
Comments


India Successfully Launches Region-Specific Navigation Satellite

dwheeler Re: How many GPS systems are there? (86 comments)

I know of at least the following systems that exist or are being built: GPS (United States), GLONASS (Russia), Galileo (planned, European Union), Indian Regional Navigation Satellite System (India), and the Beidou Navigation Satellite System (China). GPS and GLONASS, in particular, have been around a long time.

5 days ago

Ask Slashdot: How Many Employees Does Microsoft Really Need?

dwheeler Binary prefixes: Use them (272 comments)

By standard and by law, a "k" is x1000, an "M" is x1,000,000, and so on, and NOTHING else. Standards groups like IEC and IEEE are unanimous: they ALWAYS mean a power of 10. There have already been a number of court cases where someone used "K" etc. to mean binary prefixes, and every time they have had to concede (and typically end up paying up in out-of-court settlements). Examples include Willem Vroegh v. Eastman Kodak Company and Cho v. Seagate Technology (US) Holdings, Inc.

And don't tell me that computers "always" use base 2 measurements. Hard disk drives, clock cycles, and bandwidth are typically measured using base-10 prefixes (multipliers of 10^3). Yes, RAM has traditionally been measured using prefixes that imply powers of 2, but the errors have been getting worse and worse as the numbers get larger.

Technologists should care about being precise. If you can't tell what a number means, that is a problem. The binary prefixes are a nice solution to a widespread problem. If you don't care about precision, use whatever term you want. But when you want to measure accurately, use the right units.

about 3 months ago

With New Horizons Spacecraft a Year Away, What We Know About Pluto

dwheeler What do you call objects orbiting stars? (128 comments)

The practical problem is a difficulty of communication. The purpose of words is to help us communicate. If we have no word for a common idea we want to express, then we usually create a new word or phrase.

Let's say we observe an object, with mass less than a star, that is orbiting a star other than our Sun. What, exactly, do you call it? Under the IAU rules, you cannot call it a planet, because we generally cannot know if it has cleared its orbit. The standard solution in English is to call it a "planet". But if we call it a planet, then we should use the same definition everywhere.

about 3 months ago

With New Horizons Spacecraft a Year Away, What We Know About Pluto

dwheeler Pluto=planet, because there are other stars (128 comments)

As I commented years ago, the worst problem with the current IAU definition of "planet" is a practical one: we can't practically use it for objects orbiting other stars.

We are too far away to observe small objects around other stars, and I think we will always be able to detect larger objects but not smaller ones in many faraway orbits. So when we detect an object in another galaxy with the mass of Jupiter, and it’s orbiting a star, is it a planet? Well, under this current definition we don’t know if it’s a planet or not. Why? Because we may not be able to know what else is there in orbit. And that is a real problem. I think it’s clear that we will always be able to observe some larger objects without being able to detect the presence of smaller ones. If we can’t use the obvious word, then the definition is useless - so we need a better definition instead.

I think a much better definition of "planet" is "orbits a star, enough mass to become round". Yes, that means that Ceres and some Kuiper Belt objects become planets. That's a GOOD thing. A lot of people don't know of Ceres, yet that one object has about 1/3 of the ENTIRE mass of the asteroid belt.

Of course, none of this affects reality; this is merely a definition war. But clear terminology is important in any science.

about 3 months ago

India's National Informatics Centre Forged Google SSL Certificates

dwheeler Internet Explorer IS vulnerable though (107 comments)

This is a big deal. If you use a browser on Windows that does NOT counter this, such as Internet Explorer, then you ARE vulnerable. I imagine Microsoft will come out with a special-purpose patch, but still, this is a pretty nasty issue.

Untrustworthy CAs have been a problem for a long time; we need mechanisms to address them. The terrible cert revocation system makes it even worse; you can't be sure that the certs are checked in many cases. Chrome's CRLSets are not the answer; they are not even the beginning of an answer. We need to fix the whole revocation system. Sadly, there hasn't been enough work or enough urgency on these problems; maybe this will light a fire under those efforts. I doubt it, but it's worth hoping.

about 3 months ago

Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice

dwheeler Counter-notice! (349 comments)

Hopefully they will quickly submit a counter-notice.

about 4 months ago

Judge Frees "Cannibal Cop" Who Shared His Fantasies Online

dwheeler Conspiracy != fantasy (185 comments)

The difference is that in a conspiracy someone plans to DO something unlawful, or cause someone else to do it... and not just talk about it. A "conspiracy" is "a secret plan by a group to do something unlawful or harmful". A fantasy is just the "activity of imagining things".

about 4 months ago

WebODF: JavaScript Open Document Format Editor Deemed Stable

dwheeler Impressive start! (91 comments)

This is a really impressive start. It's not done, but they don't claim it is. It's responsive and does quite a bit.

about 4 months ago

Exploiting Wildcards On Linux/Unix

dwheeler Old problem. Let's fix it. (215 comments)

I'm glad that people are learning about this problem. Sadly, it's not new, it's been known for decades. CERT’s “Secure Coding” item MSC09-C (Character Encoding — Use Subset of ASCII for Safety) specifically discusses the vulnerabilities due to filenames. The Common Weakness Enumeration (CWE) includes 3 weaknesses related to filenames (CWE 78, CWE 73, and CWE 116), all of which are in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. My freely-available book on writing secure software has a whole section about filenames. And so on.

We need to fix the problems with Unix/Linux filenames, not just keep rediscovering them. In particular, ensuring that filenames had no control characters, no leading dashes, and used UTF-8 encoding would simplify developing correct programs. Most people writing software already follow these rules. We don't need to make it easy for attackers.

about 4 months ago
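An added example, not from the comment above or from the sources it cites, of what enforcing those three rules looks like in a program that must handle untrusted filenames: a C validator that rejects a name containing control characters (C0, DEL, and the C1 range once the UTF-8 is decoded), a name with a leading dash, or a name that is not valid UTF-8 (truncated, bad continuation byte, overlong, surrogate, above U+10FFFF), plus a helper that prefixes `./` to a dash-leading name so a child process such as `rm` or `tar` cannot parse it as an option. The function names, result codes and sample names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for check_filename (names chosen for this example). */
enum fn_status { FN_OK = 0, FN_EMPTY, FN_LEADING_DASH, FN_CONTROL_CHAR, FN_BAD_UTF8 };

/* Decodes one UTF-8 sequence from s[0..len). Returns its byte length and stores
   the code point in *cp, or returns 0 if the sequence is truncated, has a bad
   continuation byte, is overlong, encodes a surrogate, or exceeds U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, size_t len, unsigned long *cp)
{
    unsigned char c = s[0];
    size_t n;
    unsigned long v, min;

    if (c < 0x80) { *cp = c; return 1; }
    if ((c & 0xE0) == 0xC0)      { n = 2; v = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { n = 3; v = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { n = 4; v = c & 0x07; min = 0x10000; }
    else return 0;                          /* stray continuation byte or 0xF8+ */
    if (len < n) return 0;                  /* truncated sequence */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min || v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF)) return 0;
    *cp = v;
    return n;
}

/* Applies the three rules from the comment: no control characters, no leading
   dash, valid UTF-8. Returns FN_OK or the first rule violated. */
enum fn_status check_filename(const char *name)
{
    const unsigned char *s = (const unsigned char *)name;
    size_t len = strlen(name);

    if (len == 0) return FN_EMPTY;
    if (s[0] == '-') return FN_LEADING_DASH;
    for (size_t i = 0; i < len; ) {
        unsigned long cp;
        size_t n = utf8_decode(s + i, len - i, &cp);
        if (n == 0) return FN_BAD_UTF8;
        /* C0 controls (newline, tab, ...), DEL, and the C1 controls U+0080..U+009F */
        if (cp < 0x20 || cp == 0x7F || (cp >= 0x80 && cp <= 0x9F))
            return FN_CONTROL_CHAR;
        i += n;
    }
    return FN_OK;
}

/* Makes a name safe to pass to a child process as a positional argument: a name
   starting with '-' gets a "./" prefix, so "-rf" becomes "./-rf" and cannot be
   parsed as an option (the same effect as writing "rm ./*" instead of "rm *").
   Returns 1 on success, 0 if the result does not fit in out[cap]. */
int shell_safe_arg(const char *name, char *out, size_t cap)
{
    const char *prefix = (name[0] == '-') ? "./" : "";
    if (strlen(prefix) + strlen(name) + 1 > cap) return 0;
    snprintf(out, cap, "%s%s", prefix, name);
    return 1;
}

/* 1 if shell_safe_arg(name) produces exactly `expected`. */
int safe_arg_equals(const char *name, const char *expected)
{
    char buf[256];
    return shell_safe_arg(name, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample names, including the kind of leading-dash name an
       attacker can drop into a directory that a script later feeds to "rm *". */
    const char *samples[] = { "report.txt", "-rf", "a\nb", "caf\xc3\xa9",
                              "\xc0\xaf", "\xed\xa0\x80" };
    static const char *why[] = { "ok", "empty", "leading dash",
                                 "control character", "bad UTF-8" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %s\n", i, why[check_filename(samples[i])]);
    return 0;
}
```

The validator decodes before it checks, so an overlong encoding of '/' (`C0 AF`) is rejected as bad UTF-8 rather than slipping through as a harmless-looking pair of high bytes; the `./` prefix is the programmatic form of the `--` or `./*` idiom and works for tools that do not honour `--`.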

7.1 Billion People, 7.1 Billion Mobile Phone Accounts Activated

dwheeler Re:Sanity check (197 comments)

To be fair, the article itself does state that the 7.1B figure does not represent unique users or handsets in use. Instead, it says that "The number of unique users is now 4.5 Billion or 63% of all humans alive are actually users of mobile phones. The remaining 2.6 Billion accounts are second or third accounts for the same user... So 20% of us, one in five who has a mobile subscription or account, actually walks around with two phones (and at least two accounts)."

about 5 months ago

7.1 Billion People, 7.1 Billion Mobile Phone Accounts Activated

dwheeler Common situation: Work phone + personal phone (197 comments)

Lots of people I know have at least two phones. Heck, I personally have a "work phone" and a "personal phone". My company is a lot less worried about their data mixing with other stuff, especially when combined with additional sandboxing mechanisms like GOOD. It helps me, too. If some organizational data gets out, my employer can erase the phone without me worrying that they'll erase my stuff. Also, I'm a lot freer to install apps than I would be if my company controlled what could be installed on the device that also housed my company's data.

This isn't even unusual. Phones are small and cheap enough to have two. Software-based security mechanisms leak all the time; making things physically separate is far more effective if protecting data actually matters. Not everyone needs to do this, but it's fairly common when data confidentiality really matters.

about 5 months ago

One Month Later: 300,000 Servers Remain Vulnerable To Heartbleed

dwheeler Need to find vulnerabilities earlier (60 comments)

OpenSSL was actually examined by a lot of tools, but they all missed Heartbleed. My article How to Prevent the next Heartbleed lists approaches that could have found it. We need to improve how we examine this software so problems like this don't happen again.

about 5 months ago

How To Prevent the Next Heartbleed

dwheeler Preventable! (231 comments)

But that's the point, we can and should take measures to prevent it. Even if we never eliminate all vulnerabilities, we can prevent many more vulnerabilities than we currently do.

about 6 months ago

How To Prevent the Next Heartbleed

dwheeler Sure, but not in C (231 comments)

Agreed, but not in C. You need to change C (and modify the code to use the functionality) or change programming language. The article does discuss switching languages.

about 6 months ago

How To Prevent the Next Heartbleed

dwheeler Re:The LLVM static analyzer finds this bug. (231 comments)

"The LLVM static analyzer finds this bug. So would warning about dead code, since the code past the point of the second goto..."

Um, no. You're talking about the Apple "goto fail; goto fail;" vulnerability. That's a different vulnerability in a different program. They're both vulnerabilities in TLS/SSL implementations, but they are different programs.

about 6 months ago

How To Prevent the Next Heartbleed

dwheeler Re:Input fuzzing, if you know what's good for you. (231 comments)

"Profiling w/ 100% code coverage would have caught this bug." - No, code coverage would not have worked in this case. Since the problem was that code was missing, you can run every line or branch without triggering the vulnerability. For more, see: http://www.dwheeler.com/essays...

"Input fuzzing in the unit tests under memtest could have located this bug even faster." - No, not in this case. Fuzzers were countered because OpenSSL had its own set of memory allocators. When fuzzing you often are looking for crashes; to force buffer over-reads into a crash, the usual way to do that is to override memory allocation. Since OpenSSL managed its memory separately, the override had little useful effect. For more, see: http://www.dwheeler.com/essays...

about 6 months ago

How To Prevent the Next Heartbleed

dwheeler Re:Too much reliance upon testing tools (231 comments)

I'm really glad you're trying to think of alternatives. However, when you say: "1). Initialize all allocated memory. Routinely and automatically...." They did. But the Heartbleed bug let you see currently-active memory. In particular, you have to have the private key available somewhere so you can use it.

Some of the weirdness was due to the spec itself (RFC 6520). I agree that error avoidance is better than parameter-checking, but it's not clear that parameter-checking could have been avoided in this case. But that's certainly worth checking out.

about 6 months ago
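As an added illustration of the two points made in the last couple of comments (the bug was a missing check, so exercising every existing line cannot expose it; and the over-read returns whatever live memory happens to follow the record, so initialising allocations does not help), here is a small C model of an RFC 6520 heartbeat handler. It is not OpenSSL's code: the record layout (type, 16-bit payload length, payload, at least 16 bytes of padding) and the shape of the bounds check that was missing follow the RFC and the published fix, while the arena, the stale "secret" bytes and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "heap": the heartbeat record sits at the front and stale data
   from an earlier request follows it, as it would in a long-lived process. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static unsigned char reply[ARENA_SIZE];

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */

/* Builds a heartbeat request whose length field claims `claimed` payload bytes
   while the record actually carries the 4-byte payload "ping". Returns the
   true record length (1 + 2 + 4 + 16 = 23). */
size_t build_arena(uint16_t claimed)
{
    const char *stale = "session=deadbeef; -----BEGIN RSA PRIVATE KEY-----";
    size_t n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = HB_REQUEST;
    arena[n++] = (unsigned char)(claimed >> 8);
    arena[n++] = (unsigned char)(claimed & 0xFF);
    memcpy(arena + n, "ping", 4);       n += 4;
    memset(arena + n, 0, HB_PADDING);   n += HB_PADDING;
    memcpy(arena + n, stale, strlen(stale));   /* lives beyond the record */
    return n;
}

/* Pre-fix shape of the handler: the payload length is taken from the message
   and never compared with the record length, so memcpy reads past the record.
   (The out_cap check also keeps this demo inside the arena, so there is no
   undefined behaviour here; a real heap has no such fence.) */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    (void)rec_len;                          /* available, but not consulted */
    p += 2;
    if (type != HB_REQUEST || resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + 3, p, payload);            /* over-read when payload > actual */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed shape: silently discard the message unless header, claimed payload
   and padding all fit inside the record actually received. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    const unsigned char *p = rec;
    unsigned type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the missing check */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* 1 if needle occurs in buf[0..n) (memmem is not portable). */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Claim 64 bytes, send 4: the pre-fix handler echoes 64 bytes, including the
   stale secret that was never part of the request. Returns 1 if it leaked. */
int demo_overread_leaks(void)
{
    size_t rec_len = build_arena(64);
    int n = heartbeat_vulnerable(arena, rec_len, reply, sizeof reply);
    return n > 0 && contains(reply, (size_t)n, "deadbeef");
}

/* The same request against the fixed handler is rejected outright. */
int demo_fix_rejects(void)
{
    size_t rec_len = build_arena(64);
    return heartbeat_fixed(arena, rec_len, reply, sizeof reply) == -1;
}

/* An honest request (claims 4, carries 4) still gets its echo back. */
int demo_fix_accepts_honest(void)
{
    size_t rec_len = build_arena(4);
    int n = heartbeat_fixed(arena, rec_len, reply, sizeof reply);
    return n == 23 && !contains(reply, (size_t)n, "deadbeef");
}

int main(void)
{
    printf("vulnerable handler leaks stale data:  %d\n", demo_overread_leaks());
    printf("fixed handler rejects oversize claim: %d\n", demo_fix_rejects());
    printf("fixed handler echoes honest request:  %d\n", demo_fix_accepts_honest());
    return 0;
}
```

Note what the over-read does not do: it never faults, because everything it reads is mapped memory that some earlier request left behind. That is why a test suite that executes every line of heartbeat_vulnerable passes, why a crash-hunting fuzzer with OpenSSL's own allocator in front of it had nothing to report, and why zero-filling buffers at allocation time would not have kept the key out of the reply.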

How Concrete Contributed To the Downfall of the Roman Empire

dwheeler Ridiculous (384 comments)

This referenced article is ridiculous. First of all, the title says "Downfall of the Roman Empire", but Caesar FOUNDED the Roman Empire, so clearly it did not cause the empire's fall. I suspect they meant the fall of the Roman REPUBLIC, which preceded the empire. But it's still garbage. What most emperors wanted was power, not concrete buildings. The article doesn't even begin to make a connection between the two. If you want more about the history of the (Western) Roman republic and empire, listen to the AWESOME "The History of Rome" podcast: http://thehistoryofrome.typepa... It's fantastic.

about 6 months ago

Illustrating the Socioeconomic Divide With iOS and Android

dwheeler Screenshots are built into Android (161 comments)

There's no "app" for screenshots because it's built into Android itself, and has been since 4.0 (which was released many years ago). It's volume down + power button. Just Google for "Android screenshot".

about 7 months ago

New Apache Allura Project For Project Development Hosting

dwheeler Nonsense (43 comments)

This makes no sense. If you want to search for code, the obvious way to do it today is use Google or some other search engine. Tomorrow, the obvious way to do it... will be to use Google or some other search engine. You don't need a "federated search", you just need a good search engine. There are a number of code-specific search engines that already work today too, again, there's no need for one system to rule them all.

I think there's great advantage in having an OSS management system for managing OSS projects.

about 7 months ago

Submissions


New DoD memo on Open Source Software

dwheeler writes  |  more than 4 years ago

dwheeler (321049) writes "The U.S. Department of Defense (DoD) has just released "Clarifying Guidance Regarding Open Source Software (OSS)", a new official memo about OSS. This memo is important for anyone who works with the DoD (including contractors) on software and systems that include software, and may influence many other organizations as well. The DoD had released a memo back in 2003, but "misconceptions and misinterpretations... have hampered effective DoD use and development of OSS". The new memo tries to counter those misconceptions and misinterpretations, and is very positive about OSS. In particular, it lists a number of potential advantages of OSS, and recommends that in certain cases the DoD release software as OSS."