Hacker News | Hackbraten's comments

But what kind of risk would that be? For adolescents and auto insurance, it makes sense to me (higher testosterone levels, less driving experience, not yet fully developed sense of risks/consequences, fewer spouses/children who depend on their livelihood etc. etc.)

But why would fraud be more prevalent specifically in the adult content industry than the average over all the industries? Do criminals prefer working in porn than elsewhere? Why? Or do chargebacks simply occur more often due to spouses disputing a charge in an attempt to save face in front of their partner?


Adult industry is digital content that can be "purchased" and then scraped before the chargeback goes through. Now the user has all the content that the site/model/whoever offers and didn't pay anything for it; they can then share it around, resell it, whatever.

It helps that a lot of people have no respect for the people producing the content; they'll happily consume it, but they refuse to acknowledge any work that goes into it or that people should be compensated for what they've created.


Wife goes "was this you?" "no, I must have been hacked".

The stats I've seen actually did put the chargeback rate as high compared to other industries.

What does seem like a scam, though, is that, especially in the digital space, a refund is basically free. The merchant could agree that in the case of any chargeback the credit card company can just take it back; they won't argue, just take it. They'd even agree to pay the transaction fee.

But you can't, so you get the 20% fee, and you still get the money clawed back from you.


There’s going to be a lot of the spouse saving face chargebacks, people using stolen card numbers to download porn to avoid exposing their use to anyone else, active use of porn sites as a means of laundering funds from stolen card numbers—if you’re in an organization that does prostitution and card theft, you can use a third-party porn site to turn stolen card numbers into cash, etc.

I use `pass` on all my personal dev workstations and phone (because I happen to own YubiKeys/OpenPGP cards with my PGP key on them anyway; would probably use `age`/SOPS instead if I already hadn't committed to the PGP ecosystem).

If /usr/bin/bar wants a credential via a FOO_API_KEY environment variable, I create a /usr/local/bin/bar wrapper script like so:

    #!/bin/bash
    set -eu +x

    # Only decrypt when the caller hasn't already supplied the credential.
    if [[ -z "${FOO_API_KEY:-}" ]]; then
      echo >&2 Decrypting FOO_API_KEY
      FOO_API_KEY="$(pass show bar/FOO_API_KEY)"
    fi

    # Hand the credential to the real binary via its environment, replacing this process.
    export FOO_API_KEY
    exec /usr/bin/bar "$@"

Ooh, that's clever. Thanks for sharing.

AWS allows you to set `credential_process` and have it point to a script that fetches your credential from wherever you like and prints it to stdout.
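As an added example (not code from this thread), here is what such a `credential_process` target could look like when the key pair lives in `pass`, in the spirit of the wrapper script above. The pass entry names (`aws/<profile>/AccessKeyId` etc.), the script path and the profile name are assumptions; the JSON shape (`Version` 1, `AccessKeyId`, `SecretAccessKey`, optional `SessionToken`) is what the AWS SDKs expect from a credential process.

```shell
#!/bin/bash
# Added example: AWS credential_process helper backed by pass.
# Assumed pass entries (adjust to your store):
#   aws/<profile>/AccessKeyId, aws/<profile>/SecretAccessKey,
#   and optionally aws/<profile>/SessionToken.
# Assumed install path /usr/local/bin/aws-pass-creds, wired up in ~/.aws/config as:
#   [profile work]
#   credential_process = /usr/local/bin/aws-pass-creds work
set -eu

# Escape the two characters that would break a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Render the JSON document the SDKs read from a credential process.
# Returns non-zero and prints nothing if a mandatory value is empty, so the
# SDK sees a failed process instead of a half-empty credential.
aws_cred_json() {
  key="$1"
  secret="$2"
  token="${3:-}"
  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo >&2 "aws-pass-creds: missing AccessKeyId or SecretAccessKey"
    return 1
  fi
  printf '{"Version":1,"AccessKeyId":"%s","SecretAccessKey":"%s"' \
    "$(json_escape "$key")" "$(json_escape "$secret")"
  if [ -n "$token" ]; then
    printf ',"SessionToken":"%s"' "$(json_escape "$token")"
  fi
  printf '}\n'
}

# First line of a pass entry; a missing optional entry yields an empty string.
pass_entry() {
  pass show "$1" 2>/dev/null | head -n 1
}

main() {
  profile="$1"
  # Never let a stray `bash -x` echo the decrypted values.
  set +x
  aws_cred_json \
    "$(pass_entry "aws/$profile/AccessKeyId")" \
    "$(pass_entry "aws/$profile/SecretAccessKey")" \
    "$(pass_entry "aws/$profile/SessionToken")"
}

# Only touch the password store when a profile name is given; running the
# file bare (or sourcing it) just defines the functions above.
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```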

Let them know. Write a letter to the CEO. And vote with your wallet and switch banks if you can. There's always a bank willing to offer you a non-app 2FA scheme.

Banks don’t do this because of profit. They do it because of decades of laws pushing in this direction. Anti-money laundering, know your customer, digitalised currency, abandoning cash, preventing tax evasion etc… it’s been getting more extensive over time.

None of the things you mentioned inherently require the user to own (and babysit) an expensive general-purpose computing device produced by tracking-obsessed adtech giants and with software obsolescence built into the product.

> vote with your wallet

This does not work. You aren't talking about pissing off a significant percentage of the users who go elsewhere.

The imbalance in power is unthinkable to people 100 years ago when the phrase was first popularised.


> Let them know. Write a letter to the CEO.

I think you're naively presuming the issue is simple and easy to address with a letter.

Regardless of your bank, payment systems such as Visa and Mastercard have blocked transactions involving mainstream online stores such as Steam because they unilaterally deemed some games to be problematic. You cannot fix this problem with an email.


These are two unrelated problems. One is "payment systems use imperfect heuristics in their own operations to fulfil their regulatory obligations." The problem I was referring to is "banks push 2FA onto end users but are unwilling to give them alternatives that don't involve meddling with the user's own most private and expensive device."

The latter is absolutely a thing where customers can (and should IMO) push back hard.


> These are two unrelated problems. One is "payment systems use imperfect heuristics in their own operations to fulfil their regulatory obligations."

No, they are not. You have people reliant on this software infrastructure for very basic aspects of their life, such as using their own money to buy whatever they feel like buying, and you have people being deprived of their rights because operators of said infrastructure actively prevent and deny their rights to do so. This has nothing to do with heuristics, and everything to do with granting people the power to dictate what you may or may not do with the things you own.


Do you think banks are using attestation gratuitously? It helps prevent a lot of fraud. You are opposing something that saves people’s savings every day just because you think it takes “freedom” away from a few hobbyists. Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?

Can you show me examples where locking down an OS has prevented fraud in banking?

Honestly, if the only way to secure your banking system is by locking down users' devices, there is something really bad going on at your end, security-wise. Your system should be secure even without locking down user hardware.


One of the threat models is that a fraudster tricks a non-technical user into installing malware, which then manipulates the user interface so that next time the user tries to send money to Bob, it actually goes to Mallory. That's a legitimate concern, and one of the reasons why PSD2 mandates that all 2FA devices must have a display that shows the user where they're about to send the money and how much.

And one of the threat models that police use in the US is tracking women suspected of going for abortions through the use of road cameras, and other surveillance methods.

Once you have the attestation in place you have no guarantee who is going to get access to data like what apps are present on your device, and there will be nothing you can do to stop it.

Meanwhile, we could educate people against common scams.

How is this not just trading one smaller bad for a bigger bad? Why is this touted as an improvement?


That's why I'm strongly against remote attestation of general-purpose hardware.

I use a handheld card reader with a display as a 2FA for my bank transactions. It shows me the transaction and, after I confirm, sends a TAN to the bank. It is not a general-purpose device but a certified, tamper-evident/-resistant black box that does just that one thing.

> Meanwhile, we could educate people against common scams.

There's a million ways you can get scammed, no matter how many hours of training you've had.


You can't educate (many) people against common scams. But people should have the freedom to opt out of surveillance in their private lives, at the risk of exposure to scams.

I don't see why we couldn't have both better education around this, and the freedom to opt out of surveillance

> Can you show me examples where locking down an OS has prevented fraud in banking?

This is a nonsensical remark because it's impossible to "prove" a counterfactual. I find stuff like this incredibly annoying - please don't say this.


Look at the last 30 years of computing history?

When online banking was first created it was an absolute chaos zone. Everyone was accessing it from desktop machines riddled with viruses and malware. There are endless stories of people discovering their life savings had been wired to Belarus by some malware running on their machine that had grabbed their banking credentials when they logged in.

https://www.google.com/search?q=site%3Akrebsonsecurity.com+b...

https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-dev...

> U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.

Half a billion dollars, by a single guy with a single virus!

Different parts of the world came up with different solutions for this. The US made all ACH payments reversible and international wires difficult, but that just meant the receiver paid for fraud instead of the person whose machine was full of viruses. This was an obviously bad set of incentives and hacky panic-based fix. Banks elsewhere in the world settled on providing users with authenticator devices that looked like small calculators into which you could type transaction details after plugging in a smart card. Malware could still steal all your financial data but it couldn't initiate transactions.

Obviously, all this was a hack. What was needed was computers that were secure. Apple and the Android ecosystem eventually delivered this, and the calculator devices were retired in favour of smartphones with remote attestation. This was better in literally every way, for 100% of users. Firstly, it protects financial privacy and not just transaction initiation. Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer. Thirdly, adding remote attestation made no difference because that's what the calculator devices were doing anyway. Fourthly, even in the case of customers of small American banks that weren't capable enough to manage dedicated hardware rollouts, getting rid of fraud instead of pushing liability around allows for lower prices and fewer headaches.

So remote attestation is a non-negotiable requirement for digital banking of any form. When Microsoft didn't deliver most banks preferred to literally manufacture and sell their customers single-use smartcards that remotely attested by you manually copying numbers back and forth between screens. Or they hid the cost of rampant fraud in the price of other services until such a time that Apple/Google saved them.


> Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer.

The price the owner pays for this is that they're locked out of their own expensive general-purpose computing device while still having to bear all the inconveniences (babysit OS updates, configure stuff, keep it charged, have the battery fail, buy a new device every five years, etc.)

In the meantime, the standalone chip-and-TAN device costs 30 bucks, is powered by three AAA batteries that hold their charge for five years, lives for 20 years, and never needs a single software update.

I'd choose the small single-purpose device over the enshittified, locked-down smartphone every single time.


This reminds me of crypto wallets. I also dispute mike_hearn's:

> Smartphone HW attestation is better in every way

They're still prone to side-channel attacks like SPECTRE. Crypto wallets are practically immune because they're air-gapped.

[edit] I just realised that's Mike Hearn of early BTC fame. I suppose he would know what a crypto wallet is.


Spectre doesn't work across process boundaries, so I don't think they are. You can't Spectre your way into a banking app on an iPhone. Or if you can I'd like to see it in action.

I don’t think "Spectre doesn’t work across process boundaries" is correct as stated; cross-process and cross-security-domain Spectre attacks have been demonstrated. But I agree that "a malicious app can trivially Spectre its way into an arbitrary banking app on a patched iPhone" is a much stronger claim, and I’m not aware of a public demonstration of that exact attack. My point is only that process isolation alone is not, in principle, a complete answer to Spectre-class attacks.

The only similar bug I'm aware of was Meltdown, an Intel only bug that was immediately patched with a microcode update. But Meltdown was a different bug to Spectre. Spectre is a class of attacks that's hard to solve by design, Meltdown was a specific bug that was easy to solve.

You could also open your front door with your smart phone. It would look high tech until your battery is empty.

Sometimes I see people captured by the train station unable to check out. They usually find someone with a charger but technically the formula is to fine them for not having a ticket. Then one might still need to buy a ticket to continue the journey. (bring cash)

Phones are usually empty when things [already] aren't going as planned.


Back in my iPhone days, I once got bitten by a bug where the app developer failed to raise that flag "dear OS, I'm in the middle of presenting a ticket for optical scanning, and it would be really amazing if you could just, you know, not disturb the screen with random shit for a couple seconds."

Unfortunately for me though, the turnstile that I was about to pass to exit the train station had both an optical scanner and some NFC thing lumped into the same physical module, and every time I tried to scan my ticket, the phone would raise its NFC screen and hide the 2D matrix code.

So yes, you can have a fully charged phone and a perfectly valid ticket with the latest software and still get stuck in a train station.


> ...the calculator devices were retired in favour of smartphones with remote attestation. This was better in literally every way, for 100% of users.

Not 100%. A robber can force people to activate facial recognition or fingerprint sensors. Forcing someone to type a PIN code is harder but doable. If one doesn't bring the authenticator & bank card they can't initiate transactions.


Banking apps don't normally force you to use biometrics. They let you use PINs too, at least mine does.

> Do you think banks are using attestation gratuitously?

What I'm claiming is that banks have the freedom of offering their customers 2FA other than smartphone apps.

> Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?

All the phones I own, including my daily driver, run some flavor of Debian. None of them support hardware attestation.

I'm in Europe, bound by PSD2, and own a couple of cheap, certified chip-and-TAN devices so I can do banking.


> A quick search for how leveraged acquisitions, stock-for-stock deals, financing commitments, or tender offers work would answer most of the objections.

Isn’t the assumption that it’s impossible intuitively justified if you have no background in finance? A small fish usually can’t devour a bigger fish either.

Also, all those terms you mentioned mean nothing to me. You can’t search for what you don’t know exists.


> This is unacceptable. Closing an accessibility report because the maintainers haven't touched it in months is not “tidying up”; it is hiding evidence. It effectively says that if a bug is ignored long enough, it ceases to exist.

Another perspective from a project maintainer’s point of view:

The people who own and maintain the project get to decide what the status Open and Closed means in the context of a ticket. Users do not necessarily have to agree.

For example, a project maintainer may choose to assign to a status of Open the meaning “this is untriaged or we’re actively working on it”, and Closed could mean “we have looked at this ticket and determined that no team member is going to work on it right now.” In other words, Closed does not have to mean “rejected and this decision is final” but can mean “it’s not something we’re currently working on.” These semantics might not be intuitive for everyone but can be justifiable if they help the project members organize their workload.


gemini-cli is not some volunteer maintained open source thing.

Google generally try to be good at accessibility and even publish conformance reports for most of their products https://belonging.google/accessibility-conformance-reports/


Why do I get just an empty page?

Thanks. It seems to be very local/incidental. The page works from the locations I can test, but I’ll check whether one edge cache or request path served a bad response.

White page from one of Germany's largest ISPs.

Same here via VPN. No VPN, and I get the actual content.

Caching gone wrong.. (Works for me)

It's supposed to Just Work on clean and rescue systems. Otherwise, it's a regression with respect to v4. The fact that it doesn't work is evidence that someone has been doing something wrong. The user at the receiving end of this clusterfuck is not that someone.

I've been playing on and off for 15 years, sometimes daily for months on end. The deepest I managed to go is level 11, and as soon as I enter the Big Room, I die. In fact, I went past level 8 for the first time this year. I've read all of the NetHack wiki back and forth. I don't have the slightest idea what I'm doing wrong or how to improve.

I'm 46 now, and if I continue that pace, I'll be dead before I even reach the bottom, let alone ascend.


Been playing on and off since I was 12, 38 today. Good times. Quick tip is to play valkyrie, dip sword for excalibur, rub any lamps and wish for sdsm, and you should be good.

Also check out DCSS, amazing game, been playing for almost 40 years.


I've had them all. I’ve had wands of wishing, I die. I’ve worn blessed greased amazing technicolor Valenciaga +9001 silver patent leather dragon 2x HiDPIscale mail, I die. I step in a fucking trap, I get surrounded by a dozen killer bees, I die. Soldier ant, I die.

Good players can kill soldier ants with almost nothing, just some rocks or darts or daggers. There’s a bit of tactics to learn but the essential step is to stop bumping into enemies and learn to fight at range, use Elbereth to keep them at a distance, use doors and corridors to limit their angles of approach.

Once you learn how to kill a fast enemy (like a soldier ant) without letting it fight you in melee, you become unstoppable for the first 1/3rd of the game or so. You discover that you don’t need the best armour in the game right away, you don’t even need more than a half-decent weapon, you just need to maintain your supplies of ranged weapons (and wands).

Stepping in traps can also be avoided with the knowledge that (with 2 special exceptions) traps only generate in rooms, not corridors. Traps can be safely searched for from adjacent spaces and once discovered remain visible permanently.

I should also point out that the two enemies you mentioned that killed you have one thing in common: poisonous sting attacks. Poison has been nerfed in the latest version (5.0) and poison resistance can be acquired in game. Furthermore, some characters actually start the game with poison resistance for free!


Haha amazing times, just have to go at it again, and again and again.

I think I got my hands on Hack when I was 8, so I've been doing the same for, uh, 39 years. Damn. At least I was learning VI keys unintentionally, so it was somewhat educational. :)

Been on and off playing since I was 19, 63 today. Always good times. I had it in my autoexec.bat, so when I got home, and turned on my machine, I was ready to play. Always abused polymorphic traps. Sorry to see them go.

We can only guess about what's going wrong for you specifically. But I like guessing:

(extremely mild spoilers:)

- A core skill for Nethack is understanding how much danger you're in at any particular moment. Your comment about soldier ants below tells me you've made good progress here. But you need to recognize when you're in danger and how long you have to deal with that problem before you'll react appropriately.

- Nethack's dungeon isn't linear, it branches. (Think of the gnomish mines here, but there are other examples deeper.) When you're getting in over your head in one branch, go back up the stairs and switch to another one.

- When you're in immediate danger, Stop. Look through your inventory, consider your options. Think especially about wands, think about ways to write Elbereth, think about scrolls. Think about ways to use diagonal movement to your advantage to get to an escape, or a more defensible position. You have all the time in the world to think. There may not be a solution, but I've died more than a few times with more than one thing in my inventory that could have saved me.

- You need to be able to identify some things without waiting for a scroll of identify to fall into your lap. Price is the easiest way to identify the scroll of identify itself. It's also straightforward to learn to identify most useful wands: with spoilers or by experimenting. Engraving with the wand will often give you more information than zapping it. A lot of your early I'm In Danger toolkit will come from wands you've identified this way.

Good luck, have fun.

(Intermediate player, a few dozen ascensions 20 years ago.)


Elbereth always seemed like a cheat... Never understood the point of it. I got to the quest without it, but not deeper.

It's not a cheat. It's explained in the game's manual (the Official Guidebook [1], just search for Engrave).

It's been nerfed since 3.6.X as well. Now it can no longer be used for fighting, only escape, and attempting to fight while standing on it will make you "feel like a hypocrite" and deduct 5 from your alignment score.

[1] https://www.nethack.org/v500/Guidebook.html#toc_4


I know it's not, but I don't understand why it has to exist.

There are a million other wacky things in the game. Nothing about Elbereth seems out of place or unbalanced (since it’s been nerfed anyway).

They added the ability to apply your money to flip a coin in this version! Why does that need to exist? Because they thought of it!


Thank you for the tips, much appreciated!

One thing which I don't know if you've noticed (and I don't consider this a spoiler) but Nethack has level scaling. If you get levels too fast, faster than you get better gear, enemies outscale you. In my (admittedly very dated) experience a lot of the difficulty was striking that balance between exploring too quickly and lingering too long.

Thanks. Are you referring to the dungeon level (depth) or the experience level?

Dungeon level depth, mostly.

This being NetHack, an answer is often not as straightforward as it could be. Most of the time the level difficulty is proportional to how deep you are into the dungeon but there are levels where your experience level factors in as well.


If so, it's changed. Back when I played, spawning of random monsters (i.e. almost all of them) was based on simply dungeon level + experience level.

13 in SLASH'EM with the Doppelganger monk. Hint: there's the #technique feature, just type

      #tech

in game and say hello to Dragon Ball like attacks kicking everyone's asses.

> If they don't pick red

Why wouldn't they?


Because most people have empathy and collective consciousness. Apart from ultra-capitalist individualists, most people choose trust and cooperation, because we're hard-wired for that and that's how species develop and thrive (see also, science).


Humans are conditionally cooperative.

When we suspect some people are not cooperative, that gets reciprocated.

