
Comment Sounds like a smart move.. (Score 4, Insightful) 70

Giving your employer and/or health insurer access to your activity levels, location, etc.. After all, they have only your best interests at heart, right? I am sure Aetna has no hidden profit-based motives here..

I can only imagine that this will work out exactly like the vehicle monitoring from the vehicle insurance industry - absolutely no issues there with data being used against the members...

Sign me up! A free/cheap gadget is worth giving away any amount of my personal information!

Comment Re:The white flag is up for OS-level security (Score 1) 146

So this is basically saying that we can no longer depend on the OS to protect us against privilege escalation attacks. The bad guys will have to concentrate on breaking out of VMs or, at least in this case, attacking through the access that the Edge VM has to system resources.

No modern OS is immune to privilege escalation attacks. Even a formally verified OS would probably still be susceptible to them due to unexpected interactions. Never mind hardware-based attacks such as race conditions and rowhammer. If someone is dedicated enough, and has enough resources, sooner or later they'd find a chink in the armor.

Instead you try to do the best you can, and then you layer on defense in depth on top of that. If someone is going to break in, then you can at least slow them down and force them to fight another kind of complexity.

Comment Something deeper.. (Score 5, Interesting) 413

More likely some state actor is getting desperate to get some people inside.

Other than that, this looks pretty normal. Anyone who deals with such placement knows that you get a flood of obviously fake, misleading, and just plain silly applications from certain Asian countries and groups which are not difficult to weed out but make the numbers look exactly as we are seeing here. Other than that, the ratio of actual placements looks pretty normal for someone not living on H-1B slaves..

So.. Someone is putting a lot of work into creating this issue.. Which means either political or financial pressure.

Comment Re:Not enough (Score 1) 110

You're 100% right. Anything but the death penalty for a CA after a thorough independent investigation sends the message that this behavior will be tolerated in some fashion. That should never ever be the case with a CA in particular, or the viability of web commerce and trusted information exchange would be at substantial risk.

We have enough security problems with clients, data breaches and end user stupidity to have to deal with this.

Comment Expensive & hard to coordinate (Score 1) 110

The certificate business is big money. It's possible some companies may be able to purchase certs from multiple vendors, but it adds up very quickly, and activities like expiration dates have to be coordinated and aligned among the vendors, which is tricky with multiple large contracts. Only the biggest companies will be able to do this, leaving the rest to single and/or smaller CAs.

Yet does that really make an entity's presence on the public Internet inherently more trustworthy? If I were to get certs from Verisign, Thawte and Let's Encrypt, that's not saying much, since Let's Encrypt does DV and not EV certs. If you have a breach of one CA but not the other, who do you trust and why? What does that result even mean? Best two out of three, or three of five? It's not entirely out of the realm of possibility that smaller CAs could be simultaneously compromised, which is why the larger companies mostly go to that company based in Northern Virginia that has been rock solid if nothing else.

I think smaller, lesser-known entities like these Chinese CAs will be perpetually more risky to obtain certs from. It's just what it is. As you go up the chain the certs get progressively more expensive, but more trusted as well. As long as there is a commercial interest in selling certs, I don't think the current situation will change. It's just another warning, just like Diginotar and others have demonstrated, and Mozilla is IMO being overly lenient and perpetuating the problems by currently supporting the "list of trusted CAs in the browser" model.

Comment Re:Control and management (Score 1) 274

"See if there's anything in the logs that's not what you were expecting, bearing in mind that they'll almost certainly be phoning home to 'check for updates' and 'backup your data to the cloud' (AKA 'monetize your data')."

This could include almost every IP address you find in your logs. Do you know the IP address of every ancillary site that the web sites you visit make connections to while you're browsing their pages? The advertisement servers? Any image servers? The external sites for comments/discussions? Now multiply that by the number of people in your family that use the internet. I haven't seen a single network-aware device that included something in the manual -- or some sort of set of instructions -- that tells you what sites it'll be connecting to on a regular basis. IMHO, we pretty much lost this battle years ago.

Comment Re:more anti-ITT FUD on slashdot (Score 1) 327

Similar places also get those.

Again, why the special focus? I'm wondering if someone with government in their pocket had competition removed or wanted to change the landscape of IT education for some agenda.

Note: I didn't attend ITT, don't know any employees there, had no investments in them nor anything that depends on ITT, and don't even know anyone hurt by this, since the ITT grads I know already have good jobs.

I don't know if ITT classes are worse than normal or better than normal, nor the quality of the teachers. I only know some grads that are doing very well.
