Where's the second factor in that? It's a temporary code and a... ??
Your ordinary username and password.
In addition to the code-by-SMS, one can also use any RFC 6238-compatible OTP program (Google makes one for iOS/Android/Blackberry called, unsurprisingly, Google Authenticator) to generate time-based one time passwords. Very handy.
I actually use the Google Authenticator PAM module (it doesn't call home to Google or anything, it's just a local authentication module) for authenticating to SSH on a few servers I run -- normally I'd use public key auth, but it's not suitable in that particular case. Useful for helping reduce dictionary attacks.
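The RFC 6238 scheme mentioned above, written out as a worked example. This is added editorial code, not the Google Authenticator app or its PAM module; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and checks itself against the test vectors in those RFCs (the reference seed is the ASCII string "12345678901234567890"). The `verify_totp` helper with its `window` and `last_used` parameters is the server-side shape I would want; those names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, "dynamic truncation"
# to 31 bits, then reduce modulo 10^digits and left-pad with zeros.
def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step). 30-second
# steps and 6 digits are what Google Authenticator uses.
def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)

def verify_totp(secret, code, at=None, window=1, step=30, digits=6, last_used=-1):
    """Server-side check. Returns the time-step counter that matched, or None.

    window:    adjacent steps to accept, to absorb drift between phone and server.
    last_used: highest counter already accepted for this user. Anything at or
               below it is refused, so a sniffed or phished code cannot be
               replayed inside the window. The caller must persist the value
               this function returns.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None

def secret_from_base32(text):
    """Authenticator apps exchange the shared secret as base32 (otpauth:// URIs).
    Tolerates spaces, lower case and missing '=' padding."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

# Reference seed used by the test vectors in RFC 4226 and RFC 6238.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SEED, 0))                        # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(RFC_SEED, at=59, digits=8))  # 94287082 per RFC 6238
    print("Current 6-digit code:", totp(RFC_SEED))
```

Two things the paragraph above does not spell out and the code does: the server has to remember the last counter it accepted (otherwise a code captured over the shoulder is good for the whole window), and the shared secret must be stored server-side in plaintext-equivalent form, so it deserves the same protection as a password database.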
If I understand correctly, for the vast majority of traffic they provide ordinary DNS resolver service.
When you attempt to access something on their list of stuff-that-needs-to-be-proxied (e.g. Netflix, Hulu, etc.) their DNS servers don't return the canonical result, but instead point toward proxy servers run by unblock-us. Data is then automatically proxied as needed.
HBO's online offerings are only available to subscribers in the United States who are also customers of a specific list of cable/satellite TV companies.
That doesn't really help the subscriber in Australia or Europe. Why are those customers unable to stream/download content that their American counterparts can? Why are the same shows delayed by days or weeks in non-US countries?
I've been using Firefox for years and I've seen it steadily improve. Sure, there's been some odd UI decisions (FF2 had the URL bar on SSL-secured sites colored yellow which made it obvious when one was visiting a secured site. The next version didn't. Up until recently, SSL-secured sites had a blue "secured" indicator to the left of the URL bar while EV sites had a green indicator. The blue indicator has been removed in FF14 and the green one is less distinct.), but overall the browser has improved.
At first, the rapid release cycle was annoying but that was mostly because the browser required admin rights on Windows to update. Chrome avoids this by having the update process run under the system account in the background. Newer versions of FF do this as well so updates are considerably less obnoxious and my concerns with the rapid release cycle are eliminated (though I still think the numbering scheme is a bit annoying).
I've found Firefox to be the most consistently-good browser out there. Recent improvements in JavaScript processing have made Firefox just as fast (if not faster) than Chrome on my system, plug-ins work consistently better than Chrome, and memory usage has gone down significantly in more recent versions.
Sure, the other browsers (Chrome, Opera, etc.) are pretty good and I really don't have any major complaints about them (though the lack of X.509 client certificate generation in Chrome is problematic; Firefox/NSS has supported this for eons.), but I continue to use Firefox as my primary browser and don't really see any reason to change at this point.
All the arguments against the UN could equally be made of the US. Additionally it's not at all clear to me why I have to pay an American company to maintain my .com registration. Certainly there's no indication it was chosen as being the best value for money.
The .com registry (VeriSign) charges $7.85/year for registration at the wholesale level (plus an $0.18 ICANN fee), regardless of if you're Joe Schmoe Blogger or Google. That seems like a pretty reasonable expense for maintaining a registry of 100+ million domain names with 100% uptime since it was founded.
Would it be nice if it cost a bit less? Sure. I'm still not that worried about it -- the fee is less than I paid for lunch yesterday and the savings of a dollar or two in terms of an annual registration are basically not even worth discussing in terms of practical savings.
VeriSign certainly seems to know how to handle the registry side of things pretty well, and I don't really see any technical or financial reasons why I should be concerned.
I never thought I'd be in a position to defend VeriSign, but in this case they seem to be doing a darn good job.
...or you could just get your own domain name and not worry about the availability of specific addresses ever again.
I'm not a Muslim but I had read that in many cases allowances can be made: people observe the fast between sunrise and sunset in Mecca.
A similar exception was made when the first Muslim astronaut was in space. Wired has an interesting writeup on the subject.
How much time does it take to verify someone's information in the Nigerian prince scheme? I thought it was "Send me your bank account info" and if you sent them something else, they'd just ignore it. I'm surprised research indicates they'd save much time filtering out the smart people.
For the most part, the Nigerian scammers aren't interested in "pulling" money from your account via direct debit or whatever. Rather, they lure you into sending them money through otherwise-legitimate means like Western Union. Such methods are essentially anonymous and irreversible.
They are a non-profit organization whose sole purpose is to support the infrastructure of the Internet. They build open-source software (like BIND and implementations of DHCP). Sorry, but you really should research before you spout off.
Not to mention running the F root name server. They really know DNS.
Off the top of my head, I can think of only a few organizations in the world who have the know-how and ability to run a large-scale DNS system properly. ISC is at the top of that list. IMHO, the FBI chose wisely.
NTP certainly can step the clock rather than slew it, but this is not recommended.
If NTP can't keep a reasonably-thermally-stable system in sync, it's almost certainly because that system is broken in some horrible way.
Because that is ambiguous. If something happened at :59.817, do you know which of the two "59" seconds it took place in? No. What if two events happen, one at :59.817 and :59.923 -- which one is first? You don't know if the 59.817 one took place in the first or second 59th second. Bad things can happen if systems have ambiguous time, particularly if time appears to stand still or go backwards.
A better option would be to insert a leap second at one particular minute, wait one minute, then insert a second leap second. Of course, having two leap seconds in such a short period would be unusual.
Small world. I had no idea you were on slashdot -- we briefly met a few years back for a Thawte notarization.
Anyway, good to know you guys are still around and doing stuff like this.
Wasn't space the main factor that made people adopt Gmail in the first place?
Yes, years ago. When Gmail first came out and offered 1GB of storage, large numbers of people changed: at the time Hotmail only offered about 2MB (yes, MB) of free storage and a bit more for paid users. That additional space was a major game-changer.
These days it's less of an issue: my mother never deletes or sorts her email (she's got thousands of messages piled up in her inbox -- she reads and replies to incoming mail as needed but just leaves read mail in the inbox -- not ideal, I know, but that's how she works) and she's only using about 10% of her storage. I keep my email box well-pruned and even with heavy usage I'm only using about 5%.
I'm more concerned about spam filtering and security (Gmail offers two-factor authentication, HTTPS-by-default, etc.) these days.
The problem with this approach is that it ties you to your ISP. When you move or they get bought in ten years, you have to try to recall EVERYONE who has your email address, and convince them to update their address books.
This. ISP-provided email is a form of vendor lock-in.
Personally, I avoided the issue by buying my own domain years ago and using it for my email. Google Apps provides the backend for it now, but I can switch off them to a different provider (including my own server) within the time it takes for DNS TTLs to expire (24 hours or so) without needing to change my address. Very convenient.
Hover's a pretty well-known, well-regarded domain registrar. FWIW, I've heard only good things about them.
Most of my domains are with GANDI and I've been quite happy with them. Their site Doesn't Suck and they support a lot of ccTLDs, which is nice. Otherwise I'd definitely consider Hover.
You're barking up the wrong tree. Most companies use email as one means of communicating among employees, and most companies use email to communicate with recipients at *other* companies. That's a whole lot of traffic that Google et al don't need to snoop on, unless said company's CTO is braindead.
Does Google use their "snooping" for anything other than delivering more targeted ads? It's not like they're reading users email and stealing corporate secrets or anything.
Sure, there's plenty of reasons to run internal mail servers, but Gmail provides a great service that meets the needs of a large number of users, businesses, universities, etc. If they didn't, they wouldn't be as big as they are.
The university I used to work for moved ~30,000 student email accounts to Google Apps for Universities. It authenticates using the university's locally hosted authentication system. Saved them a huge amount of support hassles, servers, storage, electricity, bandwidth, etc. and those resources could then be used on other useful projects.
And in fact, there's little reason for even your grandma to be on gmail. An inhouse Linux router/mail server combo would be perfect for intra-family messaging. If the GNU freedom box project can get off the ground, we'll begin to have a real alternative to the corporate overlords.
My parents like Gmail because it provides tons of space, good searching facilities, excellent spam filtering, and a built-in web-based chat/voice/video client so they can easily click two buttons and be chatting with my sister or me. Yes, it's possible to setup something similar on one's own, but it's (a) a hassle and (b) likely to be not as cleanly integrated as Gmail, which is a big turn-off for non-technical users.
Same here. I've had my own domain since 1999. Over the years I've had mail provided by a number of services (at one point having it hosted on a server under my desk at home). When Google Apps came out (in what, 2006?) I switched to them and have been with them since.
I get enormous amounts of spam (these days it's around 4,000 messages a month. A few years ago it was in the 30,000-40,000/month range.) so dealing with spam filtering was a massive hassle. Gmail's filters are outstanding, and maybe 1-2 spams slip through per month. They're usually novel attempts to avoid filtering and are quickly blocked. Google's trivial "mark this message as spam" button makes things quite easy. The support for IMAP, POP, and Exchange ActiveSync is nice too, as is their XMPP support (both with a separate client and their web-based one). I'm a heavy user of email (but routinely delete rather than archive messages) and am only using about 5% of the total storage space allocated to me as a free user.
Gmail's also been doing quite well on the security front: their accounts support two-factor authentication using open standards and their service defaults to using HTTPS (with ephemeral ECDH key exchange, no less!).
My parents, who are not very technical people, have used Gmail for years and have been quite satisfied. I'm pleased that the system chooses sane defaults to help keep them secure.
Sure, I *could* set up and run my own email server, but why bother? High availability costs money and time, servers are not cheap, I'd have to pay for electricity/network connectivity for an underutilized system, and I'd have to constantly be fending off spammers and other baddies. I'd rather use my time to do something else that's more productive.
The new GPS satellites no longer have Selective Availability capabilities, or so the government claims (and I have no reason to disbelieve them on this subject).
Considering that GPS is widely relied upon for aviation, land, and marine navigation, surveying, public safety, and precision timekeeping, I suspect that it would be very unlikely for the government to turn on SA or otherwise degrade the accuracy of GPS.
Not for long, though.
Doesn't pretty much every modern browser support client-side workarounds that prevent BEAST? I know OpenSSL's supported it for years.
I suspect that the "vulnerable to BEAST" issues will disappear once OpenSSL releases (and the various distros distribute) a version that supports TLS 1.1 and 1.2, neither of which are vulnerable.
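A quick way to check the claim in the reply above against a real server, as an added example that is not part of the original thread. BEAST needs a CBC-mode cipher suite under SSL 3.0 or TLS 1.0 (where each record's IV is the previous ciphertext block); TLS 1.1 and 1.2 use an explicit per-record IV, and stream or AEAD suites do not chain at all. The code below uses only Python's `ssl` module; `beast_exposed` is my own name-based heuristic (any OpenSSL suite name without an AEAD or stream marker is treated as CBC), and the two probe functions need network access, so only the classifier is exercised offline.

```python
import socket
import ssl

# Suite-name markers that mean "not CBC": AEAD modes and the RC4 stream cipher.
# Assumption: every other OpenSSL suite name is a CBC suite.
_NON_CBC = ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4")

def beast_exposed(version, cipher):
    """Classify a negotiated (protocol version, cipher name) pair as reported by
    ssl.SSLSocket.version() and ssl.SSLSocket.cipher()[0]."""
    if version not in ("SSLv3", "TLSv1"):
        return False
    return not any(marker in cipher.upper() for marker in _NON_CBC)

def probe(host, port=443, timeout=5.0):
    """Handshake with the platform defaults and report what this client got.
    Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits,
                    "beast": beast_exposed(tls.version(), name)}

def probe_tls10(host, port=443, timeout=5.0):
    """The question that actually matters for BEAST: will the server still serve
    TLS 1.0 with a CBC suite to an old client, even though *our* client would
    negotiate 1.2 or 1.3? Recent OpenSSL builds may refuse to offer TLS 1.0 at
    all; that is reported rather than treated as a server property."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return {"version": "TLSv1", "result": "client cannot offer TLS 1.0"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name = tls.cipher()[0]
                return {"version": tls.version(), "cipher": name,
                        "beast": beast_exposed(tls.version(), name)}
    except ssl.SSLError as exc:
        return {"version": "TLSv1", "result": "refused by server (%s)" % exc.reason}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print("default handshake:", probe(target))
    print("TLS 1.0 only:     ", probe_tls10(target))
```

Note that a clean result from `probe` alone says nothing about older clients; the server-side fix is to stop offering TLS 1.0 CBC suites (or prefer non-CBC suites for TLS 1.0), which is what `probe_tls10` checks for.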
Anyone ever try to use Hotmail in non-IE browsers or chat on MSN via Trillian?
Er, yes. It works fine.
I don't think I've ever had problems with Hotmail and non-IE browsers since the service was founded. Of course, I usually just use Hotmail for throwaway junk accounts but I've never had any issues.
I don't use Trillian, but Pidgin works fine with MSN chat.
Microsoft has done some shady things in the past, but it'd seem rather foolish for them to screw around with their major services like Hotmail and MSN Chat...
Evidently one can also try connecting to the suspected Tor node in question and seeing if it "speaks Tor" -- this utility appears to use that method.
My understanding is that's what the Chinese are doing to detect bridge nodes, though I very well could be wrong.
OpenVPN is another option, and that works quite well. It can also be configured to route all traffic, not just things which support proxies.
Setting it up the first time is not the most trivial thing in the world, but it's not hard. Just be sure to change the RSA and DH-parameter scripts to generate 2048-bit keys (or higher, if you feel the need) rather than the default 1024.
Windows: Microsoft Security Essentials. It's free, non-obnoxious, and works well. The Windows Firewall is fine. No need for extra stuff.
Linux: There aren't really any noteworthy Linux-specific viruses that affect desktop systems. Keep things up to date. For server systems, things like tripwire are handy to see if things are getting modified. The built-in firewall is again excellent.
Hosts File: DO NOT SUMMON APK.
As I mentioned previously, after a few hours to settle NTP can match time to my GPS clock (which provides PPS output and NMEA sentences over serial) with a jitter of 15 microseconds on Linux (Ubuntu Server 10.04).
Using only the NMEA sentences over serial without PPS, jitter increases to ~250 milliseconds, roughly 16,000x more. Sure, it's "only" a quarter second, but still. It might be good enough for internal use but I wouldn't provide a public time server with a USB GPS clock.
Since USB receivers don't provide PPS output and the USB controller polls devices at intervals (rather than responding to serial interrupts), there's no way for a USB receiver to come close to the precision of a PPS-based serial connection.
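For readers who want to see what the NMEA side of that GPS clock actually delivers, here is an added example (editorial code, not from the original poster and not from ntpd or gpsd): a checksum-verifying parser for the RMC sentence, which is the one that carries both date and UTC time. The sample sentence is the commonly circulated GPRMC example (UTC 12:35:19 on 23 March 1994); the two-digit-year rule and the `arrival_offset` helper are my own assumptions.

```python
import datetime
import re

# Constructed sample: the standard GPRMC example sentence.
SAMPLE_RMC = "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A"

_SENTENCE = re.compile(r"\$([^$*]*)\*([0-9A-Fa-f]{2})\s*$")

def nmea_checksum(body):
    """XOR of every byte between '$' and '*'."""
    c = 0
    for b in body.encode("ascii"):
        c ^= b
    return c

def format_sentence(body):
    return "$%s*%02X" % (body, nmea_checksum(body))

def parse_sentence(line):
    """Return the comma-separated fields, refusing anything with a bad checksum.
    One flipped byte on a noisy serial line must not turn into a bogus timestamp."""
    m = _SENTENCE.match(line.strip())
    if not m:
        raise ValueError("malformed NMEA sentence: %r" % line)
    body, expected = m.group(1), int(m.group(2), 16)
    actual = nmea_checksum(body)
    if actual != expected:
        raise ValueError("checksum mismatch: computed %02X, sentence says %02X" % (actual, expected))
    return body.split(",")

def valid_sentence(line):
    try:
        parse_sentence(line)
        return True
    except ValueError:
        return False

def rmc_utc(line):
    """UTC time from an RMC sentence, whichever talker produced it (GP, GN, GL...)."""
    f = parse_sentence(line)
    if not f[0].endswith("RMC"):
        raise ValueError("not an RMC sentence")
    if f[2] != "A":
        raise ValueError("receiver reports no valid fix; do not trust the time")
    hms, dmy = f[1], f[9]
    hh, mm, ss = int(hms[0:2]), int(hms[2:4]), int(hms[4:6])
    micro = int(round(float("0" + hms[6:]) * 1e6)) if len(hms) > 6 else 0
    dd, mo, yy = int(dmy[0:2]), int(dmy[2:4]), int(dmy[4:6])
    # Assumption: two-digit years 80-99 mean 19xx, the rest 20xx.
    year = 1900 + yy if yy >= 80 else 2000 + yy
    return datetime.datetime(year, mo, dd, hh, mm, ss, micro, tzinfo=datetime.timezone.utc)

def arrival_offset(line, received_at):
    """Seconds between the time a sentence carries and when it arrived on the port.
    Without PPS this serial/USB delivery latency, which varies from sentence to
    sentence, is what the NTP daemon ends up measuring. That variance is the
    jitter the post above talks about; the PPS edge has none of it."""
    return (received_at - rmc_utc(line)).total_seconds()

if __name__ == "__main__":
    print("fields:", parse_sentence(SAMPLE_RMC))
    print("UTC:   ", rmc_utc(SAMPLE_RMC).isoformat())
    now = datetime.datetime.now(datetime.timezone.utc)
    print("age of sample sentence in seconds:", arrival_offset(SAMPLE_RMC, now))
```

The sentence's own timestamp is whole seconds (or a few fixed decimals); it tells you which second the preceding PPS pulse marked, not when the second began. That is why the serial driver pairs the sentence with the PPS edge for the 15 microsecond figure, and why a USB receiver that only delivers sentences cannot do better than the delivery jitter.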