
Comment Better a walled garden than a steel octagon (Score 5, Insightful) 439

I think Mr. Doctorow errs in assuming two things: 1) that there's an intrinsic value in the total openness of programmable electronic devices, and 2) that the new "walled garden" approach adopted by Apple, Microsoft et al. is somehow being done to benefit the estate of Jack Valenti (thank God the Supreme Court couldn't extend his lifetime).

Before you mod me into oblivion, hear me out.

Most people do not give a good goddamn about having control over the code execution path. In fact they don't want control because they can get confused into letting viruses and other malware execute. They want their devices to make life easier, whether that means keeping track of information or playing games to pass the time or some other convenience, and given a two-dimensional optimization choice over the convenience/freedom axis they'll pick convenience every time. And they're not wrong or stupid or evil to do so. They just don't agree with your set of principles.

And thank God for that, because I for one would not want to witness the consequences of a Melissa or Slammer-type worm infecting every Android or iOS device in the United States. We would just stop.

There will always be vigorous and enthusiastic communities centered around truly general purpose devices. You need only look to the many devices other posters here have mentioned, such as the Raspberry Pi, Arduino, and dozens of other hackables. Hell, through Amazon you can rent time on an infinite mountain of general-purpose computing if you're interested.

Let's face it -- hackers, by which I mean the folks who want to push devices to do things they were neither designed nor intended to do, are a teensy minority in the world of users.

Comment Re:Easy fix, for lazy administrators (Score 1) 281

Thanks so much for linking the slides! Just some initial thoughts:

On Slide 17, the CVE percentages are meaningless without some breakdown of installed base. If "Mac OS Server" includes everything from Rhapsody DR2 on up, then the numbers are flawed. If not, Apple might have some security issues.

Slide 28 -- I'm not particularly clear on why you would want ASLR or DEP to be configurable -- that just opens another avenue of attack. It should always be on, for every process, all the time, to be meaningfully effective.

Slide 34 -- UAC can be and frequently is turned off by stupid people; even some software vendors demand that it be disabled due to "incompatibilities". Escalation dialogs in Mac OS can't be.

Slide 38 -- you keep calling the attack on the Keychain credential store a "brute force," but it isn't -- it's a simple social engineering attack to get a password. Unfortunately the Keychain keeps (encrypted) passwords in the clear rather than hashes only, but this is so users don't forget their passwords.

Slide 53 -- "Modify existing binaries and services, which breaks signing but is generally not noticed" -- maybe in your shop, pal, not mine.

Slide 76 -- "Run your computers as little islands on a hostile network" -- FTFY

The Bonjoof hack is very clever, and demonstrates a real hole in the way Bonjour handles computer identification. In a well-managed enterprise situation I would expect it to be turned off though. I don't precisely know what it means by a "centralized" way to turn it off. That would be done in the imaging phase of deployment.

On balance the presentation seems to be just an "Apple is vulnerable too" talk, given the countless comparisons with Windows. All the clever people already knew that. The presentation seems to have been excellent in terms of breadth and thoroughness, though, and I would call it a must-read for network ITs in Mac-friendly environments.

Moral of the story? Every one of your attacks here can be mitigated structurally. In a secure environment, don't let your end users be sudoers, filter Bonjour traffic across layers, and always keep your server on a different subnet. We've been doing all that for years; combined with administrator vigilance, people should still be OK.

Comment Easy fix, for lazy administrators (Score 5, Informative) 281

defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO

There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.

To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.

Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?

Comment Re:the end of privacy? (Score 1) 278

Posting an anti-privacy rant with the name Schmidt was the first laugh.

Wow. I don't know if that's supposed to be anti-Semitic or some kind of joke about Germany passing this law (I'm Irish-American).

I'm about ready to get off this crazy train. Slashdot respects my privacy, so I can delete my account, right? OH WAIT

Comment the end of privacy? (Score 1) 278

I realize that Slashdotters in the main have a libertarian-ish bent, but you guys really need to understand that when these Web 2.0 moguls stand up and say "privacy is dead" they do have a leg to stand on. An awful lot of people the world over, especially in the US, do not fetishize anonymity to anywhere near the extent that you do. Mostly people don't give a damn because they never do anything anonymously themselves, and then on the rare occasion when they have to conjure up an opinion on the subject they're pissed off because someone calling themselves anonymous (with or without a capital A) just did something rash or obnoxious. They do not know the names Brutus and Publius. They think the Pentagon Papers was a novel by Charles Dickens, and as far as they know Voltaire's Candide is the instruction manual for the first lightbulb.

This is not to say that people don't respect anti-establishment thinking. Christ and his later student Luther, Cicero and his distant colleague Paine, and even the antithetical squawkers Ron Paul and Rachel Carson, for instance, all earned respect in their own times precisely because they were willing to stand up and let their names be associated with their opinions. They were, of course, all called nasty things for not swimming with the current like the other fishies, and at least one of them got his hands chopped off and (maybe) stuffed in his mouth by one of the people he'd been criticizing. But they've had a far longer-lasting impact on the things they wanted to try to change than any pseudonymous wag ever has.

Anonymity, of course, isn't the real issue because it's perfectly simple for anyone to install Adblock, stay off Facebook, and generally lurk in the shadows unnoticed. Every time I hear "OMG they're killing anonymity" I hear "OMG they're killing my God-given right to say or do whatever I want and avoid responsibility!" Perhaps they don't realize that this argument puts them in the company of Phoebe Prince's tormentors as much as Voltaire and the Federalists.

But this is my central complaint about libertarianism: it disingenuously ignores the consequences of conduct. Privacy, more often than not, really is a shield for misconduct. Is it your right to be unseen at a bar when you're cheating on your wife, or kissing another man, or doing whatever it is you're so ashamed of your friends and family finding out about? Well, clearly not, because you were there for some kid to take your picture and get you automagically tagged on Facebook for your wife or father confessor to find out about. So how in the hell can you get angry that it's now less easily concealed?

Privacy, I might add, is not the same thing as the right against unwarranted police and government intrusion. That particular conflation is no older than William O. Douglas. So don't accuse me of promoting a police state, because I'm not. I still believe in the 4th amendment and I still think police need to get warrants to do so much as peek in your garbage bin. The behavior we're talking about here, however, is by private actors (Facebook and Google and Apple and whoever) in relation to other private actors.

"But," some will object, "what I'm doing anonymously is morally OK but my culture doesn't tolerate it, like smoking pot or having an obscure religious viewpoint!" Did it ever occur to anyone that part of the problem with this kind of conduct is that concealment reinforces the notion that there's something bad or wrong with what's being done? Hell, if all the people who had ever smoked pot were to admit to it, either half the adult population of America would be in prison or it wouldn't be a crime to smoke pot.

Anyway, what I'm trying to say is this: anonymity and privacy are rapidly extinguishing in our culture, and though it's likely to be messy I doubt the change is going to destroy free society any more than it did to take the US off the gold standard or give women the vote. These are cultural conventions, remember, ones that other, newer values are displacing.

So, there's my rant. Mod me into oblivion for disagreeing with the current groupthink on Slashdot, or just ignore me. I'm kind of an asshole anyway. But it's not just me you're ignoring, it's your family, neighbors, and fellow citizens too.

Comment "End of an era," indeed (Score 5, Insightful) 256

The fact that the Shuttle was still flying in 2011 isn't just a testament to its longevity. It's a sad reminder that, at least for now, human spaceflight is at the mercy of the schizophrenia that is the American political process.

NASA has consistently brought together some of the finest minds in the world to do what the preceding finest minds thought was impossible. Then, because this is America, we take a bunch of mouth-breathers who probably got Cs and Ds in basic high school science courses and make them the bosses and the gatekeepers, the people who decide that it's more important to systematize the abuse of human rights at airports and buy the jokers at the Pentagon their newest murder toy than it is to push the frontiers of knowledge and ingenuity.

I'm putting my hope for the future of space exploration in private hands. Not because I fetishize the free market, or because I think government is evil, but because human spaceflight is way too important to be put in the hands of the American electorate, which is probably the stupidest and most poorly-informed decision-making body since the Athenian ekklesia.

Comment Re:Sparc (Score 4, Insightful) 235

There's hardly any good reason to choose anything else over it, either.

Well, yes and no. Certainly in the space between the notebook computer and any but the mightiest supercomputers there's no reason at all not to go with x86. But in the mobile processor space, where ultra-low TDP is the order of the day, ARM has a big leg up on x64. Intel sold out their Xscale division (which was only ARM 5 anyway) and now they're losing this increasingly important segment of the market.

I'm not counting Intel out by a long shot in that race, but ARM is the new hotness for most geeks.
