
Comment: Re:yeah yeah (Score 2) 29

by ledow (#50019025) Attached to: RFC 7568 Deprecates SSLv3 As Insecure

Well.. personally speaking I don't expose any functionality to the net unless it can be updated, authenticated, secured, QoS'd, logged and monitored.

So pretty much all those devices shouldn't BE on the boundary of your network, the only thing standing between you and the outside world.

If you want to do that, use reverse proxies, not port-forwards, use VPNs, not opening up some cheap Chinese webcam to your home network and the random people of the Internet.

So it doesn't actually matter if they used TLS or not - they are communicating only across a secured network anyway. You may as well just HTTP or telnet into them from your VPN.

Just make sure that your frontline, Internet-facing, open-to-attack-from-the-Internet device is secured. So your VPN/firewall. And that's it.

Comment: Stubbing your toe (Score 1) 52

by Okian Warrior (#50013939) Attached to: The Real-Life Dangers of Augmented Reality

Stubbing one's toe is a potentially life-threatening incident.

Did the paper address this? I would think that the risk of stubbing one's toe would be much higher while wearing AR glasses.

We need more papers like this one. The complete and total characterization of all potential safety issues should be a reasonable goal before anyone is allowed to sell (or wear) one of these devices.

Maybe the FDA should issue a ban while it considers common-sense regulation (like the FAA did for drones).

Comment: Re:The Nature of Central Banks (Score 1) 338

by ledow (#50013459) Attached to: Greek Financial Crisis Is an Opportunity For Bitcoin

Ah, this would be the Iceland that "had to obtain emergency funding from the International Monetary Fund and a range of European countries in November 2008". And also the Iceland whose economy is "small and subject to high volatility".

The Iceland whose GDP is worth less than what the UK spend each year on weddings alone. The Iceland whose debt to other countries is actually more than 100% of that pittance of GDP.

With 3 people per square kilometre and less than the population of a medium size town in the UK (or any one single London borough).

Sorry, pal, you can make all the claims you like. The ONLY counterexample you provide is actually doing no better than anyone else, and is on a scale so small as to be statistically useless anyway.

I'm not a banker or economist, by the way, just a mathematician.

And when the Icelandic banks crashed, other countries had to compensate savers who had been using them as the Icelandic banks had zero actual protection for their customers at all. All that teaches you is that people WON'T invest in Icelandic banks because they just lose their money if it all goes wrong.

Sure, there's a point at which you have to let the banks fall over to save other things, but that's true of anything - even Greece today. We're choosing to let them collapse rather than extend more and more bailouts to them. It's just a question of scale.

A country that's got the population of Pittsburgh and the GDP less than a UK mobile phone network's entire worth is - pretty much - a nonsensical thing to extrapolate to the world economy.

Comment: Re:Randomness can't come from a computer program (Score 1) 64

by Bruce Perens (#50004185) Attached to: NIST Updates Random Number Generation Guidelines

Most of us do have a need to transmit messages privately. Do you not make any online purchases?

Yes, but those have to use public-key encryption. I am sure of my one-time-pad encryption because it's just exclusive-OR with the data, and I am sure that my diode noise is really random and there is no way for anyone else to predict or duplicate it. I can not extend the same degree of surety to public-key encryption. The software is complex, the math is hard to understand, and it all depends on the assumption that some algorithms are difficult to reverse - which might not be true.

Comment: Re:I Wish Mine Had Been Blocked (Score 2) 23

by ledow (#50002487) Attached to: Samsung To Stop Blocking Automatic Windows Updates

Or, like EVERYONE tells you to - backup your damn machine. P.S. If your backup doesn't get you back to exactly where you were last week, it's not a backup, just a bad data copy.



However, for years, people have mocked my decision to NOT have auto-updates turned on. I only press update when I know that my machine is backed up, there's a fix I need to deploy, and I have the time / willingness to do it.

No, my machine doesn't have viruses etc. (I've had precisely one in my life and that was from a demo copy of Sin on a PC magazine coverdisc - which shows you how long ago that was!) because I abide by simple security practices that mean Windows doesn't NEED to run lots of random third-party executables to do what I want.

There's a reason that MS *can't* block WSUS for business users being used to stop automatic updates for Windows 10. Because we'd tear their fucking heads off. Windows updates have caused shit like you describe since their introduction. Sure, most people won't notice, but if it only happens to 1% of computers regularly deploying updates the chances are that none of your friends will have had those problems. But similarly, with the same odds the chances are that in any large deployment AT LEAST one machine will fuck up from automatic updates every month. Fuck adding that to my IT burden.

In work the other day, one of my users was accidentally given a brief window when they could receive updates from Windows Update instead of WSUS (I'd accidentally pulled them out of the client group on WSUS while looking for a test machine). In that short opportunity, it took it upon itself to update from 8 to 8.1, thereby breaking the finance software that we use permanently. Additionally, the desktop now gets a crash in an mp4 video dll every 10 seconds that you can't stop crashing without reverting the update associated with it. Seriously, no newer patch fixes it or I'd deploy it in a second. And I had to give them RDP to a plain Windows 8 machine to finish their finance stuff temporarily while I revert their config.

Seriously, automatic system-level updates without user interaction is the most stupid fucking idea in the history of bad ideas, not to mention not being able to PERMANENTLY say no to a particular update, and having NO proper way to system restore to a point before the update applied and stop it (in the majority of cases - I've yet to see system restore do what it promises but I've dealt with lots of users who have accidentally restored their personal laptops back to factory settings or unrecoverable states using it!).

If you work in IT and haven't yet realised this, I really pity you. Servers, internet-facing services, maybe but there you have the tools to deal with this crap and STILL shouldn't be blindly pushing updates anyway.

Unmanaged clients that aren't eligible for WSUS because they are home-use? Back those fuckers up and turn off automatic Windows Update.

Comment: Re:Bad RNG will make your crypto predictable (Score 2) 64

by Bruce Perens (#50000917) Attached to: NIST Updates Random Number Generation Guidelines

The problem with FM static is that you could start receiving a station, and if you don't happen to realize you are now getting low-entropy data, that's a problem.

There are many well-characterized forms of electronic noise: thermal noise, shot noise, avalanche noise, flicker noise, all of these are easy to produce with parts that cost a few dollars.
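An added example, not part of the comment above: the failure it describes (a noise source that quietly starts delivering low-entropy data) is what the two continuous health tests in NIST SP 800-90B are meant to flag. The sample data, the claimed 6 bits of entropy per 8-bit sample, and the false-alarm rate of 2^-20 are assumptions made for this sketch.

```python
import math
import random

ALPHA_EXP = 20  # per-test false-alarm rate alpha = 2**-20 (assumed for this example)

def rct_cutoff(h):
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(ALPHA_EXP / h)

def apt_cutoff(h, window):
    """Adaptive Proportion Test cutoff: 1 + smallest k with P(X > k) <= alpha,
    where X ~ Binomial(window, 2**-h)."""
    p, alpha = 2.0 ** -h, 2.0 ** -ALPHA_EXP
    tail, k = 0.0, window              # tail = P(X > k)
    while k > 0:
        pk = math.comb(window, k) * p ** k * (1 - p) ** (window - k)
        if tail + pk > alpha:          # P(X > k-1) would exceed alpha
            break
        tail, k = tail + pk, k - 1
    return 1 + k

def repetition_count_ok(samples, h):
    """False if any value repeats back-to-back cutoff times (stuck source)."""
    cutoff, run, prev = rct_cutoff(h), 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_ok(samples, h, window=512):
    """False if a window's first value fills too much of that window."""
    cutoff = apt_cutoff(h, window)
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True

def health_check(samples, h):
    return repetition_count_ok(samples, h), adaptive_proportion_ok(samples, h)

# Constructed inputs, not captured data. 8-bit ADC samples, claimed H = 6 bits/sample.
_rng = random.Random(2015)  # PRNG stand-in for a healthy noise source
HEALTHY = [_rng.getrandbits(8) for _ in range(4096)]
DEGRADED = [128 + (i // 40) % 4 for i in range(4096)]  # slow, narrow waveform

if __name__ == "__main__":
    print("healthy :", health_check(HEALTHY, 6.0))
    print("degraded:", health_check(DEGRADED, 6.0))
```

Both tests only look at repeats and value frequencies, so they catch gross failures; a structured signal that still spreads across many values needs a proper entropy assessment of the raw samples.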

Comment: Randomness can't come from a computer program (Score 2, Interesting) 64

by Bruce Perens (#50000905) Attached to: NIST Updates Random Number Generation Guidelines

True randomness comes from quantum mechanical phenomena. Linux /dev/random is chaotic, yes, enough to seed a software "R"NG. But we can do better and devices to do so are cheap these days.

I wouldn't trust anything but diode noise for randomness. If I had a need to transmit messages privately, I'd only trust a one-time pad.
