Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment Re: CVSSv2 (Score 1) 30 30

From what I have seen, Mitre and NIST often show inaccurate CVSS scores on the CVE pages.

Have to stop you there, sorry for perhaps being a bit pedantic, but the NIST score is more or less the "official" score of a vulnerability, given how closely they work with organizations like MITRE. The CVSS scoring rules have some nuance to them, and in some scenarios the official rules on scoring a vector is not what you'd expect. NIST tries to follow the official scoring rules as strictly as possible. You may not agree with the rules (and many people don't, I'm not trying to knock you), but technically their scores are the most accurate.

CVSS recently released v3.0 scoring in order to try to address some criticisms in scoring. It did this by upgrading its base vector to be a bit more easily comprehensible by adding obvious metrics like "user interaction required", which was previously embedded in "access complexity" in v2. I think in general I like the concepts and it makes it easier for the most part, but time will tell if the general public agrees. The sticking point I think is the idea of scope, which is not a bad idea in general, but the definition seems a little fuzzy to me. We may have only shifted where the nuance is, and so disagreement in scoring may continue into the future.

In order for the metric to be truly useful, every organization has to localize measurement to their environment and each vendor needs to measure impact against their use or non-use of the underlying code. At the end of the day, it's all about risk measurement, but with those steps you end up with a reasonably accurate assessment.

Exactly. CVSS allows for this by use of temporal and environmental scores, but unfortunately, most organizations don't use them. This means most people run around talking about the base score without a clear sense of how it applies to them. I've seen vulnerabilities with a base score of let's say 7.0 or so being knocked down to 1.5, after you factor in its temporal factors (such as a patch being available) and environmental factors (such as not very widely deployed). I wish more people would talk about the environmental factors. CERT is one of the few places that lists temporal and environmental metrics, though their database is not comprehensive.

CVSSv3.0 is weakest in the fact that they essentially threw out the environmental metrics; yeah, its technically there, but its shadow of its former self -- it doesn't include important metrics like population anymore. I hope they will put that back in for CVSSv3.1, and encourage more widespread adoption.

There is nothing wrong with the current system that wider spread adoption and education cannot fix. Part of the problem is the media hype surrounding the bugs. If every little issue wouldn't get a cute name -- Shellshock, Logjam, POODLE -- the reactions might be a little less kneejerk.

I agree, but education can sometimes take a while and be harder than you think. There's momentum -- and money -- behind the current system. You get everyone wound up, and then offer to sell a widget that "protects against it". There's a lot of snake oil for sale in the industry right now, and so far, companies and governments are eating up. It will continue as long as money is being made. The bigger question is, how do you make it more profitable to tell the truth about threats?

Organizations like CERT tend to straight talk it and provide honest feedback with their temporal and environmental scores, but they're not picked up in the media as much as these security start-ups that are out to cause a ruckuss and make money. The start-ups seem to me to be more marketing companies than security companies these days; they tend to overinflate the CVSS base score and talk it up by reaching out to media directly, when in reality, the base score itself may not be that high, nevermind that temporal and environmental factors might lower it more. Fear makes money right now.

Comment Re:If only there was a rating system for this... (Score 1) 30 30

Temporal and environmental factors and only be assessed by people in the know. Windows shops obviously don't care about Linux vulnerabilities and vice versa.The base ratings are strictly focused on the vulnerability. Other factors you need to determine yourself... And there's already a system for that.

Yeah that's kind of the problem, most companies don't use temporal or especially environmental factors. If you base everything on the base score only, you're not getting a really accurate feeling for the severity of the vulnerability.

The other problem is that CVEs tend to be treated in the researcher community as gold. You list CVEs on your resume, for example. CVEs are not meant to indicate severe vulnerabilities, or even all types of vulnerabilities -- many things that are important don't get CVEs, while many lame vulnerabilities do have a CVE. These systems need rethinking in general.

Submission + - Qt 5.5 released->

mx+b writes: The latest version of Qt, the cross platform GUI toolkit and development platform, is out for all major platforms. Highlights include better 3D, multimedia, and web support, as well as better support for the latest OS X and Windows releases (including Windows 10) and more Linux distributions.
Link to Original Source

Comment Re:Probably GPL, but depends on Apple (Score 1) 171 171

It's because BSD/MIT pretty much are cool with anything as long as you attribute the code to the original author. That is the main requirement of distribution. So proprietary is ok as long as somewhere deep in the credits they add the name of the original author.

GPL meanwhile requires not just attribution, but the availability of the full source code. So you can't be a proprietary trade secret with GPL code, so any proprietary software using GPL is in violation of the license and therefore copyright law. It's illegal.

Comment Probably GPL, but depends on Apple (Score 4, Informative) 171 171

You beat me to it :-)

To the original poster:

The GPL is "viral" in that if you use even a smattering of GPLed code, you are required to release ALL of your code as GPL as well.

It concerns me that you state you use example Apple code. What license is it? ("has its own terms" is completely unhelpful).

In general, you're restricted to using a license that is the most restrictive. The liberal licenses like BSD and MIT can morph into anything pretty much. GPL is one of the most restrictive on redistribution (RMS would say it preserves user freedoms by restricting developer distribution, and I would tend to agree with it; just throwing that in there because I don't mean restrictive in a negative sense here, only that it was designed to prevent people from running off with the code without contributing back to the community, so you can't just re-release GPLed code under MIT like you suggested). Apple's license may be open source or not; furthermore, there are known open source licenses that are NOT compatible with the GPL, so its entirely possible that the Apple code may not be distributed together with the GPL code. For reference, see http://www.gnu.org/licenses/li....

It's possible your pro-bono advice is correct and this doesn't matter too much if you release it publicly and open source (it seems unlikely open source projects would sue other open source projects), but in case you ever plan on making money on this project (and even if you don't), to avoid any possible legal trouble you should choose the most restrictive license compatible with all licenses at play. Likely this means the GPL, but the wildcard is Apple. If you post the terms to it, we could probably help sort it out (with the usual IANAL caveat). Otherwise, you may need to rethink which libraries are included with your code and possibly even roll your own depending how niche it is.

Comment Qt for Android (Score 4, Interesting) 173 173

Where do I get started building Android apps in C++? Inquiring minds suddenly want to know.

The latest versions of Qt5 support building Qt/C++ apps for Android and iOS. I've never tried it for more than running a few examples, but it seems pretty nice and easy, and I've really enjoyed Qt development for years now.

Comment It's the economy, stupid (Score 1, Informative) 830 830

Really, with all the important issues that should occupy a president's attention, if this is even on your radar, you're not qualified for the job.

Converting to metric is not just a fun science nerd issue no one cares about.

Really it's an economic issue, and I'm surprised it hasn't been made more of a big deal. When we follow international standards, we can better share ideas and better trade goods. If the US used metric, we'd be in a much better position to sell our goods worldwide, as we wouldn't need to re-tool or re-calculate all the time.

Great example: our US engineers are mostly trained in the English system. My wife used to work in an industry that is now heavily developing and building things overseas. The American engineers had to build everything to metric standards, since they were building in India and what not, and really had trouble with it, as they weren't properly trained to do metric calculations and the equipment they wanted to buy from American companies didn't always come in a metric size. Instead, the engineers would have to half-ass some crazy scheme (like buying parts and then cutting them -- makes sense until you realize you'd have to pay field guys to do this 10,000 times) to get it to work. The quality suffers, and since there's all these problems, I get the sense that many international companies would rather just hire Germans or whatever to do it.

This is an anecdote of one industry, sure, but if our engineers were trained in metric, and our businesses made the jump to make metric products in the first place, we'd probably be a lot more competitive in the world market. We wouldn't need to spend all this extra time and money on customization, we could just do it. I imagine all this effort has long ago exceeded the cost of buying new tools once; we should have just switched then and told businessmen to shut up about costs.

Comment Have You Looked for a Job Recently? (Score 4, Interesting) 413 413

I find it amazing that not only is cable TV a "right", deserved by all, now broadband is also a "right".

In a way, it is. Your first comment is actually a little more correct than you realized.

I hunted for a job last year for quite some time before I got my new gig. Let me share some thoughts on the current job climate:

  1. (1) Many companies specifically say they do not fool with paper applications anymore, you are directed to submit resumes to their online HR portal.
  2. (1.5) For that matter, I don't see "Help Wanted" signs very much either. Job openings are posted online, so to even see if a job is available, you often have to check online.
  3. (2) An email address is as required as a phone number (perhaps more so?) these days when applying for jobs. Correspondence such as setting up interviews was done almost entirely in email in my experience. They may have called?... or may have thought since I didn't respond to their email, I wasn't available, and moved on to the next candidate.
  4. (3) A LinkedIn or Facebook is used to "verify" you are a real person that doesn't seem too crazy or weird, and that your public profile matches your resume (catching obvious liars). It was heavily insinuated to me that applicants without an online presence were basically treated as homeless drug addicts (i.e., "what are you hiding if you're not online?")

So, to get a job, it's quickly becoming a requirement to have internet access. If we ever expect to help people improve their lives, we have to be willing to give them a leg up to get started. Getting a decent job is a start to better things, so if jobs require internet access, I am all for making it a "right".

Furthermore, I think there is an even greater reason why to do this. While it is possible to call one's congressmen, you'd have to know what to call about. I never receive snail mail copies from my legislators, but I receive email newsletters and follow them on Twitter. Without internet, you would probably have much less of a chance of being informed as well as being able to interact with your representatives. Arguably, since democracy is one of the most important aspects of our society, I would say that allowing access to representatives is a fundamental right, and if those representatives now do a lot of their business and work online, we must require online connections for all.

Comment Not just no ads, but had content (Score 1) 531 531

I miss being able to do a google search, and the first few hits were generally exactly what I wanted.

Yeah yeah, I know, "use google-fu", but it doesn't really work anymore, not as well as it used to. The marketing droids and advertisers have their whole SEO thing now where they're actively out to cheat google to get you to browse to their crappy blog or whatever instead. Searching for anything technical gives you the first few pages of marketing blogs that copy-paste each other's heavily buzzword-laden summary, squelching the actual reporter or researcher that has real information.

It is obnoxious. I've day dreamed of making a TLD (.awesome or something) that has one specific requirement -- anyone can register a domain as long as you sign an agreement that you will NEVER DISPLAY ADS. Well maybe, a couple other requirements to try to cut down on the copy-paste news cycle. But generally speaking, if you search only .awesome addresses, you know you're getting legit content. That's what I want. That's what I could do in the early days of the internet. The internet has been destroyed by rampant greed and commericalism. I want those early days of hackers (in the sense of open source contributors, not malicious ones), professors and enthusiasts to come back. Do I just not know where to find them online anymore?

Comment In The Limit, It's the Things We Buy (Score 1) 837 837

Maybe we should just nix the idea that road infrastructure needs to be paid for with gas or vehicle taxes, and start paying for it from the general fund.

I came here to say this.

Pay-per-use means we have to track use, which means extra billing/administrative costs/HR involved, which means less of the money is actually going to what it is supposed to. Unless the tax hike is higher than what it is now. It's so much complication for no reason.

I'd say this: we all go to the supermarket roughly once a week to get groceries, clothing, whatever. Those things generally speaking come in by truck, which is much more damaging to the road than personal vehicles. So, no matter your personal habits, it is a drop in the bucket compared to the cost of your goods coming in. So how about we say: everyone needs to eat, buy new clothing, etc., and we just call it even and hike everyone's income tax by 0.1% or whatever. Everyone uses about the same because everyone needs goods trucked in, young, old, rich, poor. End of story. Earmark that money for transportation, and you're done, the tax is collected quarterly/biweekly automatically with no extra taxation infrastructure.

With an appropriate tax rate, we might even be able to offer free buses and shuttles and light rail for our citizens. It would be good for everyone, especially the poor, whom might pay less money with a 0.1% tax than current bus fare.

Comment Re:Free Tuition is better for citizens and budget (Score 1) 85 85

The majority of student loans (about 90%) are federal. The Federal government gets interest on those loans, that money goes to Obamacare which is partially how it got passed in the first place.

So why are you against Obamacare funding? Don't you like things like roads and police? You have to pay for services from the government you want.

Loans can't go away now, or be forgiven because that is a major funding point for Obamacare. I guess you didn't get to read the bill even after they passed it.

The bigger question is: why is most of our healthcare funding coming from 20-somethings just trying to earn a college degree and a better life? Why isn't the baby boom contributing more, for example?

Aside from ethical problems, here's another: that amount depends on people going to college. If there's a sudden swing in people not going to college, or at least staying at a local community college and paying cash, that money is now gone. As I said in my earlier post, this money on the backs of the young trying to start a life is just being used to "balance" a budget that was never actually balanced. We never actually asked for sacrifice from the American people as a whole, just saddled the debt on our youth and kicked the can down the road.

We can save money from the federal budget letting everyone go to school for free. Some of those savings can go directly to healthcare funding. There may be a funding gap, but honestly, Obamacare/Affordable Care Act didn't go far enough. The insurance companies are still out of control on prices and coverage. I suspect while we're reforming education we also need to reform healthcare correctly to ensure everyone gets appropriate cheap medical care as well.

We absolutely need funding for essential services and other things required of a modern democracy, such as education and even cheap internet access. What ticks me off about all of these industries (education, healthcare, internet service) is the entitlement these companies have to making money on the backs of poor people via unnecessary tax breaks (such as the breaks for banks for student loans I mentioned earlier). They really believe they're entitled to make maximum money on tax dollars, while providing nothing or very little. It is insane. We need to stop corporate welfare and make our tax dollars actually work for the people. When we do that, we will not only have a balanced budget but also great services.

Comment Free Tuition is better for citizens and budget (Score 1) 85 85

Because, it is better for society to have an educated populace, and not just have the children of the wealthy be able to afford to have one.

Did you go to public school? Did you enjoy the benefits of living in a mostly lawful society? Do you drive on public roads? Do you use any public infrastructure like water?

It is absolutely better to have an educated informed citizenry, especially in a democracy that requires informed decisions through voting to function properly. I think very few disagree with that.

What I disagree on is the need for loans. Loans are all about making money for the financial industry and even the federal government (used by politicians to "balance the budget" on some of their terrible decisions with war, social security, tax breaks, etc.). We should all agree that education is a fundamental investment in our nation, and pay for it out of taxes. Anyone that wants to go and displays aptitude (perhaps some sort of exam, or maybe let anyone in under probation for a first semester or two, no retaking classes on government dime if you fail -- the exact specifics need to be worked out) should be able to go, FOR FREE, because it is an investment in our nation.

There have been analyses before such as this article (though I have seen others as well). Essentially -- the US Gov already pays over $70 billion in loan guarantees and tax incentives for tuition... when we could cut out the middle man financial market entirely and simply pay the $60 billion in tuition directly. Everyone goes to school free, AND it actually reduces federal spending. Holy crap is that a win-win.

Any politician that proposes any continuation of loans as if it is a good thing is out of touch with reality and possibly trying to support corporate overlords. Let's dump them next major election.

Comment Re:This plan has holes (Score 1) 352 352

what's pushing this is the management class's absolute loathing of skilled individuals. they demand that every worker be a replacable component and they simply don't care that that means loss of productivity through loss of experience, skill, and talent.

they have this attitude towards workers in education and every other industry - whether for-profit or not-for-profit. it's what they're taught, and it's what they believe.

I can't speak for K12, but I taught post-secondary (tech school/community college as well as university level) for several years. I'm finally out now because of crap like this.

The tech schools / community colleges are already doing this plan. When I taught classes there, I was given a book and a curriculum and said "teach this, exactly in this way". Very cookie cutter, and since everyone was an adjunct, if you didn't follow the rules in how you governed your class, suddenly there weren't enough classes for you next semester. I absolutely loathed it because there was no room for customization or anything. Follow this path, make sure to give them this specific set of homework questions and tests on this subject, and that's it. Oh yeah, HR told us we have to pay lip service to "academic freedom", you're allowed to teach what you want, but only AFTER you cover the curriculum and give the assignments.

The universities were a little better, in that I did get a little more freedom on how I conducted the class. But it's still a bit of a cookie cutter curriculum, partially because of the reliance on adjuncts (part-timers). You still don't get a say in what textbook is used and what the course description is (I could customize the syllabus, but it needed to say certain boiler plate stuff about the class), and that unfortunately sets low expectations on the students.

So I fear the author's prediction may be pretty correctly. I think education will devolve into a bunch of part-time adjuncts following a "script" from a curriculum established by some far off group of education Ph.D.s, not actual content masters (sure, child psychology plays a factor, but only after you know what is important to a field and can decide what should be covered in the first place).

By the way, a number of years ago I applied to a consulting company looking for people in education. I was a young adjunct, needed extra money, so I thought sure, if I can find an extra part time job, I'd appreciate the money to pay off loans, etc. The company was pretty sketchy, and it turned out the job entailed writing curricula for K12. It was a loophole in the law -- most states require someone with an education degree to write curricula for the state, meaning very few subject matter experts could. So what they started to do was hire consulting companies from out of state to provide the curricula, who took the money and then hired well educated people on a temp basis (3 month employment usually) to write up a class curriculum, then you were fired. Had I have taken the job, I believe I would have wrote some of the algebra curriculum for the state of Minnesota. But not full time and paid well because it's an important job, but as a part time contractor with no benefits. I didn't do it, and in fact, laughed as I walked out of the interview with how terribly they treat me and pitched the job. But as I did, I saw a row of young to middle aged teachers in suits and dresses waiting to interview, and I realized, of course they don't care if they impressed me, they have a line of adjunct teachers in poverty waiting to do this for some quick extra cash.

So yes, unless we as citizens course correct, education will be low-pay part-timers, because we're already headed that way. And since most people hate living in poverty, the well educated ones will go look for jobs elsewhere, and we will end up with mediocre teachers that hate their low-paying jobs.

Comment Missing the Point (Score 5, Insightful) 482 482

If he's pulling down $5 million a year from company stock dividends, is giving up a $1 million salary that big a deal?

I think these kinds of statements are missing the point.

The real story here is: hey, you can still make an ass-ton of money without leaving your employees as slaves!! Everyone can win and grow together, rather than a subset at the expense of the majority. (and happy employees produce more, willing to work more, etc., so the company and therefore CEO benefit even more -- it's a positive cycle).

If it's not a big deal to lose some salary because it will be made up for in investment income/dividends, then why don't more CEOs do this? I hope this guy starts a movement; even if his intentions were not entirely altruistic, it is still a good thing.

Comment Does It Have to be Useful? (Score 1) 626 626

I would think as a philosopher you would understand the need for the human mind to create (which seems to be most of your argument, actually, that people create changes to languages very naturally).

So, if this person wants a hobby of messing around with language and seeing where that takes him, why not? Why not follow his passions, even if not for the rest of his life, just for a year or so to learn more about languages and history of them? I'm very disappointed to see so much negativity amounting to an academic subject; why not encouragement? It's one thing to say "don't expect to create the world's main language in the year 2050", but why such negativity about it?

After all, what use is anything we all do? Sports, mathematics, science, philosophy, arts. Culture changes on a whim, sometimes culture never accepts your work, and in a few billion years when the sun explodes perhaps all evidence of human kind will be extinguished anyway.

So why the hell can't a man dream? Why can't we encourage him? Even if his language never gets used by anyone ever, the process of creating will forever alter the submitter's brain in a way that lets him see the world (or at least, subset of the world) differently than before, and that's something I encourage.

I guess my tl;dr is : if he enjoys it, how is it a problem to want to tinker?

If you would like an example of the utter failure of humans attempting to create artificial languages then go look up Esperanto.

I looked into Esperanto and find it a very fun language. As you state, at least as far as I understand your argument, language needs to be adaptable. Esperanto is quite adaptable, as it only has a few essential rules. Subject-verb-object order can be strewn about without loss of understanding, adjectives and nouns can be built up using interesting prefixes and suffixes to get across a point (being only a beginner, I had already noticed there were several concepts I could express in a couple of words that take a sentence or two in English -- I imagine with better vocabulary and maturity one could communicate some very interesting concepts succinctly that perhaps cannot be done at all in English). Really it is a fantastic language, one that has indeed grown since it was first developed over 100 years ago, but the developments have kept in line with that minimalist set of rules.

If nothing else, just the consistent sounds of letters makes me happy. It drives me nuts trying to spell in English. If we had the consistency of Esperanto, it would be much easier to communicate in written word without confusion (or at least, easier to become proficient at writing).

I would encourage the original submitter to look into Esperanto and the design decisions of the language. It really did well in the early 1900s. I do not offhand have the link, but I believe I have read before that it likely would have become a more world-wide trading language (it was growing very fast) if it had not been the world wars that catapulted the U.S. into world power status and therefore English as a major language (prior to then, French had been the dominant international language -- in fact, I believe it said the U.S. supported the switch from French to Esperanto until it looked likely that English would take over). Pretty decent for a constructed language, and would probably be fascinating research for a person interested in languages. I admit my own interest but never the time to fully verify (isn't that everyone's problem though?)

The tree of research must from time to time be refreshed with the blood of bean counters. -- Alan Kay