Comment: Re:Responses (Score 1) 192

I just wondered if there was any good way to protect the "login ticket" (the mail containing the one-time-use code) from interception in the 24 hours between when it is sent and the expiration time that we store.

For account creation, you can do this by requiring that the user authenticate with their username and password to use the "login ticket". If they know all of the authentication details and have control of the email account, there's really no way to distinguish them from a legitimate user (from your limited perspective). That said, acquiring all of the account details (including the password) and gaining access to the user's email account in a short time window represents an attack that's only likely for an account on a very important system and you (I) wouldn't deploy such a system with email as the only means of verification.

Things are more difficult for password reset requests because the user doesn't know their login details, but that's a different scenario from the account generation one. You have to make security compromises in the name of convenience if you want a user to be able to reset their password from a link in an email alone.

Comment: Re:Responses (Score 3, Insightful) 192

My site, on account creation, generates a password and sends it to you in email in cleartext before putting it in the DB. In that email is a link to reset the password; you can't log into the rest of the site until you've done so. The updated password (and the original) are stored encrypted in the DB.

If anyone has a better suggestion, I'm all ears.

Seriously? Let the user enter their own password at account creation and send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address (if that's even a necessary step... it isn't always).

Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway? What possible benefit does that serve?
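One way to implement the "login ticket" both comments describe (a random token indexed to the user in the DB, a 24-hour expiry, one-time use, and the username-plus-password check the first reply suggests), as an added Python example that is not code from the original comments; `TicketStore`, `issue_ticket` and `redeem_ticket` are hypothetical names and the in-memory dicts stand in for the DB.

```python
import hashlib
import hmac
import secrets

TICKET_TTL = 24 * 3600  # seconds; the 24-hour window discussed in the comments


class TicketStore:
    """Hypothetical in-memory stand-in for the DB rows that index a ticket to a user."""

    def __init__(self):
        self.users = {}    # user_id -> (salt, pbkdf2 hash); constructed demo data only
        self.tickets = {}  # sha256(token) -> (user_id, expires_at)

    def add_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def issue_ticket(self, user_id, now):
        # 256 bits from the CSPRNG; only its hash is stored, so a leaked DB yields no live tickets
        token = secrets.token_urlsafe(32)
        self.tickets[hashlib.sha256(token.encode()).digest()] = (user_id, now + TICKET_TTL)
        return token  # this is what goes into the e-mailed link

    def redeem_ticket(self, token, user_id, password, now):
        """Accept the ticket only if it is unexpired, bound to this user, and the user
        proves knowledge of the password; the ticket is consumed on the first success."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tickets.get(key)
        if entry is None or now >= entry[1] or entry[0] != user_id:
            return False
        salt, expected = self.users.get(user_id, (b"", b""))
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(got, expected):
            return False  # an intercepted mail alone is not enough to use the ticket
        del self.tickets[key]  # one-time use
        return True


if __name__ == "__main__":
    store = TicketStore()
    store.add_user("alice", "correct horse")
    ticket = store.issue_ticket("alice", now=1_000_000)
    print("first redeem:", store.redeem_ticket(ticket, "alice", "correct horse", now=1_000_100))
    print("replay:", store.redeem_ticket(ticket, "alice", "correct horse", now=1_000_200))
```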

Comment: Re:This isn't as good as it sounds (Score 2) 106

Well, here's a good place to start. RC4 has a number of vulnerabilities and while each of them can be mitigated to a certain extent (changing keys, discarding the beginning of streams, etc), the confidence is low that implemented systems will successfully avoid all of them and not open up new vulnerabilities in the process.

Comment: Re:This isn't as good as it sounds (Score 0) 106

3DES isn't horridly broken. With the most commonly used keying option, it's vulnerable to a meet-in-the-middle attack, but it still provides 112-bit security. That'll start looking a little lean in the coming years, but it's still a beast to brute force.

On the other hand, RC4, SSLv3, and TLS1.0 are actually broken.

Comment: Re:Taxi licenses are crazy expensive (Score 5, Informative) 325

WTF have your shares got to do with your desire to deliberately trash the life savings of millions of taxi drivers in the western world? They entered into a contract with the government...

Typically, taxi medallions aren't sold by the government anymore. They're typically sold by their previous holders and the high prices reflect their scarcity and perceived value. The market decides this value (even when they're auctioned off by the state), so there isn't any guarantee that they'll maintain that value. Any contracts that exist say nothing about limiting the supply or compensating medallion-holders for any speculative prices they paid. Buying a medallion for $800k is just as speculative as buying an $800k house or $800k worth of stock. There are no government guarantees that they will maintain value.

tl;dr... The economics of the taxi medallion situation are extremely similar to shares in a company. The "contracts" that you're referring to don't exist (at least in the form that you imagine).

Comment: Re:Oblig. Musk stroking (Score 1) 247

The so-called RDF is simply a trustworthy brand. A brand is a promise of quality, and even though they aren't perfect, they do deliver better quality than any other manufacturer. They deliver on their promise. They beat all other companies in customer satisfaction surveys year in, year out.

In our contemporary world where any sort of "promise of quality" is seen as quaint and most companies see their established brand names as something to be cashed in for executive bonuses, people are trained to not give any weight at all to brands. See the AC response for a great example of that.

Comment: Re:I hope it rolls out in more cities (Score 2) 68

In fact, I would very much like to see relevant & useful ads. Right now, almost none of the ads I see are useful for me.

You would very much like to see relevant & useful ads, or you would very much like to stop seeing irrelevant & useless ads?

Because while the latter is true for me and most of the people that I know, the former is not quite so popular and doesn't necessarily follow from the latter. A much more palatable way to see fewer irrelevant & useless ads would be to stop seeing so many ads altogether. The more Google's hand touches things, the less likely that is to ever happen.

Comment: Re:Perhaps this is why some places are better to l (Score 0) 108

Perhaps a huge component of "politeness" is the ability to personally identify with the people around you in a significant way. Most of Northern Europe has a remarkable cultural homogeneity. Denmark, for example, is occupied by around 90% people of Danish descent, and even the 10% is a relatively recent phenomenon. Even the religion of Denmark is homogeneous, with the census reporting 80% belonging to Church of Denmark. The rest of Northern Europe is similarly homogeneous, even including the UK.

So often your countryfolk seem brusque at best and just plain rude a lot of the time.

The rudest people I've ever met in my life have all been European. I'm a very polite person, so I presume it's because they knew that I was American and were unable to stir up any empathy for somebody so culturally different and "other". Perhaps it isn't valid to take your trans-cultural interaction as an accurate representation of intra-cultural interactions.

Comment: Re:Good for the consumer? (Score 2) 116

"Average score" is a stupid metric for comparing ratings anyway. Here's a little discussion about several different utterly wrong ways to make sense of ratings, "average score" being #2.

Your "average score" would rate a product with a single 5 star rating higher than one with 45,000 ratings averaging out to 4.999. Their "proprietary algorithm" is likely to be more useful to everybody than a bunk rating system like "average score".

Anyway, if all of the ratings go up, then you just continue to compare them to each other like you did before. It's not like anyone bases purchases on the absolute star rating of any particular product.
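The ranking failure the comment describes, worked through as an added Python example (not code from the comment or from the discussion it links to): a plain average puts a single 5-star rating above 45,000 ratings averaging 4.999, while a Bayesian average that shrinks toward a prior does not. The prior mean and weight are assumed tuning values and the rating sets are constructed.

```python
def naive_average(ratings):
    """'Average score': the metric the comment calls #2 on the list of wrong ways."""
    return sum(ratings) / len(ratings)


def bayesian_average(ratings, prior_mean=3.0, prior_weight=10):
    """Shrink toward a prior: a handful of ratings barely moves the estimate,
    tens of thousands of ratings dominate it. prior_mean and prior_weight are
    assumed tuning values, not anything stated in the comment."""
    return (prior_weight * prior_mean + sum(ratings)) / (prior_weight + len(ratings))


def rank(products, scorer):
    """Return product names ordered best-first under the given scoring function."""
    return sorted(products, key=lambda name: scorer(products[name]), reverse=True)


# Constructed data matching the comment: one perfect rating versus
# 45,000 ratings that average out to 4.999 (44,955 fives and 45 fours).
PRODUCTS = {
    "one_perfect_rating": [5],
    "well_reviewed": [5] * 44_955 + [4] * 45,
}

if __name__ == "__main__":
    print("average score:   ", rank(PRODUCTS, naive_average))
    print("bayesian average:", rank(PRODUCTS, bayesian_average))
```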

Comment: Re:Grand opening! (Score 1) 97

And they most definitely DO NOT need continuous access. The 'software' you're speaking about is simply a set of scripts to handle the domain ownership verification and certificate issue. It doesn't need access to anything but your HTTPD configuration files and/or DNS.

That's not entirely true, at least in the long term. Domain ownership verification could be done entirely through the configuration files or through access to the served content. They claim to handle revocation and reissue of certificates through their site as well, which is going to require at least some sort of polling from your server.

Comment: Re:Why oppose nuclear powered satellites? (Score 1) 419

RTGs != lightweight

Depending on the mission and compared to the alternatives, yes they are very lightweight. Solar panels can quickly become much heavier once you start outfitting outer solar system probes. Also, if you need continuous operation without solar exposure, you start needing heavy batteries and power-wasting heaters. Large arrays require supports and actuators to deploy and present more failure modes.

The RTG used in Curiosity, for example, is only 45 kg, which sounds like a lot, but Spirit and Opportunity carried nearly half that mass in just batteries and panels, produced less power with them, and still needed to carry a radiothermal heater.

Distant missions like New Horizons would have been prohibitively heavy had they not used an RTG.
