Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×

Comment Re:Dissonance (Score 1) 209

Calling something a public safety issue doesn't not magically give the government authority. Forcing people to wear bubble-wrap suits would be a public safety issue, too. Do you really want to go there?

In this case, the government, on behalf, of the people, allocates a finite resource (bandwidth) to a small number of competitors (oligarchy). The government does indeed have a role in ensuring that these companies are acting in the public interest. Your analogy would apply more to something like seatbelts.

Comment Dissonance (Score 1) 209

On the one hand, TFS quotes Pai as saying enabling the FM Radios is a "public safety issue". On the other hand, he says that the government has no place in dictating carriers turn the radio on.

Until the wireless carriers are going to provide an emergency-grade SLA in return for their oligopoly using public airwaves to make money, the government does have a mandate to make sure those carriers are acting in the public's, as well as their shareholders', interests.

Comment Re:Copenhagen Interpretation (Score 1) 82

This is what people mean when they write things like "the electron can be in two places at the same time", but it is a horribly imprecise and misleading way to phrase it.

Yah, I wonder if they said something like "the electron could be in either of two places at the same time" instead if that could be more easily understood (if that phraseology doesn't break the idea of superposition in the first place).

Comment Re:Cooking (Score 2) 210

It does not record everything that is said all the time. It does listen all the time for keyword recognition, and Amazon (along with Google) store recordings that you can go in and delete, but most people don't. Wired has a pretty decent write-up. Can I prove that Echo doesn't record all speech, even when not activated? I've looked and don't see any outbound traffic when it's not activated. I suppose it could be recording stuff surreptitiously, and sneaking out the compressed voice data it's been recording all day during the brief times it is activated, but that compression would have to be really good.

Unless you do all your browsing with Tor, and use something like Lavabit for your email, if you do any commerce online, plenty of people know lots about you. Yah, Amazon knows I like to set timers, and I like to ask for the weather and news. It knows that I skip music tracks on Spotify, along with my schizophrenic taste in music. These are the least of my privacy challenges.

Oh, and my stove, it has one timer at a time, which is limiting when you are dealing with a major meal.

Comment Seems high... (Score 1) 257

Ok, I'm going to go Ad Hominen here and call B.S. I posit that the 32% number is inflated, it's referenced on a site that makes money from torrents (many of which are indeed pirated content), from a survey published by an anti-pirating firm, which makes money "fighting piracy".

I mean, come on, one third? Where did they take this survey, the California bay area? Austin? I am reasonable sure the majority of people in my neighborhood here in science-hating Texas have no idea how to set up their routers to allow torrent uploads and avoid leeching limitations. Netflix, Redbox, Amazon Prime, Hulu, Vudu, video on demand... there are just too many inexpensive ways to watch almost anything you would want to see without dealing with Torrents. Yes, we on Slashdot may use torrenting to get to anime and other foreign content we can't get legally in the US, but we are outliers.

Comment Re:What's wrong with Android uniformity? (Score 1) 212

I think the problem people have is that there are various pieces of mobile OS functionality that have been moved out of the open Android Open Source space into the proprietary Google Play space (like location). Google Play services are not free (as in beer or freedom), it's another walled garden with commercial restrictions on usage. It's not just a matter of "replace Google search, maps and other services". The Android kernel itself is a decreasing amount of the software footprint required to build mobile apps.

Comment Carrier Phones - RIP (Score 4, Informative) 198

There doesn't appear to be much of a reason to buy a carrier-bound phone anymore, especially Android.

  • Security updates are few and far between
  • Major OS updates are almost non-existent
  • Blocking of OS functionality (ex. expandable storage on SD), WI-FI calling
  • Vendor bloatware
  • And now, third-party bloatware
  • Little financial benefit (what little there ever was) in subsidization

Basically, if you want an Android phone that will remain supported, you almost have to go non-carrier Nexus

Comment Hubba hubba, hubba - who do you trust? (Score 1) 412

The whole concept of "store" in Windows 10/UWP and Android is a pain. The default Microsoft/Google store gets trusted by default. On Android (at least on my phone) you can't set up the Amazon store and delegate trust to it (i.e. anything that Amazon says is Ok is Ok with me). You have to disable security to install apps from Amazon, which isn't great. Microsoft is doing the same thing, including the awkward side-loading option.

Windows store does have an "enterprise" option if you are going to use UWP for internal enterprise apps, but you still have to have Microsoft review, which also isn't great.

In my preferred universe, Microsoft and Google (and Apple, for that matter) would allow me to set up trust to any application source (store) I want (including, of source, Steam). If the current model of application protection were applied to browsers, every website would have to get SSL certificates issues individually for each OS, because there would be no mechanism to delegate trust to Verisign, Thwate, Entrust, etc. Users (and enterprises) should be able to manage trust for non-OS related applications and files, which means that we need a mechanism to trust third-party stores.

Comment Re:What a mess (Score 2) 461

She didn't pass anything as first lady, that's not how it works. As part of the Obama administration, she did plug TPP pretty hard. But your point about Trump having a running mate who was for every free-trade deal made (including TPP), while making a major campaign issue out of how bad they are is pretty lame.

Comment Poor Post Title, Not-So-Severe Issue (Score 1) 97

The OFA outlines this issue. What they are saying is that because the Swagger is a JSON document, if you use a code generator that simply regurgitates its values without validation, you could end up with code executing in the context of whatever is consuming the API. The issue is with code generators, and not the swagger documentation .

An example they give as an attack on HTML is the following (with angle brackets instead of square ones, obviously):

"info": { "description": "[script]alert(1)[/script]",

I guess the idea is that you have used Swagger code generator to create code to call the RESTful APIs you are interested in. The code generator includes this description (which seems kind of odd) in the generated code, giving you an alert when a page including this code is loaded. They also give an example of attacking the "paths" property (which includes information on what URLs can be used to call specific APIs) which would execute code on the back end. I could see this being more a legitimate problem.

A few things though before we all freak out:

  • If you are calling APIs from a party you don't know and trust, you are doing it wrong,
  • If you are calling APIs without reviewing them and their documentation, you are doing it wrong. If you are looking at a Swagger document and somebody put in an PHP or Ruby injection attack, it will stick out like a sore thumb.
  • For vulnerability to be exploited that party you trust with your data will have to insert malicious definitions into their Swagger file, and include enough definitions to attack all of the platforms that code will be generated for.
  • Because Swagger is now an open specification (Open API), the code generators in question can be updated pretty easily,

Titles like ZDNet's "Severe Swagger vulnerability compromises NodeJS, PHP, Java" are gratuitous hyperbole. Slashdot's title is a little better because it at least refines the panic to "tools", but still not great. There is an issue here, but the internet is not going to go down in flames over this one.

Slashdot Top Deals

"Ignorance is the soil in which belief in miracles grows." -- Robert G. Ingersoll

Working...