Slashdot Mirror


User: ljw1004

ljw1004's activity in the archive.

Stories: 0
Comments: 1,280

Comments · 1,280

  1. Re:Implementation not protocol on 1 Billion Mobile Apps Exposed To Account Hijacking Through OAuth 2.0 Flaw (threatpost.com) · · Score: 1

    Oauth 2.0 isn't all that complicated at all and to be honest it is you that should be going out and learning it not the developer. For most developers Oauth is just a library they have been told to use in order to secure their app, just like if you asked them what a syn/ack is they would also look at you dumbfounded.

    Strongly disagree. I think (1) every developer who incorporates networking code (directly or through a library) should always understand exactly what the network protocol is, and (2) it's conceptually impossible to "secure" your app by incorporating something you don't understand.

    Yes, I took two days out of my life to understand OAuth2.0 for my web app. I didn't fully get to grips with every possible OAuth2.0 flow; just the one that my app was going to use. I asked some security experts about bits that concerned me. I had been going to use a middleware library for it but discovered the only value-add provided by that library was "let you use OAuth2.0 without worrying about how it works" but that, once you understand how it works, the middleware was actually more complicated than it was worth.

  2. Re:Explain to me on DDoS Attack Halts Heating in Finland Amidst Winter (metropolitan.fi) · · Score: 1

    Why are these infrastructure computers reachable from the Internet?

    If I were a city council purchasing a heating system, and one option was 20% cheaper and could be controlled and configured by offsite engineers even in the middle of an impenetrable blizzard, while the other one couldn't -- then choosing the first (connected to internet) is a no-brainer.

  3. It's not a fscking TV, it's a phone, and a bezel is a feature, not a drawback. You know, an area that allows a case, (and my fingers), to have enough overlap to actually grip the phone securely

    I don't get it. How do you hold your phone that you need a bezel?

    Here's how I hold my phone - http://imgur.com/a/FOuhx - sort of how I hold a glass, with the bottom edge of the phone resting on my little finger, and the sides held in by my middle+ring fingers on one side and the pad of my thumb on the other. No need for a bezel.

    Actually, I can't even imagine how I'd hold a phone that would need a bezel. I had a look online. Here's a study of how 1300 people hold their phones - http://alistapart.com/article/... - and it looks like none of the main holds need a bezel.

  4. You don't have to do it yourself. Lots of people have looked at Keepass

    Okay, you (1) trust those people to have audited the code, (2) trust the website is offering you a download binary built from the code that was audited by those people, (3) trust that no one malicious has snuck in a modified binary.

    I trust the Lastpass employees to have audited their code, and the security professionals who recommend Lastpass. I *know* that I'm getting an authentic lastpass binary because of the way the Google and Apple store works.

    It's all down to a personal question of trust. I respect that you trust the people who looked at Keepass. You should respect that I trust the employees of Lastpass. When we offer people advice, we should both be careful not to give a blanket recommendation like "it's good because it's OSS", but rather a nuanced recommendation "you should balance the convenience to you, your trust of party XYZ, and your trust of party ABC, when choosing between tools 1 and 2".

  5. I haven't audited the code for Keepass. So my knowledge of the security of Lastpass and Keepass is equal (as it is for almost everyone else). So any advice you give to me or anyone else in my position shouldn't be based on your "knowledge" argument. And anytime you trot out your knowledge argument you should accompany it with the big caveat that it only applies to people who did steps 1-9.

    PS. You said you audited the code. I assume you meant "and I also compiled it locally and I also paid $100/year apple tax (unless you're an android user and you don't share your passwords with any family members who are iOS users) and I deployed all those locally compiled binaries too."

  6. You also can't know that your installation of Keepass is secure unless you've done steps 1-9. Have you? If the answer is no for you or anyone you're advising, then you should remove "know it is secure" from your list of arguments.

  7. No it isn't. I trust open source developers a hell of a lot more than I do any closed source company trying to make a buck. Ridiculous.

    Ah, now you're shifting goalposts. Your first was "you can't *know* it's secure". Now it's down to a personal trust preference. My personal trust preference is that I trust the Lastpass developers more than the Keepass developers.

  8. "Their servers only store an encrypted blob that they (the company) can't decrypt". You don't know that. Unless you can see the source you don't know anything about it.

    Technically true. But let's look at the equivalent Keepass steps:

    1. Download source code for desktop version
    2. Audit it
    3. Compile it locally
    4. Optional: encrypt the binary and store it somewhere in (say) dropbox if you want to avoid steps 1-3 each time in future
    5. Download source code for iOS version (say)
    6. Audit it
    7. Purchase $100/year Apple developer license
    8. Compile it locally
    9. Deploy the binary to your iOS device

    Unless you've gone through steps 1-9 yourself, then the difference between "trusting Keepass" and "trusting Lastpass" is immaterial.

  9. Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.

    Lastpass (the company) doesn't hold the keys to your kingdom. Their servers only store an encrypted blob that they (the company) can't decrypt. It only ever gets decrypted locally on your machine at the moment you type in your master password.

    Why would you want Lastpass? Because (1) it's really convenient - 99% of the time you want to enter a password it's the password to a web-page, and LastPass is already there; (2) you've heard from lots of security professionals that lastpass security is adequate.

  10. Less than 1% have malware on Google Security Engineer Claims Android Is Now As Secure As the iPhone (vice.com) · · Score: 5, Insightful

    "Less than 1% of Android phones have malware". Less than 140 million Android phones have malware.

  11. Re:They respond to warrants?! on Apple Shared User Data With Governments, Says WikiLeaks Email (dailydot.com) · · Score: 2

    Put a good password on your account, your backups, and good grief don't use the cloud. How hard is that?

    How hard is that? ... pretty much impossible. Don't get me wrong. I used to use my own personal linux server for documents and photos and music. Went through three machines over fifteen years, always with RAID, always with offsite backups. I wrote a frontend to let me browse photo thumbnails quicker than google drive or onedrive.

    But it was too hard to meet reasonable family needs. Too hard to share photos with (non-technical) family members. Too hard to automatically upload photos+videos from my phone. Too slow to share 100mb+ videos. Too hard to share a collaborative grocery list and the like. And when a problem happened (e.g. a RAID drive failure) it happened when I was up to my neck in work duties or diaper changing or whatever. Infants and unslept spouses don't appreciate that you're spending time administering your server rather than doing your share of childcare, and don't appreciate "I need to fix up the server" as a reason for why we can't update our family grocery list or calendar or to-do list. So the server limps along on only one drive for a month, or two months, and suddenly it's too precarious or out of commission for a while.

    If your use-case doesn't involve this much family sharing, or if you have the expertise and time to manage your server, then good for you. But I don't think "good grief don't use the cloud" is useful advice in general.

  12. Is employee diversity really irrelevant as you claim? Or does it have a beneficial effect on the bottom line? Or a negative one?

    http://www.mckinsey.com/busine...

    It looks to me like the research is mixed, but it does have possibility to affect commercial success (particularly in companies which do most of their work in one country but sell worldwide).

    So a business would be IRRESPONSIBLE not to look at diversity.

  13. Why linux on Windows? ...

    You want to develop on Visual Studio because it's an awesome dev environment, but bash is a much better solution for build/config scripts.

  14. Re: India is number 4? on India Ratifies The Paris Climate Change Agreement (npr.org) · · Score: 5, Informative

    Steel

  15. Re:.NET programmers have been waiting years on Microsoft Has More Open Source Contributors On GitHub Than Facebook and Google (thenextweb.com) · · Score: 5, Interesting

    I've been having a blast. I work at Microsoft on C#. But now that it's all open-source, I did things completely differently...

    I had an idea for a new C# language feature (more efficient async, saves up to 90% allocation in some benchmarks). I discussed it first on github with the public. Then I forked the official C# repository into my personal github account, did all the coding live on livecoding.tv. Once it was finished I took it to the official C# Language Design Team, who approved it. And it'll be in C#7!

    https://www.livecoding.tv/ljw1...

  16. Re:Who would have guessed? Tragedy of the commons on Google-Funded Free Wi-Fi Kiosks Are Scrapping Web Browsing Because Too Many People Were Using it For Porn (businessinsider.com) · · Score: 1

    Who would have guessed that a free service would be abused? It's almost like there should be a word or saying for that. Oh yea, there is: Tragedy of the Commons

    Tragedy of the Commons isn't about this case. Tragedy of the Commons is when there's a common resource, and individual self-interest results in that resource being depleted even though that's contrary to the collective group-interest.

    This doesn't apply at all in this case. The only plausible resource is "time on the tablet". It's not being depleted at any faster rate by one person using it exclusively than it would be if everyone shared time more equally.

  17. Oh capital idea. Free wi-fi, 1gig speeds, unlimited rice pudding!

          It is quite astonishing that erstwhile intelligent people still believe in the concept of "free". You will pay and pay heavily, because the government has no reason or motivation to control the overhead.

    Yes, it's like that with the National Health Service in the UK.

    Oh, sorry, my bad -- the UK government does a VASTLY better job controlling the overhead than does the US free market.

  18. Is that copyrighted too? Seriously, though, why did it need to get to the court level? Why didn't the copyright flunkies say, "Sorry, prior art. Tough noogies."?

    Either you've made a deliberately subtle joke by misusing three unrelated parts of Intellectual Property law (like talking about a film called "Trek Wars") or you've misunderstood all of it...

    • Copyright is for an original creative work, e.g. a book, a song, a creative way to order or layout existing non-copyrightable facts like a recipe. The concept of "prior art" is meaningless.
    • Patent is for original inventions that are non-obvious to a notional worker who's skilled in the field but has zero originality. The concept of "prior art" applies here.
    • Trademark is for a distinctive sign/logo/sound as used in a particular line of business. So although Nike trademarked "just do it" with the swish for their business, folk can still say "just do it" in other contexts.

  19. Re: Human Imperialism on Should We Seed Life On Alien Worlds? (sciencemag.org) · · Score: 1

    Q1. I think there are good reasons to think we can detect life even with simple probes. James Lovelock explained this well with his daisyworld thought experiment. He figured that the one characteristic of life is homeostasis, and widespread life would do that to the planet itself.

  20. Re: Did they collect risk and damage data? on Airbnb Unveils Changes To Address Racial Discrimination (npr.org) · · Score: 1

    Or they could show that individual variance is much larger than difference in race-based population averages. Implying that judging risk based on race is a poor predictor.

  21. Re:Because Lead is a fertilizer.. on Costa Rica Has Gone 76 Straight Days Using 100% Renewable Electricity (vox.com) · · Score: 3, Informative

    Along with lots and lots of primarily lead acid batteries for storage.
    You want to know where a good proportion of that lead ends up when batteries reach end of life?
    You want to know what lead does to the environment? The Wildlife? The People?

    Ah, but no, it's all pure shiny pretty warm nice solar power! Ignore the realities.

    Did you ignore the link in the thread you were replying to? Here it is again: http://www.npr.org/sections/pa...

    "The plant consists of five big industrial windmills and two lakes. On windy days — and there are plenty — the windmills harness the Canary Islands' Atlantic gusts. When production exceeds demand, such as at night, excess energy is used to pump water from a sea-level lake up into a natural volcanic crater half a mile uphill. When the wind dies down, the water is released down through a pipe connecting the two lakes. On its way, it passes through turbines, which generate hydro-power. Everything is connected with sensors so that within five seconds of the wind dying down, the hydro portion of the plant kicks in. For island residents, the lights don't even flicker."

    I don't think the lake is made out of lead acid batteries...

  22. Re: San Francisco minimum wage heading to $15 on University of California Hires India-Based IT Outsourcer, Lays Off Tech Workers (computerworld.com) · · Score: 1

    It's ILLEGAL to pay H1Bs less than the prevailing wage.

  23. Re: Auth secrets should always be LOCAL on More Passwords, Please: 98 Million Leaked From 2012 Breach Of 'Russia's Yahoo' (arstechnica.com) · · Score: 1

    PKI... How would you share it with your desktop and cellphone and Alexa? ("local" doesn't exist...) And make it work from cellphone web browsers?

  24. Ad money comes from somewhere on Moto G Play Joins Amazon's Ad-subsidized Prime Exclusive Phones Program For $99 (betanews.com) · · Score: 1

    This allows consumers to get a discounted Android phone in exchange for seeing ads on the lock screen. It is a great way for shoppers to save money, while Amazon makes money from the ads -- win/win

    Ad spending in the US was $200 billion in 2016, for a US labor force of 160 million. That's basically an annual $1200 tax on everyone for the privilege of having ads shoved in their faces.

    Win / win / lose.

    It's "Win" for Amazon, "Win" for consumers who get a subsidized phone, and "Lose" for consumers who pay money for advertising that gets siphoned off into the advertising middle-men and a small fraction of it trickles back down to consumers.

    And hey, as tagged advertising gets better and better, reaching its final form where it only hits people who make a purchase, then each consumer will get the joy of subsidizing their own phone as well as the ad industry execs who piggy-back on top!

  25. Re: A *Minimum* of Journalistic Skill on WrkRiot Collapses Amongst Allegations of Fraud (qz.com) · · Score: 2

    In this case I disagree. Knowing anything about the business of WrkRiot beyond just "silicon valley startup" adds nothing to the story.