
Comment Re:Sorry, its time has passed (Score 1) 128

OS/2 got interrupt handling exactly right. I could format a floppy, play Wolfenstein in a window, and have a mod tracker playing in the background on a 486/25. BeOS got close but was never quite as good.

My Linux machine today can't copy to a USB hard drive without making the rest of the system unusable.

It seems like Linux could still learn some tricks from these old OSes.

Comment Re: but you arent a traditional CA (Score 1) 142

Typosquatting has been a problem for twenty years and DV certs for at least half that time. Why would this suddenly be Let's Encrypt's problem? $4.95 has never stopped phishing attacks before.

Any typosquatting solution is going to be entirely locale dependent - the only place to handle that is at the browser. Give Google and MoFo hell about never caring about this. For all I know the Kazakh word for "hot pizza" looks like "citibank" but it's definitely not a job for Let's Encrypt to deny that pizza place a cert. If we insist they do, they will either fail to succeed or give up and go home. Cui bono?

Comment Re:Phishing is good (Score 1) 142

Normal people may want to visit paypal for the first time ever which means no AutoFill data or any indication they've arrived at the website they can really trust.

Normal people trust their search engine to return the real PayPal site when they search for it. The worst realistic scenario from a non-user getting otherwise redirected to a fake version of the site is having to contest false charges on a credit card and report the card stolen. No big deal. It becomes dangerous when you associate a bank account with it, which no mentally competent person should do when visiting a site referred from some random new website. But once you have done that, accidentally giving out your password to a phishing site becomes a really big deal, because you probably won't get that money back.

Idiots who say you should trust a website based on its name think too much of people.

What the h*** else can you possibly use as a basis for trust? Do you expect us to create a little walled garden that prevents the free flow of information just in case some bad person decides to do something bad with that ability? We had that. It was called AOL, and it failed because it was too limited compared with the real web.

The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

You should really be encouraging broader adoption of DNSSEC so that we'll eventually be able to make DNSSEC validation mandatory instead of whining on Slashdot that we aren't taking the problem seriously. Or propose a better solution. Either way.

Sorry, I've never seen so many idiots at /. simultaneously.

With all due respect, has it ever occurred to you that if you think a large number of really smart people are idiots, it probably means that you don't understand the problem as much as you think you do? Just saying.

Comment Re:but you arent a traditional CA (Score 1) 142

... phishing sites needed to pay money to play in the https realm or hire someone smart enough to exploit an https protected site.

Nope. StartSSL had been issuing free low-validation certs since at least 2009, some six years before Let's Encrypt issued its first cert. The only substantive differences between Let's Encrypt and StartSSL, as far as I can tell, are:

  • Let's Encrypt didn't get bought out by a Chinese registrar who abused their signing certs in ways that caused them to become untrusted by most browser vendors.
  • Let's Encrypt forces you to use automated certificate updating by limiting the certificate duration to a ridiculously short period for no actual security benefit (and worse, in its default configuration, generates a new RSA key every time it renews the cert, which significantly weakens the security model by making key pinning impossible).
  • Let's Encrypt merely requires you to prove that you have control over the web server, rather than that you have control over the domain, which also weakens security somewhat if your server gets compromised.

But in terms of being able to get free certs for a domain that you control, there's no real difference.

Comment Re:Phishing is good (Score 2) 142

Or AutoFill. You enable AutoFill for PayPal.com, and then when your password doesn't automatically show up, you look at the URL more carefully and immediately see why.

The real threats to security are not the CAs that issue certs for sites containing PayPal in the name. The real threats are clueless sysadmins at (mostly banking) websites that insist on not allowing AutoFill and/or break their websites in ways that make AutoFill stop working when it worked before. Besides playing right into the hands of keyloggers, such actions force people to remain willing to type passwords when in reality, users should never, ever, ever type a password into a website. Ever. Seriously.

... that and browser makers, who haven't bothered to come up with a global standard for changing passwords so that users whose computers become compromised can easily reset all their passwords automatically with a single click, and also haven't bothered to come up with completely automatic plug-in update systems, thus making it easy to trick people into believing that their Flash Player or Silverlight plug-in is out of date, thus causing them to download and run a trojan horse installer that steals their password database, etc.

Comment Re:Uh, why? (Score 3) 128

Windows 3.1 support? That's not a relevant feature.

Not for most circumstances, no. On the other hand, there may be old legacy systems that ran on Windows 3.1 that people will want to be able to run. I don't know what the current state of compatibility is for Windows 10, but having a modern/updated OS that can run Windows 3.1 apps may be useful to someone.

Comment Re:Hit Job on Google? (Score 3, Interesting) 212

No, News Corp has been doing this for years. The reason is Murdoch thinks Google and Google News specifically is killing the news industry, and that the iPad will save it (or at least he thought that a few years ago). It's pure inter-corporate warfare being played out through manipulation of public opinion. The WSJ in particular are experts at it.

Comment This is such a bad argument (Score 3, Interesting) 135

Every time there's a story about OSS software being less than perfect, someone always trots this tired crap out. "Oh if it isn't what you want you can just fix it!" That is complete bullshit and you should know it. If you don't, you are hopelessly naive.

First off, most people are not programmers and many do not even have the requisite problem solving, analytical, and mathematical skills to become one. If you aren't a programmer, you can't just go and fix software. Becoming a programmer isn't magic either, you don't go and read a book and then you are good. It takes years of experience to get proficient, and decades to really master and is something you need to spend a lot of time on. If you think you are some hot-shit programmer and you "picked it up just by reading" and "just do it in your spare time" then guess what? You aren't near as good as you think you are.

Second, even if someone is a programmer they may not have the requisite skills or knowledge to deal with a piece of software. Not all software is created equal, not all problems are the same to solve. Someone might be a programmer who's actually pretty good, but knows about making database code because that's what they do. However if they are trying to implement an algorithm for processing audio they might be lost because they don't understand how that works, it is another set of knowledge.

Finally, even if someone does have the skills, knowledge and experience to do it, maybe they just don't want to spend the time. We all have only so much time to spend in a day, maybe they are not interested in dropping a bunch of time to fix something that is to them just a tool. They'd rather pay to have one that works and spend their time on other shit.

So knock it off with the "oh it is open just do it yourself" crap. That is extremely silly, and you know it.

Comment Re:Tipped over does not imply speed (Score 1) 213

Just looked at the photos and found there are three cars involved, one with serious denting.

Most notable is a skid mark leading to the less dented car, as if it's been pushed aside, and the skid mark leading to the front wheel of the Uber car, which makes it look like it slid backwards over the road surface while already on its side. Looks odd to me.
