
Comment Non-sequitur (Score 4, Insightful) 142

The recommendation doesn't make sense. Yes, your phone may not always be in your possession. That would rule out software authenticators too, since they reside on the same phone that may not always be in your possession. Even dedicated hardware tokens may not always be in your possession; they can be lost or stolen just like a phone. So if not being always in your possession is the criterion, then all of the NIST's recommended methods fail to meet it.

As for VoIP lines, yes, they can be intercepted. They do, however, share one characteristic with cell-phone lines: they don't normally share a path with the network connection being authenticated, except possibly at the user's ISP and computer (if the VoIP line terminates on their computer as opposed to their cell phone). That limits the ability of a single attacker to intercept and alter both paths, which is the central facet of what 2FA does.

Ultimately the only secure 2FA is a dedicated hardware token that requires biometric authentication to function. Anything less than that is insecure, the question being merely whether the insecurity reaches the point of being unacceptable.

Comment Re:Seen it a hundred times at least. (Score 4, Insightful) 77

Or it may be related to the reliability of recovering from backups. Backups are intended to recover from catastrophic failures, not mere accidental deletion of messages, so recovery of any particular message can be problematic. Even if the message was stored long enough to be caught in a backup, incremental backups mean it may take searching a month's worth of backups to find the exact one that backed up that message. Fail to scan a large enough range and you won't find the message even if it's backed up. If the message was received and then deleted before the next backup run, then it may not be on any backup, and there's no way to distinguish not finding it because it wasn't backed up from not finding it because you didn't search the right set of backups. Explaining all that to ordinary users is all but impossible, so from a service-level standpoint it makes more sense to not bring backups up at all and simply say "If you deleted it, we can't recover it." That, users can comprehend even if they don't agree with it.

A request from a court for discovery is a completely different matter, not limited by the service level provided to users, so it makes sense that Yahoo may be able to produce a message in response to a discovery request that it won't recover in response to a user request, simply because they don't want to argue with every user whose message never made it into a backup or who wants them to go back through 5 years' worth of backups to find it.

Comment Re:The bottom line (Score 1) 269

Flywheel storage. Pretty much the equivalent of the pumped-water storage used in conjunction with hydroelectric plants. Use excess power to spin up the flywheels; use the flywheels to drive generators when you've a power deficit to make up. The companies who make diesel locomotives have lots of experience with the basic motor-generator tech needed.

Comment Employer's terms, employer's choice (Score 1) 765

It was the employer that wrote the at-will terms into the agreement. If they don't like their own terms, Not My Problem. For me it depends on two things: how satisfied or annoyed I am at my current position, and how anxious the new position is to have me start. If I'm relatively happy with my managers and co-workers and it's just that the new position's offering me better pay or different work, I'm going to push for 2 weeks' notice before I start the new position just out of courtesy. If my current employer's willing to write a certain amount of notice to me into the agreement (i.e. they won't let me go without at least X weeks' notice), I'm definitely going to insist on giving at least that much notice before leaving. OTOH, if my current employer insists on being able to let people go at any time for any reason with no notice, I'm going to be less than insistent on giving them notice. If I'm annoyed with them, and especially if the new position wants me right away, I'm not going to lose any sleep about giving them exactly as much notice as they give employees being let go (that is, none at all). The only consideration for me will be making the departure clean on my side: all my personal stuff cleared out, company data on my workstation safely backed up where my manager knows to find it if they need it, sensitive information that the company doesn't need (e.g. passwords to linked-directly-to-me accounts needed for work, SSH/SSL/X.509 private keys) wiped, etc.

If an employer has a problem with that, I suggest they review the idea that I'll grant them exactly the consideration they grant employees. If they don't consider their terms acceptable, it's entirely within their power to change them. If they expect me to grant them consideration without granting anything in return, I refer them to the acronym "TANSTAAFL".

Comment Service processor (Score 1) 245

It's a service processor. No big deal in itself; we had them as far back as mainframes go. The VAX-11/780 I worked on/with in college in the early 80s had a small PDP-11 (an LSI-11/23) in the bottom as a service processor. I'd be more worried about a much more direct avenue of attack: microcode updates. Every Windows system and most Linux boxes include the packages to take the latest firmware updates from Intel and AMD and download them into the CPU during system boot. If Intel wants to put something malicious into the chip, all it has to do is issue a firmware update with it and it'll get near-100% coverage. If a bad guy has the keys to sign an IME binary, they also have the keys to sign a firmware update.

Comment More likely idea: unbalanced and violent (Score 1, Troll) 404

More likely than "radicalization" is that he was simply someone with mental problems and a history of spousal abuse and violent behavior who bought into the current rhetoric (originating from Trump, Cruz, Limbaugh and other extreme right-wing sources) against the LGBT community. In his eyes it gave him an excuse to do what he wanted to do, and now we have to clean up the mess.

Comment Re:FrAgile (Score 1) 145

The problem is that in waterfall both the requirements and the timeframes are set by product owners and sales, with developer estimates of the time needed being ignored. Which is what results in developers getting fed up and deciding that "I'm willing to be accountable for meeting my estimates; meeting your estimates is your problem."

As far as having no product vision or plan, the reality is that you can have a very solid product vision and plan and it'll still turn out part-way through that your customers simply don't want what you envisioned and planned on, and you're going to have to change your vision and plan. That's what usually causes requirements changes, and the business has to react to that because there's no future for a business selling something the customer doesn't want to buy.

Comment Who thought it was ever a good idea (Score 4, Insightful) 132

I want to know who at Tinder thought it was a good idea to allow that age range any access at all in the first place. I know why they thought it was, but I can't imagine the idea ever ending well no matter what restrictions were placed on it (at least as far as the law's concerned, anyway; I'm sure the kids thought it was a dandy idea, but they don't get a say in that).

Comment PasswordSafe (Score 1) 637

I delegate creating passwords to PasswordSafe. The current standard policy is 15 characters, requiring at least 2 lowercase letters, 1 uppercase letter, and at least 1 symbol. The password database is backed up and available to my devices via a server I control. I've been steadily increasing the password length as hardware improves.
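The policy in the comment above (15 characters, at least 2 lowercase, 1 uppercase, 1 symbol) as a generator and checker; this is an added example, not PasswordSafe's own code, and the symbol set, the inclusion of digits in the alphabet, and the function names are assumptions.

```python
import math
import secrets
import string

# Policy from the comment: 15 characters, >= 2 lowercase, >= 1 uppercase, >= 1 symbol.
LENGTH = 15
MIN_LOWER = 2
MIN_UPPER = 1
MIN_SYMBOL = 1
# Assumed symbol set; PasswordSafe's configurable set may differ.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
# Digits are assumed to be allowed even though the policy sets no minimum for them.
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(pw, length=LENGTH, min_lower=MIN_LOWER,
                 min_upper=MIN_UPPER, min_symbol=MIN_SYMBOL):
    """Return True when pw has exactly `length` chars and meets every class minimum."""
    if len(pw) != length or any(c not in ALPHABET for c in pw):
        return False
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    symbol = sum(c in SYMBOLS for c in pw)
    return lower >= min_lower and upper >= min_upper and symbol >= min_symbol


def generate(length=LENGTH, min_lower=MIN_LOWER,
             min_upper=MIN_UPPER, min_symbol=MIN_SYMBOL):
    """Rejection sampling with the CSPRNG-backed `secrets` module.

    Drawing uniformly from ALPHABET and discarding non-compliant strings keeps the
    result uniform over all compliant strings; "pick one of each class, then shuffle"
    would skew the distribution and is why a checker, not a fixer, is used here.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, length, min_lower, min_upper, min_symbol):
            return pw


def entropy_bits(length=LENGTH, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy for a uniform draw of `length` symbols.

    Rejecting non-compliant strings removes a tiny fraction of the space, so the
    true figure is marginally lower; this is the number that grows as the comment's
    author lengthens passwords over time (about 6.46 bits per added character here).
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate()
    print(pw, meets_policy(pw), round(entropy_bits(), 1))
```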

Comment HTTPS is that hard to do? (Score 1, Interesting) 96

I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

Comment Coding, or programming? (Score 5, Insightful) 515

I learned to code first in classes in high school (BASIC, FORTRAN, COBOL, Pascal) and then by reading the relevant books or documentation (C, C++, Lisp, Icon, Java, C#, Perl, Python, Ruby, PHP, JavaScript et al.).

The more interesting question is where developers first learned to program (a completely different skill from coding). IMO we don't need to teach children to code; we need to teach them to program. Which means first teaching them to approach problems logically and analytically, which is going to cause the loss of about 75% (my guesstimate) of the educational establishment when they can't deal with students who know how to analyze material, do independent research, and call teachers on incorrect classroom material.

Comment Not user-posted content at issue here (Score 5, Insightful) 383

The liability isn't being created by user-posted content in this case. It stems from the site actually knowing about the actions of some users and failing to give notice when it could foresee that that failure would put other users at risk. It's the same principle that says that if I know of a danger on my property and fail to post notice of it or take steps to keep people out, I'm liable if someone gets hurt by it. Section 230 never comes into play.
