Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment Re:Contributing fixes.. (Score 1) 142

I hope Google does do some pull requests, so this goes into Debian, and perhaps filters to Ubuntu. Done right, their changes can have a major positive effect on the entire Linux ecosystem.

They'd have to be crazy not to upstream their changes. Otherwise they'd end up with an endlessly growing pile of patches to integrate and test, every time an upstream package changes. That would quickly become unmanageable.

Comment Re:Yes! (Score 1) 254

Site developer

Yes. Not the attacker, the site developer who chose give your password to his site to an tracking company. He could have chosen to do it directly, instead he just included their content and scripts on his site, from his domain, essentially enabling them to do an XSS attack on his site without needing the "XS" part.

In general, there's very little browsers can do to prevent XSS if site developers don't build their sites correctly. What we have here is a case where site developers may have done a decent job of preventing general XSS attacks, then gave a specific attacker special privileges. In this particular case, there may be some things that browsers can do about it, now that researchers have pointed out the issue. However, that won't actually fix the general case, because sites allow these tracking networks to inject Javascript as well. If the tracking companies wanted to, they could inject Javascript that collects your username and password from the visible fields, when you type them.

The only real solution is for site developers to be careful about whose content/code they inject in their sites. When they contract with an analytics company, they should ensure that the contract contains a commitment not to snarf extra data.

Comment Re:Not sustainable? (Score 1) 158

of course it's sustainable, otherwise they would have raised the $99 yearly fee.

That doesn't follow, because customers may use the service differently on a monthly subscription, and one usage pattern may be sustainable at a given price point, but not another.

For example, users may choose to sign up when they have a bunch of stuff to order (say, right before Christmas), then cancel immediately. With the annual subscription you have the low-utilization months to balance out the high-utilization months. I suppose some people may still say "I'm ordering a bunch of stuff right now, so much that my shipping cost is >$99, I'll sign up for Prime and save some money, then cancel", but that seems far less likely than for an $11 monthly subscription.

Of course, then there are people like me. Between everyone in my house, on my Prime subscription, we not only order/get stuff almost every day, it's common that UPS and FedEx make multiple stops at my house per day. Each. That utilization pattern seems unsustainable and I'm surprised they haven't announced tiered subscription rates.

Comment Re:There are two bugs here. (Score 1) 32

#2 is a bigger problem, but realistically home routers were never designed to do those types of things. They aren't capable of doing full wirespeed packet inspection, and for 99+% of the homes this works fine at a fraction of the cost.

Huh? These are just ordinary multicast packets; the only inspection the router needs to do is to check the destination address, which they have to do with every packet they handle. It's what routers do... look at destination addresses and forward the packet on the right interface. If they can't do that at wire(less)speed, then they pretty much fail as routers. And it's not like it's difficult to handle a few hundred megabits per second with modern CPUs, even low-power ones.

Comment Re:wrong problem (Score 1) 654

Our problems are social, not scientific.

And social problems don't benefit from the application of intelligence? I think they clearly do. Not that one person is going to come up with "the solution" to long-standing, knotty social problems. And of course it's crucial that people recognize their own limitations; you can't just rewrite the behavior of people, you have to work within the framework that exists and any effort to change behavior has to be done cautiously, with a constant vigilance for unexpected effects, and by convincing people that they want to behave differently.

But intelligence is absolutely useful for all of these things.

Comment Re:fuschia ftw! (Score 1) 72

because the world needs yet another proprietary walled garden operating system that allows the manufacturer of the device to retain control over the purchaser's property.

What in the history of Google devices makes you think that this will be a walled garden? Is it the fact that all Nexus/Pixel devices have unlockable bootloaders (except those bought from Verizon, at Verizon's insistence, and Google made sure they can be unlocked when they're paid off)? Or the fact that Android has always allowed sideloading and alternative app stores? Or the fact that all ChromeOS devices -- from all manufacturers -- have had a developer mode switch? Or the fact that Google open sources all of its Android and ChromeOS code? Or the fact that Fuschia is also open source?

I mean... the story you're commenting on is about how someone downloaded the open source FuschiaOS code, compiled and built it themselves (meaning they could have modified it if they liked), and then installed and ran it on a Google Pixelbook they put in dev mode.

How do you get "walled garden" out of that?

Comment Re:Fuschia and Concerns about the Future of Linux. (Score 1) 72

1. An End to the hardware Nightmares of Linux. Linux generally is not at the mercy of Windows Drivers. Linux Drivers for Android Devices has translated well to Linux Drivers on x86 for Desktop Linux.

Huh? I don't know of a single case where Android Linux driver development has made a driver available for the desktop. Mobile device drivers are very different from their desktop counterparts.

2. Root on our devices. Our Devices are our devices. I don't care how much I paid for the Device. If I was sold a device retail and paid for it in full, its mine. I don't care if they were sold on Amazon. We all should be entitled to have root, and unlocked bootloaders on our devices we pay for.

Linux hasn't, doesn't and will never help with this. Well, except in one way: Linux is buggy enough that it has, in the past, generally been possible to find kernel vulnerabilities to enable rooting on locked-down devices. That's a really backhanded "feature", though, since if the user can exploit the vulnerability so can an attacker. You're lauding insecurity, basically.

Don't get me wrong, I'm not anti-Linux. I switched to Debian as my platform of choice in 2000, and have never regretted it. I'm an Android engineer and enjoy the fact that the underlying kernel is one that's so familiar and comfortable. OTOH, I'm a security engineer and the size and monolithic nature of Linux makes it very hard to secure.

The manufacturer can void the warranty, but thats all. So what happens when root isn't a thing because of FushciaOS?

It's becoming not a thing for Linux, too, as we make progress toward closing the vulnerabilities in Linux. Actually, to the extent that Google manages to retain greater control of devices with FuschiaOS, you're more likely to be able to take control of your device. Google has always made its Android devices (Nexus/Pixel) unlockable, and has managed to require all ChromeOS device makers to allow theirs to be unlocked as well.

Comment Re:Yes! (Score 1) 254

competent to properly secure the password database (which is fairly easy),

If they are competent, then they must be unwilling to secure it. In 2018, this worked for my experimental chrome browser , latest from Google at the time : https://it.slashdot.org/story/...

Meh. It's no surprise that browsers don't yet mitigate a barely-published attack, particularly since it's arguably not an attack at all. The browser is doing the right thing and filling username and password fields for the site that it's supposed to. The site developer is the one including hidden forms that send that data to the wrong place. Bad/buggy web sites can do all kinds of nasty things with/to the data you give to those sites. The only difference here is that the site developer doesn't realize he's added this particular nastiness, but he did make the decision to use a shady tracking service.

Creative uses of Spectre (and Meltdown or something like it as an additional help) can make it even more "fairly easy" to steal the passwords.

Again, not an issue with having a password database in your browser. An issue with entering passwords in your browser at all, of course (or potentially in any program on your computer), but not a reason to prefer typing passwords over using the browser's password keeper.

Comment Re: No need for it any more (Score 1) 299

The US federal government is explicitly allowed to have an army. It just can't get appropriations for more than two years each. The Founders were indeed worried about the oppression potential of armies (navies are a lot harder to use for oppressing populations), but realized a Federal army would be needed.

Yes, and the two-year limit on appropriations was intended specifically to make it difficult for the federal government to maintain a standing army in peacetime.

Comment Re:Phone number? SMS? (Score 2) 254

I have no idea what a Google Authenticator App is, let alone how it works, or what FIDO is or U2F. None of those things make sense, so why in the world would I ever use them?

"Do a search" the lazy nerd would say.

I'm a lazy nerd and that's not what I would say. I would say: "Go to myaccount.google.com and click on 'Signing in to Google'. It explains all of the options."

Slashdot Top Deals

Wherever you go...There you are. - Buckaroo Banzai