Comment: tried and failed... and prior art anyway (Score 1) 100

by lkcl (#49758065) Attached to: Cute Or Creepy? Google's Plan For a Sci-Fi Teddy Bear

hang on... didn't bunnie huang do the "chumby", and didn't barbie try doing something like this - putting an interactive wifi and mic aspect into one of their barbie dolls... with a huge back-lash as a result? so (a) why is there an expectation that this will succeed (b) why was the patent granted when there is clear prior art???

Comment: Re:471 million? You may want to think about that. (Score 2) 246

by metlin (#49756021) Attached to: California Votes To Ban Microbeads

471 million potatoes is a lot of potatoes.
471 million 0.2mm bits of plastic is enough to cover in plastic all of the living rooms in California.
Wait - no - one living room. Or about a dinner plate's worth a day.

Every day. That's the difference.

Even assuming that it's a dinner plate sized amount of pollution, over two decades, you are looking at 7300 dinner plates. Only, broken into little chunks, easily consumed by aquatic life and smothering plants, clogging pipes etc.

Comment: debian digital signing and the GPG keyring (Score 2) 94

by lkcl (#49749449) Attached to: NSA Planned To Hijack Google App Store To Hack Smartphones

this is why debian has the GPG key-signing parties, and why all packages are GPG-signed by the package maintainer when they compile it, why the ftp masters sign the package when it's uploaded, and why the release files which include the checksums of all the packages are also GPG-signed. under this scenario there are an extremely limited number of extremely paranoid methods by which debian may be compromised. even the scenario of "cooperation between long-term sleeper agents within debian's ranks" would have a one-shot opportunity to get away with introducing malicious code, following the discovery of which their GPG keys would be revoked, the perpetrators kicked out of debian, their packages pulled immediately pending a review, and the already-effective procedures reviewed to involve multi-person GPG signing that would make it even harder for compromise to occur in the future.

now, if you recall, there was an announcement a couple of years back that the development of Mozilla's B2G was declared to be "open" to all, so i contributed with a thorough security-conscious review of how to do package distribution. it turns out that Mozilla is *NOT* open - at all. several other contributors have learned that the Mozilla Foundation is in direct violation of its charter.

basically, the Mozilla Foundation *completely* ignored the advice that i gave - which was that the use of SSL as a distribution mechanism would be vulnerable to *exactly* the kinds of attacks that we see the NSA attempting to do on google. they went so far as to enact censorship, preventing and prohibiting me from pointing out the severe security flaws inherent in their chosen method of package distribution. i remain deeply unimpressed with many aspects of so-called "open-ness" of well-funded software libre projects.
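The signing chain the comment above describes (a GPG-signed Release file that lists the checksums of the package indexes, which in turn list the checksums of the packages) can be walked in code. This is an added example, not Debian's own tooling; it assumes the detached GPG signature on the Release file has already been verified against the archive keyring (for instance with gpgv), and every input below is constructed in-line rather than taken from a real archive.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):   # section ends at the next unindented field
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Return {Filename: SHA256} from a Packages index (stanzas separated by blank lines)."""
    result, stanza = {}, {}
    for line in packages_text.splitlines() + [""]:
        if line == "":
            if "Filename" in stanza and "SHA256" in stanza:
                result[stanza["Filename"]] = stanza["SHA256"]
            stanza = {}
        elif ":" in line and not line.startswith(" "):   # skip Description continuations
            k, v = line.split(":", 1)
            stanza[k.strip()] = v.strip()
    return result

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """True only if the index matches the signed Release and the .deb matches the index."""
    entry = parse_release_sha256(release_text).get(index_path)
    if entry is None:
        return False
    digest, size = entry
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return False   # index does not match what the signed Release vouches for
    expected = parse_packages(packages_bytes.decode()).get(deb_path)
    return expected is not None and hashlib.sha256(deb_bytes).hexdigest() == expected

# Constructed sample archive (not a real Debian package, index or Release file).
DEB_PATH = "pool/main/e/example_1.0_amd64.deb"
DEB = b"constructed placeholder bytes standing in for a .deb"
PACKAGES = ("Package: example\nVersion: 1.0\nFilename: %s\nSHA256: %s\n\n"
            % (DEB_PATH, hashlib.sha256(DEB).hexdigest())).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = "Suite: stable\nSHA256:\n %s %d %s\n" % (
    hashlib.sha256(PACKAGES).hexdigest(), len(PACKAGES), INDEX_PATH)
```

A mirror that swaps in a different .deb or a different Packages index fails the chain even though it serves the unmodified signed Release file; that is the property the GPG signature on Release buys.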

Comment: correlation between gravity and length of day (Score 1) 94

http://iopscience.iop.org/0295...

just to throw an appropriate spanner in the works, it's worthwhile mentioning the above article which notes a significant statistical correlation between variations in the measurement of the effect known as "gravity", and the (appx) 6.5 year cyclic variation of the earth's length of day.

now, before you go all "ooer" or "waah! gravity varies! we're all gonna dieeee spinning off into space", it's worthwhile pointing out that the author mentions, in the conclusion, that there *might* be some sort of unknown systemic errors in (a) how gravity is measured (b) how the length of day is measured which *happen* to coincide and give the *impression* that there is a statistical correlation between gravitational variation and the length of the earth's day. he does however state that in light of how the measurements are taken it would seem to be very unlikely that there are such systemic errors.

so, anyway, the point is: gravity appears not to be as simple as we assumed, hence why some long-distance space probes (Pioneer for example) have anomalous unexplained behaviour.

Comment: In particular, NO redundancy. Reliability drops. (Score 5, Informative) 223

Losing data goes with the territory if you're going to use RAID 0.

In particular, RAID 0 combines disks with no redundancy. It's JUST about capacity and speed, striping the data across several drives on several controllers, so it comes at you faster when you read it and gets shoved out faster when you write it. RAID 0 doesn't even have a parity disk to allow you to recover from failure of one drive or loss of one sector.

That means the failure rate is WORSE than that of an individual disk. If any of the combined disks fails, the total array fails.

(Of course it's still worse if a software bug injects additional failures. But don't assume, because "there's a RAID 0 corruption bug", that there is ANY problem with the similarly-named, but utterly distinct, higher-level RAID configurations which are directed toward reliability, rather than ONLY raw speed and capacity.)

Cellphones

Pre-Orders Start For Neo900 Open Source Phone 134

Posted by timothy
from the hello-operator dept.
New submitter JoSch1337 writes: After a year and a half of development, the Neo900 project has now opened its web shop for the down payments of binding pre-orders for either a full Neo900 phone or the bare circuit board to upgrade an existing Nokia N900. The up-front down payment is necessary to now secure expensive "risk parts" like the modem, 1GB RAM and N900 cases. Thus, without pre-ordering now, there might not be enough parts left after the first batch.

The Neo900 is the spiritual successor of the Nokia N900. The new circuit board can be placed into an existing N900 for better specs (faster CPU, more RAM, LTE modem) than the original device while still maintaining fremantle (maemo 5) backwards compatibility. Alternatively, a fully assembled phone can be purchased as well. The Neo900 will be fully operational without any binary blob running on the main CPU. While the modem still requires a non-free firmware, it is completely decoupled from the rest of the device (think of an LTE USB stick you put in your laptop) and can reliably be monitored or switched off by the operating system.

You can follow the development of the project in the maemo forum, read about the specs of the device or consult the FAQ.

Comment: Re:How does one tell the difference? (Score 4, Insightful) 103

Well, the Anthropologists may know what they are doing but the guy taking photos of the tools certainly isn't helping matters. Why can't he take a picture of something that actually resembles a tool? Better yet, why can't the reporter explain briefly why this chunk of rock pictured can be considered a tool?

That's why you should read the original papers rather than secondary articles by reporters who may or may not know their subject. The article in the May 21 issue of Nature will probably be more informative.

Comment: NetUSB=proprietary. Is there an open replacement? (Score 2) 70

It happens I could use remote USB port functionality.

(Right now I want to run, on my laptop, a device that requires a Windows driver and Windows-only software. I have remote access to a Windows platform with the software and driver installed. If I could export a laptop USB port to the Windows machine, it would solve my problem.)

So NetUSB is vulnerable. Is there an open source replacement for it? (Doesn't need to be interworking if there are both a Linux port server and a Windows client-pseudodriver available.)

Comment: Opportunity to detect MITM attacks? (Score 4, Interesting) 71

by Ungrounded Lightning (#49737679) Attached to: 'Logjam' Vulnerability Threatens Encrypted Connections

I skimmed the start of the paper. If I have this right:

  - Essentially all the currently-deployed web servers and modern browsers have the new, much better, encryption.
  - Many current web servers and modern browsers support talking to legacy counterparts that only have the older, "export-grade", crypto, which this attack breaks handily.
  - Such a server/browser pair can be convinced, by a man-in-the-middle who can modify traffic (or perhaps an eavesdropper-in-the-middle who can also inject forged packets) to agree to use the broken crypto - each being fooled into thinking the broken legacy method is the best that's available.
  - When this happens, the browser doesn't mention it - and indicates the connection is secure.

Then they go on to comment that the characteristics of the NSA programs leaked by Snowden look like the NSA already had the paper's crack, or an equivalent, and have been using it regularly for years.

But, with a browser and a web server capable of better encryption technologies, forcing them down to export-grade LEAKS INFORMATION TO THEM that they're being monitored.

So IMHO, rather than JUST disabling the weak crypto, a nice browser feature would be the option for it to pretend it is unpatched and fooled, but put up a BIG, OBVIOUS, indication (like a watermark overlay) that the attack is happening (or it connected to an ancient, vulnerable, server):
  - If only a handful of web sites trip the alarm, either they're using obsolete servers that need upgrading, or their traffic is being monitored by NSA or other spooks.
  - If essentially ALL web sites trip the alarm, the browser user is being monitored by the NSA or other spooks.

The "tap detector" of fictional spy adventures becomes real, at least against this attack.

With this feature, a user under surveillance - by his country's spooks or internal security apparatus, other countries' spooks, identity thieves, corporate espionage operations, or what-have-you, could know he's being monitored, keep quiet about it, lie low for a while and/or find other channels for communication, appear to be squeaky-clean, and waste the tapper's time and resources for months.

Meanwhile, the NSA, or any other spy operation with this capability, would risk exposure to the surveilled every time it uses it. A "silent alarm" when this capability is used could do more to rein in improper general surveillance than any amount of legislation and court decisions.

With open source browsers it should be possible to write a plugin to do this. So we need not wait for the browser maintainers to "fix the problem", and government interference with browser providers will fail. This can be done by ANYBODY with the tech savvy to build such a plugin. (Then, if they distribute it, we get into another spy-vs-spy game of "is this plugin really that function, or a sucker trap that does tapping while it purports to detect tapping?" Oops! The source is open...)
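The "tap detector" proposed in the comment above needs one concrete check: after the handshake, look at the Diffie-Hellman group the server actually sent and raise an alarm if it is export-grade. The following is an added example, not code from the comment or from any browser project; it parses a constructed TLS 1.2 record carrying a DHE ServerKeyExchange and classifies the size of the prime, which is exactly what a downgrade to a DHE_EXPORT suite would reveal. The 512/1024-bit thresholds are the ones the Logjam paper discusses; the sample bytes are placeholders, not a real DH group.

```python
import struct

EXPORT_BITS = 512    # DHE_EXPORT suites capped the prime p at 512 bits
WEAK_BITS = 1024     # the paper treats 1024-bit groups as within reach of nation-state precomputation

def parse_dhe_server_key_exchange(record: bytes) -> dict:
    """Parse one TLS handshake record carrying a DHE ServerKeyExchange (type 12).
    Returns {'p_bits', 'g', 'ys_len'}; raises ValueError on malformed input.
    A trailing signature (DHE_RSA) after ServerDHParams is ignored."""
    if len(record) < 5 or record[0] != 0x16:           # ContentType handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 12:
        raise ValueError("not a complete ServerKeyExchange")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    off, fields = 0, []
    for _ in range(3):            # dh_p, dh_g, dh_Ys: 2-byte length, then the value
        if off + 2 > len(hs):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack("!H", hs[off:off + 2])
        off += 2
        if off + n > len(hs):
            raise ValueError("truncated ServerDHParams")
        fields.append(hs[off:off + n])
        off += n
    p, g, ys = fields
    return {"p_bits": int.from_bytes(p, "big").bit_length(),
            "g": int.from_bytes(g, "big"), "ys_len": len(ys)}

def classify_dh_group(p_bits: int) -> str:
    """Alarm level a 'tap detector' client would display for this prime size."""
    if p_bits <= EXPORT_BITS:
        return "ALERT: export-grade DHE, downgrade attack or obsolete server"
    if p_bits <= WEAK_BITS:
        return "WARN: 1024-bit-class DHE, breakable with large precomputation"
    return "OK"

def build_server_key_exchange(p: bytes, g: bytes, ys: bytes) -> bytes:
    """Constructed test input: ServerDHParams inside handshake and record headers."""
    params = b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))
    handshake = bytes([12]) + len(params).to_bytes(3, "big") + params
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: a 512-bit-sized p (placeholder bytes, not a real DH group).
EXPORT_SAMPLE = build_server_key_exchange(b"\xff" * 64, b"\x02", b"\x01" * 64)
```

A client that negotiated a strong suite in its own ClientHello but sees a 512-bit p here has either met an obsolete server or been downgraded in transit, which is the signal the comment wants surfaced rather than silently accepted.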

Comment: Re:Schizo (Score 2) 319

by American AC in Paris (#49726361) Attached to: Battle To Regulate Ridesharing Moves Through States

Then Uber comes along and creates a way to share a ride and the driver benefits a little bit as well.

Uber drivers aren't sharing a damned thing. They're charging for a service. That's called doing business, and if you want to do business, you need to follow certain rules, just like anything else in life. You can't just jump up and say "nuh-uh, this is sharing!" when you're really requiring people to pay you before you "share" anything.

If I open a gas station and call it a "fuel sharing service", does that mean that I get to bypass all those pesky rules and regulations for making sure my tanks don't leak into the ground? Or that I don't need to spend all that extraneous money to install safety cutoff switches (like anyone ever -uses- those, amirite?)

Comment: "Ridesharing" (Score 4, Insightful) 319

by American AC in Paris (#49725617) Attached to: Battle To Regulate Ridesharing Moves Through States

If y'all are still telling yourselves that services like Uber and Lyft are "rideshares", you're not paying attention, and haven't been for a long time.

Ridesharing suggests that people are sharing a ride from point A to point B--that is, they're both going that way, and thus are going to slug together to save gas/cost.

Uber and Lyft are effectively taxi services that use an app instead of a dispatcher. The driver seeks out a fare, starts the timer, drives the fare to their destination, and then seeks out another fare.

The driver is not "sharing" anything, nor is the passenger. This is a taxi service.
