
Comment Re:Uhm... (Score 1) 315

Trump's relationship with the truth isn't so much interesting in that it's fairly casual; but in how self-destructive it seems to be.

People lying in order to advance their interests is an issue; but hardly unexpected or particularly abnormal. People who can't stop lying even when they'd be trivially better off keeping their mouths shut are a different matter. Something like the inaugural crowd size thing: that's an idiotic lie. Trivially verifiable, hilariously petty; and completely unnecessary. He didn't lose much by it, since nobody actually seems to expect better; but he had virtually nothing to gain even if it had worked; and no reasonable expectation that it would work.

Submission + - Over 14K Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites (bleepingcomputer.com) 1

An anonymous reader writes: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites. Other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks. This number is far smaller compared to misused Let's Encrypt certs.

Assuming that current trends continue, Let’s Encrypt will issue 20,000 additional “PayPal” certificates by the end of this year, bringing the total up to 35,000 over the past two years. To blame for this situation is Let's Encrypt, who said in a mission statement it doesn't intend to police the Internet. Browser makers are also to blame [1, 2], along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.

Comment Re:Norton (Score 2) 75

The difference now is that many hackers have developed tools for MITM attacks on https.

Yes and the same tools work with a self-signed cert or with HTTP. To make them work with HTTPS and a signed cert, you need to have a compromised CA signing cert. This is still currently mostly limited to nation-state adversaries.

Comment Re:Digital Rights? (Score 1) 239

OK, but with the gaming examples you're talking about (a) a DRM system that was obviously broken and (b) DRM applied to something where you bought a permanent copy. I have much less sympathy for the content provider in those situations, and if they wind up having to refund a lot of people's money because they shipped a broken product then I still won't have much sympathy for them.

The opposite side is when you have DRM protecting a service like PPV or Netflix where you know you're not buying a permanent copy, and most people will just fire up the player and enjoy the show without ever knowing the DRM is even there. In that case, the DRM is transparent to legitimate viewers, but some form of protection is reasonable to prevent casual infringement.

As I've said throughout, there has to be a balance. DRM that breaks stuff is bad, and people who supply broken products should make good on the damage to their customers. But DRM also makes it practical to follow new and useful business models that can benefit everyone involved.

Comment Re:Norton (Score 1) 75

Step one: Any browser that cares about security MUST stop regarding https with CA certificates as any more trustworthy than self-signed certificates or plain http.

Why? Plain HTTP can be compromised by anyone on a hop between you and your destination. HTTPS with a self-signed certificate can be compromised by anyone on a hop between you and your destination, but can be detected if you do certificate pinning or certificate transparency. HTTPS with a signed cert can only be compromised with cooperation from a CA. The set of people that can compromise signed HTTPS is significantly lower than the set that can compromise self-signed HTTPS.

Comment Re:Uh.... what? (Score 2) 190

2. Collective or other shared accommodation, often combined with studies.

It's pretty common to move accommodation for each year of a degree, so this can easily be 3-4, more if you do a PhD or similar (though people often find a place for the whole of their PhD). I can remember the second and third places I lived as a student (I stayed in the same place for two years of undergrad and then for the whole of my PhD), but the first was university-owned accommodation and I don't recall the exact address - I certainly don't remember post codes for all of them.

Comment Re:"vacation" (Score 4, Insightful) 190

It's been over a decade since the US tightened the visa restrictions so that everyone wanting to come into the country as a practicing journalist must have a visa, even if they're from one of the visa-waiver countries. You can bet that if you tick that box, you're already going to come under a lot of extra scrutiny (and if you don't, but then publish anything written about your time in the USA, expect to be denied entry the next time).

Comment Re:That's stupid. (Score 2) 250

It depends on how you arrange the lights. In the UK, there's a delay in between one set of lights going red and the next going green. In a number of US cities that I've visited, one set turns green at precisely the same instant that the other turns red. This means that going through the lights as they turn red is potentially very dangerous, because you will still be crossing the intersection while cars from other directions go. Adding a small delay, larger than the grace period, would likely improve safety considerably.

The USA has 7.1 fatalities per billion km driven, whereas the UK has only 3.6. It's tempting to blame the drivers (and the difference in driving tests in the two countries lends some support to this), but the road designers also bear a lot of the blame. The US statistics are likely even worse for in-city driving, because the totals are skewed by the fact that you can drive far further in the US without encountering another vehicle than in the UK.

Comment Re:I'm all over this (Score 1) 127

So you're saying you don't even want to watch the film, you just want to be able to talk about it later (but only in the next few days)? The problem with that idea is that it only works if you surround yourself with other keep-up-with-the-Joneses types who insist on watching the latest blockbuster as soon as it comes out and have limited other conversational topics.

Comment Re:makes suing security researchers a feature ... (Score 1) 239

Right, but why should any business give up broad legal rights like that? There needs to be a compelling argument that they get something worthwhile in return. From a commercial perspective, I just don't see one here. From the W3C's perspective, it's trying to bring some standardisation to the industry, but it's abundantly clear that major content providers will walk away and implement their own proprietary equivalents if they are backed into a corner, so the W3C has very little bargaining power to try to force the matter. (See also: Mozilla's handling of the same issue.)

Again, I have nothing against legitimate security research and responsible disclosure, but there is a reason we're talking about laws here. It's because it typically requires laws, or other regulations with statutory backing, to compel desirable behaviour when commercial pressures alone won't do it. If there's a problem with abusing provisions in the DMCA to inhibit valuable security research, that problem needs to be corrected at the same level, the DMCA, not kinda sorta worked around through some commercial agreement with a non-statutory standards organisation.

Comment Re:makes suing security researchers a feature ... (Score 1) 239

My point is that the rightsholders have those legal rights already. It's not anything the W3C is doing that provides those rights, it's laws like the DMCA.

And again, just because someone says they are a security researcher, why should they magically be above those laws? If the laws are inappropriate for some reason, they should be changed for everyone. If they are fair and reasonable, security researchers shouldn't get a pass for breaking them just because of their line of work.

In short, I think you raise valid concerns, but I think you're aiming at the wrong target.

Comment Re:Digital Rights? (Score 1) 239

I would agree that the scales were tipped too far towards creators if everyone actually played by the rules, but as we're all aware, in a world full of piracy that isn't always the case. The unfortunate result is the kind of polarised extremes you describe. The world would be a much nicer place, IMHO, if we had a culture of respecting creative work and contributing to support it, and a market for that work that operated in some reasonable and transparent way, more like what the original copyright tried to achieve rather than the modern, ever more draconian developments of the idea. If we had a more respectful culture, there would be no need for creators to waste time and money on DRM schemes, and no risk to consumers of DRM schemes going wrong. But sadly, you only have to read any discussion about copyright on a forum like this one to see how far away we currently are from that ideal.

Comment Re:I'm all over this (Score 1) 127

I don't get it. Given the choice between paying $30 now, or $1-3 in a few months once it's out on rental / streaming services, you'd pick the former? I can't think of a single film in the last decade that I've wanted to see so much that I'd pay an order of magnitude more to see it now. Plus there's a reasonable sized backlog of things that I want to watch, so even if I watch them in release order they're all available to rent cheaply by the time I get around to them.
