Slashdot Mirror


User: Richy_T

Richy_T's activity in the archive.

Stories
0
Comments
4,801
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,801

  1. Re:..and then have libraries fall apart.. on Librarians To Sue Over Mandatory Censoring · · Score: 2
    And of course, the thing to remember is that it isn't the government's money that they're withholding, that money came from the pockets of taxpayers. Those taxpayers are represented by their local state government when it comes to such things as deciding the legal drinking age.

    The federal government should not be able to tag on conditions to providing essential funding. It's like if you paid me to write you some software and I took your money then said I wasn't going to write it for you unless you quit smoking.

    Really, it's just plain theft and extortion.

    Rich

  2. Re:There are more gradual ways on Is There Still A Contract Market For Programmers? · · Score: 2
    Indeed. I had decided to move to the States. Visa applications took about 8 months. In the last month, I handed in my notice. A week before my employment ended, they offered to let me telecommute. A great improvement over the hour-each-way commute I would have been facing.

    Rich

  3. Re:MIT Lockpicking guide. on Infiltration · · Score: 2
    I used to subscribe to alt.locksmithing. The MIT guide to lockpicking was often talked about and impossible to get hold of. Someone was finally generous enough to give me a copy in '93. I printed it out and had it bound (I still have it somewhere). At that time, the web wasn't even a blip on the radar and consisted of about a dozen sites.

    Rich

  4. Re:Oh yeah this will help......... on Robo-chattel? New Legal Challenge to 'Bots · · Score: 2
    SPAM uses extra CPU cycles, in some cases spam causes users to go over quota (is that a DOS attack against my users?) Is SPAM outlawed, is anyone REALLY doing anything about it?

    When Canter and Siegel first pulled their little stunt, it was a bunch of geeks spread around the world that got upset. Who cares about that? Since then, spam moved to e-mail and more and more people are starting to use the internet: Judges, politicians etc. As the volume of spam increases and these people get more affected, we're starting to see rumblings of legislation against it. I am sure that one day, spam will finally be outlawed in one country then other countries will begin to follow suit.

    Rich

  5. Re:Public Spaces on Robo-chattel? New Legal Challenge to 'Bots · · Score: 3
    No, it's more like saying customers can't drive their cars up and down the aisle of the store or perhaps that people who are not employees of the store can't go through the door marked private. Ever see a sign which says "Shoes and shirt required"? The store has the right to control the manner in which people access the space

    Just because the machine is connected to the public internet does not mean that the machine is open for anyone to use however they please. This is enshrined in UK law these days (Note the gradual disappearance of "Welcome to hostname" for login prompts, it can be argued it's an explicit invitation for hackers to enter your machine

    I mean, your telephone is connected to the public network but would it be OK for me to set up a bot to constantly dial your home to see if you'd dropped the price on the car you were selling?

    Rich

  6. Re:Here's a buffer overflow on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    Fair comment but I would have used

    char *foo;

    foo=NULL;

    if(str_add(*foo,"Hello")!=0){
    //Process error (note: why use blockquotes for a single line?)
    ...
    }

    Where str_add is a function which attempts to allocate a buffer long enough to hold both the concatenation of the two arguments, concatenates them, frees the original foo then sticks the result back out into foo. If the buffer cannot be allocated, dont mess with the pointer to foo and return an error.

    Note that this is not efficient if you are creating long buffers from small chunks of data. In that case, I would make foo a struct containing char * and int and store the length of the allocated buffer in the int. I would #define a BUFF_CHUNK_SIZE and bump the size of the buffer up by that as required.

    But not for a ten line quickie program :)

    Rich

  7. Re:The Real Deal on New "mp3PRO" From Fraunhofer, But What About LAME? · · Score: 2
    Man, I know you were joking but as well as being funny, your post was an ironic statement on the hypocrisy of the current music industry as eminem's latest song's main rift is ripped from a Red Hot Chili Peppers song.

    Rich

  8. Re:Here's a buffer overflow on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    buf = malloc(strlen(src)+1); strcpy(buf,src);

    Hey, don't forget to trap those null pointers. And handle them. Then free that buffer when you've finished with it.

    One item in particular that I was referring to was a quick one liner to debug to check that part of a project was working properly by feeding and receiving values. Minimal development time assigned to it, no likelyhood of exploitation and it only had to run once and its job was done. It turned out with another project needed exactly the same functionality on a regular and reliable basis. Now the code was available (I wrote it) and the necessary tightening was done. But just as easily, someone else could have just used it out-of-the box. I think this points not to needing to have over-engineered perfectly written software down to "Hello World" but rather to ensuring that you know the security implications of any software you exec.

    Rich

  9. Re:Here's a buffer overflow on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    For a small internal utility where I know noone is likely to want (or have the need) to perform an exploit I might be lazy and use char[2000] and strcpy for paths

    I should state here that I have sometimes seen those small internal utilities go into full scale production systems, usually requiring a rewrite to remove all those little nasties. It's probably best to not be lazy in general :)

    Rich

  10. Re:Here's a buffer overflow on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    A string class will get rid of trivial buffer overflows like this, certainly, but at what cost?

    True. But that's up to the developer to decide when they are drawing up the project spec. For a small internal utility where I know noone is likely to want (or have the need) to perform an exploit I might be lazy and use char[2000] and strcpy for paths (though I still think it would be better if those functions disappeared but note that strncpy is not proof against buffer overflows and there are buffer overflow problems where strings may not be terminated properly [particularly in networked software]). For an absolutely robust, mission critical system such as one that stores credit card numbers (a database) I would be tempted to go for a string class and for something that needed to be robust but definitely needed to be lean, I would probably go for writing some specialised string functions (strcpy and friends do not have to be used in dangerous ways).

    Rich

  11. Re:you go away on New "mp3PRO" From Fraunhofer, But What About LAME? · · Score: 3
    It's getting into semantics now but in the contexct of his argument, his description of lossy compression is correct.

    The art of lossy compression is to remove parts of the data that won't be noticed. In the case of TV for example, advantage is taken of persistance of vision and the angular resolution of the eye to say "We can usually get away with 50-60fps and a screen that contains *about* 640x480 pixels). With mp3s, advantage is taken of certain harmonics of tones being inaudible to remove the need to encode them.

    You say that a compressed format needs a compression algorithm but the TV algorithm is "sample the picture every 1/60th of a second and average light values over x degrees horizonatally and vertically, arrange the samples horizontally and vertically and add sync pulses as appropriate". That *is* an algorithm

    Now, you may want to argue that for compression, the algorithm has to be complex and change dynamically with the data but then we *are* getting into semantics and I think you're choosing to define your terms to support your argument.

    So I agree with the original poster, all data fed to us us compressed in some way. Usually, effort is made to ensure that the losses are not noticed by us (with mp3 as much as with TV). Some audiophiles claim with mp3 that this is not done successfully (though I can't tell. I have "fill in" with music where I'm listening to the *music*, not the waveform that's coming into my ears). But equally, with TV, there's room for improvement (digital TV, HDTV et al).

    By the way, I'm an engineer so I've read some literature.

    Charles Dickens, Shakespear?

    Rich

  12. binary patch for interbase (oops) on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    <"BACKDOOR_PASSWORD\0My_Secret_Password\0"
    >"BACKDOOR_PASSWORD\0My_Sekret_Password\0"

    Rich

  13. Re:Security Through Obscurity Works! on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    It worked for 6 years

    Did it? Are you sure? Do you know that the Interbase people that had it didn't abuse it to go poking around in companies databases, reading peoples private messages? Are you sure they didn't tell any friends? Can you be sure that Interbase didn't supply confidential information obtained illegally about one of their users to a "friendly" competitor? (I mean I'm sure they haven't but the possibility is there)

    Can you be sure this hasn't been exploited somewhere somehow?

    Rich

  14. binary patch for interbase on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    >"BACKDOOR_PASSWORD\0My_Sekret_Password\0"

    Rich

  15. Re:Here's a buffer overflow on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 4
    OK, first a comment that you keep saying that it only took you 20 minutes to find the hole. Yet buffer overflows are well understood and strcpy and strcat are obvious red flags (sprintf does not necessarily mean buffer overflows with correct format strings). As you've shown, a quick grep will give you some clue where to look. You could even almost say that use of these functions is an error in the code. Yet the backdoor you are berating people for not finding is not an error, it is deliberately written into the program, more than likely using perfectly valid code. To find that backdoor mean understanding that piece of code and probably large pieces of code around it and, since you don't know in advance where to look, that means that the whole of the code has to be understood (though not necessarily by one person) to be sure there are no backdoors. Even then, if the understanding is held between more than one person, there may be an interaction between the parts which results in an unlocated problem.

    Add into this that this will be a HUGE source base with many many lines of code, that open source contributors generally want to produce things and not be reading over other peoples code and that reading other peoples code (and that usually includes the "you" from >6 months ago) sucks sucks sucks

    But those criticisms aside, it does indicate that open source probably does need to consider security more. Especially when inheriting code from closed source projects but just as importantly for exisitng open source projects. It seems that openBSD is doing a good job of auditing their code. While I wouldn't even think of saying that open source projects *must* do x or y, perhaps a central security auditing helping project which ranks other projects on their security and offers suggestions on common security errors and auditing methodology. Projects could apply these techniques or not as they desired but the end user could check the security status by going to the security site. Interbase would have been ranked red_unsecure_not-yet-audited, sendmail could be blue_unsecure_script-kiddie-heaven etc.

    My second comment is more a query. Are there header files available which make sure that strcpy and friends can't be used? It would go a way to helping if you could use these headers and WARNING:STRCPY USED. COMPILE ABORTED would pop up as appropriate. It wouldn't be a final fix but it would help and might get programmers out of the habit of using these awful functions in the first place.

    Finally, with the front page story yesterday being about OOP, this is clearly the kind of thing where OOP helps. A good string class will take you a long way. Also, OOP is more easy to read and understand in small chunks so it's easier to audit (and easier to get people to audit)

    Rich

  16. Re:These lines of code like sand.. on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    Don't forget the other side though. When someone jumps up and shouts "There's a hole in this open source code", you can run to you servers, bring down your firewall, patch the code, recompile and be back on line in a time somewhat proportional to your typing speed. With closed source, all you can do is sit there and wait while script kiddies prod at your sensitive data, the best security you can apply yourself being to work-around (if you can) or take your $3million a week transaction system off-line.

    Rich

  17. Re:A mixed bag on Interbase Backdoor, Secret for Six Years, Revealed in Source · · Score: 2
    I mean, why would I come to Las Vegas?
    Linus Torvalds

    I'm sorry, but I just had to comment. When I saw your sig, the following line just popped into my head.

    "Me, the creator of the Linux Kernel? in las Vegas? with showgirls? What were they thinking?"

    People who've seen "The Fast Show" ("Brilliant" in the US) will know what I'm talking about.

    Rich

    You aint seen me, right!

  18. Re:Of course, context is everything... on Free Books Online · · Score: 2
    Jeeze, take a chill pill. And get some decaffeinated coffee (lay down my life?) and a sense of humour. It was a joke pal.

    Rich

  19. Spin Police Response on Andre Hedrick On Hard Drive Copy Protection · · Score: 3
    All forms of copy protection can be defeated.

    OK, It's time we stopped using their terms and doing their spin for them. Let's call it "content control" which is what it is and not copy protection which it doesn't

    Rich

  20. Re:Encrypted filesystem? on Andre Hedrick On Hard Drive Copy Protection · · Score: 2
    There are already loopback devices in Linux where a file on one filesystem can become a filesystem all of its own. Thus harmless looking file disk.img contains all the questionable files. If you're worried the disk will be able to still tell that the data is copyright on the way in and way out, simply xor it with "MPAA/RIAA_SUCK"

    Rich

  21. Late breaking news - missing page found on Is There Anybody Out There? · · Score: 2

    In a statement released earlier today, scientists stated that due to a clerical error, the message had been compiled with a missing page without which, none of the message would make any sense to any alien trying to decipher it. That lost message can be viewed here

  22. Re:What about textbooks? on Free Books Online · · Score: 2
    Not only that but publishers would publish the book. Open you see. Follow this scenario

    Publisher x publishes "Expensive Science Book" by Prof Copyright for $180

    Publisher y publishes "Dear Science" by Prof Grabbinmoney for $180

    "Open Source Science" released

    Publisher z publishes "Open Source Science" by O.S.Community for $60

    Publisher x publishes "Open Source Science" by O.S.Community for $50

    Publisher y publishes "Open Source Science" by O.S.Community for $40

    Publisher z publishes "Open Source Science" by O.S.Community for $30 and includes the book on a CD

    Publisher x publishes "Open Source Science", "Free Mathematics" and "GNU Computer programming" as an omnibus edition for $60

    The price differential with the copyright books is now so big that people are flocking to use "open source science" so

    Publisher x publishes "Expensive Science Book" by Prof Copyright for $80

    Publisher y publishes "Dear Science" by Prof Grabbinmoney for $80

    See, competition leads to lower prices and more choice. And even though the original copyright books were not competing at first, in this example, the open source option caused a big enough price differential to drag their prices down as well (although admitedly, this wouldn't necessarily occur)

    Rich

  23. Re:Shouldn't this Be Simpler? on Is There Anybody Out There? · · Score: 2
    If you've seen the movie Contact, it's entirely possible to encode details information into a signal that can first be interpreted as a simple artificial signal.

    And if you've seen Superman, it's entirely possible that there's a guy from Krypton flying around upholding the law.

    Rich

  24. Re:Babel Fish for Aliens on Is There Anybody Out There? · · Score: 3
    Don't understimate the power of "2d" surfaces. After all, out primary method of communication for millenia is 1d (speach) yet even cavemen were painting pictures on cave walls.

    With light impacting a 3d object, you get a surface, patterns on that surface will be "2d" information and for any image processing organ (eye) worth its salt, will be projected onto a "2d" receptor (shadows, facial markings, body language).

    It's a fair bet (though by no means certain) that any species capable of using visual communication media will use something "2d". Of course, that's not to say they won't use others, we do ourselves after all (sculptures etc).

    Note that I use "2d" not in its strictly correct definition to make my point

    Rich

  25. Re: Arbitrary Symbols on Is There Anybody Out There? · · Score: 2
    Even if the aliens who receive and decode this message don't know about this particular prime, they might be able to determine its primality using similar methods to those used by us to do so. As such, the primality test of this number is a pretty big brag on our mathematical abilities.

    Actually, I don't think the problem is proving primality, I should imagine that this wouldn't take more than an afternoon on a reasonably fast machine. The problem is finding them. If I say "x is prime" it's trivial to prove (or not) by factorisation, if I say "Find the next prime larger than x", you have a (potentially) big big search on your hands for large values of x (I believe you'll have to search about x values or so).

    And as far as mathematical abilities go, it doesn't prove much. Only that we understand primes and that we have the ability to compute the factors of numbers on a speedy basis (which could be the domain of colonies of monks).

    I would say that probably one of our biggest maths brags would be calculus, an abstraction of physical properties (not that there aren't more impressive maths feats but it's the first which starts to peel back the layers of the universe being "invented" to describe gravity as it was)

    Rich