Comment But then who audits the auditors? (Score 1) 181

The solution is pretty simple, but often skipped:
1) The reason for every search should be required and logged by the searcher. ...
2) The logs should be randomly spot-checked by an auditor (or auditors) who verifies the reasons given by interviewing the person(s) who searched.

But to check it the auditors need detailed access to the records. So who audits THEM?

This kind of question has been asked repeatedly since at least the Roman Empire.

(The U.S. answer to "Who guards the guardians?", at least for direct abuse of person under color of law, is the Fourth and Fifth amendments and the "fruit of the poisoned tree" doctrine: Fail to follow the law and you don't get a conviction, because misbehaving police are FAR more of a problem for the population than even a lot of violent private-enterprise crooks going back to work. But while it does reduce the incentive, it doesn't block the behavior.)
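The two rules in the comment above, and the "who audits the auditors" problem, as an added example that is not part of the original comment: every search must carry a justification or it is refused; an auditor pulls a random sample to verify by interview; and the auditor's own read of the log is appended to the same SHA-256 hash chain, so the next reviewer can see what the auditor looked at and whether anything was edited afterwards. The actor names, record IDs and reasons are constructed for illustration.

```python
import hashlib
import json
import random

GENESIS = "0" * 64


class AuditLog:
    """Append-only, hash-chained log of record searches and of the spot
    checks made on them. Constructed for illustration, not production code."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def _append(self, kind, actor, payload):
        body = {"seq": len(self.entries), "kind": kind, "actor": actor,
                "payload": payload, "prev": self.head}
        digest = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = dict(body, hash=digest)
        self.entries.append(entry)
        self.head = digest
        return entry

    def record_search(self, actor, subject, reason):
        # Rule 1 from the comment: no search without a logged justification.
        if not reason or not reason.strip():
            raise ValueError("search refused: a justification is required")
        return self._append("search", actor,
                            {"subject": subject, "reason": reason.strip()})

    def spot_check(self, auditor, sample_size, rng=None):
        # Rule 2: an auditor pulls a random sample to verify by interview.
        # The auditor's own read of the log is written into the same chain,
        # which is one partial answer to "who audits the auditors".
        rng = rng if rng is not None else random.SystemRandom()
        searches = [e for e in self.entries if e["kind"] == "search"]
        chosen = rng.sample(searches, min(sample_size, len(searches)))
        self._append("audit", auditor, {"checked": [e["seq"] for e in chosen]})
        return chosen

    def verify_chain(self):
        # Recompute every hash; any edited or removed entry breaks the chain.
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = digest
        return True


def demo():
    """Constructed scenario: three justified searches, one refused search,
    one spot check, then an after-the-fact edit that the chain catches."""
    log = AuditLog()
    log.record_search("analyst-a", "record-0001", "case 17: identity check")
    log.record_search("analyst-b", "record-0002", "warrant 2016-044")
    log.record_search("analyst-a", "record-0003", "duplicate-record review")
    try:
        log.record_search("analyst-c", "record-0004", "   ")
        refused = False
    except ValueError:
        refused = True
    checked = log.spot_check("auditor-1", 2, rng=random.Random(7))
    intact_before = log.verify_chain()
    log.entries[1]["payload"]["reason"] = "rewritten after the fact"
    return {
        "refused": refused,
        "sampled": len(checked),
        "audit_logged": log.entries[-1]["kind"] == "audit",
        "intact_before": intact_before,
        "tamper_detected": not log.verify_chain(),
    }


if __name__ == "__main__":
    print(demo())
```

The chain only helps if whoever holds the log cannot quietly rewrite the whole thing, so in practice the current head hash has to be published somewhere the log keeper does not control (a second team, an external timestamping service, printed in a periodic report). That is the same regress the comment points at: the chain moves the trust, it does not remove it.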

Comment The invisible hand strikes. (Score 4, Interesting) 124

Not one organization I have ever worked for has seriously cared about IT security.

When it comes to rolling out new products, ignoring security is the norm.

This is because the "window of opportunity" is only "open" for a short time - until the first, second, and maybe third movers go through it and grab most of the potential customers. Companies that spent the time to get the security right arrive at the window after it closes.

This happens anywhere the customers don't test for and reject non-secure versions of the "new shiny" - which means enterprises sometimes hold suppliers' feet to the fire (if the new thing doesn't give them an advantage commensurate with, or perceived as outweighing, the risk) but consumer stuff goes out wide open.

Then, if you're lucky and the supplier is clueful, they retrofit SOME security before the bad guys exploit enough holes to kill them.

I expect this will continue until several big-name tech companies get an effective corporate death penalty in response to the damages their customer base took from their security failings. Then the financial types will start including having a good, and improving with time, security story (no doubt called "best practices") among their check boxes for funding.

Comment Re:Why not coax? (Score 1) 154

And the reason you cannot do this with radio is that the noise from the transmitter is greater than the received signal.

Actually you CAN manage it with radio - very difficultly, with very careful antenna design.

But the combined antenna has to be far from anything that reflects, absorbs, or just phase-shifts any substantial amount of the transmitted signal energy. If not, the discontinuity destroys the careful balance that nulls out the transmitted signal at the receiver. That gets you back to the "transmitter shouts in the receiver's ear much louder than the distant communications partner" case. So it's not very practical in the real world.

Comment Re:Why not coax? (Score 1) 154

Coax is half-duplex too

No, it's not.

With proper impedance matching networks and reasonable termination at the ends of a run you can send separate signals at the same frequency/band of frequencies down a cable in each direction. (Impedance discontinuities DO reflect some of the signal going one way back the other way, causing some interference. But even that can be "tuned out" by suitable corrections if it's too severe to just ignore.)

You can do it on a balanced pair, too. Telephones have done this with audio for more than a century, and I recall encountering a simple hack to do it all the way down to DC back in the days of discrete-transistor logic. (And it has nothing to do with two wires being involved, either. With N (= any power of 2) conductors and "phantoming" you can have up to N-1 balanced and one unbalanced two-way transmission lines on N wires.)

Time Domain Reflectometry does this to FIND and MEASURE discontinuities in a cable, essentially firing a pulse down the cable and listening to the reflections, radar-style.

Yahoo!

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 72

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter said. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing for Senate staffers on its incident response and how it intends to protect affected users.

Comment Re:Coming from Detroit (Score 1) 76

There is no security on the CAN communications of any modern vehicles that I know of. Any person connected to the bus can masquerade as anyone else.

That's why Tesla has several layers of bus, with firewalls between them, inside each car.

Get on one of the buses, you get to tweak the stuff on THAT bus. But you have to convince a firewall you're cool (i.e. doing something the firewall recognizes as legitimate) before it forwards your transaction to anything on even an adjacent bus.
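The layered-bus design the comment describes, as an added example that is neither from the comment nor from Tesla: a toy gateway bridges two CAN buses and forwards a frame only when the (source bus, destination bus, arbitration ID) triple is on an allowlist and the payload length fits. Because a CAN frame carries no sender identity, the gateway cannot tell who sent it; it can only decide which IDs may cross in which direction, which is exactly what "convince the firewall you're doing something it recognizes as legitimate" amounts to. The bus names, arbitration IDs and payloads are constructed for this example and are not real vehicle IDs.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit arbitration ID; CAN carries no sender identity
    data: bytes   # 0..8 byte payload


class CanBus:
    """One physical bus: every node sees every frame, any node can send any ID."""

    def __init__(self, name):
        self.name = name
        self.frames = deque()

    def send(self, frame):
        if not 0 <= frame.arb_id <= 0x7FF or len(frame.data) > 8:
            raise ValueError("malformed CAN frame")
        self.frames.append(frame)


class Gateway:
    """Bridges buses and forwards a frame only if (source, destination,
    arbitration ID) is on the allowlist and the payload length fits.
    Allowlist shape: {(src_name, dst_name): {arb_id: max_len}}."""

    def __init__(self, allow):
        self.allow = allow
        self.dropped = []

    def forward(self, src, dst, frame):
        rule = self.allow.get((src.name, dst.name), {})
        max_len = rule.get(frame.arb_id)
        if max_len is None or len(frame.data) > max_len:
            self.dropped.append((src.name, dst.name, frame.arb_id))
            return False
        dst.send(frame)
        return True


# Hypothetical IDs, constructed for this example; not real vehicle IDs.
ID_SPEED = 0x1A0         # powertrain -> infotainment: wheel speed, 2 bytes
ID_CABIN_TEMP = 0x3E0    # infotainment -> powertrain: HVAC setpoint, 1 byte
ID_STEER_CMD = 0x0C0     # powertrain-only: never allowed in from infotainment

ALLOWLIST = {
    ("powertrain", "infotainment"): {ID_SPEED: 2},
    ("infotainment", "powertrain"): {ID_CABIN_TEMP: 1},
}


def scenario():
    """Constructed traffic: one legitimate frame each way, then two frames an
    attacker on the infotainment bus might inject toward the powertrain bus."""
    pt, ivi = CanBus("powertrain"), CanBus("infotainment")
    gw = Gateway(ALLOWLIST)
    results = {
        "speed_out": gw.forward(pt, ivi, CanFrame(ID_SPEED, b"\x00\x2a")),
        "temp_in": gw.forward(ivi, pt, CanFrame(ID_CABIN_TEMP, b"\x15")),
        # Spoofed steering command: ID not on the allowlist for this direction.
        "steer_in": gw.forward(ivi, pt, CanFrame(ID_STEER_CMD, b"\xff\x00")),
        # Allowed ID but oversized payload: dropped by the length check.
        "temp_oversize": gw.forward(ivi, pt, CanFrame(ID_CABIN_TEMP, b"\x15" * 8)),
    }
    results["powertrain_saw"] = [f.arb_id for f in pt.frames]
    results["dropped"] = len(gw.dropped)
    return results


if __name__ == "__main__":
    print(scenario())
```

Two caveats a practitioner would add. First, the filter does nothing for nodes already on the same bus: a compromised node on the powertrain bus can still spoof its neighbours, which is the comment's "you get to tweak the stuff on THAT bus". Second, the gateway is now the thing worth attacking; real gateways (an assumption about designs in general, not a claim about any vendor) also rate-limit per ID and gate some IDs on vehicle state, for example refusing diagnostic writes while the car is moving.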

Comment Not quite the end of the story. (Score 1) 326

In most countries the government is in charge of health care and they have a VERY easy way to regulate price gouging such as this. In any single payer system the national health service basically sets the price they are willing to pay and that's what it costs. End of story.

Well, not quite.

In any price control regime, the authority sets the price, and there are three options:
  1. They HAPPEN to hit the "market clearing" price on the nose.
  2. They set the price higher.
  3. They set the price lower.

1. is a small target, and very hard to get right even if you're trying. (Even market economies only get there by constant feedback in the form of purchase decisions.) Further, there are strong political pressures on regulators on where to set prices, so they aren't even trying. So 1 just doesn't happen.

2. means the consumer gets gouged. (But now he can't go to some competitive supplier to get the product or service at a better price. EVERYBODY who is selling is selling at that price. So the gouging is institutionalized. The only way to get a lower price is to apply pressure to the regulators (see 1.) or go to a black market (with lots of risks, including issues of quality, reliability, contract enforcement, and bad encounters with law enforcement and the rest of the legal system).)

3. is where the regulators usually end up. But a price lower than market-clearing means suppliers choose to spend their resources supplying something else, so the supply dries up. You could buy it at a sale price IF you could buy it at all. But it isn't available, so you can't buy it at any price.

A free market has its own problems. For starters, with a single supplier (a monopoly) market forces encourage gouging. With two suppliers they encourage an approximately even division of the market (a duopoly) and, again, gouging, with only price signals, not collusion, to coordinate their behavior. The incentive to engage in competition that drives the prices down to market-clearing level doesn't appear until there are three players, and doesn't become strong until there are four or more.

(Unfortunately, US regulations generally have a built-in assumption that two suppliers are "competition". Thus you get things like the landline/cable internet duopoly, or the built-into-channel-allocations local duopoly (collapsing to local monopolies) of the early, analog, cellphone system.)

Comment Knew a math professor without eyes ... (Score 1) 69

Back in the 1970s I was an undergraduate at a highly-ranked math department. One of the professors there had no eyes. (It was a birth defect - they had not formed, and his face was slightly collapsed where they should have been.)

When a student would try to skip doing some part of a rigorous proof by substituting a geometric drawing, the other profs would ask "How would you explain it to [him]?".

This guy was VERY good. But he had a "blind spot" occasionally when a graphic analogy would have pointed him to some existing proof that would apply. (I recall once when he was discussing some bottleneck in what he was working on and another professor pointed out that the troublesome piece of the problem was equivalent to an angle trisection with compass and ruler.)

AT&T

AT&T and Comcast Helped Elected Official Write Plan To Stall Google Fiber (arstechnica.com) 84

An anonymous reader quotes a report from Ars Technica: As the Nashville Metro Council prepares for a final vote to give Google Fiber faster access to utility poles, one council member is sponsoring an alternative plan that comes from AT&T and Comcast. The council has tentatively approved a One Touch Make Ready (OTMR) ordinance that would let a single company -- Google Fiber in this case -- make all of the necessary wire adjustments on utility poles itself. Ordinarily, Google Fiber must wait for incumbent providers like AT&T and Comcast to send construction crews to move their own wires, requiring multiple visits and delaying Google Fiber's broadband deployment. The pro-Google Fiber ordinance was approved in a 32-7 preliminary vote, but one of the dissenters asked AT&T and Comcast to put forth a competing proposal before a final vote is taken. The new proposal from council member Sheri Weiner "call[s] for Google, AT&T, Comcast and Nashville Electric Service to create a system that improves the current process for making utility poles ready for new cables," The Tennessean reported last week. "Weiner said AT&T and Comcast helped draft the resolution she proposes." Weiner told Ars that she asked AT&T and Comcast to propose a resolution. "I told them that I would file a resolution if they had something that made sense and wasn't as drastic as OTMR," Weiner told Ars in an e-mail today, when we asked her what role AT&T and Comcast played in drafting the resolution. Weiner said she is insisting on some changes to the resolution, but the proposal (full text) was submitted without those changes. When asked why she didn't put her suggested changes in the version of the resolution published on the council website, Weiner said, "I had them [AT&T and Comcast] submit it for me as I was out of town all last week on business (my day job)." Weiner said an edited resolution will be considered by the council during its next meeting.
Weiner's plan could stall the OTMR ordinance and -- though it might improve Google Fiber's current situation -- would not provide the quick access to poles sought by Google Fiber and most council members. However, Weiner said she is willing to support OTMR later on if her proposal doesn't result in significant improvements.
Democrats

Computer Specialist Who Deleted Clinton Emails May Have Asked Reddit For Tips (usnews.com) 612

An anonymous reader quotes a report from U.S. News and World Report: An army of reddit users believes it has found evidence that former Hillary Clinton computer specialist Paul Combetta solicited free advice regarding Clinton's private email server from users of the popular web forum. A collaborative investigation showed a reddit user with the username stonetear requested help in relation to retaining and purging email messages after 60 days, and requested advice on how to remove a "VERY VIP" individual's email address from archived content. The requests match neatly with publicly known dates related to Clinton's use of a private email server while secretary of state. Stonetear has deleted the posts, but before doing so, the pages were archived by other individuals. "ARCHIVE EVERYTHING YOU CAN!!!!" a person wrote on a popular thread on the Donald Trump-supporting subreddit r/The_Donald, as the entries disappeared. There are several reasons to believe the reddit user is indeed Combetta, who was granted immunity by the Justice Department during its investigation of Clinton's private server after he deleted a large number of emails. The evidence connecting Combetta to the account is circumstantial, but also voluminous. The inactive website combetta.com is registered to the email address stonetear@gmail.com, a search of domain registration information using the service whois.com indicates. An account for a person named Paul Combetta on the web bazaar Etsy also has the username stonetear. And, perhaps most damningly, there are the dates. Stonetear posted to reddit on July 24, 2014: "Hello all- I may be facing a very interesting situation where I need to strip out a VIP's (VERY VIP) email address from a bunch of archived email that I have both in a live Exchange mailbox, as well as a PST file. 
Basically, they don't want the VIP's email address exposed to anyone, and want to be able to either strip out or replace the email address in the to/from fields in all of the emails we want to send out..." U.S. News & World Report adds: "On July 23, 2014, the House Select Committee on Benghazi had reached an agreement with the State Department on the production of records, according to an FBI report released earlier this month on the bureau's probe of her email use." Stonetear submitted an additional post to reddit on Dec. 10, 2014 that reads: "Hello- I have a client who wants to push out a 60 day email retention policy for certain users. However, they also want these users to have a 'Save Folder' in their Exchange folder list where the users can drop items that they want to hang onto longer than the 60 day window. All email in any other folder in the mailbox should purge anything older than 60 days (should not apply to calendar or contact items of course). How would I go about this? Some combination of retention and managed folder policy?"

UPDATE 9/19/2016: Slashdot reader NotInHere points out that there is a Slashdot user named "StoneTear" as well.
