Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Comment Re:Flaws.. (Score 4, Interesting) 72

Text messages almost always get sent to a cell phone, and in the US there really only are three or four mobile providers. If you have a phone number, you can often look up the provider in public databases, and if that doesn't work, you simply take a guess and call each of the major providers.

Time and time again, it has been shown that all mobile cell phone providers are easily attackable by social engineering. It takes very little effort to have them either redirect SMS or issue a new SIM card and mail it to a random address. And this isn't even to talk about attacks on SS7, which more well-funded adversaries can pull off.

So, now, the only real protection is whether the phone number can be found easily, if you already know the rest of the credentials. In most cases, that's unfortunately a really low hurdle.

In other words, a half way determined and experienced attacker can subvert SMS authentication, if only they have enough of an incentive to spend the effort. There are countless reports of this attack succeeding. So, it's no wonder the US government (in this case NIST) discourages the use of SMS authentication.

Fortunately, there is a modern alternative to the old token that EBay used to support. FIDO U2F tokens are cheap, you only need a single token for an arbitrary number of sites, they are provably secure against MitM and phishing attacks (something that EBay's old token didn't do), they are easy to use, they support having multiple backup tokens, and there are plenty of opensource implementations and very good documentation. There really isn't a good excuse not to implement FIDO U2F except for laziness.

Comment Re:Good luck with that, I just won't upgrade anymo (Score 1) 322

Or you could take the hit once and spend half a day writing a script that requests certificates from LetsEncrypt and pushes them to your IPMI controllers. These days, there really is no good excuse for lack of proper certificates other than either laziness or using really poorly designed consumer-grade hardware. Even ancient enterprise-grade hardware has always had support for installing custom certificates. It's really not that difficult, and it even makes your network a little more secure. How much more secure, is of course debatable, as many IPMI controllers seem to have questionable security practices in my experience.

Comment Re:I'll answer this one. (Score 1) 1001

That's honestly a little sad to hear. I would consider an introduction to computability to be part of any first-semester curriculum in computer science. Now, if you only ever learned how to write code, but not how to understand algorithms, then that's a different skillset and a different education program. You wouldn't have learned about P vs. NP, but you also would not necessarily be a great fit for the positions that I try to fill. The CS programs that I am familiar with generally don't even offer classes on programming languages. That's something they expect students to pick up on their own. So, yes, computability is probably the very first thing you learn.

No, I don't expect candidates to remember the intricate details of finite state vs. Turing machines, even if they technically learned that in their first month at school. And I don't need you to rigorously state what P vs. NP means and how to proof any of these assertions. Nobody needs this level of detail after having graduated. And if you are curious, you can always look up the Wikipedia page.

But I want you to be familiar with the high-level concept. That actually does help on the job. And if you speak the same language (i.e. you actually have heard the word NP before and know how to use it in a conversation), that'll make it so much easier to talk to your future co-workers.

Comment Re:Google string length (Score 1) 1001

I can't say I've ever received a word problem like how do you get a fox and a sheep across a river in a real work setting.

Funny you would say that :-) Yes, the actually brain teaser is pretty pointless. But this exact question happens to be the one that taught me how to learn about different graph traversal algorithms. Wow, that takes me back now. That was sometime in the 1980s.

What it lacks for as a brain teaser, it can make up by being a wonderful introductory question to a more in-depth discussion about graph traversal, heuristics, big-O behavior, pathological worst-case scenarios, and overall engineering decisions that are made when designing complex data-driven applications. Of course, nobody should be talking about foxes and sheep after the first 60 seconds. It's an ice breaker; nothing more.

Comment Re:I could not agree more (Score 1) 1001

You left out a crucial bit of information though. If you actually did well in those two years and gained real-life experience, would you actually fail any of these parts? I honestly have no idea, but you should have included this detail.

As is, your statement is similar to "spent four years in high-school, advancing every year; in the final exam, they test whether you can read, write, and multiply numbers; fail any of these three and you failed all of high-school." Yeah, duh, that would do it. It's a fundamental skill that anybody who actually performed as expected in the past few years would not even consider a challenge. It also is a basic requirement to do future tasks.

Who knows, maybe CPA exams are different. Maybe they are all full of brain teasers and of rote memorization. But you didn't say either way.

Comment Re:I could not agree more (Score 5, Insightful) 1001

I am not sure why you got downvoted.

You are absolutely correct. There are cases where bubble sort is entirely applicable and in fact preferable. I don't require a candidate to have memorized the exact implementation of bubble sort (why would they; that is in fact something you can look up). But if a candidate can meaningfully discuss performance characteristics and explain why a certain algorithm would do better or worse in a specific situation, then that's exactly what I am looking for.

It demonstrates a better understanding of how computers actually work. For some tasks, it is perfectly acceptable to treat a computer as a black box and to fully rely on very abstract high-level APIs. And there are in fact advantages to this approach. But there are plenty of problems where this results in horrible scalability problems that can never be fixed afterwards. And in this day and age, we need to know how to scale to millions or hundreds of millions of users. A software engineer who doesn't understand these concepts is not a good fit for the openings that I am looking to fill.

Comment Re:Perhaps a better method... (Score 3, Informative) 1001

I would vote you up, if I had moderator points today.

I am in full agreement. Whiteboard tests are very informative and they often are the easiest part of any interview. I usually ask candidates a problem that they can demonstrate with pencil-and-paper or with everyday objects. Yes, this could be a sorting problem, or it could be a simplified subset of long-hand multiplication, or it could be a resource pooling problem, ... . It's things that they intuitively understand how to do in the real world, and I want to see if they can transfer this simple task to something that remotely looks like working code. If they remember the basic tools and concepts of what they learned in their first semester, that certainly helps (and I am worried, if they don't remember that much), but I agree with you that rote memorization doesn't give me any useful insights. And yes, I fully expect that this is a dialog and I'll have to keep dropping hints and answer questions as we go. That's actually another thing I test for. Asking for help is good.

Same as you, I don't care about correct use of the API or of the language's syntax. Heck, I have accepted pseudo code, and I have accepted code where somebody wrote C and Java simultaneously -- with a little bit of Ruby sprinkled in for good measure.

I do expect though that candidates have a solid sense of the scale of their problem. They have to be able to explain how many resources they need and how performance goes up when there are millions, billions or even more data sets or users. This might not be needed for every job opening, but in this day and age it is needed for many -- including the ones that I do interviews for. In other words, I expect a high-level understanding of algorithms, of CS theory (e.g. big-O behavior), and of fundamental engineering concepts (e.g. estimate latency of operations, estimate caching performance, ...).

These are things we actually need for a candidate to be successful in their work. And there are literally thousands of candidates applying for each job. It only makes sense to sort through them and find the candidates who can do the work.

Comment Re:Benefits (Score 1) 158

These tend to be very highly qualified interns, though. Landing an internship that pays this well requires a grueling interview process. And most applicants have advanced degrees (typically PhD's from the more well-known universities). It is generally a good way to enter the work force. In fact, without any other job experience to show for, this is often the only way to enter the work force. And at the end of the internship, most interns will be offered a full time position.

So, if you think of the type of internship you did in highschool, when you helped restock the shelves in your local supermarket, then you are thoroughly misunderstanding the scope of these positions. A more accurate view would be that this is an extended job interview. The candidate already passed all the other requirements (i.e. great resume, multiple phone screens, multiple in-house interviews, ...), but the company isn't quite ready to extend an offer, or the candidate has stated that they still need to go back to school for another year before finally graduating.

Comment Re:In my experience (Score 1) 158

While transitioning from a J1 internship visa to an H1B employment visa is not entirely unusual, it also isn't a particularly useful strategy for the particular example that you are citing. J1 visas are limited to at most 18 months. They are only available for recent graduates or for students who are still in school. For many countries (including India), the visa holder must return to their home country for at least one year after the end of their internship program. Even if this restriction doesn't apply, transitioning to an H1B visa is difficult as there are about four times as many applicants as available visas. And there is only a single day each year, when H1B visas can be applied for. So, in the majority of cases, a J1 visa holder would need to return to their home countries after only a year or at most a year and a half. Also, requirements for H1B visas are somewhat strict. Lots of companies/employees don't even qualify.

Having said that, switching from a J1 to an H1B is an officially sanctioned and intended path to bring highly qualified graduates into the US. It just isn't a particularly easy route these days. And it is quite competitive in those cases, where the paperwork can be worked out. Employers don't get cheap labor this way. They'll have to pay a premium (including thousands of dollars in legal fees) for these qualified employees. Nobody in their right mind would do this, if they can just as easily much more cheaply hire from the local work force.

So, while your posting sounds quite inflammatory, I don't think you are fully aware of the actual facts.

Comment Who cares (Score 0, Troll) 146

Honestly, who still cares about what Consumer Reports has to say? They are certainly still entertaining, but their reviews have been so flawed for at least the last ten years as to be entirely worthless.

I don't know anything about the Tesla. So, it's conceivable that by sheer luck CR hit on some useful bits of data. But in most likelihood, it's just like all their other publications. Any time I read one of their tests for a product that I'm familiar with, they test some obscure and irrelevant detail and base their entire test on this result. Not surprisingly, good and innovative products tend to fail, and mediocre mass market products get all the praise.

It's been a recurring pattern for way too long

Comment Re:Perhaps (Score 1) 598

I know that you are joking. But an often overlooked aspect of the international system (aka metric), is the relationship between different units. It's not just the ability to easily scale a single unit up and down by adding a common prefix such as milli or mega.

For instance, 1g of water is exactly 1ml. And even complicated units like N (Newton, a measure of force) can be constructed from basic units. In this case, that would be kg*m/s^2. Note that there is no correction factor needed. You simply multiply the units. That makes physics and engineering a lot easier and less error prone.

Comment Re:Legacy service on a private LAN (Score 1) 136

You don't need a separate domain for internal services. Use your external domain and create sub domains. All your internal machines could be on and all your containers on Neither one needs to use publicly routable IP addresses, and in fact you can continue using dnsmasq (or an exquisitely DHCP server) to manage this part of your internal network.

You then operate the Let's Encrypt ACME client in DNS mode to get globally trusted SSL certificates. But nobody other than your internal machines will ever get to interact with those certificates.

Slashdot Top Deals

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants