
Comment Re:Appeals court fails basic facts (Score 1) 56

So if you use a copy of Microsoft Office that you didn't pay for but got from "a guy", you can't have civil action against you?

I think you'll find that's not how copyright works, has ever worked or will ever work.

Because at that point, it's not really *copy*right you have to worry about, it's licensing for the original work. To copy it would have been infringement, and you're using an unlicensed copy whether you were the one to copy it or not.

The problem is exactly that judges spent too long reading the law, because that's what's enforced and convicts you, not the dictionary definition unless there is absolutely no legal definition anywhere that's been previously established by a court of law or a legal statute.

Comment Re:But what is a lie? (Score 1) 182

We're not talking about every single answer.

We're talking about when people say, in a meeting, "Well, can you justify that?" or "Why do we have to do that?" where the simple answer isn't enough and you're explicitly asked for more. And then I provide simple and complex answers simultaneously, but often at a later date (because opposite me is a pseudo-expert I respect who disagrees and his boss who knows nothing and won't understand the full thing).

At that point of asking, "normal" (non-autistic-trait) people switch off and rarely care as they've formed their opinion already, it's in opposition to yours (or they wouldn't question your reasoning), and they're asking for justification enough to change their mind. And then they don't look at it, or they do the "Oh, well, that's beyond me, I didn't read it all"... and then go on to make the decision the same way anyway because - presumably - it would make them feel foolish to be seen as taking advice, and they'd rather actually be PROVEN wrong further down the line when it's too late to backtrack.

Agreed that, by default, I provide the reasoning and answer, because it's just that often that the answer isn't enough or leads to a demand for the reasoning anyway. By the time it's got to an email chain, Yes or No won't be good enough.

But people believe that the "minutes" from a meeting are all that matters, not why those decisions were made or who made them, which is why I get things explicitly minuted in some meetings so I can go back later and, effectively, do an "I told you so". Without that explicit demand, it gets claimed that all the reasoning behind the decision was unimportant even when that reasoning is shown correct (i.e. we shouldn't have done X because Y would happen, we do X and - shock - Y happens).

And it's not even as simple as just avoiding blame / liability, or covering up, or failing to admit a weakness.

As you point out - if you trust the expert opinion you're asking for, you don't need the full explanation. I certainly have done this to those below me - "You're sure? You know how to do that? And it will solve the problem? Cool, I'll leave it with you.".

And I will happily provide Yes/No but that *is* opinion, because when it differs from theirs I'm ALWAYS asked for an explanation. In fact, being asked for my reasoning is the prime hint that I'm about to be overruled anyway.

There are many times where my boss has needed to spend upwards of £100k on my opinion. A Yes/No has sufficed, because they don't understand but they can see that it's a no-brainer to myself, even if it's hard to justify to a layman. It does happen. But when opinions differ and reasoning is required, it's ignored or needs to be so dumbed down as to be unconvincing and useless.

The second you involve other departments, staff, layers of management, etc. everything turns from Yes/No into "justify that", and then the justification ignored for a pre-made decision, and even swept under the carpet so it can't come back to bite them later. Often, you don't even find out their reasoning for overruling, which is the EXACT thing they asked you for. Even "Oh, we can't afford that much!" - that's a valid reason. When you're not prepared to give that it makes me question motives.

I've worked in several places where THE MOST ILLOGICAL decisions are made almost every day. There's literally no rhyme or reason and all those carrying out those decisions cannot see the logic behind it, even if they assume bad-actors, monetary gain, power-grabbing or whatever else as the reasoning.

As the person I am, I combat association with those types of decision by providing - on request - my reasoning. To use your code-analogy, I am "open-source". Not only do I tell you what I'm doing, I tell you why, and what else has been tried, and why that failed or isn't suitable, and why we should do things exactly THIS way.

And then, effectively, someone else buys their brother-in-law's piece of junky proprietary software and we're stuck with it and then I get blame from all corners for how we allowed it which, without stating reasoning as to why it's a bad idea in the first place, would be untraceable to anything but me not providing that reasoning and "going along with it" (really, being overruled and told to do it).

I've had it happen for everything from £50k print contracts, to core business software. After years of dealing with people trying to push blame, or kowtow to bad decisions, and not having the social tools to combat it at the heart (which seems to involve doing it, wasting money, and hoping that you'll become mates with higher people by doing so), I provide reasoning.

Comment Re:But what is a lie? (Score 2) 182

I have the same problem.

I took to highlighting emails for "Short version" and "Long version". The only people who bother with the long version are the people with an axe-to-grind with what the email is about, people who are similarly autistic-like (yeah, I'm definitely on there somewhere too), and those with an interest in the actual fine details of that particular area.

But I work in schools so I can tell you now that, however hypocritical, the entirety of education is set up as "lies to children", in fact "lies of decreasing magnitude". At first atoms are the smallest thing. Then electrons. Then quarks. Then strings or whatever. We do it to ease them in, and allow them to understand at whatever macroscopic scale is necessary at that time.

I'm not sure it's an entirely bad method, but the phrase "You'll see later / when you get older that this isn't exactly true" doesn't HURT anyone to say and we rarely say it.

To be honest, when I'm asked to summarise, e.g. in meetings, I struggle immensely because I don't see that you can sum up anything that easily without just providing opinion rather than fact.

"So what's best, X or Y?"

I can give an impartial, fact-based, long answer.
But if you want one or the other it will be opinion unless the answer is blindingly obvious. And your opinion may differ.

The problem I get is that when opinion differs, the next question is always "Why" and despite lots of reasoning from an expert hired for exactly that purpose, there's often no convincing someone anyway.

But, as this post probably shows, I find that the REASONING for an answer is often more important than the answer itself. It tells you how much people have thought about it, how long they've been working with such things, how detailed their knowledge is, and that - ultimately - tells you whether you should be trusting their opinion against others.

I get told off for overly-long emails and posts all the time, and yet I often hold back much more than people know.

(Pity the poor guy who tried to argue Data Protection legislation with me and got a written-up explanation, with citations, all my own wording, from memory, in under an hour that took him a day to read).

Comment Re:Compact Florescents would like a word (Score 1) 169

Then it's nothing to do with the bulbs. If incandescents barely last a couple of months, you have bigger issues.

I'd honestly suggest you get a whole house filter because you're just in a really bad shape, electrically. That's not the fault of any kind of bulb, and you're probably destroying all kinds of hardware.

To be honest, a lighting circuit can generally be UPS'd quite easily and has more than one advantage (less bulbs blowing, and a backup lighting in the case of a blackout). If you replace with LEDs and UPS, you can probably run your lighting for a couple of days off even a cheap one.

What you need to find is what's killing them, though, because that's damaging all kinds of stuff down the line. I'd suggest over-voltages and surges.

Comment Re: Set up correct secondary DNS servers (Score 1) 344

Typed out a massive post. Got blocked by the lameness filter.

Removed all references to DNS, round-robin, DDoS and anything else that might be tripping it up (destroying the prose at the same time) and still got blocked.

Spent 20 minutes editing, still got blocked.

Gave up, closed Chrome window.

Basically, the target in this instance was Dyn. Secondary DNS would only help if only Dyn were targeted. The second the target is not Dyn but you (or Twitter or Microsoft), it doesn't matter how many secondaries or tertiaries you have, you still fall over.

Comment Re:DoS (Score 1) 344

That's effectively the same as applying encryption to the stream, albeit for a different purpose. Though you can rate-limit SSL requests, and require them to all be valid before you continue processing, you hit a problem either way - either you're throwing lots of time/effort at verifying the challenge yourself against a lot of bots faking it, or you're handling a lot of connections that are indistinguishable from genuine ones.

Even if you reset the counter for each unique IP (because of NAT etc. that's your only identifier), you'd have visitors from large organisations (e.g. universities) lumped together and subject to many more delays than necessary while the millions of home routers on the FOUR BILLION other IP addresses would just still be pinging you a request a minute that - by sheer weight of numbers - will still overwhelm your system.

And a Raspberry Pi, for example, operates at over 1GHz. Embedded hardware - especially video-processing like CCTV etc. - is not necessarily "not powerful" and often runs off general purpose ARM chips that can do a lot more than you think.

Plus, the attackers don't care that the devices they have taken control of, and don't own or need for any other purpose than to attack you, are delayed slightly, so long as they keep challenging your system to their utmost.

It's also just an arms race then, and I guarantee that a botnet of compromised devices has more CPU than you can ever handle at the other end to throw at such problems, even if they are doing the hard part (e.g. factorising primes) and you are doing the easy part (e.g. checking they are factors).

As speeds escalate, you'll lose the war even faster over time.

I can't see that it's a solution.

Comment Re:Make ISPs at the source responsible (Score 5, Informative) 344

They are.

No source addresses were faked here.

Just millions of "genuine", unfaked connections.

That's the "new" part of this attack. It's not trying to pretend it's anything that it isn't. It's literally just millions of devices requesting advertised services and responding to their responses in the correct manner.

Imagine a DDoS of just asking for Wikipedia pages. It's hard to combat because you have no way to distinguish it from just a sudden surge of genuine traffic.

Comment DoS (Score 5, Interesting) 344

As most of this traffic was "genuine", i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it's hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.

The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.

Quite literally "please block anything from these IPs or traffic that matches this pattern".

But I cannot imagine such a thing ever being implemented as it pushes the burden further and further upstream and the top layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.

There's no way I can see to stop something like this, where millions of random devices start genuine full connections and respond as any other client, without just rate-limiting (which rate-limits your other genuine clients) or engaging in the packet conversation as you normally would (which would be enough to cause a DoS in itself).

Even if you can spot a pattern, it'll be changed in the next iteration, or dynamically and randomly generated in time. It's like spam-filtering at packet-speeds, and as stupendously unreliable.

Previously, it was faking source IPs, which can be solved by ISPs being required to only allow their announced ranges. Now, with just millions of valid connections, a DoS is indistinguishable from a service just suddenly becoming incredibly popular with real users.

Any method, protocol, or setup where they have to connect to you like that and you perform some kind of check or measure against their connection (even, say, setting up a TLS session) can be replicated by the botnet just as easily.

There's no solution to what is effectively "junk mail" inside a TCP/UDP packet.
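The two arguments made in the DoS posts above (that an ISP source-address filter only bites when sources are spoofed, and that a per-IP rate limit at the victim throttles a NATed campus while leaving a large botnet of real addresses untouched) worked through as an added example. This code is not from the posts and not anyone's production filter; every address, timing, count and limit in it is constructed for illustration (TEST-NET prefixes for the ISP and the campus, 20,000 bots on distinct real addresses, a 5 req/s per-source token bucket):

```python
"""Added example: BCP 38 style egress filter at the originating ISP plus a
per-source-IP token bucket at the server, run over constructed traffic.
Nothing here is from the posts above; all addresses and numbers are made up.
"""
import ipaddress
import random
from collections import defaultdict

# Constructed: the originating ISP announces only this prefix (TEST-NET-3).
ISP_ANNOUNCED = [ipaddress.ip_network("203.0.113.0/24")]


def bcp38_permits(src, announced=ISP_ANNOUNCED):
    """Egress check in the style of BCP 38: forward a packet only if its
    source address lies inside one of the ISP's own announced prefixes.
    A bot using its real address passes this check by definition."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in announced)


def filter_spoofed(packets):
    """Apply the ISP-side check to a list of source addresses.
    Returns (forwarded, dropped)."""
    forwarded = sum(1 for src in packets if bcp38_permits(src))
    return forwarded, len(packets) - forwarded


class PerSourceLimiter:
    """Token bucket keyed by source IP: `rate` requests/second sustained,
    at most `burst` at once. The source address is the only key the server
    has, so every host behind one NAT address shares a single bucket."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self._tokens = {}
        self._last = {}

    def allow(self, src, now):
        tokens = self._tokens.get(src, self.burst)
        last = self._last.get(src, now)
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self._last[src] = now
        if tokens >= 1:
            self._tokens[src] = tokens - 1
            return True
        self._tokens[src] = tokens
        return False


def serve(requests, limiter):
    """requests: list of (timestamp, src, label). Returns a dict of
    label -> (served, throttled) and the peak requests/second that reached
    the application after the limiter."""
    counts = defaultdict(lambda: [0, 0])
    per_second = defaultdict(int)
    for ts, src, label in sorted(requests):
        if limiter.allow(src, ts):
            counts[label][0] += 1
            per_second[int(ts)] += 1
        else:
            counts[label][1] += 1
    peak = max(per_second.values()) if per_second else 0
    return {k: tuple(v) for k, v in counts.items()}, peak


def build_streams(seed=1):
    rng = random.Random(seed)
    # Constructed: a spoofed flood leaving the ISP with sources it does not
    # own (TEST-NET-1), plus 100 packets from the ISP's genuine customers.
    spoofed = [f"192.0.2.{i % 256}" for i in range(1000)]
    spoofed += [f"203.0.113.{i}" for i in range(100)]
    # Constructed: one campus NAT address, 50 users each making 1 req/s for 60 s.
    campus = [(t + rng.random(), "198.51.100.7", "campus")
              for t in range(60) for _ in range(50)]
    # Constructed: 20,000 bots on distinct, unspoofed addresses, 1 req/min each.
    bots = [(rng.random() * 60,
             f"100.{64 + i // 65536}.{(i // 256) % 256}.{i % 256}", "botnet")
            for i in range(20000)]
    return spoofed, campus, bots


if __name__ == "__main__":
    spoofed, campus, bots = build_streams()
    print("ISP BCP 38 filter (forwarded, dropped):", filter_spoofed(spoofed))
    counts, peak = serve(campus + bots, PerSourceLimiter(rate=5, burst=10))
    print("per-source limit, 5 req/s burst 10:", dict(counts))
    print("peak requests/second reaching the application:", peak)
```

The spoofed packets are all dropped at the ISP and the genuine ones forwarded, which is the case BCP 38 was written for. At the server, the campus address is throttled to roughly the bucket rate (about 310 of its 3,000 requests get through) while every one of the 20,000 bot requests is served, because each bot never exceeds one request per minute; the application still sees several hundred requests per second it cannot tell apart from real visitors.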

Comment Re:Needs improvement (Score 1) 73

Both have been in the news in recent years for falling into obsolescence where nobody was actually checking the code properly any more (because of a lack of developers) and both retained serious security flaws for many years.

And both have much more active development on their "Libre" equivalents (LibreSSL and LibreOffice) where those kinds of things are found and fixed pretty damn quickly and all the legacy cruft that nobody was looking at, let alone maintaining, is removed.

If you haven't seen the actual cause of Heartbleed and the Apache OpenOffice vulnerabilities, I suggest you go read up.

Comment Re:Compact Florescents would like a word (Score 4, Informative) 169

Fuck knows what shit it is that you're buying, but there's a CF replacement bulb in every socket in my house and I've literally never changed one.

The outdoors one is on from dusk to 11pm all year round and is a CF. Still going.

In fact, all that's happened is that I've started replacing the CFs with LED lights - and same thing there. Not one in the bin yet. In fact I've still got a box of 20 LED bulbs which are just waiting for the CFs to die but I don't get up on a chair to change them unless they do and NOT ONE has. In the same time, I've replaced 12 halogens and about 7 incandescents.

And I'm using the cheapest thing on Amazon that I can buy in bulk and is supplied in a direct-replacement for an existing bulb-shape.

Hell, I even replaced all the tiny little high-power halogens that were popular in light fittings with bigger-but-same-output LEDs that take 1/50th the power.

I honestly don't know what junk you're using or what's wrong with your house electrics, but CFs do what they claim, and so do LEDs.

Comment Weather (Score 1) 175

Little better than random chance, then.

Pisses me off that the biggest IT investments and supercomputers exist for meteorological purposes that perform little better than chance.

Though important, for shipping, air travel, etc. it's not THAT important to get a tiny little percentage over just looking around and thinking it's going to piss down in a moment, or sticking a box in the North that lets you guess how long until the same weather hits the South.

Just seems one enormous waste of money to me. And who exactly PAYS for their weather forecasts? Are airlines really paying millions of pounds a year to find out if the skies are going to be a bit rough?

Comment Re:Needs improvement (Score 2, Insightful) 73

I'd be MUCH more worried if said audit produced nothing at all.

The fact that the flaws are mostly in the new bootloader code - new, untested, complicated - is EXACTLY right. You don't need to use that bootloader, and TrueCrypt NEVER had that kind of bootloader (so the choice is nothing or VeraCrypt in that instance).

There is nothing to suggest that the people behind TrueCrypt were any better - their audit turned up stuff too, and that was YEARS and YEARS after their first releases. VeraCrypt code hasn't even had that amount of time to catch up.

So I don't see a problem. I've used both. TrueCrypt is going to stop working eventually - whether that's because UEFI bootloaders become ubiquitous, which is what MS are pushing for, or some other reason.

Where security is concerned, better a project that people are actively working on (i.e. looking for, and fixing, flaws) than something that was once secure stagnating because nobody is coding on it. Take OpenSSL and OpenOffice as the prime examples of this lately.

Comment Re:UK Cell Phone with No Caps? (Score 1) 242

What? Dozens of Wifi points in the middle of a residential and commerce centre in the middle of London? And the 4G? And nobody else notices and the next-door-neighbours go about their evening with no Wifi without saying a word?

Don't think so, somehow.

You know that point, where the bollocks you made up drifts from "plausible but stupid" into "yeah, right, sure"?
