
Comment: Give Obama's answers to security questions (Score 1) 241

You're right that it's normally easy enough to find the answers to questions like "what high school did you go to?" I make that much more secure by secretly replacing "you" with "Barack Obama".* I don't enter MY high school, I enter Obama's. I enter Obama's mother's maiden name. So anyone who goes on my Facebook** to get answers will get wrong answers.

* I actually use another famous person, not Obama.
** You won't find much on my Facebook page, because I don't use Facebook. But if I did, it wouldn't show the answers I use.

Comment: GPL specifically allows source on a different serv (Score 1) 162

The GPL requires that the program include an offer to provide the source code, either on a physical medium or on a server. It does NOT require that it be distributed via the same server or service that the binary is on. v3 makes that very clear, saying:

        "the Corresponding Source may be on a different server (operated by you or a third party)"

Putting the binary on the App store and the source on Github is exactly what that covers - provided that in or "next to" the binary copy you make it clear where the source can be found.

Therefore, if you are distributing a binary via the app store, and distributing the source via FTP or Github, you're fine. v3 also says that you CAN distribute the source the same way that you distribute the binary, or you can distribute it using a different method. Also under either version of the GPL you can offer it on physical media.

So no, the GPL doesn't require that if the binary is delivered by mail (or app store) that the source be delivered the same way. In fact, it explicitly says the opposite.

The issue that FSF pointed out in another, more specific post, is that while Apple may not be required to do anything at all in order to conform with the GPL, they are in fact doing something. They are stating that all software distributed via the app store has certain restrictions. A more precisely fitting analogy, therefore, is post office policies about what can and cannot be shipped.

The FSF position is that the policy is an additional condition imposed by Apple which means that APPLE can't legally distribute GPL code under those conditions. That, however, takes us right back around to the question we started with. _I_ may distribute the software, as long as _I_ don't impose additional conditions. If I'm the one doing the distribution, it's legal. Apple is imposing additional conditions, but it's fine for Apple to have conditions on its app store if they aren't the ones distributing the software. Just like the USPS has policies and conditions, which don't affect the fact that I can distribute GPL software by using USPS to do it.

Whether the person who put the app on the app store is distributing via the app store or if Apple is the one doing the distribution is murky. Viewing that phrase in isolation, a court could rule either way. However, the court will read the whole document, not just one phrase. The top of the GPL license says:

"Our General Public Licenses are designed to make sure ... that you receive source code or can get it if you want it"

Okay, so the purpose is to make sure you can get source code if you want it. That's the goal of the license agreement. Given the murky question of who is the distributor, a court should look at the purpose of the document. The purpose is to make sure people who want source code can get it. If it's freely available on Github and the app contains a link to that Github, the purpose is being fulfilled and the court should allow it.

Comment: FSF was very non-specific, and probably wrong (Score 2, Insightful) 162

The FSF post didn't say what terms of the license they thought Apple was violating, or why they think distributing via the app store is any different than distributing via the post office.

If I mail GPL software via the postal service, I have to comply with the GPL, which mainly means I have to include an offer to provide source code upon request. The postal service doesn't have to do ANYTHING regarding the license, they are a third party facilitating my distribution. It could be argued that Apple is no different- the person distributing via the app store needs to comply, Apple doesn't have to do anything to be in compliance.

By the wording of the license, it would be possible to argue either way, so a court would look at the INTENT of the license, its PURPOSE. The GPL helpfully states its purpose and intent right at the top - to maintain the four freedoms. As long as the freedoms are being maintained (by having source available, etc.), the court would probably rule that it's perfectly okay to distribute via the mail, ftp, email, http, or the app store.

Comment: images aren't a programming language (Score 3, Informative) 117

Pdf is a subset of PostScript, a turing complete programming language. It's most often used for rendering documents, but is in no way limited to that. You can program an emulator in ps and run Linux inside your pdf. Gif and jpeg are not executable code. They are just (compressed) color VALUES.

There was one security hole in one specific executable LIBRARY which processes jpegs, but jpegs themselves are not executable and therefore essentially safe. Not so for pdf.

It is hoped that pdf is slightly safer than pure PostScript, but it's not FUNDAMENTALLY safer.

Comment: except when it is, because you don't (Score 1) 91

You make an excellent point. A corollary is a bit of a counter-point. Sometimes you DON'T need to decrypt it, and in those cases you shouldn't be able to.

The most obvious example is passwords. You store those as salted hashes which can't be decrypted. You don't need to know what their password is, you only need to know if it's the same as what they entered or not. We can apply the same principle to data we use for fraud prevention. We want to know if this transaction attempt is coming from the same device / os / ip / location that the legitimate user normally uses. We don't have to store their previous data, only a hash so we can see if the new attempt matches or not.

The OPM didn't need to store details of the applicants' past indiscretions. They could have simply encoded it as a risk score, 1-5. That's like a hash of the narrative, in a way, irreversible but still useful. Then people couldn't be blackmailed or outed with the information.
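The "store only a hash, never the data" idea in the comment above, as an added example that is not part of the original post or any commenter's code. It assumes a constructed account record holding a secret per-account salt, stores only a keyed hash of the device / os / ip / location context a user normally uses, and stores passwords as salted PBKDF2 digests; the round count and the sample contexts are illustrative assumptions. It also goes one step beyond the comment: because a device/ip/location tuple has little entropy, a bare hash of it could be brute-forced from a stolen database, so the context hash is keyed with the per-account secret.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Added example; not the commenter's code. Assumptions (constructed for
# illustration): each account carries a secret random salt, the stored record
# holds only keyed hashes of the context the user normally signs in from, and
# passwords are stored as salted PBKDF2-HMAC-SHA256 digests.

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def context_hash(account_salt: bytes, device: str, os_name: str, ip: str, location: str) -> str:
    """Keyed hash of (device, os, ip, location).

    HMAC with a per-account secret is used instead of a plain SHA-256 because
    the inputs have little entropy: with an unkeyed hash, someone holding the
    database could enumerate likely device/ip/location combinations and recover
    the raw values. With the secret key the stored value is useless on its own,
    yet the service can still answer "same context as before?".
    """
    material = "\x1f".join((device, os_name, ip, location)).encode("utf-8")
    return hmac.new(account_salt, material, hashlib.sha256).hexdigest()


def matches_known_context(account_salt: bytes, known_hashes: Iterable[str],
                          device: str, os_name: str, ip: str, location: str) -> bool:
    """True if the presented context hashes to one the account has seen before."""
    candidate = context_hash(account_salt, device, os_name, ip, location)
    # compare_digest keeps each comparison constant-time
    return any(hmac.compare_digest(candidate, h) for h in known_hashes)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest from what the user typed and compare it; the stored
    digest cannot be reversed to learn the password, which is the point."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample account: one previously seen context, one password
    salt = os.urandom(32)
    known = [context_hash(salt, "iPhone", "iOS 8", "73.162.0.10", "San Francisco, CA")]
    print(matches_known_context(salt, known, "iPhone", "iOS 8", "73.162.0.10", "San Francisco, CA"))
    print(matches_known_context(salt, known, "iPhone", "iOS 8", "5.45.0.10", "Moscow, RU"))
    s, d = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", s, d), verify_password("wrong", s, d))
```

The same principle covers the comment's OPM point: what the record keeps is only what is needed to answer a yes/no question later, so a breach of the table yields nothing reversible.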

Comment: Navy has long done this. They hang out near foreig (Score 1) 59

The navy has been doing signals intelligence for a very long time. Ships communicate with their allied forces via radio using giant antennae, and they loiter close to enemy territory, and therefore enemy communications. It's only natural that they would point their large antennae at the enemy, and they've been doing so since just after radio was invented.

The navy also legitimately brings large numbers of personnel into foreign ports on a regular basis. It's only natural to give some of those sailors varying degrees of training in keeping your eyes and ears open while on foreign soil. Thus, the Office of Naval Intelligence has long been a significant part of our foreign intelligence capability.

Comment: Navy did signals intelligence first (Score 1) 59

The navy has been doing signals intelligence for a hundred years or so. Ships do two interesting things - they communicate with their allied forces via radio using giant antennae, and they loiter close to enemy territory, and therefore enemy communications. It's only natural that they would point their large antennae at the enemy, and they've been doing so since just after radio was invented.

The navy also legitimately brings large numbers of personnel into foreign ports on a regular basis. It's only natural to give some of those sailors varying degrees of training in keeping your eyes and ears open while on foreign soil. Thus, the Office of Naval Intelligence has long been a significant part of our foreign intelligence capability.

Comment: +- 500 miles is accurate enough (Score 1) 130

If you're underground or deep in a building, you're probably on wifi (or plugged in). That means we can geoip to within a 20 or 30 miles at worst, within a block in the best case (company IPs). That's far more accurate than we need to know whether the account holder COULD be there. What we're looking for is a transaction in southern California, followed 30 minutes later by one in South Carolina, then one in Mexico an hour later. We're computing whether it's possible for the account holder to travel that fast.

We then combine that with other data points to score the likelihood of fraud. If it's card-present (swiped) that's lower risk than an internet transaction where they only have the card NUMBER, for example.

Comment: extremely common fraud protection (Score 4, Informative) 130

Many, possibly most, ecommerce sites do at least basic location checks for fraud protection and have for many years. The 20,000 or so sites which use our software have done so for at least ten years. If you're on the site from Comcast San Francisco at 10:00, then an hour later someone claiming to be you tries to initiate a transaction while in Russia, that's suspicious.

That red flag is then combined with other available information to choose from one of four possible outcomes:
The transaction is approved.
The transaction is declined.
The customer gets a call / text asking them to confirm the transaction.
Verified by Visa (tm) or the cashier calls in for manual approval.

The system works pretty well.

Note "tracking" is slightly overstating it for two reasons. First, the bank or processor checks only the location of the transaction- we don't know or care where you are if you're not attempting a transaction against an account holder's funds at the moment. Secondly, the "location" is strictly numerical longitude and latitude to see how far you are from the last location. Is it physically possible that you traveled that fast? We don't know or care if you're in a grocery store or a strip club. We only care if "you" are 4,000 miles from where you were two hours ago.
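The velocity check described in the two comments above (the "could the account holder have travelled that fast?" computation, combined with card-present status and mapped onto the four outcomes), as an added example that is neither the commenter's nor their company's code. Everything in it is constructed: the coordinates stand in for the southern California / South Carolina / Mexico scenario, the 30-mile geoip error, the 600 mph "faster than an airliner" cutoff and the score thresholds are assumptions chosen for illustration, and only distance and elapsed time are used, exactly as the comment says.

```python
import math
from dataclasses import dataclass

# Added example; not the commenter's or their company's code. Constructed
# assumptions: geoip resolves to within ~30 miles, anything faster than an
# airliner (~600 mph) is treated as impossible, and the score thresholds
# below are illustrative.

EARTH_RADIUS_MILES = 3958.8
GEOIP_ERROR_MILES = 30.0   # comment: "20 or 30 miles at worst"
MAX_PLAUSIBLE_MPH = 600.0  # assumed: roughly commercial flight speed


@dataclass
class Attempt:
    ts: float           # seconds since epoch
    lat: float          # geoip (or terminal) latitude
    lon: float          # geoip (or terminal) longitude
    card_present: bool  # swiped/dipped vs. card number only


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance. Only the distance matters; nothing about what is
    at either end is retained, which is the comment's "strictly numerical" point."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def travel_assessment(prev: Attempt, cur: Attempt) -> str:
    """Return "none", "plausible" or "impossible" for the move from prev to cur."""
    distance = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
    # Two fixes within their combined geoip error imply no travel at all.
    if distance <= 2 * GEOIP_ERROR_MILES:
        return "none"
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return "impossible"  # different places at the same instant
    return "impossible" if distance / hours > MAX_PLAUSIBLE_MPH else "plausible"


def risk_score(prev: Attempt, cur: Attempt) -> int:
    """Combine the travel red flag with other data points (here: card-present)."""
    score = {"none": 0, "plausible": 1, "impossible": 3}[travel_assessment(prev, cur)]
    if not cur.card_present:
        score += 1  # card-not-present: only the card NUMBER was presented
    return score


def decide(score: int) -> str:
    """Map the combined score onto the four outcomes the comment lists
    (thresholds are assumptions for the example)."""
    if score >= 4:
        return "decline"
    if score == 3:
        return "call_or_text_customer"
    if score == 2:
        return "step_up_verification"  # Verified by Visa or manual approval
    return "approve"


if __name__ == "__main__":
    # Constructed scenario from the comment: southern California, then South
    # Carolina 30 minutes later, then Mexico an hour after that.
    socal = Attempt(ts=0.0, lat=34.05, lon=-118.24, card_present=True)
    scar = Attempt(ts=1800.0, lat=34.00, lon=-81.03, card_present=False)
    mexico = Attempt(ts=5400.0, lat=19.43, lon=-99.13, card_present=True)
    for prev, cur in ((socal, scar), (scar, mexico)):
        s = risk_score(prev, cur)
        print(travel_assessment(prev, cur), s, decide(s))
```

Each pair of attempts yields only a distance, an elapsed time, and a score; the service never needs to know where the card holder actually is when no transaction is being attempted, which is why the comment calls "tracking" an overstatement.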

Comment: Sorry. I forgot, geothermal IS fracking (Score 1) 266

Sorry, I forgot fracking was invented for geothermal. That's how geothermal is done, and was done before fracking was applied to petroleum too. So I guess it's not either / or, if you have geothermal, that means you have deep fracking.

Comment: Web developers know they'll be attacked (Score 0) 225

> brats who think writing a crappy web page is the same thing as writing a desktop application.

Yeah unlike desktop developers, any decent web developer KNOWS that their code will be attacked all the time, and designs it appropriately. Unlike desktop developers who throw shit on the internet (like Skype) without considering the fact that it's accepting input from unknown sources, including malicious sources.

Oh wait, you were saying that desktop developers who have never had any reason to think about security are better somehow, weren't you?

Comment: on the other hand, Rand Paul killed section 215 (Score 0) 167

On the other hand, Rand Paul just killed the worst parts of the Patriot Act. Hopefully it'll stay dead, or at least maimed. I don't know too much about Paul, but I think I'm going to find out more about him, from the most objective and reliable sources I can find.

Comment: that's the R party fight, libertarian or establish (Score 4, Interesting) 218

I can certainly see why he runs as a Republican- the current fight is between the libertarian side of the party and the remnants of the Moral Majority faction and the establishment power base. The unfortunate fact is that libertarian party candidates don't get elected to the presidency and the senate, republicans do. He therefore can accomplish a lot more by getting elected as a Republican than he could by losing as a Libertarian. President Reagan largely redefined the republican party in his own image, so there's no reason Rand Paul couldn't do the same.

Of course Reagan also developed an alliance with the Moral Majority crowd in order to get elected, and that alliance affected the party platform. Moral Majority officially shut down many years ago and people are fed up with the establishment power base, so the party is ripe to be redefined again.
