It's not all it's cracked up to be.
Our Premier is on a rampage to "fix" our economy by selling off all of our Provincially owned utility companies (or "crown corps", power, heat, telephone companies). They keep cutting funds from Health Care, Education, and Infrastructure. Our current deficit (around $1.2 Billion) is entirely our current government's problem, as they didn't have much of a deficit when they gained power in 2008.
We're actually looking into moving out to Nova Scotia. Better health care programs (my son is a Type 1 Diabetic), better co-pay insurance, similar housing prices, similar cost of living to SK, and just a "little" more snow during the winter.
I commented the below comment in the last /. post about DST:
As someone even more North than you (Canadian Prairies), it doesn't make any sense... sun is still down when most people go to work, and sun goes back down again before most people are done work.
Shifting it an hour really has no benefit when you only get 7 hours of daylight in the winter.
In the Summer it's opposite. Sun comes up between 5-6 am, sets around 10pm.
With that said, where I live, we don't have DST and I'm damn glad we don't.
It's largely a regional thing, based on where you are geographically. This is why generalized discussions about DST don't make sense. Everyone lives in different areas, both on the horizontal and vertical axis.
In other words, your experience is not my experience. How about we quit arguing about it and get on with our lives?
Seasons are relative, too.
We're in the middle of a snow storm. It was -30 deg C here today.
We generally get snow storms until the last week of May, sometimes into June.
Then summer (up to +45 deg C) until mid-late September and then we get crappy weather again.
Honestly, the time the sun rises and sets in the fall and spring doesn't matter when it's too cold to be outside anyway.
No such thing as unlimited.
You will hit a limit if you're paying $4 a month for a shitty web host to run your business's critical infrastructure.
I own a web hosting business, but even I know when a professional mail service is necessary, and I run mail servers for many of my clients.
Also, $1000/yr for the parent poster to add/remove a few users is $83.33/month on average. That's a lot for doing a whole lot of nothing.
My clients pay about $1 a mailbox per month. They have the ability to add and remove their own users, so I rarely get a call. My mail servers are in a cluster across three datacenters. Each mailbox receives around 10GB on average, though it's adjustable/negotiable based on the client's needs.
As someone even more North than you (Canadian Prairies), it doesn't make any sense... sun is still down when most people go to work, and sun goes back down again before most people are done work.
Shifting it an hour really has no benefit when you only get 7 hours of daylight in the winter.
In the Summer it's polar opposite. Sun comes up between 5-6 am, sets around 10pm.
With that said, where I live, we don't have DST and I'm damn glad we don't.
It's largely a regional thing, based on where you are geographically. This is why generalized discussions about DST don't make sense. Everyone lives in different areas, both on the horizontal and vertical axis.
In other words, your experience is not my experience. How about we quit arguing about it and get on with our lives?
I guess you could also go the other way, and use Linux as the host machine, and put Windows in the VM.
Depending on exactly what you are doing, you could run Linux in a VM on the same machine.
I'm guessing this is a Windows driver problem, not allowing you to spoof your MAC address.
I just bought a new laptop in November. Has an Intel 7265 Wifi chip.
On Linux, spoofing the MAC is built in, and with recent kernels and NetworkManager it randomly generates a new MAC when connecting to an Access Point.
It actually confused me for a bit, as part of my setup at home uses MAC whitelisting in conjunction with a really long key.
I whitelisted the MAC, then started the install. When I rebooted after installing, I couldn't connect to the network. I thought I either didn't compile in the right kernel module, or I missed something.
Turns out it was NetworkManager trying to make my life more secure. Fortunately you can configure a fixed MAC for specific Wireless networks.
I guess I should clarify that when I say prompt, I don't mean a pop-up prompt box in javascript (that blocks execution, waiting for a response).
I mean simply an input field to put the code into.
How usable is this flow to inexperienced users, who may not understand tabs? My grandmother sure doesn't, despite my attempts to teach her about them.
I understand your concern. If utilizing user session storage, it could (should?) be built to allow the user to navigate away from the page, and then come back to it. In fact, this is how my sites handle it provided the time limit does not run out. Depending on your session implementation and browser, the session may be lost if the browser is closed. Prompting for the code and displaying a countdown timer should caution the user enough to not close the window.
And how usable is this flow to users of smartphones, whose comparatively small displays don't make the existence of other open tabs obvious?
Most, I guess not all, people will not be using their web browser to check their e-mail when on a mobile device. You will still be able to minimize the browser, open your e-mail/sms client, select and copy the code to clipboard, then switch back to the browser to paste the code.
Unfortunately links being sent via email can be snooped between the service that is sending the link, and your mailbox.
With that link, it opens a window to hijack your account from anywhere if it's not bound to your browser session. Most are not because you will get too many complaints when the user tries to open the link on their mobile phone, or from an email client that opens the link in a different browser, and the user receives an Invalid Reset Link error. Then they can't figure out why they cannot reset their password, and contact support.
The only way around this, securely, is in the method I mentioned in this comment below.
When forced to answer security questions, I generate a random multi-word answer and store that answer in my password manager. Unfortunately that just makes it a weird backup password that I have no idea if or when it might become relevant.
I do this as well. I don't really see another option when websites (and banks are the worst for it) require them for Registration.
In today's world where people are monitored so closely (and people spew out just as much on social media), many of these answers are just a search away.
Strong password/passphrase enforcement (10+ characters), 2 factor authentication, and proper salting/hashing and storage on the server side are more important.
I'm also willing to bet these security questions are not stored securely, so when their DB gets compromised then all of that information is out in the open.
We also need to get away from sending new passwords and reset links by email. E-mail is not a secure protocol. An attacker could hijack your account if there is someone snooping either between the server and your email provider, or your email provider and your email client.
I've recently revisited many of my sites to rebuild the password reset option to something more secure. It's actually simpler than sending a reset link.
1) You need secure session storage that is not susceptible to session hijacking (i.e. don't use PHP's built-in session handler)
2) Generate a reset code (I use a 12-character uppercase alphanumeric code)
3) Store the reset code in the session, and store an expiration time of 30 minutes. We store it in the session to keep it available without passing it along on the page in any way. There are other ways to do this, but if you have a secure session storage, may as well use it. It also has the added benefit of allowing the user to navigate away and come back to it. The expiration time ensures this process is completed in a timely manner.
4) Send the code to the user via email (or SMS). Do not send a link!
5) Prompt the user to enter the code directly on that page. I also display a countdown timer written in Javascript to really hit home that this needs to be done quickly to prevent abuse or attacks.
6) Upon entering the proper code, and verifying it on the server side, allow the user to create a new password.
This solves MITM attacks, as you're not sending a link. By forcing the user to keep their browser/tab open and enter the code directly on the page, we are ensuring that only the person who initiated the password reset can create a new password. By sending the code to an email account or mobile phone you have on record, we are verifying they are the account owner.
Now, with that said, this does not solve the issue of stolen email accounts or stolen mobile devices. However, if that is the case, you probably have bigger issues on your plate.
Just my $0.02
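The six steps above, written out as an added Python example (the commenter's sites are PHP; this is not their code). The session store, the deliver() callback that sends the code by email or SMS, and the set_password() credential store are assumed in-memory stand-ins; the code length, alphabet, 30-minute expiry, single-use code and on-page verification follow the steps as stated, with an attempt limit added so a 12-character code cannot be guessed within the window.

```python
import hmac
import secrets
import string
import time

# 36^12 possible codes (~62 bits): plenty for a 30-minute, attempt-limited window.
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 12
CODE_TTL_SECONDS = 30 * 60
MAX_ATTEMPTS = 5


def generate_reset_code():
    """Step 2: a 12-character uppercase alphanumeric code from a CSPRNG."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))


class ServerSession:
    """Stand-in for the server-side session store of step 1 (assumed, not the poster's).

    Only an opaque session id ever reaches the browser; the code itself stays
    here and is never written into the page, a form field or a URL.
    """

    def __init__(self):
        self.data = {}


class ResetFlow:
    def __init__(self, session, deliver, clock=time.time):
        self.session = session  # server-side session of the visitor on the reset page
        self.deliver = deliver  # deliver(contact, code): sends the code out-of-band, not a link
        self.clock = clock      # injectable so expiry can be tested without waiting

    def begin(self, username, contact):
        """Steps 2-4: generate the code, store it with an expiry, send the code (no link)."""
        self.session.data["reset"] = {
            "user": username,
            "code": generate_reset_code(),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
            "verified": False,
        }
        self.deliver(contact, self.session.data["reset"]["code"])

    def _clear(self):
        self.session.data.pop("reset", None)

    def verify(self, submitted):
        """Step 5: compare the code typed into the page with the session copy.

        Returns (ok, reason). Expired or over-tried state is discarded so a
        stale code can never be completed later in the same session.
        """
        state = self.session.data.get("reset")
        if state is None:
            return False, "no reset in progress"
        if self.clock() > state["expires"]:
            self._clear()
            return False, "expired"
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            self._clear()
            return False, "too many attempts"
        # The alphabet is uppercase-only, so uppercasing the input forgives a user
        # typing in lowercase without shrinking the code space. Constant-time compare.
        if not hmac.compare_digest(state["code"].encode(), submitted.strip().upper().encode()):
            return False, "invalid code"
        state["verified"] = True
        return True, "ok"

    def set_new_password(self, new_password, set_password):
        """Step 6: only the session that verified the code may set a password.

        set_password(username, new_password) is the caller's credential store.
        The reset state is destroyed afterwards so the code is single-use.
        """
        state = self.session.data.get("reset")
        if state is None or not state["verified"] or self.clock() > state["expires"]:
            return False
        set_password(state["user"], new_password)
        self._clear()
        return True
```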
Having been in web development for over 15 years, I can tell you there are some very reliable ways to catch any kind of form submission SPAM.
As stated, there is a point where the bots are not possible to catch, as they emulate exactly how people do it (or they are paid spammers).
You come to a point of diminishing returns, and start to irritate real users.
CAPTCHAs are a bandaid solution for lazy developers.
reCAPTCHA is useless.
There are other very reliable ways of catching automated bots. They are stupid, and make many mistakes that are easy enough to catch even without Javascript.
The real issue is firms hiring people for less than a buck an hour to spam crap. It's impossible to stop without impeding real users... so where do you draw the line?
As it is reCAPTCHA gets in the way more than it should. You're probably better off without it.
The issue is 3 things in my opinion:
1) shitty developers that don't understand how to actually build web applications anymore. They rely on 10 different monolithic libraries to render a simple page that basic html/css would do fine without the JS.
2) stupid bosses that want to track every touch you make, every link you click, and every scroll you make. Each action needs to phone home every time you do one of those things.
3) poor optimization on the browser side. Honestly Firefox runs freaking great on my two year old Android based device. On the other hand, Apple devices have exactly one browser engine you can use. I suspect they keep it bloated and slow to push developers to build "Apps" so they can get their cut of the revenue.
I develop custom, web based, business software for a living. Mobile accessible and mobile friendly are a necessity these days, and I somehow manage to pull it off without any of the performance issues you mentioned above.
Because I've never seen that before...
The truth is that binaries packaged to run on a wide range of hardware miss out on many modern day optimizations.
I use Funtoo/Gentoo because I like the flexibility and the ability to configure everything, the additional performance is simply an added bonus. If I wanted to depend on an OS vendor to make decisions for me, how is that any different from just using Windows?
Use a sane OS and that shouldn't be a problem.
I have exactly one device in my house that can read these so-called Deee Veee Deeeezz, and it's nowhere near my TV.
It's in my office Computer, and I honestly do not know if it still works. The last time I used it was to burn a Win XP ISO with some special drivers slipstreamed in. Wow, that was quite a while ago.
I lied... Shomi was owned by Shaw and Rogers. But my point still stands: Bell is still much, much bigger than the two of them combined.
Shomi was solely from Shaw Communications.
What they realized is they can make more money licensing their few shows to the competition (CraveTV, owned by Bell), without the overhead of having to run an internet-based streaming media service.
Shaw now advertises the CraveTV service to their customers. I'm guessing they are getting paid for that, too.
Bell is much, much bigger than Shaw.
MS Edge at least mostly complies with web standards. That's what matters to me.
So many fewer issues with projects rendering or behaving differently, and having to include kludge code just to keep the clients/users happy.
With that said I still nearly exclusively use Firefox and occasionally Chromium for development testing. I also use Linux so many other browsers are not possible to use, and the others I just don't trust.
I can guarantee that if you compile it yourself, with optimized CFLAGS and CXXFLAGS, that Firefox and Chromium will come out ahead of the poorly optimized builds that get released by the non-open source browsers.
Personally I use compiled versions on my Funtoo Laptop and Workstation. Yes they take some time to compile but if you only upgrade twice a year it's not so bad. Upgrading every release would simply be too much. My CFLAGS are nothing crazy: "-march=native -Os -pipe"
There is also the added benefit that I've never had a build crash on me since I started using builds compiled to my hardware capabilities.
Exactly. There are legitimate uses to be able to change your CID number.
I use a combination of VOIP.ms and MultiTel.net. Toll free is with VOIP.ms, and my local number is with MultiTel.
I don't currently use a PBX, but I've been considering it. I only have a single SIP phone (Cisco SPA-303) at my desk. If I'm away I set the Call Forward option to my cell and it works quite well.
I've also considered mixing in Twilio. They have some really useful features (TwiML, etc). I currently use Twilio for Telephone Number verification on one of my businesses. When a customer registers, they need to confirm their e-mail address and telephone number (send a code by Voice or SMS that they need to type into the website) to be able to place any orders. It severely cuts down on fraud.
I long for the day that we can universally use DANE with SSL/TLS Certificates, and cut out the Certificate Authorities.
I have two numbers for my business. I use VOIP for a number of reasons, mostly cost and flexibility.
I have a Toll Free (888) number, and a local number.
My numbers are with two different providers. The reason is that I started with just a toll free because it was not possible to get a local number. A few years later I found a different provider that has numbers for my area.
The provider of my Toll Free has cheaper outgoing calls, so I use them exclusively for outgoing calls.
My local number is simply pointed at my inbound SIP address at the first provider.
One of the reasons I got a local number is when I make an outgoing call with my 888 number, some people are hesitant to pick up, and some businesses simply block it. One of my clients is a University in New York, and I was not able to call them.
So I set my outbound call display number as my local number, that is mine, but the provider has no way of internally verifying it is mine. It is quite useful in many cases to be able to advertise my outgoing number as one that isn't with that provider.
With that said, one thing that Twilio does right is call the number you are claiming to own, and ask you to enter a code to verify that you at least have access to it. It's a pretty good middle ground to ensure someone isn't abusing someone else's number.