Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
As the Web Turns 25, Sir Tim Berners-Lee Calls For A Web Magna Carta
Today marks the 25th anniversary of Tim Berners-Lee's "Information Management: A Proposal," containing the ideas that led to the World Wide Web. From its humble beginnings as a way to store linked documents at CERN to... well, you're reading this now. To celebrate, the W3C is encouraging people to post their birthday greetings. Quoting Tim Berners-Lee: "In the following quarter-century, the Web has changed the world in ways that I never could have imagined. There have been many exciting advances. It has generated billions of dollars in economic growth, turned data into the gold of the 21st century, unleashed innovation in education and healthcare, whittled away geographic and social boundaries, revolutionised the media, and forced a reinvention of politics in many countries by enabling constant two-way dialogue between the rulers and the ruled." Martin S. and JestersGrind both wrote in to note that Tim Berners-Lee is calling for the creation of a Web Magna Carta. Again Quoting Tim Berners-Lee "It's time for us to make a big communal decision," he said. "In front of us are two roads - which way are we going to go? Are we going to continue on the road and just allow the governments to do more and more and more control - more and more surveillance? Or are we going to set up a bunch of values? Are we going to set up something like a Magna Carta for the world wide web and say, actually, now it's so important, so much part of our lives, that it becomes on a level with human rights?" How has the rise of the web affected your life? Also check out the CERN line mode browser simulation of the first web site. -
How St. Louis Is Bootstrapping Hundreds of Programmers
itwbennett writes "The MOOC (massive open online course) failure rate is notoriously high — only 1% of people who take the beginning computer science programming class, CS50, that Harvard offers over the EdX online platform complete it. A new effort in St. Louis called LaunchCode is changing that — and solving the city's programmer shortage. For the past several weeks, about 300 hardy souls have been gathering in a downtown St. Louis library to listen to the CS50 lectures and work together on the various programming problem sets. But the support offered by the all-volunteer run LaunchCode doesn't end with meet space. They're also doing an end-around on the traditional coder hiring process by pairing the students who complete the course with experienced programmers in one of more than a 100 tech companies who are looking for talent." -
IAU To Uwingu: You Can't Name That Martian Crater Either
RocketAcademy writes "The International Astronomical Union has thrown a tantrum over a plan to crowdsource names for craters on Mars. The IAU gives official scientific names to craters, but it has only bothered with craters that have 'scientific significance.' The science-funding platform Uwingu has launched a campaign to come up with popular names for the remaining craters. For as little as $5, a member of the public can name one of the craters on Uwingu's map, with the proceeds going to fund space science and education. This caused the IAU to issue a statement condemning such crowdsourcing efforts. The IAU pointed out that it did allow the public to vote on names for two of Pluto's moons, in the past. In that case, however, the IAU rejected the winning name (Vulcan)." Last year, the IAU got into a spat with Uwingu over naming exoplanets. Sounds like the old name a star scam, on Mars. -
Calif. Court Orders Preservation of Disputed NSA Phone Records
An anonymous reader writes with this snippet from a report at PC World: "A court in California has prohibited the destruction of phone records collected by the government until further orders, raising a potential conflict with an order last week by the secret Foreign Intelligence Surveillance Court in Washington, D.C. Judge Jeffrey S. White of the U.S. District Court for the Northern District of California ordered Monday the retention of the call details in two lawsuits that have challenged the U.S. National Security Agency's program for the collection of telephone metadata. A number of lawsuits challenging the NSA program have been filed by privacy and other groups ... On Friday, Reggie B. Walton, presiding judge of the FISC, denied a motion from the Department of Justice that the current five-year limit for holding phone metadata should be extended indefinitely as it could be required as evidence in the civil lawsuits challenging the program." -
Apple Demands $40 Per Samsung Phone For 5 Software Patents
An anonymous reader writes "Apple and Samsung couldn't agree on a patent cross-license even though their CEOs met recently. What could be the reason (or one of the reasons) is that Apple is asking for obscenely high patent royalties. At the March 31 trial an Apple-hired expert will present to a California jury (already the third jury trial in this dispute) a damages claim of $40 per device (phone or tablet) for just a handful of software patents. The patents are related to, but don't cover all aspects and elements of, functionalities like slide-to-unlock, autocorrect, data synchronization, unified search and the famous tap-on-phone-number-to-dial feature. Google says there are 250,000 patentable inventions in a smartphone. On average, Apple wants $8 per patent per device. That would add a patent licensing bill of $2 million to each gadget. So Apple and Samsung will be back to court again later this month." -
Volkswagen Chairman: Cars Must Not Become 'Data Monsters'
Nerval's Lobster writes "While automakers from Tokyo to Detroit rush to sprinkle their respective vehicles with all sorts of sensors and screens, the chairman of Volkswagen Group has warned about the limits of data analytics for automobiles. 'The car must not become a data monster,' Martin Winterkorn told an audience at the CeBit trade show in Germany, according to Re/code. 'I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother.' At the same time, Winterkorn endorsed a closer relationship between tech companies such as IBM and the auto industry, and highlighted Volkswagen's experiments with autonomous driving—both of which will necessarily infuse automakers (and his company in particular) with more data-driven processes. The question is which policies from which entities will ultimately dictate how that data is used. Winterkorn isn't the first individual to voice concerns about how automakers (and their partners) store and analyze all that vehicle data. At this January's Consumer Electronics Show (CES) in Las Vegas, a Ford executive drew considerable controversy by suggesting that Ford collects detailed information on how customers use its vehicles. 'We know everyone who breaks the law, we know when you're doing it. We have GPS in your car, so we know what you're doing. By the way, we don't supply that data to anyone,' Jim Farley, Ford's global vice president of marketing and sales, told show attendees. Farley later attempted to clarify his statement to Business Insider, but that didn't stop a fierce debate over vehicle monitoring—and certainly hasn't stopped automakers and tech companies from collaborating over more ways to integrate data-centric features to vehicles." -
Volkswagen Chairman: Cars Must Not Become 'Data Monsters'
Nerval's Lobster writes "While automakers from Tokyo to Detroit rush to sprinkle their respective vehicles with all sorts of sensors and screens, the chairman of Volkswagen Group has warned about the limits of data analytics for automobiles. 'The car must not become a data monster,' Martin Winterkorn told an audience at the CeBit trade show in Germany, according to Re/code. 'I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother.' At the same time, Winterkorn endorsed a closer relationship between tech companies such as IBM and the auto industry, and highlighted Volkswagen's experiments with autonomous driving—both of which will necessarily infuse automakers (and his company in particular) with more data-driven processes. The question is which policies from which entities will ultimately dictate how that data is used. Winterkorn isn't the first individual to voice concerns about how automakers (and their partners) store and analyze all that vehicle data. At this January's Consumer Electronics Show (CES) in Las Vegas, a Ford executive drew considerable controversy by suggesting that Ford collects detailed information on how customers use its vehicles. 'We know everyone who breaks the law, we know when you're doing it. We have GPS in your car, so we know what you're doing. By the way, we don't supply that data to anyone,' Jim Farley, Ford's global vice president of marketing and sales, told show attendees. Farley later attempted to clarify his statement to Business Insider, but that didn't stop a fierce debate over vehicle monitoring—and certainly hasn't stopped automakers and tech companies from collaborating over more ways to integrate data-centric features to vehicles." -
Crowdsourcing Confirms: Websites Inaccessible on Comcast
Bennett Haselton writes with a bit of online detective work done with a little help from some (internet-distributed) friends: "A website that was temporarily inaccessible on my Comcast Internet connection (but accessible to my friends on other providers) led me to investigate further. Using a perl script, I found a sampling of websites that were inaccessible on Comcast (hostnames not resolving on DNS) but were working on other networks. Then I used Amazon Mechanical Turk to pay volunteers 25 cents apiece to check if they could access the website, and confirmed that (most) Comcast users were blocked from accessing it while users on other providers were not. The number of individual websites similarly inaccessible on Comcast could potentially be in the millions." Read on for the details.My first clue came when a friend of mine set up the website http://www.helpmatt.org/ and asked her friends to donate. I said the website appeared to be down; they replied back that it was working fine for other people — and I narrowed it down to Comcast DNS servers not resolving the hostname www.helpmatt.org correctly. When I accessed the same website over my Frontier DSL connection, it worked. (I had recently signed up for Comcast cable Internet to save money over DSL, but I kept my DSL connection "just in case" something went wrong. At the time, I thought maybe I was being paranoid -- how hard could it be for a cable company to just run a straight Internet connection to my house and not screw anything up? Hollow laugh.)
I put out an informal survey to my Comcast-using friends, and a few of them said they couldn't access the website either. Still, I thought, this wasn't enough evidence that it was Comcast's fault; maybe the hostname was only resolving intermittently, and just by sheer coincidence it happened to be up when all of my non-Comcast-using friends tried it? I was about to do a more formal experiment, and recruit a larger sample of testers through Amazon Mechanical Turk to test whether the site was inaccessible to other Comcast users, when the problem spontaneously fixed itself and suddenly the website became accessible 100% of the time to everyone.
But, my curiosity had been piqued. Was there something wrong with Comcast's DNS servers -- whether deliberate or not -- that was causing other websites not to resolve correctly? I wrote a perl script to take a sample of websites -- part of the same list that I had used to find websites that were mis-blocked as 'pornography' by Smartfilter — and attempt to resolve them using both Comcast's main DNS server (75.75.75.75) and one of Google's public DNS servers (8.8.8.8). (You won't be able to do this experiment yourself unless you have a Comcast Internet connection, because while Google's DNS servers accept queries from anywhere, Comcast's DNS servers will refuse queries from any IP address not assigned to one of their customers.)
The script ran through a few hundred hostnames and flagged anything that failed to resolve on Comcast but resolved correctly on Google, although most of these were false positives caused by Comcast's DNS servers being temporarily unresponsive. But after running through the list of false-positives repeatedly, I found the first website that consistently failed to resolve on my Comcast Internet connection while resolving on Google: http://www.021yy.org/.
The website is for a second-hand furniture store in Shanghai; I have no idea what the domain "021yy.org" has to do with the business. (Perhaps the IP address that the domain name resolves to used to be occupied by a different website, and that IP address was inherited by the furniture store but the old hostname still points to it.) The hostname www.021yy.org resolves to the IP address 116.251.210.33 (for *ahem* non-Comcast users, that is), which according to the Asia Pacific Network Information Centre is part of a block of IP addresses assigned to a hosting company in Singapore. I'm not blocked from accessing the IP address of the website over Comcast; I can ping and send web requests to the IP address 116.251.210.33 with no problem. Only the hostname fails to resolve. (I can still access the site by using a VPN or a proxy server.)
So, I created a survey on Amazon Mechanical Turk, asking people three questions:
- Can you access the website http://www.021yy.org/?
- If you can't access the site, what error message does your browser give you?
- What provider are you using?
and offered 25 cents to every user who filled out the survey, up to a maximum of 50 people. Amazon Mechanical Turk, if you've never used it before, lets you create low-payment tasks and outsource them to a crowd of workers. Like any simple and powerful tool, it can be used for purposes that the original creators probably never imagined (presumably including this experiment), and someday I'd like to look into the most creative and bizarre things people have done with it. (Although, in this case, it seems like the site may not have done a great job of matching this task with available workers. Only 20 people filled out my survey in the 24 hours after I created it -- surely, out of all the available Mechanical Turk workers, there were more than 20 people who would have been interested in doing a simple website accessiblity check for 25 cents?)
20 unique users filled out the survey and reported:
- Out of the 14 non-Comcast users, 100% of them were able to access the site.
- Out of 6 Comcast users, 4 of them were blocked from accessing the site, and reported errors symptomatic of DNS failures ("Oops! Google Chrome could not find www.021yy.org" or "Server not found. Firefox can't find the server at www.021yy.org").
Even with such a small sample, that's enough to conclude that it's not a coincidence. (The real question is how two out of those six Comcast users were able to access the site at all. Maybe they're in a region of the country that's assigned different DNS servers. If I did the survey again, I'd ask people to include where they were living.)
So Comcast users -- at least some of them, probably most of them -- are blocked from accessing certain websites, which are perfectly accessible to users on other providers. I "only" had to test a few hundred domain names before finding one that would consistently fail to resolve on Comcast while resolving successfully on other companies' nameservers. With hundreds of millions of distinct websites "out there," if the same proportion holds, that would suggest that there about a million or more websites similarly affected. And that's not even counting all the other sites — like helpmatt.org, and also including some of the sites in my sample — which apparently resolve 100% of the time on other providers while sometimes failing to resolve on Comcast, but where the failure was not consistent enough to use them as a test case for the Mechanical Turk survey.
Unlike, say, the kerfuffle over Comcast threatening to de-prioritize content delivery from websites that don't pay them a fee, it's unlikely that Comcast is meddling with traffic intentionally here (especially since the sites' IP addresses are not blocked). It's more of a demonstration that if a company is sufficiently big and if it's sufficiently hard to prove that a problem is being caused on their end, the problem can exist for a long time without being solved. I called Comcast tech support after I discovered that sites were blocked on their network but not on other providers, and said that the problem really needed to be brought to the attention of the higher-ups, but tech support was adamant that it was impossible for a member of the public to reach anybody higher up than the call center.
Even if the number of affected sites is huge, at least it's only a small percentage of websites — I did have to run my script on a few hundred sites before I found one that appeared to be resolving on other DNS servers but not on Comcast. But that likely would have provided scant comfort to my friends who set up the helpmatt.org site, when they were urging people to visit the site and donate, and 25% of potential visitors were unable to reach the page. When it's your website, it's kind of a big deal.
-
Interviews: Ask Larry Augustin What You Will
Former chairman of VA Software and venture capitalist, Larry Augustin, co-founded VA Research in 1993 and was one of the driving forces behind the creation of Sourceforge. VA bought Andover.net in 2000, acquiring a number of media sites, including Slashdot. He serves on the board of several companies and is currently the CEO of SugarCRM. Larry has agreed to take some time and answer your questions about the world of venture capital, open source software, and surviving the dotcom bubble. As usual, ask as many as you'd like, but please, one question per post -
Major Wikipedia Donors Caught Editing Their Own Articles
An anonymous reader writes "As reported before on Slashdot, one of the most terrible sins on Wikipedia is to edit articles for pay, or otherwise violate the 'neutral point of view' policy, per their co-founder Jimmy Wales. And yet, the Wikipedia-criticism website Wikipediocracy recently began a study showing that dozens of the Wikimedia Foundation's largest cash donors have violated that policy. Repeatedly, and wantonly. In short, they wrote articles about themselves or their companies, then gave the WMF big donations — and were not confronted about violating the NPOV policy." Do the proposed TOS changes address this? Note that they also found that many of the donors adequately documented their conflict of interest. -
Major Wikipedia Donors Caught Editing Their Own Articles
An anonymous reader writes "As reported before on Slashdot, one of the most terrible sins on Wikipedia is to edit articles for pay, or otherwise violate the 'neutral point of view' policy, per their co-founder Jimmy Wales. And yet, the Wikipedia-criticism website Wikipediocracy recently began a study showing that dozens of the Wikimedia Foundation's largest cash donors have violated that policy. Repeatedly, and wantonly. In short, they wrote articles about themselves or their companies, then gave the WMF big donations — and were not confronted about violating the NPOV policy." Do the proposed TOS changes address this? Note that they also found that many of the donors adequately documented their conflict of interest. -
Major Wikipedia Donors Caught Editing Their Own Articles
An anonymous reader writes "As reported before on Slashdot, one of the most terrible sins on Wikipedia is to edit articles for pay, or otherwise violate the 'neutral point of view' policy, per their co-founder Jimmy Wales. And yet, the Wikipedia-criticism website Wikipediocracy recently began a study showing that dozens of the Wikimedia Foundation's largest cash donors have violated that policy. Repeatedly, and wantonly. In short, they wrote articles about themselves or their companies, then gave the WMF big donations — and were not confronted about violating the NPOV policy." Do the proposed TOS changes address this? Note that they also found that many of the donors adequately documented their conflict of interest. -
Court Denies NSA Request To Hold Phone Records Beyond 5 Years
itwbennett writes "As Slashdot readers will remember, last month the U.S. government 'petitioned the court system' to let the NSA retain phone call metadata for more than 5 years, ironically 'because it needs to preserve it as evidence for the various privacy lawsuits filed against the government.' Well, the Foreign Intelligence Surveillance Court has ruled against that request. The FISC's Presiding Judge Reggie B. Walton ruled Friday (PDF) that the proposed amended procedures would further infringe on the privacy interests of U.S. persons whose 'telephone records were acquired in vast numbers and retained by the government for five years to aid in national security investigation.'" -
Sony & Panasonic Next-Gen Optical Discs Moving Forward
jones_supa writes "From last summer you might remember the Sony & Panasonic plans to bring next generation optical discs with recording capacity of at least 300GB. Various next-gen optical discs from different companies have been proposed, but this joint effort seems to be still moving forward. The disc is called simply Archival Disc and, roadmap and key specifications are out. First-wave ADs are slated to launch in summer of 2015 and will be able to hold up to 300GB of data. Archival Discs will be double-sided, so this works out to 150GB of data per side. Future versions of the technology will improve storage density, increasing to 500GB (or 250GB per side) and 1TB (500GB per side) as the standard matures." -
SXSW: Edward Snowden Swipes At NSA
Nerval's Lobster writes "In a Google Hangout with an auditorium full of South by Southwest attendees, government whistleblower (and former NSA employee) Edward Snowden suggested that encrypted communication should become more ubiquitous and easier to use for the majority of Internet denizens. 'The way we interact with [encrypted email and communications] is not good,' he said from somewhere within Russia, where he resides under the conditions of a one-year asylum. 'It needs to be out there, it needs to happen automatically, it needs to happen seamlessly.' For his part, Snowden still believes that companies should store user data that contributes directly to their respective business: 'It's not that you can't collect any data, you should only collect the data and hold it as long as necessary for the operation of the business.' He also couldn't resist some choice swipes at his former employer, accusing high-ranking intelligence officials Michael Hayden and Keith Alexander of harming the world's cyber-security—and by extension, United States national security—by emphasizing offensive operations over the defense of communications. 'America has more to lose than anyone else when every attack succeeds,' Snowden said. 'When you are the one country that has sort of a vault that's more full than anyone else's, it makes no sense to be attacking all day.'" -
Interviews: ESR Answers Your Questions
Last week you had the chance to ask ESR about books, guns, and open source software. Below you'll find his answers to those questions. What about protocols?
by Anonymous Coward
What are your feelings about protocols and file formats and keeping them open? Where do the efforts to keep protocols and file formats open and accessible to others fall on your list of priorities?
ESR: I don't think my answer will surprise you. When the function of software is defined by a requirement to be compatible with a protocol or file format, openness of the protocol or formats is even more important than the licensing status of any of the implementations around it.
The reason should be obvious. If the protocol is well documented and open, you can build open-source code to process it. On the other hand, if crucial parts are undocumented or (worse) require techniques that are under a non-royalty-free patent, *any* code touching it can have a serious problem.
There's a productive analogy with DNA and ribosomes here which I leave for the reader to fill in.
systemd
by Canek
As a long time "Unix philosophy" advocate, and in the light of the announced switch to it by Debian, Ubuntu, and basically every other major Linux distribution, what do you think of systemd, and the tight vertical integration it intends to bring as a standard plumbing for (most of) all Linux distributions?
ESR: I apologize; I haven't studied systemd in the detail that would be required for me to give a firm answer to this - it's been on my to-do list for a while, but I'm buried in other projects.
I want to study it carefully because I'm a bit troubled by what I hear about the feature set and the goals. From that, I fear it may be one of those projects that is teetering right at the edge of manageable complexity - OK as long as an architect with a strong sense of design discipline is running things, but very prone to mission creep and bloat and likely to turn into a nasty hairball over the longer term.
But this may be me being too pessimistic. I don't actually think I know yet.
here's an obvious one..
by Connie_Lingus
it's been almost 20 years since your write tCatB...i gave it a quick read and thought, "well, it *is* dated now, isn't it?" altho i am old enough to remember when its' ideas were pretty cutting edge. Given the current state of software development (ie the ease of use of PHP and the fact that, without a doubt, the cathedral model has won), what would you either like to change or add to your original thesis?
ESR: Um. What color is the sky on your planet? The one where the cathedral model has won, I mean.
What's happening on Earth is just the opposite - even where bazaar-mode development hasn't taken over, many organizations that would previously have run their projects in a cathedral style are trying really hard to flatten out hierarchies, lighten up, and co-opt the many-eyeballs effect in any way they can. This is pretty clear just from what shows up in my mailbox - and see my later response to a question about Apple, too.
I think there have been some significant shifts in methodology that would affect the book if I were writing it today. A big one is that systematic use of version control is now pervasive in a way it was not then (when CaTB was written, Subversion wasn't out of early alpha stage yet; git and hg weren't even imagined). Development workflow is now correspondingly much more centered around shared public repositories.
The effects of always being able to revert to known codebase states rapidly are subtle but very large. One obvious one is that the risk factor of exploration drops significantly. That includes the risk in taking patches from strangers.
Less obvious but just as important is how sharp version-control tools raise the effectiveness and reduce the friction cost of testing techniques. In 2001 we couldn't routinely run bisections to pinpoint bad code changes; our tools were too slow and clumsy. Now we can, and the effect is to make building good unit and regression-test suites both easier and more rewarding in defects squashed per hours invested.
The reason I'm going on about this is that, like any technique that increases our visibility into the code's behavioral space, better test suites tremendously amplify the positive effects of code review. Of course that feeds through into a differential competitive advantage for open source, because our process naturally recruits more code reviewers than closed-source shops can usually afford to hire.
Here's an example of the effect. There's a project I've led since about 2005 called GPSD, a service daemon that handles GPSes and other geodetic sensors. It's *everywhere* in mobile embedded systems, including your Android phone - we must have well over over a billion deployments by now. Yet our defect rate is so low that months go by at a time between single bug reports.
Why? Because I wrote a test suite with good coverage - and use a test strategy that relies on fast rollback capabilities I plain didn't have before modern version control. Changes in tools change the rules. It's much easier to get to the this-never-breaks level of reliability than it was when I wrote CatB, if you know what you're doing.
(For much more on this case study see my paper on the architecture of GPSD; there's a major section on engineering for high reliability.)
Open-source development has quite a few advantages over closed in exploiting this possibility - better tools, healthier culture, and just plain more developers. I think a major theme of the next decade is going to be learning to systematically capture these gains.
How to ask questions
by houstonbofh
When you wrote "How to ask questions" did you have any idea how big it would be? Or how long it would be relevant? And how do you feel that your most referenced piece of work is a howto for the clueless? :)
ESR: I'm not sure it is my most referenced piece of work. Either "How To Become A Hacker" or the Jargon File could easily be getting more hits; I haven't bothered to track this.
But supposing it is, that's OK. I expect it to be relevant for a very long time, because the newbies and the clueless are always with us.
Halloween Documents
by frdmfghtr
I recall reading (and re-reading on occasion) the Halloween Documents. Have you written anything regarding any other opponents to OSS, or perhaps a look back on them and see what the end effect of Microsoft's attempts did long term?
ESR: I haven't written a retrospective, or anything else really similar.
I think those documents had a pretty significant effect in legitimizing not buying the Microsoft lock-in. The trade press certainly thought so at the time, and the intervening decade and a half hasn't given me any reason to suppose they were wrong.
How essential is software redistribution rights?
by unixisc
One of the issues w/ Open Source has been the freedom to redistribute software downstream - be it just binaries, just source or any combination of the 2. Do you think there are any good ways for software companies who make their software open source to prevent their customers from effectively becoming their competitors - by giving away or selling cheaper what they were sold? Or is the only alternative going for a shared-source approach, as opposed to open source, where redistribution can be explicitly prohibited?
ESR: If your customers are selling your open-source software for a lower price than you are, then you're doing it wrong! You need to face the question of why you've attached a sales price to the software itself at all. I think that's a doomed approach.
You need to be thinking about monetizing that investment in a different way. The most obvious is service and consulting contracts around the code. You have the advantage there; as the originators, you are in a better position to add value to the bundle than your competitors are.
There are a couple other potential business models here, but none I can recommend without knowing more details about your situation. My advice in The Magic Cauldron is still quite relevant.
What about the new wave of proprietary programs
by necro351
So it seems these days the most effective method of DRM is a network interface, like that used by Facebook, Google, Pinterest, etc... You cannot run your own instance of Gmail or Facebook, and you certainly cannot see or modify the code. At the same time all these companies are pressuring us to push our data into their servers by not supporting or coming up with solutions that let us continue to control/manage our data on our own machines and private networks. What can open source do to stem that tide? What about open source licensing? Could webkit or Mozilla have slowed down the encroachment of Chrom/ium and its pro-Google agenda if it had more defensive licensing terms like something similar to the GPL? How do we convince hackers to hack on open-source 'website programs', like an open Gmail or an open Facebook (e.g., Diaspora)?
ESR: You're pointing at a real problem. I don't know of any near-term solutions beyond being very careful what services you allow to draw you into their web. I run my own mailserver, rather than using GMail, for exactly this reason. I don't use Facebook or Pinterest. I use G+ for nonessential things only.
I don't think defensive or reciprocal licensing can solve the problem, because it is not one created by code secrecy. The service providers are trading on real advantages of scale that they would still collect if every line of source code in their app stack were public; the value they're offering actually comes from ubiquity and synergy.
In fact I'm a little surprised they even bother maintaining code secrecy, it has nothing whatsoever to do with their value proposition. I think we're seeing a result of instinctive territoriality rather than rational thought.
I'd love to believe that projects like Diaspora are a long-term solution to the problem, but I don't - basically because no matter how attractive and ingenious your software is, it tales gobs of capital expenditure on server farms to scale up to where you're any kind of functional competition to Facebook/Google/Pinterest etc.
In the long term I think the way we'll win is if the giants have to compete with each other for business by giving their customers exit and recovery options. Google's Data Liberation Front is a positive early sign.
Linus's Law (Many Eyes) Problems
by carp3_noct3m
Hi, there is currently some debate about the many eyes theory over on HNews about why it's a fallacious argument, but in my view they have it all wrong, in that a core component of Linus's Law is that the amount of code is directly inverse to the amount of eyes that can hit all of that code (or a significant percentage). Therefore, in my eyes it is the problem of code bloat that is undermining the open source movement more than anything. For example, the Linux kernel is now at, what, 10mil+ lines of code? That's insane. Minix 3, on the other hand, is at ~15k?
What are your thoughts on this problem?
ESR: I think you raise a valid point about code bloat being a problem. On the other hand, the code-coverage effectiveness of individual developers is also rising for reasons I wrote about in response to a previous question - better tools and better testing strategies feeding back on each other in virtuous ways.
A lot of criticisms of Linus's Law (including the Hacker News thread, as far down as I read it) miss the point that "many eyeballs" isn't just about sheer volume of people reviewing code, it's about diversity of assumptions. You want people reviewing the code that don't all work for the same company and report to the same boss - people who speak different languages, different toolkits, different expertise areas.
A handful of people who think very differently may be more effective auditors than an army with identical blind-spots. By recruiting more people you're maximizing the odds of good diversity in the subgroup that actually reviews any given section of code.
I actually chuckled when I read the Hacker News thread, because I've seen this movie before after every serious security flap in an open-source tool. The script, which includes a bunch of people indignantly exclaiming that many-eyeballs is useless because bug X lurked in a dusty corner for Y months, is so predictable that I can anticipate a lot of the lines.
The mistake being made here is a classic example of Frederic Bastiat's things seen versus things unseen. Critics of Linus's Law overweight the bug they can *see* and underweight the high probability that equivalently positioned closed-source security flaws they *can't* see are actually far worse, just so far undiscovered.
That's how it seems to go whenever we get a hint of the defect rate inside closed-source blobs, anyway. As a very pertinent example, in the last couple months I've learned some things about the security-defect density in proprietary firmware on residential and small business Internet routers that would absolutely curl your hair. It's far, far worse than most people understand out there.
Friends don't let friends run factory firmware. You really do *not* want to be relying on anything less audited than OpenWRT or one of its kindred (DDWRT, or CeroWRT for the bleeding edge). And yet the next time any security flaw turns up in one of those open-source projects, we'll see a replay of the movie with yet another round of squawking about open source not working.
Ironically enough this will happen precisely because the open-source process *is* working ... while, elsewhere, bugs that are *far* worse lurk in closed-source router firmware. Things seen vs. things unseen...
Apple today
by wordtech
Your comments in The Art of Unix Programming about Apple/Mac developers being diametrically opposed to Unix developers in development style and emphases (designing simple, user-friendly interfaces from the outside in) were quite interesting. I am wondering about your perspective on Apple now. My interest is specifically in Apple's contributions to open-source (WebKit and LLVM, chiefly) and your take on those. It seems to me that Apple has done quite a bit to foster an alternative ecosystem to the GNU environment, for instance in FreeBSD's adoption of clang as their default compiler; and also it seems to to me that WebKit has supplanted Gecko as the most widely used browser framework. Curious about your viewpoint here.
ESR: In answering an earlier question I spoke of organizations that would previously have developed in a secretive cathedral mode adopting the bazaar model and open-source practices. Projects like LLVM and Webkit exemplify this trend.
The interesting thing about these projects is that they're not just facades. They really seem to welcome, not just as outside contributors but sometimes as full-time employees, people who are from the Unix-descended open-source culture (with its inside-to-out priorities) rather than interface-centric Mac guys.
That - and of course, OS X - tells us Apple's technical culture in't what it used to be. It's more Unix-influenced now, more open, has more hacker in it. Obviously that doesn't fix every problem with Apple - I'm with RMS in judging the locked-down, walled-garden design of their phones and tablets to be a very bad thing for users in the longer term - but it's movement in a good direction.
AK or AR
by gmhowell
Which is the better battle rifle, an AK-47/74 type or an AR-15/M-16/M-4 type? Please give your criteria as well as your answer. Bonus: favorite handgun platform/caliber that isn't a .45 1911.
ESR: "Better battle rifle" depends on who you're equipping, and for what. I lean towards the AR-15 because I'm from a culture that readily produces people with good marksmanship, fire discipline, and steadiness onder combat pressure. The AR-15 is the better weapon to match those traits - it rewards skill in the shooter and you can actually use it at distance.
On the other hand, if your troops are savages or bandits who can barely clean a weapon and for whom the natural mode is short-range spray'n'pray, the AK-47 is probably a better choice. It hardly rewards shooter skill at all, but handles egregious abuse under field conditions better.
As for what I like when I don't have .45ACP handy, my answer is easy and boring: .40S&W. Medium-caliber semis suit me very well. I don't mind shooting my wife's Glock .40 at all, and it's likely what I'd carry if not for John Moses Browning (peace be unto him) -
Google Chairman on WhatsApp: $19 Bn For 50 People? Good For Them!
theodp writes "Speaking at an SXSW panel, Google executive chairman Eric Schmidt emphasized that Google is 'very, very worried' about the class tensions that underlie recent Bay Area protests, where high-salaried techies have driven up rents. 'Ninety-nine percent of people have seen no economic improvement over the last decade,' he said, adding that 'the data suggest that the problem gets worse' and will become the 'number one issue in democracies around the world.' Schmidt's solution to this displacement? Foster conditions — e.g., better education, looser immigration laws, and deregulation in strictly-controlled areas like energy and telecommunications — that encourage the creation of fast-growing startups ('gazelles') that generate lots of jobs. When interviewer Steven Levy noted 'gazelles' like the 50-employee WhatsApp which was acquired by Facebook for a reported $19 billion seem to lead to more inequality, Schmidt brushed aside the apparent contradiction. 'Let us celebrate capitalism,' the tax-us-if-you-can Schmidt said, opening his arms. '$19 billion for 50 people? Good for them.' Eric, meet Tom." -
Google Chairman on WhatsApp: $19 Bn For 50 People? Good For Them!
theodp writes "Speaking at an SXSW panel, Google executive chairman Eric Schmidt emphasized that Google is 'very, very worried' about the class tensions that underlie recent Bay Area protests, where high-salaried techies have driven up rents. 'Ninety-nine percent of people have seen no economic improvement over the last decade,' he said, adding that 'the data suggest that the problem gets worse' and will become the 'number one issue in democracies around the world.' Schmidt's solution to this displacement? Foster conditions — e.g., better education, looser immigration laws, and deregulation in strictly-controlled areas like energy and telecommunications — that encourage the creation of fast-growing startups ('gazelles') that generate lots of jobs. When interviewer Steven Levy noted 'gazelles' like the 50-employee WhatsApp which was acquired by Facebook for a reported $19 billion seem to lead to more inequality, Schmidt brushed aside the apparent contradiction. 'Let us celebrate capitalism,' the tax-us-if-you-can Schmidt said, opening his arms. '$19 billion for 50 people? Good for them.' Eric, meet Tom." -
Google Chairman on WhatsApp: $19 Bn For 50 People? Good For Them!
theodp writes "Speaking at an SXSW panel, Google executive chairman Eric Schmidt emphasized that Google is 'very, very worried' about the class tensions that underlie recent Bay Area protests, where high-salaried techies have driven up rents. 'Ninety-nine percent of people have seen no economic improvement over the last decade,' he said, adding that 'the data suggest that the problem gets worse' and will become the 'number one issue in democracies around the world.' Schmidt's solution to this displacement? Foster conditions — e.g., better education, looser immigration laws, and deregulation in strictly-controlled areas like energy and telecommunications — that encourage the creation of fast-growing startups ('gazelles') that generate lots of jobs. When interviewer Steven Levy noted 'gazelles' like the 50-employee WhatsApp which was acquired by Facebook for a reported $19 billion seem to lead to more inequality, Schmidt brushed aside the apparent contradiction. 'Let us celebrate capitalism,' the tax-us-if-you-can Schmidt said, opening his arms. '$19 billion for 50 people? Good for them.' Eric, meet Tom." -
School Tricks Pupils Into Installing a Root CA
First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal." -
20 Freescale Semiconductor Employees On Missing Malaysia Airlines Flight
NeverVotedBush writes with news reported by CNN that a passenger manifest for the flight that went missing on its way from Malaysia to China indicates that "Twenty of the passengers aboard the flight work with Freescale Semiconductor, a company based in Austin, Texas. The company said that 12 of the employees are from Malaysia and eight are from China," and writes "Apparently, at least two passengers used stolen passports to board." -
SpaceX Wants To Go To Mars — and Has a Plan To Get There
mknewman writes with an article at NASA SpaceFlight which lays out the details of a plan from SpaceX to send a craft to Mars, using an in-development engine ("Raptor") along with the company's Super Heavy Lift Launch Vehicle. "Additionally, Mr. Musk also introduced the mysterious MCT project, which he later revealed to be an acronym for Mars Colonial Transport. This system would be capable of transporting 100 colonists at a time to Mars, and would be fully reusable. Article is technically dense but he does seem to follow through on his promises!" This is an endeavor that's been on Elon Musk's mind for a while. -
Amplify Education's New Intel Tablet Begs For Abuse
theodp writes "Bring it on, suggests the video for The Amplify Tablet, an Intel device (specs) developed for Rupert Murdoch's Amplify Education, which shows kids wrestling with, dropping, and even splashing the device. So is a ruggedized 10.1" device, which appears to be Amplify's answer to earlier fragility problems, the future of high-tech education? Or is go-big-or-go-home with a 27" touch screen the way to go, perhaps in some kind of next-gen-flip-top-school-desk? Or — cost be damned — are separate classroom and home devices what are really needed?" -
Amplify Education's New Intel Tablet Begs For Abuse
theodp writes "Bring it on, suggests the video for The Amplify Tablet, an Intel device (specs) developed for Rupert Murdoch's Amplify Education, which shows kids wrestling with, dropping, and even splashing the device. So is a ruggedized 10.1" device, which appears to be Amplify's answer to earlier fragility problems, the future of high-tech education? Or is go-big-or-go-home with a 27" touch screen the way to go, perhaps in some kind of next-gen-flip-top-school-desk? Or — cost be damned — are separate classroom and home devices what are really needed?" -
Mass. Legislature Strikes Back: Upskirt Photos Now Officially a Misdemeanor
Just a day after a Massachusetts court said that current state law didn't specifically address "upskirt" snapshots (and so left taking them legal in itself, however annoying or invasive), an alert Massachusetts legislature has crafted and passed a bill to fix the glitch, and gotten it signed by the governor as well. As reported by the BBC, "The bill states that anyone who 'photographs, videotapes or electronically surveils' a person's sexual or intimate parts without consent should face a misdemeanor charge. The crime becomes a felony - punishable by up to five years in prison and a $10,000 fine - if the accused secretly takes indecent photographs of anyone under the age of 18." The New York Daily News points out this bill became a law without so much as a public hearing. -
Portal 2 Incompatible With SELinux
jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction." -
KDE Releases Calligra Suite 2.8
It's not just graphics app Krita: user KDE Community writes "The Calligra team is proud and pleased to announce the release of version 2.8 of the Calligra Suite, Calligra Active and the Calligra Office Engine. Major new features in this release are comments support in Author and Words, improved Pivot tables in Sheets, improved stability and the ability to open hyperlinks in Kexi. Flow introduces SVG based stencils and as usual there are many new features in Krita including touch screens support and a wraparound painting mode for the creation of textures and tiles." KDE has also just announced the first beta of its Applications and Platform 4.13. -
Facebook To Pay City $200K-a-Year For a Neighborhood Cop
theodp writes "Valleywag reports that Facebook just bought itself a police officer and questions what kind of mechanism will be in place to make sure the officer — whose position Facebook has agreed to fund to the tune of $200K-a-year for 3 years — doesn't provide preferential protection for the social network giant and its employees. It's probably a fair question, considering that U.S. Attorney General Eric Holder made the City of New Orleans enter into a federal consent decree designed to address the 'divided loyalties' of the city's moonlighting police officers. But for now, everything's hunky-dory in Menlo Park, where Police Chief Robert Jonsen called the deal a 'benchmark in private-public partnerships.' No doubt it is, as was last week's Google-City of San Francisco deal to fund free bus passes for low- and middle-income kids. But is giving earmarked funding to facilitate self-serving city expenditures a good or bad development?" -
Satoshi Nakamoto Found? Not So Fast
Yesterday, Newsweek outed the creator of Bitcoin. Or did they? An anonymous reader tipped us to news that the account on p2pfoundation that posted the original Bitcoin paper, posted for the first time in five years simply noting "I am not Dorian Nakamoto." And the Satoshi Nakamto Newsweek claims was the creator? In an interview with the AP, he claims to have only learned of Bitcoin recently, and that his comments were taken far out of context. From the article: "He also said a key portion of the piece — where he is quoted telling the reporter on his doorstep before two police officers, 'I am no longer involved in that and I cannot discuss it' — was misunderstood. Nakamoto said he is a native of Beppu, Japan who came to the U.S. as a child in 1959. He speaks both English and Japanese, but his English isn't flawless. ... 'I'm saying I'm no longer in engineering. That's it,' he said of the exchange. 'And even if I was, when we get hired, you have to sign this document, contract saying you will not reveal anything we divulge during and after employment. So that's what I implied. ... It sounded like I was involved before with bitcoin and looked like I'm not involved now. That's not what I meant. I want to clarify that,' he said.
Newsweek writer Leah McGrath Goodman, who spent two months researching the story, told the AP: 'I stand completely by my exchange with Mr. Nakamoto. There was no confusion whatsoever about the context of our conversation -and his acknowledgment of his involvement in bitcoin.'" -
Youtube and Facebook May Be Banned In Turkey, Again
Taco Cowboy writes "Istanbul (dpa) — Turkish Prime Minister Recep Tayyip Erdogan is considering banning YouTube and Facebook after local elections at the end of this month, according to remarks carried by local media Friday. It may, or may not be related to the criticisms arising from (not-yet verified) leaked recordings of Mr. Erdogan's involvement with corruption. 'We will not let YouTube and Facebook destroy our nation. We will take measures, including closure,' said Erdogan, who has previously made comments against social media sites. YouTube had been banned in the country for two years and was recently unblocked." -
BP Finds Way To Bypass US Crude Export Ban
Hugh Pickens DOT Com writes "Bloomberg reports that the oil industry is pressuring President Barack Obama to end the 41-year-old ban on most crude exports but British Petroleum (BP) isn't waiting for a decision. The British oil giant has signed on to take at least 80 percent of the capacity of a new $360 million mini-refinery in Houston that will process crude just enough to escape restrictions on sales outside the country. 'It's a relatively inexpensive way around the export prohibition,' says Judith Dwarkin 'You can lightly ruffle the hydrocarbons and they are considered processed and then they aren't subject to the ban.' Amid a flood of new US oil, the demand for simple, one-step plants capable of transforming raw crude into exportable products such as propane is feeding a construction boom along the Gulf Coast. The first such mini-refinery, built for 1/10 the cost of a complex, full-scale refinery, is scheduled to open the first phase of its 100,000 barrel-a-day crude processing plant in July, The mini-refineries take advantage of the law that allows products refined from oil to be sold overseas, though not the raw crude itself. 'The international buyers of these products will likely need to refine them further, so this is basically a veiled form of condensate exports,' says Leo Mariani." -
Should Newsweek Have Outed Satoshi Nakamoto's Personal Details?
Nerval's Lobster writes "Newsweek's Leah McGrath Goodman spent months tracking down the mysterious founder of Bitcoin, "Satoshi Nakamoto," a name that everybody seemed to believe was a pseudonym for either a single individual or a shadowy collective of programmers. If Satoshi Nakamoto, former government contractor and model-train enthusiast, is actually "Satoshi Nakamoto," Bitcoin founder, then he's sitting atop hundreds of millions of dollars in crypto-currency. Does the article's exhaustive listing of Nakamoto's personal details place his security at risk? Many in the Bitcoin community think so, and poured onto the Web to express that opinion. The Newsweek article has raised some interesting questions about the need for thorough journalism versus peoples' right to privacy. For example, should Goodman have posted an image of Nakamoto's house and car, even though information about both would probably be relatively simple to find online, anyway?" -
Microsoft Confirms DirectX 12 Is Alive and Well, Demo Coming At GDC
MojoKid writes "Buzz has been building for the last week that Microsoft would soon unveil the next version of DirectX at the upcoming Games Developer Conference (GDC). Microsoft has now confirmed that its discussion forums at the show won't just be to discuss updates to DX11, but that the company is putting a full court press behind DirectX 12. The company responded sharply over a year ago, when an AMD executive claimed that future versions of the API were essentially dead, but it has been over four years since DX11 debuted. To date, Microsoft has only revealed a few details of the next-generation API. Like AMD's Mantle, it will focus on giving developers "close-to-metal" GPU resource access and reducing CPU overhead. Like Mantle, the goal of DirectX 12 is to give programmers more control over performance tuning, with an eye towards better multi-threading and multi-GPU scaling. Unlike Mantle, DirectX 12 will undoubtedly support a full range of GPUs from AMD, Intel, Nvidia and Qualcomm. Qualcomm's presence is interesting. With Windows RT all but moribund, Qualcomm's interest in that market may have seemed incidental. However, the fact that the company is involved with the DX12 standard could mean that the handset and tablet developer is serious about the Windows market in the long term." -
Pwnie Express Rides Again at RSA 2014 (Video)
The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March, 2013. Now they're working with Kali Linux, a distro built especially for penetration testing (and formerly known as BackTrack). In this video we have Tim Lord chatting with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.) -
Pwnie Express Rides Again at RSA 2014 (Video)
The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March, 2013. Now they're working with Kali Linux, a distro built especially for penetration testing (and formerly known as BackTrack). In this video we have Tim Lord chatting with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.) -
Pwnie Express Rides Again at RSA 2014 (Video)
The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March, 2013. Now they're working with Kali Linux, a distro built especially for penetration testing (and formerly known as BackTrack). In this video we have Tim Lord chatting with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.) -
A Tech Entrepreneur's Guide To Visiting Shenzhen
Freetronics is Australia's answer to a lot of electronic tinkerers' needs, selling items like Arduino compatible boards, cables, and specialized tools. Founder Jonathan Oxer is a (serious) electronics hobbyist himself; he talked with Slashdot last year about making ArduSats, which were then launched to the International Space Station. Now, Oxer has written an excellent guide for hobbyists who might get the chance to travel to Shenzhen, where so many of the world's electronic bits and bobs are made. As travel writing goes, it's fascinating for the sheer novelty of the place. If you actually have the chance to go, some of the advice here might save you money and time. For those of you who have been to Shenzhen, what else should visitors know? -
US Drops Link Sharing Charges Against Barrett Brown
In a followup to our story yesterday, Bismillah writes "It seems US prosecutors agree that just publishing a link doesn't amount to transmitting actual files. Brown is not out of the legal woods yet though, and still faces further charges. The EFF released this statement about the decision: 'We are relieved that federal prosecutors have decided to drop these charges against Barrett Brown. In prosecuting Brown, the government sought to criminalize a routine practice of journalism—linking to external sources—which is a textbook violation of free speech protected by the First Amendment. Although this motion is good news for Brown, the unnecessary and unwarranted prosecution has already done much damage; not only has it harmed Brown, the prosecution—and the threat of prosecution it raised for all journalists—has chilled speech on the Internet. We hope that this dismissal of charges indicates a change in the Department of Justice priorities. If not, we will be ready to step in and defend free speech.'" -
Facebook Wants To Block Illegal Gun Sales
Nerval's Lobster writes "Most of the time, Facebook allows its users to hawk goods or solicit donations on Pages or Timeline postings, comparing such activity to placing a physical note on a bulletin board at a supermarket. Now it plans on regulating users who rely on this method to sell what it calls 'regulated' items, which includes firearms. 'Any time we receive a report on Facebook about a post promoting the private sale of a commonly regulated item, we will send a message to that person reminding him or her to comply with relevant laws and regulations. We will also limit access to that post to people over the age of 18,' Facebook announced as part of the new rules. The social network will also prevent users from posting any sort of items 'that indicate a willingness to evade or help others evade the law,' which means no offers to sell firearms across state lines or without a background check. Presumably, Facebook will have filters in place that allow it to scan for such content. Facebook is a private network, of course, and not (despite its ubiquity) a public utility — meaning it can do whatever it wants with regard to Terms of Use. But that likely won't stop some people from complaining about what they perceive as the company overstepping its boundaries." -
Interview: Ask Theo de Raadt What You Will
Theo de Raadt was a founding member of NetBSD, and is the founder and leader of the OpenSSH and OpenBSD projects. He is currently working on OpenBSD 5.5 which would be the projects 35th release on CDROM. Even though he'd rather be hiking in the mountains or climbing rocks in his free time, Theo has agreed to answer any question you may have. As usual, ask as many as you'd like, but please, one question per post. -
'Data Science' Is Dead
Nerval's Lobster writes "If you're going to make up a cool-sounding job title for yourself, 'Data Scientist' seems to fit the bill. When you put 'Data Scientist' on your resume, recruiters perk up, don't they? Go to the Strata conference and look on the jobs board — every company wants to hire Data Scientists. Time to jump aboard that bandwagon, right? Wrong, argues Miko Matsumura in a new column. 'Not only is Data Science not a science, it's not even a good job prospect,' he writes. 'Companies continue to burn millions of dollars to collect and gamely pick through the data under respective roofs. What's the time-to-value of the average "Big Data" project? How about "Never?"' After the 'Big Data' buzz cools a bit, he argues, it will be clear to everyone that 'Data Science' is dead and the job function of 'Data Scientist' will have jumped the shark." -
Website Simulates Amiga OS
cyclomedia writes "The Decibel Kid — the "AudioVisual Artist" responsible for last summer's Ipswich Zelda Map — has unveiled his new website. Modeled on Amiga OS it supports changing the wallpaper, window dragging, resizing, minimizing, and that z-index shuffle button. The mobile site is a completely different beast, modeling itself as a low-res LCD." There's even a drum machine. If you're pining for the "real" thing, there's always UAE (if you can find a ROM). Update: 03/05 15:45 GMT by U L : polyp2000 pointed out a better simulation, and a simulation of Workbench 1.5. -
Website Simulates Amiga OS
cyclomedia writes "The Decibel Kid — the "AudioVisual Artist" responsible for last summer's Ipswich Zelda Map — has unveiled his new website. Modeled on Amiga OS it supports changing the wallpaper, window dragging, resizing, minimizing, and that z-index shuffle button. The mobile site is a completely different beast, modeling itself as a low-res LCD." There's even a drum machine. If you're pining for the "real" thing, there's always UAE (if you can find a ROM). Update: 03/05 15:45 GMT by U L : polyp2000 pointed out a better simulation, and a simulation of Workbench 1.5. -
Legal Motion: Hyperlinks Are Protected By the First Amendment
Barrett Brown, a journalist and the former unofficial spokesperson for Anonymous, was arrested in 2012 and charged with sharing a hyperlink that pointed to information downloaded during the Stratfor hack. His trials begin in April and May. An anonymous reader notes that his attorneys have filed a legal brief (PDF) asking for dismissal of the case, saying that Brown's First Amendment right to free speech protects his sharing of a hyperlink. They argue that "Brown did not 'transfer' the stolen information as he arguably would have done had he embedded the link on his web page, but merely created a path to files that had already been published elsewhere that were in the public domain." The brief also says the statute under which Brown is being charged does not make it clear that a link constitutes "republication" of information. They add, "This construction also significantly chills scientific research conducted by private cybersecurity researchers for the same reasons." -
Legal Motion: Hyperlinks Are Protected By the First Amendment
Barrett Brown, a journalist and the former unofficial spokesperson for Anonymous, was arrested in 2012 and charged with sharing a hyperlink that pointed to information downloaded during the Stratfor hack. His trials begin in April and May. An anonymous reader notes that his attorneys have filed a legal brief (PDF) asking for dismissal of the case, saying that Brown's First Amendment right to free speech protects his sharing of a hyperlink. They argue that "Brown did not 'transfer' the stolen information as he arguably would have done had he embedded the link on his web page, but merely created a path to files that had already been published elsewhere that were in the public domain." The brief also says the statute under which Brown is being charged does not make it clear that a link constitutes "republication" of information. They add, "This construction also significantly chills scientific research conducted by private cybersecurity researchers for the same reasons." -
Comcast Turning Chicago Homes Into Xfinity Hotspots
BUL2294 writes "The Chicago Tribune is reporting that, over the next few months in Chicago, Comcast is turning on a feature that turns customer networks into public Wi-Fi hotspots. After a firmware upgrade is installed, 'visitors will use their own Xfinity credentials to sign on, and will not need the homeowner's permission or password to tap into their Wi-Fi signal. The homegrown network will also be available to non-subscribers free for several hours each month, or on a pay-per-use basis. Any outside usage should not affect the speed or security of the home subscriber's private network. [...] Home internet subscribers will automatically participate in the network's growing infrastructure, although a small number have chosen to opt out in other test markets.' The article specifically mentions that this capability is opt-out, so Comcast is relying on home users' property, electricity, and lack of tech-savvy to increase their network footprint." Comcast tried this in the Twin Cities area, and was apparently satisfied with the results, though subscribers are starting to notice. -
Interview: Ask Eric Raymond What You Will
Author of The Cathedral and the Bazaar and The Art of Unix Programming, Eric S.Raymond (ESR) has long been an important spokesperson for the open source movement. It's been a while since we talked to the co-founder of the Open Source Initiative so ESR has agreed to give us some of his time and answer your questions. As usual, ask as many as you'd like, but please, one question per post. -
Facebook Wants Drones To Connect the Developing World
judgecorp writes "Facebook is reportedly hoping to buy drone specialist Titan Aerospace in order to provide airborne relays for Internet connectivity in developing countries, as part of its internet.org project. The solar-powered drones are classified as "atmospheric satellites" and can fly for five years. The rumoured project sounds quite similar to Google's Project Loon, which proposes using balloons for the same job." More coverage at SlashCloud, which notes that the purchase is rumored but not yet publicly confirmed. -
Facebook Wants Drones To Connect the Developing World
judgecorp writes "Facebook is reportedly hoping to buy drone specialist Titan Aerospace in order to provide airborne relays for Internet connectivity in developing countries, as part of its internet.org project. The solar-powered drones are classified as "atmospheric satellites" and can fly for five years. The rumoured project sounds quite similar to Google's Project Loon, which proposes using balloons for the same job." More coverage at SlashCloud, which notes that the purchase is rumored but not yet publicly confirmed. -
Book Review: Threat Modeling: Designing For Security
benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System; which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review. Threat Modeling: Designing for Security author Adam Shostack pages 624 publisher Wiley rating 10/10 reviewer Ben Rothke ISBN 978-1118809990 summary Invaluable guide to create a formal threat modeling program Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organizations faces.
In the introduction, Shostack sums up his approach in four questions:
1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets a structure in which to model threats, be it in software, applications, systems, software or services, such as cloud computing.
While the term threat modeling may seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than the specific item, or piece of software code.
An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.
The beauty of the book is that it focuses on gaining empirical data around threats for your organization. Rather than simply taking an approach based on Gartner, USA Today or industry best practices.
While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.
For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.
Chapter 18 quotes programmer Henry Spencer who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on into other approaches which can get in the way of an effective threat modeling program.
Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats and that's precisely the point the book is attempting to obviate.
As noted, threat modeling is not overly complex. But even if it was indeed complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and customize things so they deal with their threats.
For those that still think the topic is complex, the book references Elevation of Privilege (EoP), an easy way to get started threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.
Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can be deceptive in thinking they provide protection. But if they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve the purpose of giving an aura of infosec protection, and not real protection itself.
Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.
There are only a handful of books on this topic and Threat Modeling: Designing for Security is perhaps the finest of them. No tourist would be so naïve to go to Disney World uninformed. And conversely, no one should go into the IT world without adequate threat information.
Threat modeling provides compelling benefits in the ability to make better information security decisions, better focus on often limited resources, all while designing a model to protect against current and future threats.
For those serious about the topic, Threat Modeling: Designing for Security will be one of the most rewarding information security books they could hope for.
Reviewed by Ben Rothke.
You can purchase Threat Modeling: Designing for Security from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page.