Patents

Patent Trolls On the Run But Not Vanquished Yet 56

Posted by samzenpus
from the don't-forget-the-fire dept.
snydeq writes Strong legislation that will weaken the ability of the trolls to shake down innovators is likely to pass Congress, but more should be done, writes InfoWorld's Bill Snyder. "The Innovation Act isn't an ideal fix for the program patent system. But provisions in the proposed law, like one that will make trolls pay legal costs if their claims are rejected, will remove a good deal of the risk that smaller companies face when they decide to resist a spurious lawsuit," Snyder writes. That said, "You'd have to be wildly optimistic to think that software patents will be abolished. Although the EFF's proposals call for the idea to be studied, [EFF attorney Daniel] Nazer doesn't expect it to happen; he instead advocates several reforms not contained in the Innovation Act."
GNU is Not Unix

Serious Network Function Vulnerability Found In Glibc 211

Posted by Soulskill
from the audits-finding-gold dept.
An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.
Networking

Ask Slashdot: Migrating a Router From Linux To *BSD? 403

Posted by timothy
from the hiring-a-new-traffic-cop dept.
An anonymous reader writes I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs. Question one is: which BSD? Question two: where's some good documentation regarding setting up a home router/firewall on your favorite BSD?
It's fine if the documentation is highly technical, I've written linux kernel drivers before :)
Debian

SystemD Gains New Networking Features 553

Posted by samzenpus
from the making-things-better dept.
jones_supa writes A lot of development work is happening on systemd with just the recent couple of weeks seeing over 200 commits. With the most recent work that has landed, the networkd component has been improved with new features. Among the additions are IP forwarding and masquerading support (patch). This is the minimal support needed and these settings get turned on by default for container network interfaces. Also added were minimal firewall manipulation helpers for systemd's networkd. The firewall manipulation helpers (patch) are used for establishing NAT rules. This support in systemd is provided by libiptc, the library used for communicating with the Linux kernel's Netfilter and changing iptables firewall rulesets. Those wishing to follow systemd development on a daily basis and see what is actually happening under the hood can keep tabs via the systemd Git viewer.

Comment: "Google Now" and "OK Google" are different (Score 1) 35

by Sits (#48654201) Attached to: Chromebook Gets "OK Google" and Intel's Easy Migration App

If you have an appropriate Android device Google Now will (apparently) display information based on your current context (e.g. if your phone learns where work and home are it might display information about traffic jams on the route home around the time it believes you will be traveling). You need a logged in Google account to use this feature.

OK Google is a way of using your voice to interact with your device (or Chrome web browser). So if I have the appropriate phone and it's been set to listen I can say "OK Google" and it will activate an app/mode where it will accept further voice input. On the Android phone I saw (and in my Chrome web browser on OS X) I can then ask it "What's the weather like?" and it pops up some weather related information and speaks back "It's ten degrees in ". Sometimes when you ask it questions it just does a web search; other times (on the device) it would start applications (e.g. mail) and so on. You do not need to be logged into Google to use this feature.

Comment: It's possible to beat good testing... (Score 1) 169

by Sits (#48234295) Attached to: Tetris Is Hard To Test

...but not without a price. If you can mathematically construct your program then you can prove that it is free from defects providing enough assumptions hold (the specification is correct, the tools used to build it are correct, the proof of correctness is correct, you had enough money/time/skill to do the process etc). For the time being, it's not possible to formally verify most programs that have already been written in mainstream languages so other techniques like testing will remain useful tools.

Comment: ShellShock checker (Score 2) 329

by Sits (#48018603) Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

From Eric Blake's bug-bash post

bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"

If you see anything like the following:

bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2

you're still vulnerable. There may be other issues the above does not cover.

Data Storage

WD Announces 8TB, 10TB Helium Hard Drives 296

Posted by Soulskill
from the ballooning-storage-capacity dept.
Lucas123 writes: Western Digital's HGST subsidiary today announced it's shipping its first 8TB and the world's first 10TB helium-filled hard drive. The 3.5-in, 10TB drive also marks HGST's first foray into the use of shingled magnetic recording technology, which Seagate began using last year. Unlike standard perpendicular magnetic recording (PMR), where data tracks rest side by side, SMR overlaps the tracks on a platter like shingles on a roof, thereby allowing a higher areal density. Seagate has said SMR technology will allow it to achieve 20TB drives by 2020. That company has yet to use helium, however. HGST said its use of hermetically-sealed helium drives reduces friction among moving drive components and keeps dust out. Both drives use a 7-platter configuration with a 7200 RPM spindle speed. The company said it plans to discontinue its production of air-only drives by 2017, replacing all data center models with helium drives.

Comment: Some C compilers already have bounds checking (Score 2) 98

by Sits (#47762927) Attached to: Project Zero Exploits 'Unexploitable' Glibc Bug

You can already ask some compilers to do what you are asking - it's just often not on in shipped builds.

At compilation time warnings can be generated for out of bounds accesses that can be determined statically. Clang has -fsanitize=bounds, GCC has -Warray-bounds.

As an Anonymous Coward pointed out, it can be hard to detect runtime allocation overruns at compilation time. For these something like Clang's AddressSanitizer (GCC has added it too) will help, but at a cost of both time (slow down factor of 2) and space, which is why you're unlikely to find it enabled on your precompiled SSH server binary. It's true there are cheaper checks (such as GCC's FORTIFY_SOURCE) that are less thorough/specialized that are often enabled by distros.

Comment: LLVM for dynamic code generation (Score 1) 61

by Sits (#47746381) Attached to: Virtual Machine Brings X86 Linux Apps To ARMv7 Devices

My understanding is that Apple have done the work to make it viable to use LLVM for certain levels of Javascript JITing so it is now feasible to use LLVM to compile long running dynamic code. Said code needs to be long running to a) build up information about the instructions being run b) offset the overhead of compilation.
