We've had only a few major redesigns since 1997; we think it's time for another.
You've had one in 2009 that was so utterly horrible that it resulted in one of two times I used the journal, in over 15 years.
No, it's not time for another. There is never a time for a redesign. There can be a need for one, but that's a totally different thing. You know, a need happens to address a problem. The very people that make this site - because people come for the articles so little the abbreviation RTFA originated here - have told you strongly that there isn't a problem that needs fixing.
The argument is "broader audience". That's a business need. That basically means "we think we can make more money off this site". Which is perfectly fine if it doesn't conflict with the needs of the audience you already have. Else what you do isn't growing the audience, it's exchanging it.
People are already talking about setting up /. replacements. People with the know-how, resources and drive to actually do it. In a time where the sentiment on this site is strong enough that it could actually gain momentum. If you still haven't realized that you're playing with a live hand grenade, you are dangerously stupid.
I'd give it a shot and see how it compares. And I say that as someone who's been active on /. since not only before it was owned by Dice, but before it was owned by anyone.
Like most people, I don't come to /. for the articles (the days where you get the obscure articles from here are long gone), but for the comments. Because despite all the whining, there are still a lot of smart people worth listening to here, and very often the comments are much more valuable than the article.
In other words: Yes, the comment section is the most important part.
It goes all ways. I've seen many security problems caused by tech people with little security understanding who didn't want to be inconvenienced. The subnet that the developers set up for themselves because the corporate network is too restricted is often the one that is easiest to break into.
As I said: The most dangerous users are not the ones with no clue at all, but the "power users".
I disagree with you on the "most people who work in the sector have no clue" statement. People have long known about IT security issues. It's not like things like "sub7", "winnuke", "nimda", "code red", etc. weren't issues.
I should've been more clear:
There are security experts, and there is the security industry. The two occasionally meet to compare notes, most of which are beyond the understanding of the latter.
The security "industry" is exactly the snake-oil job you describe, for most parts. Business people with just enough understanding of security to fuck it up really well, and well-meaning techies who know just enough to complete the mess. They package security into nice products... sorry, "solutions" and sell it at incredibly inflated prices to PHBs who want nothing more than putting something with a nice name on the expense sheet and reporting to their bosses that the security problems are all solved.
Real security is a lot dirtier, less sexy, more work and more complicated than that.
Also, it includes a lot of fields that are not very technical, like cognitive sciences to understand why users act the way they do.
after having read tonight's even *more* lame, unhelpful, patronizing and disappointing Slashdot Beta feedback thread
Strange, that must've fallen through my filters somehow. Where is it?
It's the same everywhere you look. The current state of IT security is horrible, utter and total crap, and the main reason is that most of the people who work in the sector have no clue, starting from journalists like those and consultants and... well... almost everyone else.
The reason is that much like cryptography, real security is hard. It's not something you pick up in a week course when your boss decides someone in the team needs to specialize on security. There are a great number of actual experts and over the years I've had the pleasure of meeting or working with many of them, but it's a small world and the total number of experts available world-wide is far smaller than the demand for manpower in the security "industry".
Plus it's a bikeshed problem. Lots of people know a little bit about security, so focus is given to the parts that people believe they understand, instead of the real problems. When I do consulting (I don't very much, I dislike it, but I occasionally take jobs because I enjoy the problem, or the company) my metaphor for that is that in IT security, it is very easy to find someone who will sell and install you a 3-inch solid steel door with military level security locks for your front door, but very difficult to find someone who will walk around the house with you and point out the easily broken windows and the open basement door.
Here's a free business hint: When you hire a security consultant, ask them for a quick suggestion for a password policy. If you get the two decades old "at least x letters, at least 1 special character, at least 1 number", don't hire them. That bullshit was adequate on Multics systems in the 70s. Today, it will weaken your password security if you programmatically enforce it. (and yes, I have the data to back that up, but that's a short presentation and not a comment field).
So yes, these journalists are spreading bullshit. They are like the power users in a company - the nightmare of IT support. They probably know a little about security, just enough to get it wrong.
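An added illustration of the password-policy hint above, not the commenter's data or code: the legacy composition rule ("at least x letters, one digit, one special character") side by side with a length-plus-blocklist policy of the kind NIST SP 800-63B now recommends. The sample passwords and the tiny `BREACHED` set are constructed; a real deployment would check against a large leaked-password corpus.

```python
"""Legacy composition rules versus a length-plus-blocklist password policy.

Added example, not the commenter's code. The sample passwords and the
BREACHED set below are constructed for illustration only.
"""
import re
import unicodedata

# Constructed stand-in for a breached-password blocklist.
BREACHED = {"password", "qwerty123", "letmein", "welcome1", "iloveyou"}

# Substitutions users apply to squeeze a dictionary word through a
# composition rule; they are undone before the blocklist lookup.
_DELEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "$": "s",
                         "5": "s", "3": "e"})


def legacy_policy(pw: str, min_len: int = 8) -> bool:
    """The decades-old rule: minimum length, one digit, one special character."""
    return (len(pw) >= min_len
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Unicode-normalize and case-fold so trivial variants compare equal."""
    return unicodedata.normalize("NFKC", pw).casefold()


def deleet(pw: str) -> str:
    """Undo common leetspeak substitutions ("P@ssw0rd" -> "password")."""
    return normalize(pw).translate(_DELEET)


def modern_policy(pw: str, min_len: int = 12) -> bool:
    """Length plus blocklist, no composition rules.

    The blocklist is consulted with the normalized password, with a trailing
    run of digits/punctuation removed ("Welcome1!" -> "welcome"), and with
    leetspeak undone, so the usual mangled dictionary words are caught.
    """
    if len(pw) < min_len:
        return False
    n = normalize(pw)
    stripped = re.sub(r"[\d\W_]+$", "", n)
    candidates = {n, stripped, n.translate(_DELEET), stripped.translate(_DELEET)}
    return not (candidates & BREACHED)


def evaluate(passwords):
    """Map each password to (passes legacy rule, passes modern policy)."""
    return {pw: (legacy_policy(pw), modern_policy(pw)) for pw in passwords}


if __name__ == "__main__":
    samples = ["P@ssw0rd", "P@ssw0rd12345", "Qwerty123!",
               "correct horse battery staple"]
    for pw, (legacy, modern) in evaluate(samples).items():
        print(f"{pw!r:34} legacy={legacy!s:5} modern={modern}")
```

The point the table makes when run: the mangled dictionary words sail through the composition rule and are rejected by the blocklist, while the long passphrase fails the composition rule and passes the modern policy.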
yeah, I feel like Jamie some days :-)
But I can tell you what it was like a decade ago. Most of the stories actually were relevant and you felt like commenting on them. The stories definitely were better. However, the comments were not. When it grew, /. acquired quite a number of famous readers with real, personal, first-hand knowledge of the topics. You didn't have many of those in the early days, aside from some hardcore tech guys. But people like NewYorkCountryLawyer were missing back then.
Personally, I'm using Zite on my iPad and it does have about half the interesting stories on /. a day or two before they show up here.
I still come here for the other half, though.
Wow.
It's like seeing a unicorn.
get off my lawn, youngster.
BMI works for many people, but not all. As in so many general statistical measures, you need to know where the limits are and if you're an exception or not.
Most people aren't. While I don't doubt that you are truthful, for every one of you there are twenty actually obese people who'll use a line like that as an excuse.
No. On the contrary, it's rather a counter-argument for me.
Because "social" media is anti-social. When I invite friends over for chill-out or a movie or whatever, I can either call up 6 or 7 and get 4 or 5 "ok, sounds cool, I'll be there" - or I can invite 30 on Facebook, get 10 replies, half of which are "maybe" which is just code for "not really but I don't want to look as if I don't like you" and half of the "yes" will drop out at the last moment.
Nothing beats actual personal face-to-face social interaction, period. And I say that as a nerd who at times doesn't feel like leaving the house today.
A third is nice, but at which date will they exceed world population?
The confusion in the public eye, intentionally created by some, is between the actual authors/creators and the copyright holders.
They are often not the same.
I've also written a much longer reply to John's Editorial on my own forum.
but the other piece of the puzzle is that the user has to be computer-savvy enough to know, or at least suspect, that there is a better way to accomplish a task
True, but that's easy:
"If you do the same or a very similar task repeatedly for more than 30 seconds, there is almost always a way to automate it."
I once saw someone renaming over three thousand files by hand in order to change a date format
They don't need to code. They need an IT department that doesn't have its head in its ass and is supplied with enough resources to be able to afford solving user problems like that.
Sadly, most companies run with a "lean" (read: understaffed) IT. Meaning they don't have time for anything but the essentials. But since most people in accounting, etc. don't make that much less than an IT worker, for a task like this which takes 15 minutes of time for the IT guy but could save a couple hours of work for the account (or whatever) dude, the interest of the company would clearly be that he picks up the phone, calls IT, explains his need and some IT guy does the shell magic for him quick.
Teaching everyone how to code, even basic skills, however, would cost a lot more than it's worth. Just hire two more IT guys. It's cheaper.
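The rename job the comments above describe, as an added example that is not the commenter's script: it turns a DD-MM-YYYY date in a file name into ISO YYYY-MM-DD, but first builds the whole plan and checks for collisions (two files mapping to the same new name, or a target that already exists), since at three thousand files a silent overwrite is the real risk. The sample file names are constructed; `apply_renames` defaults to a dry run.

```python
"""Bulk-rename files whose names carry a DD-MM-YYYY date to ISO YYYY-MM-DD.

Added example, not the commenter's code. Sample names are constructed.
"""
import os
import re
from typing import Dict, Iterable, Set, Tuple

# DD-MM-YYYY not glued to other digits, so an existing 2014-02-01 is left alone.
DATE_DMY = re.compile(r"(?<!\d)(\d{2})-(\d{2})-(\d{4})(?!\d)")


def to_iso(name: str) -> str:
    """Rewrite every DD-MM-YYYY in the name as YYYY-MM-DD."""
    return DATE_DMY.sub(r"\3-\2-\1", name)


def plan_renames(names: Iterable[str]) -> Tuple[Dict[str, str], Set[str]]:
    """Return (old -> new) for names that change, plus the set of target names
    that would collide with another target or with a file that is not renamed."""
    names = list(names)
    plan = {n: to_iso(n) for n in names if to_iso(n) != n}
    untouched = set(names) - set(plan)
    seen: Set[str] = set()
    collisions: Set[str] = set()
    for target in plan.values():
        if target in seen or target in untouched:
            collisions.add(target)
        seen.add(target)
    return plan, collisions


def apply_renames(directory: str, dry_run: bool = True) -> int:
    """Plan and (unless dry_run) perform the renames in one directory.

    Refuses to touch anything if the plan contains a collision."""
    plan, collisions = plan_renames(os.listdir(directory))
    if collisions:
        raise ValueError(f"refusing to rename; targets collide: {sorted(collisions)}")
    for old, new in sorted(plan.items()):
        if dry_run:
            print(f"{old} -> {new}")
        else:
            os.rename(os.path.join(directory, old), os.path.join(directory, new))
    return len(plan)


# Constructed sample listing.
SAMPLE = ["report_31-12-2013.xlsx", "scan_01-02-2014.pdf", "notes.txt"]

if __name__ == "__main__":
    plan, collisions = plan_renames(SAMPLE)
    for old, new in plan.items():
        print(f"{old} -> {new}")
    print("collisions:", sorted(collisions) or "none")
```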
no
next question?
As you type this, on slashdot.org
Yes? I run a .org domain myself, which for 10+ years was the TLD you'd pick for any site that was not a company, university or government/military entity.
Sure, these days slashdot is for-profit, but it wasn't always.
The domain name system hasn't really been meaningful in terms of being descriptive for a very long time now.
True, but at least it made some sense and wasn't just a total mess of meaningless bullshit.
As with most things, the proper balance and context matter.
When you're in the countryside or suburbs, leaving your door unlocked is probably cool. When you live in the center of a large city, less so.
The infrastructure IS the weapon, it's your job to change that over the next 20 years.... get crackin'
We've already tried changing it for the past 20 years. The problem is that IT is largely commercial, and in the commercial world, "good enough" is enough. If it's not threatening the bottom line, then it's ok. And that's not limited to IT security. Physical security at most corporate headquarters is pathetic and only deters non-determined break-ins. It's trivial to get hired into a position with access to even sensitive areas (say, in the cleaning crew) with no background checks. And I could say something about how finances are really handled in the corporate world, but unless you already know, you wouldn't believe me.
It's not IT security. That is just part of the bigger whole. Our entire economy is a house of cards, and since the economy has come to dominate our society (politicians have long ceased to have visions, much less actually change things, they're purely reactive), that leaks into everything.
Welcome to the end of a meaningful domain name system.
Yeah, I know they tried raping it before, but the world largely ignored .biz, .info, .aero and I even forgot what the others were. Or have you seen more than two domains in those TLDs in the recent years?
But brands, that was a gold mine. Advertisers are parasites and they will be happy to convince their marks^H^H^Hcustomers that they really, absolutely must have a fitting TLD now. And since in large corporations (that have the money), the people they talk to are also marketing dudes, it'll work.
It's a huge scam, but it'll rape the usefulness of the DNS hierarchy. Too bad we didn't put everyone within ICANN to the sword while there was still time.
While that's true, it only applies to the technology used. Script kiddies never evolve, that's what makes them script kiddies (those who do stop being one). So what their hacks lack is creativity. They apply tools they downloaded in scripts they copied for rote attacks. That's why a similarly rote defense and recovery is good enough.
Actually, I don't remember that particular story. I do, however, remember that maybe 8 or 9 years ago, there were companies still in business offering such recovery services. Don't remember the details, though. Might have depended on the age and type of drive even then.
This is why the notion "It is OKAY if we have all these backdoors and all this data collection, the only quantum computer, etc, as long as it is controlled by strong security controls, laws, regulations, oversight" is absurd.
Oh, I agree completely. But don't forget that, like any big organisation, what the NSA actually thinks internally and what it says in public statements are two very different things and in many cases there is very little connection between the two.
Now what do you think is the probability to recover even a single bit from an encrypted file?
That depends on the encryption.
In very simple terms: Some encryption methods work so that if you have one hole or wrong byte anywhere, all the rest of the file is garbage. But some other encryption methods work in blocks, so if you have an error, then that block is garbage, but the next block can be decrypted normally.
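The two behaviours described in the comment above correspond to two block-cipher chaining modes, shown here as an added example that is not the commenter's code: in CBC, a damaged ciphertext block garbles its own plaintext block and flips the same bits in the next one, after which decryption resynchronizes; in PCBC, every block after the damage is garbage. The "block cipher" is a deliberately simplified four-round Feistel network built on SHA-256 so the script runs offline with only the standard library; it is not a secure cipher, but the chaining logic is exactly what CBC and PCBC do with AES. Key, IV and plaintext are constructed. One caveat the comment does not mention: an authenticated mode such as AES-GCM refuses to decrypt at all once any byte is damaged, so the "next block decrypts normally" behaviour is specific to unauthenticated modes.

```python
"""Error propagation in CBC versus PCBC chaining.

Added example, not the commenter's code. The block cipher is a toy Feistel
network for demonstration only; KEY, IV and PLAINTEXT are constructed.
"""
import hashlib

BLOCK = 16
HALF = BLOCK // 2
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"".join(f"block {i:02d} payload".encode()[:BLOCK].ljust(BLOCK, b".")
                     for i in range(5))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Toy round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, pt):            # C_i = E(P_i ^ C_{i-1})
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):            # P_i = D(C_i) ^ C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def pcbc_encrypt(key, iv, pt):           # C_i = E(P_i ^ P_{i-1} ^ C_{i-1})
    out, prev_c, prev_p = [], iv, bytes(BLOCK)
    for p in _blocks(pt):
        c = encrypt_block(key, _xor(p, _xor(prev_c, prev_p)))
        out.append(c)
        prev_c, prev_p = c, p
    return b"".join(out)


def pcbc_decrypt(key, iv, ct):           # P_i = D(C_i) ^ P_{i-1} ^ C_{i-1}
    out, prev_c, prev_p = [], iv, bytes(BLOCK)
    for c in _blocks(ct):
        p = _xor(decrypt_block(key, c), _xor(prev_c, prev_p))
        out.append(p)
        prev_c, prev_p = c, p
    return b"".join(out)


MODES = {"cbc": (cbc_encrypt, cbc_decrypt), "pcbc": (pcbc_encrypt, pcbc_decrypt)}


def garbled_blocks(mode: str, damaged_offset: int = BLOCK + 4) -> list:
    """Flip one bit in ciphertext block 1, decrypt, and report which plaintext
    blocks no longer match the original."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, PLAINTEXT))
    ct[damaged_offset] ^= 0x01
    recovered = dec(KEY, IV, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(_blocks(PLAINTEXT), _blocks(recovered)))
            if a != b]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode}: garbled blocks after one flipped bit -> {garbled_blocks(mode)}")
```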
You may convince me that it works for one, two or even three rewrites. But never with 50.
For all practical purposes, even if you've done only two or three passes, the data is probably gone.
But if you want to make sure, then that's not enough. If you want to make "reasonably sure", then overwriting a few times is good enough. If you want to make really, really, sure with absolute certainty, then physically destroying the device is what you're going to do. Not because there's any practical probability left otherwise, but because you don't want to make the Alien mistake. You definitely do want to take off and nuke the site from orbit, just to be sure.