Comments


Details of iOS and Android Device Encryption

subreality Re:So what you're telling me (146 comments)

Android's, even without the upgrades in L, is strong enough in many contexts and it'll be even better after L, but still not as strong as iOS.

Could you expand on that? FDE with a hardware keystore is pretty decent. What more is iOS doing?

about two weeks ago

Remote Exploit Vulnerability Found In Bash

subreality Re:Full Disclosure can be found on oss-security... (399 comments)

Here's the exploit:

curl -A "() { :; }; /usr/bin/touch /tmp/vulnerable" http://127.0.0.1/test.cgi

User-Agent is copied to HTTP_USER_AGENT with no munging.

For DHCP, dhclient calls several hooks (which are usually bash scripts) when events happen. It needs to pass some information like the new domain name. Passing them via the command line creates another set of problems, so they pass them via the environment. For better or worse, it's a common convention.

about three weeks ago

Remote Exploit Vulnerability Found In Bash

subreality Re:Full Disclosure can be found on oss-security... (399 comments)

Take a look at the example CGI I posted. It looks completely innocent - the command is a fixed string. It shouldn't be vulnerable, but this bug makes it so.

about three weeks ago

Remote Exploit Vulnerability Found In Bash

subreality Re:Full Disclosure can be found on oss-security... (399 comments)

It's worse than you think. ANY CGI which calls bash without sanitizing the environment is vulnerable. For instance:


#!/usr/bin/perl
print("Content-type: text/plain\n\n");
system("bash -c ls");

but there is no reason to panic.

Start panicking.

about three weeks ago
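An added detection example in Python, not code from the thread, covering the three Shellshock posts above: it scans Apache combined-format access log lines (an assumed format) for the "() {" exported-function prefix that the posts describe arriving in User-Agent and being copied into HTTP_USER_AGENT, and checks Referer too, since any header the gateway exports reaches the environment the same way. The log lines are constructed.

```python
import re

# Added example, not from the thread: flag requests whose User-Agent or Referer
# carries the "() {" exported-function prefix that the posts above describe
# being copied verbatim into HTTP_USER_AGENT by the CGI gateway.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format (assumed); the two quoted trailing fields are
# Referer and User-Agent, which a CGI sees as HTTP_REFERER / HTTP_USER_AGENT.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed log lines (RFC 5737 documentation addresses): the first reuses the
# payload quoted in the thread, the third puts a no-op definition in Referer,
# and the last is deliberately malformed to show the sweep tolerates it.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /test.cgi HTTP/1.1" 200 512 "-" "() { :; }; /usr/bin/touch /tmp/vulnerable"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; :" "curl/7.38.0"
garbage line that does not parse
"""


def find_shellshock_probes(log_text):
    """Return (client_ip, request_line, header) for every line whose User-Agent
    or Referer matches; lines that do not parse are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append((m.group("ip"), m.group("req"), header))
    return hits


if __name__ == "__main__":
    for ip, req, header in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip} {req!r} via {header}")
```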

New Evidence For Oceans of Water Deep In the Earth

subreality Re:Ingredients for water? (190 comments)

By RTFA I discovered that "This water is not in a form familiar to us—it is not liquid, ice or vapor. This fourth form is water trapped inside the molecular structure of the minerals in the mantle rock. The weight of 250 miles of solid rock creates such high pressure, along with temperatures above 2,000 degrees Fahrenheit, that a water molecule splits to form a hydroxyl radical (OH), which can be bound into a mineral's crystal structure."

about 4 months ago

After a Long wait, GNU Screen Gets Refreshed

subreality Re:most useful? (77 comments)

More compact: tmux at -d || tmux

about 6 months ago

SpaceX Launches Load to ISS, Successfully Tests Falcon 9 Over Water

subreality Re:Test and launch are the same, it is GREAT! (125 comments)

RTLS, TAL and AOA all relied on the main engines. If all three SSMEs failed they would have ditched it in the Atlantic. The scenarios aren't really comparable - they had a lot more fuel to work with but also a much heavier vehicle to return.

RTLS is easier for the Falcon 9. After separation the stage 1 assembly is quite light: it has shed the payload, second stage, and most importantly, most of its own fuel; the remainder is about 5% of the original mass. It can therefore make a pretty quick burn to reverse its course.

They have some real numbers over here: http://forum.nasaspaceflight.c... .

about 6 months ago

Google Tries To Defuse Glass "Myths"

subreality Re:Yea, because glassholes will have learned (363 comments)

What do you think a Glass user can do that a phone user can't?

They can walk around maybe recording at any time. Someone who points a phone at me for a moment probably took a photo. Someone who points it at me continuously is probably taking a video. Either action is conspicuous which means that I can choose to leave, or I can confront them if they're doing it inappropriately.

Camera etiquette has been refined for a hundred years. Glass upsets the balance because it doesn't provide those visual cues. People who don't want to be recorded therefore presume it's not recording but feel uneasy because they're not sure, or they assume the worst and confront the wearer.

I'm actually quite enthusiastic about it as a technology, but the couple times I've encountered them in the wild I've fallen into the "uneasy because I don't know if I'm being recorded" group. I'd like to have one, but I'd cover the lens with a piece of tape most of the time.

about 7 months ago

Docker Turns 1: What's the Future For Open Source Container Tech?

subreality Re:Subjects suck. (65 comments)

It's a high-level interface to LXC (similar to Solaris Containers, or FreeBSD Jails). If you're not familiar with those, think of it as a combination of:
  chroot (virtualized filesystem root)
  git (version control where a hash-id guarantees an exact environment)
  virtual machines (virtualized networking, process tables)
  make (you make a config file describing an image to start from, then all the things to do to set up your application / build environment / whatever)

If you are building a complex product you can write a short Dockerfile which will:
  Start with 8dbd9e392a96 - a bare-bones Ubuntu 12.04 image
  apt-get install git gcc make libc6-dev

You now have a completely reproducible build machine - Docker builds it and gives you back a hashref. You run it with the right arguments (basically: a path to where your source code is, plus a command to run) and it builds your project reliably (you always have a clean container exactly the way it was when you built it) and quickly (unlike a snapshotted VM there's no need to boot it - in a split second the container comes up and it's running your makefile). More importantly, everyone else working on your project can clone that tag and get /exactly/ your environment, and two years from now people won't be scratching their heads trying to reproduce the build server.

Now let's say you're shipping your product - you're a web company, so you have to package it up for the operations guys to deploy. It used to be you would give a long list of dependencies (unreliable, and kind of a pain for the user); more recently you'd ship a VM image (big, resource-heavy, but at least it escapes dependency hell); with Docker you build an image, publish it on an internal server and give the hashref to the ops guys. They clone it (moderate-sized, resource-friendly) and they get your app with everything required to run it correctly exactly the way QA was running it.

As it's being run they can periodically checkpoint the filesystem state, much like snapshotting a VM. If something goes wrong it's easy to roll back and start up the previous version.

It's a young project and there are still some rough edges, but the benefits are significant. I think in a few years doing builds without a container will be looked at the same way as coding without source control.

about 7 months ago

Crowdsourcing Confirms: Websites Inaccessible on Comcast

subreality Re:Stop (349 comments)

It's OpenDNS's fault. They return a bogus A record instead of NXDOMAIN:

$ dig +noall +comments +answer test.example.com @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48729
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

$ dig +noall +comments +answer test.example.com @208.67.222.222
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31301
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
test.example.com. 0 IN A 67.215.65.132

about 7 months ago
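An added example in Python, not from the post: a minimal DNS response decoder that reads the header RCODE and answer section, so a monitoring script that queries a name known not to exist can tell an honest NXDOMAIN from a resolver that substitutes its own A record. Both replies are constructed by hand; only the transaction ids and 67.215.65.132 are taken from the dig output above.

```python
import struct

# Added example, not from the thread: decode a DNS reply well enough to tell an
# honest NXDOMAIN from a NOERROR answer that synthesises an A record for a
# name that does not exist.  Replies are constructed; ids/IP come from the dig output.
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN"}

def encode_name(name):
    """'test.example.com' -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(txn_id, rcode, qname, answer_ip=None):
    """Constructed reply to an A query: header, echoed question, optional A record."""
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode                          # QR, RD, RA set; RCODE in low nibble
    pkt = struct.pack(">HHHHHH", txn_id, flags, 1, ancount, 0, 0)
    pkt += encode_name(qname) + struct.pack(">HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if answer_ip:
        pkt += b"\xc0\x0c"                          # name: compression pointer to offset 12
        pkt += struct.pack(">HHIH", 1, 1, 0, 4)     # type A, class IN, TTL 0, RDLENGTH 4
        pkt += bytes(int(o) for o in answer_ip.split("."))
    return pkt

def skip_name(pkt, off):
    """Advance past a name: labels end in a zero byte, a compression pointer is two bytes."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def classify_response(pkt):
    """Return (status, [dotted A records]) from the header RCODE and answer section."""
    _, flags, qdcount, ancount = struct.unpack(">HHHH", pkt[:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4               # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return RCODE_NAMES.get(flags & 0x0F, f"RCODE{flags & 0x0F}"), addrs

def is_synthesised_answer(pkt):
    """For a query the caller knows cannot resolve: NOERROR with an A record
    means the resolver answered with its own address instead of NXDOMAIN."""
    status, addrs = classify_response(pkt)
    return status == "NOERROR" and bool(addrs)
```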

First LSD Test In 40 Years Reveal Drug Helps Terminal Patients Prepare For Death

subreality Re:bad trip to the power of infinity? (221 comments)

I've had very few bad "trips" but I can't imagine how bad it could be if you know you are dying.

Knowing you're dying can be a bad trip, no drugs required. Someone who's looped their fear until their soul is crushed isn't in much danger - they've already hit bottom.

Knowing you're going to die is a terrible burden, but it presents you the opportunity to choose the last memories your friends and family will have of you. They can remember you living your last weeks in fear and dying terrified, or you spending some time recalling the good times, and perhaps forgiving some of the bad ones. That's all the control you have left of your legacy, and you don't have much time to take advantage of it.

LSD, especially low* doses with someone to help guide can sometimes give people a new perspective. If they can relax their fixation on the fact that their time is up they may see the bigger picture - that we're all mortal, that life is a cycle, and that this is just a part of it. It may give you the opportunity to make your peace with the world. And if not, you're dead anyway. So why not?

* There's adequate margin between free-association, preconception-questioning levels and moon-howling-naked.

about 7 months ago

Naming All Lifeforms On Earth With Hash Functions

subreality Re:Names are for communication (97 comments)

["dog\n", "deer\n", "wife\n", "animals\n"] ... People would find these names easier to understand if you used "echo -n".

about 8 months ago

Amazon Coins and How the Definition of 'Crypto-Currency' Is Getting Too Loose

subreality Re:BitCoin has complete record of transactions. (115 comments)

You're close. There's no difficulty decoding the blockchain. The transactions are a public ledger. Have a look: https://blockchain.info/tree/1...

It's not anonymous - it's pseudonymous. Your address is your pseudonym. It can be linked to you in many ways:

When you buy something the seller knows who you are (they have your mailing address, your IP address, etc), and they know your Bitcoin address (the transaction is public information). Anyone watching your address will also see the transaction. If the address you sent coins to is a known address the investigator can then go to that seller and request your identity (via subpoena, violence, bribery, etc).

When you transmit the transaction it's first received by a few network nodes. If the investigator is running one of those nodes they see your IP. They won't know for certain it's you (perhaps you were just relaying a transaction), but it's still a short list to check. If it's the NSA or anyone else who can monitor your internet connection directly, they can easily discover that the transaction originated from you because no one sent it to you first.

People use mixing services to help obscure the origin of their coins. It makes it harder, but it's still possible to perform statistical analysis. For a simple example: https://blockchain.info/taint/... . The investigator can find some addresses which correlate with yours. Even if they don't find YOU they might find someone you do business with, then coerce them into giving up your identity.

It's a lot like cash. You can pass it around freely, but every dollar bill has a serial number. You can spend it with relative anonymity, but it will be scanned whenever it passes through a bank. If someone is looking for certain serial numbers then they can easily find the bank your merchant uses; then stake out the merchant; then find you.

about 8 months ago

New England Burns Jet Fuel To Keep Lights On

subreality Re:[OT] mmBtu? (230 comments)

You're correct - apparently I'm the one demonstrating the problem. :)

about 9 months ago

New England Burns Jet Fuel To Keep Lights On

subreality Re:[OT] mmBtu? (230 comments)

so working in megaBTU makes perfect sense.

You just demonstrated the problem: mmBTU == kiloBTU, not megaBTU.

about 9 months ago

Office Space: TV Documentary Looks At the Dreadful Open Office

subreality Re:Anecdotal Experience (314 comments)

you can't make a phone call without annoying everyone, so now nobody uses the phone unless in a conference room; phone communication in general has dropped precipitously and now takes a back-seat to e-mail

How is that a con?

about 9 months ago

Does Anyone Make a Photo De-Duplicator For Linux? Something That Reads EXIF?

subreality Re:Geeqie (243 comments)

+1. The reason: it has a fuzzy-matching dedupe feature. It'll crawl all your images, then show them grouped by similarity and let you choose which ones to delete. It seems to do a pretty good job with recompressed or slightly cropped images.

Open it up, right click a directory, Find Duplicates Recursive.

fdupes is also good to weed out the bit-for-bit identical files first.

about 9 months ago

How To Create Your Own Cryptocurrency

subreality Re:Errors in Paper (203 comments)

The correct date is approximately 2140 AD. The reward per block started at 50 BTC and is cut in half every 210,000 blocks, which nominally takes about 4 years. After ~130 years you have done 33 halvings, so the reward is 50 / (2^33) = 0.58 Satoshi, where 100 million Satoshi = 1 bitcoin. Since the smallest unit in the bitcoin transaction system is 1 Satoshi, the reward becomes too small to measure, and thus mining for new coins stops.

This is closer but still incorrect. All accounting in Bitcoin is performed with integer arithmetic. The reward per block started at 5,000,000,000 satoshis and is right shifted by one bit every 210,000 blocks. The reward does not become too small to measure - it becomes precisely zero.

about 9 months ago
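The two calculations side by side, as an added Python example that is not part of either post: the integer right shift the protocol actually performs against the floating-point division the quoted poster used. The constants are the ones named in the thread; the 64-halving guard is the one Bitcoin Core adds so the shift stays defined in C++.

```python
# Added example, not from the thread: Bitcoin's block subsidy in integer
# satoshis, the way the protocol computes it, next to the float version the
# quoted post reasoned with.  Constants are those named in the thread.
SATOSHIS_PER_BTC = 100_000_000
INITIAL_SUBSIDY = 50 * SATOSHIS_PER_BTC   # 5,000,000,000 satoshis
HALVING_INTERVAL = 210_000                # blocks between halvings

def block_subsidy(height):
    """Subsidy in satoshis for the block at `height`: one right shift per
    completed halving interval, exactly as integer arithmetic gives it."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:          # Bitcoin Core's guard: a 64-bit shift is undefined in C++
        return 0
    return INITIAL_SUBSIDY >> halvings

def float_subsidy_btc(height):
    """The quoted post's reasoning: 50 BTC divided by 2**halvings as a float.
    This never reaches zero, hence its 'too small to measure' conclusion."""
    return 50 / (2 ** (height // HALVING_INTERVAL))

def first_zero_subsidy_height():
    """Lowest block height whose subsidy is precisely zero."""
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height

def total_supply_satoshis():
    """Sum of every block's subsidy until it hits zero: the hard supply cap."""
    total = 0
    height = 0
    while (subsidy := block_subsidy(height)) > 0:
        total += subsidy * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total

if __name__ == "__main__":
    h = first_zero_subsidy_height()
    print(f"last non-zero subsidy: {block_subsidy(h - HALVING_INTERVAL)} satoshi")
    print(f"subsidy is exactly zero from height {h} ({h // HALVING_INTERVAL} halvings)")
    print(f"float version at that height: {float_subsidy_btc(h) * SATOSHIS_PER_BTC:.2f} satoshi")
    print(f"total supply: {total_supply_satoshis() / SATOSHIS_PER_BTC} BTC")
```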

Ask Slashdot: Best Way To Implement Wave Protocol Self Hosted?

subreality Re:JSON (112 comments)

It doesn't require all those extra brackets and braces and quotes.

My point is all those extra brackets, braces, and quotes (and field labels) don't cost you much. They compress efficiently.

JSON is like any hammer. Sometimes you gotta know when it's time to put it down and pick up the screwdriver instead.

No argument there - JSON isn't my only tool. :) I just disagree that it "fails hard when you want to send 1,000s of records".

about 10 months ago

Submissions

subreality hasn't submitted any stories.

Journals

subreality has no journal entries.
