Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. just doubled that and will again, so yeah maybe on AT&T Chooses Ubuntu Linux Instead of Microsoft Windows (betanews.com) · · Score: 1

    The valuation isn't justified by their 2014/2015 revenue, but this one sale may have just doubled that revenue and more deals like it (and many smaller ones) are likely. So discussion is of a value somewhere in that general neighborhood. _I_ am not trying to buy 20% of Canonical for a billion dollars or so, but someone might, so I was generous in my comparison vs AT&T. (My point was how -small- Canonical is compared to AT&T, so I trade not to exaggerate how small they are.)

  2. I wish. See the Firefox screenshot on LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com) · · Score: 3, Informative

    Check out the Firefox screenshot that the researcher included. On Firefox the fake dialog still looks exactly like the legitimate dialog. It looks just like an OS window that has popped up in front of the browser window. You'd only know something was amiss if you tried to drag out to a different part of the desktop so it was no longer "in front of" (actualy within) the browser.

  3. not exactly, see Firefox screenshot on LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com) · · Score: 4, Insightful

    The blog entry in which the guy describes the attack has a screenshot of the attack in Firefox. The screenshot also includes a legitimate Lastpass dialog, showing that the fake looks -exactly- like the real Lastpass dialog.

    The thing is, the browser can draw something that looks exactly the same as an OS dialog, and it can be dragged around just like the OS dialog. The difference shows up only if you minimize the browser, or already have the browser window small and you then try to drag "the Lastpass" dialog far enough that it's no longer "in front of" the browser window.

  4. Lastpass TFA actually makes the hack easier on LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com) · · Score: 2

    The way Lastpass implements 2-factor, it actually makes the hack EASIER.

  5. true, $10B buys Canonical's potential on AT&T Chooses Ubuntu Linux Instead of Microsoft Windows (betanews.com) · · Score: 1

    True, Canonical's current revenue in no way justifies a $10 billion valuation. Talk of that kind of valuation is based on their growth potential. By revenue, the importance of the AT&T deal is even more significant- AT&T is a huge customer, for a company the size of Canonical.

  6. after reading the details, this is significant on LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com) · · Score: 5, Informative

    I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.

    For anyone who doesn't care to read the details, here's the crux of the problem:

    Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

  7. too much $, but no, 3 months pay on Police Department Charging TV News Network $36,000 For Body Cam Footage (arstechnica.com) · · Score: 4, Interesting

    > the people doing the editing/redacting are already getting paid by the taxpayers. The only additional cost is the physical media

    The charge does seem a bit high, but there absolutely is some additional cost to NYPD. We can estimate that finding, ccopying, and redacting all the pieces of video might require about 400 hours. At 40 hours per week, that's 10 employee/weeks. 10 weeks of actual work is about what you'll get for three months of salary, with vacations, holidays, and sick time. So one video tech (and a lawyer?) can do this job in three months.

        NYPD didn't already hire a video tech to sit there and do nothing for three months. To get this job done, they'll need to hire someone, perhaps the new won't be the person doing the work, but the new hire might do a job that would otherwise be done by the person pulled away to do this.

    The salary of the new hire is about 65%-75% of the total cost of having them- there's also extra insurance and benefit costs, the employer's payroll taxes, unemployment taxes, worker's comp, etc. So the total cost to NYPD should be roughly equal to four months of pay for the person doing the work.

  8. BIG deal for Canonical, AT&T is 20x the size o on AT&T Chooses Ubuntu Linux Instead of Microsoft Windows (betanews.com) · · Score: 5, Interesting

    A better headline might have been:
    Canonical lands huge contract with AT&T

    AT&T is a $200 billion organization, Canonical is about $10 billion. This deal might boost Canonical's revenue by 50%.

    Also, it's a major credibility boost on Canonical's corporate resume. AT&T is a major, major company full of network experts, so it's a very significant endorsement of Canonical supporting large-scale applications. Consider Canonical trying to sell a new a customer, maybe Fisher Price or Nabisco:
    Fisher Price: How do we have confidence that your team can support services at the scale Fisher Price needs?
    Canonical rep: We run AT&T's systems, at the much larger scale they require.

  9. you described why it makes/made sense on Geoblocking, Licensing, and Piracy Make For Tough Choices at Netflix (thestack.com) · · Score: 1

    > many european sats can be picked up anywhere from ireland to turkey)

    So why would the European satellite TV company want to buy exclusive rights in the United States or Japan / East Asia, where their satellites don't cover? They wouldn't, of course. The physical reality means NBC , DirectTV, or some US company would buy US rights, and the European satellite TV company would buy US rights. Internet distribution is different. How does Netflix bid against the European satellite company? It's apples to oranges.

    I'm guessing the sats don't provide GOOD service over an area that big, but it doesn't matter. The point is, they don't service anywhere near the entire world, while Netflix does. It creates a problem.

  10. not illegal. Different countries have different st on Geoblocking, Licensing, and Piracy Make For Tough Choices at Netflix (thestack.com) · · Score: 1

    Broadcasters are limited by law to only broadcast in a specific area. It's entirely legal for a TV station in Los Angeles to buy a show, and for a different TV station in Paris to get the same show. They aren't colluding to ARTIFICIALLY divide up the market, physics says the antenna broadcast from LA can't be readily received in Paris. That's the physical reality that the entertainment industry is based on. Even NBC, ABC, and other networks only operate in the US. They are American companies, in the business of providing TV to Americans. The reason they aren't broadcasting in Syria isn't because of nefarious collusion, it's because they aren't a Syrian company and aren't organized to broadcast in Syria.

    It's the same with physical goods. Certain companies sell groceries in some countries, and other companies operate in other countries. Sometimes, one company in Europe will make an exclusive deal to sell a specific brand name of -laundry soap- in the their area, while another company sells the same brand wherever they operate. Unilever just brought a European soap brand to the US this month, in fact. Unilever isn't avoiding selling it in the Netherlands in order to jack up profits, they simply don't have facilities in the Netherlands. So they bought the rights to use that brand in the area where Unilever operates and noone else is using that brand name.

    That made sense for selling anything that requires a local presence, whether it be laundry soap or broadcast TV. Now that digital media is being purchased over the internet in huge amounts the companies will need to refactor their contracts and their ways of doing business.

  11. Oxford no longer uses the Oxford comma on Explaining the Lack of Quality Journalism In the Internet Age (gawker.com) · · Score: 1

    The serial comma is of course also known as the "Oxford comma" because Oxford, unlike other British style guides, said it should be used. Now, Oxford says it normally should NOT be used:

    University of Oxford Public Affairs Directorate Writing and Style Guide:
    Note that there is generally no comma between the penultimate item and 'and'/'or' â" this is sometimes referred to as the 'Oxford comma'

    One reason for not using it is apparent in the following dedication:
    To my mother, Ayn Rand, and God.
    With the comma, it appears Ayn Rand may be the writer's mother (an appositive).

    Without the serial comma, it's clearly not an appositive, it's a list of three people:
    To my mother, Ayn Rand and God.

    Whether or not it should be used is of course debateable, and debated. Most styles guides, however, say it should be used only if necessary to avoid ambiguity.

  12. Sell to CBS AND the French TV network on Netflix Decides To Crack Down On VPN Users (netflix.com) · · Score: 4, Insightful

    It's legacy code. It made perfect sense until a few years ago, but it now needs to be refactored. Suppose you produce a show and CBS (USA) buys the rights to air it. Obviously CBS doesn't want their competitors, such as NBC, to have the same show. So you give CBS an -exclusive- contract.

    So your show is on CBS and then the TV station in France wants to air it. CBS isn't competing in France, so they don't much care if the station in France has the same show. CBS only really cares that they have it exclusive in the United States. So that's the way contracts are written, TV networks buy exclusive rights in their country. That goes along fine for 90 years.

    After 90 years of that approach working pretty well, Netflix comes along and they want to buy the same TV shows the networks do. The production company either already has sold exclusive rights in different countries or assumes they will (they always have before). The standard model of selling rights to networks in different countries doesn't work well with Netflix, which is available from almost any country (via vpn or otherwise). Hollywood will have to adjust and right contracts differently. Probably, Netflix will have to buy WORLDWIDE rights to the shows, which will be more expensive than buying rights only in a particular service area. They'll adjust, it just takes time to overcome a century of inertia.

        Heck, the production companies are still doing something else they've done since the earliest days of TV - casting Betty White. :)

  13. true, automated tasks the main risk on OpenSSH Patches Bug That Leaks Private Crypto Keys (threatpost.com) · · Score: 3, Interesting

    That's true, the main risk is automated scripts, which don't use an agent and won't notice the odd prompt. Again though that includes large installations like Rackspace, Hostgator, etc. Anybody who has thousands of servers doesn't log into each one individually all the time, they script updates, backups, configuration, etc. And several bulk protocols including rsync, git, etc run on top of ssh.

    I'm certainly got my attention because a system I'm responsible for has one heavily fortified gateway machine which has access to many customer servers. I'm glad the bad guys didn't know about this before the good guys did, as far as we know.

  14. Siberia is 65 degrees, 2,700 km on Grisly Find Suggests Humans Inhabited Arctic 45,000 Years Ago (sciencemag.org) · · Score: 4, Informative

    The article mentions Siberia. Siberia is roughly 65 degrees north latitude, or 2,700 km from the pole. So they probably DID mean 2,000 km , which would be northern Siberia (not a warm place).

    The three countries who claim territory at 2,000 km from the pole Russia, Canada and Greenland.

  15. 20000 km from the pole on Grisly Find Suggests Humans Inhabited Arctic 45,000 Years Ago (sciencemag.org) · · Score: 0

    I'm betting it was about 20,000 km from the (south) pole. :)

  16. Affects me, the last two companies I worked for on OpenSSH Patches Bug That Leaks Private Crypto Keys (threatpost.com) · · Score: 4, Informative

    This issue affects anyone who connects to customer machines via SSH. If ANY customer machine is infected, the attacker can read my private key, which allows them to connect to and potentially infect ALL of my customers.

    Consider a hosting provider such as Rackspace or Hostgator. The Hostgator sysadmin spends his day connecting to various servers used by Hostgator customers. As soon as he logs into one server which is infected, the bad guys have his keys and can use them to infect ALL Hostgator servers, tens of thousands of servers.

  17. In complement, assume you do NOT understand it on The Best Ways To Simplify Your Code? (dice.com) · · Score: 2

    > Make sure you understand the implications of every line you change (yeah, that's slow).

    A complementary technique I used recently was to make sure I did NOT understand the code. I could understand the implications of changes, avoid any side-effects, by not trying to understand what the code did and instead applying mechanical transformations. I got a new job, working on a code base I'd never seen before. I made some significant improvements by refactoring code while making sure I didn't understand anything about what the code did. Basically, I saw something like this:

    for (i=0; i = 1_000_000_000; i++) {
            foo = 'bar';
            fi = 'bee';
            printf(foo, fi); ...
    }

    I could change that to this and know it was write, without understanding anything:
    foo = 'bar';
    fi = 'bee';
    for (i=0; i = 1_000_000_000; i++) {
            printf(foo, fi); ...
    }

    Similarly I could cut-paste blocks of code into functions, without caring what that block of code did - I only cared about which variables it accessed.

    Or when I saw this:
    cnm = get_customer_cumber()
    I could then rename the variable via search and replace to cnm to customer_number throughout the scope. I don't know or care what a customer number is, but I know "cnm" means "customer_number", so I can do that search and replace.

    So I'd say you can choose to either a) understand the code well or b) assume you don't understand it at all, and therefore make provably equivalent transformations, such as renaming, properly extracting functions and subroutines, etc. What's dangerous is when you make changes based on an imperfect understanding, when you -think_ you know what the code does, but you're wrong. You can go a long way while knowing that you don't understand it.

  18. As someone who creates that protection, not needed on Why Sharing Ransomware Code For Educational Purposes Is Asking For Trouble (betanews.com) · · Score: 1

    > On one hand I can see the point, but understanding how ransomware works may also be useful in protecting yourself against it.

    I see both sides too. As someone who authors protective software for a living (when not I'm farting around on Slashdot), I do enjoy understanding how it works. Mostly I want to understand how the OTHER malware that exploits the system and gains access with which to run the ransomware works. To do that, to write the software which protects you, I don't need the source code of the ransomware to do my job.

    I guess the best analogy I can some up with right now is that you can understand that someone can kick down your door. You can further understand that after they kick down your door, they could vandalize the inside of the house. You can protect yourself by making the door stronger, with longer screws, stronger locks, etc. You don't need to practice vandalizing the interior in order to improve the security.

    You don't even have to take a karate class in order to improve the door. In fact, a karate class would be a big waste of your time, if you're trying to improve door. Learning exactly how to most effectively kick a door is like having a detailed understanding of specific exploit code. Ransomware is like the spray paint they use to vandalize the house after they break in. For security, the chemical formula of the spray paint isn't useful.

    As a security professional, I need to understand what the weaknesses are and the general concepts of how those weaknesses are exploited. Working code to actually do damage after the weaknesses have been exploited isn't particularly useful.

  19. Opposite. Higher demand, lower supply raises price on Open Salaries: the Good, the Bad and the Awkward (yahoo.com) · · Score: 1

    When a company issues (sells) new stock, that dilutes the value of the existing stock. So company sells stock -> reduces values. When the company issues an option, they are required to later BUY stock with which to fulfill that option. If the company SELLING stock reduces the value, what do you think happens when the company BUYS stock?

    Suppose you are trading MTG cards, and there are only 10 copies of a certain card.
    You have three of ten.
    Suppose I am -required- to offer to purchase 5 of those cards. How does that effect the price at which you'll sell the card?

    Obviously, when someone is required to purchase them, that means there is more demand, and therefore the price increases.

    If I'm required to buy 5 cards, that -reduces- the number of available cards to only 5. It REMOVES those five cards from being available to others, precisely the -opposite- effect from printing 5 new cards.

    When a company gives someone a stock option, that means the company is required to later purchase shares with which to honor the option. That's an increase in demand, which INCREASES the value the stock. Precisely the opposite from the company issuing (selling) new stock, the company is -buying- stock.

    All of that said, suppose Yahoo's CEO gets an option for a thousand shares at $30, and the stock later increases to $50 per share. So the CEO made $20,000. We have these numbers:

    $50,000 Yahoo paid for the stock
    $30,000 Someone paid to exercise the option
    $20,000 profit to CEO (the "extra" money you're worried about)
    $30,000,000,000 Total value of Yahoo shares.

    Really, you're worried about $20,000 diluting $30,000,000,000? You realize the company spends more than $20,000 on floor care, right?

  20. I use responsible disclosure for open source on Why Sharing Ransomware Code For Educational Purposes Is Asking For Trouble (betanews.com) · · Score: 4, Interesting

    Many of open source projects I'm involved in use a responsible disclosure model. It has worked very well, getting most users patched a few days or a few hours BEFORE the bad guys knew how to exploit it, rather than soon AFTER they got exploited. I'll use as two examples issues I found in Wordpress and PowerDNS (used by wikipedia and other large sites).

    I found an issue with Wordpress and opened a security ticket describing the issue and my proposal for a solution. As a security ticket, it was initially visible only to the security team. Over the next 24 hours or so, it was discussed and consensus was developed regarding the right solution. Over the next 24 hours, it was tested and (quietly) pushed to the repository. On the third day, everyone who had Wordpress set to automatically update got the fix, and admins with many, many Wordpress users such as Wordpress.com were notified. So maybe 80%-90% of the Wordpress users had the update on day three. On day 4, the information became public - 24 AFTER the updates had already happened.

    Note it took a couple of days between the time the patch was ready and the time most users were protected. Had we released the patch and the information together, that would have been a day or two that the bad guys could have infected servers with persistent malware.

    Power DNS was similar, except distros needed time to compile and package the fixed version. So the issue was discussed privately, and the fix tested. Had the vulnerability been public, someone would probably have used it to take down Wikipedia, so Wikipedia was notified of the fix along with a few other very large sites. While Wikipedia was patching, Redhat, Debian, and the other distros were preparing updated packages for their users. This was roughly day three. On the morning of day #4, Debian mailed their users to let them know that a security fix was available and that had information about the vulnerability- AFTER the update was already available from Debian's servers, which was a day or two after the source patch was privately distributed to the appropriately people.

      Something else happened that day too. About an hour after the Debian security alert email went out, I had a job interview. When I told the interviewer I worked mostly with Red Hat systems, he seemed disappointed. The conversation continuedg

    "We use Debian. Do you know anything about Debian?", he asked.
    I replied "did you see that Debian security alert about an hour ago?"
    "Yeah, this one right here?" he said as he opened the email.
    Looking at the first line of the email, he saw it said "Ray Morris discovered a vulnerability ..."
    Suddenly he seemed less concerned about my knowledge of Debian. :)

  21. That's not how options work on Open Salaries: the Good, the Bad and the Awkward (yahoo.com) · · Score: 1

    It seems you may have read the definition of "stock option" but aren't clear on how they're actually used. Key people typically get stock options as part of their compensation because that means their total compensation is affected by how well the company does, specifically by the CHANGE (delta) in how it does under their leadership. They don't, however, exercise those options by buying stock at the option price. Even if they did, that wouldn't make new stock magically appear and "water down" the other stockholders. But anyway they don't use the options to by stock. Here's what they do. Suppose John is the CEO and Mary is some random investor. Three years ago John got an option at $85 and the stock is now selling at $100. John wants to cash out the option. Mary wants to buy the stock, for $100. Mary buys John's option for $15 so she can buy the stock for $85. She pays a total of $100, exactly the same as she would have paid if there was no option, for exactly the same stock. John puts the $15 in his pocket. John never owns the stock itself and he certainly doesn't cause new stock to magically appear.

  22. We actually don't WANT better ransomware on Why Sharing Ransomware Code For Educational Purposes Is Asking For Trouble (betanews.com) · · Score: 1

    You've made a cogent, though slightly misguided argument for publicizing information about software that should be improved. This article, however, is about RANSOMWARE - software written by the bad guys, who use it to do bad things. We don't WANT better ransomware. We don't want to show the bad guys how to be more effective bad guys.

    When you discover a flaw in a family of ransomware which allows you to retrieve the keys and decrypt the files which are held hostage, there is an argument to be made for releasing only the keys without explaining to the bad guys how they can write better ransomware next time.

  23. bull, you are not a victim. $275/month for 35 year on Open Salaries: the Good, the Bad and the Awkward (yahoo.com) · · Score: 1

    Less than 10% of millionaires inherited significant wealth.

    I'm currently DOING this, getting rich, and it IS working, just like it's always worked for other people who do it. It's not quick, but it works. At this point you decide which is most important to you - holding on to a mistaken belief or retiring as a millionaire. Because this is how it does work.

    Here's a calculator for you to run different scenarios, but the bottom line the calculator will tell you is that you need to EITHER save $480/month (PRETAX) for 35 years OR participate in your employer's matching program (401k etc.) As I'll explain, the monthly investment required is less than it first appears from the calculator.
    https://www.investor.gov/tools...

    Long-term returns in the overall market are 8%-9%. Short-term returns vary considerably but we don't care about that; we have a 25-40 year plan, not a 1 year plan.

    So the calculator says we need to invest $480 / month for 35 years. HOWEVER, that doesn't mean taking $480 out of your paycheck, for two reasons. First, most employers offer a matching program. You have $350 automatically invested and they'll kick in another $125. Secondly, you'll invest PRETAX. Taking $350 out of your pretax pay will only reduce your take-home pay by about $275. In summary:

    $275 reduction in take-home pay = $350 invested by you.
    Employer matches $125 = $475 invested per month.
    $475 invested at 8% for 35 years = a million dollars

    The above doesn't include inflation. You actually want to end up with MORE than a million dollars due to inflation, so take $350 paycheck reduction and after the match you'll be set.

  24. for a week. New Yorkers want their smartphones on NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io) · · Score: 1

    I'm thinking the law would last about three days if the manufacturers didn't ship backdoored phones, meaning it would be illegal to sell a modern smartphone in NYC. Every customer wanting to buy a phone would be told:

      The city council made it illegal to sell modern smartphones in NYC. If you want to complain, here are the phone numbers of the council members you can call.

    Ten thousand complaint calls per day should get the council's attention pretty damn fast.

  25. Not a problem at my state agency, but we specializ on Open Salaries: the Good, the Bad and the Awkward (yahoo.com) · · Score: 1

    My last job was at a state agency. Salaries were online for everyone to see. I didn't notice any problems related to that.

    In my department, at least, each person's job was a bit unique ; nobody else did exactly what I did, so there wasn't a direct comparison. Raises (without a promotion) were quite limited because the legislature only approved 1%-2% per year merit raises for the agency, meaning almost everyone got a similar raise. To give one person a 10% raise would mean 9 other people got no raise, so that didn't happen. Only occasionally would one person not get 1%-2% because they didn't deserve a merit raise. (Cost of living adjustments were a seperate 1%-2%).