


Comment Honest question. (Score 1) 75

Can someone explain why the program handling interaction with assorted media files would be so closely linked to the rest of the system working? I understand that parsing the ghastly mess of different standard and pseudo-standard formats out there, as poorly or even maliciously interpreted by various 3rd parties, is a difficult and dangerous task; so I'm not surprised by the fact that there is a bug in the media component; but if it is known to do such a dangerous job why isn't it compartmentalized more aggressively? Why does losing the mediaserver process make a mess of the phone, rather than just causing it to mark the file that killed it as tainted, restart the process, and carry on?

Comment Re:Old news is so exciting (Score 1) 80

The article named the phone as the Motorola C123. Apparently that model has an atypically well-understood baseband, which is probably why it was picked; but that handset is dumb as a rock except by comparison to the utter antiques from the age of analog cellular or something. I don't even think it has one of the teeny little JREs that phones used to have.

Comment Re:Wrong question. (Score 1) 312

I think that it works both ways: the campaign gets face time and spending money from assorted big names in tech because of the hope that it will make programmers cheaper; but it gets buy-in from educators and parents and politicians looking for feel-good photo ops because of the hope that somehow every kid can be a well paid knowledge worker.

Compare to H-1Bs. Those are similarly favored as a way to drive labor costs down; but are more or less politically toxic; so they have none of the popular chatter. The major tech employers are in favor of both; but only one has the buzz in the other direction as well.

Comment Wrong question. (Score 3, Interesting) 312

These 'zOMG, everyone should STEM up and become an app entrepreneur!!!' stories aren't really about the desirability of everyone having a career in software development. They are more a reflection of the fact that plucky optimists looking for what kids should do to be successful when they grow up are...not exactly...swimming in options. Yes, they are also letting the fascination with shiny trendy things distort their perception of the options, hence the fascination with who will make the next Social Twitfriend app, rather than who will write unbelievably dull line of business stuff; but in broader strokes they aren't pushing this because it's a good idea, they are pushing it because it's an idea, and they don't have another one.

The pronouncement that 'software is eating the world' may have been a bit hyperbolic; but it sure isn't doing the life chances of people without advanced qualifications any favors. "Everyone writing apps" sounds slightly better than "Everyone selling each other securitized bullshit", so it gets more face time.

Comment Re: A plea to fuck off. (Score 1) 364

SMS-based approaches are certainly better than passwords alone; but I have a few areas of dislike for them:

They require an active cell link and a live phone, so are bad news if you are trying to log in in the bowels of some structure, with a phone that has a dead battery, or while travelling outside your non-ridiculously-priced service area. It also tends not to be a problem in practice; but SMS is 'best-effort', so if the system is being flaky then that's just too bad. Essentially, it isn't a 'second factor' at all; but a secondary channel that is assumed not to be compromised.

Then there is the matter of the site needing your phone number. For some applications, that doesn't matter: your bank already knows way more than that about you, say. For others, I'm not so enthusiastic about providing a relatively persistent, and spammable, identifier (also fairly robustly tied to me by payment data, unless I get a burner specifically for dealing with auth issues) to any lousy little website that wants it.

Finally, I'm not terribly confident about the medium-term security of SMS if it becomes a common '2 factor' authentication method. Mobile OSes tend to be a bit more locked down than desktops; but hardly infallible, and the security of SMS gateway providers (who sites using SMS auth presumably employ to interface with the phone network) is an unknown and possibly not comforting factor.

RSA fobs are ultimately an inferior option because they cannot be safely shared across multiple systems, and carrying a fistful of the things is ridiculous (plus, the pricing is usurious); but smartcard/NFC cryptographic authentication has none of these weaknesses. The hardware is cheap, it doesn't require a secondary channel to be available, certificates are relatively tiny so you can carry an enormous number of them without issue; and you can implement certificate auth with varying levels of connection with user 'identity'. On the relatively anonymous side, the user can just generate a keypair and send the public key when they create an account. Trivially handled on the client end, no interaction with outside entities. At the other extreme, hierarchical PKI systems make it possible to robustly verify the user's affiliation with a given organization if the situation requires it. The trouble, of course, is the lack of card readers/NFC pads on a lot of contemporary computers and mobile devices. A great pity.

Comment Re:And why do they still need to prove this? (Score 1) 80

Unfortunately, as our fine folks in the TAO group have apparently proven on multiple occasions, even people with fancy access control tend to have very little power until the package shows up at their loading dock. What happens earlier in the process is less encouraging.

Comment Re:Old news is so exciting (Score 5, Insightful) 80

It isn't conceptually novel; but doing a practical TEMPEST attack with nothing but a dumbphone, with a fairly unobtrusive software modification, rather than a relatively classy SDR rig or some antenna-covered fed-van is a nice practical refinement.

Really, how many 'tech news' stories are actually conceptually novel, rather than "Thing you could lease from IBM for the GDP of a small country in the 60s and 70s, or buy from Sun or SGI for somewhere between the price of a new house and the price of a new car in the 80s and early 90s, is now available in a battery powered and pocket sized device that shows ads!" Conceptual novelty has a special place, of course; but one ought not to scorn engineering refinement.

Comment Re:Brilliant (Score 1) 86

The trouble here is that the rest of the monitor is pedestrian as all hell (gosh Samsung, 1920x1080 on a 27 inch screen! I can practically taste the future...) and the presence of the charging widget in the stand suggests that you aren't going to be VESA mounting this one. If you really care about 'de-cluttering', you are much better off having your monitor float conveniently above your desk, not being stuck with the lousy stock stand.

At least the color scheme is atrocious.

Comment Re: A plea to fuck off. (Score 1) 364

It's not hard to understand why using passwords is so popular; basically all software supports it as an authentication method, it requires only hardware that you can safely assume all your users have; and even an idiot understands it well enough to do it dangerously weakly but more or less correctly.

What is frustrating is how few even offer the ability to do anything else. There has been some uptake of shitty little cellphone-based systems (either using SMS or some 'authenticator app'); but RSA-type fobs are pretty much exclusively for accessing corporate systems (and, as a fundamental limitation of their design, they can only be securely used to authenticate against one entity, since, unlike asymmetric key systems, the authentication server must know the initialization seed values of the fob in order to validate authentication attempts, so anyone in a position to authenticate you could impersonate you anywhere else the same fob was accepted); and certificate-based auth is either something you do yourself for SSH (often without secure hardware for storing the certs) or something you basically have to do work for the DoD to encounter.

I'm actually currently in the process of trying to switch banks because, when I inquired about authentication options that weren't pitiful bullshit, they gave me what amounted to "that's adorable; add three or four factors of ten to your account with us and maybe I'll transfer you to somebody who gives a fuck." Blizzard cares more than that. FFS.

Comment Re: A plea to fuck off. (Score 4, Insightful) 364

The frustrating thing is that we have better technology available; but we mostly can't use it because sites don't support it. PKCS#11 is older than God, and ICs to suit are nice and cheap because SIMs also use them; but when was the last time you saw a non-state site supporting that? The RSA style auth fobs are also better, as long as you don't let somebody steal the seed data (looking at you, RSA) and they don't even need a card reader on the client device. Whatever the 'FIDO' people are messing around with is immature and barely adopted; but also is better than passwords. Aside from a few token "we'll send you a text message and call it two-factor" options, and amusing little pace-of-adoption quirks that make it easier to get a hardware token to protect your WoW account than your bank account, the sites that control the login options haven't done a damn thing in two decades.
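The seed-sharing limitation raised in the two fob comments above, and the "generate a keypair and send the public key" enrollment sketched in the smartcard comment, are easy to make concrete. The following is an added illustration written for this page; it is not code from the commenter, from RSA, or from any FIDO implementation. It uses a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation to show that any relying party holding a fob's seed can mint a code that a second site accepts, next to an Ed25519 challenge-response flow in which each site stores only the public key and a signature captured at one site cannot be replayed at another. The two site objects, the 30-second step, the 6-digit code length and the RFC 4226 test secret used as the seed are constructed inputs, not anything from the original thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to a 31-bit integer, then the low `digits` decimal digits.
func HOTP(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TOTP (RFC 6238): the counter is Unix time divided into 30-second steps.
func TOTP(seed []byte, unixTime int64, digits int) string {
	return HOTP(seed, uint64(unixTime/30), digits)
}

// OTPVerifier models a site that accepts a seed-based fob. To check a code it
// must hold the fob's seed, and the seed is all that is needed to compute codes.
type OTPVerifier struct{ Seed []byte }

func (v OTPVerifier) Check(code string, now int64) bool {
	return hmac.Equal([]byte(code), []byte(TOTP(v.Seed, now, 6)))
}

// Forge is the same computation a legitimate check performs; no extra access needed.
func (v OTPVerifier) Forge(now int64) string { return TOTP(v.Seed, now, 6) }

// SeedVerifierCanImpersonate: one fob enrolled at two (constructed) sites. Site A,
// or anyone who copied its seed database, mints a code that site B accepts.
func SeedVerifierCanImpersonate(seed []byte, now int64) bool {
	siteA := OTPVerifier{Seed: seed}
	siteB := OTPVerifier{Seed: seed}
	return siteB.Check(siteA.Forge(now), now)
}

// KeyVerifier models a site doing asymmetric challenge-response: it stores only
// the user's public key and issues a fresh random nonce for every login.
type KeyVerifier struct{ Pub ed25519.PublicKey }

func (v KeyVerifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func (v KeyVerifier) Check(nonce, sig []byte) bool {
	return ed25519.Verify(v.Pub, nonce, sig)
}

// Respond is the user's side: sign the nonce with a private key that stays on the token.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// KeyVerifierCannotImpersonate: site A observes a valid login, then tries to reuse
// that signature at site B. B's nonce differs and A holds no private key, so it fails.
// Returns (legitimate login accepted, replay rejected, error).
func KeyVerifierCannotImpersonate() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	siteA := KeyVerifier{Pub: pub}
	siteB := KeyVerifier{Pub: pub}
	nonceA, err := siteA.Challenge()
	if err != nil {
		return false, false, err
	}
	sigA := Respond(priv, nonceA)
	legit := siteA.Check(nonceA, sigA)
	nonceB, err := siteB.Challenge()
	if err != nil {
		return false, false, err
	}
	replayRejected := !siteB.Check(nonceB, sigA) // sigA is all that A ever saw
	return legit, replayRejected, nil
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226 test secret, used as constructed input
	fmt.Println("HOTP(counter=0) =", HOTP(seed, 0, 6))
	fmt.Println("seed verifier can impersonate at another site:", SeedVerifierCanImpersonate(seed, 59))
	legit, rejected, err := KeyVerifierCannotImpersonate()
	fmt.Println("legit login:", legit, "replay rejected:", rejected, "err:", err)
}
```

The contrast is the whole point of the comments above: in the OTP model the verifier's database is a copy of every enrolled user's credential, so a compromise of one relying party (or of the seed supplier) is a compromise of every site those fobs are enrolled at, while in the public-key model a verifier breach yields only public keys. What this sketch leaves out, and what the FIDO work mentioned above adds on top, is binding the signed challenge to the site's identity as seen by the client so that a challenge relayed through a phishing page is rejected as well.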

Comment Re:Workstation Tests (Score 1) 75

Isn't that the only reason to care about this particular part? The laptop version is of interest because it has the distinction of being the fastest GPU(and probably pretty close to the fastest CPU) you can buy in any laptop too small/thin/etc. for a discrete GPU. The desktop version is just a solution looking for a problem unless the extra cache makes it better than other i7s.

Comment Re:NVidea's problem, not Microsoft's (Score 1) 316

It's also not comforting that these Windows Update drivers are breaking all over the place; because (at least for GPUs) the ones on Windows Update have historically been the relatively conservative option. They are frequently behind the curve compared to the direct-from-vendor ones; but are also supposed to be the ones that aren't breaking things just to improve some benchmark score.

Comment Re:Never understood (Score 1) 428

Lawyers are paid to advance their employer's interests, not to achieve correctness. If one wrote up a contract that was so full of shit that the entire thing got tossed they would indeed get poor marks (this is why contracts usually insist on 'severability', so that any sections determined to be bullshit shall have no effect on the remaining sections). As long as they can avoid that, though, any advantage that they can derive by inserting scary-but-groundless language is pure gravy. If somebody doesn't know that it is baseless, or can't risk fighting about it, you get compliance without even needing the law on your side. If they do, well, it's just a severable clause, so no harm done.

It's an ugly sort of business; but pragmatic.
