Please create an account to participate in the Slashdot moderation system


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Comment Can allow specific license changes (any version of (Score 1) 72

There are many ways to allow for the possibility that the license may need to be changed in the future, without allowing just anyone to pick any license they choose.

The standard GPL license has a clause allowing the code to be distributed under the current license *or any future version* of the GPL license.

One could ask permission to distribute it under any OSI-approved license. I've received that permission before, the author granted me permission to use "any open source license", and the OSI list is reasonable, third-party definition of which licenses qualify as "any open source license".

One could say that the license may be changed be unanimous agreement of the foundation board of directors, by 2/3rds vote of recent contributors, or some other planned method.

Comment Estoppel by acquiescence and laches (Score 2) 72

> I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

If they got the notice, estoppel by acquiescence may apply. "Estoppel by acquiescence" means one may not sue later if you were given a clear opportunity to object and chose to not object in any way. Georgia v. South Carolina is a well-known case. Georgia had legal claim to certain land based on a treaty. For many years, South Carolina treated it as part of South Carolina, levying taxes in the area, etc.Georgia did not object during these many years. Later Georgia attempted to assert their claim to the area. The court ruled that Georgia's failure to object for many years barred the action - their silence was basically implied permission.

A related concept is laches. Laches means you have to assert your rights in a reasonable time frame, or not at all - an author who files suit regarding the license change ten years from now will probably be barred by laches.

Comment This. A judge's job is to read law, not write it (Score 3, Insightful) 221

> It's not the courts that need to side with us, it's the legislators.

Exactly. Writing law is the job of elected legislators. A ln appointed judge's job is to read and understand the law in order to apply it to a particular case.

The current law on patents, written by legislators, is that a patent controls who can "make, sell, or use" the patented invention. The "sell or use" part needs to be fixed. Judges shouldn't just ignore the law as written whenever they unilaterally decide they don't like the law.

Comment Reminds me of a certain security company (Score 2) 89

> keep on making us take require Flash - such as the one on "information security" ...
> I have to have Flash installed so I can tick off a little checkbox that says I know not to install software like Flash.

That reminds me of a certain network security company. They have all of their employees take annual security training, provided by a third-party. In order to keep track of who has done the training, employees log in to the third-party site using their Active Directory credentials - the same credentials that have access to all of the company resources, and indirectly, customer networks.

Well that's kinda stupid, employees need to be pretty careful that they don't get phished into entering their AD credentials into the wrong third-party site. They better look carefully at the URL in that email from "corporate security", right? No can do, all incoming email has URLs obfuscated by the email "security" system so you can't tell where the URL points to without clicking it.

There's literally no way for employees to know if they are sending their AD credentials to the site they are required to send them to, or sending them to a phisher.

Comment if (window.changed) { window.render() } (Score 1) 229

You shouldn't be rendering a window every few milliseconds if it hasn't changed. This:

function paint {
        if (window.changed) {

function render {
      # In Windows, most screen elements are "window"s
      for child window.children {

Not this:

while true {
              for child window.children {

Comment On $400 billion investment (lost money after infla (Score 2) 76

Amazon made $2.37 billion, on over $400 billion invested. So an owner (investor) who put in $10,000 of their retirement savings made $59. Whoohoo!

Due to inflation, $10,000 in 2015 was worth only $9,700 in 2016, so they actually LOST $241.

Yeah, "making" less money than you're losing to inflation is pretty dismal.

Comment True. Anyone who has ever called a locksmith knows (Score 1) 77

What you've said is exactly right. Anyone who has ever called a locksmith because they were locked out of their house or car understands two things:

1) They weren't able to get in without the key - it was secure.
2) The locksmith got in without a key, probably in under 2 minutes. It was not secure.

Security is a quantitative thing, not a binary thing. You can ask HOW secure something is. Asking "is it secure, yes or no?" is folly.

Standard TLS (https) is much more secure than plain text (http).

Standard TLS connections are useful in the same way that physical locks are useful - they make it unlikely that anyone will in fact defeat your security. Both *can* be defeated by a skilled person using the right tools, given they invest enough time in doing so. Both are more secure than leaving stuff wide open for any passerby to take.

Self-signed certificates are slightly more secure than plain text on a *technical* level, but because they may create an illusion of strong security where none exists, they may be less secure in practice.

We have customers using self-signed certs (without pinning) who mistakenly think the self-signed certs prevent MITM attacks, so they send sensitive data over these connections, "secured" by TLS using self-signed certs. They'd arguably be more secure overall if they understood they have no protection on those connections, so they wouldn't use them for sensitive data (or would encrypt the data before sending it over the non-secured connection). A misunderstanding of the "protection" offered by self-signed certs leads them to do something foolish.

In this regard, there is a counterpoint to what I said above about it being folly to ask "is it secure?" as a yes or no question. It may be wise to try to create a binary secure/non-secure label in order to ease understanding. Weak security can fool users into thinking it's "secure", so it may be better to either secure something strongly or not at all, so users can easily tell that it's obviously not secured.

Comment "Signed all the way". That's just a different CA (Score 2) 77

> Can someone explain to me why domains don't just include a public key in their DNS record (signed all the way up to a root authority) ...
> Why, exactly, are we still fucking around with certificate authorities

Okay, so the DNS record would have a signed certificate. You'd have "the root authority" sign certificates? You would trust this authority for certificates, and this "certificate signing authority" would be better than having a certificate authority?

What you've suggested can be said more succinctly as follows:
Why aren't the people who run DNS also certificate authorities?

You still have CA, you've just decided that the CA needs to be the same people who run DNS, because ... well no good reason that I can think of. What does that gain you?

Comment Not quite. She had $123 million when they met (Score 2) 129

His wife was an heir, along with her sister, to a hotel company which owned a chain and non-chain properties including the Beverly Hills Hotel. She got $123 million from that. When they divorced, she gave him $23 million. So there wasn't anything him giving her hundreds of millions and her giving it back.

He did pay hundreds of millions in fines and restitution. He may have managed to keep a few million in ill-gotten gains.

Comment 3 articles referencing the same statement, misunde (Score 4, Insightful) 126

The three articles you posted were all about what Lorrie Cranor said, but you seem to misunderstand what she said. Cranor did NOT say that it's a bad idea to change YOUR password.

What Cranor said is that there are downsides to forcing everyone to change their password every month or so.

People will not remember a new password every month, so if forced to "change" it monthly they'll either write it on a Post-It note or just use [password]1, [password]2, [password]3, etc, not really changing the password, Cranor said. She's not wrong - there absolutely is a limit to how *often* you should *force* people to change their password.

Also, leaks happen, leaks with millions of accounts, so you will be safer if you change your password *ocassionally*. I use a system in which I can change my password 6-12 months, without having to remember a new password. Another fact about passwords is that the safe length for a password keeps getting longer - I now normally call it a "pass phrase". When I started in security, an eight-character password was considered secure. So what I do is every so often I add a couple characters to my base password.

Imagine in 1998 maybe I could have used "pallFurt" as my base password. In 2000 I'd start using "pallFurt!?". In 2002, "4pallFurt!?". In 2004, "4pallFurt!?Dh". So I don't have to remember something completely different each time, but password changes, meaning dumps from old sites don't have my current password (besides it's slightly different for each site).

Comment Good & bad, it'll be significant.All president (Score 1) 307

> That's even worse.
> Ambition and egotism are deadly dangerous things.

It'll be significant, for good or bad (probably both).
Keep in mind ALL presidents think that a) they should be president and b) the voters will recognize that. So a huge ego is the number one defining character trait of someone who runs for President. The second happens to be loyalty.

Trump will do things big, compared to other presidents. He'll do something good in a big a way and something bad in a big way.

Comment The teams found out 3 months ago Chrome was secure (Score 2) 146

The teams didn't just decide that morning "hey let's compete in Pwn2Own today". They prepared months in advance, testing all the browsers to see what they could do. Perhaps a month or two before the event, they decided which browser they had the best exploits for, the browser they would focus on during the actual competition.

All the teams but one learned from their testing that they wouldn't be able to hack Chrome. One team thought it was their best chance and that team failed.

Comment George Washington had a half billion dollars (Score 3, Insightful) 307

> to the tune of millions upon millions of dollars

George Washington had a half BILLION dollars (expressed in today's dollars, of course). The very same people who *wrote* the Constitution supported Washington for president, and didn't see any Constitutional issue.

One commentator at the time did see it as a *political* liability. Most people agree it is better public relations to divest, which is why most recent presidents have done so.

I don't know if Trump's business ventures will turn out to be a significant problem or not. I hope not, of course. Understanding a bit of his personality, he's always focused on the biggest, most grandiose thing. Running the United States is far grander than naming royalties on a hotel, so based on his personality I don't think he gives a shit about a hotel right now - he's running the whole COUNTRY and he's likely trying to be the most significant president in recent history. A little money is no longer an issue - he could lose half his money and still be a multi-billionaire. For him, it's about doing something HUGE, doing things that will be in high history books.

It would certainly look better if he sold off all of his businesses. I've sold two businesses, both simple, very small companies. One took three months to sell, the other took two years. I would guesstimate that given the complexity of some of Trump's hundreds of business relationships, it would take perhaps three or four years to get most of them sold off. That's an issue. I don't know that there is a particularly good solution now that he's president. I voted against him because I didn't think he should be president, but anyway now he's president and he has these business interests that aren't going to vanish - just as the early presidents did. It's certainly an optics problem. It's not a Constitutional problem, according to the people who wrote the Constitution.

Comment George Washington, Tom Jefferson, A Jackson, JFK (Score 3, Interesting) 307

> he still owns, and profits fully from, every single thing his businesses are doing, while he's President, meaning that just about anyone (including Foreign Governments) can straight up pay him money (which is grossly in violation of the constitution).

Most of the country's early presidents, including George Washington, Thomas Jefferson, and Andrew Jackson owned businesses which had customers from other countries. You have an opinion about what the Constitution means, and the people who actually wrote the Constitution disagree, they thought that when they wrote "emoluments of the office" they meant exactly what they said, emoluments - payments for holding the office, as opposed to ordinary buying and selling things at market prices. Most presidents from George Washington to John F Kennedy sold things (business) just as they bought things (shopping). It wasn't until 1965, LBJ, the presidents starting moving their business wealth into a blind trust.

Was there some constitutional amendment in 1965? I don't know of any change in the Constitution that required LBJ to do that, it just looks good politically.

Slashdot Top Deals

A company is known by the men it keeps.