
Comment: Re:It's a vast field.... (Score 1) 809

by xelah (#49055857) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

You can encrypt with two public keys, and for decryption send it off to your two key-holding machines in turn.

Or you can go one step further and encrypt the card number with two one-time pads, store the encrypted card number and encrypted one time pads, and do the decryption by sending the pads off to be decrypted by the separately-controlled systems. Then the key-holding machines don't have access to any card data themselves.

PCI DSS even requires that no one person can have a 'key component' which gives them any knowledge of the full key. So you can't just split a key into two halves, even if you could do the decryption. I can't help thinking that whoever wrote it really wanted to write 'just buy an HSM'.

Comment: Re:It's a vast field.... (Score 1) 809

by xelah (#49054055) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

Symmetrically encrypted credit cards, OK, I can see it, though it's far from a silver bullet.

Symmetrically encrypting credit card numbers is tough to do within the rules unless you have a hardware security module. Under PCI DSS, the complete key used for decryption is not allowed to be within the control of one person, including the sysadmin. So, you can't have the complete key on one machine because then the sysadmin can get it (except HSMs, which prevent even the administrator from getting at the keys). You can, however, have two physically separately controlled machines, with no overlapping access rights, and use keys in both.

Then, to reduce latency, load, failure risk, etc., you can have a public key on your server and use it for encrypting card numbers during payments, and use a much more expensive and complicated process for decrypting them when you need to make refunds.

If someone has hacked your database layer, they probably have your decryption keys from the app layer too.

That's one reason for the rule. The other is to stop someone (including a sysadmin) running off with the complete key - instead, they'd have to send the encrypted data through the online decryption process. Not only is that logged (and possibly limited), it may be something that you don't have access to if, say, you've stolen a backup or decommissioned disk.
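The split the two comments above describe (card number masked by two one-time pads, each pad wrapped to a different separately controlled key holder, web tier holding only public keys) as an added worked example in Go. This is not code from the comment's author or from any PCI DSS guidance; the key-holder type, the RSA-OAEP wrapping, the label string, the request counter and the sample card number are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties wrapped pads to this one use (assumed value for the example).
var oaepLabel = []byte("card-pad-wrap-v1")

// KeyHolder models one of the two separately controlled decryption machines. It
// only ever decrypts pads and is never given the ciphertext, so alone it learns nothing.
type KeyHolder struct {
	priv     *rsa.PrivateKey
	Requests int // every unwrap is counted; a real holder would log and rate-limit
}

// NewKeyHolder makes an in-memory RSA-2048 key; an HSM would keep it non-exportable.
func NewKeyHolder() (*KeyHolder, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyHolder{priv: priv}, nil
}

func (h *KeyHolder) Public() *rsa.PublicKey { return &h.priv.PublicKey } // all the web tier gets

// Unwrap is the holder's sole exposed operation: decrypt one wrapped pad.
func (h *KeyHolder) Unwrap(wrapped []byte) ([]byte, error) {
	h.Requests++
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, h.priv, wrapped, oaepLabel)
}

// Record is what the application database stores per card number.
type Record struct {
	Ciphertext  []byte // pan XOR padA XOR padB
	WrappedPadA []byte // padA, RSA-OAEP encrypted to holder A's public key
	WrappedPadB []byte // padB, RSA-OAEP encrypted to holder B's public key
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Tokenize runs on the web tier, which holds public keys only and so can encrypt
// but never decrypt. Each record gets two fresh one-time pads, never reused.
func Tokenize(pan string, pubA, pubB *rsa.PublicKey) (Record, error) {
	pads := make([]byte, 2*len(pan))
	if _, err := rand.Read(pads); err != nil {
		return Record{}, err
	}
	padA, padB := pads[:len(pan)], pads[len(pan):]
	wA, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubA, padA, oaepLabel)
	if err != nil {
		return Record{}, err
	}
	wB, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubB, padB, oaepLabel)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: xor(xor([]byte(pan), padA), padB), WrappedPadA: wA, WrappedPadB: wB}, nil
}

// Detokenize is the slow refund-time path: both holders must unwrap their own pad
// before the card number exists anywhere, and neither sees the other's pad.
func Detokenize(rec Record, a, b *KeyHolder) (string, error) {
	padA, err := a.Unwrap(rec.WrappedPadA)
	if err != nil {
		return "", fmt.Errorf("holder A: %w", err)
	}
	padB, err := b.Unwrap(rec.WrappedPadB)
	if err != nil {
		return "", fmt.Errorf("holder B: %w", err)
	}
	return string(xor(xor(rec.Ciphertext, padA), padB)), nil
}

func main() {
	a, _ := NewKeyHolder() // error handling elided in this demo driver only
	b, _ := NewKeyHolder()
	pan := "4111111111111111" // constructed sample (a standard test number), not real card data
	rec, _ := Tokenize(pan, a.Public(), b.Public())
	got, _ := Detokenize(rec, a, b)
	// Database plus holder A only: one pad stripped, still one-time-pad encrypted under padB.
	padA, _ := a.Unwrap(rec.WrappedPadA)
	partial := xor(rec.Ciphertext, padA)
	fmt.Printf("stored %x\nboth holders: PAN recovered = %v\nholder A alone: %x (PAN = %v)\n",
		rec.Ciphertext, got == pan, partial, string(partial) == pan)
}
```

Two properties are worth checking rather than taking on trust: a stolen database (or backup) together with one holder's key still leaves the card number masked by the other pad, and a pad wrapped for holder A cannot be opened by holder B, so both Unwrap endpoints must be hit for every refund and both request counters move. Each pad is used for exactly one record; reusing pads across records would make the XOR of two stored ciphertexts leak the XOR of two card numbers. A raw XOR also carries no integrity check, so a production version would wrap two key shares for an AEAD such as AES-GCM instead of raw pads, keep the holders' private keys in HSMs, and log and rate-limit the unwrap endpoint, which is the audit trail and throttle the comment refers to.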

Comment: Re:It's a vast field.... (Score 1) 809

by xelah (#49054039) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

For a software architect type of position you're going to need a good overview of the techniques available for solving a business and technical problem. You don't need to know what commands to use, you certainly don't need to know the maths behind RSA, but not knowing of the existence of public key cryptography is not a good sign. It's not a difficult thing to know, it can occasionally allow you to think of design solutions you'd never have otherwise thought of, and is surely totally standard in a CS degree.

On its own maybe it's not a fatal flaw - it's never going to be hard to find a question you know the answer to but your interviewer doesn't and so it's an easy trap to overstate the importance of something like that. Probably someone else would think the same thing about never having heard of XA distributed transactions, or Spring, or sed or somesuch. And I don't think it's a good interview technique to fish for a very specific answer; better, I think, to pose a higher level technical or business problem and interactively sketch out design decisions.

But, still, someone making high level design decisions about software should be someone curious enough to want to know what it is once they've heard of it.

Comment: Re:Double Irish? TAX ALL FOREIGNERS!!! (Score 1) 825

by xelah (#48956773) Attached to: Obama Proposes One-Time Tax On $2 Trillion US Companies Hold Overseas

An American company can make a profit in Norway using Danish workers and pay it out to a shareholder in Brazil, and yet pay US taxes. Also, you might think that corporate taxes are paid by shareholders, but mostly they come out of wages. This paper comes to a figure of 75% out of wages: http://www.sbs.ox.ac.uk/ideas-... . Why should Danish workers and Brazilian shareholders pay US taxes on work done in Norway?

Defining 'profit', never mind 'profit in country x', is difficult and this is easy to abuse. It's not progressive (it doesn't depend on the income of whoever pays it) and is one of the easier taxes to avoid.

A better system would be to use your income tax system to tax the dividends received by your residents and scrap corporate taxes. It removes a whole layer of bureaucracy, avoidance and international tax competition. With a very small number of exceptions, most people will not emigrate to avoid tax in the way that companies do. And it's fairer: labour income is far more heavily taxed than other kinds and there should be some equalization (it should, of course, be combined with equalization with taxes on interest, capital gains and so on).

Comment: Re:Great (Score 1) 602

by xelah (#48521125) Attached to: UK Announces 'Google Tax'

Damn, I'm slightly out with the first number. It should be £12074. To spend 30k on an employee you make the official salary be £26362, you pay as the employer 13.8% (£3638) in employers' national insurance contributions, then the employee pays 12% employee's national insurance and 20% income tax (£8436) on that.

What's ridiculous is that the amount in your contract (26,362) isn't equal to any of the amounts of money involved. It's not what it costs the employer to pay you (30k), it's not what you receive.

Comment: Re:Great (Score 1) 602

by xelah (#48521099) Attached to: UK Announces 'Google Tax'

It doesn't have to be done that way, an alternative is to tax corporate profits entirely as personal income when they become dividends, and not tax them at the corporate level at all. Then it's much less ambiguous which country and rate applies.

Suppose a UK company has £30k it wants to pay to you and you're already in the standard tax bracket. The total tax paid can be:

  • As an employee: 13.8%, then 12% + 20% = £12415
  • As a lender or pensioner: 20% = £6000
  • As a shareholder (very small company, from profits, no avoidance): 20% then 10% = £8400
  • As a shareholder (big company, from profits, no avoidance): 21% then 10% = £8670
  • As a shareholder (big company, corporation tax completely avoided): 10% = £3000

See how it's employees who get screwed the most? And how much variation there can be between companies?

Instead of trying to make an impossible system work, I think it'd be better to charge about 30% on all (middle level) incomes (except maybe pensions) and scrap all the other taxes, including the corporate ones.

It's where we'll end up anyway if countries continue to compete on corporate tax rate.

Comment: Re:wont last (Score 1) 287

by xelah (#48432557) Attached to: Customers Creating Fake Amazon Pages To Get Cheap Electronics At Walmart

Because the objective of price matching policies is to convert a competitor's sale to your sale. If the competitor can't fulfill the order then you haven't lost a customer to them and don't need to price match.

Only partly. Traditionally, price matching was an anti-competitive measure to support prices. It says to your competitors 'don't bother trying to compete on price because we'll just match you and we'll both lose'.

Comment: Re:Obviously. Dinsaurogenic Global Warming (Score 1) 695

An increase in extreme weather, on the other hand, makes gardening and farming a whole lot harder. A frost or drought at the wrong time can completely destroy your crop. You can adapt to changing conditions by growing different crops, but only if you know what the weather is likely to be like. Otherwise your frost tolerant plants get killed by drought one year and then your drought tolerant plants get killed by floods the next.

Comment: Re:Are you patenting software? (Score 1) 224

by xelah (#48157405) Attached to: Ask Slashdot: Handling Patented IP In a Job Interview?

Indeed. I suspect that he couldn't sue them, because if he'd used his IP whilst working for them he'd be implicitly giving them a licence, but that it could still cause them problems because he could withdraw the licence when he feels like it.

The situation surely shouldn't be that much different to someone who'd patented something for a previous employer, just that your employer in this case was effectively your own small business. You can't use it in your new job, and you shouldn't try to sell your old employer's stuff to them because you're supposed to be doing your job only in the interests of your new employer.

Comment: Re:Awesome (Score 2) 283

by xelah (#48110623) Attached to: Tesla Announces Dual Motors, 'Autopilot' For the Model S

So, your living costs are something very approximating twice what the monthly car cost would be, and I presume you'd be paying it for something like 5 years. That gives you a choice between 1: accelerating very fast for a few tens of seconds per day, instead of rather slower and 2: having two and a half years off work (or retiring earlier) and doing something important to you instead.

There's nothing actually illogical about preferring the first. But I think it's reasonable to call it an extreme preference.

Comment: Re:This isn't scaremongering. (Score 1) 494

by xelah (#47927319) Attached to: Scotland's Independence Vote Could Shake Up Industry

The Royal Bank of Scotland is not Scottish? It is not clear who owns it, since it is publicly traded

Isn't RBS 64% owned by the UK government? I know it was 81% earlier this year, but I think UKFI sold some.

but I don't think they would close down their HQ in Edinburgh, just because Scotland is now an independent country.

They've said they will: http://www.heraldscotland.com/...

I honestly think the EU would be fully willing to integrate Scotland from day one.

I'm sure the EU will let Scotland in. I don't think that's really the question (I really wouldn't take those who say that Scotland will be blocked seriously) - it's more about what other countries will want in return, and whether other countries with secessionist movements will want it to do it the hard way or the easy way. Countries in international bodies don't tend to agree to anything without getting something they want, even if it's not related. So, Scotland may find it hard to get all the exemptions the UK has and the budget will be up for negotiation. In theory new states are supposed to join the Euro and Schengen (which I would like but would drive UKIPers and the UK Conservatives insane), but I'm sure they'll be able to avoid that if they give something else up and take longer over it. But I imagine that the worst part for Scotland will be the uncertainty whilst it's negotiated. Businesses will hate that.

Comment: Re:at least the nuclear weapons will be gone (Score 1) 494

by xelah (#47927133) Attached to: Scotland's Independence Vote Could Shake Up Industry

I would think that the UK government would not believe that an invader in Scotland would stop at the border. As such, it'd be far more likely to provoke a nuclear response to a conventional attack than, say, an invasion of Turkey (though, one would hope, NATO conventional forces would be a different matter).

Comment: Re:Economist Article is Exceedingly Precise (Score 1) 240

by xelah (#47653741) Attached to: Patents That Kill

$89 billion is surely false precision, but it's not unreasonable to put a value on lives when you have an economic decision to make. None of them work all that well, but it's better than just flailing in the dark which is the alternative.

For example, you can look at how much it would cost to save those lives another way (eg, through spending on road or rail safety or other, known, healthcare spending). This might give you a figure of a few million. But you tend to find huge discrepancies between spending in different areas - eg, much more in air and rail safety or terrorism prevention than in road safety - depending on how the public responds to those things. Refusing to put a cost on lives this way kills - governments spend huge sums on rail (eg, after the UK Hatfield rail crash) and terrorism prevention when spending a lot of it on healthcare and road safety would save more lives. eg, according to this http://www.theguardian.com/uk/... the UK government was prepared to spend three times as much (~£3m) per life saved on rail compared to road, and more like £15m in an expensive system after the crash - in effect letting 15 people die to save each one.

You can also recognize that we're not talking about certain death, we're talking about risks to life - and people implicitly put a value on risks to life all the time. Car vs train, one car vs another, a dangerous job vs a safe one, driving further to buy something more cheaply or commute from somewhere different. You can come to estimates based on how much they're prepared to spend to avoid risk. But, of course, people are quite irrational about risk and you get widely varying numbers.

And, as another commenter has said, you can estimate from economic output lost, but that's not very satisfactory. In theory it produces a minimum value (assuming that the economy isn't overproducing, spending people's time on producing things less valuable than the time). But it confuses the purpose of an economy - to give people the best quality of life it can, not to produce as much stuff as it can.
