
Slashdot: News for Nerds


Comments


German NSA Committee May Turn To Typewriters To Stop Leaks

malvcr The problem is.... (244 comments)

The problem is NOT what they are trying to resolve.

As some pointed out, there are ways to collect data that were in use several decades ago, combined with modern technology.

They need to perform a serious risk analysis to remake their procedures (all of them), and to implement serious educational programs with corresponding verifications (regular tests and checks).

Changing computers for typewriters to resolve their problems is like curing a cancer with a cup of tea.

about two weeks ago

Ask Slashdot: Easy-To-Use Alternative To MS Access For a Charity's Database?

malvcr SQLite (281 comments)

I am recommending this without enough information about the problem.

In my case, I wrote my own multiuser access layer on top of SQLite and it works very well. I don't rely on any type of file access control because, as the SQLite documentation says, it may not be reliable.

But if you can make an application that works in only one place within one machine, SQLite is far more powerful than MS Access, and uses almost no resources. Also, if you need to back up the data or to send the data to another place, you only need to copy the data file.

There is a Firefox add-on for basic database management, and that's all; you need nothing else to work other than the way to present the data to your users.

****

One comment here.

When we have only hammers to work with, we see every problem as a nail.

Depending on how you model your solution, SQLite is just enough, as is any other database system, even XML or plain text files.

Other people recommended HSQLDB (Libre/Open Office); as I remember, the database works in memory and has a backup on disk with statement-based storage. When you start your application, this database runs ALL the statements and refills the memory structures. I am not sure if this works for you. In the case of SQLite, it is a standard database system and the database file is analogous to an Oracle datafile or MySQL data structure.

about 2 months ago
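A sketch of the kind of multiuser access layer the comment above describes, as an added example (not malvcr's code): writers are serialised by SQLite's own BEGIN IMMEDIATE lock and busy timeout instead of by filesystem access control, and the "copy the data file" backup is done through the online backup API so the copy is consistent even while others write. The SqliteStore class, the donors table and the two-user scenario are constructed for this example.

```python
import os
import sqlite3
import tempfile


class SqliteStore:
    """Minimal multi-user layer over one SQLite file (constructed example).
    Writers are serialised by SQLite's own BEGIN IMMEDIATE lock plus busy
    timeout, not by OS file permissions or advisory locks, which the SQLite
    docs warn can be unreliable (network filesystems in particular)."""

    def __init__(self, path, timeout=5.0):
        self.path = path
        self.timeout = timeout  # seconds a connection waits on a locked database
        con = self.connect()
        try:
            con.execute("PRAGMA journal_mode=WAL")  # readers do not block the writer
            con.execute("CREATE TABLE IF NOT EXISTS donors (name TEXT PRIMARY KEY, total INTEGER NOT NULL)")
        finally:
            con.close()

    def connect(self, timeout=None):
        # isolation_level=None: we issue BEGIN/COMMIT ourselves, nothing implicit
        wait = self.timeout if timeout is None else timeout
        return sqlite3.connect(self.path, timeout=wait, isolation_level=None)

    def add_donation(self, con, name, amount):
        """Read-modify-write under the write lock so two users cannot lose updates."""
        con.execute("BEGIN IMMEDIATE")  # raises 'database is locked' after the timeout
        try:
            row = con.execute("SELECT total FROM donors WHERE name = ?", (name,)).fetchone()
            if row is None:
                con.execute("INSERT INTO donors (name, total) VALUES (?, ?)", (name, amount))
            else:
                con.execute("UPDATE donors SET total = ? WHERE name = ?", (row[0] + amount, name))
            con.execute("COMMIT")
        except Exception:
            con.execute("ROLLBACK")
            raise

    def total_for(self, con, name):
        row = con.execute("SELECT total FROM donors WHERE name = ?", (name,)).fetchone()
        return row[0] if row else 0

    def backup(self, con, dest_path):
        """Consistent copy of the live database file, safe while others are writing."""
        dest = sqlite3.connect(dest_path)
        try:
            con.backup(dest)
        finally:
            dest.close()


def demo():
    """Two users on one database file; returns what happened for checking."""
    workdir = tempfile.mkdtemp()
    store = SqliteStore(os.path.join(workdir, "charity.db"))
    user_a = store.connect()
    user_b = store.connect(timeout=0.2)  # impatient second user
    store.add_donation(user_a, "alice", 50)
    user_a.execute("BEGIN IMMEDIATE")  # user_a holds the write lock open...
    blocked = False
    try:
        store.add_donation(user_b, "alice", 25)  # ...so user_b times out
    except sqlite3.OperationalError as exc:
        blocked = "locked" in str(exc)
    user_a.execute("COMMIT")
    store.add_donation(user_b, "alice", 25)  # succeeds once the lock is released
    total = store.total_for(user_a, "alice")
    copy_path = os.path.join(workdir, "charity-backup.db")
    store.backup(user_a, copy_path)
    copy = sqlite3.connect(copy_path)
    copied_total = copy.execute("SELECT total FROM donors WHERE name = 'alice'").fetchone()[0]
    for c in (copy, user_a, user_b):
        c.close()
    return {"blocked": blocked, "total": total, "copied_total": copied_total}
```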

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

malvcr Re:Financial Institution Vulnerabilities? (56 comments)

I was checking the source code of the original and of the "official" (not the Akamai) patch itself.

In fact, the original code (with the bug) is more ordered and clear than the patch. But in general, the issue is that OpenSSL is a very big and complex piece of code maintained by a group of people with a very small quantity of resources, but used by many important organisations around the world.

The problem is not that the software is open source. Proprietary source also has the same level of problems, the only difference being that we can check the open sourced products and we have no idea what they did in the proprietary (a.k.a. closed) products. The problem is that the Internet does not have a good international and neutral organisation to help verify the important parts that make it work, and the users of the technology invest no resources to verify how well these products are made.

And yes, if a Bank has a router with OpenSSL with the bug, the router has the bug. Or it is better to say that the router has had that level of bug for nearly two years by now, and that it is possible somebody was able to bypass the security WHEN the SSL protocol is exposed.

So ... there are many sources of problems, many more than the web servers, although these vulnerabilities will become real problems depending on how well defined the security of the network infrastructure is. Good practices lead to reduced exposure to existing vulnerabilities; this is why it is important to know, to understand and to apply these good practices.

about 3 months ago

Ask Slashdot: What Do You Consider Elegant Code?

malvcr Re:Elegance only exists in textbooks (373 comments)

I have more than 20 years of coding, and lately I have been working on a security-oriented framework in C++.

I must admit my primary goal was security and I have been trying to be strict about the security problems others usually have and that are usually defined as weaknesses. However, you also need to work on usability and effectiveness to have something really usable.

For me, elegant code helps you to express your needs in a very clear and understandable way, be it for you in the future or for others to maintain. That code not only needs to be clear, but also needs to be secure and efficient. I gain nothing inventing a beautiful piece of code that will use 100 times more CPU because it has been excessively layered, or that permits me to create beautiful pieces of crap that will leak any possible memory and produce many different types of concurrency problems.

Elegant doesn't mean hiding responsibilities. I don't believe in the garbage collector "for everything" philosophy, because you lose control of what you are dealing with, even in places where it is a must to have very precise control. Elegant code is clear, having well defined preconditions and postconditions, with no surprises. Every new has a delete (everything that is created must be destroyed), and your programming rules are logical and build up your understanding of the problem you are resolving.

In a few words: elegant means you are in control.

about 3 months ago

Ask Slashdot: Can an Old Programmer Learn New Tricks?

malvcr Re: what you need them for? (306 comments)

Wrong assumption on my part :-)

Let me see ... all the languages using { } come from C, or more precisely from BCPL, although in their evolution several things changed (for some reason they were created).

According to (http://www.levenez.com/lang/lang.pdf), Python comes from Modula3, ABC and C. Eiffel comes from Simula and Ada, so although they share concepts they are different languages.

I don't think that C++ or Java have broken implementations; what I think is that they follow different approaches. Eiffel seems to be more strict (CLU in its past can have some reason for this, and it was my first OO language in University). and ...

It is possible to create good software with any language and to create bad software with any language. In fact, it is possible to have perfectly coded software, following all the language rules but with a completely lost (aka broken) sense of the semantics it wants to work on. This is, in fact, the biggest problem in the security area and it is not related to the nature of the languages.

And I understand you. I learned Pascal before C, so when arriving at C it was very "free" for me and I was forced to understand the inner logic of the pointer world. With C++ things were more strict although not as systematically defined as Eiffel. What for me is terrible is to work in old fashioned Basic; this is like a short circuit in my brain, but I was able to do nice things with that language a long time ago (that, of course, I won't try to repeat).

about 4 months ago

Remote ATM Attack Uses SMS To Dispense Cash

malvcr Re:Physical Access = owned (150 comments)

Let me explain what happens with the ATM devices.

The ATM has a computer with the operating system and a basic bootstrap software. In fact, the configuration itself is not located in the ATM but, when the ATM is turned on, it is sent to it from the Bank. One important reason is that when somebody steals the ATM, it will lose all the configuration including many different types of keys, making the task of opening it or of learning more about the ATM's network behaviour a difficult task.

When the security employees load the ATM with money, they actually have no access to such money. The Bank fills security money boxes (actually small security boxes that are not so easy to open). These boxes have a special key that is used only inside the Bank's vault. The employees that will give maintenance to the ATMs receive the loaded boxes from the Bank's personnel and replace the previous ones "complete" in the ATM (they don't have the keys), and deliver the full or partially empty boxes to the Bank for internal maintenance (to count remaining bills, clean, reload, etc.).

So, the security employees are the ones that could install the phone in the computer because they need to open the ATM to replace the money boxes. As they are the ones who do this work, they also could put the phone in, and the next time they load the ATM, they will remove it to leave no trace of such action. So, it is not necessary for them to violate the physical boxes or to cut the ATM in half (which is not easy anyway), but just to connect a phone, continue with their daily work, and somebody else will come to extract the money with the help of the phone and the ATM itself.

As 80% of the attacks are from "insiders", this makes all the sense to me. To resolve the problem, however, is not so easy, because they need to replace their ATM system with one that would be invulnerable to USB or other types of port access, something that was not thought of when the current systems were designed many years ago.

about 4 months ago

Ask Slashdot: Can an Old Programmer Learn New Tricks?

malvcr Re: what you need them for? (306 comments)

Let me add to this that the answer is not the framework but the paradigm. You are coming from C so you are not working object oriented. First, choose the program you would like to write, then design it thinking in an object oriented way, then choose the language according to your final required platform, and this will tell you if a framework is required. For example, if you choose C++ you will work with STL for sure and maybe something else; and if you choose Java or C# you have no choice but to use the base framework because they are platforms more than only languages (Stroustrup's words). But start with the design if you really want to learn well.

about 4 months ago

20 Freescale Semiconductor Employees On Missing Malaysia Airlines Flight

malvcr Re:Summary needs a slight rewrite (190 comments)

What about "something" that can fly for a little landing from the plane and return to depart again? ... this is not for 2014, but could be in the future, with a different design of what a plane is.

about 5 months ago

20 Freescale Semiconductor Employees On Missing Malaysia Airlines Flight

malvcr Re:Summary needs a slight rewrite (190 comments)

This is material for many new books and movies, even without knowing what really happened. Your description is a possibility (better knowing, as another reader pointed out, that Malaysian security controls are very lax ... until now at least).

Other options:

  • These are fly-by-wire devices. You don't need to go to the cabin to destroy the plane; you only need to disturb the plane network to make it useless.
  • It is supposed the plane was turning south before losing contact. Could it be possible it was hijacked instead of destroyed?
  • There are ways to disturb the satellite and GPS systems so the device believes it is in one place while it is really in another one... but the lack of communication makes this a not so good option.
  • Static in the cabin .... what about our atmosphere, which is presenting many changes lately, developing some type of new, unknown for us, electromagnetic disturbance that could destroy the electronics in a plane? ... I expect this not to be real, because many other planes could be in trouble very soon.
  • Errant and/or out of control Drone?
  • A meteorite?

In fact, I just realised that the Drones have a very nice possible future usage. Many planes with troubles are alone in their space. What if we "always" send a small reconnaissance Drone with each plane? It is "outside" the plane, so if the plane explodes or loses control, the Drone can be a first class witness. Also, if there is a strange air flow or some atmospheric disturbance and the Drone is flying in front of the plane, it will be affected first. Some seconds are the difference between life and death. And, they could give a hand if the pilots have very serious situations inside the plane.

about 5 months ago

Free (Gratis) Version of Windows Could Be a Reality Soon

malvcr Re:Free as in... (392 comments)

In fact ... it is not free at all.

You need to have Windows 7 to have Windows 8.1 with Bing, and Windows 7 was not free. Also, Win7 is not very old. They are just copying what Apple did with Mavericks, but with restrictions.

What I see is that Microsoft is in trouble because their business model from the 80s is not working well today. Apple has no problems, because they are not selling Operating Systems now, they are selling devices (many of them) ... and Microsoft almost none, and this is why they needed Nokia. The Operating Systems, as in the old days of computing, are returning to be a complementary free part of the systems, as they must be.

A side note: There is a mistake about what an O.S. is. When trying to catch the market, Microsoft put every imaginable piece of technology inside the O.S. ... but this is not really an O.S., this is a "distribution". The O.S. must be a small part of the system. Look at Linux, it is really "ONE" file ... this is why people can make distributions, can put Linux in appliances, create Chrome OS or Android on top, etc. Microsoft must consider doing the same, a small free element, and asking for money for the complementary parts for particular purposes. Forget the UI, forget the Server edition. Make them independent products; who knows, maybe this works for them...

about 5 months ago

How To Take Apart Fukushima's 3 Melted-Down Reactors

malvcr Re:I have a plan (167 comments)

For Plasma they are using a containing magnetic field.

And this is more troublesome than radioactive material.

They have 37 years to find the way to create a strong-enough and stable magnetic enclosure that is able to surround all the infrastructure, to attach it to a rocket and to send it to the sun.

Because I don't think that they will be able to create a magnetic or any other type of enclosure that lasts several thousand years until the radioactivity disappears by itself.

The other option is to clean everything. I really don't know what is more difficult.

about 5 months ago

Woman Attacked In San Francisco Bar For Wearing Google Glass

malvcr Re:No, not those who don't understand... (921 comments)

The Glass is a very obvious device. I suppose this is because they are selling the concept.

But what about a camera embedded in a pair of standard glasses?

You just turn on the recording device (could be Bluetooth or stand alone), which doesn't even need to be with you, only within reachable distance, and record everything around. No wires, nothing giving away what you are doing.

mm... I suppose this must be happening thousands of times right now. ... and for much less than $1500. ... Amazon, Fashion Listens Glasses Digital Video Glasses Hidden Eyewear DVR Camcorder Eyeglass $48.98

about 5 months ago

Does Relying On an IDE Make You a Bad Programmer?

malvcr Re:IDEs are good. UI builders are bad. (627 comments)

I don't think that the UI builders that create code are bad as a concept.

The problem is not there; the problem is in the framework they are based on to create the code.

In fact, if the framework is well ordered, efficient and trustworthy, they do almost nothing, very similar to creating XML to run the user interface, but letting you fill some gaps with more creative methods (when they won't destroy your own modifications when re-creating the source files).

On the other side, sometimes the UI builders really don't help you. Once I created a very complex and flexible database library directly using Delphi's VCL framework without the usage of the UI Builder. The framework was wonderful, but the UI Builder just didn't let you go beyond some basic limit. And as I understand they never improved this, just made the particular libraries obsolete instead of trying to improve how they used them.

about 5 months ago

Stack Overflow Could Explain Toyota Vehicles' Unintended Acceleration

malvcr Re:Go Amish? (664 comments)

I think that there is a basic fundamental problem here.

There are characteristics and there are characteristics in a device that carries you to another place.

The first ones are classified as critical and it is important to invest all possible resources to make them work. I know one car computer could cost $100 but to develop it costs millions of dollars, so there are resources to make them well.

The other characteristics, to attach an iPod, to control the temperature in your seat, to dim the internal light, can have bugs; nobody will die because of them.

But, please, don't make bugs in the critical areas because you like to have the superficial characteristics at hand without spending money; I would call that irresponsible design behaviour.

about 5 months ago

Is Whitelisting the Answer To the Rise In Data Breaches?

malvcr Re:We're adopting this at work... (195 comments)

In the end, what happened is that the current user-computing environments were not created to be in a connected world where resources were available through the Internet. This has been a very disordered and incomplete evolution where something must die in the improvement process.

You are the owner of your environment. But others can execute sensitive/powerful code without your permission. There must be a difference between "you" and the "others" for you to be really secure, a difference that disappears when the software is already in execution position. And this is the main problem.

This is like having a car. If you let an unknown person drive your car then you are doomed. You don't do that; you have keys, you have a safe place to store your car, and when another takes your car it is an abnormal behaviour. But current systems see with good eyes that other pieces of software are executed without enough control inside them, and this is their normal behaviour ... something is not logical in this equation.

about 6 months ago

Wozniak Gets Personal On Innovation

malvcr Re:I blame textbook monopolies. (161 comments)

Watching TV and listening to music is useless because they are oriented to commercial goals; they are not intended to teach anybody useful things. With clear exceptions (let me see ... BBC, BBC ... BBC ... ).

Right now I am listening to Arthur Honegger: "Une Cantate de Noël" on Youtube, and I suppose nobody knows this music because of standard TV or Radio ... even, I doubt people, in general, know that Honegger even exists as a composer or that there is this option to find good modern music; let me see, 6801 people saw this including me. Another test ... Samuel Barber (a very important US composer) ... "Summer Music" ... 958 views ... and a last one ... Miley Cyrus - "Wrecking Ball" ... 523,997,788 views ....

I think everything is said.

about 6 months ago

Should Everybody Learn To Code?

malvcr Re:Should Everybody Learn Calculus? (387 comments)

I use C++ every day and I understand you ... but in that case maybe what could be said is that C++ is bigger and, in that sense, more difficult to master.

In fact, you can do exactly the same as you do with C++ with C, even object oriented programming. But ... and this is where things turn out, C becomes more complex than C++ because you need to figure out how to do things with fewer language constructs.

In the end, returning to the original posting about education, what people need to know is how to use their computer effectively, and programming is a good way to get the maximum from such devices. What I don't see is everybody using C or C++ on a daily basis because "both" are hard to use well. What people need is to understand the concepts well and then to use some language that permits them to have a flexible life with their devices without committing programming sins that later will take their eyes out of their orbits.

about 6 months ago

Should Everybody Learn To Code?

malvcr Re:Should Everybody Learn Calculus? (387 comments)

Calculus is important in the sense that Mathematics is the language of science.

And our computers are based on mathematics. Of course, you can create software without a mathematical background, but when you do it with a careful design based on well established mathematical principles ... oh, what a difference!!

Modern pattern-based programming is ... a mathematical model. Object oriented programming follows rules that are crafted according to mathematical practice. How the cycles and conditions work inside the software flow describes mathematical considerations, and it is possible to anticipate how your software will behave using mathematical theory to save you a lot of time and "money".

The problem is not learning "Calculus". The problem is learning when to "apply" Calculus. As an example, I have many years learning English (Spanish is my native language) ... my writing is not perfect, but I am improving it every day ... but as I don't use Mandarin for daily communications, my low Mandarin knowledge is rusting and disappearing. But this doesn't mean that learning Mandarin is not important; speaking fluent Mandarin could open many doors for me that today are closed.

about 6 months ago

Should Everybody Learn To Code?

malvcr Re:Should Everybody Learn Calculus? (387 comments)

This is not true.

Both have advanced compilers, just that they are based on different principles.

You can create very complex things with C. An example is the UNIX-like operating systems.

about 6 months ago

Submissions


Want your points of view - Secure by definition

malvcr writes | 1 year, 14 days

malvcr (2932649) writes "I have been a developer for 20 years by now, and have been dedicated to security in my last years. My impression is that the current state of affairs is carrying the whole industry, in particular the Internet, to nowhere in security. Huge privacy concerns, basic mistakes with enormous consequences, a generalized lack of good programming practices leading to many security vulnerabilities, etc.

Taking this into consideration, I started a company (http://www.hausmi.com) and an open source project (http://hausmisep.sourceforge.net). My purpose is to help as I can doing what I know, but instead of fighting hard to close holes and providing aspirins, I want to change the basic rules governing the creation of software. Secure by design, secure by construction, secure by definition.

Nobody has all the answers and this is why I am posting this on Slashdot. I have been reading here for a long time with some small replies, and I know there are many good and sharp comments, serious and funny (we need to laugh from time to time), and your points of view will help me adjust this attempt to work better on what security means for all of us. It makes no sense only to do what I want to do, but to know what people need to have.

Thank you"

Journals

malvcr has no journal entries.
