
Comment Re:For variable values of "practical" and "relevan (Score 2) 138

This can only be done with a collision attack if the CA is really, really stupid. Proper CAs should include chain-length restrictions in their certificates.

Please correct me if I'm wrong, but it appears that most CAs are really, really stupid. Here's a list of the CAs included in Firefox: https://mozillacaprogram.secur... . I split the PEMs into a pile of files, and checked them:

$ for pem in * ; do openssl x509 -text -in "$pem" | grep pathlen ; done
        CA:TRUE, pathlen:4
        CA:TRUE, pathlen:1
        CA:TRUE, pathlen:1
        CA:TRUE, pathlen:7
        CA:TRUE, pathlen:7
        CA:TRUE, pathlen:3
        CA:TRUE, pathlen:5
        CA:TRUE, pathlen:12
        CA:TRUE, pathlen:12
        CA:TRUE, pathlen:12
        CA:TRUE, pathlen:12
        CA:TRUE, pathlen:3
        CA:TRUE, pathlen:10
        CA:TRUE, pathlen:3

So out of 172 root CAs only 14 include any path length restrictions, and even the ones who do still allow some chaining. This is what allowed the beautiful Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate to succeed.

I don't think the SHApocalypse will be tomorrow. This was an identical-prefix attack instead of a chosen-prefix which constrains the attacker considerably, and the computation required is much higher even to generate simple collisions. However, (again, please correct me if I'm missing something) it does seem plausible that further weaknesses will be found which provide just enough leverage to forge a signature with one of those 172 CAs, and we may eventually see a rogue sha1WithRSAEncryption CA issued.
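
How a validator enforces the pathlen values listed in the comment above, as an added example that is not part of the original comment: the path-length bookkeeping from RFC 5280 section 6.1.4 in Python, run over constructed chains. The Cert class, the names and the chains are made up for illustration, and applying the root's own pathlen is an assumption (a validator may ignore constraints on a trust anchor).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    pathlen: Optional[int] = None  # None: no pathLenConstraint in the certificate


def check_path_length(anchor: Cert, chain: List[Cert]) -> Optional[str]:
    """chain runs from the cert issued by the anchor down to the end entity.
    Returns None when the path length rules are met, else the reason."""
    max_len = len(chain)  # RFC 5280 initial value: effectively unlimited
    if anchor.pathlen is not None:  # assumption: the root's pathlen is enforced
        max_len = min(max_len, anchor.pathlen)
    for cert in chain[:-1]:  # every cert above the end entity is acting as a CA
        if not cert.is_ca:
            return f"{cert.subject}: issued a certificate without CA:TRUE"
        if cert.subject != cert.issuer:  # self-issued certs do not use up depth
            if max_len <= 0:
                return f"{cert.subject}: path length exceeded"
            max_len -= 1
        if cert.pathlen is not None and cert.pathlen < max_len:
            max_len = cert.pathlen
    return None


def demo() -> dict:
    # Constructed chain: the second entry is a CA certificate sitting in the
    # slot where the issuing CA only ever meant to sign end-entity certificates.
    def chain(issuing_pathlen):
        return [Cert("Issuing CA", "Root", True, issuing_pathlen),
                Cert("Unexpected CA", "Issuing CA", True),
                Cert("www.example.test", "Unexpected CA", False)]
    return {
        "no pathlen anywhere": check_path_length(Cert("Root", "Root", True), chain(None)),
        "root pathlen:1": check_path_length(Cert("Root", "Root", True, 1), chain(None)),
        "root pathlen:4": check_path_length(Cert("Root", "Root", True, 4), chain(None)),
        "issuing CA pathlen:0": check_path_length(Cert("Root", "Root", True), chain(0)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} -> {verdict or 'accepted'}")
```

Only the pathlen:1 root and the pathlen:0 issuing CA reject the extra CA level; an unconstrained root and a pathlen:4 root both accept it.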

Comment Re:One word: Cowardice (Score 1) 146

not in the same universe as what can be achieved with an external DAC

Having a phono jack does not prevent you from using an external DAC. I do it with my Android phone all the time: USB-OTG adapter + USB DAC. It switches over automatically and works great... But when I don't have a DAC and I just want to connect to a car's line-in, the 3.5mm jack is still there for me.

Comment Re:Not all rosy (Score 2) 154

I suggest you look at cgroups. Instead of relying on the processes to play nice with resources, you can specify the resources you want allocated to each user. For instance, if each user has cpu.shares=1024, then it'll fully balance - if user A starts an old firefox and it's running singlethreaded, and user B starts a new firefox and it spawns 50 processes, you'll see user A's process consuming 50% of CPU, and user B's flock consuming 1% CPU each.

In this way you specify what you want to achieve (user B doesn't steal all the CPU making life suck for user A), instead of how to achieve it (singlethreaded software, and relying on users to not run more than one copy). It's easier and more efficient.

The other cool part: this may already be set up for you. On my Ubuntu 14.04 system this is all done by default when I log in.

Comment Re:Shocking (Score 3, Interesting) 289

People perceive high-density products as high-quality, and low-density products as cheap plastic crap. Numerous products have included weights for this reason... take a look inside your mouse. People want their phones and laptops to be light so they don't have a brick in their pocket or backpack. Light * high density = low volume. They don't want to reduce the screen size, and bezels are already minimized, so the only option to reduce volume is to make it thin. Of course, once they make it thinner the advertising department will hype that feature, but the real driver is density.

Comment Re:Holy flamebait batman! (Score 1) 917

That's just over $10,000 per citizen. Is that even a subsistence wage?

It's closer than you might think. If you have a wife and two kids, that's $40,000... That's only a little under a median household income. Perhaps kids pay out less, but that raises the amount available for adults.

If you're single you pick up a couple roommates, just like people working minimum wage jobs already do.

Also, the amount paid out is related to income. If you implemented a $10,000 UBI, plus a 25% universal flat tax, you would only receive the full $10,000 if you had $0 earned income. If you're earning $40,000, your net UBI/tax is $0. With $80,000 earned income you'd have $10,000 net tax. So you're not paying out $10,000 to every citizen.

With the nice round numbers above and $57,220 income per capita, the average tax will be $(57,220 - 10,000) * 0.25 = $11805. That results in 20.6% revenue/GDP. That's a little high, but it's completely plausible. You can nudge the variables a little and end up with a very reasonable scenario.

Comment Re:Ya know... (Score 1) 116

Most Android phones are like that because most people just don't care. They're not the only option though. If you buy a bootloader-unlocked phone you can run straight-up open source software on it. You can optionally install the Google apps on top, but AOSP is a fully functional baseline setup - phone, web, mail, SMS, etc - with no lock-in. You can download the whole thing as source, build every bit yourself, and load it on your phone.

You'll want to stick to models with strong community support. Anything "Nexus" will have solid community support for a long time. Other popular models tend to have okay support for at least a few years. If you go off the beaten path you can still hack and patch it yourself.

Comment Re:Microsoft is relentless in being obnoxious late (Score 2) 118

Microsoft wants you to use Edge and wants their settings to stick. Why are you obviously purposefully reverting their settings? They go out of their way to create a normal default setting and you switch it back. Many times this has happened. There's no excuse for this horseshit.

FTFY.

Comment Re:The duck quacked (Score 1) 285

I come here to see the news picked apart in the discussions, not to get the latest breaking headlines. I therefore find either a paywalled link (so I can't RTFA), or a discussion about a previous paywalled link which doesn't match the article I'm reading.

However, thank you for taking the time to answer us. I'm more optimistic for Slashdot's future knowing that you've given thought to this and are making a reasoned decision.

Comment +1 for Mairix (Score 2) 177

After trying several solutions I settled on Mairix. Searches are screaming fast (less than a second to search several hundred thousand emails), indexing is fast, it's reliable (no problems in the 5+ years I've been using it), and the search language is easy and flexible.

* I use procmail to send a copy of everything to an archive, rotated monthly
* The archive is therefore just a handful of mbox files
* I have a cron job to run "mairix -Q" every 5 minutes, and "mairix -p" nightly
* I have this in my .bashrc: "function search() { mairix -o $$ $* && mutt -f ~/Mail/$$ ; rm ~/Mail/$$ ; }"
* And here's my .mairixrc:


base=~/Mail
database=~/.mairixdb
mbox=archive-*
mformat=mbox
omit=spam

With the above, I can find:

* everything from slashdot in the last two months: search f:slashdot d:2m-
* any emails I sent containing "squishy" in the body: search f:subreality b:squishy
* messages with "password" or "passwd" or similar in the subject: search s:passw=
* get a quick summary of the search language: search -h

It's so good that I download all my email from my work Gmail account so I can search it... sometimes Google's search just isn't precise enough to find what I need.

Comment Censorship is not the answer (Score 2) 452

Creating a widespread system of censorship is not the right approach:

1) It violates the principles the United States was founded on.
2) Suppressing the free flow of information deprives people of the liberty to make their own informed decisions.
3) When other opinions are squelched, the communication channel becomes a propaganda channel and loses all credibility.
4) This infrastructure will be abused. Now, ISIS. Next, common criminals. Eventually, dissidents.
