
Comment Re:Do we really want Google... (Score 1) 190

They are doing no such thing. [...] PPAPI (Chrome / Opera), NPAPI (Firefox due to be phased out), and ActiveX (IE due to be phased out).

Did you just rebut my claim that plugin support is being phased out by mentioning three incompatible plugin systems, two of which are end-of-life? Neither Firefox, Microsoft Edge (nor Safari for that matter) are slated to gain PPAPI support.

PPAPI plugins are only supported in Chrome and its variants, and usage is dismal. Of plugins that were most popular just two years ago, neither Silverlight (end-of-life), Unity Webplayer (end-of-life), the Google Earth plugin, Java, the Google Hangouts plugin nor the Facebook Videos plugin are available as PPAPI. PPAPI is in practice an internal Chrome API to be used with built-in modules (not plugins) such as Flash, the PDF viewer and NaCl.

All the above mentioned plugins are being supplanted by various HTML 5 features, with the possible exception of Java (which is just dying, as an in-browser technology). The native browser features aren't all there yet; Unity's native WebGL offering is still struggling with audio and video fidelity, but the gap is closing quickly. Already, Unity reports that compiling C# to .NET IL, IL to C++, and then C++ to asm.js JavaScript, and executing the result in Firefox, yields slightly better performance than executing the original IL in the (admittedly, somewhat dated) Mono runtime normally used in Unity.

Comment Re:Do we really want Google... (Score 1) 190

"Flash gets special treatment due to its market share, but make no mistake, the browser manufacturers are looking to kill it as soon as reasonably possible, too." If this is true, it's only because they've found more obtrusive and abusive ways to advertise to us that are more difficult to block.

The elimination of plugins is happening for entirely technical reasons. Microsoft obviously has their own Silverlight plugin, support for which is also gone in their latest browser.

HTML 5 is the future, also for ads. AdBlock etc. handle them without problems.

Comment Re:Do we really want Google... (Score 4, Informative) 190

Like it or not, all the major browsers are phasing out plugin support. Microsoft and Chrome have already dropped support for plugins other than Flash, and Mozilla is about to do the same. Flash gets special treatment due to its market share, but make no mistake, the browser manufacturers are looking to kill it as soon as reasonably possible, too.

Comment Re:Do what Amazon did... (Score 1) 69

Offer up a version of the package that is small enough to be audited in detail so that there are very very very few bugs with it.

I think they said they had it down to 6k?

Amazon's package depends on OpenSSL. What they've essentially done is to build an OpenSSL version that's 6k bigger than the existing monster.

Comment Re:No more! (Score 1) 69

Before complaining about mbed TLS's GPLv2 license, you should probably be aware that OpenSSL uses its own application-specific license, which is not OSI approved. The license contains an advertising clause similar to the original BSD license; that makes OpenSSL both GPL-incompatible and a general PITA to work with.

In fact, I'd wager that almost every time OpenSSL is redistributed, it's done in violation of the license. When was the last time you saw a product advertising that "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit"? That text has to appear whenever you advertise any OpenSSL-based crypto functionality.

The license is technically libre, but only by the skin of its teeth...

Comment Re:Expect an updated U.S. travel advisory. (Score 1) 28

At least if you do it you're pampered and it's safe, unless you act out (say run to one particular statue and piss on it, or grope a female soldier)

Right. According to the above mentioned Travel Warning from the U.S. State Department, the following then qualifies as "acting out" and can be cause for arrest:

* involvement in unsanctioned religious and/or political activities (whether those activities took place inside or outside North Korea)
* unauthorized or unescorted travel inside North Korea
* unauthorized interaction with the local population, including unauthorized attempts to speak directly to North Korean citizens
* exchanging currency with an unauthorized vendor
* taking unauthorized photographs
* shopping at stores not designated for foreigners

(The warning then goes on to say that "If DPRK authorities permit you to keep your cell phone upon entry into the country, please keep in mind that you have no right to privacy in North Korea and should assume your communications are monitored." So at least some things are just like in the US.)

Comment Re:Over think (Score 4, Informative) 152

The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:

Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.

But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.
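As an added example (not code from the NoCrack paper, PwdHash or Password Multiplier), here is what a "stateless password manager" actually does, in a PwdHash-style derivation, together with the check that exposes the second usability problem quoted above: the deterministic output cannot be adjusted to satisfy a site's password policy without keeping state. The site policies, domains and master secret are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed, illustrative site policies (assumption: not any real site's rules).
POLICIES = {
    "example.com": {"min_len": 8, "max_len": 64,
                    "require": [r"[A-Z]", r"[a-z]", r"[0-9]"]},
    # A legacy site that accepts only 6-8 alphanumerics: a hashed output
    # of fixed length and alphabet frequently cannot satisfy it.
    "legacybank.example": {"min_len": 6, "max_len": 8,
                           "require": [r"[0-9]"], "forbid": r"[^A-Za-z0-9]"},
}


def derive_site_password(master: str, domain: str,
                         length: int = 16, iterations: int = 200_000) -> str:
    """PwdHash-style stateless derivation: site password = f(master, domain).

    The normalised domain is the salt, so one master secret yields a different
    password per site and the manager stores nothing. PBKDF2-HMAC-SHA256 makes
    offline guessing of the master secret expensive if a site leaks its
    derived password (a plain hash would not).
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.strip().lower().encode("utf-8"),
                              iterations, dklen=32)
    # URL-safe base64 gives printable output; padding stripped, then truncated.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


def policy_violations(password: str, policy: dict) -> list:
    """Return the policy rules the password breaks (empty list means accepted)."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append("too short")
    if len(password) > policy["max_len"]:
        problems.append("too long")
    for pattern in policy.get("require", []):
        if not re.search(pattern, password):
            problems.append(f"missing required {pattern}")
    forbid = policy.get("forbid")
    if forbid and re.search(forbid, password):
        problems.append(f"contains forbidden {forbid}")
    return problems


def check_site(master: str, domain: str) -> tuple:
    """Derive the site password and report whether the site would accept it."""
    pw = derive_site_password(master, domain)
    return pw, policy_violations(pw, POLICIES[domain])


if __name__ == "__main__":
    for site in POLICIES:
        pw, problems = check_site("correct horse battery staple", site)
        print(f"{site}: {pw} -> {'ok' if not problems else ', '.join(problems)}")
```

The derivation is the easy part; the hard part is what to do when `policy_violations` is non-empty. Shortening the output, dropping symbols or appending a digit to satisfy one site means the user now has to remember that exception, which is precisely the per-site state the scheme set out to avoid.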

Comment Re:So how does this work? (Score 3, Interesting) 152

What you're proposing sounds like Kamouflage (PDF link from TFA), with only 1 decoy password set (Kamouflage suggests 10,000); and suffers from the problem of generating plausible fake master passwords without revealing anything about the real master password, as mentioned by the authors of NoCrack.

What the NoCrack authors try to achieve is a solution where every incorrect guess at the master password still provides a set of (incorrect but at least sometimes plausible) passwords. A bit like a one-time pad, which is the only provably secure encryption, because brute-forcing the key yields all the possible plain texts (both the correct and all the incorrect ones). Of course, the problem with the one-time pad is that the key length matches the plain text length, which would completely eliminate the benefit of a password manager. Additionally, as noted in TFA, authorized users might not like the idea that making a typo when entering the master password yields (seemingly) correct passwords. :-)

I'm not convinced the NoCrack authors have actually succeeded, as they claim, but can nevertheless recommend the NoCrack paper (PDF), since it discusses pros and cons of the approach and alternatives.
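To make the one-time-pad analogy from the comment above concrete, here is an added toy example (not NoCrack's or Kamouflage's code) of the honey-encryption idea: the site password is encoded as an index into a list of plausible passwords, and that index is shifted by a master-derived pad modulo the list size, so every master-password guess decrypts to some entry of the list. A conventional vault with an integrity tag is shown beside it, because the tag is exactly what an offline brute-forcer uses to tell a wrong guess from the right one. The `PLAUSIBLE` list, the pad construction and the site names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed model of "plausible" site passwords (an assumption made for this toy).
# NoCrack and Kamouflage build a far richer model of real password distributions;
# here the message space is just this list, so every decoy is drawn from it.
PLAUSIBLE = ["password1", "letmein!", "Summer2015", "qwerty123",
             "hunter2", "iloveyou", "Welcome1!", "dragon99"]
N = len(PLAUSIBLE)


def _key(master: str, salt: bytes) -> bytes:
    """Slow KDF so each master-password guess costs the attacker real work."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, 50_000)


def _pad(key: bytes, site: str) -> int:
    """Per-site pad in [0, N): a one-time pad over Z_N, one element per site."""
    digest = hmac.new(key, b"pad:" + site.encode("utf-8"), "sha256").digest()
    return int.from_bytes(digest[:4], "big") % N


def honey_encrypt(master: str, site: str, password: str, salt: bytes) -> int:
    """Encode the password as its index (a toy DTE), then add the pad mod N."""
    return (PLAUSIBLE.index(password) + _pad(_key(master, salt), site)) % N


def honey_decrypt(master_guess: str, site: str, ct: int, salt: bytes) -> str:
    """Every guess maps ct to some index in [0, N), hence to some plausible password.

    A typo in the master password therefore yields a wrong but valid-looking result.
    """
    return PLAUSIBLE[(ct - _pad(_key(master_guess, salt), site)) % N]


def conventional_encrypt(master: str, site: str, password: str, salt: bytes) -> tuple:
    """Same pad, but with an integrity tag, as a normal authenticated vault has."""
    key = _key(master, salt)
    ct = (PLAUSIBLE.index(password) + _pad(key, site)) % N
    tag = hmac.new(key, b"tag:" + site.encode("utf-8") + bytes([ct]), "sha256").digest()[:8]
    return ct, tag


def conventional_decrypt(master_guess: str, site: str, ct: int, tag: bytes, salt: bytes):
    """Returns None on a wrong guess: that signal is the brute-forcer's oracle."""
    key = _key(master_guess, salt)
    expected = hmac.new(key, b"tag:" + site.encode("utf-8") + bytes([ct]), "sha256").digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return None
    return PLAUSIBLE[(ct - _pad(key, site)) % N]


def offline_attack(candidates: list, decrypt) -> int:
    """How many candidate master passwords the ciphertext alone fails to rule out."""
    return sum(1 for guess in candidates if decrypt(guess) is not None)


if __name__ == "__main__":
    salt = os.urandom(16)
    site, real = "bank.example", "hunter2"
    guesses = ["correct horse", "correct horse ", "Password1", "letmein"]  # first is right
    h = honey_encrypt("correct horse", site, real, salt)
    c, t = conventional_encrypt("correct horse", site, real, salt)
    for g in guesses:
        print(f"{g!r:18} honey -> {honey_decrypt(g, site, h, salt):12} "
              f"conventional -> {conventional_decrypt(g, site, c, t, salt)}")
    print("conventional survivors:",
          offline_attack(guesses, lambda g: conventional_decrypt(g, site, c, t, salt)))
    print("honey survivors:       ",
          offline_attack(guesses, lambda g: honey_decrypt(g, site, h, salt)))
```

Against the conventional vault the attacker's candidate list collapses to the one guess whose tag verifies; against the honey variant every guess survives, because the ciphertext is a uniform shift over the whole message space, exactly as with a one-time pad. The toy only achieves that because `PLAUSIBLE` is the entire message space and all entries are equally likely. Real passwords are anything but uniform, and building an encoder whose decoys follow the true distribution closely enough that an attacker cannot rank them is the hard part the NoCrack paper is about.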

Comment Re:How many other flaws (Score 5, Informative) 173

Some facts about the U.S. justice system:

* The Reid technique is widely used for interrogations, a technique notorious for its effectiveness in enticing false confessions.
* Only 5 % of convicted felons had their case tried in court; the rest make a plea bargain (typically under threats of excessively long prison sentences and/or the death penalty).
* Judges are elected, subjecting them to the whims of public opinion and making them more politicians than impartial legal officials.
* At least 4 % of people sentenced to death in the U.S. are innocent.
* The U.S. incarcerates more people than any other country in the world, not just relative to the population size, but in absolute numbers.
* U.S. private prisons see $3+ billion in annual revenue... Not that that has anything to do with the above issues, I'm sure.

The U.S. justice system is broken in so many ways, I'm certainly forgetting some things.

Comment Re:My question about international data collection (Score 2) 200

ES said that if my gmail account was moved overseas on an international server, then the NSA could have a copy of my account even if there were no international sources/targets. Is that true or false?

That's true. While theoretically the NSA is not allowed to monitor communications between two American citizens, in practice, any communication leaving the country is simply assumed to involve a foreigner and is thus up for grabs. This "inadvertent" capture of American communications is in fact standard operating procedure:

The government has set a dismally low bar for concluding that a potential surveillance target is, in fact, a foreigner located abroad. By default, targets are assumed to be foreign. That's right, the procedures allow the NSA to presume that prospective targets are foreigners outside the United States absent specific information to the contrary—and to presume therefore that those individuals are fair game for warrantless surveillance.

Comment Re:FMH (Score 5, Interesting) 128

I've seen an example that works: The Danish film and video game rating system.

It differs from e.g. the US system in a number of ways:

* It's run by an independent government-sponsored organization, not the industry.
* For children not accompanied by an adult, the highest rating is "15 and older".
* Children ages 7 and up can see any movie if accompanied by an adult, no matter the rating.
* The board is charged only with determining if a film could be psychologically damaging to a typical child. They do not judge the "morals" and message of the film.
* The board features actual child development experts. As such, they know that cursing and nudity are not harmful to children, and if that's all the film contains, it will be rated "All audiences".

Example: "Harold & Kumar Go to White Castle".

USA (MPAA): 17+ (unless accompanied by an adult) due to "strong language, sexual content, drug use and some crude humor".

Denmark: 7+ recommended (but all ages admitted) due to "strange and threatening persons, assaults, fights and accidents [...] all in a comedic context" (a context which could be lost on very young children).

To quote the ratings board:

The Media Council classifies films based on a perspective purely concerning harmfulness. The classification decision shall be made on the basis of an assessment of whether a film is considered harmful for children in that particular age group. When classifying films, we look at film effects, depictions of grievous loss, degree of realism, possibility of identification, inclusion of redemption within the course, genre and the expected media competences of the age group in question.

The Media Council’s view on child protection is that
* Children can manage a good thrill.
* Children are not likely to fall to pieces by the slightest push.
* Children are active users of media and, therefore, already at an early age, they have accumulated both media competencies and experiences.
* Media are good resources in children’s everyday life.
* It is acceptable that films frighten, though, only to a certain limit. The Media Council sets these limits.

Comment Re:I'm one of those engineers... (Score 2) 341

we havnt even fixed the train crash issues yet... and how hard could that be :)

Not that hard. Automatic train operation is a solved problem; a properly installed, modern ATO system is safer than the best human driver, better at following timetables, and even has significantly lower energy consumption. In fact, many ATO mass transit lines cannot be run manually (without cutting down on the number of departures); human drivers are not able to keep up with the amount of traffic managed by the ATO.

An ATO will not stop the train if there's an unregistered person or vehicle on the tracks (or if the tracks are gone entirely, e.g. due to flooding). But then, the braking distance for a passenger train at speed is high enough that a human won't be able to stop it either.

Also, ATO systems may have a higher false-positive rate than manual systems... e.g. stopping the train because an umbrella has fallen on the tracks (to take a concrete example from the Copenhagen Metro). But that's an availability issue, not a safety issue. (And as noted, humans aren't able to keep up during normal operation, so the ATO still wins on availability overall.)

Full disclosure: I work with ATO systems.
