
Comment Service processor (Score 1) 245

It's a service processor. No big deal in itself, we had them as far back as mainframes go. The VAX-11/780 I worked on/with in college in the early 80s had a small PDP-11 (an LSI-11/23) in the bottom as a service processor. I'd be more worried about a much more direct avenue of attack: microcode updates. Every Windows system and most Linux boxes include the packages to take the latest firmware updates from Intel and AMD and download them into the CPU during system boot. If Intel wants to put something malicious into the chip, all it has to do is issue a firmware update with it and it'll get near-100% coverage. If a bad guy has the keys to sign an IME binary, they also have the keys to sign a firmware update.

Comment More likely idea: unbalanced and violent (Score 1, Troll) 404

More likely than "radicalization" is that he was simply someone with mental problems and a history of spousal abuse and violent behavior who bought into the current rhetoric (originating from Trump, Cruz, Limbaugh and other extreme right-wing sources) against the LGBT community. In his eyes it gave him an excuse to do what he wanted to do, and now we have to clean up the mess.

Comment Re:FrAgile (Score 1) 145

The problem is that in waterfall both the requirements and the timeframes are set by product owners and sales, with developer estimates of the time needed being ignored. Which is what results in developers getting fed up and deciding that "I'm willing to be accountable for meeting my estimates, meeting your estimates is your problem".

As far as having no product vision or plan, reality is that you can have a very solid product vision and plan and it'll still turn out part-way through that your customers simply don't want what you envisioned and planned on and you're going to have to change your vision and plan. That's what usually causes requirements changes, and the business has to react to that because there's no future for a business selling something the customer doesn't want to buy.

Comment Who thought it was ever a good idea (Score 4, Insightful) 132

I want to know who at Tinder thought it was a good idea to allow that age range any access at all in the first place. I know why they thought it was, but I can't imagine the idea ever ending well no matter what restrictions were placed on it (at least as far as the law's concerned anyway, I'm sure the kids thought it was a dandy idea but they don't get a say in that).

Comment PasswordSafe (Score 1) 637

I delegate creating passwords to PasswordSafe. The current standard policy is 15 characters, requires at least 2 lowercase letters, 1 uppercase letter, at least 1 symbol. The password database is backed up and available to my devices via a server I control. I've been steadily increasing the password length as hardware improves.

Comment HTTPS is that hard to do? (Score 1, Interesting) 96

I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.

Comment Coding, or programming? (Score 5, Insightful) 515

I learned to code first in classes in high school (BASIC, FORTRAN, COBOL, Pascal) and then by reading the relevant books or documentation (C, C++, Lisp, Icon, Java, C#, Perl, Python, Ruby, PHP, JavaScript et al.).

The more interesting question is where developers first learned to program (a completely different skill from coding). IMO we don't need to teach children to code, we need to teach them to program. Which means first teaching them to approach problems logically and analytically, which is going to cause the loss of about 75% (my guesstimate) of the educational establishment when they can't deal with students who know how to analyze material, do independent research and call teachers on incorrect classroom material.

Comment Not user-posted content at issue here (Score 5, Insightful) 383

The liability isn't being created by user-posted content in this case. It stems from the site actually knowing about the actions of some users and failing to give notice when it could foresee that that failure would put other users at risk. It's the same principle that says that if I know of a danger on my property and fail to post notice of it or take steps to keep people out I'm liable if someone gets hurt by it. Section 230 never comes into play.

Comment Re:Air-gap (Score 1) 41

The big threat isn't that, it's a vulnerability in a server program on the zwave network that provides data from the devices that can be exploited to let you execute code on that device. Now you can load a program onto it that, rather than doing its normal job, can connect to any of the PCs that can see that data. The PCs will see an internal connection which bypasses the router's firewall and quite possibly the PC's individual firewall if like most people you've told your PCs they're on a home network and can trust other local computers. Being able to do that only if you already have access to the inside of the house isn't particularly risky, the set of potential attackers is pretty limited. Being able to do that via WiFi, OTOH, means anybody driving by on the street could attack you and that's a whole 'nother order of risk.

Comment Air-gap (Score 3, Informative) 41

Proper setup for IoT: wired networking (via powerline is probably the easiest), no WAN access. Vulnerabilities can still be exploited, but the attacker has to be inside your house to do it. A compromised PC could be used to stage an attack, but if they've compromised your PC they can control the devices directly if those are the targets and if the PC's the target they don't need to compromise the devices at that point.

For the wireless fans, I have bad news: there isn't any safe way to access IoT devices over WiFi. The connectivity-at-a-distance nature and lack of interface to configure encryption/authentication keys on the devices makes it inherently impossible.

Comment IBM PC BIOS (Score 2) 243

I'd love to see IBM take a swing at this one, seeing as the original decision that allowed non-IBM PC-compatible machines to be created turned on the question of whether creating a BIOS that exposed the exact same interface as IBM's BIOS infringed on IBM's copyright if all other code could be proven to be entirely original. Under this decision the answer would be "Yes.", and IBM would be owed damages for every single PC created using a non-IBM BIOS that had any trace of the legacy BIOS API in it (at a minimum every BIOS that wasn't completely UEFI-only).

It might also be entertaining to analyze the effects of this ruling on Oracle's use of GPL- and LGPL-licensed glibc and kernel header files in their products that run on Linux. Neither license quite directly addresses the question of copying copyrighted API declarations into object files and executables. They address linking of various sorts, and copying into source code, but this particular aspect's deemed outside the scope of the license and thus not addressed.

Comment Doesn't detect bugs (Score 1) 122

It sounds like this method doesn't identify bugs, it identifies sections of code where the programmer was under stress. Those are likely candidates for sections of code where bugs can occur, but the developer likely already knew that. It doesn't help at all in figuring out exactly what errors there are in that stretch of code, and it won't help in deciding where to test because you should already be testing all the code. If you aren't, you've got bigger problems than merely bugs in the code and you likely won't be taking advantage of this technique either. Basically, it's yet another management idea that sounds good but doesn't fix the actual problem.

Comment Re:Note to self: (Score 1) 224

Better yet, use a password which gives more combinations than a PIN code. As for storing information, Android does include that functionality in the form of device encryption. You have to enable it, but it's certainly there. Communication... S/MIME encryption should already be supported by the email app and doesn't require any intermediate servers to know your key.

For real-time chat 3rd-party apps are the only solution. I'm still looking for one based around X.509/SSL certificates, though. I don't trust home-baked encryption and none of the apps out there seem to want to discuss the details of what's underneath their promises.
