>> celebration of the psychic and tangible rewards of being a maker
I once thought I'd like to be a maker too, but the thought of wriggling through sand (itchy!) and just spending most of my days chasing after the "thump, thump, thump" turned me off.
>> many do not do CRL checking
True - that's an ongoing blind spot in the security community. Those of us who work with long-lived and signed "web authentication tokens" are currently dealing with similar issues: once they are out in the wild, a lot of "performance-optimized" (highly scalable due to no central check-in/bottleneck) servers will continue to accept tokens that should have been revoked hours or days ago. (The tokens are accepted because they were signed by a trusted source and no check for revocation is done.)
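To make the blind spot above concrete, here is an added illustration (not code from the original comment): a minimal HMAC-signed token, a verifier in the "signature plus expiry only" style that keeps honouring a revoked token, and one that also consults a revocation set and caps token age. The key, claims and revocation list are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real issuer keeps this in a KMS/HSM, never in source.
SECRET = b"constructed-demo-signing-key"


def b64enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Issuer side: sign the claims so any server holding SECRET can verify offline."""
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    body = b64enc(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64enc(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature_only(token: str, now: int):
    """The 'performance-optimized' path: trusted signature + not expired, nothing else.
    A token revoked a minute ago is still accepted until exp, however far off that is."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64dec(sig), expected):
            return None
        claims = json.loads(b64dec(body))
    except ValueError:  # malformed base64 or JSON, or wrong number of segments
        return None
    return claims if claims["exp"] > now else None


def verify_with_revocation(token: str, now: int, revoked: set, max_age: int):
    """Same signature check, then two cheap mitigations: a revocation set keyed by
    jti (pushed to servers, or a local cache of a central list) and a hard cap on
    token age so a long 'exp' alone cannot keep a token alive for days."""
    claims = verify_signature_only(token, now)
    if claims is None or claims["jti"] in revoked:
        return None
    if now - claims["iat"] > max_age:
        return None
    return claims
```

The age cap bounds how long a missed revocation can matter; the revocation set is what actually closes the window the comment describes.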
>> Updates should be signed in the first place
Agree but...
>> once done there is no further benefit to https encryption
HTTPS will keep a client from pulling updates from the wrong server. If I had a client that installed ANY properly signed update, I might intercept HTTP requests to install signed patch 1.4.8 and return signed patch 1.1.1 (a downgrade to a version with a known vulnerability) instead of the requested file.
If your clients are smart enough to check the signature (including expected hash) of each patch, then you're in better shape...unless the attacker intercepts the HTTP connection used to communicate expected hashes and changes the expected hash to one that makes his bad patch seem legit.
Long story short, I think there's still a role for HTTPS even when you're checking for patch signatures.
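As an added example (not from the original comment or any real updater), the two client behaviours described above side by side: a naive client that installs any package the vendor ever signed, and a hardened one that also pins the requested version, refuses downgrades, and compares against a hash it is assumed to have fetched over HTTPS. HMAC stands in for the vendor's asymmetric signature; key, versions and package bytes are constructed.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's signing key; a real vendor signs with an asymmetric key.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_manifest(version: str, package: bytes) -> dict:
    """Vendor side: bind a version string to the package hash and sign both."""
    body = {"version": version, "sha256": hashlib.sha256(package).hexdigest()}
    msg = json.dumps(body, sort_keys=True).encode()
    return {**body, "sig": hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()}


def signature_valid(manifest: dict) -> bool:
    body = {k: v for k, v in manifest.items() if k != "sig"}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(manifest.get("sig", ""), expected)


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def naive_client(manifest: dict, package: bytes) -> bool:
    """Installs ANY properly signed package. Over plain HTTP an interceptor can answer a
    request for 1.4.8 with the vendor's own, genuinely signed 1.1.1 and this says yes."""
    return (signature_valid(manifest)
            and hashlib.sha256(package).hexdigest() == manifest["sha256"])


def hardened_client(installed: str, requested: str, expected_sha256: str,
                    manifest: dict, package: bytes) -> bool:
    """A valid signature is necessary, not sufficient: the package must be the version
    the client asked for, newer than what is installed, and match the hash the client
    learned over an authenticated channel (HTTPS), so neither the file nor the expected
    hash can be swapped in transit."""
    if not signature_valid(manifest):
        return False
    if hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        return False
    if manifest["version"] != requested:
        return False
    if version_tuple(manifest["version"]) <= version_tuple(installed):
        return False
    return hmac.compare_digest(manifest["sha256"], expected_sha256)
```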
If anyone doubted that the average Slashdot IQ was dropping, let Exhibit A be the fact that we're told these are "super fast" rather than a bitrate or other SLA. Also:
:)
>> The company's satellites...without the need for cables.
I thought "wireless" was understood...in space.
>> charging more for the Ebook
Don't like the price? Just download it as a DRM-free PDF then.
That's pretty much how it works for movies/TV: if someone tries charging more than a couple of bucks for an HD rental, people will torrent* it instead. (* = or view a hijacked stream for live sports)
Here's how it appears to work:
1) Phishing email appears to come from one of your associates (in the "from" name, as the "hhh...@mailinator.com" address is a dead giveaway to suspicious folks)
2) You click on the link and it bounces you through a Google Oauth request, with parameters that will ask you to authorize either googledocs.gdocs.pro or googledocs.docscloud.win (either way, an attack site)
3) You click "Yes, I'd like to authorize..."
4) You end up on the attack site, and it grabs your contacts (except those with "google", "keeper" or "unty" in the name) and sends a fresh phishing email to all of them in slightly staggered batches
Basically, it's an email worm that bounces through an attack site. Fortunately it uses an Oauth2 request, so Google probably spiked it by killing the client API ID, killing some domains, and also appears to have changed something else too. If the author had been a little more subtle, he would now have backdoors into the Gmail/Gdocs of hundreds of thousands of users. Instead, by scraping/spamming all contacts, he got detected and crushed.
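An added example from the defender's side (not part of the original comment): the worm only works if the user reaches a consent screen for a lookalike app asking for contacts plus mail-send, so a mail gateway or proxy can score the OAuth authorization URL before that happens. The allowlist, client id and sample URLs are constructed; the scope strings are real Google scopes and the lookalike host is the one named in the comment.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allowlist: redirect hosts the organization has vetted for OAuth consent.
TRUSTED_REDIRECT_HOSTS = {"docs.google.com", "drive.google.com", "mail.google.com"}
# The combination the worm needed: read the contact list and send mail.
WORM_SCOPES = {"https://www.googleapis.com/auth/contacts.readonly",
               "https://mail.google.com/"}
BRAND_WORDS = ("google", "gdocs", "docs", "drive")


def assess_consent_url(url: str) -> dict:
    """Inspect an OAuth2 authorization URL the way a mail gateway or web proxy would,
    before the user reaches the consent screen. Returns findings and a block verdict."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    host = (urlparse(query.get("redirect_uri", "")).hostname or "").lower()
    if host and host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not vetted: {host}")
        # A brand word as a subdomain label of an unrelated registrable domain
        # (googledocs.gdocs.pro) is the lookalike pattern the worm relied on.
        labels = host.split(".")
        if any(word in label for label in labels[:-2] for word in BRAND_WORDS):
            findings.append("brand word in subdomain of a non-brand domain")
    scopes = set(query.get("scope", "").split())
    if WORM_SCOPES <= scopes:
        findings.append("app requests contacts read plus mail send")
    return {"client_id": query.get("client_id"), "redirect_host": host,
            "findings": findings, "block": len(findings) >= 2}


def build_consent_url(client_id: str, redirect_uri: str, scopes: list) -> str:
    """Builds a sample authorization URL for testing (standard OAuth2 parameter names)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes)}
    return "https://accounts.google.com/o/oauth2/auth?" + urlencode(params)
```

Two independent findings are required to block so that a single unvetted but legitimate internal app does not trip the rule on its own.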
In other words, schools are now allowed to serve stuff that kids will actually eat again, making afternoon class teachers and any student with afterschool activities happy again.
http://www.washingtontimes.com/news/2014/mar/6/1m-kids-stop-school-lunch-due-michelle-obamas-stan/
>> Most people can't buy an old laptop and upgrade the components. Which is what you said you were doing, not "building a laptop".
:)
From Google search of "definition of build":
BUILD: construct by putting parts or material together over a period of time.
English, do you speak it?
>> you're an idiot. Also nice not having to include the cost of an OS sure that's one way to do it, if you have a KMS server or access to TechNET.
Yes, I get free Windows OS licenses as part of a wider developer license.
And yes, if you're a decent developer on ANY platform, you shouldn't be paying rack rate for use of the platform. Mature commercial platform providers (whether OS's, DB's, PaaS, etc.) know that developers like me add a shit-ton of value to their ecosystem by writing the apps that organizations actually use, so the smart ones incentivize us to stay on their platform by reducing the costs of living in their world.
See also: sponsored athletes in (sport).
>> How can you build your own laptop for less than $1000
1) Start with a solid chassis (multi-core CPU and large LCD) that's a few years old (used).
2) Max out the RAM (new)
3) Replace whatever drive's in there with SSD (new)
4) Load up a Windows OS (from your dev license pool, so free)
I built my main dev laptop (a four-year-old Dell Latitude with hardware upgrades) that way for about $750 all in. I love it, and if it falls apart tomorrow, then it will cost me less than a day's work to acquire the same again.
>> laptop starts at $999
Seems like it's priced about $700 too high. About three years ago, I was happy to shell out about $300 for a Windows 8 tablet with Office preinstalled and a bluetooth keyboard. It was just fast enough to run Civ5 in tile mode through Steam.
For dev machines I can build my own laptop (with RAM + SSD) for cheaper than $1K too, and $1K should be mostly graphics cards if it's invested in a desktop. And educational institutions on budgets are already using "disposable" Chromebooks and Android tablets that can be had for a hundred bucks so it seems unlikely Microsoft has a viable product for K-12. So again...what do you get for a $1K Surface?
I know math isn't a top subject for Slashdot editors these days, but 12 hours is 3/4 of a 16-hour day, where 16 hours is a 24-hour day minus 8 hours of sleep.
Hmmm...I'm not sure fans of net neutrality won anything here. I think the court basically said, "who cares about the legal challenge to Obama's rule, since Obama's rule is dead man walking anyway." From TFA:
>> Judge Sri Srinivasan said in a written opinion reviewing the decision "would be particularly unwarranted at this point in light of the uncertainty surrounding the fate of the FCC’s order." The FCC is set to hold an initial vote on May 18 on Pai's proposal but Srinivasan questioned why the full court should review "the validity of a rule that the agency had already slated for replacement."
I have a couple of web sites that people visit to get industry news. I use RSS to collect the official posts from a lot of the companies in those industries so I can republish them on my site. Both readers and publishers (e.g., vendors) report this is nice.
That's pretty much what RSS was designed to do...right?
Well, we did derail the whole Clinton train for a while. That has to count for something. But whether we successfully killed it, time will tell.
BTW, it looks like the Internet Archive now has most of the "Shattered" book online if you're feeling ghoulish.
https://archive.org/details/ShatteredInsideHillaryClintonsDoomedCampaign
>> Dreamhost
Thanks for the referral. Perhaps it's time I ditched my ISP then...
>> Fucking Kill COBOL or Fucking Kill Me .... one of the two please!
The latter - it's cheaper. We just re-upped our IBM contract for another 2 years.
>> Doderlein suggests making light-weight add-ons in more current programming languages that only rely on COBOL for the core feature of the old systems.
Er...that's pretty much been the story since the 1990s (if not earlier).
>> mostly maintained by retired programming veterans
Er...if they're "maintaining" then they aren't "retired". This whole article sounds like companies that whine about not being able to find skilled welders, etc. Well, open your wallet and the talent will materialize - see "IT security" for an example.
>> with let's encrypt available, there is zero reason to use http anymore
Unless you host multiple information-only web sites (e.g., read only, no CMS or forms) on a hosting plan that lets you host dozens or hundreds of small sites cheaply. The jump to move each site from http to https typically increases annual hosting fees from a dollar or two to a hundred bucks or so (since ISPs will often charge dedicated IP and/or certificate maintenance fees, even if (or especially if) you bring in a cert from a third party).
This ONE WEIRD TRICK will transfer your money to a stranger's debit card...
We must not allow a pork gap.
>> Mylan's Epic EpiPen Price Hike Wasn't About Greed -- It's Worse
>> Mylan effectively pushed Sanofi out of the US epinephrine auto-injector market
Competitor A pushes competitor B out of the market to corner the market and drive up profits, right? In other words, it's about greed, right?
I have a couple of home computers that I still can't upgrade to "Windows 10 Anniversary Edition" - total bluescreen every time after reboot. I'm not the only one with the problem, either. I fully expect Windows 10 Creators Update to be on a similar level of crap software.
>> Google is a technology company whose...products are...monetized with advertising, not an advertising company
(Trimmed for clarity.) Are you an attorney, perhaps? Anyway, here's what TFS said:
>> company will get data on how people experience and use self-driving cars -- and clues on ways to generate revenue from the technology
It seemed pretty clear they were not only talking about primary sources of revenue (ride fares), but secondary sources (e.g., advertising) as well.
The funniest thing about "Complete Streets" is the kid on the scooter about to get blindsided by the bus.