand-dollar laptop for granted; we all did.) We briefly toured part of the floor—the Death-Star-like, black-walled cafeteria that turned into the all-hands space every Tuesday morning, the bathrooms, the IT help desk, the rows of desks and conference rooms, and a glimpse at what we were told was “the notorious war room.”

I declined with a laugh, then did some detective work on my own, only to find that the PI firm that she worked for dealt almost exclusively with cases in which it helped companies who were trying to discredit victims of sexual harassment and sexual assault. Meanwhile, someone was also trying to get into my social media accounts. My phone would “ding” whenever I received a two-factor authentication text belonging to my email account, my Facebook account, or my Twitter account, which meant that someone was trying to hack into my accounts. I reset my passwords. I changed my passwords frequently, and even got a second phone for 2FA texts, but it wasn’t enough. My Facebook account was hacked several times, as were several old email accounts I hadn’t used in years.

pages: 651 words: 186,130

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
by Nicole Perlroth
Published 9 Feb 2021

By the time its checklist was complete, years later, Google’s mission would include one radical addition: neuter the world’s stockpiles of zero-day exploits and cyberweapons in the process. Google introduced new protocols not just for employees but for its hundreds of millions of Gmail users. The company had been toiling with a two-factor authentication system for some time—the additional security step that requires users to enter a second temporary password, often texted to their phone, whenever they log in from a strange device. Two-factor authentication—2FA for short—is still the best way to neutralize a hacker with a stolen password. And by 2010, stolen passwords were everywhere. Hackers religiously scanned the internet for weaknesses, broke into password databases, and dumped them on the dark web.

At CISA, Krebs dispatched his deputy, Matt Masterson, the former commissioner of the Election Assistance Commission, to go state to state, hat in hand, to plead with states and counties to scan and patch their systems for vulnerabilities, lock up voter registration databases and voter rolls, change passwords, block malicious IP addresses, turn on two-factor authentication, and print out paper backups. The pandemic had upended the election, shuttered polling places, and pushed millions more Americans to vote by mail. In some ways this made the election more secure: Mailed ballots had a built-in paper trail, but it also made the voter registration databases that much more precious.

., administration, foreign relations China, here, here, here, here, here Iran, here Middle East, here North Korea, here Russia, here, here, here, here Saudi Arabia, here Ukraine, here Trusted Aircraft Information Program Download Station (TADS), here Turbine robot (NSA), here Turing, Alan, here Turkey, here, here Twitter, here, here, here, here, here, here two-factor authentication (2FA), here, here Tyler Technologies, here UAE, here, here, here, here UAE Five, here Uber, here UglyGorilla, here Uighur, here Uighur Muslims, here, here, here, here Ukraine measles outbreak, here Russian invasion of, here Trump’s threats against, here Ukraine, Russian cyberattacks in election interference, here, here elections, here election systems, here factors limiting, here individuals, here infrastructure, here, here, here, here, here, here, here media attacks, here nuclear plants, here purpose, here, here Unit 8200 (Israel), here, here, here, here Unit 61398 (China), here Unit 74455 (Russia), here United Kingdom, here United States allies, hacking, here cyber-arms control agreement, China, here cyberattack preparedness, here cyber capabilities, global advantage, here Cyber Command, here, here, here, here, here cyber defense capabilities, here cybersecurity, path to, here cyberspying via U.S. 
companies, here cyberwar operations, here cyberweapons arsenal, here data breaches, growth in, here defense and intelligence spending, here digital vulnerability, addressing, here election interference, here moral authority, here sponsoring state terrorism, here trust deficit, here underestimating adversaries, here, here VEP (Vulnerabilities Equities Process), here, here, here, here vulnerabilities, here war in Afghanistan, here war in Iraq, here zero-day market control, here zero-day stockpile, here, here, here, here United States, foreign relations Argentina, here, here China, here, here, here, here, here, here, here, here Germany, here Iran, here, here, here, here Israel, here, here Middle East, here North Korea, here, here Russia, here, here, here, here, here, here Saudi Arabia, here Ukraine, here Universal Health Services, here vaccination debate, here, here Vault7, here Verisign, here, here Verizon, here Vincenzetti, David, here, here, here virtual private network (VPN), here VirusTotal, here, here VM Ware, here voter registration system hacks, here voter registration systems, here, here, here voting, online, here VR Systems, here Vulnerabilities Equities Process (VEP), here, here, here, here Vulnerability Research Labs (VRL), here, here Vupen, here, here, here, here Walsh, Declan, here Wang, Vera, here WannaCry (North Korea), here, here, here, here, here, here Ware, Willis H., here Ware Report, here War on Terror, here Warner, Mark, here warrantless wiretapping, here, here Washington Post, here Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, here Wasserman Schultz, Debbie, here watering-hole attacks, here, here Watters, John P., here, here, here, here, here, here Watts, Clint, here Weatherford, Mark, here WhatsApp, here, here, here, here Where’s My Node?

pages: 252 words: 75,349

Spam Nation: The Inside Story of Organized Cybercrime-From Global Epidemic to Your Front Door
by Brian Krebs
Published 18 Nov 2014

Dropbox, Facebook, and Twitter offer additional account security options beyond merely encouraging users to pick strong passwords. To check if your email or social network or other communications provider allows you to supplement your account security with two-factor authentication, check out the website twofactorauth.org. If your provider is listed with a check mark, click the icon under the “Docs” column next to that provider for a link to instructions on how to configure and enable this feature. Password Madness Enabling two-factor authentication is a good way to increase your account’s security, but if you’re relying on crummy passwords to begin with, you’re still dangerously exposed. Plus, not every important service or site offers two-factor protections yet.

pages: 433 words: 130,334

Docker: Up & Running: Shipping Reliable Containers in Production
by Sean Kane and Karl Matthias
Published 14 May 2023

To ensure that the bot can log in, we also need to disable two-factor authentication, which is enabled by default. To do this, click Settings at the bottom of the Administration sidebar on the left side of your browser (Figure 8-9). Figure 8-9. Rocket.Chat Administration settings The Settings screen is displayed (Figure 8-10). Figure 8-10. Rocket.Chat Accounts settings In the new text search bar, type totp, then click the Open button under Accounts. You should now see a long list of settings (Figure 8-11). Figure 8-11. Rocket.Chat TOTP settings Scroll down to the Two Factor Authentication section, expand it, and then deselect the Enable Two Factor Authentication option.

Once you have done this, click “Save changes.” At the top of the left side of the Administration panel, click the X to close the panel (Figure 8-12). Figure 8-12. Rocket.Chat close Administration panel In the left side panel under Channels, click “general” (Figure 8-13). Figure 8-13. Rocket.Chat general channel And finally, if you don’t already see a message in the channel that “Hubot has joined the channel,” go ahead and tell Docker Compose to restart the Hubot container. This will force Hubot to try and log into the chat server again, now that there is a user for the service to use: $ docker compose restart hubot Restarting unix_hubot_1 … done If everything went according to plan, you should now be able to navigate back to your web browser and send commands to Hubot in the chat window.

pages: 677 words: 206,548

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It
by Marc Goodman
Published 24 Feb 2015

Thus use only well-known and established companies such as 1Password, LastPass, KeePass, and Dashlane, most of which work across your computer, smart phone, and tablet. In addition, many services such as Google, iCloud, Dropbox, Evernote, PayPal, Facebook, LinkedIn, and Twitter offer two-factor authentication, which involves sending you a separate onetime password every time you log on, usually via an SMS message or app directly to your mobile phone. Using two-factor authentication means that even if your password is compromised, it cannot be used without the second authentication factor (physical access to your mobile device itself). Download Download software only from official sites (such as Apple’s App Store or directly from a company’s own verified Web site).

Worse, Crime, Inc. organizations such as Russia’s CyberVor have amassed more than 1.2 billion user names and passwords, which they can use to unlock accounts at will. Plainly stated, our current system of just using a user name and password is utterly broken. There are some measures we can take today that will provide additional layers of protection. One example is the two-factor authentication offered by Google, Microsoft, PayPal, Apple, Twitter, and others, which combines your user name and password with something you have such as a security token, key fob, or mobile phone. Most consumer Internet companies use your smart phone as the second factor by sending you a onetime code via text message that you must also enter to gain access to your account.

Thus even if a hacker cracked your bank account, social media service, or social media profile password, he would still need access to your phone and text message, something he would be unlikely to have if you and your phone were in New York and the hacker in Moscow. While two-factor authentication is definitely a step in the right direction, these systems can be subverted via man-in-the-middle attacks, which intercept text messages via mobile phone malware. To that end, many smart-phone companies such as Apple and Samsung are moving toward another form of two-factor security, combining something you know with something you are—such as your biometric fingerprint or voice identity.

pages: 362 words: 86,195

Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet
by Joseph Menn
Published 26 Jan 2010

“One part of it that absolutely has to happen is the ‘red’ and ‘green’ Internet,” Paller said. “The red Internet is what we have now, where nobody knows you’re a dog, and with green you have absolute knowledge of who you’re dealing with.” An increasing number of authorities are sounding the same theme. “Do we need to develop an enhanced Net, with two-factor authentication [such as passwords and tokens] and secure fingerprints? These are the things we should be working toward, including changing TCP,” the basic protocol Cerf co-wrote, said former cybersecurity czar Schmidt. “I support that. We need to make a good investment in looking toward that direction, instead of fixing it for this week.”

State Farm Insurance Stepanenko, Roman Stepanov, Denis Stepanov, Vyacheslav Sterling, Rachelle Stern, Howard Stewart, Joe Stone, Roger Storm StormPay Stran Strause, Jonathan Straw, Jack Students for a Free Tibet Superbowl Sunday (2004) Sweden Symantec Taiwan Tambov gang Tan Dailin Team Cymru TeliaSonera Terrorism Tethong, Lhadon Texas Hold’Em Thomas, David R. Thomas, Rob Tibet Time Warner Inc. Titan Rain TiVo T.J. Maxx TJX T-Mobile Tom, Scott Top Layer Torpig Travel Channel Trend Micro Trojan horses Tsastsin, Vladimir Tucows Turner, Dayton Twitter Two-factor authentication TypePad.com Tyukanov, Anatoly “Vox,” U.K. Royal Mail Ukraine Ultimate Bet Ultimate Poker UltraDNS Corp. UN. See United Nations Underground economy CarderPlanet and denial-of-service attacks and identity theft and law enforcement and Shadowcrew and viruses and United Kingdom.

pages: 304 words: 80,143

The Autonomous Revolution: Reclaiming the Future We’ve Sold to Machines
by William Davidow and Michael Malone
Published 18 Feb 2020

The banks made the same mistake again in 2017, almost sixty years after the appearance of the first plastic American Express credit card, when they announced the Zelle payment system.38 Once again, business urgency trumped security. The banks had fallen behind PayPal’s Venmo in the race to allow consumers to quickly and inexpensively transfer money between accounts. The Zelle payment system put them in the lead, but it also allowed member banks to participate with very low levels of security. Two-factor authentication was not required. Some banks did not even notify customers when transfers were initiated. Many customers only learned about Zelle when money was stolen from their accounts.39 Given the size and the importance of the banks that were backing Zelle, the high stakes of the competition, and the increasing levels of credit card theft, you would have thought the banks would have wanted to set an example for safety and security.

It will be a system of well-planned defensive measures. The U.S. government needs to pass laws and regulate behavior so that businesses, utilities, government institutions, and private individuals will install strong defensive measures and require their use. It will have to force lazy members of the public to use two-factor authentication. It will need to inspect banks, utilities, and businesses to ensure compliance. It will have to mandate that energy companies take steps to harden their networks, so that their pipelines do not become 3-kiloton bombs. In recent years, many have complained about regulatory over-burden. It goes without saying that the regulatory effort required to harden the country against cyber threats will be very large.

pages: 629 words: 142,393

The Future of the Internet: And How to Stop It
by Jonathan Zittrain
Published 27 May 2009

Hacking a machine to steal and exploit any personal data within is currently labor-intensive; credit card numbers can be found more easily through passive network monitoring or through the distribution of phishing e-mails designed to lure people voluntarily to share sensitive information.90 (To be sure, as banks and other sensitive destinations increase security on their Web sites through such tools as two-factor authentication, hackers may be more attracted to PC vulnerabilities as a means of compromise.91 A few notable instances of bad code directed to this purpose could make storing data on one’s PC seem tantamount to posting it on a public Web site.) Finally, even without major security innovations, there are incremental improvements made to the growing arsenals of antivirus software, updated more quickly thanks to always-on broadband and boasting ever more comprehensive databases of viruses.

On average, therefore, in 2006 there were 7.8 million blocked phishing attempts and 887 unique phishing messages each day.” Zulfikar Ramzan & Candid Wüest, Phishing Attacks: Analyzing Trends in 2006 (2007), www.ceas.cc/2007/papers/paper-34.pdf (emphasis added). 91. Some early versions of two-factor authentication, such as identifying a preselected picture on a bank’s Web site customized to the customer, are in fact not very secure. See Jim Youll, Why SiteKey Can’t Save You (Aug. 24, 2006), http://www.cr-labs.com/publications/WhySiteKey-20060824.pdf. More promising versions require new hardware such as USB dongles or biometric readers on PCs—a fingerprint or retina scanner that can be used in addition to a password to authenticate oneself to a bank.

EchoStar, 103–4, 107, 108 tolerated uses, 119–22, 190–91 traffic lights: cameras at, 116–17; and verkeersbordvrij, 127–28 tragedies of the commons, 158 transclusion, use of term, 226–27 transferability, 73 transmission speed, irregularity of, 32 trial and error, learning by, 236 Trumpet Winsock, 29 trust: assumptions of, 20–21, 30–32, 39–40, 134, 135, 147; trade-offs with, 33 trusted systems, 105 Tushman, Michael, 24 Twain, Mark (Samuel Clemens), 212, 213 two-factor authentication, 53 typewriters, “smart,” 15, 19, 20, 34 unitary rights holder, 189 United States v. Am. Library Ass’n, 282–83n62 Unix operating system, 39, 132, 190 U.S. Census, 11 user-generated content, 146, 147 user ID, 32, 195 U.S. General Accounting Office (GAO), 38–39 U.S. government, research funding from, 27, 28 U.S.

pages: 514 words: 152,903

The Best Business Writing 2013
by Dean Starkman
Published 1 Jan 2013

He didn’t even have to actually attempt a recovery. This was just a recon mission. Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot. This was how the hack progressed. If I had some other account aside from an Apple e-mail address or had used two-factor authentication for Gmail, everything would have stopped here. But using that Apple-run me.com e-mail account as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being hacked.

And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz. Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

pages: 135 words: 26,407

How to DeFi
by Coingecko , Darren Lau , Sze Jin Teh , Kristian Kho , Erina Azmi , Tm Lee and Bobby Ong
Published 22 Mar 2020

Argent is a non-custodial wallet that offers ease-of-use and high security, something that does not always go hand-in-hand. It does so by utilizing Argent Guardians, which are people, devices, or third-party services that can verify your identity. Examples include family and friends who are also Argent users, other hardware or Metamask wallets, or two-factor authentication services. By utilizing this limited circle of trust network, Argent is rethinking the need for paper-based seed phrase backups when recovering accounts. Argent Guardians allows you to lock your wallet and instantly freeze all funds in the event you believe your wallet has been compromised.

pages: 98 words: 30,109

Remote: Office Not Required
by Jason Fried and David Heinemeier Hansson
Published 29 Oct 2013

Use a unique, generated, long-form password for each site you visit, kept by password-managing software, such as 1Password.§ We’re sorry to say, “secretmonkey” is not going to fool anyone. And even if you manage to remember UM6vDjwidQE9C28Z, it’s no good if it’s used on every site and one of them is hacked. (It happens all the time!) 6. Turn on two-factor authentication when using Gmail, so you can’t log in without having access to your cell phone for a login code (this means that someone who gets hold of your login and password also needs to get hold of your phone to log in). And keep in mind: if your email security fails, all other online services will fail too, since an intruder can use the “password reset” from any other site to have a new password sent to the email account they now have access to.

pages: 540 words: 103,101

Building Microservices
by Sam Newman
Published 25 Dec 2014

More or less they use the same core concepts, although the terminology differs slightly. The terms used here are from SAML. When a principal tries to access a resource (like a web-based interface), she is directed to authenticate with an identity provider. This may ask her to provide a username and password, or might use something more advanced like two-factor authentication. Once the identity provider is satisfied that the principal has been authenticated, it gives information to the service provider, allowing it to decide whether to grant her access to the resource. This identity provider could be an externally hosted system, or something inside your own organization.

These systems allow you to store information about principals, such as what roles they play in the organization. Often, the directory service and the identity provider are one and the same, while sometimes they are separate but linked. Okta, for example, is a hosted SAML identity provider that handles tasks like two-factor authentication, but can link to your company’s directory services as the source of truth. SAML is a SOAP-based standard, and is known for being fairly complex to work with despite the libraries and tooling available to support it. OpenID Connect is a standard that has emerged as a specific implementation of OAuth 2.0, based on the way Google and others handle SSO.

pages: 387 words: 119,409

Work Rules!: Insights From Inside Google That Will Transform How You Live and Lead
by Laszlo Bock
Published 31 Mar 2015

For example, since 2013 we’ve partnered with the Berkeley County School District in South Carolina, near one of our data centers, to recruit and provide computer science and math teaching fellows to help more than 1,200 students become exposed to and interested in the fields.

lxviii Two-factor authentication is a kind of security where, in addition to a password, you need a second piece of information to verify your identity. For example, when you buy gasoline you swipe your credit card and also need to enter your home zip code. Similarly, if you turn on two-factor authentication with Gmail, you’ll need your password and also a numeric code generated by your phone or other device to log in.

lxix You weren’t expecting zombies, were you?

pages: 494 words: 121,217

Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency
by Andy Greenberg
Published 15 Nov 2022

Hansa’s two bosses would give him a raise, but only if he agreed to become a third admin of the site. The moderator was overjoyed, immediately accepting. Then they explained that for him to become an admin, they’d have to either arrange a meeting in person or get his mailing address so that they could give him a two-factor authentication token—a physical USB stick plugged into a PC to prove his identity and keep his account secure. In his next message, the moderator’s tone suddenly changed. He explained that he had made a promise to himself that if his bosses at Hansa ever asked for his identifying information or tried to meet him in person, he would immediately quit and wipe all of the devices he had used in his moderator job.

That moderator’s sudden decision—a very wise one, likely saving him from a prison sentence—meant that the admins now had an opening to fill. So they began advertising that they were taking applications for a new moderator. At the end of a series of questions about qualifications and experience, they would ask “successful” applicants for their address so that they could mail them a two-factor authentication token. Some, eager for the job, handed over the locations of their homes. “Please don’t send the cops to this address hahahahahaha just kidding,” one would-be moderator wrote, as he, in fact, sent his address to the cops. “I trust you guys because Hansa support was always good and helpful.”

Mastering Blockchain, Second Edition
by Imran Bashir
Published 28 Mar 2018

This practice is known as single-factor authentication, as there is only one factor involved, namely, something you know, that is, the password and username. This type of authentication is not very secure for a variety of reasons, for example, password leakage; therefore, additional factors are now commonly used to provide better security. The use of additional techniques for user identification is known as multifactor authentication (or two-factor authentication if only two methods are used). Various authentication factors are described here: The first factor is something you have, such as a hardware token or a smart card. In this case, a user can use a hardware token in addition to login credentials to gain access to a system. This mechanism protects the user by requiring two factors of authentication.

A user who has access to the hardware token and knows the login credentials will be able to access the system. Both factors should be available to gain access to the system, thus making this method a two-factor authentication mechanism. If the hardware token is lost, on its own it won't be of any use unless something you know, the login password, is also used in conjunction with the hardware token. The second factor is something you are, which uses biometric features to identify the user. With this method, a user's fingerprint, retina, iris, or hand geometry is used to provide an additional factor for authentication.

Learning Ansible 2 - Second Edition
by Fabio Alessandro Locati
Published 21 Nov 2016

AWS Identity and Access Management

To allow you to manage users and access methods, Amazon provides the IAM service. The main features of the IAM service are:

• Create, edit, and delete users
• Change user password
• Create, edit, and delete groups
• Manage users and group association
• Manage tokens
• Manage two-factor authentication
• Manage SSH keys

We will be using this service to set up our users and their permissions.

Amazon relational database service

Setting up and maintaining relational databases is complex and very time-consuming. To simplify this, Amazon provides some widely used DBaaS, more specifically:

• Aurora
• MariaDB
• MySQL
• Oracle
• PostgreSQL
• SQL Server

For each one of those engines, Amazon offers different features and price models, but the specifics of each are beyond the goal of this book.

pages: 192 words: 72,822

Freedom Without Borders
by Hoyt L. Barber
Published 23 Feb 2012

Information by Country. Usenet newsgroup(s)—soc.culture.(name of country).

International Calling Codes. Country and city codes. Website: www.the-acr.com/codes/cntrycd.htm.

Iron Key. IronKey, maker of the world’s most secure flash drive with Internet protection services, brings the power of two-factor authentication, hardware encryption, identity management, and online privacy to consumers and businesses around the world.

Job Search Overseas, UK. Telephone 44 872 870070. Fax 011 44 872 870071.

Overseas Job Network. Telephone 011 44 1273 440220. Fax 011 44 1273 440229. Website: www.overseasjobs.com. Publisher of Overseas Employment Newsletter.

pages: 218 words: 68,648

Confessions of a Crypto Millionaire: My Unlikely Escape From Corporate America
by Dan Conway
Published 8 Sep 2019

I’d put precautions in place, but really, who the fuck knew what type of new exploit they’d come up with? I’d heard many stories of crypto folks, savvier than me, who’d had their coins stolen by hackers, including a well-known Asian venture capitalist who’d had his phone ported to a new line, allowing the hackers to bypass his two-factor authentication. This would later surface as a scourge. Many high-profile crypto investors would suffer sophisticated hacks through phone porting, including Michael Terpin, an early crypto pioneer who lost $223 million to hackers and subsequently sued his carrier. I popped a twenty-dollar bill on the table like the guy in the movies who never cares about getting change.

pages: 226 words: 65,516

Kings of Crypto: One Startup's Quest to Take Cryptocurrency Out of Silicon Valley and Onto Wall Street
by Jeff John Roberts
Published 15 Dec 2020

Typically, this occurred as a result of phishing attacks on a client’s Gmail account—similar to the one Russia directed at the Democratic political operative John Podesta prior to the 2016 election. Once a Coinbase customer’s Gmail account was compromised, the hackers could ask to reset their password and steal their crypto. Like banks and other sites, Coinbase required two-factor authentication—customers had to enter a code delivered to their phone before changing a password. Hackers found a way to get around this obstacle, however, by bribing employees at cell phone companies like AT&T. In exchange for a few dollars, a corrupt (or sometimes naive) employee would agree to change the SIM card associated with a customer’s account.

pages: 237 words: 74,109

Uncanny Valley: A Memoir
by Anna Wiener
Published 14 Jan 2020

“Email is about as secure as a postcard,” he’d remind me, as we wandered between families at the farmers market in Fort Greene Park. “You don’t expect your mailman to read it, but he could.” I had listened patiently as he tried to teach me about cryptocurrencies and the promise of the blockchain, the shortcomings of two-factor authentication, the necessity of end-to-end encryption, the inevitability of data breaches. The romance didn’t last, but in its wake we had fallen into a rhythm of exchanging insecure emails on niche topics, like 1980s interface design, binary code, and public-domain art, and occasionally meeting for chaste, geriatric cultural activities.

pages: 328 words: 77,877

API Marketplace Engineering: Design, Build, and Run a Platform for External Developers
by Rennay Dorasamy
Published 2 Dec 2021

Another step in their evolutionary journey was providing access via web and mobile application channels. There are countless challenges – I’ll highlight just one which probably never featured in the “lab” environment – phishing. Client login credentials could be easily socially engineered by simply calling an end user posing to be an employee of the financial institution. Mechanisms like two-factor authentication (2FA) are prevalent today – however, these were not readily available when the channel was first established. With the experience gained from establishing other channels, organizations have far more insight into potential vectors of attack. Attacks on a bank’s physical buildings and ATMs may also be easier to defend as threats are tangible.

pages: 275 words: 84,980

Before Babylon, Beyond Bitcoin: From Money That We Understand to Money That Understands Us (Perspectives)
by David Birch
Published 14 Jun 2017

Imagine something like M-Pesa but run by the Bank of England. Everyone has an account and you can transfer money from one account to another using a mobile phone app (this could use the trusted execution environment (TEE) that is found in modern smartphones: a secure microchip similar to the one on your bank card) or by logging in with two-factor authentication to any one of a number of service providers that use the Bank of England API to access the accounts or by phoning a voice recognition and authentication service. Drawing on my company’s experiences from M-Pesa, the Token Administration Platform in Nigeria and other population-scale mobile-centric systems that we have advised on, I think that this API might be the single most important thing that a Brit-Pesa would deliver to the British economy.

pages: 309 words: 79,414

Going Dark: The Secret Social Lives of Extremists
by Julia Ebner
Published 20 Feb 2020

Whenever his target’s protection was too strong, he resorted to hacking the accounts of their relatives or friends to access private chats. For example, the messages of the federal chairman of the Green Party Robert Habeck got leaked after his wife’s Facebook account had been hacked. The hacker even managed to crack accounts with activated two-factor authentication by calling up the customer services of Twitter and phone companies to deactivate or obtain the two-factor codes. Both political decision makers who neglected to install better cyber-protection mechanisms and the security agencies who failed to foresee such an attack share responsibility.

pages: 302 words: 85,877

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
by Joseph Menn
Published 3 Jun 2019

Ted Julian, who had started as @stake marketing head before it merged with the L0pht, cofounded a company called Arbor Networks with University of Michigan open-source contributor and old-school w00w00 hacker Dug Song; their company became a major force in stopping denial-of-service attacks and heading off self-replicating worms for commercial and government clients. Song would later found Duo Security and spread vital two-factor authentication to giant firms like Google and to midsize companies as well. Song got to know cDc files and then members online before being wowed in person by the Back Orifice release. In 1999, he put out dsniff, a tool for capturing passwords and other network traffic. While Arbor was mulling more work for the government, Song quietly developed a new sniffer that captured deeper data.

pages: 282 words: 92,998

Cyber War: The Next Threat to National Security and What to Do About It
by Richard A. Clarke and Robert Knake
Published 15 Dec 2010

It could be a beautiful speech, and it could make us safer.

Glossary: A Guide to the Cyber Warrior’s Acronyms and Phrases

Authentication: Procedures that attempt to verify that a network user is who he or she claims to be. A simple authentication procedure is a password, but software can be used to discover passwords. “Two-factor” authentication is the use of a password and something else, such as a fingerprint or a series of digits generated by a fob, a small handheld device.

Backbone: The Internet backbone consists in the coast-to-coast trunk cables of fiber optics, referred to as “big pipes,” run by the Tier 1 ISPs.

Border Gateway Protocol (BGP): The software system by which an ISP informs other ISPs who its clients are so that messages intended for the client can be routed or switched to the appropriate ISP.

pages: 332 words: 100,601

Rebooting India: Realizing a Billion Aspirations
by Nandan Nilekani
Published 4 Feb 2016

Instead of calling a central number, you could book a taxi using an app on a smartphone, track its location and arrival time via GPS, and pay via a credit card online. People were enthralled by the experience, and Uber experienced a surge in popularity. However, this auspicious beginning was soon marred by regulatory troubles. First, the Reserve Bank of India objected to Uber’s payment model, which violated the RBI mandate of a two-factor authentication for all credit card payments—designed to increase transaction security and reduce fraud. Uber initially managed to avoid this requirement by routing payments through a foreign gateway, since foreign exchange payments are exempt from the RBI’s authentication rules. However, the RBI demanded that Uber either follow the same rules that applied to India-based taxi service providers or shut shop.4 Worse was to follow.

pages: 404 words: 95,163

Amazon: How the World’s Most Relentless Retailer Will Continue to Revolutionize Commerce
by Natalie Berg and Miya Knights
Published 28 Jan 2019

Additional technology developments, fuelled by the demand for more immersive and portable experiences, have included mobile-optimized websites, apps, and larger devices such as tablets, with bigger touchscreens to interact with them on, and wearables. And security is also evolving from the use of myriad forgettable passwords, to single-sign-on access via Google, Facebook, etc., two-factor authentication, and biometric fingerprint and facial recognition. Likewise, retail has evolved in its use of these technology advances to make the online shopping experience as simple as possible. Amazon’s ‘click to buy’ patent revolutionized online checkout, while brands are working out how to make social shopping pay, with shoppable pins on Pinterest and WeChat’s app-within-app payments dominance in China as notable early successes.

pages: 329 words: 99,504

Easy Money: Cryptocurrency, Casino Capitalism, and the Golden Age of Fraud
by Ben McKenzie and Jacob Silverman
Published 17 Jul 2023

His putative anonymity didn’t mean that people, some unknown adversary perhaps, couldn’t mess with him and make his life difficult. The first indication something was wrong came when James received an email confirming that his Twitter password had been changed. That set off an internal alarm: He hadn’t changed his password, but someone had, bypassing James’s two-factor authentication in the process. His Twitter account was hacked. And he happened to have some important (private) communications there with sources. Having kneecapped his Twitter presence, someone came for his Substack account, where he published articles about Celsius, the murky economics of celebrity NFTs, and other crypto malfeasance.

pages: 364 words: 99,897

The Industries of the Future
by Alec Ross
Published 2 Feb 2016

Gox with details of transactions that had just been made. He got a rush of adrenaline and ran to his computer. His username and password on Mt. Gox had been changed. The cash in the account had been converted to bitcoins and, together with the rest of his bitcoins, had been transferred out of his account. He had used two-factor authentication (using not just a username and password but also an authentication code sent to his mobile phone) for Seals with Clubs because he thought the site seemed a little dodgy. It had not occurred to him to do the same for Mt. Gox because it was so big and ostensibly secure. Douglas fired off emails to Mt.

pages: 416 words: 106,532

Cryptoassets: The Innovative Investor's Guide to Bitcoin and Beyond: The Innovative Investor's Guide to Bitcoin and Beyond
by Chris Burniske and Jack Tatar
Published 19 Oct 2017

CRYPTOASSET VAULTS One of the nice features of Coinbase is that it allows a customer to maintain an easily accessible balance of bitcoin, as well as a more illiquid but highly secure form of storage known as its Vault. Although placing bitcoin balances into the Vault enhances security, it does require two-factor authentication and time delays before withdrawal. This means that moving funds from the Vault takes 48 hours. Coinbase’s dual functionality is like having a checking and a savings account at a bank. Bitcoin that investors need to access quickly can be kept in a regular Coinbase account (the checking account), and for added security additional bitcoin can be held in a Vault account (the savings account).

pages: 382 words: 105,819

Zucked: Waking Up to the Facebook Catastrophe
by Roger McNamee
Published 1 Jan 2019

Current practices caused P&G to ask if it was getting what it paid for. Unilever objected to fake news, extremist content, and the role that the platforms had played in sowing discord. Days later, journalists disclosed that Facebook had sent millions of marketing messages to phone numbers that users had provided as part of a security feature called two-factor authentication, something it had promised not to do. A storm of criticism followed, eliciting a couple of tweets from Facebook’s vice president of security, Alex Stamos, that reprised Facebook’s tin ear to legitimate criticism. Once again, a press revelation confirmed Tavis’s hypothesis about the company’s culture.

Reset
by Ronald J. Deibert
Published 14 Aug 2020

A group of researchers at Northeastern University, Princeton University, and technology website Gizmodo used real-world tests to show that Facebook used contact information, like phone numbers handed over for security reasons, for targeted advertising.60 Users submitted their phone numbers for enhanced two-factor authentication (2FA) security protocols, prompted by Facebook. But unbeknownst to the users, Facebook then used that contact information to target users for advertising. The researchers also revealed that Facebook was collecting “shadow contact information”: if a user shared their contact list and it included a phone number previously unknown to Facebook, that number would then be targeted with ads, without consent.

pages: 338 words: 104,815

Nobody's Fool: Why We Get Taken in and What We Can Do About It
by Daniel Simons and Christopher Chabris
Published 10 Jul 2023

Under a red banner stating, “Someone has your password,” a short note beginning “Hi John” warned him that someone in Ukraine had hacked his Google password, and it urged him to click on a blue “change password” box. According to an AP News report, Podesta’s chief of staff forwarded the message to the campaign’s tech support personnel, who replied that the email was legitimate, provided a proper link to reset Podesta’s password, and advised him to enable two-factor authentication (so that he would have to enter a onetime code, in addition to his password, each time he wanted to log in). Although the “Hi John” email bore some indicia of an authentic email, it came not from Google but from “myaccount.google.com-securitysettingpage.tk.” The .tk at the end of the address meant it came from a territory of New Zealand.

pages: 302 words: 82,233

Beautiful security
by Andy Oram and John Viega
Published 15 Dec 2009

It turned out that this financial institution had more than one client that understood the many benefits that could result from launching a federated authentication program. Not only would system costs be reduced but security would be increased, in part because the client was going to roll out a hardware, token-based solution and thus supplement its traditional username and password combination to create a two-factor authentication system. Since the project had management support from the beginning, we were able to easily pull together the necessary personnel to draft the policy. To address the combination of technical, legal, policy, and business issues, the team brought in a multidisciplined cross-departmental group of internal folks to work with my team on the legal issues.

pages: 394 words: 117,982

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age
by David E. Sanger
Published 18 Jun 2018

But over time, these principles have made the world more humane. Still, there are steps individuals should take to protect themselves and help to avoid becoming collateral damage. Awareness—about what phishing campaigns look like, about how to lock up home-network wi-fi routers, and about how to sign up for two-factor authentication—can help to wipe out 80 percent or so of the daily threat. If we wouldn’t leave our doors unlocked when we leave home, or the keys in the ignition of our cars, we shouldn’t leave our lives exposed on our phones, either. None of that will stop a determined, state-sponsored adversary. Houses can be protected against everyday burglars, but not against incoming ICBMs.

pages: 525 words: 116,295

The New Digital Age: Transforming Nations, Businesses, and Our Lives
by Eric Schmidt and Jared Cohen
Published 22 Apr 2013

This vulnerability—both perceived and real—will mandate that technology companies work even harder to earn the trust of their users. If they do not exceed expectations in terms of both privacy and security, the result will be either a backlash or abandonment of their product. The technology industry is already hard at work to find creative ways to mitigate risks, such as through two-factor authentication, which requires you to provide two of the following to access your personal data: something you know (e.g., password), have (e.g., mobile device) and are (e.g., thumbprint). We are also encouraged knowing that many of the world’s best engineers are hard at work on the next set of solutions.

pages: 521 words: 118,183

The Wires of War: Technology and the Global Struggle for Power
by Jacob Helberg
Published 11 Oct 2021

The Solarium Commission offers many sensible suggestions for increasing cybersecurity, including a third-party authority—like Energy Star assessing products for environmental impact—to certify that new technology complies with the highest cybersecurity standards. That way, when you’re buying new appliances, you’ll know whether the Chinese military could potentially hack your new Roomba or smart fridge. Workplaces—especially attractive targets like defense contractors—should enhance training to promote good cyber hygiene, including mandating two-factor authentication, requiring regular software patches, and understanding the danger posed by phishing. At the same time, the United States needs to do a much better job of recruiting tech talent. It’s hard to believe in the Valley, where talented engineers and coders are a dime a dozen, the U.S. government has more than 37,000 cybersecurity vacancies.86 Across the private sector, there are nearly half a million.87 Each one of those unfilled positions represents an unacceptable gap in our cyber armor.

pages: 527 words: 147,690

Terms of Service: Social Media and the Price of Constant Connection
by Jacob Silverman
Published 17 Mar 2015

It wasn’t the first flash crash linked to automatic trading—that honor goes to the May 2010 Flash Crash, in which the Dow lost 1,000 points and swung back to equilibrium a few minutes later—but it was the first in which social media has played such an obvious role. Both Twitter and the AP were criticized for their lax security, and a few months later, Twitter introduced two-factor authentication, a security measure that should make such incidents less likely in the future. The financial industry didn’t escape scrutiny either, as some commentators, already chastened by the 2010 crash, began to consider the consequences of automated, high-frequency trading. The next frontier in sentiment analysis may be not in what we write but in what we say.

pages: 602 words: 164,940

Velocity Weapon
by Megan E. O'Keefe
Published 10 Jun 2019

“Fully charged, new filters, detailed. Looks solid.” “Pop her open,” Sanda said. Tomas dialed in the request to pop the top, but the tablet threw up a red screen demanding a security override. He scratched the back of his neck. “Not sure I can break this. I’ve got Biran’s dial-in but I bet that’s two-factor authentication with his wristpad. Soon as I punch it in, he knows where we are.” “Never fear.” She shimmied him aside and punched in her own identification tag, then pressed her palm to the reader. The pad flashed green. “The major is here.” “You did not just try to rhyme.” “Hey, it’d flow better if I were a general, but I’m not getting that promotion anytime soon.”

pages: 757 words: 193,541

The Practice of Cloud System Administration: DevOps and SRE Practices for Web Services, Volume 2
by Thomas A. Limoncelli , Strata R. Chalup and Christina J. Hogan
Published 27 Aug 2014

Access means that you have access to the resources needed when responding to an alert: your VPN software works, your laptop’s batteries are charged, you are sober enough to perform operations, and so on. Correcting any problems found may take time. Therefore the checklist should be activated appropriately early, or early enough to negotiate extending the current oncall person’s shift or finding a replacement. For example, discovering that your two-factor authenticator is not working may require time to set up a new one.

14.2.2 Regular Oncall Responsibilities

Once the shift begins you should do...nothing special. During working hours you should work as normal but take on only tasks that can be interrupted if needed. If you attend a meeting, it is a good idea to warn people at the start that you are oncall and may have to leave at any time.

Seeking SRE: Conversations About Running Production Systems at Scale
by David N. Blank-Edelman
Published 16 Sep 2018

These days, more and more companies rely on third parties to serve a very specific function in which they specialize. This includes things like Domain Name System (DNS), Content Delivery Network (CDN), Application Performance Management (APM), Storage, Payments, Email, Messaging (SMS), Security (such as Single Sign-On [SSO] or Two-Factor Authentication [2FA]), Log Processing, and more. Any one of these resources, if not implemented properly, is a dependency that has the capacity to bring down your site. Are vendors black boxes that we don’t control? Not necessarily. As we approach working with vendors, it’s important that we apply the same suite of SRE disciplines to working with third parties in an effort to make it suck less.