×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

A Paper By Maggie Simpson and Edna Krabappel Was Accepted By Two Journals

Kiwikwi That's ridiculous! (100 comments)

Sheesh. What kind of journal accepts a paper written by a baby?

about two weeks ago
top

Facebook Sets Up Shop On Tor

Kiwikwi Re:SSL? (125 comments)

Wasn't it like 10 days ago that we say the demise of SSL 3.0, the last version still alive? Yesterday we had news of Chrome dropping support for it.

Now facebook it setting up new servers that use it?

SSL 3.0 is from 1996. The latest version of SSL is called TLS 1.2 and is from 2008, with 1.3 under development.

about a month and a half ago
top

Scotland Builds Power Farms of the Future Under the Sea

Kiwikwi Re:um, no (216 comments)

http://www.scientificamerican....

Solar is the real eye opener and should serve as a lesson on blindly trusting hype and "What seems obvious." Solar panels are terrible for the environment,

It's always important to remember that there's no such thing as free energy. That said, the linked graph doesn't say anything about solar being "terrible for the environment", only that other sources of electricity consumes* very little silver compared to solar (as Scientific American also notes in the graph). Importantly, it does not show how that use compares to e.g. worldwide silver use.

* "consumes"? "wastes"? "produces as a byproduct"? Pretty sure that oil energy (or biomass!) doesn't consume uranium, even if drilling for oil produces it as a byproduct. Not sure what exactly is being graphed here, honestly. Unfortunately, the cited report is paywalled.

Anyway, if you look at the other report cited by Scientific American as the graph source, in figure 4 on page 19, it shows the global material requirements (in giga-grams, that is, kilotons) under various energy mix scenarios. Neither silver or tin use even registers on the graph in the so-called "non-fossil" scenario (mix of solar, wind and hydro - and no nuclear). In other words, in the "non-fossil" scenario, silver and tin usage for power is less than 1 kiloton a year. Worldwide silver use in 2013 was 34 kt.

As a bonus, silver recycles better than aluminum, with energy savings of 96% (table 4.4).

about a month and a half ago
top

Debian's Systemd Adoption Inspires Threat of Fork

Kiwikwi Re:Fedora fork too (555 comments)

It seems whenever people want to show how simple a SysV init script can be, they pull out examples that don't do half of what the (still much shorter) SystemD unit file does.

In this example from Slackware:

- 'sendmail' is a globally reserved name for a binary; only the system-wide sendmail daemon may use it.
- you cannot query the service status.
- there's no automatic preprocesing of sendmail config files (rehashing etc.)
- there's no dependency information

And that's just what's missing compared to the Fedora SysV init script.

The Fedora SystemD unit file adds at least the following features:

- the ability to reliably stop or restart the service
- automatic restart if the service dies

about 2 months ago
top

As Prison Population Sinks, Jails Are a Steal

Kiwikwi Re:2,266,800 (407 comments)

1.6M? The U.S. prison population is 2,266,800 according to Wikipedia. It's been over 2M for years, and was 2,418,352 in 2008.

In the U.S., the word "prison" is more specific than you think. Look at the third figure from the top at your own link.

In 2010, the U.S. prison population was ~1,518,000 (state and federal prisons). The U.S. jail population was ~749,000. The sum of those is 2,267,000; then comes another ~90,000 in juvenile detention (see the table below the figure). Add all these (and a bunch of smaller numbers, such as holding facilities for immigrants, and military facilities), you get the number of incarcerated people, which is the number you mention.

But yes, AFAIK the U.S. still incarcerates more people than any other country in the world, both as a fraction of the population, and in absolute numbers. There's a long way down to the next on the list.

about 2 months ago
top

Battery Breakthrough: Researchers Claim 70% Charge In 2 Minutes, 20-Year Life

Kiwikwi Re:Charging amperage (395 comments)

Enh, seems to be only off by a factor 10, though IANAEE (I am not an electrical engineer). Forgive me if I'm missing a factor 1.44 or something, below.

Obviously you don't charge an electric car battery at 12 V. What the individual cells do is irrelevant, since they charge in parallel; the bottle neck is the cable attached to the car (and cooling, but hey, we're assuming magic new wonder battery tech, so I'll conveniently ignore that issue).

The highest power available using standard CEE (IEC 60309) plugs and mainline voltage is 3 x 125A x 230V, or about 86 kW. This is not normal in a home, obviously, but you can easily get a couple of these in commercial installations.

Ignoring losses (I know, I know), 86 kW means one hour to fully charge a Tesla Model S with the big 85 kWh battery pack, but that's also a big battery pack.

Charging the 48 kWh battery of the upcoming Model E to 70 % will take: 70% x 48 kWh / 86 kW = 23 minutes.

Now, I would've thought 3 x 125 A x 230V was about the limit, simple due to the weight (those cables are very heavy!). But apparently, Tesla Superchargers go beyond this, to more than 120 kW (340 A x 360 V), with possible plans for 135 kW or even 150 kW. (I guess if the cable is short enough, and you increase voltage beyond mains voltage...) This gives you 70% x 48 kWh charging times in as little as 17 minutes (120 kW) or even 13 minutes (150 kW). Still a far cry from 2 minutes, but then the 17 minute figure is using current mass-market technology.

about 2 months ago
top

Aral Sea Basin Almost Completely Dry

Kiwikwi Re:The water wars are coming (151 comments)

Yup, this is what you get when a short-sighted totalitarian government messes with the water cycle to enable farming in a desert, consequences be damned.

Come to think of it, California is what you get when a short-sighted democratic government messes with the water cycle to enable farming in a desert, consequences be damned.

Let's face it, environmental concerns wasn't really on any government's radar until the 70s. (And a lot of countries still try to ignore them...)

about 3 months ago
top

Apple Yet To Push Patch For "Shellshock" Bug

Kiwikwi Re:~/.cshrc (208 comments)

It really has nothing to do with the default shell. It won't matter what shell is the default when your CGI script starts with #!/bin/bash.

No, no, no, no... People really don't get the scope of this.

It doesn't matter what the default user shell is, or what language a CGI script is written in. Bash is the most common system shell, which means it's invoked all the time when other programs run commands.

Obviously, I can't know this, but OP is probably not using csh as his system shell, because that's not POSIX compliant and would cause major breakage.

If /bin/sh is Bash, you're vulnerable, no matter what shell you're using yourself, or what language your CGI script is written in.

Also, CGI scripts is only the most obvious attack vector; others that have been identified so far are the CUPS printing daemon, the ISC DHCP client and locked down SSH shells like those commonly used to host Git repositories. But there are without doubt many more. The only safe thing to do is to upgrade or remove Bash from your system immediately.

about 3 months ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Kiwikwi Re:"could be worse than Heartbleed" (318 comments)

No, it is any CGI program that sets an environment variable to unchecked user input and then invokes a shell or calls any other program that invokes a shell.

Got that?

No, it's not the CGI program that sets the HTTP_USER_AGENT environment variable, and this is not a vulnerability in the CGI program nor the CGI protocol. The fault lies 100% with Bash, which executes arbitrary shell code from arbitrary environment variables.

about 3 months ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Kiwikwi Re:"could be worse than Heartbleed" (318 comments)

any CGI program + any non-Debian Linux => vulnerable

No, only CGI programs that use system/popen/etc to call out to things that may be bash.

Enh, good luck auditing even just a resonably complex CGI program for direct and indirect invocations of the system shell.

For instance, care to guess whether this one is safe?

For once, the PHP programmers are ahead security wise due to the ubiquity of mod_php...)

Well for one most languages the equivalent facility is available and usually used since it is a requirement to scale.

I know, mod_perl and mod_wsgi on Apache, and of course, Fast CGI. But CGI is still common in a lot of setups.

For another, even the silly 'fork and exec' perl or php or python isn't vulnerable if said script avoids system/popen/backticks/whathaveyou.

Even if you don't call out to the shell yourself, the standard library might.

Pop quiz 1: How is the PHP mail function implemented?

Pop quiz 2: What parts of the Python standard library module uuid are safe to use, and what parts will render your CGI script vulnerable?

I guess I was wrong to play down the severity of bash, but my hope was for people to just consider themselves to make a mistake by ever potentially having bash in a cgi context, for reasons beyond this exploit.

It's the system shell. It's everywhere. The real lesson here is to not use a big bulky program like Bash as the system shell.

Answers to pop quiz:

1. popen to execute sendmail program.

2. The following Python CGI script is vulnerable: import uuid (that's it). (uuid uses ctypes.util.find_library, which uses popen).

These examples took me less than 20 minutes of grepping to come up with, and I'm not even trying to hack any computers...

about 3 months ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Kiwikwi Re:So flog the bash developer who checked this in. (318 comments)

In those days [late 80s/early 90s] revision control wasn't universally used. Even as late as the early 00's I was training engineers coming out of master's degree IT programs who had no idea how to use a revision control system.

Linus didn't use a revision control system for the Linux kernel until 2002.

(Aw... comparisons between CVS and the "soon to be finished" Subversion. How quaint.)

about 3 months ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Kiwikwi Re:This exposes systemic insecurities (318 comments)

Basically, this Bash bug is really only exploitable by remote users because of some questionable decisions made in designing the software stack.

Hm, no, the fault here lies squarely with Bash choosing to interpret an environment variable called HTTP_USER_AGENT as a program to execute.

This is not about accepting arbitrary environment variables; CGI puts data in a few, well-defined variables. This is a perfectly legimiate use of environment variables. (And Windows does the exact same thing.)

You're right that using a "full-bore shell program" such as Bash as the system shell is moronic. It is, unfortunately, still the norm on all major Linux distros except Debian and derivatives (which use the limited Dash shell, which is not vulnerable).

Primarily, I think this is a wake up call for Fedora, SUSE and the others: Bash is a huge, complex component, evidently with insufficient security review, and should not be used as the system shell. Debian dropped it for performance reasons, but now we can add security concerns to the list. It can stay around for use as an interactive shell (though why you'd do that when you have zsh, I don't know...)

about 3 months ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Kiwikwi Re:"could be worse than Heartbleed" (318 comments)

Outside of malicious HTTP headers landing in environment variable in CGI land, I'm hard pressed to think of another reasonable vector for this bug to be a problem...

Unfortunately, attackers do not share your lack of imagination.

First of all, the CGI vulnerability is not about CGI scripts written in Bash, this is about any CGI script that at any point invokes a shell or invokes a program that invokes a shell (e.g. using the system call), irrespective of the actual shell command, on a system that uses Bash as the system shell (so pretty much all non-Debian based Linux distros).

Got that? any CGI program + any non-Debian Linux => vulnerable. (For once, the PHP programmers are ahead security wise due to the ubiquity of mod_php...)

Second of all, there are all kinds of non-CGI situations in which untrusted data is passed in environment variables. This is normally not a problem... unless that environment variable at any point is inherited by Bash.

The ISC DHCP client (dhclient) is the canonical example, as it runs a distro-specific shell script to set up the network once it gets a DHCP lease. Unustrusted values from the DHCP server are passed - you guessed it - in environment variables.

about 3 months ago
top

How Our Botched Understanding of "Science" Ruins Everything

Kiwikwi Re:In lost the will to live ... (795 comments)

Why is causing pain to others bad? Why do you care about what other people feel?

Quid pro quo. I care about them and don't cause them pain; and in return, they care about me and don't cause me pain. It's also called the social contract.

You may argue, "prisoner's dilemma" style, that an individual can then gain an advantage by breaking the social contract, and indeed some people do that. Bruce Schneier wrote a whole book about that topic. But as it turns out, most people don't break the social contract, due to 1) intense social conditioning (religious or otherwise) and/or 2) the threat of punishment if they're caught.

The social contract predates Christianity by millenias; heck, it presumably existed in a primitive form in stone age hunter-gatherer culture.

But even ignoring social conditioning and even the evolutionary traits that have developed to promote that contract (e.g. increased empathy), abiding by the contract still makes sense: Civilization depends on the majority following the social contract, and indeed, most people find that the immediate benefit of breaking the contract is outweighed by the threat of civilization falling apart. Of course, once people start to break the social contract in larger numbers, the cost-benefit ratio changes, and civilization crumbles quickly.

Surely you've heard of the Golden Rule? This requires zero belief in the supernatural or any sort of sacredness.

Except that it doesn't explain why you should follow it. Most people seem to use "karma" (or "what comes around goes around") as a not-quite-as-supernatural-as-an-omnipotent-God reason for following the Golden Rule.

I'd argue that karma is a real thing, only global, not personal. When you do a good thing for others, you increase global karma, ever so slightly increasing the odds of good things happening to you, too. (But it's a big world; I think you'll find playing the lottery has better ROI.)

Personal karma AKA the "just world" belief is of course a myth. The fact that so many people believe in it is a testament to the aforementioned social conditioning.

about 3 months ago
top

Apple Edits iPhone 6's Protruding Camera Out of Official Photos

Kiwikwi Re:Parallax. (425 comments)

Yes they have. Two of my coworkers have them now. Got them a few days ago. That's the result of big money contracts.

I mistakingly read this as a response to linear a's post above:

Another Lie! Slashdotters don't have "fiances".

about 3 months ago
top

Court Rules the "Google" Trademark Isn't Generic

Kiwikwi Re:Don't google it. Bing it! (159 comments)

I'm sorry, but saying you "binged" it sounds slightly obscene...

Could be worse. Microsoft originally considered calling it "Bang".

...

I'm not kidding. I guess they liked "Bang" because it conveyed a sense of, uh, instant gratification. Specifically:

The company had several criteria in rebranding the search engine, he said. The company wanted a name that was one syllable and couldn't be misspelled and was as short as possible.

Webster said he initially came up with "Bang." The name had a few things going for it, he noted. "It's there, it's an exclamation point," he said. "It's the opposite of a question mark."

about 3 months ago
top

Surprising Result of NYC Bike Lanes: Faster Traffic for Cars

Kiwikwi Re:Simple change. What about round abouts (213 comments)

Huh? Roundabouts and standard crossings are equivalent when it comes to pedestrians. In both cases, you add crosswalks "circling" the roundabout or intersection, and cars must yield for pedestrians when entering and leaving the roundabout/intersection. (Example of small roundabout with pedestrian crossings and bike path.)

If there's a lot of traffic, you add traffic lights; this, too, can be done for both roundabouts and intersections. (Example of roundabout with traffic lights; though I've personally observed that it's able to carry traffic pretty smoothly even when the lights are malfunctioning. This latter example also has heavy segregation between cars and bicycles; research has shown that cars are unfortunately slighly more likely to overlook bicyclists otherwise, compared to a standard intersection.)

Of course, there's always hideous designs like the Dupont Circle mentioned above, but that's just traffic planners showing that they don't understand roundabouts. Pedestrians should walk around the roundabout, not across it (hence the name), otherwise cars have to yield for pedestrians inside the roundabout, and you get a complete traffic jam. (The whole point of a roundabout is to limit the number of directions in which traffic moves...)

about 3 months ago
top

White House Names Google's Megan Smith As CTO

Kiwikwi Re:I assume she's not qualified because she's a wo (75 comments)

I have no problem giving the job to the most qualified person, even if that person is a woman. But she's not the most qualified person! You know how I know? Because she's a woman! She is clearly an AFFIRMATIVE ACTION pick. She's no good. All she knows about is mechanical engineering (aside from her years of IT experience)! I'm so sick of all this AFFIRMATIVE ACTION! Again, I'd love to give the job to a qualified woman. But every woman who gets any job gets it because of AFFIRMATIVE ACTION!

Thank you for this succinct recap of much of this Slashdot discussion thread.

You did forget to mention how the position was "just invented" for her. (And her two predecessors, err...)

about 3 months ago
top

California DMV Told Google Cars Still Need Steering Wheels

Kiwikwi Re:Driverless (506 comments)

In the Copenhagen Metro (driverless), there are emergency brake levers next to every door. However, it was considered dangerous for the train to stop in a tunnel (and have passengers exit through the tunnel). Therefore: If you pull the emergency brake, the train will continue to the next station, then stop. (If you don't pull the emergency brake, the train will continue to the next station, then stop...)

Anyway, this might still be the safest mode of operation. If there's anything rail automation has taught us over the last century, it is this: Whenever the human second-guesses the automation, odds are that the human is wrong. About time cars got to this point, too.

about 4 months ago

Submissions

Kiwikwi hasn't submitted any stories.

Journals

Kiwikwi has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?