
Comment Re:but you arent a traditional CA (Score 1) 208

The few times I've used Let's Encrypt was during testing phases, as a place-holder until I had the time to get a "real" cert. My company has an inane procedure to get purchase orders to pay for anything, so often it takes a couple of weeks to get to the point of being able to purchase anything via a "new vendor". If you can't afford $5 or so to get a year-long cert, then you're either not serious about your site or doing something wrong.

Or you have more than the one subdomain that most CAs allow for $5 certs. Even with a limit of five for Let's Encrypt, it takes two certs for my main domain. Bare domain, www, images, git, homeserver, kinji, and I feel like I'm still forgetting one. A wildcard domain cert starts at two hundred bucks.

Comment Re:Never saw that coming (Score 1) 208

Does anyone remember what the point of SSL was? It's just so our users don't see the non SSL warning right?

You say that jokingly, but there's some truth to that. The need for TLS is proportional to the damage done by compromising the connection. Informational websites with no credentials do NOT need TLS, typically, and the push to add TLS more broadly has played a major role in lowering the bar for getting a cert (out of necessity), thus weakening an already weak system further.

Comment Re:Phishing is good (Score 1) 208

Normal people may want to visit paypal for the first time ever which means no AutoFill data or any indication they've arrived at the website they can really trust.

Normal people trust their search engine to return the real PayPal site when they search for it. The worst realistic scenario from a non-user getting otherwise redirected to a fake version of the site is having to contest false charges on a credit card and report the card stolen. No big deal. It becomes dangerous when you associate a bank account with it, which no mentally competent person should do when visiting a site referred from some random new website. But once you have done that, accidentally giving out your password to a phishing site becomes a really big deal, because you probably won't get that money back.

Idiots who say you should trust a website based on its name think too much of people.

What the h*** else can you possibly use as a basis for trust? Do you expect us to create a little walled garden that prevents the free flow of information just in case some bad person decides to do something bad with that ability? We had that. It was called AOL, and it failed because it was too limited compared with the real web.

The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

You should really be encouraging broader adoption of DNSSEC so that we'll eventually be able to make DNSSEC validation mandatory instead of whining on Slashdot that we aren't taking the problem seriously. Or propose a better solution. Either way.

Sorry, I've never seen so many idiots at /. simultaneously.

With all due respect, has it ever occurred to you that if you think a large number of really smart people are idiots, it probably means that you don't understand the problem as much as you think you do? Just saying.

Comment Re:but you arent a traditional CA (Score 1) 208

... phishing sites needed to pay money to play in the https realm or hire someone smart enough to exploit an https protected site.

Nope. StartSSL had been issuing free low-validation certs since at least 2009, some six years before Let's Encrypt issued its first cert. The only substantive differences between Let's Encrypt and StartSSL, as far as I can tell, are:

  • Let's Encrypt didn't get bought out by a Chinese registrar who abused their signing certs in ways that caused them to become untrusted by most browser vendors.
  • Let's Encrypt forces you to use automated certificate updating by limiting the certificate duration to a ridiculously short period for no actual security benefit (and worse, in its default configuration, generates a new RSA key every time it renews the cert, which significantly weakens the security model by making key pinning impossible).
  • Let's Encrypt merely requires you to prove that you have control over the web server, rather than that you have control over the domain, which also weakens security somewhat if your server gets compromised.

But in terms of being able to get free certs for a domain that you control, there's no real difference.
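As an added illustration of the key-pinning point in the list above (an example script, not part of the thread): it assumes the openssl CLI is available, generates throwaway RSA keys and self-signed certificates as stand-ins for ACME issuances, and shows that the SPKI pin a browser or client would pin against survives a renewal only when the private key is reused.

```shell
#!/bin/sh
# Added example: why re-using the private key across renewals matters for pinning.
# Assumes the openssl CLI; all keys and certs are generated here as throwaway data.
set -e

WORK="${TMPDIR:-/tmp}/pin-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# SPKI pin in the HPKP style: base64(sha256(DER-encoded SubjectPublicKeyInfo)).
# It depends only on the public key, not on the certificate's dates or signature.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Self-signed 90-day cert for a given key (stand-in for a short-lived ACME issuance).
issue_cert() {  # $1 = key file, $2 = output cert file
  openssl req -new -x509 -key "$1" -out "$2" -days 90 -subj "/CN=example.test" 2>/dev/null
}

# Initial issuance: the pin the operator would publish.
openssl genrsa -out "$WORK/key1.pem" 2048 2>/dev/null
issue_cert "$WORK/key1.pem" "$WORK/cert1.pem"
PIN_ORIG=$(spki_pin "$WORK/cert1.pem")

# Renewal A: same key, new certificate -> pin is unchanged.
issue_cert "$WORK/key1.pem" "$WORK/cert1-renewed.pem"
PIN_REUSE=$(spki_pin "$WORK/cert1-renewed.pem")

# Renewal B: fresh key generated at renewal (the default the comment objects to)
# -> pin changes, and every client still pinning PIN_ORIG rejects the site.
openssl genrsa -out "$WORK/key2.pem" 2048 2>/dev/null
issue_cert "$WORK/key2.pem" "$WORK/cert2.pem"
PIN_ROTATED=$(spki_pin "$WORK/cert2.pem")

# Check a served certificate against a pinned value; returns 0 on match.
pin_matches() { [ "$(spki_pin "$1")" = "$2" ]; }
```

Running the script end to end, PIN_REUSE equals PIN_ORIG while PIN_ROTATED differs, which is exactly the breakage the comment describes.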

Comment Re:Phishing is good (Score 2) 208

Or AutoFill. You enable AutoFill for PayPal.com, and then when your password doesn't automatically show up, you look at the URL more carefully and immediately see why.

The real threats to security are not the CAs that issue certs for sites containing PayPal in the name. The real threats are clueless sysadmins at (mostly banking) websites that insist on not allowing AutoFill and/or break their websites in ways that make AutoFill stop working when it worked before. Besides playing right into the hands of keyloggers, such actions force people to remain willing to type passwords when in reality, users should never, ever, ever type a password into a website. Ever. Seriously.

... that and browser makers, who haven't bothered to come up with a global standard for changing passwords so that users whose computers become compromised can easily reset all their passwords automatically with a single click, and also haven't bothered to come up with completely automatic plug-in update systems, thus making it easy to trick people into believing that their Flash Player or Silverlight plug-in is out of date, thus causing them to download and run a trojan horse installer that steals their password database, etc.

Comment Re:If I had my way... (Score 1) 221

All of the printer companies have a history of abusing the legal system. Lexmark just happens to be the worst offender.

Really? I'm aware of Lexmark's abuse. HP abuses users in more subtle ways, but not through the legal system. I'm not aware of anything even remotely similar from Brother, Konica Minolta, or Canon, all of which IMO make much better printers than Lexmark and HP.

Frankly, I don't even understand how Lexmark is still in business.

Comment Re:FCC says wha? (Score 2) 76

It hasn't been squelched because it isn't consumer-friendly. It actually causes even bigger problems, because the obnoxious scammers have already changed their tactics, and now are using actual phone numbers that belong to other people.

About two weeks ago, I got a text message from somebody asking why I called them. I had not made any phone calls in nearly a day at the time, as verified on my phone. And I keep getting telemarketing calls from random assigned phone numbers in the area that belong to random individuals, all of whom are innocent victims.

It is not sufficient to ban calls from unassigned numbers. Our phone network is hopelessly insecure, dating back to the days when only trusted carriers could add calls into the system. The only way to fix this is to ensure that at every injection point, the system verifies that the call is really coming from where it claims to be coming from—one wire, one or more fixed number blocks. And because there are probably major carriers complicit with this abuse, doing this right would require some sort of authenticated source check further down the line as well. This would probably require a major rearchitecting, which is why it probably won't happen any time soon. Basically, we need the equivalent of TLS and CAs for the phone network....

Comment Re:Conflict of interest (Score 1) 255

If you enter on yellow it should be because you were going too fast and were too close to stop safely, so leaving before it turns red shouldn't be a problem.

Only if the yellow is long enough. I've seen many lights where if there's only one car at the intersection and you're turning left, you can enter on green and you'll still exit two or three seconds after the light turns red. A car approaching from behind at any speed even remotely approaching the speed limit would then enter on yellow without time to stop, but would have to slow down for you and would be unable to get out of the light until long after it turned red.

Comment Re:The social effects are much worse. (Score 1) 374

In the past, before these subsidies that distorted the pricing so horrendously, most students had to study something that brought real value. While a few dicked around in an abstract, rather useless subject like philosophy, most students studied science, engineering, mathematics, law, and medicine. These are the sorts of subjects that allow the students to, in the future, provide real value to society.

That's arguable. In our "anything that can be outsourced should be" culture, science, technology, engineering, and mathematics degrees are no longer guarantees of adding economic value, either. And not everybody is good at those subjects. In my experience as a college educator, forcing students to dedicate four years of their lives to a subject that they hate just because it theoretically pays better after graduation is self-defeating. You end up with students that don't really want to learn the material, struggle to pick it up, and drag down the rest of the class as you try to help them keep up.

Eventually, even medicine will be mostly automated. We'll still need nurses for a while, because robotic nursing is a genuinely hard problem, but doctors could basically be replaced by IBM's Watson and a glorified secretary today. Besides being an extremely expensive career to go into, the long-term prospects are bleak. So the question you have to ask yourself is this: Do we really want to live in a society of lawyers?

Also, as others have mentioned, education used to be much more highly subsidized than it is now, even taking into account the availability of college loans (which are largely a more-expensive-to-the-student replacement for the government subsidies that used to exist). Yet people continue to choose those degree programs. Could it be that you're wrong about the value to society? Folks with degrees in the performing arts are guaranteed a menial income for the rest of their lives, but they're also doing something that they enjoy. When faced with a society of people who are getting more and more unhappy, given that happiness is a strong predictor of longevity, arguably those degree programs benefit society a great deal even before you consider that their creative output improves society directly. And many art history majors learn (either as part of their degree or on the job) how to do fundraising, which contributes greatly to the arts, and thus to society as well. AFAIK, there aren't degree programs specific to arts development in most places, so art history and music degrees are often as close as you can get.

Now I'm not going to argue that I know the value of those other degrees you mentioned. I suspect that at least for now, they mainly qualify you to be a high school guidance counselor or maybe a politician, but that's just a guess. But in my experience, the job market creates interesting opportunities based on the availability of people with specific skills. If there are enough people with those currently low-value majors, somebody (maybe even somebody who majored in one of those fields) will come up with some interesting task that those students can uniquely perform after they graduate, and society benefits from the creation of those new areas of work and study.

Finally, I would add that the purpose of college is to educate students for the sake of learning—to open their eyes to the world's possibilities. Its purpose is not to be a trade school. We don't need more cookie-cutter STEM majors who got their degrees because they pay better out of school. We need a society of people who appreciate the world in which we live, who find ways to do what they love and love what they do, who understand how to learn, who understand how to think for themselves, who understand that they live in a diverse world of people with different backgrounds, different interests, different cultures, and different perspectives. And that is far more valuable to society than being able to check "yes" in the box that says "I have a degree in science, technology, engineering, or math", and I say that as someone with a Master's in CS, but with an undergrad degree that included a double major in CS and communications, with extensive music ensemble coursework on the side. There is great value to society in degrees outside of STEM. Not all value is financial in nature.

Comment Re:Yeah, the bubble will pop long before that (Score 1) 374

Isn't that exactly the type of wasteful behavior which contributes to higher costs? If for instance classrooms were at 50% utilization for two hours between 8-5, just because everyone is doing meetings at the same time, you could reduce the number of classrooms by 10% if you simply spread meetings throughout the day.

It doesn't work that way. The reality is that students are used to being in school from about 8 to 3. They tend to resist taking classes much past that time, and by college, they tend to resist taking classes before 10 as well. Realistically, you get about five good hours during which you can teach classes, and the more classes you schedule outside those core hours, the more students will cram into the classes within those hours, so you just end up with very imbalanced sections that make it harder to teach.

And it isn't just momentum, either. Lots of students commute to their university, which means early and late classes don't work. Parents (both college students and faculty) have to pick their kids up from school. Students have part-time jobs to pay the bills. And so on.

Finally, it isn't practical to just say, "We're going to spread classes evenly throughout the day", because students need time to actually work on their homework. And that time needs to be during the day so that they can use campus facilities such as computer labs, tutoring centers, etc. It simply isn't practical for the entire day to be used for instruction, because it costs money to operate those other facilities, too, and you'd end up having to cover the cost of extending their hours dramatically if you extend the core hours for classes, which means significantly increased staffing, which ends up costing more over the long run than adding one or two extra rooms to a building.
