http://en.wikipedia.org/wiki/Trusted_Platform_Module
What gave it away? The linked "rsmiller510" or the credit at the end that said
— Ron Miller is a freelance technology journalist, blogger, FierceContentManagement editor, and contributing editor at EContent magazine.
OK, he looks like Borat. The article may not have a whole lot, but it's not that bad, and it's disclosed that it's someone's opinion. Slashdot does far worse on a regular basis.
Are the Feds really after them anyway? Other than in a recruiting sense?
"Oh, Really?" seems to work for most companies. I don't see why Google would need to use the "old company" excuse.
Yes and no.
With custom code that audit, should you bother, needs to happen once and then perhaps again when changes are made.
An open CMS is likely a moving target. Depending on the code quality and the familiarity of the audit team, an audit probably is easier, but how long is that audit really good for? What do you do when you KNOW you are running an insecure version as a hole has been found, but are not in a position to upgrade and re-audit the entire CMS? Do you get paid to keep the software updated to the latest version at all times?
It sounds very much like HBGary was a target who didn't feel the need to secure their own systems as well as they could have. I don't think an open or closed CMS matters that much compared to their perceived business priorities. How many open CMS products make the same mistakes of using a fast hash function like MD5? Without a salt or multiple iterations?
These problems are common. It takes more resources to fix them. Is it worth it? For them I can easily see them laughing all the way to the bank had one clueless individual not provoked Anonymous. They fired the vendor, that's probably the fix they intend on as far as their CMS goes. After all, if your admin is going to give out the passwords based on an email, does how you store it protect you?
For them the ROI of STFU was greater than fixing every best practice ignored. But they screwed that up too. I'm sure they could have screwed it up with an open CMS as well.
Perhaps biased to the point of blindness in this case.
Expensive "official" phones drives a black market. One so prolific that killers can still make calls. Except it's a matter of economics, not law. Prison officials can't monitor or restrict those calls as effectively.
Cable TV is probably economics as well. TV is cheaper than more guards. Better paid guards that are less likely to sell a cell phone to an inmate are way more expensive than TVs. But who WANTS to be a prison guard?
I won't pretend to have any easy answers to solve prison problems. I don't want to dismiss your pain either, I'd be biased too if so directly affected. Nonetheless in this case (phones) I think the prison system isn't working in society's best interest and it is fixable.
Beyond that, simply get a scanner that detects the frequencies used by cell phones, install a few of them around the prison, and when they go off, if the system is properly designed, it could tell a guard immediately and tell them approximately where the phone is in the jail.
I was going to argue against this, then I realized how genius it is.
The "problem" is that the guards are the ones selling the prisoners the cell phones. Alerting them wouldn't do any good... or...
Since the corrections officers like the cell phone business, the inmates utilize it (and probably hate the prices they pay, but the demand is there), and only the politicians "care". The solution is just that simple.
Sell the state/prisons a cell phone locator device (doesn't need to work, just look fancy and have proprietary/secret documentation). Politicians get to "do something". Guards get to quickly locate and resell contraband phones. Rich get richer. And if the prisoners get all uppity about human rights? Threat level red!!! Our device says someone is being bad in prison, lockdown!
And before you question my business plan, ask yourself, are you licensed by your state to provide an engineering-level quality assessment?
I think that's it. I get the impression that "can't be fixed" might well mean "no way the idiots around here are going to get that fixed".
Yes, in fact we do. We also know how hard everyone else in your contact list worked on their Angry Birds scores. And we're selling it for big money soon.
Just kidding here, but that's my real concern with this.
you haven't seen this yet is because most malware is directed at turning a machine into a zombie
I admit to not reading the article, but this is my concern here. Is mobile malware the same definition?
I have an android phone. Permissions are such I can tell if an app wants "unneeded" permissions in some cases. An (offline, single player) game that needs no permissions, or maybe wants to have "disk access" (save a little game state) sounds safe.
On the other hand, certain apps (gmail, you name it) need lots of permissions for "legitimate" purposes. The problem is, just because an app might have good use for camera or GPS permissions, doesn't mean I can trust it to only read/store/send those values as I expect.
I'm concerned about all the "free" apps that may collect information. I don't (yet anyway) have a good way to know whether they are behaving or not. I just have to trust that they do. And certain things, like my phone number, I can't necessarily just put in fake data for.
There are lots of reports (many exaggerated) that talk about this already happening. I'm not sure to what extent, but I wouldn't doubt I've been "victimized" and just don't know it. If 2011 is the year I find out the hard way, I can't say it will be all that surprising.
But yeah, I don't see "regular" (desktop) malware getting substantially worse on mobile in a short time frame.
I'm not sure there's an easy fix for this either. Java applets allowed much more fine grained permissions, and it sucked ("Yes to all"). I think android is better, but I still want a way to override and (to the extent I trust the OS) have the OS enforce it.
In my state (Maryland) the law is already correct (but could be better I suppose). The problem is a (county) prosecutor can still try to bring charges, even if they won't stick, as happened with the motorcycle rider.
The "no-tax freaks" may not have accomplished much. I think it's too early to judge. But paying taxes is something everyone would like to avoid, but only the very rich are able to do.
Can we even boil this down to "no-tax freak" or "police accountability party" or something that sounds better than "anti-cop freaks"?
"I don't want to pay taxes" is simple. Recording the police is a little more nuanced.
Maybe I'm doing it wrong, but I didn't search, I just filtered. The #2 advanced result for slashdot is the robots.txt file.
http://www.google.com/search?q=site:slashdot.org&hl=en&num=10&lr=&ft=i&cr=&safe=images&tbs=rl:1#q=site:slashdot.org&hl=en&num=10&lr=&cr=&safe=images&tbs=rl:1,rls:2&sa=X&ei=n98KTZWWFMKC8gbr_omfAQ&ved=0CIABEIoKKAI&fp=9bef8cda26d1a6ec
It does seem like $20 words do well, but "collision" comes up a lot in slashdot discussions (hashing and such), probably less so (or in the car crash sense) for celebrity watcher sites. Advanced is rather subjective.
I wish I could say I think you are wrong. Best I can do is hope you are wrong.
The expense and risk are tricky. One thing bombs have going for them is a track record. They may not always achieve your goals, but you have more history to look at.
The history here isn't good. As a software developer, I wish people wouldn't "do that" as it's a PITA to code against. People will do that, and it helps to keep me employed.
Long term, will black hats consistently win over white hats, even with things like nuclear energy? So much so that bombs become ineffective?
As an American, software developer or not, I'm not sure that's in my long term interests.
Clear is a bunch of liars:
http://i.imgur.com/jTnpJ.png
That image isn't mine, but I got the same "not junk mail" from them and it is my only impression of them so far. I wasn't impressed by their mailing.
It's possible to divide the major factions that way. I'm not sure it adds any insight. Sounds like http://en.wikipedia.org/wiki/False_dilemma to me.
No really, parking meters. They started stealing the parking meters.
So every cloud has a silver lining?
Someone mentioned http://babelstudios.se/defacer/ (safari plugin to block facebook) in http://yro.slashdot.org/comments.pl?sid=1889866&cid=34391506
It has a "test it out" Like button on the page. I'm surprised it only has 36 likes. Wonder if FB periodically unlikes links they find unlikeable.
Here's my T-shirt idea:
TSA
genitalia inspection specialist
(those Female Body Inspector shirts sold, why can't this work?)
No wonder efforts to open Java stalled out a couple years ago, because along comes Google, who's willing to leverage every strength of Java, borne on Sun's back, and take it away without giving back, by walking some fine line of the letter of the law, while ignoring the spirit of the law, which is that if a company drops billions of dollars into a technology, and is trying to sell it (JavaME), they should be compensated. Why didn't Google simply make their own technology from the ground up? Because they received tremendous value from taking it. Was that not worth some compensation?
I would say they did make their own technology from the ground up, as much as Sun did anyway. Android is not compatible with JavaME, you can have floats, there's no CLDC. Android is open source, how is Google not giving back?
Sun didn't drop billions on JavaME. Java itself was open (at least to an extent); that was the spirit of the "law". Google ignored the ME part of the blueprint when building their own house, which to me removes any obligation to pay for it.
Certainly Java is a fine language. But it built on the state of the art at the time, not from a void. Android does the same. Isn't Java just a "proprietary copy of a more open platform, with a few tweaks, and a cynical dodge of paying for it"?
I still don't understand what you think Google is supposed to pay for. JavaME license? Certainly Google didn't invent computers, programming or phones (and neither did Sun). Who was Sun supposed to pay for the progress they took advantage of?
It's not that I don't understand how Google benefited or how Sun contributed. I just don't understand what business model you expect.
Which is more free, Java or Dalvik?
Dalvik, because Oracle has sued over Java and not the other way around. At least, that's one way to look at it. Dalvik is apache licensed.
Can you download and use Dalvik on your desktop or server? Is it completely open source?
Yes, you could download and run it on a PC (the SDK which includes an emulator is available for Linux, Mac and Windows). If you want to boot directly into android, google doesn't provide that, but see http://www.android-x86.org/. As far as I know it's completely open source.
Or is it just a proprietary copy of a more open platform, with a few tweaks, and a cynical dodge of paying for it?
This is the part I don't understand. Pay for what?
The JVM they aren't using? The implementation of the core classes from apache? The android stuff they did themselves? What are they supposed to be paying oracle (or sun) for?
Oracle would probably prefer that Google had used J2ME and would pay fees. But they didn't choose J2ME. Oracle would probably prefer that Google had licensed the JVM. But they didn't, they wrote their own.
We want to improve citizens' productivity and their willingness to work
I disagree on this point. We (or at least I) want to improve quality of life. That's not exactly the same as productivity.
I'm having trouble finding clear information on alcohol use before, during, and after prohibition. Most sources seem to say basically alcohol use was in decline prior to prohibition, usage during prohibition is unclear due to the illegality but may have gone up, and went back to about pre-prohibition levels afterward.
Given my luck finding a clear reference on alcohol usage, I'm not even going to attempt to find quality of life data. I will say fundamentally I don't think "opening the door to Marijuana is actually quite stupid". I'm not the least convinced usage will go up significantly, much less that it will lead to significantly lower productivity or quality of life in this country.
Are we really going to increase tax revenue by locking up pot smokers? Was quality of life or productivity really increased by prohibition of alcohol?
I find drupal a bit difficult to work with ("hell" if you wish).
I think my two areas of concern are:
Moving target - drupal changes a fair amount in a short amount of time. This is all relative of course, I'm primarily used to working with in house proprietary CMSes. An example would be the Form API which is nice, but changed too much between drupal 5 and drupal 6 for my preference. Or perhaps there are just too many alternate ways to do things with (for me) no good defined best practices. Whatever the primary cause, I feel like I'm still struggling with over 2 years of drupal development.
Web framework vs complete CMS - if drupal was just a framework I think things might be easier. We have pretty customized requirements such that drupal + contrib modules + css doesn't come close. Yet drupal is designed to be customized in large part through various admin screens (e.g. views). So often the default behavior seems to get in the way, something that must be reconciled with, but doesn't help much. Version control is more difficult with so much stored in the database (I'm curious how others deal with this).
Overall drupal is a PITA for me over the proprietary system it (sort of, 2 sites converted) replaced. Some people clearly like it and I think if I had more generic requirements I would too (drupal does seem pretty decent vs wordpress, joomla or other CMSes). Or perhaps if I could just say "if you want that, go ahead and do that in the admin then". As it stands, I feel like drupal is costing me more time than it is saving me, and thus the learning curve doesn't seem worth it.
That floodgate
Not really. The GP describes a situation where nobody pays, everyone pirates. "That" floodgate isn't open currently; it's now some pay, some don't. If they push too far, I share your concerns. However, if they keep pushing as history has shown thus far, it seems at least reasonable to debate whether that keeps the "some pay" part in the equation.
*actual customer experience may vary, especially in regards to "they"
To be a receptionist at many facilities, you need to have a clearance.
Yeah, I know, the article said so.
The information leads the reader to think that all 1m with TS clearance are working at the moment on nefarious projects for an evil government
That's not what I got out of it.
More specifically "AppConstants.AUTH_KEY" is the salt. But that doesn't appear to be a *random* salt.
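As an added example (not code from any comment on this page or from the application being discussed), the point above about a constant salt such as AppConstants.AUTH_KEY, and the earlier remark about fast unsalted MD5, can be shown side by side in Python. STATIC_AUTH_KEY and the sample users are constructed placeholders; PBKDF2-HMAC-SHA256 with a per-user random salt is the comparison scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed stand-in for an app-wide constant "salt" (hypothetical value,
# playing the role of something like AppConstants.AUTH_KEY).
STATIC_AUTH_KEY = b"app-wide-constant-key"

PBKDF2_ITERATIONS = 100_000  # slows every guess; tune to your hardware


def md5_unsalted(password: str) -> str:
    """Scheme 1: bare MD5. Same password -> same digest for every user,
    so a leaked table can be matched against a precomputed dictionary."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_static_salt(password: str) -> str:
    """Scheme 2: MD5 over a constant app-wide key plus the password.
    Still one digest per password across all users: the constant only
    forces an attacker to build the dictionary once for this app."""
    return hashlib.md5(STATIC_AUTH_KEY + password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Scheme 3: per-user random salt + iterated PBKDF2-HMAC-SHA256.
    Returns a self-describing record 'pbkdf2_sha256$iters$salt_hex$dk_hex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample: three users, two of whom chose the same password.
USERS = [("alice", "Winter2011"), ("bob", "Winter2011"), ("carol", "hunter2")]


def count_distinct(values: List[str]) -> int:
    return len(set(values))


def compare_schemes() -> Dict[str, int]:
    """Number of distinct stored values each scheme yields for USERS.
    Fewer distinct values than users means shared passwords are visible in
    a dump and one cracked entry unlocks every matching account."""
    return {
        "md5_unsalted": count_distinct([md5_unsalted(p) for _, p in USERS]),
        "md5_static_salt": count_distinct([md5_static_salt(p) for _, p in USERS]),
        "pbkdf2_random_salt": count_distinct([pbkdf2_store(p) for _, p in USERS]),
    }


if __name__ == "__main__":
    # {'md5_unsalted': 2, 'md5_static_salt': 2, 'pbkdf2_random_salt': 3}
    print(compare_schemes())
    rec = pbkdf2_store("Winter2011")
    print(pbkdf2_verify("Winter2011", rec), pbkdf2_verify("winter2011", rec))
```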
/. FAQ: http://slashdot.org/faq/editorial.shtml#ed850
Slashdot seems to be very U.S.-centric. Do you have any plans to be more international in your scope?
Slashdot is U.S.-centric. We readily admit this, and really don't see it as a problem. Slashdot is run by Americans, after all, and the vast majority of our readership is in the U.S. We're certainly not opposed to doing more international stories, but we don't have any formal plans for making that happen. All we can really tell you is that if you're outside the U.S. and you have news, submit it, and if it looks interesting, we'll post it.
It is worth noting that there is a Japanese Slashdot run by VA Japan. While we helped them a little in their early days, they essentially run their own content without any real involvement from us... none of us can read Kanji! There are currently no plans to do other language or nation specific Slashdot sites.