Forgot your password?

Comment: ShellShock checker (Score 2) 329

by Sits (#48018603) Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

From Eric Blake's bug-bash post

bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"

If you see anything like the following:

bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
f=() { echo 2

you're still vulnerable. There may be other issues the above does not cover.

Comment: Some C compilers already have bounds checking (Score 2) 98

by Sits (#47762927) Attached to: Project Zero Exploits 'Unexploitable' Glibc Bug

You can already ask some compilers to do what you are asking - it's just often not on in shipped builds.

At compilation time warnings can be generated for out of bounds accesses that can be determined statically. Clang has -fsanitize=bounds, GCC has -Warray-bounds.

As an Anonymous Coward pointed out, it can be hard to detect runtime allocations overruns at compilation time. For these something like Clang's AddressSanitizer (GCC has added it too will help but at a cost of both time (slow down factor of 2) and space which is why you're unlikely to find it enabled on your precompiled SSH server binary. It's true there are cheaper checks (such as GCC's FORTIFY_SOURCE) that are less thorough/specialized that are often enabled by distros.

Comment: LLVM for dynamic code generation (Score 1) 61

by Sits (#47746381) Attached to: Virtual Machine Brings X86 Linux Apps To ARMv7 Devices

My understanding is that Apple have done the work to make it viable to use LLVM for certain levels of Javascript JITing so it is now feasible to use LLVM to compile long running dynamic code. Said code needs to be long running to a) build up information about the instructions being run b) offset the overhead of compilation.

Comment: Mod parent up - applicable to gzip/deflate (Score 1) 90

by Sits (#47539363) Attached to: How Stanford Engineers Created a Fictitious Compression For HBO

Sometimes you don't even need to change the file format - optimization can be applied to already compressed gzip/deflate files (which PNG uses) which can be used to create a more optimal deflate/gzip file. See tools like DeflOpt and defluff (DeflOpt can sometimes make even zopfli encoded files smaller).

Comment: Theory says it is possible (Score 1) 415

by Sits (#47413033) Attached to: Python Bumps Off Java As Top Learning Language

Any Turing complete language can mimic any other Turing complete language (but at a price) so if your language supports condition driven loops you effectively have GOTO and IF. However if we see GOTO as syntactic sugar (and thus an efficiency optimisation/control flow obfuscator) wouldn't the combination of continuations and exceptions get you what GOTO can achieve?

Comment: If a tree falls in a forest... (Score 4, Informative) 65

by Sits (#47342109) Attached to: Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype?

Whether you consider this issue is hype depends on your answer to "if a tree falls in a forest and there's no one to observe it..." thought experiment.

The author of LZ4 has a summary with regards to LZ4 (both LZO and LZ4 are based on the LZ77 compression and both contained the same flaw) - that the issue has not been demonstrated as being exploitable in currently deployed programs due to their configuration (a rather angrier redacted original reply was originally posted). So at present this issue is severe but of low importance. If a way is found to exploit this problem on currently deployed popular programs without changing their configuration then this issue will also be of high importance but since this issue has now been patched hopefully newly deployed systems wouldn't be vulnerable.

Comment: What will happen to Moreflicks? (Score 2) 59

by Sits (#47237051) Attached to: Netflix Shutters Its Public API

Moreflicks lets you see what's available on multiple streaming services based on various "best of" lists (e.g. it's unlikely Netflix will ever tie in to the IMDB top 250 but Moreflicks does) and even has support for countries like the UK. It's sad to see an ecosystem like this being removed without replacement...

Comment: Relevent unless you are using binary drivers (Score 5, Informative) 58

by Sits (#47188941) Attached to: Mesa 10.2 Improves Linux's Open-Source Graphics Drivers

Unless your graphics driver provides a full 3D stack (userspace GL libraries down to kernel drivers) you will be using Mesa on Linux. You are probably thinking of Mesa as purely a software renderer whereas it is also used as a frontend to open source 3D drivers and uses DRI to provide access to the hardware's acceleration.

I've yet to see binary any drivers use Mesa.

Comment: Lists and links of top Programming Books (Score 3, Informative) 352

by Sits (#47006457) Attached to: Ask Slashdot: What Should Every Programmer Read?

This is one of those questions that's going to keep being asked... Perhaps one day I'll be fast enough to get a first post on this that people actually read...

Link summary from last time:

General comments

  • A few people have volumes of Knuth's Art of Programming on their shelves (but it's harder to find people who have read all of them).
  • One of the consultants who taught at my University said that the Mythical Man Month and Peopleware were good. I've read these too and can also recommended them (although they are more about managing programmers rather than programming per se). The consultant also recommended Design Patterns (although he said not to read the book cover to cover but rather to just be aware of them so you could refer to them later).
  • I've heard the "Dragon Book" (Compilers: Principles, Techniques, and Tools I think is the 2nd edition) being talked of favourably.
  • Many people seem to recommend reading Godel, Escher, Bach (I'd say it's about mathematical thinking)...

I've noticed which book answers tend to fall a bunch of categories:

  • Books that talk about software engineering/management/teams.
  • Books that talk about programming languages.
  • Books that talk about Computer Science.
  • Books that improve your mathematical thinking.
  • Books that programmers like but aren't programming/maths at all.

If you're going to ask someone "which book?" try limit the categories they should give you an answer for...

Comment: OpenGL drivers on other platforms (Score 5, Informative) 158

by Sits (#46987073) Attached to: The Truth About OpenGL Driver Quality

There's a comment at the bottom of the article by David Poole that links to a post talking about OpenGL driver quality on desktop Linux and mobile Linux. The summary from that blog post is:

  • Vendor N closed source desktop Windows/Linux - Excellent. Near perfect.
  • Vendor X open source desktop Linux - Good. Highly responsive to bug reports but updates get to users slowly.
  • Vendor I closed source desktop Windows - Good but lacking useful features.
  • Vendor A1 closed source desktop Windows/Linux - Mediocre. Unresponsive to bug reports.
  • Vendor A2 closed source mobile - Bad. Buggy, vendor knows there are issues but doesn't fix them, driver limits performance forcing others to implement workarounds.
  • Vendor Q closed source mobile - Bad. Buggy, vendor is unresponsive to bug reports.
  • Vendor P closed source mobile - Unknown. Driver does not publicly support high enough version of OpenGL ES.

Comment: OSX GPU drivers probably not written by Apple (Score 3, Informative) 158

by Sits (#46986989) Attached to: The Truth About OpenGL Driver Quality

NVIDIA definitely write their own OSX drivers. I'm pretty sure AMD/ATI and Intel write their own OSX drivers too but these days GPU drivers are usually delivered with operating system updates (in a similar way that you can get driver updates through Windows update). Given how squeezing out GPU hardware documentation for Linux has been tough I don't think NVIDIA/AMD would be keen to help someone else write drivers that unlocked full functionality...

Comment: There HAVE been XP privilege escalations recently (Score 1) 423

by Sits (#46600433) Attached to: Ask Slashdot: Preparing For Windows XP EOL?

It's not entirely clear what you mean when you say "root exploit" but one interpretation is an exploit that when run as a regular user gives you administrator/root permissions. There have definitely been recent XP privilege escalations exploits for XP recently (e.g. CVE-2013-5065 leverages a bug in NDProxy).

Perhaps you meant "remote exploit" but also last year there was CVE-2013-3175 malformed asynchronous RPC request so another machine can attack your XP machine over the network with no user intervention. See this table of 2013 Windows XP CVE entries for a list of what MS have been patching...

If you are no longer able to keep your OS regularly patched it's no longer safe and you are better off using something else for online activities. Save XP for those appliances that have to use it and can be stringently firewalled/quarantined.

Comment: Electron microscopes not enough (Score 1) 237

by Sits (#46135469) Attached to: Now On Video: GCHQ Destroying Laptop Full of Snowden Disclosures

The "Can you recover overwritten data?" question was answered a few years ago in the paper Overwriting Hard Drive Data: The Great Wiping Controversy. The conclusion was with an electron microscope you could get 1 bit back but the chance of recovering more than that is negligible (and that is in the new barely used drive scenario).

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)