
Comment: Re:meanwhile (Score 1) 342

by xelah (#49290165) Attached to: UK Chancellor Confirms Introduction of 'Google Tax'

To back this up, here's a paper on the effect of corporate taxes on wages: http://www.sbs.ox.ac.uk/ideas-...

It says that a $1 increase in corporate taxes reduces the wage bill by $0.75.

However, exactly where the taxes fall is quite opaque and estimates vary a lot. That's one reason politicians can't/won't get rid of the taxes: everybody thinks someone else pays them.

Comment: Re:It's a vast field.... (Score 1) 809

by xelah (#49055857) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

You can encrypt with two public keys, and for decryption send it off to your two key-holding machines in turn.

Or you can go one step further and encrypt the card number with two one-time pads, store the encrypted card number and encrypted one time pads, and do the decryption by sending the pads off to be decrypted by the separately-controlled systems. Then the key-holding machines don't have access to any card data themselves.

PCI DSS even requires that no one person can have a 'key component' which gives them any knowledge of the full key. So you can't just split a key into two halves, even if you could do the decryption. I can't help thinking that whoever wrote it really wanted to write 'just by an HSM'.
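The two-pad scheme described in the comment above, as an added sketch that is not part of the original comment. `KeyHolder`, `encrypt_pan` and `decrypt_pan` are hypothetical names, the card number is a constructed test value, and the textbook RSA over small Mersenne primes is only a standard-library stand-in for a real public-key scheme such as RSA-OAEP.

```python
import secrets

E = 65537  # public exponent shared by both toy key pairs

class KeyHolder:
    """One separately controlled machine; it only ever sees a pad, never card data."""
    def __init__(self, p, q):
        # Toy textbook RSA from small Mersenne primes: a stand-in, NOT secure.
        self.n = p * q                                # public modulus
        self._d = pow(E, -1, (p - 1) * (q - 1))       # private exponent
        self.log = []                                 # audit trail of unwrap requests

    def unwrap(self, wrapped_pad, size):
        self.log.append(wrapped_pad)
        return pow(wrapped_pad, self._d, self.n).to_bytes(size, "big")

def xor(*parts):
    """XOR any number of equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out

def encrypt_pan(pan, pub_a, pub_b):
    """Payment path: the app server needs only the two public moduli."""
    data = pan.encode()
    pad_a = secrets.token_bytes(len(data))
    pad_b = secrets.token_bytes(len(data))
    return {
        "ct": xor(data, pad_a, pad_b),                          # stored card number
        "wrapped_a": pow(int.from_bytes(pad_a, "big"), E, pub_a),
        "wrapped_b": pow(int.from_bytes(pad_b, "big"), E, pub_b),
    }

def decrypt_pan(record, holder_a, holder_b):
    """Refund path: each holder unwraps its own pad; neither receives 'ct'."""
    size = len(record["ct"])
    pad_a = holder_a.unwrap(record["wrapped_a"], size)
    pad_b = holder_b.unwrap(record["wrapped_b"], size)
    return xor(record["ct"], pad_a, pad_b).decode()

# Two key holders with no shared key material (constructed toy parameters).
HOLDER_A = KeyHolder(2**127 - 1, 2**89 - 1)
HOLDER_B = KeyHolder(2**107 - 1, 2**61 - 1)
```

A stolen copy of the stored record yields nothing without a logged `unwrap` call on both holders, and one holder's pad alone leaves the card number masked by the other pad.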

Comment: Re:It's a vast field.... (Score 1) 809

by xelah (#49054055) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

Symmetrically encrypted credit cards, OK, I can see it, though it's far from a silver bullet.

Symmetrically encrypting credit card numbers is tough to do within the rules unless you have a hardware security module. Under PCI DSS, the complete key used for decryption is not allowed to be within the control of one person, including the sysadmin. So, you can't have the complete key on one machine because then the sysadmin can get it (except HSMs, which prevent even the administrator from getting at the keys). You can, however, have two physically separately controlled machines, with no overlapping access rights, and use keys in both.

Then, to reduce latency, load, failure risk, etc., you can have a public key on your server and use it for encrypting card numbers during payments, and use a much more expensive and complicated process for decrypting them when you need to make refunds.

If someone has hacked your database layer, they probably have your decryption keys from the app layer too.

That's one reason for the rule. The other is to stop someone (including a sysadmin) running off with the complete key - instead, they'd have to send the encrypted data through the online decryption process. Not only is that logged (and possibly limited), it may be something that you don't have access to if, say, you've stolen a backup or decommissioned disk.

Comment: Re:It's a vast field.... (Score 1) 809

by xelah (#49054039) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

For a software architect type of position you're going to need a good overview of the techniques available for solving a business and technical problem. You don't need to know what commands to use, you certainly don't need to know the maths behind RSA, but not knowing of the existence of public key cryptography is not a good sign. It's not a difficult thing to know, it can occasionally allow you to think of design solutions you'd never have otherwise thought of, and is surely totally standard in a CS degree.

On its own maybe it's not a fatal flaw - it's never going to be hard to find a question you know the answer to but your interviewer doesn't and so it's an easy trap to overstate the importance of something like that. Probably someone else would think the same thing about never having heard of XA distributed transactions, or Spring, or sed or somesuch. And I don't think it's a good interview technique to fish for a very specific answer; better, I think, to pose a higher level technical or business problem and interactively sketch out design decisions.

But, still, someone making high level design decisions about software should be someone curious enough to want to know what it is once they've heard of it.

Comment: Re:Double Irish? TAX ALL FOREIGNERS!!! (Score 1) 825

by xelah (#48956773) Attached to: Obama Proposes One-Time Tax On $2 Trillion US Companies Hold Overseas

An American company can make a profit in Norway using Danish workers and pay it out to a shareholder in Brazil, and yet pay US taxes. Also, you might think that corporate taxes are paid by shareholders, but mostly they come out of wages. This paper comes to a figure of 75% out of wages: http://www.sbs.ox.ac.uk/ideas-... . Why should Danish workers and Brazilian shareholders pay US taxes on work done in Norway?

Defining 'profit', never mind 'profit in country x', is difficult and this is easy to abuse. It's not progressive (it doesn't depend on the income of whoever pays it) and is one of the easier taxes to avoid.

A better system would be to use your income tax system to tax the dividends received by your residents and scrap corporate taxes. It removes a whole layer of bureaucracy, avoidance and international tax competition. With a very small number of exceptions, most people will not emigrate to avoid tax in the way that companies do. And it's fairer: labour income is far more heavily taxed than other kinds and there should be some equalization (it should, of course, be combined with equalization with taxes on interest, capital gains and so on).

Comment: Re:Great (Score 1) 602

by xelah (#48521125) Attached to: UK Announces 'Google Tax'

Damn, I'm slightly out with the first number. It should be £12074. To spend 30k on an employee you make the official salary be £26362, you pay as the employer 13.8% (£3638) on employers' national insurance contributions, then the employee pays 12% employee's national insurance and 20% income tax (£8436) on that.

What's ridiculous is that the amount in your contract (26,362) isn't equal to any of the amounts of money involved. It's not what it costs the employer to pay you (30k), it's not what you receive.

Comment: Re:Great (Score 1) 602

by xelah (#48521099) Attached to: UK Announces 'Google Tax'

It doesn't have to be done that way, an alternative is to tax corporate profits entirely as personal income when they become dividends, and not tax them at the corporate level at all. Then it's much less ambiguous which country and rate applies.

Suppose a UK company has £30k it wants to pay to you and you're already in the standard tax bracket. The total tax paid can be:

  • As an employee: 13.8%, then 12% + 20% = £12415
  • As a lender or pensioner: 20% = £6000
  • As a shareholder (very small company, from profits, no avoidance): 20% then 10% = £8400
  • As a shareholder (big company, from profits, no avoidance): 21% then 10% = £8670
  • As a shareholder (big company, corporation tax completely avoided): 10% = £3000

See how it's employees who get screwed the most? And how much variation there can be between companies?

Instead of trying to make an impossible system work, I think it'd be better to charge about 30% on all (middle level) incomes (except maybe pensions) and scrap all the other taxes, including the corporate ones.

It's where we'll end up anyway if countries continue to compete on corporate tax rate.

Comment: Re:wont last (Score 1) 287

by xelah (#48432557) Attached to: Customers Creating Fake Amazon Pages To Get Cheap Electronics At Walmart

Because the objective of price matching policies is to convert a competitor's sale to your sale. If the competitor can't fulfill the order then you haven't lost a customer to them and don't need to price match.

Only partly. Traditionally, price matching was an anti-competitive measure to support prices. It says to your competitors 'don't bother trying to compete on price because we'll just match you and we'll both lose'.

Comment: Re:Obviously. Dinsaurogenic Global Warming (Score 1) 695

An increase in extreme weather, on the other hand, makes gardening and farming a whole lot harder. A frost or drought at the wrong time can completely destroy your crop. You can adapt to changing conditions by growing different crops, but only if you know what the weather is likely to be like. Otherwise your frost tolerant plants get killed by drought one year and then your drought tolerant plants get killed by floods the next.

Comment: Re:Are you patenting software? (Score 1) 224

by xelah (#48157405) Attached to: Ask Slashdot: Handling Patented IP In a Job Interview?

Indeed. I suspect that he couldn't sue them, because if he'd used his IP whilst working for them he'd be implicitly giving them a licence, but that it could still cause them problems because he could withdraw the licence when he feels like it.

The situation surely shouldn't be that much different to someone who'd patented something for a previous employer, just that your employer in this case was effectively your own small business. You can't use it in your new job, and you shouldn't try to sell your old employer's stuff to them because you're supposed to be doing your job only in the interests of your new employer.

Comment: Re:Awesome (Score 2) 283

by xelah (#48110623) Attached to: Tesla Announces Dual Motors, 'Autopilot' For the Model S

So, your living costs are something very approximating twice what the monthly car cost would be, and I presume you'd be paying it for something like 5 years. That gives you a choice between 1: accelerating very fast for a few tens of seconds per day, instead of rather slower and 2: having two and a half years off work (or retiring earlier) and doing something important to you instead.

There's nothing actually illogical about preferring the first. But I think it's reasonable to call it an extreme preference.

Comment: Re:This isn't scaremongering. (Score 1) 494

by xelah (#47927319) Attached to: Scotland's Independence Vote Could Shake Up Industry

The Royal Bank of Scotland is not Scottish? It is not clear who owns it, since it is publicly traded

Isn't RBS 64% owned by the UK government? I know it was 81% earlier this year, but I think UKFI sold some.

but I don't think they would close down their HQ in Edinburgh, just because Scotland is now an independent country.

They've said they will: http://www.heraldscotland.com/...

I honestly think the EU would be fully willing to integrate Scotland from day one.

I'm sure the EU will let Scotland in. I don't think that's really the question (I really wouldn't take those who say that Scotland will be blocked seriously) - it's more about what other countries will want in return, and whether other countries with secessionist movements will want it to do it the hard way or the easy way. Countries in international bodies don't tend to agree to anything without getting something they want, even if it's not related. So, Scotland may find it hard to get all the exemptions the UK has and the budget will be up for negotiation. In theory new states are supposed to join the Euro and Schengen (which I would like but would drive UKIPers and the UK Conservatives insane), but I'm sure they'll be able to avoid that if they give something else up and take longer over it. But I imagine that the worst part for Scotland will be the uncertainty whilst it's negotiated. Businesses will hate that.
