
Comment Re:tracking (Score 1) 274

What's more likely to affect my daughter this year? The government knowing I bought her her first tricycle, or her dad getting killed by a mugger for his cash?

Well I got mugged by three guys last May and defended myself successfully. Drunk bogan morons don't need an excuse to start a fight.

The biggest advantage of going cashless is not convenience, it's SAFETY.

The world isn't a safe place. You should teach your daughter that so she is strong enough to defend herself when the time comes. Exchanging freedom for safety (apart from Franklin's words on the subject) is also shown to be a path to tyranny. I'd be careful what you wish for.

identity theft and similar crimes have gone up

I've been assisting someone who has had their identity stolen. He lost his house and $800,000, and was accused of and tried for fraud despite the evidence available to say that he was just a naive old person being preyed upon.

You haven't lived until you've had a body cavity search at every airport you go to.

But this is actually an improvement - because while you lose money in EITHER an identity theft or a mugging - the former probably won't get you killed or in hospital.

Being raped in gaol after losing everything you worked for all your life is not a good option either.

A change which forces a reduction in violent crime is a positive change - even if it comes with an uptick in white-collar crime.

A change which promotes state based terrorism is worse than both of those things, IMHO.

Comment Revoke's certificate ! (Score 2) 218

and very few people would check EV

That's why some browsers like Firefox check it for you and display it right in the URL bar.
You can't miss it.

What you really need is the domain registrars to check that if sites are being registered that are similar to a company name or trademark that they have a legitimate right to use that name.

Hey, then you need to ban, because its name is similar to Slash. Or to DJ Slash. Or to Fatboy Slim's song.

The problem with "check that if sites are being registered that are similar to a company name or trademark" is that it's a complex task requiring some thinking, and it's not trivial to automate for absolutely free (and in a way that won't be trivially circumvented by attackers).
It goes beyond the point of Let's Encrypt (whose point is, as the name indicates, just to make encryption available).

Or build a chain-of-trust system where people can blacklist a bad domain by voting it down

Which isn't an easy task to do (how many - outside of /. - use PGP on a regular basis?). Chain-of-trust systems aren't easy.

Blacklists aren't a silver bullet either: an attacker could still bank on a quick attack, trying to scam as many users as possible before getting flagged.
(See all the "software to make a millionaire out of you on binary option sites!" scams that are popping up everywhere. Such a site costs under a couple of hundred in stock photos / fiverr actors / ad promotion to set up, and can manage to make a few thousand selling snake oil before getting reported and shut down.)

Neither of them have anything to do with HTTPS.

Which brings us back to the point: Let's Encrypt's purpose, as its name implies, is to bring the S in HTTPS and nothing more.
It's not their job to solve the certification of ownership in an easy way.

Comment Business model of a free site ?! (Score 2) 218

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's Encrypt is a free (price as-in-beer, code as-in-speech) service. They don't have a business model.

They have a purpose (the same as CACert, by the way), to issue simple certificates that can verify that "" is indeed "".
(As opposed to some man-in-the-middle attacker masquerading as "" using a different 3rd server).

They do not certify anything else, and indeed the certificates' fields. This certificate doesn't certify any organisation name.

This is even reflected in some browsers' URL bar.
e.g.: in Mozilla's Firefox.

- Go to a "Let's Encrypt" website (like here on /.) or one certified by CACert:
you only get the green padlock (sign that the communication is encrypted) and no other indication.
Let's Encrypt only checked that is indeed, but didn't check anything regarding ownership.
(it might as well be someone trying to impersonate Slash, DJ Slash or Fat Boy Slim)

- Go to PayPal:
in addition to the padlock, you get an indication that the certificate is certifying that the server is owned by PayPal Inc.
(Symantec actually checked that PayPal Inc is indeed own

Issuing a certificate to is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

Even further: it doesn't even certify that the owner of the website is someone called Bob. It only certifies to you that it is indeed
It might as well be owned by Alice, for all you know.
It only certifies that Eve isn't wiretapping you when you give your credit card number to buy parts.

However, Issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

There's a difference between guaranteeing a secure channel (against 3rd party eavesdropping) and guaranteeing identity.
These are 2 different concepts.
Let's Encrypt only takes care of the first one and has never ever hoped to tackle the second problem. They DO NOT certify owners; this field is intentionally left blank on their certificates.

The point of Let's Encrypt (as its name says) is that encryption becomes the norm on the web, in order to avoid massively stupid blunders like the dead easy identity theft demonstrated by FireSheep.

That's something that CAN BE achieved for free, on a massive scale, like Let's Encrypt and CACert are doing.

There's no realistic way that Let's Encrypt could in any way confirm owner identity for free on this massive scale.

That's something which is very easy to understand for people who have some basic knowledge of security.

Sadly, sheeple are stupid. So you need to educate them and try to find ways to make them understand.
(e.g.: the above mentioned "show certified owner in the URL bar if provided" that Firefox is doing).

But sapping efforts like "Let's Encrypt", which are providing a very valuable service (bringing the availability of HTTPS, TLS/SSL, etc. on a massive scale), simply because some idiot can't tell the difference between "protection against 3rd party eavesdrop" and "identity of the owner", is counter-productive.
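The distinction the two Let's Encrypt comments above draw, that a domain-validated certificate (Let's Encrypt, CACert) binds a DNS name and leaves the organisation field blank while an OV/EV certificate names the owner, can be read straight out of the certificate's fields. The Go program below is an added example, not code from the comments, from Let's Encrypt or from any browser; it uses only Go's standard crypto/x509 package. The certificates are constructed self-signed ones with placeholder names (paypal-login.example.test, www.example.test, Example Payments Inc), and BrandLookalikes is a hypothetical sketch of the check a Certificate Transparency monitor for a brand would run to flag organisation-less certificates for human review, which also illustrates why the "registrar checks for names similar to a trademark" idea is not trivial to automate: a substring match is all that can be done mechanically, and it is neither complete nor precise.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IdentityClaims is what a server certificate actually asserts: the DNS names
// it is valid for, and the organisation named in its Subject (empty for a
// domain-validated certificate, which is all Let's Encrypt issues).
type IdentityClaims struct {
	DNSNames     []string
	Organization string
}

// ClaimsOf pulls the Subject Alternative Names and the Subject's O field out
// of a parsed certificate.
func ClaimsOf(cert *x509.Certificate) IdentityClaims {
	c := IdentityClaims{DNSNames: cert.DNSNames}
	if len(cert.Subject.Organization) > 0 {
		c.Organization = cert.Subject.Organization[0]
	}
	return c
}

// AssertsOrganization reports whether the certificate names an organisation
// at all; a padlock on a certificate where this is false says nothing about
// who runs the site, only that the channel to that DNS name is encrypted.
func (c IdentityClaims) AssertsOrganization() bool { return c.Organization != "" }

// BrandLookalikes (hypothetical monitor logic) returns the DNS names on an
// organisation-less certificate that contain the brand keyword, i.e. the
// candidates a CT-log monitor would hand to a human for review.
func BrandLookalikes(c IdentityClaims, brand string) []string {
	if c.AssertsOrganization() {
		return nil
	}
	var hits []string
	for _, name := range c.DNSNames {
		if strings.Contains(strings.ToLower(name), strings.ToLower(brand)) {
			hits = append(hits, name)
		}
	}
	return hits
}

// selfSigned builds a constructed self-signed certificate for the example;
// org == "" yields a DV-style certificate, otherwise the O field is set.
func selfSigned(dnsNames []string, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed examples: a DV-style certificate for a lookalike name and an
	// OV/EV-style certificate that names a placeholder organisation.
	dv, _ := selfSigned([]string{"paypal-login.example.test"}, "")
	ov, _ := selfSigned([]string{"www.example.test"}, "Example Payments Inc")
	for _, cert := range []*x509.Certificate{dv, ov} {
		c := ClaimsOf(cert)
		fmt.Printf("%v org=%q lookalikes=%v\n", c.DNSNames, c.Organization, BrandLookalikes(c, "paypal"))
	}
	// The DV certificate does bind its own name, and only its own name.
	fmt.Println("binds paypal-login.example.test:", dv.VerifyHostname("paypal-login.example.test") == nil)
	fmt.Println("binds www.example.test:", dv.VerifyHostname("www.example.test") == nil)
}
```

VerifyHostname is the check a browser performs for the padlock: the name typed in the URL bar must be in the certificate's SANs. Nothing in that check consults who owns the name, which is exactly the field the comments point out is blank on a DV certificate.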

Comment Re:tracking (Score 2) 274

What this kind of paranoid person doesn't understand is that they can already track you to an incredible degree

Yes, because people like you were too apathetic to write a letter to politicians to say that you don't want them to do that.

and there's fuck all you can do about it, so ultimately all you're doing is arguing against having the convenience

So be a good boy and accede to their demands. Forget about defending the democracy you live in, LET'S GO SHOPPING!!

Black markets exist anyway, so that's not really an argument either.

For what, your apathy? There are many democratic reasons you want cash to flow unhindered in a society that have nothing to do with criminal activities.

Comment Knoppix (though maybe not a distro) (Score 1) 325

I suggest running Knoppix from a CD-ROM or DVD.
Unless you specifically tell it to, it's not going to change anything on your hard disk. You are not going to mess anything up by accident.
If you want to keep stuff, save it to a USB disk, or even run Knoppix from a USB disk.
I've seen a lot of people who had never used Linux before run Knoppix with no trouble.

Comment Re:They are concerned about lost tax revenue? (Score 1) 274

Where is it written that a government *MUST* tax sales?

Because relying on import duties caused pissed off shipowners to send the Fourth Crusade to hit Constantinople and relying on a single commodity has really fucked over Venezuela. The simple, all eggs in one basket ways have been tried so if a society wants to fund infrastructure their governing body has to grab cash wherever they can find it while pissing off the minority of the people.

This also gets into the "mark of the beast" territory from Christian tradition ... religion does play a part in this

Oh fucking hell get a grip - NRA shit has rotted your brain. As for your sig, your popgun is not going to protect you from artillery deployed by the National Guard (you know the guys, the militia the second amendment is actually about and not some rifle club gone feral while run by a traitor (Oliver North)). You are free because a LOT of people around you value freedom and your popgun has nothing to do with it no matter how impressive it looks.

Comment Backhoe - public enemy number one! (Score 1) 274

It doesn't even need a disaster. In a few situations it has required no more than someone digging in the wrong place to kill a link between a city and where the funds are being processed. The trend is towards processing in fewer locations, so fragility is increasing.
I expect a major storm hitting Manila would fuck up the payment processing of a large number of US based banks and a few others. Consider the hard drive shortage when Bangkok got flooded, only for communication.

Comment Re:tracking (Score 4, Informative) 274

For those Americans confused by the above "chop-chop" is tobacco sold outside the mainstream so not subject to very high rates of tax on over the counter tobacco products. While there is likely to be a massive black market it's probably less than the tax even just Apple avoids in Australia.

Comment Re:tracking (Score 2) 274

What this kind of paranoid person doesn't understand is that they can already track you to an incredible degree

In Australia not so much. People disappear all the time just because they don't want to be found. Sometimes (eg. battered wives with a homicidal spouse looking for them, for extreme examples (which do happen)) it's not a bad thing.
I think you'll find it's not unheard of in the USA either, despite efforts to track people getting onto buses etc.
There are still a lot of cash-in-hand jobs, so it's possible to get by with no identification in a lot of places apparently.

Comment Re:I really don't understand the scale model thing (Score 1) 136

We should probably be designing things to not fail.

Testing is part of that. About the most obvious example is Edison not designing a perfect lightbulb on day one.
Refer to my post above about why aircraft scale models are still used. Simulating how the design works on a computer is still prone to producing results that diverge from reality unless you get a bit of feedback on what sort of modelling applies. Turbulent flow is a pain, laminar flow is not as simple as you would think and once things go supersonic many things that you would think are obvious get turned inside out (eg. subsonic nozzle converges, supersonic diverges such as the nozzles on the Saturn V).

Comment Re:I really don't understand the scale model thing (Score 1) 136

I really don't understand the scale model thing.

It's because fluid flow is not only computationally difficult but also the rules are all empirical with uncertain boundaries between different domains so sometimes it's not clear what equations to use. That's why there is still wind tunnel testing of scale models. Since the end product is going to be very large (and supersonic wind tunnels are very difficult things to deal with apart from very short test durations) it makes sense for the scale model to be a flyable aircraft that can reach supersonic speeds itself.

When you go to scale up, you're practically building an entirely new vehicle.

Not entirely. The model won't be a precise shrink down of the full design because it's a test of how the air will behave over the full sized design.

Comment Ya, and that will hold up... not (Score 3, Informative) 262

Here's the deal: All proprietary software has that in there as well. Every piece of software has an EULA that says they are responsible for nothing. Have a look at the MS EULA if you wish, there's all kinds of shit that supposedly limits liability, requires arbitration, etc, etc

You can say it all you like, doesn't make it true. I can write an EULA saying "By using this software you agree I get to take your first born child," and yet if I tried, I'd still go to jail because just saying it in an EULA doesn't make it so. You can't disclaim all warranties, all damages, etc by law. For some info on it look up the Uniform Commercial Code.

Ok well all that aside when it comes to an issue like this courts are not known for applying the law one way in one case, and a different way in another. They don't say "Oh we like this nice OSS" and give it one rule and "We don't like this mean commercial software" and give it another. Thus if courts find that software makers are liable for incidental data loss then it will apply to ALL software. OSS has no special get out clause. You don't get to have it both ways where OSS gets a magic liability shield just by putting something in a text document but commercial EULAs aren't worth the bits used to store them.

In fact, OSS will be MORE vulnerable. Commercial companies have lawyers to help them wrangle out of things. They also can always go the real contract route, where you sign an actual contract up front with them before buying (you see this with some enterprise software) which can enforce more stringent terms. OSS that is just distributed on the web doesn't have all that.

Comment Re:Sorry, it's time has passed (Score 2) 195

My Linux machine today can't copy to a USB hard drive without making the rest of the system unusable.

That's due to the bridge chips being a bottleneck, and it impacts everything - MS Windows, Solaris etc. also act that way on the same hardware. It becomes painfully obvious on things like the Raspberry Pi (where a Broadcom chip is the weakest link and is used for USB, network, etc.) but it applies elsewhere. That old system you describe was dealing with it in the CPU, so it's much easier to divide up the load.
