Comment windows 7 it is then (Score 1) 314

I guess this means I'm sticking with Windows 7 on whatever good hardware supports it. The situation with Windows 8 and 10 is ridiculous. Microsoft knew what their *profitable* users wanted out of the platform. Windows 8 immediately resulted in a list of problems. They had old problems, as the author noted, going way back. The best thing to do is keep what works, eliminate problems, add functions to make it easier to use, try some new things as OPTIONS, and continue to roll in profit from satisfied users. The Start Menu issue alone makes it look like Microsoft is intentionally trying to piss its users off. Meanwhile, Mac OS X and certain Linux distros continue improving while remaining easy to use and (esp for Mac OS X) quite consistent.

Microsoft was known to copy anything better. They need to do that again for sane and consistent UI. Far as different devices, Apple's method worked so copy it: one product for desktops and one with touch-oriented UI for mobile/tablets. You can keep many of the dev tools, libraries, kernel functions, and so on the same to reduce duplication. They already do that for Xbox with even more coming now that it's x86. The problem is so friggin' simple to solve that it's amazing Microsoft hasn't figured it out, esp as it combines their two top qualities: leveraging what you already have to pinch pennies; copying successful stuff the competition does.

Comment Re:DO-254 (Score 1) 104

Very interesting that you do DO-254. My background was high assurance and I studied a lot of DO-178B stuff in the process. I didn't work in that market but it generated many high-quality components applicable to other areas. What they pulled off in terms of features amenable to assurance/certification also gave me a guess at what the next project with similar complexity would pull off. Also how I discovered SPARK and Astree. :)

My recent focus is on clean-slate, secure hardware with two aspects being ensuring hardware correctness and preventing subversion. I've come up with a lot of methods applicable to what HW people have taught me of their flows. Safety- and security-critical have considerable overlap in terms of verification from defect reduction to testing to traceability. I'd be very curious to hear of what flow you use for HW (esp ASIC) design in DO-254 space. I appreciate the memo as it's a good start on the subject and will help my own work. Still curious if there is a write-up by anyone on specific flow and what methods worked best on what problems past what's published on HW development in general.

Comment Re:What's special here?? (Score 1) 104

Good work. Be sure to check out my comment below referencing a few things you might be interested in. You clearly know enough about this subject to assess their value. Any information is appreciated. Trying to get numerous opinions from HDL, synthesis, and bitstream mod crowds.

Comment more OSS FPGA tools (Score 2) 104

This is cool stuff. Here's some other stuff I found recently for anyone interested in messing with bitstreams, creating an open-source FPGA, or doing hardware more easily. Hardware designers' feedback is appreciated.

Open Source Bitstream Generation without R.E. or license violations:

Archipelago - an open-source FPGA with toolflow support:

Cx, open-source, hardware & synthesis language:

QFlow Open-source Flow from behavioral synthesis to detail routing:

Have fun people! Especially building on the first two. I'd appreciate experienced people telling me how good the Cx system is for (a) people doing FPGA with high-level synthesis tools and/or (b) beginners using behavioral verilog wanting something better.

Comment want GamerGate's side with evidence? (Score 1) 557

I was a neutral party, too, who couldn't make sense of it. Most published evidence supported the claims of the feminists but strangely didn't mention much about the other side. Not objective at all. Least that was some kind of evidence. So, I challenged a bunch of pro-GamerGate people with that evidence and demanded they do more than troll or ask for us to take it on faith. One sent me this vid that shows feminist hypocrisy with evidence from her own game, points out these are entertainment products based on demand (which includes women!), and has other rational points supporting GamerGate's position:
(Really makes the feminists opposing look like BS pushers esp as a commenter here pointed out Brianna also breaks their own rules in games.)

Another link I received was from the "Factual Feminist:"
(She actually backed her claims with evidence that contradicts the claims of the feminists opposing gamergate. She also showed that their own studies cooked the books a bit.)

On top of it, out of millions of gamers, they've only got a relatively tiny number of people making threats. That means the vast majority of gamers are *not* making threats. Yet, they talk like rape and death threats over the right to abuse females is the only thing going on here. If anything, what I see here is a group of people (i.e. Brianna & co) calling out a whole segment of society (including women!) as evil, claiming to eliminate their market, making provably false statements, and being hated as a result. Who wouldn't have seen that response coming.... Ignoring the claims I see here like faking stuff, the basic analysis of anti-GamerGate's own claims and games *they* make show these women are deceitful, hypocritical pricks who deserve whatever *verbal* hate they get. It's called Internet Justice. Best to just not do the crime, and especially against what's allegedly your own customers/demographic.

Comment Re:crypto war 3.0 you mean? (Score 1) 91

You have points on the 0-days being on the lower end compared to pervasive backdoors. Far as worst compromise, it's actually NSA compromising insane numbers of hosts using automated QUANTUM hits and drones via WiFi attacks. Much worse than manual stuff FBI does. That they continue to subvert things with little challenge is in their favor, as well. Far as crypto, NSA promoted strong algorithms while hiding all the ways their implementation could be busted (eg side channels). AES was actually more prone to these than some others. They also had the methods and tech to design nearly bulletproof stuff (eg Type 1, EAL6-7, TEMPEST). That they deliberately kept us in the dark and made those difficult to impossible to get weakened our security posture greatly across the board. They could've subsidized a few guards, VPNs, and endpoints to give us a chance but had other, devious ideas.

Anyway, your critique might be right on us *mostly* winning on the crypto side. Yet, they won in most other respects in being on top. I guess I need to change the claim to match that. Maybe the NSA's War on Security, starting when they killed the high assurance market (below). Crypto War would be battles within the greater framework. Main war still going on obviously. Recently being challenged by private parties and especially DARPA-funded research (eg, CHERI). Gotta love DARPA: enemy's R&D organization will probably give us our best chances of defeating them. :)

Comment Re:crypto war 3.0 you mean? (Score 1) 91

"Bullshit. One of the most interesting things to come out of the Snowden revelations was the discovery that the NSA doesn't have any secret ways into properly done crypto -- Schneier even noted as much in his interview with Snowden."

I think you missed the whole point: NSA has been secretly beating much of the crypto you cite for years with a myriad of bypasses. They piled up attacks on applications, OS's, firmwares, and so on. They have it to the point that it's automated with QUANTUM. Linux's fragmentation gave non-mainstream distros certain protection. I did that directly in previous work in what I called Security via Diversity. Academia has re-discovered that concept and regularly publishes it under the banner "moving target." Yet, most people could've been smashed by NSA this entire time without realizing it.

So, after NSA *lost*, they waited for an opportunity. 9/11 provided it. Then, they started tapping the Tier 1 providers, intercepting whole datacenters' worth of stuff, covert partnerships with U.S./foreign companies, coercive relationships with FBI support, infiltration of foreign companies/sites, weakening of crypto standards, insertion of 0-days, deliberately leaving in 0-days, and buying up even more 0-days + attack kits for automated use. The combination of Snowden leaks and the Equation Group report show they have utterly been dominating their opponents... without them even knowing... for over a decade.

In short, they went to war on everything (see BULLRUN) in secret, they won enough to create a "golden age of surveillance," and post-Snowden we're launching a new set of battles with new criteria to stop them. That's a... third... fight. Strange how security experts can say a quasi-military organization attacked, hacked, and subverted almost everything in wide use without saying they lost a war to them. They did lose. Many of us told them exactly what they were hitting pre-Snowden given it had to be anything in a system that ran code or could be reached by code (obvious eh?). We were told various things: too paranoid; that's impractical; nobody is reporting those hacks so they aren't happening; FBI & NSA are saying in public they can't do that. And on and on. They talked like they were safe on their FOSS & "secured" Windows boxes while they were getting stomped for years on end.

So, if anyone's calling bullshit, it's me on mainstream INFOSEC industry and security "experts" who didn't see this shit coming despite me outlining it nicely for years. My framework still exists (below) showing all the rigor it takes at every layer to stand a chance at beating them. Secure code or good crypto apps aren't enough. My framework is taken right out of the government's requirements for the ultra-secure systems (Type 1, EAL6/7) they use at most sensitive sites but won't let us have. Want to eliminate risk in your software and stick it to NSA? The opportunity is right there below waiting for your effort.

Comment crypto war 3.0 you mean? (Score 2) 91

I keep saying we should call it the Third Crypto Wars because NSA + GCHQ already won the Second. They did that in a secret war on all systems and cryptography with aid from post-9/11 legislation. The Snowden leaks attest to what they accomplished. Most crypto out there doesn't deliver on its claims because they backdoored, weakened, or bypassed (endpoints) it. Now, from a position of dominance, NSA and FBI are launching a Third War on Crypto which is a mixture of public (see article) and secret (try to see TPP). This is an attempt to automatically achieve what they currently work hard for. We're not going to stand a chance of winning this third round if we don't acknowledge they already won the second. And did it with hardly anyone noticing pre-Snowden. That's how bad our current position is and why we need to fight that much harder for strong security across the whole stack.

Note: I've only seen a few strong constructions ever posted on Slashdot or most other IT news sites. *Those* kinds of things don't get popular. NSA etc love that. It's why the majority doesn't stand a chance whether using proprietary or FOSS. Rare exceptions to that.

Nick P

Comment my plot (Score 2) 57

So, how did you all like mine [1]? The goal was to show the danger of their double standard: they get ironclad security; we get backdoors. They argue that anonymity, encryption, and security can be the end of the country. I argue that, if true, then it's also a confession on their part. ;)


Comment NSA won't flinch (Score 1) 135

Many countries are SIGINT partners with the NSA (see Fourteen Eyes etc). They share data. They almost all use vulnerable systems of the type the NSA can hit directly. Hence, data in Ireland isn't safe from the NSA by any means. It might also be used in mass collection that NSA gets to share. Der Spiegel has been reporting a lot of that sort of thing in Germany, for instance. The only well-connected democracies listed in Snowden documents as resisting NSA cooperation were Iceland and Switzerland. Move your data there in partnership with citizens and in a way that benefits their cities. That should knock out the legal attacks. Then, you need EAL7+ security on all your systems with good supply chain and updates. Good luck with that part. ;)

Nick P, High Assurance Security Engineer/Researcher

Comment Re: Cuz Minix Dude Was A Old Guy (Score 1) 469

Nah, he was too busy working on hard problems (eg seamless distributed computing) so that others could implement them in production. Linus eventually followed his advice with a distributed VCS (git), although it's a nightmare to use compared to Andy's stuff. And Andy eventually applied his principles to build "a production kernel, maintained version compatibility, and evolved that kernel over time." I referenced Minix 3 in my original post you strawmanned. Despite only 2-3 people working for a year, it was already more reliable than Linux systems on the same hardware. Linus's approach produced systems so unreliable for so many years that I wouldn't even use them for production systems. When I did, I had to cluster them.

Gotta wonder what we'd be using if volunteers and corporations put a billion dollars worth of effort into microkernel, capability, or HLL (eg Oberon System) designs instead of Linux. The self-healing, process isolation by default, and easy extension properties alone would've been worth it. Linus and the mass market desired the opposite. So, we have unreliable, hard to maintain, insecure machines. NSA should thank them all.

Comment Re: Cuz Minix Dude Was A Old Guy (Score 5, Insightful) 469

He built a teaching OS, a cool ass distributed OS (Amoeba), a good WAN solution on top of it (Globe), and much later the self-healing UNIX-compatible Minix 3. That was all while he taught thousands of students how to build shit right. Andy is anything but lazy.

Comment Re:WebSockets (Score 1) 234

re Mac. Depended on the toolset. Certain 4GLs, GUI generators, and PGUIs targeted Windows + Mac (+ others). The portable scripting languages, like Tcl/Tk, had simpler interfaces but great portability. My route was first a custom generator that automatically generated the GUI side from a VB6 form's data and BASIC code I typed in. Later, with Flash taking off and my 3D interests, I redid my concept to target OpenGL: a standard graphic system that worked on both mainstream OS's and most high-end UNIX's too. If it had OpenGL, my tools could put a beautiful interface on it. Back when I had my tools... (sigh)

Note: programmers hated on me endlessly for using VB6 or a console BASIC at all. Yet, type safety, 1 s tool loading, 1 s compile-to-run, RAD GUI, and a plugin for converting it to a C++ GUI seemed like productivity heaven. Esp on a 200 MHz P2 w/ 64MB RAM. And my shit never crashed by the time I generated C++. Only imported C++ libraries did lol.

re WebSockets. In theory, maybe. I'd have worried about the same legacy issue as you. It will certainly improve web app performance. Remember, too, that you have a whole browser to protect and manage. Single purpose applications using only specific files or APIs can be protected with Mandatory Access Control, inline reference monitors, and whatever else you dream up. Browser is *never* that easy, as Chrome shows despite excellent architecture. Also, native apps let you use protocols such as UDT to eliminate the overhead of HTTP and slowdowns/issues of TCP. Finally, if a browser was *absolutely* required, my compromise was putting a proxy in front of it that (a) spoke efficiently/securely to my server app and (b) translated HTTP/HTML requests and responses to/from the browser. I'll fake HTTP/TCP/IP rather than do the real thing any chance I get. :)

Nick P