
Comment Re:Patched on 7/28 (CentOS) (Score 3, Informative) 61 61

FWIW, it seems CentOS 6 was not updated (though there is an SRPM from RHEL for it).
CentOS 5 and 7 both have the update. Example mirror:
http://mirror.atlanticmetro.ne...
http://mirror.atlanticmetro.ne...
http://mirror.atlanticmetro.ne...

I also checked the mirror status: http://mirror-status.centos.or...
And checked one that was JUST updated: http://mirror.millry.co/CentOS...
No update!!!

RHEL page on their 6.x update: https://rhn.redhat.com/errata/...

Comment Re:I don't want to be a cynic.. (Score 1) 59 59

Do you honestly think that he or his parents made a big deal about the race of the donor?

From the second link:

And, of course, the hands had to fit. Based on Zion’s needs, doctors estimated that only about 15 donors per year might meet his age, gender, skin color, and size needs.

While I don't like the tone of "honkey hands" or much of anything about that poster, apparently they did take that into account when waiting for an appropriate donor. They also evaluated him for 18 months before concluding they would go forward with this, so they apparently took whatever time was needed. I suspect (but have no idea) that there are fewer risks if the gender and race match, much as I would imagine that a matching blood type would be beneficial. On size, they allowed for +/- 20% of what they considered to be ideal.

Comment Re:settled cannon for about a decade now (Score 1) 81 81

They get no benefit from enabling or pushing a migration to Linux unless they can steal customers from nVidia/Intel that way, which seems highly unlikely.

I get the sentiment of this, but there are several scenarios where pushing people to Linux (and getting existing Linux users) would benefit them. First that comes to my mind is that users that build systems from scratch at home overlap quite a bit with Linux users, and most of those users go for best bang for the buck, which has traditionally been AMD. You can also get more enterprise-level features from AMD in consumer level cpus (ex. ECC memory support; ex. latest features (sata, usb3, etc) come to AMD motherboards first - at least traditionally). Take into account the cpu distribution in dell/hp/etc systems, which is almost all intel, and I think it makes sense to make sure their market share where they are strongest stays strong.
As you implied though, there's plenty of reason to focus on the wintel market at all costs.

Comment Re:No Compromises (Score 1) 151 151

There really aren't any NFC capable stores anywhere, and the only one I know of requires you to show a physical ID, which defeats the purpose, as it's less hassle using a card.

IMO, the marketing for NFC was completely botched. There are so many people that keep hearing "convenience" being associated with it, and anyone with half a brain can tell that is bullshit. I have to get my phone out, unlock it (hopefully nfc doesn't bypass that), possibly enable nfc (it chews battery and is a possible security risk to keep on 100% of the time), swipe it, probably click something on my phone then, then lock my phone again and put it back. Versus a magswipe credit card, where I take it out (possibly out of the card slot in my phone wallet, or out of my wallet, or just out of my pocket), swipe, sign, put it away. The magswipe is also lighter, replaceable, and very cheap.

IE. the NFC conversation should avoid the "convenience" topic, not make it the focus (unless they're trying to kill it).

NFC has some very very very strong benefits over magstripe. Some implementations are better than others, and there are some trade offs (ex. apple pay versus the way google wallet did it versus chip-and-pin versus chip-and-signature). Finding out how these are implemented is difficult** and confusing. It should be the front and center selling point.

Examples of the "convenient/easy" push:

https://www.google.com/wallet/ : "An easier way to pay. Google Wallet makes it easy to pay - in stores, online or to anyone in the US with a Gmail address. It works with any debit or credit card, on every mobile carrier".

http://www.apple.com/apple-pay... : "Your wallet. Without the wallet. Paying in stores or within apps has never been easier. Gone are the days of searching for your wallet. The wasted moments finding the right card."

Come the fuck on. I've never had a problem finding my credit cards, and those "wasted moments" are less time than it takes me to unlock my phone. Even if the phone was faster somehow, it's just a minute amount of time that it's not the thing I need to be faster. It takes far longer for them to run the number (do the transaction). At restaurants (my most frequent use), I get a check and have plenty of time to ready my card before the waiter comes back, and then plenty more time before it's run. Finding my card is not the problem.

** yes, you can find the info, and a lmgtfy.com link won't surprise me, but it's not obvious or clear and no one is making it readily apparent when marketing their digital wallets. They just keep saying they are so convenient and easy.

Comment Re: Scripts that interact with passwords fields aw (Score 1) 365 365

Keepass is also (correct me if I'm wrong: I'd love to hear there is another) the only password manager I know of which is fully cross platform.

I like keepass, especially since there are so many ports of it to so many platforms. However, if someone is looking for something more akin to lastpass, here's a few open source ones:

https://clipperz.is/ - clipperz seems most similar IMO. It's open source and all in the browser via javascript, though signup and site design are a little wonky.

http://www.fpx.de/fp/Software/... - Password Gorilla (also on github: https://github.com/zdia/gorill...). It's also open source, but it's a TCL/TK application. I'm not sure what their android status is (there is some info on their site regarding use of HECL to port the TCL parts to android, but I don't know the status).

https://www.passpack.com/ - Passpack works on chrome, firefox, ie, and safari. It's similar to lastpass in many ways. It's not fully open source, but they did open source a bunch of the libraries they use/made (aes/rijndael, xxtea, json2, sha-256 in js, etc: https://code.google.com/p/pass... ).

https://www.passlet.com/ - passlet. The SSL cert for that site expired in 2010, so I don't think I'd use this, but it is cross platform and built according to the host-proof-hosting concepts. They open sourced their PBKDF2 methods: http://anandam.name/pbkdf2/

http://aaronboodman.com/halfno... - halfnote is just a notepad, but it's encrypted in browser, and it's open source (https://code.google.com/p/halfnote/)

All that said, I'd probably stick with keepass and/or lastpass.

Comment Re:Can email service providers do more? (Score 1) 58 58

These modifications that would affect message signatures happen in many places.

I was having a hell of a time picturing someone manually inserting malicious headers into emails via MITM attacks...

FYI, S/MIME signatures do NOT sign the email headers. For example, you can alter the "Subject" header of a valid signed message you got from somewhere else, then bounce it off to a different recipient (ie. send as if from that same person), and the recipient will see a valid signature on the message with an altered subject line. The signature is on the message body only (more specifically, it's on a mime part and everything below that, so you can forward a signed message, add your message in a new part above it, and sign the combined message with your cert while the forwarded message will retain the original and valid sig).

Here's an example of an MS Exchange bug: https://premier.microsoft.com/...

Issue Definition: Edge Transport Server mangles S/MIME encrypted payloads

That one affected their IMAP adapter. Viewing the message in MS Outlook via the Exchange protocol, the signature was valid. Viewing the same message in MS Outlook (same client) via the IMAP protocol showed an invalid signature. Their description is flawed.. it was not related to encryption, but just a message signature, which was also unrelated, as it's really just a means to detect the alteration of the message.

You won't be able to view that bug unless you have a premier account with microsoft, but if you search for it via google you'll find a little more info (mostly an email I sent to the alpine list).

This was not the only issue like this. Prior to this, similar symptoms were seen, but it was then solved by adding "SkipDigitalSignedMessageFromAttachmentFilterAgent" key to the edgetransport exchange config.

Note, these two examples don't even have anything to do with systems in transit. It's just the last hop delivery to the user, and the problem is seen via MS clients to MS servers (and also seen from other clients).

Your example of an email account that gets loads of email, especially phishing emails, and you've never seen any altered messages... how would you know? How many of those have S/MIME signatures? I've never seen a single spam/phishing email that had a valid S/MIME signature. Your example would have to be turned on its head to be valid... you'd have to be receiving a lot of legitimate and valid signed messages with no bad signature validations (or sending a LOT of signed messages, and never hearing anyone complain... but then that's quite subjective cause most people don't pay any attention to the warnings).

All it takes to ruin a cryptographic signature is adding an extra linefeed between a Text/PLAIN part and the corresponding Text/HTML part, and you'd never notice that if the message didn't have a crypto sig or you weren't checking it. IE. without a sig, you don't know that the messages you think are legit weren't tampered with (on purpose, or accidentally).

Comment Re:I don't think it's a ho-hum (Score 1) 256 256

I'm no fan of the "two party system", but a large part of the blame falls on the people and the constant repetition that this is a 2 party system, which reinforces the doubts/beliefs that keep people from going outside the party lines.

Right now, there are 2 independents in the US Senate (out of 100). It's not a lot; I'd like that number to be higher; But it is not a zero.

It was not long ago that there was a third party presidential candidate that jockeyed for the lead in the polls throughout the election (1992, Ross Perot). He led the polls in June (39%, versus 31% for bush, and 25% for clinton). He was on all 50 state ballots. He was in the debates. He ended up with 18.9% of the popular vote.

The disbelief that a 3rd party can win is what is harming the 3rd parties the most. The majority of people I talk to do not associate strongly with republican nor democrat, but consider voting independent or 3rd party as "throwing away their vote". That mind set must change. Grow some balls and check a different box. No other changes are needed, though there's lots of other changes that would be beneficial.

IMO, the arguments get quite muddy when shifting between a country wide perspective, and a presidential perspective. They are very different beasts (ex. there isn't a standard and widely broadcast debate for every office seat, but the presidential election has one - one which, IMO, needs some overhauling ever since the LWV stopped running it, and should allow any candidate to join as long as they get on the ballot in at least 50% of the states (or some other reasonable number)).

In short, we the people of the USA need to vote honestly. As it stands, we deserve the bipartisanship that we've put in place.

Comment Re:What? (Score 4, Informative) 14 14

There is a handy link in the summary. I was curious about the same thing you are, so I clicked it, and the first sentence explains it (which should have been included in the, otherwise clickbait, summary):

Nike and Apple have agreed to settle in a class action lawsuit alleging that the two sold the Nike FuelBand fitness tracker in spite of knowing that the device’s biometrics measurements were inaccurate.

Based on the wording in the summary, I expected it to be about the "tracking" part. I was guessing that the band doesn't actually log anything locally, so it can't be said to track anything on its own. I have no idea if that's the case or not.

Comment Re:Can email service providers do more? (Score 1) 58 58

Two AC's already mentioned GPG/PGP and google's End-to-end project, but there is a more standardized and widely available option: S/MIME signatures.

S/MIME sigs have (at least) one "problem"... they require a centralized certificate authority. However, you can get a personal S/MIME cert for free from several of the big CA's: http://kb.mozillazine.org/Gett...

That said, there are two HUGE problems with expecting this to solve the phishing problem:

1. Bad email doesn't look bad. You end up with:
a) email with a valid cryptographic signature (yay, that was definitely my boss)
b) email with an invalid signature (see item #2)
c) email without a signature (traditional email). You can't raise a big red flag on every one of these or 99% of your messages will have big red flags.

2. Messages frequently get tampered with in transit, causing the signatures to fail.
The primary purpose of cryptographic signatures is to prove that the content was not tampered with and is what that person wrote.
If the content changes, the email client MUST raise a big red flag. This shows up as MUCH WORSE than something without any sig at all.
This would be fine, except that lots of things jack with email along the way (spam filters, virus filters, attachment filters, 3rd party servers, exchange sucks, etc). Normally, those won't change things TOO significantly, but just one extra space character or newline between parts and the sig fails. It's very fragile, and since the message isn't some binary blob, servers take apart and re-assemble the message many times along its way.

The worst part about #2 is that it makes unsigned messages more reliable (in a way). I sign most of my messages, but if I'm sending something important, especially with attachments and to multiple people, I'm now prone to skip signing just to avoid having several important people get very worried about the big red exclamation point on a message saying my message may have been forged or tampered with.

IMO, S/MIME *should* be the solution (with GPG/PGP as a close second.... others will have those reversed), but we're better off moving to something else if we want that feature, especially now that webmail is so prevalent (ex. gmail)... webmail can't do S/MIME without some client side tie in, which makes it no longer "webmail".
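Added example, not code from either S/MIME comment above: a Python sketch of the two behaviours they describe, that the signature covers only the signed MIME part (so a rewritten Subject header goes unnoticed) and that a single stray blank line between the text/plain and text/html parts changes the bytes the signer hashed. The message, addresses and boundary names are constructed, the signature part is a placeholder, and the SHA-256 digest stands in for the message digest a real CMS signature commits to; real clients also canonicalize line endings to CRLF before hashing, which the sample already uses.

```python
"""Which edits to an S/MIME multipart/signed message change the signed bytes?"""
import hashlib
import re
from email import message_from_bytes


def signed_part(raw: bytes) -> bytes:
    """Return the exact bytes of the first body part, i.e. what the signer hashed."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    _headers, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    # The CRLF before a boundary line belongs to the delimiter, not to the part.
    pieces = (b"\r\n" + body).split(b"\r\n--" + boundary.encode("ascii"))
    if len(pieces) < 3:
        raise ValueError("expected a content part and a signature part")
    rest_of_delimiter_line = re.match(rb"[ \t]*\r\n", pieces[1])
    if rest_of_delimiter_line is None:
        raise ValueError("malformed boundary line")
    return pieces[1][rest_of_delimiter_line.end():]


def content_digest(raw: bytes) -> str:
    """SHA-256 over the signed part only; outer headers never enter the hash."""
    return hashlib.sha256(signed_part(raw)).hexdigest()


def classify_change(sent: bytes, received: bytes) -> str:
    """Say whether a difference between two copies touches the signed bytes."""
    if sent == received:
        return "identical"
    if content_digest(sent) == content_digest(received):
        return "outside signed part: signature still verifies"
    return "signed part altered: signature fails"


def sample(subject: str, extra_blank_line: bool = False) -> bytes:
    """Constructed test message; the signature part is a placeholder, not real CMS."""
    plain = ["--inner", "Content-Type: text/plain", "", "Pay invoice 17."]
    if extra_blank_line:
        plain.append("")  # one stray line added by a relay or filter
    lines = [
        "From: alice@example.test",
        "Subject: " + subject,
        'Content-Type: multipart/signed; micalg=sha-256; boundary="outer";'
        ' protocol="application/pkcs7-signature"',
        "",
        "--outer",
        'Content-Type: multipart/alternative; boundary="inner"',
        "",
        *plain,
        "--inner",
        "Content-Type: text/html",
        "",
        "<p>Pay invoice 17.</p>",
        "--inner--",
        "--outer",
        "Content-Type: application/pkcs7-signature",
        "",
        "(placeholder for the base64 signature)",
        "--outer--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    sent = sample("Q3 invoice")
    print(classify_change(sent, sample("URGENT: new bank details")))
    print(classify_change(sent, sample("Q3 invoice", extra_blank_line=True)))
```
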

Comment Re:I Use VLC to access all my security cams (Score 3, Insightful) 134 134

I Use VLC to access all my ONVIF-compliant security cams. Mostly Hikvision, but also many others. The only time I need ActiveX is if I am in the config, and want to play with the zones for motion detection. I do that from a VM or from the spouse's laptop. After initial setup, I never need it again.

I think the original question was poorly worded. Everyone is picking up on the s/DirectX/ActiveX/ part, and then most are giving a big WTF because most cams do (or can be configured to) output a VLC usable stream (MJPEG, h.263, etc). Maybe he really did have no clue about that, but if he used all those cams, he should be well aware that (almost) all of those will spit out a standard stream just fine.

I think your comment hints at what he's really asking for - an "OPEN" camera that doesn't require ActiveX at all, not even for setup/config. I think that's where it gets tough. I don't know why more of them aren't more open and hackable, though I know the argument will probably be "support", but the cheap ones get returned frequently enough as it is. Edging towards the slightly more expensive side (ex. Axis), it's more stable and has easily configured streams and pulls and pushes it can do, but I'm guessing they'll be keeping as much of that closed as they can cause that's its real selling point. A cheaper, truly open, and hackable version of an Axis would be pretty awesome IMO.

Comment Become mayor of a place on foursquare (Score 5, Interesting) 145 145

I don't use foursquare, but a friend was bragging about being mayor at a couple places. I commented that I could be mayor in a month or two. He ended up betting me I couldn't. I warned him that it was super easy and he would be stupid for making that bet, but he still did it. That night, shortly after a few drunken minutes trying to type my password, the first cron job started running...


#!/usr/bin/perl
# call it from cron with:
# perl foursquare_checkin <location_id> <latitude> <longitude> <your_login_email> <password>
# Ex: perl foursquare_checkin 2021944 40.676141 -73.983452 foo@bar.baz 12345
use MIME::Base64;
use IO::Socket;
my ($user,$pass) = @ARGV[3,4];
my $auth = MIME::Base64::encode("$user:$pass",'');
sleep(rand()*600); # so checkins are slightly random
my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
                                 Proto =>'tcp', Type=>SOCK_STREAM) or die;
$ARGV[1] += rand() * 0.0001 - 0.00005; # wobble location
$ARGV[2] += rand() * 0.0001 - 0.00005;
my $str = "vid=$ARGV[0]&private=0&geolat=$ARGV[1]&geolong=$ARGV[2]";
print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
    ." Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
    ."(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
    ."-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
    ."$auth\r\nContent-length: ", length($str)+2, "\r\n\r\n$str\r\n";
my $res = <$sock>;

And yes, I know that's ugly, and there's easier and cleaner ways, but it got the job done well enough to get me mayor of a few places and really pissed off the gambler before I turned it off for good. I have no idea if this still works (ie. lack of any form of message authenticity or handshake etc), but it wouldn't surprise me if it did... feel free becoming mayor of anywhere you want (you can even checkin to places across the country and back on a regular basis and they didn't catch it). But if it no longer works, don't ask me.

Comment Re:FSF was very non-specific, and probably wrong (Score 1) 171 171

AC's post should be modded up. In case it isn't, here it is:

Uh, yes they did. Read the follow-up piece linked from the post (https://www.fsf.org/blogs/licensing/more-about-the-app-store-gpl-enforcement), and it is specific that the issue is that Apple's Terms of Service add restrictions beyond the GPL. That is prohibited by the GPL; otherwise people could completely circumvent the GPL by adding their own license on top of it to take away all of the rights granted to you by the GPL.

Comment Re:If you're using GPL code, you have no choice (Score 5, Informative) 171 171

There is no "depends on how he's using it." If it doesn't have an LGPL interface header, you MUST release the code under GPL terms to use it.

(Sorry for the Clinton-esque answer) It depends on what you mean by "use". The problem with the original question is that there's not enough information to give a useful answer.. it's just fodder to get people talking with no real goal.

You can use GPL'd software all you want, modify and recompile to your heart's content, and you don't have to release jack shit - unless you then distribute that stuff, and then only if you distribute it together (you can distribute your patches on their own with any license you choose).

That said, it sounds likely that the choices that NicknamesAreStupid made regarding various sources to include may not be very good choices, and they may be incompatible with his goals. Since he specifically mentioned the GPL (and especially since he didn't say LGPL instead), these compatibility pages should help:
http://www.gnu.org/licenses/li...
http://www.gnu.org/licenses/gp...
http://www.gnu.org/licenses/gp...

The FSF (Free Software Foundation) comments on GPL works within the Apple App store are also quite relevant:
http://www.fsf.org/news/2010-0...
http://www.fsf.org/blogs/licen...
http://apple.stackexchange.com... (see 2nd answer)

Essentially, if you do not hold the copyright for the GPL'd work you are including in your iPhone App that you want to put on the Apple App Store, then you're SOL.... the App Store agreements are incompatible with that (GPL says, "You may not impose any further restrictions on the recipients' exercise of the rights granted herein", but the Mac App Store Terms of Service explicitly add other restrictions, such as "you may only install the software on five approved devices"). You might be able to get permission from the work's authors, but that permission would be to distribute said code under a non-GPL license (possibly 3 clause BSD?)

Comment Re:do I have to spell it out? (Score 1) 212 212

put the versioning file system on top of the distributed file system.

I suspect you only got modded down because of the other comments you made, but I came here to say the above, so I'm just replying to you instead.
You can also reverse that. Linux has great support for stacking block devices and file systems.

The real question then becomes, what's the best combo? I don't think you'll find one answer for that because there are so many ways to do it.

You should get your real requirements in place first, and be sure you don't include stuff that you don't actually need. For example, is client access via smb required, or is the requirement that they have access to a networked file system of some sort (ex. would webdav work), or is that not a requirement at all and they would be ok using a checkout/checkin style system or some other specific program to get/put data?

Even without those requirements, here's some items I'd suggest looking at:
* DRBD : Distributed Replicated Block Device. The docs aren't all that great, and it can be awkward to work with, but it's nice, low level, and just works for raw blocks, meaning you can stick whatever you want on it and easily have a HOT/COLD setup (hot HOT/HOT with version 8). It can work above or below LVM too.
* GlusterFS : This does file based mirroring, replication, striping, load balancing, failover, etc. One nice thing is that it can be slapped on top of an existing filesystem. The downside (IMO) is that it's file based. That means it's garbage for replicating databases (just as an example). That has its benefits though, and may fit your use case nicely. It's pretty easy to use, but has a LOT of features (including built in NFS, CIFS, and smb servers).
* git and the many git based things out there. There's a TON of stuff that falls into this category. This moves away from trying to make a filesystem do all the work, but it brings a LOT of features if you adopt one of these. The fact that every user has a full repo copy means you don't have to worry about the "server" and distribution much. YMMV and all that.
* subversion "autoversioning" with WebDAV. Mount it as WebDAV and all saves generate new revisions. You could easily layer this on DRBD or Gluster.
* Dropbox et al. : most of these things have a way to share files with a group, keep local copies in sync, and provide versions to some extent. Use OwnCloud if you want to do it yourself.
