
Comment Re:Zero-days are not "back doors". (Score 1) 82

Zero-days are not "back doors".

Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.

Agreed about a 0-day flaw not necessarily being a "back-door".

You're incorrect about flawed software necessarily being the output of a bad programmer. Even the best programmers make mistakes - it's not just the nature of software, it's the nature of security - "absolutely secure systems do not exist" (Shamir's First Law). Except maybe death - and even then it's not certain.

Programming languages, development procedures, code auditing, and system architecture keep developing towards inherently better security. But it won't change some fundamental restrictions epitomised by Shamir's Second Law.

"To halve your vulnerability, you have to double your expenditure"
Increasing security is a case of diminishing returns. The mythically perfect integrity shell probably won't solve the problem either (Shamir's Third Law "Cryptography is typically bypassed, not penetrated").

That doesn't mean it's "game over" - it does mean that some things should never be trusted to computers because of their value. It also means that not everything can be trusted to the same computer - which is just too inconvenient (apparently).

"People" will say - but [insert OS or package here] has never been exploited. Maybe... but it's a big maybe, and very much dependent on a given point in time. It's very hard to prove it - as a mathematically proven fact. At best it's just an until-now-not-disproven fact. There's a difference.

tl;dr it's a false and dangerous assumption to propose that all flawed software is the result of bad programmers. As a technology software development is somewhere around the same stage as the first cars in relative terms (Dig me up when the car is mathematically proven secure. Good luck with that - you may find the worms have beaten you to it).

When it comes to the relative security of different OSes, incidence of deployment is not necessarily a good indicator. I'd propose that level of access to the OS, level of awareness and education of the operator, and relative value of exploiting the system are the main factors. i.e. Windows is not the most deployed platform - it is as a "desktop", and the average level of awareness and education of the operator is low relative to other "desktops" - and its accessibility is low (anyone can get hold of it, a lot of people can explore it). The hypothesis seems valid as it has a relatively high number of known exploits in its history (3 years after release the fixes take up more space than the original install) - most of them of low risk. Apply the same criteria to "Linux", allow for its diversity, and the fact that until recently the average operator had a relatively higher level of awareness and education - then factor in the relative value of it as a target (higher) and the hypothesis also seems valid. i.e. higher skills and resources were pitted against it which meant fewer exploits found (in the core system), the majority of known exploits quickly found were low risk - the higher risk ones were harder (took longer to be reported) to find.
It's just a hypothesis - and not particularly well stated. I've simplified things but I have tried to take into account factors like predictability of the core system (Windows core system is more predictable than Linux), and reporting/detecting exploits of flaws. Financial trading systems are less likely to report exploits than browsers used for banking, but I suspect greater skill and resources would be focused in a smaller number of projects aimed at finding flaws to exploit in share trading systems or telecommunication test heads. Allowing for (possible) increased auditing and monitoring of systems that run more valuable processes, Shamir's Second Law also means they are exponentially harder to protect against the attempts against them.

Maybe one day computer science will escape Shamir's Laws, and maybe one day we'll all have flying cars, and escape the fundamental laws of physics. But I wouldn't bet the bottle of aftershave my family has been gifting around every Xmas for the last four decades on it.

Comment Re: Solution: Don't Trust Anyone (within reason) (Score 1) 82

Dear coward

You missed the point. Open source acolytes pray at the feet of "free software" and don't recognize there is no "free labor" to review those sacred lines of code. You see both closed source and open source people are putting their faith in something. Are the FSF lovers going to review all those lines? If not then you are hypocrites

I miss the point? And you aren't painting with a broad brush (Open source acolytes pray at the feet of "free software")?! There's a term for that - confirmation bias. No surprise you don't get irony, sarcasm or satire - or "weighted decision matrix".

"You see both closed source and open source people are putting their faith in something.". I do? O'reilly? You seem to put a lot of faith in something... like the belief your "psychic powers" aren't "psychotic delusions". Thanks for your insights. They say nothing of me, and speak volumes of you. I'll go with facts instead of buying into your crystal gazing powers.

That word, hypocrite, it doesn't mean what you "thunk" it means. You've made a compelling case that you are one, with a series of assumptions you can't possibly prove about me without psychic powers (so much for fact based decisions). And then you rant about "faith". The Timber industry wants in on your eyes.

tl;dr on a scale 1 to 10 for critical thinking you score a -5. HONK HONK - you've won a Special Snowflake tour on the Mobro 4000.

Comment Re: Solution: Don't Trust Anyone (within reason) (Score 1) 82

Yes. The FSF and reviewing millions of lines of source code will save your mortal souls. How about that Heartbleed vulnerability?

Insightful! I don't need no steenkin' weighted decision matrix - I'm going back to Windows ('cause it's got less code, and more eyes - and the ads are cool).

Comment Re:.GOV knew on the 28th, com'on, old news (Score 1) 68

The US Gov knew and published this on the 28th. Way to be 3 days late, and no doubt why /. is more than a dollar short.

https://www.us-cert.gov/ncas/current-activity

The "government" is proactive! Cool.

Soon we'll all have flying cars for sure (or, flying SUVs with in-dash McD snack printers and heavy-duty conveyor belts in place of door-steps).

Comment Re: Just goes to show you UNIX SUX (Score 1) 68

No it isn't... it's one of the oldest and simplest protocols around, you freetard. And the fact that BIND still has exploitable bugs on a protocol that is decades old shows how terrible freetards are at programming.

*cough* That coward was being ironic. Whether it was intentional or not is beside the point. It was nice satire too.

You'd think the version number might be a clue. Oh wait... this is /. The entrance requirement is an internet connection and a keyboard.

Instituting one of those simple math question robot checks would double the signal:noise ratio - and reduce the advertising revenue by 70% (I'm allowing for the adblock users).

Comment Re: Interesting, but budgie cage liner news (Score 1) 68

... Not opensuse

As another poster has already pointed out - that's incorrect.

But interesting anyway. Maybe Open SUSE is just a little slow because of a trickle-down from SUSE? Regardless of the reason you might consider subscribing to the opensuse-security-announce mailing list. At least you don't have to wait until Patch Tuesday.

Comment Re:It's coming. Watch for it.. (Score 1) 163

Everyone knows automobiles were endowed by the Creator with inalienable rights to have everyone get out of the fucking way.

Yeah right on bro! If god wanted bicycles he'd have passed road laws that said cyclists have the same rights on the road as cars, and cars have to give way to anyone crossing the road (even if they're doing so illegally). Bigger cars are the answer.

You know the liberals used to make us drive behind dickheads with flags... till we ran them down. No holding back progress.

Comment Interesting, but budgie cage liner news (Score 3, Informative) 68

Patched updates rolled out long before /. reported it (shock, horror).
If Debian is any guide most distros have already done the same, and anyone running unattended-upgrades for security patches has been updated for several days (25th).

Comment Re:May you (Score 1) 330

never be falsely accused of rape.

Agreed - because it'd be damn hard to go through the world's libraries cutting those articles out of the newspaper archives. Of course that still leaves the copies lining budgie cages, and wrapping chips - but maybe we could force people to read the subsequent retractions. After international law is passed forcing retractions to be published.

Totally different subject - but how come these laws don't seem to be forced on other search engines? Because this legislation does cover all search engines (though strangely it forgets Fffacebook - they have their own search engine so I suppose they've been served as well, right?)

Comment Re:"Truthers" don't believe in *air* (Score 1) 321

My guess has nothing to do with the facts of building 7. I was simply speculating as to why they would bring building 7 down in a controlled demolition when it never got hit by a plane (which is the official story by the way... It's only the "why" that's under debate). Exactly three planes were hijacked, only two made it to the target, and yet, all three buildings went down in a similar fashion. I definitely don't consider myself a conspiracy theorist, in fact I'm quite a skeptic usually. The problem is that the official story isn't logically consistent with reality, which is bothersome to me. I always feel unease when things don't add up. If buying into the official story helps you sleep at night, then more power to ya!

Speculate away. While you're at it calculate the number of charges required, how long that would take, and how difficult that would be - unless all those security guards and explosive sniffing dogs that normally patrolled were part of the plot too.

Don't forget to count all the engineers and architects in the USA when you estimate the significance of the number (who never visited the sites) who claim it couldn't have collapsed because of heat weakening the high tensile steel in the support beams.

Car manufacturers can't build shit without having to do recalls - but a conspiracy that large, and complicated, goes off without a hitch. Then look at those troofer "video proofs" again. Take the White House for example - compare the "evidence of conspiracy" with the press photos - notice how the troofers only show you selective images?

It never pays to not test what you believe. It only takes one minute to check - how hard is that?

Comment Re:Drifters (Score 1) 103

Didn't the aboriginal population of Tasmania get wiped out?

Only in the same sense that mainland aboriginals (and probably the first wave of settlers) got wiped out. The gene pool was mixed. Truganini was not the last Tasmanian aborigine. Just the last "full blood", according to the methodology of the time (and terra nullius), and current politics. e.g. it's only been recently that the Dutch were credited as the first to map Tasmania, but there is evidence that Arabs had mapped it far earlier, and the Chinese, who definitely had the technology to visit. Somewhere I had/have a reference to archaeologists finding support for a French claim that shipwreck survivors had survived on the West coast before the British created the first settlement (stone garden walls, allegedly), but the government refused to stop land clearing for housing development - so "pure blood" is hard to prove without DNA studies (which is why I asked if anyone knew of any).

And given that the Tasmanian government were perfectly happy to destroy what was possibly the world's oldest graveyard in order to build a road bridge, evidence is pretty lacking...

Sort of. The Tasmanian government is pretty determined to avoid recognising anything that might stop relentless development, or lead to a Land Rights claim.
