Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: email != unencrypted (Score 1) 141

by lamber45 (#48688795) Attached to: Ask Slashdot: Dealing With Companies With Poor SSL Practices?
Since 2002, the STARTTLS extension to SMTP, RFC 3207, has been a standard. In this particular case, the vendor's domain appears to be hosted on Google Sites, so if the OP has a gmail account the message won't even leave Google's network until he picks up the message via HTTPS or SSL-secured IMAP.

Comment: Re:Questionable claims (Score 1) 60

by lamber45 (#48466889) Attached to: Sony To Offer Partial Refunds For PS Vita
Well, technically he still hasn't suspended deportations (or otherwise changed immigration policy) through an executive order. His "My fellow americans..." speech last Thursday was explaining a policy that the Department of Justice had told the Department of Homeland Security it could follow. He's taking credit for it for the purpose of arguing with Congress, and he would certainly veto anything that actively undoes it ("let's deport people by a random lottery", "let's deport everyone who has an anchor baby and is not yet a citizen", "let's deport everyone, Citizen or not, with a Muslim-sounding first name or an Irish-sounding last name"), but he hasn't done anything that the next President couldn't undo.

Comment: Link to law (Score 1) 256

by lamber45 (#48213421) Attached to: Michigan Latest State To Ban Direct Tesla Sales

1981 version

2014 version

Difference in clause (i):
@@ -1,7 +1,8 @@
(i) Sell any new motor vehicle directly to a retail customer other than
-through its franchised dealers, unless the retail customer is a nonprofit
+through franchised dealers, unless the retail customer is a nonprofit
organization or a federal, state, or local government or agency. This
-subdivision does not prohibit a manufacturer from providing information to
-a consumer for the purpose of marketing or facilitating the sale of new
-motor vehicles or from establishing a program to sell or offer to sell
-new motor vehicles through the manufacturer's new motor vehicle dealers.
+subdivision does not prohibit a manufacturer from providing information
+to a consumer for the purpose of marketing or facilitating the sale of
+new motor vehicles or from establishing a program to sell or offer to
+sell new motor vehicles through franchised new motor vehicle dealers
+that sell and service new motor vehicles produced by the manufacturer.

Comment: Re:Next wave of phishing? (Score 1) 149

by lamber45 (#47616027) Attached to: Gmail Recognizes Addresses Containing Non-Latin Characters
No, they're not allowing gmail accounts to use non-ASCII local parts yet. However, mail to/from other domains can have non-ASCII local part and domain name. If that other domain allows a random user to create an account "róót", that's about the extent of the possible phishing.

Comment: Re:I think it's reasonable, if it was accurate (Score 1) 276

by lamber45 (#46427515) Attached to: Should Newsweek Have Outed Satoshi Nakamoto's Personal Details?
There is value. If the creator wrote it on his free time after working 30 years in a probably thankless job he couldn't tell his family about, there's hope for me to do something similar, or at least I should advise my sons to get a good education and a stable job. On the other hand, if he was a 15-year-old kid who flunked most classes in school and spent the majority of his nights playing video games, I'd better get my sons each a latest-model gaming rig, because that ship has sailed for me.

Comment: Haven't had this issue with GMail, but with other (Score 2) 388

by lamber45 (#45928191) Attached to: Ask Slashdot: What To Do With Misdirected Email?

My GMail (and Yahoo! as well) username is (first name)(middle name)(last name), all fairly common [in fact at my current employer there are multiple matches of (first name)(last name), and my father has the same (first name)(last name) as well], and I have not had this problem with either service. Perhaps using initials instead of full names is part of it; or your last-name may have different demographic connotations.

I did, however, recently have that problem with a Comcast account. When the tech visited our home for installation, he created an account (first name)(last name) . I didn't actually give it out anywhere, yet within a few months it was filled with a hundred or so messages for someone in another state. I did try responding to one item that seemed moderately important, and whoever got the response [the help-desk of some organization] didn't seem to grasp that I had no connection with the intended recipient. Since I hadn't advertised it anywhere, it was easy to change the username, to (my first initial)(wife's first initial)(my last initial)(wife's last initial)(string of digits) While this address appears to have been reused, apparently Comcast no longer allows address reuse; I tried using a previous ID that I had used a long time ago, and it was not available.

Since you ask for advice, I recommend two courses of action:

  • 1. As long as you still have access to that address, when you receive anything that is clearly misdirected and potentially of high value, deal with it politely. Don't use a "form response", instead personalize the response to the content of the message. CC the intended recipient on the response, if you are able to divine who it is. Once you've dealt with the matter, delete the whole thread. For newsletters, try following an "unsubscribe" action, if that's not available mark as spam.
  • 2. Consider an exit strategy from your current e-mail address, no matter how much is attached to it. See the Google help posting "Change your username". For the new address, try a long nickname or full first name instead of first initial; or maybe add a string of numbers, a city your contacts will recognize, or a title. Give your important contacts plenty of advance notice, post the new address with the reasons you're switching [perhaps with a list of the confusing other identities as well] on your "old" Google+ profile. After a reasonable time (say six months or a year), delete your old account. Make sure you change your address at all the "various sites" you've registered at before doing so, in case you need to use a password reset function.

Comment: Re:Switch to an easier technology (Score 1) 399

by lamber45 (#44529823) Attached to: Ask Slashdot: How Do I Request Someone To Send Me a Public Key?
I wouldn't want to trust just the secretary of the other org. However, with public keys (HTTPS, PGP, SSH, anything else similar), it's good for the information on "how to verify" the key to be widely disseminated. For example, the org could put its key fingerprint, and a screenshot of the same as used in common applications, on an indexable part of its HTTPS-protected public website. An individual could put his PGP key fingerprint on his (paper) business card, as fine-print on his resume or CV, and in his e-mail signature. The secretary should be able to say what the key is, and how to verify that.

Comment: Makes sense (Score 1) 196

by lamber45 (#42806969) Attached to: New Secure Boot Patches Break Hibernation
Hibernation actually is a security hole. I'll ignore the kexec issue for now, but encrypted and checksummed hibernate images would be a good thing, and would be nice on a non-SecureBoot system as well. At a minumum, the hibernation image should carry a checksum of { the image data + the kernel that loaded it + relevant platform data }. That would at least prevent partially booting a suspend image with random corruption. Can SecureBoot also provide a secret key used only to encrypt the suspend image and decrypt it during boot? Or some additional data to feed into the checksum that securely identifies the platform? Or keep the suspend checksum in nonvolatile memory that can only be written to by a trusted operating system?

Who goeth a-borrowing goeth a-sorrowing. -- Thomas Tusser