
Comment: Re:How does it secure against spoofing? (Score 1) 82

by Opportunist (#48198589) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

The system you describe has been implemented often. Most often I've seen it with online games and the like where the main threat is the use of credentials by a malicious third party (i.e. some account hijacker stealing username and password, logging into your account and doing nefarious things with it). For that, you don't need a dongle. You need two synchronized devices that output the same (usually numeric) key at the same time. Basically you get the same if you take a timestamp, sign it using PKI and have the other side verify it. If you have two synchronized clocks, transmitting the signature (or its hash) suffices. That doesn't really require plugging anything anywhere, although it probably gets a lot easier and faster to use if you don't have to type in some numbers and instead have a USB key transmit it at the push of a button.

But that's no silver bullet. All it does is verify that whoever sits in front of the computer is supposedly who they claim to be and entitled to do what they're doing. It does NOT verify what is being sent, or that the content being sent is actually what this user wanted to send.

If anything, it protects Google rather than the user. Because all that system does is make whatever is done by the user of the account non-repudiable. Because whatever is done, it MUST have been you. Nobody else could have done it, nobody else has your dongle.

Comment: Re:How does it secure against spoofing? (Score 1) 82

by Opportunist (#48198461) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

Technically, "real" two-factor authentication, with two different channels involved, requires an attacker to infect and hijack BOTH channels if he doesn't want the victim to notice it.

As an example, take what many banks did with text messages as confirmation for orders. You place the order on your computer, then you get a text message to your cell phone stating what the order is and a confirmation code you should enter in your computer if the order you get as confirmation on your cellphone is correct. That way an attacker would have to manipulate both the browser output on the computer and the text messages on the phone to successfully attack the user.

In other words, it of course does not avoid the infection. It just makes a successful attack much harder and a detection of the attack (with the ability to avoid damage) much more likely.
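Worked example (added here, not code from either of Opportunist's comments): a Python sketch of both mechanisms described above, the synchronized-clock code from the earlier comment (RFC 6238 TOTP on top of RFC 4226 HOTP, the shared-secret HMAC variant rather than PKI signing) and the bank-style confirmation code from this one, bound to the order details shown on the second channel. The shared secret, order fields and timestamp are constructed values, and deriving a per-transaction key from the order text is an assumed design, not how any particular bank does it.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the shared clock divided into `step`-second
    slots, so two devices with synchronized clocks produce the same code."""
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current slot and +/- `skew` neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-skew, skew + 1) if counter + d >= 0)

def _bound_key(secret: bytes, order: dict) -> bytes:
    """Per-transaction key derived from the shared secret and the canonical order
    text, i.e. the same payee/amount the second channel (the SMS) shows the user."""
    canonical = "|".join(f"{k}={order[k]}" for k in sorted(order)).encode()
    return hmac.new(secret, canonical, hashlib.sha256).digest()

def transaction_code(secret: bytes, order: dict, at: int) -> str:
    """Confirmation code valid only for exactly these order details and time slot."""
    return totp(_bound_key(secret, order), at)

def verify_transaction(secret: bytes, order: dict, code: str, at: int) -> bool:
    """The server recomputes the code from the order it actually received, so an
    order altered in the browser no longer matches the code texted to the phone."""
    return verify_totp(_bound_key(secret, order), code, at)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"             # constructed, not a real key
    order = {"payee": "ACME Ltd", "amount": "120.00"}  # constructed order
    now = 1_414_000_000                               # fixed timestamp, reproducible run
    code = transaction_code(secret, order, now)       # what the bank would text the user
    print("genuine order accepted:", verify_transaction(secret, order, code, now))
    tampered = dict(order, amount="9120.00")          # order altered on the infected PC
    print("tampered order accepted:", verify_transaction(secret, tampered, code, now))
```

The first two functions reproduce the published RFC 4226/6238 test vectors (secret `12345678901234567890`, counter 0 gives 755224, T=59 gives 94287082 with eight digits); the last two show why the user has to actually read the order in the SMS before typing the code.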

Comment: Re:Pusher beam, not reversible tractor beam (Score 1) 60

by TheCarp (#48197555) Attached to: Australian Physicists Build Reversible Tractor Beam

Hmmm, I don't understand why the distinction matters or why "tractor beam" needs to mean something so specific. At a very high level the overall effect is "I turn on the beam, and this object is moved towards me".

As long as the manipulated object is manipulated by the beam and is passive in its interaction (that is, it is not appreciably changed and contributes no energy of its own that was not imparted by the beam), then "tractor beam" seems just fine to me.

Whether it is some sort of attractive force or slightly heating the object asymmetrically to produce a force due to air is just implementation details and doesn't change the overall function.

Comment: How does it secure against spoofing? (Score 5, Insightful) 82

by Opportunist (#48196909) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

What keeps me (or my malware, respectively) from opening a Google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fooling the dongle into recognizing it and the user into pressing the a-ok button?

A machine that is compromised is no longer your machine. If you want two factor, use two channels. There is no way to secure a single channel with two factors sensibly.

Comment: Re:Recognition (Score 1) 111

by DarkOx (#48196831) Attached to: 'Microsoft Lumia' Will Replace the Nokia Brand

Yeah, but the hatred of Microsoft is more resentment and jealousy than anything else. Sure, geeks hate them, but nobody else really does. Microsoft, like IBM before it, represents safety in a confusing marketplace. Nobody ever got fired for buying Microsoft, just like nobody ever got fired for buying IBM before that.

Microsoft has lost the consumer phone space. They have not yet decided they won't try, but they know trying to get teens and college kids to think their phones are 'cool' and/or convince homemakers they are easy and safe would mean dislodging incumbents who have invested lots in that messaging already and have largely succeeded and are now seeing those ideas entrenched. Nokia still has some cachet there; if they were going down that road they'd pick Nokia.

Microsoft is instead going with their old top-down we're-gonna-force-it-on-you strategy. The business mobile space has tons of companies that still don't have device deployment beyond the sales force, and large orgs that are fleeing the sinking Blackberry ship. They can land those deals; right now all the policy management and such absolutely sucks for iOS and Android, it's all half-baked and has more holes in it than a Swiss cheese. Microsoft is a brand you sell IT managers on. It's familiar, and rule 0 of marketing is that familiarity is more important than likability. People will knowingly select a brand they have had negative past experience with over the unknown.

IT manager thinking works like this: durr herp derp Samsung they make TVs; now Microsoft they make IT solutions! derp.

The truth is Windows Phone probably can/will score better on their myopic scorecard spreadsheet too; Microsoft knows how to win the weighted decision matrix game. Which we all should know is a tool managers everywhere use to give a veneer of objectivity to their most subjective and prejudiced decisions. I look forward to the TCO whitepapers streaming from servers in 5 . 4 . 3 . 2 . 1. What relevance do the categories and metrics chosen have to do with anything? Well, they will have been 'scientifically' chosen to make Microsoft look good.

Comment: Re:This could be really good for Debian (Score 1) 486

by ThePhilips (#48195787) Attached to: Debian's Systemd Adoption Inspires Threat of Fork

That's a feature, not a defect.

If you want a distro that develops, there's always Ubuntu or Fedora.

My point wasn't that Debian is being developed too slow. QA has never been fast.

My point is that Debian nearly always distances itself from the development and the developer community.

In another comment I also mentioned APT. If Debian was today debating a packaging system, they would never ever opt to *develop* APT like they did in the past, but they would take RPM and try to live with it.

Otherwise, just look at two good examples of distros evolving: SUSE Studio and Ubuntu Launchpad. Lots of things which happen there rarely see the daylight - but they allow the distro to play a proactive role in bringing together the developers and users. (But of course, SUSE Studio and Launchpad are targeted at two different kinds of "developers" - the first is for developers of distros and the second is for the developers of the software.) That might seem superficial, but it allows the distro to actually learn about the new trends and things people are doing with the software. They need much less guessing about what/how to do in the next release. OTOH Debian, besides the heavily unreliable popcon, is very very much closed and unto itself.

That distance also plays a role in how Debian's decisions are made. You can't roll out something new and experimental in Debian and expect it to be adopted in Debian main later. No. Because Debian wants to have a project with a proven track record. And you can't get the "proven track record" *in* Debian - because the project will not be accepted without a "proven track record". That is why the development happens in Fedora, Ubuntu and SUSE. Rarely in Debian.

And why is this on-topic? Because Debian with the migration to systemd would in some aspects become Red Hat, which is not something I'm particularly happy about. Because, though RH doesn't develop much of systemd itself, it does quite a lot of work on systemd integration. Because they played a role in its development. They gave the project a fighting chance. And all it took for them was to say to the developers: OK. At the same time, if you check the history of attempts to bring upstart into Debian (which is much longer than the systemd discussion), Debian wasted literally years discussing, and mostly dismissing, upstart because it was used by only one distribution, despite Canonical's pledge. Result? Red Hat has nurtured systemd - and Debian has strangled upstart.

Comment: Budgeting....always a problem (Score 1) 310

by TheCarp (#48195601) Attached to: Speed Cameras In Chicago Earn $50M Less Than Expected

I really do think budgeting is one of the places where one has to be the most careful about creating perverse incentives.

Frankly, cities should not be using fines in budgeting, but rather should have a designated fund for ALL fines and fees to go into, which should simply be added to next year's base tax income or used to offset a portion of the budget entirely unrelated to the fine.

In this way, while there may be a sort of general incentive to increase general revenue, the one thing you don't want is any department with any control over either enforcement or policy making seeing any direct effect on its budget from the making or enforcing of the policy.
