Comment Re:Great! Now if only they would make upgrades eas (Score 1) 70

"viewing inside ssl encrypted transactions (which should be illegal but hey)"

So it has a convenient interface for MITMing SSL sessions... Ugh.

Shit like this is why I'm going to have to nuke my existing public keys & re-exchange them between boxes via sneakernet at some point. Insofar as it's possible, of course. I can't exactly mail a USB key to the GitHub building with new keys & instructions, can I?


Unless you think someone is MiTM'ing all of your pathways to the internet, just validate your keys from more than one place - even if your employer managed to manipulate your key when you connect through their internet connection, when you try to use the key (or look at the key fingerprint) from your home internet connection, you'll see that it doesn't match your private key.

Or, when you're uploading keys, don't trust an SSL connection from someone else's computer (even your employer's) since the only way they can MiTM SSL is to put their own root cert on your computer.
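The multi-path check described in the comment above, as an added example that is not part of the original post: it computes the OpenSSH SHA256 fingerprint of the local public key and compares it with the fingerprint the service reports over each connection. The vantage-point names, the helper names and the sample keys are constructed for illustration, and it assumes the service displays fingerprints in the format `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import struct


def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public key line ('<type> <base64> [comment]')."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or is not a public key.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_vantage_points(local_pubkey, observed):
    """Compare the local key's fingerprint with what each network path showed.

    observed maps a vantage-point label (hypothetical names such as 'office',
    'home') to the fingerprint the service displayed over that connection.
    """
    expected = fingerprint(local_pubkey)
    mismatched = sorted(p for p, fp in observed.items() if fp != expected)
    # One path alone proves nothing: require at least two agreeing paths.
    return {"expected": expected, "mismatched": mismatched,
            "consistent": len(observed) >= 2 and not mismatched}


def _constructed_key(seed, comment):
    # Constructed sample: ed25519-shaped blob holding 32 arbitrary bytes, not a real key.
    ktype = b"ssh-ed25519"
    body = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(body)) + body
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


MY_KEY = _constructed_key(b"mine", "me@laptop")
SWAPPED_KEY = _constructed_key(b"proxy", "me@laptop")  # what an intercepting proxy might register

if __name__ == "__main__":
    seen = {"office": fingerprint(SWAPPED_KEY), "home": fingerprint(MY_KEY)}
    print(check_vantage_points(MY_KEY, seen))
```

A mismatch on only one path points at that path; the key comment field is not part of the fingerprint, so renaming a key does not change the result.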

Comment Re:Great! Now if only they would make upgrades eas (Score 1) 70

You explicitly said log in and click. That is indicative of not being able to cron or run a script remotely. Either your writing is bad or your understanding is bad. Why should I trust the rest of what you have said?

That was my advice to him -- the guy that is using a consumer grade 5505 to protect his office, let his maintenance subscription lapse and the firmware is 2 years out of date.

Being able to log in and click on something is no indicator of whether or not it can be scripted. There are many many tools and products that provide both a GUI and a rich API.

But hey, I'm not trying to sell you anything -- if you can't figure out on your own if a product supports any scripting or remote management, then that's probably a good sign that it's not the right fit for you. But don't try to blame someone else for your own shortcomings when you somehow assume that a 100 word Slashdot post is a complete feature description and that it will describe your own (unstated) use case.

Comment Re:Great! Now if only they would make upgrades eas (Score 1) 70

They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.

Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.

You're not a Linux (or BSD, or other unix like OS) admin are you? Everything can be automated.

You can automate it if you trust updates not to break connectivity. Most people would rather be there when it updates so they don't get locked out of their VPN on a long holiday weekend.

I've never had a pfSense update break anything, but I still don't trust it to do unattended upgrades.

If you've got a validation lab where you can test out upgrades before you push them out to remote sites, then you can have it do unattended upgrades automatically.

Comment Re:Great! Now if only they would make upgrades eas (Score 1) 70

Just providing another opinion on why someone would choose cisco over free alternatives.

Yes, there are valid reasons to buy an ASA or other Cisco device, but I don't think that anyone with an ASA 5505 with lapsed maintenance that's 2 years out of date bought it for any of those reasons.

Many people buy the low-end Cisco devices because "Hey, it's Cisco, it must be super secure", then they plug it in and put it in the corner under a desk and forget about it for years, never looking at it or applying updates until it fails. They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.

Comment Re:Great! Now if only they would make upgrades eas (Score 1) 70

The reason that people use things like Cisco, is that the integration is easier.

The other reason is that they are supposed to be secure. But if you let your SMARTNet subscription lapse and stop applying updates, that's no longer the case. If you're not going to pay for updates for your security device, then use something that will give you free updates.

Comment Re:Great! Now if only they would make upgrades eas (Score 5, Informative) 70

In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.

You can not buy it online.
You can not buy it from Cisco, you have to go through a reseller.
Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...

I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.

How on earth are customers supposed to be secure if they make it so hard to keep up with patches???

Replace your ASAs with pfSense boxes (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors, the code is open for inspection. You can buy support if you want it.

Comment Re:So what should we do? (Score 1) 562

The shove to park normally works. There's an "easy" press up and a "hard" press up. The problem is if you do it a little softly you go into neutral instead.... I had it happen to me once when I went to open the door and the car started rolling... It is very easy to drive this car if you pay attention and it took no special instruction during the test drive or for relatives.

You just gave us special instruction to push more firmly into Park, and said that when you didn't follow those special instructions yourself, you accidentally left the car in neutral -- had you been parked on a hill, you may have lost control of the car. Why wouldn't you tell relatives about it before they drive the car? Don't you like them?

Sounds like it *does* need special instruction and without that instruction, it's a hazard to those that aren't familiar with it.

Comment Re:So what should we do? (Score 1) 562

Yet every new Prius driver I know of (including myself) spends the first 10 minutes trying to figure out how to make it work.
One neighbour got it into reverse and then backed it down the street one inch at a time while trying to figure out how to go forward again.
Once learnt it is simple and intuitive and obvious but not at the beginning.
Which of course means it is not intuitive and obvious at all - just simple.

The PRNDL shifter isn't intuitive either -- why do you pull it backwards to go forwards, and push it forwards to go backwards? It's just so ubiquitous that everyone knows how it works.

Comment Re:So what should we do? (Score 5, Insightful) 562

And if you're never allowed to move their cheese, you could never effect "progress", could you? Sometimes you have to move their cheese, and sometimes you have to let "this kind of stuff" happen. Sometimes you even have to do it with very small incremental changes. Since you used the helpdesk reference, perhaps just like the small incremental changes in every iteration of Windows.

You can move the cheese, but don't replace it with a box of poison that looks just like the cheese.

If they want to change the UI for a shifter, they should make it completely different, not make something that looks, and superficially feels the same while in actuality it's quite different. What they did is akin to wanting to have a joy-stick instead of a steering wheel, but instead of just putting in an obvious joystick, they made it look just like a steering wheel.

Comment Re:Oops (Score 1) 654

Fourth option: have lightweight unobtrusive ads.

I only started using ad-blocker when ads became a draw on performance.

Me too, the straw that broke the camel's back for me was a website that started up a full page interstitial ad a few seconds after reaching the site - I'd start reading the article, then have to wait for an animated interstitial to load... then about half the time, I'd click on the tiny close box in the corner, but would miss it and the advertiser's site would load. That's when I turned on Adblock.

I kept the "allow unobtrusive ads" box checked with adblock, so I still see some limited set of ads (though I think Google is the only place I see those ads).

There's no way I'm paying $52/year to read Wired when I only go there a half dozen times a year. What I would be willing to do is fund a micropayment account, and then pay sites a few cents per page view to replace the revenue they'd get from ads.

Comment Sounds familiar (Score 5, Interesting) 277

Sounds a lot like what happened to the company that tried to run ferry service between the islands, the government supported the company and helped them start up, 2 years (and several lawsuits) later a judge shut them down because whatever law was passed by the government was against Hawaii's constitution.

In December 2008, environmental groups and the company returned to court for an appeal of the previous ruling. On March 16, 2009 the Hawaii Supreme Court ruled that allowing the Superferry to operate prior to completion of the environmental study was unconstitutional.[37] The company immediately suspended service and laid off its 236 employees.

Hundreds of jobs and hundreds of millions of dollars of investment lost.... and probably hundreds of millions of future investments lost because investors won't invest in infrastructure when they have no assurance that when the government says "we need this, do it", that they really mean it.

I actually had tickets to ride the boat, but the company had already shut down before my trip.

Comment Re:Stupid design (Score 1) 136

Current doesn't kill silicon, voltage does. Example, you take an LED. It's a red one that runs at 2V. You can probably dump 3-4x that voltage through it without a resistor, and it won't care as long as the polarity is correct and it has adequate heat sinking. Now, this same LED has a reverse breakdown voltage. Many LEDs nowadays have native protection about double their nominal operative voltage. So for this LED, it can take upwards of ~4V reverse polarity. You give it 5V or higher in reverse, you will destroy the p-n junction.

This knowledge is what is used to design LED arrays which can run natively off wall power without any power driver circuitry.

V+ and GND are power supply rails, are you claiming that an external device can overdrive the computer (or USB chipset's) power supply without sending enough excess current through it that would trip the fuse?
