
Comment Revoke slashdot.org's certificate ! (Score 2) 230

and very few people would check EV

That's why some browsers like Firefox check it for you and display it right in the URL bar.
You can't miss it.

What you really need is the domain registrars to check that if sites are being registered that are similar to a company name or trademark that they have a legitimate right to use that name.

Hey, then you need to ban slashdot.org, because its name is similar to Slash. Or to DJ Slash. Or to Fatboy Slim's song.

The problem with "check that if sites are being registered that are similar to a company name or trademark" is that it's a complex task requiring some thinking, and it's not trivial to automate for absolutely free (and in a way that won't be trivially circumvented by attackers).
It goes beyond the point of Let's Encrypt (whose point is, as the name indicates, just to make encryption available).

Or build a chain-of-trust system where people can blacklist a bad domain by voting it down

Which isn't an easy task to do (how many - outside of /. - use PGP on a regular basis?). Chain-of-trust systems aren't easy.

Blacklists aren't a silver bullet either: an attacker could still bank on a quick attack, trying to scam as many users as possible before getting flagged.
(See all the "software to make a millionaire out of you on binary option sites!" scams that are popping up everywhere. A site costs under a couple of hundred in stock photos / fiverr actors / ad promotion to set up, and can manage to make a few thousand selling snake oil before getting reported and shut down).

Neither of them has anything to do with HTTPS.

Which brings us back to the point: Let's Encrypt's purpose, as its name implies, is to bring the S in HTTPS and nothing more.
It's not their job to solve the certification of the owner in an easy way.

Comment Business model of a free site ?! (Score 2) 230

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's encrypt is a free (price as-in-beer, code as-in-speech) service. They don't have a business model.

They have a purpose (the same as CACert, by the way), to issue simple certificates that can verify that "blah.com" is indeed "blah.com".
(As opposed to some man-in-the-middle attacker masquerading as "blah.com" using a different 3rd server).

They do not certify anything else, as indeed the certificates' fields show. This certificate doesn't certify any organisation name.

This is even reflected in some browser's URL bar.
e.g.: in Mozilla's Firefox.

- Go to a "let's encrypt" website (like here on /. ) or one certified by CACert :
you only get the green padlock (sign that the communication is encrypted) and no other indication.
let's encrypt only checked that slashdot.org is indeed slashdot.org, but didn't check anything regarding ownership.
(it might as well be someone trying to impersonate Slash, DJ Slash or Fat Boy Slim)

- Go to paypal :
in addition to the padlock, you get an indication that certificate is certifying that the server is owned by PayPal Inc.
(Symantec actually checked that PayPal Inc is indeed own

Issuing a certificate to BobsCarRepair.com is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

Even further: it doesn't even certify that the owner of the website is someone called Bob. It only certifies to you that it is indeed bobscarrepair.com.
It might as well be owned by Alice, for what you know.
It only certifies that Eve isn't wiretapping you when you give your credit card number to buy parts.

However, issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

Nope.
There's a difference between guaranteeing a secure channel (against 3rd-party eavesdropping) and guaranteeing identity.
These are 2 different concepts.
Let's encrypt only takes care of the first one and has never ever hoped to tackle the second problem. They DO NOT certify owners; this field is intentionally left blank on their certificates.

The point of Let's Encrypt (as its name says) is that encryption becomes the norm on the web. In order to avoid massively stupid blunders, like the dead easy identity theft demonstrated by FireSheep.

That's something that CAN BE achieved for free, on a massive scale, like Let's Encrypt and CACert are doing.

There's no realistic way that let's encrypt could in any way confirm owner identity for free on this massive scale.

That's something which is very easy to understand for people who have some basic knowledge of security.

Sadly, sheeple are stupid. So you need to educate them and try to find ways to make them understand.
(e.g.: the above mentioned "show certified owner in the URL bar if provided" that Firefox is doing).

But sapping efforts like "Let's Encrypt" which are providing a very valuable service (bringing the availability of HTTPS, TLS/SSL, etc. on a massive scale), simply because some idiot can't tell the difference between "protection against 3rd party eavesdropping" and "identity of the owner", is counter-productive.
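The distinction the two comments above draw (a DV certificate binds a name to a key and says nothing about who operates the site; an OV/EV certificate additionally carries a verified organisation) can be seen directly in the certificate's subject fields. The following is an added example, not code from the original posts: two certificate dicts, constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns (the CA and organisation names in them are made up), plus a name check and a classifier that reports what the certificate actually asserts.

```python
"""Classify a certificate as domain-validated (name only) or as carrying a
verified organisation, and check that the name actually matches.
Added example; the two certificate dicts are constructed in the layout of
ssl.SSLSocket.getpeercert(), they are not real certificates."""

# Constructed: the shape of a Let's Encrypt-style DV certificate.
# Note the subject carries only a commonName: no organizationName at all.
DV_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("organizationName", "Example DV CA"),),
               (("commonName", "Example DV Intermediate"),)),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
}

# Constructed: an organisation-validated certificate with identity fields filled in.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "San Jose"),),
        (("organizationName", "Example Payments Inc."),),
        (("commonName", "www.example-payments.test"),),
    ),
    "issuer": ((("organizationName", "Example Commercial CA"),),
               (("commonName", "Example OV Intermediate"),)),
    "subjectAltName": (("DNS", "www.example-payments.test"),
                       ("DNS", "example-payments.test")),
}


def subject_fields(cert):
    """Flatten the nested RDN tuples into a plain dict of subject attributes."""
    return {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}


def dns_names(cert):
    """Names the certificate is valid for: the DNS SANs, falling back to the CN."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject_fields(cert):
        names = [subject_fields(cert)["commonName"]]
    return names


def _label_match(pattern, hostname):
    """One leading wildcard label only, and it never matches the bare domain."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def name_matches(cert, hostname):
    """This is everything a DV certificate guarantees: the name fits the key."""
    return any(_label_match(p, hostname) for p in dns_names(cert))


def validated_identity(cert):
    """The verified organisation, or None for a DV certificate.
    A missing organizationName is exactly the 'field left blank' the comment
    refers to: the CA asserted nothing about who runs the site."""
    return subject_fields(cert).get("organizationName")


def describe(cert, hostname):
    """Human-readable summary of what the certificate does and does not assert."""
    if not name_matches(cert, hostname):
        return "name mismatch: certificate is not for %s" % hostname
    org = validated_identity(cert)
    if org is None:
        return "DV: channel to %s is authenticated, owner unknown" % hostname
    return "OV/EV: %s, operated by %s" % (hostname, org)


if __name__ == "__main__":
    print(describe(DV_CERT, "www.example.org"))
    print(describe(OV_CERT, "example-payments.test"))
    print(describe(DV_CERT, "login.example.org"))
```

A DV certificate that passes `name_matches` has done its whole job: Eve is not in the middle. Whether the name belongs to Bob, Alice or an impersonator is answered only when `validated_identity` returns something, which is the case the browser surfaces as the organisation name next to the padlock.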

Comment Re:Hit Job on Google? (Score 3, Interesting) 278

No, News Corp has been doing this for years. The reason is Murdoch thinks Google and Google News specifically is killing the news industry, and that the iPad will save it (or at least he thought that a few years ago). It's pure inter-corporate warfare being played out through manipulation of public opinion. The WSJ in particular are experts at it.

Comment Different level (Score 4, Informative) 98

I suggest you read up on what sudo is capable of. You can easily set up sudo via its configuration file (/etc/sudoers) so that it will allow users that require elevated privileges (eg. Database and Web Administrators) to do their work without needing root access.

The parent poster was referring to a different approach to security.

With sudo, you set up a list of commands that a database or web admin can run.
You limit user access by restricting which commands the user can run. But said commands will be run with root privileges.
In case of a bug in the command, you could use it for privilege escalation (*you* were only restricted to run this command, but *this command* runs as root and could do anything).

What the parent refers to is more closely related to the various "CAP_*" capabilities used in the Linux kernel.
i.e.: even if you run a command as root, that command would never, even in the case of a bug, reconfigure the network interface, because the corresponding CAP_{blah} capability isn't enabled.
By carefully crafting a very precise set of capabilities that you hand out to administrative programs, you make sure that they only do what they are supposed to do, even if an attacker manages to find a way to force a program running as root to do arbitrary actions.

(It's a bit similar to how some smartphone apps come with a whitelist of API calls that you need to validate before installing: "can access your contacts list", "can access your webcam", etc. Even if the weather app gets hacked, it can never be used to spy on you, because it's not whitelisted to access your mic and your cam... Well, except that nowadays every single last app seems to be obliged to ask access for nearly anything (Hey, now your Weather app can automatically recognise the city you're travelling into simply by flashing the QR code of your travel ticket! Needs cam privileges!).
Under Linux the same granularity exists, except that this is done at the kernel API level, instead of the Java user libraries like on Android.)

In the past few years Windows has been implementing similar restrictions. That's what the poster was referring to.

On Linux, the facility to apply this kind of control exists in the kernel too (the various capabilities). But there isn't much software using them. I only know of SELinux and AppArmor. And they are not used system-wide, but only to put specific software into cages (that software for which they have rulesets).

I think this is due to the fact that the basic user/group access rights of Unix can already provide quite some security if you take the time to organise enough granularity in your groups and memberships, instead of making everything restricted to root-only and thus needing to be root for nearly any action.

(Because of the Unix philosophy, lots of things are represented in Unix as files. Therefore, lots of the actions controlled by capabilities can be mapped to file accesses (e.g.: to device files in /dev/). Putting correct group access on files can achieve the same results.
e.g.: a virtual machine might need USB passthrough. One way would be to grant the corresponding capability to it.
The way VirtualBox does it is that it runs as the "vbox" group, and there's a script that hands out USB device nodes with that as group access.)

In practice, distributions such as Debian have been using tons of specific groups to control access to specific resources precisely, years before SELinux was a thing.
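The comment above contrasts sudo (restrict which commands run, but each runs as full root) with kernel capabilities (restrict what a root process can do at all). Whether a process really has been confined is visible in the `CapEff` line of `/proc/<pid>/status`, a hex bitmask. The following is an added example, not code from the original post: it decodes that bitmask into `CAP_*` names (bit positions are the values from the kernel's `include/uapi/linux/capability.h`) and checks a process against a least-privilege policy. The two status snippets are constructed, not captured from a real system.

```python
"""Decode a Linux capability bitmask (the CapEff line of /proc/<pid>/status)
and compare a process's effective capabilities with an allow-list.
Added example; bit positions follow include/uapi/linux/capability.h,
the sample status texts are constructed."""

# Index in this list == bit position in the CapEff/CapPrm/CapBnd masks.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: i for i, name in enumerate(CAP_NAMES)}


def decode_caps(mask):
    """Bitmask -> set of capability names."""
    return {name for name, bit in CAP_BIT.items() if (mask >> bit) & 1}


def encode_caps(names):
    """Set of capability names -> bitmask (the inverse of decode_caps)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def effective_caps_from_status(status_text):
    """Pull the CapEff line out of a /proc/<pid>/status dump and decode it."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(int(line.split()[1], 16))
    raise ValueError("no CapEff line in status text")


def excess_caps(process_caps, allowed):
    """Capabilities the process holds beyond what its policy allows.
    An empty result means a bug in the program cannot reach, say, the
    network configuration: the kernel refuses regardless of uid 0."""
    return set(process_caps) - set(allowed)


# Constructed sample: a plain root shell, all 41 capabilities effective.
FULL_ROOT_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
# Constructed sample: a web server that kept only the right to bind ports < 1024.
WEB_STATUS = "Name:\thttpd\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000400\n"

# Least-privilege policy for the web server (assumption for this example).
WEB_POLICY = {"CAP_NET_BIND_SERVICE"}


if __name__ == "__main__":
    for label, status in (("root shell", FULL_ROOT_STATUS), ("httpd", WEB_STATUS)):
        caps = effective_caps_from_status(status)
        print(label, "holds", len(caps), "caps; excess over policy:",
              sorted(excess_caps(caps, WEB_POLICY)))
```

Run against a live system, the same parser reads `open("/proc/%d/status" % pid).read()`. The mask `0x400` is bit 10, `CAP_NET_BIND_SERVICE`: a daemon started with only that bit set can still listen on port 80 but cannot reconfigure interfaces (`CAP_NET_ADMIN`, bit 12) or load modules, which is the property the comment describes. That is the kind of set you hand out with file capabilities (`setcap`) or via a service manager, instead of a sudo rule that launches the whole program as unrestricted root.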

Comment IPv6 benefits (Score 1) 54

What are the reasons for an ISP to do IPv6?

There are tons of advantages of IPv6 over IPv4.
One of them being a vast supply of addresses (128 bits vs. the overcrowded 32 bits of IPv4).
It's auto-configured (you just plug a device into a network and it automatically gets IPv6 working. Routers directly hand out prefixes, no need to organise stuff through DHCP. In IPv6, DHCPv6 is only used to hand out configuration options).
Every device gets a single address that is routable anywhere on the internet. (No need for NATs, masquerading, and private address ranges).

People still can go to Google with IPv4, so no reason there.

...for now. As IPv4 address space gets depleted you'll soon reach the point where some machines are only IPv6 addressable, and thus some servers can only be accessed over IPv6.

They would need to invest and that is never a nice thing to do.
They need to replace a lot of hardware or at least reconfigure it and that will cost money.

Nope. The whole point of technologies like 6rd is that you deploy IPv6 as a tunnel over the IPv4 infrastructure that you already have.
No new hardware needed (besides the tunnel server), especially not needing to replace the thousands of expensive routers scattered across the city that you cover with your services.

As a business I would also be against it.
I hope I am wrong and somebody can tell me a lot of advantages that would make them money, save them money or a combination of both.

That's the problem with IPv6. There isn't a simple, clear, immediate money benefit. The benefit isn't ultra-short term.
The benefits are instead long-term: IPv4 is an old technology that is slowly reaching its limits (e.g.: number of available addresses) and that requires more and more layers to circumvent (e.g.: NAT to get around address limitations, e.g.: using relay servers in the cloud instead of devices talking p2p with each other, etc.)
From a technological point of view, we are running straight against a wall. But ISPs are complaining that they are not going to make tons of money immediately by switching to IPv6, so they stay on course headed for the wall collision.
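The "routers directly hand out prefixes" point in the comment above is stateless address autoconfiguration: the router advertises a /64, and the host appends an interface identifier it builds itself, classically from its MAC address (modified EUI-64, RFC 4291 appendix A). The following is an added example, not code from the original post, that carries the derivation through with Python's standard `ipaddress` module; the prefix and MAC are constructed documentation values. It also reverses the derivation, which is why MAC-derived addresses are a tracking concern and why most stacks now also use RFC 4941 temporary addresses.

```python
"""SLAAC interface identifiers: modified EUI-64 from a MAC address, the
resulting link-local and global addresses, and recovery of the MAC from
such an address. Added example; values are constructed (2001:db8::/64 is
the documentation prefix)."""
import ipaddress


def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier (RFC 4291 appendix A):
    flip the universal/local bit of the first octet and insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix, mac):
    """Host address formed from a router-advertised /64 and the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac):
    """The fe80::/64 address a host forms before it has seen any router."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64_address(addr):
    """Recover the MAC if the low 64 bits are a modified EUI-64, else None.
    The ff:fe marker in the middle of the identifier gives it away."""
    low = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if low[3:5] != b"\xff\xfe":
        return None
    octets = bytes([low[0] ^ 0x02]) + low[1:3] + low[5:8]
    return ":".join("%02x" % b for b in octets)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                     # constructed
    print("link-local:", link_local_address(mac))
    print("global    :", slaac_address("2001:db8::/64", mac))
    print("mac again :", mac_from_eui64_address(slaac_address("2001:db8::/64", mac)))
```

No DHCP server is involved in any of this: the only network-side input is the /64 the router advertises. The reverse function shows the trade-off a defender should keep in mind, since an EUI-64 address carries the hardware address with it across every network the device visits.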

Comment End effect : No (or at least less) cloud (Score 1) 54

One very direct effect of all of the above :

You won't be required to use a cloud service for every single small thing you need to talk to.
(security cameras, weather station, talking toy, etc.),
instead you can trivially access any gizmo directly over the web simply by opening it in your router/firewall.

IPv4 remote access: you need to sign up for an account at their service. Your gizmo and the app on your smartphone are constantly talking to this server.
This makes a big central failure point: the company server can get hacked, leading to thousands of account details leaking (see HaveIBeenPwned for your weekly example), or if the device is insecure that's a single point from which to attack all devices. Also if the company goes belly up and the server is shut down, your gizmo becomes an expensive brick.
And this kind of server still costs a little bit of money, so either you're going to need to pay for the service, or you're going to get ad-bombed as shit.

IPv6 remote access : you need to open a port (or a whole device) in *your* router. Your smartphone app is directly talking to your gizmo without any 3rd party getting involved.
There's no big server with a treasure trove of personal data to leak. If attackers want to hack an insecure gizmo, they need to find them one by one on the web.
Even if the company fails, you can still use your app to talk to the device, you don't rely on a 3rd party server.
There are no server costs to cover.

(Previously, similar things would have required fiddling with NAT, port forwarding and other such remapping to get done on IPv4. Trivial for most /.ers, but not necessarily for random users).

Comment in other countries (Score 1) 258

So basically all the money the government has collected as fines and penalties is distributed evenly to all taxpayers. That money was collected as compensation for crimes against society, and this way it gets distributed back to society.

That's exactly how it works in other countries (e.g.: Switzerland).
Fines don't go to the department (e.g.: to the police)
Fines go to the public spending budget, so the country has more money to do things (in addition to the tax money), or more practically, gets less indebted to do the same things...

Comment IPv6 tunneling (Score 4, Informative) 54

i will admittedly say i have no idea what sixxs is

SixXS was a free IPv6 tunneling service, so that people with an IPv4-only provider can still get access to IPv6 addresses through a 3rd party.
(But more reliably than 6in4, which is dependent on the dynamic IPv4 address, and relies on volunteer servers reached through anycast).

The idea was to break the chicken-and-egg problem faced by IPv6 migration :
- content providers don't care about moving to IPv6 because nobody is using it and most people are still on IPv4
- and ISPs not spending the effort to provide IPv6 to their clients, because there's no IPv6 content to justify the move.

SixXS provided a 3rd party with a very reliable way to get onto IPv6, so at least the "there are no users" excuse isn't valid anymore.

Now fast forward a decade and a half later and nowadays a lot of content providers *ARE* on IPv6 (e.g.: Google, most universities, etc.), but there are still ISPs not providing IPv6 on their network (e.g.: using something like 6rd, which basically works like 6in4 but relies on official servers with fixed addresses that are owned and operated by the ISP).
Instead of that, ISPs let the users go use SixXS, for the users who want IPv6. So they rely on a free 3rd party service, instead of putting in the effort themselves to enable IPv6 for their own users as they should be doing.

So SixXS is shutting down to force ISPs to set up and listen to their users and provide IPv6, instead of deferring it to SixXS.

It's sad to see them go since it was a free service, providing a service for people without means.

The thing is, SixXS was providing a service that should in theory be provided by the ISPs themselves, but some are too lazy to implement IPv6 even after almost 2 decades.

(and it's not for people without means. Technically, it's for people who have the means to pay an ISP for a connection, but said ISP is damn shit lazy and doesn't care to provide something more modern than last century's IPv4)
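The comments above describe 6rd as the way an ISP offers IPv6 over its existing IPv4 network: each customer's IPv6 prefix is derived from the ISP's 6rd prefix plus the customer's own IPv4 address, so the relay can route back to the right tunnel endpoint without any per-customer state. The following is an added example, not code from the original posts, carrying that RFC 5969 derivation through in both directions with the standard `ipaddress` module; the 6rd prefix and IPv4 addresses are constructed documentation values, not any ISP's real configuration.

```python
"""6rd (RFC 5969) prefix derivation: ISP 6rd prefix + customer IPv4 address
-> delegated IPv6 prefix, and the reverse mapping a relay uses to find the
IPv4 tunnel endpoint. Added example; all values are constructed."""
import ipaddress


def sixrd_delegated_prefix(isp_prefix, ipv4_mask_len, customer_ipv4):
    """Delegated prefix = 6rd prefix || (IPv4 address minus its common high bits).
    ipv4_mask_len is how many leading IPv4 bits all customers share and
    therefore need not be embedded (0 means embed the full 32 bits)."""
    net = ipaddress.IPv6Network(isp_prefix)
    v4 = int(ipaddress.IPv4Address(customer_ipv4))
    v4_bits = 32 - ipv4_mask_len
    low = v4 & ((1 << v4_bits) - 1)            # drop the shared high bits
    plen = net.prefixlen + v4_bits
    addr = int(net.network_address) | (low << (128 - plen))
    return ipaddress.IPv6Network((addr, plen))


def sixrd_ipv4_endpoint(isp_prefix, ipv4_mask_len, common_ipv4, ipv6_addr):
    """Reverse: pull the embedded IPv4 bits back out of a customer address and
    restore the shared high bits from the ISP's common IPv4 prefix."""
    net = ipaddress.IPv6Network(isp_prefix)
    v4_bits = 32 - ipv4_mask_len
    low = (int(ipaddress.IPv6Address(ipv6_addr)) >> (128 - net.prefixlen - v4_bits)) \
        & ((1 << v4_bits) - 1)
    high = int(ipaddress.IPv4Address(common_ipv4)) & ~((1 << v4_bits) - 1)
    return ipaddress.IPv4Address(high | low)


if __name__ == "__main__":
    # Constructed: ISP owns 2001:db8::/32 and embeds the full IPv4 address.
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.1"))      # /64
    # Constructed: all customers sit in 10.0.0.0/8, so only 24 bits are embedded.
    print(sixrd_delegated_prefix("2001:db8::/32", 8, "10.1.2.3"))       # /56
    print(sixrd_ipv4_endpoint("2001:db8::/32", 8, "10.0.0.0", "2001:db8:102:300::1"))
```

The second case shows why ISPs care about `ipv4_mask_len`: every common IPv4 bit not embedded is a bit handed back to the customer, so a /8 customer pool turns a /32 6rd prefix into /56 delegations instead of /64s. Because the mapping is purely arithmetic, a relay can be stateless, which is the "no new hardware beyond the tunnel server" property the comment describes.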

Comment chip on your shoulder (Score 5, Insightful) 252

Given Europe's attitude towards hate speech and how they enforce "right to be forgotten", I'm surprised that they haven't already erected a GFW at this point

...said the man living in the glorious country where the simple appearance of a nipple is considered a major media catastrophe, where breast feeding is a public offense, and where anything remotely sexual is sure to traumatise the next few generations of youth. (and where nude bodies are probably terrorism-level material).

To each country and culture its own taboos.
For Germany, it might be hate speech, for France it might be "right to be forgotten", and for the USA it's anything which isn't missionary position with the sole purpose to procreate.

Beware of the nude-nipple-terrorists, America !

Comment Actually real. (Score 1) 90

now its almost as pathetic as "THIS IS THE YEAR OF LINUX!"

Yeah, go tell that to your smartphone (a huge proportion are running Android, which is running on Linux, though not on GNU userland), and/or your tablet, and to the wireless router/modem they are connecting to (it's almost impossible to find one which is not running Linux + Busybox nowadays). Not even speaking about your TV set (most SmartTV firmwares are running Linux).
Even the Intel Management Engine (the small always-on microcontroller inside the motherboard of your laptop/workstation that is used for remote administration in enterprises) runs some Linux variants.

You're literally interacting daily with dozens of devices running the Linux kernel without even noticing it.

Seriously, it's been the "year of linux on everything except your desktop" for ages.

I swear "NINTENDO IS FINISHED! 3RD PARTY WHEN?" yet, here they are still making consoles.

Even if they are not dropping their still very profitable console business, Nintendo is slowly expanding to other hardware. (See their "Pokemon" IP showing up in smartphone apps - though this one was done through an external studio, Nintendo basically only providing the IP)

Comment Actually it's clever (Score 1) 122

Austin Powers references aside, that's actually a good idea:

- 75k USD is actually indeed a very small sum. So small that Apple's PR department can easily cough it up (there are probably rounding errors on Apple's marketing budget that are bigger than that) without it even getting noticed in Apple's finances.
i.e.: It's pretty cheap for Apple to hand the money just to make them shut up and get them out of mind.

- 75k USD can actually mean a lot in Turkey (if the hacker group are Turks, as they claim) given the local buying power. The sum might seem ridiculously small to the US /. audience, but it might be comfortable enough for the hackers.

- The hackers have even said that they would accept 75k in iTunes cards. That's money that will eventually get spent on Apple goods and services anyway. Apple's tax evasion special...^H financiers will probably find a way to write it off as a loss and still profit from it.

Comment Control distribution : Nope. (Score 3, Insightful) 254

If I create some original digital content should I not have the right to set the terms of use and distribution?

Nope. You should not.

In the grand scheme of things, what you should have the right to, is to be paid for the act of creation of the content.
(you should get remuneration for your work. not be entitled to use it as a rent)

But for historical reasons, the point at which money got collected was traditionally at the distribution, because back at the time when copyright laws were emerging, duplicating and distributing content was hard (if not the hardest part of the pipeline). And thus it was a happy chance that it could also help finance upstream creation.

But nowadays, once we're out of the dark ages and into the information age, with everything going digital, duplication and distribution is boringly trivial and can't be justified any more. Artists still need to get paid to create (they need to eat, after all), but the point at which the money is collected doesn't make any fucking sense anymore in the modern setting.

(Also note that a few small indie artists are moving out of this business model, and going back to older concepts of patronage. See platforms like Patreon, Tipee, etc.)

Comment What's wrong with you people ?! (Score 2) 133

What's wrong with you ?

There's a new, better photovoltaic cell, that is actually produced by an actual manufacturer (Kaneka) and could soon be matched by other actual manufacturers making real cells in the real world (Panasonic and Tesla mentioned), and not simply one of those "small research team in some university lab makes a small breakthrough that could increase cell efficiency. In theory. Probably within 25 years when the discovery finally reaches actual production at a real-world manufacturer".

And all you people bicker about how the numbers are presented in the summary ?

What's next ? Going ape-shit crazy about some shirt that a scientist is wearing, instead of paying attention that he's announcing that they managed to land a probe on...

oh, wait!
