Comments

Heartbleed Sparks 'Responsible' Disclosure Debate

DERoss Re:Actual Experience Against "Responsible Disclosu (176 comments)

In the end, the administrator organization for Webster's pension plan was fined by the Australian government for not having proper security for its data, for not properly testing its system, and for not detecting Webster's intrusions (even though the intrusions were very visible in the system logs). Criminal charges against Webster were never pursued.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

DERoss Actual Experience Against "Responsible Disclosure" (176 comments)

Historically, so-called "responsible disclosure" has resulted in delayed fixes. As long as the flaw is not public and causing a drum-beat of demands for a fix and a possible loss of customers, the developer organization too often treats security vulnerabilities the same as any other bug.

Worse, those who report security vulnerabilities responsibly and later go public because the fixes are excessively delayed often find themselves branded as villains instead of heroes. Consider the case of Michael Lynn and Cisco in 2005. Lynn informed Cisco of a vulnerability in Cisco's routers. When Cisco failed to fully inform its customers of the significance of the security patch, Lynn decided to go public at the 2005 Black Hat conference in Las Vegas. Cisco pressured Lynn's employer to fire him and also filed a lawsuit against Lynn.

Then there was the 2011 case of Patrick Webster, who notified the Pillar Administration (major administrator of retirement plans in Australia) of a security vulnerability in their server. When the Pillar Administration ignored Webster, he used the vulnerability to extract personal data from about 500 accounts from his own pension plan (a client of the Pillar Administration). Webster made no use of the extracted personal data, did not disseminate the data, and did not go public. He merely sent the data to the Pillar Administration to prove the existence of the vulnerability. As a result, the Pillar Administration notified Webster's own pension plan, which in turn filed a criminal complaint against Webster. Further, his pension plan then demanded that Webster reimburse them for the cost of fixing the vulnerability and sent letters to other account holders, implying that Webster caused the security vulnerability.

For more details, see my "Shoot the Messenger or Why Internet Security Eludes Us" at http://www.rossde.com/editoria....

2 days ago

I expect to retire ...

DERoss Already Retired (266 comments)

I retired about a month before my 62nd birthday. I delayed taking Social Security until my wife retired 2.5 years later; she delayed to a month after I started. Instead, we lived on our investments and her meager wages. She had to continue working so that we would have group health insurance through her employer. Then, we paid for continuing her health insurance via COBRA (about 6 months for me and 18 months for her). This was all per a set of spreadsheets that I developed to determine the optimum time to retire and how to finance it.

We are now in our early 70s. Our retirement investments continue to grow faster than we spend them. Until this year, we did not even spend all the dividends and interest. I expect that, by the end of this year, we will again have underspent our dividends and interest.

I manage our investments myself, relying on mutual funds. Of course, this means I am really relying on the managers of those mutual funds. However, the choice of which funds and how much to allocate to each is my own choice. For anyone interested in my investment philosophy, see my http://www.rossde.com/invest2r....

We have a very comfortable retirement. No, I was not a corporate executive, entertainer, professional athlete, or hedge fund operator. For my entire career, I either created or tested software, primarily for use by the U.S. military to operate its earth-orbiting space satellites. No, I did not work for the government; I worked for defense contractors. (See my http://www.rossde.com/retired.... for a brief history of my career.) Our retirement is successful because I understand investing and choose to be somewhat conservative (despite my liberal politics) in how I handle money that might have to last another 30 years (being from a family that is very long lived).

3 days ago

Slashdot Asks: How Do You Pay Your Taxes?

DERoss Paper and US Postal Service (385 comments)

U.S. and California

I have a degree in mathematics. Tax returns and their computations are merely a simple mathematical puzzle, which I easily solve.

I created two spreadsheets, one for federal income taxes and one for state income taxes. The latter is linked to the former because much of the California computations require inputs from the federal forms. Each year, I copy the prior year's spreadsheets into a new folder. I download the fill-in PDF forms for both governments and update the spreadsheets accordingly. I mark in yellow the spreadsheet cells that require new inputs; as I input those data, I remove the yellow.

California provides a Web site where I input my taxable income and filing status. The Web site tells me how much tax to pay. I wish the IRS would do the same. However, it is much easier to input into the IRS PDF files than into the California PDF files.

Since I have a large investment in a mutual fund, I can also get Turbotax for free. I download it and use it to check my spreadsheet results. I don't really like Turbotax because it requires too much irrelevant input and because it does not provide adequate capability to include explanatory attachments.

I print the PDFs and mail them via U.S. Postal Service. I never request certified or registered mail. I mailed my first tax returns when I was 16 years old. I am now 72. I have never had a mailed return go astray.

5 days ago

The Case For a Safer Smartphone

DERoss A Simple Solution (184 comments)

Don't change the phones. Don't change the cars. Instead, change the liability laws.

In an accident, a driver who was using a phone or other electronic communication device should be presumed to be grossly negligent. The presumption could be rebuttable, but that would require the driver to prove he or she was not using any such device. With gross negligence, the law should require the automobile insurance company to cancel the driver's policy. The law should also prohibit a grossly negligent driver from collecting any insurance benefit but not prohibit the driver's victims from being compensated.

Yes, there are uninsured drivers. Where I live, the police will often confiscate their cars if they are stopped for even a minor traffic violation. Thus, there is serious incentive to be insured or else not drive.

By the way, the reason we have so many, many laws is that not enough people will do the right thing. Laws set the minimum standard for behavior. When too many individuals treat that as the maximum standard, they are inviting new laws to be passed to raise the standard.

about a week ago

Ask Slashdot: Should Developers Fix Bugs They Cause On Their Own Time?

DERoss Re:developers don't cause bugs, QA does (716 comments)

Wrong! A good QA process prohibits the QA team from changing anything. QA can either approve the product or else send it back to the developers. In the end, QA is paid the same. Thus, QA has no vested interest in either approving or rejecting the product.

about 2 months ago

Slashdot Tries Something New; Audience Responds!

DERoss Just Fix Bugs (2219 comments)

I very much like the old design. It "scans" very easily. (By "scans", I mean by the human eye and mind, not by an electronic device.)

One thing that needs to be fixed is your use of non-standard HTML and CSS. Your home page has 140 HTML errors. Your CSS has 28 errors.

Also, the yellow box that led me to this page (http://meta.slashdot.org/story/14/02/06/2329227/slashdot-tries-something-new-audience-responds) and is repeated to the top of this page says:
                        WE HEAR YOU We did tell you we wanted feedback. Hereâ€(TM)s our response.
Note the strange characters that appear in place of a simple apostrophe in "Here's".

Before you embark on a new design, make sure you are not propagating your errors.

about 2 months ago

Kentucky: Programming Language = Foreign Language

DERoss An Even Older Story (426 comments)

In the University of California system 50+ years ago, a PhD candidate had to pass proficiency tests in TWO foreign languages. In the 1960s, that requirement was modified to allow the candidate to substitute a computer language for one of the foreign languages.

about 3 months ago

Searching For Dark Matter From Deep Under an Italian Mountain

DERoss Ether (62 comments)

The more I read about dark matter and dark energy pervading the universe, the more I think about ether (also spelled "aether" or "æther"), which also was supposed to fill the universe. Dark matter and dark energy will never be found because they are as real as ether. See the Wikipedia article at http://en.wikipedia.org/wiki/A....

about 3 months ago

Ask Slashdot: What To Do With Misdirected Email?

DERoss It's Not Your E-mail Address, It's Your Name (388 comments)

When I receive misdirected E-mail, it almost always results from someone selecting the wrong David or wrong Ross from their address book. That is, both the intended recipient and I are both known to the sender. The sender's address book is organized by names, not by E-mail addresses.

I used to get phone calls in the middle of the night for a David Ross who was an attorney, either in private practice or in the District Attorney's office. The caller would be drunk and picked out the wrong David Ross from the phone book. Again, this was a problem with my name, not with my phone number.

There are apparently many, many David Rosses. I have met two others face-to-face, both times in doctors' offices. I have exchanged E-mail with several others. I even created a Web page about this situation at http://www.rossde.com/Ross.html.

How do I handle misdirected E-mail? On the first occasion, I reply quoting the original message. I tell the sender they have the wrong David Ross. If there is one of those caveats about confidentiality and deleting misdirected messages, I also inform the sender that such warnings are unenforceable, that the sender must bear full responsibility for ensuring correct addressing of such messages.

On subsequent instances from the same sender, I use a small application that returns the message in a format that indicates the stated E-mail address is invalid. That is, the message will appear as if bounced. If that does not work, I finally threaten to make any subsequent messages public by posting them on a newsgroup.

about 3 months ago

I decorate my dwelling for the winter holidays ...

DERoss Hanukkah Menorah (199 comments)

I put an electric Hanukkah menorah in a front window. It is now put away, however, because Hanukkah ended over two weeks ago.

about 3 months ago

Desktop Browser of Choice in 2013?

DERoss Re:agent strings... (381 comments)

With both Firefox and SeaMonkey, it is very easy to spoof agent strings, to lie to Web servers by indicating I am using some browser that I have not installed. Actually, the default configuration of SeaMonkey has the user string
          Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
which says it is both Firefox and SeaMonkey.

about 4 months ago

Desktop Browser of Choice in 2013?

DERoss Other: SeaMonkey (381 comments)

My preferred browser is SeaMonkey. It has the same "guts" as Firefox but a different user interface that I consider far superior to Firefox. By "guts", I mean the same HTML rendering engine, the same Internet interface, the same SSL processes, and often the same third-party extensions. However, SeaMonkey allows experienced users to tailor the browser in ways that Firefox does not.

It appears that Mozilla has been slowly "dumbing down" Firefox. In the process, the developers have also gone overboard in attempting to make Firefox super-safe for users, which is the main cause of the loss of tailoring. This safety is not restricted to browsing the Web safely but also in configuring the user's own computer. This sometimes means a loss of functionality, overcome by a proliferation of third-party extensions.

Overall, many experienced users feel that Mozilla is trying to make Firefox too similar to Chrome in order to compete against Chrome. What Mozilla refuses to accept is the fact that, if a user wants Chrome, that user will install Chrome and not Firefox.

So far, SeaMonkey has been able to avoid these Firefox deficiencies.

about 4 months ago

Get Ready For a Streaming Music Die-Off

DERoss Free Music? Yes, That "Business Model" Does Work (370 comments)

I listen to streaming broadcasts sent over the Internet directly by radio stations. Most of these stations are non-profit, many of them part of National Public Radio. They seem not only to be surviving but even thriving. Three of the stations are sufficiently close that I can listen to them over the "airwaves". The rest of them are available only via Internet streaming.

Of course my taste in music is mostly classical, music that is still entertaining and appreciated more than a month after it is first released. In many cases, the recordings are no longer available commercially. If the cited trend in this article is true, perhaps young listeners might learn of the majesty of Beethoven, the emotion of Tchaikovsky, the joy of Gershwin.

about 4 months ago

Mozilla Location Service: Geolocation Lookups From Cell Towers and WiFi Data

DERoss Use SecretAgent (46 comments)

If you are using Firefox or SeaMonkey as your browser (both Mozilla-based), get the SecretAgent extension from https://www.dephormation.org.uk/SecretAgent/. Since I installed it in SeaMonkey, not only do many sites have trouble locating where I am, some sites cannot even determine on which continent I am located.

about 6 months ago

Cookieless Web Tracking Using HTTP's ETag

DERoss SecretAgent Extension Conflicts with PrefBar (212 comments)

For Mozilla-based browsers such as Firefox and SeaMonkey, the SecretAgent extension conflicts with the PrefBar User Agent menulist.

Because some Web sites I visit are sensitive to what user agent they see, I unchecked (disabled) the "Rotate User Agent" checkbox in SecretAgent. Then, if I used the PrefBar User Agent menulist to spoof some other browser, it kept resetting to my actual user agent. Since I consider the PrefBar capability to be very important, I removed SecretAgent. The PrefBar capability was then restored.

about 8 months ago

The Greatest Keyboard Shortcut Ever

DERoss Re:New Slashdot feature: RTFM Sunday! (506 comments)

Install the PrefBar extension in Firefox or SeaMonkey. Enable the Restore Tab button.

By the way, accidentally closing a tab in SeaMonkey should be rare since the X to close is at the far right of the tab bar, not on the tab. Putting the X on the tab itself has proven dangerous because it is then too easy to close a tab when trying to select the adjacent tab on the right.

about 8 months ago

Intel, Unisys Partner On New Range of Servers

DERoss Back in the day ... (46 comments)

I worked for Unisys and one of its predecessors for 24 years. At the time Unisys was created -- Burroughs did a hostile takeover of Univac -- the combined company had some 130,000 employees; and about half of its business was with the U.S. military. Now the company has about 22,800 employees and seems to have no military business. I stuck with the company even when they started treating salaried software professionals as if they were hourly assembly-line workers. I stuck with them when they imposed an 18-month salary freeze that did not apply to executive bonuses. I left when it was obvious that any manager who brought new work to our site would be fired.

about 8 months ago

"451" Error Will Tell Users When Governments Are Blocking Websites

DERoss Why not 403? (255 comments)

According to Section 10.4.4 of RFC 2616, 403 means:

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

about 8 months ago

Submissions


Regional Concentrations of Scientists and Engineers in the United States

DERoss DERoss writes  |  about 8 months ago

DERoss (1919496) writes "The National Science Foundation has published a research paper with the subject title, which may be found at http://www.nsf.gov/statistics/infbrief/nsf13330/. The lead paragraph contains the sentence "The three most populous states—California, Texas, and New York—together accounted for more than one-fourth of all S&E employment in the United States."

According to the 2010 census, however, those three states also contain more than one-fourth (26.5%) of the U.S. population. In other words, there is NO concentration beyond how the general population is concentrated."

Question: How do I obtain enforcement of my copyr

DERoss DERoss writes  |  more than 2 years ago

DERoss (1919496) writes "I have a personal Web site with many, many pages. One of the pages — one of my very first from before 1999 — describes the community in which I live. As with most of my Web pages, this one carries a copyright notice.

Often, my community page is plagiarized by real estate agents and brokers without my permission. Can I get the U.S. government to enforce my copyright? Or is enforcement limited to the MPAA, RIAA, and their allies?"

PGP Vulnerability -- No Fix for Freeware Version

DERoss DERoss writes  |  more than 3 years ago

DERoss (1919496) writes "PGP Desktop — used to encrypt or digitally sign E-mail and files — contains a serious vulnerability in current versions 10.0.3 and 10.1. This vulnerability allows a signed message or file (or sometimes a signed and encrypted message or file) to be altered without invalidating the signature. This makes it impossible to use a digital signature to verify the integrity of a message or file. While many individual, non-commercial users of PGP Desktop use the freeware trial version, Symantec will not provide a fix except for the purchased version. For non-technical details, see [http://www.rossde.com/PGP/pgp_weak.html#inject]."

Journals

DERoss has no journal entries.
