
Comments


Yahoo DMARC Implementation Breaks Most Mailing Lists

Quick Reply Re:SPF.. (83 comments)

Currently, all mailing lists implementations break DMARC specs. At first glance it would appear that the Mailing List specs and the DMARC specs are incompatible with each other...

HOWEVER, There IS a way to be compliant with both specs.

The mailing list is just a transport agent of list messages, right? Well, it can also be the transport agent of how users' actual email addresses are handled, between their real email address and usernames that obfuscate their actual email address.

For example:
* User "Bob Smith" emails TESTLIST@DOMAIN.ORG

* Mailing List implementation on DOMAIN looks up "BOB.SMITH@YAHOO.COM" and determines his username to be "USER-ADF2S89T"

(more friendly usernames like "BOBSMITH-YAHOO" might also be possible if verified/allowed by the list owner, even "BOB.SMITH_AT_YAHOO.COM" could be his username if he has no intention of hiding his email address and is not scared of spam bots)

* Mailing List implementation on DOMAIN rewrites the message FROM and/or SENDER fields to "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" instead of his actual email address

* A mail transport agent is set up on MAILING-LIST-USERS.DOMAIN.ORG to forward any messages that are sent to USER-ADF2S89T to BOB.SMITH@YAHOO.COM so the author/sender are still contactable.

This is compliant with the Mailing List specs because "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" 'belongs' to Bob Smith (just in the same way that BOB.SMITH@YAHOO.COM 'belongs' to him too, even though he doesn't own YAHOO).

This will also have the following benefits:

- Actual email addresses are completely hidden from spam bots. This is huge. Mailing lists are a huge source of email addresses that spam bots like to harvest.

(It may be possible to have a web interface or mailing list -request command to reveal the user's actual email address - using a CAPTCHA if the requesting user is not trusted - so users can't hide behind their special address)

- List managers might like the option for users to be able to update to their new email address while keeping the same username(s).

(If users are representing their company, companies might like an option - maybe with the use of a TXT record on their domain - not to allow their users to do this so they can't keep 'representing' their company after they lose access to their company email address)

- This way DMARC can be freely implemented by everyone, including the mailing list server itself, so users can't spoof each other when posting to the mailing list, nor can they use their "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" address to send mail 'FROM' this address.

about two weeks ago
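The rewrite step the comment describes, as an added example in Python using only the standard library; this is not code from the comment or from any mailing-list package. The list and alias domains are the comment's own placeholders; the HMAC secret, the `testlist-bounces` envelope address and the sample message are constructed for the example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import formataddr, parseaddr

# Domains follow the comment's example; the secret is constructed and would
# be a real, persisted secret in a deployment.
LIST_DOMAIN = "domain.org"
ALIAS_DOMAIN = "mailing-list-users.domain.org"
ALIAS_SECRET = b"constructed-secret-change-me"

# Constructed sample post from a yahoo.com subscriber (the DKIM value is fake).
SAMPLE_MESSAGE = """\
From: Bob Smith <Bob.Smith@yahoo.com>
To: testlist@domain.org
Subject: Constructed sample post
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1; h=from:to:subject; b=AAAA

Hello list.
"""


def alias_localpart(address: str) -> str:
    """Stable, opaque local part for a subscriber (the "USER-ADF2S89T" idea).

    A keyed hash means harvesters cannot turn an alias back into the real
    address, so the reverse mapping has to be stored explicitly (directory).
    """
    addr = parseaddr(address)[1].strip().lower()
    tag = hmac.new(ALIAS_SECRET, addr.encode(), hashlib.sha256).hexdigest()[:8].upper()
    return f"USER-{tag}"


def rewrite_for_list(raw_message: str, directory: dict) -> str:
    """Rewrite From/Sender to the list-owned alias domain before redistribution.

    Afterwards the RFC 5322 From is under ALIAS_DOMAIN, so the list's own
    DKIM signature and SPF record align with it and the author's domain
    DMARC policy no longer applies to the relayed copy.
    """
    msg = message_from_string(raw_message)
    name, real_addr = parseaddr(msg["From"])
    alias = f"{alias_localpart(real_addr)}@{ALIAS_DOMAIN}"
    directory[alias.lower()] = real_addr.lower()  # used by the forwarding MTA

    msg["X-Original-From"] = msg["From"]          # provenance for archives
    del msg["From"]
    msg["From"] = formataddr((name, alias))
    del msg["Sender"]                              # no-op if absent
    msg["Sender"] = f"testlist-bounces@{LIST_DOMAIN}"
    # The author's DKIM signature covered the old From and is now invalid;
    # drop it and let the list sign the outgoing copy under its own domain.
    del msg["DKIM-Signature"]
    return msg.as_string()


def forward_target(alias_address: str, directory: dict):
    """Resolve an alias for the forwarding MTA; None means reject/bounce.

    Only aliases the list issued are forwarded, so the alias domain does not
    become an open relay that reaches arbitrary subscribers.
    """
    return directory.get(alias_address.strip().lower())


def demo() -> dict:
    """Run the rewrite over the constructed sample and return the results."""
    directory = {}
    out = rewrite_for_list(SAMPLE_MESSAGE, directory)
    m = message_from_string(out)
    new_from = parseaddr(m["From"])[1]
    return {
        "from": new_from,
        "display": m["From"],
        "orig": parseaddr(m["X-Original-From"])[1],
        "dkim": m["DKIM-Signature"],
        "target": forward_target(new_from, directory),
        "unknown": forward_target("user-00000000@" + ALIAS_DOMAIN, directory),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to keep in mind when doing this for real: the directory is the only way back from an alias to a person, so it has to be persisted and protected like any other subscriber list, and the alias domain itself needs its own SPF record and DKIM key (and can then publish a strict DMARC policy, since nothing but the list legitimately sends from it).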

Ask Slashdot: How Can I Prepare For the Theft of My Android Phone?

Quick Reply Re:Pretty easy. (374 comments)

And getting past the PIN? And how useful would an iPhone be without Wi-Fi/Cellular Internet connectivity?

You can't even restore the firmware without it verifying with Apple. Unless it is an old model that can be defeated offline, it would be more valuable for spare parts.

about a month and a half ago

Nokia Announces Nokia X Android Smartphone

Quick Reply Sounds like a Niche, not a future (105 comments)

An AOSP phone without Google Play, let alone Amazon App Store or any other established Android App Store, sounds like a Niche phone for programmers/hackers.

I suspect that it is designed to succeed the legendary Maemo operating system & N900/N9 phones rather than being a serious attempt to build a future operating system.

I expect that it will be highly prized among the hacker community, totally hacked to death with an onslaught of Linux-based operating systems including Ubuntu phone, Firefox OS, CyanogenMod, and Maemo itself. Maybe a few surprises with some left-field operating systems finding their way on there as well.

about 2 months ago

Ask Slashdot: Anti-Camera Device For Use In a Small Bus?

Quick Reply Isn't it obvious? (478 comments)

Just cover your head in tinfoil (hat shapes work best), and then they can take as many photos as they want but your brain waves remain safe.

about 2 months ago

12-Lead Clinical ECG Design Open Sourced; Supports Tablets, Too

Quick Reply WTFPL (134 comments)

I doubt this was written by a lawyer. This might be an impediment to being picked up by a serious project because they can't take the risk that the WTFPL doesn't actually mean anything from a legal perspective.

about 5 months ago

Chrome Will End XP Support in 2015; Firefox Has No Plans To Stop

Quick Reply No (257 comments)

Web developers have learnt from the past; there will never again be supported code that is dependent on a specific version.

Cross-compatibility and Browser Independence is a main focus that hasn't been in the past. Most websites are not locked into a particular browser, so there are more options if things go pear-shaped in a particular browser. If for example Firefox drops XP support and there is a bug with the old version, the customer can change to Chrome until another solution is put in place.

IE6 was the exception, because it was too difficult in many codebases to update it for compatibility beyond IE6 in the short term, for time(=money) reasons. As soon as the codebases were updated (or the solution replaced) to work beyond IE6, IE6 was kicked right out the door. IE6 didn't stay king because so many people loved that browser so much that they didn't want to change, it was because they HAD to keep using it for some reason. It is not uncommon for companies still relying on IE6 to have Firefox installed for general web browsing and IE6 only for the specific app they need. You can bet your ass they have retirement plans on how to eventually get off IE6 (& now also XP) altogether.

Unsupported code (eg: unmaintained websites) that won't work with new versions - Yes that is inevitable.

Supported code - No.
If it is a supported codebase - The web developer's solution would be to update it to work with the new version, not make it work with the old. If that means that it will break compatibility with the old version, then so be it, it is industry practice not to support unsupported software.

It's worth pointing out that Mozilla & Google are not supporting XP - They are supporting their browsers. If there is a problem in XP, they are not going to help you with it.

about 6 months ago

Open Rights Group International Says Virgin, Sky Blocking Innocent Sites

Quick Reply Re:BGP instead of DNS filtering makes more sense? (83 comments)

MitM is a Politically bad idea, not technical. If the proxy servers in the middle have enough bandwidth and resources, the performance could theoretically even be an improvement. I most certainly agree (from a Political perspective) it is a dangerously slippery slope.

From a technical perspective, it doesn't make the internet (banking, shopping, etc. or other HTTPS activity) any different, because a government/ISP MitM filter is no different to a malicious hacker MitM attack, which is already feasible. Also, I may be wrong about HTTPS, but I believe that the private SSL key would need to be installed on the MitM server; otherwise the MitM server would need to use a different certificate - a red flag - than the real server.

I wouldn't be surprised if government spying agencies are doing their own MitM attacks already on a BGP level, and in the case of HTTPS websites, compromise any private SSL keys they need to do it without detection.

about 6 months ago

LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

Quick Reply I think they are using the mobile apps (210 comments)

I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. I never authorise anything to use them; I keep it all on my personal. Sure enough LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I have hardly even used LinkedIn, much less with a work-related email account open (I hardly open them). The ONLY way they could have stolen it (that is the only thing running at the same time) would be a mobile app, either from my Android or iOS device. I have these work accounts set up permanently on these devices and, foolishly it seems, loaded the LinkedIn app.

Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.

about 7 months ago

Lord Blair Calls for Laws To Stop 'Principled' Leaking of State Secrets

Quick Reply I actually agree with him (395 comments)

Well Yes and No.
No - I don't agree that the subject matter that has been actually leaked was right for governments to have done in the first place. eg: The deliberate killing of innocent civilians in Iraq. That is wrong.

Yes - I do agree that leaking information is harmful to government and beneficial to enemies, because the enemies can use what the government did wrong as a recruiting tool to gain support against them. With all the negativity against governments having all this data, I would say that it is working pretty well for the enemies of the government.

Note - Being an enemy of the government doesn't necessarily mean you have done anything wrong; it just means that you don't agree with the government's actions. For example, the EFF is an enemy of the government, even though they are not doing anything wrong.

TL;DR - Governments should stop doing things wrong instead of hiding what they do wrong, because it is what they do in the first place that was leaked which is aiding the 'enemy' (anyone who disagrees with the government) recruit other people against the government (anyone who supports Leaking of coverups), rather than the act of leaking in itself.

about 8 months ago

Ask Slashdot: 4G Networking Advice For Large Outdoor Festival?

Quick Reply Why not WiFi (140 comments)

WiFi is going to be cheaper.

about 8 months ago

City of Johannesburg Leaks Personal Bills Online, Threatens Flaw Finder

Quick Reply How times have changed (46 comments)

5 years ago it would be considered a "hacking" crime to bring to light such a trivial adjustment to the way you access a website by changing its URL in a small way, but now it is grounds for a class action against the operator for actual lax security.

about 8 months ago

Photocopying Michelle Obama's Diary, Just In Case

Quick Reply Car Analogy (218 comments)

It would be like Obama completely bugging his wife's car, not because she is under the protection of the Secret Service, but because he wants to watch everything that she is up to without her knowledge. GPS Tracking, Sound, Video, the works - he can watch her every breath.

And then when she realises that he has been spying on her, he would say "Well you wouldn't mind if you have nothing to hide! I'm just cleaning out the dirty dishes!"

about 8 months ago

Second SFO Disaster Avoided Seconds Before Crash

Quick Reply NO (248 comments)

"Is there a structural problem with computer-aided pilot's ability to fly visual approaches?"

No, just pilot error. The 777 has landed at SFO every day for years without issue, and the cause of the Asiana crash has been well documented.

about 9 months ago

Ask Slashdot: Secure DropBox Alternative For a Small Business?

Quick Reply Synology CloudStation is the closest thing. (274 comments)

Synology have been moving from the personal to the enterprise space as of late with their "DiskStation" NAS line of products. Some of their high-end "NAS" boxes can get pretty powerful. There is a function of the DiskStation called "Cloud Station", essentially a Dropbox clone.

Basically what you would be doing is having your own on-premises 'Dropbox appliance'. It is very easy to set up/integrate with its user-friendly interface for the admin, and then all you really need to do is forward the ports and install the client software.

about 9 months ago

Researchers Infect iOS Devices With Malware Via Malicious Charger

Quick Reply This Responsible Disclosure is very irresponsible (201 comments)

They should have saved this exploit for jailbreaking rather than report it, considering the chances of an in-the-wild infection are low. Public charge stations are quite uncommon.

about a year ago

UK Benefits Claimants Must Use Windows XP, IE6

Quick Reply Use Firefox 1.0.3 (230 comments)

From the article, these are the supported browsers:
"Microsoft Windows XP: Internet Explorer 6.0, Netscape 7.2, Firefox 1.0.3, Mozilla 1.7.7."
Firefox is still available (Windows link) and is fairly independent from the underlying OS, so it would probably work on Vista+/Mac/Linux too (if you can find Mac/Linux links).

Still a pain to have to pick and choose browsers. It is easier for the average person to use the offline version.

Even easier for the hacker to compromise such an outdated website and input their benefits claim directly into the database tables
(and already approved for their 10 fake identities of course).

about a year ago

Mitigating Password Re-Use From the Other End

Quick Reply Re: Still an issue that Devs won't acknowledge (211 comments)

Then how come you are posting as VertexCortex and not Anonymous Coward? There still needs to be a mechanism to make sure you are VertexCortex. Ideally you should be able to go hit "Login" on your browser, and your browser automatically logs you in while using two-factor in the background (once you have already two-factored with your browser when you sat down), so Slashdot knows 1. you are VertexCortex (to load your preferences and posting abilities as your name) and 2. you have proven yourself (it doesn't need to know how, it just needs to know that you have).

about a year ago

Mitigating Password Re-Use From the Other End

Quick Reply Still an issue that Devs won't acknowledge (211 comments)

The thought process of a developer is that it is usually a user problem, and therefore it is the user that needs fixing, not the user.

The cold reality is that using passwords at all is the problem.

Passwords are an antiquated solution to a simple problem from the very start of multi-user computing. It is simple but exponentially ineffective as it scales.

The human mind is not set up to remember multiple, complex passwords. There are very few humans who are gifted with this ability to remember literally hundreds of different passwords without writing it down, I would put someone who can in the realm of an academic genius who can remember entire textbooks or recite Pi for hours before they eventually have to take a break for physical reasons.

Normal people write it down or keep it to a narrow set of passwords depending on which level of complexity the system will allow. Both bad security practice.

And passwords that expire every 45 days with annoying complexity requirements? You're going to drive users nuts trying to think of new ones each time, so that eventually they will come up with the simplest password the system will allow and increment it by 1 each time they have to change, eg: Password1, Password2, Password3, etc.

There are hacks out there, eg: KeePass and LastPass, but this is a workaround to the underlying problem. The websites that force you to use Facebook are even worse (as they force you to hand over all your personal details while you are at it, which just as easily can be used for identity fraud. Many banks, telcos etc. only authenticate with your DOB). OpenID is better, but the implementation makes it common to sign in from the website you are trying to access, making it susceptible to being spoofed.

Realistically, we need to kill the password. Two-factor authentication all the way. It needs ONE trust relationship between the user and the authenticator. This could be a user ID and a token. The authenticator can then have multiple trust relationships with participating websites.

The authenticator should only provide two data points: (1) the user ID for that website (different ID to other websites so that the user can be tracked with the same ID across websites) and (2) that the user has authenticated themselves. That's it. Most websites don't need to know your name, DOB, vanity username, email address or anything else about you. If they need this, ask - but only if actually required - and give the user a clear option to decline or provide only partial data.

The only thing that most websites or other computer systems need is a way to tell which user profile to load up, and that the user requesting it is really the same user. A password does not prove that.

about a year ago
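The "one trust relationship with the authenticator, many with sites" model from the comment, as an added example in Python using only the standard library; this is not the commenter's code and not any real identity product. The user proves possession of a token with RFC 4226 HOTP, and the authenticator hands each site only a pairwise user ID plus a signed, short-lived, single-use statement that authentication happened. Per-site shared HMAC keys stand in for the public-key signatures a real deployment would use; all names, secrets and the assertion format are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example: the token scheme (HOTP), the assertion format and the
# per-site shared keys are illustrative, not a real protocol.


def hotp(device_secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the 'token' half of the user's single trust relationship."""
    mac = hmac.new(device_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Holds one secret per user (token seed) and one per site (assertion key)."""

    def __init__(self, master_secret: bytes):
        self.master = master_secret
        self.users = {}   # user_id -> [device_secret, next expected counter]
        self.sites = {}   # site name -> shared assertion key

    def enrol_user(self, user_id: str, device_secret: bytes) -> None:
        self.users[user_id] = [device_secret, 0]

    def register_site(self, site: str, key: bytes) -> None:
        self.sites[site] = key

    def pairwise_id(self, user_id: str, site: str) -> str:
        """Per-site identifier: stable for (user, site), unlinkable across sites."""
        msg = f"{site}\x00{user_id}".encode()
        return hmac.new(self.master, msg, hashlib.sha256).hexdigest()[:16]

    def login(self, user_id: str, otp: str, site: str, now: int, window: int = 3):
        """Check user ID + token; on success issue an assertion for `site`."""
        if user_id not in self.users or site not in self.sites:
            return None
        device_secret, counter = self.users[user_id]
        for c in range(counter, counter + window):      # tolerate a few skipped codes
            if hmac.compare_digest(hotp(device_secret, c), otp):
                self.users[user_id][1] = c + 1          # a code is never accepted twice
                break
        else:
            return None
        claims = {"sub": self.pairwise_id(user_id, site), "aud": site,
                  "iat": now, "nonce": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.sites[site], payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + sig


class RelyingParty:
    """A site that learns only which profile to load and that it was authenticated."""

    def __init__(self, name: str, key: bytes, max_age: int = 300):
        self.name, self.key, self.max_age = name, key, max_age
        self.seen_nonces = set()

    def verify(self, assertion: str, now: int):
        """Return the pairwise user ID, or None if the assertion is not acceptable."""
        b64, _, sig = assertion.rpartition(".")
        try:
            payload = base64.urlsafe_b64decode(b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):        # forged or wrong site's key
            return None
        claims = json.loads(payload)
        if claims.get("aud") != self.name:                # issued for another site
            return None
        if not (now - self.max_age <= claims.get("iat", -1) <= now + 60):
            return None                                   # stale or future-dated
        if claims["nonce"] in self.seen_nonces:           # replay
            return None
        self.seen_nonces.add(claims["nonce"])
        return claims["sub"]
```

The site never sees the OTP seed, the user's real identifier or any profile data; it sees a different `sub` than every other site, and it rejects assertions that were issued for someone else, signed with another site's key, replayed, or too old. The authenticator's counter bump is what stops a captured one-time code from being reused.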

Submissions


How much do staff really represent their company?

Quick Reply writes  |  more than 3 years ago

Quick Reply writes "I had the 'magical' experience of dealing with Apple today. One of their sales staff suggested that I buy an extra battery to store long-term until the main battery needs replacing, at the time I bought my laptop a few years ago.

Well, as it turns out, the second battery isn't designed to be stored long-term as it will "expire". Now the company is point blank refusing to replace the out-of-warranty item, justifying that the product was "misrepresented" only by one particular staff member a few years ago, and the company can't take responsibility for what a particular staff member said a few years ago.

I ask Slashdot, when a company staff member makes a mistake, is the company right to say that this was a personal mistake of an individual staff member, or should the company be taking responsibility for the mistakes of their individual staff members while doing their job?

Maybe it is just me that finds it absurd to suggest that a company representative is not really representing their company."

Boy killed by exploding Office Chair

Quick Reply writes  |  more than 5 years ago

The Land of Smeg writes "Itay News (Japanese) and Sankaku Complex are reporting that a fourteen-year-old boy was killed after the chair he was sitting on exploded, propelling sharp chair parts into his rectum, resulting in extensive bleeding, to which he succumbed before medical attention could stem the flow.

The chair in question was a standard gas cylinder type, where the height is regulated by an adjustable cylinder containing highly pressurised gas, and it was this which exploded, sending high velocity chair parts into the posterior of the unfortunate youth.

The illustrated chair shows the severity of such a cylinder malfunction. This really makes you think, is your office chair safe?"

