Slashdot Mirror


User: tepples

tepples's activity in the archive.

Stories: 0
Comments: 68,260

Comments · 68,260

  1. Offline? on Could 2018 Be The Year of the Linux Desktop? (gnome.org) · · Score: 3, Insightful

    Chromebooks are Linux.

    So are TiVo DVRs. What they have in common is that their userland locks the user out of doing several classes of task.

    Now that virtually all apps are moving to the Linux-powered cloud

    I ride the city bus to and from my day job, and buses in my city do not provide Wi-Fi to riders. Let me know when I can run apps that have "mov[ed] to the Linux-powered cloud" during the commute without having to spend hundreds of dollars per year on a cellular Internet plan on top of what I'm already paying for Internet access at home.

    Also let me know when specialized apps, such as machine-level debuggers for NES ROMs, have "mov[ed] to the Linux-powered cloud". I currently use FCEUX in Wine to step through instructions in the video games that I program for my second job.

    Developer mode? More like "by turning on the device and pressing two keys as prompted, someone can erase all your unpushed work" mode.

  2. Block third-party resources on Firefox 57's Speed Secret? Delaying Requests from Tracking Domains (zdnet.com) · · Score: 1

    So if someone can come up with a characteristic specific to tracking, I can block only those pages and allow the ads that support my favorite web sites.

    A site with ads but no tracking will have its own store front where advertisers can buy ad space. This process doesn't need to place third-party cookies or images on viewers' devices. Therefore, to block tracking, block the loading of resources from unaffiliated domains. Use the Public Suffix List to find which hostnames are part of the same domain, and add cookieless domains used for static resources to a whitelist if they're obviously operated by the same publisher. Yes, this breaks CDNs used to deliver widely used script frameworks, such as jQuery, but a lot of tracking haters on Slashdot also seem to think script in the browser should never have existed anyway.
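    Worked example of the rule described above (added here; this is not code from tepples's comment). It applies the Public Suffix List matching algorithm to decide whether a resource host is part of the same registrable domain as the page, and otherwise blocks it unless the publisher has listed it as one of its own cookieless static hosts. PSL_RULES is a constructed excerpt of the real list, chosen to exercise plain, wildcard and exception rules, and FIRST_PARTY_ALLOWLIST is a hypothetical publisher whitelist.

    ```python
    # Added example: same-site check for resource loads using Public Suffix List
    # rules. PSL_RULES is a constructed excerpt of the real list (plain rules,
    # a wildcard rule and its exception), not the full list.
    PSL_RULES = {"com", "net", "org", "uk", "co.uk", "github.io", "*.ck", "!www.ck"}

    # Cookieless static-asset hosts obviously run by the same publisher.
    # Hypothetical mapping: page's registrable domain -> allowed resource domains.
    FIRST_PARTY_ALLOWLIST = {"example.com": {"examplestatic.net"}}


    def _labels(host):
        return host.lower().rstrip(".").split(".")


    def public_suffix(host):
        """Return the public suffix of host per the PSL matching algorithm."""
        labels = _labels(host)
        n = len(labels)
        # An exception rule (e.g. !www.ck) wins outright; the public suffix is
        # the rule with its leftmost label removed.
        for i in range(n):
            tail = labels[i:]
            if len(tail) > 1 and "!" + ".".join(tail) in PSL_RULES:
                return ".".join(tail[1:])
        # Otherwise the prevailing rule is the longest matching plain or
        # wildcard rule; with no match, the implicit "*" rule makes the TLD
        # alone the public suffix.
        best = 1
        for i in range(n):
            tail = labels[i:]
            plain = ".".join(tail)
            wild = "*." + ".".join(tail[1:]) if len(tail) > 1 else None
            if plain in PSL_RULES or wild in PSL_RULES:
                best = max(best, len(tail))
        return ".".join(labels[n - best:])


    def registrable_domain(host):
        """eTLD+1 of host, or None when host is itself a public suffix."""
        labels = _labels(host)
        k = public_suffix(host).count(".") + 1
        if len(labels) <= k:
            return None
        return ".".join(labels[-(k + 1):])


    def allow_request(page_host, resource_host):
        """Allow a resource only from the page's own registrable domain or from
        a publisher-operated static domain on the allowlist."""
        page_site = registrable_domain(page_host)
        resource_site = registrable_domain(resource_host)
        if page_site is None or resource_site is None:
            return False
        if page_site == resource_site:
            return True
        return resource_site in FIRST_PARTY_ALLOWLIST.get(page_site, set())


    if __name__ == "__main__":
        for page, res in [("www.example.com", "ads.tracker.net"),
                          ("www.example.com", "static.examplestatic.net"),
                          ("www.example.com", "code.jquery.com"),
                          ("alice.github.io", "bob.github.io")]:
            verdict = "allowed" if allow_request(page, res) else "blocked"
            print(page, "->", res, verdict)
    ```

    The github.io case shows why the PSL, not a naive "last two labels" rule, is needed: alice.github.io and bob.github.io are different sites, so one user's page does not get to load resources from another's. The jquery.com case is the CDN breakage the comment accepts as the cost of this rule.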

  3. Ads without tracking on Firefox 57's Speed Secret? Delaying Requests from Tracking Domains (zdnet.com) · · Score: 1

    So what's the difference between an advertising site and a tracking site?

    A publisher* that doesn't track your browsing across multiple websites will sell its ad space directly to advertisers and host its own ads rather than handing the ad space off to a third party ad network or ad exchange. Daring Fireball and Read the Docs are examples.

    * A "publisher" is a site that shows ads, and an "advertiser" is a company that pays a publisher for ad space.

  4. Re:Easy peasy on The Lower Your Social Class, the 'Wiser' You Are, Suggests New Study (sciencemag.org) · · Score: 4, Informative

    It might have something to do with the fact that the Lifeline phone program (which the woman called "Obama phone") was started under Ronald Reagan and expanded to mobile phones under George W. Bush. It was already a done deal before Obama became President.

  5. Social assistance while underemployed on The Lower Your Social Class, the 'Wiser' You Are, Suggests New Study (sciencemag.org) · · Score: 1

    In the USA, Obamacaid (Medicaid as expanded by the ACA) and SNAP (food aid, formerly the Food Stamp Program) are available to the underemployed as well as to the unemployed.

  6. Re:Weak argument against login username obfuscatio on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    Thirty accounts done sequentially is not "at the same time."

    I am aware of that. Closely spaced sequential actions don't have to be "at the same time" to activate an automatic rate limiter.

  7. 35-bit addressing on Nvidia To Cease Producing New Drivers For 32-Bit Systems (arstechnica.com) · · Score: 1

    The compression scheme you describe is equivalent to 35-bit addressing. At the trend of 18 months per density doubling associated with Gordon Moore, it buys you four and a half years. Which common types of workload are larger than 4 GB but smaller than 32 GB?

  8. Your solution to IPv4 address exhaustion on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    Carrier-grade or not, [being behind NAT] is not Internet. That is a content consumption service.

    The world's population exceeds the number of IPv4 addresses. Therefore, it's impossible to provide Internet including IPv4 to everyone. Whom would you leave out? Or would you consider a service that allows inbound and outbound IPv6 but provides no IPv4 routing at all to be "Internet"?

  9. Re:read a book on Airlines With the Best In-Flight Wi-Fi (latimes.com) · · Score: 1

    Good luck fitting many dead-tree books into your carry-on weight allowance. And it can become expensive to acquire dead-tree versions of public domain or purchased ebooks if you're traveling for more than two weeks, as you will lack opportunity to return to your local public library in time to return a borrowed book.

  10. Re:Weak argument against login username obfuscatio on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    Thirty accounts provisioned in thirty minutes, one each minute, is still technically "one at a time". But thirty accounts in thirty minutes would still be likely to activate a rate limiter. So my next question is what approximate rate you meant by "one at a time".

  11. Re: Why 64bit is faster than 32bit? on Nvidia To Cease Producing New Drivers For 32-Bit Systems (arstechnica.com) · · Score: 1

    And if your data structures are heavy in pointers or pointer equivalents (such as unique or shared pointers), you pay for 64-bit in more data cache misses and more swaps (that is, RAM misses). Some developers tried to solve this with the "x32" ABI, which is x86-64 except pointers are 32-bit, but I don't remember that ever catching on.

  12. Re:Weak argument against login username obfuscatio on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    You shouldn't ever have ten "legitimate" users behind one IP creating new accounts at the same time

    Ever?

    Say an Internet literacy class at a high school needs to provision students' accounts on various services. For example, if a Wikipedia student assignment is part of the course, students might need an account with which to edit. How would this be done?

  13. Re:Incomplete counterargument on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    I wasn't commenting about sites (like /.) that allow the general public to create accounts.

    Thank you for clarifying. I appear to have misguessed that you were recommending that sites stop allowing the general public to create accounts through an automated process.

  14. If a website sends a confirmation email for a login attempt, or for an attempt to create an account that already exists, then it is a mailbomb waiting to happen.

    Tell that to the operator of any Internet service that uses two-factor authentication where ability to receive a code through email, SMS, or voice call is the second factor.

  15. Re:A thousand subscribers behind a NAT on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    If you are not _really_ connected to the Internet, that's a YP, not an MP.

    When the majority of users of the Web have YP in some form or another, this overall imperfection becomes MP.

  16. Re:Incomplete counterargument on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    The argument that saying "username or password is incorrect" is silly because hackers can just try to create accounts to discover usernames only applies to systems that allow the general public to create accounts.

    How else would you have preferred that Slashdot furnish you with the account JohnFen?

  17. at LEAST have the decency to furnish the number of somebody (available 24/7/365) who CAN figure out whom they need to contact and tell them.

    Is it acceptable to make this "somebody" an international call for at least some of your user base, particularly in countries where you do not have an office?

  18. Re:Weak argument against login username obfuscatio on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    RATE LIMIT USERNAME CHECKS for example by using a Proof of Work in the browser

    But how do you balance this Proof of Work so that a legitimate user with a mobile phone can complete it in a reasonable time but an attacker with a beefy GPU cannot?

    Or If you try 10 usernames in 5 minutes on the signup page, then throttle or block.

    How would that work if you have ten legitimate users behind one IP address logging in at the start of their workday?

  19. Re:Their solution is no feedback on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    I think this will really confuse people who legitimately try to sign up for a service, and don't get any feedback. That confirmation email might take a few minutes to make it to the user's Inbox. Or maybe they won't realize they will get an email confirmation.

    Of course they'll get feedback.

    Check your email

    Signup progress: Step 2 of 3
    Enter your email address > Check your email > Profile and password

    We've sent an email message to jhall@freedos.example that should arrive in a few minutes. This message has the next step of how to get on board.

    Click the link in the email, or enter the validation code below:
    [_______________]

  20. A thousand subscribers behind a NAT on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    You throttle EVERYTHING. Signups from an IP. Logins from an IP.

    Good luck with that if you have a substantial number of legitimate users in countries with an insufficient allocation of IPv4 addresses. The IP address of a carrier-grade network address translation (CGNAT) appliance may represent a thousand subscribers or more. Consider what happened 11 years ago when a Wikipedia administrator inadvertently blocked editing from the entirety of Qatar.
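    Worked example for this comment and for comment 18 above (added here; not code from tepples's comments): a sliding-window rate limiter run over two constructed traffic samples. With the limiter keyed on source IP alone, thirty office users behind one CGNAT address, each logging in once at the start of the workday, trip a "10 per 5 minutes" limit exactly as an attacker probing thirty usernames from one address does. Keying on (IP, username) instead leaves the office users alone but also leaves the enumeration attempt unthrottled. The addresses are from the documentation ranges and the limit values are assumptions.

    ```python
    # Added example: a per-key sliding-window limiter and two constructed
    # traffic samples showing the per-IP vs per-(IP, user) trade-off.
    import collections


    class SlidingWindowLimiter:
        """Allow at most `limit` events per `window` seconds for each key."""

        def __init__(self, limit, window):
            self.limit = limit
            self.window = window
            self.events = collections.defaultdict(collections.deque)

        def allow(self, key, now):
            q = self.events[key]
            # Drop timestamps that have fallen out of the window.
            while q and q[0] <= now - self.window:
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


    def simulate(requests, key_fn, limit=10, window=300):
        """Run (time, ip, username) requests through a limiter keyed by key_fn.
        Returns the usernames whose request was blocked."""
        limiter = SlidingWindowLimiter(limit, window)
        return [user for t, ip, user in requests
                if not limiter.allow(key_fn(ip, user), t)]


    # Constructed traffic: 30 distinct users behind one CGNAT address, one login
    # each, ten seconds apart (203.0.113.0/24 is a documentation range).
    OFFICE = [(i * 10, "203.0.113.7", "user%02d" % i) for i in range(30)]

    # Constructed traffic: one attacker probing 30 candidate usernames from one
    # address at the same pace.
    ATTACKER = [(i * 10, "198.51.100.9", "guess%02d" % i) for i in range(30)]


    def key_per_ip(ip, user):
        return ip


    def key_per_ip_user(ip, user):
        return (ip, user)


    if __name__ == "__main__":
        for name, traffic in (("office", OFFICE), ("attacker", ATTACKER)):
            print(name, "per-IP blocked:", len(simulate(traffic, key_per_ip)))
            print(name, "per-(IP,user) blocked:",
                  len(simulate(traffic, key_per_ip_user)))
    ```

    Neither key distinguishes the two samples, which is the comment's point: a limit that is tight enough to slow enumeration from one address is tight enough to lock out a shared address.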

  21. I don't want it to be easy for people to check my email address against random websites looking for where I have accounts.

    If someone tries to create an account for mightyyar@zorlonmail.example, then you'll receive the confirmation message instead of the attacker.

  22. Require email login, not username login on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 3, Informative

    Requiring users to log in with an email address, as opposed to a username, doesn't disclose that the account exists. If you try to create an account for an address that you do not control, you will not receive the verification message. If you try to create an account for an address that you do control and which already has an account, you'll begin a password reset instead.
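    Worked example of the signup flow described above (added here; not code from tepples's comment). The "enter your email address" step returns the same response whether or not the address already has an account; the only difference is which message lands in the mailbox, so a request for an address you do not control (the concern in comment 21) tells you nothing and only alerts the owner. A per-address send cap, labelled as an assumption, addresses the mailbomb concern raised in comment 14. The account table, outbox and pending-token table are constructed in-memory stand-ins, and password hashing is left out of this block.

    ```python
    # Added example: email-address signup that never discloses whether an
    # account exists. All state is a constructed in-memory stand-in.
    import hashlib
    import secrets

    ACCOUNTS = {"jhall@freedos.example": {"password": "old-secret"}}
    OUTBOX = []        # messages the mail relay would send
    PENDING = {}       # sha256(token) -> (action, address)
    SENT = {}          # address -> messages sent in the current window
    SEND_LIMIT = 3     # assumption: cap per address per window, against mailbombing


    def normalize(email):
        return email.strip().lower()


    def _token_key(token):
        # Store only a hash of the token so a leaked PENDING table is useless.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


    def start_signup(email):
        """Step 1: the requester always sees 'check your email'.

        An existing address gets a password-reset message; a new one gets a
        verification message. Nothing in the return value depends on which.
        """
        addr = normalize(email)
        response = {"status": "check_your_email"}
        if SENT.get(addr, 0) >= SEND_LIMIT:
            # Keep the response identical, but stop sending.
            return response
        token = secrets.token_urlsafe(32)
        action = "reset" if addr in ACCOUNTS else "verify"
        PENDING[_token_key(token)] = (action, addr)
        OUTBOX.append({"to": addr, "action": action, "token": token})
        SENT[addr] = SENT.get(addr, 0) + 1
        return response


    def complete(token, new_password):
        """Step 3: consume the emailed token; create or reset the account.

        Returns the action performed, or False for an unknown or used token.
        Password hashing is omitted here to keep the block short.
        """
        entry = PENDING.pop(_token_key(token), None)
        if entry is None:
            return False
        action, addr = entry
        ACCOUNTS.setdefault(addr, {})["password"] = new_password
        return action
    ```

    Tokens are single-use (popped on completion) and only their hash is stored; the cap is deliberately silent so that the rate limit itself does not become a new signal about whether an address is in use.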

  23. Retrieve password hash, then verify it on 'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com) · · Score: 1

    Doesn't most software check username and password with a single query?

    No, at least not unless the query manager supports a salted slow hash as a built-in operation. As far as I'm aware, it's more common to SELECT the user ID and password hash (consisting of a salt, PBKDF2 iteration count, and hash value) WHERE the username or email address matches. Then the application runs PBKDF2 on the salt, count, and user-provided password, and compares the result to the stored hash value. (Use slow_memcmp(), not strncmp()!)
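    Worked example of the select-then-verify sequence described above (added here; not code from tepples's comment). The stored value carries the salt, iteration count and hash as one string, the application recomputes PBKDF2 from the user-supplied password, and the comparison uses a constant-time compare (Python's hmac.compare_digest, the equivalent of the slow_memcmp() the comment asks for). When the username has no row, a throwaway hash is verified anyway so that a missing user costs the same time as a wrong password. The users table is a constructed stand-in for the SELECT result, and the iteration count is an assumption kept low for speed.

    ```python
    # Added example: PBKDF2 password storage and verification with a
    # constant-time compare and equal-cost handling of unknown usernames.
    import base64
    import hashlib
    import hmac
    import os

    ALGO = "pbkdf2_sha256"
    ITERATIONS = 100_000   # assumption; kept low for the example, tune upward in production


    def _b64(data):
        return base64.b64encode(data).decode("ascii")


    def hash_password(password, iterations=ITERATIONS, salt=None):
        """Return 'pbkdf2_sha256$iterations$salt$hash' as it would be stored."""
        salt = os.urandom(16) if salt is None else salt
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


    def verify_password(stored, password):
        """Recompute PBKDF2 from the stored salt and count; compare in constant time."""
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGO:
            return False
        expected = base64.b64decode(dk_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     base64.b64decode(salt_b64), int(iterations))
        # Constant-time comparison: the slow_memcmp() of the comment, not strncmp().
        return hmac.compare_digest(actual, expected)


    # Constructed users table: username -> (user_id, stored hash), standing in
    # for "SELECT id, password_hash FROM users WHERE username = ?".
    USERS = {"alice": (1, hash_password("correct horse battery staple"))}

    # Hash of a random throwaway password, verified whenever the username is
    # unknown so that the two failure paths take the same time.
    DUMMY_HASH = hash_password(os.urandom(16).hex())


    def login(username, password):
        """Return the user id on success, None otherwise."""
        row = USERS.get(username)
        stored = row[1] if row else DUMMY_HASH
        ok = verify_password(stored, password)
        return row[0] if (ok and row) else None


    if __name__ == "__main__":
        print(login("alice", "correct horse battery staple"))   # 1
        print(login("alice", "wrong"))                          # None
        print(login("nobody", "anything"))                      # None
    ```

    Carrying the iteration count in the stored string is what lets the count be raised later: old rows keep verifying with their own count and can be rehashed on the next successful login.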

  24. Re:That's greaaaat on FCC Hits Sinclair With $13 Million Fine Over Ads (axios.com) · · Score: 1

    There are a few ways to go about it. The Congress has agreed to allow suits pursuant to the Federal Tort Claims Act of 1946 (28 USC 1346(b), 2671 et seq). For others, particularly cases involving an unconstitutional statute, the common legal fiction is to sue the Attorney General for an injunction against asserting the statute.

  25. Re: How to use a private CA with BYOD? on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 1

    That is an internal network?

    Yes. The resources in question are accessible only from within the library or home network, not through the Internet.