
Comment: Re:Open source code is open for everyone (Score 1) 154

by peppepz (#48918555) Attached to: Serious Network Function Vulnerability Found In Glibc
In fact, the bug had already been audited and fixed, almost two years ago, when the security researchers found a way to exploit it. From TFA:

We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18)

Current glibc release is 2.20. That's three releases without the bug already.

Nothing to see here, move along.

Comment: Re:libressl-2.1.3 (Score 5, Interesting) 96

by peppepz (#48897057) Attached to: OpenSSL 1.0.2 Released

OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

We have GnuTLS which is only one year younger than OpenSSL, has a nicer API, is portable to Windows, has a better track record with regard to binary compatibility, a better build system, and can be used by commercial software (it’s LGPLv2.1). Comparison of features with other SSL libraries.

Comment: Re:lol, Java (Score 1) 79

by peppepz (#48873367) Attached to: Oracle Releases Massive Security Update

A large percentage works just fine even with holes, and with greater performance and less overhead.

You need benchmarks to prove such blanket statements. In my experience, Java code usually isn't far from C++ performance and it's actually faster when we're talking about high level "glue" code. It vastly outperforms C in string handling, because C's standard string routines are awful not only to the programmer, but to the processor, too. And then again, for maximum performance there's FORTRAN.

Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats).

Do you know any example of stack smashing, buffer overflows, invalid pointer dereference, malloc failures, code overwriting done by a program written in pure Java? They're the stuff that hackers love. They happen automatically in C: any code you write causes them by default, and you need to be very clever, to have complete information about the machine state after every instruction (which is usually impossible), to have platform-specific tool support (relro, noexecstack, ASLR, ...) in order to avoid or prevent them. In Java, they just don't happen, barring bugs in the JVM, which are akin to bugs in the runtime library of any compiled language of your choice. If this isn't an improvement...

It also doesn't help that java comes with a browser plugin that opens a complete runtime environment to drivebys. Microsoft abandoned activex for this reason.

To be honest, the runtime environment for applets was supposed to be restricted (it's not the same runtime environment that Java applications see). It's the same mechanism that post-HTML5 Javascript has, except that at least we can disable (or better delete) the awful Java plugin, while we can't do the same for the browsers' Javascript support.

Comment: Patriots (Score 1) 562

by peppepz (#48843167) Attached to: Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
So, who are those "patriots" in Silicon Valley supposedly willing to give him, again, the keys to all the personal information that they collect?

I can make a guess, by looking at the track record and the lobbying spending of the usual suspects, but still it would be more appropriate, in the name of transparency, to state explicitly whether the companies that we are entrusting with our personal information are a neutral third party or, instead, are patriots. So we can choose.


Feds Operated Yet Another Secret Metadata Database Until 2013 102

Posted by timothy
from the problem-with-authority dept.
A story at Ars Technica describes yet another Federal database of logged call details maintained by the Federal government which has now come to light, this one maintained by the Department of Justice rather than the NSA, and explains how it came to be discovered: [A] three-page partially-redacted affidavit from a top Drug Enforcement Agency (DEA) official, which was filed Thursday, explained that the database was authorized under a particular federal drug trafficking statute. The law allows the government to use "administrative subpoenas" to obtain business records and other "tangible things." The affidavit does not specify which countries' records were included, but specifically does mention Iran. ... This database program appears to be wholly separate from the National Security Agency’s metadata program revealed by Edward Snowden, but it targets similar materials and is collected by a different agency. The Wall Street Journal, citing anonymous sources, reported Friday that this newly-revealed program began in the 1990s and was shut down in August 2013. From elsewhere in the article: "It’s now clear that multiple government agencies have tracked the calls that Americans make to their parents and relatives, friends, and business associates overseas, all without any suspicion of wrongdoing," [said ACLU lawyer Patrick Toomey]. "The DEA program shows yet again how strained and untenable legal theories have been used to secretly justify the surveillance of millions of innocent Americans using laws that were never written for that purpose."

Obama: Gov't Shouldn't Be Hampered By Encrypted Communications 562

Posted by timothy
from the some-animals-more-equal-than-others-by-jingo dept.
According to an article at The Wall Street Journal, President Obama has sided with British Prime Minister David Cameron in saying that police and government agencies should not be blocked by encryption from viewing the content of cellphone or online communications, making the pro-spying arguments everyone has come to expect: “If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem,” Obama said. He said he believes Silicon Valley companies also want to solve the problem. “They’re patriots.” ... The president on Friday argued there must be a technical way to keep information private, but ensure that police and spies can listen in when a court approves. The Clinton administration fought and lost a similar battle during the 1990s when it pushed for a “clipper chip” that would allow only the government to decrypt scrambled messages.

Comment: Re:unexpected deletion (Score 1) 329

by peppepz (#48837483) Attached to: Steam For Linux Bug Wipes Out All of a User's Files
If you were using coreutils in your nightmare, you would actually have no problem:
(guys, don't do this at home, your rm implementation could differ)
# rm -rf /
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe
# rm --version
rm (GNU coreutils) 8.23
You wouldn't enjoy such protection if you typed rm -rf /*, however.

Comment: They took mah job! (Score 4, Insightful) 482

by peppepz (#48817621) Attached to: IEEE: New H-1B Bill Will "Help Destroy" US Tech Workforce
Seeing the slashdot crowd, which is pro-capitalism and laissez faire when it's the other people's source of income which is being put in jeopardy, suddenly start to scream in pain because of the fear of a modest reduction of their earnings, is priceless.

What did you say when shiny gadget manufacturer #1 announced that workers had better learn to "run against the robots"? And when shiny gadget manufacturer #2 exploited underage workers in dangerous sweatshops in China? I haven't read any comments about "unions turning the IT sector into another Detroit" on this page, but instead I now learn that government regulation is in "the true spirit of America, because it's against slavery". If selling stuff in Spain but paying taxes to the British Virgin Islands is not only morally acceptable, but even a duty, because it's in the interest of the investors, then why would hiring IT developers from abroad be any different?

Capitalism is about making money, and that's it. It's not a philosophy, it won't make your lives better by itself. And rightly so. It is a government's job to ensure that the interests of those making money proceed in harmony with the interests of a nation as a whole; to which extent is a matter of debate. When the government turns out as an expression of those with the most money (bi-partisan agreements...) rather than the choice of informed voters, we'd better learn to love the "invisible hand" and wait for its positive effects on the economy to trickle down on us.

Comment: Re:But (Score 1) 639

by peppepz (#48804831) Attached to: Microsoft Ends Mainstream Support For Windows 7
Change, however it happens, should make things easier. It's not the case for Windows 8 (and 8.1). I'll tell a random example: a friend of mine had her Internet Explorer links retargeted by an adware to point to an ugly search engine instead of her default home page. Fixing the desktop links was easy: right click / Properties. Fixing the Modern ones? Either it's impossible, or finding how it's done was too hard for me, so in the end I resorted to searching for .lnk files in desktop mode and changing them from there. Now that made me feel old...

Comment: Re:Makes sense. (Score 4, Interesting) 629

by peppepz (#48794311) Attached to: Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw
But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approving and testing the changes.

In the same way, they could update the WebView as well (had they not put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.

In fact, IIRC the WebView can be updated through the market in the newer versions of Android.


Sloppy File Permissions Make Red Star OS Vulnerable 105

Posted by Soulskill
from the helps-to-feed-your-developers dept.
An anonymous reader writes: Red Star OS Desktop 3.0, the official Linux distro of North Korea, which recently found its way onto torrents and various download sites in the form of an ISO image, is interesting for a number of reasons, including its attempt to look like commercial operating systems (currently OS X, earlier versions mimicked the Windows GUI). Hackers are also poking Red Star for security vulnerabilities. A pseudonymous researcher noted in a post to the Open Source Software Security (oss-sec) mailing list that the OS has one significant security hole: Red Star 3.0 ships with a world-writable udev rule file /etc/udev/rules.d/85-hplj10xx.rules (originally designed for HP LaserJet 1000 series printers) which can be modified to include RUN+= arguments executing arbitrary commands as root by Udev. In the post he also mentions how the older Red Star 2.0 shipped with another schoolboy mistake: /etc/rc.d/rc.sysinit was world-writable.
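The weakness in the story above is a file permission, not a code bug, so the useful check is an audit for world-writable files in directories that privileged daemons read from. The script below is an added example, not part of the Slashdot story and not code from Red Star OS or the oss-sec post; it builds a constructed temporary tree containing one 0666 rule file and one correctly permissioned file (the file names, contents and the helper names audit_world_writable and demo_tree are all assumptions for the demo), and the audit function reports any regular file whose "other" write bit is set.

```shell
#!/bin/sh
# Added example (not from the Slashdot story or Red Star OS): audit a directory
# tree for world-writable regular files, the misconfiguration class the story
# describes (a 0666 udev rule file that a root-run daemon reads and acts on).
#
# audit_world_writable DIR
#   prints each offending path, one per line; returns 1 if any were found,
#   0 if the tree is clean.
audit_world_writable() {
    dir="$1"
    # -perm -002 matches files with the "other" write bit set, whatever the
    # remaining mode bits are (POSIX find syntax, so it is portable).
    found=$(find "$dir" -type f -perm -002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# demo_tree
#   builds a constructed sample tree in a temp directory and prints its path.
#   Assumes mktemp(1) and chmod(1) are available.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/rules.d"
    # Constructed rule file with the sloppy permission (anyone may edit it).
    printf 'ACTION=="add", RUN+="/bin/true"\n' > "$t/rules.d/85-example.rules"
    chmod 0666 "$t/rules.d/85-example.rules"
    # Constructed rule file with the expected permission (root-owned, 0644).
    printf 'ACTION=="add"\n' > "$t/rules.d/90-ok.rules"
    chmod 0644 "$t/rules.d/90-ok.rules"
    printf '%s\n' "$t"
}

# Stand-alone run: build the demo tree, audit it, then fix the file and re-audit.
if [ "${DEMO_RUN:-1}" = "1" ] && [ -z "$SOURCED" ]; then
    :  # guard kept simple; set SOURCED=1 to skip when sourcing this file
fi
```

On a real system the same function can be pointed at /etc/udev/rules.d, /etc/rc.d or /etc/cron.d; anything it prints from those directories is a file that an unprivileged local user can edit and that a root process will later read, and the fix is the same chmod 0644 shown in the demo.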

SpaceX Rocket Launch Succeeds, But Landing Test Doesn't 213

Posted by Soulskill
from the better-luck-next-time dept.
New submitter 0x2A writes: A Falcon 9 rocket built by SpaceX successfully launched a Dragon cargo ship toward the International Space Station early Saturday, and then returned to Earth, apparently impacting its target ocean platform during a landing test in the Atlantic.

"Rocket made it to drone spaceport ship, but landed hard. Close, but no cigar this time. Bodes well for the future tho," Elon Musk tweeted shortly after the launch. He added that they didn't get good video of the landing attempt, so they'll be piecing it together using telemetry and debris. "Ship itself is fine. Some of the support equipment on the deck will need to be replaced."

Comment: Re:islam (Score 1) 1350

by peppepz (#48759071) Attached to: Gunmen Kill 12, Wound 7 At French Magazine HQ
The very same things can be said about Islamist terror. Ignorant people are being maneuvered by virtual caliphs who wish to become actual ones. Every human conflict in history can be reduced to a matter of "us vs them", with a "flag" motivation covering the real, always political, one.

I can't speak to Islam, but what I do know is that Christians who use violence to spread their views cannot be considered Christians.

The Quran, too, prescribes tolerance towards Hebrews and Christians. And Christian holy scriptures contain incitements to violence, too:

Howbeit of the cities of these peoples, that the LORD thy God giveth thee for an inheritance, thou shalt save alive nothing that breatheth, but thou shalt utterly destroy them: the Hittite, and the Amorite, the Canaanite, and the Perizzite, the Hivite, and the Jebusite; as the LORD thy God hath commanded thee; that they teach you not to do after all their abominations, which they have done unto their gods, and so ye sin against the LORD your God.
