Comment: Re:buy the competition (Score 2) 98

by c (#48898295) Attached to: Brought To You By the Letter R: Microsoft Acquiring Revolution Analytics

It's ancient history, but when Microsoft put some money into perl-on-Windows development, there were a lot of ruffled feathers and panicky headlines.

It didn't amount to anything even close to "taking over perl", even during the nastier stretch of Microsoft's "embrace and extend" era, but asking people to remember things that happened so long ago is obviously too much.

Comment: Re:Who do your trust (Score 1) 184

by c (#48849363) Attached to: Ask Slashdot: Can I Trust Android Rooting Tools?

Remember just because the phone is rooted doesn't mean it also isn't running the manufacturer's (if any) malware.

Sure. But we're talking about evaluating trust, not whether or not the phone's running malware. If I'm running a stock firmware, in my mind it's already compromised; slapping an XDA hack on top of it doesn't strike me as increasing risk substantially.

That being said, I don't find getting root at all useful unless it's a means to the end of unlocking the phone and replacing the stock firmware. I trust XDA hacks to perform that function, at least, and at that point trusting the manufacturer becomes moot.

Comment: Re:Manual steps vs. payload (Score 4, Insightful) 184

by c (#48847029) Attached to: Ask Slashdot: Can I Trust Android Rooting Tools?

I'm a little surprised that the comments so far haven't really tackled the crux of your question, which was NOT "how do I find root exploits", but "are they trustworthy".

Well, the way I see it, I'll trust a random XDA developer pushing closed-source hacks way more than I trust my carrier and/or handset manufacturer.

I'll grant you that it's a low bar.

Comment: Re:90 days may be a little short (Score 1) 261

by plcurechax (#48831413) Attached to: Google Releases More Windows Bugs

but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them, like cybercriminals and the various three letter agencies.

From the article:

In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

The next Patch Tuesday is scheduled for Feb. 10.

So 90 days is an appropriate time to wait but not 106 days?

Here is what Google used to say (circa 2010), from most of the same people who make up the Project Zero team (Chris Evans, Michal Zalewski, and others) AFAIK.

Rebooting Responsible Disclosure: a focus on protecting end users:

Update September 10, 2010: We'd like to clarify a few of the points above about how we approach the issue of vulnerability disclosure. While we believe vendors have an obligation to be responsive, the 60 day period before public notification about critical bugs is not intended to be a punishment for unresponsive vendors. We understand that not all bugs can be fixed in 60 days, although many can and should be. Rather, we thought of 60 days when considering how large the window of exposure for a critical vulnerability should be permitted to grow before users are best served by hearing enough details to make a decision about implementing possible mitigations, such as disabling a service, restricting access, setting a killbit, or contacting the vendor for more information. In most cases, we don't feel it's in people's best interest to be kept in the dark about critical vulnerabilities affecting their software for any longer period.

Somewhere along the way they appear to have lost their senses and enshrined 90 days as some written-in-stone deadline that makes no sense and is counter to their stated objectives.

Announcing Project Zero

... Our objective is to significantly reduce the number of people harmed by targeted attacks. ...We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.

Comment: Don't miss next week's episode... (Score 1) 119

Where the FBI submits a sworn affidavit that Kim DotCom is Dread Pirate Roberts to the New Zealand courts in a bid to further his extradition to the US, because surely those sheep-loving Kiwis can't possibly resist the War-on-Drugs(tm) as a legitimate reason to let the MPAA/RIAA go after Kim DotCom for digital piracy[1].

If he wasn't under so much financial pressure (freezing of assets) I'd expect him to make a press release suggesting it himself.

But the conspiracy theorists will posit that John McAfee is the real Dread Pirate Roberts. I mean, he was found in Belize of all places. What do you think he was really doing there? Creating his second, pseudonymous fortune, this time without the IRS insisting on payments. Hell, half of the software multimillionaires who have been in tiffs with the IRS themselves would likely support his venture on the down low.

[1] Okay, infringement of intellectual property doesn't have the same sense of dire urgency does it.

Comment: Re:Very disturbed by tag "writeorexecute" (Score 1) 84

by plcurechax (#48813525) Attached to: OpenBSD's Kernel Gets W^X Treatment On Amd64

Well, you're right from a formal logic perspective. In spoken languages, though, there's often an implicit 'either' attached to the 'or', causing 'or' to essentially mean 'xor'.

Yes, everyone should be expected to go read Principia Mathematica before posting to Slashdot, far better than any captcha in use today.

Comment: Re:Virtualisation dates from the 1960's ! (Score 1) 180

by plcurechax (#48813467) Attached to: The Legacy of CPU Features Since 1980s

The first large scale availability of virtualisation was with the IBM 370 series, dating from June 30, 1970, but it had been available on some other machines in the 1960's.

So the idea that "newer machines have support for virtualisation" is a bit old.

This point has been made since the first virtualization software on microcomputers was being experimented with. Those who don't know history are doomed to repeat it (or something similar, depending on how diligent your citation tracking is).

I'm still waiting for someone to tell us that IBM discovered perceptually acceptable lossy compression, such as JPEG, MP3, and MPEG, back in the mid-1960s mainframe era to generate images and videos for punchcard distribution.

And Xerox PARC labs had a portable MP3 player prototype with a seamless white case with a steering-wheel styled interface, locked in its vaults of time.

Comment: Re:Anyone else concerned? (Score 1) 164

by plcurechax (#48813277) Attached to: Man Saves Wife's Sight By 3D Printing Her Tumor

but doctors act a lot more like technicians than scientists or researchers.

Doctors are much more like technicians. You don't want doctors "experimenting" on you unless you really, really need that.

To clarify, the doctors or physicians you are referring to are medical practitioners in medical parlance. There are two additional medical "communities," which are linked: the medical teaching and research specialties, though these two tend to be more intertwined. In many cases they share hospitals, labs, institutions.

Physicians are typically not brought up in a 'science' environment (question assumptions, learning how to research a topic, critical thinking.) Doctors are brought up in 'cram mode'. Dump a lot of info down your throat. You're expected to believe it. They are increasingly taught to 'follow the protocol' which amazingly, is what technicians do.

That is a gross over-generalization. A good physician is trained to be scientifically minded, to take careful observations (utilizing medical testing), question assumptions for faulty assumptions and correlations, and be critical in what they do. They are expected to learn and memorize a large body of knowledge that they will likely need to do their job on a daily basis, and were AFAIK the first profession to have formal continuing education requirements to keep their medical license in many jurisdictions. All bio-chemical scientists follow a protocol so that they have a consistent and reliable testing methodology to reduce mistakes, attempt to be as objective as possible, and be comparable.

Yes, there are 'physician scientists' but they aren't treating the majority of patients and you don't want them to be ('hey that looks interesting, what happens when I tug on it?').

If you are being treated by a medical researcher, then either there is no known effective or reliable treatment, or they are testing a new, hopefully better, treatment. It means you are the test subject, normally not an ideal situation.

This case is interesting as the husband of the patient kicked the docs out of 'technician' mode. And, of course, used a 3D printer.

ALWAYS ask your doc questions about stuff you don't understand.

Interesting, yes, but it bugs me more in that I fear the deniers of vaccine safety, and those who want to consumer-ize their medical experience ("the customer is always right" is a horrible mantra for any legitimate medical practice) will use it as evidence to vindicate their positions. Most of the medical drama was in fact about miscommunication, inconsistent practice, and the need to be your own advocate for medical treatment.

From working with physical scientists, I know that 3 and higher dimensional visualization is still often lacking in being easy to interpret, even with advanced computer visualization techniques. The results, while they can sometimes be made to look pretty, have little correlation with how quickly and easily the visualization can be interpreted to extract the relevant information.

Comment: Re:Makes sense. (Score 1) 629

by c (#48796279) Attached to: Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

No, not with encrypted-locked bootloaders becoming common.

Yeah, you're pretty much outlining exactly why I tend to research unlockability prior to buying my devices. I'm not going to pretend that even a small fraction of buyers do this.

I don't really have much of a solution for people who blindly buy whatever junk the carriers decree that they're allowed to buy. Google's worked on migrating to the Play services approach to get around this, but short of hacking into, unlocking and updating everyone's devices I'm not sure what more they can do.

Comment: Re:Makes sense. (Score 1) 629

by c (#48796165) Attached to: Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

Now, you are talking about an exploit that could be affecting 60% of Android phones...

No, I'm not.

I was responding to a comment about the general state of Android and iOS security updates, not anything specific to this security vulnerability.

In general, if you have an iOS device and Apple decides not to fix a security problem on your phone, it's most likely not going to be fixed.

In general, if you have an Android device and both Google and your vendor decide not to fix a security problem on your phone, you might have a chance to get it fixed by other means. It's not a sure thing, it's not without risk, and you might not be entirely happy with the end result, but it works often enough that it's not a crapshoot.

Now, if you want to get into specifics, I don't know how many of the 60% of vulnerable devices might be able to take advantage of non-Google support, but it's far better than nothing.