
Comment Re:What are Rust's prospects like? (Score 1) 339

You know where I've never seen a code of conduct? In an ISO, ANSI or IEEE standard. The threat to long-term viability of languages or platforms for serious projects is lack of rigorous standardization which can allow multiple competing yet interoperable implementations to exist that don't have to fall to the whims of any one company, foundation, or message board.

Comment Re:Security. (Score 2) 261

Much like the transition to cloud, most of the "eyes on glass" type jobs will be in MSSPs, and they'll have staff reduction due to AI and workflow automation just like almost everything else. I have a really good sub niche right now that has low competition and goes widely unnoticed but pays a whole lot. I plan on milking it as long as I can, which is a lot longer than I was going to live with the stress from security "operations," that's for sure.

Comment Re:Security. (Score 1) 261

Insurance (risk transference) is one method of risk mitigation. However, insurance companies are, by and large, extremely good at risk analysis (they have to be to stay in business). The likelihood of an insurer paying out on a breach where the insured party can't show that they performed any sort of other risk mitigation is going to be extremely low.

Otherwise, I agree with you and your comment fits my experience to a T.

Comment What price point, and what kind of nerd? (Score 1) 232

Rolex originally marketed the Milgauss towards scientists and engineers who needed an antimagnetic watch. I have an Omega Seamaster >15'000 Gauss due to my need for higher levels of anti-magnetic resistance but a love of mechanical watches. The TAG my brother in law gave me for a wedding present would gain 2 minutes in the course of the day at work because of the EM from all the gear. Next one I go for is probably a Breitling Navitimer; can't beat the useful nerdiness of a circular slide rule.

I also do have a Citizen Eco-Drive (solar power) that syncs the atomic clock signal. If you're totally about precision, those, or the GPS-synced watches from Citizen and Seiko are pretty cool, too.

Not having had a digital watch since 6th grade, I have nothing to offer on that front.

Comment Reasons: standards, size and man pages (Score 1) 286

C is a very small language with a modest standard library. The language itself has ANSI and ISO certifications. The standard C library is largely defined by POSIX. I don't have to hold much in my head by way of language constructs or reserved words, etc. and many other programming languages derived their syntax from C, so it will get reinforced often (except the weird ways to use pointers).

If I have a question about a standard libc function, the man pages will be there on my systems whether it is FreeBSD, Solaris or Red Hat. Most of the time, a question about C can be equally expressed as a question about Unix-like systems because of this.

C and POSIX are well established and have been through a rigorous standards process, so unless you're interested in a fancy new compiler feature like SafeStack on clang/llvm, you don't really have a lot to learn or relearn once you have it down. No one is about to change how C represents strings or any of the like between versions of compilers for reasons of "just because," though. You may need to look up the specifics of a third-party library if it didn't come with man pages, but that might not show up as a search about C.

Other languages with huge base libraries which aren't part of the OS's standards definition, multiple programming paradigms, lack of standards causing shifts between versions, etc., are almost certainly going to get more people heading to Google because they have to.

Comment Re: Why always going for hominoid? (Score 2) 47

Well, it seems to me it is designed to functional specs, where the PRD phase probably said something like "it should work like a person, but without risk of death" and then they went about figuring how to build that. Humans don't have snaky arms with additional articulation points, so how would someone in a VR motion capture suit control that?

Comment Re: Writing software is risky. (Score 1) 148

There is no formal verification at EAL4. That is at 7. EAL4 is "methodical" design, testing and review. A lot of crap got EAL4, like Windows XP.

Besides, you can't get an EAL evaluation under NIAP anymore, it is Protection Profile only in the US. Unless you take your stuff to Europe for CC certification you're out of luck (BSI loves EAL) if that's what you want.

The EAL system has a lot of holes in it that enable crap products to skirt the spirit. Not that the PP system doesn't, but it is harder to do (usually).

Comment Of course not (with caveats) (Score 3, Insightful) 148

Code reuse is a fundamental tenet of secure software development lifecycles. You reduce the chance that you introduce new vulnerabilities by limiting the amount of new code per project to the core business logic and leveraging existing modules for the support infrastructure.

That said, if the module you reuse has problems then you aren't necessarily better off. The modules need to be vetted and maintained appropriately. Code reuse isn't the problem so much as taking random crap from the internet that solves your problem without assessing its suitability for inclusion given your threat model or properly assessing it for vulnerabilities.

Monoculture can be an issue from certain perspectives -- flaws in the libssl portion of OpenSSL affect a huge percentage of the internet. However, they only need to be fixed once and consumers of the library can all receive the update, assuming proper patch management in the environment. If your company uses 15 different libraries to perform a specific software function across different product lines without a basis in engineering requirements constraints, you're doing it wrong.

Security being a subset of correctness, I think overall it is b.s. to say code reuse is a problem. You just need to make sure you are reusing correct, vetted and maintained code. I.e., don't take strange code from someone's github to use in your enterprise software without reviewing it.

Comment Re: Anti-Virus on Linux? (Score 4, Interesting) 45

They can be used to scan emails coming in or out of your mail server; scan files on web servers for things that might be there to infect other end points, etc. As to how common it is in the "real world," I don't know. I remember arguing about a requirement to support McAfee with DISA a while back because running a competitor's product on the control plane of our own certainly was a non-starter, but they had a requirement around it. We won the argument, but it took some doing.

Comment Re:license their name, make nothing but money (Score 1) 48

Well, I was thinking more of the buildings/properties that he licenses his name to, but they're funded and built by other entities. They just license the Trump name for branding purposes. BlackBerry has a lot of brand recognition held over from the old days when they were doing far better than they are now. I have good memories of their hardware build quality, etc. They were like the Thinkpad of "smart" phones. Now they've gone downhill and are only BlackBerry in name, just like Thinkpad.

But in the Thinkpad case, Lenovo makes the hardware and owns the brand. IBM didn't keep the brand name and slap it on someone else's computer, like Trump does with buildings and BlackBerry now does with phones.
