
Submission + - GPL Enforcement under threat. Support Conservancy fundraiser.

Jeremy Allison - Sam writes: "Some companies have withdrawn from funding us and some have even successfully pressured conferences to cancel or prevent talks on our enforcement work. We do this work because we think that it is good for everyone in the long run, because we know it is the right thing to do, and because we know that we are in the best position to do it. But that's not enough — you have to think it's right too and show us by becoming a Supporter now."

Submission + - Software Freedom Conservancy asks for supporters

paroneayea writes: Software Freedom Conservancy is asking people to join as supporters to save both their basic work and GPL enforcement. Conservancy is the steward of projects like it, Samba, Wine, BusyBox, QEMU, Inkscape, Selenium, and many more. Conservancy also does much work around GPL enforcement and needs 2,500 members to join in order to save copyleft compliance work. You can join as a member here.

Comment Re:Wording indicates the problem (Score 1) 137

"Lawful intercept" is a term used in telecoms to refer to a feature of a communications system that allows the police or the government or the TLAs to monitor the communications of a specific endpoint (a person or an address or a device). The implication is that there's some judicial oversight to stop the authorities from abusing it, and some security to stop anyone who isn't the authorities from gaining access to it. The term also implies that the feature is there by design - it can't (or shouldn't) "accidentally" disappear when the vendor releases an update. Just calling it "intercept" or "interception" doesn't convey what it's for and how it works.

I agree that bragging that your product has this feature (even if it's always been there) is a pretty dumb idea, regardless of what you call it. Unless your target market is no longer the users of your product, but people who want to spy on the users and who are in a position to force them to use the product...

Comment Re:.NET 5 is just what we need. (Score 2) 158

I'd be interested in learning more about the compatibility problems you're having with real apps and .net framework versions.

We know that there are occasionally compat issues because we have large customers we work with to try and mitigate them.

There are already mechanisms built into .net for rebinding apps to use specific framework and assembly versions, e.g. the .exe.config file that you can modify without access to the application's source code.

In general, .NET 2.0 and .NET 4.0 are the two separate runtimes that you would currently need to have installed. .NET 3.5 is the newest iteration of the .net 2.0 runtime, and .NET 4.6.x is the newest iteration of the 4.0 runtime.

If you're trying to install an app and it says "i need .net 4", and you don't have .net 4 yet, I think that's working as intended. If updates to .net are breaking your apps, that's something we'd like to know about and help with.

If you have problems of the latter sort - .net updates are breaking your apps, feel free to contact me at this address and I'll see about putting you in touch with someone who can help.


Could a Change In Wording Attract More Women To Infosec?

itwbennett writes: "Information security is an endeavor that is frequently described in terms of war," writes Lysa Myers. "But what would the gender balance of this industry be like if we used more terms from other disciplines?" Just 14 percent of U.S. federal government personnel in cybersecurity specialties are women, a number startlingly close to the 14.5 percent of active duty military members who are women (at least as of 2013). By comparison, women are well represented in other STEM fields: "As of 2011, women earn 60 percent of bachelor-level biology degrees. Women also earn between 40 and 50 percent of chemistry, mathematics and statistics, and Earth sciences undergraduate degrees," writes Myers. Why the difference? Myers points to a comment from someone who taught a GenCyber camp for girls: "He found that one effective way to get girls to feel passionate about security was to create an emotional connection with the subject: e.g. the shock and distress of seeing your drone hacked or your password exposed," writes Myers.

Comment Re:I think the most ironic part is that... (Score 2) 43

I'm not in any way involved with this specific program, but I do work on VisualStudio.

It's pretty common for all kinds of software projects to take bug reports - even very detailed and thorough ones - from people who ultimately don't end up fixing the bug.

The interesting thing about finding a security bug - especially with the constraints described here - a working exploit and a white paper - it's pretty unambiguous that you've found one. You either have or you haven't.

Now, how to actually fix that bug might be a lot more nuanced.

This statement isn't made to in any way imply that a researcher who could find such a bug _couldn't_ also fix it.

Rather, some bug fixes may be preferable to others, from Microsoft's point of view. And so, my impression is - we're not looking for patches that we'd end up re-writing. We're looking for the really nasty bugs, and then we'll go off and come up with fixes that satisfy the big pile of requirements that we have [for example, performance impact].

A valid observation would be, "if these were really open source projects, anyone in the community would be able to run the same regression and performance tests that Microsoft would run, and thus be able to make perfectly valid fixes themselves"

Well, to a point. Long long ago, I found an IDE driver bug in OpenBSD and submitted a fix for it. The fix was substantially re-written by the maintainer, and, ultimately the whole subsystem was replaced in the next version anyhow.

My fix met the functional requirements, so near as I can tell. But there are things like coding style, or maybe even the personal preferences by the project maintainer(s), that can still impact how a particular patch gets rejected or modified prior to being committed.

Furthermore, I think we would hate for there to be a vuln out there that somebody knows about, but is sitting on until they can come up with a fix that they like.

So, yes, I think we really just want the vulnerability reports, well substantiated and with demonstrated exploits. Finding those things is still very much a niche skill.

Fixing them, once they are understood, and balancing those fixes with the other requirements in the system, is more bread-and-butter Microsoft engineer stuff.

fwiw, I've been at Microsoft 15 years, much of it in VisualStudio. Before that, I worked only with UNIX systems, and I've stayed up to date as a hobby.

The way we are trying to engage with Apple, Linux, and F/OSS in general is completely unlike anything we did up until just the last year or so. People I've worked with for years are suddenly diving headlong into Linux development. Arguments that I tried to make a decade ago are now being made by other people.

It's a really interesting time at the company.

Comment Re:No real place for it (Score 1) 311

I'm always on the hunt for ideal archival formats for digital media.

The ideal archival format has a few properties, ranging from most theoretical to most practical:

- a completely unencumbered specification and a completely unencumbered implementation
- a highly portable, f/oss reference implementation
- excellent quality vs. usability (e.g. lossless quality, but small to store and fast to decode)
- support in popular general purpose computing environments
- supported in popular dedicated hardware devices

FLAC gets the first few of those, but not the last one -- plenty of dedicated hardware audio players don't deal with FLAC.

Because of this, I use MP3 for audio - which theoretically gives up the first few points, but as a practical matter, those points are irrelevant, and MP3 completely dominates the industry on the last few points.

If Vorbis or FLAC or any of the things that get the first few points correct had ubiquitous device support, I might be willing to re-rip everything into those formats for a great blend of long-term archival and easy-to-consume on any device convenience. But nothing is like that for audio.

Similarly, if I thought there was going to be a fantastic lossless image format that did everything well and was going to be massively supported and was completely unencumbered, I'd want to move everything over to it. I'd want my future digital cameras to start shooting it. I'd want my whole tool stream and whole life to just be about that format.

Submission + - The Principles of Community-Oriented GPL Enforcement

Jeremy Allison - Sam writes: The FSF and the Software Freedom Conservancy have announced "The Principles of Community-Oriented GPL Enforcement".

"This document, co-authored with the Free Software Foundation (FSF), outlines basic guidelines for any organization that seeks to uphold copyleft licenses on behalf of the public good."

Comment Re:The next chapter (Score 1) 254

I know you're just a random slashdot poster, and I really shouldn't expect any better, but would it hurt you to look at the list of Document Foundation (the Org behind LibreOffice) and look at the list of supporters:


"Chris DiBona, Open Source Programs Manager at Google, Inc., has commented: "The creation of The Document Foundation is a great step forward in encouraging further development of open source office suites. Having a level playing field for all contributors is fundamental in creating a broad and active community around an open source software project. Google is proud to be a supporter of The Document Foundation and participate in the project".

Hint - supporters mean we fund them. I represent Google on the Board of Directors, and yes, nagging them about getting a full Android port is something I do *every* meeting.

I now return you to your regularly scheduled slashdot poster 2-minute-hate on "Big Corporations".

Comment Re:DMCA reform (Score 1) 224

I'd be surprised if it was against anti-spam laws. CAN-SPAM applies specifically to messages advertising a commercial service or product, though I suppose this tactic could fall foul of other countries' laws. I'm curious as to how you'd get around them if it did. Claim you have an existing business relationship with Vimeo because you watched a video that someone posted there?
