Comment Why would it reduce churn? (Score 1) 78

I just signed up for Disney+ & Hulu this month. My family made a list of the shows that have ended their seasons and that we want to watch. When we get through the list we'll cancel the service. One day when the list grows again we'll subscribe again. I don't see a reason to keep subscribing perpetually; it's not an essential item/service.

Comment Re:Simple: No Internet for children (Score 2) 80

I often wonder about this. If we don't teach our children about the dangers of the internet, aren't we just doing them a disservice that'll cause them harm later when they reach the age to have unrestricted access?

Is that the reason the age is being bumped from 13 to 16; are 14 year-olds struggling because they were never taught this?

I've had conversations with my kids (12 & 13) about how everything on the internet is permanent; assume your school teachers/principal/future employer will see mean things you say to others or posts, and expect everyone will see embarrassing pictures of dumb things you've done. I've talked to them about online predators (phrased similarly to the old "don't talk to strangers" that I was taught as a kid). I've talked to them about harmful downloads (RATs/spyware) and phishing. I've allowed them to learn some hard lessons about not getting homework done because they spent too much time online (ex: "No, you can't stay up late to finish your homework. Explain to your teacher why you were chatting with friends and couldn't finish your work."). These, and other lessons, are important for kids to learn.

Parents who have taught their kids similar things, what did you teach them?

Comment Time to do some more age verification for my kids (Score 1) 80

I police my kids when they're online. There are some online services I want my kids to be able to use. Service providers have suspended their accounts a couple of times due to their age. It's frustrating to need to add my personal info (age/credit card) to their accounts so they can use what I want them to use.

Example: We have a domain used to host our family email. It's hosted with Google Workspace. Google has terminated an account, on my domain, due to age restrictions.

Comment Re:Oh just great (Score 1) 34

I was thinking about Cloudflare. They support 2FA with security keys, so that's a plus to me. But it's a bit creepy how easily they can MitM HTTPS connections[1]. Is there something simple that can be done to prevent them intercepting all my data, even if that 'Proxied' switch is accidentally enabled?

[1] I'm aware it is a "feature", but I consider it a risk for some sites too.

Comment Re:F off github (Score 1) 171

Client certificates are still used in enterprises. There are a few downsides though:

1. Prior to TLS 1.3, client certificates were sent in the clear. Anyone watching the TLS handshake could know exactly who was using a site. TOTP/HOTP/WebAuthn have always happened after the TLS session was established, preventing this eavesdropping. This isn't a big deal for enterprise uses, but can be unwanted to users who are expecting privacy.

2. Client certificates can easily be stolen by malware on OSs that provide no isolation between user apps. If the browser running under a user's account can access the client certificate, so can malware. Most phone OSs have strong isolation between apps, and WebAuthn tokens typically require a user's touch, so the tokens are more inaccessible to malware. However, TOTP/HOTP/WebAuthn are not without their own weakness here too; malware can steal the browser's cookies on OSs that don't provide isolation between user apps.

Outlawing all USB would be difficult. Most computers rely on USB for keyboard/mouse. Most OSs today provide enterprises with a way to list the USB device classes that are allowed to be connected. Anything not listed (USB storage, for example) should be blocked by the OS.

Comment Re:I can't believe people _aren't_ using 2FA (Score 1) 171

And a yubikey is unique, so unless you have one for every single place you need 2FA it connects all those places together deanonymizing you.

When used as a FIDO token, there is still not a globally unique identifier. https://fidoalliance.org/fido-...
"FIDO technical specifications state that a FIDO device must not have a global identifier visible across websites, which prevents unwanted and unexpected re-identification of a FIDO user"
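The spec text quoted above is easier to see in code. What follows is an added, constructed model (not any vendor's firmware, not part of the original comment) of a stateless FIDO-style authenticator: one device secret, and a fresh credential minted per relying party with nothing in it that identifies the device. The `Authenticator` class, its method names, the `AAGUID` placeholder and the hash standing in for a real public key are all assumptions for the illustration.

```python
"""Added example, constructed: a stateless FIDO-style authenticator that holds
one device secret and mints a fresh, unlinkable credential per relying party.
Modelled on how stateless U2F-style key handles work; not any vendor's code.
The AAGUID value, the Authenticator API and the hash used as a stand-in for a
real public key are assumptions made for this illustration."""
import hashlib
import hmac
import os

# A model identifier shared by every unit of a product line is the only
# identifier a FIDO device exposes across sites; placeholder value assumed here.
AAGUID = b"\x00" * 16


def public_key_from_seed(key_seed: bytes) -> bytes:
    """Stand-in for deriving a public key from a private key seed."""
    return hashlib.sha256(b"pub|" + key_seed).digest()


class Authenticator:
    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # never leaves the device

    def _derive(self, rp_id: str, nonce: bytes) -> tuple:
        """Per-credential key seed and integrity tag, both bound to rp_id."""
        material = rp_id.encode() + b"|" + nonce
        key_seed = hmac.new(self._secret, b"key|" + material, hashlib.sha256).digest()
        tag = hmac.new(self._secret, b"tag|" + material, hashlib.sha256).digest()[:16]
        return key_seed, tag

    def make_credential(self, rp_id: str) -> tuple:
        """Registration: returns (credential_id, public_key).  The device stores
        nothing; the RP stores both.  The credential ID is a random nonce plus a
        MAC, so it carries no device identifier and differs per RP and per
        registration."""
        nonce = os.urandom(16)
        key_seed, tag = self._derive(rp_id, nonce)
        return nonce + tag, public_key_from_seed(key_seed)

    def recover_key_seed(self, rp_id: str, credential_id: bytes):
        """Authentication: rebuild the signing key from the credential ID, but
        only if the tag proves this credential was minted by this device for
        this rp_id.  Any other site (or any other device) gets None."""
        nonce, tag = credential_id[:16], credential_id[16:]
        key_seed, expected_tag = self._derive(rp_id, nonce)
        if not hmac.compare_digest(tag, expected_tag):
            return None
        return key_seed


if __name__ == "__main__":
    device = Authenticator(os.urandom(32))
    cred_bank, pk_bank = device.make_credential("bank.example")
    cred_shop, pk_shop = device.make_credential("shop.example")
    print("bank credential:", cred_bank.hex())
    print("shop credential:", cred_shop.hex())
    print("shop presenting bank's credential ->", device.recover_key_seed("shop.example", cred_bank))
```

Two sites comparing the credential IDs and public keys they hold see only independent random-looking values; the one thing they could match is the AAGUID, which every unit of the same model shares.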

Comment No surprise here (Score 1) 10

The article doesn't say, but was Twilio using TOTP codes? This is a known weakness with TOTP codes.
https://en.wikipedia.org/wiki/...

Not every user is careful about checking they're on the correct site before entering their credentials. And I doubt any amount of education will solve this. Probably shouldn't be using these TOTP-based methods in environments like Twilio. There are other 2FA solutions that avoid this problem.
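The weakness the comment refers to, side by side with the origin-bound alternative, as an added example that is not part of the original comment or of Twilio's systems. Everything in it is constructed: the TOTP secret (the RFC 6238 test-vector key), the origins bank.example and evil.example, and an HMAC used as a stand-in for the authenticator's ECDSA signature. The relying-party checks follow the order the WebAuthn spec lists them in.

```python
"""Added example: why a phished TOTP code can be replayed but a phished
WebAuthn assertion cannot.  Constructed throughout: the TOTP secret, the
origins bank.example / evil.example, and an HMAC used as a stand-in for the
authenticator's ECDSA signature.  Not code from Twilio or any vendor."""
import base64
import hashlib
import hmac
import json
import struct

STEP = 30  # RFC 6238 time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Typical server-side check: the current step plus or minus `skew` steps."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * STEP), code)
               for k in range(-skew, skew + 1))


def relayed_totp_is_accepted(secret: bytes, unix_time: int, relay_delay: int = 5) -> bool:
    """The victim types the code into the phishing page; the attacker forwards it
    to the real site `relay_delay` seconds later.  Nothing in a TOTP code says
    which site it was meant for, so the real site accepts it."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    return server_accepts_totp(secret, code_typed_on_phishing_page, unix_time + relay_delay)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(device_key: bytes, rp_id: str, page_origin: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page script,
    writes the page's origin into clientDataJSON and the rpId hash into
    authenticatorData, and the device signs over both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(device_key, signed, hashlib.sha256).digest()  # ECDSA stand-in
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(device_key: bytes, assertion: dict, expected_origin: str,
                        expected_rp_id: str, challenge: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the
    signature over authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(challenge):
        return False
    if client_data.get("origin") != expected_origin:
        return False  # a relayed assertion fails here
    if assertion["authenticatorData"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_webauthn_is_accepted(device_key: bytes, challenge: bytes) -> bool:
    assertion = browser_get_assertion(device_key, "bank.example", "https://bank.example", challenge)
    return rp_verify_assertion(device_key, assertion, "https://bank.example", "bank.example", challenge)


def relayed_webauthn_is_accepted(device_key: bytes, challenge: bytes) -> bool:
    """The attacker's proxy at evil.example forwards the real site's challenge to
    the victim.  A real browser would already refuse rpId bank.example from an
    evil.example page; even if it did not, the origin check rejects the result."""
    assertion = browser_get_assertion(device_key, "bank.example", "https://evil.example", challenge)
    return rp_verify_assertion(device_key, assertion, "https://bank.example", "bank.example", challenge)


if __name__ == "__main__":
    secret, key, challenge = b"12345678901234567890", b"K" * 32, b"C" * 32
    print("relayed TOTP accepted:    ", relayed_totp_is_accepted(secret, 1_700_000_000))  # True
    print("relayed WebAuthn accepted:", relayed_webauthn_is_accepted(key, challenge))      # False
```

The TOTP half passes because a code is only a function of the shared secret and the clock; the server has no way to tell which page the user typed it into. The WebAuthn half fails because the origin is written by the browser into data the device signs, so a proxy cannot alter it without invalidating the signature.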

Comment Re:USE THE APP STORE! (Score 1) 50

Besides gaming apps, what technical reason is there for apps to exist? To annoy you with notifications? To have a persistent ID on your device? To ask if you'll share location in return for auto-populating the nearest store? To collect your phone number?

Companies advertise their apps a lot. But people should be pushing back on them. Apps have more privileges than a web page. And with all the spam and malware it'd be good if folks just got in the habit of adding home screen icons for mobile-optimized web sites instead.
