
Can you elaborate on 'specifying single states for your interactions and letting React rebuild the DOM'...

- this feels like it is a key conceptual difference but I'm not clear on what this means.

-----


What did subsequent generations of equipment use?

-----


What do you tell business owners to do when accessing their online banking?

-----


Use a machine that is used for absolutely nothing else.

-----


Wow, really good idea. Is a VM that is used for absolutely nothing else good enough?

-----


How do you define "good enough"?

The general idea is to use a machine which has minimal opportunity to be compromised through other activities. There have been known to be exploits that allow a compromised VM guest to compromise the host, and obviously if you compromise the host you can compromise all the other guests.

Using a separate VM is worse than using a separate physical machine and better than doing nothing. Whether it's "good enough" depends on who you are. Who are the plausible attackers? What do you stand to lose if it goes wrong?

-----


The VM is easily vulnerable to the host OS, so running in a VM only protects the activities you do in the VM in the sense that the software pwning the host might not be looking for it. So not really.

-----


Unless you are not using the host OS for anything _other_ than virtualization. If the host OS is used to host VMs[1], which are then used for specific tasks (casual browsing, banking, development, etc.), any exploit will be limited to the VM. This would be a pretty solid setup. It is only vulnerable to attackers that have direct access to the hardware, or have the ability to exploit the hypervisor.

[1] in other words if the host OS is used as a hypervisor, or if the host OS _is_ a hypervisor.

-----


How many of them actually do?

-----


Germany's best-selling PC magazine c't periodically distributes "Bankix" on their CD.

It's a Linux live system (with permanent storage on a USB stick) geared specifically towards online banking.

I believe that quite a few people actually use it.

Of course the hardware is the same, but you get a clean single purpose software system.

-----


> Germany's best-selling PC magazine c't periodically distributes "Bankix" on their CD.

> I believe that quite a few people actually use it.

That sounds like a great attack vector. How secure are factories where discs are pressed? Even without access to the factory you could buy a bunch of magazines and repackage them with compromised CDs.

-----


Someone would probably notice, checking the DVD against a checksum.

Repackaging it seems to be tricky, since the paper inlay is bound in the magazine, it's not just stuck on the cover or whatever. You tear it out at a perforation, leaving part of the DVD cover inside.

There are much more exposed attack vectors on online banking users, I would think.

And you can always just download the ISO and check it against the hash (and the PGP key).
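The hash check described in this comment, as an added example that is not from the thread: parse a SHA256SUMS-style file, hash the downloaded image in chunks, and compare in constant time. The file names, the image bytes and the sums file are constructed for the demo; the example assumes the SHA256SUMS text has already been verified against the publisher's PGP key (e.g. `gpg --verify`) before it is trusted.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_sha256sums(text):
    """Parse lines of the form '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large ISOs do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_iso(iso_path, sums_text):
    """True only if the image's digest matches its entry in the (signed) sums file."""
    expected = parse_sha256sums(sums_text).get(Path(iso_path).name)
    if expected is None:
        return False  # no entry for this file: refuse rather than guess
    return hmac.compare_digest(sha256_file(iso_path), expected)


def demo():
    """Constructed data: a fake 'bankix.iso' plus a matching SHA256SUMS line."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "bankix.iso"
        iso.write_bytes(b"constructed ISO image contents\n" * 1000)
        sums = f"{sha256_file(iso)} *bankix.iso\n"
        ok = verify_iso(iso, sums)
        # Flip the last line of the image: the digest must no longer match.
        iso.write_bytes(b"constructed ISO image contents\n" * 999 + b"tampered\n")
        tampered = verify_iso(iso, sums)
        # A sums file that lists some other image must also be rejected.
        missing = verify_iso(iso, "0" * 64 + "  other.iso\n")
        return ok, tampered, missing
```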

-----


I've set up VMs for people with their credentials in the VM and nowhere else, and the host firewalled pretty restrictively such that that VM is pretty useless except for banking. I suspect compliance is high on systems like that.

-----


And if your bank does not do 2 factor authentication switch to another bank.

-----


Which banks actually do this? I've never encountered one.

-----


Most European banks do. Only a few US banks do. The primary reason for this difference is that it's trivial to transfer money from one European bank account to any other bank account. It basically works like email, where you can just enter any destination bank account number. With US bank accounts the process is much harder, as you first need to add and confirm the second bank account (which somewhat reduces the risk of what can happen if someone gets access to your account).

-----


Here's a list of them that use Verisign's VIP: https://idprotect.vip.symantec.com/wheretouse.v

Others may use in-house solutions. Here's Bank of America's two factor solution: https://www.bankofamerica.com/privacy/faq/safepass-faq.go

We're almost to a point where the question isn't whether or not they support it, it's finding out that they have a program, clicking through tiny text links at the bottom of pages, and figuring out how yet-another-implementation works.

-----


The major ones that I've used do - Chase and Bank of America, both through sending codes over SMS to login and perform certain activities once logged in. For BoA, even if you stole my password and browser cookie (to get past the login check), you still wouldn't be able to do anything but pay my bills for me. Anything that might send money to a new destination, like creating a new billpay recipient, changing the info of one, or adding a wire transfer destination, requires an additional 2-factor code.

-----


Both my banks do (European banks, specifically Rabo and ABN/AMRO).

These are still not immune to phishing attacks but it's a lot better than TAN codes or some other 'dumb' authentication scheme.

Typically these systems work in conjunction with pin-and-chip card, a small piece of hardware that generates the codes and a challenge / response system built into the website you use for the authorization.

Separate challenges exist for logging in (read access) and transferring money.

-----


Those are common in Brazilian banks as well. At least four of the six biggest (I don't remember about the last two) do two-factor authentication.

Another cool thing I've seen in Banco do Brasil was the need to authorize the computer you're going to use in an ATM or in a 1-800. If I recall correctly, they do that with a Java applet.

Recently they also launched a common-malware-search-and-destroy application of MANDATORY use on Windows computers (my mom uses it; she asked me. And yes, the digital certificates were all valid).

-----


What's wrong with TANs?

-----


My American Express personal savings does. HSBC does and even allows you to enter your 2FA on a JavaScript keyboard (clicky click) if you choose to mitigate the threat of a key logger.

-----


Chase requires two factor authentication.

-----


Australia

We are a Health company http://www.oceaninformatics.com/ whose leaders created the openEHR standard, which is slowly taking over the world as the best way to do Health computing.

We have built the oceanEHR platform based on the openEHR standard, and provide this platform to others to build systems, we also build our own products and systems on this platform.

----------------

We are looking for full-stack engineers, although positions would lean to front (HTML + CSS + AngularJS + JavaScript + C# + ASP.NET MVC + DB tech) and rear (C#, core platform code, web services, integration tasks, XSLT, messaging protocols, NHibernate, DB tech) - You'll probably end up learning it all over some period. We just want strong engineers who can learn anything.

----------------

We are a distributed team, with folks in Darwin, Brisbane, Sydney, Melbourne, Adelaide and the UK. That being said, for these development positions we are aiming for folks in Adelaide (will work from an office) or Brisbane (work from home with occasional face 2 face).

- working remotely is hard, please consider if you have the maturity to work unsupervised, and the ability to work in physical solitude without going crazy.

----------------

What your working week will look like:

- lots of new software development
- some support of existing products and systems, bug fixing, enhancements
- few meetings

So, if you are a voracious learner and an initiative-taking developer who likes hard stuff and cares about what they build, then we would love to hear from you.

Cheers,

Adam Webber

-----


Very interested in this. I am located in Perth, would you consider remote from here?

-----


Yes, get in touch.

-----


I imagine that if they have Darwinites, they can have Perthans.

-----


It appears to contain support for the Oculus Rift VR headset. http://www.oculusvr.com/

John added Rift support to Doom3 BFG and it was the primary demo when the Rift was displayed at E3 and subsequent (kickstarter) tours.

-----


Where is this code that implements the Oculus support?

-----


I created an app that uses a different approach.

http://www.twittertoplus.com/

It relies on people you follow having used http://gplus.to to create a Google+ name that matches their Twitter name.

Currently it finds about 20% of the people you follow.

-----


Even if the results are not all accurate and that relying on gplus.to may not be the best solution, I get more results with it than with migratus, which is why I added a link to your app on migratus.

-----

