Comments


Lavabit Loses Contempt Appeal

gnasher719 Re:What are the "procedural mistakes"? (128 comments)

So roughly speaking, if a judge tells you to do something, and you think it is nonsense, and you just say "no, I won't do that", then you are in contempt. Even if you were right and what he told you was nonsense. If you tell the judge "what you are asking for is nonsense for these reasons ... so no, I won't do that", then chances are you are not in contempt.

2 days ago

How Apple's CarPlay Could Shore Up the Car Stereo Industry

gnasher719 Re:Wouldn't trust Apple (193 comments)

CarPlay is likely to assume integration with an iPhone. Fewer consumers have iPhones than have non-iPhones.

The number of consumers having each kind of phone doesn't matter. The number of consumers demonstrably willing to spend several hundred dollars matters.

Seriously, if you have one guy who paid $600 for an iPhone, and 10 guys who spent $100 for the cheapest Android phone they could find, who is more likely to spend $500-$700 on music in their car?

2 days ago

OpenBSD Team Cleaning Up OpenSSL

gnasher719 Re:What about a re-implementation... (287 comments)

But C++ gives you the tools to automatically catch various kinds of errors and memory leaks. If you use class destructors correctly, you can ensure that an object is automatically closed properly when it goes out of scope. There are a lot of standard classes such as smart pointers that are specifically designed with this kind of programming in mind. It's not 100% foolproof but it is a lot more reliable than having to remember to do it all manually in C (or C masquerading as C++).

None of these would have stopped the Heartbleed bug.

3 days ago

Jenny McCarthy: "I Am Not Anti-Vaccine"

gnasher719 Re:Why do people listen to her? (584 comments)

The only issue is: Are existing vaccines safe and could they be made safer?

The questions are: Is vaccinating a lower risk than not vaccinating? And: By spending the same amount of money, do we get more risk reduction by trying to make vaccines safer, or are there places where the money would be better spent?

4 days ago

Jenny McCarthy: "I Am Not Anti-Vaccine"

gnasher719 Re:Why do people listen to her? (584 comments)

The problem is: what constitutes "safe"? You're never going to have something that's completely safe, so it all comes down to probabilities.

If four million parents in the USA alone take their kids to be vaccinated, I'd be quite sure that some of them will die on their way in traffic accidents. So, just down to probabilities. Of course if you don't vaccinate them they could fall off a step ladder at home (which is a surprisingly high cause of death), so not vaccinating isn't safe either.

4 days ago

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

gnasher719 Re:Do I get this right: (56 comments)

The fact that they are re-issuing certificates clearly indicates that they were open to Heartbleed.

That seems to be the US thing, where trying to fix a problem is taken as admission of guilt. (I heard this weird story that US hospitals have a problem if one of their X-ray machines breaks and the replacement is a better model, because anyone examined using the older machines can claim they didn't get the best possible treatment).

4 days ago

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

gnasher719 Do I get this right: (56 comments)

So Akamai claims that they protected certificates in memory. So that would be independent of the Heartbleed bug, if we assume that Heartbleed only managed to report "unprotected" data. And someone found that the protection isn't as good as they thought it was. Still doesn't answer the question if the Akamai code was vulnerable to Heartbleed in the first place. (So that's similar to the claims that OpenSSL didn't use malloc and therefore data had less protection, which doesn't make the Heartbleed bug less bad, but could have protected some data).

4 days ago

Commenters To Dropbox CEO: Houston, We Have a Problem

gnasher719 Re:And the attempt to duplicate their efforts resu (446 comments)

Saddam's removal however, did have justifiable reasons, besides simply political incentive; he did commit crimes against humanity, and his treatment of his country was quite oppressive. In terms of crimes against humanity, the nations of the world had every right to remove him from power.

I don't feel one bit sorry that he is gone. However, what you say is not the reasons that were given for the US attack on Iraq, and the reasons that were given were rubbish.

about a week ago

IRS Misses XP Deadline, Pays Microsoft Millions For Patches

gnasher719 Bad math and assumptions (322 comments)

The amount mentioned is not what the IRS pays. It is what the article assumes, based on the number of PCs running XP and an estimated average price of $200 per PC. But contracts are negotiated individually. The British government pays less than $10 million for all their computers, which includes about 650,000 PCs running XP in the health service, more than 10 times as many as in the US IRS.

about a week ago

'weev' Conviction Vacated

gnasher719 What happens now? (147 comments)

From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

about a week ago

UN Report Reveals Odds of Being Murdered Country By Country

gnasher719 Re:Singapore (386 comments)

...except for where it gives the 13.8 figure right away in the second sentence of the article, and references it as a number estimated by the United Nations.

That's why you read things on wikipedia _carefully_. The number refers to the 1990's. And even though the number of executions was significantly higher back then, a little bit of maths with the data in the rest of the article shows this is still way off.

about a week ago

UN Report Reveals Odds of Being Murdered Country By Country

gnasher719 Re:Singapore (386 comments)

Singapore has 13.8 executions per 100,000 [wikipedia.org], which is more than the 12.5 murders per 100,000 in Africa (though I don't know the execution rate in Africa).

You are posting a link to wikipedia, which actually contradicts what you are saying. In the last 8 years, there have been 52 executions, or 6.5 on average per year. The population is about 5.3 million, which makes it about 0.12 executions per 100,000 per year, less than one percent of what you are saying. So were you just reckless with the truth, bad at maths, or trying to badmouth the country?

about a week ago

UN Report Reveals Odds of Being Murdered Country By Country

gnasher719 Re:I've made a decision (386 comments)

You could also move to Liechtenstein for example, there were 0 murders there, I don't know why Singapore is mentioned, perhaps the submitter is from there.

With Liechtenstein's small population, you'd expect that statistically they'd have zero murder years in most years, but an excessively high rate of one in 20,000 for some years.

about a week ago

Theo De Raadt's Small Rant On OpenSSL

gnasher719 Re:Why OpenSSL is so popular? (301 comments)

First, make sure that code that must be secure is transparent. That means little (or no) optimizations, standard calls to OS functions, and clearly structured. It's clear that the OpenSSL developers made their code more opaque than was prudent and the many eyes of open source land could not see through the murk. Yes, clearer code would mean that it ran more slowly and some folks would need to run a few more servers, but the security problem might have been uncovered sooner (or not have happened) if someone hadn't thought that performance was a reason to make the code more complex.

I think the developers thought their code runs slower if all variable names are single characters. Which isn't actually true. I had the joy to look through bits of openssl to figure out how some stuff worked, and it is just generally unreadable. Just writing down in the interface files what each function does would have helped as well.

Theo can complain as much as he likes about attack mitigation not working, but the fact is that this was a stupid bug which quite likely wouldn't have happened if struct members had had meaningful names that would have made it obvious that openssl sends more bytes back than it received.

I don't think that better code costs performance at all. Better code is so much easier to maintain, you have some spare time to make things quicker.

about a week ago

Theo De Raadt's Small Rant On OpenSSL

gnasher719 Re:not developed by a responsible team? (301 comments)

I understand Theo's point, to a certain degree I kinda understand it, but I'm more inclined to feel the problem is with OpenSSL's developers clearly not understanding the security concerns about malloc(). That is, if they were aware that OpenBSD's malloc() contained code to ensure against data leakage, it would seem to me to be highly probable they would have implemented the same deal in OpenSSL given, you know, their entire point is security. The fact they didn't makes me think they didn't know OpenBSD's malloc() had these measures in the first place.

Here is what happens, as far as I understand: a client sends two bytes of data to the server and asks the server to send the identical two bytes back to the client, to check that the server is still alive. That's how it works normally. A client could send 65,000 bytes and ask for the 65,000 bytes to be sent back, except that would be inefficient.

Instead, an attacker sends two bytes of data to the server and asks for the same 65,000 bytes back. The server stores the two bytes with a bit of overhead into a malloc block, creates a huge malloc block for the results, and memcpy's 65,000 bytes from the small malloc block to the huge one. 64,998 bytes that are copied are just whatever was in memory after that malloc block.

All the usual measures against buffer overwrites don't help, because there is no buffer overwrite. Nothing is destroyed on the server, instead it is tricked into giving information it didn't want to give. What could malloc do about that? A "free" and "realloc" implementation that sets memory to zero wouldn't hurt. Of course that doesn't help if the memory after the small malloc block is actually currently used. You'd need a malloc that will crash if you read past the end of a malloc buffer. That's hard to do efficiently.

about a week ago
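The heartbeat handling the comment above describes, as an added example in C that is not part of the original post and is not OpenSSL's code. It simulates the heap with a fixed arena (constructed data) in which the received record is followed by an unrelated secret, shows the handler pattern that trusts the client's claimed payload length, and beside it the hardened form with the kind of length check the fix introduced: reject any request whose claimed payload, plus the type, length and padding bytes, exceeds the record actually received. The names build_heartbeat, heartbeat_vulnerable, heartbeat_fixed and demo_leak are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_HEADER_LEN 3
#define HB_PADDING_LEN 16

/* Constructed "heap": the received record sits at the start, and whatever
 * else the process holds (here a labelled secret) follows it directly. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Write a heartbeat request to buf. real_len bytes of payload are actually
 * sent, but the length field advertises claimed_len. Returns bytes written,
 * or 0 if the record does not fit. */
static size_t build_heartbeat(unsigned char *buf, size_t cap,
                              const unsigned char *payload, size_t real_len,
                              uint16_t claimed_len)
{
    size_t rec_len = HB_HEADER_LEN + real_len + HB_PADDING_LEN;
    if (rec_len > cap)
        return 0;
    buf[0] = 1;                                  /* heartbeat_request */
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, real_len);
    memset(buf + HB_HEADER_LEN + real_len, 0, HB_PADDING_LEN);
    return rec_len;
}

/* The pattern the comment describes: the server believes the client's
 * length field and copies that many bytes out of the record's block.
 * rec_len, the number of bytes actually received, is never consulted.
 * Callers here size out to the arena so the copy stays inside it. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                               /* ignored: that is the bug */
    memcpy(out, rec + HB_HEADER_LEN, claimed);   /* reads past the record */
    return claimed;
}

/* Hardened handler: the claimed payload plus header and padding must fit
 * inside the bytes that were actually received, otherwise drop the request.
 * Returns the echoed length, or -1 when the request is rejected. */
static long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return -1;                               /* too short even for an empty payload */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len)
        return -1;                               /* length field is not backed by data */
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Reproduce the scenario: a 2-byte payload with a 40-byte claim, and a
 * secret living right after the record. Returns 1 if the vulnerable handler
 * echoed the secret, 0 otherwise. */
static int demo_leak(void)
{
    static const char secret[] = "SESSION-KEY";  /* constructed neighbour data */
    unsigned char out[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, sizeof arena,
                                     (const unsigned char *)"hi", 2, 40);
    memcpy(arena + rec_len, secret, sizeof secret - 1);

    size_t n = heartbeat_vulnerable(arena, rec_len, out);
    /* out = "hi", 16 padding zeros, then 22 bytes from beyond the record,
     * which begin with the secret. */
    return n == 40
        && memcmp(out, "hi", 2) == 0
        && memcmp(out + 2 + HB_PADDING_LEN, secret, sizeof secret - 1) == 0;
}

int main(void)
{
    unsigned char rec[ARENA_SIZE], out[ARENA_SIZE];
    printf("vulnerable handler leaked the secret: %s\n", demo_leak() ? "yes" : "no");
    size_t rec_len = build_heartbeat(rec, sizeof rec, (const unsigned char *)"hi", 2, 40);
    printf("fixed handler, 2 bytes sent / 40 claimed: %ld\n", heartbeat_fixed(rec, rec_len, out));
    rec_len = build_heartbeat(rec, sizeof rec, (const unsigned char *)"hi", 2, 2);
    printf("fixed handler, 2 bytes sent / 2 claimed:  %ld\n", heartbeat_fixed(rec, rec_len, out));
    return 0;
}
```

The demo also illustrates the comment's last point about malloc: the secret next to the record is live data, so a zero-on-free allocator would not have cleared it, and the only defence that works at the handler level is to compare the claimed length against the bytes actually received before copying anything.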

Scientists/Actress Say They Were 'Tricked' Into Geocentric Universe Movie

gnasher719 Re:where is the controversy? (639 comments)

"The sun rises and the sun sets, and hurries back to where it rises." - Ecclesiastes 1:5

That is a lot stronger than geocentric. It claims that the sun circles around the earth _once a day_. Even with a geocentric model, that's insane. It would be much more likely that the earth rotates about once a day, and the sun rotates around it once a year. You could just for fun calculate the centrifugal force.

about a week ago

Should Microsoft Be Required To Extend Support For Windows XP?

gnasher719 Re:What is freedom (645 comments)

I suspect both Stallman and Torvalds would strongly object to being mixed together like that :-)

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

gnasher719 Re:Implied warranty. (645 comments)

In the state of Maine we have an implied warranty law that states that if an item fails to function as advertised due to a manufacturer's defect within 4 years the consumer can initiate legal action against the manufacturer.

You'd have to show then that any bugs actually stop the item from functioning as advertised. And there is a difference between "can initiate legal action" and "can win a case".

And can I just say that I'd like to see some actual text of that law? Since most of the time seller and manufacturer are not the same, and the seller does the advertising, I can't imagine you could hold the manufacturer responsible for claims that the seller made. If PCWorld claims that Windows improves your success with women and you still don't get laid, could you sue Microsoft about that?

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

gnasher719 Re:Microsoft still provide support for Windows XP (645 comments)

There is no monopoly. There are alternative OSes you can install on the exact same hardware.

Doesn't actually matter, because Microsoft isn't trying to sell Windows XP to anyone.

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

gnasher719 Re:Depends (645 comments)

Actually, consumer protection laws would say different. After all these are not upgrades we are talking about. These are repairs to existing defects.

You are simplifying too much. In UK consumer law for example, a product isn't required to be free of defects - it must be of sufficient quality to be sold. If there is a bug that nobody has noticed for ten years, you can't really argue that this makes the product "not good enough to be sold".

about two weeks ago
