Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×

Comment Re:Readability wins every time (Score 2) 151

Speaking of readability, here's an entertaining one I've been seeing more of in C:

if (result == SUCCESS)
versus
if (SUCCESS == result)

The rationale behind the second is that you don't end up accidentally assigning SUCCESS to result (eg, if (result = SUCCESS)). But I know that I find it weird to look at it the other way around. I want to know if the result was successful, not if successful was the result. Maybe it's an english thing.

I know that Xcode has been putting up warnings/errors for code that does assignments in if-statements and saying that if you really want to do that, wrap it in an extra layer of parentheses (eg, if ((booleanResult = Do_Something()))). I'm not sure this is somehow more clear that you're doing the assignment...

Comment Re:Public Admission of Stupidity (Score -1) 218

Yea, it sounds like the GP doesn't actually drive a car.

The difficulty in seeing people moving into the road in low light conditions can be pretty much impossible even when everyone is doing the right thing, throw in someone just wearing dark cloths and you run over them before you know what you saw in your headlights if you've got any speed at all.

It amazes me that teenagers survive at all. As drivers or pedestrians. I have no idea how I did.

Comment Re: How? (Score 1) 333

The reason that companies like Logitech get cranky is that they assume the goods are probably grey market imports, which you're allowed to do, but you have to clearly advertise the fact that it has no U.S. warranty. But if you have receipts to prove that it was purchased in the U.S., they have no legal grounds to challenge you reselling it as new.

Last I checked, most (if not all) major retailers routinely take unopened returns and put them back on the shelves as new. So if the law considers those to not be new, then that is the most consistently ignored law in the history of the world. And I've dug through California's code, and I see nothing that defines "new" in any way other than "not used". And an unopened package clearly precludes use of the product, so at least in California, I'm about 99% sure that you're wrong. Obviously the answer may vary from state to state, but it seems unlikely that an unopened product could ever be considered anything but new by a reasonable person.

Again, as I said, for automobiles, the law is explicitly different. Once it is transferred to a non-dealer, it is considered used. But as far as I know, that is the only product for which this is the case, and only because there is a specific body of law that explicitly defines the transfer of an automobile to a consumer as "use".

Comment Sandboxing? (Score 2) 21

Perhaps I've just missed this in the reports, but is there any analysis on how this is impacted by sandboxing?

Apple tends to keep things pretty locked down and isolated, and while Stagefright was a Go Directly to Root kind of exploit, I'm curious whether this has the same risk. Can a bad TIFF file delivered via iMessage actually break out of iMessage? "Ultimately, an attack could give a hacker access to portions of a computerâ(TM)s memory" is not very descriptive here.

Side note: why the heck is anyone still supporting TIFF as a built-in image format. The TIFF standard is so complex that it has been the source of an innumerable number of security exploits over the years. It's a very risky format to support for exactly this reason.

Comment Re:How? (Score 1) 333

Yes, even to a toaster oven, there is a legal definition of "NEW" and if you buy it at Walmart and resell it on Amazon, it is actually no longer "NEW".

As far as I know, there's no commonly accepted legal definition of "new". That's why various companies like eBay and Amazon explicitly describe what is meant by "new". Through most of those channels, "new" does not mean "sold by a licensed dealer", but rather "unopened". Up until you open the packaging, something is generally considered "new", no matter how many times it changes hands, and no matter whose hands it goes through in the process, because there's no practical difference between purchasing a product directly from a store and purchasing it from someone who purchased it from a store, so long as no warranty registration occurred. (You should, of course, apply for a tax exemption if you resell new items frequently, because otherwise you're getting charged sales tax twice, but that's orthogonal.)

The only absolute exceptions I can think of are vehicle sales, where "new" means "never previously owned by anyone who isn't a car dealer licensed by the manufacturer," but that's more an artifact of the way cars are sold than anything else (no packaging, franchise dealerships, etc.), and doesn't really apply to consumer goods.

Comment Re:Yay for Open Standards! (Score 1) 51

Not sure how this changes the facts—that ASN.1 is a niche language used in a few narrow areas, that it doesn't get a lot of attention because only a tiny percentage of engineers understand or use it, and that we'd all be better off if everyone just used more sensible data formats, such as JSON, XML property lists, or any number of other similar formats that are well understood, broadly used, and thus thoroughly debugged. The same is true for all the usual binary formats that people define using ASN.1 (BER, DER, etc.), but doubly true for the ASN.1 format itself.

If they're really passing the actual ASN.1 syntax data around over an insecure channel and providing a compiler that compiles the abstract syntax into a new parser to parse a data stream... that's just a recipe for failure in every possible way. Such a design means taking ASN.1 compiler code that most people assume will be used only by software engineers in a controlled setting, and deploying it in such a way that communication equipment all around the world has to use it on the fly to create executable code and run it. Such a design precludes code signing, because the device has to be able to run unsigned, freshly generated parser code derived from the ASN.1. This means that the security of the device is weakened fundamentally, and any security holes in either the ASN.1 compiler or in the resulting parsers are likely to be easier to exploit as a result.

More importantly, it means that arbitrary third parties can create parsers and then provide incompatible data to feed to those parsers, maximizing the chances that there will be an exploitable bug in those parsers that can result in privilege escalation.

ASN.1 should die already, and so should all of the various binary encodings derived from it. IMO, they're fundamentally bad for security, they're hard to audit, and when used in dangerous ways like this, they represent a major security risk.

Comment Re:This Adds to my Nest Frustration (Score 1) 52

Wouldn't virtualization make this pretty trivial, concentrating your workloads on hosts served by a single zone?

Depends on what you mean. It makes reorganizing the machines pretty trivial, potentially, assuming they all have similar hardware capabilities (which may or may not be a safe assumption). But there is a cost (both in power and time) to moving large quantities of data from one machine to another, so you can't necessarily shift load around instantly, depending on what the machines are doing and how many other machines are configured to do the same job.

Slashdot Top Deals

"If truth is beauty, how come no one has their hair done in the library?" -- Lily Tomlin

Working...