
Comment Re:Yes and no, but mostly no. (Score 1) 83

One, the spec is positively Byzantine. It makes OpenPGP look like a marvel of clarity. It's a very hard spec to implement correctly, and for that reason I distrust most of the S/MIME out there.

Two, S/MIME has some hardwired dependencies on SHA-1. (So does OpenPGP; S/MIME has more of them.) SHA-1 isn't looking very healthy right now. OpenPGP is migrating away from SHA-1 and the working group is actively developing a new spec. The S/MIME community isn't.

Comment Re:Yes and no, but mostly no. (Score 1) 83

The biggest problem with OpenPGP is that it doesn't protect the metadata.

It's about to. :)

Daniel Kahn Gillmor had a novel idea for how to use PGP/MIME in a creative way to extend protection to virtually all the email header information. Enigmail is implementing this, as are a few other groups. Metadata protection is coming to OpenPGP -- and very soon!

Comment Re:Yes and no, but mostly no. (Score 1) 83

Quoting myself:

And some people -- idiots who don't understand that optimizing one of these may necessarily mean pessimizing another -- smile and say, "Yes!"

You're one of those idiots: I get it. But so long as you're saying "improve everything!" I'm going to ignore you, because some of these things are incompatible.

Comment Yes and no, but mostly no. (Score 5, Insightful) 83

Yes and no, but mostly no. (ObDisclosure: I help out with Enigmail.)

  • Could we do better? Maybe. Probably. But first you'll have to define what "better" means. Some people say it means stronger crypto. Some say it means a simpler RFC. Some say it means a better user interface/user experience. And some people -- idiots who don't understand that optimizing one of these may necessarily mean pessimizing another -- smile and say, "Yes!" Honestly, when it comes to "we can do better" style criticism, my response is simple: I know we can do better -- but first you have to tell me what 'better' means.
  • But that doesn't matter. When it comes to communications security the world is divided into two camps. The first one doesn't need it right now and the second one does. If you don't need communications security right now, that gives you a great amount of luxury to sit on the sidelines and wait for something better to come along. If you do, though ... then GnuPG and Enigmail are pretty much the best thing going right now, at least when it comes to email.

  • Alternatives? What alternatives? The only alternative right now for email security is S/MIME, and that's far worse than OpenPGP. If you want to communicate using Silent Circle, go for it. Want to use OTR, be my guest. But if you need email security... "it's probably time to look into alternatives" is the kind of advice that sounds good only until you realize just how few alternatives there are, or how lousy they are.

I'll be the first to agree that GnuPG is a usability nightmare. Absolutely. If you like I'll point you towards several references in the peer-reviewed literature that show why it's so bad. But when people start talking about alternatives, I want to know which alternatives they're suggesting; when people start talking about doing it better, I want to know what better means.

Comment Re:Not to be taken seriously (Score 1) 112

I didn't say it was proven. I said it was a result. We don't have a formal proof that P != NP, but find me a single practitioner who thinks we'll find a proof of P = NP.

At some level math works on the basis of consensus. Consensus determines whether we accept a proof or reject it for omitting an important step; consensus determines which axioms we accept to be true. And so far, the consensus seems to be "BQP != NP, just like P != NP."

But yes, we're going to keep looking for the proofs. :)

Comment Re:Not to be taken seriously (Score 1) 112

Depends on what you mean by proven. It's believed about as strongly as people believe P != NP. There's zero evidence BQP can address NP-Complete (or, for that matter, even interesting parts of NP), and a lot of good reasons to believe it can't. However, a proof has been as elusive as the P != NP proof -- another thing which pretty much every CS nerd agrees to be true, but it hasn't been rigorously proven yet.

Comment Not to be taken seriously (Score 4, Interesting) 112

Quantum computers cannot solve NP-Hard or NP-Complete problems -- at least, no faster than a classical computer. This is one of the most basic results in the field, and the author keeps on making hash of it. This article should not be taken seriously if it's rife with such basic errors.

Comment Re:10 LET M$ = "Microsoft" (Score 1) 132

I was around when the M$ nickname got coined.

It was a shortening of Micro$oft. We did the same thing with the Compuserve Information Service (CIS), which charged such outrageous rates that we started calling them CI$. Replacing the "s" of rapacious firms with "$" was pretty much standard practice then -- and, at that time, nobody deserved it more than Microsoft.

Comment Re:How sad (Score 2) 132

Apparently, you missed the news from a while ago about Microsoft releasing the CLR under a free software license. Check it out.

I've been a Slashdot reader since back when it was called Chips & Dips. Back then, Microsoft deserved the M$ appellation. Today, not so much. They're cooperating a lot more with the libre software community. Now, you can either shake your fist at them and scream how they'll never be forgiven for their sins... or you can smile, extend a hand, and welcome them to the party.

The world works better if more people choose the latter. And that applies to life in general, not just Microsoft. :)

Comment Re:Other reasons (Score 1) 306

No, it wasn't like that. After graduating with a CS degree in 1998, the job offer I was planning on taking paid $25K -- or $36K in today's 2015 dollars. I wasn't happy about it, but I was happy to have an offer. At the last minute another offer came through at $35K ($50K in today's dollars), and I was the envy of that year's CS grads for getting the largest job offer. Literally no one received this "started at $40,000" business you're talking about.

Comment Re:Security is a process - not a tool (Score 1) 203

Well, in the interests of honesty I have to say the matter in '98 with the shotgun was a lot more of a chaotic mess than I made it out to be. Whenever the fecal matter strikes the rotating metal blade, there's always a whole lot more confusion than the neat after-action writeups indicate.

The incident involving the courthouse, I actually don't recall what I was carrying -- either a Glock or an FN FNP-9.

Beyond that, yes, it's factual. :)

I've never much trusted the language of patriotism or civic duty. Too often they get hijacked by scoundrels to justify their skulduggery. I like to think of it this way: I like my home, I like my neighborhood, I like my neighbors. That gives me a pretty good motivation to give a damn about them. That, to me, is all that civic virtue really is: giving a damn about the people around you.

I recommend it to everyone. Life's better if we give a damn about the people around us. :)

Comment Re:Compared to guns... (Score 1) 203

Speaking as someone who has purchased many firearms at gun shows: no commercial firearms dealer has ever sold me anything without requiring an ATF Form 4473, whatever the local equivalent state and/or municipal paperwork is, and a NICS check. No private individual has ever sold me anything without requiring a photo ID and a copy of my concealed carry permit, which guarantees that I'm not prohibited from purchasing arms.

The idea that gun shows are hotbeds of background check-free shopping is completely wrong. According to the FBI, few criminals obtain their firearms at gun shows. I suspect the reason is just simple pragmatism: there are too many cops at gun shows and too many civic-minded people who will tell the cops if they hear someone's looking for a no-paperwork sale. Then the cops get involved, ask who you are, run your ID, discover you've got a felony conviction, and *bam*, you're now under arrest.

If I was a criminal and I wanted to obtain a firearm, I'd do what the guy who stole my SIG P220 did. I left the shooting range, placed my range bag in my trunk, realized I'd left a box of ammunition inside, locked my vehicle, walked back inside, picked up the ammunition, walked outside, and discovered my hatchback's rear window had been shattered and some asshole was already fifty meters away running down the street with my range bag over my shoulder and a tire iron in his hand...

Comment Re:Security is a process - not a tool (Score 1) 203

When was the last time you actually saw someone grab a gun and go be a "first responder" to a crime? You haven't.

You seem to believe this doesn't happen. It does. I know because I was the guy with a gun.

In August 1998 a young man was getting beaten to death in my apartment's parking lot. (Whether it was their intent to kill him, I don't know. What I do know is that beating someone with a tire iron is lethal force.) One of my neighbors called 911. I went out with a 12-gauge loaded with deer slug and suggested they leave him alone. They stopped beating him. When the deputy sheriff arrived a few minutes later this young man was in bad shape, but was still alive. He's alive because I had a shotgun.

In 2006 a younger friend of mine who had been the victim of a violent rape ten years before received word that her attacker was being released from prison. The prison psychologist contacted my friend to let her know this rapist was still obsessed with her. He had a three-day window between the time he was released and the time he registered his new domicile with a local county sheriff -- three days during which my friend was intensely vulnerable. The police said they'd send a car past her place twice each shift. That was no comfort at all. But when several of her (armed and trained) friends took shifts in her home with a shotgun, she was able to rest well. (And each day she woke up to a hearty plate of eggs, bacon, toast, and a cup of hot Jamaican Blue Mountain.)

A couple of years ago a friend of mine had to testify at a trial and was afraid to walk to the courthouse for fear the defendant's friends would waylay her. She shared her fears with me. I shrugged, holstered a Glock, and walked her to the courthouse. I didn't go inside (since that would've been a violation of the law), but I handed her off to a sheriff's deputy who took her the rest of the way to the courtroom. She felt safe the entire way.

You seem to believe guns are the problem. Guns are not the problem. Guns in the hands of the irresponsible, the untrained, and the immature... now there's a problem for you, an enormous one, and one I don't have a good answer for.

But a rifle, a shotgun, or a handgun, in the hands of a responsible, mature individual who's been trained in their use and the legal statutes pertaining to violence... we genuinely are the first responders the original poster talked about. And our business is violence *prevention*, not violence. Our presence deters violence. I like that, I like that a lot.

I've got no desire to shoot anyone. Killing is a messy, disgusting business and I recommend everyone avoid it. A gunshot will involve years of nightmares, torturous soul-searching, civil lawsuits, the deceased's friends and family wanting vengeance, and every other damned thing imaginable... and that's for a 100% justified kill. There is literally no upside in shooting someone.

But preventing bad things from happening to people? I have to say... that's kind of cool. I like that. A lot.
