Comment: Re:I'm Using C++ (Score 4, Informative) 393

by toejam13 (#48645559) Attached to: Ask Slashdot: Is an Open Source .NET Up To the Job?

The C standard library provides an API to all your system resources.

The C standard library (libC) provides a very basic API to some of your system resources. You have to include a large number of other libraries in order to obtain a feature set similar to the Java and .NET frameworks.

And in addition to the IO, thread and math limitations that the AC above touches on, there are several other major problems facing the core C libraries: wchar support, qword support, socket support and overflow safe functions. There has been significant balkanization between the BSD, GNU and Microsoft camps on these topics, making cross platform development difficult. I've written a lot of wrapper code over the years dealing with the issue.

The nice part about the Java and .NET frameworks is that they eliminate most of the problems I mentioned and several of the issues the AC brought up.

But I do still find the C libraries, Java framework and .NET framework all lacking. They're good for about 80% of all cases, but I seem to find myself thumping on the native APIs far more than I thought I should. I'm really annoyed at how often I find myself using PInvoke under C#.

My hope is that with the Core .NET moving off to the open source camp, maybe Microsoft can start focusing on adding C# bindings for the rest of WinAPI. The day I can write code without having to use a PInvoke is the day I'll stop writing C/C++ code.

Comment: Re:Stupid (Score 1) 394

by toejam13 (#48631801) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

This is a dumb idea. A very dumb idea. Since we're assuming MITM, what happens when I inject javascript into the page? Even assuming the browser prevents me from leaking the PROT header, I can still have it make arbitrary requests using your session.

Encrypting the content length header and adding an encrypted checksum (or cryptographic hash) of the payload would help detect JS injections, URL rewrites or other forms of malicious modification. Marking your user session cookie as HttpOnly should also help sandbox it from JS hijacking.

What happens when I just block the original response, pretend your session died, and serve up a bogus login page that gives me your credentials?

Introducing a new URL protocol for HTTP-Mixed could help prevent that. It would indicate that HTTP header encryption was a requirement and that the client refuses to proceed without it. So when the user hits refresh on their client after an hour, your bogus site would then need a counterfeit certificate in order to survive the PROT ClientSSL <-> PROT ServerSSL challenge.

The best way to deploy such a system would be to use HTTPS for your site's landing page. If the client's browser supports HTTPM, you could step down to it for pages deeper in your site. Otherwise, stick with HTTPS.

In some ways, HTTPM would be analogous to FTPES in the FTP/FTPS world. FTPS clients know to issue an AUTH TLS command shortly after starting an FTPES connection and refuse to continue if an FTP-503 Unsupported server response or a failed TLS handshake occurs.
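As an added example, not part of the comment above or of any real protocol, here is a toy of the integrity check the post sketches: the server binds the Content-Length header and the response body under a keyed MAC so that a client can detect script injection or URL rewriting in an otherwise unencrypted, cacheable response, and it marks the session cookie HttpOnly. The key, the header name X-Integrity and the HTTP messages are constructed for illustration; a real scheme would negotiate the key per session and use an AEAD or TLS for confidentiality.

```python
"""
Added example (not from the Slashdot comment): a keyed integrity tag over the
Content-Length header and the body of an unencrypted HTTP response, plus an
HttpOnly session cookie. All keys, header names and messages are constructed.
"""
import base64
import hashlib
import hmac

# Assumed to come from the session negotiation the post describes; constructed here.
SESSION_KEY = b"constructed-per-session-key"


def integrity_tag(key, content_length, body):
    """HMAC-SHA256 over the declared length and the body, base64 for the header."""
    msg = b"content-length=%d\n" % content_length + body
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def build_response(key, body, session_id):
    """Server side: declare the length, set an HttpOnly cookie, attach the tag."""
    headers = [
        ("Content-Type", "text/html"),
        ("Content-Length", str(len(body))),
        ("Set-Cookie", "session=%s; HttpOnly; SameSite=Lax" % session_id),
        ("X-Integrity", integrity_tag(key, len(body), body)),
    ]
    return headers, body


def verify_response(key, headers, body):
    """Client side: recompute the tag; reject on any mismatch or missing field."""
    h = {name.lower(): value for name, value in headers}
    try:
        declared = int(h["content-length"])
    except (KeyError, ValueError):
        return False
    if declared != len(body):
        return False
    expected = integrity_tag(key, declared, body)
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, h.get("x-integrity", ""))


def tamper_inject_script(headers, body):
    """Simulate an in-path modification: add a script tag and fix up the length.
    The injected URL is a placeholder under the reserved .invalid TLD."""
    new_body = body.replace(
        b"</body>", b'<script src="//example.invalid/x.js"></script></body>')
    new_headers = [(n, str(len(new_body)) if n == "Content-Length" else v)
                   for n, v in headers]
    return new_headers, new_body


def cookie_is_httponly(headers):
    """True if every Set-Cookie header carries the HttpOnly attribute."""
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    return bool(cookies) and all("httponly" in v.lower() for v in cookies)


if __name__ == "__main__":
    page = b"<html><body><h1>hello</h1></body></html>"  # constructed sample page
    hdrs, body = build_response(SESSION_KEY, page, "s1")
    print("original verifies:", verify_response(SESSION_KEY, hdrs, body))
    bad_hdrs, bad_body = tamper_inject_script(hdrs, body)
    # The length was fixed up by the tamperer, so only the MAC catches it.
    print("tampered verifies:", verify_response(SESSION_KEY, bad_hdrs, bad_body))
```

Note that the tamperer updates Content-Length to match the modified body, so a plain length check passes; only the keyed tag, which the in-path party cannot recompute without the session key, rejects the response.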

Comment: Re:Stupid (Score 1) 394

by toejam13 (#48626723) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Utilizing a client IP address as a means of identification is highly unreliable unless that client is on the same network as you. Proxy servers, cache servers and NAT devices can masquerade multiple devices under a singular IP address. Worse, some organizations load-balance outbound connections across an array of those masquerading devices. Every TCP connection could originate from a different IP address. The same is true when the client itself is multi-homed, such as a mobile device utilizing both cellular and wifi simultaneously.

And while the payloads of cookies can be hashed to obscure sensitive information that is stored in clear-text, it does not prevent the theft of the cookie itself. I may not know the true value inside of it, but I may not care. I might want it just to tailgate on an authenticated session. To avoid that, you need to encrypt both the cookie payload and its name.

Comment: Re:Stupid (Score 1) 394

by toejam13 (#48626243) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

For most sites, I don't really care if my browsing activity is being monitored. If some security service wants to eavesdrop on my visits to catfancy.com, let them. For the sites where I do care about privacy, HTTPS is generally an option.

But keep in mind that HTTPS alone only buys you so much. You're still leaking information about the sites you visit via your DNS queries. Also, you're still being tracked at the end-points by ad networks and other systems that log your moves. If privacy is that important, you should also be using an anonymizing proxy service like TOR.

Comment: Re:Stupid (Score 3, Interesting) 394

by toejam13 (#48623463) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Encryption has a cost, it isn't free. ... This is a dumb idea. A very dumb idea.

Agreed. For most sites, there are only two areas where I care about encryption: 1) login authentication and 2) session tokens (cookies). For #1, briefly switching to SSL/TLS is no big deal.

The problem today is that there is no satisfactory solution for #2. In order to encrypt your cookies in your HTTP header, you have to encrypt everything. As previously mentioned, this can have some adverse side effects. It is also complete overkill. What HTTP needs is a middle option.

Enter explicit HTTPS.

When a client requests a protected URL, it can be given a challenge and negotiation method for TLS not unlike how NTLM authentication over HTTP occurs. It should also negotiate what HTTP headers should be private. When complete, the client then sends encrypted data using a PROT: [session id] [base-64 payload] header. If you wanted to be fancy, you could make the system tolerant of upstream proxies or load-balancers inserting their own cookies.

Now you have a system where your session tokens cannot be eavesdropped upon, but yet the payload of the HTTP request can be cached.

Comment: New Revenue System (Score 4, Interesting) 190

by toejam13 (#48567577) Attached to: Fraud Bots Cost Advertisers $6 Billion

Perhaps advertisers should finally move away from the current revenue system that pays per-click and should instead move towards a profit sharing system where the referring website receives a commission based on any sales or executed transactions.

I've been reading about click fraud for over a decade now. I don't expect it to go away under the current system.

Comment: Re:Doesn't matter even if the publishers win... (Score 4, Interesting) 699

by toejam13 (#48548849) Attached to: French Publishers Prepare Lawsuit Against Adblock Plus

...someone else will develop a list...

Which is why I believe that the whole exercise is futile. Suing Eyeo is not unlike playing Whack-a-Mole. If they are forced to remove their app, others will simply take their place. Given that Ad Block has already forked development lines (see: Adblock Edge), they're already too late.

Ultimately, websites are going to need to protect their content using JavaScript or other means. I'm already familiar with a few sites that use JS based elements that display a message after a few seconds if the ads in the page don't load (see: Fark.com). Of course, AdBlock Edge allows me to block those elements, but it wouldn't be hard to use element name randomizing techniques to thwart AdBlock Edge.

Comment: Re:Legal Opinion, Please? (Score 1) 699

by toejam13 (#48548627) Attached to: French Publishers Prepare Lawsuit Against Adblock Plus

IANAL, so I'd like a tort guru to enlighten us on exactly how creation and distribution of a product (AdBlock) that gives consumers an informed choice over another product (advertising bullshit) is an actionable case.

I'm also curious how much Eyeo opened themselves to litigation by offering a for-profit whitelist that overrides the blacklist instead of sticking just with a blacklist-only model.

It sounds like a water utility company suing faucet makers for making a device that restricts flow of billable water, or the electric company suing light switch manufacturers.

Or like how AT&T used to prohibit third party phones on their lines?

The main difference here is regarding the level of exclusive ownership rights the publisher has versus the public good in relaxing those rights. Many governments have rules allowing small quotes and allowing parodies when it comes to published content. But ad skipping is somewhat murky. Over on the TV side, it is assumed that the Betamax timeshift ruling provides some protection (which the SonicBlue DVR lawsuit would have clarified had it continued). But I'm not aware of anything on the published side.

Comment: Re:Hibernation (Score 2) 77

by toejam13 (#48544453) Attached to: Pluto-Bound Spacecraft Ends Hibernation To Start Mission

But it is a PlayStation One system (well sort of).

Poor analogy. That would be like saying that the Macintosh Classic is sort of an Atari ST just because they both used Motorola 68000 processors.

As for the minimalistic nature of the Mongoose-V (MIPS R3000 based) processor in the NH spacecraft, it is more than adequate for an embedded processor. My Sony NEX camera uses a Bionz (also MIPS R3000 based) processor for image processing and user interface controls. The clock rate of the Mongoose-V might seem a little low, but remember that the spacecraft is both power and uplink speed limited. Having a faster processor really wouldn't gain much.

Comment: Re: Then again, maybe it _is_ good news. (Score 1) 172

by toejam13 (#48510779) Attached to: Study: HIV Becoming Less Deadly, Less Infectious

I've often wondered. Suppose you had a time machine, went back, took some random person from the year 1900, and brought them to the present day. How would they fare in the modern world? My guess is that there would be a big adjustment period but they would manage. How about a person from 1850? 1800? 1700? At what point would the person be so totally lost in modern society that they wouldn't be able to function at all?

If you want an example, look at how refugees from poor rural areas in third world countries handle the transition when they arrive in a first world nation. You often have massive language and cultural barriers. First hand knowledge and use of technology is going to be limited. They're going to know little to nothing about our laws. If you just drop them into the middle of NYC, they will do very poorly.

If you put them into an orientation program and assign them to a handler who will bring them up to speed, they'll probably do alright. It might take a decade before they're comfortable in their new home, especially if language was a barrier, but it will eventually happen. There are millions of examples all throughout the western world of this happening. People adapt.

Comment: Re:I bet Infosys and Tata are dancing in the stree (Score 1) 186

Eventually Obama is going to be a civilian again. If he pleases the right people, he (or his immediate family) can make tremendous amounts of money as a lobbyist, consultant, guest speaker, etc...

Just look at the money that Chelsea Clinton earns from her array of jobs at various consulting, investment, educational, media and humanitarian companies and organizations. Her success was handed to her on a diamond platter as political thanks to her parents.

Comment: Re:I bet Infosys and Tata are dancing in the stree (Score 2) 186

Tech, agriculture, service industries, foot services, etc. all benefit from the well behaved illegals.

You mean that their owners do. We just added millions of mostly uneducated people to the workforce. If you're in a low skill job and you dislike your wages, hours or working conditions, management will gladly and easily find a replacement.

This sucks for anyone who is entering the workforce or who lacks the proper skills or aptitude to crawl out of the bottom. As if unemployment and underemployment for those people wasn't already bad enough.

Obama just set the war on poverty back by about twenty years.

Comment: Re:Gentoo is the BSD of the Linux World (Score 1) 267

by toejam13 (#48430335) Attached to: Ask Slashdot: Workaday Software For BSD On the Desktop?

There was a period of time during the GCC->Clang transition where a lot of stuff didn't build, but those days are long gone.

If you stick with the Ports collection, using Clang is fairly safe if you're on 10.1 and you keep your Ports db up to date. The problem is when you stray outside of Ports, or you find one that really needs GCC (or worse, a newer version of GCC).

The last compiled version of GCC included with FreeBSD was 4.2.1. You can build newer versions using the Ports collection, but then you have to make a decision to keep two versions installed. There is also some hassle regarding which shared libraries to use.

I had a package that really wanted something newer, so I installed gcc48. It took me a few hours, but I finally got it shoehorned in. Ugh. I'll stick with packages that are happy with Clang.

Comment: Re:I just did this myself (Score 1) 267

by toejam13 (#48430231) Attached to: Ask Slashdot: Workaday Software For BSD On the Desktop?

In FreeBSD, network configuration data is stored in the /etc/rc.conf file, which overrides default options stored in /etc/defaults/rc.conf.

If you want to manually set the IPv4 address of an interface, you could use:
    ifconfig_xx0="inet 192.168.1.10 netmask 255.255.255.0"
    defaultrouter="192.168.1.1"

If you're using DHCP, remove the default router line and set the ifconfig string to "DHCP".

You can also use the command line tool sysinstall to set network options.

Also remember, FreeBSD uses network driver specific interface names. So instead of eth0, eth1, eth2, you can have fxp0, em0, and de0. If that's not your thing, you can always create an alias:
    ifconfig_em0_name="eth0"
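As an added example, not from the comment above, the following POSIX shell script reads rc.conf-style lines of the kind shown and classifies an interface's configuration, flagging the case the post warns about (a DHCP interface with a leftover defaultrouter line). The sample rc.conf contents, the interface names and the output labels are constructed for illustration; the script only inspects the file and changes no system state.

```sh
#!/bin/sh
# Added example (not from the Slashdot comment): a read-only checker for
# FreeBSD-style rc.conf network settings. Sample files below are constructed.

# Print the value of an rc.conf variable, unquoted. If the variable is set
# more than once the last definition wins, as it does when the file is sourced.
rc_get() {
    # $1 = file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Classify how interface $2 is configured in file $1.
# Output: unconfigured | static | static-no-gateway | dhcp | dhcp-and-gateway | unknown
rc_check_net() {
    ifcfg=$(rc_get "$1" "ifconfig_$2")
    gw=$(rc_get "$1" "defaultrouter")
    case "$ifcfg" in
        "")
            echo "unconfigured" ;;
        DHCP|SYNCDHCP)
            # DHCP supplies the default route; a static defaultrouter fights it.
            [ -n "$gw" ] && echo "dhcp-and-gateway" || echo "dhcp" ;;
        inet\ *)
            # A static address needs a defaultrouter to reach anything off-link.
            [ -n "$gw" ] && echo "static" || echo "static-no-gateway" ;;
        *)
            echo "unknown" ;;
    esac
}

# Write a constructed sample rc.conf to $1; $2 selects the scenario.
write_sample_rc() {
    case "$2" in
        static)
            cat > "$1" <<'EOF'
hostname="bsdbox.example"
ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
EOF
            ;;
        dhcp-leftover)
            # The mistake the post warns about: DHCP with the router line left in.
            cat > "$1" <<'EOF'
hostname="bsdbox.example"
ifconfig_fxp0="DHCP"
defaultrouter="192.168.1.1"
EOF
            ;;
        dhcp)
            cat > "$1" <<'EOF'
hostname="bsdbox.example"
ifconfig_fxp0="DHCP"
EOF
            ;;
    esac
}

# Stand-alone demonstration over the constructed samples.
rc_demo() {
    tmp=$(mktemp)
    for scenario in static dhcp-leftover dhcp; do
        write_sample_rc "$tmp" "$scenario"
        echo "$scenario: em0=$(rc_check_net "$tmp" em0) fxp0=$(rc_check_net "$tmp" fxp0)"
    done
    rm -f "$tmp"
}
```

Run `rc_demo` after sourcing the script to see the three scenarios classified; the `dhcp-leftover` sample reports `dhcp-and-gateway` for fxp0, which is the combination the comment says to avoid.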

Comment: Re:They tried to raise prices 20% unannounced (Score 1) 392

by toejam13 (#48272529) Attached to: Cutting the Cord? Time Warner Loses 184,000 TV Subscribers In One Quarter

That's probably a ClearQAM signal that he is receiving. Most HDTVs in North America have dual-standard 8VSB/QAM64 tuners so they can receive both broadcast and cable channels. No CableCard required.

I think the complaint is that many cable companies are switching from ClearQAM to encrypted DTV channels, even basic channels, so that you have to rent a device from them. Which sucks. There should be no hardware rental costs for basic channels.
