It's an extremely odd decision by the author to publish this piece. Port attacks on cryptocurrency accounts are nothing new, and outside of publishing the number ($100k!) there is nothing special about this account of events vs the countless other near-identical articles that have been published on Medium on the same old attack.
The reason I say it's odd is that he's an engineering manager at BitGo, which is a leading cryptocurrency custody solution! His job is literally to secure and protect institutional cryptocurrency wallets, and to publicly tell the world how careless he was with his own personal account looks extremely poorly on his employer despite the fact that this was an unrelated incident.
Moreover, why wouldn't he be using his own company's "industry-leading comprehensive secure" wallet solution which he recommends in the article, for his $100K worth of Bitcoin?
Honestly - they are a pain in the ass, it's not fun having to use them vs the convenience of an exchange, I certainly procrastinated about moving mine for a long time!
It's a reminder that crypto is fundamentally dangerous due to its lack of regulation and compliance requirements, its fundamental irreversibility and lack of authority/censorship. It's a lesson we should all take to heart about what makes for a functional financial system and what doesn't. It's also a lesson about the security of phones.
IMO it's great to learn about what goes well but super valuable to learn when people face-plant.
And you would have a chance (actually, be legally entitled) to recover your money as opposed to people on the internet telling you sorry for your loss.
IF someone managed to rob your account entirely through a mistake of the bank, it is the govt pointing the gun at the banks head (figuratively and literally) to give you your monetary assets.
With crypto the government can't get involved so you're screwed.
The banks know this, and they don't like losing money, so they have made most of their transactions reversible. There was an article on this a few years ago exploring why bank account credentials are worth little on the black market. Basically, there isn't an easy, safe way to just steal money out of a bank account.
Traditional financial regulation and compliance is a joke and mostly security theatre from the perspective of a security engineer or cryptographer.
- credit cards with secrets printed and shared in plain sight
- hacked banks
- hacked atms
It only works because most involved are somewhat trustworthy and the damages are small enough that it's still worth having the system.
But the latter also seems to be true for crypto. It shifts the responsibility further to the user. Some like it because they assume they can provide better opsec than their bank (which was easy in the past). Others don't like to take responsibility and leave it with some exchange, which in some cases even lags behind banks.
When I was a student 15 years ago my debit card was skimmed (here in the UK) and someone in the middle east completely emptied my bank account. I called my bank, they explained what had happened and what little money I had was back the very next day.
So while the infrastructure may be fundamentally insecure, quite frankly that's not my problem. If it was a crypto wallet I would have had zero legal recourse and of course never would have seen that money again - as we're seeing again and again.
I do hold some ETH but I don't see it replacing my bank anytime soon.
Ouch. Sucks to read that. For anyone who might be interested in a possible alternative to this, I keep two bank accounts with the same bank with only one being connected to my debit card. I keep a tiny balance in the account connected to the debit card so that even if I lose it, the damage is minimal. Whenever my balance is running low, I do a quick transfer via online banking.
No idea how feasible this might be in other countries, but wanted to share in case it's helpful. It's really helped me have ease of mind in using my card when I've been abroad.
Doesn't stop me from attempting to dismantle any ATM though whenever I use one :')
How many hours did you spend resolving the issue? That’s your damage.
And while you were reimbursed, the damage to the whole community was still done and just covered by an insurance fee that everyone pays on every transaction.
A bank's lack of opsec isn't my problem, it's theirs. They get hacked, I still get made whole. Only in crypto is the lack of anyone's opsec your problem.
> credit cards with secrets printed and shared in plain sight
This is a simplification. For all customer-present transactions cards use the secrets in a secure chip, and the transaction is authorised by the cryptographic processor in those chips signing the transaction data with a secret key. It's classic 2FA - Something you have (a card) and something you know (a PIN).
The type-in-a-number-on-a-website purchases are the weak link, and even they are usually protected by another layer of passwords (3D-secure, Verified by Visa etc).
It's quite a while (in most places outside the US) since the number on the front was the secret.
Correct, and they won't any time soon. The US is a Chip + Signature market, which still incorporates cryptographic elements on the card itself as the secret.
In a Chip + PIN transaction, the second factor is your digital PIN, whereas in the Chip + Signature transaction the second factor is your signature. It's still 2fac, but more importantly, in neither case is the secret on the front of the card.
There are three security aspects to the EMV standard: card duplication (your card is the real deal), cardholder verification (you are the real deal), and lending (that you still have available credit).
Having a chip prevents (or at least is intended to prevent) card skimming. EMV payments cannot be re-played, cards cannot be duplicated and neither the card nor the reader can be tampered with. The magstripe of a chip card includes a flag indicating the card has a chip so even if you duplicated the stripe, it still wouldn't work. That is a material improvement over magstripe-only cards, and the private key is embedded within the silicon in a highly tamper-resistant way. This got the US the bulk of the 'win'.
With respect to cardholder verification, the Cardholder Verification Methods range, from least to most secure (from the perspective of a bank): None (i.e. have at it), Signature, PIN and CDCVM (ApplePay, etc). The CVM is negotiated between the card and the reader on insertion (EMV) or presentation (NFC/EMV). Each of these CVMs will impact to some extent things such as how likely a transaction is to be approved vs declined, how much you're charged in interchange to make up for it, and so on.
Yes, PINs are more secure in some ways because they provide a pre-payment second factor and in some ways yield a false sense of security. For instance, if someone sees you key in your PIN, you'll have a harder time claiming fraud, and in Europe it's on you to prove that. In the US, it's on the merchant. The trade-off here is again more time. Merchants are often willing to pay a slightly higher interchange rate to get people through the line faster, and signature is unequivocally faster than Online pin (requiring another network request to decrypt/verify) and still faster than Offline pin (which only works in Europe and is capped through floor limit).
Consider this from the perspective of all the layers of security even an EMV signature payment has. Tamper-proof physical card required that cannot be cloned, tamper-proof terminal, the card yields a signed payment request to your acquirer who can flag it as fraudulent, to the issuing bank who can flag it as fraudulent, and all the way back down to the card which can itself mark your transaction as fraudulent (it's called a reversal). Then you sign. And your photograph / video is likely recorded by the merchant at the point of sale, too. PIN or no-PIN, in a low fraud rate market, the win is small but the cost in added time can be really high.
If this mattered in the US and PIN were truly advantageous, restaurants could configure their terminals to request signatures or no verification while high-ticket size merchants could still capture PINs. They could still make this change at any time, really, all the tech out there more or less supports it. During the EMV transition all this was considered, and the decision was made it wasn't worth it.
tl;dr: Sometimes the 'less secure' method gets you the bulk of the security win while yielding more profit for the merchant.
Source: I worked in payments for years including during the EMV switchover :) Hope that helps!
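The "magstripe of a chip card includes a flag indicating the card has a chip" point above is the service code on Track 2. As an added illustration (not the commenter's code, and not any payment vendor's implementation), this parses a constructed Track 2 record and shows what a terminal reads from it: the ISO/IEC 7813 service-code digits for "IC card present" and "PIN required", plus the Luhn check on the PAN. The constructed record uses a well-known test PAN; the decision names and the decode tables are this example's own.

```python
"""Track 2 inspection: what the stripe tells a terminal about chip and PIN."""
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM SSS discretionary? (sentinels are optional
# in captured data, so the pattern tolerates their absence).
_TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")

# First service-code digit: interchange rules and card technology.
# Values 2 and 6 mean "IC (chip) card, use the chip where feasible".
_INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange, IC card: use chip where feasible",
    "5": "national interchange",
    "6": "national interchange, IC card: use chip where feasible",
    "7": "private, no interchange except by bilateral agreement",
    "9": "test card",
}
# Third service-code digit: allowed services and whether a PIN is required.
_SERVICES = {
    "0": ("no restrictions", True),
    "1": ("no restrictions", False),
    "2": ("goods and services only", False),
    "3": ("ATM only", True),
    "4": ("cash only", False),
    "5": ("goods and services only", True),
    "6": ("no restrictions, PIN where feasible", False),
    "7": ("goods and services only, PIN where feasible", False),
}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = _TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_valid(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def chip_flagged(service_code: str) -> bool:
    """True when the stripe itself declares that the card carries a chip."""
    return service_code[0] in ("2", "6")


def pin_required(service_code: str) -> bool:
    return _SERVICES.get(service_code[2], ("unknown", False))[1]


def describe(service_code: str) -> str:
    return "%s; %s" % (_INTERCHANGE.get(service_code[0], "unknown interchange"),
                       _SERVICES.get(service_code[2], ("unknown services", False))[0])


def terminal_decision(raw: str, terminal_has_chip_reader: bool) -> str:
    """How a terminal should treat a swipe of this stripe (decision names are this example's)."""
    t = parse_track2(raw)
    if chip_flagged(t.service_code):
        if terminal_has_chip_reader:
            return "INSERT_CHIP"            # chip-flagged card swiped: demand the chip instead
        return "MAGSTRIPE_NO_CHIP_READER"   # non-chip terminal: liability shift usually hits the merchant
    return "MAGSTRIPE_OK"


# Constructed sample: test PAN 4111111111111111, expiry 12/25, service code 201.
SAMPLE_CHIP_CARD = ";4111111111111111=251220100000?"

if __name__ == "__main__":
    rec = parse_track2(SAMPLE_CHIP_CARD)
    print(rec, describe(rec.service_code), terminal_decision(SAMPLE_CHIP_CARD, True))
```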
In Europe it's more common to have an EC card, which doesn't have any necessary secrets printed in plain sight (you need a TAN to complete a transaction over 25€ or total 100€ per day).
We also have SEPA Inst which allows me to send people money instantly for no fees (at least at my bank), faster than Bitcoin ever could.
I'm insured against the bank being hacked. I'm also insured against the ATMs being hacked.
If I opened my bank account today and found 0€ via hacks, I'd get it all back in 99.9% of cases. If I lose my card I get back everything too.
If I lose my bitcoin wallet, I'm SOL and should be sorry for not making backups and using a multisig wallet with 2FA!
Same-day ACH took a while AFAIK because of fraud risk especially to smaller banks and credit unions, although we've moved into phase 3 of the work last year so that's happening now. I think the push-to-debit functionality pioneered by the likes of Square Cash helped hurry this along but I'm only speculating.
It's not particularly insider information, the reason America was slow to the chip card game was pragmatic. The US is a very low fraud rate market, and re-issuing all 1.43 billion credit cards [1] and 14M payment terminals [2] was going to cost an awful lot of money. Further, major industry players like McDonalds weren't interested in seeing line speeds go down at point of sale as they switch from mag stripe payments which happen real fast to EMV chip transactions which, at the time, were really slow. Think <1s for magstripe to 10s of seconds for EMV. NFC helps mitigate this, but again, dual-interface cards (EMV + NFC + Magstripe) are a few dollars a piece.
tl;dr: it wasn't until a few years ago that the cost of the transition outweighed the cost of the fraud that would be mitigated as a result.
You think of CC cards but an EC card is connected to your bank account, so you require the bank account number on the card plus a valid TAN number or the pin number of the card.
Alternatively you need a SEPA merchant account, but running fraud on that gets you sued to hell and back.
Personal email accounts also tend to leak into having access to employer systems, especially in tech. For example a lot of people use their personal email for Github, so once an attacker has access to your personal email they can move laterally into your employers private code repositories.
BitGo should be treating this as a security incident and verifying the attacker didn’t also target them.
IIRC their system with Bitfinex was a 2-of-3 key setup, with BitGo holding one key and Bitfinex, for some reason, holding two. At least that's what's stuck in my memory from Bitfinex/BitGo communications at the time, since the setup seemed to negate the point of using BitGo in the first place.
Edit: I should've clicked the link there, it says pretty much the same. It doesn't seem to me there was much left to explain - the attacker gained access to Bitfinex's keys and that was enough to withdraw. The idea of using BitGo was that a compromise of Bitfinex couldn't lead to loss of user funds, but Bitfinex holding two keys completely undermined that goal.
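The "two keys at Bitfinex undermines the 2-of-3" point above is a question of how keys are distributed across custodians, not of the threshold alone. As an added example (not the commenter's code, and not BitGo's or Bitfinex's actual key layout, which is taken only as the comment describes it), this computes, for any m-of-n policy and any key-to-custodian assignment, the minimal sets of custodians whose compromise reaches the threshold, and flags any custodian who can spend alone. The "offline backup" custodian in the second configuration is an assumed, typical third key holder.

```python
"""Single-party-compromise analysis for an m-of-n multisig policy."""
from itertools import combinations


def custodian_key_counts(key_holders: dict) -> dict:
    """key_holders maps key_id -> custodian; returns custodian -> number of keys held."""
    counts = {}
    for custodian in key_holders.values():
        counts[custodian] = counts.get(custodian, 0) + 1
    return counts


def minimal_compromise_sets(threshold: int, key_holders: dict) -> list:
    """Minimal custodian sets whose combined keys reach `threshold`.

    Minimal means no proper subset also reaches the threshold, so each result is
    exactly 'everything an attacker must compromise' for one path to spending.
    Returned as sorted tuples, smallest sets first.
    """
    counts = custodian_key_counts(key_holders)
    custodians = sorted(counts)
    found = []
    for size in range(1, len(custodians) + 1):
        for combo in combinations(custodians, size):
            # Skip supersets of a smaller set we already found: not minimal.
            if any(set(prev) <= set(combo) for prev in found):
                continue
            if sum(counts[c] for c in combo) >= threshold:
                found.append(combo)
    return found


def single_points_of_compromise(threshold: int, key_holders: dict) -> list:
    """Custodians who hold enough keys to meet the threshold by themselves."""
    return [s[0] for s in minimal_compromise_sets(threshold, key_holders) if len(s) == 1]


def check_policy(threshold: int, key_holders: dict) -> dict:
    """Summarise a policy: its shape, its single points of compromise, and all minimal sets."""
    spof = single_points_of_compromise(threshold, key_holders)
    return {
        "policy": "%d-of-%d" % (threshold, len(key_holders)),
        "single_party_can_spend": bool(spof),
        "single_points_of_compromise": spof,
        "minimal_compromise_sets": minimal_compromise_sets(threshold, key_holders),
    }


# Constructed configurations. AS_DESCRIBED follows the comment above: BitGo holds one
# key, Bitfinex two. INTENDED is the usual 2-of-3 split with an assumed third holder.
AS_DESCRIBED = {"key1": "Bitfinex", "key2": "Bitfinex", "key3": "BitGo"}
INTENDED = {"key1": "Bitfinex", "key2": "BitGo", "key3": "offline backup"}

if __name__ == "__main__":
    for name, cfg in (("as described", AS_DESCRIBED), ("intended", INTENDED)):
        print(name, check_policy(2, cfg))
```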
It's frustrating in SF where it seems like the only night time social activities are drinking-related and very few businesses outside of bars/clubs are open past 8pm or so.
One thing I love about going to Asia is the vibrant night time activities that of course includes bars but also night markets and late shopping that is as much for families as it is for bar goers.
Several years ago in San Francisco I started volunteering at a nonprofit theater, doing ticket checkin, will call, ushering, and things like that. Since then it’s grown into a much larger part of my life, and I travel all over the West Coast stage managing for cabarets, circuses, magic shows, and stuff. It’s still all volunteer, mostly low budget local artists who can’t afford to hire high-end professionals. But it’s been amazing, completely revolutionized life in San Francisco for me. Frankly it’s the main reason I haven’t left the city, as I’m kind of burned out on all the tech stuff here. But my circus friends are awesome. If you or anyone else wants to see an entirely different side of San Francisco and make some new friends in the arts community, ping me. Contact info is in my profile.
This has been what struck me the most after visiting Asia (Thailand/Bangkok) for the first time in my life, and even the 2nd time I visited there. At any point of the day or night you can do whatever you want and nobody will bat an eye. I've seen whole families having dinner at 4AM in the morning while I was just walking through the city.
Now compared to my own city and country (The Netherlands), people look at me weirdly if I go for a run at 12pm at night. Even though I just got home and this is the only time I have.
It's there. You don't get a city as big and diverse as SF without plenty of things going on at night. You just need to know where to look.
I find it surprising that hardly anyone here mentions music or the arts. Shopping isn't the only nighttime social activity. Go to the theatre, play an instrument, learn to dance.
I can't help but think to myself "how does this person live here?" whenever I interact with a service worker in SF, particularly one that doesn't appear to be in school. It's not a healthy reflex but I have to admit I have that thought all the time.
The more I think about SF the more I shudder. There's an interesting video "How to Fix San Francisco" where a guy uses Google Maps to showcase the structure of the town. It was eye opening. SF is jam-packed with people. From the skyview it looks grey with streets and buildings. No nature, no parks, nothing.
But why (serious question)? Other than A) Growing up there and B) Silicon Valley bragging rights the city does not seem to have much going for it. Yet, people still live there and pay a hefty price to do so.
The city has excellent food, art, music, and other culture. In the suburbs I can't go see a world class gallery of modern art. Or go see a musical. Or go see live jazz. Or go to a bar that specializes in modern cocktails. It is also a capital of activism and support for the LGBT community.
Cities aren't for everybody. Some people really want green spaces and SF doesn't really offer much there but to think that there are no benefits is just wrong.
"The city has excellent food, art, music, and other culture. In the suburbs I can't go see a world class gallery of modern art. Or go see a musical. Or go see live jazz. Or go to a bar that specializes in modern cocktails. It is also a capital of activism and support for the LGBT community."
You can get to SF in a short time from many suburbs. Almost everyone I know wants to be able to do these things at the drop of a hat, but rarely does these things as a percentage of time.
A lot of long time and native Bay Area residents have favorable housing situations, either by owning a family home from before the latest bubble, or by living in a rent controlled apartment or an apartment with a landlord who prefers tenant stability over chasing market rents.
Same situation in NYC, but there are many more people like this. The great majority of police, teachers, and other city workers in NYC are natives with homes bought in more affordable times, because nobody else could afford to live here on such a low-paid job.
The house I share was bought for $30,000 in the early 1980s, paid for by a single uneducated immigrant worker.
To be fair, it sounds like you haven't experienced what it is like to be a full-time academic yet. Anecdotally I hear many more complaints from friends who are in academia than in industry. Low pay, bureaucracy, and rocky path to tenure come to mind...
I’ve encountered truly rotten politics in industry, too. My experience though is about 6 summer internships and one relatively friendly PhD so maybe I have a rosy picture.
I think bureaucracy is not specific to academia but is rather something that just arises when a group of people try to coordinate work among themselves.
I think it boils down to "comparison being the thief of joy." Social media of all types are basically one giant comparison machine, and the people that are the most visible on social media are the richest/best looking/most successful etc.
I disagree 100%. It's easy to find a scapegoat but the reasons are complex, and from data we know that Millennials and Gen Z are having greater difficulty achieving basic levels of economic stability that were somewhat easier for previous generations. Students are graduating with increasing amounts of debt and entering a job market that can make it tough to pay rent if you don't have experience.
It's also easy to say things like "more people should go into STEM", which glosses over a couple parts of our reality--we do still need non-STEM employees, teachers, social workers, etc. even though they are not paid well, and even if you do graduate with STEM that doesn't mean you have skills that will land you a decent wage. Just to pick on an example, consider the choice between chemistry and chemical engineering. Both majors are STEM and seem quite similar, but chemical engineering is the one with good job prospects. Likewise, if you do something like mechanical engineering you might be expected to also do electrical and software; the employment prospects for non-generalist engineers are less than they once were.
It is honestly ludicrous to see the results of decades of economic warfare and the nonstop closing of proverbial doors of economic opportunity done by boomers and to a lesser extent gen X and then boil everything down to "Social media means more people compare their normal to everyone else's best."
It isn't that it's not true, it is! Social media sucks for mental health. It's just also true that there are many legitimate reasons to be upset. I say this as a 24 year old that has been very very lucky to have affluent parents and gone to a good university and gotten a good job. I make more money than I honestly think anyone needs at my current cost of living and yet despite this I have so many friends that are barely scraping by.
So sum the constant anxiety of basically no economic safety net, climate change (which is looking to be "how bad", not "if"), social media reminding you of these AND how much better your friends are doing.. Is it any wonder everybody feels like shit?
The issue with social media and mental health is that the topic is just being researched.
Millennials and Z's are the consumers in which that technology is being tested and we don't really know all the effects and damages that this new thing is causing on people. We sure know that it is pretty addictive and causes some damages to people who use social media mostly passive and binge on it.
Another damage that Social Media does is that now most people's attention spans are quite short, really short actually, and it doesn't help for the workflow. Add the depression (FOMO?) caused from the "comparison is the thief of joy" produced by Social Media and you have a really bad mix that will make you feel like shit on a regular basis.
I think it's a tricky one, because there are a couple of factors here.
It's not just one thing, but rather a ton of things - for example, there is social media which is a great way to see which of your 500 friends is currently on vacation right.this.second (and someone always is). While in some senses there's more opportunity than ever before for some groups (e.g. minorities / women) in the workplace, there's also more competition than ever before as more people go for these jobs.
Baby boomers and to a lesser extent, Gen X don't really understand that the economy is different for young people, in that everything that was cheap for them (housing, healthcare and education) is now grossly unaffordable, but the things that were the domain of the rich now cost next to nothing (international travel, cellphones, computers etc).
I make a lot of money (I'm 26) compared to most my age. But like most young people in San Francisco, I have a roommate. I couldn't buy a house on my own. But I could fly anywhere in the world with no worries. The housing situation will be fucked in California for the foreseeable future because politicians don't care about the poor and the vulnerable.
We look at business efficiency as a good thing (and it broadly is), but I think we don't fully account for the costs, in the inherent stress it places on us all. So we now all need a college degree to get an entry level job. That's led to a bifurcation of the economy, between those with a credential and those without.
The climate thing is tricky. I think we'll sort it out, but it is a big problem.
I'd like to know your travel agent. Or could it be that despite your very real housing woes, you're making a high salary (as you say) and don't realize that international travel is still well out of reach for most Americans?
> ... the choice between chemistry and chemical engineering. Both majors are STEM and seem quite similar, but chemical engineering is the one with good job prospects.
Anyone know why this is the case? I took chem 1 in college (in the lib arts school), and while it probably wasn't as difficult as most of my classes in the engineering school, it certainly wasn't as easy as, say, the few electives I had to take in sociology, psych, or English.
So why do chemical engineers seem to have it even better than CS or CE majors (in terms of salary and job prospects) while most lib arts chem majors are paid crap and require lots of grad school, even PHDs, to get even an entry level research or similar job in industry?
Millennials and Gen Z are having greater difficulty achieving basic levels of economic stability that were somewhat easier for previous generations
Easier than what? Their great grandparents who lived through the Great Depression? Their grandparents who lived through Stagflation of the 1970's? Or their parents who lived through the Great Recession?
Easier for members of Gen X and Baby Boomers (note that young people in the workforce during the Recession are generally classified as the older end of the Millennials).
From the Federal Reserve Board:
> Millennials are less well off than members of earlier generations when they were young, with lower earnings, fewer assets, and less wealth. For debt, millennials hold levels similar to those of Generation X and more than those of the baby boomers. Conditional on their age and other factors, millennials do not appear to have preferences for consumption that differ significantly from those of earlier generations.
Easier than Boomers and Generation X, to be clear. I'd be willing to listen to claims that Millennials / Gen Z are doing well if you have some numbers to back those claims, so please, do change my mind. I'm not really interested in lists of economic recessions that happen to have names, especially since the 2008 recession also affected Millennials.
"Keeping up with the Joneses" was an idea far before social media existed. As was worship of the wealthy and celebrities.
And the people "most visible" on social media are very specifically the people we choose to follow. Maybe we can ask why do people choose to follow so many of the "richest/best looking/most successful" people, but that's putting the cart before the horse. We could just as easily ask in the 1980's why people buy so many fashion magazines or watch Lifestyles of the Rich and Famous. This pattern of behavior transcends media formats.
I don't think it is all due to social media. America is very much seen as the 'Land of Opportunity' where people are lauded for 'pulling themselves up by their bootstraps'. Today's environment though makes that much more difficult for younger generations than it did for older ones.
Prior generations are quick to say "I did it, why can't you" when in reality millennials are in a completely different economic starting block in large part due to the policies and lifestyles of the boomers.
On top of the negativity being levelled at them, the simple act of trying to financially survive is exhausting.
The differences between the haves and have nots and the difficulty in becoming a 'have' without a firm economic base provided by your family is becoming greater all the time.
Or maybe just maybe the fact that I ended up having to play therapist for my sixth form and the fact that my generation is full of suicidal people willing to die for a revolution tomorrow if it came is a sign that there is something deeply wrong with our society.
Outside of tech, there are certainly industries that thrive on low-paid junior workers and get away with it because there are so many desperate for a "foot in the door" that they don't have to pay more e.g. entertainment, most D.C. gov jobs.
Game development is hell if you're not at the top.
Dealing with Hollywood is a pain if you're not dazzled by the industry. Either they're in development and their credit cards bounce, or they're in production and they want a new feature yesterday.
It'd be a wake-up call for the "technology alone, no policy needed" strain of green optimism.
I'm more and more convinced that we need strong, supportive policy to transition to a carbon-free future in time to avoid the worst effects of climate change, and that the current political situation looks incredibly grim from that perspective. It's pretty common for states nowadays to pass punitive taxes on EVs as "compensation" for lost gas taxes, universally over-estimating the number of miles an EV driver typically does in a year: https://www2.greencarreports.com/news/1123069_1000-illinois-... https://cleantechnica.com/2019/05/17/whos-behind-the-war-on-...
China has incredibly supportive policy for EVs right now. From a purely industrial policy standpoint, we're close to strangling our own nascent EV industry with the sunsetting of the EV tax credit and all these new punitive state-level EV taxes. (Few Bolts are made, the Volt was recently canceled, and Tesla is struggling after having to deal with roughly a $3750 impact on their car price, soon to be increased to $5625 and then $7500... many of the rest are compliance cars or are available only in extremely limited quantities.)
If things don't change soon on the political front, it could be really bad. For the US and the world.
For those on the West Coast, well LA, we actually have access to incredible hot chicken in Howlin' Rays. The chicken definitely stays true to the Nashville original and they have the lines to prove it (peak is like 3 hours).
To give Howlin Ray's some credit, they did a pop-up night here in Nashville with 400 Degrees (one of the highest regarded places) and it was incredibly packed and successful. Next time I'm in LA, I will be at Howlin Rays!
i went to howlin rays a few times when it opened (the line was “only” 15-30 mins long then). it’s delicious but the line is way too long now to go regularly. i switched to dave’s for a while but that’s now got a long line too. luckily new options have popped up and maybe will tame those crazy lines at howlin rays eventually.
The author of the tweet that inspired the post lives in Japan, and as a first generation Taiwanese American and occasional traveler to Asia one consistent observation is that it's much more common there to eat out rather than cook than it is here in the US. Kitchens are tiny in most stereotypical "big Asian cities" and eating out is cheap and options plentiful.
Point is this trend has been the case in Asia for a long time, and the only reason why I don't think it's really the case in the West is because the cost of operating a restaurant or even food truck is high enough that the cost of eating out isn't as economical as it is in Asia.
This is just guessing, but I'd think population density plays a major factor. I'm just eyeballing this list here [1], but Japan is roughly 10x as dense population wise as the US.