Comment: Re:LOL! (Score 1) 97

by creimer (#49198319) Attached to: Anthem Blocking Federal Auditor From Doing Vulnerability Scans

But there's no way I'd let them in my doors either.

Pray that you never get a federal job. OPM conducted my background investigation for a security clearance. My two-hour routine interview turned into a four-hour nitpicking interview. Being single and staying in the same studio apartment for nearly ten years was considered odd. Working a weekday job and a weekend job for a year, and having multiple overlapping contract jobs for several years, was odder. Not being able to remember every detail of every job I had to take since the Great Recession was oddest. When asked if you're going to commit terrorist acts against the U.S.A., always tell the truth.

Comment: Re:Ciphersuite Negotiation (Score 1) 72

by Opportunist (#49192181) Attached to: FREAK Attack Threatens SSL Clients

Again, any algo considered secure today may be rendered useless by a discovery tomorrow. That's the nature of cryptography. Time and again we have seen that what we considered "unbreakable" (within reasonable time) offered some side channel attack or an implementation flaw (or worse, as in SSL3, a design flaw that CANNOT be patched) that turned it into a useless waste of computing cycles.

You cannot "promise" that whatever protocol, implementation or procedure you offer will be secure for the next X days/weeks/years with absolute certainty. Hell, given what went down within the last 12 months, anything could blow up tomorrow.

But until it does, it is secure. Security is a bit like a scientific theory. Sound and solid and true and real... until someone comes in and proves it wrong.

Comment: Re:Free roaming sounds nice... (Score 1) 62

by Opportunist (#49192121) Attached to: EU Free Data Roaming, Net Neutrality Plans In Jeopardy

Free roaming SOUNDS nice, but it's not really a good idea for the average person.

Face it: Telcos will want to retain their revenue. One way or another. And if roaming is cut, something has to pick up the slack.

And now ask yourself who would benefit from calls across Europe costing the same as domestic calls. Hint: It ain't gonna be you with your 2 weeks vacation abroad.

Comment: Re:Alternate Bank of Canada Press Release (Score 1) 221

by Opportunist (#49190355) Attached to: Star Trek Fans Told To Stop "Spocking" Canadian $5 Bill

People lie. People lie under oath. Why the fuck should the waiter care about the perjury? There is nobody who could prove him wrong. And it only increases his credibility because, hey, who'd imperil his liberty over something as trivial as just keeping his job?

You would neither be the first nor would you be the last innocent person behind bars because it would have inconvenienced someone to tell the truth.

Comment: Here's a suggestion for a verdict (Score 4, Interesting) 173

by Opportunist (#49190275) Attached to: Software Freedom Conservancy Funds GPL Suit Against VMWare

Anyone found in willful and deliberate violation of the GPL has shown that they have no interest in copyright or its protection. Hence they implicitly and irrevocably agree that they will not pursue anyone violating their copyright.

That should take care of this pretty quickly. You don't even have to look for GPL violations in products anymore; corporations will do that for you in the products of their competitors, hoping to kick them out of the market that way.

Comment: And this, kids, is why you configure your servers (Score 3, Insightful) 72

by Opportunist (#49176645) Attached to: FREAK Attack Threatens SSL Clients

Because clients are run by idiots. Sorry, but it's true.

Clients are run by people who look at the funny acronyms, and you can watch their eyes glaze over. If they know anything about it, they will know that there are keys and that these keys depend on how big the number next to them is. That there are symmetric and asymmetric keys, and that 512-bit can be a LOT if it's symmetric and insignificantly little if it's asymmetric, is already something you won't be able to teach them.

So configure your servers, people. Configure them to ONLY accept sensible ciphers. Yes, that means that people with Internet Explorer 5 might not be able to use your page. Then inform them to fucking get a browser that was made in this millennium! These people are a security risk and bluntly, if you want to do business with them, you do not want to do business with me.

Or at least I don't want to do business with you!
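As an added illustration of what "configure them to ONLY accept sensible ciphers" looks like in practice (this fragment is added here and is not from the comment or from Slashdot): an nginx TLS configuration with the permissive form commented out beside a hardened form that refuses the export-grade suites FREAK relies on. The specific cipher list is an assumed example, not something the page recommends.

```nginx
# Permissive (weak) form: the client may negotiate anything the server's
# OpenSSL build knows, including export-grade RSA suites that FREAK abuses.
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers ALL;

# Hardened form (assumed list, not the page's): modern protocols only,
# forward-secret AEAD suites, and explicit exclusion of export, NULL,
# anonymous, DES/3DES, RC4 and MD5 suites. The server's preference wins.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5';
```

Running `openssl ciphers -v '<the ssl_ciphers string>'` on the server shows exactly which suites that string resolves to on its OpenSSL build; OpenSSL 1.1.0 and later no longer ship the export suites at all, so the `!EXPORT` entry is there for older builds.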

Comment: Re:Ciphersuite Negotiation (Score 2) 72

by Opportunist (#49176589) Attached to: FREAK Attack Threatens SSL Clients

One set of algorithms, good for the lifetime of the device... hmm... you mean, like, say, SSLv3 until about 6 months ago? If we hadn't found POODLE, it would still meet all criteria for a good, secure algo for the foreseeable future. At the very least for the lifetime of any device built within the last year (until about 6 months ago, of course).

There is no such thing as "guaranteed to be secure for the lifetime of a device". All it takes is to find a fundamental flaw in the algorithm (like, well, POODLE) and what was supposedly bulletproof for the next few decades crumbles like a house of cards the next day.
