Comments

Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re:Stupid (344 comments)

What you propose would not stop the attacker diverting users to the WRONG https site; this is especially an issue with sites that use third party payment processors. There is nothing to stop an attacker registering, say, "angelpay.co.uk" (an unregistered domain at the time of writing) and setting up what looks like a payment processing site there.

8 hours ago
Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re:Stupid (344 comments)

but the problem is that there's so many sites that don't use or need encryption, that this won't change

The problem is that there are many sites where the operators think "we don't need any encryption" or "we only need to encrypt specific pages" but aren't looking at the bigger picture.

For example, a web store: many web stores only use SSL for their payment pages (or redirect to a third party for payment). They think this is fine as in normal operation the credit card information is encrypted, but it gives plenty of scope for an active attacker to steal the credit card information.

10 hours ago
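The two scenarios in the comments above (an active attacker rewriting the unencrypted catalogue page so the payment form no longer posts to the real https endpoint, and the attacker diverting users to the WRONG https site on a look-alike domain) can be shown in a few lines. The following is an added example, not code from this thread or from Slashdot: the checkout page is a constructed sample and the hosts shop.example, pay.example and pay-example.net are made up. It rewrites the page the way an on-path attacker can, then audits the forms, showing that a scheme-only check catches the http downgrade but not the look-alike https host, so the payment origin has to be pinned explicitly.

```python
from __future__ import annotations

from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Checkout page as the legitimate (plain-http) store would send it.
# Constructed sample; shop.example and pay.example are made-up hosts.
ORIGINAL_PAGE = """<html><body>
<h1>Checkout</h1>
<form action="https://pay.example/checkout" method="post">
  <input name="card" type="text"><input type="submit" value="Pay">
</form>
<a href="https://shop.example/account">My account</a>
</body></html>"""


def strip_tls(html: str, attacker_host: Optional[str] = None) -> str:
    """Rewrite the page the way an on-path attacker can, because nothing
    authenticates an http response.

    attacker_host=None : downgrade every https:// URL to http:// (SSL
                         stripping); the attacker relays to the real
                         endpoint and reads the card number in transit.
    attacker_host="x"  : keep https:// but swap the host for a look-alike
                         origin the attacker controls (a valid certificate
                         for that name is easy to obtain).
    """
    def rewrite(url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return url
        if attacker_host is None:
            return urlunsplit(("http",) + parts[1:])
        return urlunsplit(("https", attacker_host) + parts[2:])

    # Quoted attribute values are the odd-numbered chunks of a split on '"';
    # good enough for this demo page (a real tool would parse the HTML).
    chunks = html.split('"')
    return '"'.join(
        rewrite(c) if i % 2 == 1 and c.startswith("https://") else c
        for i, c in enumerate(chunks)
    )


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.extend(v for k, v in attrs if k == "action" and v)


def form_actions(html: str) -> list[str]:
    parser = _FormActions()
    parser.feed(html)
    return parser.actions


def audit_forms(html: str, trusted_hosts: frozenset) -> list[str]:
    """One finding per form that a page delivered over plain http should not
    contain.  Checking the scheme alone catches the downgrade; the
    look-alike host is only caught by pinning the expected payment origin.
    """
    findings = []
    for action in form_actions(html):
        parts = urlsplit(action)
        if parts.scheme != "https":
            findings.append(f"{action}: submits in clear ({parts.scheme or 'relative URL'})")
        elif parts.hostname not in trusted_hosts:
            findings.append(f"{action}: https, but host {parts.hostname} is not a trusted payment origin")
    return findings


if __name__ == "__main__":
    trusted = frozenset({"pay.example"})
    print("original  :", audit_forms(ORIGINAL_PAGE, trusted))
    print("stripped  :", audit_forms(strip_tls(ORIGINAL_PAGE), trusted))
    print("look-alike:", audit_forms(strip_tls(ORIGINAL_PAGE, "pay-example.net"), trusted))
```

The audit is the kind of check a store operator can run against their own pages, but note what it cannot do: it runs on the page as the server emitted it, while the rewrite happens on the wire. Only serving the whole site over https (so the page carrying the form is itself authenticated) removes the attacker's opportunity to edit the form before the browser sees it.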
To Fight Currency Mismatches, Steam Adding Region Locking to PC Games

petermgreen Re:Why Steam? Why? (142 comments)

I would expect the sales will have a positive marginal profit, that is the costs directly associated with the sale will be less than the income directly associated with the sale.

Of course having a positive marginal profit on every sale does not mean you will make a profit overall (and thus be able to stay in business). To do that you need to cover all your fixed costs too. It's perfectly possible that selling to everyone at the Russian price would not cover the fixed costs but selling to Russians at that price is nevertheless the way to maximise overall profit.

Trying to allocate "profit" to individual sales in a business dominated by upfront fixed costs is fairly meaningless.

11 hours ago
To Fight Currency Mismatches, Steam Adding Region Locking to PC Games

petermgreen Re:Why Steam? Why? (142 comments)

Economically speaking, this would mean that valve is selling games at 1 millionth of the usual price, but still profiting off them. Profiting so much, that they are willing to make custom software changes rather than just change the price.

The GP was exaggerating; it's actually lost about half its value. Also Steam already has code to enforce region locking on games sold through other channels and already has code to set different prices for different countries. So I would assume this was a fairly minor tweak from a technical perspective.

Sometimes I wonder why companies, especially companies selling digital goods, don't just set the price in one particular currency then let it somewhat auto-fluctuate in the other currencies according to the market. Wouldn't that be simpler for them?

Simpler? Yes. More profitable? No.

The amount people are prepared to pay for goods varies with how rich they are and with existing norms in their country. Therefore the price point that balances number of sales against profit from each sale is different in different countries. This is especially true for digital goods which have negligible marginal cost to the seller.

11 hours ago
Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re: Stupid (344 comments)

The problem with a system of conditionally serving http->https redirects based on known client capabilities (and serving internal links in a way that they stick with the same protocol the user used to request the page) is that once you start redirecting most of your users to https then incoming links (and unless you are really careful probably some internal links too) will start to use https as people copy and paste the URLs.

As well as the direct annoyance to users of older browsers, if search engines can't follow incoming links to your site then you are going to be disadvantaged in search rankings.

13 hours ago
Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re:So perhaps /. will finally fix its shit (344 comments)

I see several reasons for a site like /. to use SSL.

1: protecting logins, with password reuse being so common every unencrypted site that allows logins is a potential way for someone with a packet sniffer to gather valuable username/password combinations. I suspect this is the main reason behind Chrome's proposal.
2: protecting integrity, especially on a tech news site someone could inject fake stories as a means of social engineering to get people to install malware. A similar argument may apply to using browser vulnerabilities to push malware (though on a machine used for general web browsing https would only help there if nearly the whole web was using it). Yet another possibility is that an attacker rewrites URLs so that when people follow links from an unencrypted site to a site that is supposed to be https they get diverted either to a plain http URL or to a https URL the attacker controls.
3: protecting privacy, a government with oppressive plans may want to know who is active on stories related to government oppression.

Yes there is a price to be paid in terms of reduced ability for service providers to cache, in terms of more admin effort and in terms of CPU time.

yesterday
Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re:Sly (344 comments)

I wonder how many of those free certificates were potentially compromised by heartbleed because the owners don't want to pay to get new "free" certificates.

Indeed, and it's even worse than you suggested. Normally what you would want to do after a vulnerability like heartbleed that put your private key at risk* is

1: obtain a new certificate
2: install the new certificate
3: revoke the old certificate

Unfortunately as a StartSSL free user you can't easily do that. Not only do revocations cost money, they also have stupid policies about duplicate certificates which mean you have to either buy the new cert from a different CA, upgrade to the paid/verified StartSSL tier** or incur substantial downtime by revoking the old certificate first.

I bet a lot of people just said screw it and waited until the certificate expired before rekeying (and possibly by the time the cert did expire had forgotten about the issue and didn't rekey then either).

*AIUI heartbleed wasn't a particularly easy vulnerability to actually exploit to get the key; it's not like, say, the Debian openssl vulnerability where the keys were unquestionably compromised.
**a class 2 (paid/verified) cert and a class 1 (free) cert in the same name apparently don't count as duplicates because they are issued from different intermediates, and even if they did, paid certs, unlike free ones, allow secondary names, which works around the issue.

yesterday
Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re:503 (344 comments)

That's* certainly an issue and is why the warnings are the way they are. Possible solutions would include a new URL scheme or extending the HTTP standard to support a STARTTLS type scheme to allow encrypted connections with the http URL scheme (the downside of the latter is it will give the attacker hints that the connection is likely to be unauthenticated).

I strongly disagree with the people who say encrypted but unauthenticated is as bad as unencrypted. Yes, a targeted attack can use man-in-the-middle techniques, but if anyone starts doing that on a large scale they are likely to get noticed.

*And the related issue that when you set a form submission url as https you are declaring your intent to have the form submitted over a secure connection.

yesterday
Google Proposes To Warn People About Non-SSL Web Sites

petermgreen Re:Sly (344 comments)

Hmm, I can't say I've ever had any problems getting certs from them, despite usually having let the client cert expire and having to start from scratch when renewal time comes.

I've heard of people being denied certs because their site was "commercial" and they have the annoying habit of issuing the cert to you some time before putting it on their OCSP server, but I never heard anything about over-capacity before.

yesterday
Economists Say Newest AI Technology Destroys More Jobs Than It Creates

petermgreen Re:AI + organisations will be the real problem (632 comments)

I imagine for people already driving there won't be much change in cost. Once you've been on the road five years or so the insurance companies have a pretty good idea if you are a high risk driver or not from your records (both insurance records and traffic offense records).

Where things could get nasty is for people new to manual driving. I would think the combination of "inexperienced" and "wants to drive for fun rather than utility" is going to end up as a pretty high risk category. At least here in the UK it's already prohibitively expensive for a new young driver to insure a fast car and even with a basic econobox it's not unheard of for the insurance to cost more than the car (one teenager here even resorted to driving a tractor because car insurance was unaffordable).

Which means 50 years later there would be relatively few people on the road with sufficient manual driving experience to get manual driving insurance at a reasonable price.

yesterday
Economists Say Newest AI Technology Destroys More Jobs Than It Creates

petermgreen Re:AI + organisations will be the real problem (632 comments)

If you're worried about what'll happen to driving, look at what happened to horseback riding

At least here in the UK it's still perfectly legal to ride on horseback or in a horse drawn vehicle on normal roads* at any time. It's recommended to get training first but unlike with motor vehicles there is no legally mandated licensing requirement.

One big difference between horses and cars is that horses are high maintenance. They have to be fed, mucked out etc. whether you are using them or not. Cars on the other hand can happily sit in a garage for months at a time. So owning a "play car" is much less of a commitment than owning a horse. I could see that changing how things play out.

*Motorways are, as the name suggests, for motor vehicles only.

yesterday
ODF Support In Google Drive

petermgreen Re:This is huge (40 comments)

LaTeX has its good and bad points.

good points
maintains mental distinction between input and output
maintains a reasonable level of semantic information
reliable and reasonablly fast for large documents
produces really nice typeset output
handles equations well
handles captioning and cross-referencing well
makes a reasonable job at layout before tweaking

bad points
only a few image formats work, with traditional latex it's EPS or bust, pdflatex is a bit better but it's still pretty limited, with PDF being the only vector format supported (which is fun as most PDF creators don't want to create arbitrary sized PDFs so you often have to print to PDF then use a separate tool to remove the borders) and the only bitmap formats supported being PNG and Huffman JPEG (at least in my experience arithmetic coded JPEG doesn't work and gives an unhelpful error message, that caused some head scratching).
the layout engine is reasonably smart but not smart enough to get a layout I'm happy with without tweaking and the compile-build-view cycle gets annoying during layout tweaking.
the whole system feels like hacks built on top of hacks. The parameters to hyperref to avoid ugly boxes don't work in all versions (not sure if they work in the latest now, I certainly remember having to downgrade when working on my thesis because of this). Hyperref links go to the float caption rather than the float itself unless you add another hack package called hypcap but that in turn requires further hackery to work with custom figure types (such as figures placed by the side of the text rather than inline with it).
table handling leaves a lot to be desired requiring significant manual tweaking for any nontrivial table.
there are way too many markup sensitive characters, this means that significant editing is often required after pasting in plain text.
requires running a bunch of tools in the right order and sometimes multiple times to process a document

That's my experience from writing a PhD thesis with the thing anyway.

2 days ago
Denmark Makes Claim To North Pole, Based On Undersea Geography

petermgreen Re: Unbelievable! (184 comments)

I'd guess a combination of a small population and a large petrochemical industry pushes them up in the rankings (note that the rankings in question are per-capita).

Being a small island probably doesn't help; in particular small islands are often short on fresh water which pushes them to energy intensive desalination. It can also make it difficult to achieve economies of scale in power generation.

2 days ago
BT To Buy UK 4G Leader EE For £12.5 Billion

petermgreen Re:Urgh BT (39 comments)

AIUI EE is currently owned by Deutsche Telekom and France Telecom, so this is one former state monopoly telco buying a business off other former state monopoly telcos, not a takeover of an independent business.

2 days ago
BT To Buy UK 4G Leader EE For £12.5 Billion

petermgreen Re:BT != Bittorrent (39 comments)

Note that while "large ISP/Telco company" is not wrong, it's something of an understatement. BT is the former state monopoly telco in the UK.

AIUI BT Openreach (the part of BT that owns the physical lines) has an effective monopoly for about half of the UK households. For most of the rest they are competing against Virgin Media but Virgin Media don't sell wholesale. There's a few small upstarts around too but they tend to have negligible coverage areas.

Fortunately we have reasonably effective regulation which allows competition at the service provider level despite the monopoly at the physical line level.

2 days ago
Amazon UK Glitch Sells Thousands of Products For a Penny

petermgreen Re:currency (138 comments)

Mint and chocolate combinations seem pretty common in the UK too. Personally I like them...

3 days ago
Waze Causing Anger Among LA Residents

petermgreen Re:Move to a gated community (593 comments)

Or ask them to eliminate the shortage of freeway road space for the number of people who want to use it at the same time, by setting the price of freeway travel at market equilibrium and adjusting the price by the hour to achieve permanent free-flow.

So at times of high demand the price of using the freeway will rise to the point it's discouraging people from using the freeway.

And you think this will help with the problem of people choosing to use local streets instead of the freeway?!

3 days ago
Amazon UK Glitch Sells Thousands of Products For a Penny

petermgreen Re:Hmmmm ... legality? (138 comments)

So, once the order has been placed, haven't you effectively entered into a contract for sale or something?

AIUI suppliers in general don't formally accept orders until they ship them.

3 days ago
9th Circuit Will Revisit "Innocence of Muslims" Takedown Order

petermgreen Re:Different name same shit (158 comments)

AIUI in many Muslim majority countries children of Muslim parents are automatically deemed to be Muslim and abandoning Islam to take up another religion, or just because you don't believe in religion at all, is a serious crime (punishable by death in at least some cases).

While in Christian majority countries you are generally free to choose whatever religion you like.

And then there's places like the ISIS territories where they go even further and force people of other faiths to convert to Islam on penalty of death.

Yes we have some Christian fundamentalist nutjobs but by and large they don't have much power.

3 days ago
French Cabbies Say They'll Block Paris Roads On Monday Over Uber

petermgreen Re:Sounds like they should ban the cabbies (295 comments)

Easier said than done.

Firstly, it's difficult to prove who is intentionally disrupting traffic and who is just caught up in the disruption, especially if the disruption strategy is to focus a large number of vehicles on a small area but otherwise drive normally. Secondly, if the roads are gridlocked getting the cop cars and tow trucks in and out is going to be difficult.

3 days ago

Submissions

petermgreen hasn't submitted any stories.

Journals

petermgreen has no journal entries.