Comment: Re:Metaphor (Score 1) 234

by rabtech (#46790069) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

While you are technically correct, the reality is that the most serious security vulnerabilities are almost all directly related to buffer overruns (on read or write), allowing an attacker to read or write arbitrary memory. Everything else is a second-class citizen by comparison; denying service by causing Apache to repeatedly crash is far lower priority than compromising all traffic and stealing credentials.

So when we look at that class of serious problems, we find that managed memory languages completely eliminate them.

Relying on people to "just drive better" is an automatic failure. We design everything from signs/road markings to cars themselves around the idea that relying on humans to be perfect is pure idiocy, so we need to create affordances that lower cognitive load, along with automatic systems that attempt to avoid collisions and mitigate their consequences when they occur.

Similarly, just relying on programmers to never make mistakes is guaranteed to lead to more exploits like Heartbleed. It's pure stupidity.

If OpenSSL were written in Rust or C#, it wouldn't be quite as fast, but we wouldn't be looking at years of government spies completely negating SSL, forcing all webservers on the *entire* internet to replace their SSL keys, instantly obsoleting hardware that can't be upgraded, exposing users' data (including login credentials) to attackers thus requiring EVERY FUCKING USER ON THE INTERNET TO CHANGE THEIR PASSWORDS.

Was the tiny performance benefit worth what we have now paid for it?

Of course we're going to continue using C and getting burned over and over and over. Who needs air bags? Just drive better.

Comment: Yet again C bites us in the ass (Score 4, Insightful) 303

by rabtech (#46690135) Attached to: OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

Yet again, C's non-existent bounds checking and completely unprotected memory access lets an attacker compromise the system with data.

But hey, it's faster.

Despite car companies complaining loudly that if people just drove better there would be no accidents, laws were eventually changed to require seatbelts and airbags because humans are humans and accidents are inevitable.

Because C makes it trivially easy to stomp all over memory we are guaranteed that even the best programmers using the best practices and tools will still churn out the occasional buffer overflow, information disclosure, stack smash, etc.

Only the smallest core of the OS should use unmanaged code with direct memory access. Everything else, including the vast majority of the kernel, all drivers, all libraries, all user programs should use managed memory. Singularity proved that was perfectly workable. I don't care if the language is C#, Rust, or whatever else. How many more times do we have to get burned before we make the move?

As long as all our personal information relies on really smart people who never make mistakes, we're doomed.
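The missing-length-check pattern the two comments above complain about, as an added example that is not rabtech's code and not OpenSSL's: a constructed record format (1-byte type, 2-byte big-endian length, payload; an assumed layout, not the real TLS heartbeat encoding), with the unchecked copy shown beside the hardened parser that bounds the declared length by the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (an assumption for this example, not the real
 * TLS heartbeat layout): 1 byte type, 2-byte big-endian length, payload. */
#define HDR_LEN 3
#define RC_OK 0
#define RC_BAD_LEN -1

static size_t declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The Heartbleed shape: the payload length comes from the peer and is never
 * compared with the number of bytes actually received, so memcpy walks past
 * the end of the record into whatever else sits in memory. Shown only for
 * contrast; nothing in this example calls it. */
size_t echo_unchecked(const uint8_t *rec, uint8_t *out) {
    size_t n = declared_len(rec);
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Hardened form: every length is validated against the bytes we really hold
 * (and against the destination capacity) before it becomes a copy count. */
int echo_checked(const uint8_t *rec, size_t rec_len,
                 uint8_t *out, size_t out_cap, size_t *written) {
    if (rec == NULL || out == NULL || written == NULL) return RC_BAD_LEN;
    if (rec_len < HDR_LEN) return RC_BAD_LEN;      /* truncated header */
    size_t n = declared_len(rec);
    if (n > rec_len - HDR_LEN) return RC_BAD_LEN;  /* claim exceeds record */
    if (n > out_cap) return RC_BAD_LEN;            /* would overflow output */
    memcpy(out, rec + HDR_LEN, n);
    *written = n;
    return RC_OK;
}

int main(void) {
    uint8_t out[64];
    size_t n = 0;
    /* Constructed honest record: declares 4 bytes and carries 4 bytes. */
    const uint8_t good[] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    /* Constructed malformed record: declares 65535 bytes but carries 4. */
    const uint8_t bad[] = {0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};

    if (echo_checked(good, sizeof good, out, sizeof out, &n) == RC_OK)
        printf("accepted %zu-byte payload\n", n);
    if (echo_checked(bad, sizeof bad, out, sizeof out, &n) != RC_OK)
        printf("rejected record whose declared length exceeds its size\n");
    return 0;
}
```

A memory-safe language would refuse the over-read in echo_unchecked at runtime; in C the only defence is the explicit comparison in echo_checked.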

Comment: Let's get some clarity here (Score 2) 564

by rabtech (#46672035) Attached to: Was Eich a Threat To Mozilla's $1B Google "Trust Fund"?

Eich was not fired. He chose to resign. Maybe he did so because he cares about the foundation and didn't want to be a distraction. Maybe he was told he'd better resign or they would lose their funding and have to lay everyone off. We don't know, but the insinuations of the original story are out of line for implying so. The truth is we just don't know.

This isn't some free speech issue or some form of inquisition trying to purge the unbelievers.

Eich chose to wade into a controversial issue by making political donations (after all, a conservative majority of SCOTUS claims money == speech). Those "free speech" statements offended a bunch of people and he chose to resign rather than drag the non-profit Mozilla foundation through an ordeal over it.

Anyone in a leadership position is certainly free to make any statements or support any political cause they want. Employees, customers/donors, etc are also free to loudly complain or refuse to associate with the organization if they disagree. That comes with the territory. We wouldn't give Eich a pass if he were sending checks to neo-Nazi organizations. A leader always takes a risk that they'll piss people off by taking a stance. He was CTO of Mozilla at the time, he knew what the consequences could be and made the donation anyway.

A few decades ago it was accepted that blacks and whites shouldn't intermarry. Even some people who campaigned for civil rights still held such a view. If Eich were donating to a group promoting a constitutional amendment to outlaw interracial marriages almost none of you would be wringing your hands over free speech. Everyone would laugh at him for being a dumbass and move on with their lives.

Freedom of speech is not freedom from consequences. Even if someone faces no official sanctions for speaking out, they can certainly be excluded socially, even to the point of being driven out of the organization. That's how human group dynamics have always worked since we were grunting at each other and throwing pointy sticks.

Furthermore, technology has always been intertwined with personalities, politics, and the like. Only very rarely is it always 100% about the pure technology. You can write the best code in the world but if you can't play nice with others you run the risk of your code languishing in obscurity.

Social norms are changing; you can change with them, you can keep your mouth shut about it, or you can fight for the status quo. Each of those courses of action has risk associated with them. Eich chose to fight for the status quo, then chose to stick by his guns when it pissed a lot of people off, including a lot of the very people his organization depends on to contribute money and code from their own good will! That has consequences and it always has.

Comment: Just pointing out that Linus is usually fair (Score 5, Insightful) 641

by rabtech (#46661673) Attached to: Linus Torvalds Suspends Key Linux Developer

Linus is generally fair from what I can tell, and does not except himself from criticism. In that very thread:

Yeah, what Andrew said. My suggestion of per-task or per-cred is
obviously moronic in comparison.

Linus "hangs head in shame" Torvalds

Someone proposed a better idea and Linus immediately admits his idea was worse and moves on. That was also one of Steve Jobs' greatest talents, even though it's in a completely different sphere. He originally said "no" to iPods for Windows and the iOS app store. People presented their case and he changed his mind.

We should all be so willing to admit when someone else has a better idea or we were wrong.

Comment: Re:Contradictory news (Score 4, Insightful) 230

by rabtech (#46609629) Attached to: Geologists Warned of Washington State Mudslides For Decades

So, if someone said to you, "your house is likely to catch fire in the future", and then your house caught fire 15 years later, you'd be thinking "damnit! I was warned this would happen, I should have listened to that guy 15 years ago and moved"??

If that person said it would catch fire in the future because of faulty wiring (or something else) then I'd fix the wiring.

Ah, the arguments of the willfully ignorant. I wish I were still a conservative. No nuances, no questions. Everything had a trite simple answer.

Reality does not so neatly fit into a box.

House fires happen rapidly. They are also largely preventable. And even though one person's house fire may be a tragedy, pouring water on it puts out the fire. (Remember kids: the fire department exists to prevent your house fire from burning down the rest of the city, not to save your house)

Mudslides, like earthquakes, are triggered by complex conditions that are not knowable by humans in advance (with any degree of certainty). They also cannot be prevented or controlled. There is no "Mudslide Department" because there is no response. By the time you find out about it, the mudslide is over and the damage is done.

This case is very simple to explain: no one wants to be the person who "wastes" taxpayer dollars buying out homeowners and tearing down houses when the potential disaster can strike anywhere between tomorrow and 50 years from now. So county officials, housing developers, and maybe to some degree homeowners all chose to ignore the report and get on with their lives. That works great, right up until the moment when everyone died.

Comment: Re:Nope (Score 1) 117

by rabtech (#46557531) Attached to: One Billion Android Devices Open To Privilege Escalation

That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like. Apps can only ask for normal permissions that the OS offers, not bypass security or the sandbox. It's basically a UI issue.

Correct. The huge, gaping security flaw with Android is the same one that afflicted ActiveX in Internet Explorer: Assuming that the majority of users
a) have a clue what any of the permissions actually mean
b) can trust the app not to abuse the permissions it has (or contain flaws that allow it to be hijacked)

The reality is that 100% (rounding up from normal people to geeks) of people simply tap accept, click OK, etc and move on with their lives. Those annoying dialogs are just how you use phones/computers. They've learned if they choose Cancel they don't get the game/app they wanted, so the correct course of action is to always accept.

Any security decision that relies on users to take the correct course of action is an automatic failure. If making the wrong choice results in being pwned, having a $10/mo premium SMS subscription added to your bill, etc then the system is badly designed and broken.

Comment: People are missing the point (Score 5, Insightful) 231

by rabtech (#46401027) Attached to: Teaching Calculus To 5-Year-Olds

The article didn't make this terribly clear, but people seem to be missing the point.

If you teach the concepts through hands-on interactive play, kids as young as five can understand the concepts underlying Calculus without too much difficulty. This also happens to be one of the best times in your life for learning, when the brain is rapidly forming new connections.

Her point is teach the concepts, teach the patterns, teach kids how to find patterns, and how to internalize mathematical knowledge.

The mechanical drudgery of formal language, writing out and solving equations, etc comes later on but builds on the fundamental understanding developed much earlier in life.

Comment: Not a new thing (Score 1) 72

by rabtech (#46340699) Attached to: New iOS Keylogging Vulnerability Discovered

There have always been holes in the App Store and sometimes you can sneak things through.

The difference is if you try such things and your app becomes even remotely popular, Apple can pull your app and even your developer account, so the actual window where your fraud or evil tricks can result in some kind of gain is very small.

I'm not sure why people constantly fail to recognize this.

Similarly with the SSL flaw... Apple pushes iOS updates in a way Android users can only dream of; within a month more than 90% of all iOS devices still in use will have the patch applied. Compare that with the web view remotely exploitable hole just revealed for Android... at least half of all Android devices will still have that hole a year from now!

So in theory yes, Apple is just the same as everyone else. In reality, the actual user experience will be quite different.

Comment: Seems reasonable? (Score 2) 266

by rabtech (#45905741) Attached to: UK Benefits System In Deeper Trouble?

I may be misunderstanding, but it appears that the existing contractors are using old-school waterfall. Gee, government contractors using a heavily-specs-oriented approach, when has that gone wrong?

The new idea seems to be having a team of smaller players use an agile approach to deliver the real system.

Any time you can get a group of smaller developers doing rapid iterations with the government it's a miracle... It is also vastly more likely to deliver something decent and on-budget.

Anytime I see HP, IBM, Agilent, et al winning a contract for some government system I automatically assume it will be an epic fail.

Comment: Repeat After Me! (Score 3, Insightful) 684

by rabtech (#45879387) Attached to: Polar Vortex Sends Life-Threatening Freeze To US

Repeat After Me: No single weather event can be said to be proof or refutation of Global Climate Change.

All Global Climate Change says is that as the *average* global temperature increases the traditional weather patterns we have become accustomed to will change in unpredictable ways. Some areas may see colder winters, others warmer. Some areas will see increased rain, others will become deserts. In fact some places may have hotter, drier summers yet colder wetter winters. The problems come from the fact that we've put farms and cities in certain locations with the expectation that the weather would be stable over the long term.

You can't say any one hurricane is proof of global climate change any more than you can say any one cold winter refutes global climate change.

Comment: Re:Why morons are so prevalent in scientific circl (Score 1) 366

by rabtech (#45875333) Attached to: Why a Cure For Cancer Is So Elusive

Oh, cancer is an evolutionary compromise of multi-cellular life? Yeah, right. It's a product of mutation, but it runs counter to reproductive fitness, and it's not like our bodies don't have immune systems which reject other foreign (differently mutated) cells, so, Checkmate, moron.

A lot of crackpottery going on around here...

Anyway, evolution may certainly favor cancer-susceptibility for any number of reasons. A mutation that makes you more fit to produce young during your own relative youth could trigger an increase in cancers later.

The more likely explanation is that most people have historically died of something other than cancer and long after they produced their offspring, making cancer a complete non-entity as far as evolutionary fitness goes. We simply haven't lived in a way that makes anti-cancer (or anti-obesity or anti-heart-disease) a factor for near long enough to have evolution drive us in that direction.

Yes, naked mole rats don't tend to get cancer but that's literally one in a million. The vast majority of species are perfectly susceptible to it, they just don't live long enough in the wild for the issue to pop up.

Comment: Re:Both Science and Nature? (Score 5, Interesting) 84

by rabtech (#45750547) Attached to: Researchers Crack Major HIV Mystery

If you don't publish papers, you don't get funding. Sucks, but that's what we get for budget cut after budget cut, tax cut, after tax cut.

The big question appears to be if the latent infected cells can clear or deactivate HIV, or if they'll happily activate, travel to the site of an infection of some other kind, then start spewing HIV everywhere.

This process is basically cells realizing they are being infected (virus) or eaten (bacteria) by a foreign organism, and responding by killing themselves and spewing massive amounts of chemicals that alert the immune system to the problem. Normally, this recruits other immune cells to the site and is probably the right strategy 99% of the time. The problem is when the infected cells are immune cells themselves: their death just recruits more immune cells to an area with a higher chance of picking up HIV. What they found was that the body's stockpile of immune cells in the spleen, etc (normally dormant, awaiting an infection) get infected by HIV, but don't replicate the virus due to being inactive; however, they are active enough to sense the virus in their DNA and kill themselves before repair mechanisms can remove or deactivate the virus genes.

The drug mentioned apparently shuts down or reduces this pathway, opening you up to a higher risk of bacterial infection but slowing or stopping the massive die-off of immune cells (assuming they are able to clean themselves up).

Comment: Re:Excellent question (Score 5, Interesting) 321

by rabtech (#45652571) Attached to: Ask Slashdot: Practical Bitrot Detection For Backups?

Bitrot is a myth in modern times. Floppies and cheap-ass tape drives from the 90s had this problem, but anything reasonably modern (GMR) will read what you wrote until mechanical failure.

This isn't just wrong, it's laughably wrong. ZFS has proven that a wide variety of chipset bugs, firmware bugs, actual mechanical failure, etc are still present and actively corrupting our data. It applies to HDDs and flash. Worse, this corruption in most cases appears randomly over time so your proposal to verify the written data immediately is useless.

Prior to the widespread deployment of this new generation of check-summing filesystems, I made the same faulty assumption you made: that data isn't subject to bit rot and will reproduce what was written.

ZFS or BTRFS will disabuse you of these notions very quickly. (Be sure to turn on idle scrubbing).

It also appears that the error rate is roughly constant but storage densities are increasing, so the bit errors per GB stored per month are increasing as well.

Microsoft needs to move ReFS down to consumer products ASAP. BTRFS needs to become the Linux default FS. Apple needs to get with the program already and adopt a modern filesystem.
