
Smartphone Kill Switch, Consumer Boon Or Way For Government To Brick Your Phone?

grcumb Re:Why such paranoia ? (267 comments)

So your situation is something you saw on 24?

Unless the guy is live streaming 24/7 then your goon can brick the whistleblower's phone with an actual brick.

Also, look at real whistleblowers and try to explain how the government would have stopped Snowden with this power? Stop imagining spy drama fiction.

They wouldn't stop Snowden (only) with this. They would, however, be able to keep the story about what's happening in Ferguson, MO (for example) from ever trending on Twitter, simply by killing every phone talking to a particular tower.

To be clear: I'm not suggesting the Feds (black helicopters and all) would do it. I'm suggesting the enlightened minds of the Ferguson Police Department, who have already demonstrated the depth of their acuity, would be perfectly willing to use such a tool, if it were (somewhat) legally available to them.


Facebook Tests "Satire" Tag To Avoid Confusion On News Feed

grcumb Re:BRILLIANT (131 comments)

[satire]That's a fucking brilliant idea! I really really really mean it. Sincerely.

I think that's sarcasm, not satire.

Is it? I wasn't aware. Clearly sarcasm must have some association with satire, because making sardonic statements seems to be the first thing I want to do when I'm writing satire. Then I take someone's stupid idea, and extend it, by including absurd examples of where their (il)logic would/should take them....

... Which I did on the very next fucking line.

Stephen Colbert's show is satire of Bill O'Reilly.

Do tell. Next you'll be telling me that The Daily Show isn't real news.

Because Jon Stewart never uses sarcasm when he indulges in acts of satire.

P.S. I'm still being sarcastic. And by aping your tone, satirical, too.

3 days ago

Facebook Tests "Satire" Tag To Avoid Confusion On News Feed

grcumb BRILLIANT (131 comments)

[satire]That's a fucking brilliant idea! I really really really mean it. Sincerely.

But don't forget the [lies-all-lies], [am-i-boring-you-yet], [pandering-listery], [corporate-shilling] and [too-stupid-even-for-you] prefixes.

3 days ago

Bezos-Owned Washington Post Embeds Amazon Buy-It-Now Buttons Mid-sentence

grcumb Re:So what's the problem here? (134 comments)

Nobody is forcing you to read the Washington Post. Nobody is forcing you to buy anything from Amazon. You can easily avoid both of them, if you want, without any harm or negative effects to yourself. So what's the big deal here?

Just because neither of us hangs out with him doesn't mean I don't get to tell you what a giant douchebag Jeff Bezos is. That's one of the joys of the First Amendment, my friend! Freedom of speech is the freedom to bitch inanely about things that don't directly affect you.

You, of course, are equally free to tell me to shut the fuck up, or to take your own advice and not bitch about something that doesn't interest or affect you....

... But if you do decide to keep talking about the problem, and maybe even about how to address or resolve it, then you see the true glory of Open Public Dialogue - the very thing that makes Slashdot such a lovely place to be. :-)

And no, I am not being in the least bit sarcastic, Sheldon.

4 days ago

Knocking Down the Great Firewall of China

grcumb Re: Who gives you the right? (165 comments)

For the record, this is the 'Great Satan' argument. By castigating outside influences as Other, and associating them with a group or nation that the populace has been indoctrinated to hate, it's possible to reject an idea without ever actually considering the merit of the idea itself. Thanks to the hard-working censorship peons from the People's Republic of China for this updated version. The Iranian one was getting old, and we're WAY past blaming the Jews.

4 days ago

Watch a Cat Video, Get Hacked: the Death of Clear-Text

grcumb Re:https is useless (166 comments)

TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

Okay, so go back to the top of my post and read it again for my response to 'It's too hard.' :-)

If you think that 'just fix everything' is what I'm saying, then you haven't even done me the justice of thinking about what I'm suggesting. I am saying that we geeks should know better, that we should do what we did in the 80s and 90s and turn our collective back on the well-trodden path and build our own internet, only this time with hookers and blackjack. Then I offered a few key suggestions about things we as geeks could fairly easily work on to move us in that direction.

To assume that I simply want to snap my fingers and effortlessly get all that and a pony is to fundamentally misunderstand what it is to be a geek. We build things for ourselves. When things don't work the way they should, we change them.

Now, I'm not suggesting you're not a True Geek (or Scotsman, for that matter). I'm just saying that if you're going to say 'too hard' about a situation such as this...

... No, fuck it. I am saying you're not a Real Geek :-)

5 days ago

Watch a Cat Video, Get Hacked: the Death of Clear-Text

grcumb Re:https is useless (166 comments)

Going to slashdot is safe? No SSL here.

GCHQ has already spoofed Slashdot in the past. So no, going to Slashdot is not safe.

If they want you, they can't get you?

All right then. Let's all just roll over and die, why don't we?

Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:

  • Stop making it easy on them. Stop using Windows. Seriously. Understand that what's convenient for you is often convenient for them.
  • Stop using proprietary software at all. Yes, yes, HeartBleed nothing is safe bla bla bla. I'm not talking about safe, though; I'm talking about safer. And FOSS is, objectively, a safer environment, and will remain so even after it becomes popular.
  • Start building and using federated, encrypted, decentralised, peer-to-peer systems. I honestly don't know why geeks didn't do this years ago, but why the fuck is Facebook the state of the art in social media? I mean, seriously. It's not only a privacy disaster area, it's a badly polished piece of shit to boot. We know that They don't like TOR because it's harder for Them. We know that They don't like bittorrent because it's harder for Them. So why the fuck are we not taking a clue from that and creating a UseNET we can go back to? I mean, I get why the peons don't, but we're geeks, for fuck sake. That used to mean something.
  • Start re-imagining an internet whose physical characteristics resemble its protocols. At the outset, we thought it would be cool to have generic protocols that ran more or less transparently on any old network at all. What we didn't realise was that just because stupid networks were possible, that didn't mean they were inevitable. The whole ICANN/ITU fiasco is all the evidence we need to see that the world's telcos have begun to realise how much ground they've lost and they want it back. But that doesn't mean we have to give it to them. Mesh topologies using low-power devices are the only way we cut them back down to size.

You can get all fatalistic if you like, but if your only response to the encroachments of authority is to run further and faster, then (apologies to Scotsmen everywhere) you're not a real geek.

5 days ago

Watch a Cat Video, Get Hacked: the Death of Clear-Text

grcumb Re:https is useless (166 comments)

Eve? Is Bob cheating on Alice?

Ah, she told you her name was Alice?

You poor naive thing....

about a week ago

Study: Firmware Plagued By Poor Encryption and Backdoors

grcumb Re:Quit with the idiotic "internet of things" meme (141 comments)

That's how language works. Deal with it.

Dealing with such toxic bullshit only ensures it will spread around more, even if only slightly. I'd rather point out why it's garbage.

Yes, but the entire article is low-brow drivel. I have no idea why this was the source they chose to link to (though it might go a long way toward explaining the tone and content of Slashdot's discussions these days...). I mean, check out this para:

The murky world of firmware sometimes makes it hard to figure out which products might be affected. Manufacturers often rely on tools and development kits that are widely used across industries, so the flawed firmware can end up in product sold under lots of different brands.

It's hard to know whether this 'writer' even teh English. But worse, the content is almost anti-information. What the fuck is a 'murky world'? People use generic toolkits? Sold to more than one company?! Who is this Adam Smith and where do I get his pamphlets?!?

Worse, the author[*] is implying that this is somehow an inherent flaw that might prove to be a fundamental difficulty. In truth, it's an aspect of software development that has been there since the very first computers existed. And what's more, we know how to fucking deal with it. Instead of massaging the conscience of halfwit managers, maybe he could have offered a bit of illumination concerning the decades of precedent for dealing with software quality, and explaining how these principles can (or cannot) be applied to firmware.

The thing that drives me toward despair is that the article - the whole publication - is clearly aimed at corporate decision-makers.

[*] With apologies to all real authors everywhere.

about a week ago

Larry Rosen: A Case Study In Understanding (and Enforcing) the GPL

grcumb Re: What if it were Microsoft code (191 comments)

Seriously, dude? 'She was dressed provocatively, so she had it coming.' That's your argument?

about two weeks ago

Google Fit Preview SDK Arrives For Android Developers

grcumb No REST for the ... (13 comments)

Google warns that the preview release contains the Google Fit APIs for Android, but does not contain the REST API or the Android Wear APIs....

Sorry, you're telling me that there's no REST for the FIT? Sounds exhausting....

about two weeks ago

Ecuador To Forge Ahead With State-Backed Digital Currency

grcumb Interesting turn of phrase (85 comments)

'Ecuador To Forge ... Currency'

I see what you did there. :-)

about two weeks ago

Ask Slashdot: IT Personnel As Ostriches?

grcumb Re:Simple Answers to Simple Questions (246 comments)

That wasn't the question. What do you do when you did read something inadvertently? You can't unread "Irregularities in the pension fund". Do you pretend that you don't know? What if it's something illegal / against company policy / unethical?

We used to call it 'being trustworthy'. Not sure what the term is today.

People need to know that they can rely on you under pretty much any circumstances, otherwise they'll stop calling and you won't be able to do your job. That means ignoring pretty much everything.

I say pretty much, because there is a line past which you cannot remain silent. For me, it was child pornography on a customer's computer. I called the police and handed over the equipment.

This was in a small town, and it ruined my life, by the way. The owner of the computer was a prominent citizen who immediately accused me of planting the material, then began a slur campaign against me. The town, as the saying goes, wasn't big enough for the both of us. After more than a year of this, I had to leave. I'd lost my job, and I'd lost half my friends.

Some time later, I ran into an acquaintance from that town in an airport. His first bit of news was that the kiddie diddler had finally been convicted. His own smear campaign finally had the effect of bringing three adult victims of his out. They testified against him and put him away. The lesson I learned is that, sometimes, there is justice in this world. But it doesn't come free.

So yes, you need to be - and you need to be seen to be - completely, implicitly trustworthy. How you do it is simple enough: Always be there, never be seen to be part of the gossip. Be open and obvious about everything you do, and never, ever work in someone's office with the door closed. Equally, though, you need to be seen to be the kind of person who will do the right thing. That's a little harder to do and, as I've recounted, sometimes comes at a cost.

about three weeks ago

In France, Most Comments on Gaza Conflict Yanked From Mainstream News Sites

grcumb Re:Or maybe you're not so good at math (512 comments)

Ireland didn't do anything remotely like what Hamas is doing to Israel. If it did, you would have seen the relevant bits of Ireland flattened like what England helped do to Nazi Germany.

I don't really have a side in this argument. But I do feel compelled to mention that England absolutely did terrible, terrible things in trying to quell the Irish problem. Oliver Cromwell famously said that Catholics were welcome to go to 'Hell or Connaught' as he drove them from the Pale. (Those of you who can see beyond the postcard photos will know that Connaught is close enough to Hell when you're trying to work a farm.)

The potato 'famine' was a direct result of predatory practices put in place by the British and Anglo-Irish to keep the Irish poor and desperate. Over a million people died. But this practice had been going on for years and years beforehand. Deacon Smith's A Modest Proposal, considered one of the greatest examples of satire in the English language, was a direct response to the appalling depredations of the landlord class in Ireland.

In fact the intransigence of the problem of Northern Ireland is a direct result of the British relocating large numbers of people (mostly Scots) to Ulster in order to create a 'buffer' population. Now, 400 years on, they have a very similar problem to that experienced by the Israelis, who tragically are using almost exactly the same tactics to deal with it, proving that they've failed to learn a thing from the fight for Irish independence.

about three weeks ago

No RIF'd Employees Need Apply For Microsoft External Staff Jobs For 6 Months

grcumb Re:Considering the success of Microsoft's Mobile I (282 comments)

Grandma's still got a chance of being raped if those frat boys are drunk enough and high enough.

... Which pretty much explains every 'Enterprise IT' purchasing decision ever.

about a month ago

Pushdo Trojan Infects 11,000 Systems In 24 Hours

grcumb Re:Missing information (32 comments)

Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows.

This propagation rate is positively tiny. Honestly, I don't know why it's even part of the headline. For context, this paper (PDF, sorry) shows Code Red infecting over 500,000 machines in an hour.

If 11,000 machines in a day is an event, then we should all be sitting back and breathing a sigh of relief that the bad old days are over....

(Not that I believe that they are. I just don't see any reason for the breathless headline.)

about a month ago

NSA Says Snowden Emails Exempt From Public Disclosure

grcumb Re:The Existence of a "United States of America" (231 comments)

You are a citizen who cares more about your children's survival than the survival of Freedom and the well being of millions. In other words you aren't merely part of the problem, you are the problem.

You could happily sit in the company of many of history's great men. They too were willing to sacrifice countless lives for some lofty goal.

Is there any benefit too small, in your mind, for my kids to die supporting it?

It's worth noting that most revolutions happen when the only way remaining to provide for and protect one's children is to take up arms or man the barricades.

... And most of them are won by the side most able to protect its children.

about a month ago

Elite Group of Researchers Rule Scientific Publishing

grcumb Re:Just an opinion... (123 comments)

...and a negative one at that.

Could it ever possibly be that these scientists who "dominate" the scientific publishing are actually worthy of such a thing?

Indeed. And besides, compared to the star system in Hollywood, for example, this is downright democratic.

The intellectual penury that comes with serving with a leader in a given field seems to be gladly endured by most young researchers. This story ignores the fact that, although the senior researcher's name may be at the top of the paper, the junior researcher's name is right there below it.

It's a bit like an actor accepting a lesser credit in order to appear in a bigger film.

about a month ago

Python Bumps Off Java As Top Learning Language

grcumb Re:Java or Python (415 comments)

The ability to seamlessly use + with mixed text and numeric types in a language without explicitly declared types is usually considered a design flaw, not a positive feature. Perl uses separate operators for strings vs. numbers to avoid ambiguity....

Though in fairness, it should be mentioned that, as with other aspects of the language, Perl also assumes that you are using the right operator, and that you actually mean what you wrote:

perl -e 'print "x" + 1;'

Or, even better:

perl -e 'print "x" x 22;'

about a month and a half ago

'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

grcumb Re:say wha? (68 comments)

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place.

ummmm what? english please!

The code sneaks a Flash file disguised as a URL into some JSON data and cons the browser into treating it as JavaScript, but on the local machine it acts like an HTML <OBJECT>, and because the browser is executing the Flash code locally now (due to the masquerade), it can run with greater privileges than if it were from a remote site.

Or in layman's terms: Flash totally sucks the suckage, dude. Always did. Still does.

about a month and a half ago
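The defensive side of the summary quoted above, as an added example that is not code from the post or from the Rosetta Flash write-up: a JSONP response builder that allow-lists the callback name and prefixes the body with `/**/`, the mitigation that keeps a reflected callback from ever forming the leading bytes of a SWF. The function names, the length limit and the sample payload are assumptions.

```javascript
// Added example, not code from the Slashdot post or the Rosetta Flash write-up.
// Demonstrates the usual mitigations for callback-reflection attacks on JSONP
// endpoints: strict validation of the callback name plus a "/**/" prefix.

// A JSONP callback is a JavaScript identifier, optionally dotted. This is the
// usual allow-list. Note that the alphanumeric-only SWF described in the
// summary passes this check, so the charset check ALONE does not stop the
// attack; the prefix below is what actually breaks it.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LENGTH = 64; // assumed limit; real callbacks are short

// Every SWF begins with one of these 3-byte signatures (uncompressed,
// zlib-compressed, LZMA-compressed); Flash Player rejects anything else.
const SWF_SIGNATURES = ["FWS", "CWS", "ZWS"];

/**
 * Build a JSONP response for `payload`, reflecting `callback` safely.
 * Returns { status, headers, body }. Throws on an invalid callback so the
 * caller can answer 400 instead of reflecting attacker-controlled bytes.
 */
function buildJsonpResponse(callback, payload) {
  if (typeof callback !== "string" || callback.length > MAX_CALLBACK_LENGTH) {
    throw new Error("callback too long or missing");
  }
  if (!CALLBACK_RE.test(callback)) {
    throw new Error("callback is not a plain identifier");
  }
  // Whatever the callback is, the body now starts with "/**/", which is not
  // a SWF signature, so a Flash player will not parse the response as a SWF.
  // JavaScript treats the prefix as an empty comment, so clients are unaffected.
  const body = "/**/" + callback + "(" + JSON.stringify(payload) + ");";
  return {
    status: 200,
    headers: {
      // The body is executable script, so label it as such, not as JSON.
      "Content-Type": "application/javascript; charset=utf-8",
      // Stop browsers from guessing a different type for the body.
      "X-Content-Type-Options": "nosniff",
      // Extra hardening: anything loading the URL as a document gets a
      // download rather than rendered content.
      "Content-Disposition": "attachment; filename=\"response.js\"",
    },
    body,
  };
}

// True when a response body begins with a SWF signature, i.e. when a Flash
// player could be talked into loading it as a movie.
function looksLikeSwf(body) {
  return SWF_SIGNATURES.includes(body.slice(0, 3));
}

// Constructed sample callback and payload (not real traffic).
const sample = buildJsonpResponse("jQuery21_cb", { user: "alice", ok: true });
console.log(sample.body); // /**/jQuery21_cb({"user":"alice","ok":true});

// A constructed, purely alphanumeric callback standing in for a crafted SWF:
// it starts with "CWS" and passes the identifier regex, yet the prefix still
// keeps the body from starting with a SWF header.
const evil = buildJsonpResponse("CWSAbCdEf0123", {});
console.log(looksLikeSwf(evil.body)); // false
```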



Android Ice Cream Sandwich Source Released

grcumb grcumb writes  |  more than 2 years ago

grcumb (781340) writes "Looks like the folks at Google have made good on their promise to release the Android 4.0 source code. Android software engineer Jean-Baptiste Queru writes: "Hi! We just released a bit of code we thought this group might be interested in. Over at our Android Open-Source Project git servers, the source code for Android version 4.0 (Ice Cream Sandwich) is now available."

"This is actually the source code for version 4.0.1 of Android, which is the specific version that will ship on the Galaxy Nexus, the first Android 4.0 device. In the source tree, you will find a device build target named "full_maguro" that you can use to build a system image for Galaxy Nexus. Build configurations for other devices will come later."

If the Cyanogen elves get busy Daddy just might be getting a new ROM for Christmas...."


Economist Mag Profiles "Wireless Carrier-Pigeons"

grcumb grcumb writes  |  more than 3 years ago

grcumb (781340) writes "The Economist magazine is running a brief profile of Digicel, a 'minnow' in the wireless telecoms market that has distinguished itself by setting up shop in some of the most unlikely (and dangerous) markets in the world, including Haiti and Papua New Guinea, whose capital, Port Moresby, has one of the highest murder rates in the world.

"If you just focus on risk, you can't do a thing," said Digicel's billionaire president Denis O'Brien in a 2008 Forbes profile. But O'Brien's small-market revolution should teach us another lesson, too: Traditional economic analysis doesn't work when it comes to communications. Telecommunications is a supply-driven economy. If you build it — no matter where you build it — they will come.

Now, if someone could just teach the North American telcos this...."

Anonymous Coward or Corporate Troll?

grcumb grcumb writes  |  more than 6 years ago

grcumb writes "In a recent article on Alternet, Annalee Newitz writes to report that our perception of the typical anonymous poster as a fat, half-naked basement dweller with a grudge is nearly 100% wrong. Virgil Griffith's WikiScanner site exposes the surprising truth: The majority of dishonest edits and omissions on wikipedia derive from corporate and government IP addresses. In Annalee's words: 'It turns out that the people who are hiding behind anonymity online for nefarious or selfish reasons are not little guys in pajamas but the very bastions of accountability that haters of the Web have deified.'"

AT&T Practices Political Censorship

grcumb grcumb writes  |  about 7 years ago

grcumb writes "Pearl Jam reports that their live webcast from Lollapalooza was censored by AT&T. The statement on the band's website outlines their concerns in the context of the ongoing Net Neutrality 'debate':

"AT&T's actions strike at the heart of the public's concerns over the power that corporations have when it comes to determining what the public sees and hears through communications media.

"Aspects of censorship, consolidation, and preferential treatment of the internet are now being debated under the umbrella of "NetNeutrality." Check out The Future of Music or Save the Internet for more information on this issue.

It's refreshing to see that at least some of our media darlings have a clue about what this debate is about,"


France: Surrender Your Blackberries!

grcumb grcumb writes  |  more than 7 years ago

grcumb writes "Le Monde has published a story claiming that French defence officials have asked all senior functionaries in the French government to stop using Blackberry wireless mobile devices. Fears that the US-based mail servers supporting the service could lead to systematic eavesdropping by US intelligence agencies led to the drastic move. From the AP story:

"It's not a question of trust," Mr. Lasbordes told The Associated Press. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

Research In Motion, makers of the Blackberry device, claim they couldn't read the emails even if they wanted to: "No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution,"

Apparently, nobody at RIM has ever worked at the NSA."



Flickr: Flunkr

grcumb grcumb writes  |  more than 5 years ago

About once a month or so, I'm tempted to dump 25 bucks on Flickr to upgrade to a 'Pro' account, just so I can plop more than 200 photos into that particular bucket. I admit I've been on the cusp a couple of times.

But I never do. The plain fact is that Flickr is a terrible photo viewing interface.

White, what?

A bright white background is possibly the worst neutral background they could have chosen. White washes out colours and destroys one of the things that I personally love best: subtle shading on very dark and earth-toned pictures. It's got to the point where a lot of self-respecting photographers actually have a 'View on Black' link, pointing to one of several services that do nothing other than render the very same photo with a dark background. The difference is stunning.

But Flickr, in its infinite marketing wisdom, would rather emulate Google's 'any colour as long as it's white' mantra. In Google's case, there's wisdom in the approach; they are a utility, like power or water, not a creative service. Flickr does not benefit in the least from an engineer's design sense, and it's high time someone told them that.

One Hundred's Spartan

When viewing photos in groups - or any aggregation, for that matter - one is usually presented with a hodge-podge of 100 pixel thumbnails. Viewing photo sets is even worse. The screen is filled with a patchwork quilt of arbitrarily cropped 75×75 pixel postage stamps. No, wait, I take that back. Postage stamps are larger.

I can't imagine a worse fate for any decent photo. To be reduced to a smudge of light among dozens or hundreds of others on a glaring white page. I'm not sure even Ansel Adams could survive that.

Of course, there are some photos that do just fine in such an environment. Too often, they're from the 'Ooh Shiny!' school of art. To everyone's credit, some genuinely lovely photos can be found, if you know where to look. But they're lovely in spite of Flickr, not because of it.

There are any number of technical arguments for crowding dozens of blots of colour together and calling them a collection, but none of them wash when it comes to aesthetics, or even usability, for that matter.


Flickr's groups are subject to the same AOL-ish devaluation that most large scale communities suffer from. The absolute preciousness of users who troll through other galleries, bestowing silly trophy and ribbon icons on pretty photos in a desperate attempt to burnish their collective karma by associating with only the best types... it's off-putting in a way that I'd rather not characterise in a public medium.

Let's just leave it at this: Any group of more than a few dozen people who are mostly unknown to one another can never merit the descriptor 'exclusive'.

Worst of all, Flickr is a vortex. It's a gravity well whose debris can be found throughout the Web, but which is entirely self-referential. Once you're in there, you don't come out. I've had over 14,000 visitors to my main photo stream, yet a mere 18 referrals from Flickr show up in my server logs. People who use Flickr don't go elsewhere.

Flickr, in other words, is good for Flickr. Any benefit that derives to individual photographers seems to be purely coincidental.


All of this isn't Flickr's fault, per se. The fault lies in our technical inability to render - and more importantly, to manage - images efficiently through a standard GUI, and to share them effectively.

It seems almost paradoxical. Digital technology has allowed revolutionary advances in photography. It has made possible one thing that I love more than any: the ability to draw with light rather than pigment. Sometimes when I'm engrossed in my work I find myself getting almost drunk on colour. There is nothing more rewarding than watching a well-built slide show wash the room with light and shape, to see human vision captured, distilled and transformed in the process.

It astounds me, therefore, how poorly most websites handle photos.

But this is the environment that Flickr has chosen. With few tools to effectively deal with social economies of scale, people are left to their own devices, so they crowd together (as people always do), creating cacophony where contemplation might once have been. Flickr has embraced (in the embarrassing cloying-college-drinking-buddy sense of the word) conventional wisdom with regards to UI, and has spent all its effort on the engineering challenge of handling photos in volume. They've tacked on a few trendy bloggy/webbish bits, like tagging with keywords and location data, but done nothing whatsoever to innovate how photos are viewed.

And that, it seems to me, should be the very essence of innovation where photography is concerned.

I won't demur for a moment if you counter that thumbnails are a necessary evil, that larding a page up with binaries slows down load times, that we're unfortunately bound by the lowest common denominator where display and download capacity are concerned. Nor will I argue if you express admiration for their ability to handle the data volumes that they do. Just storing and serving up 2 billion photos is a decidedly non-trivial task.

But let's be clear here: I expect more from Flickr. I judge them by a higher standard.

They want to set themselves apart? Then let them deal intelligently - dare I say it? creatively - with their popularity. The engineering challenge is interesting; I'll be the first to admit it. But dammitall, this is a photography site. It's for creative people. Is it too much to ask that they should actually take a little of their revenue and use it for basic research and innovation? Where's the research into lossless compression, peer-to-peer content distribution, point-and-click monitor calibration, optimal display environments, click-and-drag online image resizing? Where's the community for UI geeks?

How many of Flickr's 10-30 million monthly visitors have paid accounts there? My guess would be: Several. Surely some of that revenue could go into renewal, exploration and invention.

Perhaps it's no surprise that Flickr founders Caterina Fake and Stewart Butterfield left Yahoo! just as soon as they reasonably could. I don't doubt for a moment that they've thought a great deal more about these issues than I have. Perhaps they'll be the ones who manage to pull a rabbit or two out of their digital cap.

If they do, they'll get my money, too.


Steaming Piles

grcumb grcumb writes  |  more than 6 years ago

[Cross-posted from the Scriptorum.]

Sometimes you have to destroy the document in order to save it....

I give up. I can't support OpenOffice Write any more, and it's nobody's fault but their own. For anything more than simple tasks, the application is terrible. Their only saving grace is that Microsoft Office has its own brand of polished turd, named Word. Collectively, they are racing to the bottom of a decade-long decline in usability.

No, that's too generous. The thing is, they're at the bottom. They are useless for any but the most trivial tasks, and the most trivial tasks are better accomplished elsewhere, anyway.

Yes, I'm ranting. Let's put this into a proper context:

I hate word processors. For any but the simplest tasks, their interfaces are utterly ridiculous. I haven't liked a word processing interface since WordPerfect circa version 5, and if I had my own way, I'd author all my documents in either emacs or vi, depending on the circumstances.

Why do word processors suck so badly? Mostly, it's because of the WYSIWYG approach. What You See Is What You Get, besides being one of the most ghastly marketing acronyms to see the light of day in the digital era, is ultimately a lie. It was a lie back in the early 1990s when it first hit the mainstream, and it remains a lie today. The fact of the matter is that trying to do structuring, page layout and content creation at the same time is a mug's game. Even on a medium as well understood as paper, it's just too hard to control all the variables with the tools available and still have a comprehensible interface.

But the real sin that word processors are guilty of is not that they're trying to do WYSIWYG - okay, it is that they're trying to do WYSIWYG, but the way they go about it makes it even worse. Rather than insisting that the user enter data, structure it and then lay it out, they cram everything into the same step, short-circuiting each of those tasks, and in some cases rendering them next to impossible to achieve.

Learning how to write, then structure, then format a document (or even just doing each through its own interface) is easier to learn and easier to accomplish than the all-in approach we use today. For whatever reason, though, we users are deemed incapable of creating a document without knowing what it's going to look like right now, and for our sins, that's what we've become. And so we are stuck with word processors that are terrible at structuring and page layout as well as being second-rate text authoring interfaces. They do nothing well, and many things poorly, in no small part because of the inherent complexity of trying to do three things at once.

It doesn't help that their technical implementation is poor. The Word document format is little better than a binary dump of memory at a particular moment in time. For our sins, OpenOffice is forced to work with that as well, in spite of having the much more parse-worthy ODF at its disposal these days.

There's no changing any of this, of course. The horse is miles away, and anyway the barn burned down in the previous millennium. The document format proxy war currently underway at the ISO is all the evidence I need to know that I'll be dealing with stupid stupid stupid formatting issues for years to come. I will continue to be unable to properly structure a document past about the 80th percentile, which is worse than not at all. I will continue to deal with visual formatting as my only means to infer context and structure, leaving me with very little capacity to do anything useful with the bloody things except to print them out and leave them on someone's desk.

Maybe I'll just stop using them at all. Maybe I'll just start doing everything on the web and never print again. I'm half serious about this, actually. At least on the Web, the idea that content and presentation are separate things isn't heresy. At least on the Web, I can archive, search, contextualise, comment, plan, structure and collaborate without having to wade through steaming piles of cruft all the time.

At least on the Web, I can choose which steaming piles I step into.

I'm going to start recommending people stop using Word as an authoring medium. There are far better, simpler tools for every task, and the word processor has been appropriate for exactly none of them for too long now. Sometimes you have to destroy the document in order to save it.


Trust Works All Ways

grcumb writes  |  more than 6 years ago

[Cross-posted from the Scriptorum.]

The Debian OpenSSL vulnerability apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it?

Over the weekend, I've been thinking about last week's disclosure concerning Debian's OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.

There's a pretty good subjective analysis of the nature of the error on Ben Laurie's blog (thanks, Rich), and of course the Debian crew itself has done a fairly good job of writing up the issue.

The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I'm told, included every single possible key value that the Debian OpenSSL package could conceivably create.

The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?

My hypothesis - sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn't notice the danger presented by this tiny but fundamental change in the code base, well, my point becomes stronger.

The change itself was small, but not really obscure. It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.

In all this time, apparently, nobody using Debian's OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be. That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the same trust in the software, then I'd venture to state that there's a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:

Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort.

P.S. Offhand, there's one circumstance that I think could undermine the credibility of this speculation, and that's if there's any link between this report of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.
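An added example (not part of grcumb's post, nor the Debian/Ubuntu tooling itself) of how a blocklist-style weak-key detector like the one mentioned above can be built: it fingerprints each key in an OpenSSH authorized_keys file and flags any whose fingerprint appears in a known-weak set. The blocklist, the key material and the sample file are all constructed here, and the fingerprint scheme (SHA-256 over the decoded key blob, presented the way ssh-keygen -l does) is an assumption, not the format of Ubuntu's actual 8MB data block; lines with option prefixes before the key type are not handled.

```python
import base64
import binascii
import hashlib
from typing import List, Set, Tuple


def fingerprint(pubkey_line: str) -> str:
    """SHA-256 fingerprint of an OpenSSH public key line ('type base64 [comment]'),
    returned in the 'SHA256:<base64 without padding>' form ssh-keygen -l prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)  # raises binascii.Error if malformed
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_weak_keys(authorized_keys: str, blocklist: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, key comment) for every key whose fingerprint is on the
    blocklist. Blank lines, '#' comments and unparseable lines are skipped."""
    hits = []
    for lineno, line in enumerate(authorized_keys.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            fp = fingerprint(stripped)
        except (ValueError, binascii.Error):
            continue  # not a key we can fingerprint; a real tool would report this
        if fp in blocklist:
            fields = stripped.split()
            hits.append((lineno, fields[2] if len(fields) > 2 else ""))
    return hits


# Constructed sample keys: arbitrary bytes stand in for real RSA key material.
def _key_line(material: bytes, comment: str) -> str:
    return "ssh-rsa " + base64.b64encode(material).decode() + " " + comment

WEAK_KEY = _key_line(b"constructed key material from the broken Debian PRNG", "weak@example")
GOOD_KEY = _key_line(b"constructed key material from a healthy PRNG", "good@example")

# Constructed blocklist: the real detector shipped a precomputed block covering
# every key the crippled generator could produce; here it is a one-entry set.
WEAK_FINGERPRINTS: Set[str] = {fingerprint(WEAK_KEY)}

SAMPLE_AUTHORIZED_KEYS = "\n".join(["# constructed authorized_keys", GOOD_KEY, "", WEAK_KEY])

if __name__ == "__main__":
    for lineno, comment in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"line {lineno}: key '{comment}' is on the weak-key blocklist")
```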
