
Comment: Re:So, UEFI is a good thing now? (Score 5, Interesting) 471

by Wyzard (#48970027) Attached to: Systemd Getting UEFI Boot Loader

First of all, UEFI is more than Secure Boot. UEFI has been standard on PCs for the past few years, and on Macs ever since they switched to x86. Secure Boot is just a feature of some newer UEFI implementations.

Second, Secure Boot is a legitimate security feature that helps to protect against boot-time malware. There's nothing inherently evil about it. The controversy is over who should have the power to decide which OS is considered trustworthy and allowed to boot: the owner of the computer, or the vendor of the OS that came preinstalled on the computer?

Naturally, you don't want to buy a computer that doesn't let you choose which OS you trust. But if you have a computer that does give you that choice, why not take advantage of it? Seems to me that it's good to have hardware vendors see increased demand for machines that support securely booting the OS of your choice, as opposed to those where you just have to disable Secure Boot entirely if you want to run something other than Windows.

Comment: Re:Java sandboxing helped in this case (Score 1) 127

by Wyzard (#47563921) Attached to: Old Apache Code At Root of Android FakeID Mess

Not quite.

First, sandboxing in Android isn't done at the Java level, it's done at the OS level, by running each app under a different UID and letting the kernel take care of enforcing what that UID is (and isn't) allowed to do. It's the same system that prevents different users on a "conventional" Linux system from accessing each other's private files. This is why Android apps can load and run native code (via JNI) without needing any special security permission or exemption. Native code is still in the sandbox.

Second, the real danger in this flaw isn't malicious apps tricking the user, it's malicious apps tricking other apps. Android's permissions system includes a feature called "signature-level permissions" which allows apps that are signed by the same publisher to grant each other permissions that aren't available to apps signed by other publishers. This bug means that a malicious app can pretend to be signed by Company X in order to gain signature-level permissions to interact with actual Company X apps in privileged ways. Depending on the app, this may allow access to sensitive data.

Give Us Your Tired, Your Poor, Your FB Engineers

Submitted by theodp
theodp writes: ReadWrite's Brian Hall observes that — surprise — Mark Zuckerberg's immigration fix favors Facebook. 'Fairly or not,' writes Hall, 'by repeatedly linking the larger immigration issue with 'the Internet,' as Zuckerberg does in his [Washington Post] editorial, he appears less concerned with America's future — or even the future of those children residing in the U.S. illegally — and more with boosting the value of his own Internet concern.', the self-described 'diverse' political group formed by Zuckerberg and other Silicon Valley luminaries, also raised an eyebrow from immigrant Om Malik. 'What I hate is the focus put on a specific immigration issue [H-1B visas],' Malik wrote. 'I don't buy that just because an immigrant works on an algorithm make her more important.' BTW, the Terms of Service for indicates that you're really using the website '', apparently one of a number of sites operated by an organization called the 'Campaign for Innovation.' This entity in turn appears to be linked to the 'March for Innovation' ('it’s a no brainer to keep and attract brain power in America'), which enjoys support from many of the same members of Zuckerberg's ratpack, as well as groups like the 'Partnership for a New American Economy' (aka, whose co-chairs include Steve Ballmer, Michael Bloomberg, and Rupert Murdoch. On its website, RenewOurEconomy boasts it's been successfully getting newspapers to run its Op-Eds for years. With all that lobbying muscle (and what some might call Astroturfing), it's really no surprise that Silicon Valley on Tuesday scored what the NY Times called its biggest win yet in Washington with a proposed overhaul of immigration law that 'shifts the emphasis in immigration policy from one that prioritized family ties to one that will prioritize professional degrees.'

Comment: Wait for Haswell (Score 4, Informative) 260

by Wyzard (#42223025) Attached to: Ask Slashdot: Best Laptop With Decent Linux Graphics Support?

If you can wait awhile longer before buying, Intel's upcoming Haswell processor is reported to have significantly improved graphics performance, and Intel GPUs are well-supported with free drivers in Linux and Xorg. They're less-powerful than NVIDIA and AMD GPUs, but should be fine unless you need to play high-end games on high quality settings.

Comment: Re:but its Java? (Score 2) 154

by Wyzard (#41997283) Attached to: Google Targets Android Fragmentation With Updated Terms For SDK

Apps can be written to use new features where available but degrade gracefully where they're not.

Every app has both a "minimum SDK version" that identifies which version of Android it requires, and a "target SDK version" that identifies the latest version of Android that it knows about. At runtime, the app can check which version it's actually running on, and enable or disable features as appropriate.

If an app is run on an Android version newer than the app's "target", the OS itself will do whatever's needed to be backward-compatible with the target version. The developer can update the app and change the target version in order to take control of any new features and differences.


Facebook Testing the Want Button 147

Posted by samzenpus
from the do-not-want dept.
redletterdave writes "Facebook already knows what you 'Like.' Soon, it may ask you what you 'Want'. Tom Waddington, a Web developer for the craft website Cut Out + Keep, discovered that Facebook has included code for a disabled 'Want' button within the Javascript of its list of social plug-ins. The code was released to the Facebook Javascript SDK last Wednesday, but Waddington discovered the disabled button among other embedded tags, including 'degrees,' 'social context' and 'page events.' Waddington says the 'Want' button would work with Open Graph projects that use the tag 'products.'"

Comment: Re:Fork it, then (Score 1) 403

by Wyzard (#40009619) Attached to: Mozilla Leaves Out Linux For Initial Web App Support

As I recall, Mozilla was willing to grant Debian a license for the Firefox trademark, but they weren't willing to grant it recursively to all Debian users who might want to make (and distribute) their own modified versions of the code they got through Debian. Since Debian doesn't accept licenses that are specific to Debian (DFSG #8), Debian couldn't accept Mozilla's offer of a Firefox trademark license, and thus had to rename it.

The discussions at the time — this is based on my memory from reading the list archives — were all about the fact that Debian applies patches to the code; I don't think the logo issue came about until later.

Comment: Re:Its a trap!! Dont do it! (Score 1) 340

by Wyzard (#38350204) Attached to: Site Offers History of Torrent Downloads By IP

Looks like it shares more than that. The source for the login button is:

<fb:login-button perms="user_likes,user_about_me,email,user_hometown,user_relationship_details,user_location,user_website,user_work_history" onlogin="oRRQ.login();">

The site has no legitimate need for all that info if it just wants to know that you're a real person.

Comment: But is the data actually transmitted anywhere? (Score 5, Interesting) 322

by Wyzard (#38212960) Attached to: Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.

Comment: Re:More proof opt-in is the ONLY way to do it righ (Score 1) 134

by Wyzard (#37929620) Attached to: Carbonite Privacy Breach Leads To Spam

The article's suggestion of address hashes is kinda bogus, and especially dangerous if the hashed addresses are known to be customers. Assuming a spammer/phisher already has eleventy billion addresses, this is a hash collision attack. All the spammer has to do is hash their list and look for matches. Instant customer list.

That's the intended usage of the list of hashes: for each address that the marketer already has, they can determine whether it's the address of an existing customer so they can exclude it from the ad campaign. No technological measures can avoid the fact that if you want an advertiser to exclude your customers from an ad campaign, you have to give them a way to determine who your customers are. Only trust (and trustworthiness) can resolve that.

But hashing the list would at least prevent the marketer from learning new addresses that they didn't already know about, so it's better than giving them the raw list.
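
The suppression-list exchange described in the comment above, as an added example that is not part of the original comment or the article it discusses. SHA-256, the lowercase/trim normalization rule, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib

def normalize(addr: str) -> str:
    """Canonical form both parties must agree on before hashing (assumed rule)."""
    return addr.strip().lower()

def digest(addr: str) -> str:
    # SHA-256 is an assumption; the comment only says "hashes".
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def build_suppression_list(customers):
    """Company side: hand over digests only, never the raw addresses."""
    return {digest(a) for a in customers}

def filter_campaign(marketer_addresses, suppression):
    """Marketer side: split its own list into (send_to, excluded)."""
    send_to, excluded = [], []
    for addr in marketer_addresses:
        (excluded if digest(addr) in suppression else send_to).append(addr)
    return send_to, excluded

# Constructed sample data (example.com / example.org are reserved domains).
CUSTOMERS = ["alice@example.com", "Bob@Example.com ", "carol@example.org"]
MARKETER = ["ALICE@example.com", "bob@example.com", "dave@example.org"]

def demo():
    suppression = build_suppression_list(CUSTOMERS)
    send_to, excluded = filter_campaign(MARKETER, suppression)
    # Digests that match nothing on the marketer's own list cannot be
    # attributed to an address by this lookup.
    unmatched = suppression - {digest(a) for a in MARKETER}
    return send_to, excluded, len(unmatched)

if __name__ == "__main__":
    send_to, excluded, unmatched = demo()
    print("send to:", send_to)
    print("excluded (now known to the marketer as customers):", excluded)
    print("digests not matched by the marketer's list:", unmatched)
```

If the two sides normalize differently (case, surrounding whitespace), digests stop matching and existing customers silently stay in the campaign, which is why the rule has to be agreed on before the list is exchanged.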
