
Comment Does this guy know what a microkernel is? (Score 5, Insightful) 108

If you read TFA this guy says:

"The first feature is that the Kaspersky OS is based on microkernel architecture, which basically means using the minimum amount of ingredients to bake your own operating system. The OS can be custom-designed as per requirements by using different modification blocks. This is similar to what Cyanogen Inc. has implemented in the module-based form of Cyanogen Modular OS for smartphones."

Unless I have missed something Cyanogen's OS is still using a normal monolithic kernel. Actually this guy's description would pretty well include normal module loading and unloading in the Linux OS. Why do people who don't understand things try to explain them by comparing them to other things they probably also don't understand?

But then I read Fossbytes 'about us' page and realized that they are just another aggregator running out of Delhi, and their biggest claim to fame is 300,000 followers on social media. Can't we at least get a link to the horse's mouth like
instead of re-aggregating a poorly written pre-aggregated mention of the news?

Comment The hardware is completely knowable? (Score 1) 78

Umm, sure, 5 buttons, one of them being a fingerprint reader. Oh, and 3 axis accelerometer, multiple thermometers, a magnetometer, a microphone, a multitouch touch screen, a couple software defined radios, a lightning port that does more than just USB, whatever else I forgot. All capable of being inputs which can control things in the phone. I think maybe Mr. Gruber was fooled by the sleek exterior and thought he knew the hardware. The hardware is so unknowable that there are forum discussions about other stuff that might be in there but not enabled, like FM radios and barometers.

Anyone that refers to modern proprietary hardware as completely knowable simply proves they don't.

Of course the border between hardware and software, the "firmware" layer if you will, has gotten very flexible. Without the software the hardware is a brick. Without the hardware the software, well, isn't.

This whole debate is completely academic and useless. Every time an app crashes we have proof that software needs improvement. Every time a Note 7 bursts into flames or an iPhone gets the touch flu we know hardware needs improvement.

Talk about a waste of time, why do we pay attention to these experts?

Comment Relevance? (Score 5, Informative) 404

Buried in all the statistics abuse in the summaries there is a paper of significance only to historians. This paper is based on numbers for 2005-2007, before the financial crisis.

It also does not reflect work per person, but work for a theoretical average person age 15-64. Employment rate is a component of this person, so as employment rate drops so do the hours this average person works.

Actually, that feels intuitively wrong, the ~25 hours per week in the US seems way too high when employment rate is factored in, but I am not interested enough in how much we all worked 10 years ago to read the paper more carefully.

Besides, I don't have time for this, I have to get back to work.

Comment Re:IPv6 (Score 1) 207

ummm, how does moving to IPv6 make my internet connection bigger or my web server capable of handling more connections? The problem here is simply the number of connections, not the protocols they used to connect. For that matter, this was on Akamai infrastructure, do we have any idea what percentage of this attack was IPv6?

IPv6 is not a universal panacea, it simply fixes a few structural issues with IPv4 and makes the address space a lot bigger. (Actually IP space is bigger than MAC address space, we are gonna hafta fix that one sooner or later, a non-expiring universal MAC address is unsustainable since we throw a few away with every piece of hardware we dispose of.)

IPv6 does not prevent DDOS attacks or any other nefarious behaviour.

Comment Re:Wait a minute.. (Score 1) 207

I guess you aren't understanding a simple fact here. This is not devices that are spamming, this is thousands and thousands of devices, none of which is generating more traffic than could be legitimate.

The design of the internet says I can send packets from any device to any device on any port I choose, and that is what these bots are doing. I am sure that no single device out there is putting out as much traffic as a single high resolution web cam watching baby eagles hatch or many other non-evil uses.

This kind of attack is basically unstoppable, since much of the traffic is indistinguishable from normal web site visitors.

A technical solution would have to involve attacker device identification, by profiling traffic originating from pretty much every IP on the internet, and as such would not be a real time defense, it would be a long term, continuous, ongoing effort to identify and remedy every exploited device out there.

That pretty much means that no one can afford to dedicate the resources that are required, even state entities will not be willing to spend that much on such a cause. Actually, the state actors seem to be more interested in using exploitable devices than fixing them, and they sure aren't helping anybody else fix them.

And last time I checked easily exploited devices are being attached to the internet at an increasing rate with no sign of slowing in the future.

I agree about IP spoofing, if everyone set their routers up correctly it simply wouldn't exist, but I also don't think IP spoofing is a significant contributor to DDOS attacks. Why would the bad guys care if you know where the individual devices in their botnet are? They aren't on the hook if some ISP shuts down your smart TV or thermostat or Windows XP box for being bad.

I also was pretty impressed by the numbers in this attack, Akamai kinda shines in this story, they took surges over half a terabit a second and didn't fall over, they should use those numbers for advertising.

Comment Re:How is this patentable? (Score 1) 84

I agree, that is why this patent is different. The ringer adjuster (which actually just adjusts the distance from the solenoid clapper to the bell) is for all incoming rings. The patent in question here silences the ring for a single call, and you don't have to remember to turn it back up if you want to hear the next ring.

I grew up with mechanical phones, I remember the annoyance of missed calls because the ringer was accidentally left silenced.

It is a little tedious to read the ESL the patent is written in, but I do not recall ever seeing a silence 1 call button on a phone.

I am also quite sure if there was prior art Apple would have managed to unearth it in the years this case has dragged on.

Comment Re:Poor innocent Apple (Score 2) 84

Don't get me wrong, I am not sticking up for Apple's morals in this argument.

I am coincidentally a Mac user, and as MacOS diverges from its open BSD roots I come ever closer to ditching it, probably for Debian. Apple has consistently pushed MacOS further and further from the ideals which we attribute to Unix, programs that do one thing well, human readable config files, etc.

I think Apple took advantage of all the BSD hackers that built the foundation they stand on, but the "freedom" the BSD licenses stand for is the freedom that allows that exploitation. That particular ethos would rather allow the existence of parasites than limit any use at all of the software. There can be no "steal" when all are welcome to do as they see fit with the singular requirement to attribute.

In the GPL ethos there is indeed theft, because that freedom is one that strictly regulates the behaviour of the people who use the software, they are required to contribute if they release.

I am not going to judge in either direction. In my personal IT space I use FreeNAS and pfSense and Debian and MacOS. I don't use Windows, but not because of the EULA. I don't use Windows because it is a PITA to get it to do what I want, and every time you turn around I have to reboot the dumb thing for updates or leave it vulnerable to the attack of the week. In fact those same reasons are why I don't use Ubuntu and am considering changing my laptop from MacOS.

Comment Re:Poor innocent Apple (Score 1) 84

You cannot steal BSD unless you remove attribution. This is exactly the holy war being fought by Stallman. The BSD license specifically allows copying, modification, use, obfuscation and repressive licenses.

This is the great difference between the free licenses, and the one that makes BSD people call the GPL infectious. It is also probably the reason that Apple didn't even consider Linux for their OS.

In retrospect, I would rather have Mac OS in our environment than not, two competing closed operating systems is better than one, and Apple was never going to really have an open OS in spite of all their Darwin talk.

But disregarding philosophical wars Apple did not "steal" BSD.

Comment Re:Obvious (Score 5, Interesting) 84

If it is really obvious then where is the prior art?
Telephones are a couple years old now, and the ring silencer has been around for just about as long. In fact the old mechanical bell phones had ring volume control that just adjusted clapper/bell distance. However the patent in question is for a 1 time mute, you push the button and that call is muted but future calls are not. Even when land lines were all we had people would silence the ringer, then miss calls because they forgot to unsilence it.

Just because an idea is obvious in the sense of "Why didn't I think of that" after the patent is issued does not mean the patent fails the obviousness test.

I am fairly anti-patent, feeling that patent life needs to be strictly limited, and vague concepts should not be patentable, but this one has some merit. In fact, I am sitting here pondering how to implement a 1 call ring mute in an old mechanical analog phone, and it isn't obvious to me how to accomplish that.

In a cell phone context a call exists as an entity, in the analog world a ring is a singular event, going back to the days when a human operator cranked the handle and you had to count rings to know it was your call.

I suppose you could use a mechanical timer, that disengaged the bell clapper for a period of time. The first thought would be a clockwork snail type counter, but you never know how many rings comprise a call, so it would have to be a timer. It would at best be a guess, because it is entirely up to the caller how long to let the phone ring.

I recall in my younger years calling a friend who didn't want to talk and just letting the phone ring for minutes at a time. However he responded by just going off hook, and the phone switch would not release the line until both ends went on hook, so I annoyed him for a few minutes, but he took our phone offline for the whole evening.

Anyway, thanks for the opportunity to take a side I don't recall taking on the patent question before, and to recall a simpler time from my youth.

Comment Re:RFC5961 is flawed (Score 3, Interesting) 115

Actually, the global rate limiting may not be the problem, the fixed limit may be. If the global rate limit were periodically randomly set, instead of 100/second, somewhere between 95 and 105 per second, then this attack would not work. It depends completely on knowing the global rate limit, and assumes there is no other traffic generating challenge ACKs.

A per connection rate limit would not accomplish the purpose of a rate limit, but an unknown global rate limit that changed fairly often would prevent this information leakage. Based on the attack time in the paper I think a rate limit that reset to a random value at a random time from 3-5 seconds would make this attack useless.

If the time the limit changes is fixed then the attacker can synchronize with the reset clock and still achieve a workable attack window by probing to determine the new limit.

I suppose you could skip the lifetime and just change it every second, since then the attacker would have great difficulty synchronizing with the limit counter as described in the article.
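The comment above proposes replacing the fixed 100-per-second global challenge-ACK limit with one that is re-drawn at random (95 to 105) on a random reset interval (3 to 5 seconds). The model below is an added example, not the kernel's code or anything from the RFC: it simulates both limiters on a simulated clock so the difference is visible. The class name, the `seed` parameter and the `count_sent` helper are assumptions of this example.

```python
import random


class ChallengeAckLimiter:
    """Simulated global challenge-ACK rate limiter (model for this example,
    not the Linux implementation).

    With the defaults it behaves like the fixed limit discussed in the
    comment: exactly base_limit challenge ACKs per one-second window.
    With jitter > 0 and reset_min < reset_max it behaves like the
    commenter's proposal: a limit re-drawn in [base-jitter, base+jitter]
    each time a window of random length [reset_min, reset_max] expires.
    """

    def __init__(self, base_limit=100, jitter=0,
                 reset_min=1.0, reset_max=1.0, seed=None):
        self.base_limit = base_limit
        self.jitter = jitter
        self.reset_min = reset_min
        self.reset_max = reset_max
        self.rng = random.Random(seed)   # seed is only for reproducible tests
        self.window_end = 0.0            # simulated time at which limit resets
        self.limit = base_limit
        self.sent = 0

    def _new_window(self, now):
        # Draw the limit and the length of the next window. Both are
        # unknown to anyone outside the host, which is the defensive point.
        self.limit = self.base_limit + self.rng.randint(-self.jitter, self.jitter)
        self.window_end = now + self.rng.uniform(self.reset_min, self.reset_max)
        self.sent = 0

    def allow(self, now):
        """Return True if a challenge ACK may be sent at simulated time now."""
        if now >= self.window_end:
            self._new_window(now)
        if self.sent < self.limit:
            self.sent += 1
            return True
        return False


def count_sent(limiter, start, duration, demand):
    """Offer `demand` evenly spaced challenge-ACK triggers over
    [start, start + duration) and return how many the limiter let through."""
    sent = 0
    for i in range(demand):
        if limiter.allow(start + duration * i / demand):
            sent += 1
    return sent


if __name__ == "__main__":
    fixed = ChallengeAckLimiter(seed=1)
    print("fixed limit, 150 triggers in 1 s:", count_sent(fixed, 0.0, 1.0, 150))
    jittered = ChallengeAckLimiter(jitter=5, reset_min=3.0, reset_max=5.0, seed=7)
    print("random limit, 300 triggers in 1 s:", count_sent(jittered, 0.0, 1.0, 300))
    print("next reset at simulated t =", round(jittered.window_end, 2), "s")
```

With the fixed limiter the count observed in any busy second is always exactly 100; with the jittered limiter it lands somewhere in 95 to 105 and the window boundary itself moves, which is what the comment argues removes the information an outside observer can count on.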

Comment Re:Seems too scary to be believable (Score 4, Insightful) 115

Yeah, I am also having a little trouble with the "hackers anywhere". You can't inject into traffic you can't see, so saying you don't need a man in the middle is a little disingenuous. Yes, you don't need an actual man in the middle routing packets, but it appears that you need a controlled host on a subnet through which the traffic passes.

In a switched network even this would be insufficient, since in the terminal subnets (both client and server) IP traffic is only visible on the actual switchport to which the relevant host is connected.

In the routing subnets between the terminal subnets I would hope that any computers that exist (as opposed to hardware switches and routers and flow shapers and such) would be very carefully monitored and protected. I know on the college campus network I administer the routing subnets are very small (/29s or even /30s) and usually do not contain any general purpose computers.

If you have a compromised computer actually in a position to see IP traffic it has always been trivial to spoof TCP RST packets and such to break a connection.

So yes, the vulnerability exists, but I don't see anything that I will lose sleep over. The problem with the hack is it seems to require the hacker to have already owned a machine on one of the terminal subnets involved in the attack which can see a lot more than it should be able to. A promiscuous NIC still can't see switched traffic. If this is indeed the case there has been a severe misconfiguration on the network.

Even in a wireless scenario I am not sure it is a serious threat, unless the hacker has full visibility in the wired network behind the access points, since WPA2 is going to make packet injection pretty tough.

I looked briefly at the RFC mentioned, and it is attempting to make the old school "spoof a RST" type attacks harder, but those attacks should be very difficult on a modern network simply because layer 2 switching makes it hard to collect the parameters needed to build the layer 3 attack packets.

There was a company a decade or so ago (maybe they still exist, I dunno) called Audible Magic which was designed to prevent downloading copyrighted music. It required a span or mirror port so it could see the entire internet feed, it then watched TCP connections, did some sort of hash based song detection, then spoofed RSTs to both ends of the connection. Didn't work all that well, probably because it took too long to detect the song, and bittorrent made it useless because you don't get big enough pieces to fingerprint the song from a single connection, so we didn't have it around too long. I just don't understand how this attack works without that full sniffer connection.

If you were to combine some kind of storm attack in the network to cause the switches to fall into dumb repeater mode then yes, you could see the packets, but at that point the network is probably too dysfunctional for the target TCP connection to stay up anyway.

Comment Re:Float? Not quite. (Score 4, Informative) 238

hmm, that is a point. If the wheel stays up in the fender it may act as a very inefficient impeller, taking in water at the rear of the fender opening, the fender liner acting as the casing of a very poorly coupled pump.

It would work better if it was a fully skirted fender, which they aren't, so most of the water being pumped is going to just blast out sideways, mostly out, because the inside of the wheel well is lower than the outside.

Just guessing, without modeling, I think the thrust would be mostly down, with some backwards.

I don't know my Tesla models that well, but if it is AWD any thruster effect from the front wheels would be less, because of the larger wheel well clearances for turning, and would disappear almost entirely when the wheels were turned left or right at all.

Teslas probably have an advantage in this regard, because they have a pretty taut suspension, and probably won't droop as much as the cars us mere mortals drive, which at full droop can be almost entirely out of the wheel well, below the body of the car.

You are correct, I had not considered the ducting action of the fenders. However I stand by my final judgement that the car in the video is not floating.

Comment Float? Not quite. (Score 5, Insightful) 238

I am sorry, but that car wasn't floating. The wheels and tires on a Tesla are going to have no forward thrust, because the entire wheel will be submerged, meaning the top of the wheel is thrusting backwards just as well as the bottom is thrusting forward.

The low profile tires on the Tesla are going to have minimal thrust anyway, because the tread is not even vaguely paddle like. For reference look at this video of the bigfoot monster truck floating across a lake. Even that truck with duallies on it (total of 8 monster truck wheels), which did float high enough for the big mudders to act like paddles, didn't make as quick forward progress as an old man in a canoe, and was extremely slow to respond to steering input.

The Tesla in the video not only has enough power to push a big bow wave, it has enough steering traction to slalom through the other cars on the road. The weight of that car was obviously enough to keep the tires on the pavement at that water depth. I am not denying that the Tesla could float, nor am I denying that it may be water tight enough to float well, but it will be pretty much powerless and uncontrolled while floating.

Mr. Musk is very proud of his car, but on this video I call BS. That is not floating.

Comment Good Idea (Score 5, Insightful) 343

Now let us just tweak it a little...

Sometimes airplane crashes are fiery, styrofoam burns easily, let's wrap them in a tough stainless steel shell.

Oh, when that shell gets hot, the styrofoam will melt, and the heat will destroy the flash drives. If we use a special wax instead the wax will absorb heat as it changes state, that will protect the drives.

Hmm, now they don't float, even if we wrap them in something floaty it may get burned/torn off in a crash. We could put an audio transducer in them, and when they get "unplugged" in a crash they could start automatically pinging.

But just having coordinates won't help us figure out why the plane crashed, let's record a bunch of environmental and control status on them as well.

Of course it would be nice to be able to cast some light on why the controls were in the state they were in, maybe we should record an audio stream from the cockpit as well.

Hey, that might be too much data for this single box, let's put 2 of them on the plane, one for enviro/mechanical status and location, and one for the human side of the equation.

Oh, wait.......

Comment Re:Necessary? (Score 2, Insightful) 269

Is it really necessary to bring the gender component into this?

She is a brilliant person who was instrumental in our space program. Isn't that enough?

There, fixed that for you.

Seriously, as human beings, the people we look up to and emulate, the people who inspire us, are people with whom we identify in some way. The details are what allow us to identify with them.

The particular person in this story is more readily inspirational to women, and to blacks, because they can identify with those facets of her identity.

There are other details of her life that would add additional groups that could identify with her, people from her town, people who went to her school, people who share her hobbies, etc.

If I reduce all people who do remarkable things to just 'persons' they are all amazing, but I can not identify with or emulate them, that requires details, handles for my emotions to grab on to.

Currently I am looking for remarkable things done by mid 40s out of shape men, because I can identify with that. That means I can do great things too.

On a tangent this is also why biographies are crucial reading. History is only history until you can identify with the individuals who made it.

So in this case, you aren't black, or a woman, so it doesn't apply? Maybe you need to take 20 minutes and see if there is something you have in common with this person.

(wiki......) Damn this woman was the bomb! She did a bunch of inspirational and important stuff before she went to work at NASA. Went to college to be a teacher, went back to grad school to desegregate it, spent 15+ years teaching, all before deciding to be a mathematician.

Not really a lot for me to identify with, wikipedia doesn't have enough details. She lost her first husband to brain cancer, there is another detail that means something to a specific group of people. She sang in the church choir, that is something to some people. She had three daughters. I have a daughter. There are definitely things that she and I share in the parenting of daughters.

Wow, raising three daughters with energy left to accomplish things. I identify with that.

So is it really necessary to bring race or gender into this? Yes, it really is. Without them she is an achiever, with them she is a role model.
