
Comment Interesting editorial comment... (Score 1) 290

It's sorta off-topic, admittedly, but...

It's interesting that the editor chose to call out the assumption of the continued existence of the closed-source software businesses, without calling out similar precepts (eg: the continued existence of money, or countries). I mean, if money ceases to exist, then doesn't the question of pricing become moot? What about an asteroid wiping out life on the planet: that would also, presumably, substantially alter the economic dynamics of software pricing.

If you're going to call out exceedingly low probability future events to exclude from consideration, why stop with just one? Alternatively, why call those out at all?

Comment Code reuse is good, but... (Score 1) 148

As has already been stated, you generally want to prefer to use a third-party library over a custom implementation, for most security-related code. This is doubly true for well-defined algorithms, which are implemented in well-tested (and preferably open source) libraries.

However... there's an inherent danger in adopting third-party libraries based on uninformed assumptions about quality, as I'm personally well acquainted with. If you have a manager who is prone to making baseless assumptions, and downloading random packages off the internet which purport to be semi-related to the current problem development is experiencing, and insisting they be integrated as the "easy" solution for that problem, you're going to end up with bad quality software (or worse).

As the saying goes: garbage in, garbage out. If you're doing software integrations based on garbage processes, you're still going to get garbage out, no matter what the quality of each third-party module.

Comment Re:Difference in work product (Score 1) 587

I was going to emphasize this too.

I can't speak for all of "tech" as an industrial area, but in software development at least, there are also substantial indirect effects from the quality of work, some of which can be difficult to measure (without someone knowledgeable auditing work). Just because something compiles and produces the expected output, does not mean it handles corner cases well, or works every time, or doesn't have undesirable side-effects, or is easy to maintain, or that the design scales, or is forward-thinking in terms of technology choices, etc., etc. Getting all of those latter things might not be important in a few specific cases (eg: creating strictly throw-away demo-ware for marketing purposes), but in most business cases, each of them has a monetary value attached, and you could certainly be justified in paying more to get them.

Also, the point about competent foreign workers is well taken as well. To re-use my analogy, it's not as if there are not skilled foreign contractors also... but those people don't hang out at Home Depot, waiting to do day labor for under-market wages, they have higher paying jobs closer to home. The people who are being rented out as "cheap" foreign labor are, in most cases, "cheap" foreign labor, and you get what you pay for. It's just that in tech, more than other industrial areas, you generally get less productive value out of rote labor (in my experience).

Comment Re:Difference in work product (Score 2) 587

This is very true. In the software industry, especially, there is a vast difference between people who are good developers, and people who are "just able to write code". For the organizations who employ a lot of the latter (either through legitimate need, or simply inability to attract and/or hire the former), outsourcing can be economically viable... as long as you are able to still stay in business, that is.

I know, anecdotally, that several "smarter" organizations who experimented with outsourcing software development for cost reduction have since "in-sourced" it back for quality purposes. I know others who would not have made that error in the first place. For those organizations, ability can still have value.

Comment Difference in work product (Score 5, Insightful) 587

Obviously this is not applicable to all tech workers, but...

In many cases, there's a fairly substantial difference in expectation of work product, both in terms of quality of work produced, and in ability to execute anything more than rote work. While it's true that those qualities may not matter for those organizations who choose to outsource tech labor, there can be a very quantifiable increase in product quality from workers who are more vested in and capable of producing a higher quality product, which can be translated into demand for higher compensation.

It's kinda the same as the difference between a certified general contractor, and a guy you pick up at Home Depot to do some work for you. You don't expect to pay the general contractor a small amount of cash under the table, and he doesn't have any need to make his rate "competitive", because he'll be able to find people willing to pay for a higher quality of skill, knowledge, and ultimately work product. There's a reason that most tech companies who outsource their high-skill labor to inexpensive countries don't stay competitive long...

That's my experience, anyway.

Comment Straightforward solution (Score 1) 164

As with other instances where the ROI for implementing good computer security is not there, with potentially disastrous societal consequences...

Make manufacturers liable for damages if their devices are compromised for malicious purposes (DDOS, PII extraction, etc.). Make anyone collecting PII or selling a network-connected device have insurance to cover liability for losses due to security. Bam, problem solved: the insurance market will create the implied ROI (vis-a-vis reduced insurance costs), and businesses will either modify their products or behavior accordingly. The solution also side-steps most of the traditional and vexing issues with government oversight (eg: since there's no government-specified "security standard" or anything, there's no potential to make a gigantic mess of that).

It seems so obvious, but I suppose that's why it's seemingly entirely inscrutable to the people in government...

Comment Re:Cars? (Score 1) 76

This is only really bad if the remote connectivity portion is physically connected to the CAN bus, so as to affect vehicle control through remote commands, and be effectively impossible to secure well enough to prevent exploitation.

... except this is what every manufacturer does with their telematics systems, on purpose.

I guess it's only monumentally stupid if you write the software such that it can rewrite its firmware and whole control system via remote update.

... which is what Tesla does, for "customer convenience".

Gosh, yeah, I guess this whole "remote connected car" thing is pretty monumentally idiotic. I wonder if there is some ulterior motive for the government to push such an obviously stupid system, which allows someone with access to completely remote control a vehicle with no trace of evidence or accountability...

... oh, wait, never mind, nothing to see here.

Comment One of those rare technology advances... (Score 1) 239

This is one of the rare technology advances where the government's interests align with getting the technology to be pervasive (typically, you'd have to fight and/or circumvent the government to push disruptive technology... see SpaceX, for example). That will virtually guarantee government approval for mainstream use, and probably slightly before the technology is actually safe.

It's hard to imagine a better technology for the government, though. Track everyone driving, set speeds to whatever you want, stop any car at any time for any reason (goodbye high speed chases, hello stop-and-frisk on the highway), manipulate traffic arbitrarily (you want people to not drive through your neighborhood at all? just a $100M political donation, and it's done!)... the list of benefits for the government goes on and on. If I'm the government, the quicker and more pervasively I can push automation technology which I implicitly control into every aspect of people's lives, the better.

Comment Golden Opportunity to Establish Good Policy (Score 1) 81

This would be an excellent opportunity for the government to establish a policy to improve information security for vital systems (if the government were at all inclined to establish beneficial policy... but just go with it for the hypothetical).

The FDA could offer an open, public bounty for any demonstrable vulnerability in any medical device, with a sufficiently motivational amount (say, 2x the going black market rate for desirable vulnerabilities in other areas). Then they could establish a policy of fines levied in a multiple of that amount (say, 5x) against any vendor producing or marketing a product which had the vulnerability. At current going rates, that would be maybe a $100k bounty, and a $500k fine per vulnerability. Totally legal (FDA has existing jurisdiction to do so), and a great policy.

You'd see a sea change in the industry, as it would no longer be profitable to ignore info-sec entirely. Moreover, it would be a great precedent, monetarily scales up automatically, drives research which makes everyone safer, and it could be easily applied to other industries for the same goal and effect (eg: airlines, automobiles, smart grid, vital infrastructure, etc.).

Man, things like this make me REALLY wish we had a government which wanted to do beneficial things for the people...

Comment Headline is Stupid/Wrong... (Score 2) 304

Google results are literally the definition of not racist: they are not modifying their results or algorithm on the basis of race. The results are a reflection of prevalence and linkage of content online, which may reflect a societal racism, but even that is pretty tenuous based on the data presented. A more straightforward example is that online content is representative of statistical data, and/or societal perceptions, neither of which would indicate racism per se.

Moreover, the suggested "fix" to have Google bias search results on the basis of race IS LITERALLY RACISM. The people calling for Google to "fix" their results to be an inaccurate representation of online data are literally calling for Google to employ racism in generating their search results. *boggle*

I expect the twitter-verse to be stupid... but please at least try to not reflect their stupidity on Slashdot, kthanks.

Comment Re:it's ok, but that comes with a dozen qualifiers (Score 1) 982

I'd agree with the "dozen qualifiers" analysis, FWIW. The main reason to "update" to Windows 10, such as it is, is that the support period will be longer than that of Windows 7.

(I'm assuming OP is considering an update from Windows 7, the last good version of Windows... if you have Windows 8.x for some reason, then by all means, go ahead and go to 10.)

Beware that virtually everything new in Windows 10 is a downgrade from Windows 7, though, and you'll need to do a lot of unchecking defaults and turning off things to get it into a reasonable state. You may also find yourself annoyed, as I was, with the extra click-throughs and confusing UI with control panel items before you can get to the actual controls, the non-intuitive and frustrating behavior of UAC, and the extra advertising spam in the OS. Also, most of the touted new features will be inaccessible without giving all your data to MS (eg: no MS account login, no integrated anything).

Comment Not the only downsides... (Score 1) 381

The abstract mentions the potential for job loss and security vulnerabilities, but neglects to mention the inherent problem with ubiquitous government surveillance and control, which is inherent with a system of network-connected self driving vehicles. It may not be a concern to the majority of drivers, but since nobody has anything remotely approaching a solution to the problem of the government, that problem is not declining any time soon. Whenever the news picks up on, say, politically motivated assassinations using self-driving vehicles, there's going to be a backlash which might be hard to mitigate, even with the level of media control the government currently has. That's not to mention, of course, the non-idiotic people who will simply refuse to put themselves in that situation in the first place.

Self-driving cars might be ready for sale sooner rather than later, but there are some pretty significant challenges to wide-scale adoptions which the developers of such have not yet begun to address.

Comment Apple is ahead of the legal curve here (Score 3, Informative) 367

I'm sure this won't get much visibility, but for what it's worth...

Apple has smart lawyers, which made it odd for me to read when they were basing their primary objection on first amendment grounds, rather than the more obvious undue burden defense (and/or reference to this law, and the lack of statute which would compel them to rewrite the OS). But more recently, the government made their real strategy more clear (ie: rewrite it, or give us the code), which made Apple's strategy make more sense. Although the government cannot necessarily compel Apple to rewrite the OS code, they have much better legal footing to compel Apple to give them the OS code, and presumably could write GovOS themselves fairly trivially.

That's where the freedom of speech argument comes in: although the government can, in effect, steal Apple's code (legally), it's much more clearly established that they cannot compel Apple to "say" that it's coming from Apple (in technical terms, sign the code). Without the code signature, GovOS cannot be pushed onto, or run on, iOS devices. In essence, Apple was countering the more legally persuasive argument that the DOJ was holding back as their would-be trump card, if Apple fought the initial ruling. Well played, indeed.

For the sake of everyone in the US (and not to mention all the principles the country is founded on), I sincerely hope Apple prevails. Their forethought in legal argument gives me some hope that all is not lost, privacy-wise.

Comment Re:The real resaon for this (Score 1) 199

C'mon... that would take far too long. You need to issue the NSL right away, and compel the backdoor RAT to be deployed immediately. That way as soon as you identify a dissonant... uh, "terrorist", you can immediately take any and all actions through the vehicle's systems to help protect the children. Who knows, the terrorist might be in his car, driving by a school, and you had to accelerate it into that tree to protect the kids. It's national security, so you can't do anything about it.

Comment Re:Bad "news" (Score 1) 122

The second paragraph where I specify what the "study" does and doesn't indicate, based on the actual study methodology, is rank with hyperbole... how?

Perhaps you meant the third paragraph, where I speculated on an alternative explanation (in which case you might want to look up "hyperbole"). Admittedly, though, the statement that vulnerability control is laughable in Oracle products is somewhat unsubstantiated, although I assumed it was common knowledge (among the knowledgeable in the field) at this point. If not, perhaps this would be an eye-opener [into the absurdity of their culture with respect to "secure" products]: http://arstechnica.com/informa...
