
Comment Re: I thought Linux was supposed to be secure? (Score 1) 113

The lack of stable interfaces (both ABIs and APIs) means that not only can you not upgrade the proprietary bits, but you can't easily upgrade the rest of the kernel either. Your hardware drivers stop you from easily upgrading your network stack or the code that manages privilege separation.

Comment Re:I thought Linux was supposed to be secure? (Score 3, Interesting) 113

The problem is threefold.

Firstly, lack of updates: SoC vendors are notorious for porting one or two versions of Linux, throwing it over the wall to device vendors and then doing nothing to keep it up to date. Some SoCs can be used with upstream kernels, but very often with reduced functionality. The device vendors in turn add their own customisations to that kernel that the SoC vendor threw over the wall. Quickly you end up with something that cannot reasonably be updated to a new upstream version. It is possible to some extent to backport security fixes, but it's a lot of work, so it is likely to get skipped entirely or at least restricted to the most severe vulnerabilities.

Secondly, the vendors doing the work often do it without really caring about security, which can lead to busting big holes in the user-security model. Remember "exynos-mem"?

Thirdly, if your application layer is full of holes then attackers will be able to get whatever privileges that application has. If that is root then the attacker has full control of the device. Even if it is not root, the attacker may well be able to elevate to root due to the first and second points.

Comment Re: This can't POSSIBLY go wrong! (Score 1) 85

You have to understand that these features are mainly intended to protect the bank.

For card-present transactions, if the merchant does everything in the most secure way the card supports, the bank takes the fraud liability. If the merchant takes card-not-present transactions or refuses to upgrade their equipment to support EMV by the deadline the bank gives, then the merchant takes the fraud liability.

Comment Re:American problem is American (Score 1) 440

The little machine I used in the UK had a mechanical timer.

Every washing machine I have seen for sale in recent years in the UK has had electronic controls (there are lots of old machines with mechanical controls still kicking around though, presumably in places where they see relatively light use).

Comment Re:This can't POSSIBLY go wrong! (Score 1) 85

Card companies are always trying to strike a balance between security and usability. Chip and PIN does pretty well, but it's vulnerable to thieves who shoulder-surf the PIN and then steal the card. It is also relatively slow (though that is partly down to crappy terminals). Contactless is far more convenient but much less secure. Chip and signature is vulnerable to inattentive operators and modified cards.

How will this option fare on convenience and security? Presumably that is what these trials are intended to find out.

Comment Re:Cool (Score 1) 130

Hoarding the addresses wasn't against any rules, because when those addresses were allocated the rules didn't exist, and the rules were not applied retroactively to existing allocations, only to new allocations made under the new rules.

Selling the addresses might have been against rules in the past (the legal status of early allocations was never very clear), but nowadays the three biggest RIRs are open to the idea of selling IP addresses subject to some conditions. Presumably MIT came to a deal with ARIN to allow this split/sale.

The market approach to handling IP addresses is probably the least bad option at this point. As the price rises people will re-evaluate what services truly need a public IPv4 address and what services can make do with a more economical option.

Comment Re:Time to get off IPv4. (Score 1) 130

IPv6 is fundamentally not very different from IPv4. Yes, there were a load of half-baked ideas from the IPv6 proponents, but you don't have to use them. If you want, you can use DHCPv6 in stateful mode and even use NAT66 to run IPv6 in almost exactly the same way you run IPv4. Yes, there are issues with features such as port security on switches, but that is because port security is in itself a hack and therefore needs to be updated for IPv6.

Running dual-stack, however, is a massive PITA. Basically it means you have to set everything up twice and every machine has two identities. Introducing yet another new protocol to the mess isn't going to help anything.

I think we are set up for a long and painful period where some networks are dual stack, some are v6 only, some are v4 only and the v6-only networks talk to the v4-only networks through various types of transition mechanisms.

Comment Re:Half of all IP addresses are class As (Score 1) 130

The thing is, the IANA (and by extension the RIRs) only have power because the cabal of backbone operators (at least one of which owns a couple of /8 blocks) say they do. Attempting to forcibly reclaim addresses like you propose could well cause major backbone operators to tell IANA to go fuck themselves. Having different providers disagree on who is the rightful owner of addresses is not good for anyone.

Yes, a market-based approach means a few early adopters got a moderately large chunk of money for doing very little, but it also means that "hoarded" addresses get brought into service without the use of force that could smash the Internet to pieces.

Comment Re:But Why? (Score 1) 130

Because in the early days the Internet had an 8-bit network field and a 24-bit host field. So every network got what was later called a "class A" and even later called a "/8".

Some of those allocations were reclaimed when networks shut down, but MIT kept a network running continuously, so they were able to keep their allocation.

Comment Re:RTFA (Score 3, Informative) 130

The legal status of legacy allocations has never been especially clear. They were allocated before the RIRs even existed and long before anyone thought IP addresses would have any value.

In any case, after arguing about it for years, most of the major RIRs (ARIN, RIPE and APNIC) have allowed sale of IP addresses subject to some conditions. They have concluded that making IPv4 addresses a marketable commodity is the least-bad way to manage the post-exhaustion era.

I guess that MIT probably cut a deal with ARIN allowing them to carve up the block into smaller sub-blocks (allowing them to sell the unused sub-blocks while keeping the used ones) in exchange for agreeing to ARIN taking a role in the address space's management.
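An added example, not code from this thread and not tied to MIT's actual block (the addresses and the "kept" range below are constructed), showing the classful 8-bit network / 24-bit host split described in the "But Why?" reply above and the carving of a legacy block into CIDR sub-blocks that this reply describes. It goes beyond the page's class A case by decoding classes B through E as well:

```python
# Added example (not from the Slashdot thread): how an IPv4 address was
# split into network and host fields before CIDR, and how a legacy block
# can be carved into CIDR sub-blocks so some can be kept and the rest
# transferred.  All sample addresses are constructed for illustration.
import ipaddress

# Legacy classes are decided by the leading bits of the first octet:
# (mask, value, class letter, classful network prefix length)
_CLASSES = (
    (0x80, 0x00, "A", 8),     # 0xxxxxxx -> 8-bit network, 24-bit host
    (0xC0, 0x80, "B", 16),    # 10xxxxxx -> 16-bit network, 16-bit host
    (0xE0, 0xC0, "C", 24),    # 110xxxxx -> 24-bit network, 8-bit host
    (0xF0, 0xE0, "D", None),  # 1110xxxx -> multicast, no network/host split
    (0xF0, 0xF0, "E", None),  # 1111xxxx -> reserved
)


def classful_split(addr: str) -> dict:
    """Describe how a dotted-quad address was read before CIDR existed.

    Returns the class letter, the classful prefix length, the network and
    host fields as integers, the network in modern CIDR notation and the
    number of host addresses in that network (all-zeros/all-ones included).
    """
    n = int(ipaddress.IPv4Address(addr))
    first_octet = n >> 24
    for mask, value, letter, prefix in _CLASSES:
        if first_octet & mask == value:
            break
    else:  # unreachable: the table covers every leading-bit pattern
        raise ValueError(addr)
    if prefix is None:
        return {"class": letter, "prefix": None, "network": None,
                "host": None, "cidr": None, "hosts": 0}
    host_bits = 32 - prefix
    network_field = n >> host_bits
    host_field = n & ((1 << host_bits) - 1)
    cidr = ipaddress.IPv4Network((network_field << host_bits, prefix))
    return {"class": letter, "prefix": prefix, "network": network_field,
            "host": host_field, "cidr": str(cidr), "hosts": 1 << host_bits}


def carve(block: str, new_prefix: int) -> list:
    """Split a CIDR block into equal-sized sub-blocks of length new_prefix."""
    net = ipaddress.IPv4Network(block, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def transferable(block: str, new_prefix: int, keep: list) -> list:
    """Sub-blocks of `block` at `new_prefix` that do not overlap any range
    in `keep`, i.e. the pieces a legacy holder could hand over while
    retaining the ranges it still uses."""
    kept = [ipaddress.IPv4Network(k) for k in keep]
    out = []
    for sub in ipaddress.IPv4Network(block, strict=True).subnets(new_prefix=new_prefix):
        if not any(sub.overlaps(k) for k in kept):
            out.append(str(sub))
    return out


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.16.5.6", "192.168.7.8", "224.0.0.1"):
        print(a, classful_split(a))
    print(len(carve("10.0.0.0/8", 16)), "/16 blocks in a /8")
    # Constructed scenario: hold a /8, keep the first /10, transfer the rest at /9.
    print(transferable("10.0.0.0/8", 9, ["10.0.0.0/10"]))
```

The class letter comes purely from the leading bits of the first octet, which is why a single "class A" is exactly a modern /8 and has 2^24 host addresses; `transferable` uses the standard library's overlap test so a kept range that is smaller than the transfer granularity still blocks the sub-block containing it.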
