Comment Re:Entitled much? (Score 1) 41

I think it's the very fact that you can (and probably should, at least to some degree) do more or less exactly that which makes this report seem so hysterical.

It's not like it's false that some Yandex software dude will probably cooperate if the FSB taps him on the shoulder and suggests that it's exciting and mandatory, while John Smith, corn-fed American patriot, is at least going to require some sweet-talking; but if you are just blindly grabbing 'package that some dude put on NPM' your problems are far deeper, and much less exciting, than nation-state sabotage. Even when doing their absolute best, programmers make mistakes all the time; so if the project is basically one dude who maybe debugs his own code if it's too broken, you have basically no reason to suspect that innocent vulnerabilities are getting caught; along with the risks posed by the relatively frequent compromises of dev credentials on the various repositories, and the risk that you'll be left unsupported if the random guy gets hit by a bus or finds a new hobby and just walks away.

It's fun to pretend that tedious, labor-intensive problems don't exist by focusing on sexy threats instead; so I'm not surprised that a 'security' vendor would be working this angle; but, fundamentally, if you are just grabbing random garbage off a repository every time one of your junior devs even thinks too hard about Docker, you are doing it wrong.

It also seems a bit silly because, if your real problem is nation-state adversaries rather than nobody actually looking because it seems like it works and why try harder, it would likely be relatively trivial for the trojan horse project to add 'legitimacy'. You want multiple maintainers because we can't trust Sinister Yuri to police himself? Ok, it doesn't take a terribly impressive intelligence agency to conjure up a few additional contributors who make changes to the project from North American or western European IPs and time zones and have a thin but plausible trail of assorted tidbits that suggest that they are consultants or employees of random little companies in friendly nations. You call that a security check?

Comment Entitled much? (Score 3, Insightful) 41

"As a whole, the open source community should be paying more attention to this risk and mitigating it."

So, if I'm understanding this right, the solution is for more people to work for free so I can just blindly grab whatever, not for the people already getting their software for nothing to care even slightly about their dependencies?

Comment Re:Explain something to me. Like I'm an idiot. (Score 0) 94

for people without redundant systems set up.

Your point? That would be most people by a huge margin.

OneDrive offers:
- protection against local hardware failure
- protection against loss in a laptop theft or loss situation
- protection against loss in a fire/flood/catastrophe situation, unless you have remote offsite backups (*)
- protection against ransomware
- protection against accidental data overwrite and other common user errors
- simplified data migration to a new device (especially good for people without IT... but it's handy for IT too if people can just sign into a freshly imaged laptop and go)

vs...
- increased risk of disclosure in a cloud breach or phishing attack

(* and if you DO have current remote offsite backups you are probably using the cloud to facilitate that anyway.)

That's not to minimize the risk of a cloud breach... but you need to properly assess your risk profile. Data stored locally can also be targeted and exfiltrated; the risk is generally smaller, but it remains, especially if it's valuable enough to target.

And I know plenty of people who have had devices break or get stolen many times and lost valuable data, or lost data in an automated low-effort ransomware attack (and targeted high-effort attacks too)... Point is: for a lot of people, probably even the large majority of people, cloud storage is very much a net positive.

Comment Re:Isn't it a private organization (Score 2) 136

That's my question also. What law gives politicians and prosecutors the right to stick their fingers into the Wiki org?

For the sake of argument, suppose the Wiki managers and paid editors are flaming biased bigots; that alone is not enough to prosecute an org. The KKK is allowed to exist.

Can anyone name a specific law by identification and clause number?

Comment Re:on the shoulders of mud-submerged giants (Score 1) 19

Smart managers experiment to see if their grand ideas hold water. They could select a few offices for pilot project cutting and see how they do. Only if it's successful should they then widen the scope.

However, in this case Google is probably bleeding money and has to do something to trim the budget. This approach makes it look like a strategic re-org to investors instead of mere shrinking, and newbie investors often fall for gimmicks.
