
Comment Re:GNU/Linux is made in the USA (Score 1) 332


Not really, most of the thousands of projects have at most a few core developers and extraneous people who occasionally submit patches to fix specific itches. There is no "A team" scouring all open source for vulnerabilities, from the simple fact that such vulnerabilities most certainly do exist as innocent bugs and have not been reported by such teams.

To illustrate this point, the Linux kernel is developed by armies of smart people, yet an automated tool found a laundry list of shit that had been around for years and nobody noticed.

First, from the very report that you linked to:

The results show that the number of defects detected by the Coverity analysis system has decreased from over 2000 to less than 1000 while, during the same period of time, the source code has quadrupled in size and the power of Coverity's detection capabilities has increased markedly. We conclude using this data that the Linux kernel is a robust, secure system that has matured significantly.

You want a real eye opener? Check out Coverity's current press release:

Code quality for open source software continues to mirror that of proprietary software, and both continue to surpass the accepted industry standard for good software quality. Defect density (defects per 1,000 lines of software code) is a commonly used measurement for software quality. Coverity's analysis found an average defect density of .69 for open source software projects that leverage the Coverity Scan service, and an average defect density of .68 for proprietary code developed by Coverity enterprise customers. Both have better quality as compared to the accepted industry standard defect density for good quality software of 1.0. This marks the second, consecutive year that both open source code and proprietary code scanned by Coverity have achieved defect density below 1.0.


Linux remains a benchmark for quality. Since the original Coverity Scan report in 2008, scanned versions of Linux have consistently achieved a defect density of less than 1.0, and versions scanned in 2011 and 2012 demonstrated a defect density below .7. In 2011, Coverity scanned more than 6.8 million lines of Linux code and found a defect density of .62. In 2012, Coverity scanned more than 7.4 million lines of Linux code and found a defect density of .66. At the time of this report, Coverity scanned 7.6 million lines of code in Linux 3.8 and found a defect density of .59.


While static analysis has long been cited for its potential to improve code quality, there have been two significant barriers to its adoption by development organizations: high false positive rates and a lack of actionable guidance to help developers easily fix defects. Coverity has eliminated both of these obstacles. The 2012 Scan Report demonstrated a false positive rate for Coverity static analysis of just 9.7 percent in open source projects. Additionally, the 2012 report noted more than 21,000 defects were fixed in open source code, more than the combined total of defects fixed from 2008-2011.

The real conclusion that you should draw is twofold. First, if you're relying on software that isn't doing static code analysis, you're probably relying upon insecure code.

Second, Every. Single. App. Has. Bugs. The difference is that open source lets anyone do the analysis and fix the bugs. The same can't be said of any closed source package.

So, which is safer? The OSS app where everything is publicly discussed and bug fixes generally get acted upon fast, or the closed source app where the vendor may be handing the known vulnerabilities off to the NSA or its equivalent in the country of your choice? I know which way I choose. :-)

Comment Re:Yes (Score 4, Insightful) 533

Killing 3 people and maiming 234 using explosives and shrapnel counts as mass destruction in my book.

It definitely doesn't count, in my book. You post-cold-war kids are so cute. Did you know the band Megadeth got their name from something that was believed to be reasonably likely to happen? 237 casualties isn't even a blip on the WMD scale. WMDs are for serious scale murder.

Exaggeration sounds like good idea when you're going after a specific bad guy, but it reminds me of how "registered sex offender" used to mean "rapist" and now, for all you know, it can mean some kid who sext-messaged his girlfriend or maybe even got drunk and peed on a parking meter.

Overbroad terminology abuse will remove stigma. Now the next time someone wants to start a hideously expensive war over alleged WMDs, the public will say "why should I care if Saddam II has a hand grenade?"

Hmm... now that I think of it, this could save us a shitload of money. Ok, you've convinced m-- wait, what if Saddam II actually has (oldschool definition) WMDs? Are we going to need a new term that means the same as WMD used to mean, like "WMDs, no I mean for real, 'Threads' and 'The Day After' style, dude!"?

Comment Re:Not really HTML5 (Score 1) 337

In the UK, the content was so abysmal that "leave it" is what I did.

90% of everything is shit, and the grass is always greener on the other side of the fence.

I'm sure 90% of your TV is shit, but so is ours. What you're doing is concentrating on our 10% and your 100%. Over here on the other side of the pond, I do the same thing but from the opposite perspective: "Damn, there's so much great stuff we're watching from the BBC."

Comment Resume bug or "overqualified" (Score 2) 472

Traditional hiring processes seem to revolve around.. not one's track record and accomplishments.

I'm surprised. First guess is that you've misdiagnosed it being about formal education.

You might have something horribly wrong on the resume. Maybe have a friend look at it and figure out why no one should ever hire that awful person. Then remove the part about how you made the Nazi Party's website 100x faster, or whatever it is. ;-)

Other idea is that people are seeing it and thinking "this guy wants a real job, not our job; there's no way we can afford him." You have to address that in the cover letter, hopefully without throwing away too much money. Think about whom you're approaching. They shouldn't all necessarily get the same spiel.

Good luck, buddy.

Comment Re: Backlash (Score 1) 148

This is like saying "you were hit by a car but we left you to bleed to death by the side of the road because you didn't express your preference to be scooped up and taken to hospital"

Yes, and?

When we're talking about what someone else's computer internally does with the information you choose to send to it, they liter-- uh -- analogously do have the right (and more importantly: the POWER, even if you disagree about the right) to get away with the attitude that you just described. If it helps, think of them as Powerful Assholes Who Have The Law On Their Side.

Sure, PAWHTLOTS are going to let most people bleed to death. The weird strange thing that happened, though, is that while they're all always free to let everyone bleed to death (whether they want to go to the hospital or not), a few of the .. shall we say.. evil-yet-honorable PAWHTLOTS said they'd take people to the hospital if those people said "I thought about it and decided I would prefer to go to the hospital" as opposed to two other choices (the other choices were "I don't care" and "I thought about it and would prefer to die").

Microsoft came out with a medical bracelet, where the "I'd rather go to the hospital" and "I don't care" part was smudged, so that people trying to read the card can't tell the difference.

If you are trying to read such a bracelet, I think you're going to say "well, they clearly don't say they'd prefer to die" and I think you're going to take that person to the hospital. But what do you predict an evil-yet-honorable PAWHTLOTS will do?

The people who invented the DNT medical bracelet thought about that last question and were very explicit that people who make bracelets should use care in making sure the bracelets don't display ambiguous information, but Microsoft blew it.

Look at it another way: we all want this bullshit to be opt-in. But we send information to trackers, where they get to decide how it works. And they want it to be opt-out. It's their computer, so they win, period. If we work within opt-out, some of us can get some of what we want. If we defy it, then we haven't opted out.

This, BTW, is half of the tracking issue. The other half of the issue is that we leak so much damn information, which is what has put so much power into the adversaries hands. And FWIW, this actual Firefox story is about that. So there's at least something to be cheerful about. I prefer technical means to dealing with the problem, but DNT was a brilliant social prong of the action too, and MS has spoiled it.

Comment Re:I've come out of hiding just to say... (Score 1) 98

Years later it's still clearly nothing more than a nasty hack.

Sometimes a hack is what you need, and it's the difference between being able to accomplish the goal, and not being able. But key is "years later." Now Citrix is irrelevant, but 20 years ago it let you do things which otherwise simply couldn't be done, and "p0wned" is largely a non-issue when talking about machines not connected to the Internet.

Let's say it's 1994 and you have a legacy MS-DOS application where porting it to Linux or whatever isn't an option. The application talks a lot to a database, and it's fast enough over 10M ethernet. But your medical practice has a satellite office a few miles away, and for a shitload of money, you can get a 56K link. (Yes, these numbers all sound so quaint today, but that's the whole point.) You're not going to have 8 users running that app doing its database queries sharing a 56k link. The patients will die of old age in the waiting room if you do that.

But you put a Citrix box at the main office, which is OS/2 2.0 plus Citrix's hacks, an 8-serial-port digiboard, plugging into a serial multiplexer which plugs into your synchronous mode USR Courier plugged into the 56k link. At the satellite office the other Courier plugs into the demultiplexer and serial lines go to the terminals, and there you go. You've got 8 users at dumb terminals running an MS-DOS legacy app which is really running at the main office where it can easily query the database fast enough. And it works.

Of course it's a hack. But it's a hack that lets you tell the client Yes, we'll take your money and make it work and you'll be able to see patients. That's better than telling them No, it can't be done. Don't you agree?

Ten years later, you might say "screw Citrix, just run dosbox on some Linux machine instead, and connect by ssh over an IP link (or the Internet itself)" and dude, I would totally agree with you. But no fair, you're in the wrong decade, unless you have dosbox working on Linux and talking to Netware servers in 1994 -- and you don't. Believe me, I know, I looked, and you just don't have that in 1994. Or forget dosbox, just port your shitty legacy app to Linux, right? *sigh* Once again, you have me agreeing with you in principle, but it's 1994 and you're trying to sell Linux and you've been pleading for years that we ought to work on getting our app no-longer-dependent on unportable proprietary libraries (and compilers!), and .. holy shit do I NOT miss those days. OMG do I love my new job. Sometimes I forget how much I love my new job and how much crap I'm not dealing with anymore. :-) Fuck you, 1990s. I don't ever want to see the fucking 1990s again. If I'm ever walking down the street and the 1990s are there .. I don't know if I can be held responsible for what happens.

Comment Re:Missing Innovation (Score 1) 178

Your comment wouldn't be stupid, if Congress didn't already have hundreds of pages of law about this very topic, to address various industries' entitlements to have special powers and exclusive rights granted by the government at the expense of the people. But they do. Congress is already pointing guns at peoples' faces, saying "do this business, this way or else." This is already a "market" (and I use that term loosely) where how it works is centrally planned. And it fails to deliver adequately or live up to the constitutional justification for it. What I'm proposing is an everyone-wins fix.

If anyone actually had a problem with "entitlement" here, someone would have voted that way by now. So far 100% of Congress (can't even find Rand Paul to suggest he'd be an exception) is still supporting some level of regulation of these industries, not advocating copyright be abolished, etc. We tried the radical-left-overregulated approach (DMCA) and it failed; now sit down, shut the fuck up, and let libertarians solve this mess. Yes, libertarians. I may be talking about pointing guns at peoples' faces too, but if you're paying attention you'll see it's a shitload fewer guns aimed at fewer people than the status quo, and every bit of it is based upon accomplishing the goal as stated in Article 1 Section 8.

I know I've been trolled, but .. damn. We've had DMCA on the books for about fifteen years and no one does anything about it, and then someone has the fucking nerve to suggest my idea involves entitlement? No, fuck you.


Altering Text In eBooks To Track Pirates 467

wwphx writes "According to Wired, 'German researchers have created a new DRM feature that changes the text and punctuation of an e-book ever so slightly. Called SiDiM, which Google translates to 'secure documents by individual marking,' the changes are unique to each e-book sold. These alterations serve as a digital watermark that can be used to track books that have had any other DRM layers stripped out of them before being shared online. The researchers are hoping the new DRM feature will curb digital piracy by simply making consumers paranoid that they'll be caught if they share an e-book illicitly.' I seem to recall reading about this in Tom Clancy's Patriot Games, when Jack Ryan used this technique to identify someone who was leaking secret documents. It would be so very difficult for someone to write a little program that, when stripping the DRM, randomized a couple of pieces of punctuation to break the hash that the vendor is storing along with the sales record of the individual book."
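As an added illustration, not code from the submission, from Wired, or from SiDiM (whose actual scheme the story does not describe), here is a toy version of the per-copy variant watermark described above: an embedder picks one of two equivalent renderings at each "site" to carry one bit of a buyer id, and a detector recovers the id by voting per bit across the sites that repeat it. The sentences, the site layout and the buyer ids are all constructed. The example also separates two things the submission runs together: a whole-file hash stored with the sale record, which any edit breaks, and site-by-site detection, which survives a couple of altered lines because each bit is embedded redundantly.

```python
import hashlib
from collections import Counter

# Constructed sample text: 12 sites, each with two equivalent renderings.
# Hypothetical sentences, not taken from any real book or from SiDiM.
SITES = [
    ("He paused, then spoke.", "He paused; then he spoke."),
    ("It was late, and the office was empty.", "It was late and the office was empty."),
    ("She checked the lock twice.", "She checked the lock twice over."),
    ("The door was shut.", "The door was closed."),
    ("Nobody answered.", "No one answered."),
    ("The phone rang again.", "Again the phone rang."),
    ("He did not look up.", "He didn't look up."),
    ("Finally, silence.", "Finally: silence."),
    ("Outside, the rain kept falling.", "Outside the rain kept falling."),
    ("A car passed; its lights swept the wall.", "A car passed, its lights sweeping the wall."),
    ("He counted to ten.", "He counted up to ten."),
    ("Then he left.", "Then he went out."),
]
ID_BITS = 4   # buyer id is 4 bits (0..15); a real scheme would use many more
REPEAT = 3    # every id bit is embedded at REPEAT different sites
assert len(SITES) == ID_BITS * REPEAT


def embed(buyer_id: int) -> str:
    """Render one copy: site s carries bit (s % ID_BITS) of buyer_id."""
    lines = []
    for s, (v0, v1) in enumerate(SITES):
        bit = (buyer_id >> (s % ID_BITS)) & 1
        lines.append(v1 if bit else v0)
    return "\n".join(lines)


def detect(text: str):
    """Recover the buyer id by majority vote per bit.

    A line matching neither stored rendering (altered) simply abstains.
    Returns None when some bit has no usable votes or the votes tie.
    """
    lines = text.split("\n")
    votes = [Counter() for _ in range(ID_BITS)]
    for s, (v0, v1) in enumerate(SITES):
        if s >= len(lines):
            break
        if lines[s] == v0:
            votes[s % ID_BITS][0] += 1
        elif lines[s] == v1:
            votes[s % ID_BITS][1] += 1
    buyer_id = 0
    for b, c in enumerate(votes):
        if not c or c[0] == c[1]:
            return None
        buyer_id |= c.most_common(1)[0][0] << b
    return buyer_id


def tamper(text: str, line_indices) -> str:
    """Model the scenario in the submission: strip punctuation from a few
    lines so that they no longer match either stored rendering."""
    lines = text.split("\n")
    for i in line_indices:
        lines[i] = "".join(ch for ch in lines[i] if ch not in ",;:.'")
    return "\n".join(lines)


def fingerprint(text: str) -> str:
    """Whole-copy hash of the kind a vendor might file with a sale record.
    Useful as an index, but a single edited character changes it."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    copy = embed(11)
    leaked = tamper(copy, [2, 6])
    print("clean copy id:", detect(copy))           # 11
    print("altered copy id:", detect(leaked))       # 11
    print("hash survives edit:", fingerprint(copy) == fingerprint(leaked))  # False
```

Run it and `detect()` returns 11 for both the clean copy and the copy with two altered lines, while the two SHA-256 fingerprints differ. Recovery fails only when every site carrying some bit has been altered, which is the robustness lever a vendor controls through `REPEAT` and the number of sites; the price is that each variant must read naturally enough that the reader never notices the copy differs from anyone else's.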

Comment Re:Missing Innovation (Score 1) 178

Line up deals with content sources..

This is actually very close to right (you're not crazy), but it's wrong.

What this industry's player products, video services, and the users of those products and services, really need is for the player-manufacturer-makes-a-deal-with-the-service-provider to not happen, and for all the industry's mis-steps in this direction, to be rolled back.

If we can prevent these deals from happening, and instead put pressure on these video services to conform to a STANDARD INTERFACE for doing the same kinds of operations that you talk about -- so that any player is allowed to implement it -- then Tivo (and MythTV and Sickbeard and AppleTV and your "smart TV" and Intel's new product and Roku and the hacker in the garage next door) would just have to write one component that speaks that protocol, and you would be able to use your player (whatever that may be) with any and all video services that you subscribe to, without giving a competitive advantage to Amazon and Netflix and Hulu (and by corollary: a disadvantage to their competitors, both present and future).

Standard interfaces are what made analog TV (both OTA and cable) great. It's what makes OTA digital TV great, and it's how digital cable fails and why people stopped subscribing.

It's what made the web great.

This is how video could open for business again, instead of giving up and admitting that pirating is the only way to get things to work right. And right now, pirating is the only way to get things to work right, have clean interfaces, be user-friendly and hassle-free, etc. It's not even about money right now, it's about not-brain-damaged functionality and the fact that pirates use standards and the people they pirate from, don't.

Using congressional force to make video services use standards instead of DRM, would be easily justifiable and there's already ridiculous amounts of precedent (thanks, fifteen years of DMCA) that it's within Congress' powers and that no voters have a problem with it. It'd vastly improve the quality of consumer experience, and increase revenues since it'd remove the need for piracy. If video copyright can still be saved, this is how it'll be done.

But we can't get there, the more "deals" that are made between manufacturers and service providers, to make things work about 25% as well as they ought to while at the same time, excluding competition and innovation. That just makes it harder to get progress, and with each passing year of the current clusterfuck, more consumers "drop out." This should have been part of the 2009 mandatory digital OTA TV thing.

Comment Re:How Facebook innovated (Score 1) 307

facebook didn't innovate anything, they just provided a popular version of something that already existed

In your opinion, has anyone ever innovated anything?

Got an example? Feel free to draw from the entire sphere of endeavor, for all of human history.

Can you guess what I'm going to do, to any example that you cite? ;-)
