
Comments

Password Security: Why the Horse Battery Staple Is Not Correct

pavera Seems flawed, but what do I know? (545 comments)

It seems to me the most likely machine to be compromised is probably a user desktop. Servers and web services can implement pretty effective countermeasures against brute force attacks (3 tries and you're done for an hour, 5 tries and you're done forever). Not to mention multi-factor authentication.

Putting all of your passwords, no matter how complex, on a Windows 7 desktop with a single (easy to remember, easy for a computer to guess) password, which can be trivially retrieved with a keylogger, seems like completely broken security to me. One zero day in IE, keylogger installed, access to all user passwords for all sites granted.

You're literally a single hack away from having bank accounts, social media, email, everything hacked. Or am I wrong somehow about password managers/keyloggers?

about a week ago

Despite Push From Tech Giants, AP CS Exam Counts Don't Budge Much In Most States

pavera A little early to judge? (144 comments)

Maybe my recollection is bad, but wasn't the big PR push just in the last year? I know at my high school (granted, almost 20 years ago now) you had to take 2 years of CS to get into the AP course and even attempt the test. So at a minimum I would expect the PR push to show up in next year's numbers. It's going to take more time and effort than 1 year of Google handing out cash to make a significant change in numbers, and it's going to take a long time to really improve pass rates. You can't just throw a CS book at your average HS student and expect them to get a 5 in 6 months' time.

It's going to take at least a decade to get female numbers up to parity; changing culture is hard. It's going to take at least a decade to improve pass rates because you have to start teaching CS earlier in order to have a foundation. We start teaching math in kindergarten; how many students take the AP test in calculus and how many pass?

Also, in my experience each year the tests are vastly different and have vastly different pass rates, so one year does not really mean much. My AP Chemistry test was an example: we only had a few students pass (with 3s) out of a class of 30, where the year before, 75% of this same teacher's class passed, and more than 50% got 4 or 5. After the test the teacher read through it and said our year was the hardest test she'd ever seen.

about a week ago

O3b Launches Four More Satellites To Bring Internet To 'Other 3 Billion'

pavera Not for home users... (80 comments)

From RTFS, it seems O3b is aimed at the ISP market. I think this could be quite neat: they are aiming at being a backbone provider for, say, a local wireless ISP on a tropical island. This ISP sets up their terrestrial WiFi equipment, and sets up a link to O3b for backhaul.

This could transform the competitive landscape in a lot of these places where either a) becoming an ISP means signing a multi-thousands/mo deal with the 1 company that has pulled fiber under the sea for thousands of miles, or b) having no option, because the terrestrial land lines are all owned by the government-run telco who has no interest in providing an upstart with bandwidth.

Of course, for this utopia of competition to break out, it assumes that O3b will be charging significantly less than whoever has pulled fiber under the sea, and that government regulation in all these countries doesn't simply preclude the business model by granting unlimited monopoly power to the government-run telco. I know in the 2 South American countries I've visited this second hurdle is much larger than the first... The government owns the telco, that's the only way to get internet, period.

But assuming I'm wrong about the regulatory landscape, and assuming O3b will have reasonable pricing, it almost becomes interesting to attempt to set up a WiFi-based ISP in some underserved country...

about 3 months ago

Fixing the Pain of Programming

pavera kettle, meet pot (294 comments)

I found it hilarious that the post bemoans the state of getting started with a new environment, and how it invariably requires a tutorial, and that is terrible.... And then you download their software and you're presented with a blank screen and no idea how to get started... so you turn to, you guessed it, a tutorial.

And then a tutorial that isn't even illustrated, so you can't tell what is supposed to happen when you hit cmd/ctrl+enter... I get a little checkbox next to my line of code.. I don't know what that means. Line is syntactically correct? Line executed? Line monitored by system? And it certainly doesn't provide any insight into the flow of data. I don't see a pane like I do in PyCharm that lists the variables with their current values, I don't see any state.. Is that intended? I don't know, the tutorial doesn't inform me, and the environment is useless.

I don't generally use debugging tools, preferring to keep my abstractions shallow, my code small and understandable, and a test suite that can prove that my code is handling the cases it's designed for correctly. In some projects, yes, complexity is a requirement, but I feel like the advent of IDEs and debuggers has only served to allow people to more easily break what is in my opinion the first rule of development:

  "Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?" - Brian Kernighan

Break systems down into small manageable parts. Write the code simply and clearly. Write tests EVERYWHERE.

about 5 months ago

Patent Suit Leads To 500,000 Annoyed Software Users

pavera Re:Tough, Apple (180 comments)

The problem is Apple *did* implement the standard; this is a classic submarine patent. Apple is using the standard SIPS+SRTP protocol... but guess what? These guys patented it a year before it was standardized, and now it's the de facto standard in everything (IP phones, LTE, literally all voice communications now use SIP).

So these guys printed a mint by patenting something, then getting standards bodies to adopt their standards, then claiming everyone infringes by implementing the standard.

about a year ago

Patent Suit Leads To 500,000 Annoyed Software Users

pavera Re:My give-a-darn meter is reading negative GADs (180 comments)

By my reading, this company VirnetX claims to have patented SIP... So Asterisk, Grandstream, and everyone else is probably on their list as well. Anyone who sets up direct communications between 2 endpoints violates their patent.

According to what I've read, using SIP secured by TLS/SSL and SRTP was only "standardized" in 2004, 1 year after these guys patented "setting up an ad hoc VPN" between two devices automatically (which is what SIPS+SRTP does) according to them.

So, I guess we'll all use VoIP again in 2023, once this patent finally expires.

about a year ago

Tesla Model S REST API Authentication Flaws

pavera Re:As usual, some things got left out... (161 comments)

How is it sloppy security practice? You're seriously arguing that *every* *single* *API* on the internet *must* implement OAuth right now because the API *will* be reverse engineered and users will be tricked into providing their credentials directly to a third party? Even when third party apps are not authorized? Every company with an API on the net *must* provide for third party access?

OAuth doesn't provide any security anyway. Users will still be tricked into providing their credentials directly to third parties (on phishing OAuth portals). What's going to stop someone from spoofing an OAuth portal, and distributing an app that redirects to said portal? User enters username/password on spoofed OAuth portal, third party has creds, does nefarious deeds. OAuth provides precisely 0 security if the user is not careful.

about a year ago

Tesla Model S REST API Authentication Flaws

pavera Re:Those who attempt to re-create Oauth... (161 comments)

Well, I'd argue this is one such context. There is no third party; Tesla's API is not designed for third party access, it's designed for Tesla app -> Tesla API communication. Adding OAuth to this workflow, just for kicks, certainly would decrease usability, as you'd get redirected to a third Tesla page, to provide your credentials and generate a token for Tesla's own app.... The Facebook and Twitter apps published *by those companies* don't use OAuth; they ask directly for your username/password.

Saying Tesla's app should use OAuth is crazy. Saying that anyone who publishes an API on the internet *must* implement OAuth so third parties can access the API is equally crazy.

about a year ago

Tesla Model S REST API Authentication Flaws

pavera Re:Those who attempt to re-create Oauth... (161 comments)

Tesla wasn't even trying to re-create OAuth; they *don't* provide third party API access. They implemented a perfectly reasonable first party API authentication mechanism. If users are inclined to give their creds to *unauthorized* third party apps then that is on the user.

Every API in the world shouldn't be *required* to provide third party access.

about a year ago

Tesla Model S REST API Authentication Flaws

pavera Re:Major fail for Tesla (161 comments)

The problem with the article and the sentiment you express is that this API is *not* a third party API. It is not published, it is not intended for use by third parties. OAuth is a PITA. Why would Tesla set up OAuth between themselves and... themselves?

OAuth is designed to work between 3 parties: the user, the "authenticator", and a third party app that wants to access the authenticated service on behalf of the user. In this case, Tesla implemented an API for their app to communicate with, so there is no third party involved, and the system wasn't designed to support third party apps. Now, intrepid hackers have reverse engineered this API, and services have begun popping up that provide "functionality" via this API, but they require you as the user to fully trust a third party that is *violating terms of service* and using an unpublished API that they've reverse engineered. If you as a user trust this third party you are foolish.

There are no Tesla approved third party apps, this API wasn't designed for use by third parties, so why would anyone expect Tesla to implement a third party authentication protocol? Is the argument really that *any* API exposed to the internet must provide access to third party apps? That seems a rather untenable position to take. Certainly it's not unreasonable for Tesla to ask for your username/password in *their own app*?

I'm much more concerned about banks not implementing OAuth, and the fact that there are literally millions of people handing out their banking credentials to third party apps (Mint, Money Desktop, etc). These apps are storing much more important (and much more valuable) info than any hacked third party app to honk your horn.

about a year ago
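
The three-party arrangement the comment above describes (the user, the "authenticator", and a third party app acting on the user's behalf), set next to the first-party username/password login it contrasts it with, as an added Python example that is not from the article, from Tesla, or from the poster. It models an authorization server and a resource server in one process and assumes plain function calls in place of real HTTP redirects; the scope names, the `horn-app` client, the URLs and the credentials are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed scope names for a hypothetical vehicle API (not Tesla's real API or scopes).
HORN, UNLOCK = "vehicle:horn", "vehicle:unlock"


class AuthorizationServer:
    """The only party that ever sees a password; it issues scoped, revocable tokens."""

    def __init__(self):
        self.users = {}    # username -> (salt, PBKDF2 hash)
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # one-time code -> (username, client_id, scope, expiry)
        self.tokens = {}   # access token -> (username, client_id, scope, expiry)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))

    def register_client(self, client_id, redirect_uri):
        # Registration is what makes a third party "approved"; unknown clients get nothing.
        self.clients[client_id] = (secrets.token_urlsafe(32), redirect_uri)
        return self.clients[client_id][0]

    def _check_password(self, username, password):
        salt, digest = self.users.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if not hmac.compare_digest(candidate, digest):
            raise PermissionError("bad credentials")

    def _issue(self, username, client_id, scope, ttl=3600):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, client_id, frozenset(scope), time.time() + ttl)
        return token

    def first_party_login(self, username, password):
        """Two-party case: the vendor's own app sends the password straight to the vendor."""
        self._check_password(username, password)
        return self._issue(username, "vendor-app", {HORN, UNLOCK})

    def authorize(self, username, password, client_id, redirect_uri, scope):
        """Three-party step 1: the user logs in here, never at the third party, and consents
        to a scope; the short-lived code is bound to the registered client and redirect URI."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri mismatch")
        self._check_password(username, password)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, frozenset(scope), time.time() + 60)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Three-party step 2: the client trades the one-time code plus its secret for a token."""
        username, bound_client, scope, expiry = self.codes.pop(code, (None, None, (), 0))
        expected = self.clients.get(client_id, ("", ""))[0]
        if bound_client != client_id or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("code unknown, already used, or not issued to this client")
        if time.time() > expiry:
            raise PermissionError("code expired")
        return self._issue(username, client_id, scope)

    def revoke_client(self, client_id):
        # Cut off one third party without the user having to change a password.
        self.tokens = {t: e for t, e in self.tokens.items() if e[1] != client_id}


def vehicle_api(auth, token, action):
    """Resource server: checks the token carries the scope for the action; never sees credentials."""
    entry = auth.tokens.get(token)
    if entry is None or time.time() > entry[3] or action not in entry[2]:
        raise PermissionError("invalid, expired or under-scoped token")
    return action + " for " + entry[0]


def outcome(action):
    try:
        action()
        return "allowed"
    except PermissionError:
        return "denied"


def run_demo():
    """Walk both flows with constructed credentials and report what each party could do."""
    auth, pw = AuthorizationServer(), "correct horse battery staple"
    auth.register_user("alice", pw)
    secret = auth.register_client("horn-app", "https://horn-app.example/cb")
    results = {"first_party": vehicle_api(auth, auth.first_party_login("alice", pw), UNLOCK)}
    # Third party is granted only the horn; Alice never types her password into horn-app.
    code = auth.authorize("alice", pw, "horn-app", "https://horn-app.example/cb", {HORN})
    token = auth.exchange_code(code, "horn-app", secret)
    results["third_party_honk"] = vehicle_api(auth, token, HORN)
    results["third_party_unlock"] = outcome(lambda: vehicle_api(auth, token, UNLOCK))
    results["code_replay"] = outcome(lambda: auth.exchange_code(code, "horn-app", secret))
    auth.revoke_client("horn-app")
    results["after_revoke"] = outcome(lambda: vehicle_api(auth, token, HORN))
    return results
```

Calling `run_demo()` shows what the third party gains and what it is kept from: it receives a token limited to the scope the user consented to, the one-time code cannot be replayed, and revoking that one client leaves the user's password untouched. The `first_party_login` path is the case the poster describes, where the vendor's own app sends the password directly to the vendor and gets a full-scope token with no redirect anywhere; the extra machinery only earns its keep once a third party is in the picture.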

Tesla Model S REST API Authentication Flaws

pavera Re:OAuth for Apps? Seriously? (161 comments)

The problem with the article is there are *no* authorized third party apps that use this API. Tesla does not provide third party access.

People have reverse engineered the API, and then if you give these third parties your credentials, they can make calls to the API and do things to your car. The article is arguing that *any* API that is exposed on the net *must* implement OAuth so that third parties can use it. Seems pretty crazy to argue that any API exposed to the internet must implement third party app access.

about a year ago

Google Argues Against Net Neutrality

pavera Re:No Google apologist here (555 comments)

I don't know where in the US you live, but where I live (yes in the lower 48) I've been hosting servers happily on residential connections for 13 years, using 4 different ISPs over that time frame.

Every ISP I know of here (CenturyLink (Qwest before the buyout), AT&T, and XMission) will gladly sell you static IP addresses on residential connections. Not 1, but a block of 16 or 32 (heck, XMission will give you a full class C for just $60/mo).

Why on earth would you buy a block of 16 IPs if you can't host servers on them?

Now, since it's not a business class service, you wouldn't want to put anything that needs super high availability on this connection, but that's perfectly understood. I'm hosting a few personal web sites, a couple blogs, a code repository, and a Minecraft server... If the rest of the country really is so seriously locked down against having a mail server in your basement, I guess I better not move ever.

about a year ago

Google Argues Against Net Neutrality

pavera Re:Again Slashdot Cant Read (555 comments)

I didn't see that anywhere in the linked article, but *LOTS* of ISPs will let you run a server; even Comcast will sell you a static IP (for $30/mo) and let you run a server. Sure, if you're filling up your upstream pipe 24/7/365 they'll probably get upset with you, but I've been running servers in my house since 2000 when I first got DSL: business servers, hosting websites (mine and other people's), hosting email, blogs, VoIP, code repositories, Minecraft, you name it... I've been on 4 different ISPs over the 13 years, and have never had a problem (even when the ISP was Qwest... well, there was a reliability problem then, but not a "shut down your service" problem).

about a year ago

Google Argues Against Net Neutrality

pavera pretty f'ed up google (555 comments)

Well.. I used to be jealous of the Google Fiber cities...

Now I'm happy to live on with my 40mbps/20mbps connection with 16 static IPs and an ISP that happily lets me host servers in my basement...

(Minecraft, Git repos, a couple web servers, media server, encrypted VoIP server for friends and family.... ) All cranking away on a couple old Dell servers from eBay...

Seriously, I wouldn't go near Google Fiber with that policy if they paid me to use it; in fact they couldn't pay me enough to use it (well... maybe if they paid me 6-700/mo so I could afford to colo my 2 servers in a cheapo datacenter).

about a year ago

Homeland Security Stole Michael Arrington's Boat

pavera Re:Importing a boat from Canada, (812 comments)

The FA clearly states the forms were all generated BY DHS... The government made a mistake generating the forms, and then wanted to force the citizen to lie and say they hadn't made a mistake.

Then they stole his boat for refusing to be complicit in a lie.

about a year and a half ago

Hounded By Recruiters, Coders Put Themselves Up For Auction

pavera Re:how many of the jobs didn't exist as well? (233 comments)

Sure, I didn't completely understand/put together the multiple offers/engineer thing... as a previous poster pointed out. But as the previous reply stated, that basically makes the numbers meaningless, so why share them at all except to brag... In that case it's just a case of statistics (of the lies/damn lies variety)... They picked the biggest number they had (total value of all offers, regardless of whether all offers could be accepted) and put it next to the smallest number they had (number of engineers) to get an "ooh wow" effect.

It has nothing to do with their potential revenues as that is based on accepted offers, hence my assumption of 1 per person. It is then impossible to infer anything about how many offers each engineer got, or how much the individual offers were for (although, on average each engineer did get offers worth 350-500k/yr... just might have been spread over multiple offers). Each engineer could have received an average of 5 offers of $68k/yr each and that would hardly lead to any of the conclusions of the original article... i.e. that there is a labor shortage, or that companies are having a hard time finding people willing to work (or even that "there's a huge need for something better in this space").... But again you can't tell anything from these numbers without the total number of offers, or the average number of offers per engineer....

My mistake was assuming that the numbers had some meaning... Unfortunately they don't. No reason to get all uppity though, sure I made a mistake. I can own that :)

about 2 years ago

Hounded By Recruiters, Coders Put Themselves Up For Auction

pavera Re:seriously? not this again (233 comments)

I agree with your premise there are lots of "developers" who have worked on a project that used technology X... And realistically only a couple members of any team are producing 70-80% of the code, but the recruiting agencies and HR depts are a huge part of the problem. I am (no really) in that 5%, but I have the hardest time finding jobs, because I've worked all over the map... From designing huge networks, to automating deployment of tens of thousands of network devices, to DB design/DBA type work, to software design, development, etc, both web and client based. HR departments are so keyword driven, they don't know what to do with my resume. I'm repeatedly told by recruiters "Well, this company only wants Java experience, so you're out because you have other experience on your resume". Or: "Your C++ experience isn't recent enough"... Sure it was 2 years ago, I'm sure the fact that I've been integrating a large C codebase with Python to make it scriptable for the last 2 years means I've forgotten all my C++... (And oh no, that reminds me... it's now been 4 years since I used Java professionally.. I'll probably never get another Java job again... or is that a good thing?)

I regularly teach myself new tech, and really enjoy working in the field, but the miscommunication between development and hiring managers/outside recruiters is very painful to deal with. I shouldn't have to explain to someone who's never written a line of code that there is very little difference between all these languages, and that I know I would be productive on a project written in C, C++, Java, C#, Python, PHP, Perl, Ruby, JavaScript, or SQL within 2-3 days at most. Hell, I was one of the most productive FoxPro programmers at one job I had (no, I don't list FoxPro on my resume) and I don't even know the language, but I could sit down in code review with the FoxPro developers and find/fix bugs all over the place.

On a different note: why is the position so "unattractive"? Because you're only offering $50k/yr for 6 days a week plus a rotating 24 hr on call day? Where's it located? Is it strictly an entry level position?

about 2 years ago

Hounded By Recruiters, Coders Put Themselves Up For Auction

pavera Re:how many of the jobs didn't exist as well? (233 comments)

So, these companies are really bidding an average of $350-$500k/yr for developers in these auctions?

And isn't your "4 years at google and a *Standford* CS degree" just the same arbitrary requirement as a recruiter that thinks "rails" is a form of transportation?

I have 15 years of software development experience, have run 2 startups (one as CEO, one as CTO), and been a team lead or senior engineer on multiple projects at both startups and established companies. I have extensive experience with C, C++, Java, Python, PHP, Perl, JavaScript, SQL, and lots more... And I'd be just as excluded by you, because my CS degree is from the University of Utah and I haven't worked at Google, as I would be by the recruiter who's never written a line of code and doesn't know that someone with my background can learn Ruby and be proficient in a week or 2 at most.

I also went to sign up on DeveloperAuction, and was disappointed that you give so much weight/prominence to github projects. I have many side projects, but not of the public nature, and I chose not to pay someone to host my source code privately when I can do that just fine myself thank you. (What self respecting software developer doesn't have 4-5 servers in their basement to host/play with personal projects?)

about 2 years ago

Earth Approaching Tipping Point Say Scientists

pavera Re:50-90%... They can't get any more accurate? (759 comments)

If, say, it's 80%, I don't think we'll double the amount of work/change we've done in the entire history of the human race in 100 years, and even if we do, we'll have 100 years to come up with new technology to mitigate our destruction... If we have 10 years, then we have to change everything today.. Better park your car and get out your bike. Turn off your computer and all your lights. Better start building your mud hut.

more than 2 years ago

Submissions

Paul Allen the Ultimate Patent Troll

pavera writes | more than 4 years ago

pavera (320634) writes "Paul Allen's company Interval Licensing LLC has filed a massive patent lawsuit against most of the tech heavyweights and many large e-commerce retailers. The suit alleges that Apple, Google, AOL, Office Depot, Netflix and many others infringe on 3 patents granted since 2001. These patents describe the "invention" of putting things in the peripheral vision of a user and presumably cover putting anything of an "advertising" nature outside of the main "content" area of a page. Patents in question: 6,757,682, 6,788,314, 6,034,652."

WikiLeaks Founder Accused of Murder

pavera writes | more than 4 years ago

pavera (320634) writes "The US Defense department is accusing Wikileaks of "having the blood of a young soldier or Afghan family on their hands" for the recent release of 92,000 classified documents. The documents contained sensitive information including lists of Afghan informants who are cooperating with NATO forces. Now that the Taliban has all of these names, they are systematically murdering them."

Journals

Linux on the Desktop

pavera writes | more than 11 years ago

I, like many others here, believe that the main issue with getting Linux accepted on the desktop has little to do with usability, and everything to do with the applications that are available for the system.

The 1 application that keeps me using Windows occasionally is Quicken/QuickBooks.

Obviously the Adobe apps keep a lot of people in Windows.

My thought is: how many of us have sent feedback to these companies explaining why we would like to see their software available for Linux, and explaining that we would be willing to purchase said software?

Here on Slashdot we have enough users to bring most web servers to the ground; could we not also bring these companies' customer support and feature request departments to the ground as well?

I feel that if we really voiced our desires we could get 1 or 2 apps moved to Linux that would allow many, many people to switch to this wonderful platform. If Intuit simply released Quicken/QuickBooks for Linux I would have 40 instant Linux desktop users. (I own my own company providing computer consulting to small to medium sized companies; of my clients, 3 have expressed strong desires to ditch MS, but cannot, only because of Quicken or QuickBooks; these 3 companies account for 40 seats.)

If you like my idea, please send email to any/all of the software companies whose products you would like to see ported to Linux.
