
Comment "pass" (aka (Score 1) 415

In as tech, Linux, and retro community as Slashdot, I give a particular shout to "pass" ( Takes a little time to realize how simply powerful it is. And, it's literally nothing but GPG, Git, and a long but easy-to-read Bash script. Also, works really, really well for a team that needs a secrets vault. Back when we did that with KeePass, we'd always get out of sync. Now? It's a git-merge, just like the code.

Want more advanced security than that? My teams' GPG keys (and SSH keys for Git) are on smartcards (Yubikeys to be specific) which means the actual private keys are never on our (day to day) computers.

In the broader sense of the question, yes, you should use a password manager. I have 300+ passwords (and password-like little bits of info). All different, all randomly generated. I never forget one. Not sure how you do that without a pw manager.

Comment Re:Monopolies hurt everyone but (Score 1) 89

"That sort of thing" stopped, technically, in 1996 by federal law. No, really.

Here's the NYC cable franchise agreements:

Inconveniently, they're non-searchable PDFs. But, go read em. Every one of them is a non-exclusive franchise agreement, because exclusive ones have been illegal since the Telecoms act of 1996. True story.

Now, reality on the ground is that 'overbuilding' has basically led to bankruptcy every time it's ever been tried due to the huge first-mover advantage. And, it's not that government is blameless... they'll usually demand 100% coverage of a region not pick-n-choose customers. But, it's wrong to say that the Franchise Agreements are exclusive.

Comment Get with it cloud providers. And network providers (Score 1) 150

Every time I see a "new big features" announcement from the big 3-5 cloud vendors (AWS, Google, Azure, etc.), I keep hoping that one or the other is going to really buy in to IPv6. And I keep being disappointed.

There are some ways to get them playing moderately nicely with IPv6 (especially if you're buying load-balancing services from them), but most of their networks are IPv4 internal-routing subnets.

Meanwhile, the middle range VM places (Linode, DigitalOcean, etc) are far more IPv6 friendly. My understanding is that is because they use standard commercial networking gear. While the biggest clouds (AWS, Google, etc) have totally custom network stacks which trade affordable performance for full feature sets.

Between the cloud vendors poorly supporting IPv6 and insanity like the Cogent-v-Hurricane split of the IPv6 internet (holy crud... it's SEVEN years now since Hurricane baked Cogent that cake begging them to peer with the world's largest IPv6 network... and it's still broken), it's amazing IPv6 has as much traffic as it does.

Comment Re:Grandma don't do no registries (Score 1) 220

Grandma on the other hand likely had no issue whatsoever. Windows 8 was really easy for someone to pick up and use. However it was a jarring screwup for the power user.

My take: Windows 8 (esp. pre-8.1) was, arguably, a decent UI for a total blank slate user. It was a mildly annoying UI for a hard-core power user. It was, however, a complete and total disaster for the hundreds of secretaries and teachers I was dealing with at the time who were just barely computer savvy, but had at that point accumulated 15-20 years of hard-earned "Start Menu like this, click this/double-click that, files work this way" folk wisdom, and Win8 broke rather a lot of that.

Comment Re:PGP signature (Score 2) 152

What even totally zero-web-of-trust PGP gives you over "here's your .tgz, here's the SHA1 from the same server" is reproducibility. I can't 100% ascertain that key 0xDEADBEEF really is the Apache Tomcat project signing key unless I know someone who knows someone. But, I *could* verify that the Tomcat tarballs I downloaded three and six months ago and the one I downloaded today were in fact signed by someone with the same key 0xDEADBEEF, so if their site has been hacked it's a very long-running hack.
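The key-continuity check described in the comment above, as an added example that is not part of the original comment: it parses the machine-readable output of `gpg --status-fd 1 --verify` and compares the signer's fingerprint with the one recorded at the first download. The fingerprints, the `pins` store, the project name and all function names are constructed for illustration.

```python
# Trust-on-first-use pinning of a release signing key, driven by the output of
#   gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz
# All fingerprints below are constructed placeholders, not real project keys.
KEY_A = "A1" * 20   # key seen on the first download
KEY_B = "B2" * 20   # a different key showing up later

def sample_status(fpr, good=True):
    """Build constructed gpg status output for a signature made by `fpr`."""
    if not good:
        return f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {fpr[-16:]} Release Key (constructed)\n"
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Release Key (constructed)\n"
            f"[GNUPG:] VALIDSIG {fpr} 2016-01-01 1451606400 0 4 0 1 8 00 {fpr}\n")

def signer_fingerprint(status_text):
    """Return the primary-key fingerprint of a valid signature, else None."""
    fpr = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG"):
            return None                      # any failed signature rejects the file
        if parts[1] == "VALIDSIG":
            # Full VALIDSIG lines end with the primary key fingerprint;
            # shorter ones only carry the signing (sub)key fingerprint.
            fpr = parts[-1] if len(parts) >= 12 else parts[2]
    return fpr

def check_continuity(pins, project, status_text):
    """Compare the signer with the pinned key; pin it on first sight."""
    fpr = signer_fingerprint(status_text)
    if fpr is None:
        return "reject: no valid signature"
    pinned = pins.setdefault(project, fpr)   # first download records the key
    if pinned == fpr:
        return "ok: signed by pinned key"
    return "alert: signing key changed"      # needs out-of-band confirmation

def demo():
    """Three downloads months apart, then a bad signature and a swapped key."""
    pins = {}
    runs = [sample_status(KEY_A), sample_status(KEY_A), sample_status(KEY_A),
            sample_status(KEY_A, good=False), sample_status(KEY_B)]
    return [check_continuity(pins, "tomcat", s) for s in runs]

if __name__ == "__main__":
    print("\n".join(demo()))
```

A changed key is reported, not trusted automatically, because a legitimate key rotation and a compromised download site look the same at this layer.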

Comment Yet the 101 still sells (Score 3, Interesting) 551

Interesting coming from a company that will sell you a 3y9m old machine today ( Reports are that they still sell rather a lot of them, because they're upgradable, repairable, and work just fine.

As for me, my 2010 MBP literally came out of a garbage skip. Found it with a bulging/burst lithium battery (far from an Apple-only issue). $50 worth of eBay grey market battery later, and I have a pretty solid machine for XCode and Mac testing. If it weren't for that, I just wouldn't test or dev anything for Macs. Couldn't afford to.

Comment Re:wait, is this a siri issue or an apple pay issu (Score 1) 223

The Samsung Pay magnetic induction method is patented tech, from a company called LoopPay which Samsung bought.

AFAIK, they aren't licensing it to any other manufacturers at this time, because it gives them a clear distinctive advantage in an otherwise pretty-commodity marketplace.

NFC is also hugely more secure.

Comment Re:Two ways (Score 1) 167

Newer Yubikeys (Yubikey 4) allow up to 4k RSA keys, as well as some elliptic-curve keys. Mind you, smartcard-based 2048-bit RSA encryption is wildly better encryption than 99.9% of the world. Especially if you're not really thwarting the NSA, 2k is FINE.

But in general you're absolutely right. Carrying around an easily copied keyfile is really no spectacular increase in security. Smartcards (where the decryption step happens on a completely separate micro-micro-processor, right there inside the same physical chip as the memory) are by far the best answer we've got.

As for the question on safekeeping? The extreme paranoia method is to generate your keys on a totally airgapped (no network) old laptop and save the backup private keys in an encrypted volume. Then copy the private keys onto a smartcard/Yubikey for daily use (most smartcards allow a one-way push of a private key from PC->smartcard, but no retrieval of the private key).

Comment Penny wise... pound... what was that again? (Score 1) 168

What does a decently-spec'd MBP or non-Apple equivalent and a mid-grade commercial IDE cost these days? $2k at the most?

Even if you are hiring 18-year-olds in rural South Dakota, you are looking at $50k a year ($35k salary + other direct costs), the $2k is *nothing*. 16GB laptops, SSDs, giant screens, and huge backup arrays are close to nothing.

Don't be that cheap guy. Don't work for that cheap guy. If you are your own boss and are the one cheaping out on your own self... look in a mirror, do a Stuart Smalley Daily Affirmation and step away from cheapness-first.

Where does this penny-pinching come from in IT? I think I know where it comes from, because I was there. Let's take a random year like 1989. A new 'fancy' machine, like, say a Mac IIci with a color monitor was over $10,000 ($20k in 2016 dollars). No joke. Half a year's salary. If you were able to do much of the same stuff on a cobbled-together PC/AT clone for a third of the price, you were ahead. Great. I grew up poor, with a bunch of nerdy poor friends, and we were scrambling to put together thrown-out old Zenith 8088s. Great.

It's not 1989. Especially when you compare, say, a two-year-old Thinkpad for under $500 to 'making things work, mostly' on a slightly cheaper Chromebook (I'd want the former, no question)? It's Just. Not. Worth. It.

You want your developer to have the oomph to play with VMs and Docker and whatever cool crap comes out tomorrow.

As for everything else? With all my tooling scripted up and in version control, I can go from an Ubuntu iso to basically fully operational in about 90 minutes. Might suck a lot more with Windows fiddle-twiddling (especially if you're not big enough for images and domain-centric centralized management). Syncing, teamwork, and deployment are already covered... and it's not the IDE's bailiwick.

Comment Re:Come on (Score 2) 720

Right with you there. Look, I've been a Linux user, one way or the other, for even a little longer than that (Slashdot ID checks out). I've been whatever-coexisting with Windows for the last decade or so. The period where sound and wifi were sucking on Linux (and IE ruled the web) coincided with me having enough income to buy new-out-of-box laptops. So, grew to live in a Windows desktop, Linux server peace. Actually didn't hate Win8/8.1 for my own needs (though I agree it was a UI disaster for non-power-users).

Between the Win10 spycrap and the nag screens, though, I finally said 'fark it'. I'm back to 100% desktop Linux, 100% of the time, for the first time in over a decade. It's really, really refreshing.

Comment So then... why bother with the bloody paper tapes? (Score 5, Insightful) 288

If it's legally impossible to request a review of them, why bother with creating and storing the paper tapes in the first place?

Which leads, I guess, to the next question. If it's legally impossible to review an election, why bother holding them in the first place?

Comment CD-ROM via the TI-99 dead-ender community (Score 1) 136

Early 1995, still in high school. I was in a small town in Kansas. Absolutely disconnected from the pre-web internet. No BBSes or anything that wouldn't be a long-distance call. And my parents were fairly poor (okay... lower-middle income but horrible with money), so no long distance.

But geeky. My dad bought into the TI-99 after TI pulled out of the home computer industry because he could buy a computer for $50. There was a whole community of people who did fairly amazing things with 15-year-old hardware well into the mid-1990s (heck, there's still a few around today, like old Atari/Amiga/Apple ][, etc groups). One day, along with the shareware TI 5-1/4" floppies that we were mailing around with other users, there was a Slackware CD. I had recently scrounged together a 486 that was capable of running it. And Bob's your uncle.

Comment Use mine 20+ times a day (Score 3, Informative) 88

Really addicted to mine. I have my private SSH key on there (via GPG/PGP), so that's never on my working machines. Use the standard OTP on several personally-run sites. Use U2F security for Google apps. Use the TOTP (a.k.a. Google Authenticator/Authy) app. Use the challenge-response mode as a second factor on my KeePass database. Amazing gadget.

The question regarding the teardown is... "so"? Even with full pin access to the A7005 chip, you *STILL* wouldn't have access to my GPG/SSH private key or my TOTP generators within it. That's the point of a secure element. You'd have to dissolve the casing of the A7005 chip and have a decent microscope lab to get those bits of data out of the chip. You would be able to use my U2F/OTP/TOTP-generated-code functionality. But, you could do that just by stealing my Neo and plugging it into a USB slot without any acetone bath involved.

Comment Re:What we need is,,, (Score 2) 190

As said above, SSA doesn't have any sort of biometric verification of "who you are".

And, as said above, your SSN shouldn't be used as an identifier. If we need a common citizen ID number, fine, but it shouldn't be anything but identifying (i.e., effectively public knowledge).

It's the gorram 21st century. We've had public-key encryption figured out for over 30 blessed years now. Most people in the first world are carrying around several crypto smartcard devices already (EMV compatible credit cards and other smartcard tech).

Much of the world now has ID cards with cryptographic chips in them. When you open a line of credit, you prove, through RSA/elliptic-curve signatures that you are YOU via your ID chip. If you lose your ID, it gets put on the centralized revoke list, the issuing agency goes through whatever in-person process to verify you are you, and gives you a new ID. This can extend to online purchasing, online voting, etc, etc.

But, we're so freaked out about government black helicopters that we just accept the whole fraud thing as inevitable.

Comment Re:Consider the alternative question (Score 1) 496

Is it, though? It was infinitely easier to carefully (okay, obsessively) portion out the 1700 kCal per day I could eat and maintain just-under-obese status when I was single and nearly a hermit. Married (to a gal with better metabolism than me), there's simply endless, "hey, I made cookies" or "hey, I'm just springing on you that we're going out with friends for fish-n-chips tonight" temptations.
