Comment Re:Downloaded 1 or more bits (Score 1) 68

The plaintiff should be required to download the entire file and to ensure that the checksum of said file matches the file offered via the plaintiff's service.

They did. That's the whole point of the "direct detection" statement. They connected to the peers in the swarm and were able to download valid (SHA1 verified) chunks of the file from the defendants.

Comment Re:from the five-days-too-late dept (Score 2) 42

Unfortunately it's the only two factor authentication system that's going to work for the public at large. It's a simple system that works with any and every cell phone on the market, with no need to (re)develop applications for multiple OSes, manage syncing those applications to a master server, and then handle user support issues when those applications break.

The problem with "proper" security is that it works against the user. Long passwords that you can't remember, SecurID tokens that you never have when you need them, and finicky fingerprint readers that are too easily fooled by fakes. And in the end, all of this just gets subverted by social engineering, calling the help desk and convincing the rube on the other end to reset the account password. Unbreakable security fails at being friendly when faced with the fallibility of users, and at the same time it's only as strong as the weakest human who has control over it.

The fact of the matter is that the only real threat to PSN users is going to be criminal gangs harvesting accounts en masse. A token two factor system, properly implemented, is going to be enough to stop that. It's security that's good enough. Otherwise you'll quickly discover first-hand how perfect can be the enemy of good.

Which is not to say I advocate poor security. But so far no one has come up with a better way to do it. It has to be universally compatible and it has to handle user failures gracefully, and there are very few ways to do that.

Comment Re:Conspicuous Silence (Score 1) 93

It's a pathetic 35 megabits per second.

Unfortunately you're not going to get much better on cable, even with DOCSIS 3.1. Upstream requires valuable low-frequency spectrum, which there's only a limited amount of and there's contention with other services (cable boxes, VoIP, etc). Meanwhile it's a noisier shared environment, so you also can't use as high of a bitrate as you can on the downstream.

Fiber is clearly better in this respect. But it's the tradeoff of using the copper already in the ground as opposed to having to dig up streets to lay down new fiber.

Comment MOD PARENT UP (Score 1) 145

The parent is spot on.

And just to add to that, until their recent run of profitability, the last time the airlines as a whole were consistently profitable was in the 1990s, before the dot-com bubble popped. Between roughly 2001 and 2011, they cumulatively lost money (the one bright spot was 2006, but of course the Great Recession hit).

http://web.mit.edu/airlines/analysis/analysis_airline_industry.html (apologies for the tiny image, but historical data more than 5 years out is typically paywalled).

It wasn't until we exited the Great Recession, airlines started charging for food and bags, and airlines did more to increase the passenger load factor (percentage of seats that are filled) to historically crazy levels that they finally became profitable as they have been in the past few years. Until then, even in decently good times, the underlying costs were pulling them down. Too many pilots and attendants drawing too high of a salary, too many flights going out less than full (i.e. too much spare capacity), etc.

So you can imagine why airlines weren't in any rush to invest in high cost, risky IT upgrade projects. When you're trying to just stay in the black, any optional cost not part of the core business (flying) is a risk.

Comment Unifiedcomplete Preference Removed (Score 1) 236

Heads up, FF 48 has removed the browser.urlbar.unifiedcomplete setting. This setting was introduced in Firefox 43 to disable the annoying Unified Complete system introduced in that build. Unified Complete is what causes the first drop-down result to be "Visit/Search With [domain]" rather than the most relevant result, as was the default before Firefox 43.

Since the preference has been removed entirely, there is no current way to get this behavior back. It would need to be fixed by an extension.

Comment Re:Vulnerability (Score 2) 38

Why is this considered a jailbreak (a good thing) and not lauded as a remote code execution vulnerability that it actually is? If one web page can execute code, that means another web page can execute different code, installing a backdoor to your network, etc.

Because no one uses the Vita browser. It's terrible, especially by modern smartphone standards. It's hard to seriously classify this as a threat when the odds of a Vita browser coming across a malicious site sit at just a hair above 0.0%.

Comment Re:Locking out open source hardware (Score 4, Informative) 440

This is a move to make sure Open Source software developers and individuals cannot produce Kernel mode drivers.

No. This is a move to further prevent kernel mode malware, because it turns out trusting developers wasn't good enough. That it impacts OSS is collateral damage - and something that can be dealt with, at that - as while OSS is popular here on Slashdot, it's not much more than a blip in the wider Windows world.

The whole reason we're even going this route is that trusting developer signed drivers has proven inadequate. Microsoft started requiring developer signatures (cross-signed) in Windows 7. This significantly cut down on driver based malware, but it didn't eliminate it entirely. It just raised the barrier to entry. Instead malware authors would just eat the cost and buy a certificate, or the especially crafty/evil ones would steal another vendor's keys, as we saw with the Realtek case. Either way Microsoft has had enough of it, and hence Windows 10 requires that they sign off on all drivers so that no one can just ship an (obviously) malware-infected driver.

I don't mean to be snarky/belittling here, but if you think that Microsoft is doing this as a strike against OSS, then you haven't been paying attention to the wider world. OSS on Windows certainly exists, but OSS projects that require kernel mode drivers are exceedingly few and far between. Which is not to say that OSS isn't a threat to MS to some degree, but that threat is from Linux, not OSS projects that require a kernel mode driver running under Windows. MS's prime concern is further reducing the ability of malware to hang out in the kernel space, as once malware makes it there it becomes virtually impossible to identify, contain, and remove.

And yes, this definitely makes signing harder for everyone. By all indications that's intentional, as EV Certs make it harder to hide (you have to provide more information) and are harder to steal/fraudulently use. There are ways to work with that for OSS though, just as was the case with Windows 7, so we'll be okay. As Bruce likes to say, security is a process; it takes more than just the OS vendor to keep Windows machines secure. So this is our contribution to that process (whether we like it or not).

Comment Re:What's the big problem? (Score 1) 675

Yes, it's beyond the reach of most attackers to clone a chip card. Stolen card is still a problem though.

But the latter is not the problem that they even set out to solve. Fraud due to stolen cards is infinitesimal; most people don't lose their cards in a way they're easily found, and most people, when presented with a card, don't commit fraud with it. Not to say that it isn't annoying when you lose a card and someone does go on a spree, but it's always about the tradeoffs.

What chip-and-sig is designed to solve are the issues involving data breaches and duplicated cards. EMV means that retailers no longer have a vast database of all the information you need to produce a card, because part of the processing takes place on the card itself. Meanwhile good luck actually making a counterfeit EMV card, never mind getting the required information off of the original to duplicate it.

Comment Re:Linux Gaming Support (Score 1) 369

How has the way the Linux kernel is managed negatively affected proprietary graphics card drivers?

By not supporting a stable ABI and API for binary drivers. You can take a WinVista driver written in 2006 and still install it and use it today on a fully updated and supported OS. Linux doesn't offer any kind of binary compatibility remotely comparable.

Users appreciate minor OS updates not breaking their drivers. Hardware vendors appreciate not having to chase whatever direction the kernel devs are going to keep their drivers working.

Comment Sandboxing? (Score 2) 23

Perhaps I've just missed this in the reports, but is there any analysis on how this is impacted by sandboxing?

Apple tends to keep things pretty locked down and isolated, and while Stagefright was a Go Directly to Root kind of exploit, I'm curious whether this has the same risk. Can a bad TIFF file delivered via iMessage actually break out of iMessage? "Ultimately, an attack could give a hacker access to portions of a computer's memory" is not very descriptive here.

Side note: why the heck is anyone still supporting TIFF as a built-in image format? The TIFF standard is so complex that it has been the source of an innumerable number of security exploits over the years. It's a very risky format to support for exactly this reason.

Comment Only If You Sign Up With a Google Account (Score 4, Informative) 104

One thing that TFS doesn't make clear here is that this situation only occurs if you sign up for Pokemon Go with a Google account.

The game supports two different account types, either a Pokemon Trainer Club account through pokemon.com, or a Google account. Because the game is incredibly, absurdly popular right now, Nintendo is throttling Pokemon Trainer Club account creation to prevent their servers from becoming molten silicon. Which is why so many people are signing up with their Google account.

It's signing up via a Google account that causes PoGo/Nintendo to have full access to said account. Which means that if you have already signed up via the Pokemon Trainer Club, or will do so in the future, you'll be fine. It's only users signing up via the Google account system that are getting their Google accounts linked in this fashion. So the straightforward solution is to only sign up for the game with a Pokemon Trainer Club account. Which admittedly isn't super helpful due to the aforementioned throttle on Pokemon Trainer Club account creation, but there is at least a workaround.

Otherwise the iOS-centric aspect of this is a bit unusual. Obviously iOS isn't giving PoGo access to your Google account, rather it seems to be a difference in how the two apps work. It appears that the Android version of the app doesn't try to request full permissions, only the iOS version does. Why? That's a good question...

Comment Re:This is like asking "Verite 3D or 3DFX Voodoo?" (Score 1) 185

Version 1 and 2 of these things are going to be bunk. Slashdot is a mostly older nerd crowd, we've probably all been burnt as early adopters before.

I wasn't entirely sure how to respond to this post, but what you describe isn't being old. What you describe is being disinclined to try anything new. If you need someone to blaze the path for you and work out any kinks first, then that's cool. But don't confuse that with being old. Just because we're old doesn't mean we can't dive into this head-first, and in fact I think we have the advantage due to the experience we come with, having lived through the first age of VR in the early 90s.

Personally I've had a blast with the Oculus Rift CV1. It's damn near everything I wanted to do in the 90s but the technology didn't allow at the time, even in the military sims a lot of the early stuff was based on. And even if I'm not developing the hardware or the software these days, it's still fun to be a part of this, to see how things have advanced since the early days and maybe apply some of that previous experience to give developers some meaningful feedback. At this point I think I've put more time in Project Cars sight-seeing around the tracks than I have actually racing, and that's because it's such an engrossing experience.

Not that I disagree that future headsets won't be better; I think that much is obvious. But this whole thing is practically built for nerds; if you have the money and the interest, don't sit on the sidelines. Embrace the nerdiness and help shape VR. Otherwise you're just denying yourself a fun time that it used to be we could only dream of.

Comment VR Adult Interaction is the Future (Score 4, Interesting) 74

The usual jokes aside, this is going to be a part of our future. VR is going to change human sexual interaction just like ubiquitous communication devices (phones) changed social interaction. Combined with task-optimized haptics to provide the tactile feedback, and given the importance of sex (or rather, orgasm) in the human experience, and it can't not change things.

Whether it changes things for the better or the worse remains to be seen though. Japan already has a birth rate problem and this isn't going to help. Which isn't to say that the tech shouldn't exist, only that one could very easily see it as exacerbating the problem. It may very well force Japanese society (and other societies as well) to finally address the issue and enact structural change to make rearing children more desirable.

The bigger question is whether this can be meaningfully used as a tool to improve human interaction. In both Japanese and Western societies, so much emphasis is put on your first time. Maybe this improves that, reducing the massive social threshold that comes with sex and at the same time producing a generation of young adults who are more confident with sex, what they want from it, and what they expect from each other?

No matter how it ends up, it'll be interesting to see how it evolves.
