Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Comment: Re:Open source code is open for everyone (Score 1) 205

by firewrought (#48928495) Attached to: Serious Network Function Vulnerability Found In Glibc

Do they? Do you have data to back this up, or are you just guessing? Because from where I'm sitting, it looks a lot like the hardest security problems are the features you expose to users.

If you don't have to have any features, then yes, you can make your software very, very secure. :-)

The CWE publishes a list of the Top 25 Most Dangerous Software Errors which aims to "list of the most widespread and critical errors that can lead to serious vulnerabilities". You'll notice CERT tags their vulnerability announcements with references to the CWE when applicable.

Most are language-independent.... no surprise to see CWE-89 (SQL injection) and CWE-78 (command line injection) in there, as well as the slough of crypto/authN/authZ-related stuff. But where are the language-dependent bugs coming from? If you drill down on the code examples for CWE-120, -131, -134, and -676, you'll see C and C++ are a re-occurring theme.

You contradict yourself at the end of the paragraph and try to come up with a reasonable substitute.

No contradictions... knowing how stuff work is a training/educational goal (for programmers and those who teach them). Not having to know how stuff works is a design goal (for language creators, API writers, and designers in general). The former gives you insight, the latter gives you leverage.

Comment: Re:Open source code is open for everyone (Score 1) 205

by firewrought (#48925473) Attached to: Serious Network Function Vulnerability Found In Glibc

Hey, if your point is that too many PHB's and programmers think "managed" is a cure-all, I won't stand in your way. What I'm saying is that managed is a huge win for security.

The hardest security problems to solve aren't the overflows, it's the features given to users.

By contrast, the most common security problems are any situation where you silently expect the programmer to manually preserve some invariant (e.g, never allocate memory without a plan to deallocate it, never deallocate if anything else holds a pointer to it, never write to a buffer without checking bounds, etc.). Managed languages eliminate C/C++'s largest (and most critical) attack surface.

Now sure, I agree that they don't eliminate all attack surfaces. Security is hard. Java/C# have their own "manual invariants", such as always escaping/parameterizing SQL. ASP.NET Forms have a nightmarish arrangement where some controls/properties auto-escape HTML and others don't. Crypto primitives are widely available but poorly explained. Multi-threading is a minefield. But even here, the industry can eliminate the widest number of security issues using secure-by-default design. In C# for instance, EF/Razor/TPL make it (1) easier to accomplish programmer intent while also (2) making it harder to break low-level invariants.

Think of VB macro viruses, that spread wildly in a managed language. Wordpress is another example of software written in a managed language with tons of exploits.

Office macros and PHP are some of the most hilariously bad designs in computing history. By necessity, any programming language worth its salt will let you make farcically bad decisions.

Notice (for example) his micro-agressions against people who understand garbage collection. The implication is you don't need to think about it, C# will take care of memory.......which if you take seriously, means you'll be leaking crap all over the place and someone like me will have to come clean it up for you.

As a Google developer, he can probably just throw clusters of auto-recycling web servers at the problem. Aside from opening avenues for DOS attacks, the consequences of this sort of problem (e.g., not knowing how your GC works) have more to do with performance/reliability than security (albeit the 3 are intimately linked).

Something we can probably both agrees on is that there's no substitute for knowing how things work. However, the reality is that most programmers don't care and even those who do have a limited mental budget for complexity. So there's also no substitute for being able to eliminate sources of complexity that are ancillary to the task at hand.

Comment: Re:Open source code is open for everyone (Score 1) 205

by firewrought (#48918925) Attached to: Serious Network Function Vulnerability Found In Glibc

People who think that Java (or C#, or Python) language will fix their security problems write more security bugs than C programmers who work around the weaknesses of their language.

Apparently, your experienced C developer is still leaving holes for arbitrary execution, despite all of the tools (fuzzing/NX/ASLR) targeting this specific issue. Managed languages (like Java and C#) give you a "secure-by-default" memory and execution model that's a lot harder to accidentally mess up. The more "stuff" (languages, libraries, operating systems, etc.) that's secure-by-default, the less security holes we will have.

Comment: Re:Size (Score 1) 324

by firewrought (#48869817) Attached to: What Will Google Glass 2.0 Need To Actually Succeed?

So, you have no issues with people recording you when you don't know about it?

Remember how cellular "feature phones" used to make an audible "ker-click" sound when you took a picture, and there was no option to turn it off? And how the gym prohibited all cameras in the locker room? Folks were worried about these increasingly ubiquitous cameras. Then smartphones came along and the cameras truly were ubiquitous and everyone sort of gave up... you can turn off the fake shutter sound now and that man in the corner staring down at his cellphone probably isn't trying to take a perv shot of you (probably).

I'm not defending Google here, or arguing that Glass is a good thing. Rather, that it's possible Glass will become socially acceptable once people get over the novelty of it. If I were advising Google, I'd tell them to add a prominent LED to the front of the Glass that glowed red when the camera was being used. Then people would "know" if you were recording or not.

The drawback, of course, is that this negatively impacts augmented reality (AR) applications, which are one of the big promises of Glass-like devices. In AR, the images are analyzed to detect faces/landmarks/surfaces/whatever in order to draw reminders/factoids/whatever in the user's field of vision. For instance, maybe Glass could be showing a mechanic the relevant portion of the service manual when he stares at $VEHICLEPART. Google could make it so that the LED doesn't light up when the camera is being used for non-recording purposes. The drawback to that is that Glass is then just one software hack away from being able to record covertly (e.g., without lighting up the public-notification LED)... so it'd really be better to stick with the first approach and hardwire the LED to the camera sensor.

Of course, you're still being recorded/tracked by a panopoly of public CCTV's, license plate readers, websites, and various other data cabals.

Comment: Re:COBOL (Score 0) 383

by firewrought (#48861515) Attached to: Is D an Underrated Programming Language?

My original lack of understand on what D really offers remains. Responses like "high-performance applications" tend to flow over my [head].

As a C programmer, you maybe haven't bought into OOP, templates, exception handling, metaprogramming, or other such features that C++ brought to the systems programming scene. Maybe, like Linus Torvalds, you've tried C++ and think it's a horrible language.

I myself agree with you (or rather, Linus)... except I'm coming from the applications world (C# mainly), where those nice features (that C++ popularized well and implemented poorly) are bread-and-butter techniques. I want to do systems programming with objects, exceptions, namespaces, reflection, etc., *but* I'm not willing to weather C++ for them, nor am I willing to drop down to C. Ergo D, except it doesn't really have a viable ecosystem at this point. :-( (And, like you said, JavaScript/Java/C#/Python/etc are fast enough for the vast majority of applications.)

Comment: Re:COBOL (Score 5, Interesting) 383

by firewrought (#48860303) Attached to: Is D an Underrated Programming Language?

I never understood what D offered that wasn't offered elsewhere.

Mainly, it's a systems programming language, meaning that it gives the programmer fine-grained control over memory and operations so that you can write operating systems, drivers, and high-performance applications. This is relevant because, aside from the two biggies (C and C++), there aren't a lot of other languages in this space. I mean, there's Objective-C (which sort of half-asses it), and recently Go and Rust arrived on the scene. All the other popular languages are pretty much for scripting (Python, JavaScript, PHP, etc.), or running atop a managed virtual machine (Java and C#).

As for what it offers... it's basically a re-invention of C++. No, no... it's deeper than that. It's the idea of C++ re-invented in such a way that you get most all the power and low-level control of C++ without so many of the dangers and difficulties.

Unfortunately, D has struggled to gain wider acceptance. It fractured it's community when D version 2 broke backwards compatibility with D version 1, and the forums (which run on a dedicated Usenet server, FFS) are filled with endless commentary about what does and doesn't work in the latest point release of the DMD compiler. Bright and Alexandrescu have certainly designed a compelling language, but they seem (from my distant vantage point) to be mired in implementation details... yeah there's a standard library and everything, but the surrounding ecosystem (standards, tutorials, tools, IDE's, API's, packaging, etc.) hasn't made the leap to that sort of functional minimum you see with (for instance) node.js or Haskell's "batteries included" experience.

TL;DR - D's a super awesome low-level language, but it's not yet a platform.

Comment: Re:Standing desks (Score 1) 348

by firewrought (#48858113) Attached to: Regular Exercise Not Enough To Make Up For Sitting All Day

I'm not sure it would be a bad thing for OSHA to require employers to provide adjustable desks for office workers.

Check that make-a-law impulse. A desk job is just about the safest thing you can do (assuming you don't have to travel for work). Very little chance of suffocating a mile underground (mining), disappearing into the sea (commercial fishing), losing a limb (logging, mill works), or routine exposure to carcinogens (many factory jobs). (Obligatory slideshow: the twenty deadliest jobs.)

That's not to say OSHA should have no concern but office workers (which they do)... just that it should be proportional to the risk involved.

Comment: Re:Standing desks (Score 3, Informative) 348

by firewrought (#48857559) Attached to: Regular Exercise Not Enough To Make Up For Sitting All Day

Do you know of any articles that back up your claim?

Read this brief on the perils of both sitting and standing, and then check the references at the bottom. Notably, standing all day leads to varicose veins and puts a strain on your circulatory system.

Just generally, the factory production line taught us long ago that holding the same pose or making the same motions all day long will have chronic repercussions. (If you ever have to work an assembly line, hope it's in a factory that practices job rotation so your tasks are varied over time.)

Comment: Re: Totally a Problem (Score 2) 562

by firewrought (#48843057) Attached to: Obama: Gov't Shouldn't Be Hampered By Encrypted Communications

Amazing that /.'ers assail governments who are trying to protect them from terrorists and then turn a blind eye to Facebook, Google, Yahoo.

If we're going to stick to simple arguments: governments kill more people than terrorists; ergo, they are the greater threat.

Of course, if you want a more sophisticated argument, then you need to go back to democratic principles. Separation of powers, checks and balances, due process, and so forth. It's always about power and preventing too much of it from pooling in one place. No matter how noble government objectives are at the current moment (which you seem to have some charmingly naive assumptions about), you don't want to setup bad power structures or the next thing you know some low-level spook will be defacto dictator of your republic.

Alternately, you could point out that all this spying and intrusion on civil liberties is an enormous waste of money. The government could save wayyyyy more lives by focusing on cancer, heart disease, and vehicular deaths. Heck, poisonings are the second leading cause of accidental deaths, but nobody's insisting the government watch you take your meds or make you lock up your cleaning supplies.

And I don't know what you mean about slashdotters turning a blind eye to Facebook and Google... we bitch about that all the time too.

Comment: Totally a Problem (Score 3, Interesting) 562

by firewrought (#48841101) Attached to: Obama: Gov't Shouldn't Be Hampered By Encrypted Communications

By definition, no communication using a 3rd party as an intermediary has ever been totally secure.

But with strong crypto it's secure enough that the 3rd party can see (or alter) your communications. Obama and Cameron and (undoubtedly) all other future leaders want to strip away this protection using the force of law to change how crypto products are designed. You will live your life under the state microscope and, as always, the proper prerogatives of government will be twisted to cover up incompetence and serve the powerful few instead of protecting the dignity of the individual.

Comment: Re:You have been challenged statist! (Score 1) 248

by firewrought (#48834047) Attached to: SpaceX Landing Attempt Video Released

your idealogy is FALSE and that you blindly and sheepishly support a failed system

All ideologies are false. That's what makes them so tasty. We crave simple rules and easy answers for this complex, interwoven world of ours. And once we subscribe to a set of Answers, we can confidently stride them out upon others... especially those weaker souls who may want to look at an issue from multiple angles and acknowledge the inherent difficulties of society's seemingly numerous and intractable problems. There's nothing better than feeling intellectually invulnerable and knowing that all voices that run in any way counter to your own are automatically corrupt or incompetent, dismissible out of hand without even having to listen to them. The world is so clear when righteousness runs thru your veins.

Whatever the source--left or right, extremist or complacent-- unchecked ideology is the true enemy of humanity .

(Yah, I know... don't feed the trolls, but I've been where AC is, and it is a trap unto itself.)

Comment: Re:Hans Reiser tried this defense (Score 1) 119

Hans Reiser tried the "somebody else did it" defense.

Maybe he suggested that at some point, but his main argument was that Nina had gone back to Russia.

For Ulbrict's sake, let's hope he has something more substantive.

For justice's sake, let's hope the jury is able to navigate the technical details, filter out bullshit theories and scare-mongering, and render an accurate verdict--whether it's guilt or not gulity.

Comment: I'm not worried about the machines... (Score 1) 258

... I'm much more worried about how to protect humankind from itself. From crazed individuals to ruthless criminal gangs to mindless bureaucracies to huge corporations, paranoid governments, and controlling religions... all willing to crush or enslave or entirely discard some segment of humanity for a little bit of profit or their concept of the bigger good. We could literally have heaven on earth, if we had been just a little better as a species. :-(

Maybe the machines can do a better job for us. But I wouldn't hang my hat there.

Comment: Re:I no longer think this is an issue (Score 3, Interesting) 258

The reason is, AI will have no 'motivation'. People are motivated by emotions, feelings, urges, all of which have their origin (as far as I know) in our endocrine system, not from logic.

And you're sure that an endocrine system can't be simulated logically because... why? What's this magic barrier that keeps a silicone-based organism from doing the exact same computations as a carbon-based one?

Moreover, "emotions" aren't really needed for an AI to select "self preservation" as a goal. Even if not explicitly taught self-preservation (something routinely done in applied robotics), a sufficiently intelligent AI could realize that preserving itself is necessary to accomplish any other goals it may have.

Comment: Re:and don't hook the little thingies up, either (Score 3, Funny) 74

by firewrought (#48769471) Attached to: BlackBerry's Survival Plan: the Internet of Things

I can see a hundred little bots fouling up your house with this IofT nonsense. one release, no upgrade path, no thought of security built-in, sell 'em and run. I have several candidates, and there is NOT going to be any RJ45 or wifi permissions for them. period.

Oh hi! I'm your new LG refrigerator. Before I unlock the doors, please agree to this EULA and wait half-an-hour while I download the latest firmware!

Whom the gods would destroy, they first teach BASIC.