
Comment Re:Sucked out of an airplane? Not likely (Score 4, Informative) 236

Mythbusters tested a small bullet hole in a pressurized fuselage. The thing about pressure is it's a force per unit of area. So the larger the opening, the larger the forces involved (until the pressure is equalized). So something as small as a bullet hole doesn't result in large forces.

Aloha Airlines flight 243 lost the forward section of its fuselage. The flight attendant standing in row 2 near the front of the failed section was hit in the head by debris and fell to the floor. The flight attendant standing in row 5 near the rear of the failed section, with all the force of the cabin air behind her, was blown out by the decompression.

Airline fuselages are designed to suffer decompression only in a small section. You literally design weak sections surrounded by a lattice of strong sections, so a crack or failure cannot unzip the skin around the entire plane as it did in Aloha 243. The failure aboard Aloha is suspected to have started on the left side (one of the passengers noticed a crack by the door while boarding). And the theory is the crack failed, producing a small hole. The flight attendant was blown towards the hole by outrushing air, and her body momentarily plugged the initial hole. This caused a pressure hammer: the air behind her rushing forward towards that hole blew out the entire forward cabin overhead.

Comment Revoke slashdot.org's certificate ! (Score 2) 238

and very few people would check EV

That's why some browsers like Firefox check it for you and display it right in the URL bar.
You can't miss it.

What you really need is the domain registrars to check that if sites are being registered that are similar to a company name or trademark that they have a legitimate right to use that name.

Hey, then you need to ban slashdot.org, because its name is similar to Slash. Or to DJ Slash. Or to Fatboy Slim's song.

The problem with "check that if sites are being registered that are similar to a company name or trademark" is that it's a complex task requiring some thinking, and it's not trivial to automate for absolutely free (and in a way that won't be trivially circumvented by attackers).
It goes beyond the point of Let's Encrypt (whose point is, as the name indicates, just to make encryption available).

Or build a chain-of-trust system where people can blacklist a bad domain by voting it down

Which isn't an easy task to do (how many - outside of /. - use PGP on a regular basis?). Chain-of-trust systems aren't easy.

Blacklists aren't silver bullets either: an attacker could still bank on a quick attack, trying to scam as many users as possible before getting flagged.
(See all the "software to make a millionaire out of you on binary option sites!" scams that are popping up everywhere. A site costs under a couple of hundred in stock photos / fiverr actors / ad promotion to set up, and can manage to make a few thousand selling snake oil before getting reported and shut down.)

Neither of them have anything to do with HTTPS.

Which brings us back to the point: Let's Encrypt's purpose, as its name implies, is to bring the S in HTTPS and nothing more.
It's not their job to solve the certification of ownership in an easy way.

Comment Business model of a free site ?! (Score 2) 238

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's Encrypt is a free (price as-in-beer, code as-in-speech) service. They don't have a business model.

They have a purpose (the same as CACert, by the way), to issue simple certificates that can verify that "blah.com" is indeed "blah.com".
(As opposed to some man-in-the-middle attacker masquerading as "blah.com" using a different 3rd-party server.)

They do not certify anything else, and indeed that shows in the certificate's fields: this certificate doesn't certify any organisation name.

This is even reflected in some browser's URL bar.
e.g.: in Mozilla's Firefox.

- Go to a "Let's Encrypt" website (like here on /.) or one certified by CACert:
you only get the green padlock (sign that the communication is encrypted) and no other indication.
Let's Encrypt only checked that slashdot.org is indeed slashdot.org, but didn't check anything regarding ownership.
(it might as well be someone trying to impersonate Slash, DJ Slash or Fat Boy Slim)

- Go to PayPal:
in addition to the padlock, you get an indication that the certificate certifies that the server is owned by PayPal Inc.
(Symantec actually checked that PayPal Inc is indeed own

Issuing a certificate to BobsCarRepair.com is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

Even further: it doesn't even certify that the owner of the website is someone called Bob. It only certifies that it is indeed bobscarrepair.com.
It might as well be owned by Alice, for all you know.
It only certifies that Eve isn't wiretapping you when you give your credit card number to buy parts.

However, issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

Nope.
There's a difference between guaranteeing a secure channel (against 3rd-party eavesdropping)
and guaranteeing identity.
These are 2 different concepts.
Let's Encrypt only takes care of the first one and has never ever hoped to tackle the second problem. They DO NOT certify owners; this field is intentionally left blank on their certificates.

The point of Let's Encrypt (as its name says) is that encryption becomes the norm on the web. In order to avoid massively stupid blunders, like the dead easy identity theft demonstrated by FireSheep.

That's something that CAN BE achieved for free, on a massive scale, like Let's Encrypt and CACert are doing.

There's no realistic way that Let's Encrypt could in any way confirm owner identity for free on this massive scale.

That's something which is very easy to understand for people who have some basic knowledge of security.

Sadly, sheeple are stupid. So you need to educate them and try to find ways to make them understand.
(e.g.: the above-mentioned "show certified owner in the URL bar if provided" that Firefox is doing).

But sapping efforts like "Let's Encrypt", which are providing a very valuable service (bringing the availability of HTTPS, TLS/SSL, etc. on a massive scale), simply because some idiot can't tell the difference between "protection against 3rd-party eavesdropping" and "identity of the owner", is counter-productive.
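The two Let's Encrypt comments above turn on one concrete fact: a domain-validated certificate's Subject names only the host, while an EV certificate's Subject carries organisation and jurisdiction fields that the CA has checked. The Python below is an added example, not code from either commenter or from Let's Encrypt: it DER-encodes two constructed Subject names by hand (a CN-only DV subject and an EV-shaped subject filled with placeholder values, not a real PayPal certificate), parses them back with a minimal DER reader, and reports what each one actually asserts. Browsers grant EV treatment from the certificate's policy OID rather than from Subject fields alone, so `classify_subject` is a view of the subject's claims, not a substitute for that check.

```python
"""Inspect what an X.509 Subject asserts.  Added example, not from the
original comments; all subject values below are constructed placeholders."""

# X.520 attribute types plus the CA/Browser Forum jurisdiction OID used in EV subjects
OID_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.5": "serialNumber",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}
NAME_OIDS = {name: oid for oid, name in OID_NAMES.items()}

# Subject fields an EV certificate must carry; a DV subject carries none of them.
EV_REQUIRED = {"O", "businessCategory", "jurisdictionCountryName", "serialNumber", "C"}

# Constructed samples: the DV subject is what a Let's Encrypt or CAcert certificate
# asserts (a host name, nothing about who runs it); the EV one uses placeholder values.
DV_SUBJECT = [("CN", "slashdot.org")]
EV_SUBJECT = [
    ("businessCategory", "Private Organization"),
    ("jurisdictionCountryName", "US"),
    ("serialNumber", "0000000000"),        # placeholder registration number
    ("C", "US"), ("ST", "California"), ("L", "Example City"),
    ("O", "Example Payments, Inc."),        # placeholder organisation
    ("CN", "www.example.com"),
]


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_subject(attrs):
    """Name ::= SEQUENCE OF RDN; each RDN is a SET holding one AttributeTypeAndValue.
    Values are written as UTF8String (0x0C); the decoder also accepts PrintableString."""
    rdns = b""
    for name, value in attrs:
        atv = _tlv(0x30, encode_oid(NAME_OIDS[name]) + _tlv(0x0C, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_subject(der):
    """Parse a DER Name back into (attribute, value) pairs in DN order."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn_set, pos = _read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _read_tlv(rdn_set, inner)
            _, oid_body, after_oid = _read_tlv(atv, 0)
            value_tag, value_body, _ = _read_tlv(atv, after_oid)
            if value_tag not in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
                raise ValueError("unsupported string type 0x%02x" % value_tag)
            oid = decode_oid(oid_body)
            attrs.append((OID_NAMES.get(oid, oid), value_body.decode("utf-8")))
    return attrs


def classify_subject(attrs):
    """'DV': host name only; 'OV': an organisation is named; 'EV': all EV fields present."""
    names = {name for name, _ in attrs}
    if EV_REQUIRED <= names:
        return "EV"
    return "OV" if "O" in names else "DV"


if __name__ == "__main__":
    for label, subject in (("DV", DV_SUBJECT), ("EV", EV_SUBJECT)):
        decoded = decode_subject(encode_subject(subject))
        print(label, "->", classify_subject(decoded), decoded)
```

Running the script prints the DV subject as a single CN and the EV subject with its organisation, registration number and jurisdiction, which is exactly the difference the comments describe between the plain padlock and the "owned by PayPal Inc." indication in the URL bar.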

Comment Yes you do (Score 1) 319

You're assuming the charge here is for a failed upgrade. The charge is for a failed forced upgrade. If Microsoft had informed users with a list of new features, what would happen in the upgrade process, and a disclaimer outlining the risks present in any upgrade, I think they would've been ok.

But they didn't do that. They did nearly everything they could to force the Win 10 upgrade down people's throats, including misclassifying it as a security update, constantly pestering people who had already said they didn't want the upgrade, and breaking long-established UI paradigms like clicking the X to dismiss a dialog, to make it the same as clicking OK. Once you inadvertently authorized the upgrade, the computer would often upgrade on its own overnight without user intervention. No information, no disclaimers. If that's how you're going to treat your users, then you deserve to be fully liable for all the problems your shenanigans cause.

OSS is fine because using it is completely voluntary. An OSS project might get into trouble if, say, Ubuntu forcibly upgraded pre-existing Ubuntu systems using sysv init to systemd. But no OSS project would be crazy enough to try that with pre-existing systems. The only reason Microsoft did it was because they knew software lock-in would prevent most users frustrated by their shenanigans from fleeing to a different OS.

Comment Ya, and that will hold up... not (Score 3, Informative) 319

Here's the deal: All proprietary software has that in there as well. Every piece of software has an EULA that says they are responsible for nothing. Have a look at the MS EULA if you wish, there's all kinds of shit that supposedly limits liability, requires arbitration, etc, etc https://www.microsoft.com/en-u....

You can say it all you like, doesn't make it true. I can write an EULA saying "By using this software you agree I get to take your first born child," and yet if I tried, I'd still go to jail because just saying it in an EULA doesn't make it so. You can't disclaim all warranties, all damages, etc by law. For some info on it look up the Uniform Commercial Code.

Ok, well, all that aside, when it comes to an issue like this courts are not known for applying the law one way in one case, and a different way in another. They don't say "Oh we like this nice OSS" and give it one rule and "We don't like this mean commercial software" and give it another. Thus if courts find that software makers are liable for incidental data loss then it will apply to ALL software. OSS has no special get-out clause. You don't get to have it both ways where OSS gets a magic liability shield just by putting something in a text document but commercial EULAs aren't worth the bits used to store them.

In fact, OSS will be MORE vulnerable. Commercial companies have lawyers to help them wrangle out of things. They also can always go the real contract route, where you sign an actual contract up front with them before buying (you see this with some enterprise software) which can enforce more stringent terms. OSS that is just distributed on the web doesn't have all that.

Comment You don't want this to succeed (Score 4, Insightful) 319

Even if you are a rampant MS hater, this would set a really bad precedent: That software companies could be liable for data loss caused by things only incidentally related to their software. Talk about a ripe field for bullshit lawsuits.

Don't think OSS would be immune either. The argument of "but I didn't charge for it" doesn't eliminate liability. In fact, it would be something companies could use to try and bully OSS out of existence through bullshit lawsuits.

Submission + - Judge OK's Petition for America's First 'Genderless' Person (heatst.com)

schwit1 writes: By Jillian Kay Melchior | 12:33 pm, March 25, 2017. A Portland student has become the first American to gain legal designation as “genderless”, following a ruling by a Multnomah County judge.

The March 10 decision, reported for the first time on Thursday, involved a 27-year-old who was born male but claimed to identify with no gender whatsoever. Judge Amy Holmes, who approved the petition, also last year approved a “non-binary” gender designation for another Portland resident.

The 27-year-old formerly known as Patrick Abbatiello, now legally designated agender, also got legal approval to change names, now going only by “Patch,” no surname. That name also serves as a pronoun, Patch explained to the local NBC affiliate this week.

Comment This is such a bad argument (Score 2, Interesting) 151

Every time there's a story about OSS software being less than perfect, someone always trots this tired crap out. "Oh if it isn't what you want you can just fix it!" That is complete bullshit and you should know it. If you don't, you are hopelessly naive.

First off, most people are not programmers and many do not even have the requisite problem-solving, analytical, and mathematical skills to become one. If you aren't a programmer, you can't just go and fix software. Becoming a programmer isn't magic either; you don't go and read a book and then you are good. It takes years of experience to get proficient, and decades to really master, and is something you need to spend a lot of time on. If you think you are some hot-shit programmer and you "picked it up just by reading" and "just do it in your spare time" then guess what? You aren't near as good as you think you are.

Second, even if someone is a programmer they may not have the requisite skills or knowledge to deal with a piece of software. Not all software is created equal, not all problems are the same to solve. Someone might be a programmer who's actually pretty good, but knows about making database code because that's what they do. However if they are trying to implement an algorithm for processing audio they might be lost because they don't understand how that works, it is another set of knowledge.

Finally, even if someone does have the skills, knowledge and experience to do it, maybe they just don't want to spend the time. We all have only so much time to spend in a day, maybe they are not interested in dropping a bunch of time to fix something that is to them just a tool. They'd rather pay to have one that works and spend their time on other shit.

So knock it off with the "oh it is open just do it yourself" crap. That is extremely silly, and you know it.

Comment What videos exactly? (Score 3, Insightful) 283

I've yet to see a single link to one of these "hate videos" that supposedly has these companies so pissed. While I've no doubt that there are hateful videos on Youtube (there are pretty much ALL KINDS of video on Youtube), are they actually citing specific videos here, or just reacting to vague reports that OMG! there may be some assholes on Youtube (clutch the pearls!!)?

Comment Re:Parity? Really? (Score 1) 520

Do you think the lawyers reading the ACA legislation and the children reading Harry Potter are equal?

I'm pretty sure lawyers' reading skills outpace those of Harry Potter-age children.

Plus, the lawmakers are being very well-compensated to read legislation. It's like their one fucking job, you know?

If Trump and the GOP couldn't unravel the 3500 page health care law, how are they going to pull off reforming the tax code, which ran like twenty-three volumes (without addendums) back in the 1990s? That's not counting the judicial precedents which are now law. Hell, there's like several hundred pages of law that just governs the taxation issues related to owning racehorses.
