
Comment Re:Bug of feature? (Score 3, Interesting) 47

Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.

Comment I don't understand (Score 4, Interesting) 47

One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

Comment Re:People probably realized.. (Score 1) 237

I can see a lot of uses for a smartwatch:
  • The Apple watch can unlock my computer when I'm next to it and lock it again when I move away.
  • Apple Pay on the watch looks like it might actually be more convenient than getting the card out of my wallet - on a phone it doesn't.
  • A two-factor auth device that I carry around with me on my wrist sounds useful.
  • Calendar appointment reminders without having to get something out of my pocket.
  • More convenient map / direction display to glance at while cycling.
  • There are probably a lot more.

The problem is that current smartwatches are like early-90s Nokia smartphones. All of the basic ingredients are there, but the technology isn't up to the vision. A decent smartwatch would be about 5mm thick, have a battery that lasts a few days, charge via induction from a thing I can leave on my bedside table, have always-available network connection without a smartphone, and be waterproof and rugged enough to survive frequent knocks. Give it another 5-10 years and we might get there...

Comment Re:of course the do! (Score 1) 42

I wouldn't be surprised if there's also a much more direct feedback loop for Netflix-produced content (though HBO is probably similar). Think about how a normal TV show is created:
  1. Someone has an idea. They persuade a studio to fund a pilot.
  2. The studio takes a loss on the pilot and shops it around to TV channels.
  3. The TV channels evaluate it and decide the demographics that will watch it, and if a large enough, profitable (i.e. high income, low impulse control) segment of the population might like it, they commission the series.
  4. The studio produces the series.
  5. The channel sells ads.
  6. If the ad purchasers think that the ads are worthwhile (via a complex indirect feedback mechanism involving tracking sales against projections) then they'll be happy and the studio will renew the show (unless a new show that could possibly make more money in the same slot comes along).

Now compare that to Netflix.

  1. Someone has an idea. They persuade a studio to fund a pilot.
  2. Netflix decides that people might like it and funds the full series.
  3. As soon as the show is available, Netflix records how many people watch it, how many didn't finish an episode, and what the review score distribution is from the subset of people that bother to write reviews.
  4. If it's popular, Netflix funds another season.

Which of these is more likely to produce shows that lots of people want to watch?

Comment Re: Oh noes!!!!11111 (Score 4, Insightful) 462

So if there were outside factors that biologically predisposed men and women towards different career paths or interests would you accept that those might result in something other than an even distribution of employment in certain vocations?

This doesn't make sense. The differences are either innate (biological) or the result of external factors. If they're the result of external factors (i.e. not biological) then they're likely to be amenable to change. The fact that the participation of women varies hugely between cultures (for example, in India, Korea, Israel, Iran, Lithuania, and Romania it's a lot higher) implies strongly that external factors are far more of a reason why we have so few women than anything biological.

Comment Re: Oh noes!!!!11111 (Score 4, Insightful) 462

Outside factors are not an issue.

If every role model of a programmer you see until you're a teenager is male.

If computer programmer Barbie involves the girl doing some design, but the actual coding being done by boys.

If every children's TV show that includes both women and computers has the woman saying computers are hard and the man solving the problems.

If all of the clever boys at your school are encouraged into extracurricular activities involving computers, but the girls aren't.

I'm sure it would have no impact at all on you.

If you don't think that this is real, then sit down for a couple of hours this evening and watch two hours of children's TV. Count the number of male vs female lead roles. Count the number of times anyone builds anything and whether it's done by a male or female character.

Comment Re:First lesson (Score 4, Interesting) 135

I have two major beefs with IPv6. The first is that the end-point 2^48 switch address space wasn't well thought-through. Hey, wouldn't it be great if we didn't have to use NAT and give all of those IoT devices their own IPv6 address? Well... no actually, NAT does a pretty good job of obscuring the internal topology of the end-point network. Just having a stateful firewall and no NAT exposes the internal topology. Not such a good idea.

The second is that all the discovery protocols were left unencrypted and made complex enough to virtually guarantee a plethora of possible exploits. Some have been discovered and fixed; I guarantee there are many more in the wings. IPv4 security is a well known problem with well known solutions. IPv6 security is a different beast entirely.

Other problems include the excessively flexible protocol layering allowing for all sorts of encapsulation tricks (some of which have already been demonstrated), pasting on a 'mandatory' IPSEC without integration with a mandatory secure validation framework (making it worthless w/regards to generic applications being able to assert a packet-level secure connection), assumptions that the address space would be too big to scan (yah right... the hackers didn't get that memo, my tcpdump tells me), and not making use of MAC-layer features that would have improved local LAN security, if only a little. Also idiotically and arbitrarily blocking off a switch subspace, eating 48 bits for no good reason and trying to disallow routing within that space (which will soon have to be changed considering the number of people who want to have stateful *routers* to break up their sub-48-bit traffic and who have no desire whatsoever to treat those 48 bits as one big switched sub-space).

The list goes on. But now we are saddled with this pile, so we have to deal with it.
Comment Flood defenses? (Score 5, Informative) 135

There is no flood defense possible for most businesses at the tail-end of the pipe. When an attacker pushes a terabit/s at you and at all the routers in the path leading to you, as well as other leaves that terminate at those routers, from 3 million different IP addresses from compromised IoT devices, your internet pipes are dead, no matter how much redundancy you have.

Only the biggest companies out there can handle these kinds of attacks. The backbone providers have some defenses, but it isn't as simple as just blocking a few IPs.
Comment Re:Remote exploit (Score 1) 72

Most attacks these days are a sequence of memory safety violation followed by memory disclosure followed by arbitrary code execution. ASLR is meant to make the memory disclosure part harder, but there are now half a dozen known attack techniques that allow ASLR to be bypassed. Off the shelf attack toolkits will include these mechanisms, so it's a mistake to assume that an attacker won't be able to bypass it. It increases the barrier to entry from script kiddie with 5-year-old toys to script kiddie with new toys.

Comment Re:Holy flamebait batman! (Score 1) 894

If you don't have a job, "relocation" is a bus ticket. But very few people move to improve their circumstances.

Not true. If you don't believe me, look at the statistics for worker mobility - they correlate strongly with wealth. Poor people are a lot more reliant on their support networks (family, friends, and so on). If they're in a poorly paying job, then they probably can't afford to take a month to look for a new one in the new location (especially with the real possibility that they won't find one). If they don't have a job, then there's a strong psychological pressure not to move to places with fewer jobs and there's likely to be a delay in receiving unemployment benefit as these things are typically administered locally.

In contrast, someone like a typical Slashdot poster can afford to stay in a hotel room for a week or two (or have an employer willing to pay the cost) while they look for somewhere to live and will typically be able to find a job before they start moving.

Oh, if we're willing to tax the first dollar of earnings (over the UBI), it's far more credible. But right now the majority pays effectively no income tax, so that would be a massive change.

UBI itself is a massive change, so it's weird to think that you'd introduce it without introducing massive changes. Most proposals for UBI have it replace the tax-free allowance. You might have a very small tax-free allowance on top of it, but generally the way of balancing the books involves paying tax on all earned income.
