But you can trick Bob into entering his credentials + using his security key on corp.bank.co.m and then use those credentials + security key interaction to log into corp.bank.com IF the security key interaction is domain agnostic (like you can do with the 2FA codes you get on your phone - if you can trick Bob into entering his password you can trick corp.bank.com into sending Bob a 2FA code which he will also give you).
U2F key interaction is not domain agnostic. That's why it's so good against phishing--it can't be collected by a fake domain to pass through to the real one.
The key requires physical feedback, the user needs to push the button when prompted by the software and that button pushing will only authorize a single authentication.
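Added example, not part of the thread: a toy Python model of the origin binding described above, using the two hostnames from the first comment. The `ToyToken` class, the helper names, and the use of HMAC in place of the per-credential ECDSA key pair are assumptions made for illustration; a real token returns a public key at registration.

```python
import hashlib, hmac, json, os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class ToyToken:
    """Constructed model of a U2F key; HMAC stands in for the real ECDSA key pair."""
    def __init__(self):
        self._master = os.urandom(32)

    def _key(self, nonce, app_param):
        # The per-credential key is derived from the origin hash, so it differs per site.
        return hmac.new(self._master, nonce + app_param, "sha256").digest()

    def register(self, app_param):
        nonce = os.urandom(16)
        key = self._key(nonce, app_param)
        handle = nonce + hmac.new(key, b"handle", "sha256").digest()
        return handle, key  # toy only: a real token hands back a public key

    def sign(self, app_param, challenge_param, handle):
        nonce, tag = handle[:16], handle[16:]
        key = self._key(nonce, app_param)
        if not hmac.compare_digest(tag, hmac.new(key, b"handle", "sha256").digest()):
            return None  # handle was issued for another origin: refuse to sign
        return hmac.new(key, app_param + challenge_param, "sha256").digest()

def browser_sign(token, origin, challenge, handle):
    # The browser, not the page, fills in the origin it is actually showing.
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, token.sign(h(origin.encode()), h(client_data), handle)

def rp_verify(rp_origin, key, challenge, client_data, sig):
    data = json.loads(client_data)
    if sig is None or data["origin"] != rp_origin or data["challenge"] != challenge:
        return False
    expected = hmac.new(key, h(rp_origin.encode()) + h(client_data), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def demo():
    real, fake = "https://corp.bank.com", "https://corp.bank.co.m"
    token = ToyToken()
    handle, key = token.register(h(real.encode()))
    challenge = os.urandom(16).hex()
    ok = rp_verify(real, key, challenge, *browser_sign(token, real, challenge, handle))
    # The look-alike page relays the real site's challenge and key handle unchanged.
    relayed = rp_verify(real, key, challenge, *browser_sign(token, fake, challenge, handle))
    return ok, relayed  # (True, False)
```

The relayed attempt fails twice over: the token refuses a key handle issued for a different origin, and the server would also reject client data that names the look-alike origin.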
Doesn't matter. Google Analytics was used to steal Ethereum seeds too (as the 'referer' also I believe). It's common to use analytics as exfiltration services -- the traffic is not as suspicious and usually https.
There's always a trail. What IP and email were used to register the accounts for the stat tracking sites? What IP was used to register the email account? What are all the IPs that ever logged into those accounts? If the email or account registration or login IPs are VPNs, what IP was behind that VPN (if the provider keeps that information)?
A server doesn't necessarily leave any more of a trail if you purchase one with a good VPN, throwaway email, and some kind of cryptocurrency.
OPSEC is a bit easier when abusing a legitimate service, but I think one of the main reasons to use these stat tracking sites is because it blends in with regular traffic very well. If your organization doesn't have SSL interception, it would be very difficult to find the .npmrc exfiltration in logs or PCAPs. This wouldn't be the case if they purchased a server or registered a domain just for this purpose, even if they used SSL, since traffic to the IP/domain alone would likely be sufficient to confirm compromise.
> There are also military specific parts of GPS that civilian receivers can't access. I don't know if military receivers are ignoring civilian signals, though.
For all intents it's a different system: the packets are encrypted, and the right receiver hardware gives you vastly superior accuracy. There's civilian hardware which can use the packets without decrypting them for better accuracy; there are some patents on doing this, amusingly.
I'm not really in this world, but you'd save more power by recycling aluminium cans (5%+ of US power consumption) than by killing off cryptocurrency mining.
Personally I bring everything I can to recycling points, sometimes even if it's not my own garbage. But I'm aware people don't care.
On the other side the crypto mining is not only the power consumption: it's all the hardware and its production as well. The ASIC antminers can't be used for anything else, are hard to recycle as well and they constantly need to get bigger and faster. For Ethereum, people are buying shitloads of high end GPUs.
I also don't like the idea of storing insane amounts of data, hoping to find correlations to make more money, but this is also nothing I can do anything about.
The answer is a little unfortunate, even though things are said to be worth $xxxxM market cap, but the depth of the market is so shallow that the true value is near zero.
It's worthwhile to note that not a single one of the thousands of "ICO" things that have been launched in the last year has actually done anything of value. They all generate hype, raise money, and then give up and go to work on other things. It happens over and over again with no memory of the past failures, apparently.
That said I wouldn't fault you for believing that a lot of the $xM raised in x ICO just turned out to be largely the creator seeding the pot and a minority of other people buying into something "big". You could even take out a loan, there's nearly zero risk other than the operator of the ICO running with the scratch.
> It's worthwhile to note that not a single one of the thousands of "ICO" things that have been launched in the last year has actually done anything of value. They all generate hype, raise money, and then give up and go to work on other things.
I agree that many ICOs are scams, but I disagree with your statement for the following reasons:
1. Most large ICOs have not been scams, but several have failed (see theDAO). Because you choose a short time horizon (launched in the last year) it excludes both successes like the Ethereum ICO and failures like theDAO.
2. We say "They all" however most of the larger ICOs have not been scams. I only need to provide a single counter-example: look at the Brave ICO.
> It happens over and over again with no memory of the past failures, apparently.
I'd be interested in seeing some examples? What ICOs over 5 million USD in the last year were scams? For the record I don't doubt you can find some.
> It's worthwhile to note that not a single one of the thousands of "ICO" things that have been launched in the last year has actually done anything of value.
I honestly thought there were like a few ICOs to date, and that the whole thing is like a month or two old. Does anyone track these things? A continuously updated list would be great!
Oh no, this has been going on for about a year, with increasingly more ludicrous amounts of money when random people living in exotic countries with questionable jurisdiction are starting companies and without any product, just a whitepaper (so a PDF file with some nice pie charts and buzzwords), raise tens of millions of USD in exchange for blockchain tokens which then get traded on exchanges where speculators further drive up their price.
It's becoming especially more concerning now that we have one-man companies raising hundreds of millions of dollars in a couple of hours/days. This can't end well.