It doesn't. But judicial scrutiny under a government clearly opposed to him does clear the mislabelling. And how does it even help the discussion here?
Impartiality factors less when the entire Federal government apparatus is used to investigate some one for more than a decade. Also, by that reasoning should we start believing in the principle "guilty before proven otherwise"?
> It does help the discussion here, the comment correctly points out how this literal 1984-esque action plays into the current regime's totalitarian tendencies which go way before the 2002 pogrom and of course their parent org, RSS which is a whole other can of worms.
Who decided that those riots were a pogrom? That term itself is misleading.
I am not a fan of this step but the problems it's designed to tackle are huge in India and it's very much an option unless there are solid alternatives.
> Impartiality factors less when the entire Federal government apparatus is used to investigate some one for more than a decade. Also, by that reasoning should we start believing in the principle "guilty before proven otherwise"?
No, it was a 3 member "Special Investigation Team" and not the "entire federal apparatus" that acquitted him. [0]
"According to R. B. Sreekumar, police officers who followed the rule of law and helped prevent the riots from spreading were punished by the Modi government. They were subjected to disciplinary proceedings and transfers with some having to leave the state. Sreekumar also claims it is common practice to intimidate whistleblowers and otherwise subvert the justice system, and that the state government issued "unconstitutional directives", with officials asking him to kill Muslims involved in rioting or disrupting a Hindu religious event." [1]
> Who decided that those riots were a pogrom? That term itself is misleading.
Hundreds of historians and scholars. [2]
> I am not a fan of this step but the problems it's designed to tackle are huge in India and it's very much an option unless there are solid alternatives.
There are students jailed from 2020 without a trial for protesting against CAA-NRC with the explicit purpose of a "chilling effect" against dissent. People are constantly jailed for simple memes, "hurting religious sentiments" and other vapid reasons on a daily basis and you think this is an end to the means type of situation?
If I had to wager a guess, you don't live in India, advocating for oppression you don't have to go through.
We all hate adverts, some of us don't like or can't pay. Those who pay, have access to a few publications they enjoy. It would be absurd to pay for all the publications, all the streaming services, but we don't want monopolies either. What could be a solution for this madness?
The basic idea is that you as a user can also participate in the ad bidding, and if you win, the ad space will be replaced by a static image. To the website owner this is revenue neutral.
I'm not sure why it was discontinued. I still have fond memories of this service.
Most likely reason why it'd be discontinued is that it makes the rest of the ads less valuable, so to speak.
People who can afford to and are willing to pay for something like this tend to also be the type of people advertisers want to actually target: disposable income, willing to spend, etc.
So instead of contributing to authors, you need to altruistically donate a large proportion of your money to Google in exchange for replacing a single kind of advert? Unlike some other Google products I can very easily see why this was discontinued...
You're paying for websites by viewing their ads. You're paying with unsubstantial things like attention (and bandwidth), which through Google and other Ad providers gets converted to cash for the website.
Google Contributor offered to let you pay cash directly, instead of attention. The website owner gets some of that cash, same as they would if you were shown an ad.
Well, if the revenue remains the same for the author, and it also doesn't decrease for Google, it is implied that their margin will have to also be paid by the person who donates, or else the calculation will not work.
If you're in the United States, your local public library will have newspaper and magazine subscriptions, both digital and print. If your local library doesn't have what you want, you can check larger libraries in your state to see if you qualify for a library card.
Some libraries offer non-resident library cards for a fee (e.g. $50 annually for the New Orleans Public Library).
Your library will also have a wide variety of other media in its catalog, like books, DVDs, Blu-Rays, CDs, video games, maybe even art. If they don't have a piece of physical media that you want, you can request it via interlibrary loan.
It's astounding how radical the public library system is, and it exists to solve the problem you've identified.
I want RSS with micropayments. I want to consume information in my own interface, and am willing to pay. I am not willing to pay for a full subscription to a publication when I only find a few articles a year that I want to read.
I want Spotify for text, but with a business model that makes sense for all involved.
Does somebody remember the service Flattr from a decade ago? You’d set a fixed amount to pay every month. Like a subscription.
Then, this amount got distributed between the sites you visited. If you only visited one site, they would get everything. 2 different websites = 50% each. And so on. This way there were no surprises in your monthly spending. I still see this as a pretty ideal model.
There's that new thing CloudFlare has that lets you set a price for A.I. crawlers, maybe that could be used to set a price for anybody. If the price was reasonable at all I'd have my crawler pay it for maybe 300 articles a week.
If it was trivial for me to spend 5 cents for a one-off article that someone recommended to me, I probably wouldn't mind it at all. Payment processor fees make that essentially impossible, requiring more thought and investment in systems like Flattr to group together the small payments.
We need to decouple online payment infrastructure from the duopoly/oligopoly of private corporations that control how and when users can exchange money online.
What if it’s not so cheap, though? I think the problem is that the ad-tech industry offers publishers more than the median reader will pay, and does so reliably, while all of the alternatives mean they have to convince a whole ton of people who’ve been trained their entire lives that the internet is free to start paying non-trivial sums for previously free content.
I would like to live in a world where we do pay for what we use but I’m not sure how we get there by now.
Maybe you wouldn't mind, but nevertheless, it has been tried and didn't work. Here's how it went for Blendle, which had the New York Times, The Washington Post, The Wall Street Journal, the Financial Times, The Economist, Time, and more on board. It wasn't payment processors that killed it.
They haven't been tried plenty of times, what are you talking about? It's been discussed since the dawn of the Internet and the ideas been around since forever, but actual attempts have been very limited in scope. The rails are there though, they're just not user friendly (http://micropayments.fyi).
How about tasteful magazine-style ads interspersed in between the article's text and meticulously inserted in a way that not only does not harm the UX/design but contributes to it. You know, like it used to be in printed media? Only in the case of the web, the ads must not be taking up most of the web page (like full-page magazine/newspaper ads), and definitely not the entire above-the-fold part of it.
And most importantly, the notion of paying for ads based on tracking impressions and/or any other ways of tracking users needs to die. Cue laughter from the ad-tech majority on this site.
Yes, I am adamant that advertisement contracts must not involve profiling/client-side tracking the end users and their browsers in any way. Ad agencies and news site companies/sites/what have you must work out between them (and possibly a third party) the expected amount of users that are going to see the ad and decide on price based on that, without any client-side tracking.
Well, I dunno what goals you have, but my goals include paying for the content I read and not paying for the content I don't. This is something I already do. Paying multiple parties for access to content isn't some maddening problem where the masses are crying out for a solution. Perhaps I'm utterly missing the point in this thread?
That's well and good, but I don't mean your goals for yourself. I'm asking what our goals are (or what they ought to be) for how people broadly interact with creative works which are easily copyable.
Spotify is actively hostile to artists who intend to use it for income.
Spotify allocates a finite pool of funds to be paid out to artists. Spotify pays the artists whose work they host in proportion to the percentage of the platform's streams which that work generates.
E.g., say Spotify's users streamed 10B songs in 2024. If Taylor Swift is responsible for 1B (10%) of those streams, she would be paid 10% of Spotify's artist fund for 2024.
Recently, Spotify has attracted attention for promoting "ghost music" created en masse by in-house producers. This is done with particular intensity in non-vocal music styles, like ambient and jazz. See [The Ghosts in the Machine by Liz Pelly for Harper's Magazine](https://harpers.org/archive/2025/01/the-ghosts-in-the-machin...) for more details on this.
Spotify stuffs their promoted playlists with this music, and tunes their automated recommendation features to prioritize this music.
This has the dual effect of (1) inflating the number of streams on the platform, and (2) algorithmically crushing the possibility of discovery. This means Spotify cannot be used effectively for promotion (obviously excluding the top .01% most popular artists), and whatever traffic an artist is able to drive to Spotify is devalued.
A decade ago, I was really interested in the idea of using a crypto like what Doge was at the time for this specific use case. Back then, a dogecoin was a fraction of a cent so it was a better fit than its current valuations.
Any individual page impression is only worth a few cents to the publisher anyway. I still think there's a lot of potential value in something similar as infrastructure for facilitating ultra-microtransactions on that scale that don't get completely consumed by credit card processors, etc.
I'm not going to maintain subscriptions to every news source out there, but I'd be more than happy to toss something in the tip jar from a fund I could top-up on a regular basis.
The fact that they chose to tie it to and advertise it as "get paid to see ads" is a significant turn-off in my mind even if the rest of the ecosystem theoretically works in functionally the same way.
In my mind, the entire point is to get away from advertising as a revenue stream entirely. I want to pay for the things I consume. If the advertising market has decided that my page impression is worth less than pocket change, I'd far rather just give that money to the publisher directly and avoid ads being part of the equation.
The core idea behind BAT isn't bad, but the marketing is pretty terrible if you're targeting people like me.
I think it is bad because it legitimizes bad practices of the marketing industry. "How bad could grabbing as much data from the population really be? We're sharing our profits!"
I like that idea. If you opened an article you wanted to read, you could be prompted to pay a few cents. You click "yes", funds are transferred, and you read the article.
In one of his books about intellectual property law, Lawrence Lessig quoted an unnamed French lawmaker as saying, "There are two things Americans need to understand about art: art has nothing to do with money, and the artist must be paid!"
I would be fine with ads if I could block anything that wasn't a simple static image with an obvious link that's off to the side. The software equivalent of what newspaper ads used to be.
Anything with sound or motion, or popups, or interrupts my reading or viewing, or something that notably worsens my user experience, or basically any usage of dark patterns . . . I will block with impunity.
Most news outlets publish basically the same information and only the arrangement and commentary are different. Sometimes they'll even brazenly report on other reporting, paraphrasing enough of the original article that you don't really need to read it anymore.
So one subscription can be enough. Maybe get two at a time if you don't know yet which is best and need a direct comparison.
You're sort of leaving out the fact that ABP launched its own ad network and advertisers had to pay them to get listed as 'acceptable.' It torpedoed their trustworthiness in the eyes of many.
Also, ABP made the setting silently opt-out instead of asking the users. That, and their new diametrically-opposite incentive of whitelisting ads for money made me bail from them.
If at least they had made an easy to use panel to opt-in which kinds of ads you were OK with (Text ads, static images, animated images, silent videos, etc.), it would have helped their case a lot.
I'm fine with this approach as long as it goes both ways. The media organisation's server is theirs, and if they want to put up a paywall or block clients with ad blockers, that's their prerogative.
At no point does uBlock force their server to perform work it wouldn't otherwise. “Blocking clients with ad blockers” isn't a thing, there is only “send information plus instructions for the client to block itself”, and “only send information to logged in users” (and if they're incapable of choosing trustworthy users, that is not my problem).
I didn't say anything about the server doing extra work? And server-side ad insertion definitely exists, but if you want to get pedantic about the delivery mechanism, that's fine, websites have the right to bundle their content with ads and code that makes their ads more difficult to block.
You have a problem. You want to figure out a way to get people to pay for things like news, investigative reporting, art, community and positive externalities.
It's one space where I think some form of microtransaction (in the sub-cents USD) could work: I want to pay per article, not have yet another subscription in the 5-15 USD just because an article interested me.
Media consumption habits changed a lot in the Internet-era, we read articles from many different publications, and only very few of those are of interest enough for someone to spend that amount per month. Instead having a pre-paid system I could top up for paying out per read would be very attractive to me to get rid of a paywall.
I just don't want more subscriptions, we really reached saturation with this model...
Media consumption habits changed because that's how the internet was foisted on people - not necessarily because anybody made a choice or were asked what their preferences were.
After 30 years on the internet, I've gone full circle. I don't want (and won't) pay per article. 99% of the news articles I read come from a handful of trusted websites (a couple of major news outlets, a couple of local news outlets, etc.) and I don't have any problem subscribing to them. There's too much garbage on the internet, and I want the gatekeeping.
I guess that puts sites like HN in an awkward position, though. Some of the content posted here is interesting, but rarely enough that I would pay to read it on some random site. If it's important enough, it'll show up on one of the news sites I pay for.
I've gone full circle and not even internet content, I now subscribe to a few physical magazines and enjoy the act of reading them on paper, it's a very different experience than on a screen.
Similarly to my journey through ebooks back when Kindle launched, got very into it for a while but got tired of not being able to share interesting reads with friends, ended up buying physical copies of ebooks I really liked, and in the end just ditched ebooks to have only physical books on my bookshelves.
Which leaves me in this weird position on the internet, I would like to pay for some of the articles I read from publications I respect but have no need nor will to subscribe to online.
I don't subscribe (with payment) even to websites I trust for their content because I don't trust them for how they track users, and how users are (or could be) tracked everywhere by payment processors via those subscriptions.
Subscribing to a public library where diversity of content is guaranteed but tracking is not per user is fine.
It's a good question, and I can at least say something positive about every solution.
Ads let you make money long before you're big enough to compel subscriptions... but they basically make the least tech savvy people subsidize the rest of us which isn't fair.
Paywalls on everything seems fair, but it means that only some people will see things that everyone should read. Like a critical bit of investigative journalism.
Paywall + free articles per IP address (common solution) is almost good, but it requires every single content producer to polish the system, and IP address isn't the ideal fingerprint. Requiring everyone to quickly register (like Apple sign-in) seems decent, but once again now everyone has to polish this system. Though until you're big you could just use substack/wordpress/whatever.
Bundle subscriptions like Apple News is a decent solution—one of the few times I've paid for news—, but secures the domination for incumbents large enough to appear on Apple News. It doesn't answer the question for anyone else.
Microtransactions seem like they'd be a good way to throw some scraps to even tiny sites you visit once. But I think there's too much psychological overhead that isn't even worth the pennies. Like when you had to click the +1 Flattr button back in the day, even though it was a tiny donation, you'd still find yourself thinking if it was really worth it. Hmm I only read half the article, etc.
I'd partake in a microtransaction system that pays based on the percentage of the article I finished. Some assurance of high-quality journalism would be helpful.
If HN existed as pay-to-play for instance (it probably wouldn't), I wouldn't be opposed to paying based on my usage for the curation - knowing that I'm supporting the creators/authors of the content I'm enjoying. I don't think an unlimited plan makes sense - instead pay per article. I think the amount you pay per should be chosen when you create your account, not every time you open an article. I think this is most fair to the creators and consumers with the least organizational bloat.
They will eventually start pushing ads. Just like Netflix, Amazon prime, etc… Paying a subscription to prevent ads is like paying a ransom: maybe you get lucky and they don’t come back for more in the future. But most all businesses seek growth, forever, so you probably end up with a low tier of a multi-tier subscription offering with ads and increasingly poor quality and costs that go up unexpectedly year on year.
> Paywalls on everything seems fair, but it means that only some people will see things that everyone should read.
The thing is that was status quo for a long time, the paywall being either you sitting down at a restaurant/barber/some other business that already bought papers, or you buying the paper yourself. And this was a worse arrangement for newspapers; distribution costs for a physical paper are catastrophically high compared to web hosting.
I think the major issue is two-fold:
1) Papers' early adoption of the Internet, putting all their content online for free, was ridiculous and unsustainable from minute one. While this is our cultural expectation, that does not mean it is remotely good business and continuing to indulge the consumer that this can be free, for even one or three or whatever arbitrary amount of articles you're willing to "give away" each month is doing nothing but devaluing your product further.
2) In conjunction with the above, if papers are to charge for their reporting again, the quality needs to go up substantially. I don't recall the last time I read an article on even a mainstream, big news organization, and didn't find just like... completely avoidable issues. Typos. Poor grammar. Lack of cited sources or even just outright incorrect information. The pace of news must be allowed to slow because good product takes time to make, and being first if your reporting is shit needs to be derided more directly.
To put it short: News needs to be comfortable to take time to dig into issues, not simply be in a mad rush to cover everything first no matter how shitty the cited information is, and it has to be ready to stand behind a paywall and just... be real with people. If you want quality news, you need to be willing to pay for it, full stop.
The only other solution I can picture is independent news organizations that are funded by the taxpayer but not beholden to the government, as an American looking at my own government right now... I mean I think it's likelier we'll cure all forms of cancer by Thursday.
Well yeah, sort of. Note that the credit card companies mostly function as tech providers for the actual banks, who get a bunch more of the money.
And there are a bunch of fixed costs that emerge in running payment networks at scale (mostly related to fraud and disputes), so micropayments are a hard sell.
Possible that someone could try again with stablecoins but I'm still sceptical it would work. Like, I'd pay for it but I already pay for a bunch of newspapers monthly.
The business model is broken, and, arguably, so too is the business environment--there's many angles from which it appears capitalism is no longer serving the public good. If we replaced it with another -ism, what might it be, and how might that support information and knowledge for the public good?
Obviously the solution is embedded video ads that float over top content that play with sound enabled by default and tiny little x button about 3 pixels wide and 50% transparent in one of the corners /s
The real answer is that we need a universal web currency, and a tracker that pays web pages on view.
There would be 2 webs. A free web, and a paid web. The paid web would set a cost per page and if you wanted to view the page you would pay the cost.
No more month to month flat fee, if you watch non-stop videos, you pay non-stop video prices.
No more unlimited anything on the paid web, but the trade off would be that there are no more ads.
Of course, the paid web would hate the existence of the free web and spend untold fortunes to destroy it, as any time you can get something for free instead of paying for it is a potential loss of income for them.
> No more unlimited anything on the paid web, but the trade off would be that there are no more ads.
The assumption that publishers wouldn't double, or triple dip is absurd. If you've read any recent magazine you'll notice half of it is advertisement. You'd essentially end up with a paid web _and_ ads.
That depends on the degree to which a nation is entangled in foreign trade and security and the threat it faces from foreign aggressors. The US of course being one of the most integrated, most meddling and most targeted nations in the world.
Averting threats from abroad is sort of important. E.g. a more capable foreign intelligence organization could have averted 9/11, and with it, an avalanche of changes in the way US citizens live and are governed.
I agree, but the CIA is quite out of line, quite a lot of times. Specifically in its current iteration, I do not see the agency being high up in the absolute requirement for the capacity to govern.
> but the CIA is quite out of line, quite a lot of times
More than other intelligence agencies? Extant or historical?
Intelligence is messy. Here. And among our enemies. We have to contain that messiness domestically, to keep it from consuming us. In that way, it's analogous to our immune system. And just like our immune system, turning it off means all the other out-of-line elements around the world now have easy pickings over you.
The CIA has been more destructive than other modern agencies because it's far reaching. It's not more evil than other ICs. Just more capable. I'm not thrilled to learn who occupies that vacuum if the CIA goes away; almost by definition, it won't be anyone benevolent.
> Some 9/11 attackers were CIA assets and protected from FBI/police scrutiny as such
Citation seriously needed. This is untrue unless the words you are using are not to be understood in any sense common to English speakers. The most generous fact based interpretation I can give it is that Saudi financiers were underscrutinized for political reasons, resulting in missed opportunities to stop the attacks. The actual attackers were not CIA nor FBI assets.
> The most generous fact based interpretation I can give it is that Saudi financiers were underscrutinized for political reasons, resulting in missed opportunities to stop the attacks.
We more or less agree. "Asset" does not mean card-carrying CIA agent.
I think if the US had an intelligence strategy prioritized around protecting the homeland rather than interfering in distant lands, it is highly unlikely that 9/11 would have succeeded.
Keep in mind 9/11 was a godsend for the latter strategy. PNAC was begging for a new Pearl Harbor to increase defense/IC spending just months before it happened.
> if the US had an intelligence strategy prioritized around protecting the homeland rather than interfering in distant lands, it is highly unlikely that 9/11 would have succeeded
Sure. That still doesn’t implicate the CIA in a domestic intelligence failure.
The CIA didn’t aid and abet 9/11—I frankly thought this nonsense died a decade ago.
Or it could have sat on that information in full knowledge that something like 9/11 would enable an avalanche of changes in the way US citizens are governed that increase the power of said foreign intelligence organization...
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n' pop bank, but the biggest or second-biggest bank in France.
> My bank insists on exactly 6 numbers. Not characters, numbers.
When I see this kind of thing I suspect that it's a web app that's simply a proxy for some mainframe screens that were written in the 1990s (or earlier).
I remember at least one major US bank saying that the reason they only allowed short passwords was indeed that it was the limit for login passwords on their mainframe.
I was sure this was complete bullshit because even if everything is handled on the mainframe a user using their online banking would not be logging on to the mainframe. The online banking password is a credential for the bank's application(s) that run on top of the mainframe's system software.
When a new customer signed up for an account the bank would not create a new mainframe user account for that user. A bank customer account would just exist in the bank's database and would be completely independent of actual mainframe user accounts. If the online banking password needed to be stored on the mainframe it would be in one of the bank's tables, not wherever that mainframe's system software stores passwords.
I mentioned this somewhere and someone who actually worked on bank systems commented that some banks actually really do have a mainframe user account per bank customer account.
I think that doesn't actually change my point that blaming a short online banking password limit on mainframe system software limitations is complete bullshit.
Users are not asked for their password when they use non-online banking, such as at ATMs or through a teller at the bank. This shows that the bank does have interfaces that allow performing all the normal functions a customer needs to do without the customer needing to supply a login password.
Online banking is going through a web server. The web application should be using those interfaces that don't require a customer mainframe login to work. The password the customer supplies to the web interface should be a credential for the web interface and be completely separate from any mainframe login password.
The pathways and decisions made might be unintuitive and effects can linger even after the original reasons no longer apply.
Where I work, usernames are still limited to 8 characters because some old unix platforms didn't support more than that. I'm virtually certain that none of those are still in use today, but the requirement was baked into user provisioning in ways that would be expensive to change, so they keep with it.
My hunch is that the idea that some banks have a mainframe user account per bank customer is a red herring, and that the real answer is that the customers are indeed in a separate database table. But that database is a mainframe database, and the field is a fixed width that maybe could be changed but the mainframe admins see no reason to.
As I understand it, the thing with "click the number" codes is that it is a protection against keyloggers. The numbers are usually scrambled and when you click on it, you don't send the code but the position of the numbers you clicked. So for someone to get your code, you need both a screen capture and the position of mouse clicks.
So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc... including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them so they will try to push you to other solutions, usually an app.
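A server-side model of the scrambled click-to-enter PIN pad described in the comment above. This is an added example, not code from the thread or from any bank: the server draws a fresh random layout of the digits 0-9 per login attempt, the browser reports only which key positions were clicked, and the server maps positions back to digits, so a keystroke log (or a captured submission without its layout) yields positions that do not by themselves reveal the PIN. The six-digit length, the plaintext comparison and the layout format are assumptions made to keep the model short; a real system would compare against a salted hash.

```python
"""Model of a scrambled numeric PIN pad: positions are sent, not digits."""
import hmac
import math
import secrets

DIGITS = "0123456789"
PIN_LENGTH = 6  # assumed; the comment describes a 6-digit code


def new_layout():
    """Return a fresh random permutation of the ten digits for one login attempt.

    The layout is stored server-side (e.g. in the session) and rendered as the pad.
    """
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)  # CSPRNG-backed shuffle
    return "".join(digits)


def client_click(layout, pin):
    """What an honest browser sends: the pad positions of each PIN digit, not the digits."""
    return [layout.index(ch) for ch in pin]


def positions_to_pin(layout, positions):
    """Map clicked positions (0-9) back to digits using this attempt's layout."""
    if len(positions) != PIN_LENGTH:
        raise ValueError("wrong number of key presses")
    if any(not 0 <= p < len(layout) for p in positions):
        raise ValueError("position outside the pad")
    return "".join(layout[p] for p in positions)


def verify(layout, positions, expected_pin):
    """Reconstruct the PIN from positions and compare in constant time.

    Plaintext comparison is a simplification for the model only.
    """
    return hmac.compare_digest(positions_to_pin(layout, positions), expected_pin)


def pin_entropy_bits(length=PIN_LENGTH, alphabet_size=len(DIGITS)):
    """Entropy of a uniformly random numeric PIN: log2(10**6) is about 19.9 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    layout = new_layout()
    clicks = client_click(layout, "123456")
    print("layout", layout, "clicks", clicks, "ok", verify(layout, clicks, "123456"))
    # The same clicks replayed against a different layout reconstruct a different PIN.
    print("replay on another layout ->", positions_to_pin(new_layout(), clicks))
    print("PIN entropy bits", round(pin_entropy_bits(), 2))
```

The design point is in `positions_to_pin`: the mapping lives only on the server for the duration of one attempt, so a captured position sequence is worthless against the next attempt's layout. The last function makes the other half of the comment concrete: the scrambling raises the cost of capture but does nothing for guessing, since a six-digit code is still under 20 bits.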
Yup, keylogger defense. I've seen a system with a full virtual keyboard to let you type anything without hitting a key--explicitly as a security measure. Fixed keyboard, though, I've never seen one with randomized targets. Capturing everything would be an awful lot of data for malware to export so I don't think screen capture is much of a risk.
Royal Bank of Canada (at least until recently, haven't been a customer for a while) just silently truncates your password. Discovered this when I thought I saw the number of masked characters go down, and then entered my password with one less character and logged in. (This was on mobile)
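Silent truncation, modelled as an added example (not the bank's code): `truncating_verify` cuts the input to a fixed width before hashing, which is the behaviour the comment observed, `safe_verify` hashes the full string, and `detects_truncation` is the check the commenter effectively performed, logging in with the last character removed. The 16-character width is an assumed stand-in for whatever limit the real system has; the hashing parameters are ordinary PBKDF2 choices, not anything the page specifies.

```python
"""A truncating password verifier beside a correct one, plus the truncation check."""
import hashlib
import hmac
import os

MAX_FIELD_WIDTH = 16  # assumed fixed-width field; the real limit is not known


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password as given (no length handling here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def truncating_register(password: str):
    """Weak: silently drops everything past the field width before hashing."""
    salt = os.urandom(16)
    return salt, _hash(password[:MAX_FIELD_WIDTH], salt)


def truncating_verify(record, attempt: str) -> bool:
    """Weak: any attempt sharing the first MAX_FIELD_WIDTH characters is accepted."""
    salt, digest = record
    return hmac.compare_digest(_hash(attempt[:MAX_FIELD_WIDTH], salt), digest)


def safe_register(password: str):
    """Correct: hash the whole string. If a cap is unavoidable, reject long input at sign-up instead."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def safe_verify(record, attempt: str) -> bool:
    """Correct: the full attempt must match the full registered password."""
    salt, digest = record
    return hmac.compare_digest(_hash(attempt, salt), digest)


def detects_truncation(register, verify, password: str) -> bool:
    """True if the verifier accepts the password with its last character dropped.

    This is the observation from the comment turned into a test: a login that
    still succeeds with one fewer character means the stored credential is
    shorter than what the user typed.
    """
    record = register(password)
    return verify(record, password) and verify(record, password[:-1])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample, longer than the field width
    print("truncating verifier leaks:", detects_truncation(truncating_register, truncating_verify, pw))
    print("safe verifier leaks:", detects_truncation(safe_register, safe_verify, pw))
```

The check only reveals truncation when the password is longer than the hidden limit, which is why a user with a short password would never notice; the fix is to hash the full input and, if a length cap exists at all, enforce it visibly at registration rather than silently at verification.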
I wonder if it's because they look at security more globally. Their actions probably keep lowering security for people who understand the risks and are willing to take the extra steps to protect themselves but on the other hand they probably drive up adoption of some extra security for most other folks. Or if you want to be less charitable: they were tired with dealing with support calls from a lot of tech illiterate people and decided to just sacrifice security.
But I don't see how a JS applet where you need to click on a bunch of numbers in plain view of whoever is curious to look over your shoulder helps with this. People have to type in their customer number in a regular text field anyway, so why not use the same thing for the password?
My guess is one field (password) protected from keyloggers is more secure than no fields protected from keyloggers. Although I agree it is counterproductive to limit the number of characters so much.
BNP. I used to have an account with Boursorama (which belongs to SG) and they also had the point-and-click number thing, but I think the code was a bit longer.
There was some brouhaha a few weeks ago when someone posted a screenshot on reddit about an Indian public sector bank's app refusing to run because a user had installed Firefox, and according to that bank, was a "malicious app that could steal user data".
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
Indian banks and their websites are likely among the worst in the world. The fact that many situations require printing forms, dealing with SMS-based 2FA, multiple passwords, sometimes with different requirements… I’m not surprised that many Indians still prefer the hassle of visiting a branch.
The branches are worse. Staff rotates _constantly_. Most of the new ones don't know anything, including most straightforward things people go to branches for. Almost everyone from the tellers to the branch manager is mandated to upsell/cross-sell something or the other, and in the most non-transparent way possible (so that the right people get the commission). Need a bank locker? Jack up your savings account balance. Need a credit card? Get a unit-linked insurance plan, else don't waste our time. A couple of tellers will start calling random people to sell things (in direct violation of central bank rules).
There's a certain Indian public sector banking app which won't run at all unless you give it camera, full filesystem and some other crucial permissions.
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
Yeah my bank requires me to reset my password every 180 days, only accepts passwords from 6 to 11 characters, and has a whitelist of valid characters. All this leads to a situation where I want to sign in, I'm then prompted to reset my password, but the autogenerated passwords from Firefox don't actually work because they are too good, so I switch to a terminal to make up a custom password to their ridiculous requirements.
If the hashing is done on the client and then sent to the server, then the server is effectively just processing as a plaintext password. If an attacker gets hold of the server password database, then they can just connect to the server and pretend to be the client and hand it the hashed password that they read from the database breach.
If you hash the password on the server instead, then if the password database is breached, then an attacker needs to actually reverse the hash[0] and find the original password in order to log in, because that's all that the server will accept.
[0] Note, this should be difficult[1]
[1] In crypto, "difficult" should mean "impossible before the end of the universe"
No it's not. Did you ever think that you can hash something twice? Hash it once on the client, then hash and salt it server side, like normal. It means that the server never actually knows your password, but that's about all it gives you.
> It means that the server never actually knows your password
If the client is hashing it without a salt the server could simply check a Rainbow table (https://en.wikipedia.org/wiki/Rainbow_table) to know which password it is. For short inputs this could be trivial.
Sure, but I still think this is preferable to sending the password in clear text even over HTTPS. You're trusting the server doesn't do anything with the password and immediately hashes it, but it might not. It might store it, or even if it doesn't, your password will stick around in RAM for an indeterminate amount of time.
If the server is compromised in any way, passwords could be exfiltrated. Companies are, sometimes, wildly incompetent. Zoom historically stored private keys on the same server as their "encrypted" data. I would not be surprised if your password is just stored for "convenience" or some other bullshit reason and just waiting to be breached.
> Sure, but I still think this is preferable to sending the password in clear text even over HTTPS. You're trusting the server doesn't do anything with the password
My point is in both cases the server has access to the password. As I mentioned, without salt the server can get the original password (by checking the pre-computed rainbow table of hashes up to n length), so the trust issue is the same.
If this is slightly better (more obfuscated) or the same thing + a false sense of security is debatable, but I could agree.
Well no, because rainbow tables are quite small. You don't have precomputed hashes for all passwords 24 characters and under that contain numbers and symbols.
I mean, even with just letters, you're looking at 620448401733239439360000 hashes required. x 128 / 8 bytes, you're looking at ~ 9000 zettabytes. So, a few order of magnitude larger than the entire internet.
If you have a strong password, it's not comparable. In scenario one the server has the password immediately. In scenario two, it would require the heat death of the universe to precompute the hash to find out the password.
Very interesting point. I did not think of that, thanks. I was looking at the speed of calculation in different scenarios (calculated on the fly) based on which characters are part of the password and it is still very difficult, if you have a strong password. I am curious which percentage one could match just checking for hashes of common passwords, or common patterns like exclamation marks at the end. In any case it is better than the unhashed version, I agree.
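To make the two schemes argued over above concrete, here is an added example (mine, not code from anyone in the thread): a server that stores the client digest verbatim, a server that salts and stretches that digest again server-side, and the precomputed-table lookup that works against an unsalted client hash but not against one salted with a per-user value. The password list and the user-specific salt are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of weak passwords standing in for a precomputed table
# (example data, not from the thread).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 100_000

def client_hash(password: str, client_salt: str = "") -> str:
    """Hash computed in the browser before the password leaves the client.
    With the default empty client_salt this is the unsalted variant."""
    return hashlib.sha256((client_salt + password).encode()).hexdigest()

# Scheme 1 (the one criticised above): the server stores the client digest as-is.
def naive_store(client_digest: str) -> str:
    return client_digest

def naive_verify(stored: str, presented: str) -> bool:
    # Whatever sits in the database is exactly what a login must present,
    # so a database leak is directly replayable against the login endpoint.
    return hmac.compare_digest(stored, presented)

# Scheme 2: the server salts and stretches the client digest, so the database
# never holds the value that the login endpoint accepts.
def server_register(client_digest: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_digest.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def server_verify(record: dict, presented: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(cand, record["hash"])

def leaked_record_logs_in(record: dict) -> bool:
    """Replay the stolen database value as if it were the client digest."""
    return server_verify(record, record["hash"].hex())

def lookup_unsalted_digest(client_digest: str) -> Optional[str]:
    """What the server (or anything that sees the digest in transit or in logs)
    can do when the client hash carries no salt: a single table lookup."""
    table = {client_hash(p): p for p in COMMON_PASSWORDS}
    return table.get(client_digest)
```

A per-user client salt (for example derived from the username) is enough to defeat the shared table, but the server still receives a stable credential for that user, which is why the thread's trust argument only shifts rather than disappears.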
> The app is intended to track stolen phones, block them and prevent them from being misused.
> India's telecom ministry confirmed the move later, describing it as a security measure to combat "serious endangerment" of cyber security.
Both Android and iOS natively support tracking/blocking a lost device.
---
Approximately 50000 devices are stolen every month in India. [0] The govt wants its app on 730M phones [1].
[0] https://www.hindustantimes.com/india-news/karnataka-telangan...
[1] https://www.reuters.com/sustainability/boards-policy-regulat...