
Comment: Re: Oh boy, another infection vector (Score 1) 230

by MrNaz (#48261511) Attached to: Windows 10 Gets a Package Manager For the Command Line

Perhaps you could have a two tier level of trust where repositories that are from signed approved vendors are automatically permitted, but unlisted ones require specific admin permission to install from. Of course, power users could mark an unlisted certificate as trustworthy to prevent the auth request, but it would prevent installs from silently coming in from hijacked repositories in the scenario described above.

Comment: Re: On the other hand... (Score 2) 700

by MrNaz (#48209309) Attached to: FTDI Reportedly Bricking Devices Using Competitors' Chips.

This is exactly correct. I've experienced this with a radio programming cable with a counterfeit chip supposedly from Prolific. The drivers that Windows automatically downloaded for it caused the device to not function. Rather than stuffing around with the supplier, I simply downloaded an old working driver, uninstalled the new driver, installed the old driver, and done.

Certainly not a job my mother could do, but also not the same as the OEM bricking devices, which would legally be dangerous for them as it could be argued that they were willingly causing property damage.

From a commercial point of view I think it is an appropriate measure, albeit perhaps not the most reasonable from consumers' perspectives.

Comment: Re:Next wave of phishing? (Score 1) 149

by MrNaz (#47612605) Attached to: Gmail Recognizes Addresses Containing Non-Latin Characters

I agree. The real solution is hardened authentication getting baked right into email. I'm all for UTF8 domain names and email user names, however if the email protocol suite is going to be expanded to allow for more features, then I think security should be top of that list.

Sure, for a while, domains that span multiple character sets such as hotmail.com with a Cyrillic o could be spam flagged, however what happens when (not if, but when) legitimate domains with multiple character sets start appearing? What about domains that use characters restricted to the intersection of two character sets such that they appear to be from one but are in fact from another?

The ONLY answer to this is an email client that can associate a certificate with a domain and checks it against received email as a matter of course. This solution not only has the property of preventing domain spoofing, but also comprehensively solves the spam problem. (It didn't get done earlier because it fell foul of the "requires everyone to agree at the same time" point on that pro forma "Why your proposal won't work" sheet.)
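The two cases raised in the comment above (a label mixing scripts, and a label drawn entirely from one script that still reads as another), as an added example that is not part of the original comments. The lookalike table, the `known_domains` set and the sample domains are constructed, and script detection by Unicode character name is a heuristic assumed here for illustration.

```python
import unicodedata

# Small constructed subset of Cyrillic letters that render like Latin ones.
# Not the full Unicode confusables data; for illustration only.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def scripts_in_label(label):
    """Return the set of scripts used by the letters of one DNS label.

    Heuristic: the script is the first word of the Unicode character name,
    because the standard library exposes no Script property.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """Fold known Cyrillic lookalikes to the Latin letter they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def classify(domain, known_domains):
    """Classify a sender domain (hypothetical helper for a mail filter)."""
    domain = domain.lower()
    labels = domain.split(".")
    # Case 1: one label mixes scripts, e.g. Latin letters plus a Cyrillic o.
    if any(len(scripts_in_label(label)) > 1 for label in labels):
        return "mixed-script"
    # Case 2: every label is single-script, yet the name folds to a domain
    # we already know. A mixed-script check alone does not see this.
    folded = ".".join(skeleton(label) for label in labels)
    if folded != domain and folded in known_domains:
        return "whole-script-lookalike"
    return "ok"


# Constructed sample data.
KNOWN = {"hotmail.com", "scope.example"}
SAMPLES = [
    "hotmail.com",                               # plain Latin
    "h\u043etmail.com",                          # Latin with a Cyrillic o
    "\u0455\u0441\u043e\u0440\u0435.example",    # all Cyrillic, reads "scope"
    "\u043f\u043e\u0447\u0442\u0430.example",    # ordinary Cyrillic word
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(ascii(name), classify(name, KNOWN))
```

The ordinary Cyrillic label passes, which is the point about legitimate non-Latin domains: script alone cannot be the signal, only resemblance to a name the recipient already trusts.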
