
Comment: Re:Security (Score 1) 202

I see your point. We make it abundantly clear what the security questions are for upon registration, and encourage the users to answer correctly. The questions we ask are not something that would normally be found in a user's inbox, and most average users do not index and archive their e-mail. I do, personally, but I archive anything older than 2 years locally on my workstation(s).

We'll consider the idea of skipping sending a new password to the user. Thanks for your input.

Comment: Security (Score 3, Insightful) 202

Your first example is acceptable in my opinion, as that password was probably random and (essentially) single use. After logging in, you should immediately change the password to something you can remember.

The second example, however, is a big no-no in my books. I develop web based applications for a living. The only time we send a password over e-mail (or SMS) is when a user has locked themselves out of their account, and are using the account recovery tool to regain access. This is how we handle it:
1. Click on "Forgot Password"
2. Enter your e-mail address (and username if different from e-mail address), click "Begin Recovery"
3. Send an e-mail with a verification URL for them to continue the process. This is to confirm they actually are the owner of the e-mail address, and also to weed out people trying to use the recovery process maliciously.
4. Upon following the URL you will be prompted to answer two security questions you set up on registration from a set of predefined questions. You must answer both correctly to proceed. Internally, when this URL is hit, the account in question is flagged in the DB as now being in Recovery Mode.
5. Upon answering the questions correctly, you will be e-mailed a single-use password you can log in with.
6. Upon logging in, you are required to change your password to something you can remember (or store in a password DB, like you should be doing).

I know it's long and cumbersome, but it works.
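The six-step recovery flow above, written out as an added example that is not the commenter's code and not any real product's. It keeps the state the comment describes (a Recovery Mode flag, a verification URL, two security questions, a single-use password, a forced password change) in an in-memory store, with an outbox list standing in for e-mail. The 15-minute lifetime on the link and the one-time password, and the choice to drop out of Recovery Mode after a wrong answer, are assumptions not stated in the comment; the hostname example.invalid is a placeholder.

```python
import hashlib
import hmac
import secrets
import time

# How long a verification link or single-use password stays valid. The comment
# gives no lifetime; 15 minutes is an assumption for this example.
RECOVERY_TTL = 15 * 60


def _hash(value: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept low only to keep the example fast."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 20_000)


def _normalise(answer: str) -> str:
    """Security-question answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


class RecoveryStore:
    """In-memory stand-in for the user table and the outgoing-mail queue."""

    def __init__(self):
        self.users = {}
        self.outbox = []  # (recipient, body) tuples instead of real e-mail or SMS

    def register(self, email, password, answers):
        salt = secrets.token_bytes(16)
        self.users[email] = {
            "salt": salt,
            "pw": _hash(password, salt),
            "answers": [_hash(_normalise(a), salt) for a in answers],
            "recovery_mode": False,
            "token": None, "token_exp": 0.0,  # hash of the step-3 URL token
            "otp": None, "otp_exp": 0.0,      # hash of the step-5 single-use password
            "must_change": False,
        }

    # Steps 2-3: mail a verification URL. An unknown address produces no
    # different outward behaviour, so the form cannot be used to enumerate accounts.
    def begin_recovery(self, email):
        user = self.users.get(email)
        if user is None:
            return
        token = secrets.token_urlsafe(32)
        user["token"] = hashlib.sha256(token.encode()).digest()
        user["token_exp"] = time.time() + RECOVERY_TTL
        self.outbox.append((email, f"https://example.invalid/recover?t={token}"))

    # Step 4 (entry): hitting the URL flags the account as being in Recovery Mode.
    def verify_link(self, email, token):
        user = self.users.get(email)
        if user is None or user["token"] is None or time.time() > user["token_exp"]:
            return False
        if not hmac.compare_digest(user["token"], hashlib.sha256(token.encode()).digest()):
            return False
        user["token"] = None          # the link is single use
        user["recovery_mode"] = True
        return True

    # Steps 4-5: both answers must be right; success mails a single-use password.
    def answer_questions(self, email, answers):
        user = self.users.get(email)
        if user is None or not user["recovery_mode"]:
            return False
        if len(answers) != len(user["answers"]):
            return False
        # Hash every answer before deciding, so a wrong first answer is not faster.
        checks = [hmac.compare_digest(stored, _hash(_normalise(given), user["salt"]))
                  for stored, given in zip(user["answers"], answers)]
        if not all(checks):
            user["recovery_mode"] = False  # assumption: a miss sends you back to step 1
            return False
        otp = secrets.token_urlsafe(12)
        user["otp"] = _hash(otp, user["salt"])
        user["otp_exp"] = time.time() + RECOVERY_TTL
        self.outbox.append((email, f"single-use password: {otp}"))
        return True

    # Step 6: log in; after using the single-use password a new one must be set.
    def login(self, email, password):
        user = self.users.get(email)
        if user is None:
            return "denied"
        otp_ok = (user["otp"] is not None and time.time() <= user["otp_exp"]
                  and hmac.compare_digest(user["otp"], _hash(password, user["salt"])))
        if otp_ok:
            user["otp"] = None                 # consumed
            user["recovery_mode"] = False
            user["must_change"] = True
            return "change_required"
        if hmac.compare_digest(user["pw"], _hash(password, user["salt"])):
            return "change_required" if user["must_change"] else "ok"
        return "denied"

    def change_password(self, email, new_password):
        user = self.users[email]
        user["pw"] = _hash(new_password, user["salt"])
        user["must_change"] = False
```

Only hashes of the URL token and the single-use password are stored, so a read of the user table does not hand an attacker a usable link or password, and every comparison goes through `hmac.compare_digest`.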

Comment: Re: is anyone using it? (Score 1) 146

If they didn't want off-network users to use it, they would firewall it to just their subnets. I get that they have a very large network that is ever expanding, and it may just be easier not to lock it to their subnets, but seriously, it's not that hard.

I don't use my ISPs DNS because they resolve non-existent zones to some bullshit landing page in which they try to "help" users find what they were looking for, effectively breaking DNS in my opinion.

I don't use Google's because it sucked the last time I used it (when it was new, I suppose it is probably better now). Tracking isn't a real concern of mine in terms of DNS, although I do block Google Analytics via dnsmasq on my router. I just don't trust Google. They abandon services all the time. Quite frankly, I didn't expect their resolvers to stick around this long.

I own a web hosting business. We have a few servers in a datacenter. I run my own resolvers that are locked down to my /25 subnet; they resolve off the roots, specifically d.root-servers.net and e.root-servers.net. I get less than 2 ms on those.

At home, however, Level3 is still faster than any of the roots. :-/

Comment: Re: How stupid could someone be? (Score 1) 111

Really depends on the nature of the software, I guess. For Malwarebytes it probably isn't the best idea, but at the same time it could easily de-reg the install ID upon uninstall.

There are various ways to do it. My example was one such way, that is all. There is no one-size-fits-all.

Comment: Re: How stupid could someone be? (Score 2) 111

To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.

This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.

On update you validate both the key, and the installation ID.

In the event a user needs to move the software to another install, they can contact the licensing dept and have the previous installation ID revoked.
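The key-plus-installation-ID scheme in the comment above, as an added example that is not the commenter's code or any vendor's licensing server. It models the server side only: activation binds a fresh installation ID to a key, the seat limit per key is what makes "controlled multi-system installs" possible, an update check must present both the key and a still-active installation ID, and revocation frees the seat so the user can activate on a new machine. The seat count, the ID format and the fact that everything lives in a dictionary are assumptions for the example; a real deployment would persist this in a database and transport it over TLS.

```python
import secrets


class LicenseServer:
    """Server-side record of license keys and the installation IDs issued for them."""

    def __init__(self):
        # key -> {"seats": allowed concurrent installs, "installs": {install_id: active?}}
        self.keys = {}

    def issue_key(self, seats=1):
        """Create a license key allowing `seats` concurrent activations (assumed format)."""
        key = "-".join(secrets.token_hex(2).upper() for _ in range(4))
        self.keys[key] = {"seats": seats, "installs": {}}
        return key

    def _active_ids(self, key):
        return [i for i, active in self.keys[key]["installs"].items() if active]

    def activate(self, key):
        """Validate the key and, if a seat is free, mint an installation ID.

        The ID is returned to the client, which stores it beside the key;
        the server keeps its own copy, so a copied key alone is not enough later.
        """
        record = self.keys.get(key)
        if record is None:
            return None
        if len(self._active_ids(key)) >= record["seats"]:
            return None  # key already in use on the allowed number of systems
        install_id = secrets.token_urlsafe(16)
        record["installs"][install_id] = True
        return install_id

    def validate_update(self, key, install_id):
        """On update, both the key and the installation ID must check out."""
        record = self.keys.get(key)
        if record is None:
            return False
        return record["installs"].get(install_id, False)

    def revoke(self, key, install_id):
        """Licensing dept action: retire an install so the seat can be reused."""
        record = self.keys.get(key)
        if record is None or install_id not in record["installs"]:
            return False
        record["installs"][install_id] = False
        return True


class Client:
    """What the installed copy keeps locally: its key and its installation ID."""

    def __init__(self, server, key):
        self.server, self.key = server, key
        self.install_id = None

    def activate(self):
        self.install_id = self.server.activate(self.key)
        return self.install_id is not None

    def check_for_update(self):
        return self.server.validate_update(self.key, self.install_id)
```

A client that copies its key to a second machine gets refused at activation once the seats are used up, and a client that forges or reuses a revoked installation ID fails the update check even though its key is genuine.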

Comment: Re:BT Sync (Score 1) 107

Syncthing looks interesting. Even has an Android client to boot.
Thank you for sharing.

I currently use BTSync, but it seems I have problems every time I upgrade, having to recreate the shares and such. Kind of a PITA.
I also firewall it so it doesn't sync outside of my home or office network, hopefully keeping any potential back doors out.

Comment: Re: Who the fuck would use something like that? (Score 1) 206

I personally use a KeePass 2.x database. I use it across my computers and Android phone.

For convenience, I use BitTorrent Sync to keep the file updated across devices. I have it set to only sync on the local network(s), instead of over the internet. So if I add or change a password at home, it will sync to my phone and laptop via the local network. When I go to my office and my phone connects to the local Wi-Fi, it will sync the file to my work computer.

I use a password and keyfile. I copied the key file over to my devices manually, and it is not within the Sync share.

This is the best security:convenience ratio I could come up with.

Comment: Re: Other reasons (Score 2) 306

Not that it's really any of your business, my wife was using the birth control pill, and it failed. It happens.

With that said, I'm glad we had our second child so close to the first. They are best friends, partners in crime. They get along very well, and will hopefully continue to be close going into the future.

Comment: Re: Other reasons (Score 1) 306

I was born in '88, currently 26 years of age.

Started my own business while still in high school. Moved out on my own the summer before Grade 12. Graduated on time in 2006.

After high school I got a job at a small-time advertising agency doing mostly graphic design and minor IT stuff. I had a feeling business wasn't going so well for the owners, and after 6 months or so, I left and focussed on growing my own business. The ad agency failed shortly after.

A while later my girlfriend (now wife) became pregnant. I jumped on a job opportunity that brought in around $1200/week. My first child was born in Nov. 2009. I stuck to the job because it paid well. But I was working 12 hour days, my own business lacked my attention, and my wife became pregnant again.

I picked up a few decent sized projects under my business to bring in additional money to put away for the new baby.

The first week of January 2011 I arrived at work after a Christmas/New Year's holiday. We were all brought in for a meeting and told the Government had frozen their accounts as they weren't remitting sales tax. We were all let go. My second child was born two weeks later.

I decided to try to put my attention to my business, but I wasn't able to pick business up quickly enough to keep up with the income I had been making. I worked a couple different part time jobs, from Fire Protection Inspector to Locksmith helper.

In 2013 I decided it was time to spruce up the business. I changed the business name and incorporated that year. I picked up a couple of good recurring paying projects from local businesses. I quit my job (the locksmith at the time) in April 2014. My wife picked up a part time (evening) job to help supplement income in our slower months.

Since then we've continued to grow the business. I've already told my wife she can quit her job, but she's continuing because she enjoys the work and getting out of the house.

We're now looking to hire some employees as things have been growing rather rapidly in the past year.

I did this without wasting $40,000-$70,000 on a bullshit piece of paper. I'm not saying it was easy, but kids these days need to understand that it's not a requirement.

My younger brother, in contrast, went to University for technical theatre (lighting, sound, stage design, etc.). He's working as a delivery driver for Pizza Hut, while sitting on a mountain of debt.

Comment: Re: Desalination (Score 1) 599

I think the obvious solution is to force farms in the desert areas to utilize the desalination plants year round, no matter the amount of precipitation throughout California.

If they are already piping water in from other parts of the state (and surrounding states, by the sounds of it), it really wouldn't make much of a difference for them.

This solves many of the issues. Am I overlooking some reason as to why this couldn't work, or at least help in the drought cycles?

I live in Central Saskatchewan, Canada, so please excuse my ignorance. Our biggest water issue is when algae grows too rapidly and causes issues for our filtration plants.

Comment: Re: MariaDB because Oracle does an excrement job (Score 2) 49

As someone who owns a web hosting business and recently migrated all of their servers from MySQL to MariaDB, it was the easiest transition we've ever performed. On our cPanel boxes it was done in just a couple of clicks.

MariaDB really is a drop-in replacement for MySQL. They have done an awesome job ensuring it's a dead simple upgrade.

We are currently looking into upgrading our DNS network. We are toying with MariaDB Galera, and PowerDNS. Our initial testing has been very positive.
