Please create an account to participate in the Slashdot moderation system


Forgot your password?
Slashdot Deals: Cyber Monday Sale Extended! Courses ranging from coding to project management - all eLearning deals 20% off with coupon code "CYBERMONDAY20". ×

Comment Re:w007 (Score 1) 36

never mind Wayland exists because the damned kids maintaining Xorg got tired of the cruft.

Xorg maintainers were not known for quality software engineering, in fact, it was the opposite.

I haven't looked into Wayland enough to know if it is good or bad, but there is no reason to believe these guys just because they maintained Xorg.

Comment Re:Levels of Security (Score 1) 117

This wouldn't entirely preclude layering violations, but it would certainly make them more difficult. That would improve security, but whether it improved the techniques?

Here I was referring to the fact that dependency injection and callbacks and closures often make code hard to read. Java code with threads and closures with mutable variables can be inscrutable sometimes....increasing the amount of time it takes to add features (or find bugs) by an order of magnitude or two. (Of course you can use dependency injection and callbacks and still have readable code, but a lot of times that doesn't happen).

3) you wrote, "Most modern (predominantly research) security architectures" who is doing this research, and where can I find it?

Wow. Pretty much everyone in OS software who cares?

IBM and Microsoft are players, OpenBSD is, for some types of things. Apple is; Linux people (though I think it was a DARPA project run by IBM?) were the first to implement ASLR; I think Apple was the first to ASLR absolutely everything? And to do page level executable signature verification in the paging path? Though I think they mostly did it for DRM reasons, rather than to be helpful to users. I think compiler stack probes came from the LLVM folks?

I know about ASLR and page level executable signature verification lol (and I hate page level encryption in iOS but that's another story. Incidentally, on iOS you can still easily trojan an executable by adding a shared library with a c++ static initializer to the mach "load command" section. It will get run on startup. You will need to resign, but that's usually not a problem).

Here I was asking about who is aligning page boundaries with the end of their arrays? Or is that already in GCC now? Also, who is using container in a mailbox? Because I don't think Outlook has changed this still.....

The problem I really have with his work is that it's largely academically oriented, rather than practical.

Fair enough. I haven't really looked at DJBDNS much so I can't really disagree with you.

Comment Re:Levels of Security (Score 1) 117

I'm not going to write an entire paper here on Slashdot.

You already kind of did lol. This is good stuff though. I have some follow-up questions if you don't mind:

1) How are you aware of (and able to control) lower-level things like the page size, or which functions go into which groups of pages?
2) Why is it called "container-in-a-mailbox?"
3) you wrote, "Most modern (predominantly research) security architectures" who is doing this research, and where can I find it?

As part of this, you define an interface contract: you are permitted to call down to the interfaces below yourself, and you are permitted to call across, within the same layer to auxiliary functions, but under no circumstances are you permitted to call upward.

That would ruin (or improve) a lot of modern OO techniques.

The reason I like DJB's work is because he seems to carefully think about what problems may arise every time he writes a line of code. He may not always succeed, but if you don't have that way of thinking, you will automatically fail at "identifying architectural layers for your libraries in order to abstract complexity of each layer from the layer below it," and will have bugs no matter what rules you follow.

Comment Re:Liberal misinformation (Score 1) 594

No no, I read the poll, it's irrelevant. For any political tactic, it is likely that one party will use it more than the other. Whether Republicans complain more about it recently than Democrats or 50 years, it could be flipped the other way. (Incidentally, I find it fascinating that the only media source trusted across the board was the WSJ. Not sure what to think about that.)

The biggest thing that annoys me about you is that you seem only able to see faults in the 'other' party, not in your own. That is a sign of immaturity. Wise people look hardest for faults in their own position.

Comment Re:Levels of Security (Score 1) 117

btw, I'm pretty sure you have an interesting point here when you said this:

Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

but I'm not entirely sure what you meant. Could you clarify? What other option is there besides functional decomposition?

Comment Re:15 years old? (Score 1) 391

We are no more going to replace coal with nuclear than we are going to replace it with solar.

Maybe not, but at least it's a position that is reasonable from a scientific perspective. Replacing coal with nuclear is a solution we can use right now, at relatively little cost. Solar and wind, on the other hand, are not viable solutions with current technology.

Of course, then we still have the problem of getting rid of gas cars. That's a tougher problem, but becomes more viable every day.

Comment Re:Levels of Security (Score 1) 117

The point of his system is to show that it really is possible to write secure software.

Do you really just run one qmail system and that's it? No client end, no other servers, no other services, no passwords, nothing?

The other systems should be made securely. DJB showed it's possible to write highly secure software. But fwiw it's not uncommon to only run one service on a server, especially now with VMs making it so cheap to do so. And passwords are archaic, we don't even use them with git anymore.

Comment Re:Levels of Security (Score 1) 117

I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is.

If you think so and can prove it, then you can earn $1000 and eternal fame by hacking DJB's qmail. Over 15 years and still hasn't been hacked.

That this product doesn't require ethan hunt just makes it worthless for bank vaults.

Even then, there are different levels of "hackable." Some things (like uefi) take six months of work to hack, but that's not what we're talking about here. Some of these IoT devices literally are running their own wifi server, with an open telnet port. When I say open, I mean it doesn't even have a password. This is how much these companies care about security.

We're talking about the kind of security that your neighbor kid could hack after taking a high-school networking class.

Anything cut to length will be too short.