
Comment: Re:The author doesn't understand Herbert (Score 1) 219

Frank is a deeper fellow than all but a few really grasp.

His books were largely philosophical treatises and it's so often disappointing to talk with people who can't see past the superficial stories that he uses to explore an element of philosophy. I'm surprised that anyone can get through the entirety of Dune without that dawning on them, but it becomes much more clear when you start reading his other works (especially those not set in sci fi settings).

Comment: Re:EVs are a PITA (Score 2) 597

Because the population of people that own EVs is drastically smaller than the population of people that don't own EVs. Current EV owners represent the self-selected group of people for which owning an EV is a better choice (and can afford to purchase a new car). That the vast majority of people haven't walked away from ICE cars should be an indicator that they are not an appropriate choice for most people. (And I say this as a satisfied EV owner. It works for me, but not for everybody.)

Your statement makes just as much sense as saying that there are people in Venice who own a boat and walked away from cars, so boats obviously present much less hassle than cars. My neighbor who started a roofing company replaced his sedan with a pickup truck and hasn't looked back; pickup trucks must present far fewer hassles than sedans. Do you understand context?

Comment: Re:Responses (Score 1) 243

I just wondered if there was any good way to protect the "login ticket" (the mail containing the one-time-use code) from interception in the 24 hours between when it is sent and the expiration time that we store.

For account creation, you can do this by requiring that the user authenticate with their username and password to use the "login ticket". If they know all of the authentication details and have control of the email account, there's really no way to distinguish them from a legitimate user (from your limited perspective). That said, acquiring all of the account details (including the password) and gaining access to the user's email account in a short time window represents an attack that's only likely for an account on a very important system and you (I) wouldn't deploy such a system with email as the only means of verification.

Things are more difficult for password reset requests because the user doesn't know their login details, but that's a different scenario from the account generation one. You have to make security compromises in the name of convenience if you want a user to be able to reset their password from a link in an email alone.

Comment: Re:Responses (Score 3, Insightful) 243

My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

If anyone has a better suggestion, I'm all ears.

Seriously? Let the user enter their own password at account creation and send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address (if that's even a necessary step... it isn't always).

Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway? What possible benefit does that serve?
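An added example, not code from either poster, that puts the two ideas from these replies together: a random "login ticket" indexed to the user in the DB (stored only as a hash), that expires after 24 hours, is one-time use, and cannot be redeemed without the user's own password. The TicketStore class, the user name and the passwords are constructed for illustration.

```python
import hashlib
import secrets

TICKET_TTL = 24 * 3600  # the 24-hour window discussed in the thread


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TicketStore:
    """In-memory stand-in for the DB (hypothetical). Only a SHA-256 of the
    ticket is stored, so a leaked table does not yield redeemable tickets."""

    def __init__(self):
        self.rows = {}   # sha256(token) -> [user_id, expires_at, used]
        self.users = {}  # user_id -> (salt, pbkdf2 hash)

    def create_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # 256-bit random ticket for the link
        key = hashlib.sha256(token.encode()).hexdigest()
        self.rows[key] = [user_id, now + TICKET_TTL, False]
        return token

    def redeem(self, token, user_id, password, now):
        """The ticket alone is not enough: it must be unexpired, unused,
        bound to the claimed user, and presented with that user's password."""
        row = self.rows.get(hashlib.sha256(token.encode()).hexdigest())
        if row is None or row[2] or now > row[1] or row[0] != user_id:
            return False
        salt, stored = self.users.get(user_id, (b"", b""))
        if not secrets.compare_digest(hash_password(password, salt), stored):
            return False
        row[2] = True  # one-time use
        return True


def demo():
    store = TicketStore()
    store.create_user("alice", "correct horse")  # constructed sample user
    t0 = 1_000_000
    token = store.issue("alice", t0)
    late = store.issue("alice", t0)
    return {
        "intercepted_no_password": store.redeem(token, "alice", "guess", t0 + 60),
        "legit": store.redeem(token, "alice", "correct horse", t0 + 60),
        "replay": store.redeem(token, "alice", "correct horse", t0 + 120),
        "expired": store.redeem(late, "alice", "correct horse", t0 + TICKET_TTL + 1),
    }
```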

Comment: Re:This isn't as good as it sounds (Score 2) 107

Well, here's a good place to start. RC4 has a number of vulnerabilities and while each of them can be mitigated to a certain extent (changing keys, discarding the beginning of streams, etc), the confidence is low that implemented systems will successfully avoid all of them and not open up new vulnerabilities in the process.

Comment: Re:This isn't as good as it sounds (Score 0) 107

3DES isn't horridly broken. With the most commonly used keying option, it's vulnerable to a meet-in-the-middle attack, but it still provides 112-bit security. That'll start looking a little lean in the coming years, but it's still a beast to brute force.

On the other hand, RC4, SSLv3, and TLS1.0 are actually broken.

Comment: Re:Taxi licenses are crazy expensive (Score 5, Informative) 329

WTF have your shares got to do with your desire to deliberately trash the life savings of millions of taxi drivers in the western world? They entered into a contract with the government...

Typically, taxi medallions aren't sold by the government anymore. They're typically sold by their previous holders and the high prices reflect their scarcity and perceived value. The market decides this value (even when they're auctioned off by the state), so there isn't any guarantee that they'll maintain that value. Any contracts that exist say nothing about limiting the supply or compensating medallion-holders for any speculative prices they paid. Buying a medallion for $800k is just as speculative as buying an $800k house or $800k worth of stock. There are no government guarantees that they will maintain value.

tl;dr... The economics of the taxi medallion situation are extremely similar to shares in a company. The "contracts" that you're referring to don't exist (at least in the form that you imagine).

Comment: Re:Oblig. Musk stroking (Score 1) 249

The so-called RDF is simply a trustworthy brand. A brand is a promise of quality, and even though they aren't perfect, they do deliver better quality than any other manufacturer. They deliver on their promise. They beat all other companies in customer satisfaction surveys year in, year out.

In our contemporary world where any sort of "promise of quality" is seen as quaint and most companies see their established brand names as something to be cashed in for executive bonuses, people are trained to not give any weight at all to brands. See the AC response for a great example of that.

Comment: Re:I hope it rolls out in more cities (Score 2) 68

In fact, I would very much like to see relevant & useful ads. Right now, almost none of the ads I see are useful for me.

You would very much like to see relevant & useful ads, or you would very much like to stop seeing irrelevant & useless ads?

Because while the latter is true for me and most of the people that I know, the former is not quite so popular and doesn't necessarily follow from the latter. A much more palatable way to see fewer irrelevant & useless ads would be to stop seeing so many ads altogether. The more Google's hand touches things, the less likely that is to ever happen.

Comment: Re:Perhaps this is why some places are better to l (Score 0) 108

Perhaps a huge component of "politeness" is the ability to personally identify with the people around you in a significant way. Most of Northern Europe has a remarkable cultural homogeneity. Denmark, for example, is around 90% people of Danish descent, and even the 10% is a relatively recent phenomenon. Even the religion of Denmark is homogeneous, with the census reporting 80% belonging to the Church of Denmark. The rest of Northern Europe is similarly homogeneous, even including the UK.

So often your countryfolk seem brusque at best and just plain rude a lot of the time.

The rudest people I've ever met in my life have all been European. I'm a very polite person, so I presume it's because they knew that I was American and were unable to stir up any empathy for somebody so culturally different and "other". Perhaps it isn't valid to take your trans-cultural interaction as an accurate representation of intra-cultural interactions.

Comment: Re:Good for the consumer? (Score 2) 116

"Average score" is a stupid metric for comparing ratings anyway. Here's a little discussion about several different utterly wrong ways to make sense of ratings, "average score" being #2.

Your "average score" would rate a product with a single 5 star rating higher than one with 45,000 ratings averaging out to 4.999. Their "proprietary algorithm" is likely to be more useful to everybody than a bunk rating system like "average score".

Anyway, if all of the ratings go up, then you just continue to compare them to each other like you did before. It's not like anyone bases purchases on the absolute star rating of any particular product.
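An added illustration, not from the comment or the discussion it links to: one well-known alternative to "average score" is the Wilson score lower bound, which penalises small samples. The two histograms are constructed to match the comment's case of a single 5-star rating against 45,000 ratings averaging 4.999.

```python
import math


def average_score(hist):
    """Plain mean of star ratings; hist maps star value (1..5) -> count."""
    n = sum(hist.values())
    return sum(star * count for star, count in hist.items()) / n


def wilson_lower_bound(hist, z=1.96):
    """Lower bound of the 95% Wilson interval on the 'fraction positive',
    after mapping each star rating r in 1..5 onto (r - 1) / 4.
    Assumption: this mapping is our own choice, not from the comment."""
    n = sum(hist.values())
    p = sum((star - 1) / 4 * count for star, count in hist.items()) / n
    z2 = z * z
    centre = p + z2 / (2 * n)
    spread = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n))
    return (centre - spread) / (1 + z2 / n)


# Constructed inputs: one lone 5-star review versus 45,000 reviews
# (44,955 five-star and 45 four-star) whose mean is exactly 4.999.
ONE_FIVE_STAR = {5: 1}
MANY_RATINGS = {5: 44955, 4: 45}


def compare():
    """Returns (winner by average, winner by Wilson lower bound)."""
    by_avg = "lone" if average_score(ONE_FIVE_STAR) > average_score(MANY_RATINGS) else "many"
    by_wilson = "lone" if wilson_lower_bound(ONE_FIVE_STAR) > wilson_lower_bound(MANY_RATINGS) else "many"
    return by_avg, by_wilson
```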

Comment: Re:Grand opening! (Score 1) 97

And they most definitely DO NOT need continuous access. The 'software' you're speaking about is simply a set of scripts to handle the domain ownership verification and certificate issue. It doesn't need access to anything but your HTTPD configuration files and/or DNS.

That's not entirely true, at least in the long term. Domain ownership verification could be done entirely through the configuration files or through access to the served content. They claim to handle revocation and reissue of certificates through their site as well, which is going to require at least some sort of polling from your server.
