Slashdot Mirror


User: anss123

anss123's activity in the archive.

Stories: 0
Comments: 783

Comments · 783

  1. Re:Great on Apple Security Blunder Exposes Lion Login Passwords In Clear Text · · Score: 1

    Google Authenticator "cheats" a bit by using your mobile phone to first authenticate that you aren't some password stealing hack.

    Which is good enough for most sites I guess. It's also in one way more secure than SSL, as instead of the site proving itself to you, it's you proving yourself to the site. IOW if someone steals a user’s PW, SSL won't prevent the thief from logging on with it.

  2. Re:Great on Apple Security Blunder Exposes Lion Login Passwords In Clear Text · · Score: 1

    How does a timestamp help? You either need to ensure the client and server are in lock step, and adjust for transmission delays (impossible), or you allow a window +/- a number of seconds for the timestamp to arrive at the server, thus making replay attacks possible.

    Presumably the timestamp and salt are sent along with the hashed password.

    However this does not prevent phishing and code injection style attacks. That's the real problem SSL is trying to solve, namely that any site with an SSL certificate is who they claim to be, and that no one in the middle has slipped in something extra during the download.

  3. Re:htaccess fix and shared hosting is why on Recently Exposed PHP Hole's Official Fix Ineffective · · Score: 1

    1. This is what /tmp is for. /tmp has 777 file permissions, so the requirement for setuid script execution doesn't apply to accessing it, therefore it doesn't have the problem the GP post was complaining about.

    Ah, he meant "why does a webserver need to fiddle with permission bits on files?" Okay. Dunno.

    2. I wouldn't usually call thumbnails "junk data". They're actual data associated with your records, so they should be treated as such (IMO).

    I consider it junk data as it has no real value beyond speeding up pageloads. They'll be regenerated if lost.

    3. You'd get much better performance from using something like memcached rather than filesystem-based caching, anyway.

    Perhaps, but it's not a given. The OS already does caching for you, and may do a better job deciding what needs to stay in memory than what I could throw together.

    A memcache does not suddenly solve all security concerns either. The common setup is to have the memcache on a "trusted network", where anyone on the trusted network has full unrestricted access to the memcache... which is not too different from having a public temp folder on your server that anyone logged in can access.

  4. Re:bind_param() isn't designed for a loop on Recently Exposed PHP Hole's Official Fix Ineffective · · Score: 1

    Sorry about that. I've never used MySQLi, as you may have guessed, and that does sound awkward.

    Though I did some prepared statement stuff on MySQL/MsSQL/Oracle with PHP and a wrapper lib that let me use "bind_param" for each variable. Only problems I encountered were how Oracle requires params that don't have length specified to be rebound if the size increases, and of course writing SQL that works identically on three databases.

  5. Re:htaccess fix and shared hosting is why on Recently Exposed PHP Hole's Official Fix Ineffective · · Score: 1

    Why on Earth would you want a web-facing page to be able to manipulate files?

    I use it for caching for a template engine and small thumbnails. Essentially I don't want "junk data" in the db.

  6. Re:You shouldn't. Nobody should. on Recently Exposed PHP Hole's Official Fix Ineffective · · Score: 1

    The MySQLi module makes it very hard to use a prepared statement with ? placeholders for all user-supplied pieces of data: the program has to keep three different lists in sync and use call_user_func_array(),

    Sounds overcomplicated.

    Just create a function that creates a string of n ", ?" that you put into the prepared statement, then do as usual.

    I.e: prepare('select column from table where column in ('+create_qmarks(array_of_values.length)+')');

    If you want to supply the values in an array, create a function that loops through an array and calls "bind param", or whatever MySQLi prepared statements use, for each value in the array.

    Hardly difficult, and no need for "call_user_func_array" while maintaining three lists? Don't think I quite understood you there...

  7. Re:Then there are Macs on VeriSign Could Add 220 New Top Level Domains · · Score: 1

    The amazing part is that most systems/browsers are too stupid to support this...?

    That feature was common on older PC browsers. They added .com automagically.

    Personally I prefer a Google search, as I've ended up on porn sites often enough.

    Oh wait, IE9 still adds .com/.net/.org on webpages you've already visited and does a Google search + search suggestions otherwise. Neat. I knew that, just hadn't noticed.

  8. Re:Not convinced yet on Ubuntu 12.04 LTS Out; Unity Gets a Second Chance · · Score: 1

    so-called "smart" volume control that controls headphone volume on low settings and speaker volume on high settings

    Is that for real?

    Gave me a laugh at least :)

  9. Re:I wouldn't count on it on CryENGINE 3 Updated, Crysis 3 Announced · · Score: 1

    Crytek has sucked at games from day one.

    That is of course a matter of opinion.

    I remember buying COD 4 Modern Warfare full price. It had excellent reviews, hugely popular, but the game itself sucked so much. Just a bunch of obvious triggers that spawned or stopped spawning enemies. How can anyone like that? Oh well.

    Then I got Crysis. It was oodles of fun, and when I finished it I got FarCry... and it was even better. Crysis 2 was a bit of a letdown but was still much more enjoyable than Modern Warfare 3 (a gift). FarCry 2 wasn't good at all, but turns out it was made by someone else.

    So Crysis 3 is a day 1 for me.

  10. I read the AnandTech review on Nokia Lumia 900 Reviews · · Score: 3, Informative

    Quick summary:

    It looks okay. Wifi and 3g battery life is poor, but 4g is good. JavaScript performance is unimpressive. Camera is good, but white balance is poor and a faster CPU would help post processing. There wasn't anything to complain about on the display. No 5GHz wifi, but bandwidth and such is good. Speaker quality is good. And that's about it.

    Their biggest complaint seems to be that the phone lacks a dual core CPU. They are apparently coming and will let the phone record video at 1024p, over 720p, and perhaps take better photos.

    Other than that, it's a normal Windows 7.5 phone.

  11. Re:My personal opinion on Why Microsoft's Keeping the Next Xbox Under Wraps · · Score: 1

    I got an Xbox 360 stamped with a 2005-10-07 MRF date. I assume that makes it one out of the original production run, and it has yet to have any issues beyond noise. I've also yet to hear of any getting the RRoD, but their 'boxes are at least a year newer.

    I don't doubt there were an unusually high amount of xbox failures, but people with failed 'boxes are far more likely to post about it on the internet.

  12. Re:Mac? Is that you? on VirtualBSD 9.0 Released · · Score: 0

    No no, it looks nothing like Mac OS. It does look a lot like Mac OS X though.

  13. Re:Fuck IOS on Jailbreak For A5 iOS Devices Released · · Score: 1

    Deleting preferences causes too many glitches, so I'm right now simply using my trusty old HTC something something smartphone. I'm sure the iPhone can be sold, as it's not tied to any operator. Then I'll do a bit more research for my next phone, instead of listening to others.

    All in all, no great loss.

    Except that AppleID stuff, that was bloody annoying. It kept glitching out with a server connection error at the very last step, so I had to redo the whole blasted wizard over and over until it went through. Bet it was Apple trolling me.

  14. Re:Fuck IOS on Jailbreak For A5 iOS Devices Released · · Score: 1

    You're not disappointed with the iPhone, you're disappointed with Smartphones, and quite frankly you've just disabled most of the things that make it smart to begin with.

    You know, I already have a Smartphone. With touch, internet, GPS, and the list goes on. Is it so wrong to expect an iPhone to at least match older tech? It's not like the iPhone is a whole lot better than that oldy. The only true/real advantage (to me) is that my bank has made an app for the iPhone, I can't use the old mobile's browser as it does not have java.

  15. Re:Fuck IOS on Jailbreak For A5 iOS Devices Released · · Score: 2

    Weeel... I prefer leaving the phone in my jacket, as I don't use it much when I'm home, and I charge it on weekends or at work. I also like going places without bringing charger cables, as the less I have to bring with me on my travels the less I forget on my way home :-)

  16. Re:Fuck IOS on Jailbreak For A5 iOS Devices Released · · Score: 1

    Ahh, that's nice to know. Thanks.

  17. Re:Fuck IOS on Jailbreak For A5 iOS Devices Released · · Score: 1

    I seriously doubt you'll get much more battery life out of any modern smartphone - at least without disabling most of what makes it "smart"

    My old Smartphone got a week when it was new. It's down to 4-5 days now. Its screen is smaller, CPU slower and what not, so it's not a fair comparison I suppose, but it did most of the stuff the iPhone does well enough. Including GPS, Wifi, 3G, Video chat, MP3, etc.

    I had expected the iPhone to at least match that old thing. It's newer tech and all that.

    If you really do want to disable 3G, go into Settings>General>Network>Enable 3G

    Nope, there's nothing about 3G there. Closest is "mobil nettwork" but that seems to be about the operator.

  18. Re:Fuck IOS on Jailbreak For A5 iOS Devices Released · · Score: 4, Funny

    I turned off Bluetooth on the 4S as it drains battery. With that, GPS, SIRI, brightness, notifications and whatever else I could think of I pushed battery life up to a whopping 3 days.

    /Disappointed with iPhone.

    My sis says I should turn off 3G. It apparently drains the battery a lot, but I must be getting really old as I haven't figured how to do that, and no way will I ask her how.

    /Embarrassed

  19. Re:ASP.NET and C# on Ask Slashdot: Which Web Platform Would You Use? · · Score: 1

    Strange, slashdot allows me to moderate your post despite the fact I've posted on this topic earlier. Something new or a bug?

    The worst bit with commercial software is the lack of good documentation. With commonly used open source programs a quick google is usually all you need, as other people have encountered and asked questions about whatever issue you're facing. With oracle I actually have to figure out the issues myself, and it does take longer.

    For future googlers: Oracle will happily translate whatever internal charset it uses into UTF-8, you just have to set the charset when connecting. No need to look into nls_lang.

    Running explain on prepared statements can crash PHP/the oracle client. Never happened on MySQL, but I assume the problem is that my old debug code isn't supplying parameters to the prepared statements.

    Oracle may occasionally shut down the database for no apparent reason. It may look like the database is still running, even to an experienced admin (who's not me), as oracle itself will still be running and other databases will still work.

    Oracle is slower than MySQL at establishing new connections. The workaround is to use persistent connections.

    And, of course, to get the oracle client working at all I use a small script that sets an environment variable before starting apache 2.2. The client has no installer, just copy the 100MB of files to some folder and either edit PHP.ini or set that environment variable. Yes, the oracle client alone is bigger than all of MySQL. Oh, and you don't need to run any of the installation .bat files, as all they ultimately do is to copy the folder.

    Finally, on the PHP side you need the very latest version of pear/MDB2/the oracle driver if you want to use MDB2 with PHP 5.3. Yes, it's beta software, and if you want to use E_STRICT you must set "static" in front of a few MDB2 method calls. You also have two oracle drivers for PHP itself to pick between, pick the 11g version. As in, 11g client, 11g PHP driver, latest beta of MDB2 and the beta MDB2 oracle driver, and you're good to go. It does not matter if the database itself is 10g or older, 11g all the way. (I believe this may be true for Linux as well).

  20. Re:ASP.NET and C# on Ask Slashdot: Which Web Platform Would You Use? · · Score: 1

    Hmm. There's apparently an E_STRICT that's not enabled by setting E_ALL. I'll give it a try, thanks.

  21. Re:ASP.NET and C# on Ask Slashdot: Which Web Platform Would You Use? · · Score: 1

    I don't control the server. Also, I doubt you get the oracle client with a simple apt-get. I would prefer to use something else than Oracle as well, but that's where the data is stored.

    Fortunately I didn't actually need to compile anything. And if you're happy with PHP 5.2 it's fairly straightforward on Windows anyway, but for 5.3 you have to have a correctly compiled Apache 2.2 and the latest oracle client. The last bit took me a couple of hours to figure out as I wrongly assumed you needed the v.10 client for a v.10 database, and the error message made me think it was a configuration issue as it almost worked, PHP found the client, just not the database.

  22. Re:ASP.NET and C# on Ask Slashdot: Which Web Platform Would You Use? · · Score: 3, Interesting

    A couple of weeks ago I evaluated asp.net vs PHP for a web project I'm working on. Asp.net isn't bad IMO, but it quickly felt like I would have to model my website to asp.net instead of the other way around. I didn't try "doing things from scratch" though.

    I ended up with Apache2/PHP 5.3/MDB2/Smarty3 and the latest oracle client. The biggest frustration with PHP is setting it up really. I haven't bothered getting line by line debugging working, for instance, but got that "for free" with asp.net. Another annoyance is that you have to make sure the various components are compiled against each other, if they're not you get cryptic errors that aren't exactly straightforward to figure out.

    PHP5.3 seems to be surprisingly nice all in all. It got classes, access modifiers, exceptions and even closures now; so that you can do things pretty much the same way as one would in C#. The only annoyance is that you can't "compile" the source files, to check for syntax issues, but perhaps there are dev environments that can do just that.

  23. Re:correlation on Crysis 2 Most Pirated Game of 2011 · · Score: 1

    Game? I thought Crysis was an overpriced graphics card benchmark ;).

    Sure was. Still, Crysis 2 was the best FPS I played this year... Wait, make that last year. It could have been better, but it was still good enough to play from beginning to end. Of course, Portal 2 is better still, but I don't see it as an FPS.

    Worst FPS has to be RAGE. Yes, even counting Duke Nukem Forever. However it has the most effective anti piracy measure I've seen in some time. Took me days to get it from steam.

  24. Steve Jobs on How the Year Looked On Slashdot · · Score: 4, Interesting

    please say in the comments what news hit you the hardest this year

    Of the news reported on Slashdot I think SJ's death hit me the hardest. I don't follow Apple or Jobs news so his death came out of nowhere. Didn't know he had cancer or that he was dying from it.

    If the Japan earthquake was reported here it wins by a huge margin. Well, there have been a lot of /. posts on the nuke plant, so I guess that or the earthquake wins out of the non-geek news.

  25. Re:Is it just me or is the olympics getting worse on London Wires Up For 2012 Olympic Games · · Score: 2

    You have an Olympics every year?

    It certainly does feel like it. Didn't China host the Olympics, like last year?