Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:J2EE? (Score 4, Informative) 57

The invoker servlet and its default mapping /servlet/* isn't present in old nor current specs. It is not a JEE standard or was. It was a feature many JEE containers copied mainly because Tomcat at that time was the reference implementation (The invoker servlet class was on the tomcat package namespace not on the javax.servet one) , a very bad idea. It is not present in modern containers.

Since 2002 is known that having it enabled was a bad idea. But you know, enterprise software is badly updated.

Comment Re:Is there any expectation of security? (Score 1) 48

Well, if you send a long URL, that by being long is very difficult to guess, and Twitter convert it to something so small that can be crawled, It is some kind of sharing. They should not be shorting URLs sent as direct messages, as this vulnerability shows, they are breaking the security of the long URL by shortening it.

I am not saying the Google is sharing anything. They give you a long URL that you can send to people you trust, then Twitter shorten it and that short URL can be crawled easily, au contraire of Google URL that is long enough to be treated like a password like authentication.

Comment Re:Is there any expectation of security? (Score 1) 48

Exactly. I know people that send long URLs generated to privately share, like Google photos and send them using Twitter direct messages, believing they are not being shared with the world and they are wrong. Those long URLs know to be relatively secure even by Bruce Schneier are being converted to short ones, and accessible to the public. There is or was a lawsuit related to that

Comment Re:Choice of OS (Score 1) 108

There could be a little truth in that, but no OS make the same mistake of letting the sender of a file decides what is executable or not (sender call it .exe or .scr and it is executable). Only Windows allow the sender to define what icon will be show for a file (sender embed a Word document icon to an executable and that is shown).

There are many ways to make phishing at non Windows users, but then some kind of vulnerability must be used (when opening a document), not a simple stupid trick of sending an executable and people confusing it for other thing. I think the most common one

Comment Re:Is this still true? (Score 1) 391

Trust automatically only the devices detected at boot time. If someone had physical access to replace them before booting then you have worse problems. If your mouse/keyboard break at the same time when plugged (less probable) just press the power button and restart with the new devices. If only one broke then use the other to authorize the replacement

Slashdot Top Deals

Remember, even if you win the rat race -- you're still a rat.