
Comment: Re: What's the point? (Score 1) 68

by rickb928 (#48939015) Attached to: Microsoft Launches Outlook For Android and iOS

The plan where I work is to roll out first iOS and then Android apps to securely run corporate email, calendar, etc. (?) over the VPN. Then kill the BES servers.

Security is a very big deal here. That's why the mobile apps are taking so long to be finished. BES is no longer worth the money, and we all want to use our own phone anyways.

Comment: Re:pot and kettle (Score 1) 167

by rtb61 (#48938117) Attached to: Microsoft To Invest In Rogue Android Startup Cyanogen

There is a whole Wikipedia article on the machinations of M$ http://en.wikipedia.org/wiki/C..., then there is Embrace, extend and extinguish and there is also Fear, uncertainty and doubt http://en.wikipedia.org/wiki/F..., with M$ having a reputation for having mastered it. So the fellows at M$ were pretty naughty but that seems pretty much typical for major corporations when they become dominant, they just automatically turn into a great big old bag of exploitative dicks until they end up being sufficiently punished by the market. They of course try to fend this off, normally seeking government assistance to protect their position via the application of hordes of corrupt lobbyists.

Eventually once sufficiently punished and managed largely replaced they can sometimes come good although they can never ever be trusted as a dominant player again. There is of course no harm in using them to weaken other players who have gained dominance, maintaining a balance in suppliers being important.

Basically oversized corporations are just a really, really bad idea and breaking them up and keeping them small often serves everyone far better.

Comment: Re:why does anybody feel safe purchasing from them (Score 1) 58

by codeButcher (#48938081) Attached to: Alibaba Face Off With Chinese Regulator Over Fake Products

Yet, you need to learn the story of Alibaba and the 40 thieves.

Alibaba was a woodcutter and not a thief.

Before you get too high and mighty, you might want to remember that Ali Baba stole from those 40 thieves which is what eventually got his brother killed (because of his own greed) and almost got Ali Baba killed as well. So the OP calling Ali Baba a thief is 100% accurate.

So, a destroyer of Arabia's once-lush forests, and trafficker in innocent slave girls. (Also: muslim, which excuses all the previous.)

Why yes, the previous was supposed to be in jest, thanks for asking.

Comment: Re:Now using TOR after WH threats to invade homes (Score 1) 282

by causality (#48937501) Attached to: EFF Unveils Plan For Ending Mass Surveillance

Name calling is not shunning or shaming. It is attacking the person and not the argument and therefore has no place in civil discourse.

By the way, now that I re-read this during a spare moment and once again think about it, I can again respond to you in what I hope to be a worthy way, yet this time focus on a different dimension of the thing at hand.

I would ask you to consider, simply, this other and possibly alien point of view: the "name-calling" types are simply enacting the lower (or if you like, "gutter") form of an idea that is nonetheless technically true. The name-callers are merely those who recognize this but also have a need to make you look worse in order that they know better, or otherwise focus on what they think is wrong with you, with little or no serious constructive suggestion concerning what precisely is wrong with your view and how better to regard the situation. Like the thinking individuals, they see what the problem is; otherwise, they lack the clarity and objectivity to identify the problem and suggest a sensible solution. By contrast, they're simply bitching. But even those people are correctly identifying that something is amiss. They're just the least clever and easiest to ridicule among those who all arrive at the same conclusion.

Comment: Re:So... (Score 1) 143

by Chas (#48937085) Attached to: FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed

This is where the whole notion of risk management comes into play.

Now, if you're a world famous nuclear scientist working on spurting-edge fusion power experiments, a stupid-rich CEO of an unpopular company or a politician with even more dirty laundry than your AVERAGE political hack, you're probably a FAR bigger target than "Joe Familyguy".

I'm not saying "don't secure your shit."

But at some point, the risk/return equation simply becomes unacceptable for most people.

Technically, if you disassembled your machine, broke it down to component parts, sealed each part inside an air/water-tight safe (a different safe for every part), and buried each part in a location only known to you in a concrete and rebar cage, your shit would be REALLY fucking secure.

But actually using the system (let alone accessing the data) becomes an unacceptable hassle.

So, at some point, there's ALWAYS tradeoffs between security and usability. ALWAYS. Anyone telling you different is selling you a line of high-grade BULLSHIT.

Comment: Re:Xscreensaver (Score 1) 364

by gringer (#48937009) Attached to: Why Screen Lockers On X11 Cannot Be Secure

why are you letting jwz do your thinking for you?

An alternative, related question, why are you saying things without references?

I don't have a good knowledge of the intricacies of screen locking and controlling input devices, so I have to refer to others who I consider to share my general view point, but who appear to be more knowledgeable in a particular area. This is a very common approach in research, and separates out the people who have their own theories based purely on anecdotal evidence from the people who build on the theories and evidence of other research.

My observation is that almost every program has bugs, and the number of bugs increases (in a non-linear fashion) with the size of a project. Bugs in software that deals with authentication are particularly serious, because a bug may be exploitable to give someone privileges that they would otherwise not have (see toolkit discussion).

If you disagree, please address why security is something that should be handled by screensavers, instead of the display manager.

I don't feel that I need to do this, because it has already been addressed in the toolkit discussion. You're giving off the impression that you haven't actually read the toolkit discussion. Please provide some other evidence why the arguments put forward by JWZ are incorrect (preferably something other than "he is a pretentious idiot, so he's wrong"). Anyway, because you're giving this impression, I feel it necessary to post more of that discussion here:

So, you want xscreensaver to invoke the "unlock dialog" program and wait for a response. The unlocker would use a GUI toolkit, and would be linked against the various security libraries. Perhaps the way it would work is that it would print either "yes" or "no" on stdout, depending on whether a password was correctly entered. Were it to crash, the daemon would take that to mean "no"...

In fact, this approach would actually reduce the number of libraries (and thus, lines of code) in the daemon itself, since the daemon would not need to link against things like PAM and crypto. That's a good thing.

So that doesn't sound hard so far, except that the xscreensaver daemon has the keyboard grabbed. It's pretty important that it hold that grab, because otherwise keystrokes tend to go "through" the xscreensaver window and reach random desktop windows underneath.

This [raises] the question of, how do the keystrokes get to the unlock dialog at all? That's a difficult question. Understanding how to do that right requires a lot of knowledge about X (which I have) but also probably a lot of knowledge about foreign-language input methods and screen readers and other accessibility-ware (which I do not have.) ...

In the current system, where the same process is the creator of both the screen-blanking window and the unlock dialog, this is not a problem: that process gets all the events it wants. But when they are in different processes, we need a way for the keyboard and mouse events to get to the process driving the unlock dialog. So you'd like to transfer the grabs from the xscreensaver daemon to the unlock dialog, and then transfer them back afterward. Unfortunately, there is no way to transfer grabs atomically in X. ...

Another possibility is for the xscreensaver daemon to keep its grabs, meaning that all keyboard and mouse events would go to it; but then for it to use XSendEvent() to generate synthetic events on the lock dialog window. That is, the xscreensaver daemon would read a KeyPress, and then would simulate an exact duplicate of that KeyPress on the lock dialog window.

[arguments against this: Applications can tell the difference between real and synthetic events, so might reject synthetic events as a security measure. Input methods need to be embedded in the dialog, rather than as a separate window] ...

In Summary

Making the xscreensaver unlock dialog securely use a toolkit is difficult, but possible, were a knowledgeable person to do the work. If the work were done well (by which I mean: clearly commented and documented, and with obvious attention paid to the security implications) I would be happy to incorporate those changes into the xscreensaver distribution.

Making the unlock dialog also be able to take advantage of accessibility tools is probably a lot harder. I don't know how much harder, because I'm not an accessibility expert. But anyone intending to implement that had better be both an expert on accessibility, and well versed in secure X11 programming, because the security implications of getting it wrong would be dire indeed.
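The first step of the design quoted in the comment above (the daemon runs a separate unlock program, reads "yes" or "no" from its stdout, and takes a crash to mean "no"), sketched as an added example that is not part of the original comment and is not xscreensaver code. `unlock_verdict` and the shell one-liners standing in for the unlock helper are hypothetical; the keyboard-grab problem the quote goes on to describe is not addressed here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical daemon-side check: run the unlock helper and return 1 only if
 * it exits cleanly with exactly "yes\n" on stdout. Anything else means "no". */
int unlock_verdict(const char *helper_cmd)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {                      /* child: becomes the helper */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execl("/bin/sh", "sh", "-c", helper_cmd, (char *)NULL);
        _exit(127);                      /* exec failed: non-zero exit, so "no" */
    }
    close(fds[1]);
    char buf[16];                        /* a valid answer is 4 bytes */
    size_t len = 0;
    ssize_t n = 0;
    while (len < sizeof buf &&
           (n = read(fds[0], buf + len, sizeof buf - len)) > 0)
        len += (size_t)n;
    int bad_read = (n < 0) || (len == sizeof buf);   /* error or oversized */
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    /* A crash (death by signal) or non-zero exit overrides whatever was printed. */
    if (bad_read || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return 0;
    return len == 4 && memcmp(buf, "yes\n", 4) == 0;
}

int main(void)
{
    /* Constructed stand-ins for the unlock dialog program. */
    const char *helpers[] = { "echo yes", "echo no",
                              "echo yes; kill -SEGV $$", "echo yes; exit 3" };
    for (size_t i = 0; i < sizeof helpers / sizeof helpers[0]; i++)
        printf("%-26s -> %s\n", helpers[i],
               unlock_verdict(helpers[i]) ? "unlock" : "stay locked");
    return 0;
}
```

A helper that hangs would block this function indefinitely; a real daemon would also need a timeout.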

Comment: Re:Add noise (Score 1) 82

by gweihir (#48936887) Attached to: Georgia Institute of Technology Researchers Bridge the Airgap

It is not. A Faraday cage is great for shielding a static E field (for this, it is perfect if made from a perfect conductor or you wait infinitely long), but it does exactly nothing for shielding the B part. Hence a Faraday cage _weakens_ electromagnetic radiation, but it does not block it completely. What you need is proper EM-shielding, which can be accomplished with any conducting material, but effect is dependent on thickness.

It is fascinating though that you think a Faraday cage would give you 100% reliable protection, when it does no such thing. This exemplifies the real problem with IT security: Too many people that think they know what they are talking about, when in fact they have no clue.
