
Comment: "Google Now" and "OK Google" are different (Score 1) 35

by Sits (#48654201) Attached to: Chromebook Gets "OK Google" and Intel's Easy Migration App

If you have an appropriate Android device Google Now will (apparently) display information based on your current context (e.g. if your phone learns where work and home are it might display information about traffic jams on the route home around the time it believes you will be traveling). You need a logged in Google account to use this feature.

OK Google is a way of using your voice to interact with your device (or Chrome web browser). So if I have the appropriate phone and it's been set to listen I can say "OK Google" and it will activate an app/mode where it will accept further voice input. On the Android phone I saw (and in my Chrome web browser on OS X) I can then ask it "What's the weather like?" and it pops up some weather related information and speaks back "It's ten degrees in ". Sometimes when you ask it questions it just does a web search; other times (on the device) it would start applications (e.g. mail) and so on. You do not need to be logged into Google to use this feature.

Comment: It's possible to beat good testing... (Score 1) 169

by Sits (#48234295) Attached to: Tetris Is Hard To Test

...but not without a price. If you can mathematically construct your program then you can prove that it is free from defects providing enough assumptions hold (the specification is correct, the tools used to build it are correct, the proof of correctness is correct, you had enough money/time/skill to do the process etc). For the time being, it's not possible to formally verify most programs that have already been written in mainstream languages so other techniques like testing will remain useful tools.

Comment: ShellShock checker (Score 2) 329

by Sits (#48018603) Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

From Eric Blake's bug-bash post

bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"

If you see anything like the following:

bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2

you're still vulnerable. There may be other issues the above does not cover.
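An added example, not part of the original comment or of Eric Blake's post: a small script that runs the check above and looks for the two markers in the vulnerable output. The function names and the patched-system sample are assumptions made for this illustration; the vulnerable sample is the output quoted in the comment.

```shell
#!/bin/sh
# Added example: classify the output of the check quoted in the comment.

# Run the check exactly as quoted, folding stderr into stdout.
run_check() {
    bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='" 2>&1
}

# Print "vulnerable" if either marker from the comment is present.
classify_output() {
    out="$1"
    # Marker 1: the plain variable g, whose value merely starts with
    # "() {", was parsed as a function definition on import.
    if printf '%s\n' "$out" | grep -q 'error importing function definition'; then
        echo vulnerable
        return 0
    fi
    # Marker 2: the exported function f travels in an ordinary
    # environment variable named f, so it shows up under ^f=.
    if printf '%s\n' "$out" | grep -q '^f=() {'; then
        echo vulnerable
        return 0
    fi
    echo no-marker
}

# Sample 1: the output quoted in the comment.
VULN_SAMPLE=$(cat <<'EOF'
bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2
EOF
)

# Sample 2: constructed for this example (assumed output where g is
# left alone as a plain string and f is not exported under the name f).
PATCHED_SAMPLE=$(cat <<'EOF'
1 () {
2
f=1
EOF
)

# Live run only on request: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    classify_output "$(run_check)"
fi
```

As the comment says, a result of `no-marker` only covers this one check.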

Comment: Some C compilers already have bounds checking (Score 2) 98

by Sits (#47762927) Attached to: Project Zero Exploits 'Unexploitable' Glibc Bug

You can already ask some compilers to do what you are asking - it's just often not on in shipped builds.

At compilation time warnings can be generated for out of bounds accesses that can be determined statically. Clang has -fsanitize=bounds, GCC has -Warray-bounds.

As an Anonymous Coward pointed out, it can be hard to detect runtime allocation overruns at compilation time. For these something like Clang's AddressSanitizer (GCC has added it too) will help but at a cost of both time (slow down factor of 2) and space which is why you're unlikely to find it enabled on your precompiled SSH server binary. It's true there are cheaper checks (such as GCC's FORTIFY_SOURCE) that are less thorough/specialized that are often enabled by distros.

Comment: LLVM for dynamic code generation (Score 1) 61

by Sits (#47746381) Attached to: Virtual Machine Brings X86 Linux Apps To ARMv7 Devices

My understanding is that Apple have done the work to make it viable to use LLVM for certain levels of Javascript JITing so it is now feasible to use LLVM to compile long running dynamic code. Said code needs to be long running to a) build up information about the instructions being run b) offset the overhead of compilation.

Comment: Mod parent up - applicable to gzip/deflate (Score 1) 90

by Sits (#47539363) Attached to: How Stanford Engineers Created a Fictitious Compression For HBO

Sometimes you don't even need to change the file format - optimization can be applied to already compressed gzip/deflate files (which PNG uses) which can be used to create a more optimal deflate/gzip file. See tools like DeflOpt and defluff (DeflOpt can sometimes make even zopfli encoded files smaller).

Comment: Theory says it is possible (Score 1) 415

by Sits (#47413033) Attached to: Python Bumps Off Java As Top Learning Language

Any Turing complete language can mimic any other Turing complete language (but at a price) so if your language supports condition driven loops you effectively have GOTO and IF. However if we see GOTO as syntactic sugar (and thus an efficiency optimisation/control flow obfuscator) wouldn't the combination of continuations and exceptions get you what GOTO can achieve?

Comment: If a tree falls in a forest... (Score 4, Informative) 65

by Sits (#47342109) Attached to: Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype?

Whether you consider this issue hype depends on your answer to the "if a tree falls in a forest and there's no one to observe it..." thought experiment.

The author of LZ4 has a summary with regards to LZ4 (both LZO and LZ4 are based on the LZ77 compression and both contained the same flaw) - that the issue has not been demonstrated as being exploitable in currently deployed programs due to their configuration (a rather angrier redacted original reply was originally posted). So at present this issue is severe but of low importance. If a way is found to exploit this problem on currently deployed popular programs without changing their configuration then this issue will also be of high importance but since this issue has now been patched hopefully newly deployed systems wouldn't be vulnerable.

Comment: What will happen to Moreflicks? (Score 2) 59

by Sits (#47237051) Attached to: Netflix Shutters Its Public API

Moreflicks lets you see what's available on multiple streaming services based on various "best of" lists (e.g. it's unlikely Netflix will ever tie in to the IMDB top 250 but Moreflicks does) and even has support for countries like the UK. It's sad to see an ecosystem like this being removed without replacement...
