
Comment: A Problem and Its Solutions (Score 1) 29

by DERoss (#49289047) Attached to: Microsoft Blacklists Fake Finnish Certificate

It took quite a bit of searching before I could identify the specific root certificate involved. It turns out that root was already marked as "untrusted", which means I would not have been affected by this problem.

Also, the subscriber certificate involved is apparently marked as revoked in OCSP (Online Certificate Status Protocol) messages. Those who set their browsers to always confirm the validity of subscriber certificates via an OCSP server and who also set their browsers to assume a subscriber certificate is invalid if an OCSP response cannot be obtained are well protected from this problem.

Of course, for these solutions to be implemented, users must have browsers that allow root certificates to be marked "untrusted", that have an option to check certificates against OCSP servers, and that have an option to assume that a certificate is invalid if an OCSP response cannot be obtained. Mozilla-based browsers -- Firefox and SeaMonkey -- have all of those capabilities.
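The "assume invalid if no OCSP response can be obtained" behaviour described in the comment above, as an added command-line illustration (not the commenter's code): a hard-fail check built on OpenSSL's `ocsp` subcommand that reports "good" only when a verified response says so, and treats revocation, an unknown status, a missing responder URL, or any network or verification error as a failure. The default CA bundle path is an assumption; point it at the trust store actually in use.

```sh
#!/bin/sh
# Hard-fail OCSP check for a leaf certificate, mirroring the browser setting
# "treat the certificate as invalid if no OCSP response can be obtained".
# Prints exactly one word: good, revoked, or invalid. Only "good" exits 0.
#
# Usage: ocsp_hard_fail LEAF.pem ISSUER.pem [CA_BUNDLE.pem]
ocsp_hard_fail() {
    leaf="$1"
    issuer="$2"
    ca_bundle="${3:-/etc/ssl/certs/ca-certificates.crt}"   # assumed default trust store

    # Missing inputs are an error, and every error is a failure in a hard-fail model.
    if [ ! -r "$leaf" ] || [ ! -r "$issuer" ]; then
        echo invalid
        return 1
    fi

    # The responder URL comes from the leaf's Authority Information Access extension.
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri 2>/dev/null)
    if [ -z "$url" ]; then
        echo invalid           # no responder advertised: status cannot be confirmed
        return 1
    fi

    # Query the responder; stderr is captured because the verify verdict goes there.
    out=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
              -CAfile "$ca_bundle" -no_nonce 2>&1) || {
        echo invalid           # network error, timeout, malformed or unverifiable response
        return 1
    }

    # Accept only a response whose signature verified AND whose status is "good".
    case "$out" in
        *"Response verify OK"*)
            case "$out" in
                *": good"*)    echo good;    return 0 ;;
                *": revoked"*) echo revoked; return 1 ;;
                *)             echo invalid; return 1 ;;   # "unknown" or anything else
            esac ;;
        *) echo invalid; return 1 ;;
    esac
}
```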

Comment: FUDD (Score 1) 224

by DERoss (#49241709) Attached to: California Looking To Make All Bitcoin Businesses Illegal

(FUDD = fear, uncertainty, doubt, and disinformation)

Money-transfer businesses are already regulated in California as the result of several such businesses failing. The proposed law merely adds bitcoin-transfer businesses to that category. This is a consumer-protection proposal in an attempt to prevent another Mt. Gox.

Comment: Re:As stupid as bitcoin is (Score 1) 224

by DERoss (#49241605) Attached to: California Looking To Make All Bitcoin Businesses Illegal

I believe PayPal is already registered. Any company in the business of transferring money must register. Existing California laws require this in response to a number of cases where money-transfer businesses received payments but failed to transfer them, either because they went bankrupt or were just plain frauds. The new law merely proposes to include bitcoin transfer businesses within that same regulatory framework. This is NOT blocking bitcoin transfers; this is protecting consumers who want to transfer bitcoins.

Comment: Take Immediate and Thorough Action (Score 2) 230

Send a postal letter to the CEO of the financial institution. Explain the problem. Give the institution a deadline for action. Since I found no actual disclosure of information in my case, I gave the institution a month. In your case, a week should be the maximum.

If you do not hear back in a week, send a postal letter to the government agency that supervises the institution (e.g., SEC, Comptroller of the Currency, FDIC). Send a copy to the federal Consumer Financial Protection Bureau. Postal addresses are available online for such agencies.

It helps if the institution's privacy policy indicates such disclosures are not permitted. In that case, insist that the government agency enforce the institution's privacy policy.

Comment: Wireless Disabled (Score 1) 57

by DERoss (#49078225) Attached to: Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details

I have a Netgear N300 Wireless Router Model WNR2000v2. I have no WiFi devices.

In the router manager Web pages, I unchecked the checkboxes for "Enable Wireless Router Radio" and "Turn Remote Management On". I also unchecked all of the checkboxes under "Guest Network Settings", "Wireless Settings", and "Wireless Repeating Function". The wireless LED indicator on the router is not lighted.

Therefore, I expect this is not a problem for me.

Comment: Postal Letter to the CEO (Score 1) 141

by DERoss (#48687301) Attached to: Ask Slashdot: Dealing With Companies With Poor SSL Practices?

When I have a problem dealing with a U.S. company over the Internet, I go to http://finance.yahoo.com/looku.... This site will tell me the names of the top executives and the corporate postal address of a company whose stock is publicly traded, even on the most obscure exchanges. If the company's stock is not publicly traded, I then resort to Google. Sooner or later -- yes, with some effort -- I find out who is in charge and where to mail a letter.

I compose a non-threatening, literate letter to the CEO or president of the company. I explain in layman's terms what is wrong and why I won't do business with them until the problem is fixed. While the executive likely does not even see my letter, someone in his or her office will see it -- someone who has authority to correct the situation. Occasionally, the situation is indeed fixed.

After sending the letter via the U.S. Postal Service, I wait about a week. Then, I create a Web page re-creating my letter. Yes, I name names. The situation might not be fixed, but the problem and the company are now public. I carry a significant level of liability insurance.

Comment: Frankfurt Second Worst on My List (Score 1) 91

by DERoss (#48652811) Attached to: Major Security Vulnerabilities Uncovered At Frankfurt Airport

I have flown to and from or changed planes in 26 airports. Frankfurt Airport (Rhein-Main-Flughafen, FRA) was the second-worst next to the armpit of airports, which is Kona International (KOA) in Hawai'i. Flying from Los Angeles (LAX) to Budapest (BUD) my wife and I had to change planes in FRA. With 12 security stations, only four were open. It took us over 30 minutes in line to reach a security station. Some passengers booked on our plane to BUD missed the flight because they were still stuck in line at security. No, they did not arrive at the FRA airport late; they too were merely changing planes. If you already passed through security at a prior airport, you remain within the security "shell" when changing planes in a well-designed airport and are not subject to another security check.

See my "Avoid Kona and Frankfurt Airports" at http://www.rossde.com/editoria....

Comment: A Plan without a Plan (Score 5, Interesting) 229

by DERoss (#48511735) Attached to: FBI Seizes Los Angeles Schools' iPad Documents

The iPads were distributed without any planning about accountability. No one knew who would be responsible if an iPad were lost. (Without a parent's approval, the minor student could not be held legally responsible.) No one knew who paid for repairs. No one knew what was to happen to the iPad when the student moved to a different school district. No one even knew how the iPads would be used within the curricula.

For 8 years, I was an elected school board member in a quite small but high-performing school district. At the closest, we are about 1 mile from the Los Angeles Unified School District. Ours is a rather affluent community. We do not give our students personal electronics. We make PCs available in our high school library, which also serves as a public library where adults can also use PCs.

Comment: Broken Geolocation Is Good (Score 1) 100

by DERoss (#48382787) Attached to: Ask Slashdot: Getting Around Terrible Geolocation?

I use a browser extension called Secret Agent from https://www.dephormation.org.u.... This works with Gecko-based browsers (e.g., Firefox, SeaMonkey) on Windows, Mac, and Linux systems. It sends fake HTTP headers to confuse Web servers that are trying to track my browsing activities. This causes many geolocation routines to give wrong results. I have Secret Agent set to change its faked headers on every HTTP request sent from my browser.

While composing this comment, I tested a few sites. One had me on the coast of Argentina and then (same Web site) in eastern Michigan. GeoIP thinks I am in Indonesia. Although I am indeed in southern California, JustMyIP thinks I am two counties further south. Appspot thinks I am in Palo Alto, about 350 miles north of my home. IP Address Geolocation was the closest, thinking I am in Los Angeles. I am about a five-minute walk from the Los Angeles County line but about 8 miles from the Los Angeles City limits.

Between Secret Agent and setting my cookies file to "read only", I have some limited protection from tracking.

Comment: This Premise Is Already False (Score 5, Informative) 98

by DERoss (#48378307) Attached to: Carmakers Promise Not To Abuse Drivers' Privacy

Franchised car dealers already violate this promise; and many (most?, all?) independent service garages and body shops do, too. If you take your car to a dealer for servicing, your mileage is reported to CarFax, which then reports your mileage to your car insurance. If you have an accident and do not report it to your insurance, the accident is reported by the body shop that does the repairs. CarFax pays the dealers, garages, and shops for these data; and insurance companies pay CarFax.

What is worse is that erroneous data are difficult to correct. In advance of an insurance policy renewal, I received an E-mail message asking me to use the insurance company's Web site to report my mileage. When I reported 25,065 miles, the entry was rejected with a message indicating I could not report an odometer reading less than the prior reading. On the Web site, there was a link to view the mileage history for my car. The immediately prior entry was for 241,080 miles, reported by CarFax on the date of the last routine servicing of my car. I checked the invoice for that servicing; it indicated 24,108 miles. A zero had been added to the end of the mileage, either by the dealer's service department or by CarFax! Working with both the service manager at the dealer and the local agent for the automobile insurance company, it took several phone calls over a month to obtain a correction.

See http://www.carfax.com/, which will charge you for a report on a specific car. See also http://www.mycarfax.com/, from which you can get a free report.

Comment: OpenPGP (Score 2, Interesting) 63

by DERoss (#48322957) Attached to: The Fight Over the EFF's Secure Messaging Scoreboard

The scorecard gives negative marks for both PGP for Mac and PGP for Windows, for both "Are past comms secure if your keys are stolen?" and "Has the code been audited?" Both negative marks are quite wrong!!

Using the OpenPGP definition, decryption requires both a private key and a passphrase. If the private key is compromised but the passphrase remains safe, a file or message encrypted via OpenPGP cannot be decrypted. This depends, of course, on a lengthy passphrase that exists only in the user's head. My passphrase is over 20 characters long and contains upper-case and lower-case letters, spaces, and punctuation.

Older versions of PGP (a commercial implementation of OpenPGP) have indeed been audited. The source codes were made public. They were thoroughly examined by outsiders. And they were compiled and compared with the distributed binary code. I do not know if this is true of the latest versions, but the older versions contained no security vulnerabilities and still work quite well.

Comment: Re:Get rid of time changes and time zones! (Score 1) 613

by DERoss (#48295207) Attached to: Ask Slashdot: Where Do You Stand on Daylight Saving Time?

When everybody's carrying around a smart phone -- effectively, a computer with a GPS -- then it should be easy to calculate the actual local time, solar time, any place on Earth.

Everybody is NOT carrying around a smart phone. My wife has a dumb phone that satisfies her needs. I do not even have a dumb phone because I enjoy getting away from the phone.

A rolling disk gathers no MOS.