
Comment Re:Booo! (Score 1) 29

Out of curiosity, does your setup provide per-user control over spam/not-spam? That is, can a user flag a false-negative as spam and a false-positive as not-spam so the filters can be automatically tuned? Ideally this would be done by simply moving things into different folders in IMAP (e.g. move something into the Spam folder, it gets flagged as spam. Move something out of the spam folder, it gets flagged as not-spam.) rather than needing a separate web interface. If so, how did you go about setting that up?

I ask because I've been looking at doing something similar, but haven't found anything that does quite what I want.

Comment Re:Signal is great (Score 1) 171

True about the desktop version. They had something that claimed to be a desktop version, but when I ran it the first thing it wanted was a mobile #. Uhh.... my desktop PC doesn't have a phone number!

Signal uses your mobile number as a unique identifier akin to a username. Even if you don't run the app on a phone, you need to give it a mobile number to actually use the service.

That said, Signal is designed to be mainly used on mobile devices. The desktop version is convenient, but isn't really meant to be the primary means of using the service.

Comment Re:Which one should you be using? (Score 1) 171

The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

Users can install multiple messaging apps. I, for one, have several: Signal, WhatsApp, Google Hangouts, Skype, etc.

So far it works fine, and most of my friends and family use Signal.

Comment Re:Why not press the switch (Score 2) 170

It's easy to know how a GPS receiver will work if there's no signal: it simply doesn't function.

But how does it function in the presence of strong jamming signals of different types? Does it produce spurious errors? False position or timing data? Does it have other issues? Can very strong signals cause damage to various components like amplifiers and the exquisitely sensitive receiver circuits?

I'm just speculating, but I suspect that they'll be doing tests of that type.

Comment Re:And what's our suggestion to friends and family (Score 1) 79

Have good, versioned backups. I like CrashPlan, as one can use it to back up to various destinations, including local systems/disks, remote systems associated with one's account, remote systems belonging to others (so long as they give permission), and for paid users, to the CrashPlan-run storage service.

All backups are encrypted so that the destinations cannot access one's data, it keeps regular versions so one can easily recover from a ransomware (or other) infection that corrupts or destroys files slowly over time, and compresses/deduplicates data to save space. I've used it for years and it's saved my bacon a few times. Their family plans are quite affordable.

(Disclosure: I am a paid CrashPlan user but otherwise have no connection, financial or otherwise, with the service.)

Comment Re:Why worry about credit cards? (Score 1) 64

I'm under no obligation to pay until the investigation and any related processes are ongoing.

Sorry, it's late. I meant to say I'm under no obligation to pay until the investigation and any related processes are complete (and I'd only need to pay if the investigation shows the charge was legitimate; obviously I'd not need to pay if the charge was fraudulent).

Comment Re:Why worry about credit cards? (Score 2) 64

That's why I essentially never use debit cards and advocate the use of credit cards: if I contest a charge on a debit card, I'm contesting whether or not I should get my own money back and, as you say, the money may be unavailable during the investigation.

With credit cards, I'm contesting if I owe the bank money and I'm under no obligation to pay until the investigation and any related processes are ongoing.

In regards to eBay, the merchants never get your credit card information. Virtually all transactions go through PayPal, which has its own buyer protection options above and beyond what your credit card offers. Things might have been different eight years ago.

Comment Re:Why worry about credit cards? (Score 3, Interesting) 64

You need to convince the bank that any transactions between its being compromised or stolen and your notifying them were not in fact yours. Good luck with that. I would not notice a fraudulent charge until the next monthly statement

I'm not sure where you live, but in the US it's quite easy: most banks allow you to simply mark one or more particular charges as fraudulent using their online banking website. Otherwise, you can report the card as lost/stolen using the website or by calling them. One time, ten years ago, they sent me a form I had to sign and mail back (at their expense) to attest that the charge was fraudulent. Took me about 30 seconds. The one other time I've reported it since then, it was all online with no paperwork. The one time the bank caught it before I did, no paperwork was necessary: they called me, described the suspicious transaction, I confirmed it was fraudulent, and they handled it from there.

There's never been any adversarial questioning or anything from the bank, it's simply routine.

But you sound as if your cards are often compromised, lost or stolen, so it's all the more surprising if your bank cancels the fraudulent charges at the drop of a hat. You must have such a reputation with them that I wonder why they don't cancel your contract instead.

It's happened to me three times in 15 years, never through any fault of my own. I'd hardly consider that "often" or somehow deserving of a "reputation". Even if it was somehow considered excessive, I find it hard to believe that a bank would drop a long-time client simply because they were frequently the victim of crime.

In each case, it's been quite obvious that the charges were unusual and fraudulent: As an example, when my card was compromised one time I lived in Arizona and I regularly made various routine charges (e.g. groceries, gas, food, etc.). It didn't really make sense that my card was used to buy $300 worth of gasoline at a gas station in Florida 20 minutes after I bought my regular groceries in Arizona, so the bank flagged the transaction and called me. Another time it was used to buy household appliances in some distant state I'd never visited to be delivered to an address I had no connection with whatsoever.

Either way, dealing with the aftermath of the fraudulent credit card usage was only the most minor inconvenience. I don't understand why people get so worked up about such things: I'd be more concerned with my name, address, and other account details getting leaked since those can't be changed as easily (if at all).

Comment Why worry about credit cards? (Score 2) 64

I've never understood why anyone worries about their credit card information when shopping online: it's literally the least-valuable information that I possess, insofar as its compromise will affect me.

I'm not liable for any fraudulent charges made with my card, and reporting misuse is the work of a few moments (unless the bank notices it first and notifies me, in which case it's even less work for me). A replacement card will be in my mailbox in a few days.

Is it a minor hassle to update the card number on file with various merchants I do business with? Certainly, and I'd rather such a situation if possible, but it's a minor inconvenience in the grand scheme of things.

Other information -- social security numbers, for example -- is much more valuable to criminals (which is dumb: there really should be some better way of identifying someone), and it's a good thing such information is only rarely needed and asked for. In general, SSNs can't be changed and it's a huge pain to recover from identity theft, but a stolen credit card? That's a minor inconvenience, at worst.

Comment Re:Unless... (Score 2) 314

The computer you bought 3-5 years ago, barring mechanical failure still meets or exceeds your needs for the most part, so why waste the money?

Indeed. I have a computer that's about 8 years old (Gigabyte-brand motherboard, Intel Core2Quad Q6600, 8GB DDR2 RAM) that I've made only some minor changes to (lots of storage, SSD boot disk, GeForce 550 Ti graphics card, etc.) that's still ticking away just fine. Turns out the Gigabyte's marketing their boards as "ultra-reliable" was accurate.

I intend to upgrade later this year to something a bit more modern (i7, more RAM, new graphics card, bigger monitor, etc.), but the need really hasn't been pressing. Since most games are released for PC and console, developers (annoyingly) target the performance level of the consoles, so the PC has no problems running them even at high graphics settings.

Either way, I won't be using Windows 10 -- I'll image the Windows 7 installation I currently have and move that over to the new system. Worst-case, I re-install Windows 7. When Win7 goes EOL I'll probably switch to Linux.

Comment Re:Can I please have an unencrypted phone? (Score 1) 47

Why not get the best of both worlds and have automated backups and an encrypted phone?

If you're not comfortable with Google's various backup options (e.g. Google Photos' cloud backup), that's fine: there are alternatives. I use BitTorrent Sync to sync the camera folders on my and my wife's smartphones with our various computers and NAS. Not only does this make it easier to share photos and video with family (I find it easier to share from a computer, rather than from a phone), but it runs continuously so there's only a few seconds between when the photo was taken and when it's available on the computers. Works incredibly well.

You can choose whether or not to sync using your cellular data or just on wifi, depending on your needs.

Comment Re:I don't understand (Score 4, Informative) 56

HTTPS provides several benefits:

- Encryption which, as you point out, keeps other parties from knowing the content of data you access. Sure, the bulk of that data may be mundane, everyday stuff that you don't really care if anyone knows about, but there's no harm in keeping it private in transit. It's the same reason you enclose letters in envelopes rather than sending postcards.

- Verifying the authenticity of the server. Domain-validated certificates offer a relatively low level of validation, but they still provide you reasonable assurance that the server you're communicating with is the one operated by the actual owner of that domain name -- your connection isn't being intercepted and spoofed by some shady wifi hotspot, for example. Organization-validated and Extended Validation certificates provide higher degrees of validation, and include details (e.g. company name, location, etc.) of the entity to whom the certificate was issued.

- Tamper-resistance. All HTTPS connections provide tamper-resistance by using either HMAC or AEAD ciphersuites. This prevents third parties from altering the content. A public hotspot or your ISP may inject content, malicious or not, into unencrypted connections. HTTPS prevents this.

Considering that there's essentially no costs for using HTTPS (certificates are free or exceedingly cheap, CPUs have hardware support for AES so there's basically no overhead for encrypting data, ECDHE key exchanges are extremely fast, as are ECDSA signatures, and so present minimal load to servers. RSA signing is a bit slower for servers, but modern CPUs are fast and TLS handshakes are brief and only happen occasionally.) and many benefits, why wouldn't everyone want to secure data in transit?
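As an added illustration of the tamper-resistance point in the comment above (not part of the original comment, and not code from any TLS library): a stripped-down sketch of the TLS 1.2 record MAC from RFC 5246 section 6.2.3.1, showing why injected, reordered or replayed records are rejected. Encryption is omitted, the key and page body are constructed, and the names `record_mac`, `protect`, `Receiver` and `first_rejected` are made up for this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size
APPLICATION_DATA, TLS12 = 23, (3, 3)   # TLS content type and version bytes

def record_mac(key, seq, fragment):
    """HMAC over seq_num || type || version || length || fragment (RFC 5246, 6.2.3.1)."""
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS12, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

def protect(key, seq, fragment):
    """Sender: append the tag. Encryption is left out; only integrity is shown."""
    return fragment + record_mac(key, seq, fragment)

class Receiver:
    """Keeps the implicit sequence number and rejects records whose tag fails."""
    def __init__(self, key):
        self.key, self.seq = key, 0

    def accept(self, record):
        if len(record) < TAG_LEN:
            raise ValueError("bad record MAC")
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.key, self.seq, fragment)
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad record MAC")
        self.seq += 1
        return fragment

def first_rejected(key, records):
    """Index of the first record the receiver rejects, or None if all pass."""
    rx = Receiver(key)
    for i, rec in enumerate(records):
        try:
            rx.accept(rec)
        except ValueError:
            return i
    return None

def demo():
    key = b"constructed-demo-key-not-secret!"   # constructed; real keys come from the handshake
    r = [protect(key, i, b) for i, b in enumerate(
        [b"<html><body>", b"<p>Hello</p>", b"</body></html>"])]
    injected = r[1][:-TAG_LEN] + b"<!-- injected -->" + r[1][-TAG_LEN:]
    return {
        "clean": first_rejected(key, r),
        "injected": first_rejected(key, [r[0], injected, r[2]]),
        "reordered": first_rejected(key, [r[0], r[2], r[1]]),
        "replayed": first_rejected(key, [r[0], r[0], r[1]]),
    }
```

Because the sequence number is fed into the MAC but never sent, a record that is byte-for-byte valid still fails when it arrives in the wrong position.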

Comment Re:Let's Encrypt (Score 2) 56

Certificate cost is no longer the obstacle it used to be, as a TLS certificate is free unless you need organizational validation. StartSSL and WoSign have been providing domain-validated (DV) certificates without charge to individuals for years, and automated ACME CA Let's Encrypt has been in operation for several months.

Indeed. TLS certs are, as you point out, available for free. Even if one wishes to pay for a cert, DV certs are available for a pittance: Comodo's PositiveSSL certs are available for as low as $14.97 for three years ($4.99/year) from, a reseller owned by NameCheap. I spend more getting take-out lunch one day than it'd cost to get a cert for three years. That's basically a non-issue when it comes to even the most budget-constrained websites.

Other interesting details:
- Comodo's PositiveSSL offering is one of the very few CAs that will not only sign elliptic curve certs, but will do so using a separate, all-ECC certificate chain. Their ECC root is in all major browsers, but it's cross-signed by their UserTrust RSA root for legacy users. Naturally, PositiveSSL also offers an all-RSA chain for those who prefer RSA certificates, but I thought it was cool they offer an all-ECC chain and charge the same price for ECC or RSA certs.
- StartSSL recently started signing ECC certs from their RSA chain (4096-bit root, 2048-bit intermediate). While not quite as secure as an all-ECC chain, it's fast: clients can verify the RSA signatures quickly, and the server can perform fast ECDSA signatures/ECDHE key exchanges quickly.
- WoSign uses StartPKI, StartSSL's managed-PKI offering that chains up to the StartSSL root. Nifty. I knew StartSSL has offered that for a while but I'd never seen any such intermediates in the wild before.

Full disclosure: I have no relationship with Comodo, StartSSL,, NameCheap, etc. other than being a paying user. I don't get any compensation, direct or otherwise, from mentioning them.

Comment Re:Who signs the certificates and maintains the ke (Score 3, Insightful) 56

This may be overly cynical of me, but could they be doing this to imbue the sense of improved security, while still being able to decrypt and observe the traffic themselves? For themselves as well as for the government, where the particular datacenter is located?

How is encryption of data on-the-wire relevant to the observation of data stored in their datacenters?

Whether or not they use HTTPS, Google has always been able to access the content of Blogspot-hosted blogs because Google runs Blogspot and the data resides on their servers. Adding HTTPS doesn't change that at all.

Comment Re:Smoking Man (Score 1) 117

Seriously. I'm 33 and HL2 came out when I was 21. I've got a nearly two-year-old daughter now, and I'm hoping that I'll be able to play HL3 sometime before she's old enough to play HL2.

Don't get me wrong: I love all the other Valve-produced games like the Portal series, Left 4 Dead, Team Fortress, etc., but there's a special place in my heart for the HL series.
