
Comment This is a business decision - possibly a fatal one (Score 1) 230

I can't blame the paper for going the cheapest route. I can blame them for believing patently false info fed to them by their content-management software experts and going with what they THINK is the cheapest route.

I assume their goal is to have a non-anonymous content system going forward, keep their existing comments, and keep the "comment history" of non-anonymous commenters intact so that future comments are connected to past ones made by the same person.

I also assume they want to have all of this done by a certain date and under a certain budget.

Given the short time-frame I assume the remaining work, if any, is expected to take less than a few months.

Their options are:

* Stick with their existing configuration (does not meet the criteria above)
* Dump their existing comment system and start over with a brand new one, possibly losing their entire comment history (does not meet the criteria above)
* Dump their existing comment system and NOT replace it (does not meet the criteria above)
* Keep their existing comment system as an archive but not allow any new comments (does not meet the criteria above)
* Pay $BIGBUCKS to "do the impossible" and get a system that can keep historical comments anonymized but give them what they want going forward (likely does not meet the time and budget criteria above, by a long shot)
* Pay $BIGBUCKS in direct, measurable costs of lawsuits and lost customers and $MOREBIGBUCKS in lost goodwill (likely does not meet the budget criteria above, by a long shot)

The question is, which criteria are they willing to sacrifice? If they continue on their current path, they are choosing to sacrifice the "budget" criteria. I hope they have good legal insurance and enough capital to survive the public relations nightmare that lies ahead of them, or they may wind up needing to hire a good bankruptcy lawyer.

Comment Is there a truly similar payment before 8/11/1994? (Score 1) 47

I would love to know the first cryptographically secure e-commerce transaction outside of a testbed environment. If something similar to the August 11, 1994 https: transaction occurred prior to that date, that would be worth contacting the author about. By similar, I mean a transaction in which the buyer used a cryptographically secure method to provide payment information directly to the seller, vs. using a non-secure method like email to provide payment information, using an intermediary like CompuServe or the Post Office ("cash on delivery") to manage the payment, or providing direct payment through some other means such as via telephone-voice-call/dialup-modem-direct-to-the-vendor/dedicated-data-line-direct-to-the-vendor/fax/mail/in-person/etc.

The article includes some important disclaimers not found in the summary:

* The 1971 ARPANET transaction "technically didn't count because money wasn't exchanged online: they only used the network to arrange a meeting place."

* The 1984 Videotext transaction didn't count because the customer "paid for them in cash [at the time of delivery]. That's not exactly e-commerce."

Thanks to those who have already pointed out that you could buy things using Compu$erve (sorry, old habit$ die hard), Quantum Link, etc. and even via a telnet server before 1994.

Those mentioning buying things over BBSs (well, most BBSs anyways) and USENET are probably talking about using the network to arrange a purchase, not to actually conduct the purchase.

Comment Re:"Reset to factory settings" button (Score 1) 148

This. Especially for consumer devices.

The only reasons NOT to have a user-accessible "factory reset" button are if the customer specifically doesn't want one (such as for anti-theft firmware where the customer does not want the thief disabling it without entering a code or possessing a hardware "key") or where there is a legal requirement to not allow the person in possession of the device to reset it (such as an ankle monitor used by some people on parole, probation, or out on bond awaiting criminal trial).

Except for "so cheap they are disposable" devices and perhaps devices where there are national-security or very-strong-legal implications or where the end user specifically does not want one, there should always be a "reset switch" that is accessible to factory-authorized repair shops and, ideally, legal protection against price-gouging if an end user has to take the device into a factory-authorized shop to have it "reset" due to bricking.

Comment Re:Good! 8 more years of time working correctly. (Score 1) 143

Bad. 8 more years of time not working correctly. The fundamental issue is that the atoms in the atomic clocks just don't care what the Earth measures. If non-programmers want to know when the sun is overhead, they can go outside and look at it.

There, fixed^H^H^H^H^Hbroke that for you. :)

Comment Special glasses (Score 1) 197

I was in a school once where a kid had special "zooming" glasses that greatly magnified a small portion of the field of vision.

Since they were probably classified as "medical devices" they probably weren't cheap, but today Google Glass or something similar probably could do the job.

I do not know how well these glasses worked when pointed at a modern computer screen (or, for that matter, a CRT).

An option like this should at least be considered. If it's not terribly expensive, it should be seriously considered.

Comment Some things shouldn't be externally accessible (Score 1) 116

Most medical devices should either be stand-alone or in a "closed network" such as a network that only includes patient-care devices in a single building and doctor- and nurse-accessible workstations around the building, but without any connection to any network or device that touches any outside network.

Exceptions like operating rooms used for tele-medicine/remote-operated-robo-surgery/etc. can be handled as special cases.

If you want to hack them, you'll need to use "out of band/side-channel" techniques like compromising the employees who have access to them or listening in on (and interpreting) the nearly-inevitable RF signals that the equipment puts on nearby wires or on the air, watching for vibrations on windows or pointing a camera at the room windows to see or "hear" the alarms or status lights as they go off, etc. Except for the "compromising the employees" bit or gaining physical access yourself, it's very hard to force a non-networked device to do your bidding except in a very rough way, such as by cutting off the power supply or triggering some condition that puts the device in a fail-safe mode.

Comment You need more Congressmen (Score 1) 400

The fun part is that there's no way to get off the list. I've now had three Congressmen and a Senator from two different States tell me this.

There is a way, but 3 Congressmen and 2 Senators aren't enough.

If you had 218 Congressmen and 51 Senators and the President on your side, that might be enough, but just to be safe, get 61 Senators on your side.

They can pass a "private relief act" type of bill to remove you from the watchlist. Once the President signs it, it will be law.

Comment First off, store most data on servers (Score 1) 118

As much as is feasible, store files on the servers you have already.

I realize this may not be feasible if your "daytime bandwidth" or latency makes it impossible, but do it if you can.

I'll leave it up to others who know more than I do to answer your original question about open-source, centrally-managed, business-grade (read: vendor-supported and hack-resistant) solutions.

Oh, one more thing: this is a business. Unless you are going to dedicate a programming team to bug-fixing this and a security team to regularly audit it, spend the money on buying software from a reputable vendor who will stay on top of security bugs. Don't make the mistake of thinking "open source means free as in beer" - if you do, you and your company will pay for it big time with the first preventable security breach.

Comment This is an ancient problem, or ancient feature (Score 1) 111

Terrorists etc. have been able to use one-time pads or personal couriers who memorized their messages since well before modern cryptography.

Sure, it was a bit more cumbersome and not always practical, and when implemented naively, it was vulnerable to rubber-hose cryptanalysis, but then again, so is an encrypted smart-phone when you have access to someone who knows the password.

So, tell me again, if bad guys will continue to have these options, why is it a good idea to weaken all other forms of cryptography to the point where they are about as useful as SHA1 with a small key (if that)?
