Slashdot: News for Nerds





Heartbleed Sparks 'Responsible' Disclosure Debate

marienf Doesn't ANYONE get it??? (188 comments)

> and not as late as it did on April 1

That must have been the most expensive April Fool's joke EVER.


about 3 months ago

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

marienf Near Zero Impact (144 comments)

> Most Linux distributions use OpenSSL for TLS.
> Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation,
> and if it doesn't, then it's not affected by this bug (one example is Google Chrome)

Agree. I've run through everything that linked to gnutls on my distro (Arch) and although there are
quite a lot of binaries that do, most of those do not offer TLS connections (or any network connectivity at all), so my
guess (without knowing GnuTLS at all) is that they use some other feature offered by the library.

Of those that I know are actually capable of SSL/TLS connections, all (also) link to OpenSSL.

So without making a definitive statement, AFAICT this should have near zero impact on GNU/Linux.

about 4 months ago

Microsoft Circles the Wagons To Defeat ODF In the UK

marienf part of my solution below (exim4) (89 comments)

# Exim ACL statements for the DATA-time ACL: demime matches on the attachment's file extension.
deny demime = xlsx:docx:pptx
    log_message = Message contains OOXML Attachment.
    message = We Do Not Accept OOXML (docx,xlsx,pptx) Attachments See

# Outlook's TNEF wrapper (winmail.dat) is rejected the same way; note that this
# extension match catches any .dat attachment, not only winmail.dat.
deny demime = dat
    log_message = Proprietary Attachment format
    message = Non-Standard Attachment Practice (winmail.dat). Please Fix Your Email System.

about 5 months ago
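The exim rule in the post above decides by file extension only, so an OOXML document renamed to something innocuous slips past it. The following Python is an added example, not part of the post or of exim: it classifies attachments the way the rule does (by declared filename) and additionally by content, using the facts that an OOXML file is a ZIP container holding a [Content_Types].xml entry and that a TNEF (winmail.dat) file starts with the signature 0x223E9F78 stored little-endian. The sample messages and attachment payloads are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the exim rule rejects by name; used here for the same name-based check.
OOXML_EXTENSIONS = {"docx", "xlsx", "pptx"}
# TNEF (winmail.dat) files start with the signature 0x223E9F78 stored little-endian.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def looks_like_ooxml(payload):
    """Content check: an OOXML document is a ZIP container with a [Content_Types].xml entry."""
    if not payload.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, payload):
    """Return 'ooxml', 'tnef' or None for one attachment, combining the declared
    filename (what demime looks at) with the content's magic bytes."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in OOXML_EXTENSIONS or looks_like_ooxml(payload):
        return "ooxml"
    if name == "winmail.dat" or payload.startswith(TNEF_SIGNATURE):
        return "tnef"
    return None


def check_message(raw_message):
    """Parse an RFC 5322 message and return [(filename, verdict)] for every attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results.append((name, classify_attachment(name, payload)))
    return results


def build_sample_message(filename, payload):
    """Constructed test input: a minimal message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def fake_ooxml():
    """Constructed stand-in for a .docx: a ZIP whose only entry is [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", b"not even a zip"),                 # caught by name, as demime would
        ("report.bin", fake_ooxml()),                        # renamed: only the content check catches it
        ("winmail.dat", b"\x00\x00"),                        # caught by name
        ("attachment.bin", TNEF_SIGNATURE + b"\x01\x00"),    # renamed TNEF, caught by its signature
        ("notes.txt", b"plain text"),                        # accepted
    ]
    for name, payload in samples:
        print(name, "->", check_message(build_sample_message(name, payload)))
```

The content check is what turns the policy from a naming convention into a property of the data; a mail filter that only reads filenames will reject honest senders who used the right extension while accepting anyone who renamed the file.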

With HTTPS Everywhere, Is Firefox Now the Most Secure Mobile Browser?

marienf Re:who are we fooling? (279 comments)

> So what are you proposing instead?
I'm proposing to stop outsourcing most PKI to central authorities, making the "trust" a conscious user decision.
Now before you argue that I can remove all authorities from my browser and add exceptions as I go, this is not a solution as what I will find
is single-signed by some company I have no way of checking. If what I found was multi-signed there would be a reasonable chance of determining
a level of trust via my web of trust. e.g. I would have something to go on while making that decision.

> I think the whole point of HTTPS Everywhere is that using it is better than not using it.
Sure, but HTTPS (SSL, TLS..) is not what I have issues with. What I have issues with is using certificates single-signed by central authorities and preloading these into client software.

> As security increases, convenience decreases.
I cannot argue with that :-) I just think it's necessary.

about 6 months ago
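The reply above contrasts a single signature from a company the user cannot evaluate with multiple signatures that can be weighed against the user's own web of trust. As an added example, not part of the post, the following Python implements that weighing the way the PGP trust model does it, using GnuPG's default thresholds (a key is valid once it carries a signature from one fully trusted valid key or from three marginally trusted valid keys, chains at most five certifications deep). The key ids and the owner-trust assignments are constructed for illustration and do not refer to real keys.

```python
# Owner-trust levels the user assigns to each key, as in the PGP/GnuPG trust model.
FULL, MARGINAL, NONE = "full", "marginal", "none"
# GnuPG's default thresholds (--completes-needed, --marginals-needed, --max-cert-depth).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(own_key, owner_trust, signatures):
    """Return {key_id: depth} for every key the user's web of trust makes valid.

    own_key     -- the user's own key: ultimately trusted, valid at depth 0.
    owner_trust -- {key_id: FULL|MARGINAL|NONE}: how far the user trusts that owner
                   to certify other people's keys (a conscious, per-key decision).
    signatures  -- {signed_key: {signer_key, ...}}: certification signatures seen.

    A key becomes valid at the first depth level where it carries signatures from
    COMPLETES_NEEDED fully trusted valid keys or MARGINALS_NEEDED marginally trusted
    valid keys; the user's own signatures count as full. Only valid keys can introduce
    others, so a signer the user has never evaluated contributes nothing.
    """
    valid = {own_key: 0}
    for level in range(MAX_CERT_DEPTH):
        introducers = {k for k, d in valid.items() if d <= level}
        newly_valid = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = set(signers) & introducers
            full = sum(1 for s in usable if s == own_key or owner_trust.get(s) == FULL)
            marginal = sum(1 for s in usable if s != own_key and owner_trust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = level + 1
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


# Constructed sample web of trust (hypothetical key ids, not real people or keys).
OWN_KEY = "me"
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}
SIGNATURES = {
    "alice": {"me"},                      # signed by the user: valid whatever alice's owner trust is
    "bob": {"me"},
    "carol": {"me"},
    "dave": {"alice"},                    # one fully trusted introducer is enough
    "eve": {"bob", "carol"},              # two marginal introducers: short of the three needed
    "frank": {"bob", "carol", "dave"},    # three marginal introducers, all valid: valid
    "grace": {"megacorp"},                # single signature from a party the user never evaluated
}


def key_status(key, validity):
    return "valid (depth %d)" % validity[key] if key in validity else "unknown"


if __name__ == "__main__":
    validity = compute_validity(OWN_KEY, OWNER_TRUST, SIGNATURES)
    for key in sorted(set(SIGNATURES) | {OWN_KEY}):
        print(key, key_status(key, validity))
```

The "grace" entry is the single-signed case from the post: with nothing in the user's own trust assignments to connect the signer to, the key stays unknown no matter who the signer claims to be, whereas "frank" becomes valid only because three independently evaluated, marginally trusted people vouched for it.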

With HTTPS Everywhere, Is Firefox Now the Most Secure Mobile Browser?

marienf who are we fooling? (279 comments)

> this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser
> against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies.

While I certainly think it is a good idea to encrypt traffic, this statement is highly misleading or naive: Since the CA
system is *flawed by design* and every one of those "authorities" in the long list of built-in CAs inside
your browser can, by negligence or choice, supply any of these and other agencies with a valid certificate for
*any hostname in the world*, initiatives like these protect your privacy only from your local sysadmin/ISP, and also
do nothing against traffic analysis.

Should a US person/company trust that "China Internet Network Information Center" isn't going to create a cert for a
US bank or company to perform a MITM attack with? Should a Chinese company trust "Wells Fargo" not to?
Should the Greeks trust "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007", or the
Turks "Hellenic Academic and Research Institutions Cert. Authority"? What on earth makes you think ALL of these
companies can resist pressures to misbehave? Yet all of them are built into your browser and "you" trust them.

Just go to any (Cloudflare, Akamai..)-accelerated site using https and check out the certificate used to see how that works:
They are issued certificates for the customer domains they accelerate, and hence have access to all the traffic.
In essence, they do exactly what a man-in-the-middle attack would do, except on a much grander scale (and with the collusion
of the actual domain holders). The agencies can carry out such attacks from within the ISP's, and your browser would still show "green".

The Cert validation in the browsers leads to a *dangerous false sense of security* at most. This is crypto, a weakest-link business
if ever there was one, folks. It's not ALL, or SOME that need to fail in order for PKI to fail, it's ANY of them.

Surely, we can do better than that: We should get rid of all centralised security illusions. Why aren't we signing contents using our PGP
keys that at least make multiple signers possible and habitual, and, and this is the essential difference, IMHO: That *you* have made a
conscious decision to trust or mistrust, to a certain degree, by reviewing a web of trust, as in informed consent as opposed to blind paternalism
of massively built-in, pretrusted certificates by distant companies you really have no clue about.


about 6 months ago

Ask Slashdot: Are AdBlock's Days Numbered?

marienf You sign all worthy contents using PGP (731 comments)

.. and NG adblockers (or browsers, full stop?) allow the contents according to the user's Web Of Trust ..
Chances are.. any ads that *do* get through.. will be very appropriate and welcome ..


about 6 months ago

Is the World Ready For Facial Recognition On Google Glass?

marienf blinders are effective in low light (469 comments)

Anyone know if those LED baseball caps really work? What about a can of spray paint, aimed at the Glass-hole?

This looks promising, it's an IR based 'camera blinder' that hides your face:

Dunno how effective it is against different camera types and it does require you to wear a dumb-ass headband but it looks like a promising concept.

I've been playing around with various IR LED types, such as this one, at a couple of wavelengths, and I found that in darkness and twilight, you need only very few to become a huge blob of ghostly light, but in good lighting conditions, a good camera like an Axis P3367 and even some of the crappy webcams I tried will see them as merely little points of red light. So I'll integrate a bunch in my backpack's straps and on its surface, to at least get that commute, including subways etc.. covered, but with little hope of completeness.

So the real challenge may be: can we build a device that automates lens detection, focuses a small laser on the lens in question, and keeps it there while both the lens and the wearer of the countermeasure laser move along. +1 for a switch that will briefly increase laser power to burning strength. As in using a 2W Laser diode at low power. Capability :-)

about 7 months ago

Should companies start using drones for common tasks, like package delivery?

marienf My Predator Drones Are Horny (378 comments)

My small fleet of predator drones can't wait to get their jamming signals over,
and clamps around some of those flimsy, commercial dronettes unequipped with proper
countermeasures for years to come.

I've freed some well-lit shelf space to display the various remains: Controlled descent with
a predator attached may lead to rough landings if they somehow manage to keep their own motors on.

Any payload will be a nice bonus.

Still considering in-air killing techniques.. ideas welcome.

about 8 months ago

Ask Slashdot: Recommendations For Beautiful Network Cable Trays?

marienf Best Of Both Worlds? (250 comments)

They're both right: The network guy about trays being a great solution, and the office designer about trays being butt-ugly.
However, why not work some type of panelling below, rising to the sides of the trays? I'm not a designer by far, but it seems to me that
hiding the trays cannot be exceptionally difficult, and can be done with much freedom of style. And all of that should be open from the top,
and far enough from the ceiling to keep easy access.

Next, the cables coming down. The covering should accommodate cable drops without these having to "spill over", and in a way that keeps them very accessible. Simple holes? Also, the cables themselves could be surrounded by some spiral or other form, lending them style and possibly even some strength. The spiral could even be strung between the casing and the desk, making it an active element of design, rather than a trick to 'hide the ugly cable'.

The panellings could be cut/painted in a themed shape/color, or be kept elegantly simple, depending on the design of the surrounding office.


about 8 months ago

The Academy For Software Engineering: a High School For Developers

marienf Re:The education part sounds great... (56 comments)

second that.

This program comes with a brainwashing guarantee.
I mean: Google, Facebook and JPMorgan!

War is Peace!
Privacy is a crime!
Sell your friends!
Debt is your own fault!
Shut Up And Shop!

about 9 months ago

LG Launches Its Firefox OS Phone Fireweb for $200

marienf GeeksPhone Peak+ (91 comments)

        CPU Qualcomm Snapdragon S4 8225 1.2Ghz x2.
        UMTS 850/1900/2100 (3G HSPA).
        GSM 850/900/1800/1900 (2G EDGE).
        Screen 4.3" qHD IPS Multitouch.
        Camera 8 MP (back) + 2 MP (front).
        4 GB (ROM) and 1 GB (RAM).
        MicroSD, Wifi N, Bluetooth 2.1 EDR, Radio FM, Light & Prox. Sensor, G-Sensor, Compass, GPS, MicroUSB, Flash (camera).
        Battery 1800 mAh.

about 9 months ago

Oracle Attacks Open Source; Says Community-Developed Code Is Inferior

marienf Re:Wouldn't Java be a counterexample? (394 comments)

As opposed to Java's "write once, debug everywhere", you mean :-)

I understand where you're coming from with that comment, however.
When I tell folks I'm back to C/C++, the comments I get are mostly

"how will you get the horrible memory management right"
"you will get into trouble with POINTERS" (the last word pronounced like "ZOMBIES" in a 1970's B-movie)
"you'll get STACK OVERFLOW and you'll be hacked!"

This is mostly because all you young folks have stopped looking at C/C++ in school, and in the state they were at that point.
Today, and for at least a decade, memory management is clean and easy to use, in C++, pointers have always been a matter of
understanding how they work, to use them right, and compilers have come a very long way in warning us, and by now, not getting
your boundaries right has about the connotation of not being literate, amongst developers. In other words, it's a matter of being a proficient
developer, and that goes for Java as well.

Time has passed, the language, the standard libraries, and the developers have grown up. I'm just sad that many of us (including myself) have been
side-tracked onto someone's corporate agenda, and that we're only waking up now.

In that sense, I'm glad that Oracle bought Sun Microsystems. Sun's "Unix Veterans" aura may have prevented many from seeing Java for what it was. Oracle, certainly awakens no such emotions :-)

about 9 months ago

Oracle Attacks Open Source; Says Community-Developed Code Is Inferior

marienf The Sad Truth About Java (394 comments)

What makes me so very sad about the Java/J2EE situation, is that so many folks have wasted so much time and energy,
and often written excellent code, to make Java/J2EE the platform that has the most comprehensive and the most advanced
set of libraries available, while remaining, in my opinion, a misguided, marketing-driven, anachronistic attempt at domination,
and a crippled language (forced GC, no delete operator).

All that wasted energy could have gone into a serious programming language and environments supporting it. If you look
at what C++ has become, I feel Java is a joke, and J2EE Application Containers are a foolish attempt at replicating the functions of an OS.
Java failed on the desktop, and is now Legacy in Enterprise environments, on the server-side. There's no future for it since young folks have moved on to more advanced languages, and old folks have stuck with C/C++ and will return to it (I know I am).

And Multiplatform? Gimme a Break! How many viable platforms do you think we have remaining, server-side? I think there's more than one (There's BSD and there's GNU/Linux, and there may one day be HURD), but guess what.. They're all "Not Unix" and therefore, easy to code for as if they were all Unix :-)

about 9 months ago

Google X Display Boss: Smartphones, Tablets, Apps Are "Mind-Numbing"

marienf Mind-numbing has a few subtle meanings (157 comments)

While I'm certainly one of those people that find it "mind-numbing" that someone would want to use tiny screens, tiny fiddly on-tiny-screen change-mode-every-3-keycaresses (can't make myself call *that* key-"stroke"s), wasting an entire hand holding the device, barely-past-modem-era-connections, modem-era-connection-reliability, etc.. in the first place, when large-screen laptops with decent keyboards and 100Mbit/s to the home and office are readily available, it can also be said that the only thing to be gained, in my view, the "mobile" aspect, reminds us of the *other* meaning of mind-numbing: It will numb your mind to be "online" and "reachable" all the time, because your mind *requires* being "offline" for its normal functioning.

Now.. driverless cars may be a solution.. give you time to daydream so your DMN can function properly, unless you spend the time "being online".. But I'm not charmed by any of the other "moonshots", either. For Glass, it's a matter of being able to take it off, and not becoming a Gargoyle. And Loon.. Are "rural areas" then to be Google's "perspex boxes" as in

to see if rural folk's albumin will leak out of their brains, as it did in the rats (sarcasm, but not quite crazy)?


about 10 months ago

The Hail Mary Cloud and the Lessons Learned

marienf Agree to simple fix, but this is OLD (99 comments)

Oh please.. This is so old.. haven't allowed password logins in the last decade or so..
Why on earth would anyone have allowed password logins for the last 10 years? Or: Ever?
Someone that's savvy enough to get a shell account is savvy enough to use a key pair.
It's 2013. I mean, seriously, PASSWORDS? for SSH?? You must be joking.


about 10 months ago
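The comment above is about policy, not configuration, so here is an added example (not from the post) of what actually enforcing "no passwords for SSH" looks like and how to verify it: a Python audit of an sshd_config that follows sshd's own rules, where keywords are case-insensitive, the first value given for a keyword is the one that counts, a commented-out line leaves the compiled-in default in force, and anything after a Match line applies only to matching connections rather than globally. The two configurations are constructed samples, a stock one and a hardened one; the sshd keywords and defaults are OpenSSH's own.

```python
import re

# Keywords whose value matters for a key-only server, with the values accepted as safe.
EXPECTED = {
    "passwordauthentication": ("no",),
    "challengeresponseauthentication": ("no",),
    "permitrootlogin": ("no", "prohibit-password", "without-password"),
    "pubkeyauthentication": ("yes",),
}
# What sshd assumes when the keyword is absent (a commented-out line leaves the default in force).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Newer OpenSSH releases spell the keyboard-interactive keyword differently; both name the same setting.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}.

    Mirrors the rules that bite in practice: keywords are case-insensitive, sshd keeps the
    FIRST value it meets for a keyword (a later 'PasswordAuthentication no' does not win),
    and everything after a Match line applies only to matching connections, so it is
    not part of the global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(keyword, effective_value, accepted_values)] for every setting outside policy."""
    settings = parse_sshd_config(text)
    findings = []
    for key, accepted in EXPECTED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective not in accepted:
            findings.append((key, effective, accepted))
    return findings


# Constructed sample: a stock configuration that nobody hardened. The commented-out
# line is a classic trap: it changes nothing, so the default (yes) stays in force, and
# the Match block disables passwords for one user only.
WEAK_CONFIG = """\
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the same server with key-only login enforced globally. The second
# PasswordAuthentication line is deliberately contradictory to show that the first value wins.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Disabling PasswordAuthentication alone is not enough: keyboard-interactive authentication is a second path that PAM can turn back into a password prompt, which is why the hardened sample sets both keywords. After changing a live server, confirm the effective values with `sshd -T` before closing the session that got you in.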

Ask Slashdot: Suitable Phone For a 4-Year Old?

marienf Rug Rat != Lab Rat (682 comments)

Apart from all the twisted psychosocial stuff, the attention span issues, etc..,
I believe that at this point and with this kind of research questions being asked:

(4 min and onwards - LONG) .. allowing a child anywhere near a source of modulated microwaves is irresponsible,
and for the supposedly well-informed slashdot audience, in my view borders on the criminal:

Time will tell what that kind of exposure will have done to us.. As adults, we can decide
for ourselves whether the risk is worth the benefits, but as children we cannot make such
decisions and we're supposed to have adults to protect us.
Even if you still believe that the research results are "inconclusive", and you're willing to take
the bet for yourself, this is just not a risk you take with a child!

I'd suggest you find an alternative technology..


about 10 months ago

Lockbox Aims To NSA-Proof the Cloud

marienf Re:Clown Computing!!!?? Stop already. (292 comments)

I see your point, and I also see the communications failure that is entirely my fault.

I'm writing about where I think we should take our dollar (euro.. etc).. to achieve our goals of security, safety, efficiency, privacy of our data, in the near future, you guys are writing about how this can or cannot be solved in the current situation, today. I think we should take those dollars (and those bytes) away from Big Data and towards ISP's that offer neutrality and high upload speeds, using tech like

and a web of trust + good encryption and your backup (and a lot of other things you now host somewhere) can transparently be HA over a whole bunch of machines of folks you know (and theirs on your H/W.) You don't have to pay for tier-1 storage, just duplicate more.

I believe our freedom requires the death of the C/S model, and a focus on improving the network itself to allow for full-featured P2P. Lots of little private clouds (cloudlets?) all over the Net, instead of a limited number of huge ones.


about a year ago

Lockbox Aims To NSA-Proof the Cloud

marienf Re:Clown Computing!!!?? Stop already. (292 comments)

Sure, ok, but that only means you have a well-designed backup service, and that has nothing to do with where it stores its data: It could be saving to your own device, or to devices at one or more trusted parties *of your choice*. In essence, towards devices managed by people that you have a mutual agreement or a true definable trust relationship with.

I'd like to hear *one* example of a useful application that is better off in "the cloud" than implemented with other schemes, even a bunch of VM's in your own data center. All I can think of are one-off raw-power activities using only publicly available data. And even those could be distributed if you have an adequate web of trust.

about a year ago

Lockbox Aims To NSA-Proof the Cloud

marienf Clown Computing!!!?? Stop already. (292 comments)

Can we stop pretending that "The Cloud" has actual meaning, technical relevance, etc..?
Do we really have to go back to the fracking mainframe with all our eggs into one (someone else's) basket,
and at the mercy of whatever corporate greed du jour? Your Brains! They are SOOOO CLEAN!

We have so much computing power and bandwidth in the home and office that it should be perfectly feasible
to go exactly the other way, do away with the stupid client/server model and go 100% P2P, keeping
one's own data on one's own hardware in one's own home.

ISP's that go symmetric and neutral will survive.

about a year ago



Cryptome emptied of contents (again)

marienf writes  |  about two weeks ago

marienf (140573) writes "Cryptome, the original whistleblower site, shows conspicuously empty again:

---cut here---
403: Forbidden
This error message is generated when the web server is trying to access a file that does not exist or has been configured incorrectly
Troubleshooting suggestions:
Ensure that you have a valid home page defined in your website directory (example: /htdocs/index.html, /htdocs/index.php). On Unix, this is case sensitive and must be all lower case.
In your Account Manager, under Hosting Tools, click to .Reset File Permissions..
---cut here---

.. It's a strange coincidence that they promised to release >1million documents freed by Snowden this very month.. .. and that they're 20% into getting funded at Kickstarter.. Either someone fears this release, or it's the dumbest publicity stunt I've ever seen. The latter would be so very out of character with what I've seen so far from John and Deborah, that I'm convinced of the former.

I strongly suggest we slashdot (v.) the kickstarter campaign in a financial sense so they get funded ASAP -preferably a few times over- and they get it over with, publish the whole set already!

Done my bit at:



marienf has no journal entries.
