
Comment: Re:So, UEFI is a good thing now? (Score 5, Interesting) 471

by Wyzard (#48970027) Attached to: Systemd Getting UEFI Boot Loader

First of all, UEFI is more than Secure Boot. UEFI has been standard on PCs for the past few years, and on Macs ever since they switched to x86. Secure Boot is just a feature of some newer UEFI implementations.

Second, Secure Boot is a legitimate security feature that helps to protect against boot-time malware. There's nothing inherently evil about it. The controversy is over who should have the power to decide which OS is considered trustworthy and allowed to boot: the owner of the computer, or the vendor of the OS that came preinstalled on the computer?

Naturally, you don't want to buy a computer that doesn't let you choose which OS you trust. But if you have a computer that does give you that choice, why not take advantage of it? Seems to me that it's good to have hardware vendors see increased demand for machines that support securely booting the OS of your choice, as opposed to those where you just have to disable Secure Boot entirely if you want to run something other than Windows.

Comment: Re:Java sandboxing helped in this case (Score 1) 127

by Wyzard (#47563921) Attached to: Old Apache Code At Root of Android FakeID Mess

Not quite.

First, sandboxing in Android isn't done at the Java level, it's done at the OS level, by running each app under a different UID and letting the kernel take care of enforcing what that UID is (and isn't) allowed to do. It's the same system that prevents different users on a "conventional" Linux system from accessing each other's private files. This is why Android apps can load and run native code (via JNI) without needing any special security permission or exemption. Native code is still in the sandbox.

Second, the real danger in this flaw isn't malicious apps tricking the user, it's malicious apps tricking other apps. Android's permissions system includes a feature called "signature-level permissions" which allows apps that are signed by the same publisher to grant each other permissions that aren't available to apps signed by other publishers. This bug means that a malicious app can pretend to be signed by Company X in order to gain signature-level permissions to interact with actual Company X apps in privileged ways. Depending on the app, this may allow access to sensitive data.

Comment: Wait for Haswell (Score 4, Informative) 260

by Wyzard (#42223025) Attached to: Ask Slashdot: Best Laptop With Decent Linux Graphics Support?

If you can wait awhile longer before buying, Intel's upcoming Haswell processor is reported to have significantly improved graphics performance, and Intel GPUs are well-supported with free drivers in Linux and Xorg. They're less powerful than NVIDIA and AMD GPUs, but should be fine unless you need to play high-end games on high quality settings.

Comment: Re:but its Java? (Score 2) 154

by Wyzard (#41997283) Attached to: Google Targets Android Fragmentation With Updated Terms For SDK

Apps can be written to use new features where available but degrade gracefully where they're not.

Every app has both a "minimum SDK version" that identifies which version of Android it requires, and a "target SDK version" that identifies the latest version of Android that it knows about. At runtime, the app can check which version it's actually running on, and enable or disable features as appropriate.

If an app is run on an Android version newer than the app's "target", the OS itself will do whatever's needed to be backward-compatible with the target version. The developer can update the app and change the target version in order to take control of any new features and differences.

Comment: Re:Fork it, then (Score 1) 403

by Wyzard (#40009619) Attached to: Mozilla Leaves Out Linux For Initial Web App Support

As I recall, Mozilla was willing to grant Debian a license for the Firefox trademark, but they weren't willing to grant it recursively to all Debian users who might want to make (and distribute) their own modified versions of the code they got through Debian. Since Debian doesn't accept licenses that are specific to Debian (DFSG #8), Debian couldn't accept Mozilla's offer of a Firefox trademark license, and thus had to rename it.

The discussions at the time — this is based on my memory from reading the list archives — were all about the fact that Debian applies patches to the code; I don't think the logo issue came about until later.

Comment: Re:Its a trap!! Dont do it! (Score 1) 340

by Wyzard (#38350204) Attached to: Site Offers History of Torrent Downloads By IP

Looks like it shares more than that. The source for the login button is:

<fb:login-button perms="user_likes,user_about_me,email,user_hometown,user_relationship_details,user_location,user_website,user_work_history" onlogin="oRRQ.login();">

The site has no legitimate need for all that info if it just wants to know that you're a real person.

Comment: But is the data actually transmitted anywhere? (Score 5, Interesting) 322

by Wyzard (#38212960) Attached to: Android Dev Demonstrates CarrierIQ Phone Logging Software On Video

In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.

Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)

Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.

Comment: Re:More proof opt-in is the ONLY way to do it righ (Score 1) 134

by Wyzard (#37929620) Attached to: Carbonite Privacy Breach Leads To Spam

The article's suggestion of address hashes is kinda bogus, and especially dangerous if the hashed addresses are known to be customers. Assuming a spammer/phisher already has eleventy billion addresses, this is a hash collision attack. All the spammer has to do is hash their list and look for matches. Instant customer list.

That's the intended usage of the list of hashes: for each address that the marketer already has, they can determine whether it's the address of an existing customer so they can exclude it from the ad campaign. No technological measures can avoid the fact that if you want an advertiser to exclude your customers from an ad campaign, you have to give them a way to determine who your customers are. Only trust (and trustworthiness) can resolve that.

But hashing the list would at least prevent the marketer from learning new addresses that they didn't already know about, so it's better than giving them the raw list.
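The hashed suppression list discussed in the comment above, as an added example that is not part of the original comment: it shows which addresses a marketer can match and which stay undisclosed. SHA-256, the trim-and-lowercase normalization, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib

def normalize(addr):
    # Assumption: both parties agree to trim whitespace and lowercase before hashing.
    return addr.strip().lower()

def hash_addr(addr):
    # Assumption: SHA-256 is the agreed hash; the comment does not name one.
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def build_suppression_list(customers):
    """Vendor side: hand over only the hashes of customer addresses."""
    return {hash_addr(a) for a in customers}

def apply_suppression(marketer_addrs, suppression):
    """Marketer side: split the marketer's own list into mailable and excluded."""
    mailable, excluded = [], []
    for addr in marketer_addrs:
        if hash_addr(addr) in suppression:
            excluded.append(addr)   # already a customer: drop from the campaign
        else:
            mailable.append(addr)
    return mailable, excluded

def undisclosed_customers(marketer_addrs, customers):
    """Customer addresses the marketer did not already hold.

    Only the vendor can compute this; the marketer sees nothing but
    hashes it cannot match against its own list.
    """
    known = {normalize(a) for a in marketer_addrs}
    return sorted(normalize(c) for c in customers if normalize(c) not in known)

# Constructed sample data (not real addresses).
CUSTOMERS = ["alice@example.com", "Bob@Example.org", "carol@example.net"]
MARKETER = ["bob@example.org", "dave@example.com", " ALICE@example.com "]

if __name__ == "__main__":
    suppression = build_suppression_list(CUSTOMERS)
    mailable, excluded = apply_suppression(MARKETER, suppression)
    print("mailable:", mailable)
    print("excluded (confirmed customers):", excluded)
    print("not disclosed:", undisclosed_customers(MARKETER, CUSTOMERS))
```

The excluded list is exactly the membership information the comment says cannot be withheld from the advertiser; the undisclosed list is what hashing keeps back compared with handing over the raw list.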

Comment: There are special cameras for this (Score 1) 170

by Wyzard (#37878788) Attached to: Ask Slashdot: Image Recognition For Race Timing?

I don't know how timing is normally done for auto races, but I've been part of the staff at a few track & field events, such as the Nike Indoor Nationals, and seen how the timing is done there. There's a special camera that captures a single column of pixels, carefully aligned with the finish line, that records a rapid sequence of images whenever something changes in its field of view. The software assembles all these one-pixel-wide images into a single image whose horizontal axis is time rather than space. You can clearly see each runner, though arms and legs often look a little curved since they're moving as they pass through the plane of the finish line. In particular, the ID number tags worn by each runner are clearly visible.

Recognition isn't automatic, but it doesn't need to be. The operator just clicks on the front of each runner's shoulder (the part that "counts" for finishing the race) and reads the number from the runner's ID tag, and the time value associated with that column of pixels is recorded as that runner's finish time. So there's a human delay involved in matching the time measurements to the runners, but no human delay in the measurements themselves.

The company that did the timing at the races where I worked was CFPI Timing, and the tech page on their website has lots of details. Apparently the camera system I described is made by FinishLynx.

Comment: Re:i dont get it (Score 1) 423

by Wyzard (#35802696) Attached to: The Hobbit Filming at 48fps

3D at the movies uses polarized light, and each eye gets their usual 24fps. No flickering because there is no "black" in between each frame.

RealD uses polarized light, but through a single projector, running at 144fps, switching "sides" six times per (24fps) film frame. Your eyes see left-right-left-right-left-right for each still picture before moving on to the next.

Since each eye sees black while the other eye is seeing a picture, RealD does flicker. It's 144fps flicker, which most people don't notice, but some people are sensitive enough to be bothered by it.

Comment: Re:Wrong Version (Score 1) 88

by Wyzard (#35207078) Attached to: Civ IV's Baba Yetu Wins First Grammy For Video Game

It's the same song, but performed by different singers. The in-game version was performed by (I think) an a cappella group at Stanford; the album version is performed by Ron Ragin and the Soweto Gospel Choir.

Basically, the artist re-recorded the song with more professional talent. Compare:
