
Comment: Re:Metaphor (Score 1) 232

by rabtech (#46790069) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

While you are technically correct, the reality is that the most serious security vulnerabilities are almost all directly related to buffer overruns (on read or write), allowing an attacker to read or write arbitrary memory. Everything else is a second-class citizen by comparison; denying service by causing Apache to repeatedly crash is far lower priority than compromising all traffic and stealing credentials.

So when we look at that class of serious problems, we find that managed memory languages completely eliminate them.

Relying on people to "just drive better" is an automatic failure. We design everything from signs/road markings to cars themselves around the idea that relying on humans to be perfect is pure idiocy, so we need to create affordances that lower cognitive load, along with automatic systems that attempt to avoid collisions and mitigate their consequences when they occur.

Similarly, just relying on programmers to never make mistakes is guaranteed to lead to more exploits like Heartbleed. It's pure stupidity.

If OpenSSL were written in Rust or C#, it wouldn't be quite as fast, but we wouldn't be looking at years of government spies completely negating SSL, forcing all webservers on the *entire* internet to replace their SSL keys, instantly obsoleting hardware that can't be upgraded, exposing users' data (including login credentials) to attackers, thus requiring EVERY FUCKING USER ON THE INTERNET TO CHANGE THEIR PASSWORDS.

Was the tiny performance benefit worth what we have now paid for it?

Of course we're going to continue using C and getting burned over and over and over. Who needs air bags? Just drive better.

Comment: Re:do they have a progressive view? (Score 1) 326

by dublin (#46789179) Attached to: Detroit: America's Next Tech Boomtown

I would die first before moving to Texas. Most of my friends also feel the same.

In all my life, I have never heard anyone EXCITED about moving to Texas, at least for tech. Sure, there is tech there, but only for those that can stomach the Texas lifestyle and redneck attitudes.

The outright racism and bible-belt feel just is not compatible with many techies' view of what a good living area should offer.

Wow, I'd say that post pretty much serves as a prime example of how to beclown oneself while simultaneously establishing oneself as a bigot of the first degree!

There's a reason that 3 of the top 10 cities of the US are in Texas today, and Austin's rising with a bullet, showing staggering 6.6% growth, a substantial portion of which is tech, although way too much of that is the social/mobile bubble. (Austin is #11 today, Detroit is 18, FWIW...) Yeah, pretty tolerable weather, awesome food and music, really nice people (yep, even "bible-belt rednecks"), a great tech scene w/o the backstabbing attitude, entrepreneurial dynamism and focus on results, Formula 1/SxSW/ACL - why would anyone even consider working here? If there's a weak spot in Texas, BTW, it's Austin, mostly because of its "progressive" dedication to regulating the crap out of everything they can. (Don't get me started about permits here - smart people start or move their companies nearby, not in, Austin...)

Oh, and a friend of mine from Detroit (who happens to be black) told me years ago (when he had been in Texas only a few months) that not only was he shocked to find that there were actually far fewer racists in Texas than in Michigan, but that he preferred even those racists because "at least here in Texas and the South, you know when people have a racist bias!" He didn't find that to be true in Detroit, his home town, despite the fact that he came from a fairly well-connected family (his Mom was in the state congress), which insulated him from some of the racial bias in the first place...

Comment: Re:Nonsense (Score 1) 287

by dublin (#46788325) Attached to: Ask Slashdot: System Administrator Vs Change Advisory Board

Wow, there's a LOT of negativity and assuming that the CAB is only a bureaucratic, bad thing. (It may be, but hear me out - it shouldn't be, and if it is, you can help change that...)

I think part of the problem here could be that the OP is assuming that no good can come from this.

If the CAB is doing its job, then it should be *helping* to determine which patches to apply, why, and when, based on taking into account the hardware, software, networking, and application environments and the "risk" a patch represents to each. That kind of support is a real net plus to a sysadmin. Note that it's implicit that the CAB is either doing or facilitating this extra work, not just dumping it on the admin. (In that case, it's not really a board, but the worst sort of bureaucratic assemblage holding authority but no responsibility by dictating policy to be implemented by others who have responsibility without authority.)

Yes, this *is* a lot of work, and it *may* be justified, especially if there's been a history of being bitten by patches that were more or less blindly applied simply because a vendor or package owner/author posted them.

As with all process issues, the important thing to understand is "*WHY* are we doing this?" That question is frequently answered best by answering other related questions, including "Is this the best way?" and "How else could we achieve the same goal?", and perhaps even more important in winnowing down the answers from that one: "What could we do that's 'close enough' in benefits, but way easier to implement and support?"

Asking the right questions is *really* important!

Comment: Re:ARM laptop, please? (Score 1) 109

by dublin (#46776363) Attached to: Intel Pushes Into Tablet Market, Pushes Away From Microsoft

Why on earth should I really care what kind of CPU is in my laptop, *especially* if the OS runs on either x86 or ARM?

I think the whole point of the discussion here is that both hardware architectures and OS choices are becoming increasingly fungible, and that trend may only accelerate...

I'm with you on the quality digitizer/touchscreen, though...

Comment: Re:Is it dead? (Score 1) 109

by dublin (#46776329) Attached to: Intel Pushes Into Tablet Market, Pushes Away From Microsoft

Yep, and you need a 30-100 MB app for pretty much every little task you do. A good OS, built the right way, provides a strong set of basic tools that can be used together to do almost anything the user wants. Personally, I *do* want a real OS on a tablet - because there are just way too many real-world tasks that tablets either can't do at all or can only do with ridiculous levels of complexity and frustration. Real filesystems are just the beginning. FWIW, I'd rank the usability of tablet OSes for real-world use as first, Full Windows, then WinRT closely followed by iOS, with Android bringing up the rear. If there were a Chrome tablet (and WHY ISN'T THERE?), it would likely fall between the two Windows versions, and Ubuntu could well grab the lead if they can find any good hardware to optimize for...

Mark Shuttleworth and the rest of the Ubuntu guys get this, and that's why they're plowing ahead no matter the naysayers. Also, "full-fat" doesn't necessarily mean actually fat - IIRC, the first Unix System 7 CAD workstation I used had 4 MB of RAM, a huge 40 MB hard disk, and a stunning 1 MIP 68K processor with an incredible 1280x1024 display. Today's mobile processors have compute power only found in supercomputers not many years ago. Look at Puppy to see how slim you can make a "full-fat" Linux OS, even with a modern kernel and apps...

BTW, no OS exists in today's tablet/GUI world to let you easily snap together your own tools from a rich set of components - that requires GUI integration of the stream/operator paradigm as implemented in UNIX (but with different syntax and semantics making the gozintas and gozouttas intuitive), transparently merged with the browser and able to leverage not only local, but also remote web assets and applications. Add touch and non-touch dynamic gestural interfaces, and you've really got something...

Comment: Re:Is it dead? (Score 2) 109

by dublin (#46776173) Attached to: Intel Pushes Into Tablet Market, Pushes Away From Microsoft

Microsoft is really onto something with the whole Surface Pro idea, and it boggles my mind that not a single one of the "regular" OEMs has managed to build anything even in the same league. This product alone is justification for Microsoft being in the non-peripheral hardware business, despite the OEM friction it undoubtedly causes.

The Surface Pro is further proof that Steve Jobs was flat wrong when he said of iPad competitors, "If you see a stylus, they blew it!"

First of all, a quality digitizer pen is not a stylus. Second, and far more importantly, there are *really* good reasons why we gave up drawing and writing with rocks and fingers, and started using sticks, brushes, and pens instead...

Comment: Re:ARM is the new Intel (Score 0) 109

by dublin (#46776091) Attached to: Intel Pushes Into Tablet Market, Pushes Away From Microsoft

Windows on the tablet is pretty darn attractive - I've tried iPad, Android and Windows RT tablets, and *ALL* of them are missing things you really need. (Decent local filesystems and the ability to *fully* support the Internet, even for ugly-ass things like Flash and PDF, as well as reasonable printing support (RT only supports new printers), aren't optional.)

BTW, this is really an argument for a full OS, not specifically for Windows. Good hardware for a full Ubuntu tablet (not Nexus crap, which is designed for a crippled OS like Android) could be a game-changer, too...

I've got a friend who says the Surface Pro 2 is not only the best tablet out there, but also quite simply the best and most useful computing device of *any* kind he's ever owned, especially with the docking station.

If Microsoft sees fit to build a Surface Pro 3 with the same awesome digitizer (required for quality sketching and/or artwork), more/cheaper storage, at least 8 GB of RAM and a 13-14" Pixel-like screen, at roughly the same weight as the Pro 2, I'll be standing in line to throw more money at them than I've spent on a computer in years...

Comment: Re:This was positive (Score 1) 580

by dublin (#46761557) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

So there was a bug in OpenSSL. Big bug, yes, but that's not the reason it was (and still is!) a big problem.

The genesis of the big problem is one of monoculture, not only of OpenSSL being the dominant SSL implementation, but probably more importantly, the fact that pretty much all Internet security that is accessible and matters to ordinary users is SSL/TLS in the first place.

If you think this is bad, imagine what happens if the fundamentals of SSL itself are compromised: What would we replace it with? How, considering this is effectively the only secure connection technology available across all common OSes and embedded devices? How long would that take? (Years, at least, I'd wager...)

What we need is more flexible security methods in the first place, and open, standard implementations (like OpenSSL, but growable) that can allow us to proactively extend security methods as the net matures, and *quickly* address bug-based vulnerabilities when that approach fails. (Note that this may require the implementation of some kind of standard "security code VM", so new code and new methods can be easily distributed even to older systems that may not be fully supported anymore. And no, I'm not glossing over things like limits on code space, memory, and the like; nothing will allow every system to be upgraded, but we do need some way to allow and authenticate that (while preventing bad guys, including governments, from using the mechanism to create weaknesses.))

Comment: App fatigue is real... (Score 1) 163

by dublin (#46751751) Attached to: The Best Parking Apps You've Never Heard Of and Why You Haven't

I was talking with a fairly large group of tech-savvy friends here in Austin the other day, and it was nearly unanimous - the last thing we ever want is another damn app to download, constantly whine for updating, and try to find among the other 200 crap apps on our phones or tablets. We coined this rising level of disgust "App Fatigue"...

Web apps could conceivably be a decent alternative, but only if someone gives me Settings option checkboxes labelled:

[ ] Never, ever, show me the crippled mobile version of any website at all, as long as I live. (preferred) or maybe,

[ ] Always lie to web servers so they think this is a desktop computer with a real browser. Because it's more powerful than my desktop computer, and has a real browser.

Comment: Re:Why would I work for free to make Apple rich? (Score 1) 266

by jeremyp (#46745333) Attached to: Apple's Spotty Record of Giving Back To the Tech Industry

Not true.

GPL doesn't restrict people from using the software any way they want.

Yes it does. I just downloaded a copy of GNU Readline. I want to use it in my new proprietary application that will make me $$$$$. Does the licence restrict me from using it in that way? Yes. That is by design and I do not criticise the developers for making that decision.

Which matters - let me know how trying to run Apple on non-apple hardware without paying for a license goes, in comparison to a GPL'd OS.

That is also by design and I do not criticise Apple for making that choice.

Comment: Re:Whatever you may think ... (Score 5, Insightful) 445

by jeremyp (#46723863) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

Two reasons:

The idea that many eyes make all bugs shallow is a myth. Even most programmers don't bother auditing the open source code they download. I bet most of them don't really look beyond the API documentation.

Also, OpenSSL is one of the worst code bases you'll ever set eyes on. It's poorly documented and so complex, it'll make your eyes bleed.

Comment: Yet again C bites us in the ass (Score 4, Insightful) 303

by rabtech (#46690135) Attached to: OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

Yet again, C's non-existent bounds checking and completely unprotected memory access lets an attacker compromise the system with data.

But hey, it's faster.

Despite car companies complaining loudly that if people just drove better there would be no accidents, laws were eventually changed to require seatbelts and airbags because humans are humans and accidents are inevitable.

Because C makes it trivially easy to stomp all over memory, we are guaranteed that even the best programmers using the best practices and tools will still churn out the occasional buffer overflow, information disclosure, stack smash, etc.

Only the smallest core of the OS should use unmanaged code with direct memory access. Everything else, including the vast majority of the kernel, all drivers, all libraries, all user programs should use managed memory. Singularity proved that was perfectly workable. I don't care if the language is C#, Rust, or whatever else. How many more times do we have to get burned before we make the move?

As long as all our personal information relies on really smart people who never make mistakes, we're doomed.
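The pattern the two rabtech comments above are describing (a length-field-driven over-read of the kind behind the OpenSSL 64k-chunk bug, and the bounds check that C does not perform for you) as an added example; the record format, the arena and the function names here are constructed for illustration and are not the thread's or OpenSSL's code.

```c
/* Added example, not from the thread: a Heartbleed-style over-read in C
 * next to the bounds-checked version.  Constructed record format:
 *   byte 0    : type
 *   bytes 1-2 : declared payload length (big-endian)
 *   bytes 3.. : payload                                                 */
#include <stdint.h>
#include <string.h>

#define HDR_LEN 3

/* Vulnerable: trusts the declared length and never compares it to the
 * number of bytes actually received, so it copies whatever follows the
 * record in memory. Clamping to out_cap only protects the *output*.     */
static size_t echo_unchecked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    (void)rec_len;                                 /* the bug: size ignored */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) declared = out_cap;
    memcpy(out, rec + HDR_LEN, declared);
    return declared;
}

/* Hardened: the declared length must fit inside the bytes received.     */
static int echo_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HDR_LEN) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HDR_LEN) return -1;   /* the missing check */
    if (declared > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, declared);
    *out_len = declared;
    return 0;
}

/* Constructed arena: a record carrying a 3-byte payload but declaring 10,
 * followed by data the peer was never meant to see. One array keeps the
 * demonstration inside allocated memory.                                 */
static const uint8_t arena[] = {
    0x01, 0x00, 0x0A, 'h', 'i', '!',
    'S', 'E', 'C', 'R', 'E', 'T', 0
};
static const size_t record_len = 6;   /* bytes actually received */

/* Bytes the unchecked path hands back from beyond the received record. */
size_t leaked_bytes_unchecked(void) {
    uint8_t out[64];
    size_t n = echo_unchecked(arena, record_len, out, sizeof out);
    return n > record_len - HDR_LEN ? n - (record_len - HDR_LEN) : 0;
}

/* 1 if the checked path rejects the oversized declaration. */
int checked_rejects(void) {
    uint8_t out[64]; size_t n = 0;
    return echo_checked(arena, record_len, out, sizeof out, &n) == -1;
}

/* 1 if the checked path still accepts an honest record unchanged. */
int checked_accepts_honest(void) {
    const uint8_t ok[] = {0x01, 0x00, 0x03, 'h', 'i', '!'};
    uint8_t out[8]; size_t n = 0;
    return echo_checked(ok, sizeof ok, out, sizeof out, &n) == 0
           && n == 3 && memcmp(out, "hi!", 3) == 0;
}
```

The single `declared > rec_len - HDR_LEN` comparison is the whole difference; a managed-memory language would have raised a bounds error at the `memcpy` instead of returning the neighbouring bytes.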

Comment: Re:Not enough data (Score 1) 175

by jeremyp (#46682375) Attached to: Linux Developers Consider On-Screen QR Codes For Kernel Panics

I have a better idea: how about just keeping things how they are. People using mobile phones to take a photo of a stack trace + register dump mostly works reliably (barring wobbly hands).

^^ This.

Add a bit of OCR software and you have a system that can both be read by humans without the aid of special software and by computers to produce textual output with a bit of special software (you need a bit of special software anyway for QR codes, so you don't lose anything).

Comment: Let's get some clarity here (Score 2) 564

by rabtech (#46672035) Attached to: Was Eich a Threat To Mozilla's $1B Google "Trust Fund"?

Eich was not fired. He chose to resign. Maybe he did so because he cares about the foundation and didn't want to be a distraction. Maybe he was told he'd better resign or they would lose their funding and have to lay everyone off. We don't know, but the insinuations of the original story are out of line for implying so. The truth is we just don't know.

This isn't some free speech issue or some form of inquisition trying to purge the unbelievers.

Eich chose to wade into a controversial issue by making political donations (after all, a conservative majority of SCOTUS claims money == speech). Those "free speech" statements offended a bunch of people and he chose to resign rather than drag the non-profit Mozilla foundation through an ordeal over it.

Anyone in a leadership position is certainly free to make any statements or support any political cause they want. Employees, customers/donors, etc. are also free to loudly complain or refuse to associate with the organization if they disagree. That comes with the territory. We wouldn't give Eich a pass if he were sending checks to neo-Nazi organizations. A leader always takes a risk that they'll piss people off by taking a stance. He was CTO of Mozilla at the time; he knew what the consequences could be and made the donation anyway.

A few decades ago it was accepted that blacks and whites shouldn't intermarry. Even some people who campaigned for civil rights still held such a view. If Eich were donating to a group promoting a constitutional amendment to outlaw interracial marriages almost none of you would be wringing your hands over free speech. Everyone would laugh at him for being a dumbass and move on with their lives.

Freedom of speech is not freedom from consequences. Even if someone faces no official sanctions for speaking out, they can certainly be excluded socially, even to the point of being driven out of the organization. That's how human group dynamics have always worked since we were grunting at each other and throwing pointy sticks.

Furthermore, technology has always been intertwined with personalities, politics, and the like. Only very rarely is it always 100% about the pure technology. You can write the best code in the world but if you can't play nice with others you run the risk of your code languishing in obscurity.

Social norms are changing; you can change with them, you can keep your mouth shut about it, or you can fight for the status quo. Each of those courses of action has risk associated with them. Eich chose to fight for the status quo, then chose to stick by his guns when it pissed a lot of people off, including a lot of the very people his organization depends on to contribute money and code from their own good will! That has consequences and it always has.
