Comment Re:Open source code is open for everyone (Score 1) 211

Most are language-independent... no surprise to see CWE-89 (SQL injection) and CWE-78 (command line injection) in there, as well as the slough of crypto/authN/authZ-related stuff. But where are the language-dependent bugs coming from? If you drill down on the code examples for CWE-120, -131, -134, and -676, you'll see C and C++ are a recurring theme.

Good, then we're agreed: buffer overflows are not the most common security vuln.

All we need now is for you to realize that, if someone thinks the language means they don't need to worry about security, then their code will be much more vulnerable, even if they write in Java. Once you realize that, then we will be completely agreed.

Comment Re:not the point (Score 1) 375

If you're talking about the x11 stipple functions, then they're not a reason to replace X11 either, just ignore them until no one uses them, then remove them. If people are using them, then there's a reason to not remove them.

Being old is not a reason to replace software. Being new does not make software better.

Although, if you'd like to tell me how the computing landscape has moved on significantly, I'm sure I'd be entertained to hear it.

Comment Re:Funny thing about this... (Score 1) 29

Now this book comes out explaining that a SOC is basically just a bunch of smart (expensive) people intelligently mining data?

The hard part is finding the capable (expensive) people, even if you are willing to pay a lot. Programmers and IT guys are not hard to find in America, but capable ones are.

Comment Re:No Kidding (Score 1) 220

As the thread suggests, one advantage to different coding styles is that you can generally tell who wrote what and, if there seems to be a bug, you can track them down and tell them to fix it in that ugly mess. In our office, we have the rule that if you go around changing code style, you now own that code and are responsible for it. About the only issue we've run into is that people's styles evolve over time. So the guy right out of school may have a certain style that changes as he is exposed to more styles.

git/cvs/svn/mercurial blame can tell you who wrote whatever code. Please tell me you are using some kind of source repository...

Comment Re:Well I guess it's a good thing... (Score 4, Interesting) 203

Yeah, once again, compare the dross on the internet to the good things. Slashdot, Wikipedia, a bunch of corporate websites you can visit to learn about their company, restaurant websites, LinkedIn seems to be a decent place to look for a job, eBay, Amazon, some news websites. Slashdot and some news websites would die without advertising, but I would be willing to subscribe to those.

Now look at all the negative stuff. Buzzfeed, wired.com, all those websites that spew crap in order to attract your eyeballs. Out of all of that, are there any websites that would die without advertising, which you would also not be willing to subscribe to?

The only one I can think of is Facebook, and if that one died, it would only encourage a distributed model, where everyone essentially ran their own RSS feed for their friends to look at (or something similar).

So let the advertising die, I say, the internet will be a better place for it.

Comment Re:Well I guess it's a good thing... (Score 4, Insightful) 203

At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

I used to agree with you, but at this point, it's too dangerous to not block ads. You never know when one of them will be malware, and it's not a risk I want to take.

Last time this conversation came up, someone suggested that the internet was better before advertising. I think there's some truth to that.

Comment Re:Something Suspicious (Score 1) 203

How come such a relatively simple file - something that essentially plays media content - continues to be such a hotbed of vulnerabilities? And not just bugs, but zero-day exploits too. Do I need a tinfoil hat? Or is it just a tad suspicious that this one product continues to have so many vulnerabilities found in it. After all this time. After all these previous bugs.

No, it's not suspicious, it's exactly what you would expect from corporate programmers in a system that wasn't designed with security in mind.

When people try to make code secure, it's difficult. When people don't even try, it's impossible.

Comment Re:"Science"? (Score 1) 200

I do not believe there are ANY field studies in Meyer's book that show OOP "being better". You are welcome to prove me wrong.

I don't think so either. Furthermore, they probably wouldn't be accepted generally as OOP, because his definition of OOP is different than most people's (Java and C# still don't have support for contracts).

However, such studies do exist. I particularly like that paper, because the authors made an effort to understand the data, instead of merely giving a P value and hoping it would get published. For example, when the data allowed several alternative explanations, they interviewed the developers and managers of the projects to understand which interpretation was most realistic.

THAT is object oriented computer science.
