Comment: Re:Security by Obscurity? (Score 1) 82

by TheRaven64 (#46831057) Attached to: OpenSSL: the New Face of Technology Monoculture
No, he's talking about mitigation, which is a well-known security practice. It's not about obscurity - you can have two or more open source implementations, but it's then harder for the same bug to be in both or all.

To give a concrete example, take a look at the DNS root zone servers operated by Verisign. They run a 50:50 mix of Linux and FreeBSD and increasingly a mix of BIND and Unbound. They use a userspace network stack on some and the system network stack on others. If someone wants to take out the root zone, they need to find exploits for each of these systems. A bug that lets you remotely crash a FreeBSD box likely won't affect Linux and vice versa. That gives them a little bit more time to find the fix (they also massively overprovision, so if someone does take out all of the Linux systems then the FreeBSD ones can still handle the load, and vice versa). If someone finds a bug in BIND then the Unbound servers will be fine.

If your web site were running a mixture of OpenSSL and something else, then it would be relatively easy to turn off the servers running OpenSSL as soon as the vulnerability is disclosed and only put them back online when they've been audited for compromises. Of course, it depends a bit on what your threat model is. If a single machine being compromised is a game-over problem, then you're better off with a monoculture (at your organisation, at least). If having all (or a large fraction) compromised is a problem, but individual compromises are fine, then it's better to have diversity.

Comment: Re:Apples and oranges (Score 1) 82

by TheRaven64 (#46831031) Attached to: OpenSSL: the New Face of Technology Monoculture
The problems with OpenSSL aren't actually in the crypto parts. libcrypto is pretty solid, although the APIs could do with a bit of work. The real problems are in the higher layers. In the case of Heartbleed, it was a higher-level protocol layered on top of SSL and implemented poorly. It was made worse by the hand-rolled allocator, which is also part of libssl (not libcrypto).

Comment: Re:Is anyone surprised? (Score 1) 82

by TheRaven64 (#46830969) Attached to: OpenSSL: the New Face of Technology Monoculture
OpenSSL is quite shockingly bad code. We often use it as a test case for analysis tools, because if you can trace the execution flow in OpenSSL enough to do something useful, then you can do pretty much anything. Everything is accessed via so many layers of indirection that it's almost impossible to statically work out what the code flow is. It also uses a crazy tri-state return pattern, where (I think - I've possibly misremembered the exact mapping) a positive value indicates success, zero indicates failure, and negative indicates unusual failure, so people often do == 0 to check for error and are then vulnerable. The core APIs provide the building blocks of common tasks, but no high-level abstractions of the things that people actually want to do, so anyone using it directly is likely to have problems (e.g. it doesn't do certificate verification automatically).

The API is widely cited in API security papers as an example of something that could have been intentionally designed to cause users to introduce vulnerabilities. The problem is that the core crypto routines are well written and audited and no one wants to rewrite them, because the odds of getting them wrong are very high. The real need is to rip them out and put them in a new library with a new API. Apple did this with CommonCrypto and the new wrapper framework whose name escapes me (it integrates nicely with libdispatch), but unfortunately they managed to add some of their own bugs...
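As an added illustration of the return-value pitfall described in the comment above (not code from OpenSSL or from the commenter), here is a constructed tri-state function with the buggy `== 0` check next to a check that only accepts an explicit success:

```c
/* Constructed stand-in for a tri-state API, following the convention the
 * comment describes (not an OpenSSL function):
 *   > 0  success
 *   = 0  ordinary failure (e.g. verification did not pass)
 *   < 0  unusual/internal error (nothing was verified) */
int tristate_verify(int scenario)
{
    switch (scenario) {
    case 0:  return 1;   /* verified */
    case 1:  return 0;   /* verification failed */
    default: return -1;  /* internal error */
    }
}

/* The pattern the comment warns about: testing only for == 0 treats the
 * negative "unusual failure" as success. */
int buggy_is_ok(int rc)
{
    if (rc == 0)
        return 0;  /* catches the ordinary failure... */
    return 1;      /* ...but -1 falls through to "ok" */
}

/* Hardened check: anything other than an explicit success is a failure,
 * while the error class stays available for logging. */
enum verify_outcome { VERIFY_OK, VERIFY_FAILED, VERIFY_ERROR };

enum verify_outcome classify(int rc)
{
    if (rc > 0)  return VERIFY_OK;
    if (rc == 0) return VERIFY_FAILED;
    return VERIFY_ERROR;
}

int safe_is_ok(int rc)
{
    return classify(rc) == VERIFY_OK;
}

/* Count the scenarios the buggy check accepts but the safe one rejects;
 * any non-zero count is a false accept. */
int count_false_accepts(void)
{
    int n = 0;
    for (int s = 0; s < 3; s++) {
        int rc = tristate_verify(s);
        if (buggy_is_ok(rc) && !safe_is_ok(rc))
            n++;
    }
    return n;
}
```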

Comment: Re:What?? (Score 1) 71

by TheRaven64 (#46830929) Attached to: WhatsApp Is Well On Its Way To A Billion Users

If by 'any deal' you mean 'any contract' then they generally do come with either unlimited texting or quite a lot, but that's not true for pre-paid plans, which have made up the majority of the market for the last few years. I'm currently with Three, and they charge 3p/min for calls, 2p/min for texts and 1p/min for data - I'd have to spend a lot of time on the phone to come close to the cost of the cheapest contract plan, so they really only make sense for people who use their phone for business, or who haven't worked out that the 'free' phone that they get is really a loan at 50+% APR to buy a phone. For 2p, I can have one SMS or 2MB of data. The latter is enough to keep an IM connection open all day, so I can see the attraction of things like WhatsApp, especially since you can switch to the desktop version whenever you find the keyboard too limiting.

And that's not counting the fact that you can use WiFi when you're somewhere where roaming is expensive, which is the only reason I still have a SIP client installed on my phone: It's cheaper for me to make calls to the UK from the UK over the mobile network, but when I'm abroad (outside one of Three's Feel at Home countries) it's often a lot cheaper to use SIP. Sending text messages abroad is very expensive, but using WiFi is usually free.

Comment: Re:What?? (Score 1) 71

by TheRaven64 (#46830899) Attached to: WhatsApp Is Well On Its Way To A Billion Users
No prepaid plans in the UK come with unlimited texting. You can generally buy a bundle that includes it, but a bundle that provides more data than it's easy to use on a smartphone (without tethering) is generally cheaper and allows you to use email and the web as well as IM apps. I generally pay £1-2/month, and it costs as much in terms of data to have an entire day of IM connectivity as it does to send one SMS.

Comment: Re:And As Usual... (Score 1) 151

by Kjella (#46827191) Attached to: OnePlus One Revealed: a CyanogenMod Smartphone

For the life of me I don't understand why people consider a non-removable battery (and batteries are very prone to failures) to be a feature; I like to have spares in case I go somewhere charging is not possible or convenient or in the more likely case the original battery loses its ability to keep a charge like I've experienced with two different Li-Ion batteries.

Well, I can't speak for the failure rate but my iPhone 4 is now 3.5 years old and during Easter I used it a lot; even after a day of heavy use I still had 20% battery left. Today it's at 67% after 2 hours of GPS tracking. For daily use it's still fine and I'm guessing it will be fine for years to come. For weekends and vacations away from a charger I'm considering getting a battery pack - compared to the original 1420 mAh battery you can get a 7000-10000 mAh external charger for cheap. You put it in your backpack or luggage and plug it in where you sleep at night, even if that's a remote cabin or a tent in the wilds. Or for that matter just turn off the "smart": if I kill data traffic it'll last very long as a dumb phone, as I've done abroad due to cost. Basically, as long as the battery works it's not really a problem.

Comment: Re:Uh... (Score 1) 407

by Kjella (#46823649) Attached to: Supreme Court OKs Stop and Search Based On Anonymous 911 Tips

This. The NPR article seems misleading. They stopped him based on the 911 call. Which seems reasonable to me. If some moron is driving like a fool I'd really like the cops to stop him. The probable cause for the SEARCH was due to the marijuana smell. I don't think this ruling is as broad as it's being made out to be.

Well, the cops did get a tip of one reckless maneuver that allegedly forced the tipper off the road. They tailed the truck for five minutes and saw no traffic violations or poor driving to corroborate the story. Then they pulled the truck over instead of being on their way. I'd agree with the dissenters: there's no reasonable suspicion of an ongoing crime - that is, drunk driving - and they pulled him over on a fishing expedition. One incident, observed by nobody but an anonymous tipper who may or may not have called it in just to be mean - I mean, it's quite impressive to get a full license plate down while you're really being run off the road, so some generous exaggeration may have happened. She didn't even accuse them of driving drunk; that's the court's argument that maybe they were, while completely ignoring that the officers saw no sign of it.

Comment: Re:Wow (Score 1) 78

by Kjella (#46821929) Attached to: BioWare Announces <em>Dragon Age Inquisition</em> For October 7th

Or maybe you just have a pack rat obsession with owning things while the rest of us are just looking to get some entertainment. I "buy" a non-transferable license to a DRM-locked online-tied sandbox; even a DVD, which also has DRM, is more liberal as I can sell, lend, play anywhere without anyone's approval or activation, but even that one I can't back up or format shift legally as I expect to do with my own property. None of that is an absolute necessity though; what matters is if the value (utility, desire) exceeds the costs (money, inconvenience), and if I am confident that I'll get my money's worth from it before Steam goes under and the service disappears in a puff of smoke, I come out ahead. If I desperately want to play it 10+ years down the line I suspect it will be available somehow on GOG (legally), TPB (not so legally) or whatever, so it's not a "now or never" situation.

Yes, I get pretty pissed when you abuse DRM to deliver use control like unskippable commercials and region locks, crap that acts more like malware (hello StarForce) and such things, but ultimately I am looking to get entertained; it's in the same class as Netflix (subscription) and Spotify (subscription), not about having my documents and data trapped in proprietary products with lock-in. Realistically, if Steam said all games are now a 5 year lease it'd probably not change my habits at all. If they start acting like asses I always have the option to say here are the letters F and U, I'll be sourcing my entertainment elsewhere from now on. It's not like there's a shortage or anything, particularly since it won't cost me a moral fiber to download games I used to have on Steam off TPB should that ever become necessary.

Comment: Re:openWRT runs, without wireless (Score 1) 109

by TheRaven64 (#46821465) Attached to: WRT54G Successor Falls Flat On Promises

The last time I bought a dedicated device like this, I got a PC Engines WRAP, which is similar to the boards that Soekris sells. For about £100, I got a 266MHz AMD Geode (x86) CPU, a board that could boot from a CF card, and had 3 wired sockets and 2 miniPCI slots (with an 802.11g card in one), a metal case and a couple of antennae. That was quite a few (actually, almost ten) years ago.

The first search result has a similar kit for £139, which is a bit more, but if you shop around you can probably get it for cheaper. That includes a 500MHz x86 CPU and 256MB of RAM, so it will happily run most stock *NIX distributions, or something firewall-centric like pfSense.

Comment: Re:Experimental science vs narrative science (Score 1) 535

by Kjella (#46821271) Attached to: The US Public's Erratic Acceptance of Science

Well, if we do an experiment on gravity we determine it only at a point location at a given time; the rest is extrapolation/interpolation that gravity remains constant between locations and across time. Take two sections of forest, build greenhouses around them and pump more CO2 into one and you have a pretty good scientific experiment. Yes, putting the pieces correctly together is complicated, but as long as you accept that things obey the laws of physics and chemistry and don't magically become different at a macro scale, you can build bigger and bigger pieces of the puzzle from small blocks. There's no "irreducible complexity" here, as the religious like to trot out when they don't like the science.

Comment: Re:Intentional sabotage? (Score 1) 151

by TheRaven64 (#46821129) Attached to: Next-Gen Thunderbolt: Twice as Fast, But a Different Connector

That's already double what USB provides over data connections, and you shouldn't be drawing much more than that from a notebook anyhow

No, you shouldn't, but the laptop is probably drawing something on the order of 60-85W and there's no reason why it couldn't get that from a power supply in the display, rather than a separate wall wart...

Comment: Re:Thunderbolt does USB, so no. (Also PCIe and HDM (Score 1) 151

by TheRaven64 (#46821121) Attached to: Next-Gen Thunderbolt: Twice as Fast, But a Different Connector
Thunderbolt doesn't do USB, however the fact that it does PCIe means that you can run a USB controller on the other end. You wouldn't want a Thunderbolt mouse, because it would require sticking a USB controller in the mouse as well as a Thunderbolt interface and a load of PCIe bus logic. USB is nice because the client component is relatively simple and can be made very cheap. It's also nice because there are a number of standard higher-level protocols built on top of it (e.g. HID for keyboards, mice and so on, DUN for things that look a bit like modems). Thunderbolt doesn't replace USB, it's the connection that you use between your laptop and the display or docking station that has all of the USB devices plugged into it.

Comment: Re:Intentional sabotage? (Score 1) 151

by TheRaven64 (#46821105) Attached to: Next-Gen Thunderbolt: Twice as Fast, But a Different Connector
With Thunderbolt, since it can carry two DP signals, you can plug in one cable to drive two monitors. Since it also carries PCIe, you can drive a USB hub and SATA controller and NIC in one display and also connect the keyboard and mouse and an external disk and network at the same time. Having the same connector able to deliver power would mean that you'd be able to drop a phone in a dock and have it gain access to all of those things and charge, which sounds pretty compelling to me.

We're also finding it useful because you can get PCIe enclosures so we can plug FPGA boards directly into laptops, rather than needing to have a desktop sitting under the desk doing nothing except exposing a high-speed JTAG interface, but that's a fairly niche use.

Numeric stability is probably not all that important when you're guessing.