Forgot your password?
typodupeerror

Comment: Re:Honestly, when will people learn? (Score 1) 98

by Wrath0fb0b (#47765693) Attached to: Project Zero Exploits 'Unexploitable' Glibc Bug

An acquaintance recently posted "Six Stages of Debugging" on his g+ page. (1. That can't happen, 2. That doesn't happen on my machine, 3. That shouldn't happen, 4. Why does that happen? 5. Oh, I see, and 6. How did that ever work). Doesn't an software dev who has been working for more than about three years go straight to No. 4?

Absolutely true for debugging. But there's a few steps you missed.

Somewhere near 3-4: Ok, how bad would it be if that happened? Does it recover without user intervention (i.e. service crashes and cron restarts it)? Does it recover with user intervention ("did you turn it off and back on?)? Does it lose user data (oh poop)?

The question here (which is altogether not trivial) is exactly this: "how bad would it be if we wrote an extra '\0' somewhere"? And what geohot did was answer that in the most productive way possible - by actually showing with a real example that the impact is major and permanent. If you aren't explicitly doing assessment of the impact of your bugs for schedule/priorities then you must be doing it implicitly somehow because most projects have more bugs than coders/time.

There's another step you missed, happens probably at step 10 or 11 and probably not by the developer that fixes the bug -- given the impact and the risk of the fix, when/how should this be deployed? Should it be backported to the stable releases? Do we have to ping everyone downstream? Is this so bad we should post on /. telling everyone to pull the emergency fix ASAP or else zombie Putin will kill Natalie Portman?

Again, if you aren't doing this step explicitly, it's either happening implicitly or else you are just letting it land whenever/however.

Comment: Re:The only good thing (Score 1) 511

The (heartless) thing about it is that drugs are not too different from many other things in society that are used by rich and poor alike but harm the latter much more.

The rich are far more likely to own firearms than the poor and far less likely to shoot someone or be shot.
The rich buy far more alcohol than the poor but are far less likely to drive drunk or be alcoholics .
The rich do far more drugs than the poor but are far less likely to become non-functional addicts.
The rich are far more likely to waste their education on party schools than the poor but are less likely to suffer the career consequences.
The rich and the poor engage in about the same amount of premarital sex but the former are less likely to have kids out of wedlock.
The rich gamble more often than the poor but are far less likely to become chronic gamblers.

To my mind, this suggests that the ultimate cause of these problems isn't the particular vices, but rather the cultural and economic context around them that causes them to be destructive. We should work at fixing that context, along with providing opportunity and support for everyone to work towards their own success, rather than wasting our time on proximate causes.

Comment: Under two minutes of bullshit (Score 4, Insightful) 69

by Wrath0fb0b (#47515771) Attached to: Robot With Broken Leg Learns To Walk Again In Under 2 Minutes

Hey, I can make all kinds of tasks faster by precomputing much of the work and then looking it up in a table. Congratulations, you've (re)discovered another instance of a Space/Time tradeoff.

Now, in particular what they've done is still wicked cool -- it's a great idea to perform may millions of simulations ahead of time so that at runtime (heh) you can quickly draw on that data to adapt. It would be perfectly good research even without the over-the-top claim that they've somehow made the work faster as opposed to cleverly pre-computing much of it.

But that's research -- you do something neat and then you make a ridiculous overstatement to generate buzz ...

Comment: Re:Trusting a binary from Cisco (Score 5, Informative) 194

by Wrath0fb0b (#47515705) Attached to: Firefox 33 Integrates Cisco's OpenH264

No. In fact it's absurdly difficult to reliably create reproducible builds. Debian has been working on this since at least 2009 (afaict) and has been plowing through issues but you still can't get an identical Kernel as the .deb. Heck, it was 8 weeks just for the Tor browser.

It's not just the compilation tools, it's the entire build environment that needs to be homogenized. All kinds of components will insert uname/hostname and paths into the binary, filesystems list the contents of a directory in undefined order, timestamps and permissions are embedded into tarballs and documentation, different locale produces other weirdness.

tl;dr: it's much harder than just installing an identical version of clang and hitting make.

[ And, as an aside, this goes back decades. The infrastructure around builds was never designed with reproducibility as a design goal. We are basically retrofitting this new requirement on decades of legacy code that never even considered that we would want such a thing ... ]

Comment: Re:Why are the number of cabs [artificially] limit (Score 5, Insightful) 92

by Wrath0fb0b (#47435979) Attached to: Lyft's New York Launch Halted By Restraining Order

If the USA is the bastion of freedom, capitalism and independence, why are cab licenses limited by city bureaucrats? Why not let everyone who qualifies swim in the taxicab business leaving those who cannot stand the waters perish? I just don't get it!

Because historically taxis have engaged in a number of fraudulent and unsavory practices, outright racism in some cases and have generally made cities look bad. So there was a legitimate reason to regulate them in order to ensure that they didn't bilk (or take the long route) for gullible tourists, refuse rides to people of the wrong color, install fake meters, organize into a racket to overcharge customer or skip on carrying decent insurance.

Then, lo-and-behold, the well-meaning regulators were captured by the taxicabs (because they were smart) and turned around and instituted any number of illegitimate regulations designed to stifle competition. This is generally pretty easy in a democracy because when there's a small number of cabbies with a very large interest in certain policies, they can often get their way when there are a large number of citizens with contrary interests. It's the law of diffused costs versus concentrated benefits.

So now, instead of being predictably idiotic with our left/right pro/anti regulation, maybe we should think about stupid regulation versus smart regulation. Then we could distinguish a rule require cabbies to carry insurance for their passengers with one that limits the number of medallions to some artifical number. Or one that requires accurate metering of any form with one that requires a specific brand or type of metering. Or a law that requires cabbies to serve any part of the city with one that requires them to drive home from the airport empty instead of picking up a fare immediately after dropping one off (this one really I don't understand -- there is a line for cabs at the terminal!).

On the other hand, nah, let's just hurf about it....

Comment: Re:We can thank corporate America (Score 1) 282

by Wrath0fb0b (#47389797) Attached to: Ask Slashdot: How Often Should You Change Jobs?

Part of the problem is that it's easier to hire new folks than to reallocate existing ones without getting into political turf wars -- let alone shrinking some departments* that don't need the headcount. This means that the utility of a new employee is automatically greater than one that's been there forever, even if they are equal in skill, just because they can be put in the most useful position.

This is a facet of downwards-stickiness -- it's easy to tell an overstaffed* department that they don't get to hire new folks, it's nearly impossible to tell them to give up folks. But both of those are equivalent in terms of overall allocation of resources.

* Note: I don't mean to say that these folks are incompetent, only that demands change and a team that might be stretched thin one year because of a large project might have few demands the next. In fact, it's exactly the opposite -- the most talented teams end up overstaffed because they build things well and end up without much maintenance to do, rather than constantly chasing their tails duct-taping things up. We should be moving talent from those teams to where it's needed the most.

Comment: Re:Actually not /all/ corporations are covered ... (Score 1) 1330

Who ever said that the IRS definition for the purposes of taxation is the correct one to apply to a RFRA claim over contraception?

I highly doubt that the Waltons would qualify, given that billions of dollars of WalMart stock is held and traded publicly.

Comment: Actually not /all/ corporations are covered ... (Score 1) 1330

The opinion restricts itself to "closely-held corporations" (a phrase used dozens of times) rather than /all/ corporations. They don't define with precision what that exactly means -- that kind of drudgery is the domain of the lower courts -- they did point out that Hobby Lobby is privately held by a small number of folks from the same family. It would seem clear to infer that "closely-held" is sort of an antonym to "publicly-held" here, so I think there's virtually no chance any lower court would allow Wal Mart or Exxon to assert a RFRA claim.

Now, since companies under 100 employees are already exempt from most of PPACA, the net net of this only covers the rare company that simultaneously large enough to be hit by the mandate but still owned closely enough to merit RFRA protection. In other words, not too many in the scheme of things.

[ Full Disclosure: I don't support what Hobby Lobby believes, I think they deserve to lose on the merits. But at the end of the day, I'm not going to make a molehill into a mountain for rhetorical or fundraising purposes. ]

Comment: Re:Error so popular it was enshrined in PCI DSS (Score 1) 192

by Wrath0fb0b (#47325179) Attached to: Improperly Anonymized Logs Reveal Details of NYC Cab Trips

Yes, you are right, I mistyped.

Public: { H(CC+Salt), Salt, Amount of money spent on porn, Amount of student debt }

[ where + is just shorthanded for "mixed with" ]

It's not at all within the realm of possibility for an attacker to brute force the CC space for each salt separately. So yes, an attacker can run through (2**CC_entropy) hashes to brute force a single entry, but that exercise provides him no help when he goes to do the next entry. Moreover, he can't spin up a few TB of storage on S3 and pre-compute anything useful.

The point of the scheme is to turn a pwn-once-win-forever game into a pwn-one-win-one game. This guy paid once and won the entire database. I would like him to have to pay that cost once for each entry.

Comment: Re:Error so popular it was enshrined in PCI DSS (Score 1) 192

by Wrath0fb0b (#47321469) Attached to: Improperly Anonymized Logs Reveal Details of NYC Cab Trips

Yes, a secret salt is no salt at all.

But there are very important uses for salting that make it better than assigning a random number -- it allows someone that does know the input value look up the relevant entry without any involvement from the secure side.

Imagine you had the following two datasets that you've partitioned:

Private: { Credit Card Number, Random Salt }
Public: { H(CC+Salt), Amount of money spent on porn, Amount of student debt }

Now whenever you want to obscure an entry, you do need to go to private one. But if you want to answer the question "How much money did a person with CC X spend on porn", you can look it up without entering the secure domain. But no one without access to the private side can find credit cards in the DB or other stuff -- to within the computational costs of the operation multiplied by the entropy of the salt.

Comment: Re:Error so popular it was enshrined in PCI DSS (Score 1) 192

by Wrath0fb0b (#47321451) Attached to: Improperly Anonymized Logs Reveal Details of NYC Cab Trips

Yes, which is exactly what the person in this article actually did -- he created a lookup table to accelerate brute-forcing the entire released dataset.

And yes, there are a trillion credit cards. But if each one gets a random 32-byte salt added to it, then that's a 4-billion-trillion input space ...

Comment: Re:Error so popular it was enshrined in PCI DSS (Score 2) 192

by Wrath0fb0b (#47303271) Attached to: Improperly Anonymized Logs Reveal Details of NYC Cab Trips

Um, the standard is fine. The phrase "One-way hashes based on strong cryptography" means (to any professional in the business) that one must salt the hash with sufficient entropy to make brute-forcing the input space impossible. So 16 digit CC has little entry, but add a 16-byte hash and you've somewhere.

So yeah, "strong cryptography" can't fix stupid, but those that know how to use it are plenty fine.

Comment: The ethnicities of my tech workplace (Score 1) 435

by Wrath0fb0b (#47262937) Attached to: Yahoo's Diversity Record Is Almost As Bad As Google's

And this is counting just those around me:

East Asia: Han, Cantonese, Korean, Japanese,
Indian Subcontinent: Telugu, Tamil, Sinhalese, Punjabi,
West Asia: Syriac, Turkmen, Arab, Persian,
North Asia: Slavs of all flavors,
Europe: Scandinavian, Germanic, Anglo-saxons, Castilians,
Africa: Hamitic, Bantu,

Looks pretty diverse to me, at least once you get past the crippling simplicity of the "White/Asian/Black/Latin" universe in which the race-baiters are forever trapped.

In these matters the only certainty is that there is nothing certain. -- Pliny the Elder

Working...