Comment: Re:It all comes down to payroll (Score 1) 263

by Ash Vince (#48870373) Attached to: The Tech Industry's Legacy: Creating Disposable Employees

Hire a new FTE programmer/H1B programmer for 50% of the fired employee's salary = 50% savings.

In my experience most H1B programmers are not actually that much cheaper to hire than people already here. The real problem is that too many young geeks in the developed world are arrogant, over-entitled assholes who are a pain to work with. Whereas generally that guy or girl from India or Eastern Europe is polite, professional and happy to work hard, but without throwing a childish hissy fit when they don't get everything their own way. They just want to go to work and get paid.

Also, the best code is always produced by a team of developers who all practice things like pair programming and peer code review (every single commit should be reviewed by another member of the team). In that environment, not being an arrogant dick matters more than anything.

Comment: Re:Yep it is a scam (Score 2, Interesting) 666

by Ash Vince (#48870109) Attached to: US Senate Set To Vote On Whether Climate Change Is a Hoax

And not having access to pesticides like DDT.

Nope. The real problem is that DDT is no longer effective against mosquitoes in many parts of the world, as they have evolved to be immune to it. The stuff that is still effective against them is so damn toxic that it has to be used carefully in case too much gets into drinking water, makes it into the food chain in other ways, or even just poisons the rivers and kills all the fish on its way to the sea.

Comment: Re:No. (Score 1) 562

by Ash Vince (#48845073) Attached to: Obama: Gov't Shouldn't Be Hampered By Encrypted Communications

If the court approves, they can just go and obtain the computers. That is already solved.

They want to listen in, not shut the conversation down, so storming in anywhere armed with your court order is not a solution.

So many people here are ranting on about this, but what he said is actually 100% reasonable in that he stipulated the government needing a court order. The truth is that if they can stand in front of a judge and convince him you are a legitimate target then you have very little expectation of privacy. Based on that judge's say-so they can legally sneak into your home and plant listening equipment if they have information that indicates they have a chance of recording you discussing engaging in illegal activities.

A few years ago things were much simpler for them: they could ask a judge nicely and he could order a tap on your phone line. Nowadays though, that does not help them as much as it used to. They can take that warrant to your ISP, get full access to all your email, and still be none the wiser about what you are discussing if you have decent encryption.

If someone could come up with a perfect solution to this problem where a judge could order something decrypted, and only then could government use their magic key to access it, then I personally would have no problem with it, providing a few other safeguards were also in place, such as full disclosure in the case that nothing is found after 6 months or a year or something. Obviously, this magic key would also have to be bulletproof so that there was no possible other way that government or anyone else could decrypt it.

The problem is that this perfect solution is not what government goes looking for; instead they always seem to look for something that provides us no safeguards whatsoever. So even if it is possible (which I personally doubt anyway), there is sod all chance of them ever coming up with it, and if anyone else does I can't see them actually supporting it.

Comment: Re:Shouldn't this be a civil case? (Score 1) 86

by Ash Vince (#48712837) Attached to: UK Arrest Over Xbox Live and Playstation Network Outages

Then a free market capitalist consumer would be behooved to make it increasingly difficult for such unwanted additional DRM systems to exist in their market by any peaceful means necessary, such as using that system as frequently as possible to make its operating cost higher, right?

Quite right, I would actually consider that a perfectly legitimate form of protest providing the requests were coming from actual consumers who had paid for said product. You have to actually buy something in order to be a legitimate consumer.

I bet this is not what this retard was doing though; he was most likely triggering off thousands of illegitimate calls from PCs emulating the DRM system, not from consoles owned by people who had bought a game.

Also, it is worth bearing in mind that some consumers out there who buy games (like me) actually like things like DRM, because I do not see why some other freeloading little shit should get free access to something that I pay my hard-earned wages for. If you can't afford something like a game or DVD, you should go without it, as they are luxury items anyway.

Comment: Re:Shouldn't this be a civil case? (Score 4, Insightful) 86

by Ash Vince (#48711843) Attached to: UK Arrest Over Xbox Live and Playstation Network Outages

No, misuse of a computer system is a criminal offence

Generally, misusing your own computer system is not a criminal offense unless you really go to extremes. If I set my router to ping flood Sony or Microsoft all day long, that generally is not a criminal offense. Previously it was said that this "Lizard Squad" attack was done by a group of people; until we have an idea of how many people were in said "squad" it will be really hard to say whether or not any one person had a meaningful role individually.

Here in the UK it probably doesn't really matter what you were actually doing: if your INTENT was to stop or prevent people engaging in a lawful activity then that is most likely a criminal offence. This is generally how our laws are written; then we just let juries sort it out.

In this case we passed a law in 2006 called the Police And Justice Act. Here is an old register article about it:

Our legal system generally has intent woven into its fabric at a far deeper level than in the US, so that if the CPS (Crown Prosecution Service) feel there is a reasonable likelihood of them being able to convince a jury that an individual's intent was malicious then they can drag you through the courts. In this case whether this retard is charged will probably depend on how clean his PCs were when they raided him.

You might note that I have zero sympathy for him; being susceptible to getting DDoS'd is not really a security issue worth exposing. If you throw enough traffic from a botnet at an awful lot of sites they will go down. The simple truth is that when companies provision any sort of online infrastructure or offering, you look at how much load it is expected to be under during normal operation, then plan from there by adding a certain safety margin. In this case it sounds like this service was only going to be called each time a game was started, so creating far more load than this by lots of bots pretending to start games over and over again thousands of times a minute was miles away from the intended traffic volumes.

I know some people say this vulnerability never should have existed, as this phoning home is a form of DRM and this should not happen, but the problem is that without it there are an awful lot of people out there who just freeload and play stuff without paying. Of course companies are going to try and make this difficult in order to stay in business; that is what capitalism dictates they must do in order to maximise shareholder returns.

I hope this guy also realises that he has utterly screwed over any chance he had in life of actually becoming a real paid security researcher with this stupid stunt. With a prior arrest on public record like this he is just not worth the risk, especially as he has not really shown any special technical skills. He will be lucky to get any sort of computer work for the next 10 years.

Comment: Re:and that's how we got the world of FIREFLY (Score 1) 265

by Ash Vince (#48664063) Attached to: Serious Economic Crisis Looms In Russia, China May Help

Seriously though, the Chinese can destroy our country without setting a single boot on the ground simply through economic measures.

The problem is that would also destroy them economically at the same time as they require US consumers to buy all the crap they produce. China keep their own currency artificially low just to keep their exports going.

Comment: Re:About Fucking Time (Score 1) 435

by Ash Vince (#48628631) Attached to: In Breakthrough, US and Cuba To Resume Diplomatic Relations

You will note in the 2012 presidential election, the majority of Cuban Americans in South Florida voted for Obama; and he carried Dade, Broward, and Palm Beach counties with huge margins:

The GOP's hold on South Florida is broken; it was primarily among older Cubans who came over during the revolution. This issue has been less polarizing for their children and grandchildren. Indeed, 3rd and 4th generation Cuban-Americans have no real intention of moving back to the island and view their grandparents' property claims as a lost cause.

Add to that they might like to visit the place for a cheap holiday.

Comment: Re:Under US Jurisdiction? (Score 2) 281

by Ash Vince (#48602145) Attached to: Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services

Long ago for that AC to forget about it.

And in a related note: If we have to discuss if and how to avoid supporting law enforcement, something went really, really wrong.

Who gives a shit about storing your data with google or anyone else, at this point we should be storming the Pentagon / White House / Senate en masse to demand and take real freedom. There is no terrorist threat that actually warrants this level of intrusion, our own police seem to be better at killing defenceless citizens than terrorists anyway over the last year.

Comment: Re:I bet Infosys and Tata are dancing in the stree (Score 1) 186

The United States does not have a labor shortage.

It is not about a labour shortage, it is about the race to the bottom in terms of working conditions and pay.

It sounds like broadly speaking we agree on who benefits the most from immigration though. My take on it though is that no matter what you do, people from Mexico are always going to try and flock from there to the US to work, and keeping them all out is an effort doomed to failure. We have a hard enough time in Europe stopping them crossing a fairly wide sea, so the poxy river you have is no barrier at all, even with all the fences around it.

The only real option is making sure that when they get here they are not able to undercut our own labour force at the bottom of the market. The best way to do that is to shift the punishment to the people who employ illegal immigrants with no work permit. Also, minimum wage laws might help too, providing the punishment for breaking it as an employer suitably outweighs the benefit of cheap labour (i.e. prison time). The main thrust should definitely be though that if you employ someone and do not check their legal status sufficiently, you get hefty fines for the first offence then prison for any repeats.

I also have no problem with outright denying things like foodstamps to recent arrivals, I just doubt it will do the slightest thing without the measures I mention above apart from make them more desperate and so willing to work for less.

Comment: Re:I bet Infosys and Tata are dancing in the stree (Score 1) 186

How would you know that, if the government deliberately does not maintain such statistics and explicitly tells applicants they don't need to disclose their immigration status?

Other countries do, and I doubt the US immigrants are too different to those trying to get to Europe. Also, can illegals still get food stamps with no proof of residency? Here in Europe they can't, but they come anyway.

It doesn't surprise me that most people believe the same way you do, as that is the way it is often presented. The truth is though that this is because the current situation of there being tons of people here illegally is actually better for those who want to pay as little as possible, as illegal immigrants will work for less than legal immigrants since they are more desperate. That is the main reason that the parties like the Republicans that represent the richest are also usually anti-immigration: they know that people will come anyway, they will just work for less due to their desperation.

Comment: Re:I bet Infosys and Tata are dancing in the stree (Score 1) 186

What worries me are the very bottom — the folks, who come over here knowing, that they may be able to get foodstamps and other hand-outs, that our schools and hospitals will teach and treat them for free.

Of course the truth is though that most recipients of foodstamps and benefits are Americans. Immigrants generally flock to first world countries like the US in order to work hard and lead a better life. They generally do the work that people born in the US feel is beneath them, or agree to work for far less than them. They will live in smaller rooms, pay less in rent, work longer hours and generally put up with a ton of shit just because it is still better than the country they were born in.

The net result is that the people who suffer from immigrants, both illegal and legal are the sort of people who are also competing for the same dead end jobs, exactly the sort of people who feel they are entitled to those jobs just because they were born here.

Those of us who feel we are entitled to jobs because we are the best person to do the job generally have nothing to fear from immigrants, but we do have a net gain as we can get someone to work on our house, iron our shirts or do our cleaning for a fraction of what someone born in the US would charge. We also benefit from being able to go to the all-night food mart to get beer or whatever at a time when most people would demand double time to go to work.

Even the H1B system is often a net benefit to us as the sort of people brought over here under those schemes often reach a glass ceiling pretty quickly and we ultimately get made their boss when they are passed over for promotion for the 5th time even though they work harder.

Comment: Re:Are you sure? (Score 1) 863

by Ash Vince (#48274409) Attached to: Debate Over Systemd Exposes the Two Factions Tugging At Modern-day Linux

Part of my concern about SystemD is the scope for bugs. All the daemons that are replaced by SystemD have years of development under teams of developers. Can one expect a re-write of all these daemons by a small team with no history of working on these applications to be anywhere near free of bugs?

In my experience software with years of development has no fewer bugs than a new project if the people working on the project are good and it is not rushed.

Often software needs a rewrite every few years just so the current developers are 100% comfortable with every aspect of the code. If you have a huge legacy application it can often be more prone to bugs as the code becomes so convoluted, and often new developers to the project are scared to refactor crap out as some of the crap is important and it takes a horrible process of trial and error before you know what can be removed.

Comment: Re:Why so high? (Score 1) 223

by Ash Vince (#48234265) Attached to: Passwords: Too Much and Not Enough

In PHP 5.5 they introduced the password_hash function to replace this, but it has a mode that generates backward-compatible crypt() style hashes, so if you pass the wrong arguments to it, you will be generating md5 (or worse) hashes.

It might generate crypt style hashes, but it will not ever use MD5. It always uses Bcrypt at present until something better comes along. You should have read the link you posted more closely.

There are probably ways you can screw it over though so it doesn't add any security, but the defaults are pretty secure and the php manual steers you toward not changing them unless you know what you are doing.

I don't mean to sound rude (even though you did say you thought I knew "fuck all") but you really need to understand what you're doing.

You're right, but I have the advantage that all my code is peer reviewed nowadays, and we also get free pen tests and advice from a really top notch security team who are world leaders in this stuff. That does mean that if I screw up this sort of stuff it is generally noticed and I then have to fix it; that certainly helps raise your game.

Comment: Re:Why so high? (Score 1) 223

by Ash Vince (#48231737) Attached to: Passwords: Too Much and Not Enough

Of course, you didn't mention salting, so I hope they told you about that too. Unsalted password hashes... about as useless as chocolate teapots.

I explicitly mentioned the password_hash function in recent versions of PHP. This does the heavy lifting for you, including generating a random salt as best it can.

That's why you do not rely on bcrypt as the only answer to the security of your passwords (I hope you use bcrypt, last time I saw PHP it still used MD5.....

What in PHP used MD5? The password_hash stuff has only been in PHP since 5.5 and only ever used bcrypt. Previously some PHP developers might have used MD5, but there was nothing built in to PHP that purported to hash passwords; it was left to developers to roll their own, and they often did it badly. That is not the same as saying that PHP "used" MD5 for hashing passwords though.

Comment: Re:Why so high? (Score 1) 223

by Ash Vince (#48230221) Attached to: Passwords: Too Much and Not Enough

If this is the level of comprehension of security in the web dev community, then I'm not only unsurprised at the number of hacks, but will be using a randomly-generated password for every website that asks me for a password.

As a PHP developer who works for a security company, we generally do what the pen testers advise us to in regard to hashing passwords. Currently that is to use the password hash function in the latest versions of PHP.

Maybe the reason us dumb old web developers do not have your amazing knowledge at our disposal is because NOT hashing passwords is not exactly a recommended practice by any real security company.

Where I used to work we had a pretty crappy legacy product which did not hash the passwords in the DB. This was because the customer liked the fact that the system would mail out passwords if the user forgot them instead of making them reset it. When they got pen testing companies to test this product the pen testers always noticed this process and correctly deduced that the passwords were not hashed. This was then always raised as something that should be fixed, of course the customer always ignored this defect, they would make us fix anything else that was raised though.

We went through several pen tests over the years I worked there, by a few different companies, and nobody thought having the passwords stored in plain text was a good idea. The fact that you think it a good idea suggests to me that either:

A) You are some amazing outlier security guy miles ahead of everyone else on the planet.
B) You know fuck all

I reckon B
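The password_hash workflow that the three "Re:Why so high?" comments above refer to (the defaults being safe unless you override them, the built-in random salt, and hashing instead of storing plain text), shown as an added example that is not part of the original posts. It assumes PHP 7.4 or later; the sample password and cost values are constructed for the demonstration, and the helper names hashPassword() and checkLogin() are mine, not part of PHP.

```php
<?php
// Added example (not from the Slashdot comments): exercising PHP's built-in
// password API. Assumes PHP 7.4+; every password and cost below is constructed.
declare(strict_types=1);

/**
 * Hash a password with the library defaults. PASSWORD_DEFAULT has been bcrypt
 * in every PHP release since 5.5; 'cost' is the only option worth setting and
 * controls the work factor (2^cost rounds of the bcrypt key schedule).
 */
function hashPassword(string $plain, int $cost = 10): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => $cost]);
}

/**
 * Check a login attempt against the stored hash.
 * Returns [bool $ok, ?string $replacementHash]; the replacement is non-null
 * when the password verified but the stored hash was made with a weaker cost
 * than the site now uses, so the caller can store the upgraded hash during
 * this login (the only moment the plain-text password is available).
 */
function checkLogin(string $plain, string $storedHash, int $currentCost = 10): array
{
    if (!password_verify($plain, $storedHash)) {
        return [false, null];
    }
    $replacement = null;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => $currentCost])) {
        $replacement = hashPassword($plain, $currentCost);
    }
    return [true, $replacement];
}

// --- demonstration with constructed values ---
$password = 'correct horse battery staple'; // constructed sample password

$h1 = hashPassword($password);
$h2 = hashPassword($password);

// Each call draws a fresh random salt, so hashing the same password twice
// yields two different strings; the "$2y$" prefix and algoName identify bcrypt.
printf("hash prefix: %s\n", substr($h1, 0, 4));
printf("algorithm:   %s\n", password_get_info($h1)['algoName']);
printf("same password, different hashes: %s\n", $h1 !== $h2 ? 'yes' : 'no');

// Either hash verifies the right password; a wrong password fails.
[$ok, $upgrade] = checkLogin($password, $h2);
printf("correct password accepted: %s, rehash needed: %s\n",
    $ok ? 'yes' : 'no', $upgrade === null ? 'no' : 'yes');
[$ok] = checkLogin('wrong password', $h1);
printf("wrong password accepted:   %s\n", $ok ? 'yes' : 'no');

// Raising the site-wide cost later: the old cost-10 hash still verifies, and
// checkLogin() hands back a cost-12 replacement to write over it in the DB.
[$ok, $upgrade] = checkLogin($password, $h1, 12);
printf("after cost bump, accepted: %s, replacement cost: %s\n",
    $ok ? 'yes' : 'no',
    $upgrade === null ? 'none' : (string) password_get_info($upgrade)['options']['cost']);

echo "stored hash: $h1\n";
```

Nothing in the block stores or compares a plain-text password: only the bcrypt string is kept, and password_verify() does the comparison, which is why a "mail the user their old password" feature cannot be built on top of it. On the first comment's point about screwing password_hash() over with the wrong arguments, the one option that used to allow that, a caller-supplied 'salt', was deprecated in PHP 7.0 and removed in 8.0, so on current releases the cost is the only knob left and the defaults give you a randomly salted bcrypt hash.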
