Software

Getting Through the FOSS License Minefield 96

dotancohen writes "Here's an exercise: Write a GPLed server for solving Freecell that the graphical game would communicate with using TCP/IP or a different IPC mechanism. Easy, right? Except for that pesky licensing bit. Our own Shlomi Fish gives an overview of the various options in picking up a licence for one's FOSS project, and tries to give some guidelines for choosing one."

Comment Some attack suggestions (Score 1) 175

I browsed the PDF, and it seems they have some trampoline code in the first 64KB of memory that has unsafe instructions that allow that code to do more dangerous things. The idea is that the untrusted code can only interface with the trampoline code, which checks that nothing funny is going on, then it interacts with the real OS.

I see a primary weakness is that they support threads. Start a thread, and have it try to interfere with another thread calling the trampoline code. Basically, mess about with the "stack" trying to get it to jump to a non-32-byte boundary. The trampoline code seems to be a very weak spot, and attacking it seems like the easiest area to go after. It's very difficult to make the trampoline code safe from attacks from other threads in the same address space (it actually may not be possible to make it bulletproof). Try to attack the trampoline to make failing security checks into passing ones--the idea is the trampoline code has to store data somewhere--just try to modify it.

I think they may have some weaknesses in mmap, mprotect, etc.--they need to check these calls very carefully. Try to remap the trampoline code to another address (which would then be vulnerable). Try to map in a library over the trampoline code. The PDF itself said they check open() carefully, but then not read()...this shows they are probably being too clever and not defensive enough.

Another area is creating races--is it possible to provide one copy of the code to the checker, and another copy actually gets loaded into memory? This is surprisingly difficult to get right, but depends a great deal on how they load code (or, rather, how the code is presented to them in the first place, I guess by a browser).

Note that any check the trampoline code makes might be bypassable by a clever thread, which changes the data after the sandbox check is complete but before the OS call is made. OS calls which take in buffers probably don't "snapshot" the data to protect it from being changed by threads, so there may be a large window in which threads can break the sandbox security (the security check passed, but then a thread changes the data to unsafe values before the OS acts on it).

And of course, try to break out of the sandbox by exposing OS-level bugs or just extreme events such as opening too many files, overflowing structures, to create a way out of the sandbox.

If you have time to try all of the above, enjoy your $512.
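The "snapshot" point in the comment above is the classic double-fetch (TOCTOU) problem in a system-call gate. The following is an added illustration, not code from Native Client or from the commenter: a constructed model of a gate that validates arguments living in memory another untrusted thread can write to. The sandbox address range, the `open_args` layout and the `racer_fn` hook (which stands in for a second thread being scheduled between check and use) are all assumptions of this example. The in-place gate re-reads the shared struct after validating it; the hardened gate copies it once into gate-private memory and validates and uses only that copy, so the OS acts on exactly the values that were checked.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical untrusted region [SANDBOX_BASE, SANDBOX_BASE + SANDBOX_SIZE). */
#define SANDBOX_BASE 0x10000u
#define SANDBOX_SIZE 0x10000u

/* Constructed argument block for a guarded open() call. */
struct open_args {
    uint32_t path_addr;   /* address of the path inside the sandbox */
    uint32_t path_len;    /* length of the path */
    uint32_t flags;
};

/* Memory that untrusted threads may write at any time. */
static struct open_args shared_args;

/* Stand-in for another untrusted thread running between check and use. */
typedef void (*racer_fn)(void);

/* Overflow-safe check that [addr, addr+len) lies inside the sandbox. */
static bool range_in_sandbox(uint32_t addr, uint32_t len) {
    if (len > SANDBOX_SIZE) return false;
    if (addr < SANDBOX_BASE) return false;
    return (addr - SANDBOX_BASE) <= (SANDBOX_SIZE - len);
}

/* Defective gate: validates the shared struct in place, then fetches it again.
 * Anything that changes shared_args between the two reads reaches the OS. */
int gate_open_inplace(racer_fn racer, struct open_args *used) {
    if (!range_in_sandbox(shared_args.path_addr, shared_args.path_len)) return -1;
    if (racer) racer();            /* another thread gets the CPU here */
    *used = shared_args;           /* second fetch: may no longer be in range */
    return 0;
}

/* Hardened gate: one fetch into gate-private memory; check and use the copy. */
int gate_open_snapshot(racer_fn racer, struct open_args *used) {
    struct open_args snap = shared_args;   /* single fetch */
    if (!range_in_sandbox(snap.path_addr, snap.path_len)) return -1;
    if (racer) racer();            /* later writes to shared_args are irrelevant */
    *used = snap;                  /* the OS sees exactly what was validated */
    return 0;
}

/* Constructed racer: points the path outside the sandbox after the check. */
static void racer_rewrite_args(void) {
    shared_args.path_addr = 0;
    shared_args.path_len = 4096;
}

/* Runs one gate against the racer. Returns 1 if the arguments the OS would
 * act on are still inside the sandbox, 0 if they escaped, -1 if rejected. */
int demo(int use_snapshot) {
    struct open_args out;
    shared_args.path_addr = SANDBOX_BASE + 0x100;   /* valid starting state */
    shared_args.path_len = 16;
    shared_args.flags = 0;
    int rc = use_snapshot ? gate_open_snapshot(racer_rewrite_args, &out)
                          : gate_open_inplace(racer_rewrite_args, &out);
    if (rc != 0) return -1;
    return range_in_sandbox(out.path_addr, out.path_len) ? 1 : 0;
}

int main(void) {
    printf("in-place gate, args still in sandbox after race: %d\n", demo(0));   /* 0 */
    printf("snapshot gate, args still in sandbox after race: %d\n", demo(1));   /* 1 */
    return 0;
}
```

The racer is a plain function call rather than a real pthread so the outcome is deterministic; with an actual thread the window is the same but the result depends on scheduling, which is exactly why such bugs go unnoticed in testing. The same single-fetch discipline applies to any pointer or length the gate reads from shared memory, including the contents of buffers passed to read() and write().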

Comment Re:There is a reason (Score 1) 633

This is called "clean room" engineering.

However, it is my understanding there is no settled legal basis for this extreme view. Can you cite any court cases where copying concepts from code was considered illegal even though the copy differed significantly? And where it was ruled that a clean-room technique would have been valid?

I think the closest analogy which seems pretty settled is book authorship. If I write a book about a girl, her dog, a scarecrow, and a tin man heading to Oz to meet a wizard, etc., then I have a good chance of losing a copyright infringement claim by the owners of the Wizard of Oz. Even if I didn't read the book, and if only a 3rd party told me the broad outline of the story. Unless it's funny. (Which is true--parody is an exception).

However, lots of people write books inspired by other books, even "borrowing" characters, and generally this is OK. It doesn't matter whether you read the book or not, or whether some 3rd party told you the story.

It's funny.  Laugh.

Submission + - Man With Missing Brain Employed As Bureaucrat

mbstone writes: "In a medical story to be published in next week's Lancet, doctors say a 44-year-old French civil servant leads a normal life despite CT and MRI scans that show that his brain is 'virtually absent.' The civil servant is said to have an IQ of 75 despite his brain's grey and white matter being 'completely crushed against the sides of his skull.'"
Education

Submission + - Would you buy an OLPC, if you had to pay extra...

VoxVeritas writes: How much would you pay for an OLPC laptop, if the extra money you paid would buy one for a worthy child? It seems to me that it would be a good way to get more machines into the hands of kids that need them by charging enough to sell them to geeks like us, so that each OLPC sold would buy a machine for a child that needs one. Plus, imagine all the free software development that the program would get. The BBC has a pretty good article about the OLPC: http://news.bbc.co.uk/2/hi/technology/6679431.stm How much would you pay: $200, $250, $300 or $333 (if it came with a Mr. Wizard Laptop bag)?
Handhelds

Submission + - What's Keeping US Phones in the Stone Age?

knapper_tech writes: After seeing the iPhone introduction in the US, I was totally confused by how much excitement it generated in the US. It offered no features I could see beyond my Casio W41CA's capabilities. I had a lot of apprehension towards the idea of a virtual keypad and the bare screen looked like a scratch magnet. Looks aren't enough. Finally, the price is ridiculous. The device is an order of magnitude more expensive than my now year-old keitai even with a two-year contract.

After returning to the US, I've come to realize the horrible truth behind iPhone's buzz. Over the year I was gone, US phones haven't really done anything. Providers push a minuscule lineup of uninspiring designs and then charge unbelievable prices for even basic things like text messages. I was greeted at every kiosk by more tired clamshells built to last until obsolescence, and money can't buy a replacement for my W41CA. I finally broke down and got a $20 Virgin phone to at least get me connected until I get over my initial shock. In short, American phones suck, and iPhone is hopefully a wakeup call to US providers and customers. Why is the American phone situation so depressing?

Before I left for Japan about a year ago, I was using a Nokia 3160. It cost me $40 US and I had to sign a one year contract that Cingular later decided was a two-year contract. I was paying about $40 a month for service and had extra fees for SMS messages.

After I got to Kyoto, I quickly ended up at an AU shop and landed a Casio W41CA. It does email, music, pc web browsing, gps, fm radio, tv, phone-wallet, pictures (2megapixel), videos, calculator etc. I walked out of the store for less than ¥5000 (about $41) including activation fees, and I was only paying slightly over ¥4000 (about $33) per month. That included ¥3000 for a voice plan I rarely used and ¥1000 for effectively unlimited data (emails and internet).

Perhaps someone with more knowledge of the costs facing American mobile providers can explain the huge technology and cost gap between the US and Japan. Why are we paying so much for such basic features?

At first, I thought maybe it was something to do with network infrastructure. The US is a huge land area and Japan is very tiny. However, Japan would have lots of towers because of the terrain. Imagine something like Colorado covered in metropolitan area. Also, even though places like rural New Mexico exist, nobody has an obligation to cover them, and from the look of coverage maps, no providers do. Operating a US network that reaches 40% of the nation's population requires nowhere near reaching 40% of the land area. The coverage explanation alone isn't enough.

Another possibility was the notion that because Americans keep their phones until they break, phone companies don't focus much on selling cutting edge phones and won't dare ship a spin-chassis to Oklahoma. However, with the contract life longer, the cost of the phone could be spread out over a longer period. If Americans like phones that are built to last and then let them last, the phones should be really cheap. From my perspective, they are ridiculously priced, so this argument also fails.

The next explanation I turned to is that people in the US tend to want winners. We like one ring to rule them all and one phone to establish all of what is good in phone fashion for the next three years. However, Motorola's sales are sagging as the population got tired of dime-a-dozen RAZRs and subsequent knockoffs. Apparently, we have more fashion sense or at least desire for individuality than to keep buying hundreds of millions of the same design. Arguing that the US market tends to gravitate to one phone and then champion it is not making Motorola money.

At last I started to wonder if it was because Americans buy fewer phones as a whole, making the cost of marketing as many different models as the Japanese prohibitive. However, with something like three times the population, the US should be more than enough market for all the glittery treasures of Akiba. What is the problem?

I'm out of leads at this point. It's not like the FCC is charging Cingular and Verizon billions of dollars per year and the costs are getting passed on to the consumer. Japanese don't have genetically superior cellphone taste. I remember that there was talk of how fierce mobile competition was and how it was hurting mobile providers' earnings. However, if Japanese companies can make money at those prices while selling those phones, what's the problem in the US? It seems to me more like competition is non-existent and US providers are ramming yesteryear's designs down our throats while charging us an arm and a leg! Someone please give me some insight.
Communications

Submission + - Are Mobile Phone Masts Responsible For Illness?

drewmoney writes: According to a major UK study, symptoms of illness caused by mobile phone masts are "all in the mind".

Excerpts from http://news.bbc.co.uk/2/hi/health/6914492.stm

Dozens of people who believed the masts triggered symptoms such as anxiety, nausea and tiredness could not detect if signals were on or off in trials.

However, the Environmental Health Perspectives study stressed people were nonetheless suffering "real symptoms".

Campaign group Mast Sanity (http://www.mastsanity.org/) said the results were skewed as 12 people in the trials dropped out because of illness.
