Slashdot Mirror


User: swillden

swillden's activity in the archive.

Stories
0
Comments
18,006
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 18,006

  1. Re:Google = defense contractor on Google Leads $542m Funding Round For Augmented Reality Wearables Company · · Score: 1

    Google's after the defense contractor market now...developing/marketing Glass as a consumer product was an afterthought and mostly for PR, imho

    LOL. You don't know much about Sergey Brin, do you?

  2. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 1

    The ownership thing can be mildly obnoxious. It's fairly standard practice at Google to click the checkbox to allow all attendees to edit a meeting. Even without that, though, it's always possible to make the change on your own copy; no one else will see the change if they look, but you can add someone (or a room), and the meeting will be added to the appropriate person/room calendar. Maybe Google Calendar works a little differently externally... I wouldn't think that part would be different.

    Doesn't the Chromebox offer you the ability to type in a meeting name? That's another option on the internal system. We just go to the other room and manually enter the meeting name. Actually this was a problem a couple of years ago, but refreshes have gotten fast enough I haven't had to do that for a while, except when no one added a Hangout to begin with and we just have to make one up on the fly. Then we pick a name send it to everyone via chat or whatever, and type it into the room controller.

    As for getting the other room booked, that's easy. Just make a calendar appointment and put the room on it. Fast.

  3. Re:Why do companies insist on producing shit ? on Security Company Tries To Hide Flaws By Threatening Infringement Suit · · Score: 1

    +1

    Excellent points.

  4. Re:I'm still waiting... on Cell Transplant Allows Paralyzed Man To Walk · · Score: 1

    We keep statistics, yes, but only in the context of criminal law.

    To study, say, gun ownership as a matter of public health, as a risk factor for overall mortality, is illegal(with public funds).

    Cite?

    It seems to me that the main obstacle to such studies is detailed information on gun ownership, because mortality information is readily available, and not just from law enforcement. The CDC tracks it closely.

    In any case, I'd love to see this research done... though I suspect that I anticipate a different result than you expect.

  5. Re:Wait, wait, trying to keep up on NPR: '80s Ads Are Responsible For the Lack of Women Coders · · Score: 1

    They're both. Just like men.

    Ah, the old "If I can say it in a grammatically correct sentence, it must be true!!" fallacy.

    No. They can't be both, because the groups OP defined are mutually exclusive. Men can't be both either.

    Nonsense. Even individuals aren't only one thing. They're different things at different times and in different contexts. Further, you're talking about two large groups of people; there's clearly a lot of variation among them.

    Why would you think that women should fit neatly into one bucket or another?

    To state the obvious, because some buckets are neatly defined. For instance, a woman can only fit into at most one of these buckets: "Likes math" or "Hates math." (They could be in neither of those buckets.)

    You're a little bit closer in recognizing that women aren't all the same. Congratulations! But you're still wrong. A given woman can like some kinds of math but not others, can like math during some parts of her life but not others, can even like math in some moods but not others.

  6. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 1

    I don't see how fumbling around with USB sticks is much better.

    I use a YubKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

    Doesn't leaving the device plugged into your laptop all the time defeat the purpose of two-factor authentication? If someone steals your laptop they have your key now, same is if you left your one-time pad as a text document on the desktop.

    I addressed this in the paragraph below the one you quoted, and a bit more in the paragraph after that.

  7. Re:How does it secure against spoofing? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 1

    The second channel will not secure a compromised channel, but it will make it easier to detect it.

    Oh, you're talking about a completely separate channel, with no joining to the primary channel? That creates its own set of problems... when the user authorizes a login, how do we bind that authorization to the login the user is attempting, rather than a login from some other location? Without a join (e.g. entering OTP from second channel into primary channel, or vice versa), the attacker just has to figure out when the user is logging in, and beat them.

    There is very little you can do to combat malware infections unless you are willing to use a second channel.

    I maintain that a second channel doesn't really help, either as defense or for detection, and you haven't suggested any way that it might.

    At some point in the communication the data is vulnerable to modifiction, no matter how well you try to shield it. It resides in memory, unencrypted, at some point in time.

    In the case of a security key no, it does not. Not in the memory of the PC. The PC and browser are merely a conduit for an authentication process that occurs between security key and server. It's actually pretty reasonable to characterize this as a second, virtual channel. It's MITM-resistant; an attacker can block the messages but can't fake, modify or replay them without failing the auth. It is also bound to the primary channel, though that binding is admittedly dependent on the PC being uncompromised. But if the PC is compromised to the level that the attacker can cause the auth plugin to lie to the security key then there is no hope of achieving any security. A separate channel definitely wouldn't help.

    And it's heaps easier to do if the interface used is a browser.

    Sure. But the goal is to create as much security as possible within the context of what people actually use. Theorizing about some completely different approach that no one would use is entertaining but pointless.

  8. Re:Wait, wait, trying to keep up on NPR: '80s Ads Are Responsible For the Lack of Women Coders · · Score: 0

    ...so today are women ndividuals who can do anything men can do and are perfectly capable of functioning in modern society to wit, choosing the career path that they want to follow out of interest, talent, and education?

    Or are they intimidatable, wilting violets incapable of exercising free will, intimidated by the faintest approbation, and unable to choose a career because some shitty 1980s movies didn't ACTUALLY show "girls doing data entry"?

    I'm just trying to keep track here. I need to know if I should treat them like plain old people, or tread delicately around their fragile sensibilities?

    They're both. Just like men.

    Why would you think that women should fit neatly into one bucket or another?

  9. Re:Toys vs tools on NPR: '80s Ads Are Responsible For the Lack of Women Coders · · Score: 2

    When computers were viewed as toys, it was acceptable for girls to have them. Once they became tools, however, they were only for boys.

    Then explain why a high percentage of programmers were women back when the only computers that existed filled rooms, cost millions of dollars and were clearly anything but toys, but once microcomputers were widely available in homes and used for playing games as much as anything, the percentage of women began to decline.

    I think you may have the right concept, but with the genders reversed.

  10. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 1

    Oh, and BTW, thanks for the mention of Chromebox. I had to go look it up. I didn't realize Google was selling it.

    I wonder if I could get one for my home office...

  11. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 1

    Can you elaborate on what the problems are? You described having a PC in each room... so I don't see what's difficult about uninviting one and inviting another when moving. As for the other things you mentioned... do you think there's no need at Google to find a free room at short notice, or move hurriedly from one room to another? Actually, of late at Google in Mountain View there is no finding a room at short notice or moving hurriedly... because if you didn't grab that room days in advance it's just not available. But the buildings haven't always been so overcrowded and soon won't be again.

  12. Re:How does it secure against spoofing? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 2

    What keeps me (or my malware, respectively) from opening a google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fool the dongle into recognizing it and the user into pressing the a-ok button?

    For one thing, if the tab with the malware-loaded page isn't on top, Chrome won't allow it to talk to the dongle. If there is some way to render a page that is not visible to the user but which Chrome considers sufficiently "open", that's a Chrome bug which should be fixed.

    A machine that is compromised is no longer your machine. If you want two factor, use two channels. There is no way to secure a single channel with two factors sensibly.

    You should have stopped after the first sentence, because two channels doesn't help. If the machine you're using is compromised, it's no longer your machine, period. This is true regardless of the authentication method being used. That said, some authentication methods are susceptible to replay attacks... if I can compromise your machine and grab your credentials then I can log in as you from my machine. Security keys make that sort of attack very difficult, much harder than, for example, an out-of-band one-time-password. In that case, I just have to make sure I use the one-time password before you do, grabbing and submitting it before you click "Go". With a cryptographic challenge response protocol performed by a security key that's more difficult, because a secure channel is established between the authentication server (at Google) and the security key. It's still not impossible, but it's much harder.

  13. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 1

    $60 bucks? No fucking way.

    These are devices that have really only been used for enterprise security. Low volume plus low price sensitivity equals high price. As use of security keys becomes more widespread, across more enterprises and businesses, and even to consumers, that will change.

    There are other devices available now, including one that is $6. None of the others are as small as the NEO-n, so you'd have to "fumble for USB sticks" rather than leaving them plugged in all the time... but said "fumbling" really isn't that bad. Put it on your key ring, shove it in when needed.

  14. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 3, Interesting

    That's okay for you on your laptop. When you go to a conference room with a e.g. a PC set up for conference calls, and someone needs to log in to pull up the hangout, it's a different story

    The proper solution for that problem is for the conference room PC to have its own account, which is invited to the hangout, rather than logging in with some individual's account. From a security perspective, having a device that lots of people log into is a bad idea; it's an ideal target for compromise, regardless of whether or not you use 2FA.

    FWIW (not much, I suppose, since it's not generally available), the way this works at Google is that conference rooms have their own accounts and calendars. Rooms are added to meetings in a manner very similar to adding guests. Each conference room PC has a small, connected tablet computer sitting on the table that shows the room's upcoming meetings. You tap the one you want and the room joins that hangout. If someone needs to present something from their computer they just join the meeting from their computer, generally with a different URL that only shares their screen and doesn't use their camera, microphone or speakers (or they can join the hangout normally, mute their speakers, disable their mic and then go into presentation mode). All of this also works for people without Google accounts; if they're invited to a meeting they get a URL that connects them to the hangout, and they can present if needed.

    It's very slick. IMO, Google should package the solution and sell it, because it's far and away the best VC system I've seen.

  15. Re:Modern Democracy: A Prediction on Facebook To DEA: Stop Using Phony Profiles To Nab Criminals · · Score: 1

    They are standing up to government because it effects their income, not because they are being altruistic.

    And?

    When government leaders act to help the voters you can argue they're doing it only because it affects their chances of staying in power, not because they are being altruistic.

    This is called proper alignment of incentives, and it's a very, very good thing. At the end of the day, it's the only thing that keeps us moving forward. And it shouldn't be surprising that corporations like Facebook have an incentive to give users what they want, because in general profit motives are almost always closely aligned to the interests of their customers. Otherwise the customers leave -- and don't give me the crap about users being Facebook's product, not its customers. If users leave Facebook doesn't make money. The details of the mechanism are less important than that core fact.

    We're often accustomed to thinking of government as a protection from corporate power, but there's no reason at all that the reverse can't be true. Arguably, government interests are aligned with what the people say they want, while corporate interests are aligned with what people really want, as evidenced by how they spend their money. Neither alignment is perfect because it gets filtered through intermediate mechanisms, and governments and corporations are both ultimately made up of people who have their own goals, beliefs and ideals, which further distorts things.

    On that last point, I think it's important to recognize that because decisions are made ultimately by people, organizations -- government and corporate both -- actually can and do at times behave altruistically, sometimes even in opposition to the organization's stated goals(*). We should also keep in mind that organizational dynamics can and do distort or even override the goals of the individuals inside them, often resulting in a group policy which doesn't match any individual's preferences, and which may not even be logically consistent. My core point is that overly-simplified "government good/corps bad", "government bad/corps good", "The Man bad/people good" dichotomies are so inaccurate as to be completely worthless and misleading, as are beliefs that people or organizations can only do good things if they're doing them for the right reasons (or that good reasons justify bad actions, or...).

    Reality is complicated. Deal with it as it is, not as you wish it were.

    (*) Cue the pseudo-insightful but completely inaccurate post about how corporations have a legal obligation to maximize profit, which (a) isn't true in all cases and (b) doesn't matter in practice anyway because it's not enforced.

  16. Re:Where is the NFC 2-factor? on Google Adds USB Security Keys To 2-Factor Authentication Options · · Score: 4, Interesting

    I don't see how fumbling around with USB sticks is much better.

    I use a YubKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

    There's an obvious downside of leaving the key plugged into your laptop, of course. If someone steals your laptop they have your key. However, in order to make use of it they have to have (or guess) your password as well, so it's really only a risk if someone is specifically targeting you, in which case they could also steal your phone. Well, it's also a problem if you use a particularly lousy password, and if you don't notice that the laptop/key are gone soon enough that you can disable the key before the attacker guesses your password.

    FWIW, Google switched to using security keys for corporate account authentication a while ago. Google's security operations team determined that the risk of theft of a security key is actually lower in practice than the risk that an employee's phone-based OTP might be phished. I would have thought that Google employees were too smart to be phished... but I suppose resistance to phishing attacks is as much about social intelligence as anything else, and Google hires a lot of socially inept people.

  17. Re:Why do companies insist on producing shit ? on Security Company Tries To Hide Flaws By Threatening Infringement Suit · · Score: 1

    The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).

    This is the core issue. When evaluating what should be done you have to consider available technology... and in this case your baseline is 10-20 years ago because old systems don't get replaced very often and for new systems backward compatibility is important, as is minimizing the number of distinct products you have to manage.

  18. Re:I've said that, but Master lock and demolition on Security Company Tries To Hide Flaws By Threatening Infringement Suit · · Score: 1

    perhaps the primary goal is to not be low-hanging fruit

    Exactly. The goal is to avoid being the easiest target around.

    If bad guys wanted to work hard they'd just get a job. There are contexts in which the value of a target justifies expending a lot of effort, but they're the exception. In every case real security is all about correctly understanding the threat model and then applying adequate mitigation.

  19. Re:DeCSS on Security Company Tries To Hide Flaws By Threatening Infringement Suit · · Score: 1

    Can't say I've ever heard of [...] security by litigation.

    Then you weren't around for the DeCSS cases.

    I was... and security was not successfully achieved by litigation, nor even by ITAR restrictions. I think I still have my DeCSS t-shirt somewhere, with the code printed on the back. At the time that t-shirt was arguably an illegal munition, which of course is why it existed and why I bought it.

  20. Re:Who wants to work for Google nowadays? on The One App You Need On Your Resume If You Want a Job At Google · · Score: 1

    Never leave a job you're happy with unless you have a HELL of a good reason. Money rarely is a good reason unless its an absurd amount.

    That's your opinion, but it's not widely-held. I certainly don't agree with it, and I sincerely doubt that all of your downright genius acquaintances at Google stay out of mere inertia. It's much more plausible that they stay because they find it a better place to work than the available alternatives, for whatever combination of reasons. I do, and I've seen a lot of alternatives.

  21. Re:Who cares about performance? on Which Android Devices Sacrifice Battery-Life For Performance? · · Score: 2

    Besides gamers, who cares if it takes a few more milliseconds to launch a web browser or process an image?

    I do... because that's a few less milliseconds my CPU isn't idle, which reduces battery life.

    Seriously, does anyone understand this benchmark? I see pairs of performance and battery life numbers which seem to have no real-world meaning, so it's not at all clear to me why it makes sense to compare them. In addition, it's common that for a given set of tasks, a device with better performance will use less power because it spends more time in an idle state. The notion that devices trade off performance against battery life makes little sense in the ARM world.

    Maybe this actually does say something useful, but if so I'm too dense to see it.

  22. Re:Android on Google Releases Android 5.0 Lollipop SDK and Nexus Preview Images · · Score: 1

    The structure varies from device to device, yes. On the Nexus devices I'm most familiar with, which don't have SD card slots, there is no real sdcard partition. There is an /scdard, but it's a symlink. The advantage to not having a separate partition is not having to create a hard decision about how much to allocate to /data and how much to /scdard. This is one of the benefits of MTP over UMS that I mentioned, and it means that in terms of storage allocation you need only talk about /data, since it's the only r/w partitiion (except for actual SD cards, of course).

  23. Re:864 million bananas on The Largest Ship In the World Is Being Built In Korea · · Score: 1

    It is a convenient standard unit. Inexpensive and tasty. Can be used for measuring mass, volume, friction (obviously), and radiactivity (due to its high potassium content). A chest X-ray is equivalent to 70,000 bananas.

    Given the other sub-thread asking about the conversion to Libraries of Congress, apparently it can be used to measure data content as well.

  24. Re:Android on Google Releases Android 5.0 Lollipop SDK and Nexus Preview Images · · Score: 1

    I don't understand your comment as my Android phone from a few years back was recognised as a USB Mass storage device.

    Yes, it was. The problem with UMS is that it's a block-level protocol, not a file-level protocol. This means that when storage is mounted via UMS, the host has no way to coordinate with the target device, which is a big problem if the target device is actually operating on the file system. Basically, it's not safe to have two operating system simultaneously using the same block device.

    Because of that, when Android acted as a UMS target, it had to unmount the file system, which had all sorts of unpleasant effects on the system design. Among them, it forced the user-writable data to be partitioned into the portion that could be accessed via UMS and the portion that could not, which required guessing how large each should be. That enforced separation also added all sorts of subtle complexities to the OS, which had to take into account when /data was available and when it was not. SD cards have this same complexity, but core OS operational data isn't stored on them. Finally, it also forced the UMS-mountable data partition to be vFAT, which created many limitations around both functionality and (especially) security. /data could be ext3, or f2fs, or whatever, but MTP support is better across desktop OSes than support for random Linux file systems.

    MTP is a file-level protocol. It leaves the Android Linux kernel in charge of managing the file system and just provides an API for browsing and manipulating the files, without exposing details of the file system representation.

    UMS is like attaching your hard drive directly to another machine. MTP is like running an FTP server.

  25. Re:Who wants to work for Google nowadays? on The One App You Need On Your Resume If You Want a Job At Google · · Score: 1

    Quite a few are downright geniuses that could move anywhere and ask for a fortune, yet they're T4-T6, often making a lot less money than me, even though I couldn't dream of doing their job.

    So, why don't they move, if they're underpaid and there isn't anything different about Google?