Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

In France, Most Comments on Gaza Conflict Yanked From Mainstream News Sites

grcumb Re:Or maybe you're not so good at math (340 comments)

Ireland didn't do anything remotely like what Hamas is doing to Israel. If it did, you would have seen the relevant bits of Ireland flattened like what England helped do to Nazi Germany.

I don't really have a side in this argument. But I do feel compelled to mention that England absolutely did terrible, terrible things in trying to quell the Irish problem. Oliver Cromwell famously said that Catholics were welcome to go to 'Hell or Connaught' as he drove them from the Pale. (Those of you who can see beyond the postcard photos will know that Connaught is close enough to Hell when you're trying to work a farm.)

The potato 'famine' was a direct result of predatory practices put in place by the British and Anglo-Irish to keep the Irish poor and desperate. Over a million people died. But this practice had been going on for years and years beforehand. Deacon Smith's A Modest Proposal , considered one of the greatest examples of satire in the English language, was a direct response to the appalling depredations of the landlord class in Ireland.

In fact the intransigence of the problem of Northern Ireland is a direct result of the British relocating large numbers of people (mostly Scots) to Ulster in order to create a 'buffer' population. Now, 400 years on, they have a very similar problem to that experienced by the Israelis, who tragically are using almost exactly the same tactics to deal with it, proving that they've failed to learn a thing from the fight for Irish independence.

6 hours ago
top

No RIF'd Employees Need Apply For Microsoft External Staff Jobs For 6 Months

grcumb Re:Considering the success of Microsoft's Mobile I (277 comments)

Grandma's still got a chance of being raped if those frat boys are drunk enough and high enough.

... Which pretty much explains every 'Enterprise IT' purchasing decision ever.

about a week ago
top

Pushdo Trojan Infects 11,000 Systems In 24 Hours

grcumb Re:Missing information (32 comments)

Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows.

This propagation rate is positively tiny. Honestly, I don't know why it's even part of the headline. For context, this paper (PDF, sorry) shows Code Red infecting over 500,000 machines in an hour.

If 11,000 machines in a day is an event, then we should all be sitting back and breathing a sigh of relief that the bad old days are over....

(Not that I believe that they are. I just don't see any reason for the breathless headline.)

about two weeks ago
top

NSA Says Snowden Emails Exempt From Public Disclosure

grcumb Re:The Existence of a "United States of America" (231 comments)

You are a citizen who cares more about your children's survival than the survival of Freedom and the well being of millions. In other words you aren't merely part of the problem, you are the problem.

You could happily sit in the company of many of history's great men. The too were willing to sacrifice countless lives for some lofty goal.

Is there any benefit too small, in your mind, for my kids to die supporting it?

It's worth noting that most revolutions happen when the only way remaining to provide for and protect one's children is to take up arms or man the barricades.

... And most of them are won by the side most able to protect its children.

about two weeks ago
top

Elite Group of Researchers Rule Scientific Publishing

grcumb Re:Just an opinion... (123 comments)

...and a negative one at that.

Could it ever possibly be that these scientists who "dominate" the scientific publishing are actually worthy of such a thing?

Indeed. And besides, compared to the star system in Hollywood, for example, this is downright democratic.

The intellectual penury that comes with serving with a leader in a given field seems to be gladly endured by most young researchers. This story ignores the fact that, although the senior researcher's name may be at the top of the paper, the junior researcher's name is right there below it.

It's a bit like an actor accepting a lesser credit in order to appear in a bigger film.

about two weeks ago
top

Python Bumps Off Java As Top Learning Language

grcumb Re:Java or Python (415 comments)

The ability to seamlessly use + with mixed text and numeric types in a language without explicitly declared types is usually considered a design flaw, not a positive feature. Perl uses separate operators for strings vs. numbers to avoid ambiguity....

Though in fairness, it should be mentioned that, as with other aspects of the language, Perl also assumes that you are using the right operator, and that you actually mean what you wrote:

perl -e 'print "x" + 1;'
1

Or, even better:

perl -e 'print "x" x 22;'
xxxxxxxxxxxxxxxxxxxxxx

about three weeks ago
top

'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

grcumb Re:say wha? (68 comments)

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place.

ummmm what? english please!

The code sneaks a Flash file disguised as a URL into some JSON data and cons the browser into treating it as JavaScript, but on the local machine it acts like an HTML <OBJECT>, and because the browser is executing the Flash code locally now (due to the masquerade), it can run with greater privileges than if it were from a remote site.

Or in layman's terms: Flash totally sucks the suckage, dude. Always did. Still does.

about three weeks ago
top

Shark! New Sonar Buoy Will Warn Beachgoers When Large Sharks Are Near

grcumb Re:What about false positives... (55 comments)

Consider the actions if a cretan like Rush Limbaugh was to paddle by...

How would the sensor decide if it was a cretan, a cetaceans or a chondrichthyes?

Clearly, they would know that a Cretan is just a Minoan a large pool.

about a month ago
top

Ask Slashdot: Choosing a Web Language That's Long-Lived, and Not Too Buzzy?

grcumb Re:Perl with Mojolicious (536 comments)

Very powerful and very flexible, without the heavy lifting of many frameworks. We use on a large ISP as RESTFull Server.

Seconded.

Mojolicious is an excellent back-end or middle layer (depending on your data needs), mostly because it removes the need for many of Perl's more infamous convolutions and contortions. With a bit of Bootstrap and/or AngularJS on the front end, you can get a useable online service put together in a very limited amount of time.

about a month ago
top

Swedish Farmers Have Doubts About Climatologists and Climate Change

grcumb Re:People living in the polar regions (567 comments)

...don't believe in Global Warming

Film at 11.

Well, to be fair, climatologists have always been a little dubious about Swedish farmers, too....

about a month ago
top

SpaceX Delays Falcon 9 Launch To Tuesday

grcumb Re:This is how rockets work.... delays happen (43 comments)

It is almost like reporting that a thunderstorm was spotted in Florida today. Is that news?

As a pilot once sagely put it: Take-off is optional. Landing is compulsory.

about a month ago
top

Google Engineer: We Need More Web Programming Languages

grcumb Re:Why? (309 comments)

Genuine question, here, since I've never done any web dev. Why not write libraries in an existing language that spit out HTML/Javascript/PHP/whatever? Why do we need a new language to do this?

Sit down, my child. This may take a while....

I started writing web apps in 1994. Using CGI.pm in Perl was pretty much state of the art - and the art wasn't very pretty. ColdFusion appeared shortly thereafter, but only supported basic control structures - no functions or even subroutines at the start. Then came ASP and a disastrous mishmash of security holes, ActiveX objects being called from the only thing worse than PHP for tag soup with spaghetti code for filler. PHP, for our sins, went from being a 'hey, kids, look - I made a web page!' app to an actual application platform.

.. and the list goes on.

I've lived through the browser standards wars, I've seen such sins committed in the name of the Web that I would wake up screaming, 'Why, Tim Berners Lee?!? WHY???!!' I've lived through <BLINK>, Flash, animated GIFs, <MARQUEE>... and other monstrosities whose names Shall Not Be Spoken.

I've used JavaScript since it was a toy.

But this, my child, is the key: It's not a toy any more. Finally, after two decades of stumbling around blindly, wreaking more chaos and mayhem than a shirtless, drunken Australian on a JetStar weekend in Bali, web development has finally matured. A bit. It's learned that being cool doesn't earn you nearly as many friends as being useful. It's learned that a guy's gotta eat, fer Chrissakes, and sleep from time to time. It's learned that popsicle-stick bridges may be neat, but won't carry the load that a boring old concrete one will.

But, as the scripture says, 'then I put away my childish things.' Oh, it's true that just because we've grown up doesn't mean we've learned every lesson ever. It's true that we Web Developers still get seduced by Teh Shiney. But all in all, we've grown; we've lost our innocence and our hair. But we sleep at night. And we parallelise. And we scale. We're grown-ups now. With grown-up tools.

So put down your PHP child. It's really just Poorly Hung Perl. Accept that JavaScript is a language. REST in your Bower and accept that some change is for the better.

about a month and a half ago
top

South African Schools To Go Textbook Free

grcumb Re:I don't like this. (76 comments)

I'm old and I don't like this. Fuck progress.

I couldn't agree more about Slashdot curmudgeonery, but the real problem is when that quote comes from the mouths of teachers. Which it all too often does.

Based on my experience (10+ years) working in ICT in a developing country, I think that this plan is:

1) Very audacious; and
2) Very likely to fail. These things work well in micro scale (because of committed individuals), but are very hard to systematise, because of 'I'm old and I don't like this.'

about a month and a half ago
top

Electric Stimulation Could Help You Control Your Dreams

grcumb Re:insert PKD joke here (138 comments)

Torn between "Do androids dream of electric sheep" joke and a "we'll remember it for you wholesale" one.

I was thinking more about tweaking the summary to read:

"Researchers recruited 27 men and women to spend several nights in a sleep lab, located on Elm Street. Each night, the surviving volunteers were plunged into REM sleep..."

about 2 months ago
top

Programming Language Diversity On the Rise

grcumb Re:A good sign (177 comments)

not when you start to have too many tools.

part of your value is being experienced in a language. you can't do that if you are spread thin amongst too many.

As a 50-year-old, I'm inclined to agree with the statement that there is such a thing as too many tools, but not for the same reason. Expertise and experience are important, no question about that. But both are often easily transferred from one language or framework to the next. For my part, I'm quite enjoying working with NodeJS, Angular, NoSQL and a bunch of things that take significantly different approaches to problems I've been solving my entire career.

But a problem I face quite often these days is trying to apply the toolkit approach with newer software. On any decent POSIX-supporting platform, you can generally leverage libraries and modules for just about anything and still expect at least a modicum of consistency. Each tool has its own quirks and foibles and strengths, all of which need to be understood, but with a bit of time and perseverance, these can be coped with.

But the application I'm working on right now requires the integration of an Angular framework with UI elements derived from JQuery, D3 and Bootstrap as well as one or two products of the inspiration of some young developers who are clever but sadly too confident in their own abilities. Trying to reconcile them all has resulted in a LOT of time spent pondering, refactoring and coping with bugs that inevitably result from using the tool in a way that wasn't foreseen by enthusiastic but inexperienced developers.

So far, the benefits have outweighed the costs, but there's a fine line between saving time by appropriating others' tools and wasting time shaving a very big, hairy yak.

I like many of the new technologies I'm using, and I love learning new tricks, notwithstanding the few grey hairs remaining on my shining dome. But yes, there is such a thing as too many tools. And many young developers these days are going to have to learn that the hard way.

about 3 months ago
top

Richard Stallman Answers Your Questions

grcumb Re:alternative to (C) that protects freedoms? (394 comments)

2) Publisher B wants a cut of the profits and so makes a run of the books with their own cover art. However, they put the author's name on the cover. They don't sign a deal with the author or give him any money.

This (specifically #2) is what originally spawned copyright.

Not to take away from your argument, but that statement is incorrect. The very first copyright law was "An Act for preventing the frequent Abuses in printing seditious treasonable and unlicensed Bookes and Pamphlets and for regulating of Printing and Printing Presses."

In other words, its original motivation was to limit the ability of people to print whatever they liked - in other words, an engine of censorship.

The US Constitution framed the rationale for copyright differently, as did French copyright law, which introduced the concept of 'droits d'auteur', or authors' rights.

about 3 months ago
top

Netflix Pondering Peer-to-Peer Technology For Streaming Video

grcumb Re:Oh No (114 comments)

Yet another answer for "Why is my hard drive going constantly?"

Don't worry, they're going to name the executable 'System Idle Process'. :-)

about 3 months ago
top

Hulu Blocks VPN Users

grcumb Re:I don't think, they worry about non-US users (259 comments)

Why, when Hulu detects a visitor arriving from a country other than the United States, does it not refer the user to the licensee doing business in that particular country?

Because for the majority of the world's population, there simply is no legal way to obtain this stuff. I live in a country where the majority of the population cannot get a credit card, and for whom internet is a luxury beyond the means of most. But even for people like me who have full-time access, the prospect of actually paying for things is a daunting one. Many companies simply won't accept my credit card; virtually none of them ship to my country, and a number of software makers (I'm looking at you, Apple & Adobe) don't even admit that my country exists.

Someone who goes to the lengths required to maintain a VPN presence and a subscription should be welcomed by the industry, not cast out. But instead they drive us back to our shonky screeners purchased for a buck at the local Chinese store.

about 3 months ago
top

Google's New Camera App Simulates Shallow Depth of Field

grcumb Re:Why? (127 comments)

lenses that can achieve a narrower field of focus are the more expensive ones, so there is established artistic value.

I'm not really taking issue with your conclusion, but a decent quality 50mm lens (widely known as a portrait lens because of its shallow depth of field) can be got new for about $200. And I got a beautiful 1984-vintage 105mm prime lens for $250 a few years back. It's an exception to the rule, yes, but sometimes the glass is less expensive than the camera body. That said, if you've got good lenses, they can make up for a lot of shortcomings in the camera body.

My own feeling about algorithms such as this is that they'd be better off chasing the ideal of perfect focus for everything - or better yet, for pseudo-3D renderings - those would be more desirable goals, IMO. I suppose it's possible to get the same effect as really good glass, but something tells me the laws of physics (well, optics) will always win over computed logic.

about 3 months ago

Submissions

top

Android Ice Cream Sandwich Source Released

grcumb grcumb writes  |  more than 2 years ago

grcumb (781340) writes "Looks like the folks at Google have made good on their promise to release the Android 4.0 source code. Android software engineer Jean-Baptiste Queru writes: "Hi! We just released a bit of code we thought this group might be interested in. Over at our Android Open-Source Project git servers, the source code for Android version 4.0 (Ice Cream Sandwich) is now available."

"This is actually the source code for version 4.0.1 of Android, which is the specific version that will ship on the Galaxy Nexus, the first Android 4.0 device. In the source tree, you will find a device build target named "full_maguro" that you can use to build a system image for Galaxy Nexus. Build configurations for other devices will come later."

If the Cyanogen elves get busy Daddy just might be getting a new ROM for Christmas...."

Link to Original Source
top

Economist Mag Profiles "Wireless Carrier-Pigeons"

grcumb grcumb writes  |  more than 3 years ago

grcumb (781340) writes "The Economist magazine is running a brief profile of Digicel, a 'minnow' in the wireless telecoms market that has distinguished itself by setting up shop in some of the most unlikely (and dangerous) markets in the world, including Haiti and Papua New Guinea, whose capital, Port Moresby, has one of the highest murder rates in the world.

"If you just focus on risk, you can't do a thing," said Digicel's billionaire president Denis O'Brien in a 2008 Forbes profile. But O'Brien's small-market revolution should teach us another lesson, too: Traditional economic analysis doesn't work when it comes to communications. Telecommunications is a supply-driven economy. If you build it — no matter where you build it — they will come.

Now, if someone could just teach the North American telcos this...."
top

Anonymous Coward or Corporate Troll?

grcumb grcumb writes  |  more than 6 years ago

grcumb writes "In a recent article on Alternet, Annalee Newitz writes to report that our perception of the typical anonymous poster as a fat, half-naked basement dweller with a grudge is nearly 100% wrong. Virgil Griffith's WikiScanner site exposes the surprising truth: The majority of dishonest edits and omissions on wikipedia derive from corporate and government IP addresses. In Annalee's words: 'It turns out that the people who are hiding behind anonymity online for nefarious or selfish reasons are not little guys in pajamas but the very bastions of accountability that haters of the Web have deified.'"
Link to Original Source
top

AT&T Practices Political Censorship

grcumb grcumb writes  |  more than 6 years ago

grcumb writes "Pearl Jam reports that their live webcast from Lollapalooza was censored by AT&T. The statement on the band's website outlines their concerns in the context of the ongoing Net Neutrality 'debate':

"AT&T's actions strike at the heart of the public's concerns over the power that corporations have when it comes to determining what the public sees and hears through communications media.

"Aspects of censorship, consolidation, and preferential treatment of the internet are now being debated under the umbrella of "NetNeutrality." Check out The Future of Music or Save the Internet for more information on this issue.


It's refreshing to see that at least some of our media darlings have a clue about what this debate is about,"

Link to Original Source
top

France: Surrender Your Blackberries!

grcumb grcumb writes  |  more than 7 years ago

grcumb writes "Le Monde has published a story claiming that French defence officials have asked all senior functionaries in the French government to stop using Blackberries wireless mobile devices. Fears that the US-based mail servers supporting the service could lead to systematic eavesdropping by US intelligence agencies led to the drastic move. From the AP story:

"It's not a question of trust," Mr. Lasbordes told The Associated Press. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

Research In Motion, makers of the Blackberry device, claim they couldn't read the emails even if they wanted to: "No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution,"

Apparently, nobody at RIM has ever worked at the NSA."

Journals

top

Flickr: Flunkr

grcumb grcumb writes  |  more than 5 years ago

About once a month or so, I'm tempted to dump 25 bucks on Flickr to upgrade to a 'Pro' account, just so I can plop more than 200 photos into that particular bucket. I admit I've been on the cusp a couple of times.

But I never do. The plain fact is that Flickr is a terrible photo viewing interface.

White, what?

A bright white background is possibly the worst neutral background they could have chosen. White washes out colours and destroys one of the things that I personally love best: subtle shading on very dark and earth-toned pictures. It's got the point where a lot of self-respecting photographers actually have a 'View on Black' link, pointing to one of several services that do nothing other than render the very same photo with a dark background. The difference is stunning.

But Flickr, in its infinite marketing wisdom, would rather emulate Google's 'any colour as long as it's white' mantra. In Google's case, there's wisdom in the approach; they are a utility, like power or water, not a creative service. Flickr does not benefit in the least from an engineer's design sense, and it's high time someone told them that.

One Hundred's Spartan

When viewing photos in groups - or any aggregation, for that matter - one is usually presented with a hodge-podge of 100 pixel thumbnails. Viewing photo sets is even worse. the screen is filled with a patchwork quilt of arbitrarily cropped 75×75 pixel postage stamps. No, wait, I take that back. Postage stamps are larger.

I can't imagine a worse fate for any decent photo. To be reduced to a smudge of light among dozens or hundreds of others on a glaring white page. I'm not sure even Ansel Adams could survive that.

Of course, there are some photos that do just fine in such an environment. Too often, they're from the 'Ooh Shiny!' school of art. To everyone's credit, some genuinely lovely photos can be found, if you know where to look. But they're lovely in spite of Flickr, not because of it.

There are any number of technical arguments for crowding dozens of blots of colour together and call them a collection, but none of them wash when it comes to aesthetics, or even usability, for that matter.

Cliqr

Flickr's groups are subject to the same AOL-ish devaluation that most large scale communities suffer from. The absolute preciousness of users who troll through other galleries, bestowing silly trophy and ribbon icons on pretty photos in a desperate attempt to burnish their collective karma by associating with only the best types... it's off-putting in a way that I'd rather not characterise in a public medium.

Let's just leave it at this: Any group of more than a few dozen people who are mostly unknown to one another can never merit the descriptor 'exclusive'.

Worst of all, Flickr is a vortex. It's a gravity well whose debris can be found throughout the Web, but which is entirely self-referential. Once you're in there, you don't come out. I've had over 14,000 visitors to my main photo stream, yet a mere 18 referrals from Flickr show up in my imagicity.com server logs. People who use Flickr don't go elsewhere.

Flickr, in other words, is good for Flickr. Any benefit that derives to individual photographers seems to be purely coincidental.

Flunkr

All of of this isn't Flickr's fault, per se. The fault lies in our technical inability to render - and more importantly, to manage - images efficiently through a standard GUI, and to share them effectively.

It seems almost paradoxical. Digital technology has allowed revolutionary advances in photography. It has made possible one thing that I love more than any: the ability to draw with light rather than pigment. Sometimes when I'm engrossed in my work I find myself getting almost drunk on colour. There is nothing more rewarding than watching a well-built slide show wash the room with light and shape, to see human vision captured, distilled and transformed in the process.

It astounds me, therefore, how poorly most websites handle photos.

But this is the environment that Flickr has chosen. With few tools to effectively deal with social economies of scale, people are left to their own devices, so they crowd together (as people always do), creating cacophony where contemplation might once have been. Flickr has embraced (in the embarrassing cloying-college-drinking-buddy sense of the word) conventional wisdom with regards to UI, and have spent all their effort on the engineering challenge of handling photos in volume. They've tacked on a few trendy bloggy/webbish bits, like tagging with keywords and location data, but done nothing whatsoever to innovate how photos are viewed.

And that, it seems to me, should be the very essence of innovation where photography is concerned.

I won't demur for a moment if you counter that thumbnails are a necessary evil, that larding a page up with binaries slows down load times, that we're unfortunately bound by the lowest common denominator where display and download capacity are concerned. Nor will I argue if you express admiration for their ability to handle the data volumes that they do. Just storing and serving up 2 billion photos is a decidedly non-trivial task.

But let's be clear here: I expect more from Flickr. I judge them by a higher standard.

They want to set themselves apart? Then let them deal intelligently - dare I say it? creatively - with their popularity. The engineering challenge is interesting; I'll be the first to admit it. But dammitall, this is a photography site. It's for creative people. Is it too much to ask that they should actually take a little of their revenue and use it for basic research and innovation? Where's the research into lossless compression, peer-to-peer content distribution, point-and-click monitor calibration, optimal display environments, click-and-drag online image resizing? Where's the community for UI geeks?

How many of Flickr's 10-30 million monthly visitors have paid accounts there? My guess would be: Several. Surely some of that revenue could go into renewal, exploration and invention.

Perhaps it's no surprise that Flickr founders Catarina Fake and Stewart Butterfield left Yahoo! just as soon as they reasonably could. I don't doubt for a moment that they've thought a great deal more about these issues than I have. Perhaps they'll be the ones who manage to pull a rabbit or two out of their digital cap.

If they do, they'll get my money, too.

top

Steaming Piles

grcumb grcumb writes  |  more than 6 years ago

[Cross-posted from the Scriptorum.]

Sometimes you have to destroy the document in order to save it....

I give up. I can't support OpenOffice Write any more, and it's nobody's fault but their own. For anything more than simple tasks, the application is terrible. Their only saving grace is that Microsoft Office has its own brand of polished turd, named Word. Collectively, they are racing to the bottom of a decade-long decline in useability.

No, that's too generous. The thing is, they're at the bottom. They are useless for any but the most trivial tasks, and the most trivial tasks are better accomplished elsewhere, anyway.

Yes, I'm ranting. Let's put this into a proper context:

I hate word processors. For any but the simplest tasks, their interfaces are utterly ridiculous. I haven't liked a word processing interface since WordPerfect circa version 5, and if I had my own way, I'd author all my documents in either emacs or vi, depending on the circumstances.

Why do word processors suck so badly? Mostly, it's because of the WYSIWYG approach. What You See Is What You Get, besides being one of the most ghastly marketing acronyms to see the light of day in the digital era, is ultimately a lie. It was a lie back in the early 1990s when it first hit the mainstream, and it remains a lie today. The fact of the matter is that trying to do structuring, page layout and content creation at the same time is a mug's game. Even on a medium as well understood as paper, it's just too hard to control all the variables with the tools available and still have a comprehensible interface.

But the real sin that word processors are guilty of is not that they're trying to do WYSIWYG - okay it is that they're trying to do WYSIWYG, but they way they go about it makes it even worse. Rather than insisting that the user enter data, structure it and then lay it out, they cram everything into the same step, short-circuiting each of those tasks, and in some cases rendering them next to impossible to achieve.

Learning how to write, then structure, then format a document (or even just doing each through its own interface) is easier to learn and easier to accomplish than the all-in approach we use today. For whatever reason, though, we users are deemed incapable of creating a document without knowing what it's going to look like right now, and for our sins, that's what we've become. And so we are stuck with word processors that are terrible at structuring and page layout as well as being second-rate text authoring interfaces. They do nothing well, and many things poorly, in no small part because of the inherent complexity of trying to do three things at once.

It doesn't help that their technical implementation is poor. The Word document format is little better than a binary dump of memory at a particular moment in time. For our sins, OpenOffice is forced to work with that as well, in spite of having the much more parse-worthy ODF at its disposal these days.

There's no changing any of this, of course. The horse is miles away, and anyway the barn burned down in the previous millennium. The document format proxy war currently underway at the ISO is all the evidence I need to know that I'll be dealing with stupid stupid stupid formatting issues for years to come. I will continue to be unable to properly structure a document past about the 80th percentile, which is worse than not at all. I will continue to deal with visual formatting as my only means to infer context and structure, leaving me with very little capacity to do anything useful with the bloody things except to print them out and leave them on someone's desk.

Maybe I'll just stop using them at all. Maybe I'll just start doing everything on the web and never print again. I'm half serious about this, actually. At least on the Web, the idea that content and presentation are separate things isn't heresy. At least on the Web, I can archive, search, contextualise, comment, plan, structure and collaborate without having to wade through steaming piles of cruft all the time.

At least on the Web, I can choose which steaming piles I step into.

I'm going to start recommending people stop using Word as an authoring medium. There are far better, simpler tools for every task, and the word processor has been appropriate for exactly none of them for too long now. Sometimes you have to destroy the document in order to save it.

top

Trust Works All Ways

grcumb grcumb writes  |  more than 6 years ago

[Cross-posted from the Scriptorum.]

The Debian OpenSSL vulnerability apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it?

Over the weekend, I've been thinking about last week's disclosure concerning Debian's OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.

There's a pretty good subjective analysis of the nature of the error on Ben Laurie's blog (thanks, Rich), and of course the Debian crew itself has done a fairly good job of writing up the issue.

The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I'm told, included every single possible key value that the Debian OpenSSL package could conceivably create.

The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?

My hypothesis - sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn't notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.

The change itself was small, but not really obscure. It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.

In all this time, apparently, nobody using Debian's OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be. That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the same trust in the software, then I'd venture to state that there's a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:

Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort.

P.S. Offhand, there's one circumstance that I think could undermine the credibility of this speculation, and that's if there's any link between this report of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.

Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...