
Comment Re: Scripts that interact with passwords fields aw (Score 1) 349

Keepass is also (correct me if I'm wrong: I'd love to hear there is another) the only password manager I know of which is fully cross platform.

I like keepass, especially since there are so many ports of it to so many platforms. However, if someone is looking for something more akin to lastpass, here's a few open source ones:
- clipperz seems most similar IMO. It's open source and all in the browser via javascript, though signup and site design are a little wonky.
- Password Gorilla (also on github: It's also open source, but it's a TCL/TK application. I'm not sure what their android status is (there is some info on their site regarding use of HECL to port the TCL parts to android, but I don't know the status).
- Passpack works on chrome, firefox, ie, and safari. It's similar to lastpass in many ways. It's not fully open source, but they did open source a bunch of the libraries they use/made (aes/rijndael, xxtea, json2, sha-256 in js, etc: ).
- passlet. The SSL cert for that site expired in 2010, so I don't think I'd use this, but it is cross platform and built according to the host-proof-hosting concepts. They open sourced their PBKDF2 methods:
- halfnote is just a notepad, but it's encrypted in browser, and it's open source (

All that said, I'd probably stick with keepass and/or lastpass.

Comment Re:Can email service providers do more? (Score 1) 58

These modifications that would affect message signatures happen in many places.

I was having a hell of a time picturing someone manually inserting malicious headers into emails via MITM attacks...

FYI, S/MIME signatures do NOT sign the email headers. For example, you can alter the "Subject" header of a valid signed message you got from somewhere else, then bounce it off to a different recipient (ie. send as if from that same person), and the recipient will see a valid signature on the message with an altered subject line. The signature is on the message body only (more specifically, it's on a mime part and everything below that, so you can forward a signed message, add your message in a new part above it, and sign the combined message with your cert while the forwarded message will retain the original and valid sig).

Here's an example of an MS Exchange bug:

Issue Definition: Edge Transport Server mangles S/MIME encrypted payloads

That one affected their IMAP adapter. Viewing the message in MS Outlook via the Exchange protocol, the signature was valid. Viewing the same message in MS Outlook (same client) via the IMAP protocol showed an invalid signature. Their description is flawed... it was not related to encryption, but just a message signature, which was also unrelated, as it's really just a means to detect the alteration of the message.

You won't be able to view that bug unless you have a premier account with microsoft, but if you search for it via google you'll find a little more info (mostly an email I sent to the alpine list).

This was not the only issue like this. Prior to this, similar symptoms were seen, but it was then solved by adding "SkipDigitalSignedMessageFromAttachmentFilterAgent" key to the edgetransport exchange config.

Note, these two examples don't even have anything to do with systems in transit. It's just the last hop delivery to the user, and the problem is seen via MS clients to MS servers (and also seen from other clients).

Your example of an email account that gets loads of email, especially phishing emails, and you've never seen any altered messages... how would you know? How many of those have S/MIME signatures? I've never seen a single spam/phishing email that had a valid S/MIME signature. Your example would have to be turned on its head to be valid... you'd have to be receiving a lot of legitimate and valid signed messages with no bad signature validations (or sending a LOT of signed messages, and never hearing anyone complain... but then that's quite subjective cause most people don't pay any attention to the warnings).

All it takes to ruin a cryptographic signature is adding an extra linefeed between a Text/PLAIN part and the corresponding Text/HTML part, and you'd never notice that if the message didn't have a crypto sig or you weren't checking it. IE. without a sig, you don't know that the messages you think are legit weren't tampered with (on purpose, or accidentally).

Comment Re:I don't think it's a ho-hum (Score 1) 246

I'm no fan of the "two party system", but a large part of the blame falls on the people and the constant repetition that this is a 2 party system, which reinforces the doubts/beliefs that keep people from going outside the party lines.

Right now, there are 2 independents in the US Senate (out of 100). It's not a lot; I'd like that number to be higher; but it is not zero.

It was not long ago that there was a third party presidential candidate that jockeyed for the lead in the polls throughout the election (1992, Ross Perot). He led the polls in June (39%, versus 31% for Bush, and 25% for Clinton). He was on all 50 state ballots. He was in the debates. He ended up with 18.9% of the popular vote.

The disbelief that a 3rd party can win is what is harming the 3rd parties the most. The majority of people I talk to do not associate strongly with Republican nor Democrat, but consider voting independent or 3rd party as "throwing away their vote". That mindset must change. Grow some balls and check a different box. No other changes are needed, though there's lots of other changes that would be beneficial.

IMO, the arguments get quite muddy when shifting between a country wide perspective, and a presidential perspective. They are very different beasts (ex. there isn't a standard and widely broadcast debate for every office seat, but the presidential election has one - one which, IMO, needs some overhauling ever since the LWV stopped running it, and should allow any candidate to join as long as they get on the ballot in at least 50% of the states (or some other reasonable number)).

In short, we the people of the USA need to vote honestly. As it stands, we deserve the bipartisanship that we've put in place.

Comment Re:What? (Score 4, Informative) 13

There is a handy link in the summary. I was curious about the same thing you are, so I clicked it, and the first sentence explains it (which should have been included in the, otherwise clickbait, summary):

Nike and Apple have agreed to settle in a class action lawsuit alleging that the two sold the Nike FuelBand fitness tracker in spite of knowing that the device’s biometrics measurements were inaccurate.

Based on the wording in the summary, I expected it to be about the "tracking" part. I was guessing that the band doesn't actually log any thing locally, so it can't be said to track anything on its own. I have no idea if that's the case or not.

Comment Re:Can email service providers do more? (Score 1) 58

Two AC's already mentioned GPG/PGP and google's End-to-end project, but there is a more standardized and widely available option: S/MIME signatures.

S/MIME sigs have (at least) one "problem"... they require a centralized certificate authority. However, you can get a personal S/MIME cert for free from several of the big CA's:

That said, there are two HUGE problems with expecting this to solve the phishing problem:

1. Bad email doesn't look bad. You end up with:
a) email with a valid cryptographic signature (yay, that was definitely my boss)
b) email with an invalid signature (see item #2)
c) email without a signature (traditional email). You can't raise a big red flag on every one of these or 99% of your messages will have big red flags.

2. Messages frequently get tampered with in transit, causing the signatures to fail.
The primary purpose of cryptographic signatures is to prove that the content was not tampered with and is what that person wrote.
If the content changes, the email client MUST raise a big red flag. This shows up as MUCH WORSE than something without any sig at all.
This would be fine, except that lots of things jack with email along the way (spam filters, virus filters, attachment filters, 3rd party servers, exchange sucks, etc). Normally, those won't change things TOO significantly, but just one extra space character or newline between parts and the sig fails. It's very fragile, and since the message isn't some binary blob, servers take apart and re-assemble the message many times along its way.

The worst part about #2 is that it makes unsigned messages more reliable (in a way). I sign most of my messages, but if I'm sending something important, especially with attachments and to multiple people, I'm now prone to skip signing just to avoid having several important people get very worried about the big red exclamation point on a message saying my message may have been forged or tampered with.

IMO, S/MIME *should* be the solution (with GPG/PGP as a close second.... others will have those reversed), but we're better off moving to something else if we want that feature, especially now that webmail is so prevalent (ex. gmail)... webmail can't do S/MIME without some client side tie in, which makes it no longer "webmail".
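An added illustration of the two signature behaviours described in this reply and in the earlier "Can email service providers do more?" reply (outer headers are outside the signed part; one stray linefeed between the text/plain and text/html parts breaks verification). This is not code from the original posts: a SHA-256 digest of the canonicalised signed part stands in for the CMS signature blob, and the message, addresses and boundaries are constructed.

```python
import hashlib

# Constructed sample: the protected content of a multipart/signed message is a
# multipart/alternative entity (text/plain + text/html). A bare SHA-256 digest
# of the canonicalised part stands in for the real CMS SignedData blob (an
# assumption for illustration); what is and is not covered stays the same.
SIGNED_PART = (
    'Content-Type: multipart/alternative; boundary="alt"\r\n'
    "\r\n"
    "--alt\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please approve the wire transfer.\r\n"
    "--alt\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Please approve the wire transfer.</p>\r\n"
    "--alt--\r\n"
)


def canonical(part: str) -> bytes:
    # S/MIME digests the signed entity with CRLF line endings, so a body that
    # arrives with bare LF still digests the same; any other edit does not.
    return part.replace("\r\n", "\n").replace("\n", "\r\n").encode("ascii")


def sign(part: str) -> str:
    return hashlib.sha256(canonical(part)).hexdigest()


def build_message(subject: str, part: str, sig: str) -> str:
    # From/To/Subject sit above the multipart/signed body: never signed.
    return (
        f"From: boss@example.com\r\nTo: you@example.com\r\nSubject: {subject}\r\n"
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
        ' micalg=sha-256; boundary="sig"\r\n\r\n'
        "--sig\r\n" + part + "--sig\r\n"
        'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n\r\n'
        + sig + "\r\n--sig--\r\n"
    )


def verify(message: str) -> bool:
    # Recover the signed part and the detached signature from the outer body
    # and recompute the digest over the part exactly as it was received.
    body = message.split("\r\n\r\n", 1)[1]
    _, signed_part, sig_part = body.split("--sig\r\n")
    signature = sig_part.split("\r\n\r\n", 1)[1].split("\r\n--sig--")[0]
    return sign(signed_part) == signature


ORIGINAL_SIG = sign(SIGNED_PART)
original = build_message("Q3 numbers", SIGNED_PART, ORIGINAL_SIG)

# 1. Replay with a rewritten Subject: headers are outside the signed part, so
#    the altered message still carries a valid signature.
resubjected = build_message("URGENT: approve today", SIGNED_PART, ORIGINAL_SIG)

# 2. One extra blank line between the text/plain and text/html parts, the kind
#    of change a filtering hop makes in transit: the digest no longer matches.
damaged_part = SIGNED_PART.replace(
    "--alt\r\nContent-Type: text/html", "\r\n--alt\r\nContent-Type: text/html"
)
damaged = build_message("Q3 numbers", damaged_part, ORIGINAL_SIG)


def results() -> dict:
    return {
        "original": verify(original),
        "resubjected": verify(resubjected),
        "damaged": verify(damaged),
    }
```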

Comment Re:I Use VLC to access all my security cams (Score 3, Insightful) 133

I Use VLC to access all my ONVIF-compliant security cams. Mostly Hikvision, but also many others. The only time I need ActiveX is if I am in the config, and want to play with the zones for motion detection. I do that from a VM or from the spouse's laptop. After initial setup, I never need it again.

I think the original question was poorly worded. Everyone is picking up on the s/DirectX/ActiveX/ part, and then most are giving a big WTF because most cams do (or can be configured to) output a VLC usable stream (MJPEG, h.263, etc). Maybe he really did have no clue about that, but if he used all those cams, he should be well aware that (almost) all of those will spit out a standard stream just fine.

I think your comment hints at what he's really asking for - an "OPEN" camera that doesn't require ActiveX at all, not even for setup/config. I think that's where it gets tough. I don't know why more of them aren't more open and hackable, though I know the argument will probably be "support", but the cheap ones get returned frequently enough as it is. Edging towards the slightly more expensive side (ex. Axis), it's more stable and has easily configured streams and pulls and pushes it can do, but I'm guessing they'll be keeping as much of that closed as they can cause that's its real selling point. A cheaper, truly open, and hackable version of an Axis would be pretty awesome IMO.

Comment Become mayor of a place on foursquare (Score 5, Interesting) 145

I don't use foursquare, but a friend was bragging about being mayor at a couple places. I commented that I could be mayor in a month or two. He ended up betting me I couldn't. I warned him that it was super easy and he would be stupid for making that bet, but he still did it. That night, shortly after a few drunken minutes trying to type my password, the first cron job started running...

# call it from cron with:
# perl foursquare_checkin <location_id> <latitude> <longitude> <your_login_email> <password>
# Ex: perl foursquare_checkin 2021944 40.676141 -73.983452 foo@bar.baz 12345
use MIME::Base64;
use IO::Socket;
my ($user,$pass) = @ARGV[3,4];
my $auth = MIME::Base64::encode("$user:$pass",''); # HTTP Basic credentials
sleep(rand()*600); # so checkins are slightly random
my $sock = IO::Socket::INET->new(PeerAddr=>'', PeerPort=>80,
                                 Proto =>'tcp', Type=>SOCK_STREAM) or die;
$ARGV[1] += rand() * 0.0001 - 0.00005; # wobble location
$ARGV[2] += rand() * 0.0001 - 0.00005;
my $str = "vid=$ARGV[0]&private=0&geolat=$ARGV[1]&geolong=$ARGV[2]";
print $sock "POST /v1/checkin HTTP/1.1\r\nHost:\r\nUser-Agent:"
  ." Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
  ."(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent"
  ."-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic "
  ."$auth\r\nContent-length: ", length($str)+2, "\r\n\r\n$str\r\n";
my $res = <$sock>; # first line of the response

And yes, I know that's ugly, and there's easier and cleaner ways, but it got the job done well enough to get me mayor of a few places and really pissed off the gambler before I turned it off for good. I have no idea if this still works (ie. lack of any form of message authenticity or handshake etc), but it wouldn't surprise me if it did... feel free to become mayor of anywhere you want (you can even checkin to places across the country and back on a regular basis and they didn't catch it). But if it no longer works, don't ask me.

Comment Re:FSF was very non-specific, and probably wrong (Score 1) 171

AC's post should be modded up. In case it isn't, here it is:

Uh, yes they did. Read the follow-up piece linked from the post (, and it is specific that the issue is that Apple's Terms of Service add restrictions beyond the GPL. That is prohibited by the GPL; otherwise people could completely circumvent the GPL by adding their own license on top of it to take away all of the rights granted to you by the GPL.

Comment Re:If you're using GPL code, you have no choice (Score 5, Informative) 171

There is no "depends on how he's using it." If it doesn't have an LGPL interface header, you MUST release the code under GPL terms to use it.

(Sorry for the Clinton-esque answer) It depends on what you mean by "use". The problem with the original question is that there's not enough information to give a useful answer... it's just fodder to get people talking with no real goal.

You can use GPL'd software all you want, modify and recompile to your heart's content, and you don't have to release jack shit - unless you then distribute that stuff, and then only if you distribute it together (you can distribute your patches on their own with any license you choose).

That said, it sounds likely that the choices that NicknamesAreStupid made regarding various sources to include may not be very good choices, and they may be incompatible with his goals. Since he specifically mentioned the GPL (and especially since he didn't say LGPL instead), these compatibility pages should help:

The FSF (Free Software Foundation) comments on GPL works within the Apple App store is also quite relevant: (see 2nd answer)

Essentially, if you do not hold the copyright for the GPL'd work you are including in your iPhone App that you want to put on the Apple App Store, then you're SOL.... the App Store agreements are incompatible with that (GPL says, "You may not impose any further restrictions on the recipients' exercise of the rights granted herein", but the Mac App Store Terms of Service explicitly add other restrictions, such as "you may only install the software on five approved devices"). You might be able to get permission from the work's authors, but that permission would be to distribute said code under a non-GPL license (possibly 3 clause BSD?)

Comment Re:do I have to spell it out? (Score 1) 212

put the versioning file system on top of the distributed file system.

I suspect you only got modded down because of the other comments you made, but I came here to say the above, so I'm just replying to you instead.
You can also reverse that. Linux has great support for stacking block devices and file systems.

The real question then becomes, what's the best combo? I don't think you'll find one answer for that because there are so many ways to do it.

You should get your real requirements in place first, and be sure you don't include stuff that you don't actually need. For example, is client access via smb required, or is the requirement that they have access to a networked file system of some sort (ex. would webdav work), or is that not a requirement at all and they would be ok using a checkout/checkin style system or some other specific program to get/put data?

Even without those requirements, here's some items I'd suggest looking at:
* DRBD : Distributed Replicated Block Device. The docs aren't all that great, and it can be awkward to work with, but it's nice, low level, and just works for raw blocks, meaning you can stick whatever you want on it and easily have a HOT/COLD setup (or HOT/HOT with version 8). It can work above or below LVM too.
* GlusterFS : This does file based mirroring, replication, striping, load balancing, failover, etc. One nice thing is that it can be slapped on top of an existing filesystem. The downside (IMO) is that it's file based. That means it's garbage for replicating databases (just as an example). That has its benefits though, and may fit your use case nicely. It's pretty easy to use, but has a LOT of features (including built in NFS, CIFS, and smb servers).
* git and the many git based things out there. There's a TON of stuff that falls into this category. This moves away from trying to make a filesystem do all the work, but it brings a LOT of features if you adopt one of these. The fact that every user has a full repo copy means you don't have to worry about the "server" and distribution much. YMMV and all that.
* subversion "autoversioning" with WebDAV. Mount it as WebDAV and all saves generate new revisions. You could easily layer this on DRBD or Gluster.
* Dropbox et al. : most of these things have a way to share files with a group, keep local copies in sync, and provide versions to some extent. Use OwnCloud if you want to do it yourself.

Comment Re:But Google Code? (Score 1) 44

Most of the comments here are in this vein, and that was my first thought as well, and I doubt I'll trust them to host jack for me.

That said, they're a big company; they try stuff out and see if it works; when something doesn't "work", they get rid of it... how do they go about revisiting a topic with a different (and possibly much better) approach without drawing these kinds of reactions? All I really mean is, I don't want them to stop trying... if they do get it "right", that could be great.

To answer my own question though... they could start by not shuttering perfectly functional projects unless really necessary; build a replacement (with an easy way to move to it) before shutting it down; and/or spin off those things more cleanly to someone else, or open source them.

Comment Re:Arrest (Score 2) 333

What's illegal about protesting illegal government actions? Uber is ILLEGAL in France but they continue to operate! Do you understand the concept of "protest"? The idle rich like you are SUPPOSED to be inconvenienced, it is the INTENTION that you get annoyed.

You almost sound like you're arguing with yourself...

person A) What's illegal about protesting illegal government actions?
person B) Uber is ILLEGAL in France but they continue to operate!
person A) Do you understand the concept of "protest"?

I know that doesn't totally make sense, but neither does citing the "protest" of illegal government actions while simultaneously lambasting Uber's continued operation simply because it's ILLEGAL. What the taxis are doing isn't really protest either - they're blocking public services, which is more like a hostage situation, blackmail, or extortion.

Personally, I can't pick a side in this debate. Both seem wrong to me as exaggerated ends of the spectrum...

UBER: it breaks a lot of the significant and good strides that were made within the various taxi systems (though that's city-specific). For example, in NYC, if you get in a taxi, the driver is required to take you wherever you want to go - even out of state. They're not allowed to kick you out. If they do, be sure to take down their badge number (which is required to be displayed prominently) and/or license plate, and report them... none of them want to get in trouble at all because it would risk losing the medallion. There's lots of other (good for the people) rules that go along with being licensed correctly. The service may be doing ok, but discrimination is actually one of its features (whether or not that gets abused).

TAXI: WTF medallion prices and artificial rarity! The exclusive club that was created can go fuck itself. Services like Uber can't comply if they wanted to.

Somewhere in the middle is where things need to be (IMO), but I have no clue how that can be accomplished. Maybe if licensed taxi services could use uber without charge (or very low charge), and they got a special badge or something within uber so one could search for official taxis if they so chose, then it'd help level the playing field (IE. allow people to choose to pick a driver that probably lacks proper insurance, licensing, etc, but also allow people to find those that do carry those credentials).

Comment Re:Why now and not at release time. (Score 5, Informative) 193

Of course it's a bid for profit, whether immediate or long term. Why they thought it'd give them more profit has a bunch of reasons too, which may or may not pan out.
* make people buy the new console for the new games - check, though that may not have got as much market as they hoped
* hidden feature to later steal market share (ps4 lacks backward compat... which, IMO, is dumb... xbox can enable it easier due to less significant architecture changes).
* As said below, this is NOT enabling all games to work. It doesn't even use your old game - it just uses it to verify you have it so it can get you a digital copy of the xbone version. This is not backward compat in any way - it's a port they'll give you for free, and only for ones where all the red tape is cleared and they have a copy (ie. AAA titles could refuse to port to force repurchase; small titles may not have the means; etc).

AFAICT, this is smart, though misleading, marketing, and nothing more.

Comment Re:That's fine and all (Score 2) 204

Except no Wifi.... but that's normal for the surface 3 on Windows 8.1. Last update borked wifi hard and I had to wipe my surface to defaults to get it back.

Except that the very link that "mystuff" provided shows that WiFi DOES work under ubuntu 14.04 on the Surface Pro 3. Where'd you get your info? Seems you just need to copy the wifi firmware into place, which is trivial (use a thumb drive). The hardest part seems to be getting the windows partition resized (forcing system files to move by using PerfectDisk).
