
Comment This is where gov helps (Score 1) 164

No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

I see comments flipping out already about "how can government fix things?". Well, through stuff like fines. I've heard the FCC is investigating IoT type vendors. If the FCC can fine companies, or even ban them from selling products in the US until they meet a minimum standard, that will have a huge effect on these companies' behavior.

So far, they make cheap crappy things with crappy firmware, and users/customers aren't tech savvy enough to know how to pick a device with better security features. In fact, there's no way for even a professional to tell from the box or specs. So the company has made their money from you before you know it's bad. We need regulations and perhaps some gov/non-profit testing labs for these devices. Between regulations/fines, and some rating system to allow users to make the best decisions, we can change how the market behaves.

Comment Credit Scores Big Part - also Compounding (Score 1) 334

That's 29% interest. Who out there is actually offering student loans at 29% interest?

The interest rates any bank advertises always have asterisks next to them. The 3% or 5% you see marketed is only for people making certain incomes, with perfect (800+) credit scores, etc.

Someone with lower credit (~600 or under) easily gets a "penalty" of >10%. When they apply, they don't get 3% for a loan, they get 12-15%. Yes, they sometimes get maybe 20% interest. And what are they going to do about it? They have low credit, and no one will do better. Hell, finding the bank that even gives them the 20% loan is amazing. Most people with low credit scores don't have any ability to get credit; everywhere they go, they are told they are losers because their credit score is low and no one helps them. This is why payday loans have become a thing: banks have stopped serving an entire portion of the population that still needs loans for emergencies (the heater goes out, etc.) just like the rest of us. Except because of credit scores -- which are calculated by a proprietary formula we're not allowed to know, and are crazy hard and expensive to appeal even when the company makes a mistake -- they have to pay higher rates than the rest of us, contributing to a further debt spiral. It's really obscene and needs to end yesterday, but many elected officials such as Debbie Wasserman Schultz prop up the industry and profit from it.

Keep in mind that low credit DOES NOT necessarily mean someone made mistakes or defaulted on debt. If you are young, then your score relies heavily on your parents, and while the young person may have done nothing wrong personally, they immediately start life with a lower credit score because of the parents' mistakes. Even if both the child and parents did all the right things, there may still be trouble for them: the exact formula is proprietary and secret, but we know that things such as yearly income and how often you change jobs impact your score. In fact, NOT taking out debt and paying everything in cash actually HURTS your score! If you are a waiter without debt, you still will have low credit simply because you don't make enough money. Likely because banks don't like you if you don't usually take out debt or have lots of free money to take out the debt; the credit score is NOT a measure of how trustworthy you are, but rather a measure of how likely the bank will profit off of you. Credit scores should not be used to judge people for rental properties (becoming more common) or jobs, and probably not even most loans honestly. It's a false measure.

Also, the key word is compounding interest. The on-paper rate might be 15-20% or even lower, but since the interest is then added to the balance when calculating the next interest payment, you're paying interest on interest, making the effective rate numbers like 30% or higher. So even if you pay all of your minimums, the interest can still go up! To my knowledge, there are laws protecting mortgages from this sort of behavior (and other things like balloon payments...), but student loans do not have those legal protections. (In fact, student loans are the only type of loan you can't discharge in bankruptcy. Some jerk that bought a half million dollar house he couldn't afford can get that discharged, but someone with $50k in student debt can't.) My wife had a private loan that compounded daily. This wasn't from a loan shark either but a major bank, and she and her family had excellent credit. When she made a payment, the next day she already had interest racked up, and it was compounding. She was not told that up front. No other loan does that! Not a mortgage or anything. Again, it's a disgusting industry of middle men bankers taking advantage of people with the least money and least options.

tl;dr: compounding interest means the real rate is much higher than what is advertised, and poorer people (ITT's clientele) tend to get terrible interest rates to begin with. It's a predatory banking system that keeps the poorest of our nation that are trying to do the right thing (trying to go to school and better themselves and get better jobs, as everyone always tells them they should) in debt, so that banking executives make multi-million dollar bonuses. It's time we question bankers, and the politicians that enable and support this behavior, not the poor people they prey on.

Comment What packages don't work? (Score 0) 148

Python 2 is still maintained because developers aren't porting their code to Python 3.

It's 9 years later, at some point Python is going to have to give up on Python 3 and move on to a Python 4 that is backwards compatible with Python 2.

It's been quite some time since I've seen a Python package that doesn't work with Python 3. What packages do you use that aren't Python 3 compatible, at least through six or some layer?

At this point, any libraries that haven't been updated for 9 years to handle Python 3 are likely dead projects and you should consider migrating to newer packages with appropriate bugfix and security updates, rather than delaying Python 3. Python 3 is stable and great. Its handling of strings and binary data is much more consistent. And Python 3 has cool features like asyncio. Many large Python-based projects such as Django are phasing out Python 2 support completely over the next year or two, and I believe distros like Fedora are planning on replacing the system Python with Python 3 in the next couple of releases. It was a slow but stable transition. I'd say it was successful, not a failure.

Comment I don't understand the text security angle (Score 2) 46

Fully agree with potential problems of requiring a cell phone: not all people that use the system will have access to cell phones or text messages, for example. There's also the question of how to update your cell phone number in the system if it changes. Krebs seems to be focused on the creation of accounts, which allows you to register a phone number and lock others out (which gets back to that updating your number thing); that seems to be a potentially big problem, considering how many security breaches have leaked our SSNs and whatnot. If all I need is a name and SSN to initially register and get benefits, then the system needs a better way of verifying identity before allowing someone to apply.

But I don't understand the text message security complaint that is "more important". Two factor auth means I need *two* things. Even if someone were to intercept the text message (which I believe is difficult, requiring special equipment and proximity to the victim, but feel free to correct me), the point of the system is that nothing can be done with that text without also knowing the password. And if someone knows your password and text messages, then no system is going to prevent an intruder. I understand that NIST is working to update the recommendation (which is a good idea), but I feel like it's safer than not using 2FA (it at least requires attackers to do much more work!), and I'm sure when the NIST guidelines are finalized, other agencies will begin the move to the new recommendation too. It seems a mountain out of a molehill. Am I missing something?
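An added illustration of the "two things" point above, in Python; this is example code written for this page, not the commenter's, and not any real agency's login system. It models a minimal server-side SMS-style second factor: the password is checked first, and the texted code is only accepted when it is unexpired and unused and its hash matches. The function names (`issue_code`, `login`), the demo user and password, the salt and the five-minute code lifetime are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo data: one user with a PBKDF2-hashed password (not real credentials).
_SALT = b"demo-salt-not-for-production"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000)}

# Server-side state for the text-message factor: user -> {hash of code, expiry, used?}
# The server never stores the code itself, only its hash.
_PENDING = {}
CODE_TTL_SECONDS = 300  # assumption: a texted code is good for five minutes


def _hash_code(code):
    return hashlib.sha256(code.encode()).digest()


def issue_code(user, now=None):
    """Mint a fresh six-digit code for `user` and record its hash and expiry.

    The return value is what the SMS gateway would deliver to the phone;
    `now` is injectable so the flow can be exercised deterministically."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    _PENDING[user] = {"digest": _hash_code(code), "expires": now + CODE_TTL_SECONDS, "used": False}
    return code


def _password_ok(user, password):
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def _code_ok(user, code, now):
    entry = _PENDING.get(user)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False  # no code outstanding, already consumed, or expired
    if not hmac.compare_digest(entry["digest"], _hash_code(code)):
        return False
    entry["used"] = True  # single use: the same code cannot be presented twice
    return True


def login(user, password, code, now=None):
    """True only when BOTH factors verify. A code seen by a third party is
    worthless without the password, and a code is burned on first success."""
    now = time.time() if now is None else now
    if not _password_ok(user, password):
        return False  # the code is not even examined (or consumed) without the password
    return _code_ok(user, code, now)


if __name__ == "__main__":
    texted = issue_code("alice", now=1000.0)
    print("code alone:", login("alice", "guess", texted, now=1001.0))
    print("both factors:", login("alice", "correct horse battery staple", texted, now=1001.0))
    print("replayed code:", login("alice", "correct horse battery staple", texted, now=1002.0))
```

The checks that make a leaked code low-value live entirely on the server: hashing at rest, the short lifetime, single use, and refusing to evaluate the code until the password has verified, which also keeps a bad password from burning a legitimate code.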

Comment Yes exactly, maths results (Score 5, Insightful) 387

But string theory is different. Although it has not been a success phenomenologically, it has led to many beautiful results in mathematics and field theory, such as Mirror Symmetry and AdS/CFT. Further research in string theory is definitely worthwhile, and Lee Smolin is unreasonably biased against it.

Yes, string theory is a bit different in that it hasn't been able to make any testable predictions, which makes it non-science. Science is based on the idea of experimental evidence, and falsifiability. It isn't science, it isn't physics.

Now it very well may have some beautiful results in mathematics. Maybe it will have applications and effects on topology, cryptography, who knows. But those things are mathematics, not science.

I tend to agree with Smolin that string theory, as currently presented (and as I understand it), is not a scientific theory, even though it is interesting and deserves its own mathematical research. The problem is, string theory gets the ratings, so we have more cosmologists and string theorists as professors of physics, taking the few positions (and associated funding!) away from people that want to be true experimental physicists. That's where the semi-outrage is.

Comment Depends what you mean (Score 2) 443

Except Windows 10 is not a security update: the computer in question had Windows 7, which is still in extended support and will still get "proper" security updates until 2020.

Yes, Windows 7 will get security updates in the form of patches that correct already known defects. Bandaids, in some sense.

Windows 10 has a list of actual security improvements, not just bandaids. Better ASLR and DEP, better support for hard drive encryption, a more secure default browser, and other goodies. Microsoft maintains a page of Windows 10 security improvements over Windows 7/8. In theory, Windows 10's features mean a reduced attack surface. Maybe it still has issues but it is certainly more hardened than Windows 7 in general.

I'm sympathetic to both sides. I don't like things being pushed on people; it's their right to decide what to do with their own property, and maybe they have special needs that require an older version of Windows (some mission-critical software is known to have bugs on 10 for example).

But I also know that Microsoft is trying to improve the security of its products and the Internet as a whole by trying to get everyone updated. They don't want Windows 7 to be a repeat of people clinging to Windows XP, clinging to old technologies that are broken when new tech/implementations are available to prevent security problems. Not just security, but also think features: new protocols might be developed that weren't supported in the old OS, and so until the majority of the Internet moves on, that protocol can't be rolled out. Many computer users are pretty clueless and need automatic updates for that reason, or they'll never do it themselves, and bring down the security of the Internet as a whole. Of course, it doesn't help that Microsoft's marketing team wants to take advantage of the security updates by also collecting info and all that stuff.

I hope we can find a good balance between the competing interests soon.

Comment Loser Pays Isn't Justice (Score 1) 571

Loser pays would also make it basically impossible to sue any entity that has more money than you. The risk would be far too great, even if you had a legitimate dispute.

Let the judge award "loser pays" only after meeting a high threshold. Such as in situations where no rational person would consider it a legitimate dispute.

I agree. In the state of Pennsylvania, state cases have a loser pays provision. You pay a filing fee but will get it awarded back to you if you win your case, as well as reasonable legal fees, etc. Without going into the whole crazy story, I found myself suing an old landlord for damages. While I won the initial case, the landlord was able to appeal... and appeal again after that. I couldn't keep paying the attorney fees to keep going further and so ended up settling, which cost me something like a net $1500, rather than winning the $1500 in damages I was hoping for. While that may seem small to some of you, at the time I was basically making minimum wage and used my savings to do it. It wasn't sustainable. Based on that experience, I'd only go to court if I knew I was able to fight all the way to the top state courts, because that's pretty much what you're in for if your opponent has money.

If you're on minimum wage and can't pay the up front filing fees and attorney fees, you're screwed. In principle, you'd get it back -- but how are you going to get the money to initiate it in the first place? And what happens if you do end up losing? The poor in our country get no justice.

Comment Free Software Is Necessary (Score 4, Insightful) 564

This is exactly why free software (in the vein of what Richard Stallman calls for) needs to be supported. *YOU*, the user, must own complete control over your computer and the software it runs, not developers (much of the more liberal open source licenses are about developer rights, not user rights -- big difference!) or corporations.

I know many of you would object, "But I bought this computer, it's not Microsoft's!". Well, I wholeheartedly agree, but the thing is, Windows being proprietary closed source means that Microsoft has a claim to intellectual property rights. Microsoft believes that you license Windows, not own it. Essentially, they still own the software on your computer. Again, I know that *you* disagree, but it kinda doesn't matter what you think -- Microsoft has money and lawyers and they push for the outcome they want. Which is to own your computer. And if they own it, they're technically allowed to do whatever they want with it, including forced upgrades. That is the nature of licensing agreements -- you agree to their licensing rules, which means they can do whatever they want.

If this bothers you, switch to a free software OS. Some flavor of Linux or even BSD. Get involved in the free software community, both the technical community (making more/better free software) and the political community (that lobbies for changes to copyright law, tries to get government to adopt open standards, etc.). We have to fight back, or you can expect more behavior like this from Microsoft, Apple, etc., in the future.

Comment Yes, It is a Law (Score 1) 476

There is absolutely no law banning communism, just like there is no law saying you can't put a white sheet over your head and march down the street with the KKK.

How in the fuck is this scored Insightful?

It's Insightful because it's unfortunately true. Check out this gem of American history: the Communist Control Act of 1954. You can also download the text from the Government Publishing Office. It very explicitly states that, according to law, anyone in the Communist Party is considered to be attempting to overthrow the government, and shall be punished according to the law of the Internal Security Act of 1950.

Now you might be able to make the claim that if you generally believe communist principles but aren't part of the established Party, this won't apply to you. But I think that effectively takes away your rights to organize, does it not? Still effectively a ban on the idea, if nothing else.

Comment MITRE CVE is not everything (Score 4, Informative) 34

They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.

MITRE itself has a list of things it thinks deserve CVE IDs; see that list for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.

The takeaway is that lots of products have vulnerabilities but never receive CVEs or are never included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF as a primary example).

It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.

Comment Full Text of 2nd Amendment (Score 1, Informative) 663

They absolutely were. "the right of the People to keep and bear arms shall not be infringed." That's the limit on government. They're ignoring the limit. It couldn't be any more obvious. Your right to carry was infringed by coercive action of the federal government. How hard is that to figure out, really?

The full text of the 2nd Amendment is as follows:

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

So many people always forget the first half. The amendment specifically states "well-regulated", meaning it is within the powers of the federal government to regulate militias and arms. Taken in context in the 18th century, "well regulated" probably means something closer to "well trained", but still, it is obvious that arms are meant to be regulated and dispersed through trained militias, and not just any random jerk has a gun. Especially because today's guns can do substantially more damage than the guns did when the amendment was written.

I'm all for a conversation on what the appropriate level of regulation and training is. I don't think anyone really argues that guns should entirely disappear. But we need reasonable limits, not a free-for-all on weaponry, and the amendment supports that as a federal power. Please stop spreading misunderstanding.

Comment Universities expect research money (Score 2) 51

Quality education requires a chalk, a blackboard, and some notebooks (the paper kind). You don't need researchers for education — you need professors. Researchers you get for free — they are called "grad students". And as soon as they can find gainful employment, you replace them with new ones.

The purpose of a university is to teach — any research done is coincidental to that primary purpose.

I once thought as you did. Mind you, not that I'm disagreeing with you, but rather the reality of the situation.

As someone that once tried to become a professor and navigate the academic system, I can say from direct experience that you will not become a professor unless you have a very strong research resume and are involved in research (meaning, you regularly apply for and receive grants from the federal government, etc.). When you interview, you come in to meet the department and explain your research interests; it's not very focused on your teaching style (you have to fill out a "teaching philosophy" statement, but I think it's mostly a formality). The university administration expects to see dollar signs flow in, and so the emphasis is on bringing in dollars. In your more STEM-related fields that don't have as many students (as compared to, say, the business school), since you don't have enough students to bring in significant tuition dollars, they expect significant research dollars or threaten to downsize your department (yes, this happened at one university I worked at for a while).

The result of this system is that a very large number of university professors have little to no interest in teaching (I've had a few in school that were outright hostile to the idea of teaching, and acted like children when the department assigned them classes), and the teaching actually gets shoved off on to the teaching assistants. The TAs are of course also expected to do research and work on a dissertation, so we're talking 80 hour work weeks in some scenarios, which they have to put up with in order to graduate. Big name schools aren't really worth it, particularly at the bachelor's level, because many of your classes will be taught by TAs, or if you're lucky, you will get an upper-level class taught by a professor that thinks that teaching undergraduate classes is beneath him (again, personal experience).

In some ways, CMU's students might be better off if professors that wanted to be researchers bailed ship. In theory, people focused on teaching could be hired... but then again, I sadly know better than that. I hope it changes in the future, but right now, quality education is really at the end of the priority list for all higher education in the country. I am glad to be away from academics.

Comment Budget is required for priorities (Score 5, Insightful) 644

Given they're trying to speak on behalf of many others that like as not don't feel as they do, it seems disingenuous. Besides, nothing is stopping them from giving more if they really feel that strongly about it.

Nothing disingenuous about stating your own opinion that you'd be ok with higher taxes. The operating assumption of most politicians, especially in the GOP, is that "TAXES ARE EVIL!", so if you remind them that not everyone feels that way (at least if taxes are going to a good purpose), that's your right as a citizen. Feel free to disagree and write your own letter, but in the case of these millionaires, they wanted to point out that the assumption that all rich people don't want tax increases is wrong.

While you can write a check to the Treasury if you really felt like it, it's a bit moot if there isn't an accompanying budget. What is preferable is that a tax rate is set that funds a certain budget with a set of priorities, so you know for sure that the law requires your extra tax money go to pay for education, roads, etc., rather than going into a US Treasury slush fund that is used for who knows what, including probably tax rebates for corporations that don't need them. The letter is not just asking for tax increases, but asking for a budget that prioritizes these services and raises taxes as a way to pay for it.

Comment CVSS is not always accurate (Score 1) 139

The CVSS score is a medium of 6.1 for the CVE. So this isn't as bad as Heartbleed

First, Heartbleed was actually a 5.0 base score, so this is more serious if you go strictly by CVSS score (which is not necessarily advisable). Reference.

Second, CVSS scores are based on a certain formula and a small set of conditions; in particular, vulnerabilities are scored based on their immediate impact and not necessarily things that occur down the line. In other words, CVSS base scores do not include environmental metrics (there is a CVSS environmental score, but almost no one uses it except for CERT). So looking only at the base score is not always a good indication of severity; possibly it's a good first approximation, but it's good to look into the details too. Since glibc is part of pretty much everything out there, this is a pretty serious issue.

Comment Languages have different features (Score 1) 121

why we can't use C++ and C++ style derivatives for compiled code (cross compiled to many platforms), and then for interpreted needs use javascript, python, or whatever floats your boat on top?

There's some interesting languages out there with other features. Haskell comes to mind, as a pure functional language. It's not just pretty syntax, but a different way of thought that provides some features and power that C++/Java style imperative languages can't match. They're so different that you need different compilers really. You can't always write a Haskell program and "translate" it to C++, certainly not without re-architecting. Of course, there may be things an object oriented style is better suited for too, but just pointing out that some languages have different paradigms and therefore contribute new ideas to software development. That sort of exploration and research I think is important. I don't think we should be so quick to assume Java/C++/Python/whatever is the only language that is ever needed (which maybe is not what you meant, so I don't mean to attack your comment, just writing a thought that popped in mind based on yours).

A large amount of the languages these days seem to be more "domain-specific", that is, not very different from some underlying language, just adding some syntactic sugar for some specific problem or complaint while ignoring other drawbacks. I suppose that iteration is good though, as it's catching the most important -- and serious? -- errors and making it easier to avoid those problems. I'm partial to investigating totally new concepts to see if we can build more resilient and secure software than to keep iterating what is already known to have drawbacks, but it's probably good that we do research from both ends -- incrementally improve what we have to take away certain known bugs and get it out the door *now*, while researching new ideas that perhaps will do away with whole classes of bugs for good (as well as make more powerful software in general).
