
Comment Re:Unrealistic for you, maybe (Score 1) 544

Right now, one of the things that is trending is groups of doctors that cover the full range of the human anatomy banding together and selling shares in a health club type arrangement: pay x annually and you're covered for most of your health needs.

Huh, that's a novel idea! I'm so glad that someone came up with a great way of making things work in the 21st century!

Since these "health club shares" are so exclusive, let's call the annual payment a "premium" because it's so awesome. Of course, we can't have someone who pays this "premium" going to the doctor too much, so we'll charge them a small amount every time they see the doctor. Let's call this a "cooperative payment"... no, that's too long... "co-payment" is much better! Now, of course, this group of doctors is going to need a name. Because we're trying to keep everyone in good health, instead of calling this a "health club" because that sounds too much like a gym, let's call this a "good-health-keeping club"... no, too long again... "health maintenance club" is much better. But wait, this group of doctors is so large, it's not really a "club", more like an "organization".

You know what I just described? Freaking INSURANCE (specifically, an HMO)!! It's not new or novel! Now, here's what was happening pre-ACA:

OK, now that we have our "club", we don't want anybody to actually USE our doctors and make us pay more than we're collecting annually, so we won't let anyone in who has ever had a heart attack, stroke, or cancer, or who currently has diabetes (type I or II, don't care), is overweight, has high cholesterol, is over 55, or smokes. Now, to make sure that we don't pay too much, we're only going to provide $50,000/year of coverage; after that, you're on your own, and we won't pay for more than $250,000 over your lifetime. Oh, and although we're a comprehensive network for all of your health care needs, we won't cover you for having a baby, getting depressed, or needing most specialty care. Also, since only half of our subscribers are women, we aren't going to make everyone pay for those icky women's exams, so we won't pay for those either. Basically, you can see your family doctor (make sure to pay your co-payment up front, please!) and then it's on the streets for you!

Does that sound like an awesome way of going about things? Note that all of the above exclusions/limitations are REAL riders that I have PERSONALLY experienced with insurance pre-ACA.

I love how someone can take an old idea, repackage it, and then: "this will solve all of our problems!!"

Comment Re: LUKS (Score 2) 151

That sounds really complex, and potentially expensive as the number of devices scales. Also, fragile and difficult to maintain.

The easiest way is just use LUKS and a secure passphrase.

If you want to restrict knowledge of the passphrase to admins but allow users to reboot, that's a harder problem. However, if you have a TPM chip, you can use it to secure a random LUKS passphrase that unlocks only in a verified clean boot. You'll need trustedGRUB and tpm-luks, but it does secure against fairly sophisticated attacks. It even allows someone to have physical access to the machine WITHOUT having total access.

If you're concerned about the CIA/NSA/FBI/TLA coming into your space and performing a cold boot attack, this won't help, but then again, there are very few technological defenses against a determined nation state adversary.

Comment Re: Play Audio on Linux? (Score 2) 164

If only there were a way to define a generic way to tell how two "things"... let's call them "objects"... relate to each other when doing sorting. Then, for each "object", you could compare it to another "object" and see if it is less than, greater than, or equal to the other.

I know, we can make a generic "function" of an "object", and call it.... "less". If you're in a sane language (sorry, Java), you could even use the "<" symbol to compare two "objects". Then, any sort algorithm can use this function to compare two "objects" and figure out where it should go in the list.

Then, we can put this algorithm in some sort of "library"... maybe a "standard library" in which sort algorithm developers can implement different sorting methods. Then the programmer uses this "standard library" to sort his/her list of "objects".

Apologies to anyone who's using C and actually DOES need to implement their own sort, but if you're using literally any language developed in the past 30 years, you have no business implementing your own sort function outside of a homework assignment. The only potential exception to this is if you are in fact a developer of sorting algorithms, and all 3 of them know who they are.

Comment Re:No (Score 2) 220

Not necessarily. Think about Edward Snowden, who had to pass through all kinds of security to get access to the data that he leaked. Would it have been easier for him to go to Initech and be their lead sysadmin, leaking all of their proprietary data? Certainly, but the perceived reward to him wasn't worth the risk of doing that. However, his perceived reward in leaking the NSA documents was so great that he undertook a concerted effort to undermine the many levels of security they had in place.

Note: I'm not advocating for/against Snowden. Just using him as an example that not every person goes for the lowest hanging fruit.

Comment Re:It's the base assumption that its invalid (Score 1) 392

It's my understanding of current case law (IANAL) that a combination to a safe is considered "testimony," and thus protected under the 5th amendment. A safe key, on the other hand, is not (this is why I specifically chose a combination). Of course, nothing prevents the police from going to the manufacturer for help in opening the safe, though nothing obligates the safe manufacturer to help.

On a related note, if your passphrase is "I totally killed those 3 guys on October 26, 2006", that's probably testimony that would (SHOULD) be protected under the 5th amendment.

Besides, nobody can FORCE anything from your mind ( notwithstanding). The worst they can do is throw you in jail until you comply (or they get bored). Worst case, they convict you for "obstruction of justice" or some similar nonsense. If you're facing a surefire Murder 1 conviction if you do reveal your key, there's simply not much incentive to help out; you'd have to weigh the value of the unencrypted data with the consequences of not revealing your key.

For historical examples, see the origins of "pressing for an answer": If you entered a plea, the trial could continue, and if convicted, they killed you AND took all your property (leaving your family destitute). If you never entered a plea, you simply died under the weights, but your family got to keep your estate. So, standing mute was a rational decision if you knew there was enough evidence to convict because the punishment for not entering a plea (death) was better than being convicted (death AND bankruptcy).

Comment Re:It's the base assumption that its invalid (Score 5, Insightful) 392

Safes can be opened ... with a warrant.

Absolutely. However, I don't believe that anyone is compelled to divulge the combination to a safe; rather law enforcement hires someone to forcibly open the safe. If they can't open the safe without destroying the contents inside, that's just too bad.

There's no reason to make smartphones that can't be searched ... with a warrant.

You can absolutely search my encrypted smartphone with a warrant. How much information you'll get out of it without my key is debatable, but nobody gets to know my passwords (aka combination). If the police are able to crack the encryption, good for them. However, I'll continue to trust math to keep my secrets safe.

That type of encryption is for the government, not for joe six-pack.

The problem with that thinking is it leaves you open to spying from everyone, not just the government. Let's assume we allow some cryptosystem that has a back door / master key. To implement the system, you have to publish the specs which will be viewable to all (don't get me started on export control; it'll get out). Someone much smarter than you or I will realize the back door and exploit it to snoop on highly sensitive encrypted traffic... say online banking. Then joe six-pack gets a little pissed when he finds out that his bank account was raided and now he has no money. Oh, and since it was his password that was used to withdraw all that money, the bank won't be returning that money.

So, how does joe six-pack feel about broken encryption now?

Comment Re:One time pad (Score 1) 128

That said, you could probably use a synchronized random number generator as the shared pad data.

No; a true OTP is NOT the same as a pseudo-random OTP. For an illustration of this concept, let's assume that your adversary knows your algorithm for generating the pads but has no information about the shared secret between you and your partner. To make things easier on your opponent, let's assume that he knows that you plan to encrypt a 1GB plain-text ASCII file.

In the case of a true OTP, you and your partner must share 1GB of data securely. Because the pad is truly random, any 1GB ciphertext is equally likely, so your opponent must consider every combination of 1GB, meaning 2^(8e10) equally likely ciphertexts. This is basically secure for all eternity. Also complicating the matter is that for a given ciphertext, all plaintexts are equally likely. So, the opponent doesn't know if you said "Attack the beach at noon" or "Attack the beach at dawn" or "jcfpeb k,spq djte96bslg1Hw".

Now, in the case of a pseudo-random OTP, let's assume that the seed of your PRNG is 32 bits, so you only have to share a very small secret securely. However, there are now only 2^(32) possible ciphertexts that the opponent needs to check. This is a much more practical problem, and he can use some simple checks to see if the decrypted message "makes sense", and choose the most likely plaintext.

In reality, nobody uses an OTP because if you can securely communicate the length of the pad, you can just as easily communicate the entire message. What is used instead is public-key encryption, where your partner can encrypt a message, but only you can decrypt it. Of course, this is a few orders of magnitude harder than symmetric encryption, which is why you'll typically use the public-key encryption to share a disposable secret key, which is then used to seed a symmetric encryption method (your pseudo-random OTP would be one of those). In reality, this is still pretty secure, as the key is typically in the range of 128+ bits, meaning a key space of 2^128 for a brute-force attack, which is still pretty infeasible. However, it is not completely 100% secure against any decryption as a One-Time pad is.
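
The true-OTP versus pseudo-random-OTP comparison above, as an added example that is not part of the original comment: a pad derived from a small seed by a known generator can be recovered by enumerating seeds and applying the "makes sense" check, while a genuinely random pad is consistent with every same-length plaintext. Python's random module stands in for the generator, and a 16-bit seed (rather than the comment's 32-bit one) is an assumption so the search finishes in seconds.

```python
import os
import random

# Constructed toy "pseudo-random OTP": the pad is a keystream produced by a
# public generator from a small shared seed. Seed size and seed value are
# assumptions for the demo; the attacker is assumed to know the generator.
SEED_BITS = 16          # deliberately tiny so the full search runs quickly
SECRET_SEED = 0xBEEF    # constructed shared secret, unknown to the attacker
MESSAGE = b"Attack the beach at noon"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(seed: int, n: int) -> bytes:
    """Publicly known generator: seed -> n pad bytes (Mersenne Twister)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def encrypt_prng_otp(pt: bytes, seed: int) -> bytes:
    return xor(pt, keystream(seed, len(pt)))


def looks_like_text(pt: bytes) -> bool:
    """The 'makes sense' check: printable ASCII only."""
    return all(32 <= b < 127 for b in pt)


def recover_by_seed_search(ct: bytes) -> list[tuple[int, bytes]]:
    """Attacker knows the generator but not the seed: only 2**SEED_BITS
    candidate pads exist, so enumerate them and keep plausible plaintexts."""
    hits = []
    for seed in range(1 << SEED_BITS):
        pt = xor(ct, keystream(seed, len(ct)))
        if looks_like_text(pt):
            hits.append((seed, pt))
    return hits


def true_otp_encrypt(pt: bytes) -> tuple[bytes, bytes]:
    """True OTP: the pad is as long as the message and genuinely random."""
    pad = os.urandom(len(pt))
    return pad, xor(pt, pad)


def pad_explaining(ct: bytes, claimed_pt: bytes) -> bytes:
    """With a true OTP every same-length plaintext is equally consistent with
    the ciphertext: the pad that 'proves' any claimed plaintext is simply
    ct XOR claimed_pt, so a seed-style search has nothing to narrow down."""
    return xor(ct, claimed_pt)


if __name__ == "__main__":
    ct = encrypt_prng_otp(MESSAGE, SECRET_SEED)
    print("seed search recovered:", recover_by_seed_search(ct))
    _, ct2 = true_otp_encrypt(MESSAGE)
    alt = b"Attack the beach at dawn"
    print("true OTP explains 'dawn' too:", xor(ct2, pad_explaining(ct2, alt)) == alt)
```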

Comment Re:Multi-factor is the only right way (Score 3, Informative) 123

NO! A million times no!

Proper multi-factor authentication is ALWAYS "something you have" and "something you know". The idea is that if someone steals the thing you know (i.e. password), then they have to also steal something you have (i.e. hardware token / smartcard / phone, you name it). The hope is that even if you don't notice that your password is compromised, you'll notice when you lose your phone. Similarly, if someone copies the smartcard you have, they still don't know the PIN to access your account.

The hack of fingerprint databases illustrates this. For example, someone with access to the hacked OPM database can steal/copy your smartcard and can now impersonate you at will if you've relied on Smartcard + Fingerprints. Now, "something you have" could certainly be your fingerprint, but 2-factor auth is NOT "something you have" and "something else you have." Just like the bank's "security questions" are not two-factor auth, because they're "something you know" and "something else you know."

Comment Re:Negotiating when desperate (Score 3, Insightful) 583

The only exception is if you're 15 years old and it's literally your first job, and in that case it's probably appropriate that the offer is for minimum wage.

So, if I'm 21 and graduating from college, I'm supposed to have enough saved to be able to turn down that first offer? I don't know about you, but I worked >50 hours / week in college (making between $10 - $20/hr at various jobs in early 2000's), and I barely kept the tuition bills paid. Granted, I basically had no debt coming out of college, which put me ahead of a lot of my peers, but I wasn't in any position to say no to a job offer and live on my luxurious (non-existent) savings.

Now that I'm ~15 years out, I do have the freedom to turn down job offers, but it's because I started out with no debt and have been able to save. For those starting off in the hole, saying "no" is a luxury they won't have for a LONG time.

Comment Re:bullshit (Score 2) 212

Reminds me of warnings on grape juice concentrate sold during prohibition: "After dissolving the brick in a gallon of water, do not place the liquid in a jug away in the cupboard for twenty days, because then it would turn into wine."

Could we get something similar: "After downloading the code, do not remove lines 33-67 of Encrypt.c, as this will disable the legally mandated NSA back doors"

Comment Re:Of course they're giving a 6-year transition (Score 1) 259

Well, of COURSE I didn't resell the license - that would be silly! I sold a license, but I had to pay a royalty to my wholly-owned Irish subsidiary for selling the license. It's complete coincidence that the royalty rate is 99% of the gross sales on the licenses. Thus, you can only tax me on the 1% profit that I made on that license, and that's BEFORE I deduct anything else (I'm sure I can find 1% to expense somewhere else - furniture depreciation sounds like a good idea!).

It's kinda like capital gains tax. If I sell $100 worth of MS stock, I'm not taxed on $100. Rather, I'm taxed on the difference between what I paid for it and what I got for it. If I paid $90 for that stock, I only owe taxes on $10 of capital gains income. Things get really tricky when selling for a loss, but I don't want to complicate the matter.

I know it's an oversimplification, but that's essentially the tricks that they're using. When you remove all of the accounting mumbo jumbo, it reveals the tricks for what they are: dirty, slimy ways to avoid paying taxes. (That being said, all the tricks are legal, and if I could use the tricks, I would use them to the fullest extent allowed by law as well).

Comment Re:Of course they're giving a 6-year transition (Score 1) 259

Actually, from my understanding, the loophole works this way:

MS sells a license to use Windows for $100 in Colorado. This is counted as US income. However, in the US, we don't tax revenue, we tax profit. This means that if MS had expenses of $100 for that particular license, then it would owe no US income tax on that sale. Conveniently, they have a wholly-owned subsidiary based in Ireland (but headquartered in the Cayman Islands) that is willing to sell that license for precisely $100. And just like that, no US corporate income tax for ANY license!

Granted, you now need a way to get out of the Irish income tax (which is lower than US income tax), and that's where the Dutch Sandwich comes into play. I know I'm oversimplifying things, but when you can set up new companies and transfer the "assets" for essentially the cost of a few lawyers and filing fees, avoiding taxes becomes pretty easy.

Comment Re:Fine! (Score 1) 365

How can you have a standard like that if it doesn't dictate teaching methods? This is especially true for math where you don't just regurgitate the correct answer. The method is a part of the correct answer. For that you pretty much have to "dictate the teaching method".

Actually, math is probably the LAST subject where you want to "dictate the teaching method". There are over 10 ways to prove the Fundamental Theorem of Algebra; all of them are "correct" and give the answer. By dictating the teaching method, you are stating that all other proofs are incorrect, which is patently wrong.

It doesn't matter how you get 62 + 36 = 98. You can draw squares and lines, column addition, grouping by 5's, or counting on your fingers! All are valid ways of finding the answer. Some may be more efficient than others, which can impact your ability to get through all of the questions, but as long as you get the right answer, it doesn't matter how.

It's like saying "We have a programming problem, please use C to solve it". Any programmer worth his salt would walk away immediately. C may be the right approach, or the best approach could be Java, PHP, or even LISP. It's better to teach multiple methods of doing something simple, so that way when you get to something complex, you have the skills to solve it AND (more importantly) the skills to know what tool to use.
