
Comment User Interface Hell (Score 2) 383

The user interfaces for different platforms have to be different. Otherwise you end up with Skype 7.x, where we have a UI on the desktop which has been designed for a smartphone.

Low pointing accuracy on smartphones means large targets and huge icons. Short conversations on smartphones means lots of space wasted on speech bubbles. Likely content on smartphones means emojis pop up when you're sharing code snippets, making them unreadable. Restricted input methods on smartphones means ignoring platform conventions like Ctrl+B for bold text.

Conversely, try getting the 3DS Max 2017 UI onto a smart watch. Regardless of compatibility, it's simply impossible.

Submission + - Ask Slashdot: Is there a use for a smart wall clock that displays notifications? 8

ne0phyte73 writes: There seems to be a new “smart” device every week, but the Glance Clock is a smart wall clock focused on presenting information as you need it. But beyond notifications, what else is it good for?

Here is how Techcrunch describes a couple of features: "The Glance Clock lets you wirelessly humblebrag by displaying fitness goals of you and your frenemies on the same clock face. Before heading out, you also can conveniently check the weather."

Glance says that they have an open API, so it can be connected almost to anything directly or via IFTTT. Other than a normal consumer, how else would you use it?

Comment Re:Why not a password hasher? (Score 1) 134

One issue I see with your hash is using it for sites that have piss poor password policies such as your password can't be over X characters long, or it has to contain letter, number, and limited list of symbols, etc. Your hash could possibly not match the requirements. What do you do in this case?

The final step of the hashing algorithm maps the resulting hash into a character string. The algorithm allows you to customise this mapping to use only a given subset of characters, or given length. Using this feature will require you to store this metadata in your state file, because you rarely get reminded of these password limitations at login, only at registration. Fortunately these sites are rare; the default policy of 8 characters with alpha + numeric + special – and the algorithm makes sure you have at least one of each – works fine for almost all sites.

I encourage you to download and try one of the implementations. The two I mentioned earlier implement the same algorithm, as does a Firefox version and a portable Javascript version.

Comment Re:Why not a password hasher? (Score 1) 134

With the first option, you introduce the need for some state information that you need to store and forever be able to retrieve (and possibly sync between your other devices). You now need a persistent database and you've lost any advantage over just encrypting random passphrases.

Well, maybe. But this state is not highly confidential so you can for example let Chrome store it in the cloud. In practice the number of times a password change is required is small (at least for me), so you can either brute force it (bump until you find the right password) or reset your password if this happens.

The second option starts to move you away from the simplicity of having a single passphrase to remember and eventually leads to just as complicated a situation as just memorizing different passwords for different sites. What happens as the list of compromised accounts increases and some accounts are compromised a different number of times?

Again I see your point. But I've used this system for close to a decade now and I'm only using two master passwords so far. How many passwords have you memorised in the last ten years?

I should emphasise that I wouldn't recommend using this system for everything. I have a completely different set of passwords for banking, and servers I administer, and certain other high-security things. But for general web things I access from home and work, desktop and mobile, coffee shop and library, it works really well and addresses all of the real life threat scenarios I care about. Even if I have to register a throwaway account for a throwaway website, I can still give it a real, strong password that I can recover any time later, even if I don't remember registering for that site. (For full disclosure, the only time the algorithm actually fails is when a site keeps its user database but changes its domain. Then I'll have to remember to update the site tag to the old domain.)

Comment Re:Why not a password hasher? (Score 1) 134

Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.

No, you have at least two options:

1. Change the site tag. For example, on the Password Hasher Chrome extension, you can hit the "Bump" button which replaces "slashdot" with "slashdot:1" and gives you a new unique password. The new tag gets stored in the extension settings. I don't use this but it works, and would be good for sites that actually require periodic password updates.

2. Change your master password for that site only. I use a completely different master password for the two or three sites which I know may have been compromised. It's not hard to remember which ones these are.

Comment Re:Why not a password hasher? (Score 1) 134

True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm.

Exactly the same as an offline password manager, so no benefit.

Right, compared to an offline password manager there's no security benefit. I use KeepassX for a few high-security things like financial accounts, but find offline password managers much less convenient for everyday stuff. With a password hasher you can use a JavaScript version from anywhere. (Yes, keyloggers would be an issue. And I host my own copy to make sure it's not backdoored.)

Except this file does not need to be secure in any way.

It does. If someone has your salt and the URL of the site, and say that site gets compromised

...or they are the site owner...

so they have the hash of your hash too. Now they can brute force your master password, and then get into every other site you used it with, and your file has a handy list of URLs where it will work.

First of all, in practice I don't back up the settings file anywhere, as almost all sites work fine with the default settings and the ones that don't I either remember or just reset the password for if required.

Having said that, your point is valid but not an actual concern for me. If someone wanted to waste lots of CPU power brute forcing my (long, random, high security) master password, they probably could do so. But just never reusing passwords is generally enough to limit the damage of the inevitable database leaks and hacks, which is the actual, realistic threat we're dealing with here. Never using the same password twice is the most important protective measure you can take, and hashing is, imho, the most frictionless way to do it.

You could also choose to limit any potential damage by having a few master passwords for different classes of websites.

Comment Re:Why not a password hasher? (Score 1) 134

If an attacker steals your master password they still get everything.

True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm. Obviously keeping this one master password safe is extra important, but as you only need to remember one, you can probably afford to give it a bit more entropy.

Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.

Except this file does not need to be secure in any way.

Comment Why not a password hasher? (Score 4, Interesting) 134

Password managers seem like an inherently terrible idea, particularly online ones.

Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.
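The scheme sketched in this post (master password plus a site tag, hashed into a password), together with the character-class mapping described in the "final step of the hashing algorithm" reply and the "Bump" site tag from the other reply, as an added worked example in Python. This is illustrative code written for this page, not the Password Hasher extension's algorithm or any implementation mentioned in the thread: the tag normalisation rule, the use of PBKDF2 as the one-way step, the special-character set, the iteration count and the rule for guaranteeing one character per class are all assumptions made here.

```python
"""Illustrative password hasher: master password + site tag -> site password.
Added example for this page; NOT the algorithm of the Password Hasher
extension or any implementation named in the thread. Every parameter
below (alphabet, work factor, tag rule, class-guarantee rule) is an assumption."""
import hashlib
import string
from typing import Callable, Sequence

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"      # assumed set of "special" characters
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ITERATIONS = 100_000                      # assumed PBKDF2 work factor


def site_tag(site: str, bump: int = 0) -> str:
    """Normalise a pasted URL or host into the tag mixed into the hash.
    Keeps the last two labels (assumption: no public-suffix handling), so
    www.example.com and login.example.com share one password. A non-zero
    bump yields a fresh password for the same site, e.g. "example.com:1"."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    labels = [label for label in host.split(".") if label]
    if len(labels) > 2:
        labels = labels[-2:]
    tag = ".".join(labels)
    return f"{tag}:{bump}" if bump else tag


def derive(master: str, tag: str) -> bytes:
    """One-way step. A slow KDF instead of a bare hash raises the cost of the
    offline brute-force scenario raised in the thread: an attacker holding one
    leaked site password and its tag pays ITERATIONS hashes per master guess."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), tag.encode(),
                               ITERATIONS, dklen=32)


def _picker(seed: bytes) -> Callable[[int], int]:
    """Return pick(n): a deterministic, unbiased index in [0, n), expanded
    from seed with SHA-256 in counter mode and rejection sampling."""
    def bytestream():
        counter = 0
        while True:
            yield from hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
            counter += 1
    stream = bytestream()

    def pick(n: int) -> int:
        limit = 256 - (256 % n)          # reject bytes that would bias the modulo
        while True:
            b = next(stream)
            if b < limit:
                return b % n
    return pick


def to_password(raw: bytes, length: int = 8,
                classes: Sequence[str] = DEFAULT_CLASSES) -> str:
    """Map hash bytes onto the union of `classes`, then guarantee at least one
    character from every class by pinning positions. Narrow `classes` and
    `length` for sites whose policy forbids symbols or caps the length."""
    if length < len(classes):
        raise ValueError("length too short to hold one char of every class")
    alphabet = "".join(classes)
    pick = _picker(raw)
    chars = [alphabet[pick(len(alphabet))] for _ in range(length)]
    pinned = set()                       # slots already fixed for a class
    while True:
        missing = [c for c in classes if not any(ch in c for ch in chars)]
        if not missing:
            return "".join(chars)
        free = [i for i in range(length) if i not in pinned]
        pos = free[pick(len(free))]      # never overwrite a pinned slot
        chars[pos] = missing[0][pick(len(missing[0]))]
        pinned.add(pos)


def site_password(master: str, site: str, bump: int = 0, length: int = 8,
                  classes: Sequence[str] = DEFAULT_CLASSES) -> str:
    """Full pipeline: tag -> slow hash -> policy-conforming password."""
    return to_password(derive(master, site_tag(site, bump)), length, classes)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master password
    print(site_password(master, "https://slashdot.org/story/1"))
    print(site_password(master, "slashdot.org", bump=1))          # after a breach
    print(site_password(master, "legacy-bank.example",           # restrictive policy
                        length=12, classes=(LOWER, DIGITS)))
```

Note what becomes state: the default call needs nothing stored, but any non-default bump, length or class set for a site has to be remembered or written down, which is exactly the "state file" the replies argue about. Nothing in that file is secret in the sense of revealing the master password, but as the thread points out it does list where the derived passwords work, and a leaked site password plus its tag is enough to start an offline guess at the master, which is why the one-way step here is deliberately slow.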

Biotech

Theranos Faces Congressional Inquiry Over Faulty Blood Tests (techcrunch.com) 186

An anonymous reader writes: The U.S. House of Representatives sent a letter to blood analysis startup Theranos asking for them to explain their failure in providing accurate results to patients using its proprietary blood test technology. The company has faced serious backlash after government and regulatory agencies questioned the results of their proprietary 'Edison' machine, that the company claimed could detect hundreds of diseases using a single drop of blood. Not only have the feds proposed banning founder and CEO Elizabeth Holmes and the company president Sunny Balwani from the blood-testing business for two years, but Holmes' net worth has been cut from $4.5 billion to zero. Most recently, Walgreens decided to cut ties with the company. House Democrats Frank Pallone, Gene Green and Diana DeGette sent the letter on June 30th, asking Holmes to explain what went wrong, what steps the company is taking to help medical professionals and patients who might have been affected by the manipulated results, and how Theranos plans to comply with regulators. "Given Theranos' disregard for patient safety and its failure to immediately address concerns by federal regulators, we write to request more information about how company policies permitted systemic violations of federal law," reads the letter. Theranos says it plans to clear things up with these lawmakers.

Comment Skype UI also fails UI design 101 (Score 1) 224

One of the most common requests on the Skype community forums over the last year and a half is some (any!) basic configuration options for the UI.

There's no way to get a properly compact view, there's no way to set the color of the bubbles, and the support for high-DPI screens is abysmal.

In fact, once I started looking into it, I found a whole batch of UI problems with the new "improved" 7.0 UI, which I shared on the forums and then gathered into a handy blog post:

Skype 7.0 - A new entry for the User Interface Hall of Shame?
http://www.moteprime.org/artic...

The 7.0 UI feedback thread is the longest one on the community forums, and can be found here:
https://community.skype.com/t5...

Movies

Netflix Enables Streaming Quality Control To Rein In Mobile Data Usage (hothardware.com) 69

MojoKid writes from a report on HotHardware: Netflix wants to put users in control of their mobile data usage when it comes to its iOS and Android apps. Up until today, Netflix held all the cards and adjusted video quality settings on its end (and how much cellular data was consumed) when users were on a cellular connection. Now, Netflix is opening up user-selectable settings that allow you to sip data (at the expense of video quality of course) or gulp it down if you're one of the few with an unlimited data plan. Making the adjustment is as simple as navigating to App Settings and then selecting Cellular Data Usage. From there, you will be able to select from Automatic (Default), Low, Medium, High, or Unlimited options. If you're on a Wi-Fi connection, these quality settings are disabled altogether.

Comment Starwisp (Score 4, Interesting) 381

Something like this was proposed many years ago by Robert L. Forward, called Starwisp. See https://en.wikipedia.org/wiki/... for details.

The probe would be very light but extended, like a cobweb. Tiny processor/sensor nodes would exist where the wires touched. Some nodes and web filaments would undoubtedly be destroyed by dust collisions en route, but would be multiply redundant. On arrival, the probe would be tattered and torn but still functional.
