
Comment Business model of a free site ?! (Score 1) 205

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's Encrypt is a free (price as-in-beer, code as-in-speech) service. They don't have a business model.

They have a purpose (the same as CACert, by the way), to issue simple certificates that can verify that "" is indeed "".
(As opposed to some man-in-the-middle attacker masquerading as "" using a different 3rd server).

They do not certify anything else, and indeed the certificates' fields. This certificate doesn't certify any organisation name.

This is even reflected in some browsers' URL bar.
e.g.: in Mozilla's Firefox.

- Go to a "let's encrypt" website (like here on /. ) or one certified by CACert :
you only get the green padlock (sign that the communication is encrypted) and no other indication.
Let's Encrypt only checked that is indeed, but didn't check anything regarding ownership.
(it might as well be someone trying to impersonate Slash, DJ Slash or Fat Boy Slim)

- Go to paypal :
in addition to the padlock, you get an indication that certificate is certifying that the server is owned by PayPal Inc.
(Symantec actually checked that PayPal Inc is indeed own

Issuing a certificate to is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

Even further: it doesn't even certify that the owner of the website is someone called Bob. It only certifies to you that it is indeed
It might as well be owned by Alice, for what you know.
It only certifies that Eve isn't wiretapping you when you give your credit card number to buy parts.

However, Issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

There's a difference between guaranteeing a secure channel (against 3rd party eavesdropping).
And guaranteeing identity.
These are 2 different concepts.
Let's Encrypt only takes care of the first one and has never ever hoped to tackle the second problem. They DO NOT certify owners; this field is intentionally left blank on their certificates.

The point of Let's Encrypt (as its name says) is that encryption becomes the norm on the web. In order to avoid massively stupid blunders, like the dead easy identity theft demonstrated by FireSheep.

That's something that CAN BE achieved for free, on a massive scale, like Let's Encrypt and CACert are doing.

There's no realistic way that Let's Encrypt could in any way confirm owner identity for free on this massive scale.

That's something which is very easy to understand for people who have some basic knowledge of security.

Sadly, sheeple are stupid. So you need to educate them and try to find ways to make them understand.
(e.g.: the above mentioned "show certified owner in the URL bar if provided" that Firefox is doing).

But sapping efforts like "Let's Encrypt", which are providing a very valuable service (bringing the availability of HTTPS, TLS/SSL, etc. on a massive scale), simply because some idiot can't tell the difference between "protection against 3rd party eavesdropping" and "identity of the owner", is counter-productive.
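As an added example (not from the comment author and not Let's Encrypt's own code), here is a Go program that makes the DV/OV distinction concrete. It mints two self-signed certificates, one carrying only DNS names in the Subject Alternative Name, which is all a domain-validated issuer such as Let's Encrypt puts in, and one that additionally carries an Organization in the subject, then classifies them the way a browser's URL bar does and runs the one identity check a DV certificate actually supports, host name matching. The host names and the organisation name are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validation is what a relying party can read off a server certificate.
type Validation struct {
	Names        []string // DNS names the issuer vouched for (Subject Alternative Name)
	Organization string   // empty on a domain-validated (DV) certificate
	Level        string   // "DV" when no organisation is asserted, else "OV/EV-style"
}

// Classify reads a certificate the way a browser's URL bar does: the DNS
// names come from the SAN extension; an organisation name is present only
// when the issuer claims to have validated one. Nothing here says whether
// the organisation is honest, only whether an identity was asserted at all.
func Classify(cert *x509.Certificate) Validation {
	v := Validation{Names: cert.DNSNames, Level: "DV"}
	if len(cert.Subject.Organization) > 0 {
		v.Organization = cert.Subject.Organization[0]
		v.Level = "OV/EV-style"
	}
	return v
}

// NameMatches is the only identity check a DV certificate supports: does the
// certificate cover this exact host name (SAN matching, no CN fallback).
func NameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// SelfSigned mints a certificate with the given SAN list and an optional
// organisation. Self-signing is only so the example runs offline; a real
// issuer would sign with its own key after performing the validation.
func SelfSigned(dnsNames []string, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(90 * 24 * time.Hour), // Let's Encrypt-style 90-day lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Hypothetical names: a look-alike domain that any DV issuer would happily
	// issue for (it only proves control of that name), and an
	// organisation-validated certificate for contrast.
	dv, _ := SelfSigned([]string{"paypal-login.example"}, "")
	ov, _ := SelfSigned([]string{"www.example"}, "Example Payments Inc.")
	for _, c := range []*x509.Certificate{dv, ov} {
		v := Classify(c)
		fmt.Printf("%-22s level=%-11s org=%q\n", v.Names[0], v.Level, v.Organization)
	}
	// The DV certificate is valid for its own name and for nothing else.
	fmt.Println(NameMatches(dv, "paypal-login.example"), NameMatches(dv, "www.paypal.example"))
}
```

The point the check makes: a certificate for `paypal-login.example` is perfectly valid for `paypal-login.example`, and that is the entire claim a DV issuer makes. Whether the name looks like somebody else's brand is a question of ownership, which only shows up (if at all) in the Organization field that DV certificates leave empty.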

Comment Different level (Score 3, Insightful) 97

I suggest you read up on what sudo is capable of. You can easily set up sudo via its configuration file (/etc/sudoers) so that it will allow users that require elevated privileges (e.g. Database and Web Administrators) to do their work without needing root access.

The parent poster was referring to a different approach to security.

With sudo, you set up a list of commands that a database or web admin can run.
You limit user access by restricting which commands the user can run. But said commands will be run with root privileges.
In case of a bug in the command, you could use it for privilege escalation (*you* were only restricted to run this command, but *this command* runs as root and could do anything).

What the parent refers to is more closely related to the various "CAP_*" capabilities used in the Linux kernel.
i.e.: even if you run a command as root, that command would never, even in the case of a bug, reconfigure the network interface, because the corresponding CAP_{blah} capability isn't enabled.
By carefully crafting a very precise set of capabilities that you hand out to administrative programs, you make sure that they only do what they are supposed to do, even if an attacker manages to find a way to force a program running as root to do arbitrary actions.

(It's a bit similar to how some smartphone apps come with a whitelist of API calls that you need to validate before installing: "can access your contacts list", "can access your webcam", etc. Even if the weather app gets hacked, it can never be used to spy on you, because it's not whitelisted to access your mic and your cam... Well, except that nowadays every single last app seems to be obliged to ask access for nearly anything (Hey, now your Weather app can automatically recognise the city you're travelling into simply by flashing the QR code of your travel ticket! Needs cam privileges!).
Under Linux the same granularity exists, except that this is done at the kernel API level, instead of the Java user libraries like on Android.)

In the past few years Windows has been implementing similar restrictions. That's what the poster was referring to.

On Linux, the facility to apply this kind of control exists in the kernel too (the various capabilities). But there isn't much software using it. I only know of SELinux and AppArmor. And they are not used system-wide, but only to put specific software into cages (that software for which they have rulesets).

I think this is due to the fact that the basic user/group access rights of Unix can already provide quite some security if you take the time to organise enough granularity in your groups and memberships, instead of making everything restricted to root-only and thus needing to be root for nearly any action.

(Because of the Unix philosophy, lots of things are represented in Unix as files. Therefore, lots of the actions controlled by capabilities can be mapped to file accesses (e.g.: to device files in /dev/). Putting correct group access on files can achieve the same results.
e.g.: a virtual machine might need USB passthrough. One way would be to grant the corresponding capability to it.
The way VirtualBox does it is that it runs as the "vbox" group, and there's a script that hands out USB device nodes with that as group access.)

In practice, distributions such as Debian have been using tons of specific groups to control access to specific resources precisely, years before SELinux was a thing.
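Added example, not from the commenter and not part of any project named above: a small Go program that decodes the capability bitmask the kernel exposes in the `CapEff:` line of /proc/<pid>/status, so you can see exactly which CAP_* bits a process holds and build the minimal set to hand out. The sample status text, the `httpd` process and the sudoers line in the comments are constructed for illustration; on a Linux host the program also reads its own real /proc/self/status.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames follows the numbering in <linux/capability.h>: bit 0 is
// CAP_CHOWN, bit 12 is CAP_NET_ADMIN, bit 21 is CAP_SYS_ADMIN, and so on.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// ParseCapEff extracts the effective capability mask from the text of
// /proc/<pid>/status (the "CapEff:" line holds it as 16 hex digits).
func ParseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, errors.New("no CapEff line")
}

// Names lists the capabilities set in a mask, lowest bit first.
func Names(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask&(1<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, fmt.Sprintf("CAP_%d", bit)) // newer than this table
		}
	}
	return out
}

// Has reports whether a named capability is in the mask.
func Has(mask uint64, name string) bool {
	for bit, n := range capNames {
		if n == name {
			return mask&(1<<uint(bit)) != 0
		}
	}
	return false
}

// Mask builds the minimal set a program should be handed, e.g. a web server
// that only needs to bind port 443 gets CAP_NET_BIND_SERVICE and nothing else.
func Mask(names ...string) uint64 {
	var m uint64
	for _, want := range names {
		for bit, n := range capNames {
			if n == want {
				m |= 1 << uint(bit)
			}
		}
	}
	return m
}

// Constructed sample, shaped like /proc/self/status on a process started with
// only CAP_NET_BIND_SERVICE (e.g. via `setcap cap_net_bind_service=ep` on the
// binary, or systemd's AmbientCapabilities=). Contrast the sudo approach: a
// sudoers line such as
//   dba ALL=(root) NOPASSWD: /usr/bin/systemctl restart postgresql
// restricts *which command* runs, but that command still holds every bit.
const sampleStatus = "Name:\thttpd\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"

func main() {
	text := sampleStatus
	if b, err := os.ReadFile("/proc/self/status"); err == nil { // real data when on Linux
		text = string(b)
	}
	mask, err := ParseCapEff(text)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("CapEff=%016x %v\n", mask, Names(mask))
	fmt.Println("can reconfigure network:", Has(mask, "CAP_NET_ADMIN"))
}
```

The same decoding is what `capsh --decode=<hex>` and `getpcaps <pid>` do; writing it out makes the contrast with sudo visible: a full-root `CapEff` of `000001ffffffffff` decodes to all 41 names, while the constructed httpd sample decodes to exactly one, so even a compromised process cannot reach `CAP_NET_ADMIN`.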

Comment IPv6 benefits (Score 1) 54

What are the reasons for an ISP to do IPv6?

There are tons of advantages of IPv6 over IPv4.
One of them being a vast supply of addresses (128 bits vs. the overcrowded 32 bits of IPv4).
It's auto-configured (you just plug a device into a network and it automatically gets IPv6 working. Routers directly hand out prefixes, no need to organise stuff through DHCP. In IPv6, DHCPv6 is only used to hand out configuration options).
Every device gets a single address that is routable anywhere on the internet. (No need for NATs, masquerading, and private address ranges).

People still can go to Google with IPv4, so no reason there.

...for now. As IPv4 address space gets depleted you'll soon reach the point where some machines are only IPv6 addressable, and thus some servers can only be accessed over IPv6.

They would need to invest and that is never a nice thing to do.
They need to replace a lot of hardware or at least reconfigure it and that will cost money.

Nope. The whole point of technologies like 6rd is that you deploy IPv6 as a tunnel over the IPv4 infrastructure that you already have.
No new hardware needed (besides the tunnel server), especially not needing to replace the thousands of expensive routers scattered across the city that you cover with your services.

As a business I would also be against it.
I hope I am wrong and somebody can tell me a lot of advantages that would make them money, save them money or a combination of both.

That's the problem with IPv6. There isn't a simple, clear, immediate money benefit. The benefit isn't ultra-short term.
The benefits are instead long-term: IPv4 is an old technology that is slowly reaching its limits (e.g.: number of available addresses) and that requires more and more layers to circumvent (e.g.: NAT to get around the address limitation. e.g.: using relay servers in the cloud instead of devices talking p2p with each other, etc.)
From a technological point of view, we are running straight into a wall. But ISPs are complaining that they are not going to make tons of money immediately by switching to IPv6, so they stay on course headed for the wall collision.

Comment End effect : No (or at least less) cloud (Score 1) 54

One very direct effect of all of the above :

You won't be required to use cloud service for every single small thing you need to talk to.
(security cameras, weather station, talking toy, etc.),
instead you can trivially access any gizmo directly over the web simply by opening it in your router/firewall.

IPv4 remote access: you need to sign up for an account at their service. Your gizmo and the app on your smartphone are constantly talking to this server.
This makes a big central failure point: the company server can get hacked, leading to thousands of account records leaking (see HaveIBeenPwnd for your weekly example), or if the device is insecure that's a single point from which to attack all devices. Also if the company goes belly up and the server is shut down, your gizmo becomes an expensive brick.
And this kind of server still costs a little bit of money, so either you're going to need to pay for the service, or you're going to get ad-bombed like shit.

IPv6 remote access : you need to open a port (or a whole device) in *your* router. Your smartphone app is directly talking to your gizmo without any 3rd party getting involved.
There's no big server with a treasure trove of personal data to leak. If attackers want to hack an insecure gizmo, they need to find them one by one on the web.
Even if the company fails, you can still use your app to talk to the device, you don't rely on a 3rd party server.
There are no server costs to cover.

(Previously, similar things would have required fiddling with NAT, port forwarding and other such remapping to get done on IPv4. Trivial for most /.ers, but not necessarily for random users).

Comment in other countries (Score 1) 254

So basically all the money the government has collected as fines and penalties is distributed evenly to all taxpayers. That money was collected as compensation for crimes against society, and this way it gets distributed back to society.

That's exactly how it works in other countries (e.g.: Switzerland).
Fines don't go to the department (e.g.: to the police)
Fines go to the public spending budget, so the country has more money to do things (in addition to the tax money), or more practically, gets less indebted to do the same things...

Comment IPv6 tunneling (Score 4, Informative) 54

I will admittedly say I have no idea what SixXS is

SixXS was a free IPv6 tunneling service, so that people with an IPv4-only provider can still get access to IPv6 addresses through a 3rd party.
(But more reliably than 6to4, which is dependent on the dynamic IPv4 address and relies on volunteer servers reached through anycast).

The idea was to break the chicken-and-egg problem faced by IPv6 migration :
- content providers don't care about moving to IPv6 because nobody is using it and most people are still on IPv4
- and ISPs don't spend the effort to provide IPv6 to their clients, because there's no IPv6 content to justify the move.

SixXS provided a 3rd party with a very reliable way to get onto IPv6, so at least the "there are no users" excuse isn't valid anymore.

Now fast forward a decade and a half later and nowadays a lot of content providers *ARE* on IPv6 (e.g.: Google, most universities, etc.), but there are still ISPs not providing IPv6 on their network (e.g.: using something like 6rd, which basically works like 6in4 but relies on official servers with fixed addresses that are owned and operated by the ISP).
Instead of that, ISPs let the users who want IPv6 go use SixXS. So they rely on a free 3rd party service, instead of putting in the effort themselves to enable IPv6 for their own users as they should be doing.

So SixXS is shutting down to force ISPs to setup and listen to their users and provide IPv6, instead of deferring it to SixXS.

It's sad to see them go since it was a free service, providing a service for people without means.

The thing is, SixXS was providing a service that should in theory be provided by the ISPs themselves, but some are too lazy to implement IPv6 even after almost 2 decades.

(and it's not for people without means. Technically, it's for people who have the means to pay an ISP for a connection, but said ISP is damn shit lazy and doesn't care to provide something more modern than last century's IPv4)
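The 6rd deployment mentioned in the "IPv6 benefits" comment above (deploy IPv6 as a tunnel over the IPv4 gear you already have) and again in this one is entirely stateless, which is why it needs no per-customer provisioning: the customer's IPv6 prefix is computed from their IPv4 address. The following Go code is an added example, not from either commenter and not from SixXS or any ISP, carrying out that derivation per RFC 5969 together with the anti-spoofing check a 6rd border relay has to make on decapsulated packets. The ISP prefix `2001:db8::/32` and the customer addresses are documentation ranges chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Domain is the per-ISP 6rd configuration (RFC 5969): the IPv6 prefix the
// ISP owns, and how many high-order bits of each customer's IPv4 address are
// common to the whole domain (those need not be embedded).
type Domain struct {
	Prefix      netip.Prefix // e.g. 2001:db8::/32 (hypothetical ISP prefix)
	IPv4MaskLen int          // 0 = embed all 32 bits; 8 when all customers sit in one /8
}

// Delegate computes the IPv6 prefix a customer gets purely from their IPv4
// address: the ISP prefix followed by the non-common bits of the IPv4 address.
// No per-customer state and no DHCP exchange is involved.
func Delegate(d Domain, customer netip.Addr) (netip.Prefix, error) {
	if !d.Prefix.Addr().Is6() || !customer.Is4() {
		return netip.Prefix{}, errors.New("need an IPv6 6rd prefix and an IPv4 customer address")
	}
	if d.IPv4MaskLen < 0 || d.IPv4MaskLen > 32 {
		return netip.Prefix{}, errors.New("IPv4MaskLen out of range")
	}
	bits := d.Prefix.Bits() + 32 - d.IPv4MaskLen
	if bits > 128 {
		return netip.Prefix{}, errors.New("delegated prefix would exceed 128 bits")
	}
	out := d.Prefix.Masked().Addr().As16()
	v4 := customer.As4()
	pos := d.Prefix.Bits()
	for i := d.IPv4MaskLen; i < 32; i, pos = i+1, pos+1 {
		if (v4[i/8]>>(7-uint(i%8)))&1 == 1 {
			out[pos/8] |= 1 << (7 - uint(pos%8))
		}
	}
	return netip.PrefixFrom(netip.AddrFrom16(out), bits), nil
}

// SourceMatches is the anti-spoofing check a 6rd border relay performs on a
// decapsulated packet: the inner IPv6 source must lie inside the prefix
// derived from the outer IPv4 source; otherwise one customer could inject
// traffic that appears to come from another customer's delegated prefix.
func SourceMatches(d Domain, outerV4Src, innerV6Src netip.Addr) bool {
	p, err := Delegate(d, outerV4Src)
	return err == nil && p.Contains(innerV6Src)
}

func main() {
	d := Domain{Prefix: netip.MustParsePrefix("2001:db8::/32")}
	for _, cust := range []string{"192.0.2.1", "198.51.100.7"} {
		p, _ := Delegate(d, netip.MustParseAddr(cust))
		fmt.Printf("%-14s -> %s\n", cust, p)
	}
	genuine := SourceMatches(d, netip.MustParseAddr("192.0.2.1"), netip.MustParseAddr("2001:db8:c000:201::1"))
	spoofed := SourceMatches(d, netip.MustParseAddr("192.0.2.1"), netip.MustParseAddr("2001:db8:c633:6407::1"))
	fmt.Println("genuine:", genuine, "spoofed:", spoofed)
}
```

With a /32 ISP prefix and all 32 IPv4 bits embedded, each customer ends up with a /64, which is the hard floor for SLAAC; an ISP wanting to hand out /56s has to set `IPv4MaskLen` so that only the non-common low bits are embedded, which the `Delegate` function handles in the same way.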

Comment chip on your shoulder (Score 5, Insightful) 251

Given Europe's attitude towards hate speech and how they enforce "right to be forgotten", I'm surprised that they haven't already erected a GFW at this point

...said the man living in the glorious country where the simple apparition of a nipple is considered a major media catastrophe, where breastfeeding is a public offense, and where anything remotely sexual is sure to traumatise the next few generations of youth. (and where nude bodies are probably terrorism-level material).

To each country and culture its own taboos.
For Germany, it might be hate speech, for France it might be "right to be forgotten", and for the USA it's anything which isn't missionary position with the sole purpose to procreate.

Beware of the nude-nipple-terrorists, America !


Feds: We're Pulling Data From 100 Phones Seized During Trump Inauguration ( 226

An anonymous reader quotes a report from Ars Technica: In new filings, prosecutors told a court in Washington, DC that within the coming weeks, they expect to extract all data from the seized cellphones of more than 100 allegedly violent protesters arrested during the inauguration of President Donald Trump. Prosecutors also said that this search is validated by recently issued warrants. The court filing, which was first reported Wednesday by BuzzFeed News, states that approximately half of the protestors prosecuted with rioting or inciting a riot had their phones taken by authorities. Prosecutors hope to uncover any evidence relevant to the case. Under normal judicial procedures, the feds have vowed to share such data with defense attorneys and to delete all irrelevant data. "All of the Rioter Cell Phones were locked, which requires more time-sensitive efforts to try to obtain the data," Jennifer Kerkhoff, an assistant United States attorney, wrote. Such phone extraction is common by law enforcement nationwide using hardware and software created by Cellebrite and other similar firms. Pulling data off phones is likely more difficult under fully updated iPhones and Android devices.

Microsoft's OneDrive Web App Crippled With Performance Issues On Linux and Chrome OS ( 114

Iain Thomson, reporting for The Register: Plenty of Linux users are up in arms about the performance of the OneDrive web app. They say that when accessing Microsoft's cloudy storage system in a browser on a non-Windows system -- such as on Linux or ChromeOS -- the service grinds to a barely usable crawl. But when they use a Windows machine on the same internet connection, speedy access resumes. Crucially, when they change their browser's user-agent string -- a snippet of text the browser sends to websites describing itself -- to Internet Explorer or Edge, magically their OneDrive access speeds up to normal on their non-Windows PCs. In other words, Microsoft's OneDrive web app slows down seemingly deliberately when it appears you're using Linux or some other Windows rival. This has been going on for months, and complaints flared up again this week after netizens decided enough is enough. When gripes about this suspicious slowdown have cropped up previously, Microsoft has coldly reminded people that OneDrive for Business is not supported on Linux, thus the crap performance is to be expected. But when you change the user-agent string of your browser on Linux to match IE or Edge, suddenly OneDrive's web code runs fine. The original headline of the story is, "Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals".

Submission + - Read Your Senators' Browser History Coming Soon

windwalker13th writes: The US Senate just voted to roll back privacy protections for consumers of ISPs, thus making it one step closer to allowing ISPs to sell your internet activity.
Last year researchers at MIT were able to identify 90% of people in a data set from 3 months of anonymized credit card transactions. If we are already able to identify who people are from anonymous credit card metadata, how hard will it be to identify our senators from their internet browsing history? Certainly it would be fairly easy to determine who they are; after all, they probably check their e-mail every night before going to sleep.

Senate Votes To Kill FCC's Broadband Privacy Rules ( 397

The Senate voted 50-48 along party lines Thursday to repeal an Obama-era law that requires internet service providers to obtain permission before tracking what customers look at online and selling that information to other companies. PCWorld adds: The Senate's 50-48 vote Thursday on a resolution of disapproval would roll back Federal Communications Commission rules requiring broadband providers to receive opt-in customer permission to share sensitive personal information, including web-browsing history, geolocation, and financial details with third parties. The FCC approved the regulations just five months ago. Thursday's vote was largely along party lines, with Republicans voting to kill the FCC's privacy rules and Democrats voting to keep them. The Senate's resolution, which now heads to the House of Representatives for consideration, would allow broadband providers to collect and sell a "gold mine of data" about customers, said Senator Bill Nelson, a Florida Democrat. Kate Tummarello, writing for EFF: [This] would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn't be able to profit off of the information about what you search for, read about, purchase, and more without your consent. We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.

Comment Actually real. (Score 1) 89

now its almost as pathetic as "THIS IS THE YEAR OF LINUX!"

Yeah, go tell that to your smartphone (a huge proportion are running Android, which is running on Linux, though not on GNU userland), and/or your tablet, and to the wireless router/modem they are connecting to (it's almost impossible to find one which is not running Linux + Busybox nowadays). Not even speaking about your TV set (most SmartTV firmwares are running Linux).
Even the Intel Management Engine (the small always-on microcontroller inside the motherboard of your laptop/workstation that is used for remote administration in enterprises) runs some Linux variant.

You're literally interacting daily with dozens of devices running the Linux kernel without even noticing it.

Seriously, it's been the "year of Linux on everything except your desktop" for ages.

I swear "NINTENDO IS FINISHED! 3RD PARTY WHEN?" yet, here they are still making consoles.

Even if they are not dropping their still very profitable console business, Nintendo is slowly expanding to other hardware. (See their "Pokemon" IP showing up in smartphone apps - though this one was done through an external studio, Nintendo basically only providing the IP.)

Comment Actually it's clever (Score 1) 122

Austin Powers-references besides, that's actually a good idea:

- 75k USD is actually indeed a very small sum. So small that Apple's PR department can easily cough it up (there are probably rounding errors in Apple's marketing budget that are bigger than that) without it even getting noticed in Apple's finances.
i.e.: It's pretty cheap for Apple to hand the money just to make them shut up and get them out of mind.

- 75k USD can actually mean a lot in Turkey (if the hacker group are Turks, as they claim) given the local buying power. The sum might seem ridiculously small to the US /. audience, but it might be comfortable enough for the hackers.

- The hackers have even said that they would accept 75k in iTunes cards. That's money that will eventually get spent on Apple goods and services anyway. Apple's tax evasion special...^H financiers will probably find a way to write it off as a loss and still profit from it.
