Follow Slashdot blog updates by subscribing to our blog RSS feed

Comment Re:I don't see the bug either (Score 4, Insightful) 18

Maybe. I think the issue (if any) lies here:

2) Get them to click on a login using Google link that sends them to google.com/continue?= (something like this)

The problem is that the Google login page will be totally legitimate. The lock icon will be green, certificate pinning will ensure all is safe/good, etc. So it's not completely unreasonable that a person who might have been suspicious (but not too suspicious to click the link) prior to this point would now decide "okay, this is legit", and continue onward... and not notice that on the fake login page they're no longer on a Google site.

So, if it's a weakness, it's one that doesn't affect totally clueless users, who could have been directed to the fake login page to begin with, and it doesn't affect clueful/careful users who check their address bar at both the real and fake login pages and know how to tell the difference. It affects only somewhat careful users who check their address bar at the real login page and then figure they're safe from there on out. Well, it also has to be a user who is willing to click a Google login link from a random, untrusted site.

So I agree it's very, very narrow. I'm not sure I agree it's not an issue. But I know the Google Security Team guys well (I work for Google, on security, though not this stuff), and they're extraordinarily paranoid (that's a good thing), so my guess is that there is some other mitigating factor that I'm not seeing, and they just haven't done a good job of communicating the rationale to the researcher, or have some reason they can't communicate it.

I have asked on an internal mailing list. If the response is something I can share here, I will.
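The weakness discussed in this thread depends on a legitimate login page forwarding the user to whatever "continue" target the link specified. The standard server-side control for that class of issue is to validate the redirect target against an allowlist before honouring it. The following is an added illustration written for this page; it is not code from Google or from the commenter, and the parameter name `continue`, the host names and the https-only policy are assumptions of the example.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of hosts that a post-login redirect may point at.
# These names are constructed for the example, not taken from any real service.
ALLOWED_REDIRECT_HOSTS = {"example.com", "accounts.example.com"}


def is_safe_continue_target(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept only a same-origin absolute path or an https URL whose host is
    exactly on the allowlist. Everything else is refused, so the login page can
    never be used as a stepping stone to a site the operator does not control."""
    if not target:
        return False
    # Browsers treat backslashes like slashes and CR/LF can split headers; a
    # validator that parses these differently from the browser is bypassable,
    # so refuse them outright rather than trying to normalise them.
    if "\\" in target or "\r" in target or "\n" in target:
        return False

    parts = urlsplit(target)

    # Relative path: no scheme and no network location. A scheme-relative
    # "//host/path" form shows up here with an empty scheme but a populated
    # netloc, so it falls through to the host check below instead.
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")

    # Absolute URL: require https, then compare the parsed hostname, which
    # strips userinfo ("user@") and the port and lowercases the name.
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if host is None:
        return False
    return host in allowed_hosts


def extract_continue_param(login_url: str) -> Optional[str]:
    """Pull the continue target out of a login URL's query string, if present."""
    values = parse_qs(urlsplit(login_url).query).get("continue")
    return values[0] if values else None


def resolve_post_login_redirect(login_url: str, default: str = "/") -> str:
    """Return the redirect to issue after login: the requested target if it
    passes validation, otherwise a safe default on our own origin."""
    target = extract_continue_param(login_url)
    if target is not None and is_safe_continue_target(target):
        return target
    return default


if __name__ == "__main__":
    # Constructed sample links, as they might arrive from an untrusted referrer.
    for url in (
        "https://accounts.example.com/login?continue=%2Fdashboard",
        "https://accounts.example.com/login?continue=https%3A%2F%2Fexample.com%2Fsettings",
        "https://accounts.example.com/login?continue=%2F%2Fnot-ours.example%2F",
        "https://accounts.example.com/login",
    ):
        print(url, "->", resolve_post_login_redirect(url))
```

Exact-host matching is deliberate: a suffix or substring check would let a lookalike host that merely contains an allowed name through, and the fallback to a same-origin default means a rejected target degrades to an inconvenience rather than a redirect off-site.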

Comment Re:How to make it cheaper? (Score 1) 54

I see the carpooling part, but the summary also mentions charging fares, not splitting costs. Presumably the car owner is for hire and accepts them; Google just uses something along the lines of "Uber Pool" and "Lyft Line", which also match riders going in the same direction. Which isn't a differentiator at all, as the article claims.

The difference is that now the much lower fares will be too low to motivate anyone to take driving on as a job. If the fare value is so low that it doesn't even cover the full value of vehicle fuel and wear and tear, much less the driver's time, then no one will try to make money at it. Instead, it will just be a way to defray part of the cost of a journey one was making anyway. In other words, ride sharing.

Comment Re:FBI Word games (Score 1) 203

I'm glad that we have people on our side that are smarter than him.

You realize you're implicitly siding with criminals here, right? They also want to keep the FBI out of their data.

Oh, I agree with your conclusions. Banning encryption, or requiring backdoors, is a simply unacceptable level of intrusion in a democratic society. Its potential for abuse is too extreme to risk.

BUT... law-abiding citizens do also have an interest in seeing that lawbreakers are caught. Assuming we vote in people who pass appropriate laws and criminalize things that seriously and negatively affect our lives, things like murder, kidnapping, robbery, identity theft, and pot smoking (kidding!), then we really do want cops to be able to get the information needed to identify the perpetrators of crimes and to prosecute them. So we do not want a situation in which evidence is not generally available, leading to either failing to lock up a lot of people who are actively dangerous to us, or to locking up a lot of innocent people because we've had to lower the standards of evidence required for prosecution.

I'm pretty certain that we're just going to have to accept a world in which prosecutions are a lot harder, because the alternative is even worse. I also don't think it will be as bad as all that, because most criminals are stupid. It doesn't matter if the conspirators' email is encrypted when one of them posts the deed on Facebook. But I think it's important to admit that there is a real subject of debate here.

Comment Re:FBI Word games (Score 1) 203

> "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception.

Yes, but for specific limited instances and after obtaining warrants for each case. What Comey/The FBI are actually demanding is our freedom to use encryption be completely removed so that they can perform warrantless mass monitoring on a national scale.

To be fair, encryption does change the situation a bit. It creates a world where warrants do not work, not unless you can also be compelled to provide decryption keys/passwords... and even then, if the penalty for the crime you're alleged to have committed is worse than the penalty for refusing to divulge your password, you'll keep your mouth shut. Also, penalizing refusal to provide information runs into another problem (besides 5th amendment constraints): what if you legitimately can't provide the information, but can't convince the judge that you can't? How many innocent but forgetful people will we jail?

So, this really is a new world for law enforcement. On the one hand, if encryption is banned or backdoored, it gives them unprecedentedly broad and deep surveillance, potentially routine global surveillance. On the other, if encryption is legal and routine, they find themselves simply unable to get information that in decades and centuries past they could have gotten with a warrant and a search of your home/office.

There is an imperfect historical analogue: Very high security safes. In the past, people might keep possibly-incriminating evidence in a safe. If the safe was really, really good this occasionally created a situation where police could not get in because they lacked the tools and skills. Courts ruled they could not demand the combination. But the situation with encryption is different for a few reasons.

First, it's different because high-quality safes are expensive and rare, making the problem correspondingly rare. Encryption is cheap and easy.

Second, it's different because it's a pain to remember to keep all of your potentially-incriminating documents in a safe. Encryption can be automated so it's applied to everything. No need to think about it. Indeed, security advocates (like me) encourage encryption of absolutely everything, all the time.

Third, it's different because while a safe can always be cracked given enough time and effort, proper encryption is effectively invulnerable. Barring bugs in implementation, or defects in key management processes (e.g. weak passwords), we have no reason to believe anyone can break current-generation cryptographic algorithms.

So there is a real question that needs to be debated openly, in public. We need to understand the consequences of ubiquitous strong encryption on law enforcement, and we need to weigh that against privacy.

And then we need to tell the cops "Sorry, privacy wins. And even if it didn't, the sort of police state we'd need to put in place to effectively restrict secure encryption is simply unacceptable". But we should have the data, and the open, honest public debate so that everyone can come to understand what is blindingly obvious to those who already understand encryption.

Comment Re:So, really seems to be "ride-sharing" (Score 1) 54

That's what Uber was supposed to be until they became an international taxicab company

Are you sure about that? The company was launched under the name UberCab, and as far as I can tell it was a car-hailing app from the beginning. I can find no evidence it was ever a carpooling app.

It seems to me that the challenge with an actual ridesharing app is getting to critical mass. You need enough cars participating that anyone looking for a ride is likely to find someone to pick them up most of the time. That's something of a problem for a car-hailing app like Uber, but not as much because it depends only on there being a driver in the vicinity... with actual ridesharing you need to find a driver that is close enough and is going to the same place (roughly). And is willing to add a little time to their journey to pick you up and drop you off.

I suppose if they can get a substantial percentage of the Waze userbase to participate, it should work. I might do it.

Comment Re:Gut check (Score 3, Interesting) 55

As an IT person for over twenty years, I still pain at this cloud presence. Who owns your data? Google, Amazon, Microsoft?

What, specifically, are you afraid will happen?

I can see being worried about handing your business data to a service provider who may be a competitor, but are you actually competing with any of these? And would they really get enough value from looking at your data to justify the immense damage to their business if they were caught spying on customers in violation of contractual obligations? Not likely. I suppose I could see Wal-mart refusing to host their data on AWS because there's a clear competitive conflict, and Wal-mart is big enough that Amazon might want to spy on them, but those cases are pretty rare, I think.

If your concern is about data loss if the provider goes belly up or has severe problems (e.g. a data center burns to the ground) then (a) your fears are pretty misplaced with respect to AWS, Azure or GCE, and (b) you should be keeping backups regardless of whether you're running your own systems or using a provider. If your concern is about downtime, your fears are really misplaced. The big cloud providers are much better at that than you are.

I know a number of small and mid-size companies that have never operated their own data centers, or even had colos, and are extremely happy with the way that works. It makes them able to respond to changes in business much more quickly and keeps their overhead low, especially during the early phases. Sign up a huge new client and need to double your capacity? Log on and fire it up (assuming you've architected for scalability). No need to worry about floor space or purchase orders or installation schedules. Lose a huge client or find an optimization and need to cut capacity by 30%? Log on and shut it down. No need to figure out what to do about the idled equipment or floor space. These companies find it's much better to stay focused on what they do well, writing software and selling services, rather than staff up big organizations to manage data center operations.

One significant (~600-person) and quite profitable SaaS company I know doesn't own *any* computing hardware. Their computing equipment is completely BYOD, employees use their own laptops, tablets and phones (with reimbursement, so I suppose their accountants might argue they own some stuff, technically). When they had to move buildings recently (due to growth), they simply leased a new building and told everyone (those who don't telecommute) to show up at the new location the next week. The new building had cubicles and wired and wireless Internet in place (w/redundant providers), all part of the lease. They did contract some movers to haul boxes of personal items from the old building to the new one, including developers' large monitors. The CEO likes to joke that he could move the entire company to a beach-side resort in Belize and they could all continue working without the slightest interruption, as long as the resort had good Wifi.

That's a bit extreme, and there's no doubt that that level of flexibility isn't free, but it's not as expensive as you might think. Moreover, if your workload is very static, and your IT department is solid and smooth-functioning, and labor costs in your area are low, it will cost more to pay a cloud provider than to do it yourself. Or if you have particularly-sensitive data to manage (and actually know how to manage it... something that is *rarely* true in my 15 years' experience as an IT security consultant), you may need to have your own hardware. But for many, many companies, the cloud is cheaper, faster, more flexible and more secure.

Comment Re:Don't pay attention to the article and lie (Score 1) 140

Not sure if you're trolling or just displaying average ignorance from not reading the article, but if autopilot disengages the car will slow to a crawl and not go "careening out of control".

A better solution would be to pull over to the shoulder (safely changing lanes if necessary), and slow and stop there. Slowing to a crawl in traffic on a busy (but not jammed) freeway is very dangerous.

Comment Re:We Americans should hit Apple with an European (Score 1) 194

what really happens is that Apple Ireland, which pays essentially zero taxes, claims sales volumes for markets outside of ireland, knowing that regulators cannot easily disprove that Apple Ireland is not just selling absurd numbers of apple products

Not quite.

Regulators can easily tell how much revenue was generated in a given country from sales in that country. But profit is the difference between revenue and cost, and it's easy for Apple to artificially inflate the costs of the various subsidiaries. It could do this by jacking up the price the subsidiaries pay for the products they sell, but the more common approach is to license IP, such as trademarks, for amounts of money chosen to ensure that the subsidiary makes no profit, or even generates a loss where that is advantageous.

That way, the profits can be realized in a locale with low taxes, like Ireland. This does mean that all of the cash flows to those low-tax locations, and that it's then difficult to move it elsewhere (e.g. to the US) without getting a big chunk eaten up by the taxes in the destination country. This is the primary reason why the tech companies that use this Ireland scheme keep huge piles of cash (like Apple's $200B), rather than paying out dividends.

Comment Re:RAID is not backup (Score 1) 357

Must be nice. I backed up over 12 GB Sunday night, and that was only one week worth of incremental backups for my personal laptop. Over my DSL connection (soon to be retired), that would have taken two days.

That is negligible. I mean, it's not like you have to sit there and watch it. Just start it in the background... maybe limit it to use only a percentage of your bandwidth to avoid making everything else suck, and let it run.

That time difference makes the difference between me being willing to back up regularly and never backing up.

And as a result, if your house burns down you'll lose everything.

Obviously, YMMV, but I would imagine that somebody with multiple terabytes of personal data is probably either a photographer or videographer, and therefore has the same sorts of nightmare backups that I do.

Photographer. Amateur, though, so I don't generate gigabytes every week. Only some weeks.

Comment Re:The MS Merry Go Round. (Score 1) 212

Yep and I'll be advising customers to disable updates, which won't be an issue since the browser runs in a sandbox and all web pages are scanned before load.

Meanwhile all my business customers are looking at exit strategies, some looking at Apple, some looking at Linux with a Windows VM for the Windows centric software that is required. All MSFT is doing is shooting themselves in their face with this dumb shit because a desktop is not a cellphone and the shit people will put up with on a cellphone the majority will NOT put up with on a desktop. I should know as uninstalling windows 10 is frankly one of my most popular services, it even surpassed Win 8 uninstalls awhile back, its just too fucking buggy.

Comment Re:Cloud Based Backup (Score 1) 357

Say this with me folks: CLOUD STORAGE IS NOT RELIABLE NOR IS IT SECURE IN ANY WAY!!!!!

Bullshit.

Good providers are at least as reliable as your local drives. They could fail, but so could your local backups... and when your house burns down, the odds that your backup service provider dies at the same time are minuscule (barring some planet-scale catastrophe, in which case you probably won't care anyway).

As for security, encrypt if you're worried about it. Personally, there's nothing in my backup data that's particularly sensitive, so I don't bother. Most of the backup services automatically encrypt everything anyway.

Comment Re:RAID is not backup (Score 1) 357

The problem with cloud-based solutions is that the cost for backing up several terabytes of data is typically several orders of magnitude higher than building your own RAID array

Nonsense. One order of magnitude more, at most. On-line storage costs are on the order of $100 per TB per year. There's no way you can build and maintain your own solution for $1 per TB per year, which would be two orders of magnitude less. "Several" orders of magnitude would be at least four, putting you in the range of $0.01 per TB per year. Even $10 per TB per year would be tough to reach, if you want any redundancy, and if you value your time at all -- and while you're amortizing the cost of your up-front hardware investment over several years in order to get close to that level, on-line storage costs will continue dropping, so at the end of those years the savings would be even smaller than they appear now.

Plus, backup storage which is located on-premises is inherently inferior to off-site storage, because a whole range of disasters that take out your primary storage whack your backup, too. Fireproof safes are a partial solution, but not a complete one... and not a cheap one.

No, the best approach is to use a cheap, unreliable, local backup, not bothering with bunkers or safes or even much redundancy, plus use an online service. The local copy is your normal recovery source, the online service is your final fallback.

Personally, I just replicate my data to a couple of local machines (the machines are there anyway, so throwing a little more storage in them doesn't cost much) and keep another copy on Google Drive, which is $120 per TB per year, but I managed to get 1 TB free (in perpetuity) as part of some promotion, and I currently have just under 2 TB of data that I care about (mostly photos), so my net cost is about $60 per TB per year for the online component, plus another $25 per year for an extra 4 TB drive that cost $100 and I expect to get four years out of (will probably go longer, but could die sooner).

Upload time sucks, but only for the initial upload, which I did two years ago. After that, incremental additions are pretty negligible. A full restore from the remote copy would take a long time, but I can easily get individual files on an as-needed basis. Actually, I find I use the remote copy quite frequently to grab particular photos or files on various devices, so it provides some functional value as well as disaster protection.

Comment Re:Patent indemnity (Score 1) 237

How can a license grant a patent indemnity on a patent you do not own?

You obviously can't grant licenses on patents you don't own. As a downstream recipient, you get protection from patents owned by the upstream contributors. It can't do anything to protect you from third party patents.

Also, GPL3 is somewhat nebulous on the question of whether if you write any GPLed software, everybody downstream gets indemnity for all your patents, regardless of whether you interacted w/ them or not.

I think it's quite clear. Everybody downstream gets a license for all of the patents which you use in the licensed work, regardless of whether you interacted with those parties or not. It doesn't affect any other patents you happen to own.

The only real subtlety, I think, is for downstream re-distributors, who have to grant patent licenses for code they didn't write, and those grants effectively flow upstream as well as down. Of course, the license doesn't *force* them to grant those licenses, any more than linking proprietary code to GPL'd code forces you to GPL your proprietary code. It's just that choosing not to license the patents (or GPL the relevant code) means that you have no right to distribute, so any distribution you did constituted copyright infringement. Well... in the case of patents it may also mean that you implied a license, which probably means that you can ask users to either pay or stop using, but can't go after them for any past infringement. And, of course, it also means that you lose the right to use and open yourself to infringement suits for your past, present and future use.

Of course, all of that only comes into play if you intend to enforce patents against others. The clear goal of GPLv3 is to discourage software patents, which I wholeheartedly support (even though my name is on a few).

Comment Re:Given the reviews (Score 1) 461

Here is a good example from the bad old days. New games aren't USUALLY this bad, but I chose this because it's rather easy to see the pop-in... notice how it looks like the path ahead is clear, then suddenly mountains and other terrain just magically appear in front of the ship? That is pop-in, which is caused when a game for whatever reason is simply incapable of rendering objects before they come close enough to the player for the player not to notice their being drawn... THAT is pop-in, and it's irritating as hell and pretty much kills any sense of immersion in the game world.
