Please create an account to participate in the Slashdot moderation system


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment "Wer fremde Sprachen nicht kennt... (Score 5, Interesting) 274

... weiß nichts von seiner eigenen."

That's a saying in German attributed to Goethe, which means, "he who can't speak another language knows nothing about his own."

And another proverb, either Czech or Tamil in origin (or even from the mouth of Charlemagne): "Mit jeder neu erlernten Sprache erwirbst du eine neue Seele" -- "every time you learn a new language, you get another soul."

Comment Cute, but ineffective (Score 2) 369

The "first-party context" loophole is the deathknell of this thing, just as Safari's own mechanism doesn't actually protect anybody's privacy.

If you don't like tracking cookies, that's fine, but there is an infinite variety of workarounds for this so-called solution. One can easily use a URL proxy, for instance -- you click a link marked "Next Page" that actually goes to "," which sets a cookie and immediately redirects you to "" Hey presto, first-party context cookie set!

On the other hand, there's browser local storage, beacon URLs via AJAX... the list goes on and on. Hell, even if most web browsers _do_ start blocking all third-party cookies under all circumstances, the data kingpins will start offering handy little Rack and Tomcat plugins that use first-party cookies to track user behavior across the Web.

If you're a Web user who's paranoid about information leaks, you should already be using Tor and some privacy-centric web browser. But given the degree of personalization inherent in most of the 21st century Web, I have a hard time understanding why a paranoiac would use the Web at all.

Comment Re:Supernova? (Score 1) 69

This supernova took place in the galaxy Messier 95, some thirty-odd million light years from the Earth. It can't be seen with the naked eye because M95 can't be seen with the naked eye. Its absolute magnitude is 13ish, meaning that in a suburban area with light pollution you're going to need a minimum of a 12" telescope to see it at all. My brother-in-law happens to have a 12" scope with good optics, and in our area of NorCal we were barely able to make it out as a tiny pinprick of light in a slightly larger but dimmer blob of light. But it was there.

In fact SN2012aw is extraordinarily bright, and shines quite nearly as brightly as the galactic core of M95. Were this star to have blown up in the stellar vicinity (~5000LY from Earth) you would definitely be able to see it with the naked eye.

Comment Seriously? (Score 1, Interesting) 290

Are you kidding me? I mean, the EU has some pretty solid consumer and worker protection laws that I like quite a bit, but let me get this straight, they mandate the duration of warranty? Does this mean secondhand sales are illegal? What about consumer products not intended to last two years, are those just banned outright?

Nobody says you have to buy Apple's products. Your opt-out is your wallet. I'm sure there are smartphones, computers, and tablets available with more favorable terms of warranty. What is the justification for this kind of heavy-handedness?

Thank God you've got France right there, or else you might not have enough cheese to go with all that whine.

Comment Better a walled garden than a steel octagon (Score 5, Insightful) 439

I think Mr. Doctorow errs in assuming two things: 1) that there's an intrinsic value in the total openness of programmable electronic devices, and 2) that the new "walled garden" approach adopted by Apple, Microsoft et al. is somehow being done to benefit the estate of Jack Valenti (thank God the Supreme Court couldn't extend his lifetime).

Before you mod me into oblivion, hear me out.

Most people do not give a good goddamn about having control over the code execution path. In fact they don't want control because they can get confused into letting viruses and other malware execute. They want their devices to make life easier, whether that means keeping track of information or playing games to pass the time or some other convenience, and given a two-dimensional optimization choice over the convenience/freedom axis they'll pick convenience every time. And they're not wrong or stupid or evil to do so. They just don't agree with your set of principles.

And thank God for that, because I for one would not want to witness the consequences of a Melissa or Slammer-type worm infecting every Android or iOS device in the United States. We would just stop.

There will always be vigorous and enthusiastic communities centered around truly general purpose devices. You need only look to the many devices other posters here have mentioned, such as the Raspberry Pi, Arduino, and dozens of other hackables. Hell, through Amazon you can rent time on an infinite mountain of general-purpose computing if you're interested.

Let's face it -- hackers, by which I mean the folks who want to push devices to do things they were neither designed nor intended to do, are a teensy minority in the world of users.

Comment Re:Easy fix, for lazy administrators (Score 1) 281

Thanks so much for linking the slides! Just some initial thoughts:

On Slide 17, the CVE percentages are meaningless without some breakdown of installed base. If "Mac OS Server" includes everything from Rhapsody DR2 on up, then the numbers are flawed. If not, Apple might have some security issues.

Slide 28 -- I'm not particularly clear on why you would want ASLR or DEP to be configurable -- that just opens another avenue of attack. It should be always on every process all the time to be meaningfully effective.

Slide 34 -- UAC can be and frequently is turned off by stupid people, even some software vendors demand that it be disabled due to "incompatibilities". Escalation dialogs in Mac OS can't be.

Slide 38 -- you keep calling the attack on the Keychain credential store a "brute force," but it isn't -- it's a simple social engineering attack to get a password. Unfortunately the Keychain keeps (encrypted) passwords in the clear rather than hashes only, but this is so users don't forget their passwords.

Slide 53 -- "Modify existing binaries and services, which breaks signing but is generally not noticed" -- maybe in your shop, pal, not mine.

Slide 76 -- "Run your computers as little islands on a hostile network" -- FTFY

The Bonjoof hack is very clever, and demonstrates a real hole in the way Bonjour handles computer identification. In a well-managed enterprise situation I would expect it to be turned off though. I don't precisely know what it means by a "centralized" way to turn it off. That would be done in the imaging phase of deployment.

On balance the presentation seems to be just an "Apple is vulnerable too" talk, given the countless comparisons with Windows. All the clever people already knew that. The presentation seems to have been excellent in terms of breadth and thoroughness, though, and I would call it a must-read for network ITs in Mac-friendly environments.

Moral of the story? Every one of your attacks here can be mitigated structurally. In a secure environment, don't let your end users be sudoers, filter Bonjour traffic across layers, and always keep your server on a different subnet. We've been doing all that for years; combined with administrator vigilance, people should still be OK.

Comment Easy fix, for lazy administrators (Score 5, Informative) 281

defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO

There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.

To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.

Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?

Comment Re:the end of privacy? (Score 1) 278

Posting an anti-privacy rant with the name Schmidt was the first laugh.

Wow. I don't know if that's supposed to be anti-Semitic or some kind of joke about Germany passing this law (I'm Irish-American).

I'm about ready to get off this crazy train. Slashdot respects my privacy, so I can delete my account, right? OH WAIT

Comment the end of privacy? (Score 1) 278

I realize that Slashdotters in the main have a libertarian-ish bent, but you guys really need to understand that when these Web 2.0 moguls stand up and say "privacy is dead" they do have a leg to stand on. An awful lot of people the world over, especially in the US, do not fetishize anonymity to anywhere near the extent that you do. Mostly people don't give a damn because they never do anything anonymously themselves, and then on the rare occasion when they have to conjure up an opinion on the subject they're pissed off because someone calling themselves anonymous (with or without a capital A) just did something rash or obnoxious. They do not know the names Brutus and Publius. They think the Pentagon Papers was a novel by Charles Dickens, and as far as they know Voltaire's Candide is the instruction manual for the first lightbulb.

This is not to say that people don't respect anti-establishment thinking. Christ and his later student Luther, Cicero and his distant colleague Paine, and even the antithetical squawkers Ron Paul and Rachel Carson, for instance, all earned respect in their own times precisely because they were willing to stand up and let their names be associated with their opinions. They were, of course, all called nasty things for not swimming with the current like the other fishies, and at least one of them got his hands chopped off and (maybe) stuffed in his mouth by one of the people he'd been criticizing. But they've had a far longer-lasting impact on the things they wanted to try to change than any pseudonymous wag ever has.

Anonymity, of course, isn't the real issue because it's perfectly simple for anyone to install Adblock, stay off Facebook, and generally lurk in the shadows unnoticed. Every time I hear "OMG they're killing anonymity" I hear "OMG they're killing my God-given right to say or do whatever I want and avoid responsibility!" Perhaps they don't realize that this argument puts them in the company of Phoebe Prince's tormentors as much as Voltaire and the Federalists.

But this is my central complaint about libertarianism: it disingenuously ignores the consequences of conduct. Privacy, more often than not, really is a shield for misconduct. Is it your right to be unseen at a bar when you're cheating on your wife, or kissing another man, or doing whatever it is you're so ashamed of your friends and family finding out about? Well, clearly not, because you were there for some kid to take your picture and get you automagically tagged on Facebook for your wife or father confessor to find out about. So how in the hell can you get angry that it's now less easily concealed?

Privacy, I might add, is not the same thing as the right against unwarranted police and government intrusion. That particular conflation is no older than William O. Douglas. So don't accuse me of promoting a police state, because I'm not. I still believe in the 4th amendment and I still think police need to get warrants to do so much as peek in your garbage bin. The behavior we're talking about here, however, is by private actors (Facebook and Google and Apple and whoever) in relation to other private actors.

"But," some will object, "what I'm doing anonymously is morally OK but my culture doesn't tolerate it, like smoking pot or having an obscure religious viewpoint!" Did it ever occur to anyone that part of the problem with this kind of conduct is that concealment reinforces the notion that there's something bad or wrong with what's being done? Hell, if all the people who had ever smoked pot were to admit to it, either half the adult population of America would be in prison or it wouldn't be a crime to smoke pot.

Anyway, what I'm trying to say is this: anonymity and privacy are rapidly extinguishing in our culture, and though it's likely to be messy I doubt the change is going to destroy free society any more than it did to take the US off the gold standard or give women the vote. These are cultural conventions, remember, ones that other, newer values are displacing.

So, there's my rant. Mod me into oblivion for disagreeing with the current groupthink on Slashdot, or just ignore me. I'm kind of an asshole anyway. But it's not just me you're ignoring, it's your family, neighbors, and fellow citizens too.

Slashdot Top Deals

Work is the crab grass in the lawn of life. -- Schulz