Comment: Re:Open source code is open for everyone (Score 4, Informative) 209

by peppepz (#48918555) Attached to: Serious Network Function Vulnerability Found In Glibc
In fact, the bug had already been audited and fixed, almost two years ago, when the security researchers found a way to exploit it. From TFA:

We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18)

Current glibc release is 2.20. That's three releases without the bug already.

Nothing to see here, move along.

Comment: Re:libressl-2.1.3 (Score 5, Interesting) 96

by peppepz (#48897057) Attached to: OpenSSL 1.0.2 Released

OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

We have GnuTLS which is only one year younger than OpenSSL, has a nicer API, is portable to Windows, has a better track record with regard to binary compatibility, a better build system, and can be used by commercial software (it’s LGPLv2.1). Comparison of features with other SSL libraries.

Comment: Re:lol, Java (Score 1) 79

by peppepz (#48873367) Attached to: Oracle Releases Massive Security Update

A large percentage works just fine even with holes, and with greater performance and less overhead.

You need benchmarks to prove such blanket statements. In my experience, Java code usually isn't far from C++ performance and it's actually faster when we're talking about high level "glue" code. It vastly outperforms C in string handling, because C's standard string routines are awful not only to the programmer, but to the processor, too. And then again, for maximum performance there's FORTRAN.

Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats).

Do you know any example of stack smashing, buffer overflows, invalid pointer dereference, malloc failures, code overwriting done by a program written in pure Java? They're the stuff that hackers love. They happen automatically in C: any code you write causes them by default, and you need to be very clever, to have complete information about the machine state after every instruction (which is usually impossible), to have platform-specific tool support (relro, noexecstack, ASLR, ...) in order to avoid or prevent them. In Java, they just don't happen, barring bugs in the JVM, which are akin to bugs in the runtime library of any compiled language of your choice. If this isn't an improvement...

It also doesn't help that java comes with a browser plugin that opens a complete runtime environment to drivebys. Microsoft abandoned activex for this reason.

To be honest, the runtime environment for applets was supposed to be restricted (it's not the same runtime environment that Java applications see). It's the same mechanism that post-HTML5 Javascript has, except that at least we can disable (or better delete) the awful Java plugin, while we can't do the same for the browsers' Javascript support.

Comment: Patriots (Score 1) 562

by peppepz (#48843167) Attached to: Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
So, who are those "patriots" in Silicon Valley supposedly willing to give him, again, the keys to all the personal information that they collect?

I can make a guess, by looking at the track record and the lobbying spending of the usual suspects, but still it would be more appropriate, in the name of transparency, to state explicitly whether the companies that we are entrusting with our personal information are a neutral third party or, instead, are patriots. So we can choose.

Comment: Re:unexpected deletion (Score 1) 329

by peppepz (#48837483) Attached to: Steam For Linux Bug Wipes Out All of a User's Files
If you were using coreutils in your nightmare, you would actually have no problem:
(guys, don't do this at home, your rm implementation could differ)
# rm -rf /
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe
# rm --version
rm (GNU coreutils) 8.23
You wouldn't enjoy such protection if you typed rm -rf /*, however.
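As an added illustration (not part of the comment above), here is a small POSIX sh guard that mimics the coreutils --preserve-root refusal for "/" and also covers the "/*" case the comment points out is unprotected: a shell expands "/*" into the direct children of "/", so the guard refuses any recursive run that names one of them. It only inspects the argument list and never calls rm; the function name rm_guard and the message wording are this example's own.

```shell
#!/bin/sh
# rm_guard [rm options...] path...
# Returns 0 when the argument list is acceptable, 1 when it names "/"
# or, together with a recursive flag, a top-level entry such as /usr
# (which is what "rm -rf /*" expands to). Does not remove anything.
rm_guard() {
    recursive=0
    for arg in "$@"; do
        case "$arg" in
            --recursive) recursive=1 ;;
            --*) ;;                 # other long options are ignored here
            -*[rR]*) recursive=1 ;; # short option cluster containing r or R
            -*) ;;                  # other short options are ignored here
            *)
                # Normalise: drop trailing slashes, but keep "/" itself.
                path=$arg
                while [ "$path" != "/" ] && [ "${path%/}" != "$path" ]; do
                    path=${path%/}
                done
                if [ "$path" = "/" ]; then
                    echo "rm_guard: refusing to operate on '/'" >&2
                    return 1
                fi
                if [ "$recursive" -eq 1 ]; then
                    case "$path" in
                        /*/*) ;;    # at least two levels deep: allowed
                        /*)         # direct child of "/": what "/*" expands to
                            echo "rm_guard: refusing recursive removal of top-level '$path'" >&2
                            return 1 ;;
                    esac
                fi
                ;;
        esac
    done
    return 0
}
```

Relative paths are not examined by this guard; it only models the absolute-path cases discussed in the comment.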

Comment: They took mah job! (Score 4, Insightful) 484

by peppepz (#48817621) Attached to: IEEE: New H-1B Bill Will "Help Destroy" US Tech Workforce
Seeing the slashdot crowd, which is pro-capitalism and laissez faire when it's the other people's source of income which is being put in jeopardy, suddenly start to scream in pain because of the fear of a modest reduction of their earnings, is priceless.

What did you say when shiny gadget manufacturer #1 announced that workers had better learn to "run against the robots"? And when shiny gadget manufacturer #2 exploited underage workers in dangerous sweatshops in China? I haven't read any comments about "unions turning the IT sector into another Detroit" on this page, but instead I now learn that government regulation is in "the true spirit of America, because it's against slavery". If selling stuff in Spain but paying taxes to the British Virgin Islands is not only morally acceptable, but even a duty, because it's in the interest of the investors, then why would hiring IT developers from abroad be any different?

Capitalism is about making money, and that's it. It's not a philosophy, it won't make your lives better by itself. And rightly so. It is a government's job to ensure that the interests of those making money proceed in harmony with the interests of a nation as a whole; to what extent is a matter of debate. When the government turns out as an expression of those with the most money (bi-partisan agreements...) rather than the choice of informed voters, we'd better learn to love the "invisible hand" and wait for its positive effects on the economy to trickle down on us.

Comment: Re:But (Score 1) 640

by peppepz (#48804831) Attached to: Microsoft Ends Mainstream Support For Windows 7
Change, however it happens, should make things easier. It's not the case for Windows 8 (and 8.1). I'll tell a random example: a friend of mine had her Internet Explorer links retargeted by an adware to point to an ugly search engine instead of her default home page. Fixing the desktop links was easy: right click / Properties. Fixing the Modern ones? Either it's impossible, or finding how it's done was too hard for me, so in the end I resorted to searching for .lnk files in desktop mode and changing them from there. Now that made me feel old...

Comment: Re:Makes sense. (Score 4, Interesting) 629

by peppepz (#48794311) Attached to: Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw
But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

In the same way, they could update the WebView as well (had they not put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.

In fact, IIRC the WebView can be updated through the market in the newer versions of Android.

Comment: Re:islam (Score 1) 1350

by peppepz (#48759071) Attached to: Gunmen Kill 12, Wound 7 At French Magazine HQ
The very same things can be said about Islamist terror. Ignorant people are being maneuvered by virtual caliphs who wish to become actual ones. Every human conflict in history can be reduced to a matter of "us vs them", with a "flag" motivation covering the real, always political, one.

I can't speak to Islam, but what I do know is that Christians who use violence to spread their views can not be considered Christians.

The Quran, too, prescribes tolerance towards Hebrews and Christians. And Christian holy scriptures contain incitements to violence, too:

Howbeit of the cities of these peoples, that the LORD thy God giveth thee for an inheritance, thou shalt save alive nothing that breatheth, but thou shalt utterly destroy them: the Hittite, and the Amorite, the Canaanite, and the Perizzite, the Hivite, and the Jebusite; as the LORD thy God hath commanded thee; that they teach you not to do after all their abominations, which they have done unto their gods, and so ye sin against the LORD your God.

Comment: Re: 503 (Score 1) 396

by peppepz (#48623611) Attached to: Google Proposes To Warn People About Non-SSL Web Sites
Google has a dominant position (among other places) in the browser market so site owners can't disregard their imposition. Saying that you can install other browsers would have been just like saying "you can install another OS" when Microsoft played leverage games with their near monopoly on the desktop back in the times. Plus, Chrome tends to end up installed on the PCs of many inexperienced users because of their policy of aggressive bundling. So one can expect that a relevant portion of his site's visitors will be using Chrome in the foreseeable future no matter what.

Comment: Re: Standard FBI followup (Score 1) 388

by peppepz (#48550973) Attached to: Man Caught Trying To Sell Plans For New Aircraft Carrier
That's because the law doesn't say "you can own guns full stop", it will say something like "you can own guns as specified by law", so lower-level laws can be passed to regulate the ownership of guns without violating the constitution. But no person or government agency can decide that you can't own a gun without having a law that backs their decision.

You are right in the fact that most constitutions, and probably that of the USA too, comprise some kind of exceptional procedures allowing the government to override the rule of law in the case of an emergency. I think that they're required in order to deal with those cases such as angry people with pitchforks burning down cities etc, something that still happened once in a while in the past century, but I don't expect those procedures to have been applied often nowadays.
