
Comment Re:Tweak The Topic (Score 1) 160

But the truth is, the easier it is for terrorists to conduct attacks, the more of them there will be in the future (why not?).

It was easier in the past, and there weren't more of them then. Terrorism isn't cosmic inflation; it doesn't just spring magically from the laws of physics.

I could as easily argue that you create more terrorists by alienating people with heavy handed policing (why not?).

The folks sworn to protect us are probably decent for the most part

What does that have to do with anything? Decent people get caught up in all kinds of bad things. A lot of terrorists are probably decent in the same sense, just brainwashed about something they think is More Important(TM).

and they do not want to fail, no matter what.

That's what makes them dangerous. The fact that they have enormous resources and public support is what makes them more dangerous than terrorists.

But with every attack there will be more and more people pressure to protect their kids, etc., and this will cost money/freedoms too. "So what's the answer?",

Tell the idiots to suck it up and get over it.

Doing nothing will not work.

You're right. That would leave the present abuses untouched. We need to roll back about the last 17 years of this BS.

Comment Re:Has it been programmed to lie? (Score 1) 29

That is, of course, the whole point.

Once they spend however many years it takes to work the bugs out of this sort of thing, the obvious hope is that it will be able to lie to you much better than a human could, because it will never, ever have any of the tells a human does... but it will be able to send the signals that trick your monkey brain into thinking it's your friend. Better yet, it will be good at misleading you without technically lying. It will never forget to upsell, and it won't just be following a fixed script. It will be superb at manipulating you to get the maximum amount of money out of you, and it will never, ever feel remorse at talking you into a bad deal, no matter how obviously poor and naive you are.

Not just at car dealerships, either. The creepiest thing so far along those lines is the cloud-connected talking Barbie doll.

Comment Re:Not JVM (Score 1) 172

As a user, having seen the kind of code that's actually offered for me to use, I don't want it to be any easier than it absolutely has to be to leak memory. It can be really easy to drop a cyclic reference, or conversely really hard to keep track of when you have them. The programmers writing phone apps have shown that they're not up to that kind of challenge.

In this day and age, programmers shouldn't have to think about the internals of the runtime. Stuff should just work. And I'm willing to take a performance hit for that if need be.

Comment Re:Seriously?? (Score 3, Informative) 307

  1. Battery life is what started this. Battery life on pagers is better than battery life on any phone, even the simplest. And replacement batteries are everywhere.
  2. Coverage is better inside buildings and in other hard to reach places. Many posters mentioned this before you posted.
  3. Somebody already replied to you about "secure areas".
  4. One-way pagers, at least, don't track or report your location; the page is just broadcast over the whole coverage area.
  5. Pagers can be physically smaller than any phone.
  6. Somebody further down mentioned the reliability advantages of being on a totally separate network from the cell network. You CAN have both.
  7. Pager software is simpler and therefore at least possibly more secure, even than the simplest phones.
  8. Pager hardware is slightly cheaper, which may matter if you expect you might break it.

Comment Re:.. visiting a web-site running as an onion ser. (Score 1) 37

Actually, when you configure a hidden service on Tor, you have a choice of where the traffic coming out of the tunnel will go. You can send it to any address on the host, or even to another host.

But it's easy to forget that 127.0.0.1 isn't necessarily the best choice. And, worse, the Tor project's example configuration uses it.

It's actually usually better to run the server on a separate machine from the Tor process, anyway, for a lot of reasons.
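
An added example, not part of the comment above and not the Tor project's own code: a small audit that reads a torrc and reports where each `HiddenServicePort` forwards, so loopback TCP targets (where the backend sees onion visitors arriving from 127.0.0.1) stand out from Unix-socket or separate-host targets. The sample torrc, its directories and its addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample torrc; directories and addresses are placeholders.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site_a/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 22
HiddenServiceDir /var/lib/tor/site_b/
HiddenServicePort 80 10.0.0.5:8080
HiddenServiceDir /var/lib/tor/site_c/
HiddenServicePort 80 unix:/run/site_c/web.sock
"""

def classify_target(target):
    """Classify a HiddenServicePort TARGET: loopback, unix, remote or unknown."""
    if target is None or target.isdigit():
        return "loopback"   # omitted target or bare port: tor uses 127.0.0.1
    if target.startswith("unix:"):
        return "unix"       # Unix domain socket, no TCP source address at all
    if target.startswith("["):
        host = target[1:].partition("]")[0]   # bracketed IPv6 literal
    else:
        host = target.rsplit(":", 1)[0]       # addr or addr:port
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "remote"
    except ValueError:
        return "unknown"    # not an IP literal; needs a manual look

def audit_torrc(text):
    """Return (service_dir, virtport, target, kind) for every HiddenServicePort."""
    findings, current = [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "hiddenservicedir":
            current = parts[1]                 # following ports belong to this service
        elif key == "hiddenserviceport":
            target = parts[2] if len(parts) > 2 else None
            findings.append((current, parts[1], target, classify_target(target)))
    return findings

if __name__ == "__main__":
    for svc, port, target, kind in audit_torrc(SAMPLE_TORRC):
        print(f"{svc} port {port} -> {target or 'default'} [{kind}]")
```
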

Comment Fuck 'em (Score 1) 172

I've been running open WiFi for over a decade now, and I don't mean to stop. And the load is very low, by the way; I've only had one problem and was able to resolve that very quickly.

But if my connection is going to be loaded in any way by random people, I'll be damned if my ISP is going to get paid for it. I already pay them for that bandwidth.

Not that I'd ever use those particular ISPs anyway... one reason being that their contracts tend to try to tell me I can't run open WiFi.

Comment Re:No questions linger (Score 0) 78

That's dumb.

There are going to be spooks out there trying to subvert any major company. Probably spooks from more than one place. They will pressure the bosses. They will pressure peons without telling the bosses. They will penetrate. They will infiltrate. They will do it to everybody. That is what spooks do.

And they'll get success more or less at random. And that's on top of all the "organic" bugs they will find and exploit.

And people move between these companies all the time.

The strangest thing about this Juniper back door is how obvious it was. Maybe it was a rookie agent.

The lesson you need to take from this is that you can't really trust anything against certain adversaries unless you built it yourself. And then you can't trust the parts. So if the spooks are your worry, you'd better defend in depth and keep off the radar.

Comment Re:Why we need access to the *complete* set of cod (Score 1) 128

If you control a network interface, you can generally control the entire system, because those chipsets have DMA access to the internal memory of the rest of the computer. You may have to do some work to figure out how to find and corrupt the OS data structures, but you have access to everything.

If the owner of the system is very lucky, there'll be an IOMMU (without a back door) and the OS will have programmed that IOMMU to do something useful. But you can't rely on either, especially in embedded devices.

Also, the driver for that chip is very unlikely to be hardened against the chip sending back exploits. The driver will distrust the network data (and won't process them very much anyhow), but it's going to assume that, say, an offset in a chip register is a valid value.

Comment Re:This is really a regulatory problem (Score 1) 115

"using equipment long past their usable life span"

You realize that phrase is self-contradictory, right?

Windows XP and IE6 support SHA-2.

You realize that PC operating systems aren't the big problem, right?

users know the exact risks and are either working around them or living with them (and unlikely to be browsing Facebook anyway).

Facebook disagrees with your assessment of what people are using to browse Facebook, and is doing a lot of work to support those out of date systems.

Comment Re:This is really a regulatory problem (Score 1) 115

Actually yes. Hiding the costs is not OK and externalizing them is worse.

In this particular case, though, it might actually be cheaper to just upgrade all the affected devices than to screw around with some of the proposed workarounds. It's not free for, say, Facebook to come up with whatever weird fallback hack they're pushing. By the time you add up the costs of everybody having to deploy that kind of crap, it would almost certainly be cheaper just to fund somebody to fix most or all of the affected devices. It might or might not be hard to raise the capital to do that. But as it stands you can't do it anyway, because there are a bunch of other barriers in the way.

Comment This is really a regulatory problem (Score 0) 115

Manufacturers dump stuff on the market and never update it. Therefore poor people who can't afford to completely replace their devices can't use new crypto. Therefore either those people are screwed by being cut off, or the entire world is screwed by broken crypto. Note that this situation damages third parties.

The right answer is for governments to do their job and set some rules in the marketplace. I suggest these:

If you sell something, you are responsible for its software in perpetuity. You will release timely updates at no charge. When you stop releasing updates, even if it's been 50 years and even if the reason is that you're going out of business completely, you will unlock the devices and release full source code, documentation, and any necessary tool chain. You will also waive any IPR you have that might impede somebody else from releasing updates. And no, it is not enough to just let Grandma off in her village compile her own update; you have to let anybody who wants to distribute to her.

That's criminal law. If you don't do those things, those responsible for making that decision will go to prison. AND you will be civilly liable to anybody who's damaged by your failure.

Another possible item: If you own something and connect it to the Internet, you are civilly responsible for due diligence. Those updates the manufacturer provides? If you don't install them, and don't isolate the device properly, and your device gets used to hurt somebody else, you pay all their costs. Your un-updated phone got used to hack Intel? Hope you have liability insurance...

Comment Re:Can I bid on the cash cops seized without warra (Score 1) 63

I don't see where any of the items on the auction site actually link to their history. The only links like that are the couple of links that were in the news story.

You're going to have everything from the actual proceeds of crimes people were actually convicted of, to things closely related to such crimes, to stuff taken with criminal convictions, but under punitive statutes that are designed to confiscate basically all of somebody's property (and effectively impose unconstitutional excessive fines under a different name), to stuff taken under civil standards of evidence and procedure that don't remotely approach "due process".

How are you going to tell the difference?
