
Comment: Transitional packages (Score 1) 95

by tepples (#48228743) Attached to: OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

Of course it can. The repository maintainer can introduce a new package pwnCloud and turn ownCloud into a metapackage that requires pwnCloud. This "transitional package" pattern happens often in Ubuntu updates.

Comment: Ads would be mixed content (Score 2) 169

by tepples (#48228709) Attached to: Verizon Injects Unique IDs Into HTTP Traffic
For all users other than subscribers and karma-capped users who have checked "Disable Advertising", Slashdot is funded by advertisements. Using an HTTP ad network from an HTTPS site would be blocked as mixed content, and HTTPS support among ad networks is very new. AdSense, for example, didn't support HTTPS until September of last year.

Comment: Re:Is there a way to prevent this? (Score 1) 169

by tepples (#48228665) Attached to: Verizon Injects Unique IDs Into HTTP Traffic

Still, there is an option to sign up for just the phone plans without wireless data

Are you sure Verizon will even activate voice-only service on a smartphone? AT&T sure won't.

and use wired or satellite ISPs for internet access.

And if the DSL ILEC for your area is also Verizon, too bad.

Comment: Time and money to move to change ISPs (Score 1) 169

by tepples (#48228655) Attached to: Verizon Injects Unique IDs Into HTTP Traffic
In order to stop being a Verizon customer, someone who requires home or mobile Internet access for his way of life might have to move his family away from territory serviced by Verizon, either as the DSL ILEC or as the only wireless carrier with acceptable coverage. Consensus in comments to previous Slashdot articles is that almost nobody is willing to spend the time and money to move just to change ISPs.

Comment: Re: Paper statement surcharge (Score 1) 190

by tepples (#48228491) Attached to: Passwords: Too Much and Not Enough
Because of the low adoption of S/MIME and OpenPGP, I've seen banks send not a copy of the statement but instead a notice that a new statement can be viewed by logging in to the bank's HTTPS site. Besides, without Internet banking, how do you discover unauthorized withdrawals from your checking account before your statement, and how do you send money to individuals?

Comment: Key stretching with PBKDF2 (Score 1) 190

by tepples (#48227131) Attached to: Passwords: Too Much and Not Enough

a CPU that can manage a trillion hashes per second (easy)

A trillion (10^12) hashes per second can still check only 100 million (10^8) passwords per second if checking each requires 5000 rounds of PBKDF2. In the common PBKDF2 built on HMAC, each round is two hashes, making a 5000-round PBKDF2 take 10,000 (10^4) hashes.
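Added example, not part of the comment above: a PBKDF2-HMAC-SHA256 written out by hand so the hash invocations can be counted, checked against `hashlib.pbkdf2_hmac`, then used to reproduce the 10^12 / 10^4 = 10^8 figure. The function names `pbkdf2_counted` and `guesses_per_second`, and the sample password and salt, are constructed for illustration.

```python
import hashlib
import struct

BLOCK = 64  # SHA-256 input block size in bytes


def pbkdf2_counted(password: bytes, salt: bytes, rounds: int, dklen: int = 32):
    """PBKDF2-HMAC-SHA256 (RFC 8018) returning (derived_key, hash_invocations)."""
    calls = 0
    # HMAC key setup: long keys are hashed first (one-time cost, not counted).
    key = hashlib.sha256(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\0")
    inner0 = hashlib.sha256(bytes(b ^ 0x36 for b in key))
    outer0 = hashlib.sha256(bytes(b ^ 0x5C for b in key))

    def prf(msg: bytes) -> bytes:
        nonlocal calls
        inner = inner0.copy()
        inner.update(msg)
        outer = outer0.copy()
        outer.update(inner.digest())
        calls += 2  # one inner hash plus one outer hash per HMAC
        return outer.digest()

    out = b""
    index = 1
    while len(out) < dklen:
        u = prf(salt + struct.pack(">I", index))
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        index += 1  # each extra 32-byte output block repeats all rounds
    return out[:dklen], calls


def guesses_per_second(hash_rate: int, rounds: int) -> int:
    """Password guesses per second for an attacker doing hash_rate hashes/s."""
    return hash_rate // (2 * rounds)


if __name__ == "__main__":
    # Constructed sample password and salt, for illustration only.
    dk, calls = pbkdf2_counted(b"correct horse", b"constructed-salt", 5000)
    assert dk == hashlib.pbkdf2_hmac("sha256", b"correct horse", b"constructed-salt", 5000)
    print(calls, guesses_per_second(10**12, 5000))
```

Requesting more output than one digest (a `dklen` above 32 bytes here) repeats every round per extra block, so the count doubles at 64 bytes.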

Comment: The cost of great security is severe inconvenience (Score 1) 190

by tepples (#48227071) Attached to: Passwords: Too Much and Not Enough

There are infinite varieties of ways to inject a delay between login attempts, or lock out the console/IP entirely, after N failed attempts. N should be on the order of 10

At which point you may be on the wrong side of the tradeoff between security and convenience. If you have 100 subscribers behind a proxy with a single public IPv4 address, and ten of them forget one password, good luck fielding customer support calls for all of them.

Comment: Re:Computers: They can respond fast -and- slow (Score 1) 190

by tepples (#48227023) Attached to: Passwords: Too Much and Not Enough

Things like Facebook Connect, OpenID Connect and Mozilla Persona (BrowserID) are better than passwords [and] easy on the user when implemented right

The problem comes when well-known sites don't implement it right, such as by implementing only Facebook Connect and nothing else. The Huffington Post, for example, requires each commenter to have a valid subscription to mobile phone service and give a globally unique number capable of receiving SMS to Facebook.

Comment: Not all web sites offer HTTPS (Score 4, Insightful) 169

by tepples (#48226863) Attached to: Verizon Injects Unique IDs Into HTTP Traffic
And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing).
