


Comment Re:OpenID Connect scales at O(n^2) (Score 1) 348

Trial and error, I expect. Look at what other sites do. I realize that this isn't a very good answer. There isn't a good answer, just bad answers that are still better than passwords. Classic OpenID isn't the answer because users don't know how to use it and many RPs don't trust random providers. But as a practical matter providing login with, say, Google, Facebook, Yahoo and AOL will give better than 95% of your users the ability to log on with better security than the password-based model you'd build, and do it just by clicking a couple of buttons.

If you find that your user base tends to have an account with some other provider (no, I can't tell you how to find out who your users are or what they use), then add that.

Comment Re:Wow, end of an era. (Score 1) 144

He was saying that the SS10 could handle 512 MB in 1992, at a time when the best PCs were maxed out at 32 MB or so.

The SS10 takes proprietary memory, and I know there was a firmware update that allowed it to use larger (32 MB, I think) sticks at some point. Ultimately, I don't think there was any way to put 512 MB into a SS10 in 1992, even if the machine did eventually support it. I think 128 MB was more likely, though even that's very good for a desktop box back then.

As for 128 MB SIMMs in 1992, I have my doubts. This chart doesn't really try to list *everything* that was available, but even so -- it doesn't list 128 MB sticks until 1999. (It doesn't mention 64 MB sticks until 1999 as well, so clearly, it's missing some stuff.)

According to this, there were 64 MB SIMMs available in 1995 for a massive price -- $2600 each. (I didn't try to find the ad itself, however.)

Comment Re: A plea to fuck off. (Score 1) 348

SMS-based approaches are certainly better than passwords alone; but I have a few areas of dislike for them:

They require an active cell link and a live phone, so are bad news if you are trying to log in in the bowels of some structure, with a phone that has a dead battery, or while travelling outside your non-ridiculously-priced service area. It also tends not to be a problem in practice; but SMS is 'best-effort', so if the system is being flaky then that's just too bad. Essentially, it isn't a 'second factor' at all; but a secondary channel that is assumed not to be compromised.

Then there is the matter of the site needing your phone number. For some applications, that doesn't matter: your bank already knows way more than that about you, say. For others, I'm not so enthusiastic about providing a relatively persistent, and spammable, identifier (also fairly robustly tied to me by payment data, unless I get a burner specifically for dealing with auth issues) to any lousy little website that wants it.

Finally, I'm not terribly confident about the medium-term security of SMS if it becomes a common '2 factor' authentication method. Mobile OSes tend to be a bit more locked down than desktops; but hardly infallible, and the security of SMS gateway providers (who sites using SMS auth presumably employ to interface with the phone network) is an unknown and possibly not comforting factor.

RSA fobs are ultimately an inferior option because they cannot be safely shared across multiple systems, and carrying a fistful of the things is ridiculous (plus, the pricing is usurious); but smartcard/NFC cryptographic authentication has none of these weaknesses. The hardware is cheap, it doesn't require a secondary channel to be available, certificates are relatively tiny so you can carry an enormous number of them without issue; and you can implement certificate auth with varying levels of connection with user 'identity'. On the relatively anonymous side, the user can just generate a keypair and send the public key when they create an account. Trivially handled on the client end, no interaction with outside entities. At the other extreme, hierarchical PKI systems make it possible to robustly verify the user's affiliation with a given organization if the situation requires it. The trouble, of course, is the lack of card readers/NFC pads on a lot of contemporary computers and mobile devices. A great pity.
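The "generate a keypair, send the public key at signup" login that the comment above sketches, worked through as an added example (this is not code from the original thread). It uses Go's standard-library Ed25519 for a challenge-response login: the server stores only the public key, issues a random nonce per attempt, and accepts a signature over that nonce once. The message prefix, the 60-second challenge lifetime and the user names are assumptions made for illustration; in a real deployment the private key would live on the smartcard or NFC token rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// challenge is one outstanding login nonce; it is consumed on first use.
type challenge struct {
	nonce   []byte
	expires time.Time
}

// Server holds one public key per account and at most one open challenge
// per account. No secret about the user is stored server side.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string]challenge
	now        func() time.Time // injectable clock so expiry can be tested
}

func NewServer() *Server {
	return &Server{
		users:      map[string]ed25519.PublicKey{},
		challenges: map[string]challenge{},
		now:        time.Now,
	}
}

// Register stores the public key the client generated locally at signup.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("register: bad public key size")
	}
	if _, exists := s.users[user]; exists {
		return errors.New("register: account already exists")
	}
	s.users[user] = pub
	return nil
}

// Challenge issues a fresh 32-byte random nonce for one login attempt.
// (Assumption: 60 s is a reasonable lifetime for a tap-to-sign flow.)
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("challenge: unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = challenge{nonce: nonce, expires: s.now().Add(60 * time.Second)}
	return nonce, nil
}

// Authenticate checks a signature over the outstanding challenge. The
// challenge is deleted before verification, so a replayed signature fails
// even if verification itself would have succeeded.
func (s *Server) Authenticate(user string, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("auth: unknown account")
	}
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("auth: no outstanding challenge")
	}
	delete(s.challenges, user)
	if s.now().After(c.expires) {
		return errors.New("auth: challenge expired")
	}
	if !ed25519.Verify(pub, loginMessage(user, c.nonce), sig) {
		return errors.New("auth: bad signature")
	}
	return nil
}

// loginMessage binds the signed bytes to this purpose and account so a
// signature obtained in another context cannot be replayed as a login.
// The prefix is an assumed domain-separation tag, not a standard.
func loginMessage(user string, nonce []byte) []byte {
	return append([]byte("example-login-v1:"+user+":"), nonce...)
}

// Client is the user's side: the private key never leaves it.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{user: user, priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

func (c *Client) Sign(nonce []byte) []byte { return ed25519.Sign(c.priv, loginMessage(c.user, nonce)) }

// RunLogin performs one complete challenge-response exchange.
func RunLogin(s *Server, c *Client) error {
	nonce, err := s.Challenge(c.user)
	if err != nil {
		return err
	}
	return s.Authenticate(c.user, c.Sign(nonce))
}

func main() {
	s := NewServer()
	alice, _ := NewClient("alice") // "alice" is a constructed sample account
	if err := s.Register("alice", alice.PublicKey()); err != nil {
		panic(err)
	}
	fmt.Println("login:", RunLogin(s, alice)) // login: <nil>
}
```

The two checks a practitioner cares about are in Authenticate: the challenge is single-use (deleted before verification) and time-limited, and the signed message carries the account name and a purpose tag. Without the tag, a signature the user produced for some other service could be presented here as a login.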

Comment Slashdot summary, as usual, misses the point (Score 5, Informative) 81

If we're going to talk about Callaway's Points of Fail, and create a link in the Slashdot summary that *looks* like it takes you to that list, then perhaps there should actually be a link to the list.

Callaway's original Points of Fail blog post.

You know, instead of the usual Slashdot way of pointing to an article wrapper that talks briefly about some of the points and then eventually links to the real list.

Comment Re:And why do they still need to prove this? (Score 1) 68

Unfortunately, as our fine folks in the TAO group have apparently proven on multiple occasions, even people with fancy access control tend to have very little power until the package shows up at their loading dock. What happens earlier in the process is less encouraging.

Comment Re:Old news is so exciting (Score 5, Insightful) 68

It isn't conceptually novel; but doing a practical TEMPEST attack with nothing but a dumbphone, with a fairly unobtrusive software modification, rather than a relatively classy SDR rig or some antenna-covered fed-van is a nice practical refinement.

Really, how many 'tech news' stories are actually conceptually novel, rather than "Thing you could lease from IBM for the GDP of a small country in the 60s and 70s, or buy from Sun or SGI for somewhere between the price of a new house and the price of a new car in the 80s and early 90s, is now available in a battery powered and pocket sized device that shows ads!" Conceptual novelty has a special place, of course; but one ought not to scorn engineering refinement.

Comment Re:Whats left unsaid... (Score 1) 116

The FCC can't strike down a state law. They can argue in court against it or work towards its repeal. They aren't that powerful.

I'm going to have to leave this now, but as a parting shot: The Washington Post explicitly says that the FCC does indeed have the power to "preempt" state law (direct quote). (As I understand it, without having to go via a court, though I assume that the state can sue the FCC if they want to appeal the decision.)

Is this a mischaracterisation of the actual legal process?

Comment Re:Wait, you have to TYPE the password??? (Score 1) 348

When the services go down, you can't log in to the relying sites. Luckily, core infrastructure like the account systems is a very high priority for the engineers, and the big providers have plenty of resources to keep them up -- and they do. My bank's site is down far, far more often than Google's auth servers, for example. How much more often? I don't know... I've never seen Google's auth servers down.

Comment Re:OpenID Connect scales at O(n^2) (Score 1) 348

Pick the top several and you'll cover nearly everyone. For the tiny percentage of users that remains, you have to either offer password auth (which means all of the work and risks of maintaining a password system, but at least when you screw it up only a tiny percentage of your users will be affected) or push them to get an account with one of the providers you support.

Comment Re:Or let us keep our hard-earned money (Score 1) 543

There is no such thing as an idiot proof flat tax.

Businesses by their nature have very complicated taxes. We'll let them write off a $45,000 truck to deliver product but not a $45,000 Mercedes (unless you are in the limo business, in which case you might be able to after all).

Wealthy people, by their nature, have very complicated taxes. Is this a business trip or a holiday? Is this a business lunch or a personal lunch?

We can reduce the loopholes (temporarily) but corporate-bought representatives will put them right back in. The flat tax by its nature is either regressive OR has a massive deduction for everyone, which means many of the poorest won't be paying taxes (just like now).

Each share of the national spending last year was $10,000 for every baby, child, senior, and working person. It's about $20,000 if you restrict it to adults who have earnings. That means, unless people can earn well over $20,000, there is no point in working under a totally flat tax. Which means it must be progressive (you have to take money from those who have money to pay).

AND it ignores state and local taxes which are currently higher on the poor than the middle class and higher on the middle class than on the wealthy in every single state. In some states, it's 12.9% for the poorest but under 1% for the wealthiest.

Comment Re:Wow, end of an era. (Score 1) 144

I was asking about the Sparcstation 10, not a PC.

Wikipedia says "The SS10 can hold a maximum of 512 MB RAM in eight slots", so that means we need 64 MB modules for it, and I'm not sure they were available yet in 1992.

I've got a SS20 in my garage, and it's got 208 MB of memory -- which wasn't too bad at all, "back in the day" anyways.

Comment Re:Wait, you have to TYPE the password??? (Score 1) 348

Copy/paste cache scrapers exist, and are common for browsers with bugs. Training people not to copy/paste passwords is a good idea.

You're promoting perpetuating a long-standing, widespread and hugely-damaging user security error in order to avoid a relatively obscure problem which can actually be fixed through purely technical means. Not a win.

Comment Re:OpenID Connect scales at O(n^2) (Score 1) 348

What you describe as a problem is actually part of the solution. The problem with classic OpenID was that it was virtually impossible to get, say, 1st Bank of MyButt to use it, because absolutely anyone could be an identity provider. I personally agree with you that classic OpenID was better in that respect, but 1st Bank of MyButt doesn't. They're hemming and hawing about letting Google manage their users' identities, but they will at least consider it.
