
Comment: Just my time (Score 1) 128 128

Six or so years ago I was using a (fairly cheap) Virtual Private Server as a dev/testing box for a pet project of mine.

The VPS company was bought by a larger company, and prices were to double on the next billing period. I hastily chose a new provider without doing any research. I paid for 3 months of service in advance, got the container set up the way I like, migrated all of my data over, and was up and running.

2 months in, the new provider vanished, along with all of my data. I wasn't very concerned about the month's worth of money I had lost by not getting the 3 months I had paid for, I think it was only about $15. "Okay," I thought. I'll just pull my data out of my nightly backups and move on. It turns out I forgot to adjust my local cron script that pulled the data over rsync to the new IP address. My backups had not been pulled in over 2 months.

Luckily it wasn't very important, as it didn't make me any money and was mostly just for fun. I ended up starting over from scratch and ended up with a better system anyway.

I learned my lesson, though.
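The failure in the comment above was silent: the pull script kept running against a stale target and nothing complained. Below is an added example (not the commenter's script) of a pull-style rsync backup that writes a success stamp recording when and from which host it last pulled, plus a separate check that fails loudly when the stamp is missing, too old, or from a different host than the one now configured. The host, paths and 36-hour threshold are assumed placeholders; `rsync` is invoked via `subprocess` and can be swapped for a fake runner in tests.

```python
"""Added example: rsync pull backup with a loud freshness and source-host check."""
import json
import subprocess
import sys
import time
from pathlib import Path

# Assumed placeholders; the comment names no host, path or threshold.
CONFIG = {"host": "vps.example.net", "remote_path": "/srv/app/",
          "local_root": "/var/backups/vps"}
STAMP = ".last-success.json"
MAX_AGE = 36 * 3600   # alert if no successful pull within 36 h


def record_success(root: Path, host: str, now=time.time) -> None:
    """Write the stamp only after rsync exited 0, naming the host it pulled from."""
    (root / STAMP).write_text(json.dumps({"time": now(), "host": host}))


def read_stamp(root: Path):
    """Return {'time': float, 'host': str} or None if the stamp is absent/corrupt."""
    try:
        data = json.loads((root / STAMP).read_text())
        return {"time": float(data["time"]), "host": str(data["host"])}
    except (OSError, ValueError, KeyError, TypeError):
        return None


def check_backup(root: Path, expected_host: str, max_age: float = MAX_AGE, now=time.time):
    """Return (ok, message). Fails when the last pull is missing, stale, or came
    from a host other than the one currently configured (the mistake above)."""
    stamp = read_stamp(root)
    if stamp is None:
        return False, "no successful backup recorded"
    if stamp["host"] != expected_host:
        return False, (f"last backup came from {stamp['host']}, "
                       f"config now says {expected_host}")
    age = now() - stamp["time"]
    if age > max_age:
        return False, f"last backup is {age / 3600:.1f} h old (limit {max_age / 3600:.0f} h)"
    return True, f"last backup {age / 3600:.1f} h old from {expected_host}"


def pull_backup(cfg=CONFIG, run=subprocess.run, now=time.time) -> bool:
    """Pull the remote tree over ssh; stamp success only on a clean rsync exit."""
    root = Path(cfg["local_root"])
    (root / "data").mkdir(parents=True, exist_ok=True)
    cmd = ["rsync", "-az", "--delete", "-e", "ssh",
           f"{cfg['host']}:{cfg['remote_path']}", str(root / "data") + "/"]
    result = run(cmd, check=False)
    if result.returncode != 0:
        return False
    record_success(root, cfg["host"], now)
    return True


if __name__ == "__main__":
    # cron: "0 3 * * * backup.py pull" and, separately, "0 9 * * * backup.py check";
    # a non-zero exit from either makes cron mail the output instead of staying silent.
    if sys.argv[1:] == ["pull"]:
        sys.exit(0 if pull_backup() else 1)
    ok, msg = check_backup(Path(CONFIG["local_root"]), CONFIG["host"])
    print(("OK: " if ok else "ALERT: ") + msg)
    sys.exit(0 if ok else 1)
```

Keeping the check in its own cron entry matters: if the pull job itself breaks (wrong host, dead key, provider gone), the check still runs and still fails.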

Comment: Re:Security (Score 1) 242 242

I have yet to hear any solution to this problem from you. So far just repetitious whining about how what I wrote is just so horribly broken. I see even worse solutions implemented in sites that may cause even more havoc in a person's life, such as financial institutions, and government departments.

What would you do? How would it be any better? Please provide full details. If all you are going to do is bitch and whine but not bring any solutions to the table, you're even WORSE than me. At least I'm making an effort.

Comment: Re:Security (Score 1) 242 242

I see your point. We make it abundantly clear what the security questions are for upon registration, and encourage the users to answer correctly. The questions we ask are not something that would normally be found in a user's inbox, and most average users do not index and archive their e-mail. I do, personally, but I archive anything older than 2 years locally on my workstation(s).

We'll consider the idea of skipping sending a new password to the user. Thanks for your input.

Comment: Security (Score 3, Insightful) 242 242

Your first example is acceptable in my opinion, as that password was probably random and (essentially) single use. After logging in, you should immediately change the password to something you can remember.

The second example, however, is a big no-no in my books. I develop web based applications for a living. The only time we send a password over e-mail (or SMS) is when a user has locked themselves out of their account, and are using the account recovery tool to regain access. This is how we handle it:
1. Click on "Forgot Password"
2. Enter your e-mail address (and username if different from e-mail address), click "Begin Recovery"
3. Send an e-mail with a verification URL for them to continue the process; this is to confirm they actually are the owner of the email address, and also to weed out people trying to use the recovery process maliciously.
4. Upon following the URL you will be prompted to answer two security questions you set up on registration from a set of predefined questions. You must answer both correctly to proceed. Internally, when this URL is hit, the account in question is flagged in the DB that it is now in Recovery Mode.
5. Upon answering the questions correctly, you will be e-mailed a single-use password you can log in with.
6. Upon logging in, you are required to change your password to something you can remember (or store in a password DB, like you should be doing).

I know it's long and cumbersome, but it works.
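As an added example (not the commenter's application code), here is the six-step flow above modelled end to end: a hashed, expiring verification token; the Recovery Mode flag set when the URL is opened; both security questions checked with constant-time comparisons and a wrong-answer budget; a single-use password that is consumed on first login; and a forced password change afterwards. The 15-minute token lifetime, the three-attempt limit, the `https://app.example/...` URL and the salted SHA-256 hashing are assumptions; the comment specifies none of them, and a real deployment would use a slow password hash such as argon2 or bcrypt.

```python
"""Added example: the six-step account recovery flow described in the comment above."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # verification-URL lifetime (assumed; the comment gives none)
MAX_ANSWER_ATTEMPTS = 3    # wrong-answer budget before the token is burned (assumed)


def _hash(value: str, salt: str) -> str:
    # Salted SHA-256 keeps this dependency-free; production code should use a
    # slow hash (argon2/bcrypt) for passwords and security-question answers.
    return hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()


def _norm(answer: str) -> str:
    return " ".join(answer.strip().lower().split())   # tolerate case and spacing


class Account:
    def __init__(self, email, password, questions):
        self.email, self.salt = email, secrets.token_hex(8)
        self.password_hash = _hash(password, self.salt)
        self.answers = {q: _hash(_norm(a), self.salt) for q, a in questions.items()}
        self.in_recovery, self.token_hash, self.token_expires = False, None, 0.0
        self.attempts, self.single_use_hash, self.must_change_password = 0, None, False


class RecoveryService:
    def __init__(self, accounts, send_mail, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.send_mail, self.now = send_mail, now

    def begin_recovery(self, email):
        """Steps 2-3: mail a verification URL; same reply whether or not the address exists."""
        acct = self.accounts.get(email)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            acct.token_hash = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
            acct.token_expires, acct.attempts = self.now() + TOKEN_TTL, 0
            self.send_mail(email, f"https://app.example/recover?token={token}")
        return "If that address is registered, a recovery e-mail has been sent."

    def _by_token(self, token):
        h = hashlib.sha256(token.encode()).hexdigest()
        for acct in self.accounts.values():
            if acct.token_hash and hmac.compare_digest(acct.token_hash, h):
                return acct if self.now() <= acct.token_expires else None
        return None

    def open_recovery_url(self, token):
        """Step 4: flag the account as in Recovery Mode and return its questions."""
        acct = self._by_token(token)
        if acct is None:
            return None
        acct.in_recovery = True
        return list(acct.answers)

    def answer_questions(self, token, answers):
        """Steps 4-5: both answers must match; success mails a single-use password."""
        acct = self._by_token(token)
        if acct is None or not acct.in_recovery:
            return False
        acct.attempts += 1
        ok = all(hmac.compare_digest(h, _hash(_norm(answers.get(q, "")), acct.salt))
                 for q, h in acct.answers.items())
        if not ok:
            if acct.attempts >= MAX_ANSWER_ATTEMPTS:
                self._end_recovery(acct)       # burn the token; user must start over
            return False
        temp = secrets.token_urlsafe(12)
        acct.single_use_hash = _hash(temp, acct.salt)
        acct.token_hash = None                 # the URL cannot be replayed
        self.send_mail(acct.email, f"One-time password: {temp}")
        return True

    def _end_recovery(self, acct):
        acct.in_recovery, acct.token_hash, acct.single_use_hash = False, None, None

    def login(self, email, password):
        """Returns None on failure, 'ok', or 'must_change_password' (step 6)."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        cand = _hash(password, acct.salt)
        if acct.single_use_hash and hmac.compare_digest(acct.single_use_hash, cand):
            acct.single_use_hash, acct.in_recovery = None, False   # consumed on first use
            acct.must_change_password = True
        elif not hmac.compare_digest(acct.password_hash, cand):
            return None
        return "must_change_password" if acct.must_change_password else "ok"

    def change_password(self, email, new_password):
        acct = self.accounts.get(email)
        if acct is None:
            return False
        acct.password_hash = _hash(new_password, acct.salt)
        acct.must_change_password = False
        return True
```

Two details the numbered steps leave implicit are made explicit here: `begin_recovery` answers identically for unknown addresses so the form cannot be used to enumerate accounts, and the verification token is stored hashed so a database read does not hand an attacker a live recovery URL.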

Comment: Re: is anyone using it? (Score 1) 147 147

If they didn't want off-network users to use it, they would firewall it to just their subnets. I get that they have a very large network that is ever expanding, and it may just be easier to not lock it to their subnets, but seriously it's not that hard.

I don't use my ISPs DNS because they resolve non-existent zones to some bullshit landing page in which they try to "help" users find what they were looking for, effectively breaking DNS in my opinion.

I don't use Google's because it sucked the last time I used it (when it was new, I suppose it is probably better now). Tracking isn't a real concern of mine in terms of DNS, although I do block Google Analytics via dnsmasq on my router. I just don't trust Google. They abandon services all the time. Quite frankly, I didn't expect their resolvers to stick around this long.

I own a web hosting business. We have a few servers in a datacenter. I run my own resolvers that are locked down to my /25 subnet; they resolve off the roots, specifically d.root-servers.net and e.root-servers.net. I get less than 2 ms on those.

At home, however, Level3 is still faster than any of the roots. :-/
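The "landing page" behaviour the commenter objects to is NXDOMAIN rewriting: the resolver answers a query for a name that does not exist with an A record instead of RCODE 3. Below is an added example (not anything from the comment or from any named ISP) that detects it: a minimal DNS codec builds an A query for a random label that cannot exist, then classifies the reply as `nxdomain`, `hijacked`, `nodata` or an error code. The `probe` function sends the query over UDP; `make_response` builds constructed sample replies so the classifier can be exercised offline. The zone you probe must be one you know has no wildcard record, otherwise a legitimate wildcard answer looks like a hijack.

```python
"""Added example: detect NXDOMAIN rewriting with a minimal DNS query/response codec."""
import secrets
import socket
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, name: str) -> bytes:
    # Header: ID, flags with RD set, QDCOUNT=1; question: name, QTYPE=A, QCLASS=IN.
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, off
    for _ in range(128):                      # bound the walk against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or pointer loop")


def parse_response(msg: bytes):
    """Return (id, rcode, list of A-record IPs in the answer section)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, flags & 0xF, ips


def classify(response: bytes, qid: int) -> str:
    rid, rcode, ips = parse_response(response)
    if rid != qid:
        return "mismatch"
    if rcode == 3:
        return "nxdomain"                     # honest answer for a nonexistent name
    if rcode == 0 and ips:
        return "hijacked"                     # an address for a name that cannot exist
    if rcode == 0:
        return "nodata"
    return f"rcode{rcode}"


def probe(resolver: str, zone: str = "example.com", timeout: float = 3.0):
    """Ask `resolver` for a random label under `zone` (assumed wildcard-free)."""
    qid = secrets.randbelow(65536)
    name = f"{secrets.token_hex(8)}.{zone}"
    query = build_query(qid, name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(data, qid), name


def make_response(qid: int, name: str, rcode: int, ips=()) -> bytes:
    """Constructed sample reply for offline testing (not a real capture)."""
    msg = (struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)
           + encode_name(name) + struct.pack("!HH", 1, 1))
    for ip in ips:                            # name as pointer to offset 12 (the question)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return msg
```

Run `probe("203.0.113.53")` (an assumed resolver address) against your ISP's resolver and then against your own; a resolver that returns `hijacked` for a random label is the one rewriting NXDOMAIN, and the IP it hands back is the landing page the commenter describes.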

Comment: Re: How stupid could someone be? (Score 1) 111 111

Really depends on the nature of the software, I guess. For Malwarebytes it probably isn't the best idea, but at the same time it could easily de-reg the install ID upon uninstall.

There are various ways to do it. My example was one such way, that is all. There is no one-size-fits-all.

Comment: Re: How stupid could someone be? (Score 2) 111 111

To expand on this... you should also generate an "Installation ID" upon validation, stored server- and client-side along with the key.

This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.

On update you validate both the key, and the installation ID.

In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.
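An added example (not the commenter's code, and not any real vendor's licensing server) of the scheme just described: activation issues a random installation ID bound to the licence key, update checks validate both the key and the ID, the client can release its own seat on uninstall, and the licensing side can revoke a seat by looking it up rather than by knowing the client's secret. The installation ID is a bearer secret held by the client, so the server stores only an HMAC of it under a server-side key. The per-key seat counts, the `server_secret` and the machine fingerprint string are assumptions.

```python
"""Added example: licence key + installation ID activation, validation and revocation."""
import hashlib
import hmac
import secrets
import time


class LicenseServer:
    """In-memory model of the scheme in the comment above."""

    def __init__(self, keys: dict, server_secret: bytes, now=time.time):
        # keys: licence key -> number of permitted simultaneous installs (assumed seat model)
        self.licenses = {k: {"seats": n, "installs": {}} for k, n in keys.items()}
        self.secret = server_secret
        self.now = now
        self.revoked = []            # audit trail of (key, install_hash, when)

    def _digest(self, install_id: str) -> str:
        # Only the HMAC is stored; a database leak does not yield usable install IDs.
        return hmac.new(self.secret, install_id.encode(), hashlib.sha256).hexdigest()

    def activate(self, key: str, machine_fingerprint: str = ""):
        """Return a fresh installation ID, or None if the key is unknown or fully used."""
        lic = self.licenses.get(key)
        if lic is None or len(lic["installs"]) >= lic["seats"]:
            return None
        install_id = secrets.token_urlsafe(24)
        lic["installs"][self._digest(install_id)] = {
            "activated": self.now(), "last_seen": self.now(),
            "fingerprint": machine_fingerprint}
        return install_id

    def _find(self, key: str, install_id: str):
        lic = self.licenses.get(key)
        if lic is None:
            return None, None
        d = self._digest(install_id)
        for stored in lic["installs"]:
            if hmac.compare_digest(stored, d):
                return lic, stored
        return lic, None

    def validate(self, key: str, install_id: str) -> bool:
        """Called on every update check: both the key and the install ID must match."""
        lic, stored = self._find(key, install_id)
        if stored is None:
            return False
        lic["installs"][stored]["last_seen"] = self.now()
        return True

    def deactivate(self, key: str, install_id: str) -> bool:
        """Client-initiated release of its own seat, e.g. on uninstall."""
        lic, stored = self._find(key, install_id)
        if stored is None:
            return False
        del lic["installs"][stored]
        return True

    def list_installs(self, key: str):
        """What the licensing department sees: install hashes and fingerprints, never IDs."""
        lic = self.licenses.get(key)
        return [] if lic is None else [(h, r["fingerprint"]) for h, r in lic["installs"].items()]

    def revoke(self, key: str, install_hash: str) -> bool:
        """Licensing-department action: free the seat and record the revocation."""
        lic = self.licenses.get(key)
        if lic is None or install_hash not in lic["installs"]:
            return False
        del lic["installs"][install_hash]
        self.revoked.append((key, install_hash, self.now()))
        return True
```

Because validation requires the key and the matching install hash together, a key copied to a second machine cannot get updates without a second seat, which is the behaviour the comment is after; the `last_seen` timestamp gives the licensing side something to reason about before revoking a seat for a machine that has gone quiet.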

Comment: Re:BT Sync (Score 1) 107 107

Syncthing looks interesting. Even has an Android client to boot.
Thank you for sharing.

I currently use BTSync, but it seems I have problems every time I upgrade, having to recreate the shares and such. Kind of a PITA.
I also firewall it, so it doesn't sync outside of my home or office network, hopefully keeping any potential back doors out.

Comment: Re: Who the fuck would use something like that? (Score 1) 206 206

I personally use a KeePass 2.x database. I use it across my computers and Android phone.

For convenience, I use BitTorrent Sync to keep the file updated across devices. I have it set to only sync on the local network(s), instead of over the internet. So, if I add or change a password at home, it will sync to my phone and laptop via the local network. When I go to my office, when my phone connects to the local wifi it will sync the file to my work computer.

I use a password and keyfile. I copied the key file over to my devices manually, and it is not within the Sync share.

This is the best security:convenience ratio I could come up with.
