Forgot your password?
typodupeerror

Comment This is WORTH remembering - for the future (Score 1) 74

I've noted the comments here about how this is old news: that's true. But it will be novel to some people who didn't live through it, and even for those who did, it's a necessary reminder. Microsoft is ruthless, unscrupulous, and unethical: they will do anything. They're not the only ones, of course, but they're arguably the most dangerous because of their size, wealth, and longevity. They're the enemy of open standards. They're the enemy of open source. They're the enemy of open protocols. They're the enemy of Unix. They're the enemy of Linux. They're the enemy of security. They're the enemy of privacy. They've always been the enemy and they always will be, because it's in their DNA: it's impossible for them to change.

So any time -- ANY TIME -- there's some statement or initiative or announcement that they're going to support open standards/source/etc., any of the things I listed -- the first things that should come to mind are these wise words of Ash: "It's a trick -- get an axe."

Comment Re:Oh, right! (Score 1) 74

We were still buying VAXes because we would put the VMS tapes aside, install a second CPU (the "PurDual" modification), install BSD (Berkeley Unix), and run them nearly 24x7 for years at a time. "We" included the (large) university I was at, but it also includes a LOT of other universities, because -- thanks to DEC's academic discounts on hardware -- this was one of the most cost-effective ways of deploying a lot of computing power. (For the time, of course,)

Comment This isn't even a little surprising (Score 4, Insightful) 22

Amazon, Google, Microsoft, Oracle, Facebook, all these large companies have huge numbers of employees and contractors and subcontractors and sub-subcontractors. And with few exceptions -- at the top -- they treat them as disposable, as we see in their headlong rush to replace them with horribly broken AI systems. Many of these people are elsewhere in the world and are paid far less than their US counterparts.

All of this creates a rich ecosystems that's ripe for bribery; it's an inexpensive and effective way to get things done. It's not rare: it's commonplace and unremarkable. Of course these companies will claim otherwise because they don't want to admit that they're created a culture of corruption, and every once in a while they'll throw someone under the bus so that they can claim they promptly investigate all such activities, that's all bullshit. The systems they've built are functioning as designed and intended, and as long as massive amounts of money keep flowing to corporate executives, they have no reason to disturb them.

Everyone foolish enough to put their personal/company/organization data in clouds run by these companies should consider that all of their data is quite likely available to anyone who can put $5K or $20K or whatever in a manila envelope and slide it across a table.

Comment There's a working group of cryptographers... (Score 2, Interesting) 98

...who are spending some of their time researching Bitcoin (and other cryptocurrencies) in an attempt to reduce their value to zero.

This isn't a particularly well-funded or dedicated effort, it's just something being done ad hoc. So it may go nowhere. But if it does succeed, then it'll be quite amusing to watch every crypto bro cry as their "investment" suddenly becomes worthless, even to the other fake money criminals.

Comment I've seen enough (Score 3, Informative) 22

Although to be more precise: I saw enough about LastPass years ago. This is the N'th security incident that they've publicly admitted. No doubt the number of incidents they're aware of is higher, and no doubt the number of incidents they're not aware of is still higher.

I think at this point it's safe to presume that any information shared with LastPass has been compromised or will be compromised shortly. Part of that is because they're incompetent, but most of it is because there's no way for any operation to do what they've set out to do: the threat model is completely against them. What they've built is one-stop shopping for attackers, so it's worth much more time, money, attention, and risk than many other operations. Obviously attackers know this and have planned/executed accordingly.

The right thing to do -- which won't happen because almost nobody does the right thing -- is to admit failure, issue refunds, and shut down.

Comment Re:Right now the real temperature here ... (Score 5, Interesting) 164

About 25 years ago, I began to take a serious interest in climatology. I started buying textbooks and reading them - and for the most part, that went smoothly, because I could easily understand the math and physics. (I struggled a bit with some of the organic chemistry, and had to spend a couple of years coming up to speed on that.) After a while, I could read all the reports and some of the papers being published, so I made my way through things like the IPCC reports -- which are thousands of pages. Eventually, I got to the point where I could read almost anything published in the field -- but admittedly, some of the material still takes me a long time to get through.

And the single biggest takeaway from all that work is: climatologists, as a field, have been consistently underestimating how bad things are and how bad they're going to get. This is because they're scientists, and all scientists are trained to be conservative in their assessments. Whereas a non-scientist might write "X proves Y", a good scientist will write something like "X suggests that Y may be happening" or the equivalent. This approach implicitly acknowledges uncertainty and the possibility that future work will yield different results: it's how science self-corrects over time.

This mindset is commendable: it shows intellectual honestly. But unfortunately in this particular discipline, at this particular time, it doesn't ring the alarm bells loudly enough. We need a Samuel L. Jackson moment: "The world is on fire, mXXXXrfXXXXXrs" We need radical changes, e.g. all fossil fuel production and consumption must end. We need vast reductions in energy consumption. We need sweeping societal changes, e.g., an end to daily commuting as the norm, it should be an exception. And even if we do all of that, it may still not be enough, because this is an exponential process with a huge amount of momentum -- in other words, we're going to keep sliding up the curve for some period of time even if we do everything that we should have done decades ago.

I've said, for all these years, that I'm not going to live to see the hellscape that's coming - the mass starvation, the killer megastorms, the wars over water, the refugee crises, the political, economic, and societal chaos. Now I'm not so sure.

Comment Re:You'll end up with an empty repository (Score 3, Insightful) 170

All true - but also a young arrogant engineer who completely failed to read and learn from people who have entire closets full of computing awards (including Turing Awards) for a reason.

There are only two valid use cases for systemd: first, as an interview question. I use it as a fast and easy way of classifying candidates; anyone who thinks systemd is in any way, shape, or form a good idea may safely be dismissed from any further consideration. Second, as a security wedge: there is so much new, poorly-written code in systemd -- with more being shoveled in all the time by Poettering's submissive kneeling fanboys -- that it provides all kinds of opportunities. (I'm being snarky but also serious: read the damn code. It's absolute crap, so much so that one could argue that the number of security holes exceeds the corpus of useful code.)

Comment Re:Seems defensible. (Score 3, Interesting) 38

How would it have damaged Google to (a) give credit where it's due and (b) cut a $50,000 check?

Answer: not at all.

In fact, it would help them, because it'd go a little way toward repairing the reputation they've spent the past several years damaging. And it'd be a far better choice -- in every possible way -- than trying to weasel out of it as they've done in this case.

What Google (and Microsoft, and others) have done by abusing the good faith and trust of security researchers has convinced a lot of them that they're better off just selling information to anyone who can/will pay. It's less aggravating and it has a higher payout. This isn't good for anyone, and 100% of the blame lies with these enormously wealthy corporations -- who could easily afford the expense, but are too greedy and too short-sighted to understand the damage they're doing.

Comment This is why "responsible disclosure" isn't (Score 5, Insightful) 38

This isn't the first, or the tenth, or the hundredth time this has happened to some security researcher dealing with some company. And even when their research is properly acknowledged and credited, the payouts are pitifully small. The entire concept of "responsible disclosure" is to guilt people who don't work for companies into free labor for them, donating it, and then receiving neither credit nor fair compensation.

It's time to discard not just the practice, but the entire concept, because the industry has proven that it concocted this nonsense as a one-sided deal, and that it will screw anyone/everyone at every possible opportunity. It's time for researchers to abandon any attempt to collaborate with companies, because it doesn't work.

What should they do instead? Just drop the vulnerabilites and let the companies deal with the fallout. They're too cheap, too lazy, and in too much of a hurry to make sure their products/services are secure before they start selling them, so they deserve what they get. Let them burn.

Comment Some things that would be helpful (Score 4, Insightful) 10

1. The list of "1 million fraudulent domains". I'd like to drop that list into the appropriate configuration files. I'd also like to see which registrar(s) are involved and who's providing DNS services for them.

2. The list of "9,000 fake websites". Same for these, and I'd like to see who's providing hosting for them.

This is a pet peeve of mine: reports like this come out, but the original source (Google in this case) doesn't publish the fundamental factual information that everyone needs to defend themselves AND to gain some understanding of how the threat works, so that everyone can defend themselves against the inevitable copycats. Instead we get a bunch of corporate PR-speak, which is utterly useless. So if you're reading this, Google: pony up.

Comment These disclosures aren't the worst of it (Score 1, Interesting) 35

The person(s) behind this series of disclosures are clearly highly intelligent, knowledgeable, and industrious. Microsoft should be paying them the minimal acceptable bug bounty -- per bug, which is this case is $1M USD. (Anything less than that is an insult.) But of course Microsoft is far too accustomed to lying, cheating, and screwing other people, it's so embedded in their corporate culture, that it has never occurred to them to even try to do the right thing.

Now to turn my attention to the Subject of this posting. Surely nobody thinks that the person(s) behind this particular effort are the only ones conducting such research. And it is importable that they are the most intelligent, most knowledgeable, and most industrious -- in other words, there are probably people out there somewhere who are even better. And, rather ominously, who aren't doing the world the enormous favor of making these known publicly.

That's an easy speculation to make, of course, but it's also congruent with history. "There's always someone cleverer than yourself" is a wise maxim because in all but a very, very cases it's accurate. So unless this one of those cases -- and I very much doubt that -- then there are one or more other person(s) out there discovering bugs of similar severity and consequences, and doing....well, we don't know what they're doing with them. If they're working for national intelligence agencies, then likely stockpiling them for future exploitation. If they're working for themselves, perhaps packaging and seller them on the open market. There are all kinds of possibilities and none of them bode well.

TL;DR: we have reached the point where it has become painfully obvious that Microsoft can't secure its own operating system for any even minimally acceptable value of "secure"; every day it becomes more obvious that they're losing.

Comment Welcome to the 1940's (Score 3, Insightful) 193

Researchers have been trying to solve this problem for a very, very long time -- using the same approach. Nobody's cracked it yet, and throwing a huge pile of money at a bunch of researchers seems unlikely to crack it in the kind of short timeframe amenable to investors.

I cited the 1940's in the Subject because that's when Hebbian learning was hypothesized. It's only one of the waypoints in the history of neural networks, and one could easily argue for any of the others, but in my view it's the one that marks the transition from systems that couldn't learn to systems that could. Of course current researchers have the advantage of all previous research and superior tools, and that will certainly help. but this is still largely unknown scientific territory.

There's also a major ethical question here: is this a good idea? That is, suppose they succeed: is that going to be good for humanity? What happens to every one of us if all of our labor, all of creativity, all of everything we do with our minds can be replaced? Particularly if it can be replaced with something that never gets tired, never gets sick, never grows old? How is this good for anyone except the billionaires - the same people building their climate-catastrophe bunkers, the same people funding life extension research, the same people funding cloning research, the same people exacerbating global warming? Are all of us just supposed to...die?

Comment Re:I don't buy the assumptions (Score 4, Interesting) 50

(One of my degrees is in physics, but string theory is not my lane: I deal with electromagnetic field theory.)

If the scientists are wrong, they will eventually figure out that they're wrong and fix it: that's how science works. For example: Abberation (astronomy). That article contains a paragraph that explains how stellar aberration was observed, explained incorrectly, explained better - but still incorrectly, and eventually explained correctly. Science is designed to be self-correcting, and while sometimes those corrections are difficult and contentious, they inexorably happen.

The assumptions you list are made by physicists because (a) we have no experimental evidence that they're wrong and (b) we have a mountain of experimental evidence demonstrating that they're right. If that changes, if even a single bit of experimental evidence shows that they're wrong then (1) someone will win a Nobel Prize and (2) science will apply the correction. But I strongly doubt this will happen.

As to string theory: my own feeling is that we may be only a few years from being able to conduct experiments that might invalidate it. Please read carefully: I'm not predicting that they will, I'm predicting that they will be capable of doing so. If I'm right about that, and those experiments are run, then either (a) they won't invalidate string theory, leaving the door open for more discussion and research, or (b) they will invalidate string theory. Of course if the latter happens, the people who've invested so much of their lives working on it will be very disappointed -- but because they're scientists, they'll accept it.

Rather than write more about this, I'm going to quote Carl Sagan: "The Cosmos is all that is or was or ever will be. Our feeblest contemplations of the Cosmos stir us -- there is a tingling in the spine, a catch in the voice, a faint sensation, as if a distant memory, of falling from a height. We know we are approaching the greatest of mysteries."

Slashdot Top Deals

Never appeal to a man's "better nature." He may not have one. Invoking his self-interest gives you more leverage. -- Lazarus Long

Working...