Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Comment Re:Wait, you have to TYPE the password??? (Score 1) 346 346

When the services go down, you can't log in to the relying sites. Luckily, core infrastructure like the account systems is a very high priority for the engineers, and the big providers have plenty of resources to keep them up -- and they do. My bank's site is down far, far more often than Google's auth servers, for example. How much more often? I don't know... I've never seen Google's auth servers down.

Comment Re:OpenID Connect scales at O(n^2) (Score 1) 346 346

Pick the top several and you'll cover nearly everyone. For the tiny percentage of users that remains, you have to either offer password auth (which means all of the work and risks of maintaining a password system, but at least when you screw it up only a tiny percentage of your users will be affected) or push them to get an account with one of the providers you support.

Comment Re:Ouya was all false promises. (Score 1) 86 86

I get that prompting for a CC# at boot is not particularly friendly, but I fail to see how it is even related to being "a home console for everyone, freedom from the big publishers and for everyone to develop". Fact is very few (any?) big publishers put anything on the platform, there were tons of indie games, and you certainly can turn any box into a dev kit. Seems like they fulfilled those promises.

The fact that it was underpowered and the games didn't appeal to me is what made me sell mine (at a profit, somehow!). I don't believe anyone was screwed.

Comment Re:Wait, you have to TYPE the password??? (Score 1) 346 346

Copy/paste cache scrapers exist, and are common for browsers with bugs. Training people not to copy/paste passwords is a good idea.

You're promoting perpetuating a long-standing, widespread and hugely-damaging user security error in order to avoid a relatively obscure problem which can actually be fixed through purely technical means. Not a win.

Comment Re:OpenID Connect scales at O(n^2) (Score 1) 346 346

What you describe as a problem is actually part of the solution. The problem with classic OpenID was that it was virtually impossible to get, say 1st Bank of MyButt, to use it, because absolutely anyone could be an identity provider. I personally agree with you that classic OpenID was better in that respect, but 1st Bank of MyButt doesn't. They're hemming and hawing about letting Google manage their user's identities, but they will at least consider it.

Comment Re:Wait, you have to TYPE the password??? (Score 1) 346 346

You're actually very wrong. Long complicated passwords are horrifically impossible to remember causing people to write them down or store them in managers with simpler passwords to open the manager.

Putting them in password managers is the right thing to do.

Length is all that matters for passwords. You're better off with "thatswhatshesaid" (26 ^ 16) than "B4c0nL0v3r!" (72 ^ 11). You're 162 times better off, in fact.

26 ^ 16 = 43,608,742,899,428,874,059,776 72 ^ 11 = 269,561,249,468,963,094,528

https://xkcd.com/936/

You're wrong. Hilariously so.

The entropy of "thatswhatshesaid" is far lower than 43,608,742,899,428,874,059,776. Randall Munroe calculated correctly in the XKCD comic, of course. He didn't assume that each letter was random, he assumed he was choosing four words at random from a dictionary of a specific size (about 2048 entries == ~11 bits of entropy per word). Your password is clearly not a selection of randomly-chosen words, and even if it were, it would likely have been from a much smaller dictionary.

This highlights the danger of asking users to pick passwords... even those who think they know what they're doing are likely to screw it up. Munroe's advice in 936 was good... but I think it has mislead more people than it has enlightened.

No, it's much better to use a password manager and let a computer pick large random passwords for you.

Comment Re:I have no fear of AI, but fear AI weapons (Score 1) 274 274

Well, robbery would be a bit tougher than general mayhem. In the foreseeable future you'd probably need a human in the loop, for example to confirm that the victim actually complied with the order to "put ALL the money in the bag." Still that would remove the perpetrator from the scene of the crime. If there were an open or hackable wi-fi access point nearby it'd be tricky to hunt him down.

This kind of remote controlled drone mediated crime is very feasible now. It wouldn't take much technical savvy to figure out how to mount a shotgun shell on a quadcopter and fly it to a particular victim (if you have one). That's a lot less sophisticated than stuff terrorists do already; anyone with moderate technical aptitude could do it with off-the-shelf components. I'm sure we'll see our first non-state-actor controlled drone assassination in the next couple of years. Or maybe a hacktivist will detonate a party popper on the President or something like that.

Within our lifetime it'll surely be feasible for ordinary hackers to build autonomous systems that could fly into a general area and hunt down a particular victim using facial recognition. People have experimented with facial recognition with SBCs like the Raspberry Pi already.

You can forbid states from doing this all you want, but as technology advances the technology to do this won't be exotic. It'll be commonplace stuff used for work and even recreation.

Comment Re:Wait, you have to TYPE the password??? (Score 3, Interesting) 346 346

If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...

Parent was modded funny, but this is what your passwords should look like -- long and random, and typing them is a PITA. Any web site that disables pasting or prevents your browser or extensions from auto-filling passwords is broken. The sad thing is that most sites that do this (other than those that do it by accident because the devs are clueless) do it because they think they're increasing the security of their users' accounts. They're not.

Solutions like LastPass et al are the best, but honestly just using your browser's password database is better than reusing passwords everywhere. And Chrome and Firefox (at least, perhaps others) offer the option of keeping your passwords synced to all of the devices you use, optionally protected with a master password. Browsers need to offer password generation as well. I think some are working on it.

Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication. Yes this means that most users will use their Facebook or Google logins, which means that, essentially, the site has outsourced its account security to those other entities. So what? If the developers of random web sites think they can do a better job of account security than Google or Facebook -- they're wrong . I work for Google and previously spent a decade as a security consultant in the financial industry and after seeing how they all work from the inside, I would feel much more secure about my bank account if I could use my Google account (with 2FA, plus all of the analytics and monitoring Google does) to log into it rather than trusting the bank to do a decent job with password-based security. I haven't seen Facebook's infrastructure, but I know people who work there, and they're good. Far better than you'll find at a typical bank, much less J. Random Web Developer.

Comment Re:Same likely holds true... (Score 1) 245 245

The same thing could likely be said of all obtrusive advertising: it is a nuisance not a benefit.

They aren't exactly the same, because interstitial ads aren't just obtrustive, they're interfering. You can't simply mentally resolve to ignore them; if you want to continue you've got to either follow the ad or find a way to dismiss it. This presents the user with a Hobson's Choice: physically respond to the ad, or go back.

A lot depends on how motivated you are to get at the content. If it's something you've clicked out of idle curiosity, you'll back away. If it's something you really want to see you'll fight your way through. Since so much traffic on the Internet is driven by idle curiosity, the 69% figure doesn't surprise me at all. What would be interesting is to disaggregate that figure by types of target content.

Comment Re:Wesnoth isn't a game. Not really. (Score 1) 57 57

And the community doesn't respond well to these or any other criticisms. They like the random element, they don't seem to give a crap about characterisation, world build, lore or story telling.

FWIW, I'm not a member of the community. I play Wesnoth off and on for a few weeks every couple of years. I also like the random element and don't much care about characterization, world-building, lore or storytelling. Not that I don't like those things, just that Wesnoth is more of an occasional light diversion for me, so those things don't mean much.

Comment Re:Summary is wrong, management didn't "freak" (Score 1) 428 428

And why shouldn't they allow peer bombs? If the work was so great, then it more than justifies the $625 (5 people).

Sure, it does, which is why managers convert such things into spot bonuses -- which are generally several thousand dollars.

The downside of rewarding primarily with peer bonuses is that it might create a culture of doing good stuff for peers in order to collect peer bonuses rather than doing good stuff for peers because it's abstractly good to do good stuff for peers. I don't know how real it was or was not, but I have heard that some obnoxious Googlers with special skills or access or knowledge made a habit of demanding multiple peer bonuses before being willing to do some task for some other team that needed it. The "one bonus per" rule pretty much eliminates that because -- to people as well-compensated as Googlers -- a single $125 bonus isn't worth the overhead of negotiating; it's much more effective to just be "nice" and do stuff for people who need it, gathering the occasional peer bonus and lots of kudos, as well as building the network of people who will offer support at promotion time and/or help you out when you need it.

The effect is the same: it incents employees with special skills or access or knowledge to help their peers, but makes it more of a "gift economy" where everyone tries to be helpful to others in expectation of eventual good karma coming back to them, rather than one of barter and bargaining in which people jealously protect their advantages.

Comment Re:Summary is wrong, management didn't "freak" (Score 1) 428 428

Management didn't "freak". [...] Erica Baker's manager wasn't happy about it

For a Googler, your ability to reason logically, be critical and optimistic at the same time, and tersely state balanced, affect-free facts based on data, is weak.

"One front-line manager" != "management". The latter implies higher levels of company leadership.

If you have to ask how much it is, you can't afford it.

Working...