How the fuck can anyone trust Bitcoin after this and the other incidents that have happened? How?
You can trust Bitcoin by learning how it works and following the proper procedures that you would if you playing with real money.
The Bitcoin system is highly resistant to "rouge" or bad actors in the system. Someone running mining software that does not follow the agreed upon rules for the system is an example of a rouge actor. When this happens the rest of the system votes down the decisions made by the rouge actors. In this case some miners were not following the system wide agreed upon protocol, generated bad data, and the rest of the system (correctly) rejected that bad data thus maintaining the integrity of the overall system as designed.
What was lost were some rewards that would normally have been paid out for operating correctly. Since the rouge actors were not operating correctly, they were not rewarded (for their invalid work). If you were hired to paint a house white and you painted it orange, would you expect to be paid? The miners did not do the work they were being paid to do. True, many miners mine within a pool and depend on the pool operator to do the right thing, but if the pool operator is not doing the right thing, it is not a flaw in Bitcoin. Lke the painting analogy, if you work for a painting company and the painting company gives you the wrong color of paint, you wouldn't expect the homeowner to pay you, if you want to get paid for your labor, your beef would be with your boss, the the homeowner.
On the transactional (non mining) side, if you are running an incomplete Bitcoin client, it is now taking longer to achieve a level of confidence that your transaction is officially as "approved" by the network. As always it is the responsibility of those making the transactions to wait an appropriate time to ensure that their transactions have been approved. This has always been the case with Bitcoin and has not changed.
If you assume that the only communication channel the company has with you is email (which is generally a pretty good assumption as multiple channels or channels that include humans are expensive), there isn't really any other choice but to send the credentials (password) in plain text.
This is not a new problem. For the entire history of secure information transmission (cryptography), one of the hardest issues to solve is the issue of initial secret (key) exchange. This problem has been around a lot longer than computers have.
To actually be secure over email you would need the end user to provide a public key when they request the password and then have the company encrypt that password with the public key. The user would then decrypt the password with their private key. This can all be done with S/MIME, but would be a pretty tall order to expect that a random user would be able to figure out how to obtain and use a personal email certificate.
You could split the password into multiple parts and send each part in a separate email or separate the account and password into different emails. These are decent options but don't really provide true security against a targeted attack (someone sniffing the network or directly accessing the email server). These do provide a reminder to the end user that security is important. I would suspect that targeted attacks are not that common.
You could try and obscure the password by making it really long garbage string or embedding it in a URL, but it still ends up being a password in plain text. These don't add any security and may instill a false sense of security.
If a second channel is not cost or support prohibitive, then a one time use text message (SMS) or automated phone message is a pretty good option.
People are still able to sell or purchase a Confederate flag. It is not illegal and I have not heard any reports of the federal or state governments suggesting that is should be illegal. What we are hearing is that major retail (and online) outlets are opting not to sell it. Opting not to sell something is a similar level of "right" as is opting to sell something (that is legal to sell).
You could argue that with the consolidation of sellers (Walmart, Amazon, etc.) there are fewer purchasing choices and that the consolidated sellers have increased influence as to what is in the marketplace, but that issue goes beyond the Confederate flag and other specific goods.
There seem to be two types of such humans: security guards for the building, who are very underpaid and unlikely to take sick days, their companies can replace them quickly. And cheeful pretty women with curves, who are still effective first contacts for making people feel welcome.
[...]
My father taught me "make friends with these people", and I *always* make friends with them and the cleaning staff. They work there, they're often treated like furniture, and they know material that the board and HR keep behind very poorly managed masks of confidentiality.
These people also typically have unbelievable levels of security accesse. They can be powerful allies.
Well your honor, not only did the defendant purchase "How to murder your spouse", he read the page on poison techniques 37 times and only read the rest of the book twice. Since the autopsy indicates death by poison as described by the page in question, I rest my case.
While poorly written, I think the author was suggesting that any model of SSD for which the Linux kernel has specific special handling logic should be avoided. In my opinion, it is not an unreasonable statement.
It probably is an unreasonable statement. If Linux has special logic to handle the drive, then someone else probably already had the problem and now there's a fix in so it probably won't happen to you.
Perhaps. But if the drive was broken and someone had to write special software to fix it, how can you be sure that it was fixed correctly and completely? Can you also be sure that the "fix" works for all versions of firmware on the drive? While you might be confident of these things, I would suggest that it would be better to use a drive that follows the standards and doesn't require special code to make it work right. Granted that as always, your mileage may vary -- and it could vary in either direction.
"we don't recommend anyone to use any SSD that is anyhow mentioned in a bad way by the Linux kernel"
???? SERIOUSLY???
While poorly written, I think the author was suggesting that any model of SSD for which the Linux kernel has specific special handling logic should be avoided. In my opinion, it is not an unreasonable statement.
Wouldn't a simple wheel odometer work just fine for this? All you're tracking is miles traveled.
No, because that's not all you're tracking. You're tracking the miles traveled *in Oregon*. Oregon can't tax anything outside Oregon, that violates the US Constitution. So they have to prove to a reasonable standard that all the mileage they're taxing was driven in Oregon.
To add, for those who haven't looked at a map, the Portland metropolitan area, which is where the bulk of population in Oregon lives, is right on the border with Washington state. A large number of people commute and and regularly travel between Oregon and Washington. Any state level taxing solution needs to account for this.
The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software."
I note that the two proprietary systems were not impacted. Of course all software has bugs and vulnerabilities without regard to open source or proprietary, but here on slashdot we like think that open source is always the better option. This is not always the case.
The phrase "almost every virtualization software" is used, but the list of items given has three pieces of software that are impacted and three that are not. In terms of virtualization systems that are in production use by business, I would think that VMware and Hyper-V would take the lion's share (as they are commercial and "supported"), thus being a candidate for "almost every". I think the phrase should have been "almost every open source virtualization software".
Great idea. My power supplier currently has rates based on TOU (Time Of Use - http://www.torontohydro.com/si...), and I'd love to be able to charge up the battery supply for my house overnight at cheap rates, then run off the battery the rest of the time.
Are your night rates less than half of your day rates? I ask because battery charging isn't 100% efficient. I don't know the charging efficiency of the Tesla packs, but many battery types are only around 50% efficient in charging. By 50% efficient, I mean when charging you put in about twice as much energy as you can take back out later.
He has a team that will be with him providing supplies as needed. So would guess he will have generators, toilet, cooking heat source,elsewhere when not using those will stay in his ball.
I didn't get that from the articles. I read the following:
This is a precarious idea. Bellini will be completely isolated, and his adopted dwelling is liable to roll or fall apart at any moment, thrusting him into the icy sea or crushing him under hundreds of tons of ice.
The article may, of course, be incorrect, but from what I have read it appears he will be alone. If he is not alone, and he has a support team, How would the support team keep safe in the event that the iceberg they are all on collapses or tips over? I ask because the article talks about how he has to spend practically all of his time in the ball because the iceberg could tip over at any moment.
Bellini will spend almost all of his time in the capsule with the hatch closed, which will pose major challenges. He’ll have to stay active without venturing out onto a slippery, unstable iceberg. If it flips, he’ll have no time to react.
I would buy that Bellini or he and his team plan to live on an iceberg as it melts and collapses and their plan to survive during the actual collapse is to take refuge in survival balls, but I have a hard time believing what the article implies to me -- that he would live for a year within and be sustained solely by a survival ball.
Bah. Missed a line. Since external power generation would need to take place outside his sphere, and he his planning on the icebrug flipping, he would need to plan on losing any equipment outside the sphere, therefore he needs to have enough stored energy inside the sphere to last at least until rescue.
So he is going to live in a 3 meter hamster ball on an iceburg for a year? I wonder what his plan to keep warm is. Putting aside the option of getting a sponsorship from Kia and waring a warm fuzzy hamster suit, I suspect there would be some serious technical challenges.
The article says that he plans on a wind generator and solar panels. This would provide energy for light, but probably not for heat. Wind and solar generation would need to take place outside his sphere (as he is "planning" on having the icebug flip over at any time.) His reliable storage (area that won't be lost if the iceburg flips) is limited to the inside of his 3 meter sphere minus his other equipment and living space. This is not much space for fuel storage (in the form batteries, combustible stuff, or calories). I would be interested in seeing what his "energy budget" is in terms of planed energy generation, storage, and use.
Green was released on Wednesday from Land O'Lakes Detention Center into the custody of his mother.
Really? From the Land 'O Lakes website:
Land O’Lakes, Inc. is one of America’s premiere member-owned cooperatives. We offer local cooperatives and agricultural producers across the nation an extensive line of agricultural supplies, as well as state-of-the-art production and business services. We also are a leading marketer of dairy-based food products for consumers, foodservice professionals and food manufacturers.
I guess they need to add "We also provide a wide variety of incarceration services."
Even an intranet should generally be untrusted. Every machine needs to be responsible for defending itself; no machine should assume that other things on the network are good actors.
Q: Why Didn’t you check this before you moved?
A: Oh, but I did. Having broadband of some kind was an absolute requirement for our new home. Before we even made an offer, I placed two separate phone calls; one to Comcast Business, and one to Xfinity. Both sales agents told me that service was available at the address. The Comcast Business agent even told me that a previous resident had already had service. So I believed them.
Another option would be to write availability of high speed internet into the purchase contract for the house - make it a condition of purchase. I took this approach to ensure I wouldn't find out after closing that my house could not get high speed Internet. My offer and contract basically said that I would buy the house if I could successfully have high speed internet installed in advance of the purchase at my cost. The seller accepted the contract, I paid the ISP (in this case DSL from the telephone company) to install the service, the ISP installed the service, and then we closed the house sale. My realtor didn't like it because it was an "unusual" offer, but I said it was a contract and I could put any conditions in it I wanted - the seller just had to agree (and did).
The TSA security theater causes more delays than bad weather.
Citation please. While I agree that the TSA is mostly annoying security theater, my personal experience has been that bad weather has delayed me in getting to my destination more that the TSA has.
I travel sometimes every week and it's a pain in the ass. Because of this I always opt out of being scanned and force the pat down.
If you travel that often, why haven't you signed up for the PreCheck program? It lets you go back to the pre 9/11 security screening procedure. Truly frequent travelers can get in the program free via their airline, otherwise the application fee is not significant with respect to other travel costs and is worth it.
I get special satisfaction in doing it especially if I haven't used deodorant that day.
You intentionally frequently travel on a plane in tight quarters with lots of other people and you opt not to use deodorant?
Interestingly the "edit this page" link on the CIO page (linked in the article) takes you to GitHub. Is our government actually taking advantage of existing services instead of wasting all kinds of money developing their own content management system? Maybe there is hope.
Says the AC. You can check my other posts to see if I have a history of shilling or not (I don't).
Believe it or not I am just a customer who is generally happy with the service. They are more expensive then the lower tier companies, but this is business travel and I am not paying for it. Their cars are generally not very interesting, but I am not a car guy and I just want to get where I am going. Sometime the cars are not new and dirty, this bugs me. But all these things are generally outweighed by the ease of the checkout process.
Anyway my point wasn't to shill for a particular company, rather to point out that I doubt the largest rental car companies are going to mess with ding and dent scams.
How about cameras at enter and exit of the rental place?
No we can't do that as it will end our ding and dent scam.
I travel for business and rent cars a couple of times a month. My experience with Hertz and Avis (top tier business targeted rental companies) has been that they don't do the ding and dent scam. If you return a car to one of these guys and it has all for tires, runs, and has no obvious accident dents, you won't get hassled. On the other hand, companies like Thrifty, Budget, and independents tend to give me the super picky inspection process when you check out and return the cars.
I did just rent from Hertz a couple of weeks ago and it had the new camera thing. It got the post it note treatment. Putting aside the new camera thing for a moment, I get really good service from Hertz. I arrive at the airport, walk to the stall number displayed on the big reader board (or in an email I receive about the time I land), get in the car, drive to the exit, show my ID, and I am on my way. No paperwork, sales attempts at upgrades, etc.
Slashdot Mirror
How the fuck can anyone trust Bitcoin after this and the other incidents that have happened? How?
You can trust Bitcoin by learning how it works and following the proper procedures that you would if you playing with real money.
The Bitcoin system is highly resistant to "rouge" or bad actors in the system. Someone running mining software that does not follow the agreed upon rules for the system is an example of a rouge actor. When this happens the rest of the system votes down the decisions made by the rouge actors. In this case some miners were not following the system wide agreed upon protocol, generated bad data, and the rest of the system (correctly) rejected that bad data thus maintaining the integrity of the overall system as designed.
What was lost were some rewards that would normally have been paid out for operating correctly. Since the rouge actors were not operating correctly, they were not rewarded (for their invalid work). If you were hired to paint a house white and you painted it orange, would you expect to be paid? The miners did not do the work they were being paid to do. True, many miners mine within a pool and depend on the pool operator to do the right thing, but if the pool operator is not doing the right thing, it is not a flaw in Bitcoin. Lke the painting analogy, if you work for a painting company and the painting company gives you the wrong color of paint, you wouldn't expect the homeowner to pay you, if you want to get paid for your labor, your beef would be with your boss, the the homeowner.
On the transactional (non mining) side, if you are running an incomplete Bitcoin client, it is now taking longer to achieve a level of confidence that your transaction is officially as "approved" by the network. As always it is the responsibility of those making the transactions to wait an appropriate time to ensure that their transactions have been approved. This has always been the case with Bitcoin and has not changed.
If you assume that the only communication channel the company has with you is email (which is generally a pretty good assumption as multiple channels or channels that include humans are expensive), there isn't really any other choice but to send the credentials (password) in plain text.
This is not a new problem. For the entire history of secure information transmission (cryptography), one of the hardest issues to solve is the issue of initial secret (key) exchange. This problem has been around a lot longer than computers have.
To actually be secure over email you would need the end user to provide a public key when they request the password and then have the company encrypt that password with the public key. The user would then decrypt the password with their private key. This can all be done with S/MIME, but would be a pretty tall order to expect that a random user would be able to figure out how to obtain and use a personal email certificate.
You could split the password into multiple parts and send each part in a separate email or separate the account and password into different emails. These are decent options but don't really provide true security against a targeted attack (someone sniffing the network or directly accessing the email server). These do provide a reminder to the end user that security is important. I would suspect that targeted attacks are not that common.
You could try and obscure the password by making it really long garbage string or embedding it in a URL, but it still ends up being a password in plain text. These don't add any security and may instill a false sense of security.
If a second channel is not cost or support prohibitive, then a one time use text message (SMS) or automated phone message is a pretty good option.
Well with the current owners and operators of Slashdot, maybe you will. But really Slashdot, do we need to drop down to clickbait?
I meant to say "fewer convenient purchasing choices".
People are still able to sell or purchase a Confederate flag. It is not illegal and I have not heard any reports of the federal or state governments suggesting that is should be illegal. What we are hearing is that major retail (and online) outlets are opting not to sell it. Opting not to sell something is a similar level of "right" as is opting to sell something (that is legal to sell).
You could argue that with the consolidation of sellers (Walmart, Amazon, etc.) there are fewer purchasing choices and that the consolidated sellers have increased influence as to what is in the marketplace, but that issue goes beyond the Confederate flag and other specific goods.
There seem to be two types of such humans: security guards for the building, who are very underpaid and unlikely to take sick days, their companies can replace them quickly. And cheeful pretty women with curves, who are still effective first contacts for making people feel welcome.
[...]
My father taught me "make friends with these people", and I *always* make friends with them and the cleaning staff. They work there, they're often treated like furniture, and they know material that the board and HR keep behind very poorly managed masks of confidentiality.
These people also typically have unbelievable levels of security accesse. They can be powerful allies.
Well your honor, not only did the defendant purchase "How to murder your spouse", he read the page on poison techniques 37 times and only read the rest of the book twice. Since the autopsy indicates death by poison as described by the page in question, I rest my case.
Apple, Monster, Beats, an ex hedge fund manager turned headphone designer... This reads like a Marvel comic with only supervillains in it.
Or the start of a joke: Apple, Monster, Beats, and an ex hedge fund manager turned headphone designer walk into a bar...
While poorly written, I think the author was suggesting that any model of SSD for which the Linux kernel has specific special handling logic should be avoided. In my opinion, it is not an unreasonable statement.
It probably is an unreasonable statement. If Linux has special logic to handle the drive, then someone else probably already had the problem and now there's a fix in so it probably won't happen to you.
Perhaps. But if the drive was broken and someone had to write special software to fix it, how can you be sure that it was fixed correctly and completely? Can you also be sure that the "fix" works for all versions of firmware on the drive? While you might be confident of these things, I would suggest that it would be better to use a drive that follows the standards and doesn't require special code to make it work right. Granted that as always, your mileage may vary -- and it could vary in either direction.
"we don't recommend anyone to use any SSD that is anyhow mentioned in a bad way by the Linux kernel"
???? SERIOUSLY???
While poorly written, I think the author was suggesting that any model of SSD for which the Linux kernel has specific special handling logic should be avoided. In my opinion, it is not an unreasonable statement.
No, because that's not all you're tracking. You're tracking the miles traveled *in Oregon*. Oregon can't tax anything outside Oregon, that violates the US Constitution. So they have to prove to a reasonable standard that all the mileage they're taxing was driven in Oregon.
To add, for those who haven't looked at a map, the Portland metropolitan area, which is where the bulk of population in Oregon lives, is right on the border with Washington state. A large number of people commute and and regularly travel between Oregon and Washington. Any state level taxing solution needs to account for this.
You win.
The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software."
I note that the two proprietary systems were not impacted. Of course all software has bugs and vulnerabilities without regard to open source or proprietary, but here on slashdot we like think that open source is always the better option. This is not always the case.
The phrase "almost every virtualization software" is used, but the list of items given has three pieces of software that are impacted and three that are not. In terms of virtualization systems that are in production use by business, I would think that VMware and Hyper-V would take the lion's share (as they are commercial and "supported"), thus being a candidate for "almost every". I think the phrase should have been "almost every open source virtualization software".
Great idea. My power supplier currently has rates based on TOU (Time Of Use - http://www.torontohydro.com/si...), and I'd love to be able to charge up the battery supply for my house overnight at cheap rates, then run off the battery the rest of the time.
Are your night rates less than half of your day rates? I ask because battery charging isn't 100% efficient. I don't know the charging efficiency of the Tesla packs, but many battery types are only around 50% efficient in charging. By 50% efficient, I mean when charging you put in about twice as much energy as you can take back out later.
He has a team that will be with him providing supplies as needed. So would guess he will have generators, toilet, cooking heat source,elsewhere when not using those will stay in his ball.
I didn't get that from the articles. I read the following:
This is a precarious idea. Bellini will be completely isolated, and his adopted dwelling is liable to roll or fall apart at any moment, thrusting him into the icy sea or crushing him under hundreds of tons of ice.
The article may, of course, be incorrect, but from what I have read it appears he will be alone. If he is not alone, and he has a support team, How would the support team keep safe in the event that the iceberg they are all on collapses or tips over? I ask because the article talks about how he has to spend practically all of his time in the ball because the iceberg could tip over at any moment.
Bellini will spend almost all of his time in the capsule with the hatch closed, which will pose major challenges. He’ll have to stay active without venturing out onto a slippery, unstable iceberg. If it flips, he’ll have no time to react.
I would buy that Bellini or he and his team plan to live on an iceberg as it melts and collapses and their plan to survive during the actual collapse is to take refuge in survival balls, but I have a hard time believing what the article implies to me -- that he would live for a year within and be sustained solely by a survival ball.
Bah. Missed a line. Since external power generation would need to take place outside his sphere, and he his planning on the icebrug flipping, he would need to plan on losing any equipment outside the sphere, therefore he needs to have enough stored energy inside the sphere to last at least until rescue.
So he is going to live in a 3 meter hamster ball on an iceburg for a year? I wonder what his plan to keep warm is. Putting aside the option of getting a sponsorship from Kia and waring a warm fuzzy hamster suit, I suspect there would be some serious technical challenges.
The article says that he plans on a wind generator and solar panels. This would provide energy for light, but probably not for heat. Wind and solar generation would need to take place outside his sphere (as he is "planning" on having the icebug flip over at any time.) His reliable storage (area that won't be lost if the iceburg flips) is limited to the inside of his 3 meter sphere minus his other equipment and living space. This is not much space for fuel storage (in the form batteries, combustible stuff, or calories). I would be interested in seeing what his "energy budget" is in terms of planed energy generation, storage, and use.
So offline mode isn't offline? This sounds like a bigger problem, than incorrect handling of a corrupt certificate.
Green was released on Wednesday from Land O'Lakes Detention Center into the custody of his mother.
Really? From the Land 'O Lakes website:
Land O’Lakes, Inc. is one of America’s premiere member-owned cooperatives. We offer local cooperatives and agricultural producers across the nation an extensive line of agricultural supplies, as well as state-of-the-art production and business services. We also are a leading marketer of dairy-based food products for consumers, foodservice professionals and food manufacturers.
I guess they need to add "We also provide a wide variety of incarceration services."
Wireless is UNTRUSTED. Even wired is UNTRUSTED.
The Internet is untrusted. Period.
Even an intranet should generally be untrusted. Every machine needs to be responsible for defending itself; no machine should assume that other things on the network are good actors.
I was expecting this to be a homeowner fail, but:
Q: Why Didn’t you check this before you moved? A: Oh, but I did. Having broadband of some kind was an absolute requirement for our new home. Before we even made an offer, I placed two separate phone calls; one to Comcast Business, and one to Xfinity. Both sales agents told me that service was available at the address. The Comcast Business agent even told me that a previous resident had already had service. So I believed them.
Another option would be to write availability of high speed internet into the purchase contract for the house - make it a condition of purchase. I took this approach to ensure I wouldn't find out after closing that my house could not get high speed Internet. My offer and contract basically said that I would buy the house if I could successfully have high speed internet installed in advance of the purchase at my cost. The seller accepted the contract, I paid the ISP (in this case DSL from the telephone company) to install the service, the ISP installed the service, and then we closed the house sale. My realtor didn't like it because it was an "unusual" offer, but I said it was a contract and I could put any conditions in it I wanted - the seller just had to agree (and did).
The TSA security theater causes more delays than bad weather.
Citation please. While I agree that the TSA is mostly annoying security theater, my personal experience has been that bad weather has delayed me in getting to my destination more that the TSA has.
I travel sometimes every week and it's a pain in the ass. Because of this I always opt out of being scanned and force the pat down.
If you travel that often, why haven't you signed up for the PreCheck program? It lets you go back to the pre 9/11 security screening procedure. Truly frequent travelers can get in the program free via their airline, otherwise the application fee is not significant with respect to other travel costs and is worth it.
I get special satisfaction in doing it especially if I haven't used deodorant that day.
You intentionally frequently travel on a plane in tight quarters with lots of other people and you opt not to use deodorant?
Interestingly the "edit this page" link on the CIO page (linked in the article) takes you to GitHub. Is our government actually taking advantage of existing services instead of wasting all kinds of money developing their own content management system? Maybe there is hope.
Smells like astroturf in here.
Says the AC. You can check my other posts to see if I have a history of shilling or not (I don't).
Believe it or not I am just a customer who is generally happy with the service. They are more expensive then the lower tier companies, but this is business travel and I am not paying for it. Their cars are generally not very interesting, but I am not a car guy and I just want to get where I am going. Sometime the cars are not new and dirty, this bugs me. But all these things are generally outweighed by the ease of the checkout process.
Anyway my point wasn't to shill for a particular company, rather to point out that I doubt the largest rental car companies are going to mess with ding and dent scams.
How about cameras at enter and exit of the rental place?
No we can't do that as it will end our ding and dent scam.
I travel for business and rent cars a couple of times a month. My experience with Hertz and Avis (top tier business targeted rental companies) has been that they don't do the ding and dent scam. If you return a car to one of these guys and it has all for tires, runs, and has no obvious accident dents, you won't get hassled. On the other hand, companies like Thrifty, Budget, and independents tend to give me the super picky inspection process when you check out and return the cars.
I did just rent from Hertz a couple of weeks ago and it had the new camera thing. It got the post it note treatment. Putting aside the new camera thing for a moment, I get really good service from Hertz. I arrive at the airport, walk to the stall number displayed on the big reader board (or in an email I receive about the time I land), get in the car, drive to the exit, show my ID, and I am on my way. No paperwork, sales attempts at upgrades, etc.