
Comment: Re:Duh (Score 1) 23

by petermgreen (#49353787) Attached to: 'Bar Mitzvah Attack' Plagues SSL/TLS Encryption

The whole internet standards process works based on "asking nicely". You can tell people they shouldn't use an option or even that by using that option they will be non-compliant with the latest version of the standard but you can't really stop them from using it if they decide that compatibility with old clients outweighs security.

Comment: Re:What's missing from this story? (Score 1) 569

Dunno whereabouts in Europe you live, but here in the UK it's still fairly common to see traditional doors/frames with only a single point lock and with the door hung so it opens inwards. A well-aimed kick, a handheld battering ram or a correctly placed crowbar will more than likely break the lock from the frame on such a door.

Comment: Re:Just another reminder to use LibreSSL (Score 1) 64

And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.

Exactly, and in most cases the exception says "openssl". Does a slightly patched version from a distro still count as "openssl"? Does a forked and renamed version with substantial changes still count as "openssl"?

Comment: Re:Wait (Score 1) 128

by petermgreen (#49302753) Attached to: Why Is the Grand Theft Auto CEO Also Chairman of the ESRB?

AIUI people (and retailers) take them seriously enough that game developers typically choose an ESRB rating and then tailor the content of their game to hit it (this tailoring can happen in either direction). In particular they try very hard to avoid the AO rating as many retailers refuse to stock games that have it.
Which ESRB rating they try to hit depends on the audience they have in mind.

There was a big blowup with GTA San Andreas about a minigame that was disabled but not removed, causing the ESRB to re-rate the game as AO with a subsequent replacement of most stock in the retail channel and a class-action lawsuit (though the number of members of the class who actually claimed anything was pretty small).

Comment: Re:Just another reminder to use LibreSSL (Score 2) 64

Maybe

With ssh the original project had moved to a proprietary license, so Linux distros that only accepted free software had to go with a fork or stick with a very outdated version. With openssl the original project is still alive. So the developers of Linux distros will have to have a big argument over whether the reduced security exposure outweighs the reduced feature set.

Comment: Re:Why should we care? (Score 1) 140

by petermgreen (#49284699) Attached to: Gates: Large Epidemics Need a More Agile Response

Because the larger an epidemic grows, the more expensive it is to deal with and the greater the chance of an infected person escaping and starting an outbreak elsewhere. The Ebola epidemic got big enough to suck badly for the three main countries involved and there were a few minor outbreaks in other countries, but fortunately the outbreak was contained in time to avoid any significant outbreaks in the rest of the world.

Comment: Personally I wouldn't put my eggs in one basket. (Score 1) 295

by petermgreen (#49281925) Attached to: Ask Slashdot: Advice For Domain Name Registration?

If the shit hits the fan at a domain registrar there is a good chance your domain will remain active but with no way to reconfigure it until things are straightened out. If the shit hits the fan at a hosting provider there is a good chance your server will disappear.

So putting both at the same place seems stupid to me.

Comment: Re:Know what's worse? Cleartext. (Score 1) 132

by petermgreen (#49280225) Attached to: Researchers Find Same RSA Encryption Key Used 28,000 Times

My question is how could OpenSSL still have had this potential backdoor? Why was this not removed at first opportunity?

The trouble with removing old/weak modes is that you break interoperability with systems that only support those modes. Implementations that were limited to export modes only didn't disappear the instant the export restrictions were lifted. In some cases old versions of software stick around for many years because there is some problem that blocks upgrading.

So someone has to make the difficult call as to when the risk posed by supporting the old/weak modes outweighs the interoperability issues that will be caused by removing support for them. Inevitably making changes is harder than doing nothing, so said calls tend to err on the side of "too late" rather than "too early".

Furthermore SSL/TLS is supposed to protect against downgrade attacks. So removing support for old modes doesn't seem as urgent as it otherwise would be. Recently however we are finding that the protection against downgrade attacks is not as good as it should be.

Comment: Re:Or, it could be unrelated to actually extending (Score 2) 286

by petermgreen (#49268557) Attached to: Elon Musk Pledges To End "Range Anxiety" For Tesla Model S

The thing is, with a petrol/diesel/LPG/etc powered car you can drive until the tank is nearly empty. Then at a convenient location along the route stop, fill the fuel tank, go to the toilet, stretch, grab a snack etc and be back on the road quickly. Especially if you have more than one person in the car and so can share the burden of driving, this allows travelling for long periods with minimal stopped time.

With an electric car so far you can't do that. You have to go out of your way to find a charging station (which are far less common than petrol stations) and then wait a considerable time for your vehicle to charge (how long depends on the particular station, but even Tesla superchargers, which are few and far between, apparently take 40 minutes to bring the car to 80% charge).

Comment: Re:time_t (Score 1) 287

by petermgreen (#49248765) Attached to: NTP's Fate Hinges On "Father Time"

time_t has been 64 bits on every *nix system I've used for over a decade.

All widely used 32-bit Linux ports still have 32-bit time_t (x32 has 64-bit time_t but that is not widely used and it's debatable whether it counts as a 32-bit system). While x86-64 is taking over on the desktop and dedicated servers, many embedded systems and low cost hosted VMs are still 32-bit (the latter due to the lower memory footprint).

Why in the name of any sanity at all would NTP not have been updated by now?

Afaict it has: the NTP "date" format provides a 32-bit era number and a 32-bit era offset number which between them provide a 64-bit seconds count. The NTP "timestamp" format uses a 32-bit seconds count, but AIUI that is only supposed to be used for comparing to other nearby timestamps.
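An added worked example (not from the comment above or from the NTP project) of the era arithmetic the comment describes: splitting a Unix time into the NTP date format's (era, era offset) pair, and resolving a bare 32-bit NTP timestamp back to an absolute time by picking the era nearest to a reference clock, which is the RFC 5905 approach. The reference times and wire bytes are constructed sample values; the 32-bit time_t check at the end ties in the previous comment.

```python
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
ERA_LENGTH = 1 << 32          # one NTP era is 2^32 seconds; era 0 ends 2036-02-07 06:28:16 UTC
INT32_MAX = (1 << 31) - 1     # largest value a signed 32-bit time_t can hold (2038-01-19)


def ntp_date(unix_seconds: int) -> tuple[int, int]:
    """Split a Unix time into the NTP date format's (era, era_offset) seconds fields."""
    ntp_seconds = unix_seconds + NTP_UNIX_OFFSET
    # floor division keeps this correct even for times before 1900 (negative era)
    return ntp_seconds // ERA_LENGTH, ntp_seconds % ERA_LENGTH


def ntp_timestamp_to_unix(ts_seconds: int, reference_unix: int) -> int:
    """Resolve a 32-bit NTP timestamp seconds field to absolute Unix time.

    The 32-bit field alone is ambiguous across eras, so the era is chosen so
    that the result lies within +/- 2^31 seconds (about 68 years) of the
    reference clock, as RFC 5905 recommends.
    """
    _, ref_offset = ntp_date(reference_unix)
    delta = (ts_seconds - ref_offset) & 0xFFFFFFFF  # unsigned wrap within one era
    if delta >= 1 << 31:                            # reinterpret as signed 32-bit
        delta -= ERA_LENGTH
    return reference_unix + delta


def parse_ntp_timestamp(raw: bytes, reference_unix: int) -> float:
    """Decode an 8-byte wire timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    secs, frac = struct.unpack("!II", raw)
    return ntp_timestamp_to_unix(secs, reference_unix) + frac / ERA_LENGTH


def fits_32bit_time_t(unix_seconds: int) -> bool:
    """True if a platform with signed 32-bit time_t can represent this instant."""
    return -(1 << 31) <= unix_seconds <= INT32_MAX


if __name__ == "__main__":
    era_end = ERA_LENGTH - NTP_UNIX_OFFSET  # Unix time at which NTP era 0 rolls over
    print("era 0 rollover (unix):", era_end, ntp_date(era_end))
    # constructed sample: timestamp field 0 seen by a clock 1000 s before rollover
    print("resolved:", ntp_timestamp_to_unix(0, era_end - 1000))
    print("fits 32-bit time_t:", fits_32bit_time_t(era_end), fits_32bit_time_t(INT32_MAX + 1))
```

The important observation is that a correct implementation of the timestamp format keeps working across the 2036 era boundary as long as its reference clock is roughly right, whereas a 32-bit signed time_t has no such escape hatch in 2038.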
