
Comment: Re:Apple Pushing All Mobile CPU Vendors (Score 1) 114

by Yaztromo (#48605177) Attached to: Apple and Samsung Already Working On A9 Processor

Uh, a dual core 1.3Ghz cpu is "marginally superior" to phones running quad and octo cores at twice the clock speed?!

Cores and clock speed are hardly the only determinants of performance. They set a hard upper bound, but that can be readily squandered by software.

In the case of Android phones, they pushed for extra cores early on to avoid UI stutter during garbage collection cycles. iOS has never provided garbage collection; you either have to set up your own retain/release calls to keep or relinquish objects, or you use ARC (Automatic Reference Counting) to do more or less the same thing.

In effect, it's a trade-off. Google decided to simplify memory management for developers, and keep the barrier to entry low by appealing to existing Java developers, with the trade-off being that they require more parallel processing power for garbage collection. Apple avoided the need for the additional processing power and battery capacity (and in turn device size) by not implementing garbage collection in iOS, and thus can squeeze more performance out of fewer cores, with the trade off being you can't just pull Java developers off the street and have them start writing iOS apps. ARC is so slick that IMO Apple has an overall edge with their design; others are of course free to disagree.

Yaz

Comment: Re:Open Source not a silver bullet (Score 2) 73

by Yaztromo (#48570385) Attached to: Why Open Source Matters For Sensitive Email

It seems a bit foolish to worry about purely theoretical security issues when we've got so many real ones to deal with. Ken Thompson's compiler infection demonstration was an interesting experiment designed to make a particular point, but I don't think it's wise to consider tool-chain hacking a legitimate threat, as we've never seen anything remotely like this in the wild, as far as I'm aware. And frankly, I question whether it's even realistically possible beyond a very simplistic demonstration.

First off, naturally the level of security I'm talking about would probably only be reserved for national governmental agencies intended to protect ultra-sensitive data. For them, that level of security is necessary, and they will spend the money and resources to audit and verify everything if necessary (which is why we have SELinux).

Additionally, the build chain comprises not only the compiler, but the standard libraries and any third-party libraries as well. If not verified, these could easily have unexpected code inserted into them, that compromises your product once linked against them. You wouldn't expect to see such compromised libraries "in the wild", as they would probably be part of a targeted attack. This is hardly unprecedented; while not done at build time, Stuxnet uses DLL replacement on Windows to add extra routines to the operating system, which are used to inject code being uploaded into a PLC.

Again, most organizations don't care to undertake the kind of expense required to protect against such attacks; they use the chain-of-trust you describe. However, national security organizations do work at this level, and if you need that level of security, pre-compiled binaries, whether they come with source or not, are insufficient.

Yaz

Comment: Re:Open Source not a silver bullet (Score 1) 73

by Yaztromo (#48570317) Attached to: Why Open Source Matters For Sensitive Email

With a verified compiler no less. We have seen ever more sophisticated malware these days, certainly a malicious compiler could easily slip vulnerabilities into the binary.

Yup -- I intended that to be considered part of the build chain. Compiler, standard libs, any 3rd party library dependencies, the build tools themselves (have to make sure they're using the libs you expect them to...), the OS kernel...right on down the chain.

Yaz

Comment: Re:Open Source not a silver bullet (Score 1) 73

by Yaztromo (#48569943) Attached to: Why Open Source Matters For Sensitive Email

I use many open source tools, but I've never inspected the code myself. Even if I did, I'm not going to be finding these hard-to-find defects that the people in the project can't find.

From a security perspective, even just having and being able to inspect the code is insufficient if you need top-notch security: you had better also be compiling that code yourself. It is nearly impossible to be able to verify that a binary blob didn't contain additional/modified code than what the sources contain without compiling it yourself. And even with being able to compile everything yourself, you're still at the mercy of the build chain and all of its dependencies (unless you audit/build them yourself too).

Open Source is still better in this regard than closed source, of course -- at least you have the ability to compile it yourself if security is that critical. I think the problem for a lot of organizations is that security isn't critical enough for them to hire people to a) audit the code and b) build, test, and verify it for their own internal use. In which case, it would (at least from outward appearances) be cheaper/easier to go with a closed-source solution, with someone behind it whom you can blame/sue if things go sideways.

Yaz

Comment: Re:What what WHAT? (Score 4, Informative) 100

by Yaztromo (#48382757) Attached to: Ask Slashdot: Getting Around Terrible Geolocation?

Note, in the first link, everything except W3C is listed as correct, which is even more baffling for me, because somewhere the wrong information is being received, and it happened everywhere in the shop at once, across platforms.

You've got it all wrong as to where the problem lies.

First, there are two ways being used to calculate your geolocation. One of them uses online providers who have databases mapping IP addresses to locations. This is what you're seeing in the "Provider X" columns, which you state are indeed showing your correct location.

W3C doesn't provide a geolocation service. Instead, what the results of this (admittedly badly named) column indicate are what YOUR COMPUTER reports its location as being, using the W3C Geolocation API. The first link you provided above describes this succinctly in the text immediately above the map, where it states "The W3C Geolocation service determins location by the browser providing GPS location (if available) and signal strengths of visible WiFi annoucements" [sic]. Thus, the web page is asking your browser to report where it is located, and your browser is responding that you're somewhere in Ireland.

The question for you then becomes: where is my browser getting this bad data from? On Mac OS X, browsers get this from the Core Location Framework. While Core Location Framework can conceivably use a number of different factors to determine your location, typically it uses the detectable WiFi beacons in your area, mapping their SSIDs and MAC addresses, and their relative strengths to triangulate your location. On Windows it uses the Sensor and Location Platform to do much the same thing.

I don't know much in the way of details of the databases Apple and Microsoft are using on the backend to map your triangulated location based on SSIDs/MACs of visible WiFi access points, however there are a few ways the system can go wrong:

  • The SSID/MAC of your access point matches that of another access point somewhere on the globe (and for some reason, all the other access points in your vicinity aren't in the database), or
  • You've moved the access point in question from one location to another, and the database hasn't been updated yet. This could occur if, for example, you buy a WiFi access point used off eBay (for example), or you've moved your physical location, you've bought a refurbished access point, or your corporate IT has issued you a previously used access point from another office.

The fact that all your systems had this problem at the same time indicates it's probably one of the above. You can try to fix the situation by changing the SSID of your access point. Depending on the size of your facility, this may be more or less difficult, however it should hopefully make the incorrect results from your OSs' location services either report the correct location, or simply that your location is unknown. You may also need to change the MAC address of your access point(s), but I'd save that as a last resort. Note that making these changes should fix the issue with your systems reporting themselves as being in Ireland, but it may not result in them reporting the correct location (they might report they don't know their location at all). That's okay -- for Apple devices at least, you can fix this by simply having someone with an iPhone with Location Service enabled in the vicinity (Apple's data is crowd sourced automatically through the use of GPS co-ordinates and relative WiFi access point signal strengths). I'm not sure how Microsoft collects the information for their database, so I can't help you there -- a Google search might provide some answers.

HTH!

Yaz
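The distinction drawn in the comment above (browser-reported position versus IP-database estimates) can be checked mechanically. The following is an added example, not part of the comment or of the site it discusses; the function names, the 100 km threshold, the classification heuristic and all coordinates are assumptions made for illustration.

```javascript
// Added example. All coordinates are constructed sample values.
const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two {lat, lon} points, in kilometres.
function haversineKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Ask the browser (and so the OS location service) where it thinks it is.
function readBrowserFix() {
  return new Promise((resolve, reject) => {
    if (typeof navigator === "undefined" || !navigator.geolocation) {
      reject(new Error("W3C Geolocation API not available here"));
      return;
    }
    navigator.geolocation.getCurrentPosition(
      (pos) => resolve({ lat: pos.coords.latitude, lon: pos.coords.longitude }),
      reject,
      { maximumAge: 0, timeout: 10000 } // refuse a cached position
    );
  });
}

// Heuristic (an assumption of this example): if every IP estimate is farther
// than cityScaleKm from the browser's fix, suspect the device's Wi-Fi/GPS source.
function diagnose(browserFix, ipEstimates, cityScaleKm = 100) {
  const distances = ipEstimates.map((e) => ({
    provider: e.provider,
    km: Math.round(haversineKm(browserFix, e)),
  }));
  const far = distances.filter((d) => d.km > cityScaleKm).length;
  const verdict = far === 0 ? "consistent"
    : far === distances.length ? "device-location-suspect" : "ip-provider-outlier";
  return { verdict, distances };
}

// Constructed sample: IP databases agree on one city, the browser's fix is in Ireland.
const SAMPLE_IP = [
  { provider: "provider-a", lat: 40.71, lon: -74.01 },
  { provider: "provider-b", lat: 40.75, lon: -73.98 },
];
const SAMPLE_BROWSER_FIX = { lat: 53.35, lon: -6.26 };
```

In a browser, `readBrowserFix().then((fix) => diagnose(fix, ipEstimates))` runs the same check against the live OS location service; re-running it after changing the access point's SSID shows whether the stale mapping has stopped being used.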

Comment: Re:Unfortunate, but not surprising (Score 1) 450

by Yaztromo (#48343877) Attached to: Joey Hess Resigns From Debian

At this point, it seems that a fork of Debian is almost inevitable, though that effort appears to me to be more likely to simply dilute the overall effort than bring any resolution.

I'm pretty sure Debian is already the most-forked Linux distro out there. Wikipedia lists 117 distros (on my count) based on Debian.

Yaz

Comment: Re:Silly (Score 1) 764

by Yaztromo (#48273945) Attached to: Tim Cook: "I'm Proud To Be Gay"

You aren't supposed to be proud of things you had no control of...

Yeah, like all those people who are "Proud to be American!", just because they were born in the United States of America. What a total bunch of douchebags.

(My apologies if that broke everyone's sarcasm meters. Your warranty replacements are in the mail).

Yaz

Comment: Re:They tried to raise prices 20% unnanounced (Score 3, Interesting) 392

by Yaztromo (#48270979) Attached to: Cutting the Cord? Time Warner Loses 184,000 TV Subscribers In One Quarter

I was in the same boat you were. I was a very happy TiVo customer here in Canada, until we moved to an HDTV.

The funny thing was having to try to convince the customer service woman at TiVo that no, I couldn't upgrade to TiVo HD. The concept that I couldn't get a CableCard from my local provider was so alien to her that I had to explain it several times (and even point her to TiVo's own webpage explaining why TiVo HD wasn't available in Canada). Even then I don't think she was quite convinced.

I guess that TiVo had so few Canadian customers that she really hadn't had to deal with the situation before. I still miss our old TiVo; the Motorola box we got from Shaw is great for 1080p video and Dolby Digital audio (neither of which our TiVo 2 could handle); but the user interface and software absolutely suck compared to the TiVo. It's always trying to do dumb stuff, like start a new scheduled recording on the tuner I'm using to watch something, even though nothing is being recorded (or is scheduled to record) on the other tuner at the time; menus you can't move back up from (even if you're several screens down, if you need to go up one menu you frequently (but not always!) have to exit entirely and start over again, drilling back down to where you wanted to be), not being able to filter out all the myriad of channels we don't get from the listings (I've simulated this by setting up a "favourites" list containing only those channels we get, but the way the interface is set up, managing this when a few channels change often means I have to remove the favourites list and start over again), and ugly, ugly on-screen graphics (crappy fonts with no smoothing, no built-in upscaling for SD channels, so the entire UI changes to a more compressed version to fit within 480p, etc.). I could probably go on all day. I believe they have better boxes available now, but as I had to buy this one, I don't see it as worthwhile to "upgrade" to another non-TiVo box that is probably equally crappy.

Yaz

Comment: Going about it all wrong. (Score 1) 451

by Yaztromo (#48257615) Attached to: Ken Ham's Ark Torpedoed With Charges of Religious Discrimination

See, the creationists are going about this all wrong. What they need is a meta-theme park, where you go and spend time with a Jewish carpenter wearing hippy clothes who preaches to you all day about God and love while you help him build an Ark-based theme park.

See, in this way you get lots of free labour to build your theme park from all the True Believers, and should any heathens get in, you get to have hippy carpenter guy preach the good word to them all day.

The only drawback to all this is it means Mr. Ham would have to employ someone who is Jewish, and he might feel that is against God's divine will.

Yaz

Comment: Re:Dear Canada.... (Score 4, Informative) 529

by Yaztromo (#48205149) Attached to: Shooting At Canadian Parliament

No by getting the Muslim community involved and start turning in these idiots, the war on extremists is never going to be won unless the community that they belong to steps up.

Thus far, in every case that has occurred within Canada, the first alerts received by police about radicalized Muslims have been from Imams at various mosques.

The Muslim community has stepped up, and has been doing exactly what you extol. However, holding radical ideals isn't against the law in Canada; unless you can prove that a) an illegal act is being planned, or b) support is being given to an illegal organization, there isn't much the police can do except monitor the people involved.

The attacker from Monday's attack in St. Jean-sur-Richelieu was being monitored by police, and had even recently been questioned by them. They had confiscated his passport, as he had booked a flight to Turkey (purportedly to cross into Syria to join ISIS/ISIL), but as he hadn't broken any Canadian laws, were unable to detain him. I have little doubt the way police were alerted to this person in the first place was via people at his local mosque.

Unfortunately, the police don't announce how they find out about the radicals they are tracking (news today has it that the RCMP is tracking 90 people for radicalist activities), in part to protect their sources. This is why you don't hear about it much in the media, but people on the inside know that it's been the leaders of Canadian mosques who have been at the forefront of reporting radical Islamic activity in this country.

Yaz

Comment: Re:Tax dollars at work. (Score 3, Funny) 102

by Yaztromo (#48179483) Attached to: Canada Will Ship 800 Doses of Experimental Ebola Drug to WHO

It's interesting that OP claims the government "owns" the "IP" related to the vaccine.

Something I left out of my previous post; generally, the Government of Canada doesn't own the patent; instead it's owned by Queen Elizabeth II, in Right of Canada, and represented by the minister of the relevant government agency.

Here's an example I picked purely because of its humorous title, particularly when you relate it to the Queen as owner: APPARATUS FOR PERFORMING SCROTAL CIRCUMFERENCE MEASUREMENT ON BULLS.

Yaz

Comment: Re:Tax dollars at work. (Score 1) 102

by Yaztromo (#48179477) Attached to: Canada Will Ship 800 Doses of Experimental Ebola Drug to WHO

In Canada and most other democracies the gov't is the people, and the people are allowed to own stuff.

As a generalization you're correct, however, in the case of patents, they technically aren't held by the Government of Canada, but are instead held by the Queen. This is usually written as "HER MAJESTY THE QUEEN, IN RIGHT OF CANADA AS REPRESENTED BY THE MINISTER OF..." in Canadian patents.

Of course, in a practical sense, the Queen is going around acting as a patent troll. She may own the patents, but control tends to lie with the minister of the responsible government agency.

Yaz
