
Comment Interesting question. Trust Iran to arrest them? (Score 1) 256

There is an interesting philosophical question when it comes to US citizens.

> if there is enough evidence to arrest them I'm sure the foreign government will do so.

Suppose Richard Reid, the shoe bomber, had escaped to Iran. Should we not declare that we don't want him on any US-bound airliners? I know I don't want a known terrorist on the same plane _I_ am on. Would Iran arrest him for us? Maybe.

We do know that at least SOME of the people on the no fly lists HAVE been arrested for terrorism related offenses. They did their time and got out, or one juror felt there wasn't proof beyond a reasonable doubt. There might still be enough evidence to say we don't want them flying on an airliner, without even going through US security first.

Again, the other list, the terrorism watch list, is much more concerning to me, especially because of the number of people on it.

Comment the same as any service - reputation, etc. (Score 1) 102

You ask "why would they" sign up for a notification service that costs $120 / year. I suppose it's like just about any other online purchase - it comes down to the reputation of the seller. Why would you buy a computer on Dell.com, when you can't see the product before you buy it? You'd make that decision based on Dell's reputation, and any previous dealings you had with the company.

The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums other professionals they know would report that our service worked well for them. When we identify a compromised account, we tell the owner of the sites which account(s) are known to be compromised and where we found the compromised account information if it's being publicly traded on a cracker board. Also we provide tools they can use to analyze activity on the account and see for themselves that people in Russia and China are trying to use the account or whatever.

A customer uses this service and tools and it works well for them. Six months later, someone in a Slashdot post asks "how can I tell if my site's password database has been compromised?" Other Slashdot users reply "the tools 'raymorris' supplies worked well for me". So pretty much like any other online purchase.

Comment haha. MD5 is similar (Score 1) 62

That's true, and funny. It does remind me of another, more well-known "almost got it" attack. For MD5 collisions you keep adding data to the end, getting closer and closer to a match. In fact, that's how the whole hack works. You can't know what will match, but you can generate something that is closer to match. Keep getting closer to match until you happen to actually match.

Comment Unproven, but plausible. Our reputation was plenty (Score 1) 102

We used to provide a similar service to web sites. We had many millions of compromised accounts. We didn't offer any services to consumers. The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums other webmasters they know would report that our service worked well for them. That was sufficient that most customers would add that service or not based on what I recommended for their particular site. In general, on a site making over $5,000 / month it might make sense to spend $5 / month on the extra security. For sites making less than $1,000 / month, I'd suggest they put their limited resources elsewhere and check back in a year. In between, it depends on the type of site. Some are attacked more than others, and a compromise is likely to be more costly on some than on others.

Comment we offered a similar service, it costs to operate (Score 1, Interesting) 102

A Billion dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery unlike most AV products which charge the same $$$ per year for little in return.

Indeed, we used to operate a similar service, and many companies were excited to sign up at just $49 / year. Often, the bad guys get the entire password database, so being alerted to that right away is valuable. I designed our system many years ago and it was somewhat expensive to operate. Crackers compromise new sites every day, so you have to be constantly finding and processing newly compromised accounts. Over time, it became more costly to cover a smaller percentage of compromised accounts, so we advised more and more sites not to buy it, until at some point we just stopped offering the service pending a redesign.

Using different types of resources that are available now, it's possible to run such a system more efficiently. I have a design in mind, but I haven't implemented it yet. If I do, it will likely be priced pretty close to $120 / year. We won't make crazy profits at that price point because it'll cost us $2,800 / year to operate. We'll need about 25 sites to sign up just to break even, and that doesn't include the time spent developing the new system. For a site with $300,000 / year in revenue, $120 will be a great value. For a site with $3,000 / year in revenue, it wouldn't make sense for them to get it.

Comment Re:he went on to say open source can't be used com (Score 1) 101

He went on about it for a while, so it's not a case of misspeaking, of saying the wrong word. When he said commercial companies aren't allowed to use open source software, I think he meant exactly what he said. That's a lie, of course, but it certainly seems he knew what he was saying.

A vote might well go 48% - 52% or something like that. Ballmer can swing it from 48/52 to 51/49. Ballmer's 3% share is enough to swing many, if not most, votes.

Comment Good question. 280 US citizens or residents (Score 1) 256

> If you don't have enough evidence to arrest somebody, how do you justify putting them on the [no fly] list in the first place?

That's a question I'd like answered. I did find out that about 280 people on the list are US residents or citizens, so that gives us some sense of the level of threat required. Many more people have the same name as someone on the list, and therefore have to go through extra hassle. The number of people on the no fly list doubled in 2012.

> That is right up there with seizing and selling off assets before you even get a conviction
> If there is actual evidence then arresting them makes even more sense. The only reason to put them on a no-fly list would be if you are trying to arrest them, and just want to ensure they don't blow up a plane before you get a chance to do so.

Doing a few minutes of research, I learned that the no fly list doesn't actually stop them from flying. It's a list of people not allowed to fly INTO the US, or out of the US. It doesn't apply to domestic flights. I would say that a nation has the right to deny entry for any reason whatsoever. I don't have to justify why I don't invite someone into my house, and the US doesn't have to justify why we don't invite a certain person into the country. Not letting people leave is a little different. However, it seems that most often no-fly people are indeed arrested if they try to leave the country, so apparently there is cause for arrest - law enforcement would have preferred to wait longer before arresting them.

Based on what I've learned this morning, it seems the process needs improvement, particularly in regard to false positives, but there probably are about 280 people who really SHOULD be on that list. The other list, the terrorism watch list, is much, much larger.

Comment he went on to say open source can't be used commer (Score 4, Informative) 101

> wasn't talking about open source in general

Quoting Ballmer:

> If you use any open-source software, you have to make the rest of your software open source

He went on to claim software written for or by the government shouldn't be open source because commercial companies are not allowed to use open source software.

Comment embrace and extend vs extinguish, apparently (Score 2) 101

The parent company says open source is "a cancer".
The subsidiary he works for says open source is what MS does, sign a NDA and you can see the documentation.
Also, the subsidiary says, open source is when MS buys a trade group to have their patented format voted as a standard.

That's the difference.

Comment circumvention not related to copyright of the manu (Score 1) 273

Under DMCA, trading in circumventing protection measures is unlawful.
The scope has some mechanism that controls access to the copyright protected software on the scope. Circumventing that is a DMCA violation, absent an exclusion.

That has nothing whatsoever to do with the copyright of the owner's manual. The circumvention is unlawful because DMCA says circumvention is unlawful, period. It's not that it is unlawful because it uses a number that is also mentioned in the owner's manual. The owner's manual doesn't matter - circumvention is unlawful because DMCA says so.

DMCA isn't that long of a law, if you care to simply read it and see what it says. You seem to be perfectly capable of reading and thinking about what you read.

Comment A couple citations for you. Phone book not (c) (Score 2) 273

If you were a lawyer, you might start by reading the law (statute).

> § 102. Subject matter of copyright: In general ...
> (b) In no case does copyright protection ... extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery

from http://www.copyright.gov/title...

Also 499 U.S. 340, 345 "[n]o author may copyright his ideas or the facts he narrates."

If the wording of the statutes is unclear, you would look at how the court has interpreted it. Feist v Rural was a Supreme Court case in which someone made an unauthorized copy of somebody else's phone directory. A list of phone numbers is simply facts, not a work of original authorship, the defendant claimed, and the court agreed.

The court ruled "In no event may copyright extend to the facts themselves".

Comment Most computers can use QT, can't use .NET (Score 1) 59

Most hardware sold last year can run QT, and does not run Microsoft.net. "already been fought, and won, by Microsoft". How exactly is having a minority (and falling) market share "won"?

Here's a copy of QT that will run on most of the hardware sold last year:

Where's the .Net that will run on more than a small portion of currently sold hardware?

Comment copyright doesn't protect facts, protects paragrap (Score 1) 273

Copyright doesn't give them control over a fact. "The SKU for feature X is yyyyyyyy" is a fact, and therefore not protectable. If Hackaday had copied and pasted paragraphs of prose from the manual, that would have been copyright infringement because copyright protects a unique expression.

If the manual had a table of SKU numbers and the article had a list, there's no copyright infringement because it's a different, unique expression.
