


Comment Re:Wait, you have to TYPE the password??? (Score 1) 332

When the services go down, you can't log in to the relying sites. Luckily, core infrastructure like the account systems is a very high priority for the engineers, and the big providers have plenty of resources to keep them up -- and they do. My bank's site is down far, far more often than Google's auth servers, for example. How much more often? I don't know... I've never seen Google's auth servers down.

Comment Re:OpenID Connect scales at O(n^2) (Score 1) 332

Pick the top several and you'll cover nearly everyone. For the tiny percentage of users that remains, you have to either offer password auth (which means all of the work and risks of maintaining a password system, but at least when you screw it up only a tiny percentage of your users will be affected) or push them to get an account with one of the providers you support.

Comment Re:NVidea's problem, not Microsoft's (Score 1) 308

Certainly some of these companies do have decent customer support -- I don't mean to imply that such issues never get resolved.

The trouble is, unless they all have good support, there is a risk involved in having automatic updates that wasn't there before.

What I honestly don't understand after all the discussions here and elsewhere in recent days is why so many people seem to be defending Microsoft's position. If they're worried about security issues not being patched, they could just as well leave updates on by default but optional, so those who know what they're doing can take steps to apply the important patches with proper testing and without risking unwanted side effects, while those who just plug in and go will probably get exactly the same result as they would with compulsory updates anyway.

As far as I can see, there is literally no reason not to do this -- which is basically status quo for most systems today -- unless someone at Microsoft has intentions that mean they would want to push an update that a clued up user/sysadmin would not want to install, which is the only time it makes a significant difference whether or not the updates are mandatory.

Comment Re:NVidea's problem, not Microsoft's (Score 1) 308

In such cases it is paramount that you contact the hardware vendor and insist that they provide an updated driver to ensure that it works in your environment.

You're adorable. :-)

But seriously, the reality is that you have no power whatsoever to compel an organisation the size of say Nvidia or AMD to provide working drivers. Both provide drivers for their gaming cards that are frequently buggy as hell. Even their much more expensive professional workstation cards -- where almost the entire point is the supposedly better drivers, because the hardware is all but identical -- have all kinds of silly driver bugs that have been known to cause anything from screen glitches while using supposedly certified applications to outright system crashes.

Several people have commented in this Slashdot discussion that you can disable the driver updates within Windows update even if you can't disable other parts, though so far I haven't been able to find any official confirmation of that from a Microsoft source. Even if it's true, that in itself says something about Microsoft's awareness of the potential for forced updates to go badly wrong. :-(

Comment Re:NVidea's problem, not Microsoft's (Score 1) 308

Firstly, given that the default behavior outside of enterprise environments is to automatically install updates, do we have evidence that this has been significantly problematic? If this is indeed a problem then there should be plenty of instances in the history of Windows Update.

There are plenty of previous cases where Windows Update has broken things. That's why a lot of us are so concerned. Been there, done that, spent the next several hours clearing up the mess, on occasion even resorting to physical media because the normal recovery mechanism was sufficiently b0rked that even booting that far wasn't happening.

Secondly, if the above case turns out to be valid (I'm no expert, that's why I'm asking) then is there any evidence to indicate that this would still not be resolved after a few months of deferring the update in question?

Severe problems like the ones I was thinking of above? No, to be fair to Microsoft, they have usually fixed those within a day or two. (Drivers are a different question entirely, but as we've determined, those are a different case and not entirely Microsoft's responsibility.)

But minor gremlins that mess something up for people with certain hardware or software combinations? Or updates that aren't really necessary at all, like the Win10 nag messages? I don't see any rush to get those fixed.

In any case, as the financial folks will tell you, past performance is not a reliable indicator of future behaviour. The fact is, if you trust Microsoft to get this stuff fixed and it does turn out that they can't or won't fix whatever issue is affecting you, your business is screwed. What manager or IT group wants to risk their business's ability to trade or potentially their own personal livelihood in that way, entirely unnecessarily? Why would any rational person do that, if they understand the other options available to them?

Right, so is the solution to proliferate the knowledge about how to resolve the problem or just bitch pseudonymously in web forum comments about the existence of it?

Once again, the problem isn't just this specific issue, it's the uncontrolled risk associated with allowing anyone to force software changes on a PC you rely on.

And if you think I'm only bitching about this pseudonymously on-line, you're crazy. Every business I work with (and a couple of family and friends who have asked) has been actively making plans to avoid winding up on Windows 10 for a while.

BTW, my comments on this issue are mild compared to a few I've heard when talking to the sysadmins at some of those businesses. The language some of those people used to describe Microsoft's attitude here isn't something you'd repeat in polite company, let's say.

Comment Re:NVidea's problem, not Microsoft's (Score 1) 308

How is having a system that remains up to date suddenly no longer the right tool for the job?

If it was working for whatever it was needed for before the update, and it wasn't after.

The entire point of the concern here is that Microsoft can and have pushed updates that are broken, and they can and have pushed updates that a lot of users didn't want and that had nothing to do with security (like the Windows 10 nag message).

Microsoft's idea of what constitutes an important update that I should definitely deploy and my idea of what constitutes an important update that I should definitely deploy have been diverging significantly for some time. My standard policy now is that I apply security updates, and unless I have a good reason to do otherwise, that is all I deploy.

That policy was a direct result of problems caused by earlier updates, and I think if you ask around you'll find a lot of sysadmins favour a similar strategy. Even if that weren't the case, the likelihood of Microsoft increasingly pushing unwanted changes that are in their own interest more than their users' seems high given their disclosed strategic plans and business model going forward.

Comment Re:NVidea's problem, not Microsoft's (Score 1) 308

Because now you're moving the goalposts. This is about forced driver updates (read the title).

The issue is bigger than that, and this story is just one early example of how forced updates could go wrong (read the summary, and for that matter numerous other discussions on this and other forums since the forced update mechanism became widely known a few days ago).

I'm happy for you that apparently the systems you use are all running Windows Enterprise, and the people who set them up and maintain them have no problem with spending time figuring out which settings to adjust to turn this stuff off. Obviously from the fact that we're having this discussion a lot of people didn't know to turn this off and got stung by it, and as I've noted repeatedly, there are analogous cases that could be just as damaging but which will not have the option to turn them off even in Pro. A lot of people are going to wind up getting hurt by this policy, even if you personally aren't one of them.

Comment Re:Wait, you have to TYPE the password??? (Score 1) 332

Copy/paste cache scrapers exist, and are common for browsers with bugs. Training people not to copy/paste passwords is a good idea.

You're promoting perpetuating a long-standing, widespread and hugely-damaging user security error in order to avoid a relatively obscure problem which can actually be fixed through purely technical means. Not a win.

Comment Re:OpenID Connect scales at O(n^2) (Score 1) 332

What you describe as a problem is actually part of the solution. The problem with classic OpenID was that it was virtually impossible to get, say, 1st Bank of MyButt to use it, because absolutely anyone could be an identity provider. I personally agree with you that classic OpenID was better in that respect, but 1st Bank of MyButt doesn't. They're hemming and hawing about letting Google manage their users' identities, but they will at least consider it.

Comment Re:Wait, you have to TYPE the password??? (Score 1) 332

You're actually very wrong. Long complicated passwords are horrifically impossible to remember, causing people to write them down or store them in managers with simpler passwords to open the manager.

Putting them in password managers is the right thing to do.

Length is all that matters for passwords. You're better off with "thatswhatshesaid" (26 ^ 16) than "B4c0nL0v3r!" (72 ^ 11). You're 162 times better off, in fact.

26 ^ 16 = 43,608,742,899,428,874,059,776
72 ^ 11 = 269,561,249,468,963,094,528

You're wrong. Hilariously so.

The entropy of "thatswhatshesaid" is far lower than 43,608,742,899,428,874,059,776. Randall Munroe calculated correctly in the XKCD comic, of course. He didn't assume that each letter was random, he assumed he was choosing four words at random from a dictionary of a specific size (about 2048 entries == ~11 bits of entropy per word). Your password is clearly not a selection of randomly-chosen words, and even if it were, it would likely have been from a much smaller dictionary.

This highlights the danger of asking users to pick passwords... even those who think they know what they're doing are likely to screw it up. Munroe's advice in 936 was good... but I think it has misled more people than it has enlightened.

No, it's much better to use a password manager and let a computer pick large random passwords for you.
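The point of the reply above is that entropy is a property of how a password was generated, not of how it looks. The following Python is an added illustration written for this page (it is not code from either commenter): it computes the search space and entropy for the two passwords quoted in the thread under the quoted "every character is random" model, then under the XKCD 936 model (four words from a 2048-word list), and then under an assumed 500-word common-word list (the 500 is a hypothetical size chosen here, not a figure from the thread). It also generates a password the way a manager would, with `secrets`, so the entropy claim actually holds for it.

```python
import math
import secrets
import string


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets when each of `length` symbols is drawn
    uniformly and independently from `alphabet_size` possibilities."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of such a secret: log2 of the search space."""
    return length * math.log2(alphabet_size)


def thread_comparison() -> dict:
    """Entropy of the two passwords quoted in the thread under several
    generation models. Only the model an attacker has to assume matters."""
    letters_only = entropy_bits(26, len("thatswhatshesaid"))   # 16 random lowercase letters
    mixed = entropy_bits(72, len("B4c0nL0v3r!"))               # 11 random symbols from a 72-symbol set
    # XKCD 936 model: four words chosen uniformly from a 2048-word list.
    xkcd_four_words = entropy_bits(2048, 4)
    # "thatswhatshesaid" parsed as four words (thats/what/she/said).
    # Assumed list of 500 common words; hypothetical size for illustration.
    four_common_words = entropy_bits(500, 4)
    return {
        "random_letters_16": round(letters_only, 2),       # ~75.21 bits
        "random_mixed_11": round(mixed, 2),                # ~67.87 bits
        "xkcd_2048_words_x4": round(xkcd_four_words, 2),   # 44.0 bits
        "common_500_words_x4": round(four_common_words, 2),# ~35.86 bits
        # Factor the original poster computed, reproduced from the search spaces.
        "space_ratio": round(search_space(26, 16) / search_space(72, 11)),  # 162
    }


# Alphabet a typical password manager would use: 94 printable ASCII symbols.
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = MANAGER_ALPHABET) -> str:
    """Draw each symbol with the CSPRNG-backed `secrets` module, so the
    entropy_bits() figure for (len(alphabet), length) is actually achieved."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generated_entropy(length: int = 20, alphabet: str = MANAGER_ALPHABET) -> float:
    """Entropy of a password produced by generate_password with these parameters."""
    return entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    for name, bits in thread_comparison().items():
        print(f"{name:22s} {bits}")
    pw = generate_password()
    print(f"manager-style password: {pw} ({generated_entropy():.1f} bits)")
```

Reading the output side by side shows the reply's argument: the same 16-letter string is worth about 75 bits only if each letter was rolled independently, about 44 bits if it came from a 2048-word list, and less still from a smaller common-word list; a 20-symbol manager-generated password sits above 130 bits regardless of what it looks like.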

Comment Re:NVidea's problem, not Microsoft's (Score 1) 308

All true, but in general you can only defer updates for a few months even in Pro with Windows 10, or you lose the security updates as well. That change is actually worse than forcing everything on Home users immediately, IMHO, because it removes control from all the small businesses and power users who actually want/need it.
