
Comment Re:Please protect us from ourselves, Big Brother! (Score 1) 72

Well, it depends...

Were the sites operated in compliance with gambling laws? Were there audits to ensure that the system wasn't rigged unfairly (apart from the inherent and well-known house advantage)? Were all transactions accounted for and recorded properly?

There are a lot of regulations that make gambling a mostly-fair enterprise. Yes, you're still likely to lose, but it's entertaining to play and sometimes win. It's not entertaining to play and never have a chance of winning, and that would put the site in the "scam" category.

Comment Surface contact jack (Score 3, Informative) 767

What ever happened to Apple's patent on a magnetic jack?

The idea was that a normal headphone plug could be placed against an indentation on the phone, and the magnet would hold it fairly securely against the electrical contacts. That would allow it to be thinner and smaller than a normal jack that surrounds the plug.

I'm hopeful that these rumors of not having a headphone jack refer to a regular jack...

Comment Re:Supported/ Fuck "Supported." (Score 1) 230

My personal nightmare was three VM servers on two identical ESXi VM hosts (a primary, replicated for a hot spare), running four quad-core CPUs virtually allocated to only commit 8 cores to each VM, and each VM also got 4 GB of memory. One of those VMs ran our Exchange server. We also had a Win7 VM to run on the server, and needed to upgrade about a dozen WinXP clients to Windows 7. Several new computers had been purchased prior to this project with Win7 already installed, and they weren't going to be changed at this time. In addition, we also had several appliances that needed service accounts (like the voicemail-to-email feature on our PBX). We also wanted to move toward volume licensing, so we could avoid the spreadsheet lists of license keys.

We called our preferred software vendor, and got their Microsoft-certified Licensing Specialist (and the fact that there is such a thing is a big warning) to figure out what we needed. A different vendor gave us a different answer. We also contacted Microsoft directly, and got another different answer.

As I recall, they were, in no particular order, and with elements shuffled around by my attempts to repress the memories:

  • A boatload of device CALs, 12 copies of Windows Server 2012 (3 VMs * 2 servers * 4 processors / 2 processors per license), a special VM license for Windows 7, then several retail Win7 licenses for the desktop machines.
  • A mix of device and user CALs, 6 copies of Windows Server 2012, and individual retail upgrades for Win7.
  • Only user CALs, 3 copies of Windows Server, a volume license for all the Win7 systems.

I remember something about a suggestion to scrap our ESXi infrastructure, and running Windows Server as a Hyper-V host because that'd give us some VM allocations, too.

-if you own a software license bought outright at any time you own it in perpetuity

Unless you're using a capability of that outright-license software that is separately licensed under Software Assurance, in which case you can only use that feature while your SA entitlement is active.

-CALs are bought yearly (typically) but are "essentially" the same no matter the platform or age. There are exceptions for this (dynamics CRM end user vs admin licenses, etc) but in general it works this way

CALs do not expire, but they also do not transfer, and they do not apply to other versions. It doesn't matter that you bought too many CALs in 2008, because you'll be buying all new ones for 2012.

-Licenses are separate from support contracts, so you can opt for zero support for zero fee, or have MS premier support on-site 24/7 for a HUGE fee

Unless "support" is in the form of Software Assurance, in which case you must purchase SA to get certain volume licenses, and certain products are not available with SA, and certain products are not available without volume licensing.

-You can optionally pay an annuity to get free upgrades for any software you use, but again not required

I think, again, you're referring to SA. Please tell me how to get Windows 7 Enterprise N without Software Assurance, because nobody has yet been able to accomplish that legally.

Comment Re:Government vs. Government (Score 4, Interesting) 103

Yeah, that pretty much sums it up.

Why, is that a problem?

See, these government guys are different from those government guys, who have an entirely different agenda from that government branch, because it's really coming from the authority of this government office, rather than that government office, and has an entirely different chain of command with entirely different officials from an entirely different Congressional committee.

Nobody wakes up in the morning and says "Today, I'm going to oppress my fellow citizens and make their lives worse!". Instead, all the government employees work toward the common goal of "advance America's interests", according to their specific areas of expertise. One group says build a thing because it helps America, and another group says to break it because it helps America's enemies.

Apart from paranoia, there is no reason to believe that either side isn't doing their best. If you trust that the Tor researchers (stemming from DARPA and the U.S. Navy) could possibly create a secure network, and trust that the Tor project could possibly create a secure browser, then you can trust that this browser is secure. That the government who funded it is now also trying to break it has little effect on how trustworthy the software itself actually is.

Comment Re:SubjectsInCommentsAreStupidCauseTheSubjectIsTFA (Score 2) 224

Actually, it's right there in the Constitution:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Every signed petition form and written letter is following the same legal channel as a lobbyist. A lobbyist just opens the discussion by saying "I represent this many people associated with this organization, and they have this concern". A Washington Post op-ed piece says it well:

How many remember that, in addition, the First Amendment protects a fifth freedom -- to lobby?

Of course it doesn't use the word lobby. It calls it the right "to petition the Government for a redress of grievances." Lobbyists are people hired to do that for you, so that you can actually stay home with the kids and remain gainfully employed rather than spend your life in the corridors of Washington.

Comment Re:No User Serviceable Parts inside (Score 0) 224

Oh, shush. Your rationality and insight are interrupting the Two Minutes Hate.

Clearly, it is the responsibility of manufacturers to ensure that every design they ever produce is conducive to users performing any conceivable repair or replacement operation, regardless of hazard, liability, functionality, or reason. Never mind that the manufacturer's system is only functional with the manufacturer's parts, or that there are other contracts (including service agreements) on other parts of the system... We could repair our electronics in 1985, and nothing should change since then!

Slashdot says this would have been good for consumers, so it must be good!

The hivemind couldn't be wrong, could it?

No, it must be a conspiracy of "Big Tech" lobbyists and corrupt politicians working to oppress the common man!

Comment Re:Supported/ Fuck "Supported." (Score 1) 230

Please never use Microsoft as a recommended licensing model. It's never the lesser evil, but I digress...

The situation is simple. The health provider is using software without a license, and the software developer refuses to issue a license. To draw an analogy, this is really little different (legally) from a book author who contracted to allow a movie studio to use his work, but now that contract is expired. The raised questions are a little more difficult, calling into question the very nature of software as a copyrightable work.

It has long been held that executing software necessarily involves copying (from disk to memory) and often modifying (in memory) the program code, and usually produces derivative works (the output). Those actions are restricted by copyright laws, and that's what you get a license for. Open-source licenses don't really change that legal standard; they just offer perpetual licenses as the norm. Without the license, it is perfectly reasonable (from a legal perspective) that the health provider would need to stop using the software. However, it may be possible that even migrating off of the platform requires those rights, so to require the health care provider to entirely cease using the copyrighted code may be unconscionable, as it causes an inordinate expense to move to something else. On the other hand, the choice to not upgrade earlier was the health care provider's, so it wasn't an act of bad faith on the software vendor's part, and wasn't unfair when the contract was written.

From the perspective of legal precedent, forcing the vendor to provide ongoing licenses would imply that license contracts no longer necessarily expire at the end of declared terms. That would mean that creation of a copyrightable asset also becomes a liability, as licensing a piece of intellectual property may make one beholden to the customer without knowing the contract balance up front. As an alternative, allowing a legal classification for "abandonware", as so many Slashdotters are calling for, is a legal minefield. To use the earlier literary analogy, should an author's characters and stories be open for anyone to use, just because the original stories are no longer being actively published at a particular moment?

Despite Slashdot's knee-jerk reaction, the answers are subtle and nuanced. Whatever happens needs to fairly balance the needs of a high-risk consumer who made poor decisions, with a high-risk producer who is refusing to accommodate a customer. I look forward to a court's decision, and fully expect that Slashdot will fail to report on it.

Comment Re:The problem with doing this... (Score 3, Informative) 30

I've worked in infosec. You couldn't be more wrong, but I'm quite happy that you are.

Infosec is one of those fields where, if you do everything right, nobody knows you're doing anything. You write the GPOs, balance user needs and security guidelines, and provide secure alternatives to user-developed horrors.

The infosec team brought you your corporate WPA2-protected wireless network, without requiring you to do anything other than connect to it. The infosec team has selected encrypted USB drives for corporate IT to hand out, rather than asking you to find your own. The infosec team rolled out the new filtering policy that blocked an emailed ransomware attack.

Those are the blue teams.

Then there are the red teams. Those are the penetration testers, who do everything that would be illegal... except the relevant laws all have a clause that says "without authorization", and they have authorizations. Nobody likes to talk about the pre-testing meeting where the boundaries are discussed and targets are defined. Saying you discuss attack vectors and target environments isn't as awesome as saying you hack into highly-secured top-secret government computers and get paid for it. That's also a part of the infosec field, though.

There are rock stars in any field. There are some folks who want to get their name out there, thinking that's the best way to a lucrative consulting job, just like there are software developers who think that writing a shiny new smartphone game will get them a job at Google. Maybe it works, and maybe it doesn't, but for those of us who would rather have a steady job doing boring information security, where every day you can actually see the mitigations working and the attacks getting blocked, infosec is still a great career choice.

Comment Re:without fear of prosecution (Score 4, Informative) 30

It should be noted that vulnerability reporting is almost always without fear of prosecution, unless you actually committed a crime.

Testing the vulnerability is usually a crime.

Exploiting the vulnerability just to show how it works? Also a crime.

Breaking other unrelated laws to figure out the vulnerability? Also a crime.

Using social engineering to get access to a system where you think there's a vulnerability? Probably also a crime.

I'm not saying it's right, but it's the reality. What's not a crime is figuring out (through lawful means) what platform a service runs on, and setting up your own similar configuration or otherwise conducting hands-off research, then using that to determine candidate vulnerabilities, then reporting those for validation.

Comment Re:makes no sense (Score 1) 176

I can't see any possible way that legally prescribed and obtained drugs can be used to prosecute someone, and I don't care if they are abusing them.

"Legally prescribed" and "legally obtained" are not necessarily the same. If you have four doctors in four states prescribing you the same medication because you're reselling them, that's illegal (being obtained under false pretenses), even though each individual prescription might be legal within its state (good faith by the doctors). As for a fishing expedition, the government is actually only explicitly prevented from "unreasonable searches". If law enforcement can lawfully see something (like, for instance, if you openly dispose of a suspiciously large number of prescription bottles), they can use that evidence against you.

Similarly, they are now asking for lawful access to the databases to find suspicious prescriptions. Even if the database access is legal, it would not be direct evidence of a crime. Rather, it would be probable cause, usable to get a warrant to do more thorough searches.

We're sure that a high number of picture messages translates to a high probability of nude selfies.

...but that's not likely probable cause. You'll need to do better than that to convince a judge.

Let's just grant ourselves the ability to access everyone's phone GPS data all the time just in case someone might be ignoring the speed limits. Too bad if Speedy wasn't the one operating the vehicle at the time you saw his GPS showing 75 in a 70 zone.

This one's closer, but to actually accuse someone of a crime, all of the crime's conditions must be proven to the court. Proving that Speedy was operating the vehicle will turn out to be rather difficult, and the case would be dropped.

See where your argument starts to fall apart? If you turn a blind eye to government over-reach because you find the crime they're chasing to be abhorrent, then soon they are granting themselves permission to do all sorts of other things.

I'm not suggesting any blind eyes. I'm suggesting that the justice system is actually fairly robust, and can stop most abuses, as it has for the last 250 years or so. It is, of course, constantly improving, and I am not suggesting it is perfect.

The slippery slope argument isn't trotted out so frequently because it's untrue.

Yes, actually, the Slippery Slope Fallacy is very much untrue. It is only valid in cases where a positive feedback mechanism is well-defined and with no interruption mechanism, but that's very rare in practice. In all of the examples you've given here, there are existing mechanisms in place to make abuse difficult, and prevent punishing an innocent person. That's the interruption mechanism. There's also no reason to assume that allowing the government to pursue one crime will result in bypassing the debate for their power to pursue other crimes, so there's no positive feedback.

Comment Re: This isn't a big deal, it's fucking huge. (Score 1) 86

Well, yes. Those regulations are important, and regulatory compliance is part of what must be considered when finding an appropriate implementation.

As with all regulations, get a lawyer to determine exactly what is or is not necessary. I'm not an expert on the EU laws, but I wouldn't be surprised to find that they specifically exempt lawful searches by law enforcement personnel having jurisdiction, which would permit the US government to see your US-hosted data.

Those regulations may also be a reason to segregate your data. If it's cheaper to use a US-based cloud provider, you may be able to host only your private data in the EU in compliance with privacy laws, while hosting other assets with the cheaper American provider, reducing overall expenses.

Then again, maybe the simplicity of having everything in one place is the cost-effective option, with the labor savings outweighing the expense of having unnecessary protection.

I never said the analysis would be easy. I said it must be done. Nobody else can make your decisions for you and your data.

Comment Re:This isn't a big deal, it's fucking huge. (Score 1) 86

I think you've missed the point.

Without defining the boundaries of what is "secure", you can't say something is "insecure". You have to determine what level of risk is acceptable to be "secure" before you start deciding that certain implementation options are "insecure".

To hijack your particular example, I could argue (with a suitable amount of paranoia) that Google, Microsoft, and DropBox could all inject malware into their client software to harvest encryption keys from your computer. You could put the keys on another server, but that would only add a layer of protection that a well-compensated mole could bypass.

Of course, that's rather ridiculous. We generally assume that Google, Microsoft, and DropBox are extremely unlikely to embed key-harvesting malware in their software, so we accept that remote risk and say their services are secure. By extension, then, any service that isn't compatible with client-side encryption is "insecure" in comparison.

Reining in the paranoia further, we must consider the sensitivity of the data being protected. For example, what is the actual risk that Google, Microsoft, or DropBox will be compromised (internally or externally) to access our data? Perhaps we're storing prototype designs. If stolen, there would be a business impact, but no regulatory or legal impact, and customers wouldn't be affected. In that case, it may not be worth the expense and hassle to require end-to-end encryption. While the risk is indeed higher than the fully-encrypted scenario, the risk is low enough that we can still consider the implementation to be "secure" against reasonable threats.

Leaving paranoia behind entirely, I'll reuse the example from my earlier post: a company's archive of already-released press releases. In this application, having information available to the public is a good thing, as surely you would want your company's legacy to be available for any positive public relations. Obviously, if the data is released (again), there is no negative impact to investors, customers, or your business. A cheap hosting provider may be the best option, even if their security only goes so far as a contract promising that if your repository is hacked, they'll pay for damages.

The problems with outsourcing come from a failure in properly assessing risk, or applying an existing implementation to something with different impact. For example, dropping medical records on a preexisting public-facing FTP site would be grossly insecure, but it's secure enough to use that public FTP site to host blank forms for patients and other agencies to download (and return via secure channels).
