
Comments

North Korea Denies Responsibility for Sony Attack, Warns Against Retaliation

Todd Knarr I doubt it was North Korea (192 comments)

For one thing, if North Korea was capable of this sort of hack they've got more tempting targets to use that capability on. And it's just a bit too convenient, coming on the heels of a disappointing performance by Sony, for SPE to suddenly get an excuse to get out from under another apparent flop. My bet is the hack's just another in a long string of breaches by the usual gangs of malcontents, aided and abetted by corporate obliviousness to security, and various parties are just taking advantage of superficial connections for their own reasons.

yesterday

Staples: Breach May Have Affected 1.16 Million Customers' Cards

Todd Knarr Re:Network Level (92 comments)

There should be more isolation, yep. When I handled POS the terminals had no local storage at all, they were network booted from images on the site server and the LAN they were on had no outside access at all. The site servers were on our own wide-area network that connected them to corporate, and there were only two network segments (Development and Support) that could connect to the site servers (sites couldn't even connect to each other). Access to the Dev and Support networks from the rest of the company was highly restricted, and any unexpected access from Dev or Support netted you a phone call and/or an in-person visit from the support manager to find out what had blown up.

I can think of ways to get malware out to the POS system through all that, but all of them involve physically being in the basement of the corporate headquarters where the Support and Development department offices were located and any unknown face would've had to avoid 2 managers and 3 secretaries before being grabbed by the scruff of the neck by Cory and hustled back upstairs (because if Cory didn't recognize you you were not supposed to be down there).

yesterday

The GPLv2 Goes To Court

Todd Knarr Points at the end of the article (173 comments)

I'd note that the 3 points at the end of the article aren't unique to open-source software but apply to all third-party software you use in building your software. And those points are harder to address for proprietary third-party software than for open-source, because any software component may contain other components you aren't directly aware of, and without the source code it's a lot harder to scan proprietary libraries to detect those included components (and it may be impossible if the included components are themselves proprietary, because the people who wrote the scanner may not even know those components exist, let alone have access to their code to create the necessary detection routines). Or they may be easier to address: if your license for the proprietary libraries doesn't include a right to redistribute, then the answers become very simple, if rather limiting, and any less-restrictive licenses for other components become irrelevant.

5 days ago

Former iTunes Engineer Tells Court He Worked To Block Competitors

Todd Knarr Not incompatible (161 comments)

Apple argues, and Schultz agrees, that its intentions were to improve iTunes, not curb competition.

I'd note that the two alternatives aren't incompatible. It's entirely possible to intend to improve iTunes while also determining that the best way to improve it is to block all competitors from accessing it (doing that would, among other things, eliminate bugs due to incorrect accesses and malformed music files and remove an inconsistent user experience due to badly-written software from other vendors). After all, when AT&T was banning all other vendors from connecting equipment to its phone network it was only intending to protect the network from damage due to incorrectly-designed equipment (or at least so its testimony went). In neither case do intentions alter the end result.

about a week ago

Study Explains Why Women Miscarry More Males During Tough Times

Todd Knarr It's the production line (113 comments)

Times of stress/trouble usually mean a loss of population. The arithmetic's simple: one woman can bear one child every 9 months to a year, while one man can sire multiple children in that same time. That means that adding female offspring at the expense of male will make it easier to recover the population loss. And of course sacrificing the least resilient male offspring favors the ones that'll survive the longest and sire the most children. The fun question is how the mechanisms that've evolved to make this happen actually work. Figuring that out's going to keep researchers occupied for the next century or two.

about two weeks ago

Microsoft To US Gov't: the World's Servers Are Not Yours For the Taking

Todd Knarr Re:Hiding evidence (192 comments)

Your metaphor is off. It isn't about the court compelling you to produce the document, it's about compelling the foreign confederate to produce the document.

But in this case it's not a confederate that has the data. The servers in Ireland belong to Microsoft, not another company. Let's reduce it to a simpler case: A sues B in state court in state 1 (A lives in state 1, B is based there and the offense involved occurred there so state 1 has jurisdiction over the case). B stores older documents in a warehouse it owns in state 2. A shows that B has documents relevant to the case and that they're in that warehouse. Can the state court judge order B to produce those documents even though the documents aren't in the judge's physical jurisdiction, or must the judge punt the case to Federal court or a court in state 2 and have them handle that? My sense is that the judge can order B to produce the documents and B would be obliged to comply. If B refuses to comply then A would probably have to go through a court in state 2 if they wanted deputies to go in and seize the documents, but wouldn't if they merely wanted B sanctioned for failure to comply with the court's order.

I suspect the situation here would turn on whether or not Microsoft's operations in Ireland are a legally independent entity that could legally refuse to do what Microsoft tells it to do. I suspect Microsoft's Irish operations walk a very fine line, trying to be independent enough not to be subject to US tax laws but without being independent enough to actually be able to act independently of Microsoft.

about two weeks ago

Breath Test For Pot Being Developed At WSU

Todd Knarr Re:Field Sobriety Tests Anyone? (342 comments)

Agreed. If you're impaired, it shouldn't matter why you're impaired. Combine a field sobriety test with dash/body cams so there's an objective record of the actual test (so the defense can't claim the officer is exaggerating the results) and just use the blood tests as supporting evidence, eg. "Defendant failed the field sobriety test miserably. When his blood was tested during booking, the results showed the following levels of potentially-impairing substances, which are consistent with and support the field test's result of 'massively impaired'."

about three weeks ago

Music Publishers Sue Cox Communications Over Piracy

Todd Knarr Re:An act of infringement (187 comments)

That'd be true normally. However, copyright law doesn't have any provision for holding you liable for someone else's infringement unless you actually contributed directly to the infringement. Cox may have grounds for terminating your service for breach of terms of service, but a third party like a copyright holder can't avail themselves of that (they're not a party to the contract) and if they try pressuring Cox then you might well have a case against them for tortious interference with contract if Cox agrees with them and terminates your service.

That doesn't mean the copyright holder is without recourse. Discovery plays by a completely different set of rules, and they'd be entirely within their rights if they subpoenaed Cox for the subscriber's identity for the purposes of calling the subscriber in for a deposition to answer questions about who was using their connection, and when, for the purposes of identifying the actual infringer. It's just that the copyright holders don't want to go through this on an individual basis because it'd cost more than they could hope to recover. However, as more than one court has pointed out, that's not the court's problem. Every plaintiff and every defendant has to make that same decision as to whether it's worthwhile pursuing or fighting a case; copyright holders aren't an exception to that.

about three weeks ago

Slack Now Letting Employers Tap Workers' Private Chats

Todd Knarr Re:Discovery nightmare (79 comments)

Not to be picky, but I think you're confusing "can" and "are allowed to". "can" has to do with being physically and technically able to. "are allowed to" involves things like "Is it legal?" and "Have the sysadmins been ordered to?". The admins may not for example be legally allowed to just record and scan your IM sessions for no reason, but if diagnosing a weird network problem requires capturing traffic on the wire your packets will get caught and get included in the logs regardless of what the law says (since if I knew exactly what I was looking for well enough to just capture the relevant packets I'd already have diagnosed the problem and wouldn't need to do a traffic capture) and key words in your session may catch my eye. And beyond that kind of legitimate situation, we've all seen cases where companies do things that aren't legal if they think they won't get caught or the benefits outweigh the cost of any fines they may have to pay.

OTOH, as I've reassured people, "Don't worry about it. Yeah, I can see everything if I want to. But your porn is boring unto tears and frankly my to-do list is too long already and I do not want to have to add anything more to it."

about three weeks ago

Slack Now Letting Employers Tap Workers' Private Chats

Todd Knarr Discovery nightmare (79 comments)

I think if I were in Legal I'd nix this instantly as a discovery nightmare in the making. Employees start to say a lot of things, reconsider and rephrase or outright rewrite before sending the message. Often the message they didn't send is exactly the kind of thing the opponent in a lawsuit is looking for and exactly what you don't want to have to give them. If your compliance monitoring application will let you store and view those unsent, often inappropriate or ill-conceived, messages then you're going to have to cough them up during discovery or during any investigation by regulators. Worse, if any of them get out through other channels you've weakened your defense against a claim that you knew or ought to have known about them since they're in your compliance system. Better to only record the stuff that was actually sent and not have to explain your employees' private opinions.

As far as monitoring of sent messages goes, the first rule is "If you're on someone else's network, they can see everything you do." Or, to quote Pitr, "God, root, what is difference?" If you're on the company network, don't say anything you don't want the company becoming aware of. If you need to express a private opinion without putting it on the record, do it face-to-face and verbally (especially if it involves an unflattering opinion of someone with the authority to get you fired).

about a month ago

Married Woman Claims Facebook Info Sharing Created Dating Profile For Her

Todd Knarr Re:Occams razor says this girl is lying (189 comments)

I've had a lot of sites (eg. MyLife, Classmates.com, LocalBlox) create profiles based on my basic info (name and such) without me ever visiting their site. It's an easy way for them to boost their "user" numbers without having to actually attract users. I can easily see a dating site doing the same thing. In fact it probably created the profile the moment the ad appeared for her and had nothing to do with her clicking the close button.

about a month ago

Ars Dissects Android's Problems With Big Screens -- Including In Lollipop

Todd Knarr Re:What is a tablet? (103 comments)

Exactly. On the small end of the scale you have phone-type devices which need one type of UI. On the large end you have desktop computers, which need a different type of UI. And somewhere between the 7" and 10" screen size, you have the line where you need to stop treating the device as a large phone and start treating it as a small desktop display. I put 10" on the desktop-display side of the line because small notebook computers use the just-barely-larger 11" screen with a desktop UI with no problems.

As far as competing with MS Office, I think that's because Google made the deliberate choice to stay focused on Web and mobile rather than dedicated locally-installed applications. I can't say that's bad, because while Google Docs won't replace Word it's still sufficient for 90% or more of non-corporate use and probably a lot of on-the-go corporate use as well. For most people, if you rolled them back to only the features that were available in Word 6 back in '93 they wouldn't notice anything missing so it's not like the advanced features are must-haves outside of corporate applications.

about a month ago

Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams?

Todd Knarr Re:Caller ID spoofing (159 comments)

The problem is that there's a lot of legitimate reasons to "forge" the caller ID information. Many companies use a group of lines for outbound calls; any outbound call simply grabs the next available outbound line and uses it for the call. You don't want people calling in to those numbers though, since there's no way for anyone to pick up a call on them because they don't go to an actual phone, so you set the caller ID to the correct inbound number for people to call (eg. the company's main number, or the main sales number (that gets distributed to the next available sales agent), or whatever number matches the type of outbound call) so callbacks go to the right place. And no, the obvious solution won't work, since the correct inbound number may not be with the same provider as the outbound line, so you can't check whether the caller ID number's owned by the same entity that owns the line in use.

about a month ago

FCC Says Net Neutrality Decision Delay Is About Courts, Not Politics

Todd Knarr Re:Full Title II (60 comments)

Except for the Congressmen and Senators and ISP reps who're saying the FCC doesn't have the authority to change the classification to Title II. What they're probably doing, what I'd be doing, is preparing an iron-clad argument based on the statute and on case law since then that the FCC does indeed have not just the authority to decide the classification (easy, the statute explicitly says they do) but also the authority to change it at a later date (this takes more research to nail down).

about a month ago

ISPs Removing Their Customers' Email Encryption

Todd Knarr Re:Requiring encryption server-side (245 comments)

Problem is, this only works within your facility where you control the physical network. The moment you go outside the facility, where you have to run over physical wires that someone else controls, you're in a position where you don't (can't) know whether you can trust the people that connect things together. The trick then is to design things so you don't have to trust them. For instance I'd run things over SSL/TLS, create my own private CA and issue my own certificates for my systems, then remove everything but my own issuing certificates from the certificate stores on my network. It won't prevent an MITM attack, but it'll make it fail when Mallory can't present a certificate with a valid signature and I'll know there's an attack in progress.

about a month ago

ISPs Removing Their Customers' Email Encryption

Todd Knarr Re:Requiring encryption server-side (245 comments)

If any AUTH command comes in from a client over an unencrypted connection, yes it'll be rejected. This is by design, my server requires encrypted connections to the client to prevent eavesdropping on e-mail. If that command comes in over an encrypted connection, it won't be rejected.

The server also advertises TLS when receiving mail and prefers TLS when sending mail for the same reason. It'll use unencrypted server-to-server connections if the other side absolutely insists on it, but that's not its first choice.

about a month ago

ISPs Removing Their Customers' Email Encryption

Todd Knarr Requiring encryption server-side (245 comments)

I dealt with this by setting my mail server up so that an authenticated connection's required for outgoing user e-mail through it, and encryption's required before the client can authenticate. The IMAP server also requires encryption and won't accept unencrypted connections. If my ISP starts pulling anything that disables encryption, my e-mail will start failing with errors. I'd recommend all mail servers be configured this way.

It's disappointing that we're increasingly having to treat our ISPs as obstructions to be worked around or opponents that need to be defeated for things to work right. We're paying them that monthly subscription to carry our traffic, we oughtn't have to jump through hoops to get our traffic carried without interference.

about a month ago
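
The STARTTLS-before-AUTH policy described in these three comments, as an added example that is not the poster's mail server configuration: a Go state machine for the server side of a submission connection, run against two constructed client transcripts, one that tries to authenticate in the clear and one that negotiates TLS first. The hostname, the single test account and the PLAIN-only mechanism are assumptions; the reply codes are the ones RFC 3207 and RFC 4954 specify for these cases, and no real socket or TLS handshake is involved.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Session is the server side of one submission (port 587) connection.
// It is an illustrative state machine, not a full SMTP implementation.
type Session struct {
	TLS           bool              // STARTTLS has been negotiated
	Authenticated bool              // client has authenticated successfully
	Users         map[string]string // accepted credentials (constructed test data)
}

func NewSession() *Session {
	return &Session{Users: map[string]string{"todd": "correct-horse"}}
}

// Handle processes one client command line and returns the server's reply.
func (s *Session) Handle(line string) string {
	verb, arg, _ := strings.Cut(strings.TrimSpace(line), " ")
	switch strings.ToUpper(verb) {
	case "EHLO":
		// Advertise STARTTLS on a clear channel and AUTH only once encrypted,
		// so a well-behaved client never offers credentials in the clear.
		reply := "250-mail.example.internal\r\n"
		if s.TLS {
			reply += "250-AUTH PLAIN\r\n"
		} else {
			reply += "250-STARTTLS\r\n"
		}
		return reply + "250 8BITMIME"
	case "STARTTLS":
		if s.TLS {
			return "454 4.7.0 TLS already active"
		}
		s.TLS = true // a real server would now run the TLS handshake on the socket
		return "220 2.0.0 Ready to start TLS"
	case "AUTH":
		if !s.TLS {
			// Credentials never cross the wire unencrypted: reject, never fall back.
			return "530 5.7.0 Must issue a STARTTLS command first"
		}
		mech, cred, _ := strings.Cut(arg, " ")
		if strings.ToUpper(mech) != "PLAIN" {
			return "504 5.5.4 Unrecognized authentication type"
		}
		if s.checkPlain(cred) {
			s.Authenticated = true
			return "235 2.7.0 Authentication successful"
		}
		return "535 5.7.8 Authentication credentials invalid"
	case "MAIL":
		if !s.Authenticated {
			// Outgoing user mail is relayed only for authenticated clients.
			return "530 5.7.0 Authentication required"
		}
		return "250 2.1.0 Ok"
	case "QUIT":
		return "221 2.0.0 Bye"
	}
	return "502 5.5.2 Command not implemented"
}

// checkPlain decodes an RFC 4616 PLAIN credential ("\x00user\x00password") and verifies it.
func (s *Session) checkPlain(b64 string) bool {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return false
	}
	parts := strings.Split(string(raw), "\x00")
	if len(parts) != 3 {
		return false
	}
	pw, ok := s.Users[parts[1]]
	return ok && pw == parts[2]
}

// PlainCred builds the AUTH PLAIN argument a client sends for user/password.
func PlainCred(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte("\x00" + user + "\x00" + pass))
}

// Transcript runs a scripted client against a fresh session and returns the replies.
func Transcript(clientLines []string) []string {
	s := NewSession()
	var replies []string
	for _, l := range clientLines {
		replies = append(replies, s.Handle(l))
	}
	return replies
}

func main() {
	cred := PlainCred("todd", "correct-horse")
	scripts := [][]string{
		// 1: client tries to authenticate on the clear channel (what happens after
		//    a middlebox has hidden STARTTLS from the EHLO reply)
		{"EHLO laptop", "AUTH PLAIN " + cred, "MAIL FROM:<todd@example.internal>", "QUIT"},
		// 2: the expected sequence: STARTTLS, fresh EHLO, AUTH, MAIL
		{"EHLO laptop", "STARTTLS", "EHLO laptop", "AUTH PLAIN " + cred, "MAIL FROM:<todd@example.internal>", "QUIT"},
	}
	for _, script := range scripts {
		for i, r := range Transcript(script) {
			fmt.Printf("C: %s\nS: %s\n", script[i], r)
		}
		fmt.Println()
	}
}
```

If the ISP rewrites the EHLO reply to hide 250-STARTTLS, a client that then tries AUTH on the clear channel gets the 530 and fails loudly, which is the failure the poster wants in place of credentials on the wire. In Postfix the equivalent settings are smtpd_tls_auth_only = yes together with smtpd_tls_security_level = encrypt on the submission service, while port 25 keeps smtpd_tls_security_level = may so other servers that cannot do TLS can still deliver.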

Apple Releases iMessage Deregistration Utility

Todd Knarr Re:No one seems to see the real privacy issue (136 comments)

No, they don't. For one thing, the problem here is that Apple's system has registered the recipient's phone as handling messages through iMessage rather than SMS, and tells the sender's phone to use iMessage. And then when the recipient's phone isn't able to receive messages via iMessage, Apple's system never tells the sender that the messages can't be delivered so the sender doesn't know to do anything. The recipient can't pick up "their" messages on their Mac because they may not own a Mac, and they no longer own their iPhone. So yes the problem's in Apple's system where it fails to detect and handle the case where text messages can't be delivered via iMessage.

If Apple were handling the edge cases, this wouldn't've become so severe that they're having to do damage control now.

about a month ago

Submissions

Todd Knarr hasn't submitted any stories.

Journals

Todd Knarr has no journal entries.
