
Comment This. A judge's job is to read law, not write it (Score 3, Insightful) 203

> It's not the courts that need to side with us, it's the legislators.

Exactly. Writing law is the job of elected legislators. An appointed judge's job is to read and understand the law in order to apply it to a particular case.

The current law on patents, written by legislators, is that a patent controls who can "make, sell, or use" the patented invention. The "sell or use" part needs to be fixed. Judges shouldn't just ignore the law as written whenever they unilaterally decide they don't like the law.

Comment Reminds me of a certain security company (Score 2) 88

> keep on making us take require Flash - such as the one on "information security" ...
> I have to have Flash installed so I can tick off a little checkbox that says I know not to install software like Flash.

That reminds me of a certain network security company. They have all of their employees take annual security training, provided by a third-party. In order to keep track of who has done the training, employees log in to the third-party site using their Active Directory credentials - the same credentials that have access to all of the company resources, and indirectly, customer networks.

Well, that's kinda stupid; employees need to be pretty careful that they don't get phished into entering their AD credentials into the wrong third-party site. They'd better look carefully at the URL in that email from "corporate security", right? No can do: all incoming email has its URLs obfuscated by the email "security" system, so you can't tell where the URL points without clicking it.

There's literally no way for employees to know if they are sending their AD credentials to the site they are required to send them to, or sending them to a phisher.

Comment if (window.changed) { window.render() } (Score 1) 220

You shouldn't be rendering a window every few milliseconds if it hasn't changed. This:

function paint(win) {
        if (win.changed) {
                render(win);
                win.changed = false;    // clear the dirty flag once the window has been drawn
        }
}

function render(win) {
        win.gdiPaint();                 // win.gdiPaint() is assumed to do the actual drawing
        // In Windows, most screen elements are "window"s
        for (const child of win.children) {
                paint(child);
        }
}

Not this:

while (true) {
        win.gdiPaint();
        for (const child of win.children) {
                child.gdiPaint();
        }
}

Comment On $400 billion investment (lost money after infla (Score 2) 76

Amazon made $2.37 billion, on over $400 billion invested. So an owner (investor) who put in $10,000 of their retirement savings made $59. Whoohoo!

Due to inflation, $10,000 in 2015 was worth only $9,700 in 2016, so they actually LOST $241.

Yeah, "making" less money than you're losing to inflation is pretty dismal.

Comment True. Anyone who has ever called a locksmith knows (Score 1) 75

What you've said is exactly right. Anyone who has ever called a locksmith because they were locked out of their house or car understands two things:

1) They weren't able to get in without the key - it was secure.
2) The locksmith got in without a key, probably in under 2 minutes. It was not secure.

Security is a quantitative thing, not a binary thing. You can ask HOW secure something is. Asking "is it secure, yes or no?" is folly.

Standard TLS (https) is much more secure than plain text (http).

Standard TLS connections are useful in the same way that physical locks are useful - they make it unlikely that anyone will in fact defeat your security. Both *can* be defeated by a skilled person using the right tools, given they invest enough time in doing so. Both are more secure than leaving stuff wide open for any passerby to take.

Self-signed certificates are slightly more secure than plain text on a *technical* level, but because they may create an illusion of strong security where none exists, they may be less secure in practice.

We have customers using self-signed certs (without pinning) who mistakenly think the self-signed certs prevent MITM attacks, so they send sensitive data over these connections, "secured" by TLS using self-signed certs. They'd arguably be more secure overall if they understood they have no protection on those connections, so they wouldn't use them for sensitive data (or would encrypt the data before sending it over the non-secured connection). A misunderstanding of the "protection" offered by self-signed certs leads them to do something foolish.

In this regard, there is a counterpoint to what I said above about it being folly to ask "is it secure?" as a yes or no question. It may be wise to try to create a binary secure/non-secure label in order to ease understanding. Weak security can fool users into thinking it's "secure", so it may be better to either secure something strongly or not at all, so users can easily tell that it's obviously not secured.

Comment "Signed all the way". That's just a different CA (Score 2) 75

> Can someone explain to me why domains don't just include a public key in their DNS record (signed all the way up to a root authority) ...
> Why, exactly, are we still fucking around with certificate authorities

Okay, so the DNS record would have a signed certificate. You'd have "the root authority" sign certificates? You would trust this authority for certificates, and this "certificate signing authority" would be better than having a certificate authority?

What you've suggested can be said more succinctly as follows:
Why aren't the people who run DNS also certificate authorities?

You still have a CA; you've just decided that the CA needs to be the same people who run DNS, because ... well, no good reason that I can think of. What does that gain you?

Comment Not quite. She had $123 million when they met (Score 2) 129

His wife was an heir, along with her sister, to a hotel company which owned a chain and non-chain properties including the Beverly Hills Hotel. She got $123 million from that. When they divorced, she gave him $23 million. So there wasn't anything about him giving her hundreds of millions and her giving it back.

He did pay hundreds of millions in fines and restitution. He may have managed to keep a few million in ill-gotten gains.

Comment 3 articles referencing the same statement, misunde (Score 4, Insightful) 126

The three articles you posted were all about what Lorrie Cranor said, but you seem to misunderstand what she said. Cranor did NOT say that it's a bad idea to change YOUR password.

What Cranor said is that there are downsides to forcing everyone to change their password every month or so.

People will not remember a new password every month, so if forced to "change" it monthly they'll either write it on a Post-It note or just use [password]1, [password]2, [password]3, etc, not really changing the password, Cranor said. She's not wrong - there absolutely is a limit to how *often* you should *force* people to change their password.

Also, leaks happen, leaks with millions of accounts, so you will be safer if you change your password *occasionally*. I use a system in which I can change my password every 6-12 months, without having to remember a new password. Another fact about passwords is that the safe length for a password keeps getting longer - I now normally call it a "pass phrase". When I started in security, an eight-character password was considered secure. So what I do is every so often I add a couple of characters to my base password.

Imagine in 1998 maybe I could have used "pallFurt" as my base password. In 2000 I'd start using "pallFurt!?". In 2002, "4pallFurt!?". In 2004, "4pallFurt!?Dh". So I don't have to remember something completely different each time, but the password changes, meaning dumps from old sites don't have my current password (besides, it's slightly different for each site).

Comment Good & bad, it'll be significant. All president (Score 1) 307

> That's even worse.
> Ambition and egotism are deadly dangerous things.

It'll be significant, for good or bad (probably both).
Keep in mind ALL presidents think that a) they should be president and b) the voters will recognize that. So a huge ego is the number one defining character trait of someone who runs for President. The second happens to be loyalty.

Trump will do things big, compared to other presidents. He'll do something good in a big way and something bad in a big way.

Comment The teams found out 3 months ago Chrome was secure (Score 2) 144

The teams didn't just decide that morning "hey let's compete in Pwn2Own today". They prepared months in advance, testing all the browsers to see what they could do. Perhaps a month or two before the event, they decided which browser they had the best exploits for, the browser they would focus on during the actual competition.

All the teams but one learned from their testing that they wouldn't be able to hack Chrome. One team thought it was their best chance and that team failed.

Comment George Washington had a half billion dollars (Score 3, Insightful) 307

> to the tune of millions upon millions of dollars

George Washington had a half BILLION dollars (expressed in today's dollars, of course). The very same people who *wrote* the Constitution supported Washington for president, and didn't see any Constitutional issue.

One commentator at the time did see it as a *political* liability. Most people agree it is better public relations to divest, which is why most recent presidents have done so.

I don't know if Trump's business ventures will turn out to be a significant problem or not. I hope not, of course. Understanding a bit of his personality, he's always focused on the biggest, most grandiose thing. Running the United States is far grander than naming royalties on a hotel, so based on his personality I don't think he gives a shit about a hotel right now - he's running the whole COUNTRY and he's likely trying to be the most significant president in recent history. A little money is no longer an issue - he could lose half his money and still be a multi-billionaire. For him, it's about doing something HUGE, doing things that will be in high history books.

It would certainly look better if he sold off all of his businesses. I've sold two businesses, both simple, very small companies. One took three months to sell, the other took two years. I would guesstimate that given the complexity of some of Trump's hundreds of business relationships, it would take perhaps three or four years to get most of them sold off. That's an issue. I don't know that there is a particularly good solution now that he's president. I voted against him because I didn't think he should be president, but anyway now he's president and he has these business interests that aren't going to vanish - just as the early presidents did. It's certainly an optics problem. It's not a Constitutional problem, according to the people who wrote the Constitution.

Comment George Washington, Tom Jefferson, A Jackson, JFK (Score 3, Interesting) 307

> he still owns, and profits fully from, every single thing his businesses are doing, while he's President, meaning that just about anyone (including Foreign Governments) can straight up pay him money (which is grossly in violation of the constitution).

Most of the country's early presidents, including George Washington, Thomas Jefferson, and Andrew Jackson, owned businesses which had customers from other countries. You have an opinion about what the Constitution means, and the people who actually wrote the Constitution disagree; they thought that when they wrote "emoluments of the office" they meant exactly what they said, emoluments - payments for holding the office, as opposed to ordinary buying and selling of things at market prices. Most presidents from George Washington to John F Kennedy sold things (business) just as they bought things (shopping). It wasn't until 1965, with LBJ, that presidents started moving their business wealth into a blind trust.

Was there some constitutional amendment in 1965? I don't know of any change in the Constitution that required LBJ to do that, it just looks good politically.

Comment If it were at issue (insanity or drugs?) (Score 1) 517

> One of my past passwords was "iAmCh33seburger"; do you really think I think I'm a sandwich?

There is strong reason to believe you don't think you're a cheeseburger, despite the (weak) evidence that you have an interest in cheeseburgers. On the other hand, if through some strange set of circumstances your belief in your cheeseburgerness WERE at issue in a trial (something to do with insanity perhaps) the fact that you wrote "I am a cheeseburger" prior to the trial would be very weak evidence that you thought that. Not convincing evidence, probably, since also approximately nobody thinks they are a cheeseburger, but evidence nonetheless.

The point here is that the fifth doesn't say "compelled in any criminal case to be a BELIEVABLE witness against himself"; it says "a witness against himself". Whether or not the testimony is credible doesn't limit the fifth amendment.

Comment Same as betting on 28 on the roulette wheel (Score 1) 270

If I put $100 on 28 on a roulette wheel and the ball happened to land on 28, what did I lose? It just so happened that this particular gamble worked out this time. If you bought when it was $1300 (or bet on 23) you lost money. Some people won the gamble. It's still gambling, not investment.

> Newegg accepts bitcoin so I buy random items and resell them on eBay. So yeah I take a slight loss there along with fees but come on how is that not a sound plan?

When I do work, I like to make money, not lose money. If you're going to do the work of reselling things on eBay, a sound plan is to buy a box of 200 widgets for $200, then sell the widgets for $2.50 each. You more than double your money as you work, rather than losing money.
