If you are opposed to this, what would you want to happen instead?
Not have LCD panels? If you like devices with screens, those screens need to be manufactured somewhere, and all manufacturing will consume resources and generate pollution.
Use a cleaner manufacturing process? Cleaner manufacturing processes cost more. Are you willing to pay more for your toys and tools that use LCD panels?
Manufacture the panels somewhere else? Pushing the environmental issues elsewhere is on dubious moral ground (although we have a long history of it). Pushing the manufacturing elsewhere also puts the jobs and positive economic benefits elsewhere.
As others here have said, it's not really that much water. Personally I would prefer my second item, but I am willing to pay more for a product whose manufacturing doesn't unreasonably pollute my drinking water. My assumption is that permitting and regulatory processes will have already required the company to meet the bar of not polluting the water too much.
What I don't get about spectre, meltdown, and now this- is why any *single user* computer cares about accessing the user's own data, regardless of what ring they are in.
Isn't this only a problem for servers and multiple user computers? Why patch user level OS for this?
Because while you may think your computer is "single user", if you are on the Internet (well, the Web anyway), there are other "users" actually using your computer. These "users" are things like scripts running on web pages and any malware that you may have obtained. Sure, the "user" isn't another person, but it is a process, or may come from an actor, that may not have good intentions. The same is actually true for any software that you install and didn't write yourself (which is most of it). Because of this, even single user computers have the concept of secure areas or sandboxes where you can run untrusted software. It may be helpful, instead of thinking about multiple users, to think about multiple security contexts. The issue here is that there are low level instructions, normally used by software developers debugging software, that allow programs in sandboxes to get out of the sandbox, and apparently the documentation that describes this is not clear.
All this being said, modern operating systems *are* multi-user. Sure, one person may own the computer and only create one account on the computer, but the operating system allows you to have multiple logins.
I have older iOS devices that I sometimes go weeks at a time leaving them untouched on the shelf, but I pick them up to play with once in a while. Heck, I go on vacations greater than a week a couple of times a year, and since I don't want to bother with roaming, I leave my primary phone at home. I certainly don't want my USB to permanently lock out the first time I don't touch my phone for a week. I'd rather personally give my PIN to any law enforcement officer who cared to ask for it than have this feature implemented.
Why does this feature bother you? It doesn't brick the phone, it just disables USB data until you unlock the phone; once unlocked, everything is back to normal. My only issue with the feature is that the lockout should be more like 7 minutes instead of 7 days.
If it doesn't have wheels and drive on a road, it's not a car, flying or otherwise.
The discussion should really be about what preferences are for typing (what you type into your word processor) vs. typesetting (what the text looks like when printed); the two are not the same thing. When printed (or previewed, or rendered on a display for reading) the amount of space after a full stop would depend on the spacing guidelines for the font itself. When being edited, the mechanism to indicate an end of sentence (full stop) should be consistent.
Personally I use proportional fonts and I don't have detailed typesetting requirements, so I just use a single space after a full stop when typing and printing. If I cared or did it professionally, I would use a typesetting language in my editor where I could specifically call out if the dot I typed meant an abbreviation or a full stop. For example, in TeX/LaTeX the space after a dot is treated as a full stop unless you indicate otherwise. The point is, if you really care about the details, you want to separate typing from typesetting, because if you don't and you want to do something like change the font, you have to go back and edit your whole document.
I purchased some Pandora stock about two years ago when it appeared to be at a low and had good prospects. Yesterday's 25% increase now only has me down 24%... This is not a complaint as this sort of investment is a high risk gamble; rather it's an observation that while a 25% increase in a stock price sounds exciting, it has to be taken in context. After yesterday's pop it's about $7 a share. In 2014 it was nearly $40 a share.
A lot of people, including myself use LetsEncrypt on a CPanel based hosting account to generate certs for a website.
Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.
Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.
In this context certificates perform two functions. 1) They provide a key pair which can be used to encrypt the connection, and 2) they provide a way to have confidence that the person / company on the other end of the network is who they say they are. Any certificate (a free self-signed or Let's Encrypt certificate, or an expensive certificate from a commercial CA) can be safely used for just encryption. However, if you care about validating who is on the other end, self-signed certs are worthless, Let's Encrypt gives low confidence, and you have to spend a decent amount of money to obtain high confidence. What you are paying for when you purchase an expensive EV certificate is the validation process that the CA goes through and the reputation of the CA.
Note that if you control both ends of the network (and the network itself), such as your computer talking to your hardware device across your network, then a self-signed or internally issued certificate is fine.
Clearly the city of Atlanta didn't have "proper" disaster recovery procedures in place. The interesting question is "Should they have?" From a pure financial point of view, would it have cost them more or less than $2.6 million to have put in place and regularly tested a disaster recovery procedure? I don't know the answer, but would be interested in hearing opinions. Sure, lots of people will say "I can do backups for less than that", but an actual disaster recovery plan is way more than just doing backups. You have to test them, and in the case of employee workstations you have to interrupt work. In the case of back end systems, even if they are redundant and highly available, certain kinds of restore operations will also interrupt work (an Active Directory restore, for example, if you are on a Microsoft platform, and whatever you are using for centralized authentication and configuration management on other platforms). It would be interesting to see an analysis of the ongoing costs of disaster recovery plans (that can deal with a ransomware attack) vs. the expected ongoing costs of such attacks.
Seriously, we need a minimum wage in each area that equals what it takes to support an adult AND a single child.
Perhaps, but since it isn't currently this way, if you are only making minimum wage, maybe you shouldn't be having children.
We can debate about if and when we will have a human level AI. Personally I don't see it in my lifetime, but I am willing to listen to reasonable arguments as to why I am wrong. However, as soon as you throw the term "blockchain" into the mix, especially on a topic about AI, you will lose credibility with me. What in the heck does a non-centralized, immutable, distributed ledger technology have to do with AI? If we are talking about "The One True AI" or the Singularity, then maybe, but otherwise you are just tossing out buzzwords and hype. In my mind, you are either out of touch, trying to get attention, or both.
You must be new here, but actually there is an article attached to this story.
By UID you are newer here than I am. Anyway...
I was responding to a post that talked about incorrect news titles and reporting. I did read the article and while the article did talk about "exploding", the rest of the article didn't really support the technical definition of "explosion". Wikipedia opens with:
"An explosion is a rapid increase in volume and release of energy in an extreme manner, usually with the generation of high temperatures and the release of gases."
There is nothing in the descriptions I have read so far that indicates that this was a fuel related explosion (which would meet the definition). It appears that a fan blade came loose and tore apart the engine. There is the concept of a mechanical explosion, where pressure in a sealed container causes the container to fail violently, but loose parts flying around in a mechanical system don't really fit the definition either.
I would normally ignore bad use of the term "explosion" as it is a common term for something bad happening, but since the specific comment I was replying to talked about bad / inaccurate reporting, I figured I would add support.
Did the engine actually explode? or did it just break apart? They are both serious events when you are in the air, but they are not the same thing.
without this concept it wouldn't really be a non centralized
They are rolling back the block chain to fix it. Does it sound like Verge is "non-centralised" ?
It does not, and that is part of my point. One of the primary reasons you would use a blockchain with distributed transaction verifiers (miners) is so that you are NOT centralized. If you are going to have centralized control, there are much better ways to store transactional data. If you are storing value (money) in a blockchain because you "don't trust the man" but that blockchain is centralized, then you are "trusting the man". If the blockchain you are using is non-centralized, you are "trusting the people", and when you do this "the people" (mining nodes) set the rules (for better or worse).
According to users who tracked the illegally mined funds on the Verge blockchain...
Is not what is "legal" for a blockchain what the majority of nodes maintaining the chain say is legal? If someone broadcast a "weird" transaction on the network but all of the other nodes accepted it and agreed to include it in the blockchain, isn't the transaction by definition done and considered "legal" by the network? After all, the rules of the network are what the network says they are; without this concept it wouldn't really be a non-centralized, distributed system.
My childhood dream of the earth opening up and swallowing bullies is actually possible!
It is possible, you just have to get the bullies to stand still for a long time.
Find those individually responsible fine them, let them feel the weight of a custodial sentence, 30 days and fine the company much more.
When looking for the "individual responsible", don't forget to consider whoever set the budget and didn't provide enough resources to create a design, review the design, create a prototype, test the prototype with real users, perform failure analysis, make changes to the design and prototype as necessary, test those changes, etc. The root cause of many software (or any project, for that matter) failures is insufficient resources being applied to solve the problem. Granted, you have to balance what you spend with what you get and no one can afford a perfect system, but the true responsibility for system failures lies with those who set that balance. In other words, the person who picks two out of "Cheap, fast, good - pick two" is really the one responsible.
Really, How hard can it be to come up with a burger flipping robot?
Setting aside for a moment the humor aspect of the parent, I think the non-sarcastic answer to this question is actually pretty interesting. If the question is really "How hard is it to automatically cook a hamburger patty?", the answer is that it's pretty easy if you get to design the whole machine and the environment that it runs in. If you can use a wire conveyor belt and heating elements on both sides, similar to the sandwich toasters at Quizno's and Potbelly, and add some stuff for grease management, you are probably set. Even if it turns out that you really need to heat from the bottom and let the patty sit in the grease, you could build something similar to how an automated tortilla cooker works. But on the other hand, if your requirement is to build a device that must operate in conjunction with an existing restaurant grill, without modifying the grill itself, and the device needs to take no more space than would a human standing in front of the grill, and this device has to safely operate around other human restaurant workers amidst the chaos of motion and activity that occurs in a small kitchen, and the device has to be as productive as a human would be, the task is pretty complex and hard.
slapped the front passenger window, causing a scratch
Really? That must be really low quality glass, or the person must have had some serious fingernails (claws?) in order to scratch glass. Maybe the person was wearing big rings? Anyway, I am curious as to how the glass got scratched, or if the statement is just hyperbole.
Reading the summary again, I realize that the title is talking about loss of power and the CNN reference is about being in the storm's path. So my math rant kind of jumped the gun. That being said, mixing those two kinds of stats is not stellar editing. A much better title would have referred to a storm with record breaking impact.
Title says 2M and CNN says 1 in 4 Americans. Wikipedia says that the census bureau says there are around 327 million folks living here in the US. Something doesn't add up. Assuming that 2M means 2 Million, one in four would mean that there are only 8 million Americans? No CNN, I don't think that is right. 25% of 327 is about 82 - if that number was the actual impact of the storm, "82 million impacted" would be a much more interesting headline.
Let us use markdown, add unicode support, add markdown support, give it a good API.
Maybe limited unicode support (as in allowing a few select characters), but not full unicode support. While it would be nice if, when people pasted in an apostrophe, we wouldn't get the weird (TM) thing, it would really suck if emojis started showing up everywhere. Please, please, please keep slashdot a text-only communication system. I really don't want the discussion distracted by dancing hamburgers and piles of poo.
When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates
Those certificates are DEFINITELY compromised now.
The first to shoot themselves in the foot would be anyone who doesn't generate their own private key when they purchase a certificate. The CA is only supposed to sign the public parts of your certificate, it is not supposed to ever have access to the private key. Letting your certificate vendor create a private key (and subsequently have access to it) is unwise and insecure.
Sophos has a trusted root CA embedded in their enterprise firewalls which allows the firewall to launch man-in-the-middle attacks against clients to spy on them. That means all you have to do to launch a successful man-in-the-middle attack yourself against HTTPS traffic is to gut a Sophos firewall and find the private key embedded in it.
You would have to install the root certificate from the firewall CA into all your clients for that to work. In an enterprise, if you want to sniff HTTPS traffic, you may choose to do this (since in an enterprise you control the client machines), but as soon as you choose to do this, you open up huge security holes.
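The three certificate comments above (a certificate gives you an encryption key pair and, separately, an identity claim; the CA should only ever sign the public half; an interception root does nothing until it is installed on every client) all come down to what a client's trust store contains. The script below is an added example, not code posted in this thread, that drives openssl through the CSR workflow with a throwaway private CA and then asks the same question four ways: does this certificate chain to something the client trusts? The names www.example.test and "Example Private CA" are made up for the example, and it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example; not code from the thread above. Works through the CSR
# workflow with a throwaway private CA, then shows what a client's trust
# store does and does not accept. All names here are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req configs so the run does not depend on the system openssl.cnf.
# The CA config marks its self-signed cert as a CA; the subscriber config
# deliberately does not.
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
  'x509_extensions = ca_ext' '[dn]' 'CN = Example Private CA' '[ca_ext]' \
  'basicConstraints = critical, CA:TRUE' \
  'keyUsage = critical, keyCertSign, cRLSign' \
  'subjectKeyIdentifier = hash' > "$WORK/ca.cnf"
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
  '[dn]' 'CN = www.example.test' > "$WORK/sub.cnf"

# Issuer side: stands in for Let's Encrypt, a commercial CA, or the
# interception CA baked into an enterprise firewall. It has its own key pair.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    >/dev/null 2>&1
}

# Subscriber side: the private key is generated here and stays here. Only the
# CSR (public key plus requested name, signed with that key) is sent out.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/sub.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
}

# The CA signs the CSR. It never receives server.key.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# A self-signed certificate for the same name, for comparison.
make_self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/sub.cnf" -keyout "$WORK/self.key" -out "$WORK/self.crt" \
    >/dev/null 2>&1
}

# Did anything the CA received or produced contain a private key? yes/no.
ca_received_private_key() {
  if grep -q "PRIVATE KEY" "$WORK/server.csr" "$WORK/server.crt"; then
    echo yes
  else
    echo no
  fi
}

# Does the issued certificate carry the public half of the local key? yes/no.
cert_matches_local_key() {
  local_pub="$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$WORK/server.crt" -noout -pubkey 2>/dev/null)"
  if [ -n "$local_pub" ] && [ "$local_pub" = "$cert_pub" ]; then
    echo yes
  else
    echo no
  fi
}

# Chain-build a certificate against a trust store. $1 = certificate file,
# $2 = the one CA file this client trusts, or "" for the client's default
# store (which does not contain our private CA). Prints accepted/rejected.
# The output is matched rather than the exit code because old openssl
# versions exit 0 even on a failed verify.
verify_against() {
  cert="$1"; ca="${2:-}"
  if [ -n "$ca" ]; then
    out="$(openssl verify -CAfile "$ca" "$cert" 2>&1 || true)"
  else
    out="$(openssl verify "$cert" 2>&1 || true)"
  fi
  case "$out" in
    *": OK"*) echo accepted ;;
    *)        echo rejected ;;
  esac
}

make_ca
make_key_and_csr
sign_csr
make_self_signed

echo "CA received a private key:          $(ca_received_private_key)"  # no
echo "issued cert matches local key:      $(cert_matches_local_key)"   # yes
echo "CA-signed cert, client trusts CA:   $(verify_against "$WORK/server.crt" "$WORK/ca.crt")"  # accepted
echo "CA-signed cert, default store:      $(verify_against "$WORK/server.crt" "")"              # rejected
echo "self-signed cert, client trusts CA: $(verify_against "$WORK/self.crt" "$WORK/ca.crt")"    # rejected
echo "self-signed cert, pinned itself:    $(verify_against "$WORK/self.crt" "$WORK/self.crt")"  # accepted
```

Run it as `sh example.sh`. The only thing that changes the outcome is which file is handed to `-CAfile`: the same CA-signed certificate is rejected by a client with the default store and accepted by one that has the CA installed, which is exactly what the firewall root has to do on every client before it can intercept anything, and why a self-signed certificate is fine only where you can pin it on both ends yourself. The first two checks are the Trustico lesson: the CA saw a CSR and returned a certificate, and the private key that matches that certificate never left the subscriber's machine.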
As is not news, or should not be, if you outsource your IT to another company, you are at their mercy. Storing your data (music, movies, business data, whatever) somewhere else makes you depend on whomever owns "somewhere else". And yes, putting your personal music in "the cloud" counts as outsourcing your IT. This isn't necessarily bad as the benefits may outweigh the costs, but be sure to go in with open eyes, especially if the initial "cost" appears to be zero and even more so if you don't have a written contract that spells out how the deal can change over time.
Firefox has been racing to the bottom for the past few years, and is already almost unusable as of the latest builds. It's slow, buggy, and becoming as limited and useless as Chrome.
The faster it craters, the better, as only that will offer us the realistic prospect of a new competitor.
So what's a good alternative? I need a browser that has reasonable ad filtering and the ability to inject HTTP headers into all my requests. (I am not being snarky, it's an honest question)