Google site:bogleheads.org elderly scams - the list goes on and on ...
I've also got elderly relatives, and even with their pensions secure (European-style pension system), there's lots of people going after their money. Trying to prepare them for encounters with online and real world scammers is an ongoing process, e.g. by recounting the cases that I read in the news to foster mistrust.
I've lost count how often an elderly family member (who is still sharp as a tack fortunately) told me that the "police", "your beloved niece", or "Microsoft" called them.
> I've lost count how often an elderly family member (who is still sharp as a tack fortunately) told me that the "police", "your beloved niece", or "Microsoft" called them.
It's very sobering when we realize that we too will one day be just like them.
Right now my default reaction to phone call from unknown number is to ignore it instead of picking it up. Hopefully this will stay with me as I get older.
(my parents are notably different in this default)
Caller IDs can be easily spoofed. For example, you may receive a call from what appears to be your bank's fraud department. The person on the other side of the line may warn you of some (fake) suspicious activity and "send you" a one-time security code to verify your identity. In reality, the scammer has already gained access to your email account and is now trying to log onto your bank account, for which they need the one-time code.
There is an existing scam that goes something like that. I probably got some of the details wrong.
I'm like your parent commenter and I would expand on what they call "unknown number".
I don't take calls from "unknown or unexpected caller id". I had someone call me recently that I was actually expecting to call me. But their caller id had their personal name instead of the company I expected it from so I didn't take it. They can leave a message. And they did.
If "my bank" calls me but I don't expect it, the caller id can have my bank's name all it wants. They can leave a message and I'll call them back at a number I find on my card / online.
What might work is if I was expecting my bank to call me and then a scammer calls me with bank caller id. But they'd also need to know what it's about. I've also found that if you're already in contact with large companies and they call you back they very much don't use caller id at all. All their outbound calls say "unknown number". Had this while troubleshooting a phone number transfer.
If I do expect a call from an unknown number and thus take them, I still don't take phone calls with my name. I say things like "Hello". That's it. Then they many times ask "Is this so and so" without explaining who they are, which I find pretty rude and dumb. So my answer to that is: "The question is who you are and what you want". I've had many encounters where the answer from them then makes it clear they are legitimate and they probably thought I was rude but I'd rather be rude than out of my savings. Training for when I'm 80.
by "unknown numbers", I mean "not at my address book", which is pretty small. So this excludes my bank's security department - why would it be there?
And if a scammer spoofs my friend's number, I should be able to recognize it's not my friend, or at least understand that my friend won't need my bank code.
(Sadly modern phones don't make it easy to tell if the label is from your address book or from an external system. Adding personal suffixes to the end of names, like "John (from NY2020 party)", helps a lot with this.)
It won't be phone calls. We don't trust them. Our parents / grandparents did.
It might be a brain interface pushing intrusive thoughts. Our grandkids will quietly ignore these thoughts like zen masters because they recognized spam. It might be a perfect video chat from your spouse, all spoofed by AI. People will adapt but not us because it'll be new and emerging when we're already crystalized in our patterns.
My mother bought a house in a retirement village decades ago. A few years ago she had her land line disconnected. The reason is on weekends she was getting 20 or so scam calls a day. I asked around, and everyone in the village was getting these calls. But if you went a block outside of the village it all stopped. The scammers had identified the range of phone numbers used by land lines in the village, and rang them non-stop, for months on end.
A friend of mine has an e-bike with regenerative braking using a rear hub motor.
It seems to have a recovery efficiency of about one third.
We once went up about 1200m in altitude difference, where it was completely empty. After having gone down again, it had recharged enough to work normally for the remaining 20km of our trip, driving in flat terrain.
You're downvoted, but I agree. I found it basically a hodgepodge of 80s references over a basic story with one-dimensional characters (the heroes are Very Good and the bad guy is Very Bad). I would have assumed that it's aimed at young children, if the references weren't forty years before their time.
It's not just that, but also the main protagonist is written terribly and never given any real faults or challenges to overcome. During the entire book there is never a challenge that is not resolved by the next paragraph.
The Japanese friends that he makes are grossly stereotyped and are kept one dimensional during the entire book as well.
The main character also strikes me as incredibly creepy, and to a level where he could be classified as an para-social stalker. Just comes off as being a terrible person overall.
Spielberg's movie however is fantastic and one of those rare instances where the movie truly does outrank the book.
The film even has a proper ending which in itself is hugely thought provoking and something we definitely should consider. The book, if I remember correctly, just sets up for another book.
* Population is probably (it's actually a certainty in my mind) too high to be sustainable and it is still growing,
* Governments are terrified of population decrease because of the far-reaching effects on markets and public finances and are pushing for growth.
So it is a "less solved" problem than emissions as the IEA predicts that global fossil fuel demand will peak by 2025, possibly even this year.
It might be solved in some countries in the sense that population should now be naturally decreasing because of the low birth rate but it is in fact "not solved at all" considering the second bullet point above.
As a corollary, if a person you're responsible for "goes dark" socially (due to dementia, unable to go out anymore, moved to nursing home etc), do let their friendly social circle know (friends, neighbors) that the person would still be happy about visitors.
I've seen this with a relative with dementia - many people just weren't aware that she had no contact with them anymore due to this.
Indeed. A few years ago I ran across a comparison of old photographs of rural villages (early 20th century) in central Europe vs their present day appearance, taken from similar points of view.
Two things were immediately apparent from the old photographs:
- less forest
- tons of fruit trees
Fitting is also this anecdote I heard when visiting a historical mill. They had a huge linden tree in their yard, and they told us that in the olden days this was a symbol of prosperity, because the original owner showed off that they could afford to plant a useless, non-fruit-bearing tree - a status symbol.
Coming full circle - the best thing would be if we could plant tons of trees that also produce food - something like the baobabs https://en.wikipedia.org/wiki/Adansonia_digitata . E.g. pigs were fed oak's acorns in fall.
Exactly - there's probably a fluent transition between symbols and painting and writing and then alphabetic writing.
Territorial animals that we are, I'd add "here starts the territory of the Saber-Toothed Tiger Clan" signs to path markings as likely candidates for earliest symbolic communication.
Nice to see that the earliest examples of writing are still somewhat recognizable (as opposed to modern alphabets) - see https://en.wikipedia.org/wiki/History_of_writing - a hand, a foot, a goat or sheep.
Fun thing is, with modern technology we have regressed (advanced?) to a massive use of pictograms - a modern smartphone wielding human, in addition to the alphabet, knows at least a few hundreds or even thousands of pictograms ¯\_(ツ)_/¯
> there's probably a fluent transition between symbols and painting and writing and then alphabetic writing
I'm with you until we get to alphabetic writing, which has (to our knowledge) only been invented once. To get from other writing systems to an alphabet requires a few conceptual leaps which are much more challenging and, I would suggest, not fluent.
If it were a smooth path, we ought to have seen alphabetic scripts arise independently multiple times (as we have other forms of writing).
Not sure, but I think Hangul counts as a second invention of alphabetic writing.
If you count syllabic writing systems (which are not technically alphabetic, but are more so than Chinese, or Mayan or Egyptian hieroglyphics), there are more: Japanese hiragana and katakana, Cherokee syllabics, Pahawh Hmong, Vai (West Africa), and Linear B (and presumably Linear A).
There's also Thaana, the script used for Maldivian, which uses some Arabic script symbols, as well as Indic digits. So while it's semi-alphabetic (partly abugida), and it's derived from existing writing systems, it uses the borrowed symbols in unique ways.
There are other syllabic writing systems as well, like Inuktitut and Cree, but those were created by missionaries familiar with other writing systems.
> Not sure, but I think Hangul counts as a second invention of alphabetic writing.
It is my understanding that Hangul is believed to have been influenced by other alphabetic writing (e.g. Phagspa) which themselves descended from the original alphabet. Though it was a distinct creation, the core alphabetic idea was not independently discovered.
> If you count syllabic writing systems (which are not technically alphabetic, but are more so than Chinese, or Mayan or Egyptian hieroglyphics), there are more: Japanese hiragana and katakana, Cherokee syllabics, Pahawh Hmong, Vai (West Africa), and Linear B (and presumably Linear A).
Syllabic writing systems are significantly less powerful than the alphabet (hence why they have generally been superseded by alphabetic ones).
They have been invented multiple times, so you can argue the smooth slope goes up to syllabic writing, sure. But only once has that led to an alphabet.
> There's also Thaana
I hadn't heard of this, but Wikipedia seems to suggest it's descended from Phoenician like everything else (although it has made the step from abjad -> alphabet).
Alphabets may only have been invented once, but writing systems that have a (roughly, it's never perfect) 1:1 correspondence with the sounds of the language have been invented several times independently, e.g. in syllabaries (Japanese Kana are derived from Kanji) and abugidas. I would suggest that that conceptual leap is a much bigger one than the one of treating consonants and vowels as independent.
Syllabaries have been invented multiple times independently and an alphabet only once, which to me would suggest the alphabetic step is the harder one to make.
Why would you suggest the opposite? I'm a complete layperson in this area, so I understand my view might be quite limited.
The alternative possibility is that alphabets lend themselves much more naturally to adaptation for other languages, and so, once invented, they spread extremely fast - faster than it would take for another one to appear naturally.
Yes, that's a nice point - this adds censoring to our "data" on other writing systems. My intuition is that even if you accounted for exposure to an existing alphabet, the time-to-develop alphabet would still be much longer than for syllabaries or other writing systems, but that's a guess.
There's still enough people out there who don't know better, manually (or auto-renew) purchasing a new certificate every year from their hosting provider like it's 2013.
I have dealt with a banking environment where they required SSL with at least 1-year validity on the callback API URL. Which excluded Let's Encrypt.
We were looking for an SSL provider that had > 1 year certs AND supported ACME... for some reason we ended up with SSL.com that did support ACME for longer lasting certs; however, there were some minor incompatibilities in how kubernetes cert-manager implemented ACME and how SSL.com implemented ACME; we ended up debugging SSL.com's ACME protocol implementation.
Fun. We should have just clicked once per 3 years, better than debugging third parties' APIs.
No, I don't remember the details and they are all lost in my old work emails.
(Nowadays I think zerossl.com also supports ACME for >1 year certs? but they did not back then. edit: no they still don't, it's just SSL.com I think)
> I have dealt with a banking environment where they required SSL with at least 1-year validity on the callback API URL
Why are (some) banks always completely clueless about these things? Validating ownership of the domain more often (and with an entirely automated provisioning set-up that has no human weak links) can only be a good thing.
Perhaps the banking sector will finally enter the 21st century in another ten years?
The banking sector usually goes with "checkbox security".
They have these really, really long lists what all needs to be secured and how. Some of it is reasonable, some of it is bonkers, there is way too much of that stuff, and it overall increases the price of any solution 10x at least.
But OTOH I can hardly blame them, failures can be catastrophic there, as they deal with real money directly and can be held liable for failures. So they don't really care about security, and more about covering their asses.
Some of it is truly bonkers and never was good practice, but much of the irritating stuff is simply out-of-date advice. The banks tend to be very slow to change unless something happens that affects (or directly threatens to affect) the bottom line, or puts them in the news unfavourably.
Of course some of it is bonkers, like HSBC and FirstDirect changing the auth for my personal accounts from “up to 9 case-sensitive alpha-numeric characters” (already considered bad practice for some years) to “6 digits”, and assuring me that this is just as secure as before…
I don't think so, because it would also imply they were also throwing away anything non-numeric, and I really hope nothing that stupid was going on. When the change happened everyone had to establish a new password.
I read it as “we have been asked to integrate an ancient system that we can't update (or more honestly in many cases: can't get the higher-ups to agree to pay to update), so are bringing out other systems down to the lowest common denominator”. That sort of thing happens too often when two organisations (or departments within one) that have different procedures, merge or otherwise start sharing resources they didn't previously.
I won't go into the idiocies banks implement. They usually have to because totally incompetent people tell them they have to.
One of the practices was pathetic to the point of being funny: you had to input specific characters of your password (2nd, 4th, 6th, etc - this was changing at each login) AND there was a short timeout. My children probably learned a few new words when I was logging in.
It is very likely, yes. After a year or so of this practice (people were writing down their password with digits under the letters to quickly match the request) the bank said that they now propose two "secure login forms" - the older one and a new, normal one.
Some time later they silently removed the first one.
The problem is more likely one of regulation than technical knowledge. Banks hire very smart people who know that a lot of what they do is bullshit, but they're paid to comply with banking and security regulations that lag a long way behind technical advances. Banks are also inherently conservative in their technical choices, and for good reason.
> I have dealt with a banking environment where they required SSL with at least 1-year validity on the callback API URL. Which excluded Let's Encrypt.
I wonder if this would be an opportunity for revenue for Let's Encrypt? "We do 90-day automated-renewal certificates for free for everyone. If you're in an unusual environment where you need certificates with longer validity, we offer paid services you can use."
Probably better to keep LE / ISRG completely non-profit. Adding a profit motive has too big of a chance to end with actually security-relevant features being gated behind payment eventually.
It's less about the profit motive, and more about removing the remaining incentives to stay outside the ACME ecosystem. The funding would be to provide additional infrastructure (e.g. revocation servers for longer-lasting certificates), and to fund new such efforts.
But once there is an income stream from issuing certificates there is an incentive to increase it, which will quickly find itself at odds with the primary mission of providing secure connections to as many people as possible. Making infrastructure depend on that income stream only increases that incentive. Perhaps you trust the ISRG to resist the temptation, but as far as I know they are run by humans.
There are many, many opportunities in both the business and non-profit world to make more money by screwing your customers/users, and despite that, it does not always happen. Businesses and non-profits are built on the trust of users (or built in spite of the utter lack of it, e.g. Comcast). I don't think they should be afraid to provide things users need. It is, in fact, possible to choose and keep choosing to maintain the trust of your users.
I think there's still incentive alignment here. Getting people moved from the "purchase 1 year certificate" world (which is apparently still required in some financial contexts) into the ACME-based world provides a path for making a regulatory argument that it'd be easy for such entities to switch over to shorter-lived certificates because the ACME infrastructure is right there.
AFAIK there are things like Extended Validation Certificate Verification that used to make the browser address bar look more trustworthy by making it green, but I don't know if it's still a thing. At least in Safari, I don't see a green padlock anywhere.
I remember our boss really wanted that green bar, so we got an extended validation certificate. What we had failed to realise is that they would only be issued to the actual legal name of your company, but not any other names you may be operating under. We had a B2C webshop, where we wanted the EV cert, but because the B2C side of the business wasn't its own legal entity, the cert we got issued was for our B2B name, which none of our customers knew, and it looked like a scam.
The only good thing about dealing with certificate resellers at the time was that they were really flexible in a lot of ways. We got our EV cert refunded, or "store credit", and used the money to buy normal certificates.
Chrome 77 removed the prominent green EV badge. "A series of academic research in the 2000s studied the EV UI in lab and survey settings, and found that the EV UI was not protecting against phishing attacks as intended. The Chrome Security UX team recently published a study that updated these findings with a large-scale field experiment, as well as a series of survey experiments." [1]
Extended Validation can still play a role in a corporate's IT control framework; the extended validation is essentially a check-of-paperwork that then doesn't need to be performed by your own auditor. Some EV certificates also come with some (probably completely useless) liability insurance.
> Some EV certificates also come with some (probably completely useless) liability insurance.
Warranties / insurance on SSL certificates typically only pay out if a certificate is issued improperly, often in conjunction with other conditions like a financial loss directly resulting from the misissuance. Realistically, any screwup serious enough to result in that warranty paying out would also result in the CA being abruptly removed from browser root certificate programs.
Ah yes, I too remember when COMODO was ripped out of browsers in 2011 when it came to light they gave sign-anything rights to a bunch of resellers, one of whom was hacked. And then again in 2016.
And another fun one unrelated to signing was when they tried to trademark "Let's Encrypt" in 2015.
But yes, it is not a common issue and effort would be better focused on improving site security in other ways. (unlike the rest of my comment, this line isn't sarcasm.)
Yeah that also stopped being a thing. I'm really happy how Chrome and then other browsers gradually shifted the blame to insecure websites rather than highlighting "secure" ones.
You'll still find people online clamoring that EV certificates are worth anything more than $0, but you can ignore them just as well.
Huh? EV certificates are actually certifying you're the (juristic) person you're claiming to be based on ID and trade register checks, unlike Let's Encrypt certificates which only certify you're in possession of a domain. Isn't using EV certificates legally required for e-commerce web sites at least in parts of the world, and also obligatory for rolling out as a MasterCard/Visa merchant by their anti-fraud requirements, along with vulnerability checks and CI/site update processes being in place?
I guess the good thing there is that it's absolutely transparent that this is just a way to make you pay somebody else. Like the Jones Act (Merchant Marine Act, but everybody just calls it the Jones Act). The US government doesn't get a slice if you want to buy ships to move stuff from one part of the US to another, but it does require that you buy the ships from an American shipyard, and so those yards needn't be internationally competitive because the US government has their back.
Nobody is like "Oh, the Jones Act ensures high quality ships" because it doesn't, the Jones Act just ensures that you're going to use those US shipyards, no matter what.
Our company bans the use of letsencrypt because of the legal terms. Nobody at the CxO level will sign off on it, so we end up paying whatever to globalsign.
Doesn't necessarily have anything to do with knowing, some environments are just not worth automating or support it so badly that even paying twice or more would still be nothing compared to the annoyance. It's been getting better over the years though.
Sorry if this is a dumb question, but why? If I'm not mistaken, Let's Encrypt supports validation via DNS now so you don't even need to have a working webserver to issue a certificate. Automating a script to perform a renewal should be much simpler than headless Chrome!
If your DNS provider doesn't have an API, that seems like a separate issue but one that is well worth your organization's time if you're working in the enterprise!