Comments


We Need Distributed Social Networks More Than Ello

IamTheRealMike Re:We had a distributed social network (253 comments)

If you ignore the ability to restrict personal data to particular people, news feed with intelligent ranking that tries to guess who your real friends are so you don't have to upset people who post a lot by defriending them, the ability to tag people in photos, the lack of any need for meaningless URLs and a seamless way of organising events ...... then sure. Facebook is just like the web.

2 days ago

Deutsche Telecom Upgrades T-Mobile 2G Encryption In US

IamTheRealMike But disabling GSM when possible is still smart (27 comments)

GSM (2G) encryption did not authenticate the cell tower, whereas UMTS (3G) and above do. Cell tower authentication should break devices like the Stingray and other forms of fake base station, unless/until governments start forcing cell carriers to hand over the signing keys for tower identities. But as devices like Stingray exist more or less exclusively to get around the warrant requirement and no carrier would assist in that way without a court order, that places the police in the awkward position of asking a judge to write an order that can only be for avoiding the same judge's authority....

2 days ago

Debian's Systemd Adoption Inspires Threat of Fork

IamTheRealMike Re:A rather empty threat (550 comments)

The problem is that some factions in the non-systemd camp are pursuing systemd "emulation" by using shims and forks. That way you just get a second rate systemd, and it will remove any motivation from upstream projects to support anything else than systemd. Using Ubuntu's "logind" is a short term gain, but a strategic failure for the non-systemd camp. They need their own implementation of needed infrastructure, not just copying or emulating systemd.

It sounds a lot like the non-systemd camp have no idea what they are actually for, they only know what they are against. So this kind of thing is not surprising to hear.

The "UNIX philosophy" is an empty slogan that switches people's brains off. It sounds great, until you try and build a real system with the features modern users demand, and then it turns into an exploding nightmare of combinatorial complexity as every program tries to abstract itself from every other program in the name of political correctness. As already noted elsewhere, the programs people use serverside Linux to actually run barely resemble the UNIX command line tools and that's for good reasons ...

4 days ago

Manga Images Depicting Children Lead to Conviction in UK

IamTheRealMike Re: Moral Imperialism (472 comments)

Is there really someone so stupid that they cannot tell the difference between a cartoon drawing and a real child?

There appears to be an entire united kingdom whose legal system is populated with such people.

Just FYI, the rule against illegal cartoons exists in the USA too. The Supreme Court struck down attempts to use CP laws in this way as being obvious nonsense, so Congress just went ahead and amended the law to make it explicitly illegal as opposed to implicitly illegal.

Unfortunately a lot of crap like this ends up being brought into otherwise sane legal systems thanks to pressure from the USA to "upgrade" national laws to meet the "latest standards". Japan has been pressured for years to tighten its CP laws, being publicly named and shamed etc - the primary justification for not doing so was fear of false positives. Like this one. And like the notorious cases where two teenagers can legally have sex but not photograph themselves doing it.

Fact is, politicians love being able to say they made the law tougher on paedophiles. It's a sure popularity winner. So it's inevitable you end up with idiocy like this.

4 days ago

The Largest Ship In the World Is Being Built In Korea

IamTheRealMike Re:Ho-lee-crap (273 comments)

South Korea is hardly the third world. If Danish shipyards can't beat them on price, why not?

5 days ago

JavaScript and the Netflix User Interface

IamTheRealMike Re:Why the hell... (194 comments)

The JVM is very language specific. For example it has op codes for allocating java objects. A truly cross language virtual machine doesn't have anything anywhere near that high level or specific to a particular language.

Whuuu? The JVM does not have opcodes for allocating "java" objects unless you use a very strange definition of the term - if it worked that way then how could other languages target it? The JVM has opcodes for allocating objects and calling methods on them, including opcodes like invokedynamic that exist purely to support non-Java languages like Javascript, Python, Ruby, etc.

The JVM has a really large variety of languages that target it. It's impressive. There are static languages like Java, Scala, Kotlin, Ceylon etc, there are dynamic scripting languages like JS (using the new Nashorn engine it's only about 2-3x slower than V8), there are Lisp like languages, there are implementations of Erlang and so on. And thanks to the fairly well specified "least common denominator" type system Java provides, code written in these languages can all interop pretty nicely.

If you think the JVM is language specific then I'd suggest looking at Ruby and Kotlin, two very different languages that are not much like Java, yet nonetheless both can run on top of the JVM.

about a week ago

South Korean ID System To Be Rebuilt From Scratch After Massive Leaks

IamTheRealMike Re:Identification != Authentication (59 comments)

The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

For some things you can also use a SuisseID which is just a regular PKI smartcard USB dongle thingy. I have one. After installing the software, you can log in to some Swiss websites by just clicking the login button in the web page. You might have to enter a password and the dongle then signs the SSL session. It's all standards based and the certificate in the hardware is based on your legally verified identity, i.e. you show a passport at the post office and get your personalised stick through the mail a few days later.

about a week ago

"Double Irish" Tax Loophole Used By US Companies To Be Closed

IamTheRealMike Re: Why..... (259 comments)

There's no such thing as EU VAT, it varies by state. Now you have to take into account the inter-country differences and remit taxes to each EU country independently, for certain classes of goods.

about a week ago

Torvalds: I Made Community-Building Mistakes With Linux

IamTheRealMike Re:LT LP (387 comments)

Er, if you ignore things like lack of a stable driver API then sure. Lots of users would have loved one of those.

But Linus encounters fewer problems like that because he has little in the way of vision for what desktop Linux should be. His job is to make a UNIX kernel along the same lines they were being designed 30 years ago. He is largely judged by how tightly he replicates a long-dusty commercial design. Desktop Linux on the other hand has no such luxuries because old commercial UNIX was never a force on the desktop. There, it has to both forge ahead its own path, and also look to competitors like MacOS X for good ideas.

And guess what? The genesis of SystemD bears a strong resemblance to launchd, the MacOS X init system. But because that's not something you would have found in Solaris or AIX, the UNIX "community" throws a fit.

about a week ago

The Great Robocoin Rip-off

IamTheRealMike Re:Always a chuckle (117 comments)

I'm not especially libertarian, but I do not believe libertarianism has anything to say against dispute mediation. Bitcoin itself has the ability to do dispute mediated transactions but it's not fully fleshed out. If it was, and had been used here, a third party could have signed off on the transaction and the money could have been released, only once the machine was delivered and working.

Of course, Robocoin may have chosen not to use such a mechanism because with pre-sales, they are often spending the purchase money to actually build the machine, but that will always be extremely risky.

about two weeks ago

The Great Robocoin Rip-off

IamTheRealMike Re:Huge spreads on withdrawals! (117 comments)

Well, except, you know, running a bitcoin ATM in a shop is about a million times easier than getting a full blown banking license. Right now they often charge very high spreads because there's a lot of risk involved and the machines' costs have to be paid down. But in theory there could be quite a bit of competition, given friendly governments and a long enough time horizon.

about two weeks ago

"Double Irish" Tax Loophole Used By US Companies To Be Closed

IamTheRealMike Re: Why..... (259 comments)

This is not about the "sales tax" (VAT in EU) which is typically assessed and paid in a defined jurisdiction where the sale occurs.

..... until January. It appears our glorious leaders in the EU have decided that they weren't getting enough VAT because people sell things out of low tax jurisdictions (how dare they), so now VAT on various types of digital products and services e.g. online software sales or e-books get to pay tax based on the jurisdiction of the buyer, not the seller. So if you sell software in the EU now you have no choice, essentially, but to hire an expensive middleman who handles the nightmare of filing VAT returns in every EU state. Plus you need to be able to track exactly where your customers are for tax purposes. Effectively people would get a discount for buying through a proxy so god knows how this will be implemented. Total nightmare. All driven by the desire for ever more tax.

about two weeks ago

Too Much Privacy: Finnish Police Want Big Euro Notes Taken Out of Circulation

IamTheRealMike Re:Not only in Finland. (314 comments)

By definition, if it's in the form of a 1000 CHF note then it's not in a Swiss bank. Nice try at painting an entire country as a bunch of criminals though.

about two weeks ago

London Unveils New Driverless Subway Trains

IamTheRealMike Re:I've been wondering why this took so long (127 comments)

If you read the TfL page about this that's exactly what they say their plan is - more track barriers, and allowing "current drivers to work for the rest of their careers". Of course I doubt the RMT will be willing to see itself slowly fade into the sunset via natural ageing, but they don't want to push it too far. London Underground engineering is incredibly efficient, they pack a lot of maintenance into the 3-4 hour engineering hours they get each night (the Tube never really shuts down per se). A lot of the upgrades require rehearsals in mockups of the stations, timing is so tight. If there was a sustained strike then a crapton of automation upgrades could be completed quite quickly.

about two weeks ago

Gmail Security Is a Problem For Tor Users In Repressive Countries

IamTheRealMike Re:Or howabout IMAP? (74 comments)

More generally, 2-step authentication disables the risk analysis based login security. If you set up 2SV then you can use your account via Tor.

However, note that - as observed in a comment below - you cannot create a Gmail account via Tor without passing phone verification. Thus if you're logging in to a Gmail account via Tor successfully that probably means it was created outside of Tor and so has some non-Tor IPs associated with it at some point.

The key point is that email and Tor don't mix, for obvious spam reasons. It's not a Google specific thing. People may wish to look into Pond, a secure messaging service designed to be used via Tor from beginning to end.

about two weeks ago

Systemd Adding Its Own Console To Linux Systems

IamTheRealMike Re:it solves some unicode issues (774 comments)

I haven't used desktop Linux for about a year now, but before that I used it for about a decade and in the early 2000's even did development for it, so I read this post with interest.

I feel the money quote is this one:

People on the email thread have claimed we had an agenda. That's actually certainly true, everybody has one. Ours is to create a good, somewhat unified, integrated operating system. And that's pretty much all that is to our agenda. What is not on our agenda though is "destroying UNIX", "land grabbing", or "lock-in". Note that logind, kdbus or the cgroup stuff is new technology, we didn't break anything by simply writing it. Hence we are not regressing, we are just adding new components that we believe are highly interesting to people (and they apparently are, because people are making use of it now). For us having a simple design and a simple code base is a lot more important than trying to accommodate for distros that want to combine everything with everything else. I understand that that is what matters to many Debian people, but it's admittedly not a priority for us.

For what it's worth, this paragraph makes a ton of sense to me. The biggest problem with Linux, both on the desktop and to a lesser extent on the server, was the fact that you got a basically half-baked set of components that were hardly integrated at all. Basic stuff like being able to set the timezone graphically ended up being distro specific apps / hacks because there was no API to do it, and everything was held together by giant piles of shell scripts and Python which might or might not be something you could actually contribute to or work with, but was certainly never usefully documented.

Basically, the experience of using or developing on Linux gave you the impression of a man in a slightly dishevelled, ill fitting suit. All the parts of a smart suit were there, but none of them quite fitted or lined up, and there were lots of small tears everywhere. And waaaaaay too many people liked this state of affairs because they had made "I am a UNIX user" a part of their identity and had managed to convince themselves that an OS architecture that dated from the 1970's was actually totally elite, and any attempt to reform it was "ignoring the UNIX philosophy" or some shit like that.

Result: MacOS X absolutely ate Linux's lunch on the desktop, despite the fact that Linux was free and Macs .... decidedly not free. Heck, Linux didn't even make much headway against Windows, even though under Ballmer the Windows team basically sat on their ass for a decade rewriting the start menu.

From a (now) outsider looking in, this whole systemd fiasco looks a lot like Linux finally being dragged into the 21st century through the sheer willpower of one man, who has an apparently infinite ability to withstand faeces-throwing by the UNIX peanut gallery. Don't like systemd? OK, stick with Debian Stable or FreeBSD and don't get the new features. Stick it to the man and keep your "I Love *Nix" t-shirt on. Me? Between reading about GNOME 3 and systemd I'm starting to wonder if it's time to revisit Linux and give it another shot. If that community can conquer its UNIX fetish and build a modern OS, it has a lot of potential.

about two weeks ago

Systemd Adding Its Own Console To Linux Systems

IamTheRealMike Re:Just fucking leave it alone! (774 comments)

Yes, you're right! Theo would absolutely approve of stuffing as much random hairy code into kernel space as possible - you aren't gonna find any support for this moving-things-into-userspace nonsense in OpenBSD, that's for sure!

about two weeks ago

Former Infosys Recruiter Says He Was Told Not To Hire US Workers

IamTheRealMike Re:Corporate Malfeasance (293 comments)

If Infosys is in fact guilty of discriminating against American workers by refusing to hire American workers for American jobs, then such malfeasance should be punished

How do you know, though? I mean, surely any company that has an office in America and hires any non-American worker would fail your proposed test? How would international companies ever expand into the USA if hiring any non-American for an "American job" would result in their US assets being immediately liquidated?

Ultimately foreign companies have to be able to set up base and hire in other countries, and hire the people they think are best qualified. The Indian manager's comment here might well be highly offensive but it doesn't actually say "don't hire Americans because they're too expensive". It says "don't hire them because they suck" .... a comment that I'm afraid I've read Americans making about Indian developers many many times.

about two weeks ago

Details of iOS and Android Device Encryption

IamTheRealMike Re:So what you're telling me (146 comments)

TrustZone-based devices also have fused per-device keys which act as the root of trust. The devices that I'm familiar with also have a hardware AES coprocessor which can load and use these per-device keys but will not reveal the actual key bits, not even to secure world code. Secure world code can request operations be performed with the keys, but not see them. Non-secure world code can't do anything except make requests of the secure world code.

I did not know this. That changes a lot - if even the TrustZone can't access the per device key directly then it would appear to give equivalent security (or actually better) to what Apple is doing.

It would be nice to know which devices implement exactly what kind of security, but it seems everything is heading in the right direction, which is very good to hear.

about two weeks ago

Submissions


China performing SSL MITM attacks on iCloud

IamTheRealMike writes | 3 days ago

IamTheRealMike (537420) writes "Anti-censorship blog GreatFire has published a story claiming that SSL connections from inside China to Apple iCloud are being subject to a man in the middle attack, using a self signed certificate. Apple has published a knowledge base article stating that the attacks are indeed occurring, with example screenshots of the SSL cert error screens used by popular Mac browsers. Unfortunately, in China at least one natively produced browser called Qihoo markets itself as "secure", but does not show any certificate errors when presented with the self signed cert. Is this the next step towards China doing systematic SSL MITM attacks, thus forcing their population onto Chinese browsers that allow the surveillance and censorship to occur?"

Fake PGP keys for crypto developers found

IamTheRealMike writes | about 7 months ago

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures on her key, he couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

No back door in TrueCrypt

IamTheRealMike writes | 1 year, 19 hours ago

IamTheRealMike (537420) writes "Previously on Slashdot, we learned that the popular TrueCrypt disk encryption tool had mysterious origins and security researchers were raising money to audit it, in particular, to verify that the Windows binaries matched the source. But a part of the job just became a lot easier, because Xavier de Carné de Carnavalet, a master's student at Concordia University in Canada has successfully reproduced the binaries produced by the TrueCrypt team from their public sources. He had to install exactly the same compiler toolchain used by the original developers, to the extent of matching the right set of security updates issued by Microsoft. Once he did that, compiling the binary and examining the handful of differences in a binary diffing tool revealed that the executables matched precisely beyond a handful of build timestamps. If there's a backdoor in TrueCrypt, it must therefore be in the source code itself — where hiding it would be a significantly harder proposition. It thus seems likely that TrueCrypt is sound."
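The last step of that reproduction, deciding whether the "handful of differences" are all explainable build timestamps, is mechanical enough to automate. The Go program below is an added example and is not the tool the student used: it lists every run of differing bytes between two images, locates the COFF TimeDateStamp field by walking the MZ/PE headers, and accepts the pair only if every difference lies inside that four-byte field. The sample "images" are constructed, minimal PE-shaped blobs built in `SampleImage`, not real TrueCrypt binaries; anything else non-deterministic in a real build (for example debug-directory GUIDs or the Rich header) would need its own entry in the allow-list rather than being waved through.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Range is a half-open run [Start, End) of bytes that differ between two images.
type Range struct{ Start, End int }

// DiffRanges returns every run of differing bytes; a length mismatch is reported
// as a trailing range covering the extra bytes.
func DiffRanges(a, b []byte) []Range {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	var out []Range
	start := -1
	for i := 0; i < n; i++ {
		if a[i] != b[i] {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 {
			out = append(out, Range{start, i})
			start = -1
		}
	}
	if start >= 0 {
		out = append(out, Range{start, n})
	}
	if len(a) != len(b) {
		m := len(a)
		if len(b) > m {
			m = len(b)
		}
		out = append(out, Range{n, m})
	}
	return out
}

// PETimestampOffset locates the COFF TimeDateStamp: e_lfanew at 0x3c points at
// "PE\0\0", and the COFF header that follows is Machine(2) NumberOfSections(2)
// TimeDateStamp(4) ... so the field sits 8 bytes past the signature.
func PETimestampOffset(img []byte) (int, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return 0, errors.New("not an MZ image")
	}
	pe := int(binary.LittleEndian.Uint32(img[0x3c:0x40]))
	if pe < 0 || pe+24 > len(img) || string(img[pe:pe+4]) != "PE\x00\x00" {
		return 0, errors.New("PE signature not found")
	}
	return pe + 8, nil
}

// OnlyTimestampDiffers reports whether two builds are byte-identical apart from
// the COFF TimeDateStamp. Any difference outside that field is returned for a
// human to explain; it is never silently accepted.
func OnlyTimestampDiffers(a, b []byte) (bool, []Range, error) {
	ts, err := PETimestampOffset(a)
	if err != nil {
		return false, nil, err
	}
	ranges := DiffRanges(a, b)
	for _, r := range ranges {
		if r.Start < ts || r.End > ts+4 {
			return false, ranges, nil
		}
	}
	return true, ranges, nil
}

// SampleImage builds a constructed, minimal PE-shaped blob (not a real executable)
// with the given timestamp so the comparison can run offline.
func SampleImage(timestamp uint32) []byte {
	img := make([]byte, 0x80)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40) // e_lfanew
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x44:], 0x8664) // Machine: x86-64
	binary.LittleEndian.PutUint16(img[0x46:], 1)      // NumberOfSections
	binary.LittleEndian.PutUint32(img[0x48:], timestamp)
	copy(img[0x70:], "\xb8\x01\x00\x00\x00\xc3") // stand-in "code": mov eax,1; ret
	return img
}

func main() {
	a, b := SampleImage(0x50000000), SampleImage(0x50000001)
	same, ranges, err := OnlyTimestampDiffers(a, b)
	fmt.Println(same, ranges, err) // true [{72 73}] <nil>

	c := SampleImage(0x50000000)
	c[0x71] = 0x02 // a one-byte change in "code" is not a timestamp
	same, ranges, err = OnlyTimestampDiffers(a, c)
	fmt.Println(same, ranges, err) // false [{113 114}] <nil>
}
```

The point of returning the ranges even on failure is that a reproducible-build check is only as good as the explanation for each leftover difference; a single unexplained byte in a code section is exactly where a backdoor inserted at build time would show up.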

Are the NIST standard elliptic curves back-doored?

IamTheRealMike writes | about a year ago

IamTheRealMike (537420) writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is "Standards for Efficient Cryptography"), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of pi. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by the head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values is currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."
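It helps to see exactly what the "verifiably random" process does and does not verify. The Go program below is an added example, not code from NIST, SEC or the submitter: it re-runs the ANSI X9.62 / SEC 1 derivation for secp256r1, hashing the published SEED with SHA-1 to obtain r and checking r*b^2 == a^3 (mod p). The parameters and seed are the published secp256r1 values; the derivation steps (rightmost v bits of the first hash with the top bit cleared, then SHA-1 of SEED+i for the remaining blocks) are taken from the standard's own description. The check passes, which is the whole complaint: it proves b was derived from the seed, and says nothing whatever about how the seed itself was chosen.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Published secp256r1 / NIST P-256 parameters and SEED (SEC 2, FIPS 186).
const (
	P256Seed = "c49d360886e704936a6678e1139d26b7819f7e90"
	P256P    = "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff"
	P256A    = "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc"
	P256B    = "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b"
)

// VerifySeed re-runs the X9.62 / SEC 1 "verifiably random" derivation over a
// prime field: with t = bitlen(p), g = bitlen(SEED), s = floor((t-1)/g) and
// v = t - g*s, W0 is the rightmost v bits of SHA-1(SEED) with its leftmost bit
// cleared, Wi = SHA-1((SEED + i) mod 2^g) for i = 1..s, r = int(W0 || W1 || ... || Ws),
// and the curve is accepted iff r*b^2 == a^3 (mod p).
func VerifySeed(seedHex, pHex, aHex, bHex string) (bool, error) {
	seed, err := hex.DecodeString(seedHex)
	if err != nil {
		return false, err
	}
	p, ok1 := new(big.Int).SetString(pHex, 16)
	a, ok2 := new(big.Int).SetString(aHex, 16)
	b, ok3 := new(big.Int).SetString(bHex, 16)
	if !ok1 || !ok2 || !ok3 {
		return false, fmt.Errorf("bad hex curve parameter")
	}

	g := len(seed) * 8 // 160 for the NIST seeds
	t := p.BitLen()    // 256 for P-256
	s := (t - 1) / g   // 1
	v := t - g*s       // 96

	// W0: rightmost v bits of SHA-1(SEED), leftmost of those bits forced to 0.
	h := sha1.Sum(seed)
	r := new(big.Int).SetBytes(h[:])
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(v)), big.NewInt(1))
	r.And(r, mask)
	r.SetBit(r, v-1, 0)

	// W1..Ws: SHA-1 of (SEED + i) mod 2^g, each appended as a full g-bit block.
	z := new(big.Int).SetBytes(seed)
	mod := new(big.Int).Lsh(big.NewInt(1), uint(g))
	buf := make([]byte, len(seed))
	for i := 1; i <= s; i++ {
		zi := new(big.Int).Add(z, big.NewInt(int64(i)))
		zi.Mod(zi, mod)
		zi.FillBytes(buf)
		hi := sha1.Sum(buf)
		r.Lsh(r, uint(g))
		r.Or(r, new(big.Int).SetBytes(hi[:]))
	}

	// Acceptance test from the standard: r * b^2 == a^3 (mod p).
	lhs := new(big.Int).Mul(b, b)
	lhs.Mul(lhs, r)
	lhs.Mod(lhs, p)
	rhs := new(big.Int).Exp(a, big.NewInt(3), p)
	return lhs.Cmp(rhs) == 0, nil
}

func main() {
	ok, err := VerifySeed(P256Seed, P256P, P256A, P256B)
	fmt.Println("secp256r1 b derived from published SEED:", ok, err)
}
```

The function is generic over the seed and field size, so the same call verifies the other prime-field NIST curves given their published seeds. What it cannot do is distinguish a seed that was a small counter from one that was the millionth candidate in a search for a curve with some property the verifier does not know to test for; that is why the opacity of the seed, rather than the hashing step, is the objection.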

BitCoin reaches dollar parity

IamTheRealMike writes | more than 3 years ago

IamTheRealMike (537420) writes "The BitCoin peer to peer currency briefly reached exchange parity with the US dollar today after a spike in demand for the coins pushed prices slightly above 1 USD:1 BTC. BitCoin was launched in early 2009, so in only two years this open source currency has gone from having no value at all to one with not only an open market of competing exchanges, but the ability to buy real goods and services like web hosting, gadgets, organic beauty products and even alpaca socks."

Graduate students being warned away from leak

IamTheRealMike writes | more than 3 years ago

IamTheRealMike (537420) writes "The US State Dept has started to warn potential recruits from universities not to read leaked cables, lest it jeopardise their chances of getting a job. They're also showing warnings to troops who access news websites and the Library of Congress and Department of Education have blocked WikiLeaks on their own networks. Quite what happens when these employees go home is an open question."

Julian Assange rape arrest dropped

IamTheRealMike writes | more than 4 years ago

IamTheRealMike (537420) writes "The BBC reports that "Swedish authorities have cancelled an arrest warrant for Wikileaks founder Julian Assange on accusations of rape and molestation. The Swedish Prosecution Authority website said the chief prosecutor had come to the decision that Mr Assange was not suspected of rape." — that was fast!"

BD+ resealed once again

IamTheRealMike writes | more than 5 years ago

IamTheRealMike (537420) writes "It's been a few months since we last checked in on how the BluRay group were doing in their fight against piracy, so it's time to see how it's going. At the time, a new generation of BD+ programs had stopped both SlySoft AnyDVD HD and the open source effort at Doom9. That was December 13th 2008. At the start of January, SlySoft released an update that could handle the new BD+ programs, meaning that BluRay discs were undecryptable for a period of about three months in total — the same length as SlySoft's worst case scenario. The BD+ retaliation was swift but largely ineffective, consisting of a unique program for every BluRay master. Users had to upload log files for every new movie/region to SlySoft, who would then support that unique variant in their next update, usually released a few days later. Despite that, the open source effort never did manage to progress beyond the Winter 2008 programs and is currently stalled completely, thus SlySoft are the only group remaining. This situation remained for several months, but starting around the same time as Paramount joined Fox in licensing BD+ a new set of programs came out which have once again made BluRay discs unrippable. There are currently 19 movies that cannot be decrypted. It appears neither side is able to decisively gain the upper hand, but one thing seems clear — only full time, for profit professionals are able to consistently beat BD+. Unless SlySoft or a licensed vendor release a BluRay player for Linux it appears the only way to watch BluRay movies on this platform will be to wait for them to become pirateable."

BD+ successfully resealed

IamTheRealMike writes | more than 5 years ago

IamTheRealMike (537420) writes "A month on from the story that BD+ had been completely broken, it appears a new generation of BD+ programs has re-secured the system. A SlySoft developer now estimates February 2009 until support is available. There's a list of unrippable movies on the SlySoft forums, currently there are 16. Meanwhile, one of the open source VM developers seems to have given up on direct emulation attacks, and is now attempting to break the RSA algorithm itself. Back in March SlySoft confidently proclaimed BD+ was finished and said the worst case scenario was 3 months work: apparently they underestimated the BD+ developers."

IamTheRealMike writes | more than 7 years ago

IamTheRealMike (537420) writes "Rose George has written a fascinating tour of the sewers of London — rarely seen yet essential to life. But the sewers are in decline, with the last of the flushermen who know their inner workings about to retire. Although some of the work is now done by robots and contractors, can anything replace the experience of the men who roam the tunnels by night destroying fat blockages, searching for leaks and repairing the underground labyrinths below our cities?"

IamTheRealMike writes | more than 7 years ago

IamTheRealMike (537420) writes "As one of the world's most prolific producers of oil, Saudi Arabian production is of vital importance to maintaining our standard of living in the west. A new analysis from Stuart Staniford appears to show large, fast declines in production throughout 2006 that are uncorrelated with price, world events or OPEC's own announced production cuts (in fact, no evidence for those cuts occurring is found at all). Given that the apparent steep decline (8%/year) matches the rates seen in other areas where horizontal drilling and water injection were used, and high prices give the Kingdom every incentive to produce, is this the beginning of the end for Saudi oil?"

Journals

IamTheRealMike has no journal entries.
