
Comment Why do Mozilla use the HTTPS CA system for this ? (Score 1) 45

Surely signing extensions and signing software updates use two different certs and either cert uses the existing HTTPS SSL/TLS CA system for that ?

Mozilla are a company that clearly deals with and understands X.509 certificates, so surely anything they do themselves where they control both the distribution and verification they use their own CA.

The only purpose of the "trusted CA" system is to issue certificates where there are three parties involved, a mutually trusted CA, a server (that needs to verify its legitimacy) and a client (that needs a mechanism to verify the server's legitimacy). But there is only 1 party involved with Mozilla extension and Mozilla browser software updates (although that's not completely true; the OS vendor might also be involved for OS level code signing).

So while they might use HTTPS under that system, the payload it carried is also signed right ? And that verification process is using a CA system that only Mozilla control ?

Comment Re:Revoked the keys, but is this still exploitable (Score 1) 67

Isn't there OCSP stapling now ?

The HTTPS webserver asks the OCSP server for a signed by CA & timestamped message every few hours to validate the certificate serial it is using is still valid (i.e. the certificate has not been revoked by CA).

The HTTPS webserver then provides this extra bit of signed information to the browser during the TLS handshake.

So now the load on the OCSP scales better (by website, not by all web users), has minimal latency impact (just the extra bytes in the handshake), no out-of-band communication from browser to OCSP server is needed at all.

Hopefully when SPDY or HTTP/2.0 is running even the bytes in the handshake can be reduced to nothing by higher reuse of a single TCP connection to multiplex and also if the client has a recent TLS sessionID that is represented to the server. You'd think they can optimize the extra bytes away and speed up the handshake for the 2nd .. Nth reconnection for HTTPS to the webserver.

In the case of PC software though I would expect there to be multiple channels for getting OCSP data and only one channel needs to work to validate firmware/driver is still usable. But I'm sure there are other issues with invalidating important drivers for graphics/network that would be more like a nag screen every day to get you to reinstall driver.
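The stapling flow described in the comment above can be checked from the client side. The following is an added example, not part of the original comment: it parses the text printed by `openssl s_client -status` and checks presence, certificate status and freshness of the stapled response (not the CA signature). The sample output is constructed, and `check_staple` and its `max_age` policy are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl s_client -status` output (not from a real server).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May  5 10:21:00 2024 GMT
    Cert Status: good
    This Update: May  5 10:21:00 2024 GMT
    Next Update: May 12 10:20:59 2024 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"  # server did not staple

TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def _field(text, name):
    """Return the value of a 'Name: value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def _time(text, name):
    raw = _field(text, name)
    return datetime.strptime(raw, TIME_FMT).replace(tzinfo=timezone.utc) if raw else None

def check_staple(text, now, max_age=timedelta(days=4)):
    """Return (ok, reason). max_age is a local policy assumed for this example."""
    if "OCSP Response Data" not in text:
        return False, "no stapled response"
    if not (_field(text, "OCSP Response Status") or "").startswith("successful"):
        return False, "responder error"
    status = _field(text, "Cert Status")
    if status != "good":
        return False, f"certificate status: {status}"
    this_upd, next_upd = _time(text, "This Update"), _time(text, "Next Update")
    if this_upd is None or this_upd > now:
        return False, "thisUpdate missing or in the future"
    if next_upd is not None and now > next_upd:
        return False, "staple expired (past nextUpdate)"
    if now - this_upd > max_age:  # server is not refreshing its staple often enough
        return False, "staple older than local max_age policy"
    return True, "good and fresh"
```

A staple that is still inside its validity window but older than `max_age` indicates a server that is not refreshing its cached response every few hours as the comment describes.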

Comment Re:They don't want Skylake to be fast (Score 1) 99

Yes I'm sure you are correct, but... the lower TCO is in using consumer drives, they have lower replacement warranty periods but they must actually be lasting significantly well enough that the cheapest cost per month to ownership is in consumer drives.

This presumes you have factored in costs to replace, diagnose, deal with issues that might crop up more often due to partial/complete failure in units. I guess the mean variation is within 150%, when the consumer drive is 2 year warranty, the cost of replacement doesn't seem that high if you are doing it every 3.5 years.

Comment Re:Comparative local economies screw this up badly (Score 1) 755

It has to be the same amount of money for everybody.

It is up to society to reorganise itself around making that situation work. For example people would move out of London to a place where they can be that is within their budget. London would suffer from lack of workers for such tasks and proper supply/demand would start to take place.

Actually I can not believe this as many foreign workers are happy to be 10 to a house taking shifts on using bedrooms or sharing beds. But then maybe these people would also not be eligible for this payment, until they have many years of their own taxes paid into the system on record when formally completing a naturalization process.

I agree people in prison do not get the allowance, well they do, but it is forced to be spent on the cost of their stay. Which brings up another point that society should not treat its prisoners better than its regular citizens. A state income improves the citizens' situation but I think prisoners should have a more harsh basic existence behind what state income can provide.

Another real issue is if everyone gets lower wages (but fixed state income amount), so the total is same or higher. Will the cost of buying bread and water increase ? Thus the purchasing power of the state income is reduced. Where and how will an equilibrium be met?

Comment Re: 4/5 in favor (Score 1) 755

Well if things stay as-is they will be paid more, they will get state income and their regular wages.

What remains to be seen is if the wages element of those low skilled menial jobs actually declines over time. As the tax collection is increased to cover the costs in some other areas and those low skilled jobs need to equalize their global worth because other countries (without a state income) are not subject to that higher taxation. So for Finland to remain competitive maybe those menial wages need to decrease, but you get state income on top.

It would be hoped that all governments would simplify laws/taxation such that implementing them (especially when using IT) can be done more easily and therefore the administrative costs are reduced. But then there can be a lot of politicians enjoying the gravy train created by the more complex situation.

Comment Re: 4/5 in favor (Score 1) 755

Doesn't Finland have public personal tax records/reporting? That is, anyone can look up anyone else's personal tax records?

I presume this also helps limit unreported income, since people living a lifestyle beyond their tax record information can be vetted by everyone and investigated. I presume this allows things like linking in ownership of expensive assets property/car to the individual's tax history, because all different government agencies have access to more information since it is public.

Comment Re:High-frequency trading=respctable insider tradi (Score 1) 113

Just transaction tax everything, in an inversely scaled amount to the time between you buying/selling that same kind of item.

So if you buy, buy, buy, wait a month, then sell, sell, sell, you don't pay much/any transaction tax.

But if you buy, sell, buy, sell, buy, sell, you get transaction taxed to extinction.

Now make it so you publish your sell price for a whole hour, before you finalize trades for it.

Now make it so that if you cancel too many sell orders, compared to those that made it to the end of the hour but may (or may not) have received any buying offers, you get a charge applied.

Now make it so that all the buyers making offers get a pro-rata split of the shares being sold.

Now increase transaction taxes when the number of shares in the selling order is lower than the number of buyers. An exercise for the seller to predict how large in volume the sell order needs to be to not get penalized here.

All this to take the money out of the transaction part, and place it back into the, I'm holding this stock, so I'm taking a risk the business will do well in the future, compared to holding cash.

So the next question, who gets to spend the transaction taxes and on what ? Government coffers, as the people effectively permit this activity to go on under the protection of the state. Other suggestions ?

Comment Re:Not entirely wrong. (Score 1) 229

The problem is those people ("script kiddies") do not have a support contract with Oracle, so would not be publishing it via the official support channels back to the vendor. They would use other mechanisms that increase their e-peen among their peers (of other "script kiddies").

For me the issue here is what is the definition of reverse engineering and how do I ensure it does not happen ? For example if I were to simply use a standard debugger of my own code that was running in conjunction with an Oracle product, how do I stop my debugger from entering into the realm of reverse engineering. Since a debugger does not understand the legal boundaries, it just reports on activities going on inside the machine representation of the code.

Comment Re:Piss off- text of her blog which was taken down (Score 1) 229

> "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..."

But they are not trying to derive the source code.

They are debugging their own problem and they are happy to work directly with Java bytecode and CPU assembly language to do this. They are not trying to reconstruct Java language or C/C++ language code from machine optimized code.

Now my debugger automatically goes into this detail for me, I can see Java bytecode (by opening a *.class file) and I can see CPU assembly language (when using 'gdb'). So while I do not work with Oracle products I find it hard to see how there is a breach of this clause in the terms, for this to be the case Oracle need proof in the form of a copy of my attempt (or success) to derive source code.

So the problem is the debuggers used against Oracle systems are already performing the operations to "disassemble" and "decompile" the machine optimized representation (that you supplied) of the original source code. But they are not doing this for the purpose of trying to derive the source code, but to explain a set of circumstances that are a genuine problem to the customer.

Comment Re: Can we quit pretending that it's car "sharing" (Score 1) 231

There is in the UK.

* All motor vehicle insurance (private, commercial, passenger service vehicle) policies that are active are on a database, coverage dates are known also all other basic details as you'd expect.

* Ministry of Transport tests (yearly or more frequent vehicle road worthy and safety tests).

* Road fund licenses (a yearly tax based on size, CO2 emissions, type and purpose of vehicle use that is intended to fund highway maintenance although we have very heavy fuel taxation over 70% and VAT on top of that).

* Driver and Vehicle Licensing Agency, this government body manages vehicle identification, registration plate issuing, ownership. It also regulates driver license categories, you need to pass specific tests for car, motorbike, minibus, small lorry, large lorry, coach/bus driver. Some of these tests are good until old age, some need to be refreshed, some have mandatory medical fitness tests.

These things are all updated in near real-time to all agencies that use the information to monitor and regulate traffic. With the number of road traffic cameras in the UK it is expected many of these to be hooked up to monitor usage of a license plate.

Everything is regulated for consumer safety.

To be a taxi driver you need a vehicle registered for that purpose (and therefore subject to stricter MOT safety testing),
You need a driver with a suitable license to carry other passengers, so basically clean enough without problematic endorsements,
You probably need a criminal background check and other such public safety checks,
You need suitable insurance for the vehicle and number of passengers.

Then you can work as a Taxi driver and work for "Hire or Reward conveying passengers in a vehicle".

So now can Uber work? It costs time and money to get and maintain all these things above. This is why you pay a higher fare.

Comment Re:What about "legitimate" use? (Score 1) 155

Yes there is a formal procedure you have to follow, just having a prescription is not enough.

You need to have that kind of medical evidence for need; and request in advance and gain approval from your sporting bodies testing organisation.

Such as and their TUE (Therapeutic Use Exemption) process
