* Posts by Daniel Feenberg

16 publicly visible posts • joined 14 Jun 2008

Snowflake lets admins make MFA mandatory across all user accounts

Daniel Feenberg

Re: Great idea

DUO has other methods for the 2nd factor. It can send 10 OTPs to a cell phone via SMS, or it can make a voice call to any phone with touch tone buttons and request a PIN. The latter is interesting because it is secure against a stolen phone or phone number.

Your password hygiene remains atrocious, says NordPass

Daniel Feenberg

Apparently the data do not come from their customers, but from downloads of hacked passwords posted to public databases. See https://haveibeenpwned.com/

Microsoft to kill off third-party printer drivers in Windows

Daniel Feenberg

business reasons for annoying policies

The current system had important business justifications when it got started. For Microsoft, having a different driver for every printer model helped discourage use of other operating systems. Since many printer vendors would only provide a Windows driver, it made OS2 and Linux second-class operating systems. That helped Windows go from "dominant" to "monopoly". For printer vendors, having their name on the list of drivers that popped up when you started to install a printer was a little advertisement for their brand. A truly compatible printer wouldn't need a new driver, but the user might not realize it was supported via another vendor's driver.

HP Inc slurps Teradici to get better at delivering remote PCs

Daniel Feenberg

anonymous coward no doubt means RDP (Remote Desktop Protocol), which Microsoft provides free for Windows and OSX under the name RDC (Remote Desktop Connection), or mstsc. The MS client also works with Linux servers running the xrdp software. We use it extensively. It is OK, much better than most MS products and better than the free-as-in-speech alternatives we have tried, but everyone tells us there are security risks that require a VPN or tunnel, which users do find complicated. The Teradici website provides no suggestion of how that software might differ from RDC.

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped

Daniel Feenberg

A better way to use a phone as a second factor

Duo Security offers a variation on the phone as second factor. One of their authentication options is to make a voice call to your phone, and ask for a pin to be entered on the phone keypad. Wrong pin, no login. This means that a stolen phone or SIM won't work to authenticate. It also means that landlines will work as a second factor.

iFixit surgeons dissect Apple's pricey Mac Pro: Industry standard sockets? Repair diagrams? Who are you and what have you done to Apple?

Daniel Feenberg

why sockets?

The motherboard has sockets because this is a low-volume item and the factory will make a year's supply of motherboards in an afternoon. Apple doesn't want to buy CPUs a year in advance.

Uni credential-swiping hack campaign linked to Iranian government

Daniel Feenberg

Re: um...

It depends on how the 2FA is implemented. If the 2nd factor is a dongle, or an SMS message used as a second password, you are absolutely on point. If the second factor is a voice call to your phone, and you respond with a PIN on the phone keypad, then the protection is real. The intruder would have to intercept the phone call and know the PIN to succeed. The difference is that the second factor requires two-way communication on the alternate channel. So the MITM on only one channel won't work. The intruder may be able to steal your phone number, but he still needs the PIN.

Oh, baby! Newborn-care website leaves database of medics wide open

Daniel Feenberg

Not necessarily confidential

In the US, at least, the MD's name and billing ID number are not confidential, but are matters of public record and available in public databases. I don't know about email addresses. This might be a bug, but it isn't a scandal.

PayPal patches bone-headed two factor authentication bypass

Daniel Feenberg

Re: 2fa choices

An alternative to SMS is to have the server make a voice call to the user, and accept a PIN from the user's keypad. DUO Security offers a system like this and given a suitable modem I think it wouldn't be difficult to do oneself. This also overcomes the objection that a phone number can be stolen (redirected to another phone) without stealing the physical phone, by social engineering the wireless company. Without the PIN, just receiving the call wouldn't authorize access.

Hey, tech industry, have you noticed Amazon in the rearview?

Daniel Feenberg

There is a reason for everything

Recently Dell refused a purchase order from me, because I had raised the quantity from 6 to 7 (and kept the same unit price). They had to send another quote, which for some reason had a lower price. So they should have accepted the first PO.

I do know why vendors ignore potential customers that call them (as opposed to the potential customers that they cold call). It is because sales people believe that the only reason you would call them is that you have bad credit with your current vendor.

Giant solar-powered aircraft to begin cross-country flight

Daniel Feenberg

Re: The video is wrong.

The Alcock and Brown flight was from Newfoundland to Ireland; the Lindbergh flight was from New York to Paris, which is about twice as far. The prize offered was for the latter route. If the video says "first transatlantic flight" it is wrong, but the xenophobic conclusion of the OP is unjustified.

Dutch unleash intelligent robot bins: No ID, no rubbish

Daniel Feenberg

Re: Rubbish bins - a novel idea

In the US nearly all urban areas have weekly free trash collection, but a few charge by the bag or by the month (usually limited to two cans/household/week). But some don't do anything. One that doesn't collect trash is Wellesley, Massachusetts, which is one of the wealthiest communities in the States. In that town the residents have to take their own trash to the dump, and each Saturday morning at the dump is a prominent social event with much gossiping and sometimes speechifying by candidates.

Only the most law abiding communities can sustain charging by weight or volume - otherwise it would result in litter.

Intel 510 250GB Sata 3 SSD

Daniel Feenberg

Unanswered questions about wear leveling

More important than the relatively small speed differences among SSDs is the quality of the wear leveling. It seems likely to me that this varies greatly, and that the variation could be sufficient to be relevant. I don't see an easy and optimal technique, so there must be various methods, with various properties. At these prices, I'd like to know more.

DVLA off-road system seriously off-message

Daniel Feenberg

Would someone like to explain what this is about to a North American reader? Is it something to do with preventing the spread of hoof-in-mouth?

Boy band sings praises of Windows 7

Daniel Feenberg

Just how big is it?

Do they use a 160 GB disk because they wanted to give attendees something nice, or is that the smallest drive that will hold Windows 7?

AVG scanner blasts internet with fake traffic

Daniel Feenberg

Not a deluge yet

On our rather esoteric web site (www.nber.org) that browser string accounts for 5% of the last week's 5.04 million hits. So it isn't killing us yet, but then what fraction of their users have upgraded so far? It certainly seems tempting to serve up an error page to the user, asking that they disable the "feature", should they eventually select one of our pages.

Why should they be scanning pages before the user clicks? Perhaps they don't have the proper hooks into the browser? Or don't know how to use them?