Submission: How Boing Boing Handled an FBI Subpoena Over Its Tor Exit Node

An anonymous reader writes: Cory Doctorow has posted an account of what happened when tech culture blog Boing Boing got a federal subpoena over the Tor exit node the site had been running for years. They received the subpoena in June, and the FBI demanded all logs relating to the exit node: specifically, "subscriber records" and "user information" for everybody associated with the exit node's IP address. They were also asked to testify before a federal grand jury. While they were nervous at first, the story has a happy ending. Their lawyer sent a note back to the FBI agent in charge, explaining that the IP address in question was an exit node. The agent actually looked into Tor, realized no logs were available, and cancelled the request. Doctorow considers this encouraging for anyone who's thinking about opening a new exit node: "I'm not saying that everyone who gets a federal subpoena for running a Tor exit node will have this outcome, but the only Tor legal stories that rise to the public's attention are the horrific ones. Here's a counterexample: Fed asks us for our records, we say we don't have any, fed goes away."

Submission: Amazon Cuts Down On Sharing Prime

An anonymous reader writes: TechCrunch reports that Amazon quietly rolled out changes to how their Prime subscriptions can be shared. The good news is that existing members aren't losing their current sharing setups. It used to be that Amazon would let Prime subscribers share free shipping and a few other benefits with up to four other "household" members, with little restriction on what counted as a "household." The bad news: as of last weekend, Amazon now limits sharing to one other adult and four "child" profiles. The adults will need to authorize each other to use credit/debit cards associated with the account. Amazon didn't make any announcement about this, so it's unknown how long existing Prime shares will stay in effect. They could disappear when the subscription is up for renewal, or earlier if Amazon decides to crack down on it.

Comment Re: Treason - Peace on (Score 1) 111

The fun thing about this is that the German Verfassungsschutz might well be the one that really is committing treason, by ignoring the Verfassung (the Constitution) it is sworn to protect, and by spying illegally on German citizens. However, given the definition of treason in the German Verfassung, which might require foreign involvement, maybe not.

But then, the German Bundesnachrichtendienst (BND, same as the CIA in the USA), DID spy on German people and DID deliver the information to the NSA. Which quite clearly is treason. And the Verfassungsschutz doesn't want to investigate, which could be construed as collusion to treason.


FirefoxOS-Based Matchstick Project Ends; All Money To Be Refunded 102

Kohenkatz writes: Matchstick, a project built on FirefoxOS that aimed to compete with Google's Chromecast, which was initially funded on Kickstarter, is shutting down and will be refunding all pledges. In a post to Kickstarter backers today, they announced that this decision was due to the difficulty of implementing the DRM components that are necessary for access to a lot of paid content. Rather than drag out the project on an unknown schedule, they have decided to end the project.

Comment Re:not bashing Kim (Score 1) 90

You offer a reasoned and objective interpretation of this encryption scheme. The part you mention about user-friendliness is important for consumer adoption of a cloud service like this, but it's also the easiest part of the architecture to compromise.

Like you, I haven't thoroughly reviewed the MEGA security architecture, but I've tested the service and can make educated guesses as to how it's working. Both keys are stored on the server. The user submits a passphrase that is claimed to be used by JavaScript on the client side to decrypt the key used on the client side of the transaction.

As you suggest, the JavaScript can be modified transparently to the end user. There is no assurance to the end user that the passphrase is not sent to the server to be used by the administrator to decrypt the key (that's stored on the server) and then access the user's content.

This security is a technical fallacy. The operators are purporting it to be secure, but they knew from the beginning that the encryption depended on the goodwill of the operators. If the keys don't reside in the hands of the end-users, it's not the real encryption solution Kim Schmitz has been selling.

Comment strongest attack vector in existence (Score 2) 111

I know there is still a small percentage of people out there that still click on every email link they get, but I would hope that phishing is a dying art and not much would ever come of this. I know that most of the people I supported would not be this amazingly stupid, nor would many in the entire company.

If you work in an IT capacity, I suggest you rethink architecting your security profile based on trusting users not to click on links sending them to websites hosting malicious exploit code.

You might have the smartest CS graduates working in your organization. Each one of them has a computer-inexperienced relative who's had their email compromised in one way or another. From those compromised email accounts, messages are sent to your coworkers that can contain solicitations to view content hosted on a remote website. The possibility of your teammates following those links is especially high. Once the exploit code has hit the desktop OS, it's inside your network. If you have vulnerable routers, the attackers can use the beachhead of the first compromised desktop machine to change the DNS settings on the network router. Now, every single user in the organization is vulnerable to being redirected from "www.google.com" to "www.exploitsite.com" while they still only see the friendly Google search page in their browsers when they try to do a search.

Don't trust the end users. They're the weakest member of your corporate security.


Inside the Failure of Google+ 275

An anonymous reader writes: An article at Mashable walks through the rise and fall of Google+, from the company's worries of being displaced by Facebook to their eventual realization that Google services don't need social hooks. There are quotes from a number of employees and insiders, who mostly agree that the company didn't have the agility to build something so different from their previous services. "Most Google projects started small and grew organically in scale and importance. Buzz, the immediate predecessor to Plus, had barely a dozen people on staff. Plus, by comparison, had upwards of 1,000, sucked up from divisions across the company." Despite early data indicating users just weren't interested in Google+, management pushed for success as the only option. One employee said, "The belief was that we were always just one weird feature away from the thing taking off." Despite a strong feature set, there was no acknowledgment that to beat Facebook, you had to overcome the fact that everybody was already on Facebook.

Comment Re:Startup management subsystem (Score 1) 391

If Poettering uses the same communication methods as everyone else for managing his highly used open source project, then systemd is doing this because it can only get ahead without feedback.

If, OTOH, Poettering goes so far as to organize a public conference on his project, then his project is "doing too much".

Did you ever think, perhaps, that the conference is a way to get commentary and feedback on a project that's thus far been fairly controversial (largely for ridiculous reasons by people who think sysv init is a good idea?)

Comment Re:Win10 is worse than Win8 (Score 1) 478

Good for you... most people have accepted them in return for free stuff.

Yeah, but Windows isn't free unless you're a member of their beta testing program. Windows 10 is a "free" upgrade, but that means you don't have to pay an additional fee for the update from your current version, not that you don't have to buy Windows to begin with.

I don't want any functionality that was present in Windows 7 to be ad-burdened in 10, even if it is just Freecell.


I think a better complaint would have been that this seems to be mostly a misrepresentation of what Microsoft is doing, not that "most people don't care" (so we shouldn't?)

Comment Re:List of privacy violations (Score 1) 183

From what I could see, the features that actually invade privacy are optional. The collage was highly misleading, including such things as "Windows Update being mandatory" and "Malware protection only being able to turn off temporarily" as "privacy violations" when they're actually both just things that suck.
