Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Comment Re:Sure but.. (Score 1) 596

Now how can we apply this to software. Well some precautions can be taken but they generally aren't very effective. It only takes one person out of billions to figure it out and share it. So you have to weigh the costs of implementing copy restrictions which includes the man-hours to develop that code and the inconvenience to paying customers. The shrinkage rate needs to be taken into consideration. Software shrinkage would be unsustainable if you actually lost product every time but you don't. There is opportunity costs but no costs associated with replacing the product.

I have three or four apps on my Android devices which implement DRM features. Some of them are 'phone home' features. Some of them are 'buy a crypto key to activate this app instance' features. You know what? That's fine. I like these apps enough that I'll pay for them. I also like Android's "broken" model enough that I'll stick with Android; Android's "broken" model let me root my phone, clean the ROM's crap out and integrate the Dalvik cache. I can't hope to explain how much this has improved the phone's performance for me.

Given the choice between something like Android and a feature phone, I'd probably go back to a feature phone. Thankfully, Google opened the barn door, and even if Android stops being produced, alternatives like Cyanogenmod and WebOS will take its place. Given the rate hardware's getting commoditized, we're not that far off from someone like BeagleBoards coming out with devices with CDMA, WiMax and GSM modems.

Comment Re:wow (Score 3, Insightful) 158

I doubt Linus is getting more bitchy than normal. He's just had more 'popular' exposure and attention of and to his rants than normal. It's easy to guess why: Google+ gives him a lot more exposure and spread. Prior to his posting the rant against the root password requirement on Google+, I don't think I'd seen any of his opinions outside of near-fluff interview pieces or, possibly, LKML emails.

Certainly, people didn't care as much until they saw him lambast OpenSuSE developers. That got their attention and interest, and so folks like Slashdot and NetworkWorld are more likely to cover it. Heck, this kind of story is even out of character for /..

Linus only seems more bitchy because people are looking at him more.

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

After trying for months to keep ahead of spam using a regex extension called AbuseFilter, I ended up realizing that Google's ReCAPTCHA was broken.

I'm still on top of SPAM, but mostly by requiring email confirmation, and by having three or four people who watch the RC feed, block bad users and delete bad content.

I switched my MediaWiki to QuestyCaptcha. Each of about a half dozen questions about classic literature links to a Wikipedia article that contains the answer.

I'll have to check out QuestyCaptcha, but I've got a lot of non-English users. Thanks for the tip!

Successful spammer registrations dropped to zero. Someone using a wiki farm wouldn't have this sort of story to tell to an interviewer.

Honestly, the story of managing load spikes and such in a VPS environment is a far, far more interesting story to tell than anti-spam techniques. Believe me, I've walked the entire path.

In other words, the "warn" method [].


Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

SSL is considered a subscriber perk.

Ah. I thought I still had subscriber credit. I got one of those 'as thanks can now use Slashdot without ads' emails. Only other time I'd seen that kind of behavior was when I was a subscriber.

For one thing, what sort of anti-spam mods and specialized markup mods do MediaWiki and phpBB farms offer?

Beyond captchas? Very probably things like mod_security, firewall rules blocking bad netblocks from accessing the server. (Doing this was the single most-effective anti-spam mechanism I ever saw.) Using DNSRBLs for realtime tracking of bad source IPs.

For another thing, it might be a custom web application, other than a popular blog, forum, or wiki, that still needs user accounts. Such an application might form part of a job seeker's portfolio to present to prospective employers who "don’t interview anyone who hasn’t accomplished anything" [].

If you're building a site as part of an operating portfolio with a user base, you can certainly afford an extra IP if you need it. Right now, it doesn't cost very much. If you're merely showcasing a web application, you don't need SSL. If the potential employer is going to ding you for being vulnerable to Firesheep on a site where it doesn't matter, either you're applying for a security-related job, or the guy doing the analysis is a pedantic dick.

And if you do user accounts without TLS, you're vulnerable to Firesheep.

I've never argued otherwise. That said, there are ways to cope with things like Firesheep. Such as tying operating profiles to browser fingerprints. (There's a lot more identifying information in each HTTP request than just your User-Agent string.)

Most shared web hosts that I've looked at don't even offer SNI hosting because they cater to the IE-on-XP demographic.

Then either educate them, use a different provider, or school them by running a shared web host that does offer both SNI and IPv6, and advertise like crazy on Slashdot and Reddit.

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

So in other words, IPv6 from the backbone to a home PC's 802.11g radio will be deployed around the time the last mainstream non-SNI PC operating system is scheduled to die anyway [].

Pretty much.

So how would you explain to the users that a blog, forum, or wiki is supposed to raise a serious certificate error after the user is logged in, and that HTTPS with such a serious error is safer for the user than an HTTP connection that can be Firesheeped?

Ask the gentoo guys behind, who use a CA whose cert isn't generally shipped, or anyone who's using a self-signed cert. I'm not here to get into an argument of over the weights, values and concerns of various degrees of encryption and authentication. For some, it's enough that passive sniffing isn't feasible. For some, that isn't enough, and you need to authenticate the server identity.

Don't ask me to make grand sweeping statements of 'X is enough security', because security is a case-by-case thing. Heck, I note that even Slashdot isn't defaulting to SSL.

The difference between $5 per month name-based shared hosting, which may put a thousand or more domains on one IPv4 address, and a VPS. You mention a $5 to $7 per month VPS plan; which provider do you recommend?

I use I wouldn't put a full LAMP server on a $7/mo plan; the low-end plans wouldn't really be up to it. But, again, I could easily imagine paying that just so you can drop a squid proxy server on it listening on port 80. Have your domain point to that. Have squid serve as an accelerator proxy, pointing to your shared hosting provider. Squid can wrap your clients' connections with your SSL cert so they can't be firesheep'd on their local wireless or by their local malicious network. Granted, the connection between squid and your shared hosting provider is unencrypted, but the people on that route are far less likely to care. (so long as your VPS and shared hosting provider are in the same country).

Personal use SSL certificates have been free of charge from StartCom for some time now.

StartCom's free certs are only good for a year. You're far better spending off a dollar or two more per month than spending time every year coping with cert rollover headaches. If you can't afford that (after spending $7-10/yr for a domain), I have to wonder why you aren't using a wiki, forum or blog farm that handles these things centrally, and for free.

Is there a standard WordPress app, a standard phpBB 3 app, or a standard MediaWiki app?

There's a Wordpress app. I don't know if a MediaWiki app has cropped up, but I'd been considering writing one as an interface to my own site. I don't know if anyone's written a phpBB 3 app, but I can imagine some real benefits to it. (Imagine having your phone use the normal notification channel to inform you of PMs or replies.)

The market is in a crunch right now, with security concerns and IPv4 address depletion. It's not a pretty situation, and something has to give. Before anything else, that's going to be the IE-on-WinXP market. (IPv6 doesn't even solve the IE-on-WinXP issue, since you need to explicitly enable experimental IPv6 support to get it on WinXP)

According to Google Analytics, my site had 126,947 visits over the last month, and only 5,480 of those were from IE-on-WinXP. That's 4.3% of my traffic. I'd stop giving one whit once that's down to about IE-on-XP once it's down to about 5%, so IE-on-XP is no longer something I need to care about. Heck, I had 22,387 visits from WinXP during the same period, which tells me only one in four WinXP users are still using IE when they visit my site.

IE-on-XP is not a demographic most people need to be reaching for. And, really, if you need TLS, and you need a non-SNI circumstance, and you can't afford another $5/mo (heck, even Linode was only charging $1/IP more, last I checked), then you need to put up a donation link with something like PayPal, and get your users to help support a service you obviously can't afford to provide on your own. That's what carried my site for a couple years.

Comment Re:Internet Explorer on Windows XP (Score 1) 136

What is your plan to make it happen? Will you be breaking in to people's homes and replacing their PCs?

Nobody has to make anything happen that isn't already either planned (Microsoft will stop supporting it) or physically inevitable.

Hardware will die. Software will get screwed up. Installation media will be missing. It will become cheaper for the 'family tech guy' to get his parents something newer or different as a replacement. There will be die-hards who will want to stick with Windows who will refuse to change. Those die-hards are outside the demographic of the vast majority of website maintainers.

So it went with Amiga, Commodore64, DOS, Win3.1, OS/2, Win95, Win98, IPX, token ring, Linux ipchains, VAX. DEC Alpha. So it goes. So it shall go.

When you are done, you should make everyone stop smoking and end poverty.


Comment Re:Google only recommends SPDY with SSL/443 (Score 2) 136

Translation: SSL libraries are big and scary, SSL is big and confusing and I have no idea what the hell it does so it's bad.

Actually, the better argument I've heard is that it OpenSSL is very poorly documented. And I've heard this complaint from numerous the point where some even started looking into fresh implementations.

Comment Re:IE on XP, and Android 2.x too (Score 2) 136

If you think home ISPs haven't been scrambling to catch up on IPv6, you haven't been paying attention! Comcast is rolling it out right now. DSL providers are deploying 6rd. Mobile providers are deploying. Within a year, most end-users (in the US) will have access to IPv6 from their ISP. Within two years, most end-users will have replaced their non-IPv6 CPEs with ones which support IPv6. But IPv6 isn't the only solution to the problem, either.

Right now, most small website operators should avoid TLS if they only have static content. Otherwise, they need to make a decision between supporting XP and shelling out for a dedicated IP. Me, I'd probably drop support for XP, and let the end-user click through a cert warning if that's what they're inclined to do.

How much more per month are we talking about for a dedicated IP, anyway? I know how you'd set up joe random guy with a dedicated IPv4 address using a proxy server on a $5-7/mo VPS. Seems cheap to me, especially compared to what joe already spent to get a valid SSL cert.

As far as Android...a number of websites are pushing their users to use simple apps instead of the Android browser. As a user, this annoys me, as my LG-509 doesn't have much space unless I root it and clean it...but I can see how it offers a better interface to the server, and how it changes authentication and connectivity concerns.

Slashdot Top Deals

You can tune a piano, but you can't tuna fish. You can tune a filesystem, but you can't tuna fish. -- from the tunefs(8) man page