Comments

Ask Slashdot: Is an Open Source .NET Up To the Job?

toejam13 Re:I'm Using C++ (369 comments)

The C standard library provides an API to all your system resources.

The C standard library (libC) provides a very basic API to some of your system resources. You have to include a large number of other libraries in order to obtain a feature set similar to the Java and .NET frameworks.

And in addition to the IO, thread and math limitations that the AC above touches on, there are several other major problems facing the core C libraries: wchar support, qword support, socket support and overflow safe functions. There has been significant balkanization between the BSD, GNU and Microsoft camps on these topics, making cross platform development difficult. I've written a lot of wrapper code over the years dealing with the issue.

The nice part about the Java and .NET frameworks is that they eliminate most of the problems I mentioned and several of the issues the AC brought up.

But I do still find the C libraries, Java framework and .NET framework all lacking. They're good for about 80% of all cases, but I seem to find myself thumping on the native APIs far more than I thought I should. I'm really annoyed at how often I find myself using PInvoke under C#.

My hope is that with the Core .NET moving off to the open source camp, maybe Microsoft can start focusing on adding C# bindings for the rest of WinAPI. The day I can write code without having to use a PInvoke is the day I'll stop writing C/C++ code.

yesterday
Google Proposes To Warn People About Non-SSL Web Sites

toejam13 Re:Stupid (391 comments)

This is a dumb idea. A very dumb idea. Since we're assuming MITM, what happens when I inject javascript into the page? Even assuming the browser prevents me from leaking the PROT header, I can still have it make arbitrary requests using your session.

Encrypting the content length header and adding an encrypted checksum (or cryptographic hash) of the payload would help detect JS injections, URL rewrites or other forms of malicious modification. Marking your user session cookie as HttpOnly should also help sandbox it from JS hijacking.

What happens when I just block the original response, pretend your session died, and serve up a bogus login page that gives me your credentials?

Introducing a new URL protocol for HTTP-Mixed could help prevent that. It would indicate that HTTP header encryption was a requirement and that the client refuses to proceed without it. So when the user hits refresh on their client after an hour, your bogus site would then need a counterfeit certificate in order to survive the PROT ClientSSL <-> PROT ServerSSL challenge.

The best way to deploy such a system would be to use HTTPS for your site's landing page. If the client's browser supports HTTPM, you could step down to it for pages deeper in your site. Otherwise, stick with HTTPS.

In some ways, HTTPM would be analogous to FTPES in the FTP/FTPS world. FTPS clients know to issue an AUTH TLS command shortly after starting an FTPES connection and refuse to continue if a FTP-503 Unsupported server response or a failed TLS handshake occurs.

3 days ago
Google Proposes To Warn People About Non-SSL Web Sites

toejam13 Re:Stupid (391 comments)

Utilizing a client IP address as a means of identification is highly unreliable unless that client is on the same network as you. Proxy servers, cache servers and NAT devices can masquerade multiple devices under a singular IP address. Worse, some organizations load-balance outbound connections across an array of those masquerading devices. Every TCP connection could originate from a different IP address. The same is true when the client itself is multi-homed, such as a mobile device utilizing both cellular and wifi simultaneously.

And while the payloads of cookies can be hashed to obscure sensitive information that is stored in clear-text, it does not prevent the theft of the cookie itself. I may not know the true value inside of it, but I may not care. I might want it just to tailgate on an authenticated session. To avoid that, you need to encrypt both the cookie payload and its name.

3 days ago
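
The two points made in the comments above, that an integrity-protected cookie is still a bearer token and that binding it to the client IP address is unreliable, as an added Python example that is not part of the original comments. The session store, key, function names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side secret
SESSIONS = {}                          # session id -> (user, client IP at login)


def _tag(session_id: str) -> str:
    """HMAC over the session id, so the cookie value cannot be forged or altered."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login(user: str, client_ip: str) -> str:
    """Create a session and return the opaque cookie value 'id.tag'."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = (user, client_ip)
    return f"{session_id}.{_tag(session_id)}"


def validate(cookie_value: str, client_ip: str, bind_ip: bool = False):
    """Return the user name if the cookie is accepted, else None."""
    session_id, _, tag = cookie_value.partition(".")
    if not hmac.compare_digest(tag, _tag(session_id)):
        return None                    # modified or forged value
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    user, login_ip = record
    if bind_ip and client_ip != login_ip:
        return None                    # presenter's address differs from login
    return user


def set_cookie_header(cookie_value: str) -> str:
    """Build the Set-Cookie value with the attributes that limit cookie exposure."""
    cookie = SimpleCookie()
    cookie["sid"] = cookie_value
    cookie["sid"]["secure"] = True     # only sent over TLS
    cookie["sid"]["httponly"] = True   # not readable from page JavaScript
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def scenario() -> dict:
    """Constructed walk-through using documentation-range addresses."""
    nat_ip, other_ip = "203.0.113.7", "198.51.100.9"
    cookie = login("alice", nat_ip)
    flipped = "0" if cookie[-1] != "0" else "1"
    return {
        # The tag proves the value is unmodified, not who is presenting it.
        "replayed_elsewhere": validate(cookie, other_ip),
        "tampered": validate(cookie[:-1] + flipped, nat_ip),
        # IP binding: any host behind the same NAT address still passes ...
        "same_nat_bound": validate(cookie, nat_ip, bind_ip=True),
        # ... while the real owner is rejected after moving to another network.
        "owner_roamed_bound": validate(cookie, other_ip, bind_ip=True),
        "header": set_cookie_header(cookie),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The tag detects modification only; keeping the value off the wire in clear text and away from script access is what the `Secure` and `HttpOnly` attributes are for.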
Google Proposes To Warn People About Non-SSL Web Sites

toejam13 Re:Stupid (391 comments)

For most sites, I don't really care if my browsing activity is being monitored. If some security service wants to eavesdrop on my visits to catfancy.com, let them. For the sites where I do care about privacy, HTTPS is generally an option.

But keep in mind that HTTPS alone only buys you so much. You're still leaking information about the sites you visit via your DNS queries. Also, you're still being tracked at the end-points by ad networks and other systems that log your moves. If privacy is that important, you should also be using an anonymizing proxy service like TOR.

3 days ago
Google Proposes To Warn People About Non-SSL Web Sites

toejam13 Re:Stupid (391 comments)

Encryption has a cost, it isn't free. ... This is a dumb idea. A very dumb idea.

Agreed. For most sites, there are only two areas where I care about encryption: 1) login authentication and 2) session tokens (cookies). For #1, briefly switching to SSL/TLS is no big deal.

The problem today is that there is no satisfactory solution for #2. In order to encrypt your cookies in your HTTP header, you have to encrypt everything. As previously mentioned, this can have some adverse side effects. It is also complete overkill. What HTTP needs is a middle option.

Enter explicit HTTPS.

When a client requests a protected URL, it can be given a challenge and negotiation method for TLS not unlike how NTLM authentication over HTTP occurs. It should also negotiate what HTTP headers should be private. When complete, the client then sends encrypted data using a PROT: [session id] [base-64 payload] header. If you wanted to be fancy, you could make the system tolerant of upstream proxies or load-balancers inserting their own cookies.

Now you have a system where your session tokens cannot be eavesdropped upon, but yet the payload of the HTTP request can be cached.

4 days ago
Fraud Bots Cost Advertisers $6 Billion

toejam13 New Revenue System (190 comments)

Perhaps advertisers should finally move away from the current revenue system that pays per-click and should instead move towards a profit sharing system where the referring website receives a commission based on any sales or executed transactions.

I've been reading about click fraud for over a decade now. I don't expect it to go away under the current system.

about two weeks ago
French Publishers Prepare Lawsuit Against Adblock Plus

toejam13 Re:Doesn't matter even if the publishers win... (698 comments)

...someone else will develop a list...

Which is why I believe that the whole exercise is futile. Suing Eyeo is not unlike playing Whack-a-Mole. If they are forced to remove their app, others will simply take their place. Given that Ad Block has already forked development lines (see: Adblock Edge), they're already too late.

Ultimately, websites are going to need to protect their content using JavaScript or other means. I'm already familiar with a few sites that use JS based elements that display a message after a few seconds if the ads in the page don't load (see: Fark.com). Of course, AdBlock Edge allows me to block those elements, but it wouldn't be hard to use element name randomizing techniques to thwart AdBlock Edge.

about two weeks ago
French Publishers Prepare Lawsuit Against Adblock Plus

toejam13 Re:Legal Opinion, Please? (698 comments)

IANAL, so I'd like a tort guru to enlighten us on exactly how creation and distribution of a product (AdBlock) that gives consumers an informed choice over another product (advertising bullshit) is an actionable case.

I'm also curious how much Eyeo opened themselves to litigation by offering a for-profit whitelist that overrides the blacklist instead of sticking just with a blacklist-only model.

It sounds like a water utility company suing faucet makers for making a device that restricts flow of billable water, or the electric company suing light switch manufacturers.

Or like how AT&T used to prohibit third party phones on their lines?

The main difference here is regarding the level of exclusive ownership rights the publisher has versus the public good in relaxing those rights. Many governments have rules allowing small quotes and allowing parodies when it comes to published content. But ad skipping is somewhat murky. Over on the TV side, it is assumed that the Betamax timeshift ruling provides some protection (which the SonicBlue DVR lawsuit would have clarified had it continued). But I'm not aware of anything on the published side.

about two weeks ago
Pluto-Bound Spacecraft Ends Hibernation To Start Mission

toejam13 Re:Hibernation (77 comments)

But it is a PlayStation One system (well sort of).

Poor analogy. That would be like saying that the Macintosh Classic is sort of an Atari ST just because they both used Motorola 68000 processors.

As for the minimalistic nature of the Mongoose-V (MIPS R3000 based) processor in the NH spacecraft, it is more than adequate for an embedded processor. My Sony NEX camera uses a Bionz (also MIPS R3000 based) processor for image processing and user interface controls. The clock rate of the Mongoose-V might seem a little low, but remember that the spacecraft is both power and uplink speed limited. Having a faster processor really wouldn't gain much.

about two weeks ago
Study: HIV Becoming Less Deadly, Less Infectious

toejam13 Re: Then again, maybe it _is_ good news. (172 comments)

I've often wondered. Suppose you had a time machine, went back, took some random person from the year 1900, and brought them to the present day. How would they fare in the modern world? My guess is that there would be a big adjustment period but they would manage. How about a person from 1850? 1800? 1700? At what point would the person be so totally lost in modern society that they wouldn't be able to function at all?

If you want an example, look at how refugees from poor rural areas in third world countries handle the transition when they arrive in a first world nation. You often have massive language and cultural barriers. First hand knowledge and use of technology is going to be limited. They're going to know little to nothing about our laws. If you just drop them into the middle of NYC, they will do very poorly.

If you put them into an orientation program and assign them to a handler who will bring them up to speed, they'll probably do alright. It might take a decade before they're comfortable in their new home, especially if language was a barrier, but it will eventually happen. There are millions of examples all throughout the western world of this happening. People adapt.

about three weeks ago
Obama's Immigration Order To Give Tech Industry Some, Leave 'Em Wanting More

toejam13 Re:I bet Infosys and Tata are dancing in the stree (186 comments)

Eventually Obama is going to be a civilian again. If he pleases the right people, he (or his immediate family) can make tremendous amounts of money as a lobbyist, consultant, guest speaker, etc...

Just look at the money that Chelsea Clinton earns from her array of jobs at various consulting, investment, educational, media and humanitarian companies and organizations. Her success was handed to her on a diamond platter as political thanks to her parents.

about 1 month ago
Obama's Immigration Order To Give Tech Industry Some, Leave 'Em Wanting More

toejam13 Re:I bet Infosys and Tata are dancing in the stree (186 comments)

Tech, agriculture, service industries, foot services, etc. all benefit from the well behaved illegals.

You mean that their owners do. We just added millions of mostly uneducated people to the workforce. If you're in a low skill job and you dislike your wages, hours or working conditions, management will gladly and easily find a replacement.

This sucks for anyone who is entering the workforce or who lacks the proper skills or aptitude to crawl out of the bottom. As if unemployment and underemployment for those people wasn't already bad enough.

Obama just set the war of poverty back by about twenty years.

about 1 month ago
Ask Slashdot: Workaday Software For BSD On the Desktop?

toejam13 Re:Gentoo is the BSD of the Linux World (267 comments)

There was a period of time during the GCC->Clang transition where a lot of stuff didn't build, but those days are long gone.

If you stick with the Ports collection, using Clang is fairly safe if you're on 10.1 and you keep your Ports db up to date. The problem is when you stray outside of Ports, or you find one that really needs GCC (or worse, a newer version of GCC).

The last compiled version of GCC included with FreeBSD was 4.2.1. You can build newer versions using the Ports collection, but then you have to make a decision to keep two versions installed. There is also some hassle regarding which shared libraries to use.

I had a package that really wanted something newer, so I installed gcc48. It took me a few hours, but I finally got it shoehorned in. Ugh. I'll stick with packages that are happy with Clang.

about a month ago
Ask Slashdot: Workaday Software For BSD On the Desktop?

toejam13 Re:I just did this myself (267 comments)

In FreeBSD, network configuration data is stored in the /etc/rc.conf file, which overrides default options stored in /etc/defaults/rc.conf.

If you want to manually set the IPv4 address of an interface, you could use:
    ifconfig_xx0="inet 192.168.1.10 netmask 255.255.255.0"
    defaultrouter="192.168.1.1"

If you're using DHCP, remove the default router line and set the ifconfig string to "DHCP".

You can also use the command line tool sysinstall to set network options.

Also remember, FreeBSD uses network driver specific interface names. So instead of eth0, eth1, eth2, you can have fxp0, em0, and de0. If that's not your thing, you can always create an alias:
    ifconfig_em0_name="eth0"

about a month ago
Cutting the Cord? Time Warner Loses 184,000 TV Subscribers In One Quarter

toejam13 Re:They tried to raise prices 20% unannounced (392 comments)

That's probably a ClearQAM signal that he is receiving. Most HDTVs in North America have dual-standard 8VSB/QAM64 tuners so they can receive both broadcast and cable channels. No CableCard required.

I think the complaint is that many cable companies are switching from ClearQAM to encrypted DTV channels, even basic channels, so that you have to rent a device from them. Which sucks. There should be no hardware rental costs for basic channels.

about 2 months ago
Mark Zuckerberg Speaks Mandarin At Tsinghua University In Beijing

toejam13 Re:/. is getting more and more unbelievable !! (217 comments)

Anglo-Saxon refers to the blending of Germanic and French roots. English is an Anglo-Saxon language because it is a mixture of Germanic- and Latin-root languages.

Not really. Anglo-Saxon is less recognized as a language family than it is a synonym for Old English. It is also an ethnic term for describing western Germanic tribes (Angles, Danes, Franks, Frisians, Jutes and Saxons) who came to colonize post-Roman southern Britain and people of their descent.

You are spot on about the Germanic and Latin roots. Back in the fifth century during the Anglo-Saxon migration, the intellectuals in southern Britain (and much of post-Roman Europe) spoke Latin. The spread of the Bible kept Latin as an influential language.

But Old English had only limited "French" influence. The Germanic Franks who lived in Gaul were never a major conquering force in Britain. There are some Old Frankish loanwords that influenced Old Saxon and Anglo-Frisian languages, but it wasn't much. The predominant French influence didn't come for centuries later via the Norman conquests. That resulted in Middle English, which is not synonymous with Anglo-Saxon.

According to the language experts, the classification is: English -> Anglic languages -> Anglo-Frisian languages -> Ingvaeonic languages -> West Germanic languages -> Germanic family. Ingvaeonic includes Old Saxon, but Anglo-Frisian does not. Likewise, West Germanic includes Old Frankish, but Ingvaeonic does not.

about 2 months ago
Mark Zuckerberg Speaks Mandarin At Tsinghua University In Beijing

toejam13 Re:/. is getting more and more unbelievable !! (217 comments)

Most scholars in the linguistic world seem to disagree with you. While the three remaining Frisian dialects have moderately drifted from Old Frisian, there seem to be enough fundamental differences between the Anglo-Frisian family and the Old Norse family to disqualify Modern Icelandic from being the most closely related living language to Old English.

Having said that, that assumes that you are talking about Old English that was spoken in London. As you traveled into Northumbria (modern Yorkshire), Old English had significantly more influence from Old Norse due to the conquering Danes (see: Kingdom of Jórvík). So, your statement may be true, but only for what was spoken in York in the tenth century.

about 2 months ago
FTDI Removes Driver From Windows Update That Bricked Cloned Chips

toejam13 Re:Alternatives? Same problem.. (572 comments)

I don't know much about FTDI's chip ... but it sounds like they designed something that was relatively easy to clone, and now they're stuck trying to sell something that many manufacturers don't see as differentiated enough from the copy-cats to try too hard to buy the original part? Trying to actively destroy the competition is NOT the solution. Perhaps more R&D to offer a superior update to the original chip would be?

The manufacture of inexpensive clones is nothing new in the chip industry. After the SN7400 TTL series was released in the 1960s, a flurry of clones were released. Same goes for the MC6800 IC series in the 1970s. Some were licensed second source suppliers, some were unlicensed compatibles, some were outright counterfeits.

Intellectual property law in many countries tends to prohibit counterfeits. Those knockoff Asian light bars you described could have been seized by customs if they tried to pass off as KC brand products. Likewise, it is unlawful in most countries to create a chip and sell it as an FTDI brand chip without their express permission. That isn't an R&D issue, that's I.P. theft.

The issue of unlicensed clones is a little more murky. In some cases, the original product may have one or more patents that protect its design, function or interface. If those knockoff Asian light bars tried to use a patented housing design or voltage module without licensing, you have another I.P. theft issue. The owner of the patent could get judicial permission to have customs block or seize those products.

In the case of the affected FTDI compatible clones (and counterfeits), the issue comes down to their use of FTDI's vendor and device code in the USB stack. FTDI developed software drivers for customers of FTDI products. The unlicensed clone manufacturers have designed their chips to utilize FTDI drivers so that they didn't have to incur the expense of writing and maintaining their own drivers. So really, it is the unlicensed clone manufacturers who need to bump up their R&D research so that they don't facilitate I.P. theft and/or terms of use violations for their customers. If Microsoft wrote the device drivers or if unlicensed clone manufacturers wrote their own device drivers, we wouldn't have this mess.

The big question is if FTDI has a lawful monopoly on the USB vendor code it has been assigned. If it has, then it may have a right to physically stop squatters from using it (read: resetting the USB vendor ID code). Of course, being an international issue, it is going to vary by country. They may have broken the law in some places. They may only have the right to disable the driver. They may only have the right to degrade the driver. Or they may only have the right to display warning messages.

So I don't think it is just a cost, quality or R&D issue here. It really is about third parties designing their products to utilize work on FTDI's part without paying for it.

about 2 months ago
Mark Zuckerberg Speaks Mandarin At Tsinghua University In Beijing

toejam13 Re:/. is getting more and more unbelievable !! (217 comments)

English is not a Romance language (it's derived from Old Low German), but due to many accidents of history, it has accumulated an incredible number of words directly from Romance languages or derived from words in Romance languages

After the Norman invasion, English barely hung onto its Germanic roots. So many English words have a Latin heritage, it has become something of a hybrid.

For non-native English speakers reading this who aren't familiar with its history, English is a blend of about five different languages: Old Celtic, Roman Latin, Old Low-German, Old Norse and Norman French, along with a sizable number of Greek, Arabic and [recently] Spanish loanwords.

Old English is the name for English after the infusion of Old Low-German. Middle English is the name for English after the infusion of Norman French. Modern English is what developed after the Renaissance.

The closest living language to Old English is Frisian, which is still spoken in small parts of the Netherlands, Germany and Denmark. Here is an example of it.

about 2 months ago
Assange: Google Is Not What It Seems

toejam13 Re:Google is helping... (289 comments)

Google is helping... ...compiling dossiers on everyone.

The question is how public those dossiers remain. If Google locks the information up and refuses to share, then it is of limited consequence. If Google releases all of its dirty laundry at once, then it will probably result in some major changes to society as open secrets come to light and things thought to be taboo are suddenly found to be normal.

The danger is if Google uses and shares it sparingly and deliberately. Think blackmail, insider trading, identity theft and so on.

about 2 months ago

Submissions

Amiga loses Seattle area stadium naming bid

toejam13 toejam13 writes  |  more than 7 years ago

toejam13 (958243) writes "Amiga, Inc. has recently been negotiating for the naming rights for a proposed hockey arena in Kent, Washington. The city required a $2.5 million deposit, which Amiga ultimately failed to procure after much bickering and backtracking on Amiga's part. Unfortunately, this is an additional black eye regarding the company's dealings in Washington state, which includes an eviction from their former Snoqualmie offices and a bankruptcy that left several ex-employees with thousands in unpaid wages."

Journals

toejam13 has no journal entries.
