
Comment: Re:Hardware is trusted (Score 4, Insightful) 83

It'd be nice if the next iteration of EFI had a more robust upgrade security design.

Something like this: Firmware upgrades are not possible from inside the OS. At all. Instead there's a switch on the mainboard that is only accessible when the computer has been physically opened. When that switch is on, EFI will refuse to boot any OS and all onboard SATA/SCSI controllers are physically disabled. EFI will scan every USB port* for a FAT32-formatted mass storage device containing a file with a certain filename, which is then displayed for your approval, checked and installed. While the switch is off, changing the firmware should be prevented in hardware, such as by detaching a certain line required to write to the flash chip. (Settings should be stored on an unprotected chip and can be changed while the computer is bootable.)

You're in a corporate setting and need to update 16.000 identical desktop computers all at once? Make sure the computers have an enterprise-ready mainboard that can pull the update from the network (e.g. using something similar to BOOTP). You'll still have to toggle that switch and confirm the prompt. That's as convenient as it should get; after all, if there is any chance that the firmware is modified while an OS is loaded, any successful attack on the OS leaves your firmware in a potentially compromised state.

* Yeah, I know, USB also has infectable firmware. Unfortunately, I don't know of a reasonable mass storage standard that doesn't. And making people physically swap PROM chips won't fly.

Comment: Re:But they help also (Score 2) 366

by Jesus_666 (#49291727) Attached to: Uber Shut Down In Multiple Countries Following Raids

Examples of crap in the list above: taxi drivers must know the area they operate in. Really? What does it even mean to know the area? London black cab drivers have to pass an exam called The Knowledge that requires them to memorise street maps of the city, so at least it's well defined there, but this is nonsense from the pre-GPS era. There's no need for cab drivers to do it all in their heads these days, and I'd much rather they rely on the computer which will always pick the fastest route and can't decide to take a detour because the passenger looks like a tourist.

And then the GPS makes a silly mistake as they are apt to do and the driver can't tell. From my experience, car navigation systems aren't mature enough to blindly rely on.

Another example: drivers must know the radio protocols. Why?! Uber drivers receive instructions via an intuitive smartphone app. Controlling cabs via radio is an obsolete technology yet the requirement to use it lives on.

That depends on the size of the company. If you have a one-man operation that only works via Uber, yes. If you have a dozen cabs and use both Uber and regular phone lines to get customers, having a radio is really useful.

I do agree, however, that self-employed cabbies with only one car should be exempt from that one.

Yet another example: cars must be painted a particular colour. Why? Uber cars are located using modern technology, not by watching the roads for vehicles painted in a deliberately ugly colour. This is another obsolete convention progress has made irrelevant - yet it's mandated.

It's not irrelevant for when you want to identify a parking cab as a cab. Unlike you, I don't think it's wise to completely abolish traditional cabs because some random company had a neat idea. Again, though, this is one requirement they should waive for self-employed cabbies that only work through a broker like Uber.

Then we get to the more questionable things that aren't obsolete exactly, just arguable. Why is it possible to have enough driving violations to be struck off as a cab driver, but still be allowed to drive friends and family around? Surely you're either safe enough to use the public roads, or you're not, and the commercial relationships you have with the people inside make no difference?

Because you don't spend a significant amount of time driving your friends and family around. Generally, people who don't work as drivers spend relatively little time on the road. People who earn their money by driving around have many more opportunities to screw up yet again.

People with a criminal record are banned from working as drivers? ALL crimes? What about crimes that don't involve being actually dangerous, like white collar crimes? Why can't hiring decisions like this be left to the cab companies?

I'd have to talk to a lawyer for that one but my guess is that it's tied to the reliability requirement. If you can't act in the interest of society then you're not expected to act in the interests of your passengers. It's just guesswork on my part, though.

Taxi drivers must know first aid? Presumably someone injured themselves in a cab once and some regulator thought this was a good response. What if that person injures themselves on the street? Why not require everyone to be trained in first aid? This kind of arbitrary distinction doesn't make much sense until you remember that we have these regulators sitting around with nothing better to do all day than craft rules for their tiny piece of jurisdiction.

Everyone IS required to be trained in first aid. Germany has a "duty to rescue" law and you can't get a driver's license without attending a training course on basic first aid, CPR and traffic accident rescue procedures. If you come across an accident you are required by law to stop, call the emergency hotline if possible and do your best to keep the people there alive until professional help arrives. This is also why every car in Germany is mandated to have an appropriate (and non-expired) first aid kit onboard - at least if you intend to operate it on public roads.

It's recommended that people attend a refresher course on this stuff every couple years but few people do. For professional drivers, though, the refresher course is mandated.

(And before you ask about what happens if you make things worse: When rescuing someone you're immune from prosecution if you acted in good faith and your measures were in accordance with an average person's understanding of first aid. That's why we make sure that the average driver's understanding of first aid is at least semi-decent. Likewise, you won't be prosecuted if you couldn't act, e.g. because you can't stand the sight of blood. Still, you can't just drive on.)

And so on and so on. It's easy to take a reflexive "COMPANIES BAD GOVERNMENTS GOOD" position in these situations, but my experience of regulators has been that they never reform themselves ... all they ever do is add more and more requirements. Short of a company like Uber showing people how differently things can work, how would progress ever be made?

That doesn't elevate Uber above the law. If Uber has a neat business model, good on them. But that business model can't trump the law. If Uber wants the law changed because certain parts don't make sense with their model they'll have to convince the lawmakers (ie. lobby for it), not just ignore the law and then act indignant when they're busted for doing so.

That's like pirating Oracle Enterprise Database for your company because you find Oracle's prices too high and then complaining when the BSA comes knocking at your door. Oracle's prices may be high but that still doesn't make the copyright go away.

Comment: Re:But they help also (Score 2) 366

by Jesus_666 (#49290359) Attached to: Uber Shut Down In Multiple Countries Following Raids
Isn't that exactly what happened here? Uber decides that the law doesn't apply to them because they say so; the law demonstrates what happens to people who act that way. Uber's sleaziness with respect to the law is punished.

Sure, the licensing requirements in some places might be absurd but that doesn't mean we should root for Uber. A lot of regulations for taxi drivers go beyond "has paid $N"; for instance, German taxi drivers are required to know things about traffic and transportation law that most people don't and also have to prove that they actually know the area they operate in. Uber doesn't require any of this; their drivers have a regular driver's license and that's it. Most of them probably haven't even taken a first aid class in the last five years, which taxi drivers also have to (and regular drivers are encouraged to).

If Uber wanted to compete fairly they'd get in touch with the appropriate people and lobby for an overhaul of the relevant laws to account for self-employed, third-party-brokered taxi drivers that operate on a pre-arranged flat fee bidding system. Those taxi drivers would still need licenses but some parts of the law could be streamlined or made more flexible. On Uber's part all that changes is that they ask for the taxi license number when you sign up and check every five years if it's still valid. That's the way we do things in civilized society. The way Uber does it is essentially organized crime - even if only because they're an organization that brokers deals for people who violate the taxi laws of their country.

(Also, someone pointed out that in NYC you can just wave down a taxi whenever you need one, which suggests an extreme taxi density compared to most other places in the world. NYC might want to limit the number of taxis on the streets, which would explain the extreme license cost - although a more elegant approach might be to simply refuse to issue new licenses until the number of active ones has dropped. This would still work against newcomers but that's inherent to the problem.)

Comment: Re:But they help also (Score 4, Informative) 366

by Jesus_666 (#49290077) Attached to: Uber Shut Down In Multiple Countries Following Raids
IANAL but a bit of googling revealed that apparently German taxis are subject to at least these laws or parts of them: (I'll selectively paraphrase; there's quite a bit more in there.)

Personenbeförderungsgesetz (PBefG): Contains rules for passenger transportation with trams, trolleybuses and motor vehicles. Apparently trains are covered elsewhere. Only some of the rules apply because cars (vehicles that can transport up to six people including the driver) have a special exception.

Verordnung über den Betrieb von Kraftfahrunternehmen im Personenverkehr (BOKraft): Contains rules for passenger transportation companies that use trolleybuses or motor vehicles. This seems the most important one for taxi companies and covers things like vehicle maintenance, whether subcontracting is allowed, notification requirements, how to deal with lost property

The taxi-specific sections cover things like technical requirements, such as an alarm wired to the horn and lights that the driver can activate from their seat, a calibrated and illuminated taximeter or an optional bulletproof divider. Taxis must be painted with the color RAL 1015 of the RAL 840 HR palette and must have a "TAXI" sign of specific orientation and dimensions on top. They must display their taxi registration number in a specific style and place and also display the name and address of the company where the passenger can easily read them. Taxi drivers must take the shortest possible route to their target; if another route would be cheaper or faster, this has to be cleared with the passenger beforehand.

There's also some stuff in there that most people don't know - for instance, BOKraft-covered transport vehicles must have a copy of the laws governing pricing onboard and must show them to the passenger upon request.

Berufszugangsverordnung für den Straßenpersonenverkehr (PBZugV): Contains rules on who is allowed to transport other people. People with a criminal record or a record of severe traffic law violations are banned from working as drivers; company-level misbehavior might disqualify an entire company. Companies must have enough money to keep their fleet in shape. They must regularly check whether all drivers are still qualified to work as taxi drivers.

Drivers (in order to be hirable) must have an understanding of the laws governing passenger transportation, of vehicle maintenance, of radio protocols, of certain accounting procedures and even of environmental guidelines on vehicle operation and maintenance. They must pass two written and optionally one additional oral exam of one hour each with the local chamber of industry and commerce; alternatively, five years of work in a different PBZugV-covered company can be seen as equivalent.

Paragraph 48 Fahrerlaubnisverordnung (FeV): contains rules on taxi driver licenses. Examples: Taxi drivers must prove they know the area they operate in and that they have an appropriate understanding of first aid. If the driver is found unreliable, the license can be revoked (e.g. this once happened after a driver repeatedly refused to make short distance trips). Taxi driver licenses have to be reapplied for every five years.

Others, like the FPersG and FPersV, cover legal technicalities like when and how to have your license card with you etc. Additionally, municipalities may pass additional regulations.

So yeah, the law is pretty clear: None of the people who work for Uber are licensed to do so, thus they can't guarantee that they know about stuff like applying laws or where to drive. They can't even guarantee that the drivers aren't explicitly banned from working as drivers. Of course the law is going to come down hard on them.

If ridesharing is here to stay the law might adapt, but only by relaxing the signage requirements for very small companies. You'd still have to have a taxi driver's license, you'd still have to register the car and you'd still have to demonstrate an understanding of everything in appendix 3, PBZugV. There's no chance they'll let "But, the internet!" trump regulations that, to me, are either sensible stuff to guarantee an acceptable level of service or bureaucratic overhead to make the sensible stuff work.

White House office to delete its FOIA regulations

Submitted by Anonymous Coward
An anonymous reader writes "The White House is removing a federal regulation that subjects its Office of Administration to the Freedom of Information Act, making official a policy under Presidents Bush and Obama to reject requests for records to that office.

The White House said the cleanup of FOIA regulations is consistent with court rulings that hold that the office is not subject to the transparency law."


Researchers find same RSA encryption key used 28,000 times

Submitted by angry tapir
angry tapir (1463043) writes "While scanning the Internet to see how many servers and devices are still vulnerable to the "FREAK" flaw, researchers with Royal Holloway of the University of London discovered large numbers were accepting 512-bit RSA keys — and large numbers of devices using the same public keys. In one egregious example, 28,394 routers running a SSL VPN module all use the same 512-bit public RSA key."

Comment: Nuclear explosion (Score 1) 1080

by Jesus_666 (#49260843) Attached to: How To Execute People In the 21st Century
Just nuke them. It has a lot of advantages:

- You can get rid of old nuclear warheads that don't operate to spec anymore. As long as they still have enough power to vaporize a group of people sitting right next to them they're fine.
- It should be fairly painless, given that the prisoners' brains quickly transition to a gaseous state.
- It's inherently flashy so everyone looking for bloody retribution can see it being served from one state over.
- It's inherently suitable for group executions, which makes it very efficient in dealing with America's large number of criminals.
- It makes you consider whether you really want that prisoner dead. If you're not willing to nuke some part of your state you probably don't want the person's death that much.

Plus, it doesn't make you look much sillier than complaining about how nobody wants to sell you equipment for killing your own citizens.

Comment: Steam Cloud to the rescue? (Score 1) 73

by Jesus_666 (#49247759) Attached to: New Crypto-Ransomware Encrypts Video Game Files
I wonder if Valve will expand the Steam Cloud in response. Steam already warns you on game launch if your savegames don't match what's in the cloud so broken savegames can be recovered as long as you don't sync. The flaw in that is that syncing happens whenever you exit the game so you'd have to force-kill Steam if you notice that everything is corrupt. (Perhaps this only applies if your game actually saved something but some games are very save-happy.)

If Valve adds a simple versioning system, even if it just offers the current version and the one before that, crypto-ransomware will become completely useless against Steam titles.
