Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:Next release codename? (Score 5, Informative) 177 177

I think the spyware has been a radioactive enough issue that any derivatives are going to make a point of cutting it out.

That said, I don't see the need. As much as I don't like what Ubuntu did with the shopping lens, I've long switched to Xubuntu anyway, which is more sanely managed. (The original reason was to get away from Unity, and their avoidance of subsequent Canonical brain damage cemented the deal.)

Significantly, when you use [KX]ubuntu, you still benefit from all the release engineering work of Ubuntu proper, including security updates---a point on which I'm a little more wary of derivatives like Mint.

Comment: Re:How would an attack happen? (Score 2) 100 100

I know it's not always easy, but most data input into web forms is quite straightforward. The application should not be checking whether the data is invalid - it should be checking that it's valid. That's a subtle distinction, and I'm probably going to fail to explain it!

You'd probably have an easier time explaining it as whitelisting versus blacklisting. A developer can't hope to ever enumerate all the bad things an app should reject, so s/he should instead enumerate the much smaller set of things it should accept. Same deal if you're using a regex or whatnot to sanitize input instead of matching against a list.

Comment: Re:One-time pads (Score 1) 284 284

  • Attacker posts the malicious transfer form and performs the query to tell the bank to send out a text message.
  • Attacker displays a fake copy of the verification form where you are supposed to enter the info from the text message.
  • You read the text message, especially the part describing a $20,000 transfer to Zurich.
  • You don't enter the verification code.

Fixed that for you.

Comment: Re:How soon does it work after infection? (Score 1) 208 208

You're thinking about HIV, you're right, that takes months. The clap (ghonorhea) will show up the next day as will several others (actually, most STIs will show positive the next day). There's no cheap test that separately identifies Herpes Simplex 1 from Simplex 2, there is a cheap test that does not distinguish and will show positive if you have either.

The cheap herpes test works that quickly, too? My understanding is that HSV is harder to detect, not least because the virus isn't always being shed.

If the test is reliable, and quick to yield a positive, that would be pretty good---given that condoms don't necessarily protect against HSV, and we don't have a cure for it as yet...

Comment: How soon does it work after infection? (Score 1) 208 208

What I'd like to know is, does this test have the problem of most STD tests where you have to wait ~6 months after infection to get a positive result, since it only detects STD-antibodies (and not the STD itself) and it takes about that long for them to build up sufficiently high?

Comment: Re:NTP pool & GeoIP (Score 1) 540 540

Since you've got real stratum-1 NTP servers, you could skip the pool altogether and add them to the official NTP time server list.

AFAIU, the NTP pool is meant more for lower-stratum servers, like users on static-IP cable modems, so your machines wouldn't be doing as much good there.

Comment: Re:Perhaps a new mail header? (Score 3, Insightful) 251 251

PGP/GPG is overkill. Just drop messages that fail an SPF check. Spoofing is part of the problem here, and SPF was tailor-made to address spoofing.

If you do use PGP/GPG, you don't need an extra header for the signature; it's usually added as a small attachment, and better mail clients already pick up on that for verification.

Comment: Things that FM.fm provides that Gmail doesn't (Score 5, Informative) 135 135

  • Server-side Sieve filtering/sorting
  • File storage, optionally Web-accessible (I use this to serve up a simple, static-only Web site)
  • Various authentication options (reduced-access password, one-time logins, passwords via SMS, etc.)
  • Teh Google is not reading your mail, so you can put your tin-foil hat away :-)

People who go to conferences are the ones who shouldn't.

Working...