Slashdot Mirror


User: tepples

tepples's activity in the archive.

Stories
0
Comments
68,260
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 68,260

  1. Re:Trust-busting might be a good idea on Switzerland Moves Toward a Universal Phone Charger Standard (vice.com) · · Score: 1

    the Sherman Act doesn't apply to governments

    A city is incorporated, and corporations are legal persons, and the Sherman Act states "Every person who shall monopolize..." so what in the text of the statute or in case law exempts municipal corporations?

  2. Half-donkeyed auditing on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    I didn't even go so far as to say no scripts, I said 3rd party scripts.

    I misunderstood your post. Others have used the term "third-party scripts" to include any script not on the same domain as the page itself, such as the script for serving ads itself.

    You can make all the stupid animated punch the duck ads you want, and give the script to the ad network to audit and host.

    A third-party script hosted by the ad network is unlikely to get audited well unless it's used by a substantial number of different advertisers. That's what I meant by a "standardized format to represent canvas animations": an ad network could afford to put effort into auditing a script that plays such a format.

    Why does it need to be hosted on an unknown 3rd party domain, subject to being replaced at a whim with exploit code?

    The exploit code is actually an obfuscated part of the original ad itself, hosted by the ad network, because the ad network did a half-donkeyed job of auditing it.

  3. Re:Authenticator is something else to carry on Coin Teams With MasterCard In Wearable Payments Push (thestack.com) · · Score: 1

    If you mean you could leave your card a home, or lose it

    I meant leaving the reader at home. Readers are in every shop but not already in every cell phone or every computer.

  4. If non-EV means unsafe, not much is safe on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    Green bar is safe, the rest is not.

    By that metric, Google, Facebook, Amazon, SourceForge, and GNU are unsafe because they're not EV. (I just checked.) Twitter, GitHub, Mozilla, and Outlook/Hotmail are safe though. eBay has a green bar on those few pages it does serve with HTTPS, but it's unsafe because many pages redirect from HTTPS to HTTP.

    But can a site run as a hobby, as opposed to a full-time business, be made "safe"?

  5. Neither Google, Facebook, nor Amazon is EV on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    The certificates for www.google.com, facebook.com, and www.amazon.com aren't EV either.

    In theory, certificates of full-time for-profit companies ought to be at least organization-validated. But apart from Comodo Dragon, most browsers don't do much to distinguish a domain-validated certificate from an organization-validated one.

  6. Does an advertiser trust a publisher's stats? on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    But for some reason, the interwebs is somehow different

    It is different. On the web, unlike in print, advertisers demand accurate view counts and accurate click counts. A web publisher that hosts advertisers' ads on its own site has an incentive to fraudulently inflate these. An ad network, on the other hand, is theoretically a neutral party and competing with other ad networks to offer analytics that are no less accurate than those of other ad networks. So how likely is an advertiser to trust reach statistics provided by a publisher compared to those provided by a well-known ad network?

  7. NoScript, MITM of the crypto script, and Firesheep on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 3, Informative

    If it is only a small part of data, that actually needs encryption — the password and the credit card number — you can do that (using the well-known and studied protocols) in JavaScript.

    What you describe is similar to what Tloz proposes in the question "How to replace SSL/TLS?". But using client-side script to encrypt passwords has three drawbacks:

    • It breaks on machines whose owners have configured them not to run JavaScript. But perhaps people who refuse to enable JavaScript can be filed with the "web sites ought to be static and apps ought to be native" extremists.
    • It leaves the server hosting the script itself open to compromise by a man in the middle.
    • Once the password is set, an HTTP cookie is normally set to mark subsequent HTTP requests as authenticated. But this leaves the site open to a "Firesheep"-style session cookie cloning attack.
  8. Re:Applies to All Non-EV Certificates on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    Whether or not talking to that domain in the first place is a good idea is out of scope.

    Detractors of domain-validated certificates disagree with this statement on grounds that most non-technical users won't notice the typo in "BankOfArnerica.com".

  9. Comodo Dragon warning for DV certs on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    Devices running the Comodo Dragon browser visibly distinguish DV from OV certificates. I don't know if it still does, but it at least used to present an interstitial page for DV certificates that resembles other browsers' interstitial for an unknown CA.

    It may not be safe to exchange information with this site

    The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

  10. Animated GIF does not compensate for motion on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    Good old-fashioned gifs can animate without use of a script.

    Each frame of an animated GIF has to include all pixels that have changed since the last frame. They can't compensate for motion, which means text fading in or sliding in from the side will bloat the file larger than a script+keyframes approach would. And with ad networks recognizing the realities of a pay-per-bit market for Internet access, advertisers will prefer a format that fits a more attractive ad into the same file size.

  11. There is no such standardized ad format yet on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    Why the hell do ads need to be able to run arbitrary 3rd party scripts? Give them an image, some text, etc. and they stick it in their ad format.

    Because only scripts can animate "an image" and "some text" on a <canvas> element. Ideally, the advertiser would author the animation and export a set of data that represents keyframes, and a publicly auditable script hosted by the ad network would use this data to present the animation. But to my knowledge, there is as of yet no such standardized format to represent canvas animations.

  12. Re:Why the emphasis on Lets Encrypt? on Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) · · Score: 1

    It used to be, one had to prove being "a legitimate business" to obtain an SSL certificate.

    True, TLS certificates were originally supposed to be organization-validated. But in the original model, how was the hobbyist operator of a web site supposed to protect passwords of the site's users from eavesdropping?

  13. A stopped clock is right twice a day.

  14. Re:By harmonizing to whose term? on CBS, Others Sued For Copyright Infringement Over "Soft Kitty" In Big Bang Theory (arstechnica.com) · · Score: 1

    I can't see Canada, whose copyright term is still the Berne minimum life plus 50 years, agreeing to harmonize to Mexico as a condition of NAFTA II.

  15. However signatories to the Berne convention (which defines international copyright law and to which the US is a signatory) are all supposed to have a standard (at life +70) copyright.

    Since when? The last time i checked, Berne was life plus 50, and only post-Berne treaties have extended the minimum beyond that.

  16. Re:Authenticator is something else to carry on Coin Teams With MasterCard In Wearable Payments Push (thestack.com) · · Score: 1

    If readers became standard which they would if everybody paid this way then their would be no issue, the reader could even be wireless.

    But it'd still be something to have forgotten at home or to have misplaced.

  17. Re:Logging in as root momentarily on Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com) · · Score: 1

    It does ask for a password for root, an unprivileged user, and a password for that user. But when I installed Debian 8 "jessie" about a month ago, I don't remember seeing any indication that if I left the root password blank, it would instead install and configure sudo.

  18. Things end up discontinued on Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com) · · Score: 1

    I don't mind being in the minority.

    The problem with being in the minority is that the products on which you rely are likely to end up discontinued. A minority preferred 10-inch low-cost laptop PCs, but they were discontinued at the end of 2012.

  19. By harmonizing to whose term? on CBS, Others Sued For Copyright Infringement Over "Soft Kitty" In Big Bang Theory (arstechnica.com) · · Score: 2

    make no mistake, copyrights in mid industrialized countries are now effectively infinite.

    How so?

    The 1998 extension was enacted soon after the European Union had standardized copyright at life plus 70, following the term then in place in Germany. The Supreme Court in Eldred v. Ashcroft justified the 1998 extension by being careful to distinguish harmonizing to the EU from what has since come to be called "perpetual copyright on the installment plan". But because the EU is still at life plus 70, Congress won't be able to use the EU again. To which other industrialized country's copyright term would a subsequent U.S. copyright term extension harmonize?

  20. Pre-1978 works are like those made for hire on CBS, Others Sued For Copyright Infringement Over "Soft Kitty" In Big Bang Theory (arstechnica.com) · · Score: 1

    U.S. copyright in individual works published before 1978 subsists for the same duration as that in works made for hire: 95 years.

  21. Helium or Carbonite? on Google Fixes Rooting Vulnerabilities In Android (csoonline.com) · · Score: 1

    Just to be sure, did you mean ClockworkMod Helium (formerly Carbon), or did you mean Carbonite? I'm guessing Carbonite is responsible for the rename to Helium.

  22. External peripheral makers love OS X on Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com) · · Score: 1

    I refuse to use iOS because Apple has root, not me.

    People who disagree with the maker of a phone or game console having root are unfortunately outnumbered.

    Manufacturers will continue to avoid OSX for the same reason they do now: all OSX hardware is built by one company.

    All internal hardware is built by one company. But through USB and Thunderbolt, Apple has provided plenty of space outside the case for third-party peripherals. A lot more peripheral packaging advertises support for OS X than for "Linux" (presumably GNU/Linux).

  23. GNU/Linux or Android? on Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com) · · Score: 1

    Richard Stallman was right about one thing.

    If Windows disappeared, then manufacturers would release drivers primarily for Linux, and applications would be written primarily for Linux.

    By "Linux" did you mean GNU/Linux or Android? Because I've already seen a lot of application developers forgo a Windows desktop application in favor of one for Android. (Case in point: Try signing up for an account to comment on Instagram pictures or chat with WhatsApp users without a major smartphone sometime.) And if GNU/Linux, then why it and not OS X or iOS?

  24. Because network effects on Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com) · · Score: 1

    The quality-of-life for everyone on the planet would improve by an order of magnitude if we could EOL Microsoft entirely and move on to a FOS OS

    Why do you care what anyone uses?

    Because without a broad user base on a Free operating system, developers of applications and hardware peripherals are unlikely to spend much effort on making their products compatible with a Free operating system.

  25. Logging in as root momentarily on Internet Explorer 8, 9, and 10 Reach End-of-Life Next Week (thenextweb.com) · · Score: 1

    Do you log in to your Linux boxes as root and do everything as a super user?

    Some Debian users do. Debian doesn't set up sudo by default, instead expecting users to log in as root using a password chosen during installation. They log in as root, make changes, and log out. Ubuntu, on the other hand, doesn't create a root password during installation but instead sets up sudo to create a similar elevation flow to OS X and Windows 6+.