Slashdot Mirror


User: tepples

tepples's activity in the archive.

Stories
0
Comments
68,260
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 68,260

  1. Re: Do not want on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    What's the difference between a website getting the user to click "Allow Bluetooth from this site" and a website getting the user to click "Download and install this native application"? Both have the possibility that it "doesn't produce the result it said it would. Or where a user might not carefully read a dialog from the OS."

  2. How well does Bluetooth work in a Linux VM? on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    Client software that needs to be manually installed by the user onto their machine

    Which is useless if the client software isn't made for a particular user's PC's operating system, as I mentioned earlier. One way to use applications made for a different operating system is through a virtual machine. How easily can a Linux guest access Bluetooth devices paired to the host?

  3. Re:If not web, then what OS-independent platform? on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    Native apps don't usually have comments and data from other untrusted users that would by trying attacks like XSS against me.

    Not even a mail user agent?

  4. Re:HTTPS only. Again. on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    An internal CA solves the narrow "developer on a home LAN" issue because a web developer is presumably tech-savvy enough to generate a root certificate and install it on the machine running Chrome. Thank you for your answer.

    Am I allowed to ask a second question about other problems with an HTTPS-only policy that I foresee, related to a home server appliance intended for use by less tech-savvy users on a home LAN? Or would that be moving the goalposts?

  5. Re: Do not want on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    Because there's never been any malware that tricks the user into clicking on something?

    Such malware exists as web applications. Such malware also exists as native applications. What's the substantial difference there?

    Or browser exploits that bypass the security subsystem?

    Windows desktop apps and Linux X11 apps don't have a "security subsystem" in the first place: they run with full access to your entire user account. As I understand it, that's why some GNU/Linux distributions are trying to replace X11 with Wayland or Mir, because X11 is hard to isolate.

  6. Chrome's sandbox on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 2

    Native apps can be walled off by lightweight virtualization technologies

    Google Chrome already runs inside a sandbox that provides something akin to the "lightweight virtualization" you suggest.

    or even simply separate user accounts enforced at the kernel level.

    So if a home PC has five users, one for each member of the household, and 50 apps installed, would it need 250 user accounts, one for each member of the Cartesian product of users and apps?

  7. I can choose NOT to run a closed-source app.

    Likewise, you can choose NOT to run a closed-source web app using the LibreJS extension. It's made for Firefox; I'm not aware of a counterpart for Chrome yet.

  8. Re: Do not want on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 2

    Google's page about this new feature states that a site cannot use Bluetooth until the user clicks:

    User Gesture Required

    As a security feature, discovering nearby Bluetooth devices with navigator.bluetooth.requestDevice must be called via a user gesture like a touch or mouse click.

    Did you click to enable "porns ads blasting out of your sound bar"? Did you click to enable "your Skype chats being intercepted by blackmailers"? DId you click to enable "websites that can keylog your friend's BT keyboards"?

  9. "Managed" in what way? on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    The internet is a cesspool of fetid, rotting miasma, and you want it to be able to control real world things with no managed server in between?

    You mention a "managed server". Could you describe an architecture involving a "managed server" that you would find acceptable?

  10. HTTPS only. Again. on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 3, Interesting

    Another day, another new web API that's impractical to test across a home or small office LAN, just like Service Workers before it.

    you'll naturally want to find (or create) a website that uses the tech in the first place.

    I have one machine on my home LAN that I want to use as a server, and another machine that I want to use as the client. But from Google's page about this new feature:

    HTTPS Only

    Because this experimental API is a powerful new feature added to the Web, Google Chrome aims to make it available only to secure contexts. This means you’ll need to build with TLS in mind.

    It recommends running python -m SimpleHTTPServer on localhost. But that fails if the web server and web browser are running on separate machines, which might be the case if the machine that you are using as a web server to test your app, such as a Raspberry Pi board, is incapable of running Google Chrome or incapable of connecting to Bluetooth devices.

    I personally enjoy GitHub Pages for demo purposes.

    That's fine for demos that have reached the stage where they are ready for public consumption. I'm referring to the stage before that.

    To add HTTPS to your server you’ll need to get a TLS certificate and set it up. Be sure to check out the Security with HTTPS article for best practices there. For info, you can now get free TLS certificates with the new Certificate Authority Let’s Encrypt.

    Let's Encrypt issues certificates only for domains that have either A. publicly reachable dynamic DNS or B. a publicly reachable HTTP server. Neither of these is likely to apply to a machine on a home or small office LAN.

  11. Re:If not web, then what OS-independent platform? on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1

    Also emulators exist (yes, WINE is an emulator, it's just not emulating hardware).

    Have you had a good experience using Bluetooth devices in applications in Wine, such as a Fitbit device's sync application? AppDB reports Fitbit as "Garbage" because sync does not work.

  12. Re:If not web, then what OS-independent platform? on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 1, Insightful

    I won't accept a browser that should be SAFE, touching things it should not.

    Yet I infer that you'll accept a native application, which presumably has even greater privileges to access the data in your user account, over a web application running inside a web browser's sandbox. How are native applications more secure than web applications?

  13. If not web, then what OS-independent platform? on Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) · · Score: 0

    Would you rather lose the use of an application entirely because you own a Mac and the developer owns a Windows PC or vice versa?

  14. Re:Life of a corporation is 25 years on EFF Asks FTC To Demand 'Truth In Labeling' For DRM (techdirt.com) · · Score: 1

    But, of course no works are authored by corporations.

    A corporation is considered the author of "a work prepared by an employee within the scope of his or her employment" (17 USC 101). This "scope of his or her employment" is for the courts to decide based on several factors, though the statute does list situations in which works commissioned by the client of a contractor are deemed made for hire: "as a contribution to a collective work, as a part of a motion picture or other audiovisual work, as a translation, as a supplementary work, as a compilation, as an instructional text, as a test, as answer material for a test, or as an atlas, if the parties expressly agree in a written instrument signed by them that the work shall be considered a work made for hire." For most works of authorship intended for publication, "other audiovisual work" is a big enough loophole to drive a lane-straddling bus through, as a work often forms part of a promotional video.

    Instead, corporations pay people to author things and transfer copyright rights to the corporation. That means that the individual terms apply to the work.

    This called an "assignment", and you are correct that an assignment does not change the term. A work made for hire assigned to another publisher retains the term for a work made for hire, and an individual work retains the term for an individual work. Thus a single derivative or collective work may contain elements used under "work made for hire", assignment, exclusive license, or nonexclusive license. This makes the overall copyright term often impractical to calculate, especially near expiry a century later once records of authorship have been lost.

  15. N before M except when it's cash on EFF Asks FTC To Demand 'Truth In Labeling' For DRM (techdirt.com) · · Score: 1

    The difference is that M comes before N in one and after in the other. "Renumeration" is N-M, as in "NuMber". "Remuneration" is M-N, as in "MoNey".

  16. Copy = physical object in which a work is fixed on EFF Asks FTC To Demand 'Truth In Labeling' For DRM (techdirt.com) · · Score: 1

    Of course, it could be argued that the content is physically stored on the physical disk.

    This in fact is the view that the U.S. copyright statute takes: a "copy" or "phonorecord" is defined as a physical object in which a work of authorship is fixed.

  17. Re:This is already a huge compromise on EFF Asks FTC To Demand 'Truth In Labeling' For DRM (techdirt.com) · · Score: 1

    sort of like the choice between patent and trade secret

    Some aspects of a single product are patented; other aspects are trade secrets. For example, MPEG-4 AVC in general is patented, but specific techniques used to improve encoding quality or decoding efficiency are trade secrets.

  18. Chargebacks on EFF Asks FTC To Demand 'Truth In Labeling' For DRM (techdirt.com) · · Score: 1

    I want DRM'd money to spend on DRM products.

    That already exists. Credit card payments are subject to chargeback, and PayPal payments are subject to PayPal's purchase protection policy. Both give the buyer several months to report a seller who refuses to correct issues with a product that is not as described.

  19. Life of a corporation is 25 years on EFF Asks FTC To Demand 'Truth In Labeling' For DRM (techdirt.com) · · Score: 1

    The current near-perpetual extensions of copyright isn't 'kicking the can for future generations'. It's granting virtually eternal copyright by redefining 'lifetime' in corporate terms.

    In the U.S. copyright statute, the effective lifetime of a corporation is 25 years after a work is first published.

    • Copyright in a work of individual authorship subsists until 70 years after the end of the calendar year in which the last surviving author dies.
    • Copyright in a work published before 1978 or a work made for hire subsists until 95 years after the end of the calendar year of first publication (or for 120 years after the end of the calendar year of creation if not published within 25 years).

    Prior to the Copyright Term Extension Act of 1998, the numbers were different (50, 75, and 100 respectively), but the difference was the same.

  20. Re: Hypocrisy on Google: Unwanted Software Is Worse Than Malware (thestack.com) · · Score: 1

    If you sell your phone that you cannot root and use the money to buy a phone that you can root, the second phone will almost certainly have less CPU, RAM, and storage. Is it still an upgrade?

  21. Re:More probable cause to break down your door on UK Copyright Extension On Designed Objects Is 'Direct Assault' On 3D Printing (arstechnica.com) · · Score: 1

    Exploiting the work of others without compensation

    A monopoly for 25 years is still "compensation".

  22. Re:Android Debugging Bridge PULL command on 900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw (cnet.com) · · Score: 1

    Because the hosts file is inside /system, the device needs to be rooted in order to adb push a modified version. And that's if Android's networking stack even uses it; this comment claims that at least some versions do not.

  23. Android needs a different kind of APK on 900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw (cnet.com) · · Score: 1

    Just because Android's package format is called "APK" doesn't mean you can use a hosts file. A workaround is to use a firewall app with a DNS filter, and then plug your hosts file into that. I haven't tried NoRoot Firewall to see whether it supports a hosts file, but it does show that a firewall is possible without rooting.

  24. Re:Chalk one up for iOS on 900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw (cnet.com) · · Score: 1

    In the 1980s when Apple was busy suing DRI over GEM, XFree86 didn't exist yet.

  25. Re: Chalk one up for iOS on 900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw (cnet.com) · · Score: 3, Interesting

    First, Google Play Store has a filter called Bouncer that attempts to detect known malicious attacks in APKs. Second, if a malicious app does slip past Bouncer, it can be reported to Google.