
The New 'One Microsoft' Is Finally Poised For the Future

grcumb Re:Godwin's law. (270 comments)

What's a Scompany?

In C, a Hungarian string manufacturer. :-)

about a week ago

Ask Slashdot: Which NoSQL Database For New Project?

grcumb Re:CouchBase (272 comments)

CouchBase/CouchDB is probably the easiest and most available one out there. It's particularly well suited for app backends too, as both the backend and mobile apps can talk to the same database, in theory eliminating the need for the backend to handle data syncing.

Those are good reasons, and it's also true that CouchDB will use a lot less resource overhead than a full-bore RDBMS under load. Depending on the use case, it might also prove decidedly easier to scale.

But the place where NoSQL really shines is storing amorphous or heterogeneous data. Because you have no constraints about what goes into a given record, you can record more or less name/value pairs at your whim. As with Perl, though, freedom comes at the cost of potential disorder.

But honestly, with the tiny amount of detail provided, it seems like it's really six of one and half a dozen of the other. If it's just call data being recorded, and the same call data every time, it won't make a huge difference if you use a full-blown RDBMS or a NoSQL database. Either one has its costs (individual PUTs and POSTs in CouchDB for example, can be expensive, whereas queuing and write contention might cause headaches at extreme scales in PostGres or Oracle).

Both an RDBMS and a NoSQL database will deal with replication fairly well, though my personal inclination is to prefer the simplicity of replication in CouchDB right up until the noise level gets out of hand.

about two weeks ago

Snowden: NSA Spied On Human Rights Workers

grcumb Re:Snowden has jumped the shark (230 comments)

And French intelligence bombed the Rainbow Warrior.

To their detriment. It's telling that the bombing of the Rainbow Warrior was the event that triggered so much outrage among Pacific island nations that the practice of atmospheric testing was finally stopped. It also wounded relations between New Zealand and France for over a decade, and resulted in a long period of Labour (i.e. left wing) rule. The Tahitian independence movement also made hay from the event.

It was, in short, a complete fiasco for the French intelligence service, and for the government of France, an unmitigated failure.

If for no other reason than realpolitik, governments need to learn to tread more lightly when it comes to abrogating the freedoms that make their societies as peaceful and prosperous as they are.

Precisely what is so surprising about the NSA spying on political radicals?

When you call Amnesty International politically radical, you debase the discussion. Amnesty uses non-violent tactics - mostly media relations - to shame governments into releasing political prisoners. If agitating against the imprisonment of your political opponents is radical to you, then perhaps you should revise your opinion on freedom and human rights.

about two weeks ago

Neovim: Rebuilding Vim For the 21st Century

grcumb Re:There's a reason people argue about vim and ema (248 comments)

Do people in fact still argue about vim vs emacs?

I stopped on the day I found myself writing:

vim ~/.emacs

... Though I never have quite forgiven myself.

about a month ago

Nate Silver's New Site Stirs Climate Controversy

grcumb Re:Go after em Nate (335 comments)

It's sad to see these scientists cry fowl, controversy, and blasphemy at dissenters. Isn't science supposed to have opposing views, with fact-based research on multiple view points using the "scientific method" for cross-checking each other's work?

First off: Let's leave the chickens out of this, shall we?

Second: No, it's not sad at all. This is exactly the kind of debate we want - one where people disagree about specific and detailed issues, and respond to one another on points of fact. Yes, it's heated and the antagonism is distressful to some, but the plain fact is that this is real, healthy debate.

I don't see propaganda, mis- and disinformation from 'high priests'; I see a bunch of pencil-liner geeks getting furious with one another over data. And I like it.

The only thing that saddens me in all this is that people think disagreement is equivalent to enmity these days.

about a month ago

Malware Attack Infected 25,000 Linux/UNIX Servers

grcumb Re:So is it 10,000 or 25,000? (220 comments)

Read, or don't read the article, your choice. But the level of sophistication will blow your mind.

No, no it really won't.

That article read like the opening page of a third-rate techno-thriller. Once you get past the alarmist dross, you see that people are busy pwning servers just as they always have. Only today - shock, horror - there are more servers around, and some of them are really badly maintained.

25,000 servers is a pretty useful resource for someone with malice in mind. And admittedly, it takes a certain amount of cleverness to amass that many. So yes, these guys aren't completely useless. But in the larger scheme of things, that number represents the lowest of the low-hanging fruit in the Linux ecosystem, and it's sufficient unto the day to know that if you (or your sysadmin) have half a clue, you'll likely not be bothered by this threat.


about a month ago

Eric Schmidt On Why College Is Still Worth It

grcumb Re:Old thinking. (281 comments)

'The economic return to higher education over a lifetime produces significant compound greater earnings.'

That has been true in the past.

Not exactly. You know what was true in the past? That a good education made you a better person.

Now, I won't deny for a second that there were numerous social and economic factors in getting the 'right' education from the 'right' schools. It's true that being a 'gentleman' was inextricably tied up with class, economic status and the clannishness of the privileged. But it was still about being the right sort of person rather than a more-or-less necessary precursor to employment. The cost in those days was primarily to keep the riff-raff out, rather than any reflection of economic realities (conditions in some British colleges, for example, were abominable).

In spite of all the hypocrisy and all the cant, a liberal education was designed to improve the person. It had little or nothing to do with employment, except inasmuch as employers at the time wanted 'improved' people for a number of lines of work.

Full Disclosure: It's easy for me to talk. I was one of the last people through a system that actually did focus on a decent general education, at a level of government funding that allowed me to finish 4 years of a double major with only $10,000 in debt, payable at a pittance a month over a ten-year term. I'm an arts major who's also a CTO, by the way.

about a month ago

Stanford Team Tries For Better Wi-Fi In Crowded Buildings

grcumb Re:and how do they track users across muilt units? (43 comments)

also what about stuff like file shearing...

Well, typically, you start by grabbing the file by its strings, give 'em a twist and get it on its back. Then you lift the tail[*] such that all the loose bits run off onto the floor as you make your first pass. Some prefer Occam's Razor when shearing data, but I find Hanlon's Razor works, too.

[*] I find that tail -n 100 is enough to get a decent grip, but it really depends on the size of the RAM....

about a month and a half ago

Ask Slashdot: Reviewing 3rd Party Libraries?

grcumb Re:Open source (88 comments)

Easy: use open source libraries.

Yep, like GnuTLS, or Apple's SSL implementation. You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.

I remember back in 2008, when the Debian OpenSSL package was found to have a gaping hole in it. I was fascinated at the fact that it had been able to lie there, dormant, until it was discovered and immediately fixed. By rights, the damage should have been widespread.

Back then, I wrote:

My hypothesis – sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code.

So, perversely, yeah: The fact that the GnuTLS hole remained unnoticed for yonks is -weirdly- an argument for using open source libraries. Notwithstanding the fact that the vulnerability remained unpatched for years, it appears to have remained pretty much unexploited for the same period of time.

When processes are perceived to be robust, by black hat and white hat alike, then the mere presence of trust in the system makes them more trust-able. (I won't say trustworthy, because hindsight shows us that they're not.)

about a month and a half ago

Tor Is Building an Anonymous Instant Messenger

grcumb Re:Joy of joys! (109 comments)

Now I'll be able to communicate with some random, anonymous Internet person.

Yeah, first thing I thought was chats like this:

SPARTACUS12: U rite?

SPARTACUS19982: Wait, who said that?

SPARTACUS4x9: Said what?

SPARTACUS19982: That!

SPARTACUS19982: Yeah, what!

SPARTACUS12: Wait - which what?

SPARTACUS4x9: Dude, being Spartacus is starting to suck, ya know..?

SPARTACUS4x9: I mean, I don't even know who I am any more...

about 2 months ago

Harold Ramis Dies At 69

grcumb Re:See you on the other side, Egon (136 comments)

I concur. An inspirational nerd.

I sympathise, but as an old Canadian geezer, I always felt that by the time the US audience finally heard about them, the SCTV alumni had already done their best work. That troupe - and their cheezy, low-budget show - formed my sense of humour more than anything else. Dave Thomas, Harold Ramis, Eugene Levy, Andrea Martin, Catherine O'Hara... all of them went on to make memorable comedy in the US. I think Joe Flaherty was the only one who didn't make a big splash. (Which is America's loss, not his.)

But there was a time when all of them were callow, reckless youths with nothing to lose by making asses of themselves week after week on a second-rate Toronto-based network that was so small (it had only 13 stations at the start) it too had nothing to lose.

Back in junior high school, my week was centred around that blessed moment when the Indian-head test pattern would appear and the announcer would say, 'Don't touch that dial. Don't touch that one either. And stop touching yourself.' I still remember the intonation....

(... I never did stop touching myself, but that's another story.)

about 2 months ago

Netflix Blinks, Will Pay Comcast For Network Access

grcumb Re:Long-term loss (520 comments)

Bandwidth and latency are neither free nor infinite.

Nobody said it was. The issue here is that Comcast subscribers are not getting what they paid for, unless NetFlix pays again for the bandwidth. This is bandwidth for which NetFlix has already paid, and for which Comcast has already been paid by its customers.

Your argument is the same as saying that if you pay for a bridge with your taxes, you should be able to drive a fully loaded hauling truck (type Caterpillar 797F) on it. But guess what? The bridge has not been designed to handle that load, it has been designed for lighter load (car, 40' truck, etc.).

You're dead wrong on this count. Comcast is arguing (speciously) that traffic to and from a particular destination doesn't deserve the same service as traffic to and from other destinations - unless the destination pays an additional toll. The fact that this is a popular destination is only relevant inasmuch as this increases Comcast's ability to extort payment for something which has already been paid for.

This is straight-up anti-competitive behaviour. If the US telecommunications regulatory environment made any sense at all, Comcast would be slapped down hard for doing this.

about 2 months ago

New Beetle Named After Charles Darwin and David Sedaris

grcumb Re:David Sedaris? (35 comments)

No, no its a NEW Beatle.
John Lennon
Paul McArtney
Geo. Harrison
Ringo Starr
Charles Sedaris
Actually, not very new, Yoko took off the disguise and VIOLA!

Guitar, bass, guitar, drums... and... viola?!?

... Could work, I guess.

about 2 months ago

Sophisticated Spy Tool 'The Mask' Rages Undetected For 7 Years

grcumb Re:Editing? (98 comments)

1) "badly written" is acceptable

Not in this context. 'Badly written' normally means 'illegible'. 'Poorly written' is the appropriate phrase.

So Dexter, seeing a quotation from Paradise Lost scrawled by a bloody hand across the wall of a Miami condo, would say, 'That was badly written.'

Milton's ghost, on the other hand, would look at the awkward parts of the latter seasons of Dexter and say, 'That was poorly written.'

about 2 months ago

OneDrive Is Microsoft's Rebranded Name For SkyDrive

grcumb I can just see it... (197 comments)

Coming soon...

Celebrity endorsement of One Drive by the eye of Sauron: 'One Drive rules them all! Two thumbs up! If I had Thumbs!'

Enter our One Draw to win! Secret decoder rings for the first nine (human) winners!

about 3 months ago

Blowing Up a Pointless Job Interview

grcumb Re:The Akamai question is actually pretty good (692 comments)

For director-level types, not engineers ("How does the Internet work?"), especially with follow-ups to nail someone who has googled and memorized the canned "answer".

This could filter out those who have the requisite charisma and social skills but who don't have a clue about the technology.

A friend of mine once suggested that the best possible question you could ask of a potential sysadmin was, 'Explain how traceroute works.' There are so many levels of 'right' answer that you can determine whether the interviewee is a rank amateur or whether she's currently communing with the spirit of Ada Lovelace and spontaneously generating CS zen koans using the AI in her programmable calculator.

about 3 months ago

Porn Will Be Bitcoin's Killer App

grcumb Re:seems reasonable (216 comments)

Philips had been proposing 11.5cm and a playing time of one hour exactly, but the longest running version of Beethoven's 9th was Furtwangler's 1951 Bayreuth Festival recording at 74 minutes, requiring the extra 0.5cm.

So, just to bring this back on topic: What you're saying is that the size of your Furtwangler[*] DOES matter?

[*] I'm assuming that's the German name for it....

about 3 months ago

Irish Politician Calls For Crackdown On Open Source Internet Browsers

grcumb Re:Shut up drinky (335 comments)

A Fine Gael TD named Patrick
Vied for the cluelessness hat trick:
He blamed anonymity
For people's affinity
To gambling, drugs and well-stacked chicks.

He represents Limerick, for Christ's sake. He had it coming.

about 3 months ago

Red Hat To Help Develop CentOS

grcumb Re:Odd... (186 comments)

I understand GPL allowing CentOS and Scientific Linux to use Redhat in their respective products, but I find it really puzzling that they would actively *help* CentOS... Doesn't make a lot of sense to me...

Well, as the saying goes, a rising tide lifts all boats.

RedHat gains in a number of ways:

  • Build adherence to the RPM/YUM ecosystem of Linux distros (as opposed to DEB-based distros);
  • Ensure that CentOS doesn't drift too far from the mothership, making CentOS a 'gateway drug', as it were, to RedHat;
  • Major karma bump among sysadmins and other professionals (valuable when planning discussions are happening and IT gets a voice);
  • Experiment and potentially learn a lot of important lessons without sullying the RedHat brand.

about 3 months ago



Android Ice Cream Sandwich Source Released

grcumb grcumb writes  |  more than 2 years ago

grcumb (781340) writes "Looks like the folks at Google have made good on their promise to release the Android 4.0 source code. Android software engineer Jean-Baptiste Queru writes: "Hi! We just released a bit of code we thought this group might be interested in. Over at our Android Open-Source Project git servers, the source code for Android version 4.0 (Ice Cream Sandwich) is now available."

"This is actually the source code for version 4.0.1 of Android, which is the specific version that will ship on the Galaxy Nexus, the first Android 4.0 device. In the source tree, you will find a device build target named "full_maguro" that you can use to build a system image for Galaxy Nexus. Build configurations for other devices will come later."

If the Cyanogen elves get busy Daddy just might be getting a new ROM for Christmas...."


Economist Mag Profiles "Wireless Carrier-Pigeons"

grcumb grcumb writes  |  more than 3 years ago

grcumb (781340) writes "The Economist magazine is running a brief profile of Digicel, a 'minnow' in the wireless telecoms market that has distinguished itself by setting up shop in some of the most unlikely (and dangerous) markets in the world, including Haiti and Papua New Guinea, whose capital, Port Moresby, has one of the highest murder rates in the world.

"If you just focus on risk, you can't do a thing," said Digicel's billionaire president Denis O'Brien in a 2008 Forbes profile. But O'Brien's small-market revolution should teach us another lesson, too: Traditional economic analysis doesn't work when it comes to communications. Telecommunications is a supply-driven economy. If you build it — no matter where you build it — they will come.

Now, if someone could just teach the North American telcos this...."

Anonymous Coward or Corporate Troll?

grcumb grcumb writes  |  more than 6 years ago

grcumb writes "In a recent article on Alternet, Annalee Newitz writes to report that our perception of the typical anonymous poster as a fat, half-naked basement dweller with a grudge is nearly 100% wrong. Virgil Griffith's WikiScanner site exposes the surprising truth: The majority of dishonest edits and omissions on wikipedia derive from corporate and government IP addresses. In Annalee's words: 'It turns out that the people who are hiding behind anonymity online for nefarious or selfish reasons are not little guys in pajamas but the very bastions of accountability that haters of the Web have deified.'"

AT&T Practices Political Censorship

grcumb grcumb writes  |  more than 6 years ago

grcumb writes "Pearl Jam reports that their live webcast from Lollapalooza was censored by AT&T. The statement on the band's website outlines their concerns in the context of the ongoing Net Neutrality 'debate':

"AT&T's actions strike at the heart of the public's concerns over the power that corporations have when it comes to determining what the public sees and hears through communications media.

"Aspects of censorship, consolidation, and preferential treatment of the internet are now being debated under the umbrella of "NetNeutrality." Check out The Future of Music or Save the Internet for more information on this issue.

It's refreshing to see that at least some of our media darlings have a clue about what this debate is about."


France: Surrender Your Blackberries!

grcumb grcumb writes  |  more than 6 years ago

grcumb writes "Le Monde has published a story claiming that French defence officials have asked all senior functionaries in the French government to stop using Blackberry wireless mobile devices. Fears that the US-based mail servers supporting the service could lead to systematic eavesdropping by US intelligence agencies led to the drastic move. From the AP story:

"It's not a question of trust," Mr. Lasbordes told The Associated Press. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

Research In Motion, makers of the Blackberry device, claim they couldn't read the emails even if they wanted to: "No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution,"

Apparently, nobody at RIM has ever worked at the NSA."



Flickr: Flunkr

grcumb grcumb writes  |  more than 5 years ago

About once a month or so, I'm tempted to dump 25 bucks on Flickr to upgrade to a 'Pro' account, just so I can plop more than 200 photos into that particular bucket. I admit I've been on the cusp a couple of times.

But I never do. The plain fact is that Flickr is a terrible photo viewing interface.

White, what?

A bright white background is possibly the worst neutral background they could have chosen. White washes out colours and destroys one of the things that I personally love best: subtle shading on very dark and earth-toned pictures. It's got to the point where a lot of self-respecting photographers actually have a 'View on Black' link, pointing to one of several services that do nothing other than render the very same photo with a dark background. The difference is stunning.

But Flickr, in its infinite marketing wisdom, would rather emulate Google's 'any colour as long as it's white' mantra. In Google's case, there's wisdom in the approach; they are a utility, like power or water, not a creative service. Flickr does not benefit in the least from an engineer's design sense, and it's high time someone told them that.

One Hundred's Spartan

When viewing photos in groups - or any aggregation, for that matter - one is usually presented with a hodge-podge of 100 pixel thumbnails. Viewing photo sets is even worse. The screen is filled with a patchwork quilt of arbitrarily cropped 75×75 pixel postage stamps. No, wait, I take that back. Postage stamps are larger.

I can't imagine a worse fate for any decent photo. To be reduced to a smudge of light among dozens or hundreds of others on a glaring white page. I'm not sure even Ansel Adams could survive that.

Of course, there are some photos that do just fine in such an environment. Too often, they're from the 'Ooh Shiny!' school of art. To everyone's credit, some genuinely lovely photos can be found, if you know where to look. But they're lovely in spite of Flickr, not because of it.

There are any number of technical arguments for crowding dozens of blots of colour together and calling them a collection, but none of them wash when it comes to aesthetics, or even usability, for that matter.


Flickr's groups are subject to the same AOL-ish devaluation that most large scale communities suffer from. The absolute preciousness of users who troll through other galleries, bestowing silly trophy and ribbon icons on pretty photos in a desperate attempt to burnish their collective karma by associating with only the best types... it's off-putting in a way that I'd rather not characterise in a public medium.

Let's just leave it at this: Any group of more than a few dozen people who are mostly unknown to one another can never merit the descriptor 'exclusive'.

Worst of all, Flickr is a vortex. It's a gravity well whose debris can be found throughout the Web, but which is entirely self-referential. Once you're in there, you don't come out. I've had over 14,000 visitors to my main photo stream, yet a mere 18 referrals from Flickr show up in my imagicity.com server logs. People who use Flickr don't go elsewhere.

Flickr, in other words, is good for Flickr. Any benefit that derives to individual photographers seems to be purely coincidental.


All of this isn't Flickr's fault, per se. The fault lies in our technical inability to render - and more importantly, to manage - images efficiently through a standard GUI, and to share them effectively.

It seems almost paradoxical. Digital technology has allowed revolutionary advances in photography. It has made possible one thing that I love more than any: the ability to draw with light rather than pigment. Sometimes when I'm engrossed in my work I find myself getting almost drunk on colour. There is nothing more rewarding than watching a well-built slide show wash the room with light and shape, to see human vision captured, distilled and transformed in the process.

It astounds me, therefore, how poorly most websites handle photos.

But this is the environment that Flickr has chosen. With few tools to effectively deal with social economies of scale, people are left to their own devices, so they crowd together (as people always do), creating cacophony where contemplation might once have been. Flickr has embraced (in the embarrassing cloying-college-drinking-buddy sense of the word) conventional wisdom with regards to UI, and has spent all its effort on the engineering challenge of handling photos in volume. They've tacked on a few trendy bloggy/webbish bits, like tagging with keywords and location data, but done nothing whatsoever to innovate how photos are viewed.

And that, it seems to me, should be the very essence of innovation where photography is concerned.

I won't demur for a moment if you counter that thumbnails are a necessary evil, that larding a page up with binaries slows down load times, that we're unfortunately bound by the lowest common denominator where display and download capacity are concerned. Nor will I argue if you express admiration for their ability to handle the data volumes that they do. Just storing and serving up 2 billion photos is a decidedly non-trivial task.

But let's be clear here: I expect more from Flickr. I judge them by a higher standard.

They want to set themselves apart? Then let them deal intelligently - dare I say it? creatively - with their popularity. The engineering challenge is interesting; I'll be the first to admit it. But dammitall, this is a photography site. It's for creative people. Is it too much to ask that they should actually take a little of their revenue and use it for basic research and innovation? Where's the research into lossless compression, peer-to-peer content distribution, point-and-click monitor calibration, optimal display environments, click-and-drag online image resizing? Where's the community for UI geeks?

How many of Flickr's 10-30 million monthly visitors have paid accounts there? My guess would be: Several. Surely some of that revenue could go into renewal, exploration and invention.

Perhaps it's no surprise that Flickr founders Caterina Fake and Stewart Butterfield left Yahoo! just as soon as they reasonably could. I don't doubt for a moment that they've thought a great deal more about these issues than I have. Perhaps they'll be the ones who manage to pull a rabbit or two out of their digital cap.

If they do, they'll get my money, too.


Steaming Piles

grcumb grcumb writes  |  more than 5 years ago

[Cross-posted from the Scriptorum.]

Sometimes you have to destroy the document in order to save it....

I give up. I can't support OpenOffice Write any more, and it's nobody's fault but their own. For anything more than simple tasks, the application is terrible. Their only saving grace is that Microsoft Office has its own brand of polished turd, named Word. Collectively, they are racing to the bottom of a decade-long decline in usability.

No, that's too generous. The thing is, they're at the bottom. They are useless for any but the most trivial tasks, and the most trivial tasks are better accomplished elsewhere, anyway.

Yes, I'm ranting. Let's put this into a proper context:

I hate word processors. For any but the simplest tasks, their interfaces are utterly ridiculous. I haven't liked a word processing interface since WordPerfect circa version 5, and if I had my own way, I'd author all my documents in either emacs or vi, depending on the circumstances.

Why do word processors suck so badly? Mostly, it's because of the WYSIWYG approach. What You See Is What You Get, besides being one of the most ghastly marketing acronyms to see the light of day in the digital era, is ultimately a lie. It was a lie back in the early 1990s when it first hit the mainstream, and it remains a lie today. The fact of the matter is that trying to do structuring, page layout and content creation at the same time is a mug's game. Even on a medium as well understood as paper, it's just too hard to control all the variables with the tools available and still have a comprehensible interface.

But the real sin that word processors are guilty of is not that they're trying to do WYSIWYG - okay, it is that they're trying to do WYSIWYG, but the way they go about it makes it even worse. Rather than insisting that the user enter data, structure it and then lay it out, they cram everything into the same step, short-circuiting each of those tasks, and in some cases rendering them next to impossible to achieve.

Learning how to write, then structure, then format a document (or even just doing each through its own interface) is easier to learn and easier to accomplish than the all-in approach we use today. For whatever reason, though, we users are deemed incapable of creating a document without knowing what it's going to look like right now, and for our sins, that's what we've become. And so we are stuck with word processors that are terrible at structuring and page layout as well as being second-rate text authoring interfaces. They do nothing well, and many things poorly, in no small part because of the inherent complexity of trying to do three things at once.

It doesn't help that their technical implementation is poor. The Word document format is little better than a binary dump of memory at a particular moment in time. For our sins, OpenOffice is forced to work with that as well, in spite of having the much more parse-worthy ODF at its disposal these days.

There's no changing any of this, of course. The horse is miles away, and anyway the barn burned down in the previous millennium. The document format proxy war currently underway at the ISO is all the evidence I need to know that I'll be dealing with stupid stupid stupid formatting issues for years to come. I will continue to be unable to properly structure a document past about the 80th percentile, which is worse than not at all. I will continue to deal with visual formatting as my only means to infer context and structure, leaving me with very little capacity to do anything useful with the bloody things except to print them out and leave them on someone's desk.

Maybe I'll just stop using them at all. Maybe I'll just start doing everything on the web and never print again. I'm half serious about this, actually. At least on the Web, the idea that content and presentation are separate things isn't heresy. At least on the Web, I can archive, search, contextualise, comment, plan, structure and collaborate without having to wade through steaming piles of cruft all the time.

At least on the Web, I can choose which steaming piles I step into.

I'm going to start recommending people stop using Word as an authoring medium. There are far better, simpler tools for every task, and the word processor has been appropriate for exactly none of them for too long now. Sometimes you have to destroy the document in order to save it.


Trust Works All Ways

grcumb grcumb writes  |  more than 5 years ago

[Cross-posted from the Scriptorum.]

The Debian OpenSSL vulnerability apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it?

Over the weekend, I've been thinking about last week's disclosure concerning Debian's OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.

There's a pretty good subjective analysis of the nature of the error on Ben Laurie's blog (thanks, Rich), and of course the Debian crew itself has done a fairly good job of writing up the issue.

The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I'm told, included every single possible key value that the Debian OpenSSL package could conceivably create.

The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?

My hypothesis - sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn't notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.

The change itself was small, but not really obscure. It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.

In all this time, apparently, nobody using Debian's OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be. That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the same trust in the software, then I'd venture to state that there's a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:

Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort.

P.S. Offhand, there's one circumstance that I think could undermine the credibility of this speculation, and that's if there's any link between this report of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.
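As an added illustration of the detector approach the entry describes (a list of every key the broken generator could emit, matched against the keys actually in use), here is a small audit script that is not from the original journal entry and not the Debian or Ubuntu tooling. All keys, moduli and the blocklist in it are constructed toy values, and the blocklist format (one hex SHA-256 of the RSA modulus per line) is an assumption made for the example.

```python
"""Blocklist-style weak-key audit for OpenSSH RSA public keys.

Added example: the moduli, key lines and blocklist below are CONSTRUCTED
toy values, not real Debian-era weak keys, and the blocklist layout (one
lowercase hex SHA-256 of the RSA modulus per line) is an assumption.
"""
import base64
import hashlib
import struct


def _sshstr(b: bytes) -> bytes:
    """SSH 'string': 32-bit big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """SSH 'mpint': minimal big-endian bytes, zero-padded if the high bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big") if x else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the value positive
    return _sshstr(raw)


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed SSH string; return (bytes, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def encode_openssh_rsa_pubkey(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_openssh_rsa_pubkey(line: str):
    """Parse an 'ssh-rsa ...' line into (e, n); reject anything else."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type mismatch inside blob")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def modulus_fingerprint(n: int) -> str:
    """Hex SHA-256 of the minimal big-endian modulus: the blocklist lookup key."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def load_blocklist(text: str) -> set:
    """Parse blocklist text: one fingerprint per line, '#' starts a comment."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.add(line.lower())
    return entries


def is_blocklisted(pubkey_line: str, blocklist: set) -> bool:
    _, n = parse_openssh_rsa_pubkey(pubkey_line)
    return modulus_fingerprint(n) in blocklist


def audit_authorized_keys(text: str, blocklist: set):
    """Return (line_no, comment, status) per key line: WEAK, ok or unsupported.

    Blank and comment lines are skipped; lines with leading key options
    (e.g. 'command="..."') are not handled and come back as unsupported.
    """
    report = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        comment = parts[2] if len(parts) > 2 else ""
        try:
            _, n = parse_openssh_rsa_pubkey(line)
        except ValueError:
            report.append((line_no, comment, "unsupported"))
            continue
        status = "WEAK" if modulus_fingerprint(n) in blocklist else "ok"
        report.append((line_no, comment, status))
    return report


# Constructed toy values: tiny moduli chosen for readability, not real keys.
WEAK_E, WEAK_N = 65537, 0xE2B7_4C91_0A3F_5D63_71AA_08F4_2C6E_9B15
GOOD_E, GOOD_N = 65537, 0x9A1D_77E0_3B4C_F215_6D02_C8B9_E47F_1A3D
WEAK_KEY_LINE = encode_openssh_rsa_pubkey(WEAK_E, WEAK_N, "weak@example")
GOOD_KEY_LINE = encode_openssh_rsa_pubkey(GOOD_E, GOOD_N, "ok@example")

# Constructed blocklist standing in for the distributed data block of every
# modulus the broken generator could produce.
BLOCKLIST_TEXT = "# constructed weak-modulus blocklist\n" + modulus_fingerprint(WEAK_N) + "\n"
BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys sample",
    WEAK_KEY_LINE,
    GOOD_KEY_LINE,
    "ssh-ed25519 AAAA notreal@example",
])

if __name__ == "__main__":
    for line_no, comment, status in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST):
        print(f"line {line_no}: {status:<11} {comment}")
```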
