


Comment Re: A plea to fuck off. (Score 1) 352

SMS-based approaches are certainly better than passwords alone; but I have a few areas of dislike for them:

They require an active cell link and a live phone, so are bad news if you are trying to log in in the bowels of some structure, with a phone that has a dead battery, or while travelling outside your non-ridiculously-priced service area. It also tends not to be a problem in practice; but SMS is 'best-effort', so if the system is being flaky then that's just too bad. Essentially, it isn't a 'second factor' at all; but a secondary channel that is assumed not to be compromised.

Then there is the matter of the site needing your phone number. For some applications, that doesn't matter: your bank already knows way more than that about you, say. For others, I'm not so enthusiastic about providing a relatively persistent, and spammable, identifier (also fairly robustly tied to me by payment data, unless I get a burner specifically for dealing with auth issues) to any lousy little website that wants it.

Finally, I'm not terribly confident about the medium-term security of SMS if it becomes a common '2 factor' authentication method. Mobile OSes tend to be a bit more locked down than desktops; but hardly infallible, and the security of SMS gateway providers (who sites using SMS auth presumably employ to interface with the phone network) is an unknown and possibly not comforting factor.

RSA fobs are ultimately an inferior option because they cannot be safely shared across multiple systems, and carrying a fistful of the things is ridiculous (plus, the pricing is usurious); but smartcard/NFC cryptographic authentication has none of these weaknesses. The hardware is cheap, it doesn't require a secondary channel to be available, certificates are relatively tiny so you can carry an enormous number of them without issue; and you can implement certificate auth with varying levels of connection with user 'identity'. On the relatively anonymous side, the user can just generate a keypair and send the public key when they create an account. Trivially handled on the client end, no interaction with outside entities. At the other extreme, hierarchical PKI systems make it possible to robustly verify the user's affiliation with a given organization if the situation requires it. The trouble, of course, is the lack of card readers/NFC pads on a lot of contemporary computers and mobile devices. A great pity.

Comment Re:And why do they still need to prove this? (Score 1) 73

Unfortunately, as our fine folks in the TAO group have apparently proven on multiple occasions, even people with fancy access control tend to have very little power until the package shows up at their loading dock. What happens earlier in the process is less encouraging.

Comment Re:Old news is so exciting (Score 5, Insightful) 73

It isn't conceptually novel; but doing a practical TEMPEST attack with nothing but a dumbphone, with a fairly unobtrusive software modification, rather than a relatively classy SDR rig or some antenna-covered fed-van is a nice practical refinement.

Really, how many 'tech news' stories are actually conceptually novel, rather than "Thing you could lease from IBM for the GDP of a small country in the 60s and 70s, or buy from Sun or SGI for somewhere between the price of a new house and the price of a new car in the 80s and early 90s, is now available in a battery powered and pocket sized device that shows ads!" Conceptual novelty has a special place, of course; but one ought not to scorn engineering refinement.

Comment Re:Brilliant (Score 1) 86

The trouble here is that the rest of the monitor is pedestrian as all hell (gosh Samsung, 1920x1080 on a 27 inch screen! I can practically taste the future...) and the presence of the charging widget in the stand suggests that you aren't going to be VESA mounting this one. If you really care about 'de-cluttering', you are much better off having your monitor float conveniently above your desk, not being stuck with the lousy stock stand.

At least the color scheme is atrocious.

Comment Re: A plea to fuck off. (Score 1) 352

It's not hard to understand why using passwords is so popular; basically all software supports it as an authentication method, it requires only hardware that you can safely assume that all your users have; and even an idiot understands it well enough to do it dangerously weakly but more or less correctly.

What is frustrating is how few even offer the ability to do anything else. There has been some uptake of shitty little cellphone-based systems (either using SMS or some 'authenticator app'); but RSA-type fobs are pretty much exclusively for accessing corporate systems (and, as a fundamental limitation of their design, they can only be securely used to authenticate against one entity; since, unlike asymmetric key systems, the authentication server must know the initialization seed values of the fob in order to validate authentication attempts, so anyone in a position to authenticate you could impersonate you anywhere else the same fob was accepted); and certificate-based auth is either something you do yourself for SSH (often without secure hardware for storing the certs) or something you basically have to do work for the DoD to encounter.

I'm actually currently in the process of trying to switch banks because, when I inquired about authentication options that weren't pitiful bullshit, they gave me what amounted to "that's adorable; add three or four factors of ten to your account with us and maybe I'll transfer you to somebody who gives a fuck." Blizzard cares more than that. FFS.
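An added example, not code from either of these comments: it puts the two authentication designs they contrast side by side. The seeded-fob half implements the RFC 4226 HOTP truncation (TOTP fobs use it with a time-derived counter) and shows that every site holding the seed can mint the codes another site accepts, which is the one-entity limitation described above. The keypair half implements the "generate a keypair and send the public key at signup" scheme from the earlier comment as an Ed25519 challenge-response, where the site stores only a public key and a response is bound to the site it was issued for. The seed is the RFC 4226 test key and the site names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTPCode is the RFC 4226 truncation of HMAC-SHA1(seed, counter) to six digits.
// TOTP (RFC 6238), which seeded fobs use, is the same with counter = unixTime/30.
func HOTPCode(seed []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff) % 1000000
}

// SeedVerifier is a site that accepts a seeded fob. To check a code it must hold
// the fob's seed, so "can verify" and "can produce" are the same capability.
type SeedVerifier struct{ Seed []byte }

// Accepts reports whether code is the fob's code for this counter.
func (v *SeedVerifier) Accepts(code uint32, counter uint64) bool {
	return HOTPCode(v.Seed, counter) == code
}

// MintCode is why one fob cannot be shared across sites: any site storing the
// seed computes exactly the codes the fob would, valid wherever the fob is enrolled.
func (v *SeedVerifier) MintCode(counter uint64) uint32 {
	return HOTPCode(v.Seed, counter)
}

// KeyHolder is the user's side of the keypair-at-signup scheme. The private key
// stays on the client (on a smartcard it never leaves the chip).
type KeyHolder struct{ priv ed25519.PrivateKey }

func NewKeyHolder() (*KeyHolder, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyHolder{priv: priv}, nil
}

// PublicKey is the only thing the user sends at registration.
func (k *KeyHolder) PublicKey() ed25519.PublicKey {
	return k.priv.Public().(ed25519.PublicKey)
}

// Respond signs a site-bound challenge, so an answer for one site is useless at another.
func (k *KeyHolder) Respond(site string, challenge []byte) []byte {
	return ed25519.Sign(k.priv, boundMessage(site, challenge))
}

func boundMessage(site string, challenge []byte) []byte {
	return append([]byte("login:"+site+":"), challenge...)
}

// PubKeyVerifier stores only a public key, which lets it check responses but
// never produce one: a second site, or a breached user table, gains nothing usable.
type PubKeyVerifier struct {
	Site string
	Pub  ed25519.PublicKey
}

// Challenge returns a fresh 32-byte nonce; each login gets a new one.
func (v *PubKeyVerifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Accepts verifies the signature over the site-bound challenge.
func (v *PubKeyVerifier) Accepts(challenge, sig []byte) bool {
	return ed25519.Verify(v.Pub, boundMessage(v.Site, challenge), sig)
}

func main() {
	seed := []byte("12345678901234567890") // constructed: the RFC 4226 test key
	bank, shop := &SeedVerifier{Seed: seed}, &SeedVerifier{Seed: seed} // same fob enrolled twice
	fmt.Println("shop-minted code accepted by bank:", bank.Accepts(shop.MintCode(7), 7))

	user, err := NewKeyHolder()
	if err != nil {
		panic(err)
	}
	bankPK := &PubKeyVerifier{Site: "bank.example", Pub: user.PublicKey()} // constructed site name
	c, _ := bankPK.Challenge()
	fmt.Println("genuine response accepted by bank:", bankPK.Accepts(c, user.Respond("bank.example", c)))
	// A second site that forwards the bank's nonce gets a response bound to itself, not to the bank.
	fmt.Println("shop-relayed response accepted by bank:", bankPK.Accepts(c, user.Respond("shop.example", c)))
}
```

The first line of output is `true` and the third is `false`: the seeded design lets any verifier act as the token, while the public-key design lets a verifier do nothing but verify. Binding the site name into the signed message is what makes the relayed response fail; without it, a response captured at one site would verify at any other site holding the same public key.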

Comment Re: A plea to fuck off. (Score 4, Insightful) 352

The frustrating thing is that we have better technology available; but we mostly can't use it because sites don't support it. PKCS#11 is older than God, and ICs to suit are nice and cheap because SIMs also use them; but when was the last time you saw a non-state site supporting that? The RSA style auth fobs are also better, as long as you don't let somebody steal the seed data (looking at you RSA) and they don't even need a card reader on the client device. Whatever the 'FIDO' people are messing around with is immature and barely adopted; but also is better than passwords. Aside from a few token "we'll send you a text message and call it two-factor" options, and amusing little pace-of-adoption quirks that make it easier to get a hardware token to protect your WoW account than your bank account, the sites that control the login options haven't done a damn thing in two decades.

Comment Re:Workstation Tests (Score 1) 75

Isn't that the only reason to care about this particular part? The laptop version is of interest because it has the distinction of being the fastest GPU(and probably pretty close to the fastest CPU) you can buy in any laptop too small/thin/etc. for a discrete GPU. The desktop version is just a solution looking for a problem unless the extra cache makes it better than other i7s.

Comment Re:NVidea's problem, not Microsoft's (Score 1) 311

It's also not comforting that these windows update drivers are breaking all over the place; because (at least for GPUs) the ones on windows update have historically been the relatively conservative option. They are frequently behind the curve compared to the direct-from-vendor ones; but are also supposed to be the ones that aren't breaking things just to improve some benchmark score.

Comment Re:Never understood (Score 1) 428

Lawyers are paid to advance their employer's interests, not to achieve correctness. If one wrote up a contract that was so full of shit that the entire thing got tossed they would indeed get poor marks (this is why contracts usually insist on 'severability', so that any sections determined to be bullshit shall have no effect on the remaining sections). As long as they can avoid that, though, any advantage that they can derive by inserting scary-but-groundless language is pure gravy. If somebody doesn't know that it is baseless, or can't risk fighting about it, you get compliance without even needing the law on your side. If they do, well, it's just a severable clause, so no harm done.

It's an ugly sort of business; but pragmatic.

Comment Re:Yep (Score 4, Funny) 269

You guys are fucked. Enjoy your draconian regulations.

To be fair, New Zealand is the country iconic for having flightless birds that are utterly incapable of surviving against species introduced to the island. It seems only appropriate that their drone situation should be similarly flightless and delicate.
