Assuming your friend lives in a democracy, and assuming your friend wants you randomly visiting, then if as you say your friend didn't vote on the immigration laws, tell them to be more active.
Have them write to their politi-critters. Get the law revisited. If enough of your friend's friends also agitate and your neighbors generally agree or at least don't oppose, the law will be revised -- problem solved.
If, on the other hand, your friend is in the minority, and you being able to visit without immigration permission is still that important to them, they are welcome to emigrate to somewhere visits without visas are open to you.
> The Amex CEO was quoted saying something like 'the math of Costco's proposed deal didn't make sense.'
According to the 4th paragraph of the article:
“The numbers didn’t add up,” AmEx Chief Executive Officer Kenneth I. Chenault told investors last month. “We couldn’t accept their financial terms nor their contract terms, some of which would have meant taking on more risk than we were comfortable with.”
This is not a good analogy. McDonald's and Ruth's Chris are not direct competitors, they are targeting completely different markets. Android and iOS are in direct competition.
If we have to use a food analogy, I would propose Starbucks and a competing coffee shop. Almost all the major players in app development make corresponding Android and iOS versions of their apps. Imagine if Twitter or Snapchat only had an iOS or only had an Android app. Similarly, customers expect to have certain things available at all coffee shops, regardless of the brand behind them: cappuccinos, flavored syrups, alternative milk choices, etc. So a better analogy would be one coffee shop chain not supplying their stores with espresso machines, or flavored syrups, or alternate milk choices... or maybe just not letting them have refrigerators at all to keep milk cold.
The prevalence of orders for highly-sweetened, cold, milk-based drinks at Starbucks almost certainly means that customers would order the same thing at similarly positioned coffee shops if it was available, and indeed most coffee shops offer such drinks now.
There is no reason to think that somehow Android users are in such a different market that they would have no interest in these apps on Android even though in almost every other case platform parity is expected from large players in the app market.
> This is not a good analogy. McDonald's and Ruth's Chris are not direct competitors, they are targeting completely different markets.
So it was good, because that was my point.
> Android and iOS are in direct competition.
Citation needed. ;-) But seriously, I don't think they are. Too many observable differences in goals and strategies across each platform for your assertion to be true.
> There is no reason to think that somehow Android users are in such a different market that they would have no interest in these apps...
On the contrary, there is every reason to think that. Outside a very narrow and limited class of tech geeks who argue on technical merits, the broader market stats point to these being very different segments with different consumer profiles valuing different things.
Analogizing McDonald's:Ruth's Chris::Android:iOS is dishonest. While I agree you can't necessarily draw that conclusion, it's like having a major (equal caliber!) seafood restaurant deciding whether to start selling steaks because Ruth's Chris is doing well. It's still apples to oranges, but it's not apples to Twinkies.
Oh come on, if you look at the major apps and games, Android gets the same things at like a six to eight month delay, if not better than that. And if you look at apps and games available on both platforms, the correlation between downloads is probably pretty good. It is nothing like apples to oranges. It's like Macintoshes to Granny Smiths.
Academic here. There is no reason why these articles should have to cost $45. Academics have to publish in name-brand journals to get recognized, and these high prices are pure rent-seeking on behalf of the publishers.
Publishers need to make money too. I also dislike this anti 'rent-seeking' culture. If there is no reason for it to cost that much, start your own publishing company and give out the materials for free (or some lower price).
> start your own publishing company and give out the materials for free
There are many people that are moving exactly to this. As ever, the problem is that the market is not perfectly fluid and things like academic cultural biases, impressions of prestige, etc often do not follow the most efficient contours. Posts like the GP's are called for precisely because they call attention to this and try to shift perception.
"Use a password manager" still seems to be the right answer for frictionless logins. "Easy" is requirement #1 to get people to use a thing. In fact, using it should be easier than not using it.
If you use 1Password, it nails the password details that trip up the "shady" password managers you allude to. See this study about stealing passwords or credit cards from users of auto fill password managers:
You're removing something which people basically understand the concept of - passwords: keep them fucking secret/safe - and trying to replace it with something that is built on top of a system never meant to work that way. If your system routinely sends out OTP emails, all it takes is someone to intercept those emails on their way from your SMTP server out to the wider internet, and every fucking user is breached.
The only reason password reset links are at all acceptable is because they are used relatively rarely and it's not predictable when they will be used.
So your point is it is less secure because the same weak feature is being used more frequently?
> all it takes is someone to intercept those emails on their way from your SMTP server out to the wider internet
It doesn't matter when some user will create a reset request. Because you can do it for him, right?
There are tons of services out there generating a password for you and sending it over in plain text, which is exactly what I proposed. Do we see it heavily abused? The opposite is true - those services are safer because they got rid of reused passwords.
Also there's a bunch of techniques I didn't describe to prevent some attacks. When a user is trying to log in, save a secret token1 in a cookie and send token2 to their email. When the user clicks this link, verify the old cookie. This makes passive global wiretapping less useful (if it was your concern). Still vulnerable to more targeted attacks (enter username, wait for email, reuse cookie), but so is "reset password".
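The cookie-plus-email-token scheme sketched in the comment above, written out as an added example (this is not code from the thread or from any product mentioned in it). It binds the emailed link to a secret cookie set in the browser that started the login, and adds the two properties the thread credits reset links with: each link works once and expires quickly. The function names, the in-memory store, the ten-minute lifetime and the e-mail addresses are all assumptions made for the example.

```python
"""
Cookie-bound one-time email login links (added example, not from the thread).

At login start the server generates two secrets: one goes into an HttpOnly
cookie on the requesting browser, the other into the emailed link. The link
only completes the login when presented from a browser holding the matching
cookie, so someone who can merely read the mail in transit gets nothing.
Names, store and lifetime are assumptions for this example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 600  # assumed: emailed links expire after ten minutes

# constructed in-memory store: sha256(link_token) -> pending login record
_pending: Dict[str, dict] = {}


def _digest(token: str) -> str:
    # Store only hashes, so a leaked store does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def start_login(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (cookie_token, link_token).

    The caller sets cookie_token as an HttpOnly, Secure cookie on the
    response and emails a URL carrying link_token to `email`.
    """
    now = time.time() if now is None else now
    cookie_token = secrets.token_urlsafe(32)
    link_token = secrets.token_urlsafe(32)
    _pending[_digest(link_token)] = {
        "email": email,
        "cookie_hash": _digest(cookie_token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return cookie_token, link_token


def complete_login(link_token: str, cookie_token: Optional[str],
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, reason). On success the record is consumed."""
    now = time.time() if now is None else now
    key = _digest(link_token)
    record = _pending.get(key)
    if record is None:
        return False, "unknown-or-used-link"          # replay or forgery
    if now > record["expires"]:
        del _pending[key]
        return False, "expired"
    if cookie_token is None:
        return False, "missing-cookie"                # link opened elsewhere
    if not hmac.compare_digest(record["cookie_hash"], _digest(cookie_token)):
        return False, "cookie-mismatch"               # different browser
    del _pending[key]                                 # single use
    return True, "ok"


def demo() -> Dict[str, str]:
    """Run the scenarios raised in the thread against a fixed clock."""
    t0 = 1_700_000_000.0
    outcomes = {}
    cookie, link = start_login("alice@example.com", now=t0)
    # Someone who only captured the email has no cookie.
    outcomes["link_only"] = complete_login(link, None, now=t0)[1]
    # Someone with the link in an unrelated browser holds a different cookie.
    outcomes["wrong_cookie"] = complete_login(link, secrets.token_urlsafe(32), now=t0)[1]
    # The browser that requested the login completes it.
    outcomes["link_and_cookie"] = complete_login(link, cookie, now=t0)[1]
    # The same link cannot be used a second time.
    outcomes["replay"] = complete_login(link, cookie, now=t0)[1]
    # A link presented after its lifetime is rejected even with the cookie.
    cookie2, link2 = start_login("alice@example.com", now=t0)
    outcomes["expired"] = complete_login(link2, cookie2, now=t0 + TOKEN_TTL_SECONDS + 1)[1]
    return outcomes


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:16s} -> {result}")
```

The cookie only helps against a passive reader of the mail stream, which is the scope the comment claims for it; whoever initiates the login request from their own browser and can also read the mailbox holds both halves, which is the targeted case the comment concedes. Hashing the stored tokens and consuming the record on success are the parts a deployment should not skip, because a readable token table or a reusable link removes most of the benefit.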
> it doesn't matter when some user will create a reset request. Because you can do it for him, right?
Only if I know the user's email address for this given service.
With your system the attacker will get a regular flow of emails like this, and can even just track the emails as they're used, so as to then use them later to create a new authenticated session without arousing the suspicions of the user.
Even if an attacker was lucky enough to capture a password reset email, they either have to use it immediately (or it will become invalid) or do a later, second password reset. Either way, the user still knows at the very least that something isn't right.
> There are tons of services out there generating a password for you and sending it over in plain text
And this is fucking atrocious from a security standpoint.
> Do we see it heavily abused? The opposite is true - those services are more safe because they got rid of reused passwords.
Care to name some? I'm not aware of any major service, website or application that relies on an OTP via email for primary authentication.
> Still vulnerable to more targeted attacks (enter username, wait for email, reuse cookie), but so "reset password" is.
You still don't seem to accept that knowing your account was compromised is a security feature. With your system there is potentially ZERO indication to the end user that their account has been compromised. That is FUCKING TERRIFYING to me, and that it isn't to you, is even MORE FUCKING TERRIFYING.
Please stop making claims as if you have any fucking idea about security.
> potentially ZERO indication to the end user that their account has been compromised
It's not exactly zero. For example you can generate a new "security image" every time a user logs in. If last time it was some cat and now it's a dog, then someone logged in meanwhile. And that, frankly, is not as terrifying to me as reused passwords.
> Please stop making claims as if you have any fucking idea about security.
I would be excited to see links to your security write ups, please share :)
You keep making suggestions on the fly which clearly shows you haven't thought this through, and can't accept that it's just a fucking terrible idea.
A "security image" doesn't work if it changes every time. First off - you're putting the burden of maintaining security onto the user - how the fuck am I supposed to remember what random picture you showed me?
You can consider this entire discussion thread my fucking security write up.
The comments on your own show that anyone else who listens to you has the same reaction, so it's no surprise you resort to ad hominem attacks implying that only someone with published security write ups is qualified to call your idea fucking stupid.
I made it on the fly because "know that you've been hacked" is not important at all for regular users. They can't remember a random picture - true, but they also don't care if their password doesn't work anymore. That's all your (and everyone else's) reasoning so far. Why can't you accept that if your email was hacked you will learn about it pretty quickly anyway? (because your paypal funds are stolen).
> that only someone with published security write ups is qualified to call your idea fucking stupid
I didn't say that. Your answers are spot on and the questions raised are valid; however, I am surprised you prioritize the "password was changed" issue over the entire reused passwords problem for normal users.
To make it clear: you don't care that people reuse passwords and it is the #1 problem, you only care if the email account is compromised and if attackers decide to silently spy on one of your other accounts instead of getting the profit now. If that's true we just have different opinions and there's nothing to discuss here.
You keep saying that but I just don't believe you. People LOST THEIR SHIT when a heap of celebrity nude photos were leaked, and that wasn't even their own accounts or information. Major sites being breached etc are not uncommon on mainstream news reports now. But no, you're right, no one fucking cares about that.
> I am surprised you prioritize "password was changed" issue over entire reused passwords problem for normal users
> To make it clear: you don't care that people reuse passwords and it is the #1 problem, you only care if the email account is compromised and if attackers decide to silently spy on one of your other accounts instead of getting the profit now.
No, not at all.
Normal users have the very real, very safe option to use a password manager. They can work across devices and solve the problems of remembering and re-using passwords. This means they can have reasonably GOOD security, and can use it EASILY.
That system (the one that exists and works right now) has the extra BENEFIT that users will know as soon as they try to access their account, if it's been compromised via a password reset attack.
Your "solution" instead pushes all immediate security onto email and the user's mailbox, which you freely admit IS NOT SECURE. Any requirement for any semblance of account integrity is then pushed onto the user apparently?
So just to make sure it's crystal clear: I'm not saying password re-use is not a problem, it is. I'm saying the solution to that problem is improving the tools (i.e. password management in browsers) that already exist, where necessary.