Just got this confirmed through an anonymous source at DEF CON, it has indeed been canceled. With feds no longer being welcome there simply would not be enough money made from ticket sales to pay the costs for the venue.
This reads more as an article about how the author believes that all men who approach her are potential rapists. Hitting the feminist fallacy of "All men are evil" square out of the park. This turns away most male readers, exclusive of the most valorous of white knights.
(Source: "I will begin to evaluate the possibility you will do me harm. That possibility is never 0%.")
There is also no real "guy's guide" here, there are a few pointers but they're wrapped in "You're a rapist, Harry" hearsay stories.
Perhaps the author could have either focused more on enlightening male readers about acceptable ways to approach women (top ten lists are still popular on blogs, right?), or better yet disclosed where she is meeting these guys so other females can avoid encountering such douchebags.
And for those who can't find the points in the article:
* Respect women
* Dress nice
* Take subtle clues
* Don't Rape (you don't say?)
Most people who are first interacting with the DMCA law are unfamiliar with the fact it has protections against people filing false notifications.
Without knowing details about this (and not providing legal advice) this may be how it would work:
If the claim is in fact BS, go lawyer up. File a counter notification, wait 10 days and your content will be put back online (unless they file an injunction to keep it offline), then you file suit against the alleged infringer for the statutory damages of $150,000 per false alleged infringement claim. Likely they'll settle out of court for some number less than their legal costs/time.
Pay your lawyer, use the rest to fund your project.
Go out for a pint, and tell the story of how your project was funded by outwitting a scammer.
That sounds really great, but the courts have been very lenient to those who file false DMCA notices and the burden of proof falls on you to prove that it was filed falsely intentionally.
So, I'd say, don't lawyer up yet. File the counter-notice and if they come after you, then get a lawyer and publicity.
So basically it is in the best interest of any company that is interested in filing these claims without regard for publicity to hire a complete imbecile to do it.
Plus aren't statutory damages based on the degree of harm? I think it would be hard to show 150k of harm if this was just a side project for the author.
Filing a false report falls under perjury as defined in the statement on the DMCA takedown notice. This would be a criminal matter but as of yet, I don't know of one case where criminal charges have been filed.
Correct, which may also implicate any "hired guns" lawyers who send DMCA notices for crackpot clients.
In one instance I personally saw, a lawyer sent a false DMCA and they signed it under penalty of perjury for their client. This resulted in a clarification of the perjury that the lawyer may have placed themselves in, and threats to bring it up with the state bar association. Personally I doubted the guy was even accredited in the first place, but the DMCA related harassment stopped promptly.
> A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
The only part that is perjury is if you don't actually represent the client you claim to. Assuming the request isn't from a random person pretending to represent a company they don't, the request is not perjury regardless of how frivolous and unwarranted it is.
MFA and authentication have a much larger scope than what you've brought up here. I should start by saying I think passwords have atrophied and should be replaced, and MFA is the best option we have to replace passwords at this time. However, MFA has flaws many people are unaware of.
I apologize for starting with a contradiction to something you state, but MFA does not neutralize most hacker threats. It only addresses authentication, it's unable to help against software compromises or user compromises -- Phishing attacks would still be effective, as the user will input a valid temporary token. What is MFA effective at preventing? Brute force password attacks, and users choosing bad passwords.
An attacker who compromises an internal system or is successful in egressing a login database will gain the session tokens for logged in users and be able to use that to access compromised accounts (subverting the entire logged in process.)
But, you covered this, so I will digress to mentioning MFA's authentication concerns:
The "forgot password" or "lost my token" systems are always a weak link. Frankly, it's improbable (due to overhead costs) that any bulk service provider (Twitter, Gmail, etc...) would enact a strict verification process beyond automated email/phone verification (and this has been compromised before, look up the attack against Cloudflare's Google services.)
Second to the "lost password/token" attacks, there is the simple attack against the session ID/token. Remember, once you're logged in, your computer will store a token that it shares with the service to verify you are still authenticated. While the token will expire, if the token is active then the system will accept the session ID or token to verify you are logged in. The egress of data from the Twitter login database included these session IDs. Of course, this requires a compromise of the system and not an MFA login compromise.
Finally, on your discussion of using an MFA token for every login, every time. This is actually not true in all cases. A reasonable approach most implementations use is to require MFA for logins from unknown computers/IPs, once a system is verified via MFA a user would likely have a grace period when they would have to enter only their password until that grace period expires and then they would have to verify via MFA again, this could be 1 week, 1 month or 1 year+
Of course these statements I've made are really up to the environment's configuration, ideally in a very strict environment it's expected you verify via MFA each and every time, session IDs are updated automatically with every action and users are aware of security risks. But we don't live in this security/paranoia utopia (and perhaps that's all for the better.)
Hope I've helped spark some discussions on MFA here. Bam, I'm out!
Interesting to think about. And you're right, phishing, breaches of the MFA database, and session jacking (via breaching the session database) are all big problems still.
But it's significantly more difficult to compromise certain accounts with another channel of authentication. Whether it's the initial attack vector (trying to crack some random employee's password) or secondary attack vectors (once access is gained, trying to go up a security level or compromise servers upstream, etc.), if each of those authentications requires (after initial setup) a secondary device, it's just so much harder to crack.
Anyway, I think there's got to be a way to design a security system that partitions secure information. MFA secure cookies (or whatever we want to call long-term session ids associated with authenticated secondary channels), I would hope could slow down access to individual accounts.
Ideally, secure cookies get more sophisticated in the future and truly lend a 'distributed' quality to the architecture (i.e., are just one-time RSA private keys, maybe?). Thus making it very difficult to log in without actual access to the device that the user set up MFA with.
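An added sketch (not from either commenter) of two points raised in the MFA comments above: a grace period during which a device that already passed MFA logs in with the password alone, and session tokens that rotate on every action and are stored only as digests, so a dump of the session table holds no token that can be replayed. The `SessionStore` class, its method names and the one-week `GRACE_SECONDS` are assumptions made for illustration; `device_id` stands in for whatever signed cookie identifies a device.

```python
import hashlib
import secrets

GRACE_SECONDS = 7 * 24 * 3600  # assumed grace period: one week


class SessionStore:
    """Hypothetical in-memory store; keeps only digests of session tokens."""

    def __init__(self):
        self.sessions = {}  # sha256(token) -> user
        self.trusted = {}   # (user, device_id) -> time of last MFA check

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[self._digest(token)] = user  # raw token is never stored
        return token

    def mfa_required(self, user, device_id, now):
        last = self.trusted.get((user, device_id))
        return last is None or now - last > GRACE_SECONDS

    def login(self, user, device_id, password_ok, mfa_ok, now):
        """Return a session token, or None if the login is refused."""
        if not password_ok:
            return None
        if self.mfa_required(user, device_id, now):
            if not mfa_ok:
                return None
            self.trusted[(user, device_id)] = now  # start a new grace period
        return self._issue(user)

    def act(self, token):
        """Validate a token and rotate it: (user, new_token) or None."""
        user = self.sessions.pop(self._digest(token), None)
        if user is None:
            return None
        return user, self._issue(user)
```

A token copied from the client is still valid until the next rotation, so this narrows the window for a stolen session rather than closing it.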
Yes, this is by far the most common answer. However, one would need to remember to bring said special cable, which at that point why don't you just remember to bring the wall wart USB adapter instead of carrying around a charge only cable?
Side benefit: wall wart USB adapters can push more amps to your device (e.g., faster charge) than USB hosts.
Many Android phones do this, however not all. This is up to the specific ROM you are running.
iOS devices have put in a phenomenal effort to secure against these attacks, including requiring encryption keys before allowing unknown computers to access the device or data.
Agreed this is an article churn for advertisement.
Recently this attack was back in the news due to NSA referencing it in a mobile device security paper.
BTW if anyone has questions about it, feel free to ask me. I'm the guy (along with friends) who was building these kiosks and deploying them at "hacker" conferences and then gave a presentation on the matter.
hm i never got it :(
and i tested the address too since i don't use it much!
i'd definitely love to chat though. an alternate just in case is jwb [at] tu [dot] nr