
Comment Re:Control vs. Security (Score 1) 121

Microsoft could always, you know, fix their goddamn bugs.

Microsoft has had a long history of fixing and unfixing bugs - where one update would fix a bug, and another would undo the fix. They had a nasty WMF (Windows Metafile Format) bug that was patched and unpatched for 20+ years; I think they finally got it patched without any rollbacks when they patched it in Windows 8 or 8.1 (at least, that's the last time I heard about it; wouldn't surprise me if it showed up in Windows 10 again).

IOW, they have really bad patch management and QA/QE processes. It's amazing they get anything out the door at all.

Comment Re:That's why I pay to recycle monitors (Score 1) 274

As TFA says, half of them go to abandoned warehouses in the US. The other half go to Africa and India where low-paid, unprotected workers burn off the insulation and plastic parts to get the copper. I've seen articles about this in the New Scientist and elsewhere.

Well, that only works when the economics of shipping them to China/India/Africa/wherever are favorable. They've been running into issues the last few years that have made the economics turn unfavorable, so more and more they'll likely just end up in the US (or Europe - e.g near the source) somewhere.

Comment Re:Experts included (Score 1) 119

I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't, that doesn't mean they can't or shouldn't.

Most companies are 100 employees total, even 50 employees. So yeah - they can't. Everyone carries multiple duties as it is.

Comment Re:It's always the CSO's responsibility (Score 1) 119

Security is the responsibility of the CSO. Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.

Realize, the vast majority of companies have (a) a president/CEO and (b) a CFO and that's their entire C-level exec suite. Moreover, when it comes to small companies, the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance to someone that has no accounting background on how to do the books.

Comment Re:IT needs to get tough (Score 1) 119

The answer to TFA's dilemma is "neither is responsible."

Actually, I'd argue both are. C-level Execs are b/c they often don't allocate sufficient funds and downplay the possibilities that things will go wrong. In essence, they are creating some risk they don't have to create simply for funding reasons, and they should own that responsibility. And the presence (or lack thereof) of a Cyber Security Officer is a C-Level Exec decision; most companies don't need one - but then, their IT manager is essentially taking on that role - realize, most companies are barely big enough for an IT department of any kind if they have one at all.

IT managers do the same thing, namely when they don't think they can get the funds to cover stuff. This goes all the way from development and ensuring developers can have the time to properly secure the systems at a code level, to ops, to security, etc. They also fail to push back on the C-levels enough to make the C-levels take them seriously about needing to fund that stuff.

On top of it all, IT project failures are common enough that often they just want to get some kind of success, regardless of the risk. But that's what happens when you have an IT industry that focuses more on art and less on engineering - like we do now.

Comment Re:Low Interest In The Public (Score 2) 216

No, he wants to scrap it. Completely.

He wants to scrap what he doesn't understand.

Nope, I want to scrap it, completely.

There's absolutely no reason for every last email user to be in a ring of trust. We only need a small percentage of people to actually verify their credentials and it's enough to spot if the NSA is playing games with the system.

Again, you demonstrate a lack of understanding of how the PGP/GPG web-of-trust works.

It doesn't work by trusting everyone. You assign trust on a per-person basis. That trust can extend trust if *you* choose it to.

That is to say, by default Web-of-Trust trusts no one. When you trust Bob you can assign Bob a trust rating - that rating can be "I only trust Bob" (1) or "I'll trust Bob and only those he trusts" (2 = Bob +1), or even further trusts (Bob + Bob's trusts + people they trust...). You decide the trust levels, no one else. No one can assert that you trust them either. The NSA can't control who you trust either, nor can they inject themselves into a trust relationship with you. Your web-of-trust is only as big as you allow it to be.

In all honesty, web-of-trust is exactly what you described but you missed the key sharing functionality in the key servers - which, btw, only store the public key portion of the PGP/GPG key set. You can download it, verify its expiration date and fingerprint, and then decide whether or not to trust it, how much, and for how long. The party you want to exchange with can do the same with your key if you uploaded it to the key server. The key server only serves as a key distribution mechanism so that you do not have to directly exchange keys in some form (email, usb in person, etc). The fingerprint is a hash of the key that can be easily read and verified (much like the sentence provided in the one example).

So yes - you are describing exactly what GPG/PGP is.

The CA trusts - managed by Verisign, Symantec, and others - put the trust relationship in the hands of someone else. You say you trust the CA, and you inherently have to trust everyone they trust. The NSA can inject themselves into that because they can attach themselves at the CA trust level and you don't have a choice about trusting them. That's explicitly what PGP/GPG is designed to protect against.
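A toy model of the two trust policies contrasted above, added here as an example (it is not code from the post, from Slashdot, or from GnuPG/PGP). It shows per-person trust with an explicit depth, the way the comment describes it (1 = only Bob, 2 = Bob plus those he signed, and so on), beside the CA policy where trusting one root means accepting everything chained from it. The keyring, the names and the signature edges are constructed; the trust computation is a deliberately simplified stand-in, not GnuPG's real algorithm with its owner-trust levels, marginal/complete thresholds and max-cert-depth.

```python
import hashlib

# Constructed keyring, as a keyserver would hand it back: every public key
# id plus the ids of the keys that signed it. Nothing here is a real key.
SIGNATURES = {
    "me":      set(),          # my own key
    "bob":     {"me"},         # I checked Bob's fingerprint in person and signed his key
    "carol":   {"bob"},        # Bob signed Carol
    "dave":    {"carol"},      # Carol signed Dave
    "mallory": {"mallory"},    # self-signed key somebody uploaded; nobody I know signed it
}

# Constructed CA-style graph used to compare the two policies on one keyring.
CA_SIGNATURES = {
    "root":          set(),
    "me":            set(),
    "intermediate":  {"root", "me"},   # the issuer I actually verified and signed myself
    "shop.example":  {"intermediate"},
    "rogue-sub-ca":  {"root"},         # chained under the root without my involvement
    "impostor-cert": {"rogue-sub-ca"},
}


def wot_valid_keys(me, owner_trust, signatures):
    """Per-person trust with an explicit depth, as the post describes it.

    owner_trust maps a key id to a depth: 1 = "I only trust Bob",
    2 = Bob plus everyone Bob signed, 3 = one hop further, and so on.
    An assignment only counts if I signed that key myself; otherwise it
    is ignored, so nobody becomes trusted merely by uploading a key or by
    asserting on my behalf that I trust them.
    """
    valid = {me}
    for introducer, depth in owner_trust.items():
        if depth < 1 or me not in signatures.get(introducer, set()):
            continue
        frontier = {introducer}
        valid.add(introducer)
        for _ in range(depth - 1):
            # next hop: every key signed by someone in the current frontier
            frontier = {k for k, signers in signatures.items() if signers & frontier}
            valid |= frontier
    return valid


def ca_valid_keys(root, signatures):
    """CA policy: trusting the root means accepting everything chained from it,
    with no per-issuer choice and no depth limit chosen by the user."""
    valid, frontier = {root}, {root}
    while frontier:
        frontier = {k for k, signers in signatures.items() if signers & frontier} - valid
        valid |= frontier
    return valid


def fingerprint(public_key_bytes):
    """Readable digest of a key for out-of-band comparison (phone, in person).
    Grouped in 4-character blocks like GnuPG prints fingerprints; hashing the
    raw bytes is a stand-in, not GnuPG's key-packet fingerprint computation."""
    hexdigest = hashlib.sha1(public_key_bytes).hexdigest().upper()
    return " ".join(hexdigest[i:i + 4] for i in range(0, 40, 4))


if __name__ == "__main__":
    for depth in (1, 2, 3):
        print(f"trust bob at depth {depth}:",
              sorted(wot_valid_keys("me", {"bob": depth}, SIGNATURES)))
    print("unsigned upload, trust asserted anyway:",
          sorted(wot_valid_keys("me", {"mallory": 5}, SIGNATURES)))
    print("CA root trusted:", sorted(ca_valid_keys("root", CA_SIGNATURES)))
    print("per-issuer trust on the same graph:",
          sorted(wot_valid_keys("me", {"intermediate": 2}, CA_SIGNATURES)))
    print("fingerprint:", fingerprint(b"constructed public key bytes"))
```

Run as a script, the first loop grows the valid set one hop at a time and never reaches the self-signed upload; on the CA graph, the root policy accepts the impostor certificate while the per-issuer policy, anchored on the one issuer I signed, does not.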

Comment Re: no comments? (Score 1) 271

NYTimes called it the Clinton Recovery before he even took office:

Just like how Trump not only got $2B+ in free advertising from the news media during the election but is also being credited with the stock market surge after the election despite not having done anything at all.

Trump didn't have to do anything other than show that he wasn't going to do all the regulatory crap that Obama did, which is part of what he campaigned on. The surge in the markets since has been because of that, nothing else.

Comment Re:Big news in California... (Score 1) 457

But hey, we got more welfare and crony projects like the Bullet-CrazyTrain.

Yes, the train that will cost $68.4 billion and fulfill the same transportation demand as spending $119.0 billion on 4,295 new lane-miles of highway plus $38.6 billion on 115 new airport gates and 4 new runways ($158 billion total). Let's not build it because we need that $68.4 billion for other things, right?

Maybe in reality those roads, airports, and runways will likely still get built, and the high-speed train won't be very popular because it won't actually go all that fast, in part because of the multitude of stops it has to make for all the politicians to sign on and support it, and in the end it'll still cost more than the others combined.

Comment Re:It's houses, dummy (Score 1) 490

Being able to do certain things, make certain kinds of advancements does have a link to being in the right place at the right time; but it also has to do with the attitude you have when you're there. If you don't have the "can do" attitude, then those around you won't offer you those prime choices, or you won't put yourself in situations where you can even be given those choices.

Yeah, and your attitude is as much about chance as anything else. It's one thing to know that stuff intellectually, and it's another thing to have been abandoned by one parent who was a violent alcoholic anyway and to have been essentially failed by the other parent who withdrew into a cocoon and did little but provide the absolute bare minimum financial condition not to have your children taken away and who taught you nothing whatsoever about healthy interpersonal relationships.

I grew up with few friends, was poorly socialized so I did poorly in school even when I knew the material because of the influence of the various little shitmonsters surrounding me whose parents taught them a lot more than mine did, but mostly taught them how to be selfish little fucks who liked to hurt people for amusement. Now I suffer in the networking department in multiple ways.

And yet....I grew up the target of the neighborhood bully, few friends, and chose not to be associated with people that were bad influences.

The people you *choose* to keep as friends greatly impacts your life. They can bring you up, or bring you down; but it's your choice about whom you hang out with, and how they ultimately influence you. That responsibility is yours and yours alone.

If you don't have the "can do" attitude, then those around you won't offer you those prime choices, or you won't put yourself in situations where you can even be given those choices.

I do what I can, but don't pretend it's the same for everyone. It provably is not.

Obviously you didn't do everything you could; by your own account you essentially hung out with the wrong crowd - by *your* choice. Whether that's your perceived choice of "well, they were the only friends I could make" is in part at play - you had a choice to either hang with them or not; in all likelihood the fact that you did hang with them likely limited your choices of friends as others didn't like them and didn't want to associate with you because you associated with them. So it really does come down to your choices regardless of what your parents or their parents did.

Comment Re:that's becasue PGP is terrible (Score 1) 216

You're about 10 years behind the times.

I'm very aware of Outlook, and its abilities regarding security. I was an early adopter of Outlook '97, and used it for quite a few years. I've left it behind because of (a) how difficult Microsoft made it for me to keep Outlook secure, and (b) it's just plain broken for many of my uses.

Having used other mail clients it's kind of odd that Outlook is the *only* mail client that consistently has security issues - and the *same* security issues at that. Everyone else fixes the issues and (a) doesn't keep introducing new features that reintroduce the old issues and (b) doesn't make it hard to keep your mail client secure.

So yeah...Outlook is an insecure piece of crap that is insecure by design and on purpose. There's really no other explanation for Microsoft's failure with it in that respect.

Comment Re:Low Interest In The Public (Score 1) 216

So really what you're saying is that the whole Web-of-Trust support needs a little more automation

No, he wants to scrap it. Completely.

He wants to scrap what he doesn't understand.

My point is in part that PGP/GPG is itself a really good foundation to build security upon; it's just that the tooling to support it is (a) not well known and (b) not necessarily very user friendly, especially around sharing keys. His complaint is primarily around the sharing of keys - he doesn't either know about or understand the infrastructure for PGP/GPG key sharing so he says "throw it all out".

Your example is exactly what could be done with PGP/GPG keys already with a little improvement to the existing tooling.

Comment Re:It's houses, dummy (Score 2) 490

RTFS. They're not just staying in one city, they're staying at one address. This means nobody is buying houses. It's another sign the Millennials are getting screwed.

It means, that they're still living at Mommy and Daddy's house, waiting for the world to give them the high paying dream job they "deserve" and would enjoy doing.....and it ain't happening.

Previous generations understood this, but apparently the snowflakes do not.

I'll stop you right there...

The previous generation doesn't understand how much of their success is built upon luck and the generation before them; they tend to be biased in attributing all of their good fortune to their own hard work - because that's human nature, when you're down it's bad luck (Gen-Y), when things are going your way it's all you (Gen-X).

Stopping you right here...

In truth it's a combination, but you can't have the hard work without first having a substantial amount of luck,

Sure you can. It's called your grades in school. It's called not allowing your kids to be put on drugs to keep them in their seats because the teacher can't take them out for recess to run off the excess energy (yeah, not Gen-Y's fault on that one). It's called doing your best regardless of the circumstances around you, and having a strong work ethic.

Sadly, BabyBoomer/Gen-Xers didn't generally do their Gen-Y/Millennial kids any favors with the "everyone gets a trophy" and "my kid can do no wrong" and "1+1 = 3, yeah - you tried; here's a lollipop" upbringing.

But that doesn't leave it any less on Millennials/Gen-Y to do their best and put their head down and do the job(s) they've been given/hired to do. How you treat one employer will be picked up on your interviews in the future. So yes - it is ultimately in your hands, even if your parents didn't help you much.

even if that just means being born at the right time and in the right place,

Being able to do certain things, make certain kinds of advancements does have a link to being in the right place at the right time; but it also has to do with the attitude you have when you're there. If you don't have the "can do" attitude, then those around you won't offer you those prime choices, or you won't put yourself in situations where you can even be given those choices.

You can't start a business and not advertise it, and expect money to come in from nowhere. You have to get out and do the hard work - get out in the business community and make your name known; find VCs and Angel Investors and convince them you have the wherewithal to "do what you say and say what you do" and make them money. And that starts by showing your boss at McD's or Arby's or some retail shop that you can be trusted, and not goof off; that you can handle responsibility - that in turn, becomes a good reference for your *next* job wherever it may be, and that builds up over time.

Comment Re: It's houses, dummy (Score 1) 490

20% down payment has gone from about 3 months' salary to about two years'.

Back in 2005 I said that the housing market was pushing out its base market because at the time a 20% down payment was $50k on a small townhouse, and the base market couldn't afford to push that kind of cash down. Of course, the banks countered with Jumbo Mortgages and double loans (mortgage + secondary loan for the down payment) with variable rate interest - this in turn became a major factor in the 2008 housing bubble - which popped in part because of a 0.25 interest rate increase by the Federal Reserve, kicking in hundreds of dollars extra on payments on all those variable rate loans and knocking the housing market flat on its back as a result.

But yeah - if you haven't bought in somewhere cheaper, it's going to be very hard to buy in somewhere more expensive, and the housing capitals of the US (NYC, SF, LA, W.DC, Seattle, Chicago, etc) are also the most expensive areas to live.

Comment Re:Encrypted E-mail still a pain (Score 1) 216

No it isn't.

Use Thunderbird with the Enigmail plugin.

This is still a tech site, right???

First time I really did encrypted email was with Thunderbird and EnigMail. It really isn't difficult - and my compatriots didn't even use the PGP/GPG Key servers that are out there. Apparently TFA can't figure it out so complains.

Comment Re:that's becasue PGP is terrible (Score 1) 216

use outlook with s/mime instead, it's a ton easier, although it still does require a bit of knowledge, like clicking "sign" on "encrypt", plus exchanging signed emails ahead of time so outlook can harvest the cert

If you're using Outlook, you're part of the problem.

Outlook and Security are about as opposite as one can get on any kind of scale. Time and time again Microsoft implements a feature, that feature is found to have security issues, so people disable it; so Microsoft creates another feature of the same sort, and the process repeats. Everything you do to make Outlook secure, Microsoft finds a way to break the security.

Examples: Reading Pane vs Auto-Preview - both do the same thing. Both are security issues due to the fact that they'll auto-run any scripts (JS, VBA), html, etc. that are embedded.
Try disabling Reading Pane on all your folders in Outlook. There is no "disable by default" setting, and upgrades will auto-re-enable the Reading Pane. The more folders you have the worse it gets.
Same for Auto-Preview.

So please, if you want to talk about Security and Email, please keep Outlook out of the conversation because it is the complete opposite of security.
