
Comment Re:"IT" is on its way out (Score 2) 272

"The industry" is always saying that. I've been doing this for over 30 years, and they have never stopped saying that. That doesn't make it true.

The thing is that it's always to their advantage if more people go to school in those fields, if governments make it easier to immigrate with those skills, etc. It doesn't necessarily mean there aren't enough people qualified to do the work. It may mean that they would prefer a glut of such people so they don't have to pay very much. And it's no skin off a CxO's nose if some of the people who spent the time getting the qualifications are working at McDonald's.

Comment Re: Oh how cute! (Score 1) 42

When the Snowden stuff came out, it turned out that the NSA was tapping cables, including cables belonging to Google, and getting tons of cleartext traffic.

The article says that Google wants its own pair "to keep its traffic private". Maybe that's just a misunderstanding or misphrasing. But it doesn't inspire confidence given that they screwed up and didn't encrypt last time.

Comment Re:Ok, guilty. (Score 2) 54

If it were open source, it's still BS because you KNOW most people that use Tor aren't developers and aren't going to set up an environment to compile an extension to ensure every line of it is clean.

They also haven't read the source code for Tor or for Firefox or for the OS they're running all of it on. Package it with Tor and it's no worse than the rest of the TBB. In fact Cloudflare is trying to do it as an RFC so you could have multiple independent implementations.

Let alone what it sends to CAPTCHA to work around the problem; doing so can be used to easily identify who is using Tor to make them a target rather than the exit nodes or whatever they're called now.

If you'd read it, you'd have seen that they propose to use cryptographic blinding to prevent that. Which is the whole reason for having the extension in the first place.

What is it that they say about "a little knowledge"? There's sure a lot of that going on in this thread.

Comment Re: Identifying the user?? (Score 1) 54

Aka a cookie? So why the need for a browser extension?

Because it wants to blind the token.

NSL to CloudFlare and data slurp commencing in 5... 4... 3...

NSLs don't work that way. Even the DOJ doesn't claim they can do that with an NSL.

There is, of course, a risk in running any code. But in this case one assumes they'll publish the code.

Comment Re:Down with the CA (Score 1) 45

I honestly think that people are actively sabotaging all of the above approaches.

It's to the advantage of the existing CAs to go make trouble every time something like that comes up at the IETF or wherever. And it's to the advantage of the world's spooks to slow down any standardization that improves security, preferentially slow down the standardization of the most effective alternatives, and make sure that everything is so complicated and option-laden that you can always find a mode you can break.

I don't think there's some vast shadowy conspiracy with central control. Just a lot of players with reasons to fuck things up. Sometimes they may cooperate, but probably they mostly just engage in "leaderless sabotage".

The standards bodies/processes at least try to defend against commercial interests who want to get things they control standardized over technically better alternatives. But once they do get captured, they're hard to un-capture. And they have almost no defenses against players whose only interest is simply to make things not work. And because mentioning the possibility sounds like a conspiracy theory, it's even harder to get them to adopt such defenses.

Comment Re:It's not hard to hack a CA (Score 1) 45

Oh, I forgot the other major reason that the CA infrastructure is shit, which is that those verification standards are indeed too lax. If you can impersonate the server in the first place, you can probably fake control of the domain well enough to get a certificate. But again Let's Encrypt is no worse than any of the others.

Comment Re:It's not hard to hack a CA (Score 3, Insightful) 45

The idiots behind let's encrypt don't understand that the first and role of the public CA system is identity non-repudiation, but they issue certificates with any name to anyone who asks.

You don't have a damned clue how this stuff works, do you?

All the public CAs issue non-EV certificates based on the ability to control email and/or DNS information for domains, and most of them automate it. Their verification standards for non-EV certificates are on page 13 of

Let's Encrypt does exactly the same verification and meets those standards. Let's Encrypt is actually ahead of some of them in that it uses a published and publicly reviewed verification protocol (ACME) to check control over the DNS.

Yes, the CA infrastructure is shit, mostly because all you have to do to impersonate any domain is to find any CA you can trick. No, Let's Encrypt is not any worse than the hundreds of other CAs that the browsers trust.

Comment Re:Are you for real? (Score 1) 424

What did she do to screw up her ex's life, exactly?

She sent him a nasty message. A message that mostly said she could do fine without him, thanks. He was not in the video. The only "shame" directed at him was basically a statement that it was possible for somebody to exist and have a sex life without involving him.

Yeah, it was a bitchy thing to do, but it was a single message and there was zero chance that the whole world was going to start taunting him about it. It wasn't going to even be part of his life for more than a couple of minutes, and there was sure as hell no way that thousands of people would be on his case and forwarding it all over the Internet for years to come.

Absolutely no comparison. Not even a potential comparison. There was no chance that anything even vaguely close to what happened to her could have happened to him. Sorry.

And if it had, that would have been a bad thing too. Even if HE had somehow invited it.
