Security

Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? 81

New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security? The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors is all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.

One idea would be something similar to Underwriters Labs, except it would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 407

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?
Government

Ask Slashdot: Should Users Uninstall Kaspersky's Antivirus Software? (slashdot.org) 306

First, here's the opinion of two former NSA cybersecurity analysts (via Consumer Reports): "It's a big deal," says Blake Darche, a former NSA cybersecurity analyst and the founder of the cybersecurity firm Area 1. "For any consumers or small businesses that are concerned about privacy or have sensitive information, I wouldn't recommend running Kaspersky." By its very nature antivirus software is an appealing tool for hackers who want to access remote computers, security experts say. Such software is designed to scan a computer comprehensively as it searches for malware, then send regular reports back to a company server. "One of the things people don't realize, by installing that tool you give [the software manufacturer] the right to pull any information that might be interesting," says Chris O'Rourke, another former NSA cybersecurity expert who is the CEO of cybersecurity firm Soteria.
But for that reason, Bloomberg View columnist Leonid Bershidsky suggests any anti-virus software will be targeted by nation-state actors, and argues that for most users, "non-state criminal threats are worse. That's why Interpol this week signed a new information-sharing agreement with Kaspersky despite all the revelations in the U.S. media: The international police cooperation organization deals mainly with non-state actors, including profit-seeking hackers, rather than with the warring intelligence services."

And long-time Slashdot reader freddieb is a loyal Kaspersky user who is wondering what to do, calling the software "very effective and non-intrusive." And in addition, "Numerous recent hacks have gotten my data (Equifax, and others) so I expect I have nothing else to fear except ransomware."

Share your own informed opinions in the comments. Should users uninstall Kaspersky's antivirus software?
Businesses

Ask Slashdot: How Can You Apply For A Job When Your Code Samples Suck? 407

An anonymous Slashdot reader ran into a problem when looking for a new employer: Most ask for links to "recent work" but the reason I'm leaving my current job is because this company doesn't produce good code. After years of trying to force them to change, they have refused to change any of their poor practices, because the CTO is a narcissist and doesn't recognize that so much is wrong. I have written good code for this company. The problem is it is mostly back-end code where I was afforded some freedom, but the front-end is still a complete mess that doesn't reflect any coherent coding practice whatsoever...

I am giving up on fixing this company but finding it hard to exemplify my work when it is hidden behind some of the worst front-end code I have ever seen. Most job applications ask for links to live code, not for code samples (which I would more easily be able to supply). Some of the websites look okay on the surface, but are one right click -> inspect element away from giving away the mess; most of the projects require a username and password to log in as well, but account registration is not open. So how do I reference my recent work when all of my recent work is embarrassing on the front-end?

The original submission's title asked what to use for work samples "when the CTO has butchered all my work." Any suggestions? Leave your best thoughts in the comments. How can you apply for a job when your code samples suck?
Books

Ask Slashdot: What Is Your Favorite William Gibson Novel? 298

dryriver writes: When I first read William Gibson's Neuromancer and then his other novels as a young man back in the 1990s, I was blown away by Gibson's work. Everything was so fresh and out of the ordinary in his books. The writing style. The technologies. The characters and character names. The plotlines. The locations. The future world he imagined. The Matrix. It was unlike anything I had read before. A window into the far future of humanity. I had great hopes over the years that some visionary film director would take a crack at creating film versions of Neuromancer, Count Zero and Mona Lisa Overdrive. But that never happened. All sorts of big budget science fiction was produced for TV and the big screen since Neuromancer that never got anywhere near the brilliance of Gibson's future world. Gibson's world largely stayed on the printed page, and today very few people talk about Neuromancer, even though the world we live in, at times, appears headed in the exact direction Gibson described in his Sprawl trilogy. Why does hardly anybody talk about William Gibson anymore? His books describe a future that is much more technologically advanced than where we are in 2017, so it isn't like his future vision has become "badly dated." To get the conversation going, we rephrased dryriver's question... What is your favorite William Gibson novel?
Android

Slashdot Asks: Does the World Need a Third Mobile OS? 304

Now that it is evident that Microsoft doesn't see any future with Windows Phone (or Windows 10 Mobile), it has become clear that there is no real or potential competitor left to fight Android and iOS for a slice of the mobile operating system market. Mozilla tried Firefox OS, but that didn't work out either. BlackBerry's BBOS also couldn't find enough takers. Ideally, the market is more consumer-friendly when there are more than one or two dominant forces. Do you think some company, or individual, should attempt to create their own mobile operating system?
Advertising

Ask Slashdot: Is Deliberately Misleading People On the Internet Free Speech? 503

Slashdot reader dryriver writes: Before anyone cries "free speech must always be free," let me qualify the question. Under a myriad of different internet sites and blogs are these click-through adverts that promise quick "miracle cures" for everything from toenail fungus to hair loss to tinnitus to age-related skin wrinkles to cancer. A lot of the ads begin with copy that reads "This one weird trick cures....." Most of the "cures" on offer are complete and utter crap designed to lift a few dollars from the credit cards of hundreds of thousands of gullible internet users. The IQ boosting pills that supposedly give you "amazing mental focus after just 2 weeks" don't work at all. Neither do any of the anti-ageing or anti-wrinkle creams, regardless of which "miracle berry" extract they put in them this year. And if you try to cure your cancer with an Internet remedy rather than seeing a doctor, you may actually wind up dead.

So the question -- is peddling this stuff online really "free speech"? You are promising something grandiose in exchange for hard cash that you know doesn't deliver any benefits at all.

Long-time Slashdot reader apraetor counters, "But how do you determine what is 'true'?" And Slashdot reader ToTheStars argues "It's already established that making claims about medicine is subject to scrutiny by the FDA (or the relevant authority in your jurisdiction)." But are other things the equivalent of yelling "fire" in a crowded movie theatre? Leave your best thoughts in the comments. Is deliberately misleading people on the internet free speech?
Security

Ask Slashdot: Share Your Security Review Tales 198

New submitter TreZ writes: If you write software, you are most likely subject to a "security review" at some point. A large portion of this is common sense, like don't put plain text credentials into GitHub, don't write your own encryption algorithms, etc. Once you get past that, there is a "subjective" nature to these reviews.

What is the worst "you can't do" or "you must do" that you've been subjected to in a security review? A fictitious example would be: you must authenticate all clients with a client certificate, plus basic auth, plus MFA token. Tell your story here, omitting incriminating details.
Businesses

Ask Slashdot: Which Businesses Will Go Away In the Next 10 Years? (nbcnews.com) 495

AmiMoJo writes: Ten years ago NBC published a list of business types that it predicted would disappear in the following decade. Ten years later and we can see how good their fortune telling was. What businesses do you think will go away by 2027? Who is destined to become the next buggy whip manufacturer, whose demand dried up due to changing technology and a changing world?

For reference, NBC's list was: Record stores; Camera film manufacturing; Crop dusters; Gay bars; Newspapers; Pay phones; Used bookstores; Piggy banks; Telemarketing; Coin-operated arcades.

Android

Ask Slashdot: Why Would Anyone Want To Spend $1,000 on a Smartphone? 487

Last month, Apple CEO Tim Cook said the $1,000 sticker price for the base model of iPhone X, the latest flagship smartphone from the company which goes on sale next month, is "a value price for the technology that you're getting." An anonymous reader writes: I simply don't understand why anyone would want to spend such an amount on a phone. Don't get me wrong. Having a smartphone is crucial in this day and age. I get it. But even a $200 phone, untethered from any carrier contract, will let you install the apps you need, will allow you to take good pictures, surf the web, and listen to music. That handset might not be as fast as the iPhone X or Samsung's new Galaxy Note 8, or it might not be able to take as great pictures, but the difference, I feel, doesn't warrant an additional $800. The reader shares a column: When considering a purchase, comparing the value a product will add to our lives and its cost is wise. Subjective perceptions affect how we value possessions, but let's consider the practical value of how we use smartphones. Smartphones aren't used for talking as often as the phones that preceded them were. In fact, actual "phone" use ranks below messaging, web surfing, social media and other activities that dominate smartphone usage. Furthermore, statistically we use only six core apps regularly. [...] My point is, smartphones haven't changed all that much, relatively speaking. Sure they're bigger, faster, more powerful and have awesome cameras. But the iPhone X is fundamentally the same device the earlier iPhones were, and provides the same basic and sought-after functions. It's a glass-covered rectangular slab mostly used for messaging, web-surfing, music and social media activity. An individual's perception of self, financial resources, desired or actual social position and love for tech will likely play a role in his perception of the value of a $1,000 smartphone.
Open Source

Ask Slashdot: What's The Best Open Source Hardware to Tinker With? 134

This question comes from an anonymous Slashdot reader who just got an Arduino and started tinkering with electronics: I'm quite amazed at the quality of the hardware, software, and the available tutorials and (mostly free) literature. A very exciting and inexpensive way to get a basic understanding of electronics and the art of microcontroller programming.

Now that I'm infected with the idea of Open Source hardware, I'm wondering if the Slashdot community could suggest a few more things to get for a beginner in electronics with experience in programming and a basic understanding of machine learning methods. I was looking at the OpenBCI project [Open Brain Computer Interface], which seems like an interesting piece of hardware, but because of the steep price tag and the lack of reviews or blog posts on the internet, I decided to look for something else.

Leave your best answers in the comments. What's the best open source hardware to tinker with?
Operating Systems

Ask Slashdot: Whatever Happened To the 'Year of Linux on Desktop'? 417

An anonymous reader writes: Investors, enthusiasts, and Linux distro makers have for more than a decade projected that the upcoming year will be the year of Linux on the desktop platform. But we just can't seem to get to that year for some reason. Windows continues to dominate the consumer market. Apple's macOS X is quickly gaining ground among business customers and designers, and is already ahead of Linux. Do you see Linux getting a significant boost in the desktop market in the coming years?
Software

Is Project Management Killing Good Products, Teams and Software? (techbeacon.com) 176

New submitter mikeatTB writes: "For software development, no significant developer activity is predictable or repetitive; if it were, the developers would have automated it already," writes Steven A. Lowe, Principal Consultant Developer at ThoughtWorks, via TechBeacon. "In addition, learning is essentially a nonlinear process; it involves trying things that don't work in order to discover what does work. You might see linear progress for a while, but you don't know what you don't know, so there will be apparent setbacks. It is from these setbacks that one learns the truth about the system -- what is really needed to make it work, to make it usable, and to make a difference for the users and the business. In other words, the dirty little secret of software development is that projects don't really exist. And they're killing our products, teams, and software." Lowe continues: "Projects, with respect to software development, are imaginary boxes drawn around scope and time in an attempt to 'manage' things. This tendency is understandable, given the long fascination with so-called scientific management (a.k.a. Taylorism, a.k.a. Theory X), but these imaginary boxes do not reduce underlying complexity. On the contrary, they add unnecessary complexity and friction and invite a counterproductive temptation to focus on the box instead of the problem or product. This misplaced emphasis leads to some harmful delusions: Conformance to schedule is the same thing as success; Estimation accuracy is possible and desirable enough to measure and optimize for; The plan is perfect and guarantees success; The cost of forming and dissolving teams is zero; The cost of functional silo hand-offs is zero; The bigger and more comprehensive the plan, the better; Predictability and efficiency are paramount."
Businesses

Slashdot Asks: Which IT Hiring Trends Are Hot, and Which Ones Are Going Cold? 190

snydeq writes: Recruiting and retaining tech talent remains IT's biggest challenge today, writes Paul Heltzel, in an article on what trends are heating up and what's cooling off when it comes to IT staffing. "One thing hasn't changed this year: Recruiting top talent is still difficult for most firms, and demand greatly outstrips supply," writes Heltzel. "That's influencing many of the areas we looked at, including compensation and retention. Whether you're looking to expand your team or job searching yourself, read on to see which IT hiring practices are trending and which ones are falling out of favor." What are you seeing companies favoring in the hiring market these days?
Transportation

Ask Slashdot: What Would Happen If a Hyperloop Train Failed? 736

dryriver writes: I've been following Elon Musk's Hyperloop initiative with great interest. The idea of getting from one city to another at 700 MPH without having to suffer through an airport and all that jazz is revolutionary. I'm glad that somebody is trying to innovate in the area of land travel. My question though: When conventional trains going at much slower speeds derail or crash, the result is often serious injuries or deaths. What happens if something goes wrong with a 700 MPH Hyperloop train/pod or with part of the track? Would a Hyperloop accident at that speed even be survivable?
Open Source

Ask Slashdot: What's the Best Business Model for An Open Source Developer? 87

An anonymous reader writes: I'm interested in creating really good open source software. However, unless programmers have an incentive to work on their projects for long periods, many projects are abandoned.

There are many business models surrounding free/libre open source software: support (pay for help, or additional features), premium (pay for more advanced software), hosting (pay for using the software on someone else's servers), donation (two versions of the same app, pay because you want to be nice to the developers), etc. Not all of those business models align the interests of the developer and the customer/user in the same way: support-based models, for example, benefit developers who introduce certain mistakes or delay introducing features. (In the short term. In the long run, it opens a door for competitors...) Which of those align the interests of both?

The original submission also asks if any of these models are "morally questionable" -- and if there's other business models that have proven successful for open source software. Leave your best thoughts in the comments. What's the best business model for an open source developer?
Books

Ask Slashdot: What Are You Reading This Month? 312

An anonymous reader writes: Hey folks! Could you share what are some books (or book) you're reading this month? Maybe it's the book you've already started, or you intend to begin or resume later this month? Thanks!
Cellphones

Ask Slashdot: What Can You Do With An Old Windows Phone? 169

Slashdot reader unixisc writes: While it's always been well known that Windows phones in the market have floundered, one saving grace has always been that one could at least use it for the barest minimum of apps, even if updates have stopped... Aside from a door stop or a hand me down to someone who'll use it like a dumb phone, what are your suggested uses for this phone? A music player (if the songs are on an SD card)? Games? As far as phones go, I have what I need, so for this, anything it's good for?
The original submission suggests problems connecting to wi-fi -- something partially corroborated by complaints at Windows Central -- though Microsoft's site says they're still supporting wi-fi connections.

Slashdot reader thegreatbob suggested "shuffleboard puck" -- then added, "Snark aside, if you're into writing custom applications and such for them, there's probably a bootloader/root solution for you out there."

Leave your own best suggestions in the comments. What can you do with an old Windows Phone?
Privacy

Ask Slashdot: What's a Practical Response To the Equifax Breach? 217

In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
Firefox

Ask Slashdot: How Do You See Your Life After Firefox 52 ESR? (mozilla.org) 465

Artem Tashkinov writes: The soon-to-be-released Firefox 56 says that, out of the 35+ add-ons I have installed, only a single one is a proper WebExtension, which means that Firefox 57 will disable over 95% of my add-ons, many of which I just cannot live without, and for most of them there are simply no alternatives. This number of add-ons sounds like overkill, but actually they are all pretty neat and improve your browsing abilities. That's the reason why I'm using Firefox 52 ESR, which still fully supports XUL add-ons; however, after June 2018, it will stop being supported.

Let's list the most famous ones:
  • DownThemAll is still largely irreplaceable, since you can download from many parts of the internet much faster if you split the downloaded files into chunks and download them simultaneously;
  • GreaseMonkey allows you to fix or extend your favourite websites using JavaScript;
  • Lazarus: Form Recovery has saved my time and life numerous times; it regularly backs up the contents of web forms and allows you to restore them after a browser restart or accidental page refresh;
  • NoScript allows you to whitelist JS execution only for websites that you really trust; JS has been used as an attack and tracking tool since its inception;
  • Status-4-Ever and Classic Theme Restorer return Firefox to the time when it was a powerful tool with its own identity and looks, and not a Chrome clone;
  • UnMHT allows you to save complete web pages as a single MHT file.

So what will you do less than a year from now?
