Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:A word you made up? (Score 1) 97 97

It could easily be both, in which case the differentiating factor should be which came first - the made-up word domain registration or the well known name (which could also be a made up word - "googl" and "Google", for instance). Who has the most expensive lawyers aside, the responsibility for checking for pre-existing typosquatting domains ought to lie with the company, the same way it's their responsibility to make sure their intended name doesn't infringe on any existing trademarks and servicemarks. Back in 2001 I doubt too many people were even thinking about such things though.

Comment: Re:Type 4 UUIDs (Score 1) 240 240

My concern is how to keep someone between your server and the subscriber's MUA from compromising "possession", or how to establish "possession" the first time.

If you follow the same model with account creation, then you already have possession established. If someone compromises your email account, and knows your user account for this site, and knows your security answers, then yeah, you're borked. But if someone has all of that information already, I'm pretty sure you've been borked for a while and in significantly worse ways than someone having your college transcripts. ;)

I just use a PRNG. If I need it as a GUID, I request 120 random bits and format them as a type 4 UUID. Is that good enough?

"Good enough" is a question that is best answered by the asker. Security isn't a Boolean implementation. You aren't secure or insecure, you are at some level of security across a very wide range. Storing passwords in clear text is vastly more secure than having no authentication on a system at all, but it is vastly less secure than storing a hashed password. And that is vastly less secure than storing a 1-way hashed password. And even that is meaningless if you don't have a secured communication layer, or if you aren't correctly exchanging public/private keys. etc...

Are you trying to keep script kiddies from spamming your content management site with pictures of dicks, or are you trying to keep banking details, SSNs, and credit histories locked up with controlled access via the internet?

With that said, you're likely more on the 'secure' side using a v4 UUID, assuming the rest of your implementation follows the appropriate patterns.

-Rick

Comment: Re:Kids don't understand sparse arrays (Score 1) 128 128

Not necessarily. It doesn't take much math to be able to do probably 99% of the programming the world demands today. System design should probably be (and probably is) left to systems architects who have a better understanding of it than the rank and file code monkeys.

If you want to be a system designer/architect/whatever, you maybe should have a degree in software engineering. If you want to be a code monkey a diploma where they ensure that you can write Java, C, add, subtract and multiply is handy. Computer science is a different thing (I realize that "computer science" in the US actually isn't a different thing).

My computer science degree consisted of a lot of math classes and things like experimental OS design, formal proofs and complexity analysis. I was too early for all the quantum stuff they do now.

Comment: Re:Responses (Score 3) 240 240

[quote]So how do you encrypt this UUID?[/quote]

You don't. It's just a GUID or some other low collision rate hash.

[quote]And what do you send for a password reset?[/quote]

You send them a new UUID in a link. When the link is hit, the UUID resolves back to their account and they are directed to enter a new password, just like a first time user.

The combination of time (the UUID can be time boxed), activity (a successful login nullifies the UUID), and possession (control of the account's registered email address), and if you want to get really wild, knowledge of a security question, creates a scenario where there are no good purely technical solutions for the attacker.

An attacker could, in theory, create a colliding GUID for an account they know the name of (but not password), manually enter the UUID link, and set the new password (assuming there is no security question).

But if an attacker manages to consistently generate colliding GUIDs*, they have accomplished something so monumental that they should be heralded as the second coming of Steve Jobs or something.

(*Assuming the coders didn't decide to come up with their own GUID generation algorithm that is easily reverse engineered and seeded)

-Rick

Comment: Re: 200 cycles? (Score 1) 131 131

I mean, that's why you don't "purchase" a phone on a two year contract. The company gives you a "free" phone when you sign a two year contract, or a discount on a phone if you sign the contract (but the phone purchase is independent).

Maybe it's different with your company, but no cell company I've ever heard of warrants their phones for the entire contract period (unless it happens to be 1 year and the manufacturer's warranty is also 1 year).

I usually replace my phone batteries around 2 years, or a bit earlier if they need a screen replacement (as mine does now). New batteries for iPhones usually cost about $20 and take about 10 minutes to install. Five if you've got some practice.

Comment: Re:Trained vs Untrained... (Score 1) 195 195

You seem to have described the general shape of a bell curve, but you go off the rails a bit with things like "There are more people who are, statistically, absolutely average."

The mean, sometimes also called the expected value, is defined as SUM(values) / N where N is the number of values. Using that definition and the definition of a Gaussian (which is what a bell curve is) you can prove that the mean falls precisely in the middle of the distribution: there are equal numbers above and below the mean. Since results of an IQ test are distributed pretty normally, the OP is correct: half of people have an IQ that is below average (and half have an IQ that is above average). There may in fact be no individual people who are exactly average. If the measurement is continuous then this is almost certain.

That result is extensible to any symmetric distribution (of which the Gaussian is one). In fact, the reason they're called symmetric distributions is because they're symmetric about the mean.

I teach statistics, by the way.

Comment: Re:Obvious (Score 1) 195 195

"playing around with passengers" He he.

I grew up in a small town and the motor association ran driving instruction classes at the high school. Pretty much everyone took them, because they were cheap, convenient, and gave you a discount on your insurance. I think the training was over about six months, with weekly classroom sessions and a dozen or so in-car sessions. They scheduled it in the winter to make things more fun. Add to that that most of us had been driving with parental supervision since we were 14, and quite a few "unofficially" on farms since well before that.

As an adult I moved to a different province. One of my friends decided he was going to get a drivers license (at 25 or so, about average for the city). He took an hour of instruction, hopped in a car and did his test. He came back and said driving is one of the hardest things he's ever done, but he'd passed.

+ - New way to alleviate the environmental burden of discarded electronics

jan_jes writes: A report published by the U.S. Environmental Protection Agency in 2012 showed that about 152 million mobile devices are discarded every year, of which only 10 percent is recycled — a legacy of waste that consumes a tremendous amount of natural resources and produces a lot of trash made from expensive and non-biodegradable materials like highly purified silicon. Now researchers from the University of Wisconsin-Madison have come up with a new solution to alleviate the environmental burden of discarded electronics. They have developed a new biodegradable silicon transistor based on a material derived from wood, opening the door for green, flexible, low-cost portable electronics in future. They published this research in the Applied Physics Letters.

news: gotcha

Working...