I can see where you are coming from, and I wouldn't be surprised if the same argument is used by the company. If that is the case, oh well, I wish them well, but I would never be this naive again.
There is just one point that you might have missed.
The patent work doesn't stop the moment you finish filing. In fact, almost all valuable patents will be challenged in court, which can cost a LOT of money. In those cases, the company would have to hire back the original inventors to defend them in court, for which the original inventors can charge almost an arbitrary amount of money.
In my personal opinion, it would not be wise for the company to argue over a pocket-change amount of money if it risks destroying the relationship between the company and the inventor. If that is really the case, when the day comes that the company needs help, the inventor would not hesitate to charge an exorbitant fee just to spite the company. I honestly believe this is why @smoyer in the other comment is still getting paid by his company even though he is no longer employed.
Last but not least, on a human level, I feel it is a bit unfair given how much extra I worked for these patents, above and beyond my call of duty. I'm not going to cry over it, but it will leave me in a pretty bad mood. If I end up getting screwed over, well... let my experience serve as a lesson for the rest of the aspiring inventors in similar situations in the future.
> the company would have to hire back the original inventors to defend them in court
What makes you say that? I'm genuinely curious. I'm the named inventor on a few patents for a previous employer that were all granted after I left. It never occurred to me that they would continue to need my services (nor have they).
BTW have you asked your previous employer about the situation? My guess is that @smoyer's situation is fairly rare and the company will likely consider it a perk rather than an entitlement. It's not clear there would be any harm in asking though.
I have friends who have gone through this experience. I was pretty surprised too that the company was willing to pay so much to defend their patents. Granted... my friend's rate was fairly reasonable... I think between $500-$1000/hour in probably the early 2000s.
It really depends on the patent at the end of the day. If a company can potentially lose tens or hundreds of millions over a lost lawsuit, spending a million on legal defense would be very reasonable.
I have not talked to my employer about this. I wanted to get some collective wisdom from the HN community before approaching them. But yeah, I'll definitely give it a shot. It doesn't hurt to ask.
Good point! I'll check to see if any of my friends can get me a copy of the patent policy.
I wonder how legal it is in the state of California to bar people from getting their reward simply because they are no longer with the company. Patent approval has nothing to do with employment status. This seems a bit unfair, to be honest.
Further, they specifically asked me for help AFTER I left the company. I agreed to help as a good-will gesture. I wish I could've clarified the reward policy back then.
Out of curiosity, I checked our policy. The people who can get monetary awards at my company are:
- active employees, and
- retired employees who retire with eligibility for retiree health benefits (my understanding is that this is, approximately, people who worked for the company for 20 years or more), if they provide requested assistance to the company to get the patent issued after their retirement.
So at my company, if you just left without having been here for a long time, they wouldn't give you the money after you left. (This is what I thought, and good to know in my case since I have a few patents in the pipeline myself...)
Furthermore, there is no mention that "this is different in California". We employ people all over the country including in California, and a lot of our policies do call out California specifically because it does have different laws, so I suspect there's nothing special about California here. (I am not a lawyer.)
A unique password, 2FA, AND a unique email address.
I use https://lastpass.com/ for generating passwords. $12/year and works on Linux & Android. Would prefer open source, but nothing else comes close. I tend to generate 32 char passwords with a mix of upper, lower, number, and special. Only a few websites insist on shorter passwords - or have character restrictions.
It does make logging in to some frequently used sites a bit of a pain (looking at you PayPal!) but I think it is worth it.
On to unique email addresses. I do this for two reasons.
1. Allows me to easily see where an email has come from & filter if necessary. I can tell if your company has leaked / lost / sold my address.
2. If I have reused a password, a database leak doesn't compromise other sites. An attacker doesn't know the login details for LinkedIn based on my GoToMyPC email.
I tend to use something like lnkdn@ mydomain / gtmypc@ ... / twttr@ ... - but if your mail provider lets you use a catch-all, it can be anything you like.
One word of warning - it really confuses people when you give the email over the phone! I usually say "I'm creating a unique email address for you so that the message doesn't go into spam. Ok? sound of me hitting random keys It's yourcompany@ ...."
KeePassX (https://www.keepassx.org/) is a free and open source password manager. Having never tried LastPass I can't vouch that it's feature compatible, but it covers all my needs.
I did look at KeePassX - but it doesn't seem to have reliable autofill in Chrome & Firefox (where I use 99% of my passwords). It also means I have to manually synchronise the database between phone, PC, etc.
I just keep the keepass.db file in a cloud storage folder that is synced across devices. Works perfectly and because of the encryption it hardly even matters that cloud storage is (currently) on a US server.
The "perform autotype" option in KeepassX Linux seems to work well enough for me in Firefox, Chromium and most applications (it basically seems to send <user><TAB><password><ENTER>, which usually does the trick--and afaik it has some settings you can tweak when it doesn't, but I never bothered with those).
But if Lastpass works for you, that's cool. Getting to use a password manager in the first place is the most important step, IMHO.
> I did look at KeePassX - but it doesn't seem to have reliable autofill in Chrome & Firefox
It does have browser integration, for both Chrome (ChromeIPass extension) and Firefox (KeeFox extension). Both extensions work via the KeePassHttp plugin. Works well on Arch Linux.
I meant KeePass (http://keepass.info/) when writing about browser integration (in my case I run it on Mono), not KeePassX. KeePassX is a very simple app in comparison with KeePass, so I prefer KeePass over KeePassX.
Now invoking it by saying genpw would generate a pseudorandom string 16 characters long. You could specify the length by passing a parameter to it, e.g. genpw 8.
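The genpw function referred to above is not reproduced in this thread. The following is an added example, not code from any commenter, of the same idea in Python: a generator that draws every character uniformly from a chosen alphabet using the `secrets` module, and that can honour the per-site constraints mentioned earlier in the thread (required character classes, forbidden characters, shorter maximum lengths). The default classes and the special-character set are my own assumptions.

```python
import math
import secrets
import string

# Constructed character classes; the special set is an assumption and can be
# narrowed with `exclude` for sites that forbid particular characters.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT_CLASSES = ("upper", "lower", "digit", "special")


def _pools(classes, exclude):
    """Per-class character pools with forbidden characters removed."""
    pools = {c: "".join(ch for ch in CLASSES[c] if ch not in exclude) for c in classes}
    for c, pool in pools.items():
        if not pool:
            raise ValueError(f"class {c!r} has no characters left after exclusions")
    return pools


def satisfies(password, classes=DEFAULT_CLASSES, exclude=""):
    """True if the password uses only allowed characters and hits every class."""
    pools = _pools(classes, exclude)
    alphabet = set("".join(pools.values()))
    return all(ch in alphabet for ch in password) and all(
        any(ch in pools[c] for ch in password) for c in classes
    )


def genpw(length=16, classes=DEFAULT_CLASSES, exclude=""):
    """Return a password of `length` characters containing at least one
    character from each requested class.

    Rejection sampling is used instead of "pick one from each class, then
    fill the rest": the result is uniform over all strings that satisfy the
    constraint, with no positional bias, and `secrets` supplies CSPRNG bytes.
    """
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    pools = _pools(classes, exclude)
    alphabet = "".join(sorted(set("".join(pools.values()))))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in pools[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length=16, classes=DEFAULT_CLASSES, exclude=""):
    """Upper bound on entropy in bits: length * log2(|alphabet|).

    The class constraint discards a small fraction of strings, so the true
    figure is marginally lower; for realistic lengths the difference is tiny.
    """
    alphabet = set("".join(_pools(classes, exclude).values()))
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(genpw())                      # 16 chars, all four classes
    print(genpw(8))                     # shorter, for sites that cap length
    print(genpw(32, exclude="0O1lI"))   # avoid visually ambiguous characters
    print(f"{entropy_bits(32):.1f} bits")
```

Rejection sampling costs a few retries at short lengths (for 4 classes and length 8 roughly half of the candidates are accepted) and essentially none at 16 or 32 characters.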
O...K... but where do you store them? How do you sync them between devices? How do you auto fill them in the browser? How do you change them when a service is compromised? How do you securely share them with other users?
LastPass does all of that. And I don't even have to drop into the terminal.
I feel like it's almost certain that Lastpass is owned, as are other popular online password stores.
No security is perfect; all you can do is make it more expensive than it's worth to the attacker.
How much would it be worth to have all the passwords to every account of every Lastpass user? Does Lastpass really have the resources and skill to protect something that valuable? Is it even possible?
Well as long as you 'feel' that way, it must be true.
Lastpass (supposedly) stores the encrypted password vault, never the decrypted. Decryption occurs on the user's end. You would need to either have a keylogger on the target user's machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply breaking in and accessing Lastpass's storage.
I say supposedly because I do not know of any 3rd party verification.
> You would need to either have a keylogger on the target user's machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply breaking in and accessing Lastpass's storage.
That reasoning only holds if it's in fact significantly harder to compromise the software than it is to "simply break in and access Lastpass's storage". If you believe that might be possible, then the security of your password vault basically depends on the differential difficulty compared to "simply break in and compromise the login form / browser extension / update channel to make it do <whatever>".
My point is not that this would be easy, rather that if someone went as far as to break in and grab the storage[0], given the sheer value of the data, the barrier to go a step further and compromise the software isn't big enough to make me go "okay well that's all right then, that might happen, but this surely won't".
The biggest difference in risk between those two scenarios is that yes, some cybercriminal that is "just poking around" might more easily stumble upon access and just grab the vault than set up a compromised login form and wait--not so much more difficult, but just more effort.
[0] which I agree is fair to trust Lastpass to have properly encrypted, because if you can't trust the people you pay $12/year to keep your most sensitive data secure, then who can you trust?
I didn't make that claim; why add that attitude to an otherwise pleasant conversation?
When disagreeing, please reply to the argument instead of calling names. E.g. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
Yes you did make that claim. You said that you feel there is a high likelihood that lastpass is compromised. You have no evidence or proof of this, just a gut feeling presented as some sort of fact or 'just asking questions.'
"I feel like it's almost certain that Lastpass is owned"
I use LastPass, but I'm still fearful about it. It's such a rich target, and all a hacker would really have to do is to intercept when you put your decryption key in and send it off to their own server. Then they'd have access to all your accounts. They'd have to put that backdoor into the extension, but the point is, it's doable, and most people wouldn't have any way of knowing that it happened.
"LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?
No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.
The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back."
The point was "all a hacker would really have to do is to intercept when you put your decryption key in and send it off to their own server" (emphasis added).
However this is more about keeping the Lastpass software secure than it is about keeping the encrypted user vaults secure. The documentation you quoted really obscures this by use of the passive voice, casting the end-user somehow as an active agent deliberately doing all the encryption/hashing and sending, implying that they are in full control :) Try this on for a change:
"LastPass says they never receive my Master Password. Doesn't the LastPass Software send it to the LastPass servers when I log in?
No, when you login to LastPass, the LastPass Software generates two things when you give it your Master Password, before the LastPass Software sends anything to the server: the password hash and the decryption key. The LastPass Software does all this locally.
The LastPass Software sends your password hash to our servers to verify you. Once verified, our server sends back your encrypted Vault. The LastPass Software only sends your hash to our server, not your Master Password that you just entered into the LastPass Software.
The LastPass Software then uses this decryption key, which should NEVER leave your computer, to decrypt your Vault once it comes back."
-
The above is IMHO a much better way to word the same documentation, since it doesn't try to gloss over a rather important part of the attack surface. It's not really fair to on the one hand congratulate a user for being security-aware enough to use a password manager, but then ignore this part. Good security software documentation should proudly present the last few exposed parts of the attack surface, especially if they are minor ones, so that a user can assess the limits of their trust--there are always limits, no sense in pretending there aren't, and it's better to know them so that the user gets to decide what they're okay with.
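The quoted documentation describes the client deriving two separate values from the master password, sending only one of them (the authentication hash) to the server and keeping the other (the vault key) local. The following is an added example, written for this thread and not LastPass's code, of that split in Python. The KDF parameters (PBKDF2-HMAC-SHA256, the e-mail address as salt, 100,000 iterations, one further round for the auth hash) and the sample user are my own assumptions, and the vault cipher is a small HMAC-based keystream with a separate MAC tag, chosen only to keep the example dependency-free; a real client would use a standard AEAD. The point it makes is the one the comment above makes: the server record cannot decrypt the vault, so what remains to attack is the client software that holds the key.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 cost; not LastPass's real setting


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: the key that decrypts the vault. Never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way round over the vault key: safe to send and store,
    and not invertible back to vault_key by the server."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: bytes) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC construction (illustration only, see lead-in)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Holds only what the client sends: auth hash and encrypted blob."""

    def __init__(self):
        self.users = {}

    def register(self, email, auth_hash, encrypted_vault):
        self.users[email] = {"auth_hash": auth_hash, "vault": encrypted_vault}

    def login(self, email, auth_hash):
        rec = self.users.get(email)
        if rec is None or not hmac.compare_digest(rec["auth_hash"], auth_hash):
            return None
        return rec["vault"]


def client_login(server, email, master_password):
    """The flow in the quoted docs: derive locally, send hash, decrypt locally."""
    vault_key = derive_vault_key(master_password, email)
    blob = server.login(email, derive_auth_hash(vault_key, master_password))
    return None if blob is None else decrypt_vault(vault_key, blob)


def demo():
    # Constructed sample user; nothing here is real account data.
    server, email, master = Server(), "alice@example.com", "correct horse battery"
    vault_key = derive_vault_key(master, email)
    server.register(email, derive_auth_hash(vault_key, master),
                    encrypt_vault(vault_key, b"github: hunter2\nbank: s3cret"))
    stored = server.users[email]
    try:
        decrypt_vault(stored["auth_hash"], stored["vault"])  # server's view
        server_can_decrypt = True
    except ValueError:
        server_can_decrypt = False
    return {
        "plaintext": client_login(server, email, master),
        "wrong_password": client_login(server, email, "wrong"),
        "server_can_decrypt": server_can_decrypt,
    }


if __name__ == "__main__":
    print(demo())
```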
I am switching away from unique mail addresses … I used a mix of catch-all and plus characters:
The former reduces the efficiency of your spam filter, the latter is not (fully) supported by many websites. AirBnB for example allowed me to set a mail address with a plus character, however, login did not work anymore, so I was locked out and had to create a new account … AirBnB support refused to change my mail address since they apparently did not get the plus character 'trick'.
In my experience adding the domain of the recipient often leads to problems.
Rep: "Can you verify your email address?"
Me: "er, em-verizon@example.com"
Rep: "Hey, I didn't know you worked for Verizon!"
Me: "no..."
And now the call gets excruciatingly slow and unfriendly because the rep thinks I'm trying to hack something.
Also, more than one web forum has silently binned me until I removed the domain from my email address. Had one where I could post for a few days, then the admin deleted me and sent that email address a crazy anti-spam rant thinking I was a bot.
I still like using unique email addresses but I make sure they're obscure.
I use the domain backwards, e.g. nozirev@mydomain.com. Customer service agents don't notice, and it's easy for me to tell where the email was supposed to have originated.
Yep, I highly recommend LastPass as well. The password generation, sync, platform support, and browser extension features are great. It's fairly easy to set up exclusion filters for not remembering passwords, as well as controlling whether matching works on the first level domain (*.domain.com) or the exact host. The former generally works well for most sites, but the latter is essential for my own domains (where I have multiple different services, accounts for testing, etc).
I've been using a catch all domain for at least 15 years. One thing I learned early is to use a subdomain, which avoids getting dictionary spam attacks.
For the last many years, I just forward it to a gmail account, where there is a corresponding filter to label it into an "accounts" group. I get essentially zero spam to this.
Also, I've had multiple times where it confused reps as well. It's kind of funny when it happens, but also sad that having "theircompany@sub.my domain.com" makes them go "oh, did you used to work here or something?".
What provider do you use that allows for catch-all? I really like GMail but the lack of support is really annoying, and a lot of sites & dump leaks are beginning to ignore the "+word" notation for email addresses.
If a lot of people start doing this thing, then it will be trivial for an attacker to figure out that name+service1@domain can be changed to name+service2@domain.
"service1" could be generated randomly as well, and stored along with the password in a password manager.
Another nice property of this suffix is that one can identify who gave away their email address / which site it was scraped from when receiving spam; not sure where I have seen this written down originally.
I think when spammers see a "+" they just strip everything after it down, i.e. me+spam@example.org -> me@example.org. Not to say many sites just don't accept "+" (or, worse, cease to accept such addresses).
Unique, non-guessable, machine-generated addresses are the way to go (do with emails just like password managers do with passwords), but no common person can use those, because they'll need a domain and self-hosted MDA.
Then I could just make my rand(service1) chars larger. No point in adding it to the email address at all. Email leak (privacy) is an issue that this could help with, but I do not see any benefit in terms of securing my account.
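Several comments above (the lnkdn@/gtmypc@ scheme, the objection that name+service1 reveals name+service2, and the suggestion to generate the service part randomly) describe the same mechanism. As an added example that is not any commenter's code, the following Python builds a per-site local part that is deterministic for the owner but unguessable without a secret, by HMAC-ing the service name; it also does the thing the thread prizes most, attributing spam to the service that leaked the address. It assumes a catch-all domain, as discussed above; the domain, secret and mail samples are constructed for the example. The address does not contain the owner's name, so the "change service1 to service2" problem goes away.

```python
import base64
import hashlib
import hmac

# Constructed values: in practice the secret lives in the password manager
# next to the site's password, and the domain is a catch-all you control.
SECRET = b"constructed-example-secret"
DOMAIN = "example.com"


def alias_for(service: str, secret: bytes = SECRET, length: int = 10) -> str:
    """Unique, non-guessable address for one service.

    HMAC(secret, service) is truncated to `length` base32 characters, so
    knowing one alias gives no information about any other, yet the owner
    can regenerate it at will without storing a table.
    """
    tag = hmac.new(secret, service.strip().lower().encode(), hashlib.sha256).digest()
    local = base64.b32encode(tag).decode().lower().rstrip("=")[:length]
    return f"{local}@{DOMAIN}"


def identify_source(address: str, services, secret: bytes = SECRET):
    """Which service was this recipient address issued to? None if unknown."""
    address = address.strip().lower()
    for service in services:
        if hmac.compare_digest(alias_for(service, secret), address):
            return service
    return None


def leak_report(messages, services, expected_senders, secret: bytes = SECRET):
    """Return (service, sender) pairs where mail reached a service-specific
    alias from a sender domain that service is not expected to use, i.e.
    the address was leaked, sold or scraped from that service."""
    findings = []
    for msg in messages:
        service = identify_source(msg["to"], services, secret)
        if service is None:
            continue
        sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
        if sender_domain not in expected_senders.get(service, set()):
            findings.append((service, msg["from"]))
    return findings


# Constructed inbox sample for the demo below.
SERVICES = ["linkedin", "gotomypc", "twitter"]
EXPECTED = {"linkedin": {"linkedin.com"}, "gotomypc": {"gotomypc.com"}, "twitter": {"twitter.com"}}
MESSAGES = [
    {"to": alias_for("linkedin"), "from": "notifications@linkedin.com"},
    {"to": alias_for("linkedin"), "from": "promo@casino.example"},
    {"to": alias_for("twitter"), "from": "info@twitter.com"},
    {"to": "random@" + DOMAIN, "from": "spam@bulk.example"},   # alias never issued
]

if __name__ == "__main__":
    for s in SERVICES:
        print(s, "->", alias_for(s))
    print(leak_report(MESSAGES, SERVICES, EXPECTED))
```

Because the alias is a function of (secret, service), the owner can rebuild the mapping from the secret alone; the "random suffix stored with the password" approach in the thread is equivalent but needs the table.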
How do you generate new emails? Say I see a new website and need a new email. What do you do? Is there a Chrome extension that can do it with one click?
My personal domain is set to forward all email to my Gmail. Since Google is my registrar, it's expectedly simple to configure this. I haven't set up outbound addresses; services rarely need email sent to them, and replying from my Gmail hasn't caused me any problems yet.
Yeah but doesn't prevent the attack. Username is still in the email address. Ideally I'd like <domain>+<nonce>@gmail.com that forwards all to my email.
I use the excellent 1Password, syncing over WiFi with my phone as the source of truth for my vault. 2FA enabled for everything that supports it and backup codes stored physically. Works great and password managers are one of the few times when something is both more convenient and more secure.
Also, use 2FA wherever available. Google Authenticator is good enough.
Store your backup codes somewhere safe (your keepass db, for example. Although that goes a bit counter to the point of 2FA, if someone cracks your keepass db, you're pretty screwed regardless).
This is not a problem with 1Password, which syncs TOTP keys as part of your secure keychain, making it easy to use multiple devices, or even just your desktop.
Not only do you get the same issue with SMS authentication (have to set it up again when you get a new number), but on top of it SMS auth is not as readily available and has proprietary requirements (namely, you have to have a mobile number with text support, it has to be available at your current location, it may cost money, the auth service has to support whichever country code you're under, ...).
Also, as other people mentioned, it's technically possible to back up your initial seed.
SMS auth is a disgrace, when we have 2fa standards.
Using KeePassX/LastPass/1Password is a bit problematic. They become a single point of failure. Someone can get my master password (https://github.com/cxxr/lostpass) or can pwn LastPass. To improve that, my passwords become <last_pass_gen_pass> + <random_nonce_that_i_know_how_to_generate_in_my_head> + <helper_password>
I divided accounts into tiers:
Tier0: The most important account: Macbook, Gmail, Github
Tier1: Still important, but not as much as Tier0: Youtube
Tier2: I don't really care.
Tier3: Testing accounts for local dev server: Single simple password like qwerty1234.
I just need to remember 5 passwords (Gmail, Macbook, Github, LastPass, helper password). I think this strategy gives a nice balance between convenience and security.
It's not a terrible idea, but it does fall apart if you need to change one of the passwords (say, because you were using this strategy for a number of services including gotomypc). Now you need to have multiple master passwords, or you need to increment the service name (gotomypc2?), and then you're remembering the increment as well as the service and master password.
It's a cute trick, but I don't think it really scales well for the number of accounts we tend to have these days, and the frequency with which passwords must be changed due to hacks, password aging policies, validation ("must have 1 punctuation character"), etc.
As for entropy, it's limited by the master password, and whatever obscurity the hashing and service name provide. If you have a short master password, you're not getting as much uniqueness as you might think by looking at the length of the hash output.
In addition, I try to use different E-Mail addresses whenever I sign up; a catchall makes sure they end up in the same inbox. This might not stop a sophisticated targeted attack, but it should throw off a lot of automated runs since the email they got is seemingly not used at another service. A little obscurity to strengthen the rest of my security ;)
No, only once to decrypt the LastPass database. You can even set it to only ask every 30 days; however, I feel that this defeats the security features a little.
I use https://www.passwordstore.org/ to generate passwords which are then encrypted using my GPG keys. My passwords directory is a git repo which I sync to GitHub. Since I don't possess a Yubikey or similar, I've stored a copy of my secret key in Protonmail.
KeePassX and Syncthing over WiFi. No browser add-ons. I decided to give it a try after the LastPass acquisition to see how feasible it was, and haven't looked back really. It helps that I'm mostly on Android mobile devices. KeePass2Android is what I use on the phone.
I use a password safe file (https://pwsafe.org/) in which I store randomly generated passwords per site, and I have a strong password on the safe itself.
I like this as a solution as it's not dependent on any third parties like cloud services, it's pretty portable and I have a unique password per site, so I'm not really that bothered when the inevitable breaches happen.
Downside to this approach is that I have to have a device which has the password safe to hand to use it (there are clients for Windows/Linux/Mac/iOS/Android), I'm responsible for managing the file and if I lose the file + passphrase I'm stuffed :)
I have a "things I don't care about password" that's long, easy to type, and easy to remember. It's about 20 characters, which is sufficient for most services that don't have two-factor authentication, but annoying because some archaic systems STILL have a maximum password limit for ridiculous reasons that suggest one-way hashes are not being used.
Wherever two-factor is available, it's turned on. Usually through my phone, which has its own passcode and won't display text messages on my screen. I'm curious as to how secure this really is, but I suspect this is reasonably difficult enough to hack that someone would have to be targeting me specifically to be able to reliably pull my SMS token out of the air and match it up to my login before I used it within a few seconds and invalidated it. If someone decides to target me specifically, I have bigger problems.
For my email, my banking sites, and all the things that I really would rather someone else please not log into, I have a unique password. This is still long and easy to type; the only advantage of these passwords is that I am sure to not share them in any modified form anywhere else on the internet, which protects against these sorts of cross-site password theft attacks. (Even for my shared password I have a pattern that makes it uniqueish, but that pattern is simple enough that a human could probably reverse engineer it.)
The only real exception to this strategy is things that can be password-less, though that carries its own weirdness. All of my remotely-accessible SSH servers use private key authentication and have passwords enabled for sudo, but don't allow SSHing in using that password. (So they are effectively single-factor for login and userland access, which can still do a lot of damage but requires a computationally difficult key, and two-factor for root access.) This carries its own issues; I have to keep my private key files somewhere, and even if I use multiple keys for each machine I log in from, all it takes is one rogue login to hose my server. I either put all my eggs into one basket by using some sort of encrypted store, or I spread out my attack surface, increasing its complexity, and decreasing the chance that I'll have successfully patched all the holes up. I also don't like that there's no way I could reasonably memorize a private key, so the option of NOT storing it kind of doesn't exist. At best I can try to protect the key in some way.
I only use Apple on a daily basis, so I use the inbuilt iCloud Keychain which syncs my passwords across Apple devices. I use the built in password generator to generate secure passwords that are unique for each website. For the times I do log in to a PC, I can call up my passwords on my iPhone to type them in manually.
Random password, FastMail email alias, fake but plausible name and date of birth, all dumped into 1Password.
Would love to find a credit card which allowed me to offer up fake billing details - obviously the CC provider would need to know who I was, but there's no reason who I'm paying needs to.
I simply use keepassx with the database being synced between all my devices (Linux, Windows, Android) via Syncthing. I also have a scrambled printout in my bank safe (30€/year) that I update every couple of months.
It looks like you can use it for non-commercial purposes but I imagine that they'd make money a few ways: indirectly through publicity and familiarity (the more people are used to having it, the more might use Amazon's commercial version or just Amazon stuff in general), directly (through licensing it for commercial use), and via improvements they make to their service as a result of people using the free version for non-commercial applications (better voice training and interpretation).
That's just a guess but it's similar to what Google does with AOSP and Google Android.
This might be a silly question, but why was there a fork in the first place? The article wasn't as clear on explaining that part. Can someone else elaborate on that part?
A fork on the blockchain will only ever occur if one or more nodes are operating on different rules; the danger of a fork is proportional to the number of nodes that differ on those rules, because it would waste miner resources.
Suppose Node A thinks that a block should be no larger than 1MB, but Node B thinks that a block can be as large as 2MB. When a client presents a 1.5MB block to both nodes, Node A rejects it for being too big but Node B accepts it for being small enough. Since clients and miners ask for new blocks from nodes, anyone that asks for blocks from Node A would not get the 1.5MB block, but would get it if they had asked Node B. If 10% of nodes agree with Node A, then the 1.5MB block could be gotten by a lot of clients and miners, but not all. If 50% agree with Node A, then you have a serious problem in which a lot of people are not going to get the 1.5MB block and a lot of miners will spend their time on it for probably no ultimate benefit.
Thus, the problem does not really begin until any miners start accepting blocks from the chain of blocks that will eventually be rejected by the network generally. Unfortunately, there is no way to tell ahead of time which is the right side of the fork, but this could last for hours. So, fork detection is critical to avoidance of wasting precious mining resources.
All Bitcoin mining clients have to be bug-for-bug compatible with every other client or else you get forks like these. I think the fork in question was caused by a miner running a recently released version (v8.0) of the software who mined a large block that was incompatible with the older versions (<0.7x) of the software.
The miners running the old software didn't recognize the block and instead created their own chain while miners with the new version were working off of that newly mined block.
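The two comments above describe a fork as nodes with different validity rules (here, maximum block size) diverging once a block that satisfies one rule but not the other is mined, and fork detection as noticing that nodes no longer agree on the chain tip. The following is an added example, not code from either commenter or from any Bitcoin client, that simulates that in Python: ten constructed nodes, half enforcing a 1MB limit and half 2MB, receive a 1.5MB block and then keep building on whichever tip they consider valid. Block identifiers are simple strings rather than proof-of-work hashes, and the longest-chain rule is simplified to "highest height wins, first seen on ties".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    parent: str   # identifier of the parent block
    size: int     # bytes
    miner: str

    def block_id(self) -> str:
        # Constructed identifier; a real chain would use the block's hash.
        return f"{self.height}:{self.parent.split(':')[0]}:{self.size}:{self.miner}"


GENESIS = Block(0, "", 0, "genesis")


class Node:
    """A node whose only consensus rule is a maximum block size."""

    def __init__(self, name: str, max_block_size: int):
        self.name = name
        self.max_block_size = max_block_size
        self.blocks = {GENESIS.block_id(): GENESIS}
        self.tip = GENESIS

    def accept(self, block: Block) -> bool:
        if block.size > self.max_block_size:
            return False                     # violates this node's rule
        if block.parent not in self.blocks:
            return False                     # builds on a block we never accepted
        self.blocks[block.block_id()] = block
        if block.height > self.tip.height:   # longest chain wins; ties keep first seen
            self.tip = block
        return True


def broadcast(nodes, block: Block):
    """Offer a block to every node; returns which nodes accepted it."""
    return {n.name: n.accept(block) for n in nodes}


def partition(nodes):
    """Group nodes by the tip they believe in; more than one group is a fork."""
    groups = {}
    for n in nodes:
        groups.setdefault(n.tip.block_id(), []).append(n.name)
    return groups


def fork_detected(nodes) -> bool:
    return len(partition(nodes)) > 1


def simulate(old_count: int = 5, new_count: int = 5):
    old = [Node(f"old{i}", 1_000_000) for i in range(old_count)]   # 1MB rule
    new = [Node(f"new{i}", 2_000_000) for i in range(new_count)]   # 2MB rule
    nodes = old + new

    b1 = Block(1, GENESIS.block_id(), 500_000, "miner-x")
    broadcast(nodes, b1)                       # small block: everyone agrees
    fork_before = fork_detected(nodes)

    big = Block(2, b1.block_id(), 1_500_000, "miner-new")
    accepted = broadcast(nodes, big)           # only the 2MB nodes take it
    fork_after = fork_detected(nodes)

    # Old-rule miners never saw a valid height-2 block, so they mine their own.
    small = Block(2, b1.block_id(), 800_000, "miner-old")
    broadcast(nodes, small)                    # new nodes store it but keep `big` (tie)
    # New-rule miners extend the big block; old nodes treat it as an orphan.
    b3 = Block(3, big.block_id(), 900_000, "miner-new")
    broadcast(nodes, b3)

    return {
        "fork_before": fork_before,
        "accepted_big": sum(accepted.values()),
        "fork_after": fork_after,
        "groups": partition(nodes),
    }


if __name__ == "__main__":
    result = simulate()
    for tip, members in result["groups"].items():
        print(f"tip {tip}: {members}")
    print("fork detected:", result["fork_after"])
```

Running it shows the chain split exactly where the comment says it does: at the first block one rule set accepts and the other rejects, and from then on each side only extends its own tip, which is the signal a fork monitor watches for.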
I hope "living the life" means living how you want it and not really the traditional notion of living luxuriously. I personally want to start a business to have an impact and to build something other people want to use. That would be living the life for me, regardless if I'm sipping Pina Coladas on the beach by noon.
However, this might be changing too...
https://www.wsj.com/articles/chinas-stopchat-censors-can-now...