Become a fan of Slashdot on Facebook


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:It is "a random hash" (Score 1) 221 221

It would be bad form to reset the password when anyone clicked 'reset this accounts password' anyway. So until the link is followed, no action should be taken with regard to the account password anyway. This way a malicious person can't just denial of service a valid account by clicking 'reset my password'.

This means if an attacker is able to intercept your SMTP, they could still hijack your account through requesting a password reset at will, so it's not perfect, and yes some 2 factor authentication would be nice *if* it were an important site. Account creation needn't have this particular hole, just password reset.

If you didn't want to SMS, you could use TOTP (e.g. google authenticator is one implementation, but not the only one). Though either way that's something to potentially lose so it would be a suggestion option for those increasing security.

Comment: Re:It is "a random hash" (Score 1) 221 221

The idea is that the user set his password via (presumably) secure https. The purpose of the random hash is so that you provide the legitimate email user a transient secret that must be used *in conjunction* with the password they had chosen (or some session cookie sent via https to avoid making them log in twice when clicking on the email).

So here the password is to authenticate that the original person that accesses the site, the hash authenticates a valid email account. Both together are required to verify the account is valid. This way someone intercepting SMTP doesn't get access to hijack account and someone without a valid email can't get an account activated.

The Internet

North America Runs Out of IPv4 Addresses 267 267

DW100 writes: The American Registry for Internet Numbers (ARIN) has been forced to reject a request for more IPv4 addresses for the first time as its stock of remaining address reaches exhaustion. The lack of IPv4 addresses has led to renewed calls for the take-up of IPv6 addresses in order to start embracing the next era of the internet.

Comment: Re:systemd (Score 1) 382 382

eth0 being renamed to biosdevname and then 'consistent' device naming happened outside of systemd per se. It's one of the various questionable things that came along at about the same time as systemd, and systemd gets the blame for *all* of them, when it only brought some of it. E.g. complaining about binary logs, you can aim that square at systemd. Most of the other prominent rants commonly fired at systemd are either dbus, networkmanager, udev, or something else in reality.

The network device naming is one facet where they can't win. The ethX has problems, and so does the current state of consistent device naming (notably that if an adapter veers off into being enumerated by pci, it's probably a lost cause in all but the most extremely homogenous environment and doing those names is just causing more trouble than helping)

Comment: Re:He answered the most boring questions! (Score 3, Interesting) 162 162

I agree that Torvalds isn't the authoritative god of all that makes up a distribution and as such his opinion is one to be considered, but no the only one.

Also he speaks to the biggest fundamental controversy, the log strategy/format. I agree with Torvalds, that the capabilities of systemd are interesting, but I personally find the bathwater that comes with it troublesome enough to not want it. That and how they engage with the community at times. A lot of the other gripes about systemd are more implementation mistakes that are unintended and often addresed, but this part is very explicitly intentional and counter arguments have been dismissed out of hand.

Comment: Re:Good idea (Score 1) 106 106

Sometimes you don't have a choice in an interoperable piece of software. In an aggresive world that tosses away backwards compat in the name of security, you'd either have to toss out a bunch of perfectly ok equipment because you *can't* talk to it anymore, or stick to outdated software to protect the investment, which may have unfixed vulnerabilities because the versions that fix things also dropped support for your needs.

Comment: Re:Good idea (Score 1) 106 106

All the known broken facets of MD5 have zero applicability to HMAC usage scenario. The only part of it that weakens HMAC is that SHA256/SHA512 are more computationally expensive.

If someone knows a weakness in HMAC-MD5, it's hard to imagine it would be related to any of the known broken parts of MD5, and thus HMAC-MD5's chances of being broken might not be so different than any other HMAC use of a hash.

Yes HMAC-SHA2 is the best choice now. Now it's not a good reason to go nuts over things that use HMAC-MD5 today.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.