Serious Network Function Vulnerability Found In Glibc
> How many years was Heartbleed around before anyone noticed? Apparently "many eyes" were not reading that bit of code.
Even you admit heartbleed *WAS* around (not *IS* around) and thus was found and fixed.
Clearly at least two eyes reviewed the code, found the bug, and it is now fixed as a result.
That is two more eyes than are searching through closed source code.
Two is still greater than zero so it is still a net positive.
NVIDIA GTX 970 Specifications Corrected, Memory Pools Explained
As an owner of a GTX 970 card, all I can say is I can run Shadow of Mordor at full 1920x1080 res with the "ultra" texture setting and it never dips below 30fps, usually getting 45-60.
The additional fact I got the card as an open-box return at the local computer store for $220 makes things a no-brainer for me even if the allegations of 3.5GB VRAM were true.
There is no game in existence that a 980 or titan card can play that my 970 couldn't, even if I had to bump the settings down to just "very high".
If I bought a thousand of the things for super computer style multi-GPU number crunching, then I would probably be more upset and yelling a bit louder at Nvidia.
As a gamer I just can't see myself getting any worked up over this.
U.S. Gas Stations Vulnerable To Internet Attacks
>We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
It isn't a "need", it is only a "want"
Just imagine the cost difference between a fleet of IT people positioned in every city the gas station chain does business in, paying their US pay rates, compared to a poor lone Indian guy on the other side of the planet being paid a tiny fraction of US pay rates, not multiplied by the number of employees (or multiplied by one, technically), able to manage all 100000 pumps owned by the chain.
The psychopaths at the top of the gas station chain companies get to keep that unspent money for themselves, so the less they pay out the better it is in their mind.
Of course you both get what you pay for, and must suffer the consequences of your own choices and actions once made, but it's pretty rare either of those factors even pops into their minds - and when it does the only reaction is to beef up the golden parachute package for when the inevitable happens.
The point is the whole intention here is not to do things right but to save money and raise profits without concern for the future or security of the company as a whole.
Going by those terms, not only do the pumps need to be on the Internet, but doing so makes them more short-term profits, so clearly it is the correct solution to their incorrect and needless problem.
Windows Server 2003 Reaches End of Life In July
> I agree with IBM to a point but Google doesn't have the best track record of supporting their products after they decide the product has reached the end of its life. In fact, they probably have one of the worst.
Sadly that is true.
In my previous post I was more thinking along the lines of trusting IBM/Google/etc. to release updates that actually fix vulnerabilities instead of intentionally injecting new ones - more as a comparison to those shady sites out there hosting Windows Update MSIs for people using pirated Windows without full access to legit update channels.
While I personally would trust Google in that sense, I do have to agree I can't say the same about them "sticking with it" for the long run.
Of course I don't really see them even starting this to worry about them closing down the beta a few months later ;P
But your point remains.
Windows Server 2003 Reaches End of Life In July
> Just because something is "inside" doesn't mean you can ignore its security.
I'm curious, which one of "low risk", "risk limited to lan", or "not zero risk for sure" did you interpret as me saying there was no risk and thus security is being ignored?
Or was it just the statement that it actually is being upgraded that sounded like "being ignored"?
I of course was light on details, since they don't really matter here, but I feel I spelled out most of the points in my risk analysis process such that "ignore" is a pretty unfitting adjective for what I actually said.
Windows Server 2003 Reaches End of Life In July
> My understanding is that fixing newly discovered vulnerabilities in Windows XP or Windows Server 2003 would be fairly inexpensive.
One more downside to being closed source - if Microsoft won't fix vulnerabilities, no one else can for any sane price.
At work I'm still migrating our last two 2003 servers, one migration nearing completion the end of this month, and the next not even started yet but expecting to take 9-12 months.
Exchange server was our primary risk because by its nature it has to handle SMTP, and while you can't poke that server directly from the Internet (a Postfix relay server is the only one with direct Internet-exposed ports), those emails still flow through it, and it sends outgoing mail directly so it has to connect to other MTAs and everything involved with that, like DNS queries... A pretty big risk footprint on that one, so no argument from me that it needs to be upgraded.
The last 2003 server however doesn't technically require being replaced; the risk is very small and mostly controlled for even then. It would likely run fine until enough hardware failures make keeping the server up cost prohibitive, which is really the biggest reason (though a fairly justified one) to upgrade.
The vulnerability risk footprint is limited to the LAN, and then only really to Windows file sharing (that and SQL Server are the only exposed services).
Not zero for sure, but taken alone not enough of a reason to justify the cost of an upgrade. Only everything taken together combined with a string of purchase approvals to upgrade everything else that demands it, is why it ultimately will be.
If only another big player could release continued security updates, or ideally more than one to help both competition on price and a choice of whom to trust for such a thing.
There is definitely a market for very long term support, for which you need look no further than IBM.
In fact many would trust IBM to fill such a role if they were to do so. Others may trust Google. I'm sure there are plenty of other examples as well.
But I don't see "long term Windows support" being in many of those companies' interests, nor do I see Microsoft going along with such a plan even if it were.
Microsoft wants you to buy their latest shiny instead, Google would prefer you didn't use Windows at all, and IBM doesn't seem to be as big on the support thing these days even for their own products, let alone Microsoft's.
All of those facts factor into the cost of providing security updates, and do raise the bar quite a bit higher than it would appear at first glance.
Steam Broadcasting Now Open To Everyone
> Who the hell wants to watch other people play games
Only a few hundred million people...
> when you could be playing them yourself?
Only idiots that think and insist those two things are exclusive and that you can't do both.
Analysis Suggests Solar System Contains Massive Trans-Neptunian Objects
> Until you can name all hundred thousand of the "planets" in our solar system, we won't be using your definition of planet.
Why do you insist 3rd graders should be able to recite all hundred thousand planets from memory yet refuse to do so yourself even with the Internet as your reference?
Systemd's Lennart Poettering: 'We Do Listen To Users'
> Linux has almost two orders of magnitude more code than systemd, and it changes all the time. Security vulnerabilities are far more likely to be in the monolithic kernel.
Yes, that is an excellent reason to add even more vulnerability vectors!
At least when it comes to the kernel and networking, I have iptables in between.
With SystemD starting the network stack before starting anything else (including iptables), I can no longer even firewall off potential exploitable services.
Too bad they didn't bother to include a functional services manager inside the systemd "service manager" that could bring up iptables before the network stack, perhaps using some dependency based system.
But I fully understand how no mere mortal can wrap their head around the concept of renaming a symlink so iptables rules are prefixed with a lower number than your network services and thus load in a plain clear obvious order.
Maybe one day computers will be able to know "10" comes before "20" without 250 megs of additional software. One can dream at least.
SystemD Gains New Networking Features
> Christ almighty, this beast is a fucking monster. What's next, a shell and a userland?
According to the slashdot editors, the next thing is clearly debiand!
Apparently it is to be the systemd module which uses the Debian logo/filter on front page /. articles to clearly indicate a story about generic Linux software made by a guy at Red Hat that emulates behavior in Microsoft Windows...
After that they will install the new shutupd module, that does nothing but write "Woah slow down there cowboy, you last posted 140*10^12 minutes ago, try again later to give others a chance" to stdout - before repeatedly restarting itself for no good reason, as every proper init service boot manager network shell app should do.
AI Experts Sign Open Letter Pledging To Protect Mankind From Machines
> But why would a machine have any goal if it is not motivated in the first place?
Same reason kids get sent to soccer lessons or swimming lessons or piano lessons the kid didn't want to take.
In the above example, it is the parents "programming" the kids' behavior (even if that programming results in the child acting out later in life, as such actions can cause).
In the AI example, the essence is the same. An AI would have a goal because we programmed such a goal into it.
That isn't to say an AI must be programmed with a goal, it fully depends on how we go about constructing a given AI.
If the AI is I because we are simulating a brain, nervous system, and hormonal systems along with simulated inputs and outputs - that AI is likely to have goals (assuming it isn't driven insane by gaps in our knowledge in said simulation, of course).
If the AI was brought forth in a brute-force manner or comes about from emergent properties, it is impossible to guess or even relate to its thinking to assume.
It may have goals similar to how we do. It may have goals brought about by completely different emergent properties. It may have no goals but what we program, or even no goals at all.
It's impossible to say without some knowledge of the process creating the AI, and at this point in time no such thing exists to have knowledge about.
But we know we humans have goals (or at least some of us), so if an AI is a strict simulation of a human, it will have goals just like we do. So we know for a fact it is possible for a thinking conscious being to have goals (humans being the evidence).
We don't know for sure if it's possible to not have goals in such a situation, but so far there is no evidence it isn't possible, so it is quite premature to rule it out at our current stage of understanding.
Microsoft Restricts Advanced Notification of Patch Tuesday Updates
> Presumably, a sysadmin in a corporate environment would get a premier account so that they *can* make such necessary plans.
Presumably. This just means I will need the company to pay more than previously for the same service.
It's a proven fact, however, that the "bad guys" make much more money from their crimes than our company does legally. Rest assured that all the "bad guys" that matter already have the resources to pay for this advanced notice, and nearly all will do so if they somehow are not already.
Only the script-kiddies living in the basement that mow lawns for their income will actually be locked out. Any serious actor will not.
Microsoft just made it a priority to release patch and thus exploit details to the blackhats ahead of most of their legitimate customers.
*slow golf clap*
If you are going to help the "bad guys" at the expense of the "good guys", why bother patching any exploit ever? The exact same end result, but less time, money, and effort needed by MS employees.
How Close Are We To Engineering the Climate?
> Let's start by trying to make the ocean's dead zones... undead
Oh great! So now instead of an eerie dead section of ocean, we will have eerie sections full of zombie fish, zombie lobsters, zombie crabs, and of course the kraken.
*Goes off to stockpile silver tipped harpoons for our new three hundred leagues under the apocalypse*
Text Editor Created In Minecraft
> Thanks for the response. Well put. I was not meaning to belittle what was accomplished, but just as to the why. If it brings great joy to that individual, AWESOME, keep on!
He made an awesome Minecraft thing instead of curing cancer likely for the same reason we are posting to Slashdot instead of curing cancer :P
> I just wish I possessed that same talent as to where I could use it for other purposes.
Don't we all.
I too wish I had the knowledge, talent, and energy to do something world changing and/or useful to many - but alas I am not as learned, intelligent, or capable of doing so (and at my age it's mostly all downhill from here).
And although I have the knowledge to build an ALU and simple CPU from the gate level up, as well as love Minecraft as much as the next geek, I'm both not certain I could actually do it in redstone nor have the energy and time to try and find out.
Living vicariously through people such as Koala_Steamed is as close as I likely will get, but the awe and impressiveness of their effort is still great for me, likely only to be topped by trying and succeeding at the task myself.
If their creation has that much of a positive effect on me, I can hardly imagine how much of one it has on them for being among those who have actually built them. That's plenty of good reason to do so there alone.
Anthropomorphism and Object Oriented Programming
The last time I anthropomorphized a program it got quite angry at me.
Mrs Compiler wouldn't let me sleep in C: for a week, and even then she wouldn't let me declare unsigned variable types for the rest of the month!
Fraud, Not Hackers, Took Most of Mt. Gox's Missing Bitcoins
> With bitcoin, the only thing you are trading is the knowledge that somebody wasted a shitload of electricity.
So bitcoin is bad because the metal presses that stamp out coins and the printing presses and cutters that make bills all run on magical unicorn farts instead of electricity?
Happy Public Domain Day: Works That Copyright Extension Stole From Us In 2015
> Does it sound fair to someone who has never created a single patentable invention in his life?
Try three, and yes not only do I think it is fair, but clearly you too think it is fair by your actions (or you're just admitting to being a parasite criminal stealing my work... either way you look pretty bad)
To claim you don't think it is fair, you need to send me my first payment, and continue sending me payments every month for the rest of your life.
Until those checks clear, you're just being a lying hypocrite.
In fact, you seem to be arguing that even ONE payment is too much, let alone multiple ones.
So I thank you for your permission to take anything you make for free - or I would if you actually made anything.
South Korean Activist To Drop "The Interview" In North Korea Using Balloons
> Think before you drop bags of food on people's heads, crushing their farm animals and houses.
As God is my witness, I thought turkeys could fly!
Ask Slashdot: What Should We Do About the DDoS Problem?
> But persistent connections should be easier to protect because the legitimate connections are distinguishable.
How can you distinguish one thing from another thing if you can't look at either of the things?
The only way to prevent "10000 packets in a second were sent, but my connection can only transfer 1000 packets in a second" (aka a DoS attack) is to not have those extra 9000 packets sent in that particular second.
If they aren't sent, you can't see them (they aren't there to see!), so you have exactly zero variables to use for decision making.
If they are sent so you can make a choice based on some characteristic of the packet, then the packet must be sent, and you have failed in your goal of not having the packet sent.
Worse, in a typical DDoS, any characteristic of 1 packet will not match the same characteristic of the other 8999 packets.
So not only is your choice of "do I want to receive this packet" too late after it has already been sent and received, but any choice you might decide to make will also not apply towards helping the problem in the future.
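The two points made in the comment above, as an added Python example that is not part of the comment or the thread: a receiver-side per-source counter flags a single flooding host but sees nothing unusual when the same 9000 packets arrive from 9000 different sources, and in both cases the saturated link has already dropped most of the legitimate client's traffic before any receiver-side decision runs. The packet trace, the bot addresses, the 100-packet per-source threshold and the 1000-packets-per-second link capacity are all constructed for the example.

```python
from collections import Counter

LINK_CAPACITY_PPS = 1000     # constructed figure, matching the comment's 1000-packet link
PER_SOURCE_THRESHOLD = 100   # constructed: more than 100 packets/s from one address is flagged


def build_trace(attack_sources, attack_packets=9000, legit_packets=100, second=0):
    """Build a constructed one-second packet trace: attack_packets spread evenly
    over attack_sources hypothetical bot labels, plus legit_packets from one
    legitimate client. Each packet is a (second, source) tuple."""
    trace = [(second, f"bot-{i % attack_sources}") for i in range(attack_packets)]
    trace += [(second, "client")] * legit_packets
    return trace


def per_source_offenders(trace, threshold=PER_SOURCE_THRESHOLD):
    """Receiver-side heuristic: sources that exceed `threshold` packets in any
    one-second bucket. It can only count packets that have already arrived."""
    counts = Counter(trace)  # keyed by (second, source)
    return sorted({src for (_sec, src), n in counts.items() if n > threshold})


def link_overload(trace, capacity=LINK_CAPACITY_PPS):
    """Per second: (packets offered to the link, packets the link had to drop).
    The drop happens upstream of any filter the receiver could apply."""
    offered = Counter(sec for sec, _src in trace)
    return {sec: (n, max(0, n - capacity)) for sec, n in sorted(offered.items())}


def legit_delivery_fraction(trace, legit_src="client", capacity=LINK_CAPACITY_PPS):
    """Share of the legitimate client's packets that fit through the link,
    assuming the saturated link drops indiscriminately (no preference for
    the client's packets, because nothing has identified them yet)."""
    offered = Counter(sec for sec, _src in trace)
    legit_secs = {sec for sec, src in trace if src == legit_src}
    fractions = [min(1.0, capacity / offered[sec]) for sec in legit_secs]
    return sum(fractions) / len(fractions) if fractions else 1.0


def compare_scenarios():
    """Run a single-source flood and a 9000-source flood side by side."""
    results = {}
    for name, sources in (("single_source", 1), ("distributed", 9000)):
        trace = build_trace(attack_sources=sources)
        results[name] = {
            "flagged_sources": per_source_offenders(trace),
            "dropped_by_link": link_overload(trace)[0][1],
            "legit_delivered": round(legit_delivery_fraction(trace), 3),
        }
    return results


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(name, result)
```

In the single-source run the counter flags `bot-0`; in the distributed run it flags nothing, since every bot sends one packet and the client sends exactly its usual 100. The link figures are identical in both runs: 8100 of the 9100 offered packets are dropped, and the client gets roughly 11% of its traffic through, whatever the receiver later decides about the packets it did see.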