Same here, it was one that captured the vibe of the Virgin America perfectly and the only one I actually recall watching. It was directed by Jon M Chu, who subsequently directed Crazy Rich Asians, In The Heights, Wicked, and more.
Having toiled in the Google mines for almost as long a tenure as Ben before my time came in 2021, the words 'The conflict between “uncomfortable culture” and “golden handcuffs” was becoming intolerable.' could not ring any truer.
Planned or unplanned obsolescence is good for business. You are proposing regulations counter to that, so should expect counter-pressure, even for IoT makers that want to do the right thing.
By volume and impact, what devices have IoT vulnerabilities? If from large mfrs, you might expect some measure of support as that would be somewhat in their best interest, if only to preserve their brand image. My concern would be low quality, usually cheaper, whack-a-mole mfrs that come and go on Amazon, eBay, etc. Even if they release a product that would fall under these guidelines, how are you going to go after a ghost?
Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?
> Planned or unplanned obsolescence is good for business. You are proposing regulations counter to that, so should expect counter-pressure, even for IoT makers that want to do the right thing.
Great points. From one perspective, we can't afford to do this stuff; from another, we can't afford not to. If connectivity makes your life a little easier for little risk, that's one thing; if your dishwasher steals your identity and sells it online, that's another.
> My concern would be low quality, usually cheaper, whack-a-mole mfrs that come and go on Amazon, eBay, etc. Even if they release a product that would fall under these guidelines, how are you going to go after a ghost?
Another great point, but that's a snapshot of the market as it is now. We expect certain standards from some things but not others, depending on how much you depend on them, how much is at risk, and what the costs would be. Right now, under the proposal, a company is 100% free to say "I will support this for 0 days and you expect it to ship broken from the factory" -- it's just that they actually have to say that out loud.
> Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?
I expect this to be a hot topic on the record. We'll see what technologists, manufacturers, consumer advocates, etc. say and try to come up with a proposal addressing stated concerns.
> Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?
Most other liabilities are inherited during an acquisition. I don't see a good reason for this to be an exception.
It would encourage acquirers to do much more strict due diligence in this regard, which will have a natural pressure to clean up the behavior of manufacturers that plan to seek a future exit.
Any exception to liability here seems like a get out of jail free card, for all new manufacturers seeking an exit to behave extremely badly. It also opens the door to corporate shell games, where as soon as a liability is discovered it gets acquired by a thin parent entity to dissolve that liability. I'll leave a comment to that effect as well, but it absolutely seems like this liability should survive an acquisition.
I backed the British Rail Corporate Identity Manual project on Kickstarter. It's a wonderful book. My copies were slightly damaged in transit and they were replaced. I still have the 3 slightly damaged ones (dings on the cover, mostly) and if anyone wants them you can have them for the price of postage from the US. Ping me at the email in my bio.
Wasn't this the intent behind Windows Vista - a tag-based DB-as-filesystem with hierarchical paths just one "lens" through which to view the DB? I use Google Drive this way, largely through search rather than directory-based organization, though I do also employ that for often-used collections.
Can you indicate more than just yes/no as a measure of how secure the 2FA can be?
Some sites' 2FA implementations are known to be problematic, such as SMS only (easily hijacked), or supporting TOTP and/or HOTP but also requiring you to allow SMS or "security questions", reducing the degree of security.
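The point in the comment above is that a site's 2FA is only as strong as the weakest method the server will still accept at login or account recovery, not the strongest one the user enrolled. The following is an added example written for this page (not code from 2FA Notifier, twofactorauth.org, or the commenter); the method names, the ordering in `STRENGTH`, and the sample site configurations are all constructed assumptions for illustration.

```python
from enum import IntEnum


class Strength(IntEnum):
    """Coarse ordering of 2FA methods, weakest first (assumed ranking, not a standard)."""
    NONE = 0
    KNOWLEDGE = 1      # "security questions": something you know, so not a second factor at all
    SMS = 2            # interceptable via SIM swap / SS7 and phishable
    OTP = 3            # TOTP/HOTP: no carrier attack surface, but codes can still be phished
    PUSH = 4           # push approval: phishable via prompt fatigue, less so than typed codes
    WEBAUTHN = 5       # U2F/WebAuthn: origin-bound challenge, phishing resistant


# Assumed mapping from method identifier to strength (hypothetical identifiers).
STRENGTH = {
    "security_questions": Strength.KNOWLEDGE,
    "sms": Strength.SMS,
    "totp": Strength.OTP,
    "hotp": Strength.OTP,
    "push": Strength.PUSH,
    "u2f": Strength.WEBAUTHN,
    "webauthn": Strength.WEBAUTHN,
}


def effective_strength(offered, always_accepted=()):
    """Return the strength an attacker faces, not the strength the user chose.

    offered:          methods the site lets a user enrol in.
    always_accepted:  methods the site accepts regardless of enrolment, e.g. a
                      mandatory SMS fallback or SMS-based account recovery.

    A careful user enrols the strongest offered method, but the attacker may pick
    any method the server still honours, so the result is the minimum of the
    user's best method and every forced fallback.
    """
    if not offered:
        return Strength.NONE
    user_best = max(STRENGTH[m] for m in offered)
    forced = [STRENGTH[m] for m in always_accepted]
    return min([user_best, *forced])


def grade(site):
    """Turn a constructed site record into a label more useful than yes/no."""
    s = effective_strength(site["offered"], site.get("always_accepted", ()))
    if s == Strength.NONE:
        return "no 2FA"
    if s <= Strength.KNOWLEDGE:
        return "2FA in name only (bypassable via knowledge questions)"
    if s == Strength.SMS:
        return "weak (SMS is the weakest accepted path)"
    if s == Strength.OTP:
        return "moderate (OTP codes, phishable)"
    return "strong (phishing-resistant path only)"


# Constructed sample sites; none of these describe a real service.
SAMPLE_SITES = {
    "sms_only":        {"offered": ["sms"]},
    "totp_sms_forced": {"offered": ["totp", "sms"], "always_accepted": ["sms"]},
    "totp_questions":  {"offered": ["totp"], "always_accepted": ["security_questions"]},
    "webauthn_clean":  {"offered": ["totp", "webauthn"]},
    "none":            {"offered": []},
}

if __name__ == "__main__":
    for name, site in SAMPLE_SITES.items():
        print(f"{name:18} {effective_strength(site['offered'], site.get('always_accepted', ())).name:10} {grade(site)}")
```

The `totp_sms_forced` and `totp_questions` cases are the situation the comment describes: the site "supports TOTP", but because SMS or security questions remain an accepted path, the effective protection collapses to that weaker method.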
That is a great idea! I am 100% in favor of helping the users understand the security tradeoffs between the 2FA methods.
We definitely have it on the roadmap to update 2FA Notifier to include more educational content. Thanks for the feedback!
I am currently writing a series on 2FA on my site All Things Auth [1] that gets into the details explaining how each method works and exploring the security and usability tradeoffs of each. I want to put together a summary and/or infographic highlighting the main takeaways and hopefully link to something like that from 2FA Notifier.
Currently, we use the data from twofactorauth.org [2] as our main data feed. I definitely encourage you to check out their community on GitHub and propose your idea there too!
Thanks for the positive feedback! There are 2 main articles in the 2FA series left to write (Push 2FA and U2F/WebAuthN), but there are a ton of other posts I have bouncing around in my head. Join the email list if you're interested in getting updates!
I'll definitely give your post a read too!
Have you found it effective publishing on Medium vs your own blog? I've been considering cross posting my articles for additional exposure. Curious to hear your thoughts.
Medium infinitely, Linkedin is also gaining popularity if you want/need to boost your network.
Feel free to write me via email if you'd like to talk more, but between HN and Hackernoon, with Medium any of my posts gets at least a thousand reads. This one is currently at 4.6k views/1.9k reads. There's no way I'd get this reach with my own blog.
(I'm the other half of this team. I tackle the UX/UI parts)
@encyclic, I'm curious about how you typically approach enabling 2FA.
- How do you typically choose which services to enable 2FA for?
- What do you do now if a service doesn't have 2FA OR doesn't have the type of 2FA appropriate for your situation?
As Conorgil145 mentioned, we have this on our roadmap and have some ideas about how to approach this. But understanding how you approach things now will definitely help us to craft a more effective solution.
It's also a job far, far overcompensated if you are saying job risk is what should determine pay. By your reckoning, soldiers and construction workers should be the ones with the highest compensation. See http://www.bloomberg.com/graphics/2015-dangerous-jobs/
Lifetime cost of living increases, raises and medical coverage for you and your family for life, and that on top of any additional public safety job pension you get makes it really sad that police and fire who are supposed to be protecting and improving society are instead bankrupting it and making it worse by preventing funds from being used for much needed infrastructure improvements.