
Comment Re:WordPress is a security problem (Score 2) 51

This is why the Internet of Things people keep talking about is going to be so awesome! ;-)

Lots of products are failing and it's going to get a whole lot worse soon:
https://www.youtube.com/watch?...

Cars are my 'favorite' topic right now:
http://www.wired.com/2015/07/g...
http://www.wired.com/2015/07/h...
http://www.bbc.com/news/techno...
https://www.youtube.com/watch?...
etc.

They were already warned about the problems in 2011; there was a talk at the Usenix conference about it:
https://www.youtube.com/watch?...

They did say: business models are a problem.

So maybe that's the cause.

Comment Re:Thanks anonymous reader! (Score 1) 294

This was also a 'good' one:
http://arxiv.org/abs/1502.0737...
http://www.forbes.com/sites/br...

Maybe because I'm so aware of what is possible I've kind of given up ?

Anyway, the most likely use case for the DNS-lookup/TCP-connect and tracking would be webmail, a lot of webmail I know doesn't even have real links. They use redirects.

Comment Re:Thanks anonymous reader! (Score 1) 294

I already know what is possible and there is nothing you can do to prevent tracking or fingerprinting if all users don't use Tor and the same browser without any plugins and lots of features disabled in the browser.

Just look up HTML5 canvas fingerprinting and tracking or tracking, battery and HTML5. Those obviously don't work if you disable Javascript.

But you don't need Javascript, you can just use plain HTTP features. Look up evercookie, etag and kissmetrics. Although there was a court case with Kissmetrics, it's too bad that they settled. I would have loved to see a judge say: you did a very, very bad thing. Would have been great if they did that in 2013, maybe we would have a little less tracking now?

So while I agree tracking is bad and I think we should do something about it, getting rid of it completely is going to be impossible.

Comment Re:real-time adaptive video playback (Score 1) 220

but what people forget is that *adobe already succeeded*. ... what has been substituted in its place? well, sure, we can do real-time video browser-to-browser.... but the assumption is that there is "perfect conditions". perfect bandwidth. perfect connections. no drop-outs. no brown-outs. zero latency.

While bandwidth has gotten better, latency has actually gotten worse:
https://en.wikipedia.org/wiki/...

This makes it hard to make a good working protocol which is trying to use the maximum bandwidth. Even just TCP isn't working as it's supposed to most of the time.

Your browser probably includes WebRTC support, or soon will. And that means support for Opus, it's a state of the art free and open audio codec:
https://www.youtube.com/watch?...

Yes, video still needs to improve and prioritizing audio still needs to be done too. This all takes time, Adobe started on this problem a long time ago.

Give it time.

Comment Re:Thanks anonymous reader! (Score 1) 294

Apache and Varnish for example won't log it, because they only log HTTP requests.

nginx logs it like this by default though:
IP-address - - [timestamp] "-" 400 0 "-" "-" 0.000 - - (8000 4000 10 14480) - -

But it's very normal to have such log entries in an nginx log, so I doubt anybody will look for them.

haproxy could end up logging it as well, depending on the type of settings. But usually it will be set up to proxy HTTP requests for HTTP (port 80) or HTTPS (port 443), not TCP connections. So similar to Apache and Varnish. The default is to log nothing.
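
One way to look for the log entries described in the comment above, as an added example that is not part of the original comment: it matches the prefix shared by nginx's combined format and the quoted line (address, timestamp, request, status, bytes) and counts entries whose request field is "-" with status 400. The sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Prefix shared by nginx's "combined" format and the customised format quoted
# above: addr - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Aug/2015:10:01:05 +0000] "-" 400 0 "-" "-"
198.51.100.23 - - [12/Aug/2015:10:01:09 +0000] "-" 400 0 "-" "-"
203.0.113.7 - - [12/Aug/2015:10:02:00 +0000] "GET /missing HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Aug/2015:10:03:11 +0000] "-" 400 0 "-" "-"
this line is truncated garbage
"""


def empty_request_entries(lines):
    """Yield (addr, time) for connections closed before any HTTP request."""
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the expected prefix
        # A TCP connect with no request shows up as request "-" and status 400.
        if m["request"] == "-" and m["status"] == "400":
            yield m["addr"], m["time"]


def summarize(lines):
    """Count empty-request entries per client address."""
    return Counter(addr for addr, _ in empty_request_entries(lines))


if __name__ == "__main__":
    for addr, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{addr}\t{n} connection(s) without a request")
```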

Comment Re:need moar encryption (Score 1) 124

Well, the people that build the Internet Protocols agree with you:

"Newly designed protocols should prefer encryption to cleartext operation. There may be exceptions to this default, but it is important to recognize that protocols do not operate in isolation. Information leaked by one protocol can be made part of a more substantial body of information by cross-correlation of traffic observation. There are protocols which may as a result require encryption on the Internet even when it would not be a requirement for that protocol operating in isolation.

We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.

The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic."

https://www.iab.org/2014/11/14...

W3C also had a similar statement I can't seem to find right now.

W3C for example is developing a policy that certain features will only be available when the website uses HTTPS:
https://w3c.github.io/webappse...

Or you want attackers to inject extra code in a webpage where you enable your webcam ? I would think not.

Comment Re:no wireless anything (Score 1) 373

They were hacking cars in 2011 through the infotainment system by just inserting a CD in the drive.

See the Usenix talk:
https://www.youtube.com/watch?...

Nothing has changed, they are still worthless at building secure systems.

In the talk they said: it's the wrong business model.

No large car company builds their own systems, they just buy parts from other vendors as cheap as they can.
