Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Slashdot Deals: Cyber Monday Sale! Courses ranging from coding to project management - all eLearning deals 25% off with coupon code "CYBERMONDAY25". ×

Comment Re:How to avoid (Score 1) 66

The trouble is that DNS does not prevent an attacker from faking a subdomain either by a man-in-the-middle or by DNS cache poisoning. You can't prevent your web browser from accessing any non-http url unless you are willing to completely disable http connections from your computer. Any time you visit any web site it can direct your web browser to access an arbitrary, forged, plain text URL. Then, if they have succeeded in executing a MITM against you or managed to poison the DNS caches on your computer, your router, or your ISP's DNS server, they can set a cookie and use it hijack browser sessions. HTTPS Everywhere should help, provided that all of your financial institutions are supported. DNSSEC would help as well because it requires DNS responses for protected zones to be digitally signed.

Comment Re:dear clueless megacorp and mediocre middle mgmn (Score 5, Interesting) 103

The curios part about this is that this privacy leakage flaw has been know since 2012 and was reported in the media. Facebook didn't care.

Aran Khanna MADE Facebook care. I don't know if he was trolling Facebook or if he is just naive. Either way, I applaud his results.

Comment Re:Sounds Like A Scumbag Company (Score 1) 190

I agree with you about this not being a big deal. At this point it's just between two parties who both want to make money off a domain.

I don't know a whole lot about the "Anticybersquatting Consumer Protection Act", but according to Wikipedia:

In determining whether the domain name registrant has a bad faith intent to profit, a court may consider many factors, including nine that are outlined in the statute:

1 Registrant’s trademark or other intellectual property rights in the domain name;
2 Whether the domain name contains the registrant’s legal or common name;
3 Registrant’s prior use of the domain name in connection with the bona fide offering of goods or services;
4 Registrant’s bona fide noncommercial or fair use of the mark in a site accessible by the domain name;
5 Registrant’s intent to divert customers from the mark owner’s online location that could harm the goodwill represented by the mark, for commercial gain or with the intent to tarnish or disparage the mark;
6 Registrant’s offer to transfer, sell, or otherwise assign the domain name to the mark owner or a third party for financial gain, without having used the mark in a legitimate site;
7 Registrant’s providing misleading false contact information when applying for registration of the domain name;
8 Registrant’s registration or acquisition of multiple domain names that are identical or confusingly similar to marks of others; and
9 Extent to which the mark in the domain is distinctive or famous.[11]

Point by point...

1) Kneen has no relevant trademark as far as I know
2) The domain does not relate to his name
3) Kneen has not apparently used the domain commercially
4) The domain is not in use currently other than a redirect to his primary web site
5) I see no reason to think Kneen was trying to divert customers
6) Kneen may not have contacted the plaintiff, but he openly lists the site for sale on his own page. He has not, by all appearances, used the domain for a legitimate site. However, Office Space Solutions made some kind of offer to Kneen that he didn't like, giving weight to the argument that Kneen is trying to sell the domain at a profit.
7) Kneen has not tried to hide his identity
8) Kneen owns confusing domains related to Twitter and FTPAnywhere and possibly with some others I'm not familiar with.
9) The domain name is somewhat distinctive in my estimation, but not famous.

These items are not comprehensive and the courts are obviously free to consider whatever criteria they wish. Knowing how some similar cases have gone in the past, in my layman's opinion, I expect he will loose if this goes to court, but it probably wont get that far. Regardless of any potential fraudulent action by Office Space Solutions, the two parties will almost assuredly settle out of court for an undisclosed sum of money and the Internet will march on.

Comment Re:Sounds Like A Scumbag Company (Score 3, Interesting) 190

According to Kneen's web site, http://www.jasonified.com/doma..., workbetter.com is for sale. He currently has it redirecting to his primary domain name, www.jasonified.com. After looking at the list of domains he owns, including many that are Twitter related, he looks a lot like a cybersquatter.

Comment Re:Very effective, but.. (Score 1) 269

It's too bad no one has come up with a way for companies to denote what mail servers are legitimate senders on behalf of their domains...

All sarcasm aside, SPF records are easy to configure. If you (and by "you" I mean anyone reading this. I'm not directing this comment at the parent poster.) are responsible in any way for managing email for an organization, make sure the domain's SPF records are configured. Chances are your email or DNS service provider has an easy to use tool for writing the TXT record for you. Then, look into DKIM and DMARC once your SPF records are set. DEMARC has a nice reporting feature to alert you when your return addresses are being spoofed.

Comment Re:Codeword (Score 1) 479

Code words don't exist, but I'm convinced that tech support staffs keep notes on who knows what they are doing and who doesn't. After a few years at one job and having to call Dell every few months for warranty hardware replacements my calls to tech support got shorter and easier. It got to the point where it took about 10 minutes, after navigating the phone tree and waiting in the queue, for me to confirm my identity, answer a few questions, and having them send out a replacement part.

Comment Re:Government Intrusion (Score 1) 837

True, but it would not take them nearly as long to check your odometer after notifying you by mail that "You have been selected by random to have your odometer reading verified by an authorized agent of the Oregon Bureau of Motor Vehicles. You are required by law to present your vehicle at the designated BMV location on a Monday, Thursday, or alternate Saturday between the hours of 10:00 AM and 12:00 PM (weather permitting) not more than 30 days before the title holders birthday, prior to having your license tags renewed."