When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
Why not just use Akismet.com? It works great.
My small blog was getting a modest amount of spam (about 150/day), and Akismet would miss maybe one every few months. Not bad, but having to sort through the messages in the spam queue was really annoying. I found a decent compromise: messages flagged by Akismet were presented with a captcha. If the captcha was completed successfully, the message went into the moderation queue (as it was still spammy enough to trip Akismet). If not, the message was permanently deleted. This has no effect on my commenters, as they don't trip Akismet, and there hasn't been a single message to get through yet.
Probably doesn't scale to enormous sites, but works well for small ones. For what it's worth, I'm using the standard WordPress Akismet plugin and Conditional Captcha.
BigLumber.com, a site for people to arrange PGP key signing events, does something similar.
The user associates a PGP public key with their account, and the server makes sure the email address in the key and the email address in the BigLumber account match, generates a unique login URL, encrypts it to the user's public key, and sends it to their email. If the user can decrypt the email and click the login URL, they are granted access.
Simple, straightforward, and completely out of the range of capabilities of the average user, unfortunately.
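The challenge-response login described in the comment above, as an added example that is neither BigLumber's code nor the commenter's. It assumes RSA-OAEP as a stand-in for PGP encryption, stores the e-mail bound to the key beside the key (a real PGP key carries it in a user ID packet), and uses a placeholder host. The server-side properties worth noticing are the e-mail match check before anything is issued, a random single-use token with a bounded lifetime, and a constant-time comparison when it is redeemed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// loginBase is a placeholder host, not BigLumber's real URL.
const loginBase = "https://example.invalid/login?token="

// Account is a constructed stand-in for a user record. KeyEmail models the
// address embedded in the uploaded PGP key (assumption: stored beside the key).
type Account struct {
	Email    string
	KeyEmail string
	PubKey   *rsa.PublicKey
}

type pending struct {
	email   string
	expires time.Time
}

// Server keeps issued tokens until they are redeemed once or expire.
type Server struct{ tokens map[string]pending }

func NewServer() *Server { return &Server{tokens: map[string]pending{}} }

// IssueChallenge refuses mismatched addresses, mints a random one-time token,
// and returns the login URL encrypted to the account's public key.
func (s *Server) IssueChallenge(acct Account) ([]byte, error) {
	if acct.Email != acct.KeyEmail {
		return nil, errors.New("e-mail in key does not match account e-mail")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.tokens[token] = pending{email: acct.Email, expires: time.Now().Add(15 * time.Minute)}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, acct.PubKey, []byte(loginBase+token), nil)
}

// Redeem authenticates the holder of a token: single use, bounded lifetime,
// constant-time comparison so timing does not reveal which tokens exist.
func (s *Server) Redeem(token string) (string, error) {
	for t, p := range s.tokens {
		if subtle.ConstantTimeCompare([]byte(t), []byte(token)) == 1 {
			delete(s.tokens, t)
			if time.Now().After(p.expires) {
				return "", errors.New("token expired")
			}
			return p.email, nil
		}
	}
	return "", errors.New("unknown or already used token")
}

// UserDecrypt models the user opening the mail with their private key and
// pulling the token out of the URL they would click.
func UserDecrypt(priv *rsa.PrivateKey, mail []byte) (string, error) {
	url, err := rsa.DecryptOAEP(sha256.New(), nil, priv, mail, nil)
	if err != nil {
		return "", err
	}
	return strings.TrimPrefix(string(url), loginBase), nil
}

// RunFlow exercises the whole exchange and reports the authenticated e-mail,
// the error from replaying the same token, and the error from a key whose
// e-mail does not match the account.
func RunFlow() (email string, replayErr, mismatchErr error, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	srv := NewServer()
	acct := Account{Email: "alice@example.invalid", KeyEmail: "alice@example.invalid", PubKey: &priv.PublicKey}
	mail, err := srv.IssueChallenge(acct)
	if err != nil {
		return
	}
	token, err := UserDecrypt(priv, mail)
	if err != nil {
		return
	}
	if email, err = srv.Redeem(token); err != nil {
		return
	}
	_, replayErr = srv.Redeem(token)
	_, mismatchErr = srv.IssueChallenge(Account{Email: "alice@example.invalid",
		KeyEmail: "mallory@example.invalid", PubKey: &priv.PublicKey})
	return
}

func main() {
	email, replayErr, mismatchErr, err := RunFlow()
	fmt.Println("login:", email, err, "| replay:", replayErr, "| mismatch:", mismatchErr)
}
```

The token map is in memory only for the demonstration; a deployment would persist it with the expiry and delete on redemption exactly as `Redeem` does, since a token that can be replayed turns one intercepted mail into a permanent credential.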
That is precisely what it means.
Most impressive.
Maybe by looking for planetary transits?
My research group looks at already-known transits and gets more detailed information than the original discovery paper, but the HATnet project -- http://en.wikipedia.org/wiki/HATNet_Project -- (who discovered most of the planets we look at), uses completely automated methods. Even so, they can't look at every star, and so there's always some data that goes un-analyzed.
Very cool that this guy made these discoveries with public data.
Perhaps the benefits of using something like 1Password to generate unique/random passwords outweigh the risk/possibility of the above happening --- in the sense that it is more likely that signing up for a random website with the same email/password you used for your email account and paypal will lead to a compromise of something important.
That's precisely my logic behind using LastPass; their business is building a secure password manager. They can afford to specialize on that, while I can focus on my business.
I'm less worried about LastPass misusing my passwords than I am about bad guys compromising other sites (like Gawker) and re-using non-unique passwords. Sure, bad guys might try guessing my LastPass password, but their system locks out accounts after a few failed attempts, and I have my account set to require two-factor authentication from untrusted computers. To me, the benefits far outweigh the risks. If I had missile launch codes or other codes to critical things, I'd have to reevaluate my requirements, but for my purposes a service like LastPass fits the bill.
Print them out?
I have a small fire-resistant chest in my house that I use for holding important documents like passports, tax information, car service records, and the like. It'd be the perfect place to keep a list of commonly-used passwords.
For work-related passwords, why not keep a paper with important passwords kept in a secure location? We have some of the root passwords for work systems written on an index card taped to the inside of the server room door; only admins have keys to the room. If a bad guy gets physical access to the room, we're already boned, so we've judged it to not be a major risk.
The point of TFA is that it isn't worth worrying about that, though... in a world where people just brute force the hash rather than trying to guess your password, there isn't really any difference in the strength of your password, whether it's "123456" or "Idtawgmp0fw@12qpTT78v!^y23".
I respectfully disagree.
To the best of my knowledge, rainbow tables for unsalted, printable-ASCII passwords are useful for passwords up to about 14 characters. Using a longer password would make it less likely that bad guys would have created rainbow tables for it. Generating tables for all passwords up to 20 characters in length would be a very large undertaking. Tables up to 30 characters would be exceedingly resource intensive.
Naturally, it would be best if sites used reasonable methods of protecting passwords (e.g. a hash composed of the username, password, and salt), but having site-unique, long passwords (whether stored at LastPass or elsewhere) does help limit the damage of any compromise.
...and any admin worth their salt will have the system lock accounts (or require some sort of two-factor authentication, like SMS) that are being attacked in such a manner.
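The storage scheme the comment above recommends (a hash over username, password and a per-user salt), as an added example that is not from the commenter or any of the sites mentioned. It implements PBKDF2 with HMAC-SHA256 from RFC 8018 directly on the standard library, binds the derivation to the username plus 16 random salt bytes, and checks the stored digest in constant time. The iteration count and the sample usernames are constructed values; the point it demonstrates is that two accounts with the same password get unrelated digests, so a table precomputed for one salt tells an attacker nothing about any other account.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const iterations = 20000 // constructed for the demo; tune upward in production

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := func(data []byte) []byte {
		m := hmac.New(sha256.New, password)
		m.Write(data)
		return m.Sum(nil)
	}
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		ctr := make([]byte, 4)
		binary.BigEndian.PutUint32(ctr, block)
		u := prf(append(append([]byte(nil), salt...), ctr...))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			u = prf(u)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Record is what the site stores; the password itself is never kept.
type Record struct {
	Username string
	Salt     []byte
	Iter     int
	Hash     []byte
}

// saltFor mixes the username into the salt so the digest is bound to the
// account as well as to the random salt.
func saltFor(username string, salt []byte) []byte {
	return append([]byte(username+"\x00"), salt...)
}

// HashPassword creates a fresh random salt and derives the stored digest.
func HashPassword(username, password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	hash := pbkdf2SHA256([]byte(password), saltFor(username, salt), iterations, 32)
	return Record{Username: username, Salt: salt, Iter: iterations, Hash: hash}, nil
}

// VerifyPassword recomputes the digest with the stored parameters and compares
// in constant time.
func VerifyPassword(rec Record, password string) bool {
	cand := pbkdf2SHA256([]byte(password), saltFor(rec.Username, rec.Salt), rec.Iter, 32)
	return subtle.ConstantTimeCompare(cand, rec.Hash) == 1
}

// HashesDiffer reports whether two accounts sharing a password store
// different digests, which is what defeats a precomputed table.
func HashesDiffer(password string) (bool, error) {
	a, err := HashPassword("alice", password)
	if err != nil {
		return false, err
	}
	b, err := HashPassword("bob", password)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(a.Hash, b.Hash), nil
}

func main() {
	rec, _ := HashPassword("alice", "correct horse battery staple")
	fmt.Println("stored:", hex.EncodeToString(rec.Hash))
	fmt.Println("correct password accepted:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password accepted:  ", VerifyPassword(rec, "123456"))
	differ, _ := HashesDiffer("123456")
	fmt.Println("same password, two users, different digests:", differ)
}
```

The iteration count is stored with the record so it can be raised later without invalidating existing accounts: on a successful login the site simply re-hashes with the new count.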
And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?
Actually, yes. LastPass.com makes it trivial.
I've changed most of my passwords to long, pseudo-random passwords and store them with LastPass (I also keep a backup locally, Just In Case).
Disclaimer: Although I'm a LastPass user (and pay for the Premium service), I have no other connection with the company.
True, but generating appropriate keys, choosing sane settings, managing keys appropriately, dealing with the Web of Trust, etc. can be quite challenging for many.
The concept of asymmetrical keys and how they work can be difficult for many to understand. It's not unheard of for users to generate a key using the intended recipient's name and email address, then try to use it to send them mail. See http://gaudior.net/alma/johnny.pdf for a usability study of an admittedly old Mac version of PGP.
I routinely use GPG, as do several of my technically-minded colleagues, but even they frequently get mixed up on some of the details.
Click on the "stop sign" icon for Adblock in Firefox, then select "Disable on [sitename]" or "Disable on this page only".
Of course, there's no way to know if the ad is trustworthy before loading it...
Also, their free and paid certs are issued from different intermediate certificates that are chained back to the same root. Browsers have the root in their "trusted CA" list, but you, the server admin, need to supply the appropriate intermediate to complete the chain. They are available from http://www.startssl.com/certs/
For example, if you're using a free, Class 1 server cert, you need to configure your server to supply both the server cert and the sub.class1.server.ca.crt intermediate certificate. If you're using a paid, Class 2 server cert, you need to supply the server cert and the sub.class2.server.ca.crt intermediate.
Many CAs use such chained intermediate certs these days, so it's not uncommon.
Server certs issued by CAs have the "Not a CA" flag set. You cannot use server certs to sign other certs.
Well, I suppose you COULD, but no client worth their salt would trust them.
Some CAs offer managed-intermediate-root services where they host an intermediate root for your company and provide you with an interface for issuing/revoking/etc. certificates for your organization, but that's often overkill. It's also not cheap.
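An added example covering the two comments above (the need to supply the intermediate alongside the server cert, and the fact that a server cert carrying the "not a CA" basic constraint cannot act as an issuer). It is not StartSSL's code or the commenter's; it builds a constructed three-level hierarchy in memory with Go's crypto/x509, runs the client-side chain verification once without and once with the intermediate, and then shows that a certificate signed by the non-CA server cert fails the signature-authority check that any standards-compliant client performs. The names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// template builds a CA or an end-entity template; only CAs get the
// cA basic constraint and the keyCertSign key usage.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// Hierarchy mirrors the layout in the comments: root -> class intermediate -> server cert.
type Hierarchy struct{ Root, Intermediate, Server *certPair }

func BuildHierarchy() (*Hierarchy, error) {
	root, err := issue(template("Constructed Root CA", true, 1), nil)
	if err != nil {
		return nil, err
	}
	inter, err := issue(template("Constructed Class 1 Intermediate", true, 2), root)
	if err != nil {
		return nil, err
	}
	srv, err := issue(template("www.example.invalid", false, 3), inter)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, Server: srv}, nil
}

// VerifyServer is the browser's view: it trusts only the root. withIntermediate
// models whether the server admin configured the intermediate to be sent.
func (h *Hierarchy) VerifyServer(withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(h.Root.cert)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "www.example.invalid"}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(h.Intermediate.cert)
	}
	_, err := h.Server.cert.Verify(opts)
	return err
}

// SignWithServerCert tries to use the non-CA server cert as an issuer and
// returns the error a client raises when checking that signature.
func (h *Hierarchy) SignWithServerCert() error {
	child, err := issue(template("other.example.invalid", false, 4), h.Server)
	if err != nil {
		return err
	}
	return child.cert.CheckSignatureFrom(h.Server.cert)
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("without intermediate:", h.VerifyServer(false))
	fmt.Println("with intermediate:   ", h.VerifyServer(true))
	fmt.Println("signed by server cert:", h.SignWithServerCert())
}
```

The first verification fails because the client holds only the root and has no way to get from the server cert back to it; the second succeeds once the intermediate is in the set the server presents. That is the same gap a browser reports as an untrusted issuer when an admin installs the server cert alone.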
GoDaddy certs are also available for ~$13/year. Search for "godaddy ssl" on Google with AdBlock turned off, and there are ads on the side for the promotion.
Direct link with their promotional code: http://www.godaddy.com/Compare/gdcompare_ssl.aspx?isc=sslqgo024c
Disclaimer: I have no connection, financial or otherwise, with GoDaddy or the Google ads. As far as I can tell, the ads are run by GoDaddy themselves. This is not part of any referral program, and I receive nothing in exchange for the link above.
If by "nice colored emblem", you mean the blue indicator next to the address bar and the padlock icon in the bottom-right, yes. It works fine. No scary warnings or anything. Such standard SSL certificates are fully trusted by Firefox, and are free of charge.
If, however, you mean the green Extended Validation indicator next to the address bar, this also works fine, but costs a bit of money. Not a big deal.
Either way, the browser will trust the cert without warnings.
Yes, it will be more transparent to the user than using a self-signed certificate. Self-signed certificates present scary warnings, as they are not signed by a trusted CA. StartSSL-issued certs are trusted by many browsers. See http://www.startssl.com/?app=40
StartSSL certs are accepted without warnings by Android and iPhone.
They changed root certs several years ago. The new root is included in Firefox and many other browsers by default. See http://www.startssl.com/?app=40
The cert doesn't come out-of-the-box with Windows, but the first time someone visits a site with a StartSSL-issued cert and a browser that uses the Windows cert store (IE, Chrome, etc.), Windows will check with Microsoft's online cert store and download the root. This takes a few seconds, but only needs to be done once. After it gets the root from Microsoft, it keeps it locally. This works fine for regular, internet-connected systems, but on a completely isolated intranet it may be problematic.
I imagine he is...which is why he offers this service. One of the services mentioned is off-site backups in a secure location. I can't imagine a location much more secure than under a mountain in Switzerland.
I doubt that his facility would be used for the sole storage of data, but as a secondary site for backups. Then again, CrashPlan/Carbonite/Mozy offer sufficient security and redundancy for most people's needs for a lot cheaper, so I don't think there's a huge market for nuclear-hardened data centers. I could be wrong though.
They also offer online backup at the same location: http://www.mount10.ch/english/index.html
Their web design sucks, though.
I imagine the courier thing is for exceedingly sensitive information.
OpenDNS only does the "domain helper" thing for non-registered users.
Register for an account, specify the IP address (or range) that you'll be making queries from (e.g. your home router), and you can disable all of that. I've been doing that for years with no problems. Way better than Cox's DNS service, which rewrites all TTLs to 30s.
If your home router supports dynamic DNS updating, you can have the router update OpenDNS (I use their DNS-O-Matic service, which also updates DynDNS and EveryDNS) whenever your system gets a new IP address so the settings stick with you, even if the IP address changes.
I recall the pre-Flash Video days.
Say what you will about Flash, but it is a hell of a lot better than RealVideo and its player.
With Flash, one need only install a single browser plugin and gain access to rich multimedia (audio [e.g. Pandora], video [YouTube, Hulu, etc.], and more) with essentially no problems. Sure beats the alternative of requiring various plugins and players for each codec (e.g. QuickTime player). HTML5 is promising, but isn't there yet.
Yes, there's a lot to be desired in Flash (for my workplace, it's non-managed updates and updates requiring admin privileges), but I prefer it to the alternatives.
That said, using Flash as a website layout tool is obnoxious and stupid. Using it as a multimedia plugin/viewer, that's fine.
I wasn't aware that Windows 7 and the Xbox/Xbox 360 counted as "failures". Who knew?
As bad as this would likely be, I can think of a single benefit: Adobe patches being deployable over WSUS.
At my work, I maintain the WSUS server that manages updates for a few hundred Windows PCs. Centralizing Windows Updates is a Good Thing, but we still have to send a minion around every month or so to make sure that Flash, Adobe Reader, Acrobat Pro, and non-MS browsers have all their patches. Being able to keep common threat vectors (Flash and Adobe Reader) patched easily and centrally managed would be a huge improvement. I'd imagine it being even better for larger organizations.
If a different username is on their login they start screaming for help as if they have forgotten their own names.
*sigh* This happens at work all the time.
Windows XP caches the last-used username and domain (be it the domain or the local computer name) in the login screen. We frequently do hands-on maintenance on computers and so change the "Log in to..." field from the domain to the local computer name, then use the local admin account. We can't change it back to the domain and the user's old username without knowing their password (which we don't have). Every single one of the hundreds of users we support is fine with this, and knows to change the username from "administrator" back to their username, and the "Log in to..." field to the domain. This one user doesn't, and freaks out every time this happens, even claiming that "administrator" is trying to "hack" her computer. We've explained this to her a few dozen times, but it just doesn't click.
We also migrated users from using Outlook for calendar purposes and they now use Google Calendar. Again, everyone understands how this works except for this one user. We walked her through setting up a new Google Account, got her Outlook data imported, and everything was working fine. A few weeks later, the Google login cookie expired, and it prompted her for her Google Account and password. This was outside of her brain's Standard Operating Procedure, so she followed the previous steps we provided, then freaked out when "all of [her] calendar data is gone! It's been hacked! I have to type in hundreds of things all over again by hand!". Turns out she just created a new Google Account, set up the calendar again, but didn't import any of the Outlook data. Naturally, the new account didn't have her information. After finally figuring out what was going on, we had her remember her old Google Account information, log back in, and everything returned. Convincing her that her information had not been hacked and that she's likely to need to log into her Google Account at intervals in the future was difficult, but seems to have stuck.
Although the pay and benefits are nice and it's funding my time in grad school, some days I hate my job.
Well, Google *does* have a substantial database of malicious sites, spammers, etc. that they already use in their SafeBrowsing API that browsers like Chrome and Firefox use.
Presumably they'd be able to block the vast majority of such sites and check at intervals to ensure that linked sites remain non-malicious.
And?
There are plenty of competitors who offer similar shortening services and who also track users and generate statistics.
Personally, I think the tracking/statistics is kinda neat. For example, the link http://goo.gl/d2dh points to http://www.slashdot.org/, and the info page is available at http://goo.gl/info/d2dh -- I like the fact that they create a QR code for the shortened URL, which makes it easy to share with mobile users (no need to separately generate the code).