
Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

holdenkarau Re:Not significant? (66 comments)

I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)

Yahoo! POP is SSL encrypted (and only available to pro account users in any case). Part of the worry for me is Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As far as other Yahoo! properties go, I have no idea.

more than 5 years ago



Sniffing browser history for art

holdenkarau holdenkarau writes  |  more than 4 years ago

holdenkarau writes "You may remember previous Slashdot discussions on browser history sniffing, but there is a new kid in town doing something a bit different. uses similar browser history sniffing to determine what websites you visit and creates a collage of them. Before you get worried, it uses a list of "web2.0" sites, so the collage will (probably) be appropriate (unless you don't want your colleagues knowing about your Slashdot habits). An interesting application of potentially scary technology. For those wanting to skip the warning screen and go straight to the browser sniffing, this should do the trick."

Yahoo! Zimbra Desktop vulnerable to MiTM

holdenkarau holdenkarau writes  |  more than 5 years ago

holdenkarau writes "After patching its plaintext authentication gaffe, Yahoo! Zimbra Desktop has hit another stumbling block in the security road. Yahoo! Zimbra now uses the standard authentication method used by the rest of the Yahoo! Mail family. However, unlike other implementations where invalid SSL certificates will throw up plenty of warnings for the user, Yahoo! Zimbra Desktop is trivially vulnerable to a man-in-the-middle attack, as it simply transmits the usernames & passwords regardless of who's picked up on the other side. With all of the news about DNS vulnerabilities, this seems like exceptionally poor timing for a MiTM. For the time being you may wish to switch to using the Yahoo! webmail interface, until this bug gets fixed."

iPhone exposes emails in plaintext for Yahoo users

holdenkarau holdenkarau writes  |  more than 5 years ago

holdenkarau writes "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing usernames & passwords. It turns out that more than just Yahoo! Zimbra Desktop is affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames & passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard IMAP port. Outgoing mail is a bit harder to find; it is apparently sent by an HTTP POST request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), you might want to look at forwarding it somewhere else for the time being, and using that account instead."

Security flaw in Yahoo mail exposes plaintext auth

holdenkarau holdenkarau writes  |  more than 5 years ago

holdenkarau writes "Yahoo!'s acquisition of open-source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. Ironically enough, the flaw was discovered during a Yahoo "hacku" day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent hoopla about Gmail exposing the names associated with accounts, this seems downright scary. So if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the oh-so-retro web interface."

Canadian Firms kick off OpenMoko development

holdenkarau holdenkarau writes  |  about 6 years ago

holdenkarau writes "Now that the OpenMoko platform has stabilized enough to provide a usable development image, things are starting to heat up. Linuxdevices & are both reporting on the start of a port of Devicescape's connect application. Koolu (another Canadian company) is also doing development for its W.E. phone (a branded FreeRunner). Hopefully, without the restrictiveness of cell-phone carriers we can start to see some truly innovative mobile applications come forward."

Commercial applications come to the OpenMoko

holdenkarau holdenkarau writes  |  about 6 years ago

spamcakes writes "The development of the first commercial application for the OpenMoko is apparently getting underway. Devicescape, which makes a program for automatic Wi-Fi logins to networks like Starbucks, is going to be getting on the OpenMoko bandwagon. Are more commercial applications going to move to the OpenMoko platform because of its open platform? Is the restrictiveness of other platforms helping push applications to the OpenMoko?"

Money in web 2.0? Surely you must be joking!

holdenkarau holdenkarau writes  |  about 6 years ago

holdenkarau (1130485) writes "Monetization finally comes to the Facebook application platform with the new Wishlist application. Powered by Amazon's e-Commerce API, it enables users to share their gift desires on Facebook. By leveraging the social aspects of Facebook and its increasing popularity as a place to plan events, the Wishlist app hopes to capture some of the important wedding registry & wish list revenue."

Canadian spectrum auction ends with new carrier

holdenkarau holdenkarau writes  |  more than 6 years ago

vivalarevoluation writes "The Canadian wireless spectrum auction has just finished, with an entrant into the Canadian cellular market. Globalive Communications won spectrum across all provinces, with the notable exception of Quebec, and they have issued plans for the development of a new Canadian wireless company. Their press release cites a study showing that Canadian prices are about 60% higher than American prices, and I'm sure some of you will Canada being the second most expensive place to buy an iPhone :~ Oddly enough, it would appear that one of the investors (Orascom) in this may be behind a large North Korean construction project. Canada's wireless industry has always been a little odd, but I'm guessing things are about to get a lot more interesting (and hopefully less expensive :))."

Gaping hole in gmail / google calendar user priva

holdenkarau holdenkarau writes  |  more than 6 years ago

holdenkarau writes "Depending on your view, Gmail has either a rather small or incredibly huge privacy flaw. This blog post about Gmail's privacy flaw goes through the reproduction steps which can be used to get the registration name (first & last) of any Gmail user (regardless of whether they have Google Calendar or not). For the majority of users, this probably isn't that important, but I know quite a few people who prefer to keep their online and personal lives separated (and I'm guessing there are some Slashdotters who also enjoy the separation)."

First North American OpenMoko/FreeRunners arrive

holdenkarau holdenkarau writes  |  more than 6 years ago

holdenkarau writes "The North American OpenMoko FreeRunners are starting to arrive. It would appear that the OpenMoko still has problems with some 3G networks, including AT&T. Although, in my own personal completely unscientific test, 2 out of 3 AT&T SIM cards worked. Check out the unboxing of a complete FreeRunner (along with debug board) and my experience getting the FreeRunner up and running. Or a direct link to the pictures for those of you bored with text. If you feel brave enough to take the plunge, you can buy your own FreeRunner from the OpenMoko store."

World Famous researcher Ian Goldberg talks on OTR

holdenkarau holdenkarau writes  |  more than 6 years ago

metaoink writes "World famous security researcher and professor Ian Goldberg recently gave a talk on securing instant messaging using his invention, OTR. Instant messaging (IM) is an increasingly popular mode of communication on the Internet. Although it is used for personal and private conversations, it is not at all a private medium. Not only are all of the messages unencrypted and unauthenticated, but they are all routed through a central server, forming a convenient interception point for an attacker. With OTR, users benefit from being able to have truly private conversations over IM, by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. Many Slashdot readers will probably have heard of OTR, which is available for Gaim/Pidgin, and this talk outlines the motivation and implementation of OTR. An XviD AVI of the talk is available by HTTP as well as by BitTorrent, along with some other formats."

Interesting Math, for Ninjas with ADD

holdenkarau holdenkarau writes  |  more than 6 years ago

holden writes "The University of Waterloo Pure & Applied Mathematics Club has recently digitized its short attention span math seminars. It is a series of short ~15 minute talks on different math subjects (ranging from 16 different proofs of the Pythagorean theorem, to advanced combinatorics). The topics are presented in an interesting way, and should be understandable by anyone with a basic grasp of math."

The history behind the first Faculty of Math

holdenkarau holdenkarau writes  |  more than 6 years ago

holden writes "Ralph Stanton, the man behind the founding of the first faculty of math, recently gave a talk on its unique history. The group went on to spawn a large number of spin-offs, such as Watfor, Sybase, etc. His talk looks at the politics behind starting a faculty of math, as well as the benefits and freedoms it has allowed both mathematicians and computer scientists."

The Software Tools Business, a Microsoft View

holdenkarau holdenkarau writes  |  more than 6 years ago

holden writes "Rico Mariani, an eighteen-year veteran at Microsoft, spoke to the University of Waterloo Computer Science Club, sharing his unique take on the history of, and controversies surrounding, Microsoft and the software tools industry in general. His responses in the Q&A session to free software advocates are particularly interesting. The talk has been digitized and is now available online."

Protecting Privacy by Design

holdenkarau holdenkarau writes  |  more than 6 years ago

holdenkarau writes " has an article on a talk entitled Privacy By Design recently given by Dr. Ann Cavoukian, Canada's Information and Privacy Commissioner. The talk starts off by covering the basics of privacy and privacy law, and then moves on to the important component: how to design software that properly protects users' privacy. The majority of the time is spent on design principles, but it also examines specific technologies (such as Elliptic Curve Cryptography)."

Privacy By Design

holdenkarau holdenkarau writes  |  more than 6 years ago

holdenkarau (1130485) writes "Canadian privacy commissioner, Dr. Ann Cavoukian, recently gave a talk entitled Privacy by Design at the University of Waterloo. The focus of the talk is how to use technology to enhance and protect privacy. Some of the technologies discussed included instant messaging, RFID tags and Elliptic Curve Cryptography (ECC). Then Dr. Cavoukian explained the "7 Privacy — Embedded Laws", followed by a discussion on a biometrics solution to encryption."

The future of C++ as seen by its creator

holdenkarau holdenkarau writes  |  about 7 years ago

holden writes "In a rare public talk, C++ creator Dr. Bjarne Stroustrup discusses his ideal in programming languages, as well as how he sees the next version (and beyond) of C++ developing. He explains the general selection criteria used for adding new features, some of the legacy of C++, and many other interesting topics. Especially interesting is the Q&A, where he explains his views of the embrace-and-extend mentality some implementations, such as VC++, have taken. The talk is available as an XviD AVI, MPG, and other formats."
