Send Link mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."
Today's Topics:
1. Re: RFI: Opening an account with Google without a
phone-camera (David)
2. And the winner is ... at the Defence Hackerthon (Tom Worthington)
----------------------------------------------------------------------
Message: 1
Date: Mon, 16 Feb 2026 13:37:36 +1100
From: David <[email protected]>
To: [email protected]
Subject: Re: [LINK] RFI: Opening an account with Google without a
phone-camera
Message-ID: <295206360.ifERbkFSEj@ulysses>
Content-Type: text/plain; charset="us-ascii"
On Monday, 16 February 2026 08:06:03 AEDT Roger Clarke wrote:
>> On Sunday, 15 February 2026 09:32:00 AEDT Roger Clarke wrote:
>> *Any thoughts on how a non-compliant desktop/laptop user can play* would be
>> very much appreciated.
>>
>>> On 16/2/2026 00:07, I replied:
>>> This "non-compliant desktop/laptop user" (:-) insists on certain
>>> constraints in certain circumstances, otherwise I simply part company with
>>> the organisation concerned. These include using a token for 2-level
>>> authentication where appropriate
> There's been a marked falling-away of tokens, as in separate, physical
> artefacts containing a time-based OTP generator.
>
> I had 'considerable discussions' with Rabo before they finally worked out
> there were more of us than they thought, and belatedly signed up with a new
> supplier. (Too embarrassed to go back to the previous one?).
I'd intended to refer specifically to a physical OTP device. Any form of
software OTP which runs in the same desktop/laptop as the relevant application
is surely much less secure than an SMS-based OTP (?) because a hacker who gains
access to that system can then impersonate any valid user. Worse still, it may
generate a false sense of security.
Put another way, the "something you know and something you have" principle
reduces to "something you know, full stop".
Last time I researched this matter, one .au bank actually insisted on a
physical OTP for customers with transactions over $10,000 per day but otherwise
used SMS-based OTP by default, two would provide a POTP token under varying
degrees of pressure, and one simply wasn't interested. A POTP may be a
chargeable item though (~~$50?), which I suppose is fair enough.
> But wait, there's another way. Microsoft once again offers a
> computer-generated voice-call to a 'landline'/VoIP number. And the 30- or
> 90-day validity-period option, which they'd earlier removed, reappeared. So
> my desktop has been connecting with ACS fine. (Pity about the manifold
> idiocies of the SharePoint, Outlook and Teams software I have to then wrestle
> into submission).
A voice call from their server, I presume? Just checking you know (:-)...
That's well intentioned, but it's not much better, unless the VoIP bitstream is
encrypted and goes to a different Analogue Telephone Adapter (ATA) device for
decryption, not the customer's front-end router.
> I did many consultancies in authentication and to a lesser extent
> authorisation from almost three decades ago until maybe 5 years ago, and
> can't believe what an utter cockup the IT industry makes of it.
I thoroughly agree. And don't get me started on website design, or the amateur
talent evident on some, or the proliferation of "5,000 best electrical
contractors in whoop-whoop" etc. etc. websites. At this rate the Internet
free-for-all will ensure its own demise.
Cheers!
_DavidL_
------------------------------
Message: 2
Date: Sun, 8 Feb 2026 16:36:21 +1100
From: Tom Worthington <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [LINK] And the winner is ... at the Defence Hackerthon
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Greetings from the Australian Defense Tech Hackathon close at
UNSW Canberra. The winners were announced & we assembled for a group
photo in the indoor drone range. Appropriately the photo was taken by a
drone, which then crashed into the wall. ;-)
https://blog.highereducationwhisperer.com/2026/02/and-winner-is-at-defence-hackerthon.html
--
Tom Worthington http://www.tomw.net.au
------------------------------
End of Link Digest, Vol 399, Issue 14
*************************************