Comment: Re:My FreeBSD Report: Four Months In (Score 1) 471

by WD (#48971691) Attached to: Systemd Getting UEFI Boot Loader

Yes, ZFS is amazing. But my concern about FreeBSD in general is that from an exploit mitigation perspective, it's in the dark ages. Like, maybe close to Windows XP. http://networkfilter.blogspot....

For a file server, great. But for anything that's parsing untrusted data or is exposed to the internet, I'd be concerned.

Comment: Who says that the attack is over? (Score 5, Informative) 35

by WD (#48851443) Attached to: Microsoft Outlook Users In China Hit With MITM Attack

The evidence that China was performing MITM attacks was the temporary use of an SSL certificate chain that wasn't signed by one of the hundreds of root CAs included with modern operating systems (and therefore the software complained).

If the software people are using stops complaining about the SSL certificate chain, does that mean that they're not performing MITM anymore? Hell no. At the very least it means that they're just using an SSL certificate signed by one of the hundreds of trusted root CA certificates. You know, like CNNIC. The internet organization with ties to the Chinese government.
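An added illustration of the point made in the comment above; it is not code from the original thread or from any product mentioned there. Using Go's standard crypto/x509 package, it builds two root CAs a client trusts plus one it does not, issues a certificate for the same constructed host name from each, and runs the two checks a client can make: ordinary chain validation, and a public-key pin recorded from a known-good connection. Chain validation only flags the certificate from the unrecognized CA; a certificate issued by any other trusted root passes silently, and only the pin check catches it. The host name, CA names and pin are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns the parsed certificate plus its fresh P-256 key. Constructed helper.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// makeCA builds a self-signed root CA with the given (constructed) name.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf issues a TLS server certificate for host from the given CA.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// chainTrusted is the check every TLS client performs: does the presented
// certificate chain to a root in the trust store for this host name?
func chainTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the value
// a pinning client stores out of band for the genuine server.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records both checks for one presented certificate.
type Outcome struct{ ChainOK, PinOK bool }

// Scenario presents three certificates for the same host to a client that
// trusts two roots and pins the genuine server's key.
func Scenario() (genuine, unrecognizedCA, otherTrustedCA Outcome) {
	const host = "mail.example.test" // constructed host name
	trustedCA, trustedKey := makeCA("Example Trusted Root")
	otherCA, otherKey := makeCA("Another Widely Trusted Root")
	rogueCA, rogueKey := makeCA("Unrecognized CA")
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	roots.AddCert(otherCA)

	genuineLeaf := issueLeaf(host, trustedCA, trustedKey)
	pin := spkiPin(genuineLeaf) // learned on an earlier, known-good connection
	check := func(leaf *x509.Certificate) Outcome {
		return Outcome{chainTrusted(leaf, host, roots), spkiPin(leaf) == pin}
	}
	genuine = check(genuineLeaf)
	unrecognizedCA = check(issueLeaf(host, rogueCA, rogueKey)) // client warns
	otherTrustedCA = check(issueLeaf(host, otherCA, otherKey)) // client is silent
	return
}

func main() {
	g, n, q := Scenario()
	fmt.Printf("genuine: %+v\nunrecognized CA: %+v\nother trusted CA: %+v\n", g, n, q)
}
```

The third outcome is the one the comment warns about: the chain check alone reports nothing wrong, so the absence of warnings says nothing about whether the connection is being intercepted. Pinning (or certificate transparency monitoring, which the example does not show) is what detects a certificate legitimately signed by a different trusted root.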

Comment: Easier said than done (Score 1) 324

by WD (#48804321) Attached to: How To Hijack Your Own Windows System With Bundled Downloads

How do you teach a non-geek to find and recognize the canonical source for a software download? Is the official VLC site? Is the right place to get 7-zip? Is the place to get the latest LibTIFF? The answer to all of these is "No", but I'd like to hear the teaching technique that allows a non-geek to come to these conclusions.

Comment: Let me get this straight... (Score 5, Insightful) 336

by WD (#47801315) Attached to: Reported iCloud Hack Leaks Hundreds of Private Celebrity Photos

1) Takes nude photos of themselves with an internet-connected device.
2) Has said photos of themselves synchronized with an internet service
3) Is surprised / outraged that said photos are accessed by somebody on the internet.

I'm not saying that those people are to blame, but rather that there is a significant disconnect between technology and users' expectations. And the companies involved aren't making things any better with their hand-waving "cloud" mumbo-jumbo.

Comment: Vulnerabilities did not increase (Score 3, Interesting) 137

by WD (#47521903) Attached to: Internet Explorer Vulnerabilities Increase 100%

Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed, including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.

Comment: Re:WTF? (Score 1) 188

by WD (#46786939) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

"High risk of leaking?" And what would the consequences of such a leak be? The affected vendors are only slightly better off than they were with how it actually turned out with Heartbleed?

When Heartbleed was disclosed, virtually no affected vendor (e.g., Ubuntu, Cisco, Juniper, etc.) had an update available. So there was a window where the vulnerability was public, but nobody had official updates from their vendor that would protect them. You are claiming that this is better than a coordinated release, where there would have been actual updates available to install?

It's not "buddies" that is being discussed here. It's the people producing the software that is affected!
