Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

After trying for months to keep ahead of spam using a regex extension called AbuseFilter, I ended up realizing that Google's ReCAPTCHA was broken.

I'm still on top of SPAM, but mostly by requiring email confirmation, and by having three or four people who watch the RC feed, block bad users and delete bad content.

I switched my MediaWiki to QuestyCaptcha. Each of about a half dozen questions about classic literature links to a Wikipedia article that contains the answer.

I'll have to check out QuestyCaptcha, but I've got a lot of non-English users. Thanks for the tip!

Successful spammer registrations dropped to zero. Someone using a wiki farm wouldn't have this sort of story to tell to an interviewer.

Honestly, the story of managing load spikes and such in a VPS environment is a far, far more interesting story to tell than anti-spam techniques. Believe me, I've walked the entire path.

In other words, the "warn" method [pineight.com].


Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

SSL is considered a subscriber perk.

Ah. I thought I still had subscriber credit. I got one of those 'as thanks for...you can now use Slashdot without ads' emails. Only other time I'd seen that kind of behavior was when I was a subscriber.

For one thing, what sort of anti-spam mods and specialized markup mods do MediaWiki and phpBB farms offer?

Beyond captchas? Very probably things like mod_security, firewall rules blocking bad netblocks from accessing the server. (Doing this was the single most-effective anti-spam mechanism I ever saw.) Using DNSRBLs for realtime tracking of bad source IPs.

For another thing, it might be a custom web application, other than a popular blog, forum, or wiki, that still needs user accounts. Such an application might form part of a job seeker's portfolio to present to prospective employers who "don’t interview anyone who hasn’t accomplished anything" [techcrunch.com].

If you're building a site as part of an operating portfolio with a user base, you can certainly afford an extra IP if you need it. Right now, it doesn't cost very much. If you're merely showcasing a web application, you don't need SSL. If the potential employer is going to ding you for being vulnerable to Firesheep on a site where it doesn't matter, either you're applying for a security-related job, or the guy doing the analysis is a pedantic dick.

And if you do user accounts without TLS, you're vulnerable to Firesheep.

I've never argued otherwise. That said, there are ways to cope with things like Firesheep. Such as tying operating profiles to browser fingerprints. (There's a lot more identifying information in each HTTP request than just your User-Agent string.)

Most shared web hosts that I've looked at don't even offer SNI hosting because they cater to the IE-on-XP demographic.

Then either educate them, use a different provider, or school them by running a shared web host that does offer both SNI and IPv6, and advertise like crazy on Slashdot and Reddit.

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

So in other words, IPv6 from the backbone to a home PC's 802.11g radio will be deployed around the time the last mainstream non-SNI PC operating system is scheduled to die anyway [microsoft.com].

Pretty much.

So how would you explain to the users that a blog, forum, or wiki is supposed to raise a serious certificate error after the user is logged in, and that HTTPS with such a serious error is safer for the user than an HTTP connection that can be Firesheeped?

Ask the gentoo guys behind bugs.gentoo.org, who use a CA whose cert isn't generally shipped, or anyone who's using a self-signed cert. I'm not here to get into an argument of over the weights, values and concerns of various degrees of encryption and authentication. For some, it's enough that passive sniffing isn't feasible. For some, that isn't enough, and you need to authenticate the server identity.

Don't ask me to make grand sweeping statements of 'X is enough security', because security is a case-by-case thing. Heck, I note that even Slashdot isn't defaulting to SSL.

The difference between $5 per month name-based shared hosting, which may put a thousand or more domains on one IPv4 address, and a VPS. You mention a $5 to $7 per month VPS plan; which provider do you recommend?

I use prgmr.com. I wouldn't put a full LAMP server on a $7/mo plan; the low-end plans wouldn't really be up to it. But, again, I could easily imagine paying that just so you can drop a squid proxy server on it listening on port 80. Have your domain point to that. Have squid serve as an accelerator proxy, pointing to your shared hosting provider. Squid can wrap your clients' connections with your SSL cert so they can't be firesheep'd on their local wireless or by their local malicious network. Granted, the connection between squid and your shared hosting provider is unencrypted, but the people on that route are far less likely to care. (so long as your VPS and shared hosting provider are in the same country).

Personal use SSL certificates have been free of charge from StartCom for some time now.

StartCom's free certs are only good for a year. You're far better spending off a dollar or two more per month than spending time every year coping with cert rollover headaches. If you can't afford that (after spending $7-10/yr for a domain), I have to wonder why you aren't using a wiki, forum or blog farm that handles these things centrally, and for free.

Is there a standard WordPress app, a standard phpBB 3 app, or a standard MediaWiki app?

There's a Wordpress app. I don't know if a MediaWiki app has cropped up, but I'd been considering writing one as an interface to my own site. I don't know if anyone's written a phpBB 3 app, but I can imagine some real benefits to it. (Imagine having your phone use the normal notification channel to inform you of PMs or replies.)

The market is in a crunch right now, with security concerns and IPv4 address depletion. It's not a pretty situation, and something has to give. Before anything else, that's going to be the IE-on-WinXP market. (IPv6 doesn't even solve the IE-on-WinXP issue, since you need to explicitly enable experimental IPv6 support to get it on WinXP)

According to Google Analytics, my site had 126,947 visits over the last month, and only 5,480 of those were from IE-on-WinXP. That's 4.3% of my traffic. I'd stop giving one whit once that's down to about IE-on-XP once it's down to about 5%, so IE-on-XP is no longer something I need to care about. Heck, I had 22,387 visits from WinXP during the same period, which tells me only one in four WinXP users are still using IE when they visit my site.

IE-on-XP is not a demographic most people need to be reaching for. And, really, if you need TLS, and you need a non-SNI circumstance, and you can't afford another $5/mo (heck, even Linode was only charging $1/IP more, last I checked), then you need to put up a donation link with something like PayPal, and get your users to help support a service you obviously can't afford to provide on your own. That's what carried my site for a couple years.

Comment Re:Internet Explorer on Windows XP (Score 1) 136

What is your plan to make it happen? Will you be breaking in to people's homes and replacing their PCs?

Nobody has to make anything happen that isn't already either planned (Microsoft will stop supporting it) or physically inevitable.

Hardware will die. Software will get screwed up. Installation media will be missing. It will become cheaper for the 'family tech guy' to get his parents something newer or different as a replacement. There will be die-hards who will want to stick with Windows who will refuse to change. Those die-hards are outside the demographic of the vast majority of website maintainers.

So it went with Amiga, Commodore64, DOS, Win3.1, OS/2, Win95, Win98, IPX, token ring, Linux ipchains, VAX. DEC Alpha. So it goes. So it shall go.

When you are done, you should make everyone stop smoking and end poverty.


Comment Re:Google only recommends SPDY with SSL/443 (Score 2) 136

Translation: SSL libraries are big and scary, SSL is big and confusing and I have no idea what the hell it does so it's bad.

Actually, the better argument I've heard is that it OpenSSL is very poorly documented. And I've heard this complaint from numerous people...to the point where some even started looking into fresh implementations.

Comment Re:IE on XP, and Android 2.x too (Score 2) 136

If you think home ISPs haven't been scrambling to catch up on IPv6, you haven't been paying attention! Comcast is rolling it out right now. DSL providers are deploying 6rd. Mobile providers are deploying. Within a year, most end-users (in the US) will have access to IPv6 from their ISP. Within two years, most end-users will have replaced their non-IPv6 CPEs with ones which support IPv6. But IPv6 isn't the only solution to the problem, either.

Right now, most small website operators should avoid TLS if they only have static content. Otherwise, they need to make a decision between supporting XP and shelling out for a dedicated IP. Me, I'd probably drop support for XP, and let the end-user click through a cert warning if that's what they're inclined to do.

How much more per month are we talking about for a dedicated IP, anyway? I know how you'd set up joe random guy with a dedicated IPv4 address using a proxy server on a $5-7/mo VPS. Seems cheap to me, especially compared to what joe already spent to get a valid SSL cert.

As far as Android...a number of websites are pushing their users to use simple apps instead of the Android browser. As a user, this annoys me, as my LG-509 doesn't have much space unless I root it and clean it...but I can see how it offers a better interface to the server, and how it changes authentication and connectivity concerns.

Comment Re:Internet Explorer on Windows XP (Score 4, Insightful) 136

By the time a replacement of HTTP 2 is standardized, XP will be fully out of support. I get flamed whenever I say this, but it will be time to let XP die. I'm considering replacing my grandmother's box with an ASUS Transformer, as that'll handle all of her needs. (*And* the rest of my family won't say 'we don't know how to reboot the router because we don't know how to use the Linux netbook you set her up with.) Quickbooks runs on Vista and Win7. Tools and other things which require Windows XP are becoming scarcer, and workarounds and alternatives are becoming cheaper.

Eventually, XP will be like that DOS box that sits in some shops...used only for some specific, very limited purposes. Any shop cheaping out and still using it in lab environments (such as call centers) can work around it by installing a global self-signed cert and using a proxy server to rewrap SSL and TLS connections. Yes, this is bad behavior. So is continuing to use XP. At some point, the rest of Internet needs to move on.

Comment Re:Citation needed (Score 2, Insightful) 198

The best thing a government can do for an economy is get out of the way. Even outside of extreme regulation, taxation and foot-dragging bureaucracies, a government that doesn't change is better than a government that changes every six months, and whose leadership announces sweeping new initiatives almost as frequently.

Nobody in their right mind wants Romney to "fix" the economy, they just want him to get out of the way.

Comment Re:One good reason... (Score 1) 793

It also allows the exception handler to make a decision about whether or not the stack should be destroyed i.e. allowing the program to continue execution from the point where the exception was thrown.

Personally, I make that decision by choosing where I put my try...catch blocks.

Here's pseudocode for a common idiom where I work for opening and parsing internal binary-format files:

bool ParseFile(fh file_handle)
    bool bRet = false; // try
        m_SomeMember = ReadValue(file_handle);
        m_SomeOtherMember = ReadValue(file_handle);
        m_YetAnotherMember = ReadValue(file_handle);
        m_AndStillAnotherMember = ReadValue(file_handle);
        bRet = true; // catch
    { // Log an error
    return bRet;

Of there's a failure between those try and catch blocks, I don't give a crap about the rest of the content of the file, or even of any temporary variables I may have created for conditional processing. ReadValue() will throw an exception, no more calls to ReadValue will be made, the catch block will do its own thing, and we'll all be very happy. Well, the user might be pissed his file is corrupt...

Slashdot Top Deals

The world is coming to an end--save your buffers!