


Comment Re:Executes more code but runs faster ? (Score 1) 531

The "better" counter to the original argument is that not all bugs are memory overruns.

Back in the early nineties I was reading the manual page for the daemon that would send a message to a terminal when a mail message came in. I concluded, from the "published specs" that I could trick it to do "nasty" things. And that turned out to work.

This is an example where no overrun, just the published actions of a program lead to a security issue.

Comment Formal verification is worthless IRL. (Score 2) 531

When you write a program that needs to print the primes up to a certain number, you can easily create a formal proof that your program is correct.

But when your program is say "apache", that needs to interact with many different browsers on one side, and interpret PHP scripts that interact with databases, this formal proof becomes impossible. Similarly, you cannot write a formal spec for the interaction with the user in for example, a web browser.

Even though both examples I put forward today (web server and web browser) didn't exist back then, I've held this opinion for thirty years (spring 1987).

Comment Same with Samsung. (Score 1) 387

There I actively performed the firmware update myself. The new firmware rejected the non-original cartridges. After a few tests the 123inkt-support team said: "well then, it seems your cartridge is broken". So they sent me a new one, I returned the old one, and since then I've been printing again. (I was going to say something like "happily", but for honesty I must leave that out....)

Comment Why doesn't anybody get their facts straight? (Score 3, Informative) 228

After googling around a bit, stories about running a bash shell on windows pop up.

It isn't "running Linux" on windows. That would imply that there is a Linux kernel running that actually manages hardware. This impression of "running on hardware" is enhanced by the slashdot summary.

None of this. Windows is simply providing those Linux system calls that allow commandline apps to run. A story then mentioned that servers would not run. That's odd: When "bash" runs and say applications like ping, ssh and telnet, you'd have to go to great lengths to prevent another app like "apache" from running.

But if what I hear is true, this is only useful for the most basic of things, no graphical capabilities. I might be an old fart that uses the commandline a lot, but that becomes useful in combination with a bunch of graphical tools that display what I need to know on a graphical screen.

As to security: the implied trick of running a linux kernel that also has access to the windows block devices is very prone to bugs and security issues. But all that is not the case: It's just another program running in an operating system, using a slightly different set of API calls. If the emulated Linux system calls end up calling windows-internal stuff AFTER the "permissions checking" that normal windows calls would do then you have a problem. It tells a lot about how badly windows is layered.

Comment mi (Score 1) 133

.... John von Neumann said..... in 1947:

      It would appear that we have reached the limits of
      what it is possible to achieve with computer technology,
      although one should be careful with such statements,
      as they tend to sound pretty silly in 5 years.

For the record: I have produced this quote around 20 years ago when similar statements about the "end of moore within 5-10 years" were made.

Comment Re:Yes (Score 1) 245

You are entirely correct that "audit at the interface" is a good idea. The problem here is that the interface is hidden inside the CPU. And the "interface" is undisclosed. What if there is a broadcast packet that, when the PC is off, puts the ME into slave mode? Yea, come out of powerdown, do NOT enable video (keep the monitor blanked), send the harddisk contents to NSA...
You can "see it happening" at the network interface (third meaning of that word) when it happens, but there might be a cryptographically secure way of preventing you from finding/probing that packet. In this case I mean with cryptographically secure that it is unfeasible to find it by brute force. Not that you can't see it come by on the net if it happens while you're looking. For such a feature: "all ME's report NOW" you can't have individually encrypted codes. So it would work for every one, e.g. a static say 256bit random password would be an example.

Anyway, this ME is embedded deep enough that it is difficult to probe at the interfaces (you can't cut the trace that connects it to the rest of the system so that you can be sure it is turned off), and it has enough access to be able to do serious harm....

For example: Say the NSA secretly downloads your whole harddisk. But... you say: it's encrypted, don't worry! The ME has enough access that, when under control of "bad guys", it can halt your CPU just as it has obtained the key to your harddrive. Next time you boot the PC a mysterious packet flies off to some remote IP address...

Comment Illegal? (Score 1) 118

> Both are illegal and they will commit double offense
Ehh. Yeah, so what is different from the older tactic of promising to pop someone's kneecaps? I'm told this is illegal too.

Shady lenders use shady tactics to force their clients to repay them. That's how it works. Now they have moved to the "internet" and "I know where to find you! (silently promises to pop kneecaps) " is no longer a threat to someone "far away" online, possibly through tor or whatever.

I find the new strategy less barbaric than the old one actually....

Comment I call bullshit. (Score 5, Interesting) 148

There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.

And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!

Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.

You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.
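The two checks this comment calls elementary, as an added example that is not part of the comment: an authenticated user may only be served the record bound to their own session, not whatever uid the URL names, and a payment confirmation is compared against the amount the server itself recorded, never the amount carried in the URL. The session store, profile records, order book and the function names below are all constructed for illustration; the "logged-in only" and "trusting URL" variants reproduce the defect the comment describes, beside their hardened counterparts.

```python
"""Added example (not the commenter's code): the owner check and the amount check
the comment calls elementary. All names and records below are constructed."""
from decimal import Decimal

# Constructed session store: session cookie -> authenticated user id.
SESSIONS = {"cookie-alice": 1234, "cookie-bob": 1235}

# Constructed profile records, keyed by the uid that also appears in the URL.
PROFILES = {
    1234: {"name": "alice", "email": "alice@example.invalid"},
    1235: {"name": "bob", "email": "bob@example.invalid"},
}


def fresh_orders():
    """Constructed order book; a new copy per call so the demos share no state."""
    return {"order-77": {"owner": 1234, "amount": Decimal("15.60"), "paid": False}}


def profile_logged_in_only(session_cookie, uid_in_url):
    """The pattern the comment criticises: checks only that *someone* is logged in,
    then serves whatever uid the URL names (so uid=1234 -> uid=1235 just works)."""
    if session_cookie not in SESSIONS:
        raise PermissionError("not logged in")
    return PROFILES[uid_in_url]


def profile_owner_checked(session_cookie, uid_in_url):
    """Hardened: the uid taken from the URL must equal the uid bound to the session."""
    uid = SESSIONS.get(session_cookie)
    if uid is None:
        raise PermissionError("not logged in")
    if uid != uid_in_url:
        # A real app would answer exactly as for a missing record, so the
        # rejection does not reveal which uids exist.
        raise PermissionError("not your profile")
    return PROFILES[uid_in_url]


def confirm_payment_trusting_url(orders, order_id, amount_in_url):
    """The pizza-site pattern: the amount shown in the redirect URL is believed and
    the order is released without comparing it to anything."""
    order = orders[order_id]
    order["paid"] = True
    return f"Thank you for your payment of {amount_in_url}, your pizza is on its way!"


def confirm_payment_server_side(orders, order_id, amount_paid):
    """Hardened: the amount the payment provider reports is compared against the
    total the server stored when the order was created; the URL is never consulted."""
    order = orders[order_id]
    if Decimal(amount_paid) != order["amount"]:
        return (f"Payment of {amount_paid} does not match order total "
                f"{order['amount']}; order not released.")
    order["paid"] = True
    return "Thank you for your payment, your pizza is on its way!"


if __name__ == "__main__":
    # Bob, logged in as 1235, asks for uid=1234 in the URL.
    print(profile_logged_in_only("cookie-bob", 1234))      # alice's record leaks
    try:
        profile_owner_checked("cookie-bob", 1234)
    except PermissionError as exc:
        print("owner check:", exc)
    # The $15.60 order, "paid" with $0.10.
    print(confirm_payment_trusting_url(fresh_orders(), "order-77", "0.10"))
    print(confirm_payment_server_side(fresh_orders(), "order-77", "0.10"))
```

The `Decimal` comparison matters: amounts held as floats would let 15.60 and 15.599999 disagree or agree by accident, and a string compare would let "15.6" slip past a check for "15.60".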

Comment Bitkeeper gripes. (Score 1) 197

Getting used to an SCS and getting better at using it efficiently is a hassle. So at one point in time, I decided to "learn" bitkeeper and use it. After I had invested some time and effort in the suite, suddenly the licence is changed and it becomes incompatible with my use of the software. Do you think I'm going to switch back after 11 years? Nah! Not me. And actually git is a lot better. Linus wrote git to be good at a few things that are important to him and "his" little project (that isn't very little). Linus' intuition about what's important is good. That's what makes Linux and Git successful.

Comment UBI isn't that bad. (Score 1) 866

Here in the Netherlands, there are a bunch of people who are on welfare. Or social security, or whatever you may call it. They are in the situation that when they start to work, they will lose their right to that. So the first $1500 they earn each month, they get to keep... almost nothing. Now you wonder why they hang around and do nothing?
If, as a society, we provide everyone with a basic income (disabled, without a job due to no fault of the person him/herself, too old to work or just plain lazy), then for every dollar you earn, you get to keep most of it. No reason to cheat by working illegally, not a huge discontinuity when going from "can't work due to medical reasons" to "might be able to work part-time in another line of work".

Mind you.... The $2500 is way too much (at least here). The basic income should be enough that you can live in basic circumstances, but without many luxuries. If you want a car, work for it. If you want a vacation, work for it.

Comment Re:Legal? (Score 1) 321

So let me make up an example story.

You're going on vacation or business trip and call a cab to go to the airport. You put your luggage in the trunk, have a pleasant conversation on the way to the airport and after you pay the driver, he says: Sorry sir, but the trunk-security-system detected [something dangerous that is NOT in your luggage], your luggage is being safely destroyed, have a nice day.

You agreed to the "terms and conditions" of the cab company that they may scan your luggage and proceed as appropriate when they detect something dangerous. That seems entirely plausible and acceptable, until it hits a false positive and they are destroying YOUR property.

Somehow, it seems that SOME people feel "safe" that something is being done. But taking people's property because of a perceived threat is wrong. It would be acceptable if they say: "Your transfer triggered a double check, it will go through with a couple of days delay". If someone really thinks this is a serious threat, then go ahead and arrest the guy.

This is similar to the discrimination situation. It's all fun-and-games until it happens to you and they pick on you.

Comment Outdated model... (Score 1) 191

Back in the old days, you needed to put information on dead trees and transport those dead trees to the people. Companies were willing to do that, for a fee.

Some research-fields are small, so doing a magazine-run (and editing) for a handful of people costs a lot of money. So the subscription fee is (sometimes) high.

Nowadays, the distribution need not cost much.

But the "editing" and "quality control" are parts that are still difficult in the internet-age.

Comment Early april first joke? (Score 1) 227

Of course a prime ending in 9 will most often be followed by a prime ending in 1.

Primes are more-or-less "random": you can't easily predict the next prime. In every number-range primes have a certain density, and that density drops as numbers get larger. So "around 1000", the prime-density is higher than "around 10000".

So assuming the prime density is P and we have a prime p ending in nine, there is a P chance of p+2 (ending in 1) being prime. Then there is a (1-P)P chance of the next candidate being prime. This is a smaller number. The next number CANNOT be prime because it is divisible by five. Anyway, the chance of the next prime being p+10 is on the order of (1-P)^4 · P.

Because the prime density is not all that low, even for numbers around a million, the fourth power of 1-P becomes small quickly.

Note that I'm using an adjusted prime density here. If there are x primes per stretch of 100 numbers on the number line, you have a prime density of x/100. The P I'm dealing with is only considering the 4 mod-10 options for primes. So P = (10/4) · x/100.
