Target's Data Breach Started With an HVAC Account
Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."
Car Analogy Time! (Score:2, Funny)
Re: (Score:3)
My mother was a Beta, you insensitive clod!
Network segmentation (Score:5, Insightful)
why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network
Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...
Re:Network segmentation (Score:5, Insightful)
Re:Network segmentation (Score:5, Insightful)
No, it is that proper security is really hard to do, especially when you deal with third parties that need to access portions of the network that management also needs to access. It doesn't help when the third party has one company account, and a reasonably high turnover rate of employees.
I used to have a rolodex of access cards for different clients and sites. Many companies required a different card for each building. Then this magical internet came along and they merged all of the security systems into central corporate security. Like magic I only needed one card for each client, locked down to specific areas I needed access in different buildings. Then... they had a problem. I couldn't get into the building to help out. It wasn't the end of the world, but the project manager I was working for ended up giving me all access to keep it from happening again. It took two years for a corporate security audit to call me and ask why the hell I needed "ring zero access" or whatever they called it. Up until that I had cash vault access for whatever stupid reason.
The bigger and more distributed organizations get, and the deeper the tree is on the contractors they work with, the more it becomes impossible to manage security without paying a huge efficiency penalty.
Sorry to get so off-topic; aren't we supposed to be talking about how miserable the beta.slashdot.org site is? Completely unusable; are there any other competing websites that could resurrect the old slashcode?
Re: (Score:2)
Re:Network segmentation (Score:5, Interesting)
My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning.
I was once the security advisor at a Large Place. A senior manager came to me and said, I want to forward all my email to Gmail so I can read it at home. (Much of it was sensitive stuff.) He said, "what do you advise?" I said, obviously, not to do it as it presented unacceptable risk, forwarding internal sensitive email to an external source beyond our control. He replied, "OK, I asked you the question, document that, will you? I can't help it if you gave the wrong answer" and he went ahead and set up forwarding. Actually, had someone set it up because he was clueless about how to do it.
Re: (Score:3)
I call shenanigans. This type of breach shouldn't be remotely possible if the cardholder data environment (CDE) was behind a proper firewall as per the PCI specifications. That means that anything that stores card data has a VERY short whitelist of what it may communicate with, and then only on the bare-minimum of ports. And no, just a VLAN won't cut it there. All of the registers, card readers, internal servers, switches, etc on which the card data flows are required to be firewalled both inbound and o
Analytics (Score:2, Interesting)
They probably have it all on one network so they can easily correlate the data. HVAC settings will influence purchases and a smart store is dynamically setting temperature to maximize sales volume, although within certain constraints.
Re: (Score:2)
It doesn't have to be on the same network to easily correlate data.
You pull from many locations to one to correlate data.
Re:Network segmentation (Score:5, Insightful)
In most companies, someone poking around would have their access clamped shut by an internal IPS, with SMS messages going out to admins via the IDS.
I'm sure there has to be a perfectly justifiable way to explain this, but almost any corporate network tends to be well segmented, with finance being the most locked down of any area [1]. Unless the internal fabric got compromised, this shouldn't have happened unless it was an attack with a lot of collusion from parties inside the organization.
[1]: One place I worked at had the machines in finance completely disconnected from the Internet, and were separated from each other (no file sharing possible unless going through the company servers.) If people wanted to browse the Web, they used Citrix receivers and a terminal server, which was configured to not let files in or out. Said machines were not just locked down via AD, but used both BitLocker (to keep the machines from being booted from other media) and DeepFreeze [2] to help ensure that if malware did get on the boxes, it wouldn't persist. All data was stored on remote machines. So far, AFAIK, these precautions did a good job at keeping bad guys out.
[2]: DeepFreeze isn't 100%, but it does come in handy as an additional tool for a locked down environment to keep things clean.
#insert
Re: (Score:3)
When I worked at IBM, management of the IDS for the IRS was outsourced to India.
[John]
Re: (Score:3)
Maybe I've not seen an example of this, but there is a point where I've not seen any meaningful enforcement of these regulations, be it PCI-DSS3, HIPAA, FERPA, Sarbanes-Oxley, or others. For example, from what has been shown in previous examples, PCI is almost a joke and given lip service at best. Tokenization of card numbers? Yeah, right.
Are these laws even relevant these days, since they don't seem to be actually heeded?
I wonder about replacing the existing penalties with taxes. A firm can ignore a
In MY experience ... (Score:2)
I have gone through this exact same "logic" at places where I've worked. It's impossible to explain to some people that ... while the person putting in X may be completely honest you are depending upon that person to have as good security practices as you have.
Except that that person does not have any idea of what network security is. Or computer security.
But it will make it easier if vendors X, Y and Z have remote access to their systems which are on the production network.
It will be more difficult if we h
Re: (Score:2)
And wouldn't that be the purpose of ACLs and firewalls? You can share the same physical network, but with proper ACLs you shouldn't be able to access the financial segment of the network from the HVAC segment.
What purpose does any of the HVAC machines need on the financial side of the network? Any traffic going between the two (in either direction!) should be blocked and send up red flags.
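The check described in the comment above (traffic between the HVAC segment and the financial segment, in either direction, blocked and flagged), as an added example that is not part of the original thread. The subnets, the log format and the flow records are constructed assumptions.

```python
"""Flag flows that cross between an HVAC segment and a payment segment.

Added illustration: the address plan and the flow log are constructed,
not taken from any real network.
"""
import ipaddress
from typing import NamedTuple

# Assumed (hypothetical) address plan for one store.
SEGMENTS = {
    "hvac": ipaddress.ip_network("10.20.30.0/24"),
    "payment": ipaddress.ip_network("10.20.40.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/20"),
}

# Segment pairs that must never exchange traffic. frozenset makes the
# rule direction-independent: hvac->payment and payment->hvac both match.
ISOLATED_PAIRS = {frozenset(("hvac", "payment"))}

# Constructed flow log: source, destination, destination port, and the
# action the filtering device took.
SAMPLE_FLOWS = """\
10.20.30.15,10.20.30.2,443,ALLOW
10.20.30.15,10.20.40.7,445,DENY
10.20.40.7,10.20.30.15,22,ALLOW
10.20.1.9,10.20.40.7,8443,ALLOW
10.20.30.15,203.0.113.50,443,ALLOW
not-an-ip,10.20.40.7,80,ALLOW
"""


class Finding(NamedTuple):
    severity: str
    src_seg: str
    dst_seg: str
    line: str


def segment_of(addr):
    """Return the most specific segment containing addr, else 'external'."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    matches = [(net.prefixlen, name)
               for name, net in SEGMENTS.items() if ip in net]
    return max(matches)[1] if matches else "external"


def review_flows(log_text):
    """Return findings for every flow that crosses an isolated pair.

    'critical' -> the filter allowed it: segmentation has failed.
    'alert'    -> the filter blocked it: still a red flag worth a look,
                  because nothing on one side should be trying.
    'unparsed' -> the record could not be read; never drop it silently.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            src, dst, port, action = line.split(",")
            int(port)
            src_seg, dst_seg = segment_of(src), segment_of(dst)
        except ValueError:
            findings.append(Finding("unparsed", "?", "?", line))
            continue
        if frozenset((src_seg, dst_seg)) in ISOLATED_PAIRS:
            severity = "critical" if action.upper() == "ALLOW" else "alert"
            findings.append(Finding(severity, src_seg, dst_seg, line))
    return findings


if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"{f.severity:8} {f.src_seg}->{f.dst_seg}  {f.line}")
```

Denied attempts are reported as well as allowed ones, since the comment's point is that either direction of traffic between these two segments is itself the signal.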
Re: (Score:2)
Sure you can put ACLs on switch ports and you can do layer two firewalls; in general you don't. Usually if you have a switch that can do ACLs you have a switch that can also do routing, so you can segment the network as well for little cost. That segment makes the broadcast domains smaller. Usually that leads to better performance. If you are doing layer 2 firewalls it's usually in the data center. Doing it on the plant floor would probably just create lots of problems for protocols like ARP, and if it
Re: (Score:3)
In general, yes. But the situation should not arise where you have to firewall a vendor's system because it should not be touching your production network in the first place. It's adding risk when it is not necessary.
Yes, it should. You are correct.
But this doesn't have to
Re: (Score:3)
It's not even necessarily that. The HVAC may or may not have had access into the "real" system, but it, at minimum, allowed them a foothold from which to perform penetration testing.
I remember implementing a change to our security because a chain that broke ultimately because some local SQL express SA accounts were open (on workstations, with 3rd party products that required local SQL express), which allowed further and further enumeration that ultimately ended with the discovery of a domain admin's crede
Re: Network segmentation (Score:5, Insightful)
The stupid part is that the HVAC controllers were not vlanned off to their own segment, only connected to HVAC-monitoring computers and a VPN gateway for just this function, but given how congested IDFs are and how expensive the staff is to continually maintain vlans and associated ports, I'm not surprised at all that this happened.
Re: (Score:2)
That's why they should have their own Internet connection coming in. They should NEVER touch the production network. There's just too much risk (as shown by Target).
Re: (Score:2)
But a Target store doesn't get its network rewired very often, and doesn't get the HVAC cables rewired ever (for some multi-year definition of "ever"). There's really no good reason for those to not be on their own separate physical switch, but if you're going to use a shared switch, it still isn't that hard. You just lock those ports to a nonstandard VLAN, disable tagged VLAN access for those ports, and leave all the other ports on the default VLAN, and you're done. Oh, and label the cables, and stick
Re: (Score:2)
Re: (Score:2)
The only segmentation required is for WiFi and publicly visible servers, like web and email. And "segmentation" isn't really defined in the PCI specs, so it's very, very fuzzy. Remote access to any part of the network is explicitly allowed (provided it's encrypted) if it's needed. And that's the thing about PCI - almost anything can be an exception based on the needs of the business. When the choice is between keeping the network secure and losing an important customer, even Visa and MasterCard get real pra
Re: (Score:3)
Non-compliance is about more than transaction fees. It also determines who pays when there is a breach. If Target is non-compliant, they are 100% responsible for all investigation and remediation costs (as well as any fraud committed using the compromised card numbers). In this case, according to TFA, that's up to $420 million, with only $160 million in insurance. A $260 million write-off probably won't put Target out of business, but it'll sure piss off the shareholders when it shows up in the annual repor
Such as? (Score:2)
Maybe this is why we have the beta (Score:5, Funny)
Re: (Score:3)
well, even if they swapped plus and minus on the power supply or turned the switch from SUCK to BLOW, I'm not sure it would improve the beta, any.
Re: (Score:2)
So, if I understand you correctly, you are saying that Dark Helmet designed the Slashdot Beta?
Re: (Score:2)
At least Target didn't change their website after fucking up so badly
HVAC vendor has network access to the POS system? (Score:5, Funny)
Re: (Score:2)
Not as good as the one about self-destructing chips, still pretty good
That's how it always happens (Score:2)
The weakest link won't be the shiny titanium front door.
DiceNews for Dicks (Score:3)
Rename the beta site and call it "DiceNews for Dicks". Then load it up with stories about the Deport Justin Bieber Movement http://www.google.com/url?sa=t... [google.com] and news for Kardashian stories https://www.google.com/search?... [google.com]
Leave Slashdot alone!
Community Was Right (Score:2)
Watch 'Community' on NBC. You'll see that the HVAC people are the hidden power in our civilization. Be very afraid.
Re: (Score:2)
turn off javascript (Score:2)
turn off javascript for slashdot.org, fsdn.com, googleadservices.com and truste.com.
problem solved.
Re: (Score:2)
Re: (Score:2)
turn off javascript for slashdot.org, fsdn.com, googleadservices.com and truste.com.
problem solved.
Don't forget to block third-party cookies!
"Been slashdot'd" takes on a whole new meaning... (Score:5, Insightful)
Re: (Score:2)
I was thinking something similar, but it was more like being destroyed by the very community that you were trying to court... out of an unwillingness to heed the warnings from that same community.
Target breach was bad, but not as bad as /. BETA! (Score:2)
Did the software have fixed passwords / users? (Score:2)
Did the software have fixed passwords / users?
Some software needs a fixed login to work.
Slashdot Beta (Score:5, Insightful)
Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.
Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.
I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.
Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.
Writing, wall, see it, hope you have negotiated a nice severance package.
Re: (Score:2)
So what you are saying here is that slashdot is fucking more people than DICE and Target combined? Cowboy Neal needs to verify this... I think the number is higher.
Why HVAC contractor has network access (Score:2)
Re:Why HVAC contractor has network access (Score:5, Informative)
Many large clients, particularly those with multiple locations like school districts or big box stores will hire a controls company, and pay them a bunch of money to save a target dollar amount or percentage amount on their energy costs. This is typically done through an online interface to monitor multiple locations simultaneously, and keep them all operating the same way. The user doesn't typically care how the contractor sets this up, they just want the savings. The cheaper the contractor can get to the target the more money he makes, which can lead to corner cutting by the contractor.
Some people (government, some Universities) tend to make the controls sub-contractors install a second, independent TCP/IP network for their equipment. But this security comes at a cost premium, particularly in existing buildings that already have a network in place for their computer needs. Most places I have seen don't bother with this due to the cost and the general availability of network connections in today's world. If the security is set up properly this shouldn't be needed, but we all know how often proper security is overlooked.
I kinda think the Beta is awesome. (Score:2, Interesting)
I honestly don't understand what the fuss is about.
Re: (Score:2)
Tried moderating there yet?
I just bought myself a year of Reddit Gold (Score:2)
Because the /. beta can't even properly suck on my nuts :(
Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.
Re: (Score:2)
If the problem persists, and all other options have been tried, contact the site administrator.
Hello?
Loyal readers trolling Slashdot protesting beta .. (Score:2)
Dice can't see it, since they are new here (he he)...
The most loyal long time most avid readers of Slashdot, are not trolling the site, in protest of the failed beta. Never thought I would see the day ...
Where is GNAA, Natalie Portman grits, and frist prost when you need them!
Let me explain ...
I have been a regular visitor to Slashdot for around 15 years. For that, I get the checkbox to disable ads, though I browse with Javascript disabled so my browser does not slow down.
I come here for the discussions, an
Re: (Score:3)
There is always the approach of calling Dice Holdings. Their telephone number is 212-725-6550.
Beta, NO! (Score:2)
common user / pass are easier with contract / subs (Score:2)
Common user / pass are easier to work with and manage when you are dealing with contracts / subs, even more so in an area like HVAC where the workers are not IT people and you have field work that can get subbed out to local firms. Now giving each tech their own login can be hard to keep track of, and you have to deal with lockouts due to expiring passwords as they may need to use them day to day.
How did they pass the audit? (Score:2)
It's not immediately clear why Target would have given an HVAC company external network access,..
They probably have access to the network because the heating and AC for the stores is centrally controlled, like it is at Walmart, for instance. That's not a surprise.
... or why that access would not be cordoned off from Target's payment system network."
This is definitely the bigger question. PCI is pretty clear about this. My next question is, how did they pass the audit?
Slashdot Beta sucks (Score:5, Informative)
I've emailed them... they ignore... the more they ignore the quicker their downfall.
Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after they AOL'ed it.
PS. I've been a slashdotter for 7+ years.
Re: (Score:2)
You've a lower UID than me and I'm sitting at 13y. I've provided feedback, months ago when this was alpha and again yesterday when they made this announcement.
Beta is def better than alpha was. Commenting is infinitely better on Beta than Alpha. But it's STILL incredibly backward compared to Classic. Slashdot is literally the only site (besides dedicated forums) where comments are worth doing. I suspect what's happening is Alpha was shit, developers feel like they've addressed the problems in Beta but peopl
Was about to read the story. (Score:2)
But then Beta was switched on and I quickly turned away. :(
POS Network Segregation... (Score:2)
One of my accounts has remote web accessible thermostats and the site shares a single public static IP, but my intranet is split between 3 different LAN segments with the POS segment isolated. Looks like it might be NSA preferred level of effective security configuration...
Umm... no network activity alerts? (Score:2)
I get that Target might've forced their IT department to take the cheap way out and forgo a nice, isolated building management system. That's out of their control.
But how could they not notice the spike in network traffic as data was being sent to the hackers?
They should know how much bandwidth their terminals are chewing up on average, how many transactions are occurring, approximately how much data should be crossing the network per transaction and have an eye out for a sudden burst of outgoing data headi
Re: (Score:3)
By saving money on the monitoring system.
Such a thing only happens when someone put in the effort to have a monitoring system. It doesn't happen by magic. Easy to set up in many cases but not there unless someone had set it up.
Re:FUCK BETA (Score:5, Informative)
**NOW WITH LINE BREAKS**
Please post this to new articles if it hasn't been posted yet.
On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.
Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.
If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.
We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]
Moderators - only spend mod points on comments that discuss Beta
Commenters - only discuss the Beta - Vote up the Fuck Beta stories
Keep this up for a few days and we may finally get the PHBs attention.
Re: (Score:2)
It will soon change to: "as our audience migrates". Keep up the discussion outside of their moderation power over on reddit: http://www.reddit.com/r/social... [reddit.com]
Re:"...as we migrate our audience..." (Score:4, Informative)
Believe me, there's no confusion about the immensity of the community's contribution to the site.
Re:"...as we migrate our audience..." (Score:4, Informative)
Then why are you pulling a Microsoft and ignoring your community? Your community /is/ your product. Like Microsoft forcing Metro with Windows 8, the beta site isn't functional and you insist on ignoring the very hands that feed you. Without your community slashdot is just another has-been website.
Re: (Score:2, Informative)
The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.
I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.
Re:"...as we migrate our audience..." (Score:5, Informative)
I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.
You only need to implement ONE suggestion and everyone will be happy. Let people continue to use Classic interface if they choose. That's all you need to do.
Re: (Score:2)
I disagree. The beta site needs to go. If it becomes the default it will just drive away people who can't be bothered to switch every time or who are new and don't know you can switch. It's that bad, that broken.
Soulskill, what is actually wrong with the classic layout that needs such a radical change to fix? Why can't you implement improvements on that platform?
Re: (Score:2)
I don't envy your position; nobody likes being a spokesman in front of an angry mob. Thank you for keeping things calm.
Here's the situation: you've got an old codebase which you'd like to get rid of, and an old userbase which you'd like to keep. Unfortunately they're part and parcel, and it's sounding like divorcing the two isn't much of an option. The question thus comes down to which is more important.
If I may ask: has anyone in the userbase specifically requested that classic view support be dropped?
I
Re: (Score:2)
No, of course not. And make no mistake, we'd love to leave the classic site around in perpetuity for those who prefer it.
But it does take engineering resources to maintain. Maybe not a lot, but not a trivial amount either. There are a number of concerns here; eventually, something about the old site will break, and we'll have to dedicate engineering time to fixing it. Whenever we roll out new features on t
Re: (Score:2)
Do you think you're talking to children h
Re: (Score:3)
If only you hadn't wasted all that effort building a broken beta site, and had instead focused on improving the classic site.
Out of interest, what drove the decision to start over with a new layout and code base instead of trying to improve what you had? Is the Classic code really that bad or something? I remember when the mobile site launched and one of the developers listed all the cool technologies they were trying to shoehorn in to it, so it really just seems like a desire to pad their CVs and play with
Re: (Score:2)
But that's essentially what you're doing - the switch may be flipping in slow motion, but it's flipping none the less. All the pious corporatespeak to the contrary doesn't change that one bit. You claim to regard the community, while completely *disregarding* them.
Re:"...as we migrate our audience..." (Score:4, Interesting)
The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.
Soul, I know you are in a difficult position, having been told to do spin control for a furious userbase. But you don't have to insult our intelligence. Redirects to beta were going on well before this, and the sentiment hasn't changed. It's been negative from the moment people started getting redirected. Management has been ignoring the users from day one under the notion that they'll like it once they get used to it, and hey, look at how Facebook changes things and people complain, but keep using Facebook.
But your seniors don't seem to understand that this isn't Facebook. This isn't a site for the general population, and it's not irreplaceable nor without intense competition. There are thousands of internet forum sites out there, many of whom have the same target audience. I do not buy the argument for one second that management was ignorant of the poor opinion held of its new "beta".
I get that they bought the house and now they want to repaint it so it's "theirs", but they've gone too far. Very far too far. They have failed to understand their target audience completely, believing that we're just like any other of the dozens of assets they hold in their portfolio, and it'll homogenize with the rest if they just stay the course.
It won't. They're going to tank their investment and once the users bail, they won't come back. They'll be like the MySpace of the IT world: It was popular at one time, but now it's a ghost website nobody cares about, just another content aggregation website, and not even a particularly valuable one. Nobody wants to see this happen... apparently, except for the senior management. We've spoken clearly, and unequivocally, in every possible way, that this is a bad decision. We've been doing this for days, and have received no indications from these people that they've even noticed.
Do we have to set fire to the facilities they live in? DDoS all their sites? I mean, really, Soulskill... we've exhausted every avenue to let these people know "Hey dudes, train coming. Train. Big train. Honk honk. Motherfucking train, on the mother fucking tracks, coming your way. TRAIN." ... And they seem to be content to just lay there like some drunk and wait for it to run them over.
If this is how it has to be, fine. But at least tell us that if Slashdot goes tits up someone on the Dice board of directors is getting shit-canned... because otherwise, the nerd rage that has built up here is going to find other, less pleasant, ways of extracting their pound of flesh from Dice. If you think the Slashdot Effect on other websites is bad... wait until a hundred thousand pissed off IT people each sitting on massive bandwidth pipes, decide to ping the SS Dice Fail Boat. It will not be pretty.
Re: (Score:2)
The thing that is most frustrating to me is that it seems that many of the complaints brought up when the Beta first went public [slashdot.org] persist. Looking back at the feedback in that comment section, there are a lot of specific criticisms of the site. It wasn't general complaining, but pointing out stuff that should be fixed. Lots of that went ignored.
I wrote an email back in October with some feedback, and I wrote another today. The company has had five months to fix some pretty basic things and listen to feedbac
Re: (Score:2)
Believe me, there's no confusion about the immensity of the community's contribution to the site.
Join us! Give yourself to the Dark Side. It is the only way you can save your friends. Yes, your thoughts betray you. Your feelings for them are strong. And we have cooler spaceships and better dialogue.
Re: (Score:2)
Believe me, there's no confusion about the immensity of the community's contribution to the site.
That's a bit of an understatement. Without the community, there is no Slashdot. So why do you think the community exists in the first place?...
Beta hinders that style of conversation. Yes, the chaos does create a lot of noise, but some of that "noise" is valuable. Some of the best posts I've ever seen on Slashdot ... whether
Re:"...as we migrate our audience..." (Score:5, Insightful)
There are readers and contributors. Slashdot acknowledges some people as meaningful contributors by allowing them to disable ads. So, yes. We contributors ARE paying to use the site by offering our content. We're not giving the content for free, we get compensated in the form of a site that lives up to our high standards. So, when the compensation fails to be adequate, we must be vocal. We understand that we can stop using the "free" site at any time. We become vocal in hopes it doesn't have to come to that.
Re: (Score:2)
Re:"...as we migrate our audience..." (Score:5, Insightful)
Well, aren't you just an entitled little shit.
Do you not understand his argument, or are you really just an asshole? The value of Slashdot that keeps old-timers coming back, and brings new people in, is the content... and virtually all of that content is created and moderated by the users. Yes, the site itself is valuable as well, but only because it enables a certain style of discussion and fosters a particular kind of community, all built around that user content.
When the site no longer enables the discussion and fosters the community that is Slashdot, it ceases having any value. People will leave. The quantity, quality, and very nature of the content will change... and as that continues, more people will leave. Now you're into a potentially unstoppable death spiral, and whatever remains will be just a pale image of the greatness that once existed.
Do you expect us to keep our mouths shut? We don't want to see Slashdot die! Even if an alternative pops up somewhere, it won't have all the history that this site has. Losing all of that will be tragic.
Re: (Score:2)
Excellent comment. OTOH, my cynical side is suspicious of how tone-deaf the site owners seem to be. It makes me wonder if the following item was on an NSA todo list somewhere:
Destroy Slashdot. After those damned Snowden leaks the Slashdot community seems to be united against us. As long as they were divided and bickering, they were not a threat.
Re:"...as we migrate our audience..." (Score:5, Informative)
Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?
We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.
Re: (Score:2, Insightful)
Where do people get this strange notion that the hosters of free services should never receive negative feedback?
They provide the service for free because they want people to use it (usually for ad revenue, though there are other motivations). If people don't like it, they won't use it. Providing negative feedback informs the providers that something is driving users away, which suggests changes that could increase usage, which is ultimately what the provider wants.
Receiving something for free does not ne
Re:"...as we migrate our audience..." (Score:5, Insightful)
This is very true. Please keep the feedback coming. The more constructive, the better.
Re:"...as we migrate our audience..." (Score:5, Informative)
This is very true. Please keep the feedback coming. The more constructive, the better.
Kill Slashdot Beta and start from scratch.
That is a constructive suggestion, and absolutely doable.
Re: (Score:2)
The day that Slashdot Beta becomes the default Slashdot is the day I stop coming to Slashdot.
Re:"...as we migrate our audience..." (Score:5, Informative)
This is very true. Please keep the feedback coming. The more constructive, the better.
I admire you actually coming out and posting, but I'd point out that there has been a plethora of constructive, detailed feedback on the beta already, seemingly to no avail.
But since you asked, I'd recommend:
Keep the Classic Slashdot.
Re: (Score:2)
The Beta leaves much to be desired and seems like it is change for the sake of change.
Quit trying to be what other sites are being and stay true to /.'s roots.
Re: (Score:2)
I tried telling you once already that there is no longer any way to see replies to your posts, making discussion impossible and the comment section unusable.
But if you're using beta, I guess you wouldn't know, because you never saw that you got a reply.
Re: (Score:2)
Okay,
Please make a discussion system like D1 available, even if it has to be limited to some table that won't flow the page to accommodate the rest of the new page layout.
Re: (Score:2)
What more can we say than we like the current system better? The Beta fails in many ways - hiding post times, hiding UID, making it hard to navigate "up", and so on.
Why fix what isn't broken? I still browse with the original no-JavaScript layout, just a page of comments and no "live" controls. It's great; it's just the way I like it. I like "reply to this" as a plain old link that I can middle-click on to compose a reply in a new tab. I like the fact that the entire comment tree is pre-expanded and I d
Re: (Score:2)
Oh, I don't know, probably the people complaining about the people complaining about beta are Dice Employees. Wouldn't surprise me.
Re: (Score:2)
Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?
You do realize that even subscribers to Slashdot are getting the shaft here too? Some people actually are paying for Slashdot, so shut the F*** up about this kind of reasoning and learn a bit about what people are complaining about.
Re: (Score:2)
There's a lot of hate from Anonymous Coward for critics of beta.
I hope this isn't Dice astroturfing their own site.
Re: (Score:2)
Freely? We do get marketed to. See the ads scattered all over /.
Re: (Score:2)
Since Slashdot without comments is more or less pointless, we actually are paying, it just isn't with money.
If a website is a commodity, then our user generated content and comments are likewise a commodity. On some sites this contribution is pretty marginal, but on Slashdot it's the basis of the entire business model.
Since Slashdot profits from the userbase contributions, that means those contributions have a value.
So yes, I pay, though the contributions are probably not worth a lot ;)
Re:"...as we migrate our audience..." (Score:4, Insightful)
Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?
Well, I provide content by commenting, and I improve the quality of content by moderating. For nothing. Without people like me doing that, Slashdot ceases to exist.
Re: (Score:2)
Is it really so bad? (Score:2)
Re: (Score:2)