
Comment Re:I'm still not sure (Score 4, Informative) 64

I'm still not sure how this affects me

Here's a very short version:

Cloudflare provides proxying, caching, and DDoS protection (plus other things) for a huge number of websites. This means that instead of connecting directly to a website's servers, you're instead connecting to a Cloudflare server which inspects and routes the traffic to the real website.

A bug in Cloudflare's system would occasionally result in random memory contents from the Cloudflare server incorrectly getting sent back to clients in the HTTP response stream. This memory could contain anything -- random parts of a webpage, a picture, or a username and password that was recently passed through the system.

Since these memory dumps can be (and were) captured by caching systems such as Google's cached pages, Internet Archive, etc., it's not enough that Cloudflare fix the bug -- all the cached pages must also be deleted or somehow cleared of any memory dump contents. Until this happens (and frankly, it's likely an impossible goal given the size and scope), there is the potential that your username and password for some website could be saved out in a cached copy of a Cloudflare site, there just waiting for someone to find it. Attackers can scan, and are scanning, all of this cached data looking for such valuable leaked memory contents.

Overall it's a major bug and huge error on Cloudflare's part, but the likelihood of it impacting you seems astronomically small.

What it does do, however, is raise questions about whether or not we should have a single company acting as a back-end gatekeeper to vast swaths of the web. It also raises the question of the responsibility of sites like the Internet Archive. Should they be required to mass-delete archived sites going back years due to this bug? There is no way to recover those past cached sites. Finally, who is responsible if this breach does get exploited? Is it Cloudflare, or the website that chose to use them?

I've never been a fan of Cloudflare from a privacy and security standpoint, and this failure on their part more or less cemented my opinion.

Comment Re:Well.. (Score 5, Interesting) 197

Agreed. This is a sad first turn -- Trump's FCC may as well have sent a letter to the major ISPs saying "Hunting season on American Internet consumers is open! No tag limit!"

I was very skeptical when Wheeler was appointed to chair the FCC, given his corporate background, but he ended up being one of the most consumer-focused and practically progressive people in Obama's government.

And now? May as well say goodbye to net neutrality.

Comment Alexa Rankings (Score 2) 85

found that the number of websites listed in Alexa's top one million websites that have adopted to HTTPS has more than doubled

Why do people still use Alexa? There can't be more than a tiny handful of people who still use their crappy browser toolbar and that measuring metric has always had significant selection bias. Do they have a newer, better data source, or is there just nothing better so people fall back to a name that's familiar?

It would be nice if the major ISPs would aggregate and share all that data they save for the NSA anyway with some nonprofit org for this kind of thing.

Comment Re:Wow (Score 1) 185

wouldn't shit the bed when they tried to parse a URI like moz://a in a chunk of text.

If an application blows up when it encounters :// in free-form text, I have no sympathy and neither should Mozilla. Too many things try to be cute with minimal and poorly-defined markup these days and any pushback is welcome.

Comment Re:No headphone jack ... (Score 4, Insightful) 205

Must be a shitty ploy, my brand new HTC bolt came with wired headphones.

Pushing more expensive headphones might be a bonus short-term side effect, but the real victory here is the potential of closing the analog hole for mobile devices. I fully expect someone to introduce "end to end" DRM within a year or two which will require an authenticated and encrypted connection from the source (file or stream) through the mobile processor, to the headphones. Non-compliant headphones won't be able to authenticate with the host device and therefore won't be usable with certain DRM'd media.

Don't be surprised when Apple shows more "courage" and removes the analog audio connectors from their next lineup of desktops and laptops (if they haven't already). The desktop / laptop market will swiftly follow once people accept it on mobile.

Take a look at HDCP for an example of how this has already been done elsewhere.

Comment Re: Unlimited? (Score 2) 196

What the hell does net neutrality have to do with the data limits on cellphone plans?

Moving away from unlimited and into more expensive and limited plans pushes people towards provider-sanctioned services for which the bandwidth does not count towards your monthly usage. This goes against network neutrality, even if the topic is bandwidth usage instead of transfer speed.

What the hell does Trump's winning the US Presidential election have to do with cellphone data plans?

Trump is an opponent of net neutrality.

Comment Re:Who cares? (Score 1) 238

Not to mention obscene contrast ratios (which is implied by your post, I guess) -- some claim 1,000,000:1, others seem to claim infinite.

Contrast ratios get silly and mostly pointless when you have a black that is fully non-emissive. It's the same as dividing by zero -- hence the claim for an infinite ratio.

With OLED panels, the important metrics will be brightness and color gamut.

Comment Re:Why they are slow? (Score 1, Informative) 766

You're wrong.

Actually, you are.

Even if they've already got the library disk-cached, it's actually slower to access the disk cache, and check the cache age, and verify that there isn't a newer library version (did you know the browser often goes round-trip just to check?) than it does to simply serve the library in-line.

It depends on cache control headers originally sent by the CDN, but this is usually completely false. Google can set an Expires header a year in the future and the browser will NOT do a round trip to check. That only happens if the cache control is set to must-revalidate, and few good script CDNs will do that. Aside from that, disk will always be faster than network.

Benchmark it yourself. Serve 100KB of javascript in-line, in the middle of your html file. Compare that to a separate src= js file.

Modern browsers handle inline scripts very differently from those pulled in via an external file, so that confounds things somewhat. But even then, the only time it matters is the first time the user goes to any page with the jQuery (or whatever) that gets loaded from Google's CDN. After that it doesn't have to transfer it until the cache expires, so it's always going to be faster than putting it inline. Besides, putting libraries inline is 100% wrong, even if you host it yourself, because it makes client caching impossible.
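The freshness rules the two posters are arguing about, as an added example that is not part of any comment here: a small JavaScript model of a browser's decision to reuse a cached script without a round trip, based on the Cache-Control, Expires and Date response headers. The header values are constructed samples; they are not the actual headers of any CDN named above.

```javascript
// Added example (not from the Slashdot thread): a minimal model of the HTTP
// freshness check a browser performs before reusing a cached response.
// It reports whether the cached copy can be served with no round trip,
// which is the point in dispute (Expires/max-age versus must-revalidate).

function parseCacheControl(value) {
  // "public, max-age=31536000" -> { public: true, "max-age": "31536000" }
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, val] = part.trim().toLowerCase().split("=");
    if (name) directives[name] = val === undefined ? true : val.replace(/"/g, "");
  }
  return directives;
}

// headers: response headers stored with the cached entry (lowercase names).
// nowMs: current time in milliseconds since the epoch.
// Returns { fresh, needsRoundTrip, reason }.
function cacheDecision(headers, nowMs) {
  const cc = parseCacheControl(headers["cache-control"]);
  const dateMs = headers["date"] ? Date.parse(headers["date"]) : nowMs;
  const ageSec = (nowMs - dateMs) / 1000;

  // no-store: nothing should have been cached. no-cache: always revalidate.
  if ("no-store" in cc) return { fresh: false, needsRoundTrip: true, reason: "no-store" };
  if ("no-cache" in cc) return { fresh: false, needsRoundTrip: true, reason: "no-cache" };

  // Freshness lifetime: max-age takes precedence over Expires (RFC 7234 4.2.1).
  // Heuristic freshness (Last-Modified based) is deliberately not modelled.
  let lifetimeSec = 0;
  if (cc["max-age"] !== undefined) lifetimeSec = Number(cc["max-age"]);
  else if (headers["expires"]) lifetimeSec = (Date.parse(headers["expires"]) - dateMs) / 1000;

  if (ageSec < lifetimeSec) {
    return { fresh: true, needsRoundTrip: false, reason: "within freshness lifetime" };
  }
  // Stale either way: a conditional request (If-None-Match / If-Modified-Since)
  // is a round trip; must-revalidate additionally forbids serving stale on error.
  return { fresh: false, needsRoundTrip: true,
           reason: "must-revalidate" in cc ? "stale and must-revalidate" : "stale" };
}

// Constructed sample headers in the style of a long-lived library response.
const SAMPLE_LONG_LIVED = {
  "date": "Wed, 01 Mar 2017 00:00:00 GMT",
  "expires": "Thu, 01 Mar 2018 00:00:00 GMT",
  "cache-control": "public, max-age=31536000",
};
```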

Comment Re:The problem is often maintenance (Score 3, Interesting) 148

Disagree. Software is not a washing machine nor a car. It does not break down over time, it is not susceptible to the elements, and it does not age in any notable way. There is literally no reason a program written and working in 1970 cannot continue to execute as well today as the day it was written. And it does! Industrial control systems, ancient government and finance mainframes, and primitive vehicle control systems all do it every day. Software doesn't rust and bit-rot is not a thing. Telling people that they need to keep their programs polished to prevent tarnish sounds like something a sketchy Geek Squad-esque computer shop might do to squeeze a hundred bucks out of naive customers.

I update my software sparingly and with caution. Generally speaking, it's much more likely that usability will be lost or features broken than that a serious security issue is fixed. If it's a mobile app, it's much more likely that ads were added or made worse, or a feature I've used for 2 years was removed or horribly changed, or increased permissions are requested so that my personal info can be sent away to some third party, than that any features I actually want were added or bugs fixed.

Today's model of always-updated has some advantages but every single one is counterbalanced by the negatives. Auto-updating browsers help prevent the mire of zombies that was IE6, but it also means you're at the mercy of Microsoft, Mozilla, and Google when it comes to feature removal and their incessant need to screw around with the UI for no valid reason. Or that addon you really like and rely on suddenly stopped working because the author hasn't updated it yet.

Yes, updates to address security problems are an important topic, but all too often those updates are bundled up with all sorts of crap that few people want. It would be real nice if software companies would keep the two separate, and make it clear just what has changed between versions.

Comment Re:Satnav (Score 5, Insightful) 256

Having fun in Satnav's involuntary public beta testing program?

No worries, I'll just disable automatic updates until they sort it out.

Wait, I can't do that anymore? Oh.

Okay then, I'll just not install the optional KB3206632 update.

Wait, the only option is the December Rollup Update package? I can't disable single updates anymore? Oh.

Okay then, I'll just look for my Windows 7 installation DVD and abandon this Windows 10 shit.

Wait, they forced the same update model onto Windows 7 users? Oh.

Okay then, so Microsoft changed their update model to take away all customer control, fired most of their QA department, and now releases update after update with bugs and problems?

Well, fuck Microsoft.
