Heartbleed Sparks 'Responsible' Disclosure Debate
Historically, so-called "responsible disclosure" has resulted in delayed fixes. As long as the flaw is not public and causing a drum-beat of demands for a fix and a possible loss of customers, the developer organization too often treats security vulnerabilities the same as any other bug.
Worse, those who report security vulnerabilities responsibly and later go public because the fixes are excessively delayed often find themselves branded as villains instead of heroes. Consider the case of Michael Lynn and Cisco in 2005. Lynn informed Cisco of a vulnerability in Cisco's routers. When Cisco failed to fully inform its customers of the significance of the security patch, Lynn decided to go public at the 2005 Black Hat conference in Las Vegas. Cisco pressured Lynn's employer to fire him and also filed a lawsuit against Lynn.
Then there was the 2011 case of Patrick Webster, who notified the Pillar Administration (major administrator of retirement plans in Australia) of a security vulnerability in their server. When the Pillar Administration ignored Webster, he used the vulnerability to extract personal data from about 500 accounts from his own pension plan (a client of the Pillar Administration). Webster made no use of the extracted personal data, did not disseminate the data, and did not go public. He merely sent the data to the Pillar Administration to prove the existence of the vulnerability. As a result, the Pillar Administration notified Webster's own pension plan, which in turn filed a criminal complaint against Webster. Further, his pension plan then demanded that Webster reimburse them for the cost of fixing the vulnerability and sent letters to other account holders, implying that Webster caused the security vulnerability.
In the end, the administrator organization for Webster's pension plan was fined by the Australian government for not having proper security for its data, for not properly testing its system, and for not detecting Webster's intrusions (even though the intrusions were very visible in the system logs). Criminal charges against Webster were never pursued.
For more details, see my "Shoot the Messenger or Why Internet Security Eludes Us" at http://www.rossde.com/editoria....
I expect to retire ...
I retired about a month before my 62nd birthday. I delayed taking Social Security until my wife retired 2.5 years later; she delayed to a month after I started. Instead, we lived on our investments and her meager wages. She had to continue working so that we would have group health insurance through her employer. Then, we paid for continuing her health insurance via COBRA (about 6 months for me and 18 months for her). This was all per a set of spreadsheets that I developed to determine the optimum time to retire and how to finance it.
We are now in our early 70s. Our retirement investments continue to grow faster than we spend them. Until this year, we did not even spend all the dividends and interest. I expect that, by the end of this year, we will again have underspent our dividends and interest.
I manage our investments myself, relying on mutual funds. Of course, this means I am really relying on the managers of those mutual funds. However, the choice of which funds and how much to allocate to each is my own choice. For anyone interested in my investment philosophy, see my http://www.rossde.com/invest2r....
We have a very comfortable retirement. No, I was not a corporate executive, entertainer, professional athlete, or hedge fund operator. For my entire career, I either created or tested software, primarily for use by the U.S. military to operate its earth-orbiting space satellites. No, I did not work for the government; I worked for defense contractors. (See my http://www.rossde.com/retired.... for a brief history of my career.) Our retirement is successful because I understand investing and choose to be somewhat conservative (despite my liberal politics) in how I handle money that might have to last another 30 years (being from a family that is very long lived).
Slashdot Asks: How Do You Pay Your Taxes?
U.S. and California
I have a degree in mathematics. Tax returns and their computations are merely a simple mathematical puzzle, which I easily solve.
I created two spreadsheets, one for federal income taxes and one for state income taxes. The latter is linked to the former because much of the California computations require inputs from the federal forms. Each year, I copy the prior year's spreadsheets into a new folder. I download the fill-in PDF forms for both governments and update the spreadsheets accordingly. I mark in yellow the spreadsheet cells that require new inputs; as I input those data, I remove the yellow.
California provides a Web site where I input my taxable income and filing status. The Web site tells me how much tax to pay. I wish the IRS would do the same. However, it is much easier to input into the IRS PDF files than into the California PDF files.
Since I have a large investment in a mutual fund, I can also get Turbotax for free. I download it and use it to check my spreadsheet results. I don't really like Turbotax because it requires too much irrelevant input and because it does not provide adequate capability to include explanatory attachments.
I print the PDFs and mail them via U.S. Postal Service. I never request certified or registered mail. I mailed my first tax returns when I was 16 years old. I am now 72. I have never had a mailed return go astray.
Is Crimea In Russia? Internet Companies Have Different Answers
The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
The Case For a Safer Smartphone
Don't change the phones. Don't change the cars. Instead, change the liability laws.
In an accident, a driver who was using a phone or other electronic communication device should be presumed to be grossly negligent. The presumption could be rebuttable, but that would require the driver to prove he or she was not using any such device. With gross negligence, the law should require the automobile insurance company to cancel the driver's policy. The law should also prohibit a grossly negligent driver from collecting any insurance benefit but not prohibit the driver's victims from being compensated.
Yes, there are uninsured drivers. Where I live, the police will often confiscate their cars if they are stopped for even a minor traffic violation. Thus, there is serious incentive to be insured or else not drive.
By the way, the reason we have so many, many laws is that not enough people will do the right thing. Laws set the minimum standard for behavior. When too many individuals treat that as the maximum standard, they are inviting new laws to be passed to raise the standard.
Ask Slashdot: Should Developers Fix Bugs They Cause On Their Own Time?
Wrong! A good QA process prohibits the QA team from changing anything. QA can either approve the product or else send it back to the developers. In the end, QA is paid the same. Thus, QA has no vested interest in either approving or rejecting the product.
Slashdot Tries Something New; Audience Responds!
I very much like the old design. It "scans" very easily. (By "scans", I mean by the human eye and mind, not by an electronic device.)
One thing that needs to be fixed is your use of non-standard HTML and CSS. Your home page has 140 HTML errors. Your CSS has 28 errors.
Also, the yellow box that led me to this page (http://meta.slashdot.org/story/14/02/06/2329227/slashdot-tries-something-new-audience-responds) and is repeated at the top of this page says:
WE HEAR YOU We did tell you we wanted feedback. Hereâ€(TM)s our response.
Note the strange characters that appear in place of a simple apostrophe in "Here's".
Before you embark on a new design, make sure you are not propagating your errors.
Kentucky: Programming Language = Foreign Language
In the University of California system 50+ years ago, a PhD candidate had to pass proficiency tests in TWO foreign languages. In the 1960s, that requirement was modified to allow the candidate to substitute a computer language for one of the foreign languages.
Searching For Dark Matter From Deep Under an Italian Mountain
The more I read about dark matter and dark energy pervading the universe, the more I think about ether (also spelled "aether" or "æther"), which also was supposed to fill the universe. Dark matter and dark energy will never be found because they are as real as ether. See the Wikipedia article at http://en.wikipedia.org/wiki/A....
Ask Slashdot: What To Do With Misdirected Email?
When I receive misdirected E-mail, it almost always results from someone selecting the wrong David or wrong Ross from their address book. That is, both the intended recipient and I are known to the sender. The sender's address book is organized by names, not by E-mail addresses.
I used to get phone calls in the middle of the night for a David Ross who was an attorney, either in private practice or in the District Attorney's office. The caller would be drunk and picked out the wrong David Ross from the phone book. Again, this was a problem with my name, not with my phone number.
There are apparently many, many David Rosses. I have met two others face-to-face, both times in doctors' offices. I have exchanged E-mail with several others. I even created a Web page about this situation at http://www.rossde.com/Ross.html.
How do I handle misdirected E-mail? On the first occasion, I reply quoting the original message. I tell the sender they have the wrong David Ross. If there is one of those caveats about confidentiality and deleting misdirected messages, I also inform the sender that such warnings are unenforceable, that the sender must bear full responsibility for ensuring correct addressing of such messages.
On subsequent instances from the same sender, I use a small application that returns the message in a format that indicates the stated E-mail address is invalid. That is, the message will appear as if bounced. If that does not work, I finally threaten to make any subsequent messages public by posting them on a newsgroup.
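The "appears as if bounced" reply described in this comment is a delivery status notification (DSN), the multipart/report format real mail servers send when a recipient does not exist. The following is an added example, not the commenter's own application, showing what such a message looks like when built with Python's standard library: a human-readable part, a machine-readable message/delivery-status part carrying the per-recipient Action and Status fields, and the original message, in the order RFC 3464 lays them out. All addresses, the reporting host and the original message are constructed for the example. The Auto-Submitted header (RFC 3834) is included because auto-replies without it are a classic source of mail loops and backscatter.

```python
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, make_msgid

# Constructed sample of a misdirected message (hypothetical addresses).
SAMPLE_ORIGINAL = (
    "From: sender@example.com\r\n"
    "To: david.ross@example.net\r\n"
    "Subject: Re: contract draft\r\n"
    "Message-ID: <123@example.com>\r\n"
    "\r\n"
    "Hi David, attached is the draft we discussed.\r\n"
)


def build_bounce(original_raw, sender, bad_recipient, reporting_host="mail.example.net"):
    """Return a multipart/report DSN (RFC 3464) stating bad_recipient is unknown.

    Three parts, in the order RFC 3464 requires: a human-readable explanation,
    a machine-readable message/delivery-status part, and the original message.
    reporting_host is a hypothetical MTA name used for the example."""
    bounce = MIMEMultipart("report", report_type="delivery-status")
    bounce["From"] = f"Mail Delivery System <MAILER-DAEMON@{reporting_host}>"
    bounce["To"] = sender
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce["Date"] = formatdate()
    bounce["Message-ID"] = make_msgid(domain=reporting_host)
    bounce["Auto-Submitted"] = "auto-replied"  # RFC 3834: prevents auto-reply loops

    # Part 1: text for a human reader.
    human = MIMEText(
        f"This is the mail system at host {reporting_host}.\n\n"
        f"The message could not be delivered to <{bad_recipient}>:\n"
        "550 5.1.1 Recipient address rejected: User unknown\n",
        "plain",
    )

    # Part 2: message/delivery-status is a per-message field block followed by
    # one per-recipient block; the email package models each block as a Message.
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; {reporting_host}"
    per_recipient = Message()
    per_recipient["Final-Recipient"] = f"rfc822; {bad_recipient}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"  # RFC 3463: bad destination mailbox address
    per_recipient["Diagnostic-Code"] = "smtp; 550 5.1.1 User unknown"
    status = MIMEBase("message", "delivery-status")
    status.set_payload([per_message, per_recipient])

    # Part 3: the original message, returned verbatim.
    original = MIMEBase("message", "rfc822")
    original.set_payload(original_raw)

    for part in (human, status, original):
        bounce.attach(part)
    return bounce


def dsn_status(bounce):
    """Read the per-recipient Status field back out of a DSN built above."""
    status_part = bounce.get_payload(1)
    return status_part.get_payload()[1]["Status"]


if __name__ == "__main__":
    b = build_bounce(SAMPLE_ORIGINAL, "sender@example.com", "david.ross@example.net")
    print(b.as_string())
```

A receiving mail client recognises the report-type=delivery-status parameter and the 5.x.x Status code, which is why such a reply reads as a bounce rather than as a personal response.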
I decorate my dwelling for the winter holidays ...
I put an electric Hanukkah menorah in a front window. It is now put away, however, because Hanukkah ended over two weeks ago.
Desktop Browser of Choice in 2013?
With both Firefox and SeaMonkey, it is very easy to spoof agent strings, to lie to Web servers by indicating I am using some browser that I have not installed. Actually, the default configuration of SeaMonkey has the user string
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
which says it is both Firefox and SeaMonkey.
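To make the point concrete from the server's side, here is an added example (not from the comment above) that parses a User-Agent value into its product tokens, following the product/version plus parenthesised-comment shape of RFC 7231. The sample string is the SeaMonkey default quoted in the comment; the list of recognised browser names is constructed for the example. Run on that string it shows that the header is self-reported and ambiguous: the same value claims both Firefox and SeaMonkey, so any server logic that keys access or security decisions on the User-Agent has nothing trustworthy to key on.

```python
# Sample copied from the comment above: SeaMonkey 2.22.1's default User-Agent.
SEAMONKEY_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) "
                "Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1")

# Browser names this example recognises (a constructed list, not exhaustive).
KNOWN_BROWSERS = ("Firefox", "SeaMonkey", "Chrome", "Safari", "Edge", "Opera")


def parse_user_agent(ua):
    """Split a User-Agent value into (product, version, comment) tuples.

    Follows the RFC 7231 shape: a sequence of product[/version] tokens, each
    optionally followed by a parenthesised comment (nesting allowed). A comment
    is attached to the product token that precedes it; version and comment are
    None when absent."""
    items = []
    i, n = 0, len(ua)
    while i < n:
        if ua[i].isspace():
            i += 1
            continue
        if ua[i] == "(":
            # Scan to the matching close paren, honouring nested parens.
            depth, j = 0, i
            while j < n:
                if ua[j] == "(":
                    depth += 1
                elif ua[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            comment = ua[i + 1:j]
            if items:
                prod, ver, old = items[-1]
                items[-1] = (prod, ver, comment if old is None else old + "; " + comment)
            i = j + 1
            continue
        # Product token: runs up to whitespace or an opening paren.
        j = i
        while j < n and not ua[j].isspace() and ua[j] != "(":
            j += 1
        prod, _, ver = ua[i:j].partition("/")
        items.append((prod, ver or None, None))
        i = j
    return items


def products(ua):
    """Map each claimed product name to its claimed version (None if none)."""
    return {prod: ver for prod, ver, _ in parse_user_agent(ua)}


def browser_claims(ua):
    """Return every recognised browser name the string claims, in order.

    More than one entry means the string is ambiguous: the SeaMonkey default
    above claims both Firefox and SeaMonkey, so "is this Firefox?" and
    "is this SeaMonkey?" are both answered yes by the same header."""
    return [prod for prod, _, _ in parse_user_agent(ua) if prod in KNOWN_BROWSERS]


if __name__ == "__main__":
    for prod, ver, comment in parse_user_agent(SEAMONKEY_UA):
        print(f"{prod:10} version={ver!s:10} comment={comment}")
    print("claims:", browser_claims(SEAMONKEY_UA))
```

The parser is deliberately tolerant (an unbalanced comment just runs to the end of the string) because real User-Agent values are free-form; the takeaway is that the header is an advisory hint for content negotiation, not an identity.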
Desktop Browser of Choice in 2013?
My preferred browser is SeaMonkey. It has the same "guts" as Firefox but a different user interface that I consider far superior to Firefox. By "guts", I mean the same HTML rendering engine, the same Internet interface, the same SSL processes, and often the same third-party extensions. However, SeaMonkey allows experienced users to tailor the browser in ways that Firefox does not.
It appears that Mozilla has been slowly "dumbing down" Firefox. In the process, the developers have also gone overboard in attempting to make Firefox super-safe for users, which is the main cause of the loss of tailoring. This safety is not restricted to browsing the Web safely but also in configuring the user's own computer. This sometimes means a loss of functionality, overcome by a proliferation of third-party extensions.
Overall, many experienced users feel that Mozilla is trying to make Firefox too similar to Chrome in order to compete against Chrome. What Mozilla refuses to accept is the fact that, if a user wants Chrome, that user will install Chrome and not Firefox.
So far, SeaMonkey has been able to avoid these Firefox deficiencies.
Get Ready For a Streaming Music Die-Off
I listen to streaming broadcasts sent over the Internet directly by radio stations. Most of these stations are non-profit, many of them part of National Public Radio. They seem not only to be surviving but even thriving. Three of the stations are sufficiently close that I can listen to them over the "airwaves". The rest of them are available only via Internet streaming.
Of course my taste in music is mostly classical, music that is still entertaining and appreciated more than a month after it is first released. In many cases, the recordings are no longer available commercially. If the cited trend in this article is true, perhaps young listeners might learn of the majesty of Beethoven, the emotion of Tchaikovsky, the joy of Gershwin.
Mozilla Location Service: Geolocation Lookups From Cell Towers and WiFi Data
If you are using Firefox or SeaMonkey as your browser (both Mozilla-based), get the SecretAgent extension from https://www.dephormation.org.uk/SecretAgent/. Since I installed it in SeaMonkey, not only do many sites have trouble locating where I am, some sites cannot even determine on which continent I am located.
Cookieless Web Tracking Using HTTP's ETag
For Mozilla-based browsers such as Firefox and SeaMonkey, the SecretAgent extension conflicts with the PrefBar User Agent menulist.
Because some Web sites I visit are sensitive to what user agent they see, I unchecked (disabled) the "Rotate User Agent" checkbox in SecretAgent. Then, if I used the PrefBar User Agent menulist to spoof some other browser, it kept resetting to my actual user agent. Since I consider the PrefBar capability to be very important, I removed SecretAgent. The PrefBar capability was then restored.
The Greatest Keyboard Shortcut Ever
Install the PrefBar extension in Firefox or SeaMonkey. Enable the Restore Tab button.
By the way, accidentally closing a tab in SeaMonkey should be rare since the X to close is at the far right of the tab bar, not on the tab. Putting the X on the tab itself has proven dangerous because it is then too easy to close a tab when trying to select the adjacent tab on the right.
Intel, Unisys Partner On New Range of Servers
I worked for Unisys and one of its predecessors for 24 years. At the time Unisys was created -- Burroughs did a hostile takeover of Univac -- the combined company had some 130,000 employees; and about half of its business was with the U.S. military. Now the company has about 22,800 employees and seems to have no military business. I stuck with the company even when they started treating salaried software professionals as if they were hourly assembly-line workers. I stuck with them when they imposed an 18-month salary freeze that did not apply to executive bonuses. I left when it was obvious that any manager who brought new work to our site would be fired.
"451" Error Will Tell Users When Governments Are Blocking Websites
According to Section 10.4.4 of RFC 2616, 403 means:
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.