


Comment: Re:Not enough? (Score 1) 158

by heypete (#49666379) Attached to: Devices I have with a GPS reciever built in:

GPS depends on extremely precise time measurements (there's an atomic clock on each of the GPS satellites), so it's a cheap way of getting a very precise clock. If you know the correct offset between GPS time and UTC, it will be extremely accurate, too.

The GPS time-UTC offset is transmitted as part of the GPS almanac and virtually all receivers should interpret it as soon as it is received. From a cold start with an old receiver, this can take up to 12.5 minutes but most modern GPS receivers can get this in a few tens of seconds to minutes.

Comment: Re:Please explain (Score 4, Insightful) 158

by heypete (#49642833) Attached to: Devices I have with a GPS reciever built in:

I can understand two or three, but I'm at a loss for how someone could have 6 or more GPS devices. Will someone please explain how it's even possible for a normal person to have that many?

Cellphone (work+personal), tablet, fitness watch, in-car navigation system, (I'm struggling now), child/pet location device?

In addition to a few handheld navigation-type GPS receivers and one for a car, I have six individual GPS timing-grade receivers (2x Motorola Oncore UT+, 2x Trimble Resolution T, 1x Garmin GPS 18x LVC, and 1x Trimble Thunderbolt) on or around my desk.

Naturally, this isn't something a typical person has, but tinkering with such things is one of my several diverse hobbies. Several ham operators I know have a Thunderbolt or other GPS-disciplined oscillator to provide a stable frequency reference for their radios.

A few friends have GPS-based emergency rescue beacons (they often hike or climb in remote areas where phone service is not available), while others have beacons so they can find their large amateur rockets.

Comment: Re:Propagation delay (Score 4, Informative) 63

by heypete (#49642117) Attached to: Centimeter-Resolution GPS For Smartphones, VR, Drones

Nope, SA is turned off even in war zones, in fact the newest birds don't even have the SA feature.

True, Selective Availability is disabled or otherwise not available on the new satellites, but the government still retains the ability to deny GPS on a regional basis.

See:

"Why are you turning [SA] off?
A. The decision to end the degradation of civil accuracy on a global level was made by the President based on a Secretary of Defense recommendation coordinated with all applicable departments and agencies. This decision is based on the U.S. military commitment to develop and employ technologies to deny the civil services of GPS on a regional basis. Under this approach, it will be possible to deny GPS to potential adversaries in areas of operations while preserving the peaceful use of GPS services outside those areas"

That said, civilian GPS receivers are often quite a bit better, more handy, and more advanced than military ones and a lot of soldiers use them in combat areas. Sure, the military ones are more rugged and get the encrypted military-only channel with better accuracy, but sub-meter accuracy is only really needed for smart bombs and the like. It's less useful for driving a Humvee down the street somewhere or finding out how to get back to base. Handheld civil GPS receivers are typically accurate down to the 3-5 meter range, which is only slightly worse than the military ones.

Denying civil GPS signals in certain regions would almost certainly make things worse for US soldiers, so it's extremely unlikely that the military would ever do regional denial of civil GPS except in the most extreme situations. Even then it'd have limited effect because GLONASS (Russian), Compass (Chinese), and Galileo (EU) are or will soon be perfectly viable alternatives that bad guys could use for guidance.

Comment: Re:Plus RS232 (Score 1) 301

Because a lot of us out here still use that port. a LOT of advanced hardware is still RS232.

I just wish that Dell and Lenovo still offered it on their top of the line laptops that us pros use. Yes I will pay an extra $150 for a native rs232 port on my laptop.

Seconded. I routinely use RS232 for communicating with various devices. It's simple, reliable, and easy to work with. USB-to-serial adapters are ok, but I prefer native ports, particularly for things with timing-sensitive requirements.

Comment: Re: Provided your MUA supports S/MIME (Score 1) 89

by heypete (#49421497) Attached to: The Problem With Using End-to-End Web Crypto as a Cure-All

Especially compared to generating a gpg key, that process is still a huge pain, requiring you to fiddle with obscure commands (seriously, the openssl command-line options read like someone sat down for half a year and thought "how can I make this as unusable as possible?").
Why isn't there a one-line program that does everything, ideally including submitting the request for signing? Plus a GUI of course, especially for Windows users.

Private keys for S/MIME certs ("client certs", more generally) are generated automatically in the browser; a CSR is generated and sent automatically to the CA for verification/signing. No command-line utilities are needed at all and the private key doesn't leave the browser. Quick, easy, and secure.

If you go through the process to get an S/MIME cert at StartSSL or other CAs, everything is handled seamlessly in the browser without the CA generating (or knowing) the private key.

Of course, StartSSL offers the function to generate the private key for *server* certs for you (which is stupid but convenient) by default but one can readily submit a CSR for signing in the normal way.

Comment: Re:gandi.net (Score 2) 295

by heypete (#49281623) Attached to: Ask Slashdot: Advice For Domain Name Registration?

Highly recommend gandi.net


Although not the cheapest (a .com with NameCheap and whois protection costs $13.57/year. With Gandi it's $15.50), I find that you get what you pay for: for an extra ~$2/year or so you get clueful staff who respond promptly and competently to issues, built-in whois protection (lots of registrars charge extra for that) that ensures that you're still the legal owner of the domain (your name is listed as the registrant, but all the contact information can be masked with Gandi's information by the whois protection), the ability to add DS records for DNSSEC (neither NameCheap nor Hover allow this), a good API if you want to do things programmatically, and a great UI. You get a free SSL cert when you register/transfer in a domain, and SSL certs can be purchased from them (they chain up to Comodo) for a reasonable price.

They support a variety of organizations, including the EFF and Debian, that do good works online and off.

Also, they're located in France. This offers some protection from various US shenanigans when it comes to seizing domains (assuming the TLD is not US-based), if that's something you're worried about. It's not perfect, of course, but it's something to keep in mind.

They offer decent, anycasted DNS service. Their nodes are located in Paris, Luxembourg, and Baltimore, so they have reasonable resolution speeds in Europe and North America. Nothing fancy, but it works well. You can, of course, use any other DNS host you want (e.g. one run by your web host, a third party service like easyDNS, etc.).

They also offer three types of hosting: basic web hosting, "Simple Hosting", and VPSs. The VPSs are pretty bog-standard, so you won't see any surprises, but I find DigitalOcean to be a better value for VPSs. The "Simple Hosting" is interesting to me, as it's a sort of crossover between shared hosting and a VPS: you choose what type of instance you want (PHP, Node.js, Python, or Ruby), what database type you want (MySQL, PgSQL, or MongoDB) and how much resources you need and you get a dedicated instance of that type. Instances are managed by a hypervisor so other users on the same hardware are logically separated and don't interfere with your service. Additionally, they put a Varnish cache server upstream of your instance so it's extremely fast.

Alternatively, I recommend NearlyFreeSpeech.net for excellent hosting.

In short: Gandi is a fine registrar and I strongly recommend them.

Comment: CODE Keyboard (Score 5, Interesting) 452

by heypete (#49273569) Attached to: Ask Slashdot: Good Keyboard?

I've been using a CODE Keyboard for several months now. I really like it.

It's a mechanical keyboard using Cherry MX Clear switches, so it has a good tactile response without being super clicky. Certain settings can be changed using a DIP switch on the bottom. The keyboard uses a standard, detachable micro USB cable: cables have always been a weak spot on my keyboards, so it's nice to know I can replace it if needed.

The keys are mounted on a steel plate (not as heavy as the Model M, though) so they keyboard feels very solid.

Comment: Re:I don't get the pricing? (Score 1) 71

by heypete (#49239955) Attached to: Google Nearline Delivers Some Serious Competition To Amazon Glacier

One reason I'm about to start using Amazon Glacier for personal backups is specifically because you can't delete files. I want to put up all of my family photos and videos, and know that they will be there even if my kid installs ransomware, our house gets robbed and burns down, and I'm in a coma for six months and can't deal with trying to retrieve deleted files (along with determining the real ones vs ransom ones) in a timely manner from Dropbox or Crashplan.

You can absolutely delete files in Amazon Glacier if the access key you're using has that permission enabled. I imagine there's a surprising number of people who use their AWS root account credentials to access Glacier even though this is strongly discouraged. Even if one creates a new IAM user with access only to Glacier (so a bad guy who compromised your computer can't spin up EC2 instances), the default is for all permissions to be enabled.

Of course, you can disable the permissions to delete files: I've done that, and it works well, but it's not the default. I have a separate IAM user with list-and-delete privileges, but that is a separate user in FastGlacier and requires a password to use -- that keeps me from inadvertently fat-fingering the delete key.

Comment: Re:Honest question here (Score 1) 185

by heypete (#49156363) Attached to: Google Taking Over New TLDs

If I were an entity that had its own TLD, say .ebh, it would be nice if people could get to my site with the minimalist URL http://ebh. Is there any way to disambiguate a TLD from a nonqualified host name to make that possible?

Sure. Just end the address with a dot, which identifies the name in the URL as being absolute.

For example, http://ai./ is a site in Anguilla that uses the TLD as its own name. However, if you leave out the dot it doesn't work -- this is a bit of a pain and most TLDs won't let anyone use the TLD itself as a name.

Comment: Re:Snowden uses PGP/web of trust (Score 1) 95

by heypete (#49117911) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

Snowden of course used PGP which uses the web of trust system, it works enough to protect Greenwald and Snowden from NSA snooping.

To be fair, Snowden and Greenwald met in person and verified their key fingerprints. While useful in many situations, the WoT was not really a factor there.

Comment: Re:Comodo are the biggest Cert issuer (Score 1) 95

by heypete (#49117903) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

Comodo, not to be confused with the similarly named Komodia from yesterday, are the world biggest issuer of SSL certificates.

Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for most uses. Comodo, however, is a major certificate authority.

Various surveys, including this one (daily updates available here), scan HTTPS-enabled sites and report on the share of CAs.

Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TLS for all their customers (including free ones) using Comodo-issued certs -- that single action essentially doubled the number of HTTPS sites on the internet.

Comment: Re:Comodo, shame on you! (Score 1) 95

by heypete (#49117873) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

What frigging kind of security company is Comodo? Is Comodo a security company at all?

Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.

But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable price (same price as RSA certs, typically less than $10/year), which is nice if you're interested in moving away from RSA for whatever reason.

Comment: Lesson: don't use root AWS API keys (Score 5, Interesting) 119

by heypete (#48722833) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

AWS strongly discourages the uses of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?

Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

Judicious use of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.
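The two-user Glacier setup described here (and in the Nearline comment above) written out as IAM policy documents, with a small action-level checker to confirm the backup user really cannot delete. This is an added example, not code from the comments; the vault ARN is a hypothetical placeholder, and the checker only models IAM's Allow/Deny/default-deny rule for the Action element (it ignores Resource and Condition).

```python
"""Added example: IAM policies for a no-delete Glacier backup user and a
separate delete-only user, plus an action-level policy checker."""
from fnmatch import fnmatchcase

# Hypothetical vault ARN: substitute your own account id and vault name.
VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/family-backups"

# Day-to-day user: upload, inspect, and start/fetch restore jobs, never delete.
BACKUP_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "glacier:ListVaults", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["glacier:UploadArchive", "glacier:InitiateMultipartUpload",
                    "glacier:UploadMultipartPart", "glacier:CompleteMultipartUpload",
                    "glacier:DescribeVault", "glacier:InitiateJob",
                    "glacier:ListJobs", "glacier:DescribeJob",
                    "glacier:GetJobOutput"],
         "Resource": VAULT_ARN},
        # Explicit Deny wins over any Allow added later by mistake.
        {"Effect": "Deny", "Action": "glacier:Delete*", "Resource": "*"},
    ],
}

# Separate, password-protected user in the client: view and delete only.
DELETE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "glacier:ListVaults", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["glacier:DescribeVault", "glacier:InitiateJob",
                    "glacier:GetJobOutput", "glacier:DeleteArchive"],
         "Resource": VAULT_ARN},
    ],
}


def _matches(pattern, action):
    # IAM action names compare case-insensitively; * and ? are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Action-level evaluation: any matching Deny wins, else Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```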

Comment: Re:Stupid (Score 1) 396

by heypete (#48634401) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

And if you do pay the $60, you can only manage a single legal entity. Which means, if you are the certificate manager of some organization, you can either get certificates in the name of that organization (after completing the paperwork and paying the additional $60), or for your own private sites, but not for both at once. Yes, after completing the paperwork for getting certificates for your organization, you lose the right to get certificates for yourself. Crazy, but true!

Huh. I didn't know that, as I only have ever done the individual verification. It's not uncommon for someone to wear many hats (i.e., to be affiliated with several organizations). It'd certainly be nice if their system allowed for a single individual account to switch between different "identities", so that one could issue certs for themselves or any number of organizations with which they're affiliated and which they've validated with StartSSL.

Have you suggested such an improvement to them?

Oddly enough, if you don't pay anything at all ("class 1 certificates"), you can get certificates for several associations and yourself at once. Of course, then you can't get wildcards or SAN certificates, so you are forced to use SNI (more hassle to set up, and might not work with exotic browsers).

Technically, yes, but policy-wise, no: Class 1 certs are not intended for commercial use.

Wow, a place where beer is even more expensive than here in Luxembourg! But seriously, I guess the $9/year is for plain certificates, no wildcard and non SAN? In that case it would compete with StartSSL's free offering, rather than their $60 plan. If it actually does include wildcard certificates, I would be interested in details.

It's hard to directly compare the two offerings, as StartSSL charges for validation but you can issue numerous certificates at no additional cost. Other CAs charge on a per-cert basis.

As you suspected, the $9 offering from PositiveSSL is for a single, non-wildcard, non-SAN certificate. NameCheap also sells Comodo PositiveSSL multi-domain certs for $30/year for up to 100 domains, which is quite a reasonable price. Of course, those certs are domain-validated only. Organization-validated multi-domain certs start at $90/year. That's cheaper than StartSSL, but only gets you a single cert with multiple SANs. If you needed more than one, StartSSL is the more economical choice. Wildcard certs are also available, with Comodo wildcards costing $94/year.
