
Comment Re:git was written when SHA-1 attacks were publish (Score 1) 156

Both happened in 2005. And SHA-2 was published 4 years earlier. So yes, the sky is not falling, and git can be made secure, but it also wasn't really wise to use SHA-1 when git was implemented, first.

As a hash function, SHA-1 was perfectly adequate for how Git works.

All Git uses SHA-1 for internally is to hash the contents of a file to turn it into a unique number. SHA-1 is a nice fast algorithm to do that, and 160 bits offers plenty of space to uniquely identify stuff. It's so good that all the other things are hashed like commits and such and then a Git repository is merely a collection of hashes. A hash at the top we call "head" which contains the SHA-1 hash representing a commit object (it's the SHA-1 hash of said object, actually). That commit object points to a few other objects, the commit before it (the old head) and the SHA-1 hash of the tree object. The tree object contains a list of SHA-1 hashes that represent files in the source tree, specifically the list of changed files.

What happens when there's a collision? Interestingly enough, not much. If you're trying to check in a file that collides, chances are git won't let you because a file already in the repo has the same hash. If you force the matter (you can chop your history down so a conflict isn't immediately apparent), then remote repos that pull from you or you push to will simply ignore the conflicting file as they will just assume it references the file already in the repo (you can check out an old version and check it back in - guess what? The hashes will be identical! You often do this if you revert).

Now, perhaps Git could be made to handle the issue a bit more gracefully if you do happen to check in a file that differs but hashes the same, but in reality it's a rare occurrence. Even Linux itself which has a huge history hasn't experienced the issue.

If you want fun, see WebKit, because SVN uses SHA-1 internally and someone corrupted the master repo checking in a test case consisting of two files with the same hash (the test case was to test for SHA-1 collisions in WebKit caching code). Ironically, that repo is offline at the moment.
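The comment above describes Git's object store as a collection of hashes: a blob's name is the SHA-1 of its contents (with a type header), trees list blob names, commits list a tree and a parent, and a second object with an already-known name is simply assumed to be the same object. The following toy model is an added illustration, not code from the comment or from Git itself. It computes real Git-compatible blob names with `hashlib`, mirrors the "write is a no-op if the name exists" behaviour in a small content-addressed store, and then swaps in a deliberately truncated 8-bit digest (a constructed stand-in, only so a collision is reachable) to show the failure mode the comment describes: the second, different file is silently dropped and reads back as the first one. The `ToyObjectStore`, `make_tree`, `make_commit` and demo helpers are all hypothetical names chosen for this example.

```python
"""Toy model of Git's content-addressed object store (constructed example)."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

Digest = Callable[[bytes], str]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def git_object_id(obj_type: str, content: bytes, digest: Digest = sha1_hex) -> str:
    """Name of a Git object: hash of "<type> <size>\\0" followed by the content.
    With the default digest this matches what `git hash-object` prints."""
    header = f"{obj_type} {len(content)}\0".encode()
    return digest(header + content)


class ToyObjectStore:
    """Content-addressed store with Git's rule: an existing name is never overwritten."""

    def __init__(self, digest: Digest = sha1_hex) -> None:
        self.digest = digest
        self.objects: Dict[str, Tuple[str, bytes]] = {}

    def write(self, obj_type: str, content: bytes) -> Tuple[str, bool]:
        """Return (object id, stored_fresh). A repeated name is assumed to be
        the same object, so the incoming content is ignored."""
        oid = git_object_id(obj_type, content, self.digest)
        if oid in self.objects:
            return oid, False
        self.objects[oid] = (obj_type, content)
        return oid, True

    def read(self, oid: str) -> bytes:
        return self.objects[oid][1]


def make_tree(entries: Dict[str, str]) -> bytes:
    """Simplified tree object: "<mode> <name>\\0<20 raw id bytes>" per entry."""
    out = b""
    for name in sorted(entries):
        out += f"100644 {name}\0".encode() + bytes.fromhex(entries[name])
    return out


def make_commit(tree_oid: str, parent_oid: Optional[str], message: str) -> bytes:
    """Simplified commit object pointing at a tree and (optionally) a parent."""
    body = f"tree {tree_oid}\n"
    if parent_oid:
        body += f"parent {parent_oid}\n"
    return (body + "\n" + message + "\n").encode()


def build_history(store: ToyObjectStore) -> str:
    """head -> commit -> tree -> blob, as in the comment; returns the head id."""
    blob_oid, _ = store.write("blob", b"hello\n")
    tree_oid, _ = store.write("tree", make_tree({"hello.txt": blob_oid}))
    first, _ = store.write("commit", make_commit(tree_oid, None, "initial"))
    head, _ = store.write("commit", make_commit(tree_oid, first, "no-op follow-up"))
    return head


def demo_revert(store: ToyObjectStore) -> bool:
    """Checking identical content in twice yields the same id and no new object."""
    oid1, fresh1 = store.write("blob", b"hello\n")
    oid2, fresh2 = store.write("blob", b"hello\n")
    return oid1 == oid2 and fresh1 and not fresh2


def truncated_digest(data: bytes) -> str:
    """Constructed 8-bit 'hash' so a collision can be found in a few steps."""
    return sha1_hex(data)[:2]


def find_collision_under(digest: Digest) -> Tuple[bytes, bytes]:
    """Birthday search over constructed file contents until two names coincide."""
    seen: Dict[str, bytes] = {}
    i = 0
    while True:
        content = f"file-{i}\n".encode()
        oid = git_object_id("blob", content, digest)
        if oid in seen:
            return seen[oid], content
        seen[oid] = content
        i += 1


def demo_collision() -> bool:
    """Two different files with one name: the second write is silently ignored
    and reading that name returns the first file's contents."""
    weak = ToyObjectStore(digest=truncated_digest)
    a, b = find_collision_under(truncated_digest)
    oid_a, _ = weak.write("blob", a)
    oid_b, fresh_b = weak.write("blob", b)
    return a != b and oid_a == oid_b and not fresh_b and weak.read(oid_b) == a


if __name__ == "__main__":
    print("empty blob:", git_object_id("blob", b""))
    print("revert keeps one object:", demo_revert(ToyObjectStore()))
    print("colliding file dropped:", demo_collision())
```

With the real digest, the empty blob hashes to the familiar `e69de29b...` name and a revert writes nothing new; with the truncated digest, the collision case shows that nothing in the store itself flags the mismatch, which is why a collision has to be caught (or made infeasible) before the object is written.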

Comment Re:Trainspotting (Score 1) 38

has anyone seen a torrent link for Trainspotting II
I can't afford a cinema ticket

Then just wait. If you can't afford a cinema ticket, you can wait until it hits the video rental places and then rent it. If that's too expensive, and you have Netflix, you can wait for that too. If you still can't afford that, wait for it to be shown on TV for free.

Comment Re:High value items, use registered mail (Score 1) 134

Not only that, but if it's really that irreplaceable, packaging properly helps.

First off, there should be more than one address label. You'd be surprised how often the one outside the box falls off. The postal service in most first world countries is generally quite good, and will open packages on the hopes that there's something with an address inside.

If it's something that's individually wrapped (like those games should be in case the box gets soaked with water), and they're rare, it doesn't hurt to stick an address label inside the bag as well. Boxes may appear tough, but pass them through the machines and they can very well explode or tear and have their contents spill out. This ensures that as pieces are found they can be forwarded on.

Or at the very least, have a slip of paper inside having an address.

Lack of postage is never a reason to never deliver - if necessary, they'll just collect it, but for postal mail, unless it's customs or other fee, postage itself is prepaid and cancelled by the sender.

I've actually had a parcel delayed 6 weeks, because for some reason, it was shipped from the US to Brazil (!!!). Brazil post then found the misdelivered package and sent it back up to USPS who then sent it to Canada. I found a nice letter inside it saying it was from Brazil and what I could make out was "return to origin country" for re-sorting.

Comment Re:Incriminating evidence (Score 1) 126

Ah that pesky 5th amendment (along with the 4th) and the limits it puts on law enforcement. Finally a judge that seems to understand the constitution.

Not really.

The issue is similar to using a Stingray or IMSI catcher - besides getting "the crook", you're getting a bunch of innocent people who are simply bycatch.

The judge simply knows you cannot force a bunch of innocent people to become suspects simply because they were present near the location. So whether it's unlocking their phones with fingerprints, or using a Stingray/IMSI catcher indiscriminately, most of the people will be innocent and steps must be taken to protect their information and activities.

Comment Re:Only Apple cares about our privacy? (Score 1) 103

Although intriguing and saddening that they've unlocked the iPhone 6 (but not 6s?).

What's more intriguing is that, why are Android phones so easy to break?!
And why is it we never hear from Google/Microsoft wanting to protect its users against government surveillance, unlike Apple. ... I guess everyone is aware that Google is a corporate spying empire, and yet there are people here who still argue against Apple and advocate for Android spyware?

Would you advocate GMail/Hangouts over Signal/Telegram/WhatsApp ?

The interesting thing is how few details there are about how they did it. I mean, why the 6/6s and not the 6+? Given for the unlock requires physical access to the phone, it's probably something they've physically accessed.

And unfortunately, Androids are much easier to hack - back when Apple was fighting the FBI, there were over 600 iPhones needing unlocking. The number of Android phones? Only 20 or so.

First, most Android phones do not encrypt storage by default. iPhones have encrypted it by default since the 3GS (it's why a "clear everything" on an iPhone 2G/3G takes hours, while it's only seconds on models after that - the new way is to just toss the encryption key and regenerate a new key, so it takes seconds and not hours (and doesn't wear down the flash)). So one trick is to remove the eMMC chip and read it out directly. Even today most phones are still not encrypted.

Second, Android App security is good. Android itself, though, is full of security holes making it easy to break in. It doesn't help that OEMs generally screw up and make the machines even more vulnerable. And many security vulnerabilities aren't fixed because of various reasons.

Android's security is slowly improving, but it's still pretty bad.

Comment Re:don't get confused (Score 1) 126

But as a more practical matter anyway, 10 tries of different people's fingerprints, and the phone will be wiped regardless... so there's a limit to how useful the technique would've been to begin with.
On iOS, you get 3 tries to use the fingerprint reader. If you fail, it reverts to the backup security method (PIN, etc). You cannot use the fingerprint reader until the phone is successfully unlocked via this backup method.

Comment Re:Not Science, Medicine (Score 1) 320

Uh, no. This is where a good scientist keeps digging into it in order to expand our level of knowledge.

In which case your original premise that "causation is frequently so complex that it can not be deciphered with our current level of knowledge" is not correct. You cannot have it both ways: either the causation is understandable - with hard work and insight - or it is not. If it is understandable then this is what a scientist will go after because understanding is their goal. For a medical researcher establishing causation is enough which is very susceptible to random statistical flukes.

Comment Re:Conversations before Appointment (Score 1) 895

I don't see that happening in the Senate long-term.

IMO, Democrats will be running the House sooner rather than later, for the simple reason that it's where seats are allocated proportionally to the populace - so large Democratic majorities in dense areas like the coasts do translate directly into seats there. But for Dems to take the Senate, in the age where party affiliation is the single most important question deciding whether the politician gets a vote or not, would require there to be more blue states than red states. Which, right now, means more urbanized states than rural states. And I don't think that's happening anytime soon.

Comment Might want to move providers... (Score 3, Insightful) 63

It might be a good idea to change art hosting providers then... I'm sure every artist has given deviantArt a (non-exclusive) license to commercially display and use the artwork shown on the site, which means Wix can use that. And chances are, they'll let customers use some of that artwork on their website, both as a hook and a retainer (because the art can only be used on Wix hosted websites without obtaining a license).

And only Wix has access to unique artwork that only Wix customers can use, so it's more attractive to join Wix.

Meanwhile, everyone who posted art on the site sees their work ripped off and used on customer's web sites.

Comment Re:Social media? (Score 4, Interesting) 179

Because really, however bad the news was, 20 years ago you'd be waiting for the nightly news to find out about it. Several decades before that, you'd be waiting for the following day's newspaper. Now, we're getting constant updates, and those updates may be causing a device in your pocket to vibrate and make noise every time something new comes out. We know that checking all of those notifications is addictive, and not checking causes stress. However, constantly feeling the need to check also causes stress. (human nature)

It's the reason we have the term "FOMO", or Fear of Missing Out. By not being attached to our phones 24/7 we fear we're going to miss big news about something (... almost always trivial in the big scheme of things).

If you hate that term, get used to it - it's a root of the term for the phobia, and as a medical diagnosis.

Comment Re:Not Science, Medicine (Score 1) 320

No, they focus on correlation because causation is frequently so complex that it can not be deciphered with our current level of knowledge.

Exactly but if they were a scientist then this is when they would stop and go and look at a different problem that they can decipher with our current level of knowledge. That is part of being a good scientist: you have to tackle things which you can ultimately understand because it is that understanding which is the goal of science. In medicine the correlation is enough: if substance X or activity Y cures ailment Z that's good medicine, why and how is of secondary importance.

Comment Re:What field are these abused H1B visa workers in (Score 1) 271

You have described everything precisely. The only thing that I would add is that for the two different "castes" within the H1B system that you have identified, there's one other difference.

People who are working for Apple, Microsoft, Intel etc are using H1B as a gateway to a green card, and ultimately to citizenship - which they can do, because H1B is explicitly "dual intent", so you can apply for a green card without getting kicked out of the country; and because there's a specific process whereby employer sponsors the employee for a green card. This isn't to say that every single H1B working for these companies will do that - but the majority will. The companies in question are generally interested in retaining employees long-term, so they do sponsor any employee who asks for green card (in fact, they will proactively push you to apply if you don't do so yourself), and will provide lawyers to handle the application for you, pay various fees etc.

People who are working for Tata, Infosys etc are not there for citizenship. It's not that they wouldn't want to - it's that those companies will generally not sponsor them. So it's really just a gig to come work in US and earn a lot of money (comparatively to what they could earn at home), and then come back rich, and with a US job on your resume.
