
Comment: I'm one of the two (Score 1) 7

by gmhowell (#48887335) Attached to: Well, crap...

I think I'm one of the two who bought from Amazon. I don't care if you put it up for free. If it really bugs you that much, take the two bucks and give it to the next homeless person you see, or in the tip jar somewhere, or whatever. (Actually, I thought I said before that you could do that :)

Comment: Re:Impressive (Score 1) 79

by IamTheRealMike (#48874623) Attached to: Oracle Releases Massive Security Update

How many unauthenticated remote exploits in a HTTP stack does it take to lose a customer?

Not many, I should imagine, but your comment is irrelevant because there were no such bugs fixed in this Java update. The way Oracle describes these bugs is horribly confusing. Normally we expect "remotely exploitable without authentication" to mean you can send a packet across the network and pwn the box. If you actually check the CVEs you will see that there's only one bug like that, and it's an SSL downgrade attack - doesn't give you access to the box. All the others are sandbox escapes. If you aren't trying to sandbox malicious code then they don't affect you.

Comment: Re:But Java... (Score 1) 79

by IamTheRealMike (#48874605) Attached to: Oracle Releases Massive Security Update

Java doesn't have security holes like C or C++ .... or so I was told.

Then again, I haven't seen too many security patches for gcc or libstdc++ or glibc

You're comparing apples and oranges. The "remotely exploitable bugs" in this Java update, like all the others, are assuming you download and run malicious code in the sandbox. GCC and glibc don't have protecting you from malicious code as a goal, in fact Linux typically requires all software to be installed as root no matter what. Obviously if you never even try, you cannot fail.

The interesting story here is not so much that sandboxes have holes (look at the Chrome release notes to see how many security holes are fixed in every update), but rather that the sandbox makers seem to be currently outrunning the sandbox breakers. In 2014 Java had security holes, but no zero days at all - all the exploits were found by whitehat auditors. Same thing for Chrome, people found bugs but they were found by the good guys.

I'm not sure if this means the industry is finally turning a corner on sandboxing of mobile code or not, but it's an interesting trend.

Comment: Re:Speed Metal is love (Score 1) 121

as someone who saw Carcass and Obituary in Nov, and who is about to see Napalm Death (and Voivod, and Black Crown Initiate, and Ringworm, and ...)... WTF does your post have to do with anything?

OH!

You're saying that these intense, but short, broadcasts are examples of interstellar speed metal; a-la Napalm Death's sub-second song "You Suffer" ... ?

then say so!

Comment: Re:This has been know for a while... (Score 3, Insightful) 121

don't be a hater; it's a solid "B" effort from the parent-post. You can argue it down to a "C", but that's as far as you'll get. Lulling the reader into submission (your complaint about it taking too long) is an actual STRATEGY. Are you familiar with how certain readers can gloss over typos? That's what our beheaderaswp is using as a trapping action. Now you can also argue that the barb "never going to give" isn't worth burying with the lead-up, but while humor bursts from the unexpected there is also a joy in the familiar. I'm sorry if this attempt isn't up to your standards, but it hits the standard.
