Yes, software-based TOTP implementations on smartphone platforms could be vulnerable to malware, but if using TOTP-based dongles, you would need to steal the dongle and possibly also know the PIN that must be used with the time-based code.
In South Africa, there have been a lot of cases of what is referred to here as 'SIM-swap fraud'. It seems that there are syndicates operating that have accomplices who have:
- sufficient access to bank customer information for social engineering to re-set or change internet banking passwords and get the customer's cell-phone number
- access to perform a SIM-swap of the victim's number, so that they can approve actions such as adding beneficiaries, changing transaction limits while also preventing customers from receiving notifications of activity on their account
So securing SS7 is not the only step required to fix SMS as a 2nd factor.
Here is a recent case of a customer losing about $20 000 this way: https://mybroadband.co.za/news...
Google searches for "SIM-swap fraud" turn up reports from the UK and other European countries.
Why would you use spanner? It has proprietary APIs (ok, yes you can run a SELECT, but only using their database drivers if available for the language/framework you use, but not INSERT, UPDATE, DELETE etc.), isn't faster than Aurora (http://2ndwatch.com/blog/benchmarking-amazon-aurora/), and is more expensive for the same performance.
These days, Google seems to be spending more effort on PR than engineering ...
This problem was resolved 3 years ago, run Xwayland, an X server for Wayland.
You assume that because the Wayland protocol isn't concerned with network transparency that Wayland developers don't understand your use case. They do, they just don't think the network interfaces belong in the same binary as access to the display drivers.
You run an X server as a Wayland client:
https://wayland.freedesktop.or...
New to Github Enterprise?
Gitlab Community Edition has had this for about 18 months. Pull/merge requests can run automated builds including running tests, the results of which can be seen in the merge review screen. It can also be configured to auto-merge based on testing criteria (coverage, test results etc.).
"I'd say that the majority of IT is no more knowledgeable about infosec than the average developer and even frequently less knowledgeable."
Like some developers I have worked with in the past, who insist that the application user must have write access to the Java keystore? Why? Because they wrote code to import the SSL cert of any host they connect to as a trusted cert to the keystore, because they couldn't figure out how to import the CA cert with keytool (but found random java code on stackexchange that "worked" because it also disabled all certificate validation)?
There is flix4kodi (source) which launches Chrome in full-screen, and worked for me about a year ago.
And of course recent posts indicate that it is no longer working :-(.
I'd love to be able to use Kodi for all of my media viewing - ideally including live TV as well. If Kodi had a Netflix plugin, we'd use Kodi in place of the crappy Netflix player built into the TV.
There is flix4kodi (source) which launches Chrome in full-screen, and worked for me about a year ago. But then of course you'll probably need a mouse and/or keyboard (which I don't need otherwise) to navigate inside the browser window instead of using a remote or the Kore smartphone app, and Chrome on Linux was still limited on 720p last time I tried. And since Netflix didn't really have anything I wanted to watch at the time, I haven't used it recently.
If they had an Amazon Video plugin, we'd ditch the Amazon FireTV box too. If there was a decent way to hook up a MythTV server and Kodi, then we could ditch the satellite box too. We'd be down to a couple of raspberry pis to do the lot. Sounds pretty awesome to me.
Yep, I really wouldn't mind paying for Prime Video to watch The Grand Tour, but I'm not going to watch anywhere but on my TV, and the only thing connected to it is Kodi on Linux. If Prime Video worked well on Kodi on Linux, I would definitely trial it ...
I thought the PVR branch was merged into recent versions of Kodi, and I thought it supported two backends, one of which was Myth?
Yes, I too fear that the PHBs won't understand that they need to make their products at least as accessible as the "free" competition, but it does seem the Kodi team is trying to convince them.
One would have hoped that the success of accessible audio streaming might have convinced them that making video streaming more accessible would result in more money from happier customers ...
"Kodi's intended purpose is playing user's (local or networked) video files on their living room TV.
If DRM is added this will become impossible."
So all those smart TVs that play Netflix at 1080p and support playing almost any video over DLNA don't exist?
Read the article, they don't want to remove any features, they just want to add the possibility of legitimate streaming options, which require DRM.
Many of their users would like that (including me), and everyone else should be unaffected.
"Supporting DRM means that the software is no longer open source nor is it for the users but for the corporations."
Firefox now supports DRM, did I miss the announcement that it is no longer open source?
Read the article, they don't want to *prevent* these plugins, they just want more legitimate streaming options to be available.
Like many of their users (including me).
You didn't read the article, did you.
They don't want to remove anything, just add options for users to stream content legally:
"“Our view on this is that [removing code] would not help a bit, because the code is open-source and others can easily revert it. Blocking add-ons won’t help since they would instantly change the addon and the block would be in vain,” Kaijser tells us.
The Kodi team feels that pirates are leeching off their infrastructure and put the entire community at risk. But, instead of taking a repressive approach they would like to see more legal content providers join their platform."
Mir was announced in March 2013
Canonical didn't suddenly do anything, they assessed the state and progress of Wayland and decided that if they wanted something done they had to do so themselves. Maybe that assessment was wrong.
Mir was announced in March 2013 (https://compute-fra.ec2.amazon.com/embassy/inspect)
In November 2013, Jolla shipped its first hardware, running Wayland.
There is no question that the assessment is wrong, there was no question in March 2013 that the assessment was wrong, and within 8 months there was proof, yet Ubuntu wasted the next 3+ years investing in Mir when they could instead have helped get Wayland onto desktops sooner.
"So you want to take our rights to negotiate pay?"
No, you can negotiate. The employer just shouldn't make an offer on the assumption you won't take leave that is guaranteed to you in labour legislation.
"We pay about 15% more than average with the expectation that you will be dependable rather than lazy and/or unavailable."
I am dependable, productive and available during office hours or any time on an on-call rotation, except when I take my planned leave.
At 15%, your employer is really over-paying, and probably actually getting less productivity than if employees took their full leave.
"Not being able to take time off is a trade-off I'm willing to make for what I'm paid. You are demanding laws that take our rights."
Alternatively, it's protecting people like me from being abused by people like you who seem to not care about anything but work and money, and who believe that anyone who doesn't work more than 3200 hours a year is "lazy".
KDE 3 is still the best DE ever made for Linux. I really wish someone with the know-how, time, and money had kept it going the way the MATE guys did with gnome2.
You mean like the Trinity team?
(But, if you haven't tried KDE5 recently, you should.).
Systemd is terrible and what they've been doing to Linux is also terrible.
You're assigning guilt for too many things to systemd.
No more simple ifconfig to set an ip address.
On RHEL7 and similar, net-tools is no longer installed by default, you should use the 'ip' command from iproute2, see http://lartc.org/howto/lartc.i... . ifconfig and 'route' for Linux have been on the deprecation path for years, before systemd existed.
I think since RHEL6 the Red Hat documentation and training material stopped referring to ifconfig.
You need to create a file in /etc/network/eth-whatever and add some options.
This has been the way to create persistent network configuration for years (since Red Hat 5.3).
(And it's /etc/sysconfig/network-scripts/ifcfg-${INTF})
No more "route" either, so how do you set a route?
ip route add
'ip route' is significantly better than 'route', e.g. 'ip route get ip.add.re.ss' will change your life.
Oh and the best part is things like nslookup and traceroute are not included by default!
So, install them (e.g. 'yum install bind-utils traceroute') . You can resolve names (the way most normal processes would, e.g. looking in /etc/hosts or other sources of host information as configured in /etc/nsswitch.conf) using 'getent hosts', that should be sufficient on most general-purpose servers (if you don't need to look up SRV or MX or TXT records etc.).
Neither is "man" which I had to install manually.
What distro are you talking about? This *really* has nothing to do with systemd ...
Sure give me 10,000 obscure and buggy libraries but not include core utilities like nslookup? Oh and I almost forgot. On a completely idle system, systemd is using the most cpu time out of everything else. So nice of my startup manager is the top resource hog.
On an idle system that has been up for 10 minutes, systemd has consumed less than 1 second of CPU time. A *real* resource hog</sarcasm>
"A count is also a measure."
Only if accompanied by a unit
"I've yet to see a linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS."
You haven't heard of Red Hat, or CentOS?
RHEL5 reached end of standard support yesterday, after just over 10 years. Extended support is available for another 2.5 years:
https://access.redhat.com/supp...
CentOS 5/6/7 have the same lifecycle:
https://linuxlifecycle.com/
https://wiki.centos.org/About/...
"Windows can guarantee you a decade of security updates for a platform. I have to get it the edge here."
Only because you seem uninformed or too lazy to do any research.
"Additionally, if you're hosting yourself, and you run VMs, once you've licensed data center edition on the basic hardware, you can spin up as many Windows VMs on that hardware as you need at no extra cost."
Red Hat has similar options, and subscriptions on their RHEV+unlimited supported VMs gives you the same capabilities as VMWare vSphere Enterprise for less than just the vSphere licensing/SnS (so you basically get unlimited supported VMs for free).
I didn't compare to HyperV because MS was anal enough about licensing a Windows VM for the vCenter server (must pay per CPU-month for every CPU that could potentially run the VM) that we migrated as soon as possible to the vCenter Server Appliance because we spent almost as much licensing one Windows VM as on vSphere for a 6-machine vSphere cluster.
Of course, if you don't need support, you can run ovirt (community version of RHEV) on CentOS (or Debian) with unlimited CentOS (or Ubuntu or Debian) VMs, for no software cost. Or there are other options for container-based clusters.
"What Amazon describes isn't really a call center, but an IVR unit (Interactive Voice Response). Even if you buy this service from Amazon, you will still need a call center with actual humans in it answering phones."
Amazon specifically provides features for those humans, so they are describing a call centre. You still need the humans, but you don't need your own contact centre infrastructure.
"Setting up a cloud-based contact center with Amazon Connect is as easy as a few clicks in the AWS Management Console, and agents can begin taking calls within minutes."
Yes, other providers have offered hosted contact centres before, but people also offered VPS hosting before AWS launched EC2.
The features available in AWS connect sound like the ones some companies have been trying to piece together from components delivered by traditional players in the CRM industry but are usually too expensive to actually get right.
If more companies are enabled to provide the level of support Amazon and AWS provide, I think that is a good thing ...
I used CDE (and thus Motif) for many years. It may look outdated now, but it was years ahead of its time. While it may not be as usable as, say, GNOME 2 or KDE 3 were, it's actually still managed to be better to use than GNOME 3 or KDE 4+ have been.
I have seen CDE a few times (e.g. on Solaris), and found it very unusable, so much so that installing KDE or GNOME was much easier than trying to just use CDE.
While KDE 4.0 was very rough, and 4.1 only addressed the roughest edges, from 4.4 KDE has had almost complete feature-parity with KDE 3. At least they aren't applying non-optional Mac-like interfaces (where the menus are 100s of pixels away from the Window they apply to like GNOME 3). It's quite frustrating using GNOME 3 apps (about the only one I use is simple-scan, as I'm not aware of a KDE scanning app that scans to PDF).
Plasma 5 and KF5 are now also very good and quite polished.
The wikipedia definition of money[1] ("Money is any item or verifiable record that is generally accepted as payment for goods and services and repayment of debts in a particular country or socio-economic context") is basically identical to the definition of legal tender[2] ("Legal tender is variously defined in different jurisdictions. Formally, it is anything which when offered in payment extinguishes the debt.").
The guidance document for virtual currencies by the South African treasury only refers to 'virtual currencies', never referring to them as 'money'. Virtual currencies effectively have the same (or less) standing in South Africa as (or than) external currencies (including e.g. the Zimbabwean Dollar).
So, what do bitcoin proponents claiming 'Bitcoin is classify as money' define 'money' as? Obviously something different than the rest of the population.
1. https://en.wikipedia.org/wiki/...
2. https://en.wikipedia.org/wiki/...
The document from the South African treasury about virtual currencies you linked to states:
"Due to their unregulated status, virtual currencies cannot be classified as legal tender as any merchant may refuse them as a payment instrument without being in breach of the law. In addition, virtual currencies cannot be regarded as a means of payment as they are not issued on receipt of funds. The use of virtual currencies therefore depends on the other participant’s willingness to accept them."
So, I don't think that qualifies as being "money".
Yes, about two online shops in South Africa accept payment in Bitcoin, but I don't know how they comply with FICA regulations in this case ...
"We all emigrated, by your ridiculous hypothesis, to everywhere in the world once we left Africa."
And then some of us returned to our homeland, and 300+ years later their descendants are still called "colonialists" by those who didn't emigrate, and they blame us for all of their problems (such as lack of education).