Comment Re:Why did they need the certificates? (Score 1) 95

Issuing for .test and .local is strictly prohibited by the CABForum EV requirements. They will soon be outlawed for DV under the basic requirements.

What seems to have happened is that instead of issuing all test certs for test.verisign.com as the procedure manual required, they had to modify the procedure when Symantec took over and they no longer had verisign.com.

So instead of doing what they should have done and using test.symantec.com or a test domain bought for the purpose, they typed the first name that entered their head.

Comment Re:Self Signed (Score 1) 95

Actually it doesn't. DANE certificates are not self-signed, for a start; they are signed by the DNSSEC key for the zone.

The problem with DANE is that you swap the choice of multiple CAs for a monopoly run by ICANN, a shadowy corporation that charges a quarter million bucks for a TLD because that is what the market will bear. What do you think the price of DANE certification will rise to if it takes off?

ICANN is the Internet version of the NFL only with greater opportunities for peculation and enrichment.

Comment Re:Why did they need the certificates? (Score 1) 95

Damn right they should. The CPS has a long section on the use of test hardware.

The problem is that all the original team that built VeriSign have been gone for years. A lot of us left before the sale of the PKI business to Symantec. The PKI/DNS merger was not a happy or successful partnership. The original point of the merger was to deploy DNSSEC. That effort was then sabotaged by folk in IETF and ICANN, which has delayed the project by at least 10 and possibly 20 years. ATLAS was originally designed to support DNSSEC.

Unfortunately, in PKI terms what VeriSign was to IBM, Symantec is to Lenovo.

They apparently remember the ceremonies we designed but not the purpose. So they are going through the motions but not the substance.

One of the main criticisms I have heard is that we built the system too well. From 1995 up to 2010 it worked almost without any issues. So people decided that they didn't need things like proper revocation infrastructure. The only recent issue the 1995 design could not have coped with was DigiNotar which was a complete CA breach.

There are some developments on the horizon in the PKI world that will help add controls to mitigate some of the issues arising since. But those depend on cryptographic techniques that won't be practical for mass adoption till we get our next generation ECC crypto fully specified.

Comment Re:What is a pre-certificate? (Score 3, Informative) 95

A pre-certificate is created for use in the Certificate Transparency system. Introducing pre-certificates allows the CT log proof to be included in the certificate presented to an SSL/TLS server.

The CT system generates a proof that a pre-certificate has been enrolled in it. The proof is then added to the pre-certificate as an extension and the whole thing signed with the production key to make the actual certificate.

If the CT system logged the actual certificate, the proof of enrollment would only be available after the certificate had been created.
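
Added example, not part of the comment above and not code from any CT log or CA: a runnable model of the pre-certificate ordering the comment describes (poison extension, log entry, SCT, SCT embedded in the final certificate, relying party reconstructing the signed TBS). Assumptions, labelled in the code: the TBSCertificate is a dict serialised as canonical JSON instead of DER, and HMAC-SHA256 stands in for the ECDSA signatures of the CA and the log. The OIDs for the poison and embedded-SCT extensions are the real RFC 6962 values.

```python
"""RFC 6962 pre-certificate flow, modelled with Python's standard library.

Added example (editor's), not code from the comment or from any real CT log.
Assumptions: the TBSCertificate is a dict serialised as canonical JSON instead
of DER, and HMAC-SHA256 stands in for the CA's and the log's ECDSA signatures.
The ordering is the real one: poison extension -> log -> SCT -> final cert.
"""
import hashlib
import hmac
import json

PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # critical; marks a pre-certificate
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"        # embedded SCT list in the final cert


def canonical(obj) -> bytes:
    """Deterministic encoding; plays the role DER plays for real certificates."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, data: bytes) -> str:
    """Stand-in for an ECDSA signature (assumption: a MAC keeps the model runnable)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def strip_extension(tbs: dict, oid: str) -> dict:
    """Copy of the TBS with one extension removed (the RFC 6962 reconstruction step)."""
    out = json.loads(json.dumps(tbs))
    out["extensions"] = [e for e in out["extensions"] if e["oid"] != oid]
    return out


class CTLog:
    """One CT log: accepts pre-certificates, returns SCTs, verifies them later."""

    def __init__(self, key: bytes, log_id: str):
        self.key, self.log_id, self.entries = key, log_id, []

    def _signed_input(self, timestamp_ms: int, issuer_key_hash: str, tbs: dict) -> bytes:
        # What the SCT signature covers for a precert entry: timestamp, issuer key
        # hash and the TBS without the poison (and therefore without any SCT list).
        return canonical({"ts": timestamp_ms, "type": "precert_entry",
                          "issuer_key_hash": issuer_key_hash, "tbs": tbs})

    def add_precert(self, precert: dict, issuer_key_hash: str, timestamp_ms: int) -> dict:
        exts = precert["tbs"]["extensions"]
        if not any(e["oid"] == PRECERT_POISON_OID and e["critical"] for e in exts):
            raise ValueError("refusing to log: critical poison extension missing")
        signed_tbs = strip_extension(precert["tbs"], PRECERT_POISON_OID)
        self.entries.append({"issuer_key_hash": issuer_key_hash, "tbs": signed_tbs})
        sig = sign(self.key, self._signed_input(timestamp_ms, issuer_key_hash, signed_tbs))
        return {"log_id": self.log_id, "timestamp": timestamp_ms, "signature": sig}

    def verify_sct(self, sct: dict, tbs_without_scts: dict, issuer_key_hash: str) -> bool:
        expected = sign(self.key, self._signed_input(sct["timestamp"], issuer_key_hash,
                                                     tbs_without_scts))
        return sct["log_id"] == self.log_id and hmac.compare_digest(expected, sct["signature"])


class CA:
    """Issuer: builds the precert, gets it logged, embeds the SCT, signs the final cert."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        # Stand-in for SHA-256 over the issuer's SubjectPublicKeyInfo (assumption).
        self.key_hash = hashlib.sha256(name.encode()).hexdigest()

    def issue(self, dns_name: str, log: CTLog, timestamp_ms: int) -> dict:
        tbs = {"issuer": self.name, "subject": dns_name, "serial": 1,
               "extensions": [{"oid": "2.5.29.17", "critical": False, "value": [dns_name]},
                              {"oid": PRECERT_POISON_OID, "critical": True, "value": None}]}
        # The pre-certificate is itself signed, so the log holds an issuer-attributable artefact.
        precert = {"tbs": tbs, "signature": sign(self.key, canonical(tbs))}
        sct = log.add_precert(precert, self.key_hash, timestamp_ms)
        final_tbs = strip_extension(tbs, PRECERT_POISON_OID)
        final_tbs["extensions"].append({"oid": SCT_LIST_OID, "critical": False, "value": [sct]})
        return {"tbs": final_tbs, "signature": sign(self.key, canonical(final_tbs))}


def verify_embedded_scts(cert: dict, log: CTLog, issuer_key_hash: str) -> bool:
    """Relying-party check: strip the SCT list, then validate each SCT against the rest."""
    sct_lists = [e["value"] for e in cert["tbs"]["extensions"] if e["oid"] == SCT_LIST_OID]
    if not sct_lists:
        return False
    reconstructed = strip_extension(cert["tbs"], SCT_LIST_OID)
    return all(log.verify_sct(sct, reconstructed, issuer_key_hash) for sct in sct_lists[0])


if __name__ == "__main__":
    log = CTLog(key=b"log-private-key", log_id="example-log-1")   # constructed sample
    ca = CA("Example CA", key=b"ca-private-key")                   # constructed sample
    cert = ca.issue("www.example.test", log, timestamp_ms=1_700_000_000_000)
    print("embedded SCT verifies:", verify_embedded_scts(cert, log, ca.key_hash))
    cert["tbs"]["subject"] = "evil.example.test"   # alter the issued certificate
    print("after tampering:", verify_embedded_scts(cert, log, ca.key_hash))
```

The point the model makes concrete: the SCT signature covers the TBS with the poison removed, which is exactly what a client can rebuild from the final certificate by deleting the SCT-list extension. The CA's signature on the final certificate covers the SCT, so the SCT has to exist first; logging the final certificate instead would require a signature over a proof that does not exist yet.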

Comment Re:Too little, too late (Score 5, Insightful) 262

The fact that they ship an improved version every year or so is NOT the issue here. Seriously if the new version is not a big enough improvement over the one you have, you don't need to buy it. You can keep your phone for 2 years, or 3 years, or however long you want. That is hardly "pushing it through the throats of customers". You have to have a major victim mentality to think that. I do agree though that shipping non-equivalent versions of the processor is a big deal. That's not okay.

Comment Gatekeeper (Score 4, Interesting) 66

If a user doesn't know how and can't figure out or google how to bypass Gatekeeper, they shouldn't be bypassing Gatekeeper. I'm a Mac developer and I work on a commercial application that uses a privileged helper tool which the app loads using SMJobBless and that tool is managed by launchd and executed as root. We are an identified developer and we sign our app as such. We don't distribute via the App Store and we are about to ship a new version that adds a kernel extension that I wrote. In recent versions of MacOS X, kernel extensions must be signed and they have to at least be signed by an identified developer who has applied for a kernel extension signing certificate. One of the scenarios that I pay attention to as far as security goes is that our daemon (aka "privileged helper tool") executes other processes and also controls the loading and unloading of our kernel extension. Most of those processes, and our kernel extension, are located in our application bundle. I wanted to avoid making dumb assumptions like that our application is running from a particular path, so the app communicates to the daemon via XPC and tells the daemon where the app bundle is located. The daemon doesn't just trust the app. It verifies that the app is code signed and that it is our app and that it hasn't been modified before it starts executing things or loading kernel extensions from inside the app bundle. I can easily imagine a scenario where an app could call our daemon and tell it some other location and cause us to execute malware if we didn't do this. Since I'm not a security expert, I constantly worry that someone will find a way to do this and I just hope we never become an attack vector. I do not want my product on Slashdot because of a security problem.

Comment Are the reviews useful? (Score 4, Insightful) 206

If I was planning to switch from Android to iOS, I would consider using an app like this. The question is, does the app itself work well for the use case it is advertised for? Does it actually move your data over to iOS? What data does it specifically move? What does it not move?

I don't care what kind of computers other people use. I write MacOS X software for a living. I chose MacOS X as a user and as a developer for a variety of reasons, but I recognize those reasons may no longer be current. I haven't used Windows since Vista - and my use of Vista was doing development on a cross platform Windows/Mac/Linux app I wrote. I have written software for iOS (before it was even called iOS) and some iPhone apps I've written have been commercially quite successful. I thought about writing software for Android, but I haven't because my understanding is that Android users don't (in general) spend money on apps. I don't like "freemium" apps. I prefer to charge up front or else have it free. These days, I'm really more interested in MacOS X software and Linux software.

That said, I don't care what phone you like. I am very glad there are multiple viable phone platforms. I think iOS is cool. I don't like having to ship software through the App Store. That said, I've certainly sold more through the App Store than I ever sold through other channels like Kagi.

Anyway, I'm disappointed that the conversation here isn't focused on whether the reviews are useful. That's what I would care about.

Comment Re:One small problem (Score 0) 509

Now you're lying, too. Tamir Rice never reached for a damn thing.

That's funny, the police report and all reporting on the case claim that he did. But I'm sure you have access to information that the rest of us don't. Let me guess - the ghost of Bob Marley came to you in a dream, and told you The White Man Executed Tamir, who was sitting there licking a lollipop at the time?

Comment Re:One small problem (Score 1) 509

THAT IS A LIE, AND YOU ARE A LIAR. Counterexample: Tamir Rice.

Fair enough - he forgot to mention that a small subset are idiots who went around waving a replica pistol at strangers, and then reached for it when the cops arrived.

I'm not sure that qualifies as a lie so much as a justifiable omission. Such cases do not make up a significant percentage of police shootings, since pretty much everyone with an IQ over 70 knows it's not a good idea to reach for a plastic gun when the police are pointing real ones at you.
