
Comment Re:Mitigation and alternatives (Score 1) 94

Both are fine options indeed. But you don't really need the routing core to deem the system secure. You only need to see the source of the clients to determine if you can guarantee end-to-end encryption. How the messages get routed is another story altogether, and your only concern would be metadata collection (which you should always assume is happening anyway). I, for one, would love to see WhatsApp's Erlang routing core and how they do it, but it's more for my personal curiosity than true security.

Comment Mesh networking (Score 1) 140

IMHO, in the ideal situation, every WiFi access point should include by default a second SSID mapped to a VLAN that allows complete traffic isolation between the personal network and the guest network. The guest network should be IEEE 802.11s-enabled to allow roaming and mesh networking, and 802.11u for interworking and authentication. In that way, emergency responders can have access to a network while protecting individuals' privacy. Even nicer would be an emergency responders' network only available to them with CJDNS over those mesh networks. In that way, members can trust they are who they say they are, and all communication is encrypted.

Comment Mitigation and alternatives (Score 2) 94

Since I don't use Facebook, my number should be irrelevant to them to serve me advertisement in their platform. Furthermore, I use the anti-social plugins for browsing so they don't get my browsing history either.

If this really bothers you, Signal is a perfectly good alternative to WhatsApp, which is completely open source and has almost identical functionality. Another surprisingly good and also open source alternative is Wire, which doesn't rely on phone numbers and is completely multiplatform.

If you can't vote with your dollars, vote with your feet.

Comment Re:Cost of Living Tradeoffs (Score 1) 163

Mod parent up. I've seen *exactly* the same thing you point to virtually everywhere. But one thing I'd like to add is the perspective of the "startup", not only the large companies. They are great at luring you with big promises and massive amounts of stock options while offering crappy salaries. This also unfavorably caters to the young who can afford the gamble, and who are too naive to understand the downsides. They are not necessarily in the H1B game, but their way to keep you "at bay" is with their "at will" contracts, where a CEO can just fire you for no reason. HR is a third-party outsourced company.

Comment Security is an afterthought (Score 1) 41

The IoT market is indeed insanely hot and competitive, and time-to-market can make or break a product's success. This means that the MVP version (minimum viable product), which is supposed to be just the first step in an iteration, many times ends up becoming the version that gets shipped.

It's very rare that security is considered in an MVP. Some simpler types of IoT devices (typically send-only) that rely more on the cloud back-end may have better luck by improving the security of the cloud-based components over time, but if the device accepts input and network commands, all bets are off.

Comment Re:Seen this before? (Score 3, Interesting) 95

Not this time. I think this is an acknowledgment that they need to rethink what's important, and it's not the OS anymore. It's the Cloud (both IaaS and PaaS), where AWS is the biggest competitor and the one to beat, which is why Azure is so strategic for Microsoft. They need to have expertise and business solutions whatever underlying OS the customer may choose. If Linux, they need to have outstanding support for it in Azure and across all their offerings.

We may think this is the same old Microsoft, but I believe they are going through one of their biggest reinventions to date.

Comment Re:utterly pointless and ineffective (Score 5, Insightful) 556

Mod parent up. I feel more ashamed that it's actually MY congresswoman, and I will write her a note, because this is absolutely nonsensical, as many have already pointed out. It will stop nothing.
I can get any low-end Android phone, put it in airplane mode and never sign up with a carrier, connect to any public WiFi network, and use a SIP client with ZRTP to connect to a server paid with Bitcoin to do my anonymous calls.
This is the classic government reactive approach with no input from subject matter experts, always 10 steps behind.

Comment Insane (Score 4, Insightful) 33

Maybe I'm just getting old, but I cannot wrap my head around these kinds of deals. Paying 100M for bullshit like that, when I can enumerate dozens of startups with amazing technology and real innovations in cloud, back-end services, automation, platform, security, etc., that can barely get a couple of millions to continue their development. The industry is run by teens now.

Comment Re:A word to the wise (Score 1) 43

Really? Has the IQ level on Slashdot gone downhill that much that you can't even do a Google search?

If you frequent this site, you will notice this community is big on privacy, and QubesOS has been for quite some time among the best options out there, since they are the only ones addressing very hard problems, like hard isolation of driver-level components in the OS, such as the USB or the network subsystems, for example. This is particularly good for mitigating 'evil maid' type attacks and such. They achieve this using a modified version of the Xen hypervisor with lightweight VMs and a common hardened X-based interface.

These folks don't release very often, and this update has been coming for a long time, and it's very welcome. Particularly the UEFI boot support, which has blocked me from being able to install it on my private laptop.

Comment Streisand Effect of sorts (Score 1) 546

For years, many voices in tech have been screaming about lax security and privacy controls in most devices and online services. Well, this argument may end up being a Streisand Effect of sorts, by encouraging the tech community to finally rally together and develop the kind of systems where this will be a non-issue: zero knowledge, end-to-end encrypted, ephemeral IDs when we need them, plus validated, immutable, blockchain-based distributed trust systems when we choose to. Heck, right before this story on Slashdot you have the one on the release of Wire. We'll see more and more of this. The government has no idea what they've unleashed.

Comment Re:So vague is has to be true? (Score 1) 241

What broke down here is the threat assessment model. Was there a competent team of interdisciplinary experts who reviewed the threat and concluded it was reasonably credible? Then there's no need for a CYA, since you are doing your job.
But if this was based on the consensus of a few local folks you know, who may or may not have a respectable background to advise you, then it's on you.
First of all, if they had a semi-decent IT security expert as part of their threat assessment team, they wouldn't even have reported that "the IP address was from Germany", since they'd know it's largely irrelevant, being most likely a Tor exit node or a VPN endpoint, if it didn't match a well-known origin. Instead, they'd focus on the language, plot details and other things that can reveal whether this is indeed credible or not. Then they'd probably correlate with similar chatter in other places (like NY), and on and on.
I'm not sure if every major city should have such a team on stand-by, but at least a "service" should exist for these kinds of things that someone like a school superintendent or a mall manager can tap into.

Comment Extrapolating from today (Score 2) 279

CI/CD systems will automate the heck out of everything, and there will be less and less visibility into what's running where and how.

"Cloud Native" applications designed around microservices with well-defined interfaces and running in some PaaS "somewhere" will become the norm. I sadly foresee that developers themselves will be expected to become microservices, basically expected to do one thing only, and one thing well, and forbidden to look beyond their immediate horizon of the ever-rolling Agile backlog. There will be less space for creativity at the individual level, and massive invisible machine learning software running in the back-end of the datacenters will automatically generate "facts" for the suits in charge, and possibly even stories on a backlog based on those facts. In 20 years, they'll generate their own code.

Comment That's why decent PR is needed (Score 1) 278

This could be easily solved by having a single place (a web site and an app) where the scientific community at large shares with the public what the current consensus is, explained in the simplest terms possible, with links to credible resources for second and third levels of depth.

The site needs to be authoritative, and widely known as the single source from the community, so if anyone ever has a doubt, they know where to go to understand what the scientific community really thinks about a certain issue.

This does not by any means mean the absence of debate, or of the constant change in views and information, but a place where the bulk of the community puts their minor differences aside for the benefit of the common good and their own, by helping close those gaps.

Comment Bad system design (Score 0) 111

First, SSNs themselves should not be "stored" in any database. They should be used dynamically for initial patient validation and stored as a salted hash. For that matter, you can do the same with DOB and other key identifiers that are not required for anything but validation. Use an internal patient number as the index for everything else. Second, use MAC (Mandatory Access Controls) for any app or microservice attempting to access specific portions of data. Any unauthorized attempt to access a record should be logged, and if you really want to catch the bad guys, do a transparent session forward to a honeypot with a fake database. Third, use two-factor authentication for any remote access to the data. Fourth, all internal systems should run virtualized and be accessed over VDI, no data on laptops, ever. Is it really that hard?
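The "validate, don't store" pattern for SSN and DOB from the comment above, as an added example that is not part of the original post: the record keeps only an internal patient number, a per-record salt and salted tokens, never the identifiers themselves. Because the SSN space is only about a billion values, a plain salted hash can be brute-forced from a leaked table, so this example assumes a server-side secret key held outside the database and uses a keyed hash (HMAC) instead; the `PatientDirectory` class, the key and the sample values are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed, not from the original comment: a secret kept outside the database
# (secrets manager / HSM). Constructed demo value only.
SERVER_KEY = b"constructed-demo-key-replace-in-real-deployments"


def derive_token(identifier: str, salt: bytes) -> bytes:
    """Keyed, salted hash of an identifier such as an SSN or DOB.
    A leaked table holds salt + token, but without SERVER_KEY an attacker
    cannot enumerate the ~1e9 possible SSNs against it."""
    return hmac.new(SERVER_KEY, salt + identifier.encode(), hashlib.sha256).digest()


class PatientDirectory:
    """Constructed example store: internal patient number -> (salt, ssn_token, dob_token).
    The plaintext SSN/DOB never enter the stored record."""

    def __init__(self) -> None:
        self._records: dict[int, tuple[bytes, bytes, bytes]] = {}
        self._next_number = 1000

    def enroll(self, ssn: str, dob: str) -> int:
        salt = secrets.token_bytes(16)           # fresh salt per record
        number = self._next_number
        self._next_number += 1
        self._records[number] = (salt, derive_token(ssn, salt), derive_token(dob, salt))
        return number                            # the only index used elsewhere

    def validate(self, number: int, ssn: str, dob: str) -> bool:
        """Initial patient validation: patient presents number + SSN + DOB."""
        rec = self._records.get(number)
        if rec is None:
            return False
        salt, ssn_token, dob_token = rec
        # Constant-time comparison so a mismatch is not timing-detectable.
        ok_ssn = hmac.compare_digest(derive_token(ssn, salt), ssn_token)
        ok_dob = hmac.compare_digest(derive_token(dob, salt), dob_token)
        return ok_ssn and ok_dob

    def stores_plaintext(self, number: int, ssn: str) -> bool:
        """Audit helper: does the raw SSN appear anywhere in the stored record?"""
        rec = self._records.get(number)
        return rec is not None and any(ssn.encode() in field for field in rec)
```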

Comment Removes an important failsafe (Score 2) 468

I was on a business trip once going from Lima, Peru, to Arica in Chile on a 727 when the pilot announced that the navigation system in the plane was basically dead. Instead of freaking out, he lowered the altitude and visually followed the Iquitos river and other landmarks, piloting the plane the old-fashioned way and taking us to the destination safely. In a windowless cockpit that would have been a non-starter. I, for one, want to keep an "analog backup" as an option. Thank you.
