
Comment Re:Where is bash? (Score 1) 164

5-10 years ago I would have agreed with you. These days, IMO, it's *far* better to just run Linux in a VM if you need a Windows base OS but want access to Unix/Linux command-line tools. VirtualBox and VMware both support mapping filesystem locations within the host environment through to guests.

Cygwin is an impressive technical achievement, but it's a nightmare to install due to the archaic packaging system and installer. Certain tools (in particular, grep) perform much more poorly than running the "normal" versions in a Linux VM. Very few people typically have it installed in a given organization, so just about anything you create with it ends up being a one-off hack for your own system, not something that can be shared.

Comment Re:Seems similar to the Wen Ho Lee case. (Score 1) 113

It sounds like the FBI was probably wrong in this case, but there really is a mind-boggling amount of sensitive/classified technology exfiltration by the Chinese government. People working for them have walked off with blueprints for nuclear submarines, brand-new fighter jets, the Space Shuttle, etc. When that sort of thing happens, and then a few months later the Chinese government shows off a new fighter jet that looks suspiciously similar to one of ours, I can't entirely fault the US government for being over-protective. If you were in their position, would you want to potentially go to war with a China that had copies of all of our fanciest weapons?

That having been said, clearly there are some additional protections required against abuse, like maybe talking to someone who actually knows anything about the field the suspect works in to make sure there is really something fishy going on.

Comment Re:They want us to make it easier for them? (Score 1) 148

If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password [...]

It depends. If you use the same password on multiple systems, then it's only as secure as the least-secure of those systems. If you never change it, for all you know, someone has compromised one of the weaker links in that chain and been able to log on as you for months or years.

Comment Re:I always figured (Score 1) 220

Not all of the TSA-approved locks have both of those features.

I have a Master padlock with a single keyway that will accept either the included key or the TSA key and no "opened" indicator.

I also have a combination lock that can be opened with the TSA 004 "key", but because the "key" is an L-shaped piece of metal, it might not be obvious to everyone that that's what the hole on the bottom is for. That one also doesn't have an "opened" indicator.

FWIW, the "opened" indicator is a bit of a joke anyway. On the one TSA lock I have which has it, it's pretty easy to prevent it from being able to pop up while the TSA part of the lock is picked, and as long as it's held down until the lock is closed again, no one would be the wiser.

Comment Re:I always assumed they were (Score 1) 220

Back in 2010, I needed to take my camera tripod with me on a flight, and there was no way it was going to fit in my carry-on. I used a cable lock and some padlocks to attach it to the inside of my suitcase so that it could be taken out and examined, but not detached from the suitcase without cutting the cable, a lock, or part of the suitcase. It worked fine for ensuring that my tripod was still there when I opened the suitcase, but a couple of other things were "accidentally" damaged by the baggage inspectors, so I always figured they didn't really appreciate the concept.

Comment Re:Yet another reason to avoid Oracle (Score 1) 229

Sony begs to differ.

At least Sony products are generally nice from a typical end-user point of view. The only Oracle products (IMO) that hold that distinction are some of the ones they acquired when they bought Sun. Their database software costs more than just about anything else on the market, and you still need to buy hokey third-party tools to manage/interact with it if you want to use anything other than a command-line.

Comment Re:fix it first (Score 1) 55

"True security is done in logs."

When your systems are generating multiple gigabytes of log data every day, you need some sort of system to turn that mass of raw data into useful information. I don't know that this system does that, but we're about ten years past the point of manual log review being a viable primary method for handling security.

Comment Re:...letmegetthisstraight (Score 1) 62

Yes, that's exactly right. I heard about this while it was still a Kickstarter-style project, and as soon as I realized that the "Loop" in the name was a reference to an induction loop, I immediately thought "well, I'll just build a larger loop, and hide that under the table the payment terminal is on, and wirelessly capture the raw track data from the card".

My second thought was "there's no way to be sure that a given customer is using the official app, or even the official hardware, so if even one bank legitimizes this, criminals are going to have a field day, because using a card-spoofing magnetic field generator will be 'normal'".

The best part is because it uses a magnetic field (instead of radio waves), there's (AFAIK) no feasible way to build a shield to limit the scope of that field. My understanding is that one could e.g. covertly install an induction loop around an entire building, and stand a reasonable chance of being able to capture all of the transactions sent via this system within that building.

The company behind it is super-sketchy, IMO. They alpha-tested the device by walking into random stores with a hidden camera and socially engineered the salespeople into letting them "pay with [their] phone", AKA "use this total hack of a device to make a payment that could be completely unauthorized".

It's also not *guaranteed* to work. *Most* mag-stripe readers will apparently function even if no card is physically swiped, but some of them do require that a wheel be spun by the card physically swiping through the reader.

I'm beyond shocked that Visa got involved in this in a positive way (as opposed to shutting them down). The whole credit card payment model is based around salespeople being reasonably sure that the customer is paying with something that was genuinely issued by a bank. A LoopPay-style device completely circumvents that. There is no cryptographic protection as a countermeasure, like with EMV or NFC - the salespeople just have to take on faith that it's a legitimate account being used.

We already have two superior systems (NFC and EMV) being deployed. I'm completely baffled that LoopPay isn't being laughed out of business.

Comment Re:From TFA (Score 1) 211

If ping crashes, or even executes arbitrary commands because of a specially crafted command-line, it's not a security vulnerability.

That's a pretty sweeping statement to make. Most interesting security vulnerabilities (IMO) are the results of multiple smaller issues and/or design decisions that can be chained together.

For example, a lot (most?) of the Linux distributions I see have ping's SUID bit set, and it is owned by root. So, yes, ping executing arbitrary commands absolutely *can* be a security vulnerability, because I can potentially use it for local privilege escalation from non-privileged user to root.
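The point above is that the privilege a binary runs with decides whether a bug in it is "just a crash" or an escalation path. The following audit helper is an added example (not the commenter's code) that classifies a binary as setuid-root, setuid to another user, file-capability based, or unprivileged, so a defender can check whether ping on a given box is still setuid root or has been moved to cap_net_raw capabilities; the function names are my own.

```shell
#!/bin/sh
# Added example: classify how much privilege a binary carries, so the
# impact of a command-injection or memory bug in it can be judged.
# Output is one of: missing, setuid-root, setuid-other, capabilities, none

privilege_class() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 1; }
    # POSIX find handles the mode test portably (no GNU-only stat flags)
    if [ -n "$(find "$f" -perm -4000 2>/dev/null)" ]; then
        if [ -n "$(find "$f" -user root 2>/dev/null)" ]; then
            echo "setuid-root"      # a code-exec bug here is local root
        else
            echo "setuid-other"     # escalation to that user only
        fi
        return 0
    fi
    # Many current distributions ship ping with cap_net_raw instead of setuid;
    # getcap may be absent, so guard for it.
    if command -v getcap >/dev/null 2>&1 && getcap "$f" 2>/dev/null | grep -q 'cap_'; then
        echo "capabilities"
        return 0
    fi
    echo "none"
}

# Inventory every setuid-root file on local filesystems (review this list
# periodically; each entry is a potential escalation path if it has bugs).
list_setuid_root() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Example usage: classify ping wherever it lives on this system.
ping_path=$(command -v ping 2>/dev/null)
[ -n "$ping_path" ] && echo "$ping_path: $(privilege_class "$ping_path")"
```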

Comment Re:Stupid/Misleading Title (Score 1) 118

You can still take recyclables to a recycler and be paid for them. Most people don't consider it worth the effort for the amount of money they'll get in return, unless they're hobos and/or they have something valuable (like copper) to sell. I had some old steel bits and pieces that I carted down to a recycler a few months ago. I got about five dollars for all of it. I was happier with that arrangement than if the steel had ended up in a landfill, but most people wouldn't have been willing to spend a few hours collecting it, driving it to the recycler, etc.

Comment Re:Heavier than air flight is impossible (Score 1) 350

Zeppelins are pretty neat, but I can see why they didn't go into widespread use. Read the history of the two that the US Navy built in the early 20th century - basically flying aircraft carriers straight out of Crimson Skies. All that's left is a single fighter plane and some mangled metal scrap (both of which can be viewed at the Smithsonian) because zeppelins don't do well in windstorms :\.

Comment Quite the meteoric rise (Score 1) 45

I find it quite amazing that you've not only been incredibly successful in the film industry, but that you've gone on to deep-sea research and plans for asteroid mining. What got you interested in moving into those fields, and was there anything other than money that enabled you to do so?
For example, you have a reputation for being able to improvise and make the most of limited resources - I am still in awe over the bridge set in Galaxy of Terror, which looks like it cost ten times the entire budget of that film. Would you say that was one of the reasons you were able to make Deepsea Challenge and the actual expedition that led up to it?

Comment Re:Requires a very high speed camera (Score 5, Informative) 142

For some reason, the person who posted the article or the Slashdot editors linked to a bad knock-off video that removed 3/4 of the details instead of the actual researchers' video. The real video makes it clear that they can also get results from a standard DSLR 60 FPS video by taking advantage of the rolling shutter effect. There's a fidelity loss, but it's a lot better than I would have expected.

Numeric stability is probably not all that important when you're guessing.