Is a "Wikipedia For News" Feasible?
Crowd-sourcing content is one aspect, but I'm very much looking forward to "subscribing" to a story and getting only updates after that -- as short as possible, whether they be corrections, links to related stories, or truly new information. I can fit a lot more news into my day if I don't have to hear/read the same context/intro information each time there's an update.
Less important to me is a "ask the author" system, by which readers can suggest directions for investigative journalists to take: how is this incident related to previous ones, what's the political context for this, does anyone have any proposed solutions to the problem, has anything changed since this story was posted 6 months ago, etc. I don't necessarily want to read opinions from fellow readers, nor post my own "facts" as a citizen-journalist, I just want to prod journalists into doing more of what they already do well.
Ask Slashdot: Getting Around Terrible Geolocation?
Yeah, I was thinking this guy's got it all backwards. If MaxMind et al are already showing the right position, then the problem is the location returned by the W3C API call in his unspecified browser which depends on which location service his browser uses (possibly not the default), and whether his device is GPS-equipped.
In the absence of GPS, Firefox defaults to using Google Location Service (according to https://www.mozilla.org/en-US/... ), which is not one of the 4 "providers" listed at http://whatismyipaddress.com/ and could easily be the one database that's wrong, causing his confusion. I expect Chrome to do the same. IE may use a Microsoft-provided IP database, again separate from the four above -- I couldn't find confirmation of this.
Amazon Goes After Oracle (Again) With New Aurora Database
You might check NuoDB, as that's their target audience.
RAC was indeed pretty cool. We did have to fight with the Ops guys, though, over the advertised auto-retry feature, which was dangerous for multi-statement transactions, and the documentation (at least at the time) didn't make that clear.
Facebook and Apple Now Pay For Female Employees To Freeze Their Eggs
Thank you! I'm seeing a lot of comments here about how wonderful it is to make the choice to be a stay-at-home-mom, how great it is for the kids, and how that's not less productive than a high-paying job. But I'm not seeing the equivalent for men, that there's a tough choice between "being a dad" (stay at home dad) and "being a man" (with a job), that each male should be encouraged to make the choice that's right for him without pressure from his employer.
Smart Battery Tells You When It's About To Explode
Uh, Majel? http://en.memory-alpha.org/wik...
Obama Administration Argues For Backdoors In Personal Electronics
you'll rest easy knowing that America's roughly 80 million gun owners already have the feds and cops outgunned by a factor of around 79 to 1.
ISIS Bans Math and Social Studies For Children
Can we get verification on this? The CNN story doesn't so much as contain a picture of the flier, let alone corroboration that these were really distributed by ISIS. Is this like how, a few weeks ago, they were incorrectly accused of performing FGM? If this one is accurate, we should be able to get some evidence, if not necessarily proof...
Web Trolls Winning As Incivility Increases
You might want to read more of her stuff before you dismiss her. She's primarily using the analysis of trolls, as examples of bad behavior, to study what our culture considers good behavior, and the boundaries thereof. She asks questions like "why is it okay for Fox News to sensationalize tragic events for their own profit, but not okay for a troll to amuse himself doing the same?", or "what are the boundaries between dialogue, critique, trolling, and harassment?" She treats trolls as a symptom of a culture that permits (and sometimes encourages) the behavior. Not because we're "bad" as a culture, but because sometimes our values and attributes (free speech, devil's advocate, macho, narcissism, etc.) sometimes intersect in odd ways. I've not seen her claim that things are now worse than ever before, nor that anonymity has anything to do with it, nor that "online"-ness is even particularly important -- this is just an entry-point to a wider field of study about cultural norms and how/when we break/bend them.
Ask Slashdot: "Real" Computer Scientists vs. Modern Curriculum?
I've recently watched my wife (C++ environment) deal with a new-grad (Java-based education.) It's true that pointers are a sticking point -- in the process of being taught Java, they get taught that pointers are bad and dangerous (all hail Java for solving the problem,) and can be made only barely tolerable by using auto_ptr, but really should just be avoided. Yeah, it's a problem, sure.
But the bigger problem we have with new-grads and junior-devs, in general, is the same problem you'd have in any field: they're green. They don't test well, or at all. They don't think designs through. They don't communicate well. They ask too many questions, or maybe worse, they ask too few. They try to fix things that aren't broken. They're bad at estimating task sizes (admittedly, people rarely get much better at that even after decades.) In an attempt to not suck, they reach out for best-practices and apply them zealously and inappropriately. They can't imagine how things will fail, or be abused. They spend too much time fixing small problems, and not enough time fixing big ones. And maybe worst of all, they're under the illusion that what they learned in school ought to prepare them for the workforce, when really it just gets their foot in the door.
We, as their seniors, are the ones that should be spending the time fixing their misconceptions, fleshing our their education, filling their minds with the horrors we've seen, and setting up their work habits. When they fail, it's because we fail to do these things, usually because we brought them in too late in a project, gave them too much responsibility, and are fighting a deadline. So we "just fix it" for them, and they don't learn from the experience, while we gain nothing in terms of productivity from having them.
But if I were to nitpick their education? Databases. Recent grads have little or no understanding of relational databases. Their thinking on organizing data, in general, is fuzzy at best, which impacts more than just database code, it impacts class and API designs, often crippling whole features with incorrect cardinality. It deserves more attention in school. The rest, we can fix in production. =)
Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS
We can still break into the systems we "need" to break into, without keeping a full hand of all possible vulnerabilities. To reduce our overall exposure to risk, it makes sense to disclose most of these to vendors for patching, maybe some with a delay. Our government can buy up vulnerabilities from Exodus, then release them -- Exodus gets paid, we get somewhat better security all around, and the NSA gets a few last holes to work with.
TrueCrypt Author Claims That Forking Is Impossible
There are situations where one could sue anonymously ( http://www.legalmatch.com/law-... ), and they should still have copyright protections ( http://commons.wikimedia.org/w... ) but proving themselves to be the actual authors and have standing to sue might be difficult?
Facebook Lets Users Opt Out of Targeted Ads
Competition. Invisible Hand. Selective pressure from consumers who don't want a site with 80% screen real-estate devoted to ads, and subconsciously choose to spend their time on sites with (for whatever reason) fewer, better ads.
There are obviously limits and pressures already at play, or every site would be nothing but a wall of ads, because "more profit."
Facebook Lets Users Opt Out of Targeted Ads
I'd like to opt out of the untargeted ads. I don't so much mind relevant, possibly-useful advertising -- I don't feel like it wastes my time so much, or even, in a way, creepily insinuates I would be interested in things I'm totally not. As long as the targeted advertising is done right, I'd rather have it. The more accurate such advertising gets, the more value-per-print it can generate, and therefore the less overall advertising will be required to sustain the "free" services we use. One well-chosen ad is worth dozens of spammy ones.
Or ... could we get the big advertising systems to allow us to pay them, centrally, to remove ads across all the sites they print on? And have them just forward a portion of the money to the sites themselves, just as they would have paid them to print an equivalent number of ads, while serving me nothing but 1px placeholders?
The Sudden Policy Change In Truecrypt Explained
And other people are trying to resurrect/fork it, trying to get all the legal ducks in a row to meet the requirements of the license.
I've been curious how the original anonymous developers would be able to enforce the terms of their previous license ... even if they had some means of proving in court that they really were who they claimed to be, and had the right to sue, they would lose their anonymity in the process, which is of some value to them.
The anonymity of the developers is a double-edged sword, in this kind of product. It temporarily makes it harder for intelligence agencies (or organized crime) to put pressure on them, but long-term, is it worthwhile? Either their identities will be found out and used against them, or their continued anonymity will be used against the project by at least casting down on the trustworthiness of the project. Ownership of crypto keys (software signing keys) is a pretty good stand-in for identity, except that our laws don't have the same respect for them as for other cases of identity-theft -- they're "just data", to be handed over, and possibly abused.
(Doubting the usefulness of anonymity in no way endorses the likes of Microsoft, and their line that having an established identity entrains reputation, and the desire to protect said reputation in turn guarantees trustable software. At least with TC we have source, and a hopefully independent audit, and that's perhaps the most important piece in the end.)
Google Starts Blocking Extensions Not In the Chrome Web Store
Ugh. I'm one of those developers who would be affected, as I have custom FF extensions deployed for a mid-size client. We don't use the "Enterprise" FF though. I suppose we might have to switch, and deploy FF updates differently, just to keep the ability to run extensions (that have no business being uploaded to anyone's store, as they're entirely site-specific.)
Really, Why Are Smartphones Still Tied To Contracts?
I worked as a programmer for the sales & marketing arm of a cell company, 6 years ago. It was quite clearly stated (internally) that they wanted to get out of the subsidy business, but they couldn't. They were too small to take the risk of being the first or only to do so in their market. So long as other carriers were offering subsidies with their contracts, making the move would be suicidal. We probably weren't the only company in that situation, but unless you could come to some grand bargain, nobody was going to move first.
Heartbleed Sparks 'Responsible' Disclosure Debate
So does that mean you're suggesting the safest course would be to:
(a) tell everyone to shutdown ALL OpenSSL-backed services, urgently.
(b) after 1 day, tell everyone they can bring their 0.9.8 services back online.
(c) after 1 day, tell the remainder that it's okay to come back online, with heartbeat disabled.
(d) have the patch ready for distribution around this time.
I agree with the caution. TBD:
(1) there's the risk that telling admins to shut everything down, all versions, without telling them why, will cause them to ignore the notice
(2) while these services are shutdown, what will admins do instead? will they use insecure services because "the show must go on"?
Heartbleed Sparks 'Responsible' Disclosure Debate
Yes. You don't have to notify people of the exact flaw and how it can be exploited, to help them protect themselves while waiting for a patch. The immediate response should have been to tell people to disable heartbeat, or barring that, shutdown their affected systems. Yes, it would suck, but since you don't know for sure that the exploit is known only to the researchers, you should assume it's in the wild, and this is the only safe thing to do in the interim. (Could this be used as a form of DoS? Sure, if sysadmins get used to wholly shutting down services anytime there's a warning from anyone, or if the partial shutdown of one service in fact makes another service less secure. TBD.)
All this discussion of disclosing to OpenSSL first, letting them patch, giving distros time to get updates ready ... ignores that the moment OpenSSL goes to fix the bug, the patches are public. Attackers waiting to see a flaw in OpenSSL would be monitoring version-control regularly, to see if any given patch looked interesting. While your distros are being quietly told to get updates ready, the attackers are analyzing the patch to see what kind of bug you fixed, knowing that, because there's radio silence, sites are vulnerable.
Making a big stink about it is the only way to make sure sites actually get updated, anyway. Distros and whatnot having updates available does not get those updates installed. We don't have auto-update on any servers. As was discussed recently, many sysadmins have to submit patches to change-control boards for approval, and if there's not a furor over the issue, there's no emergency approval.
(a) a blitz identifying only the versions affected and what to do about it,
(b) a patch release sufficiently delayed to give end-users a chance to shutdown affected services,
(c) a blitz about the availability of the update, which people will care about more because they've already had to take action to protect themselves, and are possibly sitting in a shutdown state.
First Phase of TrueCrypt Audit Turns Up No Backdoors
Not only does TC do a poor job protecting my data, but when an attacker does manage to guess a user's low-entropy password, he can then try that password all over the place to see where else the user has used it
That's not at all unique to TrueCrypt. If someone guesses a user's password, it's the user's fault they used the same password elsewhere.
Password-strengthening before encryption is not the same as salting & hashing passwords for later authentication, where rainbow tables and "guessing" a password makes sense -- we're not talking about storing the resulting strengthened password where it could directly attacked ... unless, maybe, perhaps you're trying to say this is stored in-memory while the system is running, and that's the kind of attack you're trying to describe? I don't see why the strengthened password would even need to be kept in memory once it's used to unlock the real keys, which TC will need at runtime for crypto. Having to re-fetch the real keys based on the password at every i/o would be prohibitively expensive.
Adaptation From Flash Boys Offers Inside Look at High-Frequency Trading
I mostly agree with you, although the article does also mention the murkiness surrounding the "dark pools" that banks run your order through first, where they could have the opportunity to trade against you, before forwarding to exchanges. The big exchanges might be vulnerable only to the multi-exchange exploit that is the meat of this article, but the "dark pools" are implied to have their own, different shadiness going on. Sadly, this piece doesn't explore that enough -- possibly because insufficient light has been shed on the issue to date. Investigations are in order.