Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:Also in the news (Score 1) 238

It is true on the consumer side, they try at least to follow the minimal requirements to be a good Windows application. the business world on the other side is awful. Applications that don't work if you install on Program Files, that you need to add write permissions to the installation directory, or that need read write permissions on server shares. This is too common on small business targeted applications that I have lost count on the ones I have seen.

A lot of Windows developers have no idea what %appdata% and %localappdata% are (and related directories with user write permissions.

Comment Re:How is this better than "phone app" 2FA (Score 3, Informative) 162

First, the app name is Google Authenticator. Second, it works with more that Gmail, I have my DNS provider, my GitHub and GitLab accounts, my Google accounts, my corporate accounts, etc all inside that application. It works on more that one site because they all support TOTP, an open algorithm, that is what the app, and many other alternatives like FreeOTP.

About what is better is the USB device that an application? The keys are stored on the device, and good devices are designed so keys are unreadable outside of it, only the generated code. Applications are vulnerable to malware on the device running it. The device ideally is less vulnerable of malware, it will be able to intercept current generated codes, but not extract the keys and generate codes themselves (unless the firmware is too buggy that it exposes the keys to the host device)

Comment Re:J2EE? (Score 4, Informative) 57

The invoker servlet and its default mapping /servlet/* isn't present in old nor current specs. It is not a JEE standard or was. It was a feature many JEE containers copied mainly because Tomcat at that time was the reference implementation (The invoker servlet class was on the tomcat package namespace not on the javax.servet one) , a very bad idea. It is not present in modern containers.

Since 2002 is known that having it enabled was a bad idea. But you know, enterprise software is badly updated.

Comment Re:Is there any expectation of security? (Score 1) 48

Well, if you send a long URL, that by being long is very difficult to guess, and Twitter convert it to something so small that can be crawled, It is some kind of sharing. They should not be shorting URLs sent as direct messages, as this vulnerability shows, they are breaking the security of the long URL by shortening it.

I am not saying the Google is sharing anything. They give you a long URL that you can send to people you trust, then Twitter shorten it and that short URL can be crawled easily, au contraire of Google URL that is long enough to be treated like a password like authentication.

Slashdot Top Deals

I haven't lost my mind -- it's backed up on tape somewhere.