Follow Slashdot stories on Twitter


Forgot your password?

Comment Re:Print to PDF (Score 3, Informative) 238

Stripping JavaScript isn't enough. For example, a number of 'PDF' exploits have actually been due to vulnerabilities in libpng: if your PDF contains a PNG image (a lot do), then it may have a metadata payload that triggers a bug in libpng that allows arbitrary code execution. The same can happen for embedded fonts and for embedded JPEG images.

Comment Re:Print to PDF (Score 1) 238

You need to run it through a PDF parser, and therefore potentially trigger bugs. There's nothing stopping you from doing this from a sandboxed process, so exploit code would be contained. You'd also want to make sure that it went through a simpler intermediate format that another sandboxed process could check. On the other hand, if you can do decent sandboxing, why not solve the problem properly and just sandbox the PDF reader so it can't access anything except the PDF that's passed into it?

Comment Re:Foxit Reader? (Score 1) 238

Why not? Open the PDF locally, and if there's an exploit in the parsing code then it will infect your machine. Upload it to Google, and if there's an exploit in the parsing code then it will infect one of their machines. Of course, doing this with any PDF that had commercially sensitive information in it would be stupid...

Comment Re:Oh Yeah Be Afraid of The Fed (Score 2) 92

Everyone has the power to create debt. Money is just readily transferable debt, which is the entire point of it: I do some work now for someone, and they don't produce anything that I need right now, then they give me some tokens representing the debt. I can use these tokens to exchange for some useful product or service from someone else who doesn't directly want anything that I produce.

Saying that money is backed by debt is a nice libertarian talking point, but it doesn't actually convey any information. Money exists so that you can balance unequal trades with a promise that they will be equalised in the future, and any promise of future balance is debt.

Comment Re:Confusing luck with talent (Score 4, Interesting) 91

There's an old stock market scam. You open 100 accounts. You invest randomly. After a week, roughly half will be turning a profit. You close the ones that aren't, and do another round of random investing. Again, roughly half make a loss, half a profit. After a few rounds of this, you have lost quite a lot of money, but you have one account that looks really stellar - huge returns on investment. You then open this up to investment, with the disclaimer that past performance does not guarantee future results, and wait for the money to roll in (you can then invest this in your own companies, or just take it and run away).

Much the same applies with CEOs. You take a few thousand business graduates each year and put them in management positions. They all make random decisions. Then you cherry pick the handful that have made decisions that turned out well. Then you say 'Superstar CEO, please pay enormous salary'.

Comment Re:Garbage Collection is not O(GC)=0 (Score 1) 106

The counter argument to this is simple: Memory allocations accounts for 99% of all scarce resource allocation in a typical program (and all of the resources that they're actually likely to exhaust: when was the last time you saw a program that had so many file descriptors open at once that it was hard to keep track of them and they came anywhere close to the system limit? It happens, but in very unusual code). Saying 'well, I have to do it for 1%, I may as well do it for the other 99%' is really not a very compelling argument.

Comment Re:No need for copyright notice on every file (Score 2) 120

The problem is, adding a copyright notice when you are not the copyright holder is legally dubious, and so if there isn't one in the file you have to maintain the license information separately. This leads to a load of LICENSE.GPL, LICENSE.LGPL, LICENSE.BSD, and so on files in your tree, and separate lists of which files each relate to. It saves everyone time to just stick your license template in the top of every new file that you create.

Comment Re:No need for copyright notice on every file (Score 4, Informative) 120

Not having a license on every file is a colossal pain for people wanting to take part of your code and integrate it into something else. I recently went through this with OpenIndiana: they wanted to take some of my code from another project and include it in their libc. This is fine - the license I'm using is more permissive than their libc so there's no legal problem - but I'd forgotten to include the license text in the file, I'd only put it in a LICENSE file in the repository root. Keeping track of the license for one file that is different from the others in the project imposes a burden for them and, without the copyright in the file, potentially means that others will grab that file and think it's under a different license.

In short: Please put licenses in files. It makes life much easier for anyone wanting to use your code. If you don't want people to use your code, then you can save effort by not publishing it in the first place.

Comment Re:Two memory models as an solution? (Score 1) 106

David F Bacon designed some GCs for realtime applications that used reference counting with deferred cycle detection. The longer you defer cycle detection for, the higher the probability that the object will already have been proven to be non-garbage (by having its reference count incremented again) or garbage (by having its reference count reach 0 and it being collected). The trade for this is that it increases the maximum time for the cycle detector to run. You can adjust the delay based on the latency constraints of your application.

Slashdot Top Deals

Work is the crab grass in the lawn of life. -- Schulz