
Comment Re:The Dying Days of the Certificate industry (Score 1) 71

There are various attack vectors that allow spoofing of those creds without access to the private key.

What such an attacker can't likely do is answer an on-premises phone call from an extended validation CA to get a new cert for the domain in question.

Don't get me wrong -- letsencrypt is a good thing for encouraging at least the possibility of security among those who cannot afford a real CA. But no fully automated system will ever be able to offer better guarantees than a staffed-up CA (not that all staffed-up CAs actually add much value, but some do). Nor are they necessarily less likely to do what Symantec did... an internal actor could issue certs willy nilly. Breakdowns in internal checks and balances in any organization can occur. CAs will succeed or fail based on their ability to prevent them.

Comment Re:also in the news ... (Score 5, Interesting) 457

Yet supposedly if you read other articles, we are moving towards a crisis where humans find themselves in a highly automated society without enough to do, work-wise.

But then we increasingly have people so desperate for immediate financial gain they'll sacrifice their future, a technocratic wealthy elite more than happy to take the better end of that stick, and a populist movement of people so concerned about losing their jobs they'll sign on to just about any anti-immigrant platform no matter how odious.

And on the flip side, even those who welcome immigrants always add "if you are willing to work really, really hard", not just "work".

It's the overdeveloped puritanical work ethic colliding with technology colliding with economic and resource realities. What a schizophrenic nation we have become.

But rest assured, the basic human need to complain about shit will be fulfilled in abundance.

Comment Re:Contempt of the court... (Score 1) 517

I might still have a partition sitting somewhere where I played with drive encryption and then forgot the passphrase. Nothing on it but a stock Linux install, but these days you never know when some random baseless accusation is going to fly your way.

I guess we're all legally required to never forget a drive password now. Feh.

Then again, now any disgruntled tech support guy can sabotage any PHB by just putting an encrypted partition on their desktop. They can tell the judge they didn't know it was there, and don't know the password, but I guess tough luck for them.

Comment Re:What? (Score 1) 76

I have no conspiracy theory, just a disdain for switch clustering suites. If you're talking about the vendor lock-in point, ask an SE where a standards-based inter-vendor clustering suite is on the company/industry roadmap. It's just a de-facto reality.

I haven't seen many switches lately that have a separate backplane cable for clustering. They all use their uplinks, since it only took vendors a decade or two to get cluster management packets adequately prioritized.

On ease of management I'll give you one more item: if the cluster supports hitless upgrading that's not doable through other means, and if your SLA doesn't leave you any windows that's an attractive feature. So three, three good reasons.

But unless you have only one cluster you're dealing with multiple CLI/SNMP/SDN endpoints anyway, so you might as well start automating, there will only be more over time.

"Stack resiliency" really is only applicable to HPC, and in that case you'll be using #1 from my original list anyway. The MTBF on these things is so low these days that for most purposes you are past the point of diminishing returns on any other level of reliability.

Comment Re:Another demonstration of why users need control (Score 1) 76

I'd probably say we should be utilizing 20 year old router technology.

That would be a security mistake... a lot of essential security features are younger than that. Heck, there are some switches that old where the only option for administration is through telnet. Switches that old (or new switches not properly configured, or anything in the prosumer market or lower) are pretty much an open killing field for intruders to forge, intercept, and bypass traffic.

The problem with open-sourcing these things is price and operating costs... open designs for the hardware would have to be mass-producible at the same price point as vendors have managed to achieve, and since they handle transit traffic, without open hardware, anything could be in that silicon to inject watermark CnC in packet headers or transmit timing.

So you have to be pretty damn cash-flush to spy-proof your access network... otherwise you just have to hope whoever can own your net doesn't want to and is competent enough to keep the house keys hidden from others that would.

Comment Re:That's nice, but... (Score 1) 76

Most switches support ACLs on all services, and/or on switch SVIs (if you don't have prohibitively many of those), and/or CoPP, so you can tell the switch not to talk to anything but your management stations. You just have to set things up so you can alter those ACLs en-masse when needed. No need for a firewall, really, as long as you aren't using ridiculous utilities that do not belong on a switch in the first place.

That said, there's pretty much zero reason to use telnet these days, and even the last vestiges of FTP and TFTP are starting to become unnecessary as more switch facilities are supporting SCP or (sigh) SFTP. Sigh on the latter because you really are putting a lot of trust in the other end of the connection because SFTP subprotocol code is not production quality code, even in the openSSH tree. But at least someone has to actually own the endpoint to get at it.
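The two points above, locking management services to the management stations' ACL and retiring telnet, are the kind of thing worth checking and pushing across a whole fleet at once. As an added example (not from the original comment), here is a small Python audit and generator; it assumes Cisco IOS-style syntax, which the comment does not name, and the config text is constructed for illustration.

```python
# Constructed sample running-config excerpt (IOS-style syntax is an assumption).
# The first vty range still allows telnet and has no access-class; the second
# is restricted to the management ACL and SSH only.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
!
"""

def vty_blocks(config):
    """Return [(header, [indented body lines])] for every 'line vty' stanza."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw, [])
            blocks.append(current)
        elif raw.startswith("!") or (raw and not raw.startswith(" ")):
            current = None            # '!' or a new top-level command ends the stanza
        elif current is not None and raw.strip():
            current[1].append(raw.strip())
    return blocks

def audit_vty(config):
    """List vty stanzas that still allow telnet (or any non-SSH transport)
    or that have no inbound access-class limiting who may connect."""
    findings = []
    for header, body in vty_blocks(config):
        transports = [l for l in body if l.startswith("transport input")]
        # No explicit 'transport input ssh' means the default (which may include telnet).
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(f"{header}: transport input not restricted to ssh")
        if not any(l.startswith("access-class") and l.endswith(" in") for l in body):
            findings.append(f"{header}: no inbound access-class")
    return findings

def render_mgmt_acl(name, mgmt_nets):
    """Render one ACL + vty stanza (address, wildcard pairs) so the identical
    text can be pushed to every switch when the management nets change."""
    lines = [f"ip access-list standard {name}"]
    lines += [f" permit {addr} {wildcard}" for addr, wildcard in mgmt_nets]
    lines += [" deny   any", "!", "line vty 0 15",
              f" access-class {name} in", " transport input ssh", "!"]
    return "\n".join(lines)
```

Running `audit_vty(SAMPLE_CONFIG)` flags only the `line vty 0 4` stanza, while the output of `render_mgmt_acl` audits clean.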

Comment Reasons to leave clustering enabled (Score 1) 76

1) You are using proprietary multichassis bonding
2) You need to make multiple switches look like one for licensing $$ purposes.

And that is about it. Look at any vendor's release notes and a substantial portion of the bugs are in the clustering regime. Just turn that crap off unless you need it... since industry-wide it's a proprietary lock-in gambit and doesn't have to survive interop shootouts, there's no way the code is worth running otherwise.

Comment Re:Never had a globe? (Score 1) 319

Why does making the accurate statement "this map's projection misrepresents the proportion of countries in the northern hemisphere" make someone an SJW liberal with a PC agenda?

Because certain white people are special snowflakes who take everything personally... you can usually tell them apart by how many times they call other individuals snowflakes, since it's a form of projection.
