Comment: Re:Actual Experience Against "Responsible Disclosu (Score 1) 170

by DERoss (#46794617) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

In the end, the administrator organization for Webster's pension plan was fined by the Australian government for not having proper security for its data, for not properly testing its system, and for not detecting Webster's intrusions (even though the intrusions were very visible in the system logs). Criminal charges against Webster were never pursued.

Comment: Actual Experience Against "Responsible Disclosure" (Score 4, Interesting) 170

by DERoss (#46787789) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

Historically, so-called "responsible disclosure" has resulted in delayed fixes. As long as the flaw is not public and causing a drum-beat of demands for a fix and a possible loss of customers, the developer organization too often treats security vulnerabilities the same as any other bug.

Worse, those who report security vulnerabilities responsibly and later go public because the fixes are excessively delayed often find themselves branded as villains instead of heroes. Consider the case of Michael Lynn and Cisco in 2005. Lynn informed Cisco of a vulnerability in Cisco's routers. When Cisco failed to fully inform its customers of the significance of the security patch, Lynn decided to go public at the 2005 Black Hat conference in Las Vegas. Cisco pressured Lynn's employer to fire him and also filed a lawsuit against Lynn.

Then there was the 2011 case of Patrick Webster, who notified the Pillar Administration (major administrator of retirement plans in Australia) of a security vulnerability in their server. When the Pillar Administration ignored Webster, he used the vulnerability to extract personal data from about 500 accounts from his own pension plan (a client of the Pillar Administration). Webster made no use of the extracted personal data, did not disseminate the data, and did not go public. He merely sent the data to the Pillar Administration to prove the existence of the vulnerability. As a result, the Pillar Administration notified Webster's own pension plan, which in turn filed a criminal complaint against Webster. Further, his pension plan then demanded that Webster reimburse them for the cost of fixing the vulnerability and sent letters to other account holders, implying that Webster caused the security vulnerability.

For more details, see my "Shoot the Messenger or Why Internet Security Eludes Us" at

Comment: Already Retired (Score 3, Informative) 238

by DERoss (#46784227) Attached to: I expect to retire ...

I retired about a month before my 62nd birthday. I delayed taking Social Security until my wife retired 2.5 years later; she delayed to a month after I started. Instead, we lived on our investments and her meager wages. She had to continue working so that we would have group health insurance through her employer. Then, we paid for continuing her health insurance via COBRA (about 6 months for me and 18 months for her). This was all per a set of spreadsheets that I developed to determine the optimum time to retire and how to finance it.

We are now in our early 70s. Our retirement investments continue to grow faster than we spend them. Until this year, we did not even spend all the dividends and interest. I expect that, by the end of this year, we will again have underspent our dividends and interest.

I manage our investments myself, relying on mutual funds. Of course, this means I am really relying on the managers of those mutual funds. However, the choice of which funds and how much to allocate to each is my own choice. For anyone interested in my investment philosophy, see my

We have a very comfortable retirement. No, I was not a corporate executive, entertainer, professional athlete, or hedge fund operator. For my entire career, I either created or tested software, primarily for use by the U.S. military to operate its earth-orbiting space satellites. No, I did not work for the government; I worked for defense contractors. (See my for a brief history of my career.) Our retirement is successful because I understand investing and choose to be somewhat conservative (despite my liberal politics) in how I handle money that might have to last another 30 years (being from a family that is very long lived).

Comment: Paper and US Postal Service (Score 3, Interesting) 385

by DERoss (#46756823) Attached to: Slashdot Asks: How Do You Pay Your Taxes?

U.S. and California

I have a degree in mathematics. Tax returns and their computations are merely a simple mathematical puzzle, which I easily solve.

I created two spreadsheets, one for federal income taxes and one for state income taxes. The latter is linked to the former because much of the California computations require inputs from the federal forms. Each year, I copy the prior year's spreadsheets into a new folder. I download the fill-in PDF forms for both governments and update the spreadsheets accordingly. I mark in yellow the spreadsheet cells that require new inputs; as I input those data, I remove the yellow.

California provides a Web site where I input my taxable income and filing status. The Web site tells me how much tax to pay. I wish the IRS would do the same. However, it is much easier to input into the IRS PDF files than into the California PDF files.

Since I have a large investment in a mutual fund, I can also get Turbotax for free. I download it and use it to check my spreadsheet results. I don't really like Turbotax because it requires too much irrelevant input and because it does not provide adequate capability to include explanatory attachments.

I print the PDFs and mail them via U.S. Postal Service. I never request certified or registered mail. I mailed my first tax returns when I was 16 years old. I am now 72. I have never had a mailed return go astray.

Comment: A Simple Solution (Score 1) 184

by DERoss (#46738455) Attached to: The Case For a Safer Smartphone

Don't change the phones. Don't change the cars. Instead, change the liability laws.

In an accident, a driver who was using a phone or other electronic communication device should be presumed to be grossly negligent. The presumption could be rebuttable, but that would require the driver to prove he or she was not using any such device. With gross negligence, the law should require the automobile insurance company to cancel the driver's policy. The law should also prohibit a grossly negligent driver from collecting any insurance benefit but not prohibit the driver's victims from being compensated.

Yes, there are uninsured drivers. Where I live, the police will often confiscate their cars if they are stopped for even a minor traffic violation. Thus, there is serious incentive to be insured or else not drive.

By the way, the reason we have so many, many laws is that not enough people will do the right thing. Laws set the minimum standard for behavior. When too many individuals treat that as the maximum standard, they are inviting new laws to be passed to raise the standard.

Comment: Re:developers don't cause bugs, QA does (Score 1) 716

by DERoss (#46224517) Attached to: Ask Slashdot: Should Developers Fix Bugs They Cause On Their Own Time?

Wrong! A good QA process prohibits the QA team from changing anything. QA can either approve the product or else send it back to the developers. In the end, QA is paid the same. Thus, QA has no vested interest in either approving or rejecting the product.

Comment: Just Fix Bugs (Score 1) 2219

by DERoss (#46180911) Attached to: Slashdot Tries Something New; Audience Responds!

I very much like the old design. It "scans" very easily. (By "scans", I mean by the human eye and mind, not by an electronic device.)

One thing that needs to be fixed is your use of non-standard HTML and CSS. Your home page has 140 HTML errors. Your CSS has 28 errors.

Also, the yellow box that led me to this page ( and is repeated to the top of this page says:
                        WE HEAR YOU We did tell you we wanted feedback. Hereâ€(TM)s our response.
Note the strange characters that appear in place of a simple apostrophe in "Here's".

Before you embark on a new design, make sure you are not propagating your errors.
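The "strange characters" quoted above are the classic symptom of UTF-8 bytes being decoded as Windows-1252: the curly apostrophe U+2019 is the three UTF-8 bytes E2 80 99, which cp1252 shows as "â€™" (the "(TM)" on this page is the ™ transliterated once more). The following is an added example, not code from the comment or from Slashdot; it reproduces the defect on a constructed copy of the quoted box text and repairs it only when the round trip is clean.

```python
# Added example: reproduce and repair UTF-8-as-cp1252 mojibake.
# Constructed sample based on the yellow box quoted in the comment above,
# with the ™ shown on the page in place of "(TM)".
SAMPLE = "WE HEAR YOU We did tell you we wanted feedback. Hereâ€™s our response."


def mojibake(text: str) -> str:
    """Simulate the defect: encode as UTF-8, then mis-decode as Windows-1252."""
    return text.encode("utf-8").decode("cp1252", errors="replace")


def repair_mojibake(text: str) -> str:
    """Undo the defect when, and only when, the reverse round trip is clean.

    Text that cannot be re-encoded as cp1252, or whose cp1252 bytes are not
    valid UTF-8, is not this kind of mojibake and is returned unchanged, so
    correctly decoded text (including a real U+2019) is never damaged.
    """
    try:
        raw = text.encode("cp1252")
    except UnicodeEncodeError:
        return text
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return text


def looks_like_mojibake(text: str) -> bool:
    """True when a clean repair changes the text, i.e. it was double-decoded."""
    return repair_mojibake(text) != text


if __name__ == "__main__":
    print(mojibake("Here’s"))          # Hereâ€™s
    print(repair_mojibake(SAMPLE))     # ... Here’s our response.
    print(looks_like_mojibake(SAMPLE)) # True
```

The usual root cause is a page or HTTP header declaring one charset while the bytes were written in another, so the fix belongs at the source (consistent declared and actual encoding), not in a repair pass.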

Comment: Ether (Score 1) 62

by DERoss (#46057393) Attached to: Searching For Dark Matter From Deep Under an Italian Mountain

The more I read about dark matter and dark energy pervading the universe, the more I think about ether (also spelled "aether" or "æther"), which also was supposed to fill the universe. Dark matter and dark energy will never be found because they are as real as ether. See the Wikipedia article at

Comment: It's Not Your E-mail Address, It's Your Name (Score 1) 388

by DERoss (#45929523) Attached to: Ask Slashdot: What To Do With Misdirected Email?

When I receive misdirected E-mail, it almost always results from someone selecting the wrong David or wrong Ross from their address book. That is, both the intended recipient and I are known to the sender. The sender's address book is organized by names, not by E-mail addresses.

I used to get phone calls in the middle of the night for a David Ross who was an attorney, either in private practice or in the District Attorney's office. The caller would be drunk and would have picked out the wrong David Ross from the phone book. Again, this was a problem with my name, not with my phone number.

There are apparently many, many David Rosses. I have met two others face-to-face, both times in doctors' offices. I have exchanged E-mail with several others. I even created a Web page about this situation at

How do I handle misdirected E-mail? On the first occasion, I reply quoting the original message. I tell the sender they have the wrong David Ross. If there is one of those caveats about confidentiality and deleting misdirected messages, I also inform the sender that such warnings are unenforceable, that the sender must bear full responsibility for ensuring correct addressing of such messages.

On subsequent instances from the same sender, I use a small application that returns the message in a format that indicates the stated E-mail address is invalid. That is, the message will appear as if bounced. If that does not work, I finally threaten to make any subsequent messages public by posting them on a newsgroup.

Comment: Re:agent strings... (Score 1) 381

by DERoss (#45633929) Attached to: Desktop Browser of Choice in 2013?

With both Firefox and SeaMonkey, it is very easy to spoof agent strings, to lie to Web servers by indicating I am using some browser that I have not installed. Actually, the default configuration of SeaMonkey has the user string
          Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
which says it is both Firefox and SeaMonkey.

Comment: Other: SeaMonkey (Score 4, Interesting) 381

by DERoss (#45633879) Attached to: Desktop Browser of Choice in 2013?

My preferred browser is SeaMonkey. It has the same "guts" as Firefox but a different user interface that I consider far superior to Firefox. By "guts", I mean the same HTML rendering engine, the same Internet interface, the same SSL processes, and often the same third-party extensions. However, SeaMonkey allows experienced users to tailor the browser in ways that Firefox does not.

It appears that Mozilla has been slowly "dumbing down" Firefox. In the process, the developers have also gone overboard in attempting to make Firefox super-safe for users, which is the main cause of the loss of tailoring. This safety is not restricted to browsing the Web safely but extends to configuring the user's own computer. This sometimes means a loss of functionality, overcome by a proliferation of third-party extensions.

Overall, many experienced users feel that Mozilla is trying to make Firefox too similar to Chrome in order to compete against Chrome. What Mozilla refuses to accept is the fact that, if a user wants Chrome, that user will install Chrome and not Firefox.

So far, SeaMonkey has been able to avoid these Firefox deficiencies.

Comment: Free Music? Yes, That "Business Model" Does Work (Score 0) 370

by DERoss (#45619347) Attached to: Get Ready For a Streaming Music Die-Off

I listen to streaming broadcasts sent over the Internet directly by radio stations. Most of these stations are non-profit, many of them part of National Public Radio. They seem not only to be surviving but even thriving. Three of the stations are sufficiently close that I can listen to them over the "airwaves". The rest of them are available only via Internet streaming.

Of course my taste in music is mostly classical, music that is still entertaining and appreciated more than a month after it is first released. In many cases, the recordings are no longer available commercially. If the cited trend in this article is true, perhaps young listeners might learn of the majesty of Beethoven, the emotion of Tchaikovsky, the joy of Gershwin.
