Please create an account to participate in the Slashdot moderation system


Forgot your password?

Comment In practice yes, though not in principle (Score 1) 129

Isn't the attack surface governed by the ports you open up on the Docker containers?

Although you describe a common case, it's not the general one. In principle the size of a software attack surface is given by the amount of code which is reachable through an attack conduit like a network, not by the "width" of the conduit.

For example, a given network service could be bound to just one IP address or to two, but its attack surface would remain the same despite double the size of the attack conduit. Likewise, a given service could be available on only one port or on N ports, yet its attack surface would not change despite any increases in the size of the conduit through which it can be reached.

(The attack surface is primarily a function of the amount of externally reachable code because the number of exploitable weaknesses is relatively constant per unit of code. Making the same code reachable through a wider conduit does not generally change its set of exploitable weaknesses.)

This assumes that the same code is being exposed regardless of the number of different IP address or port bindings of course. If this is not true because different functionality is offered on different ports then of course the size of the attack surface is no longer invariant.

Your observation is accurate in practice because the special case of "one port per service" is a very common one. It's worth recognizing that the general case is different though.

Comment Four technical interests (Score 4, Insightful) 1825

I'll add my +1 for putting Slashdot on IPv6 quickly, and then Sourceforge too when you have time. Virtually all ISPs, colos and hosting providers offer IPv6 already, and all the well known CDNs have done so for many years. With IPv6 uptake at 10% and growing ever faster, it's beginning to look bad for a tech site not to have IPv6 enabled. (It works perfectly, seamlessly and effortlessly, by the way.)

While many good ideas have been suggested in this thread, 4 of them stand out for me as very clear technical interests for many techies:

- Javascript optional and decreasing.
- Unicode.
- IPv6.

The huge interest in security and privacy among Slashdot readers make the first two items of special importance. It's no longer an innocent world of academics and enthusiasts like yesteryear, and readers need to protect themselves and the companies from which the site is often read with link encryption and effective script restrictions.

It's no surprise that use of NoScript is huge among the technical readership, nor that the JS orgy of was despised so much.

My best wishes for this new era of Slashdot. I'm looking forward to another (almost) two decades of interesting technical discussion. :-)

Comment Offering data to the public Internet (Score 5, Insightful) 127

An AC wrote:

People who don't secure their systems and devices are to blame for someone breaking into them?

There was no breaking in.

If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.

This isn't anything like breaking and entering, nor even like someone walking through a door which you left wide open. It's much more intentional on your part than that:-- you offered data to the public by creating an unrestricted access port on the Internet, your offer was accepted when someone opened that port, and then you deliberately sent your data out to that recipient. It was your choice, before and after you made the offer to the public. Nobody can force you to send your data if you don't want to. Your system wasn't hacked to change its code to something that you did not intend.

The closest analogy I can make is to imagine yourself standing on the sidewalk in the high street, an open sweet jar in one hand, and the other hand outstretched offering sweets to passers by. The highstreet is the public Internet, and your invitingly outstretched hand is the open port. If someone takes hold of the sweet, you can still prevent it from being taken by holding tightly onto the wrapper (an access restriction, perhaps you want to check that recipients are smiling first).

But if you first offer a sweet and then release it, you don't get to complain --- it was your visible intention to hand out sweets to passers by, and nobody can read your mind, only your actions. If you don't understand this then perhaps you don't grasp how Internet protocols work, and you would be best advised to stay well clear of the Internet.

You may wish that Internet protocols worked some other way, perhaps using ESP, but they don't. They work as they were defined.

Comment Food and shelter is a basic human right (Score 1) 474

Excepting Sunlight and Loss... the Earth is a closed system.

That's like saying "Except for a few billion people, the Earth is unpopulated." The statement makes no sense because the alleged "exception" shows that the exact opposite is true. And in the case of processes on Earth, the Sun's energy input to the planet is so colossal that it determines everything else, including all resources for human activity. As a consequence, the Earth is not a closed system.

That aside, our activities on the planet are all about raising human civilization out of the barbarism that once required human labour for survival. We're well past those primitive conditions now, and basic food and shelter has become a fundamental human right in civilized countries. That's why we have social safety nets, so that the less fortunate don't starve or die of cold in the streets. A basic income for all is merely the next step in this evolution of civilization in an intelligent social species.

Starting with Europe where we have many programmes devoted to raising quality of life and improving social conditions, this is clearly one of the markers on the road ahead.

Comment Put a filter box in front of full firewall (Score 5, Interesting) 265

The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.

The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.

In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.

Fix problems that you can solve. The others are not worth your time fretting about.

Comment More interesting than what it's dropping ... (Score 3, Interesting) 220

would be to know where Debian is heading.

I'd very much like to support a distro which has clearly stated technical and societal values which mirror my own, but it's hard to distinguish exactly what Debian's values are anymore. Merely embracing GPL licensing and its values doesn't really tell you a lot, because even code with ethically questionable goals can be GPL.

Perhaps it's time for a Debian Conference in which "What do we stand for?" could be addressed and made a little more specific.

Comment Lots of interesting comments at -1 (Score 0) 78

Actually, there are plenty of rational comments in this thread, but they've all been moderated down to -1.

Why all non-favourable comments have been greeted with "nuke from orbit" is an interesting question, but it's clear that in this thread, rational discussion and dissenting opinion is not welcome.

Slashdot seems to be getting more and more like this. I've been here a long time, but I can't really say I know why it's happening. I don't. Maybe the art of nuanced discussion is disappearing from public spaces in general.

Comment Oracle confuses language and operating system (Score 5, Insightful) 457

'Android has now irreversibly destroyed Java 's fundamental value proposition as a potential mobile device operating system ,'

Java is a programming language, not an operating system. Examples of operating systems are Linux and Unix.

Nothing could have "destroyed Java's fundamental value proposition as a potential mobile device operating system" because the value proposition of Java as an operating system is zero, and always has been. It's like the value proposition of an orange to be an apple.

Oracle's nonsensical claim might be merely a case of lawyers or managers showing their ignorance of the computing subject domain or just being sloppy with their terminology, which is not uncommon. However, it gets worse.

A proprietary software package may have a calculated expectation of market share and profit if there is no competition, but this is not the case with programming languages because they always have competition from countless other languages. It is especially not the case with open source programming languages because they typically enjoy multiple implementations, and these make captive markets almost impossible to maintain.

It seems therefore that Oracle's market expectations were based on a flawed analysis.

That mistake would have made any market expectations unsafe, but any expectations were dealt a further blow by Oracle's highly abusive attempt to copyright SSO in their litigation against Google. This must have alienated practically everybody who knows anything about programming, and the likelihood is high that many Java programmers who had other languages available must have abandoned Java like the plague to avoid potential SSO copyright liability.

In other words, if anyone killed off interest in Java, it was probably Oracle themselves.

Comment Spam stems from lack of negative feedback (Score 5, Interesting) 114

Control Theory is applied mainly to electronic systems, but it's equally applicable to all systems everywhere, with no exception. That includes networking, and it even governs human systems.

It's a truism in Control Theory that a system without negative feedback is a system that is out of control. All non-trivial systems without negative feedback head towards an uncontrolled state on the slightest perturbation of initial conditions.

Email is one such system. It was designed without negative feedback back in the early days of the academic Internet before malicious actors appeared on the scene. Because there is no "cost" associated with sending an email, the system went out of control --- the primary effect of that is spam. (This "cost" has nothing to do with money.)

In Control Theory terms, "cost" is any control metric that tracks an undesired effect and reduces that effect when applied to its cause. One of the most universal undesired effects is resource consumption, and that's directly applicable to the email problem because many kinds of resources are used up by spam when it arrives at MTAs and at end-user mailboxes --- examples are CPU time, storage space, network bandwidth, end-user time, and many other things. They're all resources, and spam is the direct result of the spammer feeling no "cost" when he consumes other people's resources. There is no negative feedback being applied to his posting of spam.

"Cost" in the control theoretical sense could be many things when applied to email, for example a slowdown in the spammer's ability to post his next email proportional to the rate of sending and to the number of recipients. There are dozens of possible ways to make a spammer feel a "cost" as negative feedback for his actions, many of them leaving normal mail users entirely undisturbed by the negative feedback. Unfortunately email has none of these control methods available, and it probably never will because it's too late in the day.

One day however, a new asynchronous communication protocol will be designed to replace SMTP. It must be designed with a mechanism for negative feedback integral to the protocol and non-optional, or else the spam problem will appear again, sure as night follows day.

Note that we have many other systems out of control in computer networking, it's not just email. For example, there is no negative feedback applied to rampant abuse of user-side scripting by web pages. Web developers feel no cost regardless of how much end-user CPU, storage, or network bandwidth they employ, and since there is no negative feedback applied to their over-use, browsers typically have their CPUs pegged at 100% and the Web has turned to molasses. As techies we try to control the Web excesses with NoScript (for example) just as we try to control spam with SpamAssassin, but these are just fighting symptoms. You can't cure a disease by fighting symptoms.

This is a universal truth. No negative feedback spells trouble ahead.

Comment Mob dev is design by the least experienced (Score 1) 126

There's a problem with mobs: they gang up and lynch anyone who isn't part of the mob.

This doesn't happen just in westerns. It's been happening since the dawn of time, because it's a natural property of crowds: the least able thinkers are the ones most likely to be swayed by group-think. And one of the strongest group-think arguments is "Outsider, danger to group, kill it", which is a very effective survival M.O. for life below a certain threshold of intelligence. The combination of these two aspects of mob behaviour is predictable.

That makes TFS and TFA a bit of an exercise in wishful thinking. Development by mobs could (in theory) work well, but only in the very unlikely situation that the mob has a statistically improbable makeup in which independent thinkers are dominant and are also well informed and technically experienced. Unfortunately that scenario lies in "pigs will fly" and "hell freezes over" territory.

The perfect number in team programming is two people of similar experience, because then they can't gang up and form a lynch party. If they don't immediately agree then it creates a stalemate which can be broken only by rational explanation / defence or by terminating the pairing. It's an ideal situation, yet not too hard to arrange.

Mobs don't really have a place in intellectual endeavours, and programming is one of those.

Comment You will not be able to reach device endpoints (Score 1) 595

What will is miss?

On IPv4, you won't be able to reach the endpoints of millions of computers and other devices that have IPv6 addresses now (eg. Android always looks for IPv6 connectivity on startup). This is relevant not only in the east where new IPv4 address blocks are no longer available, but also here in the west where IPv6 deployment is continuing and accelerating.

Your "What will I miss?" question is pure IPv4 thinking, because in IPv4, NAT makes almost everything except static public servers inaccessible as individual device endpoints are typically hidden. That's a severe limitation in IPv4, and you've become conditioned by it and so you're expecting a reply involving a list of websites. It's incredibly narrow thinking.

With IPv6, a user on any random portable device can share an object with you directly, not needing to upload it to a public website first. You could be chatting with them on IRC and they write "Hey look at this wierd stuff I'm seeing on my phone", and you just point a browser or image app at their IPv6 address and bingo, you see whatever they're making available, live. You can't do that with IPv4 because there aren't enough IPv4 addresses available for every device to have one, and connections to arbitrary endpoints are typically blocked by NAT anyway.

That's why in IPv4 people have to upload stuff they want to share to public websites first, which is annoying and limits the content protocols that can be used. Applications can be much more versatile and immediate in IPv6, and you will be missing all that directly-available content if you can't reach the IPv6 endpoints of devices. It can't be done on IPv4.

Comment List of benefits of IPv6 for dumb END USERS (Score 1) 595

What are the beneficial FEATURES to dumb end users?

I'll bite, as that's a perfectly reasonable question. OK, no technical info at all in the following list, the technical answers are given in detail elsewhere.

Benefits of IPv6 for dumb (meaning non-technical) END USERS:

- All protocols work over IPv6, unlike the breakage on IPv4.
- IPv6 "just works" without user setup, great autoconfiguration.
- As many public IP addresses as you want for devices on IPv6.
- Safer because network security is built into IPv6, not optional.
- Add IPv6 to see the whole Internet, not just the IPv4 part.
- New quality of service features for stutter-free video or gaming.
- Faster networking for a better all-round user experience.

Each of these 7 benefits has a technical reason for which the corresponding improvements were added to IPv6 by design to improve on IPv4. These benefits are available to everyone, and non-technical users don't need to understand the details to enjoy the benefits.

Comment IPv6 has been working fine, no issues (Score 4, Insightful) 595

The official "switch-on for good" of IPv6 a year ago was entirely seemless in my experience. There wasn't anything to fix, as nothing was broken, and IPv6 autoconfiguration handles everything so there isn't even any setup involved, it just works. This simplicity will be a boon for non-technical users once the IPv6 rollouts gain steam.

Unfortunately the ISPs are still dragging their feet and so public rollout is slow, but it's an always upward trend, and the adoption curve is close to exponential so IPv6 will be ubiquitous before long. So many ISPs are currently planning their rollouts that there's going to be a sudden upsurge when they finally appear.

People shouldn't talk about switchover to IPv6 though, that's not how it works. IPv4 and IPv6 networks run together side by side, and you use both together. Your application (eg. browser) generally picks IPv6 if your destination is accessible on that network, or else it falls back to IPv4. This is all automatic of course. It's better described as a switch on of IPv6 by your ISP followed by your gradual increasing use, not a switchover. There is no plan to switch off IPv4. The last remnants of IPv4-only equipment could still be around and operational for decades ahead.

IPv6 works so well that I recommend everyone to get on it as soon as they can. You'll be able to see 100% of the Internet, whereas if you don't have IPv6 then you're only seeing a part of it. IPv4 is by far the larger part for now of course, but it's not all of it, and the parts you can't reach are growing daily.

Happy First Anniversary of the official turn-on, IPv6! :-)

Comment Megacorps are hostile to the open Internet (Score 4, Insightful) 69

The Internet was founded upon the idea of open interoperation between all endpoints and federation between different instances of the same service protocol (think of SMTP and globally interoperating MTAs). These concepts were so fundamental that they are mentioned explicitly in the IETF Mission Statement as their central goal.

Then Big Business came along, and they didn't like the concept of a level playing field of unhindered interoperation and federation. Now almost every large corporation is trying to fence off their little corner of the Internet into a private realm which they guard jealously. Other companies are denied interoperation unless they pay up (or it's denied entirely), and federation between like services is virtually unknown. There is no "Facebook service" which anyone can install and then be able to federate their content to and from Facebook as peers.

Virtually all of the megacorps today are behaving this way: Facebook, Google, Amazon, Yahoo, Apple, Microsoft, and so on. They all hate the open Internet, and have closed it off at the application layers of the protocol stack so that you have to be an enrolled member of their private realm to participate. The closing of APIs is par for the course as they don't want interoperation, and federation even less. TFS is spot on.

At least we still have federated SMTP and unrestricted search engines, although probably that's only because they're data mining our email and search queries. It's no longer the open Internet we once had, but more a system of feudal lords and their private domains, and everyone else is a peasant.

It's a severe regression of Internet utility, and it's of benefit only to them.

Slashdot Top Deals

It is difficult to soar with the eagles when you work with turkeys.