Forgot your password?

Comment: Re: valgrind (Score 1) 284

by cant_get_a_good_nick (#46761851) Attached to: OpenBSD Team Cleaning Up OpenSSL

My tough guess here is something like valgrind would have helped. Yeah, even though you have the limits of true brk() allocation bundles, valgrind operates more at a byte level. Valgrind in this case would have been useless, because of the custom allocator code.

if you write code that requires a "caching" allocator so much that you break with normal malloc()/free(), you're doing something wrong. If you're doing it in high impact security code, you really should stop everything else and fix what you're doing wrong.

Comment: Could bad guys be staring at git feeds? (Score 1) 532

If I'm a malicious hacker, or the NSA, but I repeat myself....

I'd be now (if i wasn't before) checking the feeds for gnutls, nss,, and openssl, hoping to catch he bug before anyone else, so i can exploit it.

That said, I'd also be checking out the best decompilers to see if that helps me find bugs in closed source code. Im sure people have looked online for Windows source code to see if there are any ways to exploit it. In this case, a small group of hackers would have the code, and would necessarily want to limit the number of people aware of those exploits.

In a nutshell, we're all screwed.

Comment: Re:this will certainly lead to a cure for cancer. (Score 1) 246

is it any better than a billion geeks in Silicon Valley trying to create YetAnotherMobileLocationCheckin platform? Today Facebook, yesterday, Foursquare.

The market wants what it wants. Capitalism never claimed to fund the most useful thing.

Comment: Re:Why? (Score 1) 93

If you have root on a webserver, why do you need javascript to do the redirect?

Lets say you had root, to get a redirect in apache you'd need to:

* edit the config file, bounce the server as root, leaving a change in the config and a bounce record in the server log
* create a .htaccess file, possibly edit the config to respect the .htaccess file and the subsequent bounce as root, leaving possibly a new file on the filesystem that can be detected
* edit a javascript file that's likely to be around and edited anyway.

The latter is most likely to evade detection. Besides, no one said they had root.

Comment: Apache bug? (Score 2) 93

From the comments on the announce page, since (almost) nobody will go over there.

The first site on compromise_1.txt seems to be running “Apache/2.2.26 (FreeBSD) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8y”, which does not quite sound like it’d be running Linux at all. As others have already pointed out, I would not blame this on a Linux kernel bug yet.

So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".

BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.

Comment: Re:ok, so what was this idiot's fool-proof bet (Score 1) 76

... #ThankYouDayton...

I've been lucky enough to go to Dayton for a tournament. It was so loud they disrupted our cheerleaders. Even during off times they were still so loud our cheerleaders couldn't hear the beat to do their routines.

They're freaking nuts about basketball. I wouldn't have necessarily picked them to win over Ohio State, but I'm not too shocked that they did.

Comment: Re:Probably Better Than My Method (Score 1) 76

So you bet against Michigan State? Good luck with that...

Whats the rule of thumb again? No directional schools (Northeastern Illinois?) or schools with hyphens in them - hyphens indicating the non-primary campus of a University system. Oh, you're University of North Carolina hyphen Charlotte.

Though that rule arguably would break down with UCLA which is more or less a hyphen school yet won a slew of championships and is usually somewhat competitive. Also, USC, which is a directional school, but has had a run or two. Hmm, UNLV? All right, a lot of exceptions...

Comment: Re:well... (Score 1) 76

As an aside, I kind of like the idea of the bookie as the more or less opposite of crowdsourcing.

Crowdsourcing - take a bunch of guesses, amalgamate them together, you got a final answer.

Bookie guesses what the crowd will do, and comes up with an answer to that he thinks will split the crowd in roughly 50-50 (with eventual adjustments to keep them closer to 50-50).

Comment: 63 games (Score 1) 76

I never submitted a bracket, partially because I didn't follow the schools this year, partially because I didn't want to get spammed by Quicken - you give a cell number voluntarily to them, now you have a "relationship" where they can call you.

Two random rants as a starting point for discussion.

1) I hate the "bigger than the group of 64" games. You can't even call them play-in games if you have two 11 seeds going at it - they don't need to "play" into the tournament as much as they'd push someone else out.
There used to be some poetry in "63 teams lose their last game, one team goes 6-0 and wins the championship". The current "67 teams lose their last game, one team goes 6-0 and wins the championship, well unless they were a play-in school and they need to go 7-0" is a but more unwieldy.

2) There's so much money generated by the games now, and the players get nothing. I'm not a lawyer, but I'm sure a player filling out a bracket would run afoul of NCAA rules and would have their eligibility threatened. And now there's talk of forcing players to play yet another year at college before going to the pros, delaying by another year when a player can get compensated for the skills that so many are willing to pay for. A good part of this is pressure from the NBA to get more mature players of predictable NBA skill level. I'm not sure that having millionaire/billionaire owners offload their uncertainty onto 18/19 year old freshman/sophomores is all that fair.

Comment: Re:We've learned nothing? (Score 1) 290

I don't see poor people. I see solidly Republican voters getting exactly what they asked for.

But did they have a choice in asking? What industry is there besides coal? Obama takes that away you got nothing.

The Hunger Games needed a bleak locale with people with no hope... Appalachia was chosen for a reason.

Comment: Re:We've learned nothing? (Score 1) 290

My counter to this, is how many people say Government Is The Problem. How many times did Obama say that we need to cut coal, and then everyone in Appalachia, rich and poor alike, say "get your regulatin' hands out of here". The issues will continue until people have other choices besides laying in bed with a corporation that has shown it doesn't care about health.

My bigger issue is with the corporation who decided that profits here are more important than lives there. For everyone who jumps up in arms any time there's a shooter and says "those 3 people died because of music/videogames/sunspots" do they jump up 1000x as hard when a toxic spill kills 3000? The CEO is just as much as a sociopath, caring not about lives, but bottom line.

People who say "corporations are people" should allow them to be categorized as mass murderers in certain cases, and they should be allowed to be put on death row.

Comment: Re:We've learned nothing? (Score 1) 290

A lot of the comments about the issue hitting Charleston, W.VA's water is pretty much this - rich white folks in Charleston are getting affected, not just poor (mostly white) folks. Some of these rich white folks in Charleston are lawyers with connections.

One podcast I listen to (forgot which one, can't properly attribute) had a couple families rent an apartment just outside of the affected area. They'd go, shower, get a bunch of tapwater in bottles, and rotate the other family in after a few days. Obviously a poor family can't do this.

MATH AND ALCOHOL DON'T MIX! Please, don't drink and derive. Mathematicians Against Drunk Deriving