
Comment Re:This is why you call your bank before tourism (Score 2) 345

Another Chase fan here. Just after I arrived in Ireland for a two-week vacation this past May, I get a notice from Chase that they're canceling my card due to (actual) fraud and sending me a new one. Except that I was depending on the Chase card while I was in Ireland. Their CS was extremely helpful and suggested a setup where they'd authorize card-present transactions while I was in Ireland but block others (unless I explicitly authorized them.) (And then I was embarrassed when my card was declined in Ulster, but that was my fault because I wasn't in Ireland anymore - and they had asked what other countries I would be in.)

American Express has also been good about fraud detection and alerting me instantly, though on a previous European trip I noticed a whole slew of bogus charges to my card using a number that had been canceled two cards ago. Their explanation was that if it came through a processor that had done a valid transaction before (which had been the case), they'd let it go. No big deal to get it taken care of.

Comment Re:Scripts that interact with passwords fields aws (Score 1) 365

n00bs, eh? I've been in the software business for almost 40 years, you young whippersnapper.

I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works. https://lastpass.com/whylastpa... https://lastpass.com/support.p...

Your super-whiz-bang method still requires a password, it seems. Without a password manager, users will still need to remember their password and many will either reuse passwords from other sites or choose simple ones. The image/caption thing you talk about is often used as an anti-phishing technique, but that's not authentication. If you're requiring the user to choose from among multiple pictures or captions, then that's effectively another one or two passwords. Yes, it will make it harder to attack YOUR site through the web interface, but doesn't itself strengthen protection of the users' passwords.

The goal for password managers is not to protect individual sites, it's to protect the users against their own misuse of passwords and to reduce the risk when some site (not yours, hopefully) gets hacked and has their password database stolen. (How do you hash the passwords for your sites? Still using MD5?)

Comment Re:Scripts that interact with passwords fields aws (Score 2, Insightful) 365

Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)

Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported.)

Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.

Comment Re:Scripts that interact with passwords fields aws (Score 5, Interesting) 365

LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.

I agree with the article - blocking password managers lowers security.

Comment Re:The VMS Common Language Environment (Score 1) 484

Free advice is worth every cent, Steve. Wasn't that you?


I should also have mentioned that the common language environment meant that mixed-language applications were far easier than on most other operating systems. How about mixing BASIC, RPG II, Pascal, Fortran and Ada? Easy.

Comment The VMS Common Language Environment (Score 1) 484

I'll admit that I am biased, as a former VMS developer for DEC, but in my opinion VMS did one thing right from the start that I have not seen any other OS duplicate before or since - the Common Language Environment. VMS defined a common calling and exception handling standard that was used by all of the 20+ programming languages supported on VMS. The system services and the common run-time library were usable from all of the languages. Yes, many of the languages needed extensions to support things such as "pass by descriptor", but it was done in a consistent fashion. There was also a naming standard that separated system and user namespaces to avoid namespace collisions. This was all documented in the standard VMS manuals and was designed to be extended as needed.

This also meant that pretty much all of the system library routines were language-independent and there were large collections of these that could be called from most languages. For a long time, Windows had something close to this with the Windows API, but in recent years it's been shifting to C++ class libraries that shut out other languages.

Comment So this is what is behind "Aurora" (Score 3, Interesting) 228

I just finished reading an ARC (Advanced Reader Copy) of Robinson's latest novel "Aurora", not yet published, which is about a generation starship sent out to colonize a planet orbiting Tau Ceti. Mild spoiler - the colonists find it's much harder than anyone anticipated. I found it a bit of an odd take given Robinson's Mars trilogy (to be honest, I made it to about a third of the way through Blue Mars and gave up) which seemed far more optimistic. Now I know why. Unfortunately, pessimism doesn't sell as well as optimism, so I don't have great hopes for commercial success of Aurora. Oh, and if you weren't transfixed by Red/Green/Blue Mars, you probably won't care for Aurora either.

Comment Re:someone explain for the ignorant (Score 3, Interesting) 449

Yes, in fact they can, and this has happened in Europe. One problem with C&P is the "offline PIN" mode which doesn't exchange data with the bank. In the UK, at least, the consumer is liable for any fraud with a C&P card as it is assumed that if the PIN was entered correctly it was by the cardholder. In the US, all the card issuers assume liability for fraud, no matter what, so there is less incentive to require a PIN.

The article you linked to is informative, but as the US transitions to EMV, it will become harder for thieves to use magstripe cards.

As I noted earlier, the biggest benefit of EMV, with or without PIN, is that merchants and payment processors aren't holding on to vast quantities of card numbers, and card skimming becomes far more difficult.

Comment Re:someone explain for the ignorant (Score 4, Informative) 449

Chip yes, PIN, no. In the US, "Chip-and-signature" is what we get, with extremely rare exceptions. It is more secure than the magstripe to stop massive hacks such as Home Depot and Target, but does nothing to stop stolen card fraud. Note that if your card does not support chip-and-PIN (it can support it even if it's not the default, but US banks aren't doing this), then you can't use the card at many automated kiosks (train stations, etc.) outside the US.

I disagree with the summary that contactless goes along with the chip - it doesn't. There are some banks offering contactless payment cards, but this is not common right now.

Comment Re:Use FairPoint, avoid Comcast (Score 1) 214

I agree 100% with Okian Warrior here - I'd do without rather than buy service from Comcast. I have the FairPoint fiber service that used to be FiOS and it works well, but if it's not already run on your street you'll never get it. For TV go satellite - I use DirecTV.

One, hopefully temporary, hitch is that FairPoint workers have been on strike for several weeks, slowing down installs and repairs.

Really, FairPoint nowadays isn't a bad company to do business with. They're focused on staying in business and aren't interested in meddling with your Internet content.

Comment Been there, done that (Score 5, Informative) 214

This is not new for Verizon at all - they have been shedding their landline and FiOS business for years. Back in 2007 they abandoned Maine, New Hampshire and Vermont, selling off the business to FairPoint Communications, a tiny North Carolina company that struggled for years to overcome billing system issues. FairPoint announced then that they would not be expanding the fiber Internet service (FiOS TV never got started here) and the service has been static since then. (On the positive side, my bill hasn't increased since 2007!)

Even in Massachusetts, where Verizon still operates FiOS TV, they announced a couple of years back that they would not expand service to more areas. This tripe about Net Neutrality is just a convenient smokescreen for what they've been planning all along.
