
Comment: Re:WTF (Score 1) 531

Even if (in theory) they aren't downloading my browsing history and it is my browser making the requests, they can deduce what sites I must be browsing to request such "suggestions."

According to the bug report for this feature, the intent is that any suggestion would be triggered by multiple visited sites, so this wouldn't reveal exactly which sites you had visited. Still, it obviously does leak some information.

Comment: Re:Is it on the main download page? (Score 4, Insightful) 216

by Ben Hutchings (#49728373) Attached to: Trojanized, Info-Stealing PuTTY Version Lurking Online
I know that's the official site, but:
  • I'm supposed to download binaries that don't have Authenticode signatures, from a web server that doesn't support TLS.
  • And then I have to download (and somehow verify) a copy of PGP or GnuPG, in order to verify the signatures they do provide. (I also have to know and remember the fingerprint of the genuine PGP signing key.)
  • Finally, I have to trust that no-one has cracked a 1024-bit PGP key.

I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.

Comment: Re:systemd (Score 1) 442

by Ben Hutchings (#49555157) Attached to: Debian 8 Jessie Released

A win for rude, pushy and obnoxious people who shouted loudest and longest and ignored everyone else...

Well that's what I see from the systemd detractors, not its proponents. They're still shouting loudly, in the comments on every article even tangentially related to it. Of course they are being ignored by systemd proponents and most neutral parties because they mostly repeat the same myths and slurs.

Comment: Re:not enough noise over systemd (Score 1) 442

by Ben Hutchings (#49554187) Attached to: Debian 8 Jessie Released

A true free and open process would be to include a choice at installation/upgrade time between the choices. If I do have a choice on the web server, on the DNS server, on the mail server, even on the kernel, on the shell that I deliver for my users [...]

You can't choose any of those through the installation GUI. All of them require a custom pre-seeded install or post-install action.

If you upgrade an x86 system, both systemd and sysvinit will be installed and you can select sysvinit from the GRUB menu.

Comment: Re:If It Ain't Broke, Don't Fix It! (Score 1) 209

by Ben Hutchings (#49473373) Attached to: Linux Getting Extensive x86 Assembly Code Refresh
Because it wasn't tested well enough? For example, in the case of the system call entry path, Andy Lutomirski found a bunch of bugs over the past few months - including CVE-2014-4508, CVE-2014-9090 and CVE-2015-2830. His changes for 4.1 include the addition of regression tests as well as cleaning up that code.

Comment: Re:Good. +1 for Google. (Score 1) 176

Yet all the browsers consider unencrypted connections more secure than connections encrypted with a self signed certificate.

No. They consider that entering or following a link to an 'https:' URL means that you expect a secure connection. In this context, a self-signed certificate that has not been whitelisted is an error.
