You're likely receiving phishing emails...don't log in using links in emails, always type the main website into your browser and then navigate to your account.
One of my mates at school got the fileserver password by putting the Econet transceiver in one of the computer lab's BBC micros into promiscuous mode and sniffing it off the wire while the teacher typed it in from across the room, which is _kind_ of like looking over someone's shoulder, except better.
Problem is many commercial sites don't do proper two-factor authentication and insist on weak 1.5-factor authentication, which leads to a false sense of security for the user and the company. Sending a code to a person by email or SMS is NOT two-factor as there is a high chance the email or SMS can be intercepted or redirected.
I like Apple’s system of sending a message to your phone where you type in a pin given on the website you’re logging into along with a physical position on a map
Dancing Rain if you don’t have internet on your phone than you probably don’t on your computer either. And if your battery is dead you can just plug your phone in to charge
@@keco185 Interesting assumption. Wrong, but interesting. I have family in the rural united states, where internet access generally works, but cell phone reception is terribly unreliable. And the more mountainous or remote a rural area you're in the worse cell phone reception gets. In addition, I'm guessing you've never had a cell phone suddenly decide it doesn't want to take a charge any more. They can and do malfunction from time to time.
@@keco185 bold of you to assume I have an apple iPhone. But more importantly, text messages don't go through the internet, they go through the cell network.
3:20 Objection! Ain't no high tech needed to lift fingerprints well enough to fool fingerprint readers. Unless you consider adhesive tape "high tech"...
Funny story. One day I was trying to change my bio on Roblox, but I had the settings PIN enabled and had forgotten it, so I moved on. I was suddenly logged out, and when I tried to log back in it said my password was wrong. In points of crisis I'm a logical thinker, so I quickly changed my password via email. I then checked to see if anything had changed, and funnily enough the only thing that had happened was that my settings PIN was removed. I'm still confused, as the hacker went through a password, my email and my settings PIN.
The What You Have authentication is the worst. So many things require you to not have money, but to have things that need money, and when you're poor, getting locked out of something is the last thing you need to happen. I got locked out of my PayPal for 7 months because someone tried to break into it and I couldn't afford to pay my phone bill the whole time until I finally borrowed my brother's phone to let me call up and prove it was me. All because I don't have a licence (no car so what's the point?) or a birth certificate (not exactly a convenient item to hang onto) or a passport (an expensive document when I don't travel because poor?). Then hey, I was finally able to get in and pay for my phone bill.
I'm a systems engineer, don't use Yubikey or smart cards. They're very vulnerable and Google hands out Yubikey so that should tell you something. RSA or vendor-specific authenticator apps are the way to go
3:49 "science fiction writers have also imagined complicated artificial intelligence systems that can learn someone's behaviour patterns over time and recognise them" I mean actually banks already do something similar, but only for larger purchases. If you make a large purchase that it deems unusual it'll pause the transaction and they'll contact you to verify you did it. Not always though.
The lesson wasn't "Don't do it, but keep your mouth shut." That's like the true lesson of the story of the boy who cried wolf: never tell the same lie twice.
@Squant Because parents (instead of grandparents) are now of the generation who learned that computers can't do what you mean. And now they're frustrated because the computers are BAD at guessing what they mean because we're used to being much more explicit than the average.
@@bartonseagrave9605 Their generation did. But that's like saying Werner Von Braun's generation built rockets, ergo everyone of that generation is a rocket scientist.
"Signatures can be forged" is an understatement. 99% of people who require a signature for anything have actually no idea what your signature looks like, and it's practically a formality.
Another bad thing about signatures is that yours changes over time. If they actually used them to verify identity, you could be denied even if it were you. I worried about this when I voted by mail in the last election. The signature on file with the election officials is from high school. My signature has changed drastically since then.
Signatures and initials have more so become a thing for those that are relevant, like when accepting a package from a delivery guy. If any of my neighbours go onto their app in case the delivery guy was too lazy to put in a card saying "hey, it's dumped at this address", they can see my initials with a squiggly line and know it's at my house.
It's good to be back in the actual Centre for Computing History! They're still closed to the public right now for obvious reasons, but have a look in the description for a link to them and their fundraiser to help them get through the closure!
Time traveler
Big chonk
"4 days ago"
Why does this say 4 days ago if it just came out 🤔
If u unlist the video , then u can leave a comment for later
"Some kind of nerd who wanted to learn something for fun" is probably the same kind of person as 90% of Tom's subscribers
me
Yep. This is why I posses a set of lock picks.
Exactly fits me.
Mhm.
That's exactly who I am
"What I learned was 'keep your mouth shut'" - Tom Scott, telling a secret to his 2.9 million subscribers
And the lesson I learned was not 'don't do it', it was 'snitches get stitches' - Tom Scott, on the run from the Police, circa 2021
And it’ll probably be seen by more than 2.9 Million people
That is the actual secret. Know when to keep your mouth shut.
@@theophrastusbombastus8019 If it's "snitches get stitches" that is learned, it's probably not the police that he's running from.
Also, I'm picturing him running clutching his stomach running out that scenario.
@@hotaru8309 Have you been paying attention to the news lately?
Haha! I remember that pineapple video!
ahahaha hey cody
It’s really him!
I didn’t know if anyone else was going to! That was a while ago!!
Cody!
I watched it 10 minutes ago
"No way to check that the President wasn't ... being coerced."
I always assumed that there was not only a "correct" code on the Biscuit, but that there was also a coercion code, basically telling the recipient that "this source is compromised, disregard further signals from this source."
We had this at a safe in a store I worked. If you typed in a pin containing double zero it would open the safe but also send an alarm to the security company + the Police.
@@UA-camAdministrator we told you not to tell anyone!
@@ahreuwu *laughs in robbery*
ANGRC series crypto-radios (1970's tech) had a similar thing; lots of operator sequences could lead to auto-destruct!
Any one of a dozen combinations of control settings will release the magic smoke from all the transistors.
Hell, using the damn thing while driving on a bumpy road could start auto-destruct!
The paranoia around these things being compromised was intense!
OK, memory being what it is, it likely wasn't AN/GRC that I was thinking about...
@@pirobot668beta sounds very cool. Wonder how much equipment with these kill switches we have today.
"Computers can only do what you say, they can't do what you mean" is probably my favorite quote now.
Damn computers just need to learn to listen better. I threaten mine with violence whenever it doesn't do what I want. Doesn't seem to accomplish much but it does make me feel better...
@@zwenkwiel816 Yes Mr. President, we found him. Do we launch the missile?
Many years ago my department manager had a poster behind her desk:
I hate this damned computer,
I wish that they would sell it;
It never does quite what I want,
but only what I tell it.
It should be "computers will only do what you or the manufacturers say." The ones who built the operating system also get a say in what your computer can and can't do, and the manufacturers have precedence over the end user... unless you have an open source operating system like linux, but why would you torture yourself like that?
@@zwenkwiel816 I'm hoping your computer isn't named HAL, otherwise you're going to be having some real problems.
"You can't exactly change it, I tried once"
*Glasses-wearing, Pineapple-consuming, Long-haired war flashbacks*
YES!!!
pineapple on finger go brrr brrr
Tom: * Talking about Nuclear Weapons *
*The Basics*
Yo bro!
@@arijitdas7526 Akihito Gang, let's go!
Ew, Akkey...
@@PageantNicholas256 oo... Houtarou Oreki kun.
@@arijitdas7526 how's ur bf Hiroomi, Akkey kun?
You know he's still mad about getting in trouble in high school...
We all have that one thing we did super long time ago that doesn't matter anymore but you still wish you didn't do it
One thing! my bloody list is in the hundreds, and I haven’t even finished school
trust me, as you get older, you'll regret more things that you didn't do than those you did!
I don't have any such thing
cough
3:28 Look at the PC in the background! The subtle Easter eggs like this are amazing
This video is a masterclass in story-telling and public speaking. Tom started off with Reagan and a tense situation with a nuclear crisis, hooking the listener/viewer. Told them all about how multi factor authentication works and concluded by giving closure to the original story, while also articulating the big takeaways and caveats.
"Computers can't stop you from asking for terrible things."
Quit looking at my search history Tom.
Too late it's been leaked on the 'net, I'm reading it now! ooooo did you really buy those?! Cheeky! Hehe 😇🤣
@@smartroadbiker women humor
@@thetabs57 incel humour
Tom the picture of the phone at 4:30 was really smart
The video went live at 4PM, so if you watched it when it came out you were at that point at 16:04, the exact time on the phone
This is why I love your vids
For me it's 11am ;-;
I totally didn't catch that. While timezones make it not a thing for a lot of places, for the UK timezone, it's freaking brilliant.
These easter eggs will forever be loved
It says 16:05 at 5:00 :0
It also is 16:05 at the 5 minute mark and has today's date correct
"they can't do what you mean" (7:42). When I was a young programmer, I was complaining about a stupid bug (of my own creation) that I was chasing, and my boss said "Oh, you forgot to put in the DOWHATIMEAN instruction", with a silly smile.
Someday, maybe...
1:54 'password: CORblimey1926' a true British gentleman
oh yea...!
Wow, that's my password too!
1926?
Can someone explain?
@@Menon9767 blimey is a British expletive
5:25 ah, yes the RSA key chain SecurID. Those were the times when you got the little token generator out of the pocket, saw it has 3 bars left, hastily put it in, only for it to expire the moment you hit enter.
Ive watched this video a bunch of times and I've just noticed the edit in the PET screen with the pineapple video. Great work. Kudos
*Gets done telling us an exciting story about the Cold War era*
"Don't worry, I'll talk about your stupid mundane phone now."
This guy’s delivery is so good.
Thank you, I just enabled 3 factor authentication for my nuclear weapons apparatus!
I actually watched the video of you attempting to remove your fingerprints. When you did the joke at the end with the stove you genuinely got me, so good on you Tom
You actually can check if the president is under duress. There are keywords for duress that could be passed along in the conversation. It requires that both people know the keywords and act on them though.
In the mid 90s, my uncle told me "A computer is only as smart as you are." and the last part of this video reminded me of that. So thank you for that.
Yes yes yes! Thank you for encouraging people to take security more seriously!
And doing what you do best, giving some history and explaining it well.
Love your videos Tom 🙂
3:27
"I've tried"
That video is 10 years old🤣
Briefly having the monitor in the background "play" the pineapple video when you talked about failing to remove your fingerprints was a nice touch!
"I tried once"
*flashbacks to tom trying to get rid of his fingerprints using pineapple and sandpaper*
That was painful to watch
Sitting here without phone and locked out of my accounts.
10/10 would recommend, it's fool proof
3:20 nice a callback to the pineapple fingerprint video
3:50 is something that is kind of already being done, Tom. Some companies are starting to use ML algorithms to track your keyboard and mouse behavioural patterns to identify that it is you that is inputting them. They usually proceed to use phone identification when you fail that test.
Yes, I've had 3D secure authentication ask for an SMS code, and then ask me to type my email address with the way I typed it apparently being a form of identification
That’s just recaptcha
One way to improve the scenario where a computer doesn't know if you are being forced to authenticate is to have a duress code.
In the biscuit example, one of the codes means "launch," but a different position actually means "I am under duress, do not follow my orders, send help." The President knows the position of both codes. Whoever's doing the forcing can't know ahead of time if the President is using the launch code or the duress code.
That still doesn't stop a President who is not sane, and the attackers may be able to threaten to do horrible things if they discover that the duress code has been used, so it's not perfect, but detecting the use of the duress code will take time, making the attack harder.
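The duress-code idea from the comment above (and the shop safe's alarm PIN earlier in the thread), worked through as an added example; this is editor-written Python, not code from the video or from any commenter, and every code and salt in it is a constructed sample value. The point it demonstrates: the person at the keypad, and anyone coercing them, sees the same "granted" response for both codes, while the back end raises the alarm.

```python
"""Duress-aware code check: one code grants, a second code grants AND
silently alarms. Editor's example; codes and salts are constructed."""
import hashlib
import hmac
import os
from enum import Enum


class Outcome(Enum):
    DENY = "deny"                        # nothing matched
    GRANT = "grant"                      # ordinary authorisation
    GRANT_SILENT_ALARM = "grant_alarm"   # looks like GRANT to the user


def _digest(salt: bytes, code: str) -> bytes:
    # Salted, slow hash: a stolen record reveals neither code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def enrol(normal_code: str, duress_code: str) -> dict:
    """Store both codes for one principal (hypothetical record layout)."""
    if normal_code == duress_code:
        raise ValueError("duress code must differ from the normal code")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "normal": _digest(salt, normal_code),
        "duress": _digest(salt, duress_code),
    }


def check_code(record: dict, entered: str) -> Outcome:
    """Evaluate an entered code against the enrolled pair."""
    # Compare against BOTH stored digests unconditionally, in constant time,
    # so the response latency does not reveal which branch was taken.
    d = _digest(record["salt"], entered)
    normal_ok = hmac.compare_digest(d, record["normal"])
    duress_ok = hmac.compare_digest(d, record["duress"])
    if duress_ok:
        return Outcome.GRANT_SILENT_ALARM
    if normal_ok:
        return Outcome.GRANT
    return Outcome.DENY


def user_visible(outcome: Outcome) -> str:
    """What the keypad shows. Duress and normal are indistinguishable here."""
    return "ACCESS DENIED" if outcome is Outcome.DENY else "ACCESS GRANTED"


def backend_actions(outcome: Outcome) -> list:
    """What the monitoring side does; the alarm never reaches the keypad."""
    if outcome is Outcome.GRANT:
        return ["open"]
    if outcome is Outcome.GRANT_SILENT_ALARM:
        # Open anyway (refusing would tell the coercer), but flag it.
        return ["open", "notify_security", "flag_session_for_review"]
    return ["log_failed_attempt"]


if __name__ == "__main__":
    rec = enrol("1926", "1962")   # constructed sample codes
    for attempt in ("1926", "1962", "0000"):
        out = check_code(rec, attempt)
        print(attempt, "->", user_visible(out), backend_actions(out))
```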
Always interesting to see a non-biometric expert (or is it biometric non-expert) comment on biometrics. There are systems developed that can detect if it is a real finger or face that is presented to a sensor or if it is a copy (like the lifted fingerprint or a printed face image or even a video played). And I am not a science fiction writer, but I can also tell you that behavioural biometrics as an authentication factor work extremely well. For example keystroke dynamics gives you a "free" second factor when somebody types their password. Performance might not be as good as for biological biometrics (like fingerprint and face), but you can capture this behaviour continuously. You can then use behavioural biometrics actually to remove access if you have left your computer unguarded and it is taken over after you have used your 2-factor authentication to log on.
This 8 minute video taught me more info than a whole day in school
American schools... pfff... try Scandinavian schools bro xD you learn everything and no homework
This series could have been enough for the students of the computer science high school where I taught math this year to ace their finals. But, alas, almost no one had any interest in studying.
(I write from Italy btw)
2:50 You learned the correct lesson here Tom
“Be good, if not be good at it, if you get caught give them a name just not yours or mine”
The old way is know your signature and have your signet ring.
You use your signet with sealing wax to impress the seal of your house onto the page.
Also served as an anti-tampering device because it is hard to get the wax to re-adhere to paper once it had been broken off.
"The Lesson I learned was to keep your mouth shut" - Gleefully telling millions of people about it
Never seen that red shirt before
Oscar Sanderson don’t think you can see your reflection in a comment
shit's maroon
dude you're supposed to write a comment, not just your full name
@Oscar Sanderson bad
I got you beat on the teacher password thing.. when I was in school I had the password to the main grades database, and yes, I did go snooping around in it and had the ability to change or delete any or all grades, or could assign different students to different classes...
The password was "Jupiter"
I think what puts a lot of people off from using two factor authentication is the annoyance and inconvenience, and some people are willing to sacrifice cyber security for said convenience.
3:27
Tom: "I tried once"
Me: *pineapple flashback intensifies*
"computers can only do what you say. They can't do what you mean"
As a tech advisor for a broadband company, I wish this was more known.
Tom: "Science fiction writers have also imagined complicated AI systems that can learn someone's behavior patterns over time and recognize them..."
This is kinda happening right now. Fraud departments in banks and credit-card companies analyze transactions data to find suspicious purchases. They also probably use machine learning to deal with vast amount of data being collected.
And isn't this how ReCAPTCHA works? They can detect if your input is human enough.
Can confirm. They do use machine learning to find malicious transactions; often it then gets forwarded to a human for additional verification.
Also, I can tell my phone to learn the specific way I walk and to always be unlocked when it has recently been in my pocket. (It looks for patterns in the accelerometer data that I generate when I walk.) I don't do that for various reasons, but I could have an annoyingly strong password that I get asked sometimes (to force me to memorise it) and mostly unlock without a password if it thinks it has been in my pocket recently, but always ask when it's not in my pocket.
Gait detection to analyse and match your way of moving/walking
and this is why i type my credit information every time i make an online purchase rather than save it to my browser. maybe i’m lazy elsewhere (coughpaswordcough) but not my bank info
You can’t change your fingerprints “I tried once”
Oh boy do I remember that video
The problem with these hardware factors is: They potentially undermine anonymity. When I use the same token (i.e. FIDO2 or YubiKey etc) with different services, having different "nicknames" there, and *not* wanting the server operators to know that it's the same person behind both accounts, using the same hardware token is a potential security risk. Yes, with Amazon or eBay or any shopping website, they need to know my identity, because they need to obtain payments from me and they need to know an address where to send the goods I bought, *but* companies like Google, Facebook or Twitter do not. I don't use anything from them that requires payment - or if I would, then I'd have to have a completely separate account, or even device in the case of a phone, in order to use that, because letting them know who I actually am while I use their services is completely out of option.
And they always want to know your phone number. My actual bank doesn't because, as Tom explained, it's not the most secure way of using a phone for 2FA. So those sites constantly bugging you to turn on 2FA continues to feel like they're just trying to collect as much of your data as possible.
@@thriceandonce They don't know it's the same device generating the token, though. They only know that the token is valid based on the secret key they sent to token generator.
@@clonkex Don't most 2FAs require giving a phone number? I haven't come across one where you could just use any random phone as long as you have some sort of authentication app installed on it and somehow confirmed that that's the device you want to use for authentication.
Seegal Galguntijak exactly. I have no SIM in my phone, I don't wish to be contactable anywhere I go, now PayPal are saying I have to have a mobile when I have a perfectly good landline.
@@clonkex In case of OTP, that's true. But with FIDO2, I wouldn't bet on it.
Fun fact, if you are using Steam, you should ALWAYS have two-factor authentication. It is really easy to find a password, but the phone message, well that's another story... Thankfully Steam has some limitations for those not using two-factor which can indeed protect your account....
When I worked at a popular, now-mostly-defunct toy retailer, I shoulder surfed a bunch of managers' usernames and passwords so that I could get bad customers to leave quicker.
Two reasons why I don't use it:
1) When I lost my phone with my old prepaid SIM in it, my accounts no longer allowed me to log in using my new phone because I couldn't do two-factor authentication via SMS. It needs my old number. I was locked out for more than 6 months while trying to convince tech support that it was really me, the owner of the account.
2) I am renting a room and it is in an underground basement. The cellular signal can't reach my room. So if I need to log in to my account, I have to go outside to receive the SMS OTP.
You can’t change your fingerprint, I tried once. Referring to the can you change your fingerprints with pineapple video. It’s good to see Tom Scott acknowledging his past.
Dissected a flower in a biology class once and the skin on my fingertips peeled away for weeks and was somewhat scarred even after it had fully healed. Idk if it was necessarily the flower, but the doctor told me it was a chemical burn. I'd not touched anything chemical really, and the doctor said it's possible to get chemical burns from plants, so it's possible that the alkaline fluid from the flower burned off my fingerprints. That said, my fingerprints eventually returned as my fingertips continued to heal and the scars faded.
"Hey Tom how do you solve 2+2?"
- *Explains quantum mechanics*
"I tried once" - a reference to the pineapple juice video a while ago. That was a REALLY good reference
3:27 now that's a throwback Tuesday :D
"It was close"
*close his fists*
This part gave me goosebumps
That callback to the pineapple video made me chuckle
Tom: "You can't change that... I, tried once..."
People only watching new videos: "You tried once?? I don't understand-"
Me: "I do. _I understood that reference..._ "
I was expecting some password only manager app advert at the end. I was surprised there is none of it.
You're a legend my dude
Tom: computer can only do what you say
Hal 9000: am I a joke to you
Ubisoft has sent me emails saying "new login activity from Iran and Mongolia" but when I log in in the States I get an email saying suspicious activity
that's probably not good
It probably thinks you're Iranian or Mongolian now lmao
You're likely receiving phishing emails...don't log in using links in emails, always type the main website into your browser and then navigate to your account.
One of my mates at school got the fileserver password by putting the Econet transceiver in one of the computer lab's BBC micros into promiscuous mode and sniffing it off the wire while the teacher typed it on from across the room, which is _kind_ of like looking over someone's shoulder, except better.
password at
1:53 is CORblimey1926
2:03 is MakesSense!
"And when the only input device to your computer is a keyboard, a password absolutely makes sense"
Password being typed on screen "MakesSense!"
'You can't change your fingerprints....uh....I tried...once...'
*memories rush back*
Problem is many commercial sites don't do proper two-factor authentication and insist on weak 1.5-factor authentication, which leads to a false sense of security for the user and the company. Sending a code to a person by email or SMS is NOT two-factor, as there is a high chance the email or SMS can be intercepted or redirected.
2:05: The password in the corner of the screen is "MakesSense!"
"Well, if it gets leaked, you can't change your fingerprints... I TRIED ONCE" DAAAYYUUMMNN that pineapple video lmao
90% of the comments are about the fingerprint. Love to see that originality.
5:54 „You - that’s not ideal” ~Tom Scott 2k20
i found that concision very succinct
Tom: If your fingerprint gets leaked, you can't really change it, I've tried, once.
Me: oh wow that brings back memories
2:48 that’s the real take away from this video. No truer words have ever been spoken
I like Apple’s system of sending a message to your phone where you type in a pin given on the website you’re logging into along with a physical position on a map
Until your battery dies. Or you lose signal. Or your phone gets shut off for any number of reasons.
Dancing Rain if you don't have internet on your phone then you probably don't on your computer either. And if your battery is dead you can just plug your phone in to charge.
@@keco185 Interesting assumption. Wrong, but interesting. I have family in the rural United States, where internet access generally works, but cell phone reception is terribly unreliable. And the more mountainous or remote a rural area you're in, the worse cell phone reception gets.
In addition, I'm guessing you've never had a cell phone suddenly decide it doesn't want to take a charge any more. They can and do malfunction from time to time.
Dancing Rain so you have a house with internet but an iPhone doesn’t use that internet?
@@keco185 bold of you to assume I have an apple iPhone.
But more importantly, text messages don't go through the internet, they go through the cell network.
3:20 Objection! Ain't no high tech needed to lift fingerprints well enough to fool fingerprint readers. Unless you consider adhesive tape "high tech"...
Funny story. One day I was trying to change my bio on Roblox, but I had a settings PIN enabled and I had forgotten it, so I moved on. Then I was suddenly logged out, and when I tried to log back in, it said my password was wrong. In moments of crisis I'm a logical thinker, so I quickly changed my password via email. I then checked to see if anything had changed, and funnily enough the only thing that had happened was that my settings PIN was removed. I'm still confused, as the hacker got through a password, my email and my settings PIN.
Rubber hose decryption rarely fails!
The What You Have authentication is the worst. So many things require you to not have money, but to have things that need money, and when you're poor, getting locked out of something is the last thing you need to happen.
I got locked out of my PayPal for 7 months because someone tried to break into it and I couldn't afford to pay my phone bill the whole time until I finally borrowed my brother's phone to let me call up and prove it was me. All because I don't have a licence (no car so what's the point?) or a birth certificate (not exactly a convenient item to hang onto) or a passport (an expensive document when I don't travel because poor?).
Then hey, I was finally able to get in and pay for my phone bill.
"you can't exactly change it... i've tried once"
*[intense pineapple flashbacks]*
I'm a systems engineer, don't use YubiKey or smart cards. They're very vulnerable and Google hands out YubiKeys so that should tell you something. RSA or vendor-specific authenticator apps are the way to go.
3:49 "science fiction writers have also imagined complicated artificial intelligence systems that can learn someone's behaviour patterns over time and recognise them" I mean actually banks already do something similar, but only for larger purchases: if you make a large purchase that it deems unusual it'll pause the transaction and they'll contact you to verify you did it. Not always though.
I find your story about the teacher's password funny. The same exact thing happened to me in high school. Told someone and that was my downfall.
On the teacher's password thing, it is worth noting that there is a saying for that: it ain't illegal until you're caught
You're
@@garrysmith1029 bruh
My signature can’t be forged because I’m constantly changing it because I can never decide
3:26 with pineapple
The lesson wasn't "Don't do it, but keep your mouth shut."
That's like the true lesson of the story of the boy who cried wolf: never tell the same lie twice.
*Among Us:*
At 1:54 the password that showed up was corblimey1926
I commonly use three factor authentication. Username/password and authentication code, which I must obtain by inputting my fingerprint. Quite secure.
7:00 massive subtweet of the current possessor of the nuclear codes
@tom scott we would love a video about benfords law
"There was no way to check that the President was sane"
PepeLaugh ohnonononononono
2:25 nice touch
The password for Dr Corbató was corblimey 1962
I legitimately thought the title said why you should not turn on two factor authentication
For those wondering, the password at 1:55 is either these 2:
CORbIbimey1926 (with the capital i)
or
CORblbimey1926 (with the lowercase l)
"computers can only do what you say, they can't do what you mean"
I wish my parents would finally learn this
When I was watching the video (the last minutes) I scrolled to the comments and what I was reading was synced with the video itself
@Squant Because parents (instead of grandparents) are now of the generation who learned that computers can't do what you mean. And now they're frustrated because the computers are BAD at guessing what they mean because we're used to being much more explicit than the average.
Didn't grandparents invent computers?
@@bartonseagrave9605 Their generation did. But that's like saying Wernher von Braun's generation built rockets, ergo everyone of that generation is a rocket scientist.
Parents can't do either
I swear Tom Scott is just that dude who can make you smile with a random fact any time
I know!
Yea
Yes!
OF WHAT?
day
"Signatures can be forged" is an understatement. 99% of people who require a signature for anything have actually no idea what your signature looks like, and it's practically a formality.
Another bad thing about signatures is that yours changes over time. If they actually used them to verify identity, you could be denied even if it were you. I worried about this when I voted by mail in the last election. The signature on file with the election officials is from high school. My signature has changed drastically since then.
I can't even forge my own signature
Signatures and initials have more so become a thing for those that are relevant, like when accepting a package from a delivery guy. If any of my neighbours go onto their app in case the delivery guy was too lazy to put in a card saying hey, it's dumped at this address, they can see my NS with a squiggly line and know it's at my house.
@@YingwuUsagiri that's a ridiculously specific edge case and I wouldn't be able to tell you the signature/initials of half my neighbors
JOKES ON YOU MY SIGNATURE IS A LIL DOOFLE I MADE
"So the moral of the story is to not do the bad thing?"
"No. The moral is to not tell people you did the bad thing."
But what's actually moral is to avoid doing the bad thing altogether.
I thought of a bad thing i'd done that I had kept a secret and almost used it as an example here like a dumbass
@@arvaneret_329 but is just knowing a teacher's password a "bad thing"?
Don't do the bad thing, and if you are bad and did it, don't be worse and don't tell anybody
@@arvaneret_329 "It isn't illegal if you don't get caught" - A friend of mine from middle school
The great thing about computers: they do exactly what you say.
The terrible thing about computers: they do EXACTLY what you say.
Computers are the second dumbest thing that computer scientists have to deal with on a daily basis
😳
@Bounze You had to explain the joke.
It's like a douchebag genie who takes your words too literally.
@Bounze the number one being the users was implied. You kind of killed the joke by explaining the punchline.
That truly is all we ever learn as children: Not “don’t do it” just “don’t get caught”
Exactly!
Or at least have a very good excuse for innocently doing wrong ready
I think that is the lesson that punishment entails. If you make someone suffer for doing something deemed wrong they just learn not to be caught.
I don’t quite get what you mean. We’re taught not to do ‘bad’ things are we not?
@@ayhamshaheed7740 It's what we are told but not what we learn.