Become a fan of Slashdot on Facebook


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:Soooo... (Score 5, Informative) 44 44

Like most of the up-voted posters here, I think you're missing the point. This new service isn't a Google Code replacement or a Github competitor. It's an add-on for cloud-based hosting, so people who are hosting systems on Google App Engine or Compute Engine can keep their source there as well, with nice tools for working with the code online, managing releases and even live debugging... if there's a problem with your running app you can debug it instantly. The system snapshots the live system so it's not interrupted and then gives you an online debugger so you can examine the state, step through the code, etc.

It's a value-added feature on a paid cloud hosting service, not a place to host your latest open source project. That's what Github is for.

Comment: Re:Less suspect than the others (Score 5, Interesting) 78 78

But one of the vulnerabilities I've pointed out recently to proxy maintainers is that it's become quite commonplace to host SSL based traffic on an external router or load balancer, and carry it entirely unencrypted between that load balancer and the local server. It often eases maintenance of SSL keys and allows far less expensive, small servers to handle the actual traffic and allows the cost of robust SSL services to be shared more effectively.

Google's encryption is end-to-end. It's also not SSL-based, but instead much simpler and more robust (and more efficient), though there's nothing proprietary or custom about the encryption ciphers or protocols used (Google employs lots of cryptographers who would quickly stomp on any questionable designs). I work for Google and used to do stuff related to internal network encryption though I worked on a different aspect of it, focused on securing payments data (credit card numbers, etc.).

I think it would be awesome if Google were to publish the details of its security infrastructure, which is dramatically better than anything I saw in my 15 years as a security consultant, but AFAIK that hasn't been done so I have to keep my comments vague and high-level.

I'll also point out, since I know it has been mentioned publicly, that Google didn't actually start doing all of the link encryption in response to Snowden's revelations. It was a project that was already well under way. Snowden's information did cause the project to be accelerated, though.

From what I saw, the main effect was that the tolerance for exceptions to the encryption requirement dropped basically to zero. In an enormous and complex infrastructure like Google's there are always dozens of corner cases where anything you'd like to do is really hard for one reason or another, and so big infrastructure changes tend to take years to fully deploy, to avoid requiring project teams to drop all their productive work in order to avoid breakage from the change. Snowden's data changed the encryption mandate from "You need to get this done as soon as you can" to "Encryption will be on 100% by date X, no exceptions. If you can't see how to make it work, come talk to us and we'll help." (X was single-digit weeks away).

I know one team who had to deploy a spit-and-baling-wire construction to enable their protocol to be encrypted, and then had to fight with serious performance degradation until they got a well-designed and tested replacement in place. They begged for permission to turn off encryption for a while so they could focus on building the solid replacement rather than spending their time fighting production fires caused by the interim solution... and they were denied. This was for an important production service related to financial systems, too, which gives you a good idea of how serious Google was about the encryption mandate.

Thank you, Edward Snowden!

(I want to be sure no one thinks that last line is sarcastic. It's not. At all. I think Edward Snowden is one of the great American heroes, and I think that history will eventually give him his considerable due. I don't know anyone on the team I mentioned who would disagree, either, even though it caused them some weeks of long hours and stress.)

Comment: Re:Lots of great features and no kdbus (Score 1) 111 111

I'm not sure what encryption is useful for. If my servers get hacked, they're able to read encrypted files.

You mention laptops and mobile devices, and claim that they get hacked way more often than they get lost/stolen. This is absolutely not true. Look at the many, many instances of laptops being lost or stolen with sensitive databases on them, and the ones that get reported publicly are just a tiny fraction.

It's also not necessarily the case with ext4 encryption that a box getting hacked reveals all of the data on it. Ext4 encryption allows each user account -- or even various subdirectory, IIRC -- to have its own keys. So a hacker can only get access to the directories whose keys have been loaded into memory. So the attacker has to own the box and then maintain ownership and connectivity until the data he's after has been unlocked.

You're also ignoring implementations which use hardware-based keys (HSM or similar) with other access controls on key usage, potentially even including rate limiting. So even if an attacker manages full privilege escalation and fully owns the box, he can't get access to anything encrypted unless he can satisfy the other access control requirements, and may also be rate-limited.

Malware on my Android device can read my encrypted files as soon as I get the phone properly booted.

Only if said malware can manage a privilege escalation attack. Granted that this issue is orthogonal to disk encryption, which is all about protecting against attackers with physical access to a powered down (or, to a lesser extent) locked device.

Comment: Re:Conversely (Score 1) 163 163

It should be pretty hard to obtain an expendable human in the countries where the remaining rhinos live. C4 is very stable and won't go off on impact, but a stable and long-lasting detonator would be needed.

Expendable humans are easy to find anywhere, and much easier in Africa than most places.

It's not about the stability of the explosive, or even the detonator, it's about the mechanism for triggering the detonator. It has to be sufficiently sensitive that it is certain to go off when the horn is removed, but cannot be triggered accidentally even by the enormous forces rhinos put on their horns. For that matter, getting the fake horn attachment to withstand those forces may not be trivial.

Comment: Re:Conversely (Score 1) 163 163

New idea: Give the rhinos an authentic-looking prosthetic horn with some C4 in it and a tensioned trigger wire running to the old horn stump. If some fucker cuts the horn off, BOOM.

Just means the poacher needs an expendable human, too. Those aren't particularly hard to obtain, unfortunately. And you also have to be very careful to ensure that the bomb won't go off when the rhino smacks something with its horn. Though I suppose blowing up all the rhinos will stop the poaching...

Comment: Re:Paul Ehrlich? (Score 1) 294 294

Heck, some European countries are beginning to get fairly concerned about population decline. Denmark has gone so far as to to run PSAs encouraging people to have children. Globally, it seems pretty clear that we've already passed the peak birthrate and it seems that we can expect it to continue dropping. Although births are declining the total population will continue to rise for a while because right now the world demographics are heavily weighted to the young end, so population will rise as the age distribution is "filled out". We're on course to hit a peak of about 10 billion people, sometime around 2040-2050. This assumes we don't make great breakthroughs in life extension.

Comment: Re:Motown (Score 1) 110 110

You can measure the quality of any streaming music service by typing the word "motown" into the search box. Does Motown immediately start playing? A+ Is there a list of Motown playlists? A Does something else happen? Fail.

I guess by your test, Google Music All Access gets an A, though personally I think what it does is better than immediately playing motown. What it provides is several sections: Motown artists, Motown albums, Motown songs, Motown Radio stations (similar to Spotify), Motown Playlists (apparently put together by users and shared to the world) and Motown videos, each with a selection of a half-dozen choices and a "See All" button that takes you to the rest of the matches for that section.

Not caring for Motown myself, I can't comment on the quality of the contents of the sections. It all looked pretty reasonable, though.

Relative to the points in the summary, Google also has Adele and Taylor Swift. Beatles... not so much. There are a bunch of "albums" but most of them are interviews along with a couple of albums including somewhat random songs... but none of their actual album releases. It's also possible that a couple of the music albums I see are not in the library, but were uploaded by me (you can upload your own music and it appears in the streaming service just as though it were part of the library. I think Metallica is also not in the library. I've uploaded all of their albums, so they're all there for me. It's possible I also uploaded some Adele, though there are albums I don't have so they must be from the library. And I don't own any Taylor Swift, so I'm sure all of that is from the library.

Oh, and Google Music's subscription also includes YouTube MusicKey, so whatever isn't available in the streaming service is almost certainly available there. The Beatles' music is, though not under a music license, so it's not available for download or background play.

(Disclosure: I work for Google, though I'm speaking here as a satisfied customer of the music service.)

Comment: Re:Should we trust Apple? (Score 4, Informative) 112 112

Fuck google's business model.

Really? Keep in mind that without it Google search wouldn't exist... and neither would DDG, because most of DDG's sources are other engines that are also funded by advertising. Odds are that without Google's business model you'd also be seeing a lot more, and a lot more intrusive ads. You are probably too young to remember what the commercial side of the web looked like in the mid to late 90s, but I'm sure you've seen the "one weird trick" sites with pages and pages to present a small amount of content buried in mountains of ads. That was pretty much where we were headed until targeted advertising came along.

Comment: Re:Turn off in Windows? (Score 1) 85 85

I may be unduly pessimistic about the dangers of such a "central I/O tap", because I haven't had time to look at it hard. I will, though.

So, how do you keep applications from knowing that the tap is in use? :)

That would be the easy part. There'd just be no way for them to tell.

There is no time like the present for postponing what you ought to be doing.