Follow Slashdot stories on Twitter


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:Ummmm ... duh? (Score 1) 365

by TemporalBeing (#49356175) Attached to: Modern Cockpits: Harder To Invade But Easier To Lock Up

Rather than locking the co-pilot out, just shoot/stab them, and keep the door locked.

Pilots have to go through the same security checks the passengers do. Or, at least, the pilots in the US do - I've seen them in the security checkpoints several times.

They also have access to weapons on the plane, provided to them for the sole purpose of protection. Whether an axe or a pistol locked in a safe, either is sufficiently useful.

Then again, as a friend said - your car keys are enough; as is a pen or pencil. So there's plenty of tools that they could use that they are legally able to get through the security check points too.

Comment: Re:Ummmm ... duh? (Score 1, Interesting) 365

by TemporalBeing (#49356145) Attached to: Modern Cockpits: Harder To Invade But Easier To Lock Up

Much less likely, I'd be more worried about the "depressed narcissistic arsehole" overpowering the stewardess and crashing the plane anyway. I suspect (ok, assume) this is what happened to that Air Malaysia plane just over a year ago, the one which vanished without trace.

Well since we're throwing out conspiracy theories... The very lack of them finding the plane (MH370) at all means that it more than not it did not crash, but was hijacked in some form and taken elsewhere. One credible person that had access to much of the data surmized that they likely took the route north, not south where everyone insists on looking, and were able to land near or in Russian territory at a site that after years of neglect happened to have a lot of activity and rebuilding of a hangar-like building that was big enough to hold the Beoing 777.

Well, I'm not sure if they made it that far. But I said from day one that it the lack of finding the plane or any evidence that it crashed thus far lends more and more to the the flight being hijacked, and we'll likely see it next when whomever decides to crash it into a building somewhere.

Now whether the pilots were in on it, or a passenger was able to access the controls via computer connections and then override the pilots is something entirely different. In either case, if it was hijacked then it's likely backed either by a nation state (e.g Russia) or a sufficiently large well funded terrorist organization (e.g Al Qaida). Which one we'll likely never know.

Comment: Re: Centralized on GitHub! LOL! (Score 1) 113

The modding here is atrocious.

The GP is right, and you are wrong.

There is only one form of decentralization involved here.

Even if git users have their own copies of a repo, it is not trivial to share changes among more than a couple of users, especially if they are on distinct networks with firewalls and other hindrances.

That is why GitHub is used.

All true.

GitHub negates the decentralization of git in order to make it practical for real world use.

GitHub being down may not be a problem for your rinky-dink one-man JavaScript library project that nobody uses.

But for real projects with distributed teams consisting of numerous people the decentralization of git is a big problem.

GitHub is the only practical solution to the problems of decentralization.

This can actually be mitigated by several different means:

  • 1. Using multiple Git services - e.g Git Hub AND Gitorious or Public GitHub and Git Hub for Enterprises if you use private repositories
  • 2. Using your own servers as well - e.g. Qt has gitorious but also their own servers

It's just a matter of deciding where the "master" copy resides and keeping them all (hopefully automatically) in sync.

Now, this can be managed with tools like Subversion too, using replication, but it's no where near as nicely done as it is in git.

However, if you don't take the time to do the replication between several services then yes, you are risking this kind of situation.
Or, you could take advantage of this kind of replication by using the DVCS nature of git to your advantage.

Comment: Re:is this good? (Score 1) 159

OpenVMS handles invalid logons correctly. It locks out the terminal (that is, the network address) of the intruder. Why Microsoft, and most of the rest of the industry, does not understand how this is more secure and less vulnerable to DOS, I don't know.

It's usually policy based, though things like fail2ban make it easy to do for most logon methods. Even then, you cannot necessarily just use the IP address for blocking.

For instance, on your Windows system if a user locks their account, another user can come along an login (f.e support admin) and will still need to be able to validate against the domain. Once you enter into a centalized logon control that kind of things becomes a requirements. Otherwise you risk locking all your computers without any way to support them or risk severely increasing your organizations' internal help desk support load; this is often mitigated by using time period lock outs on the accounts.

So sadly there is no single, perfect solution to the issue. It's just a matter of which trade-offs are acceptable.

Comment: Re:Never going to happen (Score 1) 137

They do not and will not account for such situations because there isn't enough political power to slap the politicians in the mouth, make them look in your eye, and tell them how it is...

The powerful interests have that power which is why they get exemptions built into the system and the laws are generally tailored for their operation.

Anyone that can't do that tends to get fucked.

And as the system gets larger you have to hit the politicians in the face progressively harder to get them to pay attention.

As the system gets larger only the very largest interest get any attention at all. Which means all the less powerful interests are ignored. Outright irrelevant.

And that is a problem when entire countries or states in your government fall into that category.

No government or state can be irrelevant. And if they are then your system was poorly designed or you've grown too large for your existing system.

Not saying that is not a problem; and I don't know the comparison in EU but it's probably not much different than in the US in that SMBs (Small-Medium Businesses) make up the vast majority of businesses in the US, while no one single business has a lot of clout, there are organizations that tend to represent a majority of them and are big enough to be able to combat the larger (Large Businesses and Enterprise) organizations. In some cases, the SMBs get represented several times - between the various SMB organizations, Chambers of Commerce at different levels, etc. This is why many things - like the Family Medical Leave Act (FMLA), Americans with Disabilities Act (ADA) - are progressive in nature in the US; if fully enforced on SMBs they would put those companies out of business entirely so they are progressive in that as the business grows in size (revenue or number of employees depending upon the law or regulation) then more things kick in. For FMLA and ADA the first things kick in at around 50 employees, more at 100, more at 500, etc.

I use FMLA and ADA b/c I'm familiar with how they kick in; however, I know there are many others that are structured similarly but use different measures. For instance, Business Licenses usually have a revenue portion associated with them so you pay X + Y*M where X is the base, Y is your pre-tax revenue, and M is the progressive multiplier based on how big Y is.

Again, I don't know how well the comparison holds up for the EU, but I imagine it's not much different.

Comment: Re:It depends (Score 1) 482

by TemporalBeing (#49347683) Attached to: No, It's Not Always Quicker To Do Things In Memory

Well, yeah, but that's not going to work consistently. Worst case is if the string is on the stack you'll smash the stack and likely have a memory access error. If it's on the heap you'll likely get the error quicker.

I wouldn't even think of writing a program in the manner in which their sample was written, but if I was trying to solve their basic "problem" there are better ways to go about it.

That depends on your program, and how much memory was allocated and when it would get detected. The OS is not going to detect anything until you try to leave the bounds of the program itself. Take the following function for instance:

void runOverBuffer(void)
char* buffer[10]; // 10 bytes
char* buffer2[1*1024*1024*1024]; // 1 GB

You can extend buffer into buffer2 without any detections going off, or even any ill-effects until you surpass buffer2 and all the other variables in the function.

Heap allocated functions are a little more tricky but even then you can produce the same kind of behavior if you really wanted to - even with the HEAP randomization, which really doesn't protect the program internally, it only protects the program from the libraries the program uses by randomizing where they are loaded.

And since you control the program, you can control the optimizations so that the only that would mess you up - by re-arranging variables - are not run.

As I pointed out elsewhere, the point is not that it's the right way to do it. It's that it is possible to do in C, just as possible as in Assembly.

Comment: Re:It depends (Score 1) 482

by TemporalBeing (#49347623) Attached to: No, It's Not Always Quicker To Do Things In Memory

If that's your idea of "extending a string" then perhaps you should be using a language which protects us from you, er, I mean you from yourself.

It was meant a counter to the GP saying that it was impossible to "extend" a string in C .

Not saying it's the correct way to do it, just that there are possibilities that the GP did not even consider, probably b/c they were taught to program using a language that protects them too much.

Comment: Re:is this good? (Score 1) 159

by TemporalBeing (#49347547) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

Between B and C, the attackers (and anyone they've sold the dump to) are busy cracking the passwords (assuming they weren't stored in plaintext) offline. They don't have to worry about being locked out after 3 fucking attempts. No one does brute force / dictionary attacks against online fucking data you clown. You take the data offline and fuck on it at full speed.

They do the brute force thing in A before they have access and time it such that they don't hit the lock outs.

For instance, most Windows systems will lock an account for 30 minutes when you hit the lockout. After 30 minutes, you're free to try again. Other systems behave similarly; most never do a true lockout.

So what do they do for A? Loop over a list, try the entry until locked out or gain access. If locked out, put it back in the queue and try again later. Move to the next entry.

If you want to observe this, just run an SSH server and monitor your logs. After the server gets noticed you'll see this happening quite a bit. Using tools like "fail2ban" help significantly, but that just means they have to hit from multiple IPs to do the same thing, which bigger cracker organizations will certainly be doing to start with any how.

Comment: Re:Never going to happen (Score 1) 137

Many of the regulations are only contextually relevant. The best example would be comparing very small farms with very large farms. The health and safety requirements for a large farm are needed. However in smaller operations they don't have the same contamination issues and so they're not relevant.

That depends on the regulation, the cause, etc. Yes there may not be as much potential for contamination, but there is still a possibility. The regulations therefore should be progressive in nature much like many other things - if you exceed X then Y applies.

You can also look at small cattle ranches and dairy operations. A small dairy farm for example can generally produce completely safe milk without pasteurization.

Actually that is a very bad example. A small dairy farm is actually more like to have certain issues than a large one. For instance, if the cattle are range fed then the propability of "bad feed" (e.g a cow eating a plant that when passed through in the milk can be dangerous to humans) goes up significantly with a smaller number of cattle to mix it together with, especially since the possibily that more cattle ate the "bad feed" goes up too. This is taken care of through homogonization; but pasteruization also has a good and equal roll even for small dairy farms.

It became a health issue when they started making much larger operations.

This lack of context is typical of the issue. You look at what is relevant in YOUR area and then you assume and project those assumptions on to everyone else.

That is sometimes fine and often it is not fine.

True, pasterization does play a bigger role in larger dairy farms where milk is more likely to sit for longer periods of time, thus breeding more bacteria, etc. That doesn't make it irrelevant for smaller dairy farms though.

But to your point, yes regulations need to be in context and implemented progressively against the size of the organization they are regulation.

Comment: Re:The consumer DID choose. (Score 1) 137

And since none of them chose B-E graded white goods, there was no demand for them and they weren't produced.

YOUR way ensures that no matter what happens, "regulation was bad!". You claim that regulation should not decide what standards you use and forbid any other because the informed consumer will decide. And if they inform the user and they decide to buy only goods that obey the standard, either they stop producing anything and "the regulation removed the choice!". If the government forced producers to continue to supply all choices, you'd whine about that enforcement too.

I should be allowed to use fake money to pay for goods, otherwise the choice of who will do business with me and sell be stuff in return for a proffer of "cash" will be removed! BAN REGULATION ON CURRENCIES!!!

Not necessarily. It's not necessarily that "none of them chose B-E graded white goods". It's that there was not enough chosing the "B-E graded white goods" that the distributors decided it was not worth it, and thereby cut off the supply of B-E graded white goods. May be the A graded white goods high a higher margin or something else that caused the distributor to prefer the A grade over the B-E grades.

In other words, it could be a false consumer choice - one that was not really given to the consumer.

I run into this a lot. There's a number of products that I use to buy but can no longer get because the distributors decided it was in their interest to carry it. The local stores then go "well the distributor doesn't have it so I can't get it for you", and so forth. It hurts products and buyers alike. It hurts the market because it artificially destroys demand that would otherwise be there.

And, to top it off, economists don't take it into account. They just assume that if there are buyers they will buy it. They don't take into account distributors artifically changing the options available to buyers.

Comment: Re:It depends (Score 2) 482

by TemporalBeing (#49337655) Attached to: No, It's Not Always Quicker To Do Things In Memory

Even if you wrote this in C in the style in which they did it the program would be slow. Since there's no way to "extend" a C string, it would require determining the length of the current string (which involves scanning the string for a null byte), malloc'ing a new buffer with one more byte, copying the old string and then adding the new character and new null byte. Scanning and copying are both going to require an operation for each byte (yeah, it could be optimized to take advantage of the computer's word length) on each iteration, with that byte count growing by "1" each time.

Actually, you can "extend" a C-style string just fine in C - just replace the NULL byte with another byte. It's a common error in C programs to miss the NULL byte.

This works because C doesn't do boundary checks and will gladly let you overwrite your stack or heap.

Unlike Java, C doesn't try to protect you from yourself.

Comment: Re:More important to me (Score 1) 193

What about all the PCs that were shipped with valid licenses, but for whatever reason, techs (such as myself) have had to install a fresh copy of Windows on the box. Could be a failed drive, or other failed hardware, or whatever, reason doesn't matter too much. The point is that it shipped with a legit copy of Windows, and often times doesn't have a recovery disk or an OEM copy of Windows. What are we supposed to do then as techs? Tell the customer "SUCKS TO BE YOU" or "GOTTA PAY FOR THE THING YOU ALREADY PAID FOR, AGAIN" - or just suck it up and install a "non-genuine" license key on the box? Are these users totally SOL out of having a genuine upgrade to Windows 10 because the previous version of Windows that shipped with the system became broken?

Because in that case you should call the computer manufacturer and get a copy of the installation disks to restore onto the new drive with.

While I'm aware most people don't, if I was buying a Windows computer, I wouldn't buy it without the restore disks for that exact reason. HP charges $19 for the disks; BestBuy will make the disks for you for a small fee too.

In the end, there is zero reason to have to re-buy the Windows OS in order to help your customers.

P.S You can only use an OEM License with an OEM installation; so a Retail installation set won't work with the OEM license on the box. If you're a support shop then you should have a copy of the OEM installation for your own uses any way. That's just good business. If you're doing it on your own for Friends and Family, then just take the extra time to get it from the OEM (e.g HP, Asus, Lenovo, etc) when you run into the issue.

Comment: Re:This is pretty common. (Score 1) 193

I've never used phone support, but yes they do offer it for Office and Windows, I'm pretty sure it's free, but time / case limited.

Not sure about Free; though they could have changed policy since last I checked (late 1990's) when it was:

  1. First 2 minutes were free
  2. $99 USD per minute after that

There's a reason why no one calls MS for support outside of Partner agreements, MSDN, etc. ;-)

Hopefully they've changed the policy since then.

Comment: Re:So easy to find (Score 1) 132

by TemporalBeing (#49276773) Attached to: Researchers Find Same RSA Encryption Key Used 28,000 Times

Just scanned the /16 next to my home broadband and found a number of repeated certificate hashes and all belonging to systems identifying themselves as

* Foscam Intelligent Technology Co,Ltd

Seems to be a network enabled camera.

Which is why I don't allow them out of my local network, and never setup their "remote access" functionality. in fact, it's explicitly disabled.

Aren't you glad you're not getting all the government you pay for now?