Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment: Re:Even in Chrome it doesn't fucking work (Score 1) 190

by Jesus_666 (#48896227) Attached to: WhatsApp vs. WhatsApp Plus Fight Gets Ugly For Users

What device would you be carrying with which you expect to use a web application over Wi-Fi? Or do "normal" people still carry laptops?

I'd ask "Do 'normal' people still carry tablets?" as the tablet-on-the-go fad seems to have cooled off quite a bit. I see a lot of people with smartphones and a sizable number of people with laptops but pretty much nobody with a tablet. Tablets are commonly found in homes but they definitely don't seem to be popular for mobile computing.

This might be because tablets suck for the two things I commonly see people do with their laptops on the train: Watching movies (big stationary screen, easy to view with more than one person) and working (big screen, physical keyboard and sometimes software that has no smartphone equivalent).

Comment: Re:Choose a CMS you like (Score 2) 299

by Jesus_666 (#48874973) Attached to: Ask Slashdot: Has the Time Passed For Coding Website from Scratch?
If you want to lock down the login the easiest way (besides using a nonstandard admin user with a good password) is to rename wp_login.php and write a little plugin that changes the login URL to point to the new file. There's actually a hook for that. That way all brute force attacks will get 404'd by Apache without the WordPress core getting involved, which saves a ton of resources. In case someone mounts a distributed brute force attack on you this might mean the difference between somewhat elevated traffic and the server going down. (Yes, that happened to us already. Renaming wp_login.php took us from base load of 6 with spikes of 120(!) to a base load of 1 with spikes of 3. Login limiters and fail2ban weren't nearly as effective against distributed attacks.)

XML-RPC should mainly be disabled because of pingbacks; not too long ago these could be exploited to make your site participate in a DOS attack. XML-RPC itself not a significant security risk these days. You can go for a more nuanced approach by only disabling the functions used for pingbacks (there's a hook for that too) but if you don't need XML-RPC it might be easier to just rename or delete the entire file.

Trackbacks should be disabled because of trackback spam. Yes, you can install plugins that help you deal with it but - seriously - pretty much no Wordpress-as-a-CMS user cares about trackbacks (or pingbacks, for that matter) in the first place. Disabling them means fewer hassles.

Again, these days the biggest security risk are badly-written plugins. We once had an infected WordPress where it turned out that the attacker never compromised any user account. They didn't need to because a plugin allowed them to execute PHP code on the server. They just injected their attack code directly into WordPress and could do whatever they wanted, such as displaying dodgy pharma ads without even touching the database. That's the kind of danger unreviewed plugins pose.

WordPress can be quite capable when managed correctly. Just don't make the mistake of assuming that you can just install a plugin and get new functionality without any risk. Badly-written plugins are common and they can screw you just as much as an insecure admin account can.

Comment: Re:Choose a CMS you like (Score 3, Insightful) 299

by Jesus_666 (#48873453) Attached to: Ask Slashdot: Has the Time Passed For Coding Website from Scratch?
Not so fast, my friend. While I agree that the WordPress core has come a long way and is reasonably secure once hardened (such as by removing the XML-RPC and trackback files, two of the biggest attack vectors) I decidedly disagree on plugins being even remotely secure.

Some WordPress plugins are well-written and secure. Most WordPress plugins are messy and were written by people who haven't even heard of code injections. If you want your WordPress to be secure, don't use plugins. Ever. At least not without a full code review by someone who knows how to write secure code in PHP.

Seriously. Most WordPress CVEs these days are for plugins and after having seen the code of a few dozen plugins I can see why. Do not trust a WordPress plugin you have not verified yourself.

Comment: Re:Choose a CMS you like (Score 1) 299

by Jesus_666 (#48873425) Attached to: Ask Slashdot: Has the Time Passed For Coding Website from Scratch?
WordPress itself is actually reasonably secure these days provided you rename wp-login.php and delete the files for XML-RPC and trackbacks (comments too if they're not needed). The plugins, however, aren't. Most WordPress plugins are written by people who know a bit of PHP and need an itch scratched, not by people who know what MVC is or how to prevent code injection. The former just makes maintenance a hassle but the latter is what gets your network pwned.

You can use (a hardened) WordPress without much issue except for poor performance when compared to plain websites. If you intend to extend it in any way, however, you really should do a full code review of every plugin you use every time it is installed or updated. That means either your customers get their WordPress without plugins and further support or you rack up the billable hours doing code reviews for them.

The company I work at is actually migrating away from WordPress because our customers demand non-core functionality and keeping the plugins reasonably secure is simply too expensive.

Comment: Re:Yeeeeeees! (Score 1) 165

by Jesus_666 (#48870455) Attached to: Time For Microsoft To Open Source Internet Explorer?
The problem is not really the customers themselves but the expected visitors to the site. (And yes, I'm talking about websites. Web apps follow different rules as the customer and the user are the same person.)

Generally, customers expect future visitors to use something similar to what they themselves use. If the customer uses IE8 they will assume that a significant number of visitors will also use IE8. Telling the customer to switch to Firefox is useless as they can't assume that all visitors will now also magically have switched to Firefox. The only argument that does work is if we can show to them that the IE version in question has a negligible market share.

If there was a legitimate new version of IE for old Windowses it might help in driving old versions out of the market, even if it only gets the IE diehards to upgrade. Over here in Germany we already had mainstream media telling people to stop using IE (especially after the DHS and the BSI issued warnings); we might very well see computer mags reporting on an open-sourced IE for those who can't switch. That would further reduce market share and make the day when IE8/9 can be safely ignored come sooner.

(Then all we need to do is get rid of iOS <8 and Android <4.4 and we might even be able to ditch most remaining vendor prefixes.)

Comment: Re:Yeeeeeees! (Score 1) 165

by Jesus_666 (#48868085) Attached to: Time For Microsoft To Open Source Internet Explorer?
Nobody cares about IE6. At least nobody who counts. As far as web design is concerned, the current shambling zombies are IE8 and IE9. Those are the ones I see people asking about and those are the ones we could get rid of if we could backport newer Trident versions.

People generally don't use these versions of IE because some internal web app requires them. They use them because they're the most recent versions available for their version of Windows. And they're not going to upgrade Windows because they don't need to; their current setup works for them and there's no business case for upgrading before something breaks.

Comment: Re:Yeeeeeees! (Score 1) 165

by Jesus_666 (#48867231) Attached to: Time For Microsoft To Open Source Internet Explorer?
No, the problem is exactly Microsoft and old versions of Windows. "I need this specific version of Internet Explorer for this custom intranet app" may be of relevance in big corporations but for SMEs the limiting factor is usually their Windows version.

Internet Explorer is tied to Windows. You can't install IE10 on Vista. It's simply not possible. That means that for any SME running Vista IE9 is the latest version of IE. And they expect their shiny new website to be equally shiny in IE9. And no, they aren't going to buy new computers or install a different browser because their web designer told them to. (Plus, they know full well that their new site's visitory might also run IE so "just use a different browser" won't convince them even if they do switch browsers themselves.)

If Windows 8.1 was free and had the same requirements and UI as Windows Vista you could perhaps convince some of these people to upgrade. It isn't, though, and that means that either you cater to their browser choice (which usually means the latest version of IE supported by the oldest version of Windows they run) or they'll take their business elsewhere.

Having an open Trident/Son-of-Trident would at least allow people to backport it. If the mainstream tech media reported on it word might actually reach these businesses and they might consider installing the latest OpenIE. Not all of them but perhaps enough to further drive the old-IE user base further down until we can finally declare 8 and 9 irrelevant like 6 and 7 already are. Even Microsoft wants that to happen.

Comment: Re:a better question (Score 3, Interesting) 590

by Jesus_666 (#48844925) Attached to: Why Run Linux On Macs?
The price/performance ratio for Macs has always been highly dependent on what kind of device you're getting. Since the G4 iBook (which is when I started using Macs) their notebooks have been a pretty good value for what they did, especially if you want to run some kind of unixoid without having to fiddle around or compromise on capability. Since the unibody MBP they're pretty damn robust, too.

Their desktops, on the other hand, cater exclusively to a) people who need big workstations and b) people who see a sleek form factor, no fans and fewer cables on the desk as serious value-adds. I fall into neither of these categories, which is why my desktop is built from COTS parts.

Unfortunately even the notebooks are becoming less attractive as Apple is focusing on the "I want my notebook to be as light and thin as possible" demographic at the expense of everyone else. My next notebook will still run OS X because I'm used to it but it won't come from Apple.

Comment: Re:Bar fucking barians ... (Score 2) 490

by Jesus_666 (#48780521) Attached to: In Paris, Terrorists Kill 2 More, Take At Least 7 Hostages
Doesn't this boil down to "people advocate their own way of life"? It's hardly surprising that people who have spent much or all of their lives under sharia law are basing their beliefs and opinions on that law. Just think about all the Americans who uncritically assume that freedom of speech is universally good and all the Germans who uncritically assume that suppressing national socialism trumps unrestricted freedom of speech. Turkey is a good example as great pains were taken to make Turkey a secular state. (Turkey is still rather quirky in many regards but religious nuts they're not.)

Also, your first numbers are about what those Muslims who believe sharia should be the law of the land have to say about leaving Islam. We're already talking about people who want a theocracy and their opinion on the specific case of someone leaving their religion. If we look at other numbers we see a different picture. Firstly, if we take the number of people who ask for sharia in the first place into consideration we see that the results are very regional with South Asia being the most sharia-friendly.

Even in places like Pakistan where most Muslims would like more sharia in their lives the vast majority still support religious freedom (pg. 63). As a matter of fact, the most intolerant country, Egypt, still has 77% in favor. Also note that virtually everywhere people are quite concerned about Muslim extremist groups (pg. 68) and that the only people who can muster even lukewarm approval of suicide bombings are those in very unstable regions like Palestine and Afghanistan.

If anything, the Pew study tells me that it's not a religious problem but a regional and social one. The most extreme opinions come from regions that are either politically unstable, have been dominated by extremists for decades or are Pakistan. (I don't know much about Pakistani culture so I can't tell what colors their opinions.) Also, the great Islamic crusade to convert everyone in the world is a myth. Broadly claiming that Muslims everywhere behave like telegenic extremists in particularly extremist countries is like claiming that the entire USA are like the Bible Belt and that the Westboro Baptist Church is representative of popular opinion in the States.

We have to figure out a way for everyone to get along. Painting an entire religion with broad strokes in a situation where religion is a politically charged topic is counterproductive, especially when all you have in favor of this is media coverage of extremists putting on a show for the media.

Comment: Re:Small NAS box suggestions? (Score 1) 115

by Jesus_666 (#48574961) Attached to: FreeNAS 9.3 Released
As long as you just want basic ZFS without fancy stuff like deduplication you can use an HP Microserver. I've got an N54L with four gigs of RAM, which is currently running FreeNAS 9.2 with a mirrored two-disk setup (because my budget didn't allow more then two disks when I put it together). It works just fine and didn't put a huge dent into my finances. Also nice is that there is a modding community for those things so if you want to replace the DVD drive with more fixed storage you can easily find an article by someone who has tried just that.

Newegg quotes 229 USD for one with 4 GB, which leaves ca. 250 USD for HDDs once S&H is factored in. Get two nice HDDs or perhaps three slightly worse ones. You've got four caddies to work with so future expansion is not a problem. Or put in more RAM.

Oh, and don't forget the USB drive. For FreeNAS 9.3 you'll want one with at least 8 gigs.

Comment: Re:Joyent unfit to lead them? (Score 4, Informative) 254

by Jesus_666 (#48533619) Attached to: Node.js Forked By Top Contributors
The blog is useless. I read the Github discussion on the pull request and the revert. Here's what happened:

1. A pull request containing only two very minor changes to comments in the source code was made.
2. Mr. Noordhuis rejected the pull request with a terse "Sorry, not interested in trivial changes like that."
3. A flamewar erupts about the appropriateness and neccessity of the singular "they". Mr. Noordhuis is not participating in the flamewar.
4. The pull request is forced through while the flamewar rages on.
5. Mr. Noordhuis reverts the forced landing on the grounds that it violated project policy. The revert immediately begins to accumulate a fair number of hostile comments.
6. The flamewar intensifies. Allegations are made about Mr. Noordhuis's character.
7. A joyent employee, acting in an official role and using Joyent's official blog, decided to write and publish a text about how Mr. Noordhuis is sexist and would've gotten fired from Joyent on the spot, indirectly calling Mr. Noordhuis an asshole in the process. Joyent, by not taking the text down, implicitly endorses it.
8. Mr. Noordhuis posts into the discussion to point out that the rejection/revert had been made on purely procedural grounds. He simultaneously announces that he will leave the project, which I can fully understand.

After that the flame war goes on. Some people actually point out that Joyent's behavior is highly unprofessional, which the Joyent employee disregards because "'Fired' isn't a gendered word that has larger social ramifications that careless use of pronouns does." So yes; according to Joyent, publicly calling someone so sexist that they would've been fired on the spot is less bad than using "he" in a gender-neutral role. (Bonus points for one woman in the discussion calling the whole thing a "witch burning". For the record, she was also the one person to offer a solution instead of flaming about pronouns.)

If IBM and Oracle worked remotely like that they'd be up to their ears in wrongful termination suits. And libel suits. And, depending on whether insults are an actionable offense in the relevant jurisdiction, suits about that too.

The sad thing is that early on someone offered a perfectly reasonable way of resolving the situation: Mandating the singular "they" in the project's coding guidelines and then floating changes to existing code until they can be mixed in with other refactoring commits. Of course it was completely ignored.

(For the record, I am a proponent of singular-they and I still think that the term "social justice warriors" with all its negative connotations entirely applies here. Many of the people involved completely went off the rails as soon as the pull request was rejected and immediately assumed Mr. Noordhuis to be a moustache-twirling antifeminist villain.)

Comment: Re:Simple... (Score 1) 376

by Jesus_666 (#48493007) Attached to: Ask Slashdot: IT Career Path After 35?
Not just startups run by kids. Be wary of companies run "like startups" who want to be all kinds of agile by exclusively hiring people who have started but not finished a CS degree because those people are supposedly both experienced (because all CS students are experts in all things computer) and extremely creative (because people over 25 can't keep up). Experience is considered problematic as apparently it translates into higher salaries but not higher skill.

I work in such a hellhole (well, until I'm done with my degree) and the sheer amount of stupid mistakes we're making because nobody has any kind of experience is mindboggling and is the reason why the company has been in damage control mode since 2010. The kicker? The owner of the company is in his 50s. He's still convinced that only CS students can ever be reasonable employees in the IT world.

Not just young bosses can be stupid about hiring.

Optimism is the content of small men in high places. -- F. Scott Fitzgerald, "The Crack Up"