Author Topic: Mustachian People Problems (just for fun)  (Read 5086582 times)

enki

  • 5 O'Clock Shadow
  • *
  • Posts: 28
  • Age: 40
  • Location: Michigan
Re: Mustachian People Problems (just for fun)
« Reply #2250 on: December 02, 2015, 10:52:40 PM »
I wish coloring books for adults was a thing when I was in college. (I can't bring myself to say "adult coloring book"; sounds like you are coloring porn.)

They have those
http://www.amazon.com/Porno-Coloring-Book-Stinky-Johnson/dp/061558649X

What wonders hath capitalism wrought?

G-dog

  • CM*MW 2024 Attendees
  • Senior Mustachian
  • *
  • Posts: 19054
Re: Mustachian People Problems (just for fun)
« Reply #2251 on: December 03, 2015, 01:07:22 PM »
I wish coloring books for adults was a thing when I was in college. (I can't bring myself to say "adult coloring book"; sounds like you are coloring porn.)

They have those
http://www.amazon.com/Porno-Coloring-Book-Stinky-Johnson/dp/061558649X



What wonders hath capitalism wrought?
Hahahaha! I think I would keep running out of pink, peach, tan,  and other flesh tone colors!
There is also a Fetish Coloring Book!
Edited to unfuck the quote chain - sorry about that.
« Last Edit: December 03, 2015, 03:08:06 PM by G-dog »

2ndTimer

  • Magnum Stache
  • ******
  • Posts: 4607
Re: Mustachian People Problems (just for fun)
« Reply #2252 on: December 03, 2015, 01:34:16 PM »
I recently put out the word that I was looking for used piano music to work on when I finished my beginner's book.  Everybody dug out what they had and I now have a stack of piano music two feet high.  I will never master a quarter of it.

Pooperman

  • Magnum Stache
  • ******
  • Posts: 2880
  • Age: 34
  • Location: North Carolina
Re: Mustachian People Problems (just for fun)
« Reply #2253 on: December 03, 2015, 01:45:45 PM »
I took an Amex deal for walmart.com ($15 back for spending $35) and tried to get a $50 mastercard giftcard. The transaction was reversed by walmart for some reason they won't tell me, so I can't complete the offer and get free money :(.

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Mustachian People Problems (just for fun)
« Reply #2254 on: December 03, 2015, 05:43:51 PM »
I took an Amex deal for walmart.com ($15 back for spending $35) and tried to get a $50 mastercard giftcard. The transaction was reversed by walmart for some reason they won't tell me, so I can't complete the offer and get free money :(.

Did the original charge from Walmart actually clear? Because if it didn't, you can still get your Amex offer.

Pooperman

  • Magnum Stache
  • ******
  • Posts: 2880
  • Age: 34
  • Location: North Carolina
Re: Mustachian People Problems (just for fun)
« Reply #2255 on: December 03, 2015, 07:11:49 PM »
I took an Amex deal for walmart.com ($15 back for spending $35) and tried to get a $50 mastercard giftcard. The transaction was reversed by walmart for some reason they won't tell me, so I can't complete the offer and get free money :(.

Did the original charge from Walmart actually clear? Because if it didn't, you can still get your Amex offer.

It didn't clear. I've tried again, but walmart.com is rejecting it still. :/. Not sure what to do. I emailed them, and they said it was some kind of fraud protection system that was rejecting it but they won't say why. Weird.

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Mustachian People Problems (just for fun)
« Reply #2256 on: December 03, 2015, 07:26:54 PM »
I took an Amex deal for walmart.com ($15 back for spending $35) and tried to get a $50 mastercard giftcard. The transaction was reversed by walmart for some reason they won't tell me, so I can't complete the offer and get free money :(.

Did the original charge from Walmart actually clear? Because if it didn't, you can still get your Amex offer.

It didn't clear. I've tried again, but walmart.com is rejecting it still. :/. Not sure what to do. I emailed them, and they said it was some kind of fraud protection system that was rejecting it but they won't say why. Weird.

I take it you don't actually shop at Walmart because otherwise you could just buy yourself a Walmart gift card and use it later.

You could buy a Walmart gift card and sell it for about 90% of face value to a gift card reseller (such as cardpool or cardcash). Dunno if you'd find that worth your time though.

I sell gift cards on a regular basis so it wouldn't be much extra hassle to me (though I actually shop at Walmart so I'd just get a Walmart gc if I actually had this offer)

Pooperman

  • Magnum Stache
  • ******
  • Posts: 2880
  • Age: 34
  • Location: North Carolina
Re: Mustachian People Problems (just for fun)
« Reply #2257 on: December 03, 2015, 08:15:21 PM »
I took an Amex deal for walmart.com ($15 back for spending $35) and tried to get a $50 mastercard giftcard. The transaction was reversed by walmart for some reason they won't tell me, so I can't complete the offer and get free money :(.

Did the original charge from Walmart actually clear? Because if it didn't, you can still get your Amex offer.

It didn't clear. I've tried again, but walmart.com is rejecting it still. :/. Not sure what to do. I emailed them, and they said it was some kind of fraud protection system that was rejecting it but they won't say why. Weird.

I take it you don't actually shop at Walmart because otherwise you could just buy yourself a Walmart gift card and use it later.

You could buy a Walmart gift card and sell it for about 90% of face value to a gift card reseller (such as cardpool or cardcash). Dunno if you'd find that worth your time though.

I sell gift cards on a regular basis so it wouldn't be much extra hassle to me (though I actually shop at Walmart so I'd just get a Walmart gc if I actually had this offer)

I don't shop at walmart if I can avoid it. This is a free money offer regardless and they won't accept the form of payment I need to use to complete it. Doesn't matter which GC I buy honestly, it won't work.

Daisy

  • Handlebar Stache
  • *****
  • Posts: 2263
Re: Mustachian People Problems (just for fun)
« Reply #2258 on: December 03, 2015, 09:00:07 PM »
I heard the acronym MPP today at work and immediately thought of Mustachian People Problems. I still haven't figured out what the acronym means in my work environment. A true MPP.

Missy B

  • Pencil Stache
  • ****
  • Posts: 606
Re: Mustachian People Problems (just for fun)
« Reply #2259 on: December 03, 2015, 10:23:04 PM »
My beloved 1L vintage thermos (garage sale, 50 cents) lost its vaccuum seal yesterday. All the new ones suck (I went through -3- in short order because they shatter with the slightest tap on the bottom). And it is very, very far from garage sale season.

jengod

  • Handlebar Stache
  • *****
  • Posts: 1219
  • Location: Near LAX
Re: Mustachian People Problems (just for fun)
« Reply #2260 on: December 04, 2015, 12:10:14 AM »
My beloved 1L vintage thermos (garage sale, 50 cents) lost its vaccuum seal yesterday. All the new ones suck (I went through -3- in short order because they shatter with the slightest tap on the bottom). And it is very, very far from garage sale season.

I don't know if you would consider buying new, but this one holds a whole French press of coffee and keeps it hot for literally 12 hours. I can fill it at night and open it up in the morning and it's perfect temperature. It's all stainless on the outside so maybe can't shatter?

http://www.amazon.com/gp/product/B00JFB2RA6/ref=s9_hps_bw_g79_i11

midweststache

  • Pencil Stache
  • ****
  • Posts: 666
Re: Mustachian People Problems (just for fun)
« Reply #2261 on: December 04, 2015, 07:30:09 AM »
I heard the acronym MPP today at work and immediately thought of Mustachian People Problems. I still haven't figured out what the acronym means in my work environment. A true MPP.

Masters in Public Policy? My partner has an MPP... I don't know if this is relevant to your work environment though.

lukebuz

  • Stubble
  • **
  • Posts: 225
  • Location: Bowling Green, KY
Re: Mustachian People Problems (just for fun)
« Reply #2262 on: December 04, 2015, 11:47:29 AM »
.mpp  Microsoft Project File!

Daisy

  • Handlebar Stache
  • *****
  • Posts: 2263
Re: Mustachian People Problems (just for fun)
« Reply #2263 on: December 04, 2015, 11:48:30 AM »
I heard the acronym MPP today at work and immediately thought of Mustachian People Problems. I still haven't figured out what the acronym means in my work environment. A true MPP.

Masters in Public Policy? My partner has an MPP... I don't know if this is relevant to your work environment though.


I know it wasnt that. It was some internal acronym only used in my company I am sure. :-)

Taran Wanderer

  • Handlebar Stache
  • *****
  • Posts: 1402
Re: Mustachian People Problems (just for fun)
« Reply #2264 on: December 05, 2015, 12:24:21 PM »
Management Performance Plan?

secondcor521

  • Walrus Stache
  • *******
  • Posts: 5493
  • Age: 54
  • Location: Boise, Idaho
  • Big cattle, no hat.
    • Age of Eon - Overwatch player videos
Re: Mustachian People Problems (just for fun)
« Reply #2265 on: December 05, 2015, 03:31:36 PM »
.mpp used to be the extension on Microsoft Project files I think.

Daisy

  • Handlebar Stache
  • *****
  • Posts: 2263
Re: Mustachian People Problems (just for fun)
« Reply #2266 on: December 05, 2015, 07:37:34 PM »
.mpp used to be the extension on Microsoft Project files I think.

It wasn't that either. I think I got what one of the letters was for. Definitely an internal corporate thing based on that one word.

Thanks for trying to help though.

MrDelane

  • Pencil Stache
  • ****
  • Posts: 618
Re: Mustachian People Problems (just for fun)
« Reply #2267 on: December 07, 2015, 07:13:16 PM »
Here's a Mustachian problem for you....

My credit card was stolen today and used to buy $1500 of electronics.
Luckily the fraud department caught it and froze the card.
I wound up calling the fraud department and they asked a series of questions to try to make sure it was me and not an imposter.

One of the first questions was "what is the credit limit on the card?"

I told her I had no idea and that I thought it was somewhere in the ballpark of  XX dollars, but that since I always pay it off completely at the end of every month I've never once thought to look at what the credit limit might be.  She seemed suspicious from that point forward and ultimately told me that I would have to the bank in person with my ID to clear it up.



johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Mustachian People Problems (just for fun)
« Reply #2268 on: December 07, 2015, 08:10:05 PM »
Here's a Mustachian problem for you....

My credit card was stolen today and used to buy $1500 of electronics.
Luckily the fraud department caught it and froze the card.
I wound up calling the fraud department and they asked a series of questions to try to make sure it was me and not an imposter.

One of the first questions was "what is the credit limit on the card?"

I told her I had no idea and that I thought it was somewhere in the ballpark of  XX dollars, but that since I always pay it off completely at the end of every month I've never once thought to look at what the credit limit might be.  She seemed suspicious from that point forward and ultimately told me that I would have to the bank in person with my ID to clear it up.

Ha. A Mustachian problem indeed.
I know the CL's on all my accounts, but I churn cc's and sometimes I need to shift limits between cards at the same bank to get approved for a new one.
If I didn't churn cc's, I'd be in your boat.


I'm pretty sure it's been mentioned before on this thread, but I once heard/read someone say that one time someone called their bank and had to go through some security questions. One of them was what is the overdraft fee? And this person, having never once incurred one, had no idea.
Furthermore, I fail to see how this is a security question if anybody can just look it up on the Internet, but that's neither here nor there.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2269 on: December 07, 2015, 08:20:19 PM »
Here's a Mustachian problem for you....

My credit card was stolen today and used to buy $1500 of electronics.
Luckily the fraud department caught it and froze the card.
I wound up calling the fraud department and they asked a series of questions to try to make sure it was me and not an imposter.

One of the first questions was "what is the credit limit on the card?"

I told her I had no idea and that I thought it was somewhere in the ballpark of  XX dollars, but that since I always pay it off completely at the end of every month I've never once thought to look at what the credit limit might be.  She seemed suspicious from that point forward and ultimately told me that I would have to the bank in person with my ID to clear it up.

Ha. A Mustachian problem indeed.
I know the CL's on all my accounts, but I churn cc's and sometimes I need to shift limits between cards at the same bank to get approved for a new one.
If I didn't churn cc's, I'd be in your boat.


I'm pretty sure it's been mentioned before on this thread, but I once heard/read someone say that one time someone called their bank and had to go through some security questions. One of them was what is the overdraft fee? And this person, having never once incurred one, had no idea.
Furthermore, I fail to see how this is a security question if anybody can just look it up on the Internet, but that's neither here nor there.

Can't you just login online and check?  It should also be on your last statement

MrDelane

  • Pencil Stache
  • ****
  • Posts: 618
Re: Mustachian People Problems (just for fun)
« Reply #2270 on: December 07, 2015, 08:45:38 PM »
Can't you just login online and check?  It should also be on your last statement

I could now, sure, but in the moment it was asked on the phone as something I should know off the top of my head.  I was at work at the time (I'd gotten an email alert that prompted my calling the bank), and wasn't able to login to my account in that moment.

Funny followup, I wound up going to the bank after work to clear it up.  They just want to confirm that you are who you say you are - so I wind up sitting across from a banker while she watches me call the fraud department and go through the same hoops I would have from home (same number, same automated menu).  She literally sat there for 30 minutes while I talked to someone on the phone.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2271 on: December 07, 2015, 09:13:46 PM »
Can't you just login online and check?  It should also be on your last statement

I could now, sure, but in the moment it was asked on the phone as something I should know off the top of my head.  I was at work at the time (I'd gotten an email alert that prompted my calling the bank), and wasn't able to login to my account in that moment.

Funny followup, I wound up going to the bank after work to clear it up.  They just want to confirm that you are who you say you are - so I wind up sitting across from a banker while she watches me call the fraud department and go through the same hoops I would have from home (same number, same automated menu).  She literally sat there for 30 minutes while I talked to someone on the phone.

That's annoying.  I agree it's a bad security question.  I tend to dislike most bank security questions.

serpentstooth

  • Handlebar Stache
  • *****
  • Posts: 1213
Re: Mustachian People Problems (just for fun)
« Reply #2272 on: December 07, 2015, 09:30:57 PM »
Because I grocery shop at Costco and Aldi we have a dire shortage of plastic shopping bags to line the trash cans around here.

mustachepungoeshere

  • Handlebar Stache
  • *****
  • Posts: 2404
  • Location: Sydney, Oz
Re: Mustachian People Problems (just for fun)
« Reply #2273 on: December 07, 2015, 11:36:16 PM »
Because I grocery shop at Costco and Aldi we have a dire shortage of plastic shopping bags to line the trash cans around here.

Ask people to save them for you. I save all mine (except for the few I use for rubbish) for a friend who uses them as nappy bags.

Eric222

  • Pencil Stache
  • ****
  • Posts: 902
Re: Mustachian People Problems (just for fun)
« Reply #2274 on: December 08, 2015, 06:29:38 AM »
I could work from home today, but then I'd miss my bike ride!  So, I'm going into the office...

I'm a red panda

  • Walrus Stache
  • *******
  • Posts: 8186
  • Location: United States
Re: Mustachian People Problems (just for fun)
« Reply #2275 on: December 08, 2015, 06:32:38 AM »
I am really glad my cards don't have security questions related to them.  I have no idea what my credit limit or interest rate on ANY of my cards are. I've never paid attention to either of those things.

I think my checking account has overdraft protection, but no clue if there is a fee.

nobodyspecial

  • Handlebar Stache
  • *****
  • Posts: 1464
  • Location: Land above the land of the free
Re: Mustachian People Problems (just for fun)
« Reply #2276 on: December 08, 2015, 06:41:54 AM »
I usually make up security question answers since the real data is easy to find.
Works very well until you have to answer them over the phone.

Your mothers maiden name?
Satan

Your first school?
The playboy mansion

How can I help you .....?

LennStar

  • Magnum Stache
  • ******
  • Posts: 3672
  • Location: Germany
Re: Mustachian People Problems (just for fun)
« Reply #2277 on: December 08, 2015, 02:16:38 PM »
I usually make up security question answers since the real data is easy to find.
Works very well until you have to answer them over the phone.

Your mothers maiden name?
Satan

Your first school?
The playboy mansion

How can I help you .....?

haha 100% that first part.
I once had to answer security questions and had no idea what I entered. It wasnt something important and I found the PW later on.
The problem was answered sec quests for resending the PW. Never thought anybody would do this, esp for the sort of account (forum? that ballpark).

Really, mothers name, birthday, pets name, favorite band - everything you can find out with 5 minutes googling and facebook for 50% of people?

result: for every name I write a (the same) name I have no connection with and for dates its also something unrelated. Problem solved.


Sam E

  • Stubble
  • **
  • Posts: 173
Re: Mustachian People Problems (just for fun)
« Reply #2278 on: December 08, 2015, 03:15:25 PM »
I usually make up security question answers since the real data is easy to find.
Works very well until you have to answer them over the phone.

Your mothers maiden name?
Satan

Your first school?
The playboy mansion

How can I help you .....?

haha 100% that first part.
I once had to answer security questions and had no idea what I entered. It wasnt something important and I found the PW later on.
The problem was answered sec quests for resending the PW. Never thought anybody would do this, esp for the sort of account (forum? that ballpark).

Really, mothers name, birthday, pets name, favorite band - everything you can find out with 5 minutes googling and facebook for 50% of people?

result: for every name I write a (the same) name I have no connection with and for dates its also something unrelated. Problem solved.

My solution is I create an answer algorithmically based on the question itself along with a special keyword that never changes. So if anyone figured out my algorithm they'd also need my completely unrelated keyword. The bonus of this method is that I don't have to remember my answers, I just read the question and derive the answer.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2279 on: December 08, 2015, 03:30:55 PM »
I usually make up security question answers since the real data is easy to find.
Works very well until you have to answer them over the phone.

Your mothers maiden name?
Satan

Your first school?
The playboy mansion

How can I help you .....?

haha 100% that first part.
I once had to answer security questions and had no idea what I entered. It wasnt something important and I found the PW later on.
The problem was answered sec quests for resending the PW. Never thought anybody would do this, esp for the sort of account (forum? that ballpark).

Really, mothers name, birthday, pets name, favorite band - everything you can find out with 5 minutes googling and facebook for 50% of people?

result: for every name I write a (the same) name I have no connection with and for dates its also something unrelated. Problem solved.

My solution is I create an answer algorithmically based on the question itself along with a special keyword that never changes. So if anyone figured out my algorithm they'd also need my completely unrelated keyword. The bonus of this method is that I don't have to remember my answers, I just read the question and derive the answer.

Me too -- although once someone has my keyword they could reverse engineer the algorithm.  You could add a salt to the domain and the question text and then take the first 5 digits of a hash (MD5?  Not sure what's most secure these days) and get a pretty good result but that requires having a computer with you.

I don't sweat it too much since it's way more secure than any question about my favorite book could be.

Beaker

  • Bristles
  • ***
  • Posts: 334
Re: Mustachian People Problems (just for fun)
« Reply #2280 on: December 08, 2015, 03:52:28 PM »
Me too -- although once someone has my keyword they could reverse engineer the algorithm.  You could add a salt to the domain and the question text and then take the first 5 digits of a hash (MD5?  Not sure what's most secure these days) and get a pretty good result but that requires having a computer with you.

If you're taking the first 5 digits it probably doesn't matter much what algorithm you use, because you're throwing away most of the keyspace & entropy anyway. But MD5 is dangerously weak, and has been for years. Even SHA1, the replacement for MD5, isn't considered good enough for new development anymore. But hey, bonus points for salting it!
</nerd>

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2281 on: December 08, 2015, 03:59:39 PM »
Me too -- although once someone has my keyword they could reverse engineer the algorithm.  You could add a salt to the domain and the question text and then take the first 5 digits of a hash (MD5?  Not sure what's most secure these days) and get a pretty good result but that requires having a computer with you.

If you're taking the first 5 digits it probably doesn't matter much what algorithm you use, because you're throwing away most of the keyspace & entropy anyway. But MD5 is dangerously weak, and has been for years. Even SHA1, the replacement for MD5, isn't considered good enough for new development anymore. But hey, bonus points for salting it!
</nerd>

Well there's an inherent limit to entropy in the allowed answer field.  But we're not trying to keep the NSA from cracking our security question, just some packet sniffing hobo living in your crawlspace.

Cathy

  • Handlebar Stache
  • *****
  • Posts: 1044
Re: Mustachian People Problems (just for fun)
« Reply #2282 on: December 08, 2015, 05:50:33 PM »
MD5 has weaknesses, but they are commonly misunderstood. They are also irrelevant to dragoncar's proposed use of MD5. dragoncar is just using MD5 to generate an opaque token. If you wanted to bruteforce a token generated through that method, the only algorithm you could use is exhaustion over the entire 5-hex-character search space. Knowing that the token was generated by MD5 (as opposed to another hashing algorithm that generates a hex string) would not narrow down the search space unless MD5 has a vulnerability such that certain characters were more likely to appear in the first 5 hex digits than other characters. MD5 has no such vulnerability so the use of MD5 is not relevant to the analysis of the security of dragoncar's proposal. See Bruno Rohée's reply to this Stack Overflow question.

Note that dragoncar's idea is insecure for other reasons. In this post, I comment only on the use of MD5 as opposed to another hashing algorithm.
« Last Edit: December 08, 2015, 06:07:20 PM by Cathy »

Taran Wanderer

  • Handlebar Stache
  • *****
  • Posts: 1402
Re: Mustachian People Problems (just for fun)
« Reply #2283 on: December 08, 2015, 10:47:34 PM »
Nerd watching!  Where's my popcorn?

(I speak nerd, too, just a different dialect...)

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2284 on: December 08, 2015, 11:42:14 PM »
MD5 has weaknesses, but they are commonly misunderstood. They are also irrelevant to dragoncar's proposed use of MD5. dragoncar is just using MD5 to generate an opaque token. If you wanted to bruteforce a token generated through that method, the only algorithm you could use is exhaustion over the entire 5-hex-character search space. Knowing that the token was generated by MD5 (as opposed to another hashing algorithm that generates a hex string) would not narrow down the search space unless MD5 has a vulnerability such that certain characters were more likely to appear in the first 5 hex digits than other characters. MD5 has no such vulnerability so the use of MD5 is not relevant to the analysis of the security of dragoncar's proposal. See Bruno Rohée's reply to this Stack Overflow question.

Note that dragoncar's idea is insecure for other reasons. In this post, I comment only on the use of MD5 as opposed to another hashing algorithm.

I know little about cryptography, but why is it more insecure (at least more so than reasonable alternatives?)  What we really want to guard against is the situation where your security answers for one site are compromised for whatever reason, and you don't want the attacker to be able to use your security answers on another site.  Assuming they don't know your exact algorithm (security through obscurity) I find it highly unlikely they would ever be able to determine it from the answers on one site alone.  If they have your algorithm, they could brute-force your salt with enough computing power but isn't that true of any approach?  If they don't have your algorithm, but have your answers from two sites, it might be possible to reverse engineer your algorithm, but all of the above seems to be an extraordinary use of resources just for access to one person's brokerage account (and they would still need to find a way to get your money out and untraceably to their account).  I have to find comfort in assuming someone with those resources has bigger fish to fry than little old me, and would consider my brokerage pocket change.

But I am interested in what you would choose instead.

Cathy

  • Handlebar Stache
  • *****
  • Posts: 1044
Re: Mustachian People Problems (just for fun)
« Reply #2285 on: December 09, 2015, 12:00:45 AM »
...I know little about cryptography, but why is it more insecure (at least more so than reasonable alternatives?)...

So to clarify my claim, what I meant was that there are other reasonable alternatives available that are strictly more secure but not any harder to implement. That's the sense in which your proposal could be said to be insecure. For starters, truncating the MD5 hash to 5 hex characters artificially limits the character set. Instead of doing that, you could take enough bits from the start of the hash to get 5 characters from the entire ASCII alphabet. That would maintain the same properties as your proposal -- short length of secrets, easy to derive from known data, etc. -- but be strictly better. However, this still isn't what I personally do (see below).


But I am interested in what you would choose instead.

I simply generate unique random strings of the maximum permissible length for every requested security answer or password. Every website gets its own unique strings and they are not derived from any human-memorable or deterministic values. I currently have over 500 unique tokens from using this system for many years, but it's very convenient -- when I need to log into a website, I just look up the corresponding secrets in my homegrown token management system.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2286 on: December 09, 2015, 12:15:58 AM »
...I know little about cryptography, but why is it more insecure (at least more so than reasonable alternatives?)...

So to clarify my claim, what I meant was that there are other reasonable alternatives available that are strictly more secure but not any harder to implement. That's the sense in which your proposal could be said to be insecure. For starters, truncating the MD5 hash to 5 hex characters artificially limits the character set. Instead of doing that, you could take enough bits from the start of the hash to get 5 characters from the entire ASCII alphabet. That would maintain the same properties as your proposal -- short length of secrets, easy to derive from known data, etc. -- but be strictly better. However, this still isn't what I personally do (see below).


But I am interested in what you would choose instead.

I simply generate unique random strings of the maximum permissible length for every requested security answer or password. Every website gets its own unique strings and they are not derived from any human-memorable or deterministic values. I currently have over 500 unique tokens from using this system for many years, but it's very convenient -- when I need to log into a website, I just look up the corresponding secrets in my homegrown token management system.

I like this approach, but of course the downside is that there is a single point of failure (also with any system where you need a program to generate your tokens like my MD5 example above).  I try not to get too paranoid about this stuff since if someone has a keylogger on my computer they can probably access everything I have regardless of my security (this is where multi factor authentication helps a lot).  I do have the token generator for my Interactive Brokers account.

Perhaps your token management system is a standalone device, which would be much safer than, say, an encrypted text file on your phone or computer.

BTW, when you say "not derived from ... deterministic values" do you really use something like random.org to generate "true" random bits?

Cathy

  • Handlebar Stache
  • *****
  • Posts: 1044
Re: Mustachian People Problems (just for fun)
« Reply #2287 on: December 09, 2015, 12:36:38 AM »
My experience with operations security ("opsec") is that everybody thinks they aren't a target. And they're right ... until they become a target, at which point they are woefully unprepared and are owned. (The term "owned" is a technical term in the field. ;-)) It's difficult to shore up opsec retroactively, so I advocate doing it correctly from the start. Note that I express no view on whether anybody in this thread, including dragoncar, is practicing inadequate opsec.


BTW, when you say "not derived from ... deterministic values" do you really use something like random.org to generate "true" random bits?

Using random.org for anything other than entertainment or educational purposes is a questionable idea. Among many other reasons, you have no idea how it is generating the numbers or what information it is logging. They claim to be generating the numbers in a certain way, but you have no way of verifying the truth of that claim, and no way of knowing whether the random.org website has been compromised.

The normal everyday operation of a computer involves enough stochastic and unpredictable processes to create a pool of entropy that can be used to generate truly random numbers locally. This includes, for example, measurements of photoelectric interactions in the hardware (which are basically treated as random in quantum mechanics). The interface for accessing this pool of entropy will depend on the operating system. On Linux, this entropy is available through the special file /dev/random. Windows offers a substantially similar facility through the CryptGenRandom function.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2288 on: December 09, 2015, 12:56:03 AM »
My experience with operations security ("opsec") is that everybody thinks they aren't a target. And they're right ... until they become a target, at which point they are woefully unprepared and are owned. (The term "owned" is a technical term in the field. ;-)) It's difficult to shore up opsec retroactively, so I advocate doing it correctly from the start. Note that I express no view on whether anybody in this thread, including dragoncar, is practicing inadequate opsec.


BTW, when you say "not derived from ... deterministic values" do you really use something like random.org to generate "true" random bits?

Using random.org for anything other than entertainment or educational purposes is a questionable idea. Among many other reasons, you have no idea how it is generating the numbers or what information it is logging. They claim to be generating the numbers in a certain way, but you have no way of verifying the truth of that claim, and no way of knowing whether the random.org website has been compromised.

The normal everyday operation of a computer involves enough stochastic and unpredictable processes to create a pool of entropy that can be used to generate truly random numbers locally. This includes, for example, measurements of photoelectric interactions in the hardware (which are basically treated as random in quantum mechanics). The interface for accessing this pool of entropy will depend on the operating system. On Linux, this entropy is available through the special file /dev/random. Windows offers a substantially similar facility through the CryptGenRandom function.

Well that's why I said something "like" random.org.  I'm sure you are aware of the possibility that whatever generally-available OS you are using could be compromised and logging or manipulating the output of any call to random number generation functions. (see https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf). 

Such OS and compiler issues can likely be avoided if you write your own OS in machine code using magnets and string.

But can you trust the firmware?  Hope you are Tony Stark and can build your own processor out of spare parts in a cave.

I prefer to flip a penny and write down the results, but everybody knows the NSA has installed a backdoor into the penny weighting.

Can't trust anybody these days!


Cathy

  • Handlebar Stache
  • *****
  • Posts: 1044
Re: Mustachian People Problems (just for fun)
« Reply #2289 on: December 09, 2015, 12:59:51 AM »
I won't describe all of the personal security measures I take here, but you can assume I've considered every threat and have appropriate mechanisms in place to deal with them. Some people have never been the target of a skilled adversary, but I personally do not have that luxury, as I have been the attempted target of personalised attacks from time to time. (There are some interesting stories there.) It certainly does lead to a heightened, but justified, paranoia that some people cannot relate to.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9918
  • Registered member
Re: Mustachian People Problems (just for fun)
« Reply #2290 on: December 09, 2015, 01:07:00 AM »
I won't describe all of the personal security measures I take here, but you can assume I've considered every threat and have appropriate mechanisms in place to deal with them. Some people have never been the target of a skilled adversary, but I personally do not have that luxury, as I have been the attempted target of personalised attacks from time to time. (There are some interesting stories there.) It certainly does lead to a heightened, but justified, paranoia that some people cannot relate to.

If you wrote a book "Security by Cathy," I'd totally read it.

PARedbeard

  • Stubble
  • **
  • Posts: 152
  • Location: Pennsylvania
Re: Mustachian People Problems (just for fun)
« Reply #2291 on: December 10, 2015, 10:23:28 AM »
Working with a nonprofit, we get a ton of money from the United Way for some of our kids' programs. Since they support us so much, we do a yearly drive to help raise money through employee donations out of our weekly pay. This morning, HR called to ask me if I wanted my contribution taken out all at once or a little bit every month. I told her to take it all at once. She paused and seemed confused.

"All at once?" she replied. "But you know that will make your first paycheck next year X." I told her that I did and that that would be okay. "Are you sure?" She said, "we can take it out a little at a time so it doesn't affect your income so much." Again, I told her it was fine, and that I was comfortable with having X in January."

That kept going on for a few more rounds... I was so tempted to say that I'm not living paycheck-to-paycheck (I think most of my coworkers are), but I didn't want to sound snobbish to her.

HappyMargo

  • Stubble
  • **
  • Posts: 119
  • Location: Colorado
Re: Mustachian People Problems (just for fun)
« Reply #2292 on: December 10, 2015, 03:28:31 PM »
Because I grocery shop at Costco and Aldi we have a dire shortage of plastic shopping bags to line the trash cans around here.

Outside our grocery store they keep giant bins for people to bring back all their used plastic grocery bags (perhaps to recycle?)  There's mountains of them in there!
On rare occasions, I have been known to grab a few for cleaning out the cat's litter box.

Jack

  • Magnum Stache
  • ******
  • Posts: 4725
  • Location: Atlanta, GA
Re: Mustachian People Problems (just for fun)
« Reply #2293 on: December 10, 2015, 04:20:50 PM »
(The term "owned" is a technical term in the field. ;-))

Wow, Cathy made a mistake!

(She misspelled "owned" -- it starts with a "p.")

; )

you can assume I've considered every threat

That can't possibly be true; there are unknown threats that (by definition) you could not have considered.

TrMama

  • Guest
Re: Mustachian People Problems (just for fun)
« Reply #2294 on: December 10, 2015, 04:23:34 PM »
Your employer increases their retirement matching and improves the fund selection. After the meeting where these change are presented to the employees, you get so excited you can barely sleep that night.  You tell your school age children all about the changes and how great they are over dinner.

Dollar Slice

  • Walrus Stache
  • *******
  • Posts: 9598
  • Age: 46
  • Location: New York City
Re: Mustachian People Problems (just for fun)
« Reply #2295 on: December 10, 2015, 05:09:38 PM »
Your employer increases their retirement matching and improves the fund selection. After the meeting where these change are presented to the employees, you get so excited you can barely sleep that night.  You tell your school age children all about the changes and how great they are over dinner.

I know the feeling. My boss (company owner) mentioned in passing that she might resurrect  the now-defunct 401k fund again (we used to have one when the company had another owner, he didn't hand over the keys to the 401k when he left and... well it's a long story, but we haven't had one for a while). I'm torn between "yay!" and advising her that it is a terrible idea for the company, because we've only got 3 FT employees right now and it's possible that I'm the only one that would sign up for it, and we'd be paying a ton of fees because it's not a very good plan. Must. Not. Waste. Money. But... pre-tax savings...

RelaxedGal

  • Bristles
  • ***
  • Posts: 359
  • Age: 46
  • Location: 495 corridor, Massachusetts, USA
Re: Mustachian People Problems (just for fun)
« Reply #2296 on: December 11, 2015, 11:30:38 AM »
An all employee e-mail went out yesterday reminding us that the 27th paycheck of the year will hit our bank accounts on December 31st.

I was so pissed at myself when I realized that I'd set things up to max my 401k in 26 paychecks, so nothing is going in on that 27th paycheck.  My employer only puts in a match on paychecks where I am contributing, and does not true-up at year end, so I screwed myself out of $70.88 by not looking more closely at the list of pay dates when it was posted back in January.

AlwaysLearningToSave

  • Bristles
  • ***
  • Posts: 459
Re: Mustachian People Problems (just for fun)
« Reply #2297 on: December 11, 2015, 12:16:49 PM »
An all employee e-mail went out yesterday reminding us that the 27th paycheck of the year will hit our bank accounts on December 31st.

I was so pissed at myself when I realized that I'd set things up to max my 401k in 26 paychecks, so nothing is going in on that 27th paycheck.  My employer only puts in a match on paychecks where I am contributing, and does not true-up at year end, so I screwed myself out of $70.88 by not looking more closely at the list of pay dates when it was posted back in January.

That is hilarious and definitely a MPP.  I bet many people don't max the 401(k) and they never have occasion to even think of this problem.  Even among people who max the 401(k), I bet very few would even realize they left money on the table. 

Pooperman

  • Magnum Stache
  • ******
  • Posts: 2880
  • Age: 34
  • Location: North Carolina
Re: Mustachian People Problems (just for fun)
« Reply #2298 on: December 11, 2015, 12:32:10 PM »
An all employee e-mail went out yesterday reminding us that the 27th paycheck of the year will hit our bank accounts on December 31st.

I was so pissed at myself when I realized that I'd set things up to max my 401k in 26 paychecks, so nothing is going in on that 27th paycheck.  My employer only puts in a match on paychecks where I am contributing, and does not true-up at year end, so I screwed myself out of $70.88 by not looking more closely at the list of pay dates when it was posted back in January.

That is hilarious and definitely a MPP.  I bet many people don't max the 401(k) and they never have occasion to even think of this problem.  Even among people who max the 401(k), I bet very few would even realize they left money on the table.

In the same theme, I'm missing out on $50 company match because they were too slow to put in my paperwork when I started. I'm making up the contribution, but they're still not matching it. That's like $400 future dollars I'll never have :'(.

Lski'stash

  • Pencil Stache
  • ****
  • Posts: 525
  • Age: 37
  • Location: West Michigan
    • A Teacher's Journey to FI in the Mitten State
Re: Mustachian People Problems (just for fun)
« Reply #2299 on: December 11, 2015, 06:28:20 PM »
I finally thought of something for this thread!

My husband and I are planning on downsizing this spring from a way-too-large house bought from our pre-mustachian days. We are hoping to be in a house around 1,500 sq. ft. and closer to where each of us works.

 The problem? It's actually really hard to find SMALLER houses where we are looking!