• SQRL authentication

  • From Ogg@21:4/106.21 to Warpslide on Monday, August 03, 2020 17:19:00
    Hello Warpslide!

    ** On Monday 03.08.20 - 10:38, Warpslide wrote to alterego:

    I follow his podcast Security Now. It focuses on computer & network security at a high level, mostly geared towards an end user's point of view.

    He explains the workings of complex systems in a very accessible way.


    but it seems he also has a strong negative following - haven't formed
    an opinion as to whether that is justified yet (not really my area
    of expertise).

    I've seen some of this feedback, and some of it is justified. In a
    recent episode of Security Now he went on a rant about some of
    the renaming of terms in the computer world..

    That's a recent thing that people picked up on. But for the many years
    prior I don't think there is anything comparable to that.

    Can you identify which episode contains the rant?


    There does seem to be a smear campaign out there for some of the hosts
    on the Twit network, whether or not any or all of it is true is
    another question.

    I heard about that too. I don't understand the necessity of that. But
    Steve is not part of the management or programming at Twit. Steve is just
    a willing regular guest.

    The episodes where he describes the operation of SQRL were fascinating.

    Despite his social boo-boo about master/slave whitelist/blacklist, he's accomplished (or a master <g>) at efficient and effective coding.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Warpslide@21:3/110 to Ogg on Monday, August 03, 2020 18:20:55
    On 03 Aug 2020, Ogg said the following...

    That's a recent thing that people picked up on. But for the many years prior I don't think there is anything comparable to that.

    There's a particularly disturbing one where someone is blaming Leo for the death of one of his hosts. I'm not sure whether it's true or not, but still
    a sad story nonetheless.

    Can you identify which episode contains the rant?

    It's episode 775 and begins at the 1:23:57 (~84 minute) mark in the audio.

    https://twit.tv/shows/security-now/episodes/775

    I like how when he's done with the rant there's an uncomfortable pause in the audio and Leo's just like: "You wanna take a break?"

    Probably rather smart for Leo to not touch that. :|

    Jay

    --- Mystic BBS v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Arelor@21:2/138 to Warpslide on Monday, August 03, 2020 19:22:19
    Re: Re: SQRL authentication
    By: Warpslide to Ogg on Mon Aug 03 2020 06:20 pm

    Can you identify which episode contains the rant?

    It's episode 775 and begins at the 1:23:57 (~84 minute) mark in the audio.

    https://twit.tv/shows/security-now/episodes/775

    I have not listened to it, but I have read the transcript.

    Actually I found it to be a source of fun.

    Some people are trying to use newspeak to identify enemies and mark them for cancellation - if you don't use their alternative language for your projects, you are the enemy and must be destroyed - so making fun of such mess is the least we can do.

    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From Ogg@21:4/106.21 to Arelor on Monday, August 03, 2020 21:19:00
    Hello Arelor!

    ** On Monday 03.08.20 - 19:22, Arelor wrote to Warpslide:

    It's episode 775 and begins at the 1:23:57 (~84 minute) mark in the audio.

    https://twit.tv/shows/security-now/episodes/775


    Actually I found it to be a source of fun.

    Me too. It was not like a rant (filled with unrestrained passion and explosiveness) at all.

    It was a very cool commentary.


    Some people are trying to use newspeak to identify enemies and mark
    them for cancellation - if you don't use their alternative language for
    your projects, you are the enemy and must be destroyed - so making fun
    of such mess is the least we can do.

    I concur.

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to Warpslide on Monday, August 03, 2020 21:39:00
    Hello Warpslide!

    ** On Monday 03.08.20 - 18:20, Warpslide wrote to Ogg:

    There's a particularly disturbing one where someone is blaming Leo for the death of one of his hosts. I'm not sure whether it's true or not, but still a sad story nonetheless.

    It's episode 775 and begins at the 1:23:57 (~84 minute) mark in the audio.

    https://twit.tv/shows/security-now/episodes/775

    I read it and listened to it. I do not perceive the "rant" aspect of it
    at all. His delivery is clearly tongue in cheek. It was a nice piece of subtle humour. The people following the show on the complementary ngs
    don't even refer to that bit at all.


    I like how when he's done with the rant there's an uncomfortable pause in the audio and Leo's just like: "You wanna take a break?"

    Probably rather smart for Leo to not touch that. :|

    It was just a normal cue for the upcoming commercial. It's not like the commercial was added in a hurry to get Steve to shut up.

    I think people who have reported this to you as a terrible segment on the show are overreacting over nothing.

    Steve remains a well accomplished programmer and communicator in his
    field. His documentation style is bar none. His brief foray into humor
    was well designed too.

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Warpslide@21:3/110 to Ogg on Tuesday, August 04, 2020 08:44:36
    On 03 Aug 2020, Ogg said the following...

    I read it and listened to it. I do not perceive the "rant" aspect of it at all. His delivery is clearly tongue in cheek. It was a nice piece
    of subtle humour. The people following the show on the complementary
    ngs don't even refer to that bit at all.

    Steve referred to it in 776 himself as a rant, but I totally agree it was _intended_ as tongue in cheek. The problem is once the Twitterverse got ahold of it, it quickly descended into mob mentality.

    It was just a normal cue for the upcoming commercial. It's not like the commercial was added in a hurry to get Steve to shut up.

    I believe he was done his monologue by this point, Leo usually puts his two cents into topics (not always), but I think his silence on this topic was rather telling.

    I think people who have reported this to you as a terrible segment on
    the show are overreacting over nothing.

    Agreed, the aforementioned mob mentality.

    Steve remains a well accomplished programmer and communicator in his field. His documentation style is bar none. His brief foray into humor was well designed too.

    Yup, I've been listening to his show since at least 2009 & have no intentions of giving it up. Often times on risky.biz they'll discuss a topic but never
    as in depth as Steve does when he does one of his "deep dives".

    Another (newer) show I quite like is called "Hackable" from McAfee. It takes many of the concepts & vulnerabilities discussed in Security Now and puts them into practice.

    The host of the show (Geoff Siskind) speaks with Bruce Snell about various topics at the beginning of the show & the last half is where they hire some hacker or cyber security expert to demonstrate how easy it is to hack certain things like video doorbells, keyless entry & ignition in cars and even smart coffee makers & tea kettles.

    It's a fun show also geared towards the end user:

    https://hackablepodcast.com/episodes

    Jay

    --- Mystic BBS v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Ogg@21:4/106.21 to Adept on Tuesday, August 04, 2020 20:55:00
    Hello Adept!

    ** On Tuesday 04.08.20 - 20:53, Adept wrote to Ogg:

    I haven't followed Steve Gibson in years, but I think the most damning complaint I heard about his work was that SpinRite might get you some
    data back, but it'll do it in such a way that'll hasten the demise of
    the drive.

    But I don't know if people even _use_ SpinRite at this point.

    I don't follow the SecurityNow podcast as much as I used to. But when I
    do, the odd program would feature a testimonial from someone who was at
    their wits' end dealing with a failed drive and SpinRite would restore the data from it for them.

    My understanding is that SpinRite is not a regular drive maintenance
    program. Instead, it is used to move good data around from apparently bad areas so that you could recover important data long enough before you
    trash the drive.

    I lurk in his hosted newsgroups. There are very fine technically
    articulate people hanging out there.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to Warpslide on Tuesday, August 04, 2020 21:27:00
    Hello Warpslide!

    ** On Tuesday 04.08.20 - 08:44, Warpslide wrote to Ogg:

    Steve referred to it in 776 himself as a rant, but I totally agree it
    was _intended_ as tongue in cheek. The problem is once the
    Twitterverse got ahold of it, it quickly descended into mob mentality.

    It is sad when people rush to judge. I'll have to give 776 a listen.


    It was just a normal cue for the upcoming commercial. It's not like
    the commercial was added in a hurry to get Steve to shut up.

    I believe he was done his monologue by this point, Leo usually puts
    his two cents into topics (not always), but I think his silence on
    this topic was rather telling.

    Leo is often fiddling around with other computers while Steve is on a 10 minute training speech. If you watch the videos you'd see that Leo is not always paying attention to Steve's cues or may not realize when Steve is
    done - especially when Leo is looking away at something. Hence a pause.

    A pause like that is not unusual.


    Another (newer) show I quite like is called "Hackable" from McAfee.
    It takes many of the concepts & vulnerabilities discussed in Security
    Now and puts them into practice.

    [snip]

    ..they hire some hacker or cyber security expert to demonstrate..


    Now that sounds interesting! Thanks for the heads up on that one.

    I don't mind the odd podcast from this show:

    https://www.smashingsecurity.com/episodes

    It has a primarily humorous bent on technology SNAFUs.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to Arelor on Tuesday, August 04, 2020 21:51:00
    Hello Arelor!

    ** On Tuesday 04.08.20 - 07:12, Arelor wrote to Ogg:

    Mr. PGP guy is still around and actually deploying for-profit projects. I don't think any of those is being particularly successful.

    How can you tell they are not successful?


    The Blackphone looked cool in theory, but in the end it was Android
    without Google, with some secure comms tools bolted on which required expensive subscriptions. I think Copperhead looked like a superior competitor on paper, and their support model sorta sucked.

    Yes, it sounds very good according to the website. Not sure if I would
    care for a subscription model. If I want "security", I would generally
    want at the end result to be left alone.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Warpslide@21:3/110 to Ogg on Tuesday, August 04, 2020 22:23:36
    On 04 Aug 2020, Ogg said the following...

    Leo is often fiddling around with other computers while Steve is on a 10 minute training speech. If you watch the videos you'd see that Leo is
    not always paying attention to Steve's cues or may not realize when
    Steve is done - especially when Leo is looking away at something. Hence
    a pause.

    A pause like that is not unusual.

    This is true. It's rare that I ever watch the video, but sometimes when I
    have a week off & I'm bored I'll watch live. I can't remember which episode
    it was (either TWiT or Security Now), but there was a brief (albeit unflattering) camera cut to Leo and he had his mouth full with lunch. So you're right in that he's not always paying attention.

    Now that sounds interesting! Thanks for the heads up on that one.

    I don't mind the odd podcast from this show:
    https://www.smashingsecurity.com/episodes
    It has a primarily humorous bent on technology SNAFUs.

    Sweet, I'm actually caught up on all my podcasts right now, so it's a good
    time to dip my toe into a new one, thanks!

    Jay

    --- Mystic BBS v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Warpslide@21:3/110 to Ogg on Tuesday, August 04, 2020 22:42:19
    On 04 Aug 2020, Ogg said the following...

    I lurk in his hosted newsgroups. There are very fine technically articulate people hanging out there.

    I checked those out several years ago & quickly realized I was out of my element. They might as well have been speaking Greek, but they sure seemed
    to be having fun.

    Jay

    --- Mystic BBS v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Ogg@21:4/106.21 to Andre on Tuesday, August 04, 2020 23:35:00
    Hello Andre!

    ** On Tuesday 04.08.20 - 21:37, Andre wrote to Ogg:

    Steve was the first to discover that Sony was including a rootkit..

    Discovering something twenty years ago doesn't make someone knowledgeable
    on all aspects of security, much less any current aspects of it.

    It was just one example. It's not the only thing he investigated. He also proved that RealPlayer was digging around people's PCs looking for things that identify you as a user, and sending stuff back to the mothership. RealPlayer denied denied denied - or claimed it had no knowledge that it
    was doing anything like that. But Steve persisted with proofs and
    eventually affected RealPlayer's behaviour.


    Steve seems way out of his element with MFA. We beat the snot out of current methods of MFA that are way more advanced... SQRL wouldn't
    last a day under a directed attack.

    I don't know what this MFA is, but I'll give you that. He studies code behaviour and shares his findings on the podcasts.

    SQRL is still relatively new. He was still working on it up until a few months ago. The concept and examples were out for years, but it has only recently reached a more final form.

    If you have evidence that SQRL is breakable, why not demonstrate that for him? Meanwhile, it's an open standard poised to be scrutinized and
    developed by the community.


    I realize that people won't take my word for it. I guess I'm not
    really trying to convince anyone. I'm just saying that it should
    strike people as odd that (1) no one uses SQRL, (2) no one of any reputation has written about SQRL, and (3) he doesn't seem to have
    anyone of any reputation following his social media accounts.

    There will be naysayers and critics for everything.

    As I said.. SQRL is still new. I just noticed there are some presentation videos about it, earliest one dated Jan 2020. I'll have to watch that. I installed an early version of it on one of my PCs, but back then I wasn't sure how this SQRL was supposed to work. From what I remember, QR codes
    are a salient feature, but it didn't seem to make sense to use QR codes on
    a laptop when visiting sites. I admit that I didn't quite understand how
    to operate it. I still don't. But since then, I see that he has demo
    videos and presentations filmed at several venues. Those will help me.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to alterego on Tuesday, August 04, 2020 23:46:00
    Hello alterego!

    ** On Wednesday 05.08.20 - 12:55, alterego wrote to Andre:

    (I will admit, I'm surprised it hasn't had greater adoption - but then
    you might enlighten me... :)

    It's still rather recent. He was developing the standard for years, but
    it has only now been released.

    And.. I think there is another standard (commercial) out there that claims
    to do the same thing or is very similar to what Steve built. So, I wonder
    if Steve's concept is poised to be overshadowed.

    I did not realize he had presentation/demo videos about SQRL out now. It
    will be fun to get a front-row seat to learn more how SQRL works.



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Adept@21:2/108 to Warpslide on Wednesday, August 05, 2020 04:29:59
    This is true. It's rare that I ever watch the video, but sometimes when
    I have a week off & I'm bored I'll watch live. I can't remember which episode it was (either TWiT or Security Now) there was a brief (albeit

    This reminds me how, not long before I moved to the Bay Area, I thought about how I could reasonably go up to Petaluma and watch This Week in Tech in
    person.

    But by the time it would've been reasonable for me, I had stopped listening
    to any of the programs. I spent much more time listening to various fiction netcasts (e.g., Great Detectives of Old Time Radio, Welcome to Nightvale, Makeshift Stories), and the only tech news thing I'd listen to is Daily Tech News Show, which has a TWIT alum.

    I do think that some of the negative things I read kinda got to me. But Leo certainly has an easy, approachable style with his on-air personality.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Andre Robitaille@21:2/101 to Ogg on Wednesday, August 05, 2020 06:48:04
    Re: SQRL
    By: Ogg to Andre on Tue Aug 04 2020 23:35:00

    I don't know what this MFA is, but I'll give you that. He studies code behaviour and shares his findings on the podcasts.

    Multi-Factor Authentication. It's what SQRL is.


    If you have evidences that SQRL is breakable, why not demonstrate that for him? Meanwhile, it's an open standard poised to be scrutinized and developed by the community.

    Because he's so far away from getting even the basics right of current MFA, current attacks, and user behavior. He's just way off the mark, and there are plenty of currently adopted methods that work better and aren't fundamentally flawed. I don't know if any are open-source, so while there are plenty that are
    free as in beer, the common ones have a privacy issue (Google/Facebook), hence why Apple stepped in with their own recently.


    - Andre
    --- SBBSecho 3.11-Linux
    * Origin: End Of The Line BBS - endofthelinebbs.com (21:2/101)
  • From Arelor@21:2/138 to Ogg on Wednesday, August 05, 2020 07:25:35
    Re: Mr. PGP guy is still around
    By: Ogg to Arelor on Tue Aug 04 2020 09:51 pm

    ** On Tuesday 04.08.20 - 07:12, Arelor wrote to Ogg:

    Mr. PGP guy is still around and actually deploying for-profit projects.
    I don't think any of those is being particularly successful.

    How can you tell they are not successful?

    I am not affirming they are a crash. I am mentioning I *think* they are not smashing successes because I don't see them having an impact on
    consumers or the industry.

    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From Warpslide@21:3/110 to Adept on Wednesday, August 05, 2020 09:11:53
    On 05 Aug 2020, Adept said the following...

    I do think that some of the negative things I read kinda got to me.

    We all say & do things we're not proud of. I think we just need to remember that they're only human just like us.

    But Leo certainly has an easy, approachable style with his on-air personality.

    Exactly! I remember watching him on Tech TV back in the day & always found
    him warm & approachable. There was a segment with him & Amber MacArthur
    where they were talking about this new website called YouTube that somehow makes streaming video from a webpage easy. I'd love to find that episode again.

    This was back around 2004 or 2005 when 3 or 5 megabit was considered "high speed" (at least in this area).

    Jay

    --- Mystic BBS v1.12 A46 2020/06/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Andre@21:3/117 to Arelor on Wednesday, August 05, 2020 09:12:52
    On 05 Aug 2020, Arelor said the following...

    Mr. PGP guy is still around and actually deploying for-profit proje
    I don't think any of those is being particularly successful.

    I think there's a valid argument to say that PGP isn't successful either. There's never been widespread adoption of it because it's extraordinarily difficult to use for the average user.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Adept@21:2/108 to Warpslide on Wednesday, August 05, 2020 16:39:21
    I do think that some of the negative things I read kinda got to me.

    We all say & do things we're not proud of. I think we just need to remember that they're only human just like us.

    Yeah. Though I think I'm like most people on that -- most things people do aren't all that bad, so long as they're contrite about having done bad things.

    I'm not quite sure where Leo fits into that, though. But I guess most of the people affected haven't gone out of their way to talk about how bad he is,
    they just stop making appearances on his shows.

    But not like I know anything.

    MacArthur where they were talking about this new website called YouTube that somehow makes streaming video from a webpage easy. I'd love to
    find that episode again.

    It's interesting, seeing things like that. Like the TV hosts trying to figure out what the internet is, but more competent. Or an article that was in Boardwatch about Amazon. When they only sold books, and promised no drop shipping.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Storm BBS (21:2/108)
  • From Arelor@21:2/138 to Andre on Wednesday, August 05, 2020 12:19:40
    Re: Re: Mr. PGP guy is still around
    By: Andre to Arelor on Wed Aug 05 2020 09:12 am

    On 05 Aug 2020, Arelor said the following...

    Mr. PGP guy is still around and actually deploying for-profit
    proje
    I don't think any of those is being particularly successful.

    I think there's a valid argument to say that PGP isn't successful either. There's never been widespread adoption of it because it's extraordinarily difficult to use for the average user.


    - Andre

    PGP is not an overly successful product, but OpenPGP has found its niche. Lots of
    developers and distribution maintainers use it to sign code. It is the default go-to
    solution when you want email encryption without CAs (although in the corporate world
    they usually pick a CA based solution).

    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From Andre@21:3/117 to Arelor on Wednesday, August 05, 2020 13:28:32
    On 05 Aug 2020, Arelor said the following...

    PGP is not an overly successful product, but OpenPGP has found its niche. Lots of
    developers and distribution maintainers use it to sign code. It is the default go-to
    solution when you want email encryption without CAs (although in the corporate world
    they usually pick a CA based solution).

    Good points, both.


    - Andre

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Runaan BBS (21:3/117)
  • From Ogg@21:4/106.21 to Andre on Thursday, August 06, 2020 19:56:00
    Hello Andre!

    ** On Wednesday 05.08.20 - 09:12, Andre wrote to Arelor:

    I think there's a valid argument to say that PGP isn't successful
    either. There's never been widespread adoption of it because it's extraordinarily difficult to use for the average user.

    It seems to have gained fine traction in enterprise (business) solutions
    over the years.

    But for the average bloke using Windows, not so much.

    Meanwhile the OpenPGP compliant GnuPG integrates very nicely in
    Thunderbird with the Enigmail plugin. Super easy to use.



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to Andre on Sunday, August 16, 2020 21:17:00
    Hello Andre!

    ** On Wednesday 05.08.20 - 22:09, Andre wrote to Warpslide:

    Your points are all valid. But my point is simply that this isn't any
    more secure than existing methods, and in some cases worse, and that
    it's massively harder to deploy and use. It's just out of touch and
    isn't going to see adoption.

    I really like the idea that something like SQRL does away with the server having to store passwords (or their hashes). This server side
    vulnerability remains the single point of weakness if a hacker gets the
    data. However, using the SQRL method, the only thing the hackers can get
    is the public keys - which are useless on their own.

    SQRL seems to be very similar to a PGP public+private key system.

    There is a WordPress plugin to support SQRL logins. That can be a big step
    to getting the user aware of it and implementing it.

    The https://sqrl.grc.com/ place is abuzz with experiences.



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Warpslide@21:3/110 to Ogg on Sunday, August 16, 2020 21:25:05
    On 16 Aug 2020, Ogg said the following...

    There is a WordPress plugin to support SQRL logins. That can be a big
    step to getting the user aware of it and implementing it.

    I tried it on a WordPress site I was testing. It was actually pretty neat
    and somewhat "magical" when using my phone.

    Jay

    --- Mystic BBS v1.12 A46 2020/08/11 (Windows/32)
    * Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
  • From Ogg@21:4/106.21 to alterego on Sunday, August 16, 2020 21:37:00
    Hello alterego!

    ** On Monday 17.08.20 - 10:04, alterego wrote to nristen:

    So you may have seen me post about SQRL of late - and I'm thinking it's a pretty innovative tool.

    This thread started with having an ease of use experience of logging into (in this case) BBSes without having to remember "another" password.

    Well, I rewrote an SQRL backend (just to learn it in more detail) - it's in PHP and I built it to run with LUMEN.

    I then added SQRL to synchronet - so yes, it polls the backend, gets an SQRL link and then converts that into a QRCODE which is rendered in the terminal.

    Nice. Congratulations. But isn't there supposed to be a way to just
    allow the user's SQRL client to do the login without the QR code too, and without the special sqrl:// link?

    It's about time that something akin to a public/private key pairing would
    be used for logins.

    --
    ../|ug

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From alterego@21:2/116 to Ogg on Monday, August 17, 2020 12:14:09
    Re: Calling BBSs +SQRL
    By: Ogg to alterego on Sun Aug 16 2020 09:37 pm

    Hey Ogg,

    Nice. Congratulations. But isn't there supposed to be a way to just allow the user's SQRL client to do the login without the QR code too, and without the special sqrl:// link?

    No.

    At the end of the day, you need to get a URL and NONCE to the SQRL client to initiate and complete authentication. The QRCode is the easy way to invoke the SQRL client. (or clicking on the URL should do it too).

    Just like http(s):// is registered to the OS - to launch a browser to render web pages. sqrl:// is registered to the OS - to launch the SQRL client to resolve authentication. (The SQRL client does a https:// to the URL it gets).


    ... An instantaneous power-supply crowbar circuit will operate too late.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Ogg@21:4/106.21 to Warpslide on Sunday, August 16, 2020 21:55:00
    Hello Warpslide!

    ** On Tuesday 04.08.20 - 22:42, Warpslide wrote to Ogg:

    I lurk in his hosted newsgroups. There are very fine technically
    articulate people hanging out there.

    I checked those out several years ago & quickly realized I was out of
    my element. They might as well have been speaking Greek, but they
    sure seemed to be having fun.

    I got that too. But every once in a while and more often than not, you
    can pick up things that would be very interesting, useful to know, or research later.

    --
    ../|ug

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to alterego on Sunday, August 16, 2020 22:47:00
    Hello alterego!

    ** On Monday 17.08.20 - 10:04, alterego wrote to nristen:

    Well, I rewrote an SQRL backend (just to learn it in more detail) -
    it's in PHP and I built it to run with LUMEN.

    I then added SQRL to synchronet - so yes, it polls the backend, gets
    an SQRL link and then converts that into a QRCODE which is rendered in
    the terminal.

    I forgot to ask.. how much code does all that entail?



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From alterego@21:2/116 to Ogg on Monday, August 17, 2020 13:46:00
    Re: Calling BBSs +SQRL
    By: Ogg to alterego on Sun Aug 16 2020 10:47 pm

    Well, I rewrote an SQRL backend (just to learn it in more detail) -
    it's in PHP and I built it to run with LUMEN.
    I then added SQRL to synchronet - so yes, it polls the backend, gets
    an SQRL link and then converts that into a QRCODE which is rendered
    in the terminal.
    I forgot to ask.. how much code does all that entail?

    Actually not a great deal. By design the SQRL client does most of the work...

    The server side - I use php/lumen with a new library that I created: http://dev.leenooks.net/leenooks/sqrl

    (I based it on another library that was created for laravel itself).

    On the Synchronet side, it's basically the http client that connects to php/lumen to get the SQRL URL, which it then converts to a QR code and presents
    to the user. In the background, it continues to poll the server to see when the
    nonce has been authorised, at which point I'll get the user's public key (which
    I'll use to log the user in).

    The synchronet side is here: http://dev.leenooks.net/bbs/sbbs/-/blob/ansitex/load/sqrllogin.js

    (And it's specific for my ANSItex implementation - but you get the idea - Oh and
    it's not complete yet...).


    ... You've got to miss them to score sometimes.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
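The exchange alterego describes in the two posts above (the BBS fetches a URL plus nonce, shows it as a QR code, the phone's SQRL client signs and posts back over https, and the BBS polls until the nonce is authorised and gets the user's public key), together with Ogg's earlier point that the server ends up holding only public keys, as an added Go model. This is example code written for this thread; it is not alterego's PHP/Lumen library, not the Synchronet script linked above, and not Steve Gibson's reference implementation. It keeps SQRL's per-site key derivation (HMAC-SHA256 of the site domain keyed by the identity master key, used as an Ed25519 seed) but assumes a toy challenge format ("domain|nut") in place of SQRL's real client/server parameter blocks, an in-memory nut table, and a constructed master key. It goes slightly beyond the posts by also showing why a replayed response and a look-alike domain both fail:

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client models the SQRL app on the phone; the identity master key (IMK) never leaves it.
type Client struct{ imk []byte }

// siteKey derives the per-site Ed25519 key from HMAC-SHA256(IMK, domain), as SQRL does,
// so a look-alike domain yields an unrelated public key.
func (c *Client) siteKey(domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, c.imk)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Respond signs the server's challenge. Real SQRL signs its client and server
// parameter blocks; this toy signs "domain|nut" (an assumption of the example).
func (c *Client) Respond(domain, nut string) (ed25519.PublicKey, []byte) {
	priv := c.siteKey(domain)
	sig := ed25519.Sign(priv, []byte(domain+"|"+nut))
	return priv.Public().(ed25519.PublicKey), sig
}

// Server models the backend the BBS polls (single-threaded for brevity). It stores
// only public keys, so a dump of its tables logs an attacker in nowhere.
type Server struct {
	domain string
	nuts   map[string]string // nut -> "" while pending, hex public key once authorised
	users  map[string]string // hex public key -> user name
}

func (s *Server) Enrol(pub ed25519.PublicKey, name string) {
	s.users[hex.EncodeToString(pub)] = name
}

// IssueNut creates the single-use nonce that goes into the sqrl:// URL and QR code.
func (s *Server) IssueNut() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	nut := hex.EncodeToString(b)
	s.nuts[nut] = ""
	return nut
}

// Authenticate is the HTTPS endpoint the SQRL client posts its signature to.
func (s *Server) Authenticate(nut string, pub ed25519.PublicKey, sig []byte) error {
	state, ok := s.nuts[nut]
	switch {
	case !ok:
		return errors.New("unknown nut")
	case state != "":
		return errors.New("nut already consumed (replay)")
	case len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(s.domain+"|"+nut), sig):
		return errors.New("signature does not verify")
	}
	s.nuts[nut] = hex.EncodeToString(pub) // consumed: any later use is a replay
	return nil
}

// Poll is what the BBS loops on; an empty user with authorised == true is a valid but unenrolled identity.
func (s *Server) Poll(nut string) (user string, authorised bool) {
	pubHex := s.nuts[nut]
	return s.users[pubHex], pubHex != ""
}

// Demo runs the exchange with a constructed IMK: who logged in, whether a replayed
// response was rejected, and whether a look-alike domain gave a different public key.
func Demo() (user string, replayRejected, lookalikeDiffers bool) {
	imk := sha256.Sum256([]byte("constructed demo IMK, not a real secret"))
	client := &Client{imk: imk[:]}
	srv := &Server{domain: "bbs.example", nuts: map[string]string{}, users: map[string]string{}}
	pub, _ := client.Respond("bbs.example", "enrolment") // only the public key is kept
	srv.Enrol(pub, "jay")
	nut := srv.IssueNut()                          // BBS fetches the challenge
	pub, sig := client.Respond("bbs.example", nut) // phone scans the QR code
	if err := srv.Authenticate(nut, pub, sig); err != nil {
		panic(err)
	}
	user, _ = srv.Poll(nut)
	replayRejected = srv.Authenticate(nut, pub, sig) != nil
	other, _ := client.Respond("bbs.examp1e", nut)
	lookalikeDiffers = !pub.Equal(other)
	return user, replayRejected, lookalikeDiffers
}

func main() {
	fmt.Println(Demo()) // jay true true
}
```

Two server-side rules carry the security argument from the thread: a nut is consumed on first valid use, so a captured response cannot be replayed, and the server's table holds nothing but public keys, so stealing it yields no credential for this site or any other (the look-alike domain gets a different key entirely).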
  • From August Abolins@21:2/101 to alterego on Monday, August 31, 2020 13:21:28
    On 18/08/2020 9:13 a.m., alterego wrote:

    So I've got it working.

    It's pretty cool logging into the BBS by using the app on my
    phone! Call it a fusion of 1980 and 2020

    Maybe give the folks at iPage a call and promote your solution for a nice contract price.

    SQRL would be so much better than this:

    "As part of our ongoing commitment to further enhance security and confidentiality of ipage® users, we are implementing additional requirements for
    ensuring account protection. Between now and September 14, 2020, login to ipage,
    and adjust your security settings to align with the requirements outlined below (items marked Action Required):

    Security Feature / ipage Requirement

    Password Requirements (Action Required)
    • 8 character minimum (New as of 6/25! reduced from 16 character)
    • Contains one upper case letter, one lower case letter, and one digit
    • Does not match previous 10 passwords
    • Does not contain the user's first name, last name, or ipage User ID

    Security Questions and Answers (Action Required)
    5 questions will be provided. Choose two questions and establish answers for both.

    Answer Requirements:
    • Minimum of 3 characters
    • Cannot duplicate questions or answers
    • Cannot contain User ID, email
    • Cannot match password

    Password Expiration (For your information)
    Passwords expire after 365 days
    • Users will receive a reminder email 14 days prior to expiration:"
    --- SBBSecho 3.11-Linux
    * Origin: End Of The Line BBS - endofthelinebbs.com (21:2/101)
  • From alterego@21:2/116 to August Abolins on Tuesday, September 01, 2020 12:23:14
    Re: SQRL /Re: Calling BBSs
    By: August Abolins to alterego on Mon Aug 31 2020 01:21 pm

    Howdy,

    "As part of our ongoing commitment to further enhance security and confidentiality of ipage® users, we are implementing additional requirements for
    ensuring account protection. Between now and September 14, 2020, login to ipage,
    and adjust your security settings to align with the requirements outlined below (items marked Action Required):

    So imagine all those "rules" - given to non technical folks - for every site that you interact with. Painful right?

    OAUTH (login via something else, like google, facebook, etc) - was created to help with that. Well, it just deferred the pain of keeping a "secure" infrastructure to somebody else. OAUTH works, but now somebody else knows who I
    connect to (we want to limit what the google's of the world know we do right?) but still needs to keep my info secure (and becomes accountable when it doesnt).

    SQRL eliminates a lot of those requirements - it adds new
    ones (and I don't think they are too onerous). It also means *nobody* else knows
    that I use a site - and the site in question doesn't necessarily need to know who I am. (But obviously would need to for payments, etc).


    ... An idea is not responsible for the people who believe in it.
    --- SBBSecho 3.11-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)