Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Londoners Tracked By Advertising Firm's Trash Cans

darthflo Re:Cell phones must stop broadcasting MAC addresse (189 comments)

And, btw, you SHOULD use encryption to browse wikipedia.

Great advice, and not only for the reason you stated. Several recent attacks (BEAST, CRIME, BREACH) will use unencrypted connections originating from your browser to discover information transmitted in its encrypted connections.

1 year,9 days
top

Londoners Tracked By Advertising Firm's Trash Cans

darthflo Re:Cell phones must stop broadcasting MAC addresse (189 comments)

Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL.

There are a bunch of ways of working around and/or breaking SSL. Please read up on ssl stripping and the recent series BEAST/CRIME and BREACH. The former will terminate an ssl connection early, rewriting all links and references from http to https. The latter will place an agent script in any http pages requested and use cross-domain requests to disclose secure information.

I think I'll stick with what the IEEE working group came up with[...]

Parent posts' only requirement was to enable network discovery without clients broadcasting probe requests. As long as no hiden SSIDs are involved, this functionality is widely available. Windows (XP and up, as far as I'm aware) will only send probe requests if it is configured to connect to a network with a hidden SSID. iOS is severely broken, Android (again, as far as I'm aware) a bit less so.
Long story short: You don't need to send out your MAC address to discover broadcasting networks. You need it to join them, which is an entirely different matter.

1 year,9 days
top

Java Zero-Day Vulnerability Rolled Into Exploit Packs

darthflo Re:Just remove Java and get it over with (193 comments)

I never heard of anyone getting rooted over a voice-only phone call.

Hi. (Online) Security Officer for a large bank here. I deal with Phishing, Malware and the likes on a daily basis. You are partially right: Most of the attacks we observe tend to rely on an online vector. However, mixed-media has seen a great rise throughout 2012, the most popular attack being phishing coupled with voice-only phone calls.
From our point of view, we can bring a lot of defense mechanisms into our online services, while phone-based authentication isn't quite up to scratch. Leaving phone-based attacks aside, simply forging your signature on a payment order tends to be easier than obtaining access to your online banking account.

That being said: I don't work for your bank and am not aware about its security deployment. If you are interested in banking online but worried about security, shop around and compare security mechanisms. Whenever possible, favor two-factor solutions whose secondary factor is some device that is not connected to your computer (e.g. PhotoTAN, Flickering or a card reader); avoid mTAN and any variations of printed code matrices.

about a year and a half ago
top

Congressman Introduces Bill To Ban Minting of Trillion-Dollar Coin

darthflo Re:Can't America get its acts together ? (1059 comments)

This sums up the real problem nicely:
"A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the Public Treasury. From that moment on, the majority always votes for the candidate promising the most benefits from the Public Treasury with the result that a democracy always collapses over loose fiscal policy always followed by dictatorship."
-- Alexander Fraser Tyler

But it can. If the population of that democracy is well-educated and far-sighted enough to realize how voting itself money from the Public Treasury would undermine the very basis of their community, it may just last. Case in point: Switzerland, whose employment law already dictates a minimum of four weeks' paid vacation per year recently held a public vote whether said minimum should be extended to six weeks'. The result? 67% of the voting public disliked the idea, a resounding no.

about a year and a half ago
top

My favorite resolution for the new year:

darthflo Re:WUXGA (266 comments)

If you make it large enough, most people will be happy with a single monitor. I'm a sucker for high resolutions and tend to be very wasteful with screen estate, yet just last week put one screen of my triple head setup (30" 2560x1600, flanked with 20" 1200x1600 in portrait mode on each side) into storage and rarely turn on the remaining 20" screen. 30" and WQXGA will do fine for most purposes.

about a year and a half ago
top

How the Eurograbber Attack Stole 36M Euros

darthflo Re:Dumb users (57 comments)

Not that dumb, actually:

Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.

Only after entering their cell details, users will get an SMS directing them to a ZeuS mobile package. That text was solicited (seconds before, by the user themselves), though, and the banking app actually prompts for a confirmation code that'll only be displayed if the user installs said app.

All in all some naiveté is required, but to me, the whole setup is insidious and intricate enough not to ring any alarm bells in your average user.

about a year and a half ago
top

Does Windows Phone 7 Have a Data Transmission Bug?

darthflo Re:Data plan limits are a scam (202 comments)

What I want is a committed rate and the option to pay in advance for a higher committed rate.

My cell's data plan includes 500 MB of data per month. That's not a lot, but it's enough for my push E-Mail, some browsing, Android Market downloads and whatnot. Each month spans a duration of some 2.5 Million seconds. If I had a commited rate, my data plan would be equivalent to (less than) 200 bps. A 2 MB Download would take three hours. Downloading Skype (at some 15 MB) would take approximately a day. And actually using Skype, I might transmit a second of audio every ten and receive another every other ten seconds.
I prefer to download Skype in a minute and tone back the data use for the rest of the day. Or use the bandwidth I won't be using while asleep for an hour-long call while I'm awake. Long story short, there's a reason server(-style) bandwidth is sold and metered in mbps and consumer bandwidth is sold in GB/month: completely different usage patterns.

more than 3 years ago
top

In France, Hadopi Reporting Begins, With (Only) 10,000 IP Addresses Per Day

darthflo Re:Carte blanche (376 comments)

Oh come on, people, please. Have a bit of imagination. Telephone systems and printed CAPTCHAS? This is the precise situation interpretive dance was invented for. Also, since this is France: mimes!

more than 3 years ago
top

Security Lessons Learned From the Diaspora Launch

darthflo Re:A Snippet from the Criticism (338 comments)

That snipped looks bad. But, if the model was implemented right*, it may be close to best practice.
Rails allows you to overload functions. Ideally, Album#destroy would check if the current user is allowed to delete the object and either delete itself or ignore the request if the user isn't authorized to delete it. Implementing security checks at the model level has the great advantage of limiting all security-related functions to a single, easily audit-able, consistent code path. The snippet still lacks reporting for permission (or missing album) errors, so it's not really nice, but possibly still secure.
Additionally, photos_controller could be using a before_filter checking if the user is authorized to do whatever he's trying to do. Given the snippet, a matching filter function would have to be rather strange, but it could be done.

* Two problems: The code lacks any exception handling and, as far as I know, relying on the user credentials gathered from the session object in a model is not considered best (or even good) practice. This could be somewhat mitigated if Album#destroy were to allow an optional parameter providing a user [id].

more than 3 years ago
top

The Many Iterations of William Shatner

darthflo Re:This is cool (152 comments)

(Spoiler alert)

The first paragraph of page 4 answers the question of gender. It's quite fun to get through the first three pages assuming the opposite and finding some aspects of that dynamic quite odd.

more than 3 years ago
top

HDMI Labeling Requirements Promise a Stew of Confusion

darthflo Re:Those names are a mistake (396 comments)

Consumers would be far better off if the labelling was required to carry the standard name (HDMI 1.3 or HDMI 1.4 with whatever add-on) and a URI pointing to the standards documentation.

Even simpler: Require the (required/tested) bandwidth to be printed on all devices and cables. Cables would be advertised as capable of 5, 10.2 or however many Gbps, devices would sport a table along the lines of 720p = 4 Gbps, 1080i = 6 Gbps, 1080p = 8 Gbps, 1080p60+3D (highest quality) = Over 9000 Gbps. To pick a cable, consumers could look at the packaging, manual or sticker on their devices, pick the greatest mode both devices support and buy a cable capable of at least that throughput. Problem solved, maximum compatibility achieved.

about 4 years ago
top

Chevy Volt Not Green Enough For California

darthflo Re:I'm puzzled (384 comments)

That was either a couple of decades ago or they eased up on you because of the pre-existing license. As of now, you'll take a written exam consisting of some 40 questions, most about road signs, some about the right of way on strange intersections. Passing that grants you a learner's permit with which you're expected to take about 15 lessons of driver's ed and a mandatory training programme spanning some three evenings before taking the actual exam of some 45 minutes of driving around with an examiner in the passenger seat who will be watching you quite critically.
Passing that, you get a license for three years during which you'll have to visit two whole days of training. Finally, at the end of those three years, if you haven't had your license withdrawn, you'll finally get the definitive one. Total cost starts at at least $1k (just exam fees and trainings), usually around $2-3k (including driver's ed).

about 4 years ago
top

Valve Apologizes For 12,000 Erroneous Anti-Cheating Bans

darthflo Re:Customer service (202 comments)

[...] for 12,000 people, eliminating any chance that they will pay Valve for it [...]

They actually seem to have handed out two copies to every affected account, i.e. 24'000 copies total. If even half of the gift ones end up with people who'll play them, Valve gets an 18'000 player boost to their L4D2 community and 18'000 people who might potentially mention L4D2 to their friends and invite them for a round of play.
Valve gets goodwill by the truckload, a large expansion of their player base and tons of inexpensive (but highly valuable word-of-mouth) marketing, those affected by the ban get a free game to play and one to give away -- everybody wins.

about 4 years ago
top

How Big Is Your Primary Display?

darthflo Re:dual-screen setups... (375 comments)

Does not. Windows will gladly do everything related to screen rotation, including adjusting ClearType.
Just be sure to configure them through the Screen Resolution application in your Control Panel, not the driver configuration window. Tested in 7, for other versions: Upgrade and run whatever legacy apps you've around in a VM.

about 4 years ago
top

How Big Is Your Primary Display?

darthflo Re:dual-screen setups... (375 comments)

now he has a three-monitor setup with that in the middle and the dual 2007FPs on the sides.

Same here, except with two NEC 2080UXis flanking an HP LP3065. The 20" panel width quite perfectly matches the 30" panel's height, and the awesome mounts of the NECs allow for rotating and matching to the center display with, well, no work at all.
You'll need four DVI channels, though. Two (through a dual-link cable and plug) for the 30" and one each for both 20" displays. I'm not sure if you could handle them both through a dual-link interface, so i threw in a second video card and attached a 1920x1080 projector, which brings the whole system to just above 10 MPixels of display space on 4 sq meters or so.

about 4 years ago
top

How Big Is Your Primary Display?

darthflo Re:Size is not as important as resolution (375 comments)

20" UXGA displays do have one advantage to 21.3"s: Rotate 'em by 90 degrees and they neatly flank a 30" WQXGA display. 4960x1600 perfectly lined up Pixels is what awesome looks like.
And if you arrange them right (20", 30", 20" side-by-side), you get a huge center area for whatever you're focusing on plus enough screen real estate for whatever you're monitoring in the background (Or need to have an occasional look at.)

about 4 years ago
top

Facing 16 Years In Prison For Videotaping Police

darthflo Re:If you've nothing to hide... (878 comments)

In a working direct democracy, the government cannot pass legislation that'll piss a majority of the people off. Unfortunately, and that's not even limited to the US of A, a lot of people are amazingly stupid. But to get back to your examples:

How about another tax hike

Roads, schools, firemen and, well, every other public service need funding. If backed by valid reasons, few people will contest a tax hike.

how about making driking and driving laws so strict that using mouthwash 10 minutes before driving to work will put you over the legal limit

You don't get convicted on a breathalyzer readout (not in Europe, anyways. The strange things you folks overseas do are, well, strange). You'll get taken to the nearest hospital, lose a couple drops of blood and with a bit of a delay you'll be on your way without a charge. Use an alcohol-free mouthwash before your next important appointment and you're good. And again, most people prefer a couple of mouthwash-related blood alcohol tests to hordes of drunk people in control (or lack thereof) of two tons of speeding metal each. Cars are dangerous. Operating dangerous machinery while drunk is deadly.

how about the war on drugs and the laws against certain harmless ones like Pot

That one is quite sad. Basically it boils down to dumb people being afraid of things they don't understand. It's not entirely the politicians' fault, though. Check the voting records of, say, Switzerland, where public votes have been had: the disappointing turnout was some 65% of naysayers. Broaden your horizon: pot consumers tend to be in the 15-30 age bracket, and there's a whole bunch of voters aged 30+ and lots of them don't see a reason to legalize.

how about all the regulations that drive up the costs of consumer goods

Can you spell Nanny State? A lot of people do and really like the concept of it. In any case, it's easier to just regulate everything than find a great balance; and it's easier to just nod things through than propose a better alternative.

how about the laws about speed on straight roads in the middle of nowhere with no traffic

As far as I know, none of the satellite-based have left their trial stages. Save for those, you're good to go: as long as you are concentrated enough to see and react to any speeding cams, patrol cars and wild life from far enough, none of these will bother you. It's quite logical: If you speed only as much as you can actually handle, you won't be arrested because you'll already have slowed down to the speed limit in the event of a checkpoint. If you couldn't manage that, you were demonstrably going faster than you can handle and should get ticketed.
In any case, speeding cams get approval ratings of around 70% in the UK. Speed limits probably even higher. This is not the government working against you, it's the government working for the majority of voters.

about 4 years ago
top

Mozilla Bumps Security Bug Bounty To $3,000

darthflo Re:Insulting? (73 comments)

You're probably thinking of these. Not quite $3000, but 0x$1 is a start.

more than 4 years ago
top

HSBC Bank Sends Activated Debit Cards Through Mail

darthflo Re:tell em how you feel... (220 comments)

The card companies hate that.

They don't. They get around 2-3% of every transaction, which is quite enough to make them very profitable. Of course, charging you 15% APR on way too much credit is even more profitable, but not required. If you want to piss them off (and can take a bit of a dive in your credit score), take up one of the numerous "0% APR over 12 months" offers and clear the card right out. Expect to be charged $5 per withdrawal, so head to the bank counter and get those $10k or whatever you're approved for in one swoop instead of ten transactions at the ATM. Deposit all of it into a high-yield savings account (2-3% are quite realistic) or, if you're feeling really ballsy, stocks*. After a year, pay off your $10k in credit card debt and keep the $2-300. Or, if you've gotten another "0% APR" offer, get it and use it to pay off the other card, netting you another 12 months of interest-free capital to play with; totalling $400-$650 with no risk or associated cost.

Oh, and 'cause this is slashdot, we'll need a car analogy: Paying off in full at the end of the month is like hailing a taxi, having it drive to the airport and not tipping: very much okay. Aggregating debt is like taking the taxi at the very back of the row at a train station, having yourself driven to the airport and tipping generously. What I've described above is catching the cab at the front of the line (after the driver has been waiting in there for an hour or so), having yourself driven around the block, getting out after half a mile and not tipping. Heh.

* Stocks are very profitable for long-term investments. If, after a year, your portfolio has not made any progress, you will be deeper in the shitter than you'd be if you'd have stuck to your own cash. You will not be breaking even against a 15% APR on your capital. Do NOT invest more in stocks than you have on hand and can spare. Mortgages, nest eggs and retirement savings (after passing 50 or so) are not in that group.

more than 4 years ago
top

Proximity Sensor Presents Latest iPhone 4 Issue

darthflo Re:Next please! (446 comments)

[...] now bitch how badly WIn 7 runs on a 2008 netbook...

Win 7 runs very satisfyingly on my 2006 (February even) T60p. With all the Aero nonsense of Vista and the useful additions 7 added. I'd say it's about as snappy as XP ever was.

more than 4 years ago

Submissions

top

Favourite measurement of length?

darthflo darthflo writes  |  more than 4 years ago

darthflo (1095225) writes "- Metric (metres)
- Imperial (leagues, miles, furlongs, chains, rods, feet, links, inches)
- Planck lengths
- Ångströms
- AUs
- Parsecs
- Light years/minutes/seconds
- Libraries of Congress (on paper)
- Other (specified below)"

Journals

darthflo has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>