I always learned that states rights was an outdated racist concept that we killed off in the Civil War.
Having 50 standards was wrong when having one standard made much more sense.
The state level bureaucrats got substandard educations from State U instead of the elite Ivy League and as such were unqualified to govern effectively. Now suddenly states rights is progressive and having 50 different standards designed by morons is a good thing? Am I the only one experiencing cognitive dissonance here?
Confusion is natural for those who neglect to form arguments for or against a course of action based on actual articulable merit and instead hide behind voodoo magic, worthless ideology and dogma.
Foveated rendering? That would add further savings but I doubt it's practical. You would need a ridiculously low latency, I don't believe in it. Perhaps a very broad notion of where your eyes are looking can be used to determine which broad areas are rendered at half res.. That'd be all.
Bandwidth of present day HDMI/DP links is already something like 2000 times that of the human optic nerve and yet this is still at least 100 times short of what would actually be required to drive a VR display to the limit of human vision using current photon spamming techniques.
Regardless of challenges of Foveated rendering it WILL HAPPEN no matter what. There is no viable path forward that does not involve foveated rendering.
Well, Amazon has free shipping too if you meet the minimum order. No membership dues.
That's the whole point of Prime (the shipping portion, anyway), you get the free shipping without needing the minimum purchase.
The point is not free shipping in a vacuum. It's that Wal-Mart offers 2-DAY FREE SHIPPING. The same deal as Amazon except without prime membership requirement.
Amazon's idea of free shipping without prime means they'll sit on your order for a week before contemplating shipping it ground.
The minimum purchase threshold is not something I find valuable so I don't care and strongly disagree with assertion it's the whole point of prime. The whole point of prime in my view is 2-DAY FREE SHIPPING not circumvention of minimum order requirement. At least I've never heard anyone say they got prime because of minimum orders. They always talk about shipping speed. I'm sure for some this is a valuable consideration yet probably not for the majority of prime subs.
Another Slashdot article about Windows, and we can already see the trolls crawling out with their complaints about privacy, breakage, licensing, and other such crap.
Is your assertion anyone who "complains" about these things is a troll?
Most folks don't care about their software's freedom, just as long as it keeps working.
I keep hearing how nobody cares when the actual truth is closer to nobody knows or understands.
Yes, that means updating. Keeping your systems patched and updated is the best way to reduce attack surface, regardless of what OS you use.
Over 90% of those being owned are via social engineering not exploitation of any software vulnerabilities.
Most users sit behind a stealth mode firewall leaving much of the remaining avenue for attack in the realm of user behavior and security properties of user mode software.
I don't buy keeping Windows patched is the _best_ way. Ideally it should be a no brainer for users however bad experiences and loss of trust have consequences all around.
Don't go turning off security features thinking you're protecting your privacy...
I agree, turning them off does nothing. You actually have to firewall Windows from Microsoft to protect your privacy.
you're really just increasing the time it takes for you to be protected against new threats.
Threats that are overwhelmingly irrelevant to desktop users running non-Microsoft browsers.
Microsoft doesn't care about the porn you watch or how many hours you spend on My Little Pony forums.
Personally I don't give a fuck what Microsoft cares about. I don't want them to collect data from me period. What they do or don't do with it is totally irrelevant.
Finally, please stop complaining that your hardware from 1994 doesn't work with the new updates. I'm terribly sorry that your vendor doesn't bother to support driver APIs less than a decade old, but it's time to move on.
This is a mature market where new hardware increasingly offers little to no new value while compatibility is increasingly valuable to customers.
Simply waving your hands saying stop I don't like this it doesn't seem fair is not likely to influence anyone's behavior.
The $99 price was already chosen with that in mind: make it cheaper means less profit, and more expensive means less subscriptions. With the new price, they know they are going to lose some subscriptions, but for them, the $100-$120 demographic they probably identified long ago isn't worth losing $20 per subscriber.
This isn't just about losing subscriptions it is also about losing sales as competitors fill in the vacuum.
The Chinese supposedly built a satellite to test using this system to generate uncrackable one-time crypto pads. It's also not interceptable because if someone could listen in, they'd disrupt the measurement and the pads wouldn't match.
Quantum is identical to an infallible key agreement protocol with all of the same underlying baggage. It is no more or less valuable than that and hardly uncrackable.
No matter what all parties to the communication are required to guard classical sources of trust using classical means of leveraging that trust to authenticate the channel. All of these things are subject to classical attack.
Downturn in sales confirms smartphones are dying. In the future there will be no smartphones. Those of you who still have smartphones are dinosaurs stuck in the past.
You should start by reading chrome privacy whitepaper and controlling privacy policy.
Next I dare you to open chrome and browse to any site anywhere including exclusively local servers on your own network without chrome calling home to Google. It is impossible to prevent no matter how carefully browser is configured.
They are uniquely vindictive about it. Much of it uses primary google.com domain used by search engine for data collection without any specific subdomains so it isn't even possible to blacklist by traditional means unless you never intend on using Google search engine.
FFS even data about autocomplete fields are sent to Google. Chrome is a never ending series of ridiculous excuses to stalk everything the end user does that can't be stopped no matter what no matter how careful the user is to adjust privacy settings. Chrome intentionally engineered to violate the user's privacy in every way possible.
We have easy direct evidence from ice cores accounting for last 3 million years and numerous direct and indirect proxies going back at least 2 billion years.
I would've assumed it would be aging Boomers and Gen-X'ers who would be clinging to their cash. It's so bizarre that the most digitally connected generation, is using the most archaic form of payment.
Though, I guess I can't be too shocked - I still get cashiers looking at me like I'm using voodoo magic when I use Apple pay.
Technology is a means to an end not an end unto itself.
I no longer shop Amazon. Got tired of being messed with and moved on. Would rather deal with eBay or even Walmart which provides the same two day shipping deal for free without no stinking membership fees for general "online" shopping.
Reasons I stopped using Amazon:
Ordering something in stock more often than not results in sitting on orders for a week before deciding to ship.
Not allowing purchase of random items (Including a frigging Starwars DVD) unless I joined their little prime club.
Not allowing purchase of random low value items due to failing to reach minimum order amount.
Upselling maze during checkout.
Affiliate seller feedback and rating system is intentionally designed to be worthless. I can only see 5 items at a time and can't filter by negative feedback or keywords.
Noncompetitive pricing.
Annoying search facilities with a borked relevancy filter designed to always find something often leaves me wading through page after page of nonsense only to find out Amazon doesn't have what I want.
With 5 to 6 TIMES percent of U.S. population sitting in prisons vs. European and Australian countries with similar standards of living and systems of governance I would say LEA is already doing an amazing job considering their hands are tied by "darkness".
Look how well they've done with civil asset forfeiture being so successful trend line over decades has actually managed to exceed sum total of everything reported stolen. Way to go LEA!! Truly an amazing result. Imagine what it could be if only speaking in codes unknown to LEA were outlawed.
Steady bending of sentencing to enhance plea deals as an effective means of extortion now results in a 60 to 70% disparity in jail time for the same crime for those whose only additional sin was failure to forfeit their right to jury trial.
What this country really needs is for more people to give up more of their rights so LEA can do an even better job and keep everyone even safer. We're already 5-6 times safer than everyone else....
Oh what's that you say? We're not? You mean even with all of those extra people sitting in jail U.S. is 3-4 times less safe? No... can't be... I'm shocked...
Consider the alternative: Millions of people who never installed ANY updates and had their systems compromised by spam bots, were used in DDoS attacks, or were doing something else that is a nuisance to the Internet community as a whole.
Millions of people "had their systems compromised" because they were successfully tricked into executing malware.
If all software bugs magically disappeared tomorrow nothing would change.
I don't understand what you guys want. Do you not think every web property tracks you? Do you not think Slashdot doesn't track you? There are a dozen web trackers on this website. The mind boggles!
Cross-site cyber stalking of users is no different or acceptable than spending your day following someone around all day and compiling lists of their every move.
Who does it is as irrelevant as trying to get out of a speeding ticket by pointing out instances of other speeding.
Do you not realize that the mechanism itself does actually authenticate and verify that it is talking to the correct website?
When you enroll your device with the website in the first place, mutual trust is established.
This process depends on PKI to protect the integrity of initial handshake rather than standing alone.
If initial account creation and "device enrollment" are the same things then the effective difference between providing a password and enrolling is academic otherwise see below.
Often in security sensitive situations account creation has an offline component where one must appear in person with appropriate papers or they are otherwise provided with initial credentials out of band such as when showing up for work or being given credentials in a phone conversation.
If a user puts their password into the same site and then presses their key, their actual account is still safe.
Assume someone was able to fraudulently obtain a cert for target domain. No compromise of the server has taken place.
A bad actor leverages this certificate to impersonate target domain. When "enrolling" using this authentication scheme bad actor is able to MITM the entire process giving themselves the key to your account while leaving you with a worthless paperweight of a key to the attacker's system.
With a secure authentication protocol this isn't possible because password itself is used to establish proof of possession and impersonation attacks fail on the imposter certificate.
Obviously a password only serving as a local gatekeeper to locally stored private key is never compromised but this really isn't the point. The point is this source of trust can't be directly leveraged to protect the communications channel. It's exclusively a "by-proxy" scheme which requires external sources of trust to remain secure. Depending on local protection schemes it may also provide additional attack vectors for brute forcing passwords if a user's device is compromised that would otherwise not even be represented in persistent storage.
Even when using token bindings the bindings themselves are divorced from underlying credentials.
Where is a 'good implementation', and why isn't it being used anywhere?
TLS mutual certificate authentication has been widely deployed in corporate environments for creeping up on two decades now.
TLS mutual password authentication using ZKP/PAKE is able to securely authenticate passwords with no information leakage and no external sources of trust. This technology is widely deployed across all the major TLS stacks.
Both sources of trust contribute to and are cryptographically bound to underlying communications channel.
Why, exactly, is it a 'poor implementation'?
Primarily it's the wrong layer. It doesn't leverage itself to secure underlying communications channel.
The security of whatever you're protecting with "secure authentication" is directly dependent on the security of hundreds of globally redundant DV CAs several of which are known to be owned and operated by foreign governments. Virtually all the world's CAs use automated indications from totally INSECURE protocols to AUTOMATICALLY issue certificates and do not even coordinate amongst themselves.
A secure authentication protocol stands alone not requiring PKI or other auxiliary sources of trust to protect integrity of authentication process.
A secure authentication protocol does NOT put the end user at risk even when they enter their passwords into the wrong site.
This scheme does nothing to support secure password authentication.
Losing your key is no different than losing/forgetting your password.
Exactly my point. The service is a stakeholder in key management.
Most Internet based 2FA schemes actually deployed today are designed to offer recovery leveraging either factor alone or even worse (see password reset questions). It isn't about enhancing security it's about enhancing your ability not to be locked out of your shit.
The fundamental reality is most Online services don't give a crap about how secure you are they care about protecting their wallets from the deleterious effects of handling "I forgot my password".
When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign the challenge with your private key and return it. If your signature is successfully matched with the previously stored public key, you are authenticated. If someone intercepts the conversation they get nothing useful, because next time the challenge will be different, and no actual keys were exchanged. If someone hacks the service all they get is a bunch of PUBLIC keys.
In other words reinventing client certificates poorly and mistaking it for progress.
Now, how to protect your PRIVATE key is totally up to you. You could keep it in an encrypted file that is unlocked with biometrics. Or, you could keep it in a hardware cryptography module in a PC protected with 4096 bit encryption, inside a steel cage. Or anything in between. It is up to YOU, not the service.
Until you lose your key and go whining to the operators of the service.
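The point argued in the authentication comments above, that a password proof bound to the communications channel fails when relayed through an impostor certificate, can be seen in a small model. This is an added example, not code from any commenter or project: it uses a SCRAM-style proof (the RFC 5802 key structure with a `tls-server-end-point`-like binding), not the ZKP/PAKE mentioned in the thread. The certificate bytes, user name, password and message layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000                      # constructed: low so the demo runs fast
REAL_CERT = b"constructed DER bytes of the genuine server certificate"
IMPOSTOR_CERT = b"constructed DER bytes of a fraudulently issued certificate"


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fingerprint(cert_der):
    """Channel-binding value: SHA-256 of the certificate the TLS peer presented."""
    return hashlib.sha256(cert_der).digest()


def auth_message(user, nonce, binding):
    # Simplified stand-in for the SCRAM AuthMessage (not the RFC wire format).
    return user.encode() + b"," + nonce + b"," + binding


def client_keys(password, salt):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest()   # (ClientKey, StoredKey)


class Server:
    def __init__(self, cert_der, bind_channel):
        self.cert_der = cert_der
        self.bind_channel = bind_channel
        self.accounts = {}               # user -> (salt, StoredKey); no password kept
        self.pending = {}                # user -> nonce, single use

    def enroll(self, user, password):
        # Assumption: enrollment happens out of band, as the thread describes.
        salt = os.urandom(16)
        self.accounts[user] = (salt, client_keys(password, salt)[1])

    def challenge(self, user):
        self.pending[user] = os.urandom(16)
        return self.accounts[user][0], self.pending[user]

    def verify(self, user, proof):
        nonce = self.pending.pop(user, None)
        if nonce is None or len(proof) != 32:
            return False
        _, stored_key = self.accounts[user]
        # The server binds to the certificate IT presented, not the one the client saw.
        binding = fingerprint(self.cert_der) if self.bind_channel else b""
        signature = _hmac(stored_key, auth_message(user, nonce, binding))
        recovered = _xor(proof, signature)
        return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)


def client_proof(user, password, salt, nonce, cert_seen, bind_channel):
    client_key, stored_key = client_keys(password, salt)
    binding = fingerprint(cert_seen) if bind_channel else b""
    signature = _hmac(stored_key, auth_message(user, nonce, binding))
    return _xor(client_key, signature)


def login(bind_channel, relayed, password="correct horse"):
    """Return whether the genuine server accepts the proof.

    relayed=True models the thread's scenario: the client's TLS session ends at
    an impostor certificate and every message is forwarded to the real server.
    """
    server = Server(REAL_CERT, bind_channel)
    server.enroll("alice", "correct horse")
    salt, nonce = server.challenge("alice")
    cert_seen = IMPOSTOR_CERT if relayed else REAL_CERT
    proof = client_proof("alice", password, salt, nonce, cert_seen, bind_channel)
    return server.verify("alice", proof)


if __name__ == "__main__":
    print("bound, direct  :", login(True, False))
    print("bound, relayed :", login(True, True))
    print("unbound, relayed:", login(False, True))
```

Unlike a PAKE, this construction still lets whoever receives the proof test password guesses offline, so it shows only the channel-binding property, not the "no information leakage" one.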
Quick, what's the logo for C, Pascal, FORTRAN, or BASIC? Countries have flags and seals; languages don't.
If you asked what the logo for Perl is everyone would be able to answer.
How dare the EU disrupt this global extortion racket. Evil bastards.
The less oil and gas we avoidably use, the better it is for us all, regardless of global warming theories.
It's not better for party supply houses who have to pay more for helium.
So what you are saying is it's a game that was never free in Windows 10 to begin with making the earlier comment completely invalid? Gotchya.
You know you are a hopeless MS fanboy when you find yourself defending Microsoft making Mine sweeper and Solitaire pay apps.
For free without any membership dues. There is a $35/min order amount to qualify.
Can you please elaborate? I'm using it right now.
I won't buy any desktop display or laptop less than 16:10.
What difference do small imperceptible changes to UI make while Chrome continues to stalk everyone using it?
--
#DeleteFacebook
rm -rf AS32934
General dislike of Amazon's business practices.
Agile is amazing. All of our competitors should adopt it.