Comment: Re:Or.. (Score 1) 340

by Just Some Guy (#46815795) Attached to: Not Just a Cleanup Any More: LibreSSL Project Announced

But their "JUST an OpenBSD implementation"s seem to be imminently portable to other platforms with minimal work. See OpenSSH as perhaps the shining example of this. If I were porting code to a new platform, I'd rather start with something from the OpenBSD guys than just about anyone else. That's why I donated to the project this morning.

Comment: Re:"Web 2.0" is a decade old now (Score 1) 55

by Just Some Guy (#46789491) Attached to: The Internet of Things and Humans

When I step on my scale, it tells me if I need to carry an umbrella today (based on the weather forecast it downloaded). Then it sends my weight etc. to my iPhone where it's merged with information from my fitness wristband and my diet tracker. Based on that, I get suggestions like "you've been going to bed a little later than usual. You should catch up." or "drink more water today" or "try to walk this much further than you did yesterday".

I think that's not so shabby.

Comment: Next up: customer notification (Score 1) 188

by Just Some Guy (#46788513) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

One thing I haven't heard discussed is whether affected companies should be notifying their end users about whether they were affected and when it was fixed. I haven't heard from my bank, for example. Were they ever vulnerable? Should I update my password? If they were vulnerable, is it fixed now, or would I just be handing an attacker my new password if I were to reset it today?

I wrote up a proposal called Heartbleed headers for communicating this information to site visitors. While I'd like it if everyone picked my idea as the new standard way for doing this, I just wish admins would start using something. We're so close to having a browser plugin be able to tell you "you need to update your password on this site" as you browse. How nice would that be?

Comment: Re:Nonsense (Score 1) 293

by Just Some Guy (#46781275) Attached to: Ask Slashdot: System Administrator Vs Change Advisory Board

So... the business made a stupid decision, and when they realised the error of their ways, rather than trying to reach agreement on the best way forward, you delighted in rubbing their noses in it, using processes designed to protect you to hurt your employing organization instead.

One of the most important pieces of career advice I've received is to make sure that people who cause pain feel the pain. It is not my job to be a whipping boy who suffers for every bad decision I tried to warn someone about. If management insists that I do something really goofy, then they should not be spared from the consequences of their plans. Insulating them only enables them to keep making bad choices and inflicting them on codependent organizations.

You say "rubbing their nose in it". I say "making sure decision makers understand the results of those decisions".

Comment: Re:RAID? (Score 2) 256

by Just Some Guy (#46780513) Attached to: SSD-HDD Price Gap Won't Go Away Anytime Soon

From a review of the Samsung 840 EVO 1TB SSD I just stuck in my MacBook Pro:

  • Sequential READ: up to 540 MB/s
  • Sequential WRITE: up to 520 MB/s
  • Random READ: up to 98,000 IOPS
  • Random WRITE: up to 90,000 IOPS

From the same site reviewing a WD Black 4TB HDD:

Performance from the WD Black scaled from 66 IOPS at 2T/2Q to 86 IOPS at 16T/16Q, versus the 7K4000 which scaled from 82 IOPS to 102 IOPS.

So assuming IOPS scales linearly with heads (they don't), you'd need about 1,000 heads to get similar random access performance out of HDDs as one SSD.

There's a reason everyone's migrating to SSDs for anything remotely IO related.
Code Quality: Open Source vs. Proprietary 133

Posted by Soulskill
from the put-your-money-where-your-code-is dept.
just_another_sean sends this followup to yesterday's discussion about the quality of open source code compared to proprietary code. Every year, Coverity scans large quantities of code and evaluates it for defects. They've just released their latest report, and the findings were good news for open source. From the article: "The report details the analysis of 750 million lines of open source software code through the Coverity Scan service and commercial usage of the Coverity Development Testing Platform, the largest sample size that the report has studied to date. A few key points: Open source code quality surpasses proprietary code quality in C/C++ projects. Linux continues to be a benchmark for open source quality. C/C++ developers fixed more high-impact defects. Analysis found that developers contributing to open source Java projects are not fixing as many high-impact defects as developers contributing to open source C/C++ projects."

Comment: Re:Rewarding the bullies... (Score 1) 797

I'm not saying this is the "right" or "best" solution, but...

I taught my son to punch hard and aim for the nose: "if you miss, you'll get his mouth or cheek or eye and it'll still hurt". I also explained that if the bully hit, slapped, tripped, or otherwise battered him, my son was to lay him out. "What if I get in trouble?", he asked. "You let me handle that part", I replied. We had to play-act it a few times because my boy kept wanting to say something first, like "if you touch me again I'll hit you in the nose!" No. You've already warned him before and he kept it up. Don't talk: act.

Cut to a week later when the teacher was waiting for me when I went to get my son from school. "He hit another kid today." "Was it so-and-so?" "Yes." "Good. I told him to." The teacher looked around, leaned in and confessed: "someone needed to belt that little asshole."

The bullying ended that day. My boy stopped coming home with torn clothes, scratches, and bruises. My son got an enormous confidence boost and hasn't had a problem with other little thugs since then.

Violence is not the solution to all problems, but damned if it can't fix some.

Comment: Re:for a library... (Score 1) 446

by Just Some Guy (#46721911) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

... so much of the internet depends on for security, just one reviewer for a commit seems way way way too little. Honestly, checking anything into OpenSSL (or GnuTLS) should be at least a 4-step approval process (submitter -> maintainer for that area -> overall library maintainer -> security officer); for any code that includes buffers/malloc, especially if related to user-supplied data, the final security review should be a panel.

Plus three extra steps: compiles without warnings, passes Valgrind, and makes it through an intensive test suite.

Comment: Tell your users, too! (Score 1) 239

by Just Some Guy (#46711003) Attached to: Heartbleed OpenSSL Vulnerability: A Technical Remediation

Follow the proposed specification at to tell your users when you've patched your servers. This eliminates the guessing: "is it OK to update my password now? Do I even need to? Can I trust that I'm not being MITMed with their old SSL key that an attacker stole?" It's bad enough using the tools at hand to detect that information from a single site, let alone the hundreds you might have in your password manager.

Comment: Re:what the hell? (Score 1) 353

"Obviously, the first performance enhancement you do on any computer you own is max out the RAM"

I don't think it's that unreasonable. My MacBook has two RAM slots. 8GB of RAM from Newegg is about $80 and 16GB is about $150. Given that you can't start with 8 and then later add more - you have to replace what's already there - I tend to go with 16GB right from the start. If it saves me an hour of grief over the course of the three years I'll be using it, then it's more than paid for itself.

Comment: Re:Max RAM? (Score 1) 353

16GB is basically video editing only.

...or programming, like a huge chunk of the Slashdot community. A text editor and a few terminal windows don't chew through RAM, granted, but I've never had so much memory that a compiler didn't wish it had more. I'm also running a lot of local daemons (RabbitMQ, Cassandra, Mongo, Redis, etc.) so that I can run a full test suite without Internet access and all of those want their pound of flesh.

My company laptop has 8GB of RAM. The fact that swap is on an SSD is the only thing that makes it a comfortable development environment.

Comment: Re:Risk versus certainty (Score 2) 402

There is a difference between a risky endeavour and certain death.

Not really. There are some fields of endeavor that are incredibly, inherently, irreducibly dangerous. Space travel is one of them. There's not much of a gap between, say, a 25% chance of fiery or icy death and a 100% one. It's certainly not the same as the difference between driving to work and taking flight in a space shuttle.

Instinctively, we accept risk of death when the reward justifies it. Being a successful astronaut is rewarding - in terms of prestige if nothing else.

Have you ever listened to an astronaut? To a person, they'd all return to space in a heartbeat if asked. Their motivations have very little to do with personal prestige - they just want to return to the stars.

A compelling scientific mission that will add to human knowledge is arguably more rewarding for civilization, but not for the individual who dies, and the reward is too abstract for our instinctive response.

There's no place for instinctive response here. My instincts are that climbing into a tin foil capsule on top of a fuel tank filled with 5 million pounds of kerosene and LOX is insane. And yet people have worked out the risk-reward calculations and decided that hey, this is a good thing we should do.

Plus it's not obvious that there is a lot that live astronauts can do that robots can't.

Well, other than collect data on the effects of deep space travel on human physiology, and the ever-present "anything a robot hasn't been specifically designed to do".

Simply 'being first' will not be a compelling reason for others to enable suicide, or be left to watch it helplessly from a distance.

Then use any of the other millions of reasons why human space travel is something we need to start figuring out and practicing.

Comment: Ethics? Bullshit. (Score 4, Insightful) 402

The hell you can't. What that's saying is "we refuse to honor the wishes of educated, rational adults to make decisions we wouldn't". I guarantee that all of the Mercury astronauts knew there was a good chance they were going to die during each mission. They knew the failure modes, the risks, the potential ways they might get splattered across our planet in fiery ashes. And they still wanted to go! I cannot understand how it could possibly be unethical to explain the dangers and still give candidates the right to say, "yeah, I know I'm not coming back. For personal pride, for adventure, for my country, and for humanity I choose to go anyway. Now step aside and light this candle."
