
Comment Re:RFC5961 is flawed (Score 3, Interesting) 115

Actually, the global rate limiting may not be the problem, the fixed limit may be. If the global rate limit were periodically randomly set, instead of 100/second, somewhere between 95 and 105 per second, then this attack would not work. It depends completely on knowing the global rate limit, and assumes there is no other traffic generating challenge ACKs.

A per connection rate limit would not accomplish the purpose of a rate limit, but an unknown global rate limit that changed fairly often would prevent this information leakage. Based on the attack time in the paper I think a rate limit that reset to a random value at a random time from 3-5 seconds would make this attack useless.

If the time the limit changes is fixed then the attacker can synchronize with the reset clock and still achieve a workable attack window by probing to determine the new limit.

I suppose you could skip the lifetime and just change it every second, since then the attacker would have great difficulty synchronizing with the limit counter as described in the article.
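
The randomized-limit idea in the comment above, as an added example that is not part of the original post (and not the paper's code or any kernel's implementation): a small model of a global challenge-ACK budget. `responses_seen`, `consistent_other_traffic` and `JitteredBudget` are names chosen here; the figures 100/s, 95 to 105 and 3 to 5 s are the comment's own. `consistent_other_traffic` lists every amount of unrelated challenge-ACK traffic that could explain a given response count, so a one-element list means the count leaks that amount exactly, and a longer list means the randomized budget has made the count ambiguous.

```python
import random

# Constructed model of a global challenge-ACK budget, written to illustrate
# the comment above. It is not the paper's code and not any kernel's code;
# the numbers 100/s, 95-105 and 3-5 s are the comment's own.


def responses_seen(budget, other_traffic, probes):
    """Number of challenge ACKs an observer gets back within one second.

    `budget` is the global per-second limit, `other_traffic` the challenge
    ACKs already consumed by unrelated connections, and `probes` the number
    of packets the observer sends that would each elicit one challenge ACK.
    """
    remaining = max(0, budget - other_traffic)
    return min(probes, remaining)


def consistent_other_traffic(observed, lo, hi, probes):
    """Every value of other_traffic that could explain `observed` responses
    when the per-second budget is drawn uniformly from [lo, hi].

    With lo == hi (a fixed, known limit) the list has exactly one entry, so
    the response count reveals other_traffic exactly. With a spread of
    budgets the same count is explained by several values, which is the
    ambiguity the comment relies on.
    """
    candidates = set()
    for budget in range(lo, hi + 1):
        for other in range(0, budget + 1):
            if responses_seen(budget, other, probes) == observed:
                candidates.add(other)
    return sorted(candidates)


class JitteredBudget:
    """Per-second budget that is re-drawn from [lo, hi] after a random
    interval of reset_lo..reset_hi seconds (the comment's 3-5 s suggestion).

    advance(now) returns the budget in force at time `now` (seconds).
    """

    def __init__(self, lo, hi, reset_lo, reset_hi, rng=None):
        self.lo, self.hi = lo, hi
        self.reset_lo, self.reset_hi = reset_lo, reset_hi
        self.rng = rng or random.Random()
        self.budget = None
        self.next_reset = 0.0

    def advance(self, now):
        # Re-draw the budget only when the random reset time has passed, so
        # the limit is stable for a few seconds but unknown in advance.
        if self.budget is None or now >= self.next_reset:
            self.budget = self.rng.randint(self.lo, self.hi)
            self.next_reset = now + self.rng.uniform(self.reset_lo, self.reset_hi)
        return self.budget


if __name__ == "__main__":
    # Fixed limit of 100/s: seeing 99 responses pins other_traffic to 1.
    print(consistent_other_traffic(99, 100, 100, 100))
    # Limit drawn from 95..105: the same 99 responses could mean 0..6.
    print(consistent_other_traffic(99, 95, 105, 100))
    jb = JitteredBudget(95, 105, 3, 5, random.Random(1))
    print([jb.advance(t) for t in (0.0, 1.0, 2.0, 6.0)])
```

Running it prints `[1]` for the fixed limit and `[0, 1, 2, 3, 4, 5, 6]` for the jittered one: with the limit unknown within a range of 11 values, seven different amounts of unrelated traffic all produce the same 99 responses, which is what makes the per-second count useless as a signal. `JitteredBudget` only models the reset schedule; the comment's point that a fixed reset time could be synchronized against is why the interval itself is drawn at random.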

Comment Re:Seems too scary to be believable (Score 4, Insightful) 115

Yeah, I am also having a little trouble with the "hackers anywhere". You can't inject into traffic you can't see, so saying you don't need a man in the middle is a little disingenuous. Yes, you don't need an actual man in the middle routing packets, but it appears that you need a controlled host on a subnet through which the traffic passes.

In a switched network even this would be insufficient, since in the terminal subnets (both client and server) IP traffic is only visible on the actual switchport to which the relevant host is connected.

In the routing subnets between the terminal subnets I would hope that any computers that exist (as opposed to hardware switches and routers and flow shapers and such) would be very carefully monitored and protected. I know on the college campus network I administer the routing subnets are very small (/29s or even /30s) and usually do not contain any general purpose computers.

If you have a compromised computer actually in a position to see IP traffic it has always been trivial to spoof TCP RST packets and such to break a connection.

So yes, the vulnerability exists, but I don't see anything that I will lose sleep over. The problem with the hack is it seems to require the hacker to have already owned a machine on one of the terminal subnets involved in the attack which can see a lot more than it should be able to. A promiscuous NIC still can't see switched traffic. If this is indeed the case there has been a severe misconfiguration on the network.

Even in a wireless scenario I am not sure it is a serious threat, unless the hacker has full visibility in the wired network behind the access points, since WPA2 is going to make packet injection pretty tough.

I looked briefly at the RFC mentioned, and it is attempting to make the old school "spoof a RST" type attacks harder, but those attacks should be very difficult on a modern network simply because layer 2 switching makes it hard to collect the parameters needed to build the layer 3 attack packets.

There was a company a decade or so ago (maybe they still exist, I dunno) called Audible Magic which was designed to prevent downloading copyrighted music. It required a span or mirror port so it could see the entire internet feed; it then watched TCP connections, did some sort of hash based song detection, then spoofed RSTs to both ends of the connection. Didn't work all that well, probably because it took too long to detect the song, and bittorrent made it useless because you don't get big enough pieces to fingerprint the song from a single connection, so we didn't have it around too long. I just don't understand how this attack works without that full sniffer connection.

If you were to combine some kind of storm attack in the network to cause the switches to fall into dumb repeater mode then yes, you could see the packets, but at that point the network is probably too dysfunctional for the target TCP connection to stay up anyway.

Comment Re:Float? Not quite. (Score 4, Informative) 238

hmm, that is a point. If the wheel stays up in the fender it may act as a very inefficient impeller, taking in water at the rear of the fender opening, the fender liner acting as the casing of a very poorly coupled pump.

It would work better if it was a fully skirted fender, which they aren't, so most of the water being pumped is going to just blast out sideways, mostly out, because the inside of the wheel well is lower than the outside.

Just guessing, without modeling, I think the thrust would be mostly down, with some backwards.

I don't know my Tesla models that well, but if it is AWD any thruster effect from the front wheels would be less, because of the larger wheel well clearances for turning, and would disappear almost entirely when the wheels were turned left or right at all.

Teslas probably have an advantage in this regard, because they have a pretty taut suspension, and probably won't droop as much as the cars us mere mortals drive, which at full droop can be almost entirely out of the wheel well, below the body of the car.

You are correct, I had not considered the ducting action of the fenders. However I stand by my final judgement that the car in the video is not floating.

Comment Float? Not quite. (Score 5, Insightful) 238

I am sorry, but that car wasn't floating. The wheels and tires on a Tesla are going to have no forward thrust, because the entire wheel will be submerged, meaning the top of the wheel is thrusting backwards just as well as the bottom is thrusting forward.

The low profile tires on the Tesla are going to have minimal thrust anyway, because the tread is not even vaguely paddle like. For reference look at this video of the bigfoot monster truck floating across a lake. Even that truck with duallies on it (total of 8 monster truck wheels), which did float high enough for the big mudders to act like paddles, didn't make as quick forward progress as an old man in a canoe, and was extremely slow to respond to steering input.

The Tesla in the video not only has enough power to push a big bow wave, it has enough steering traction to slalom through the other cars on the road. The weight of that car was obviously enough to keep the tires on the pavement at that water depth. I am not denying that the Tesla could float, nor am I denying that it may be water tight enough to float well, but it will be pretty much powerless and uncontrolled while floating.

Mr. Musk is very proud of his car, but on this video I call BS. That is not floating.

Comment Good Idea (Score 5, Insightful) 343

Now let us just tweak it a little...

Sometimes airplane crashes are fiery, styrofoam burns easily, let's wrap them in a tough stainless steel shell.

Oh, when that shell gets hot, the styrofoam will melt, and the heat will destroy the flash drives. If we use a special wax instead the wax will absorb heat as it changes state, that will protect the drives.

Hmm, now they don't float, even if we wrap them in something floaty it may get burned/torn off in a crash. We could put an audio transducer in them, and when they get "unplugged" in a crash they could start automatically pinging.

But just having coordinates won't help us figure out why the plane crashed, let's record a bunch of environmental and control status on them as well.

Of course it would be nice to be able to cast some light on why the controls were in the state they were in, maybe we should record an audio stream from the cockpit as well.

Hey, that might be too much data for this single box, let's put 2 of them on the plane, one for enviro/mechanical status and location, and one for the human side of the equation.

Oh, wait.......

Comment Re:Necessary? (Score 2, Insightful) 269

Is it really necessary to bring the gender component into this?

She is a brilliant person who was instrumental in our space program. Isn't that enough?

There, fixed that for you.

Seriously, as human beings, the people we look up to and emulate, the people who inspire us, are people with whom we identify in some way. The details are what allow us to identify with them.

The particular person in this story is more readily inspirational to women, and to blacks, because they can identify with those facets of her identity.

There are other details of her life that would add additional groups that could identify with her, people from her town, people who went to her school, people who share her hobbies, etc.

If I reduce all people who do remarkable things to just 'persons' they are all amazing, but I can not identify with or emulate them, that requires details, handles for my emotions to grab on to.

Currently I am looking for remarkable things done by mid 40s out of shape men, because I can identify with that. That means I can do great things too.

On a tangent this is also why biographies are crucial reading. History is only history until you can identify with the individuals who made it.

So in this case, you aren't black, or a woman, so it doesn't apply? Maybe you need to take 20 minutes and see if there is something you have in common with this person.

(wiki......) Damn this woman was the bomb! She did a bunch of inspirational and important stuff before she went to work at NASA. Went to college to be a teacher, went back to grad school to desegregate it, spent 15+ years teaching, all before deciding to be a mathematician.

Not really a lot for me to identify with, wikipedia doesn't have enough details. She lost her first husband to brain cancer, there is another detail that means something to a specific group of people. She sang in the church choir, that is something to some people. She had three daughters. I have a daughter. There are definitely things that she and I share in the parenting of daughters.

Wow, raising three daughters with energy left to accomplish things. I identify with that.

So is it really necessary to bring race or gender into this? Yes, it really is. Without them she is an achiever, with them she is a role model.

Comment Re:Inconceivable (Score 1) 66

Fill it from what? /dev/urandom isn't even that fast on any normal hardware, and it would take a lot of spindles and a dedicated 100Gb/s network card to fill that pipe. This thing isn't practical for anything in a normal datacenter. The only place I can see something like this currently being a justifiable purchase would be as caching drives in a massive data acquisition system, like the LHC or similar, or very large scale modeling, like weather. I am actually curious about the capacity of these drives, is it going to be cheaper than similar quantities of RAM? Some of the applications that make sense are also candidates for large RAM caches, which are just as fast.

It is interesting to consider a machine with no RAM. This drive is faster than the slower DDR3 rates, which at first glance would mean that someone could design a truly non volatile computer: all state information except for processor registers is non volatile, so enough capacitor on board would allow a machine to write current pipeline contents to the SSD on power down, and it could resume exactly where it was on power up, only costing a CPU cache flush.

Of course TFA seems to indicate that it is pretty power hungry, so that kinda dampens excitement about an instant on/off device, since most of the uses I see for that include power saving, either for unreliable power (off grid stuff) or long battery life, like a laptop with instant zero power hibernation.

As cool as this is, it isn't going to make a difference for normal PCs for at least a couple product cycles. It is fun watching the ongoing convergence of RAM and disk storage speeds and prices. There is a future in view now when we won't need to differentiate.

Comment The man is a marketing genius (Score 3, Interesting) 207

Right now the auto industry is reeling from a series of serious "we had a problem, but we didn't want to say anything" scandals, from the GM ignition switch to the VW super smoggers, and don't forget the shrapnel bags. The entire ecosystem is full of distrust, some of it fairly active distrust.

In this environment a one off assembly mistake where there was no accident, no damage of any kind, is a marketing opportunity you couldn't even buy in a normal market environment.

Musk already recalled all his cars once, to bolt extra belly armor on them because of an accident which would have been considered extreme in any vehicle, and in which his car came out smelling like a rose.

This recall is going to be a lot cheaper. No engineering, not even any replacement parts, but now Tesla is Even More Different(tm) because they recalled a potential problem immediately, before anybody even asked about it.

Based on Musk's previous behaviour I think he really cares that his products are perceived as the best. I am not making a character reference because I don't know the guy, but he obviously cares about at least the appearance of superlativeness.

The guy runs a marketing machine that reminds me of the late Mr. Jobs in his prime.

Comment Forbes (Score 2) 103

I really hate to contribute to the hate noise the haters bring, but I really hate to visit websites that hate to let me see the site without allowing scripting I hate from dozens of hated sources.

Could we get some kind of automated indicator when a link points at a site that just won't load with NoScript?

I don't think I am a tinfoil hat paranoid, I just don't like to have to allow 17 different sites to run scripts in my browser just to read an article. After reading a few comments it looks like I didn't miss much this time.

Comment Re:Goolge fiber next. (Score 4, Informative) 165

Wow! Talking through your hat much?

Independent contractors most certainly can be forced to use and buy uniforms. If the contract says "provide service X while wearing uniform Y" and you accept the contract you most certainly are required to wear uniform Y. Just like a contractor can be required to use specific materials for a job.

A contract can also require when a job is done, such as "paint the walls of our building using [specific brand and color code] paint, work will be performed after hours between 5PM and 8AM, to be completed by November 15th 2015."

The difference between a contractor and an employee is rooted in the negotiation and powers of the parties.

If the worker answers to a boss for day to day instructions, has little or no say in the compensation level, is contractually prevented from working for others, paid on a regular time basis and is scheduled by the employer then they are pretty much sure to be considered an employee.

If the worker is just required to meet deadlines, is paid by the job, has freedom to work elsewhere, and freedom to hire their own help then they are generally going to be considered an independent contractor.

A contractor cannot be fired. They can lose the job if they fail to meet the terms of the contract, but for the length of that contract they are not susceptible to the whims of a grumpy PHB, and the contractor has the same right to initiate a breach of contract suit as the company who hired them.

The grey areas that are showing up in recent class actions are pretty much all the result of companies wanting to avoid the responsibilities of employees, such as unemployment insurance, workers comp, disability, etc, but wanting to regulate the worker/customer interface to preserve a consistent corporate image.

Because these are large corporations contracting individuals to a large extent the contractor does not have any power of negotiation, the corporation writes the contract, and contractors can take it or leave it. This does introduce a bias against the independent contractor classification.

I think in many of these cases the workers will win, because the company is really trying to say "you don't work for me, but you have to represent me in a strictly defined way".

If a company really wanted to do this with contractors the right way they could write a contract that regulated the workers as strictly as they wanted, then put the contract out for bid. This would shift the negotiation power toward the worker, let them name their own price, but it would also cost the company a lot more money, because people bidding on a contract are either going to name a price that actually reflects their money/time investment, or if they grossly underbid to get the job, they will not be able to actually fulfill the contract requirements.

An actual example:

Your mailman is a government employee, benefits, insurance, the whole kit and caboodle. In rural areas he is actually required to provide his own vehicle, but is an employee.

The truck that takes your mail between sorting centers is probably an independent contractor. That particular contract has pretty strict time requirements, and a bunch of hoops to jump through (after all, it is a government contract) but the government is not concerned about that contractor representing them, because they do not interact with the customer. The contractor provides and maintains the equipment, hires their own drivers, and bids competitively to get the contract every time it comes to an end. They run some pretty ratty trucks sometimes. I have seen U.S. Mail painted on trailers that have other logos just painted over, being pulled by tractors that look like they were purchased third hand.

If the contractor underbids the job he will either suck it up and lose money (if they have the capital to do that) or will be forced to break the contract.

But any way you look at it a contract can be so specific as to specify the brand of toothpaste the contractor uses. The specificity of the contract is not the primary differentiator between the employee and contractor classification.

Comment Did anybody else think about who InFocus is? (Score 2) 224

This isn't a computer company, this is a projector company. Did no one else immediately think "Oh, they are going to build the dock into projectors, you have a conference room system in one piece that just needs a wireless keyboard/mouse/presentation remote."

The battery means the projector can be as small as a pico projector, with its own built in battery and you have a complete presentation system that fits easily in the briefcase with your sales literature and you are completely wireless.

Add a smartphone with hotspotting, you have complete connectivity (unless you live in the boonies where I live) with no other pieces required for your sales presentation, whether it is in a hotel room or the corner of a McDonald's.

So yeah, all us geeks want to know how it would work in a beowulf cluster, but I think the real target is going to be non-geeks who really can benefit from not having to worry about whether the potential client has a projector with VGA or HDMI in the conference room.

In the longer view of things, if InFocus standardizes on this dock connector you can upgrade the computer or the projector one at a time. At this price you could even have computers dedicated to a specific presentation, swap the computer, the IT guys back at $bigCo set it up to auto run, you just plug in the computer with your presentation on it. Even easier than swapping out those itty bitty micro SD cards.

Comment WTF? (Score 5, Informative) 220

What is all this doom and gloom about Debian spiralling into oblivion and the end is coming? Did anybody read TFA before posting? The only thing that I can see from the LSB that has actually had a positive effect on me is the FHS, to which Debian is still adhering.

The LSB in its entirety actually contains a list of required libraries and standardized symlinks which may or may not be used on a system, but which must be there for "LSB compliance". IRL Debian package maintainers spend a lot of time and effort building dependency lists into their packages so you DON'T have to have all those libraries on your system if you are not going to use them.

If you use dpkg or a wrapper (apt-get, aptitude, etc) to manage your system the LSB requirements are redundant at best and bloatware at worst.

The only situation where something like the LSB really makes sense is proprietary copy and run programs that depend on proprietary pieces. Even closed source proprietary software can utilize the apt database to resolve dependencies if it only has open source dependencies, or if the company hosts their own repository.

A large company running large numbers of Linux machines that wanted to standardize will probably (hopefully) do so to meet their requirements, rather than a generalized LSB desktop spec which attempts to be all things to all people.

If people went to their local computer store and bought software packages on CDs, and installed them on computers that did not have internet connectivity, then yes, up with the LSB. Do you do that? I don't even use a full installer package to install an OS anymore, just a network capable installer that then pulls all the dependencies in the appropriate versions from a repository on the net.

Yes, it was a noble concept, to try to define a standard set of always available libraries, and where they were, but in reality you rapidly run into the same problem software has on Windows, where software is written to depend on shared DLLs, but because people don't update their OS, or because people do update before the developer tests against a new version of the shared DLL, software starts shipping with its own copy of the relevant DLLs, and you end up with multiple versions of standard DLLs on your system.

When I started playing with Slackware years ago, I really wished for something like the LSB, because I was sneakernetting everything home or taking days to download things on dialup. Those days are now distant memories.

Both rpm and apt solve the same problems, but do so without requiring a pile of unused libraries that just sit around cluttering up your system.

And just as a last point, how in the world does the LSB/NO LSB discussion compare in any way to the systemd/sysvinit discussion? One of them fundamentally changes the way a system operates, the other one just installs a bunch of packages that you can install just fine on your own. That's not an apples and oranges comparison, that is an apple and cinderblock comparison.

Comment Solar powered electric fence charger (Score 1) 403

A solar powered electric fence charger is designed for neglect. The fence itself will be useless, weeds will ground it fairly quickly, and anybody who maintains them knows a fence won't last a year unmaintained, but the solar powered charger will keep ticking as long as the battery lasts, and will probably keep trying even after the battery fails. The cheap little solar powered yard lights also should keep working for quite a while, at least the ones that aren't DOA when they are purchased.

But all devices that rely on a battery will be outlasted by devices using RTGs for power, or direct solar devices that don't use a battery, like those car ventilation fans you put in your car window.

The type of devices built with RTGs (Satellites and Mars rovers) are the absolute highest quality components assembled and tested with the best quality control, while the solar powered car ventilation fan is built by an 11 year old Chinese kid working an 18 hour shift, so I am betting on the satellites.
