Comment Re: "Why Are We Still Using Passwords?" (Score 1) 202

As described on the SQRL page, the procedure is as follows:

1. Install and configure the SQRL authenticator app on your smartphone or tablet.
2. Carry your smartphone or tablet near your friend's computer.
3. Connect your smartphone or tablet to the Internet.
4. Navigate to the SQRL login form on your friend's computer.
5. Open the SQRL authenticator app on your smartphone or tablet.
6. Inside the app, photograph the display of your friend's computer using the camera on your smartphone or tablet.
7. In seconds, your session is authenticated, and the login form disappears.

Comment Requires Chrome; git push still needs password (Score 1) 202

[YubiKey] is what I use for Google/Gmail, Facebook, Github

How does that work?

As far as I can tell, U2F on GitHub is incompatible with Mozilla Firefox, incompatible with Edge, and incompatible with Safari. I'm not even sure it works with other Chromium forks, as the page mentions Chrome. In addition, you need to buy a supported smartphone or tablet first because U2F requires working TOTP, and you still need to generate a password for use when pushing.

Comment Re:Don't kill them, implement 2FA+ (Score 1) 202

In 2017 it's no longer acceptable to have a single factor of authentication to a system, especially with the prevalence of TOTP and Hardware key, such as YubiKey.

Which is why I find reliance by Google and Twitter on SMS as the primary second factor, with TOTP and YubiKey relegated to backup second factors, to be unacceptable. What would you recommend for working around this unacceptable situation?

Comment Services still require a mobile phone number (Score 1) 202

But have you figured out how to use a U2F key with Google or Twitter without first setting up mobile phone verification? Say I want to have U2F (such as YubiKey) as my primary second factor, with TOTP (such as Google Authenticator) as a backup. But services like Google and Twitter support these only as backup second factors, not primary second factors. If I try to set up one of those as a second factor on Google or Twitter, the site won't let me proceed past the mobile phone verification. I don't want to use a mobile phone as the second factor for two reasons:

1. U.S. pay-as-you-go carriers charge 10 cents per received text message, and services like Twitter automatically send the code as a text message to the associated mobile phone even if I have a non-SMS second factor set up.
2. SIM swap fraud: SMS authentication is vulnerable to social engineering in which the attacker compromises an account by arranging delivery of a replacement SIM to him.

Comment Where is Xcode for iPad? (Score 2) 180

After launching the iPad Pro [Tim Cook] asked, "Why would you buy a PC any more?"

When did he announce availability of Xcode on the iPad App Store?

Under Tim Cook it is doing nothing, and he could easily be replaced by a block of wood and you would see no impact on the company.

That's racist against Pinocchio, Tommy Timbertoes, and other wooden people. #triggered

Comment TXT editing; carrier-grade NAT (Score 1) 90

You can set up HTTPS from your ISP DNS name (if it has one). Mine is $ip.$isp

I thought you needed to be able to set up TXT records in order to use the ACME DNS challenge. I doubt an ISP lets a residential subscriber edit the domain's TXT records.

ACME also has an HTTP challenge, but you need to forward a port for that. This in turn means you need your own IP address, as opposed to carrier-grade NAT, and ISPs in less IPv4-rich countries tend to put residential subscribers behind carrier-grade NAT unless they're paying substantially more per month for "home business" service that includes a static IP.
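To make concrete what each ACME challenge actually asks the subscriber to publish, here is an added example (not from the original comment or from any ACME client) that derives the HTTP-01 response and the DNS-01 TXT value from a challenge token and an account key, following RFC 8555 and the RFC 7638 JWK thumbprint. The account key coordinates and the token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over a JSON object containing only the required
    members of the key type, keys in lexicographic order, no whitespace.
    Extra members such as 'alg' or 'kid' must be dropped first."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """HTTP-01: (URL path, body) the web server must serve on port 80.
    This is why the comment above needs an inbound port forward."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """DNS-01: (record name, TXT value) = base64url(SHA-256(key authorization)).
    This is why the comment above needs write access to TXT records."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


# Constructed sample input: a P-256 account key with placeholder coordinates
# (not a real key) and a placeholder challenge token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # deliberately present to show it is excluded from the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("HTTP-01: serve", body, "at", path)
    name, value = dns01_record("home.example", TOKEN, ACCOUNT_JWK)
    print("DNS-01: publish TXT", name, value)
```

Both challenge values depend on the account key, so an attacker who can see the token alone cannot satisfy the challenge; conversely, anyone who can write either the TXT record or the port-80 path for the name can obtain a certificate for it, which is the whole trust assumption of domain validation.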

Comment Re:Signature is just for legal reasons (Score 1) 342

it amazes me they didn't produce an EVM-via-browser standard so you could use a USB EVM port to connect a credit card to your computer.

That means you'd have to buy a computer in order to use a card. Or would the smart card reader also have USB OTG, USB type C, and Lightning plugs for use with an iPhone, Android phone, iPad, or Android tablet?

Comment Can't pay with cash outside (Score 1) 342

European gas stations don't accept cash?

Soft drink vending machines have a slot to insert bank notes (also called a "bill acceptor"). So do self checkout machines at the grocery store, change machines at the coin laundry, and fareboxes on the bus. But none of the petrol pumps I've seen has a bill acceptor.

Comment And get rate-limited by Let's Encrypt (Score 2) 90

There's no reason for skimping on your web server anymore, encryption is easy and even crappy virtual machines can serve up HTTPS without issue.

One reason is that your web server is private, and you don't own a domain.

In order to set up HTTPS traffic to a home router, printer, or NAS, its owner would first have to acquire a domain and a certificate for said device. But as I understand it, most providers of dynamic DNS on a subdomain without charge still aren't in the Public Suffix List. And if the domain in which your subdomain is registered hasn't completed the process to be added to the Public Suffix List, and 20 other customers on the same subdomain have already obtained a certificate from Let's Encrypt in the past week, Let's Encrypt will refuse to issue you a certificate on rate limit grounds. This means that even if you do buy a router, printer, and NAS with Let's Encrypt integration, you'll need to buy a domain for your home LAN and continue to renew it.
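An added example (mine, not from the comment above or from Let's Encrypt's code) of why Public Suffix List membership decides who shares the rate limit: the registered domain is one label below the longest matching public suffix, and Let's Encrypt counts certificates per registered domain. The suffix list, the provider name dyn.example, the hostnames and the issuance log are all constructed; the 20-per-week figure is the one the comment cites, and the model ignores the separate renewal exemption real Let's Encrypt applies.

```python
from datetime import datetime, timedelta

# Constructed miniature Public Suffix List. Only the ICANN-style entries are
# present in the first set; the second adds the hypothetical dyndns provider.
PSL_WITHOUT_PROVIDER = {"example", "co.example"}
PSL_WITH_PROVIDER = PSL_WITHOUT_PROVIDER | {"dyn.example"}

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 20  # limit quoted in the comment above


def registered_domain(hostname: str, psl: set[str]) -> str:
    """Registered domain = longest matching public suffix plus one label.
    With no matching entry the PSL's default rule treats the TLD as the
    suffix, so the last two labels are returned."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return hostname if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def certs_in_window(target: str, issued, now: datetime, psl: set[str]) -> int:
    """Count issuance-log entries in the last 7 days whose registered domain
    (under the given PSL) is `target`."""
    window_start = now - timedelta(days=7)
    return sum(1 for host, when in issued
               if when > window_start and registered_domain(host, psl) == target)


def would_be_rate_limited(hostname: str, issued, now: datetime, psl: set[str],
                          limit: int = CERTS_PER_REGISTERED_DOMAIN_PER_WEEK) -> bool:
    """True if issuing for `hostname` would exceed the per-registered-domain limit."""
    target = registered_domain(hostname, psl)
    return certs_in_window(target, issued, now, psl) >= limit


# Constructed issuance log: 20 other subscribers on the same free dyndns
# domain all got a certificate within the past six days.
NOW = datetime(2017, 6, 1)
ISSUED_THIS_WEEK = [(f"customer{i}.dyn.example", NOW - timedelta(days=i % 6))
                    for i in range(20)]

if __name__ == "__main__":
    for psl, label in ((PSL_WITHOUT_PROVIDER, "provider NOT in PSL"),
                       (PSL_WITH_PROVIDER, "provider in PSL")):
        limited = would_be_rate_limited("router.dyn.example", ISSUED_THIS_WEEK, NOW, psl)
        print(f"{label}: router.dyn.example limited = {limited}")
    print("own domain:", would_be_rate_limited("nas.myhome.example", ISSUED_THIS_WEEK, NOW,
                                               PSL_WITHOUT_PROVIDER))
```

The only difference between the limited and unlimited runs is the single PSL entry for the provider; the subscriber's own configuration is identical, which is why buying a domain (or waiting for the provider to be listed) is the workaround the comment arrives at.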

