Slashdot Mirror


User: Animats

Animats's activity in the archive.

Stories
0
Comments
14,273

Comments · 14,273

  1. They already did, and it made things worse on It's Time To Split Up NSA Between Spooks and Geeks · Score: 5, Informative

    This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.

    Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.

    All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.

    For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.

    The process is now more "industry friendly". Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.

    The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.

  2. "Deaf culture" opposition to curing deafness on Could Colorblindness Cure Be Morally Wrong? · Score: 1

    There's a political position that "curing deafness" can be immoral. It's even been called "cultural genocide". See this National Association for the Deaf position statement, Deaf Culture, Cochlear Implants, and Elective Disability: "Many within the medical profession continue to view deafness essentially as a disability and an abnormality and believe that deaf and hard of hearing individuals need to be "fixed" by cochlear implants. This pathological view must be challenged and corrected by greater exposure to and interaction with well-adjusted and successful deaf and hard of hearing individuals."

  3. What threat? on Facebook Goes After Greasemonkey Script Developer · Score: 4, Informative

    The link in the Slashdot article links to a blog which links to a Facebook page which links to an ad-heavy web site and a Twitter log. Nowhere is the actual "legal threat" defined.

    If the legal threat is real, post it to Chilling Effects.

  4. Quit bothering the guy on Perelman Urged To Accept $1m Prize · Score: 3, Interesting

    Quit bothering the guy already.

    He's sensible enough to know that if he accepts, people will want him to give speeches, attend talks, and will generally waste his time. Feynman once pointed out that winning a Nobel Prize meant that he heard from many people he really didn't want to talk to. Feynman sometimes gave talks under a pseudonym, so that only the people really interested in the subject matter would show up.

  5. "Against intellectual property" is copyrighted. on Beware the King of the Patent Trolls · Score: 2, Interesting

    The book mentioned is copyrighted:

    © Michele Bouldrin and Daniel K. Levine 2008.
    This publication is in copyright. Subject to statutory exemption and the provisions of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press.

  6. Richard Marshall is a lawyer on US Not Training Enough Cybersecurity Experts · Score: 2, Insightful

    Of course people aren't going into this field. Look who's in charge.

    This Richard Marshall, "Director of Global Cyber Security Management, Departent (sic) of Homeland Security", is a lawyer. From LinkedIn, his undergraduate degree, from The Citadel, is in history, English & political science. He then went to Creighton and Georgetown University law schools.

    The last person in that job who knew what he was doing was Amit Yoran, who had a computer science degree. He kept saying that Microsoft operating systems were the big problem, and was sidelined for that. He was replaced by Cisco's lobbyist.

    What we have now is a lawyer making policy recommendations that effectively mean doing nothing. That's "Homeland Security".

  7. Not political, just too much work on GoDaddy Follows Google's Lead; No More Registrations In China · Score: 3, Interesting

    China is imposing requirements that domain registrants must provide a photo and a business ID. That's too much hassle for GoDaddy, home of extreme low-end domain registrations. This has little to do with politics and much to do with GoDaddy's business model.

  8. Ah, a new attack vector on Microsoft To Distribute Third-Party Patches · Score: 1, Insightful

    Now we just have to break into one of the machines allowed to submit updates to be pushed, and we can rule the world!

  9. I see nobody read the article. on Tridgell Recommends Reading Software Patents · Score: 1

    The link in the Slashdot "article" isn't valid. No one seems to have noticed this. No, they just blither away in ignorance.

  10. Sue DoubleClick on Malware Delivered By Yahoo, Fox, Google Ads · Score: 5, Interesting

    A big class action against DoubleClick, etc. would be appropriate. They "exceeded authorized access", as defined in the Computer Crime and Abuse Act. That they got the attack from someone else isn't an absolute defense. The ad network obtained "something of value" for the attack. If they sent out one attack after they'd been informed, they were doing so "knowingly".

    The ad network has the right to find and sue the source of the ad, but that's their problem, not the end user's problem. This is well-established law. In general, you can sue the party you dealt with, and they can sue the next party up the chain.

  11. Re:The problem: the event-driven model on Multicore Requires OS Rework, Windows Expert Says · Score: 1

    That's true of standard C++. However GCC has thread safety annotations. We use them at work, they're pretty handy.

    That's new, and it's a big step in the right direction. But "annotations" that don't do anything aren't that useful. If there's something that checks them, and it does more than produce "warnings", then you've got something. You need to be able to detect all potential race conditions at compile time.

  12. Re:The problem: the event-driven model on Multicore Requires OS Rework, Windows Expert Says · Score: 1

    Do you know of any existing C++ compiler that does automatic parallelization on fully const objects?

    The state of the art isn't very good. Even Unified Parallel C doesn't trust "const". It requires the "shared" attribute on "const" objects. UPC, unfortunately, punts on synchronization. "Which lock locks which data" is unknown to the language. UPC is really a migration path for supercomputer number-crunching jobs previously written in parallel dialects of FORTRAN. The big change in UPC is that data is thread-local by default. UPC is primarily for machines where some, but not all, memory is shared between processors. This is typical of larger supercomputers today. Typically, there isn't a large volume of parallel code in programs; it's the inner loops of big number-crunching programs that are highly parallel.

    The Cell CPU in the PS3 falls into this category. The Cell architecture has been of limited use so far, because there's so little local memory. There's only 256KB (not MB) per CPU. IBM gave up on the Cell line in late 2009. When we see multicore CPUs with, say, 16MB of local memory per CPU plus slower access to shared memory, they might be more useful.

    There's something to be said for the concept that data is, by default, thread-local.

  13. Re:The problem: the event-driven model on Multicore Requires OS Rework, Windows Expert Says · Score: 2, Informative

    An interesting comment overall, but what relevance does "mutable" have to multi-threaded programming?

    A "const" object can be accessed simultaneously from multiple threads without locking, other than against deletion. A "mutable const" object cannot; while it is "logically const", its internal representation may change (it might be cached or compressed) and thus requires locking.

    Failure to realize this results in programs with race conditions.

  14. The problem: the event-driven model on Multicore Requires OS Rework, Windows Expert Says · Score: 4, Informative

    A big problem is the event-driven model of most user interfaces. Almost anything that needs to be done is placed on a serial event queue, which is then processed one event at a time. This prevents race conditions within the GUI, but at a high cost. Both the Mac and Windows started that way, and to a considerable extent, they still work that way. So any event which takes more time than expected stalls the whole event queue. There are attempts to fix this by having "background" processing for events known to be slow, but you have to know which ones are going to be slow in advance. Intermittently slow operations, like a DNS lookup or something which infrequently requires disk I/O, tend to be bottlenecks.

    Most languages still handle concurrency very badly. C and C++ are clueless about concurrency. Java and C# know a little about it. Erlang and Go take it more seriously, but are intended for server-side processing. So GUI programmers don't get much help from the language.

    In particular, in C and C++, there's locking, but there's no way within the language to even talk about which locks protect which data. Thus, concurrency can't be analyzed automatically. This has become a huge mess in C/C++, as more attributes ("mutable", "volatile", per-thread storage, etc.) have been bolted on to give some hints to the compiler. There's still race condition trouble between compilers and CPUs with long look-ahead and programs with heavy concurrency.

    We need better hard-compiled languages that don't punt on concurrency issues. C++ could potentially have been fixed, but the C++ committee is in denial about the problem; they're still in template la-la land, adding features few need and fewer will use correctly, rather than trying to do something about reliability issues. C# is only slightly better; Microsoft Research did some work on "Polyphonic C#", but nobody seems to use that. Yes, there are lots of obscure academic languages that address concurrency. Few are used in the real world.

    Game programmers have more of a clue in this area. They're used to designing software that has to keep the GUI not only updated but visually consistent, even if there are delays in getting data from some external source. Game developers think a lot about systems which look consistent at all times, and come gracefully into synchronization with outside data sources as the data catches up. Modern MMORPGs do far better at handling lag than browsers do. Game developers, though, assume they own most of the available compute resources; they're not trying to minimize CPU consumption so that other work can run. (Nor do they worry too much about not running down the battery, the other big constraint today.)

    Incidentally, modern tools for hardware design know far more about timing and concurrency than anything in the programming world. It's quite possible to deal with concurrency effectively. But you pay $100,000 per year per seat for the software tools used in modern CPU design.
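The three comments above make two related points: a "mutable const" object is not safe to share across threads without a lock (comment 13), and a language needs a way to say which lock protects which data so that a checker, not a code reviewer, catches the missing lock (comments 11 and 14). The following C++ example is added here and is not code from Animats or from any project mentioned on the page. It uses Clang's thread-safety analysis attributes (`capability`, `guarded_by`, `acquire_capability`, `release_capability`, `scoped_lockable`), enabled with `-Wthread-safety`; under GCC the macros expand to nothing and the program still builds, only the compile-time check is lost. The `Series` class and its sample data are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <optional>
#include <thread>
#include <utility>
#include <vector>

// Clang thread-safety annotations (-Wthread-safety). Other compilers see no-ops.
#if defined(__clang__)
#define CAPABILITY(x)      __attribute__((capability(x)))
#define SCOPED_CAPABILITY  __attribute__((scoped_lockable))
#define GUARDED_BY(x)      __attribute__((guarded_by(x)))
#define ACQUIRE(...)       __attribute__((acquire_capability(__VA_ARGS__)))
#define RELEASE(...)       __attribute__((release_capability(__VA_ARGS__)))
#else
#define CAPABILITY(x)
#define SCOPED_CAPABILITY
#define GUARDED_BY(x)
#define ACQUIRE(...)
#define RELEASE(...)
#endif

// A mutex the analysis understands as a "capability".
class CAPABILITY("mutex") Mutex {
 public:
  void Lock() ACQUIRE() { m_.lock(); }
  void Unlock() RELEASE() { m_.unlock(); }
 private:
  std::mutex m_;
};

// RAII holder: acquiring it in a scope satisfies GUARDED_BY for that scope.
class SCOPED_CAPABILITY MutexLocker {
 public:
  explicit MutexLocker(Mutex& mu) ACQUIRE(mu) : mu_(mu) { mu_.Lock(); }
  ~MutexLocker() RELEASE() { mu_.Unlock(); }
 private:
  Mutex& mu_;
};

// A "logically const" object: sum() never changes what the object represents,
// but it fills a cache on first use. That cache is mutable, so a const Series
// can still change under the hood and must be locked. The GUARDED_BY annotation
// records which lock, and Clang rejects any access to cache_ outside mu_.
class Series {
 public:
  explicit Series(std::vector<long> v) : values_(std::move(v)) {}

  long sum() const {
    MutexLocker lock(mu_);  // cache_ is GUARDED_BY(mu_): drop this and Clang warns
    if (!cache_) {
      long total = 0;
      for (long x : values_) total += x;  // values_ is never written: no lock needed
      cache_ = total;
    }
    return *cache_;
  }

  // Reads that touch only truly-const state need no lock at all.
  std::size_t size() const { return values_.size(); }

 private:
  const std::vector<long> values_;                    // truly const: shareable freely
  mutable Mutex mu_;
  mutable std::optional<long> cache_ GUARDED_BY(mu_);  // mutable const: needs mu_
};

// Call sum() on one const object from several threads at once. With the lock,
// the cache is filled exactly once and every caller sees the same total.
bool concurrent_sum_is_consistent(const Series& s, int threads) {
  std::vector<long> results(static_cast<std::size_t>(threads), 0);
  std::vector<std::thread> pool;
  for (int i = 0; i < threads; ++i)
    pool.emplace_back([&s, &results, i] { results[static_cast<std::size_t>(i)] = s.sum(); });
  for (auto& t : pool) t.join();
  const long expected = s.sum();
  for (long r : results)
    if (r != expected) return false;
  return true;
}

int main() {
  const Series s({1, 2, 3, 4, 5});  // constructed sample data
  std::printf("sum = %ld, consistent across threads: %s\n", s.sum(),
              concurrent_sum_is_consistent(s, 8) ? "yes" : "no");
  return 0;
}
```

Build with `clang++ -std=c++17 -Wthread-safety -pthread` and the analysis reports any read or write of `cache_` that is not under `mu_`; that is the "something that checks them" comment 11 asks for, and it answers comment 14's complaint about locks that the language cannot associate with data.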

  15. The trouble with market-based electricity. on Chinese Researcher Says US Power Grid Is Vulnerable, Strategist Overreacts · Score: 5, Informative

    It's a worry. Power grids use the Internet extensively. Since "deregulation", generating companies and distribution companies are separate businesses, and the generating companies compete with each other. The generating companies make bids, the distribution companies buy from the bids, and the grid operator (a neutral party) keeps the players connected and runs the market. Bear in mind that these systems don't have much excess generating capacity. 12-20% excess capacity during peak periods is typical. For a good overview of how this works, see Background on Generation Control, an online training course from PJM, the biggest grid operator in the world.

    Most of the communication between the various players takes place over the Internet. The bid handling is done on machines connected to the Internet and many of the applications involved are Windows-based. The execution of a power buy involves the transfer of a set of switching decisions from the bid-handling machines to the machines which actually have control over generation and transmission equipment.

    Details of the PJM Dispatcher Application and Reporting Tool are available. This is the main way generation companies and the dispatch center communicate. The user interface is Flash in a browser. Bid and buy information is shipped around as XML.

    If the Internet-based apps go down, they revert to "conservative operation" and stop trying to optimize the economics. All generation facilities, even high cost peaking plants, crank up to at least standby power levels, in case they're needed. Export of power to outside the control area in trouble is stopped. Coordination is over the "all call", a squawk box system, and satellite phones. Worst case, everybody backs down to a preplanned schedule of what they're supposed to be doing at each hour of the day. In this mode, millions of dollars per hour are being lost, but the grid can probably be kept up.

    One worry is insertion of bad data into the bid system via the Internet. The California ISO had outages in the early part of the last decade when energy traders put bids into the system which resulted in transmission congestion, forcing the CAISO to buy more expensive power. Back then, California had an energy auction every half hour. That was an extreme of deregulation. Now, the grid manager has more authority; generating companies put up data which offers price/quantity curves as bids, the grid operator takes them in increasing order of cost, and "energy traders" like Enron are no longer involved in hour by hour decisions. So there's more stability in the system.

    Internet-based attacks against the control systems are also a worry. There definitely are connections to the external Internet. PJM seems to be using XML, in well-defined formats, to pass data across that boundary. They're not dumb. The problem is making sure that there aren't unwanted connections somewhere amongst the hundreds of different companies which connect to the control side of the system.

    It's interesting that PJM doesn't rely on "security through obscurity". Hundreds of thousands of people have to know how this works. So they put the manuals, training materials, and live operational data on the Internet. (Right now, there's a problem near the West Virginia/Ohio border.)

  16. Tablets are mostly-output devices on 5 Reasons Tablets Suck, and You Won't Buy One · Score: 4, Insightful

    There's a class of devices which are mostly-output. Game machines, e-readers, and smartphones without keyboards fall into this category. Their primary function is to display content created elsewhere. Input requirements are minimal.

    Think of Apple's "iPad" as a big e-reader, with color and video, and it makes more sense.

  17. Yes, they were paid off, and here's how much. on Madoff's Programmers Indicted · Score: 4, Informative

    Here are the payoff details, from the SEC press release. They were paid off, but not very well.

    The SEC alleges that O'Hara and Perez had a crisis of conscience in 2006 and tried to cover their tracks by attempting to delete approximately 218 of the 225 special programs from the House 17 computer. But they did not delete the monthly backup tapes. O'Hara and Perez then cashed out hundreds of thousands of dollars each from their personal BMIS accounts before confronting Madoff and refusing to generate any more fabricated books and records.

    According to O'Hara's handwritten notes from the encounter, one of them told Madoff, "I won't lie any longer. Next time, I say 'ask Frank,'" meaning that Madoff should rely on DiPascali alone to create the false data and reports.

    The SEC's complaint alleges that Madoff responded by telling DiPascali to offer O'Hara and Perez as much money as necessary to keep quiet and not expose the misrepresentations. O'Hara and Perez considered the offer and demanded a salary increase of nearly 25 percent along with one-time bonuses in late 2006 of more than $60,000 each. They stated to DiPascali at the time that they did not ask for more because a greater amount might appear too suspicious. DiPascali then managed to convince O'Hara and Perez to modify computer programs so that he and other 17th floor employees could create the necessary reports themselves.

  18. Major domains being exploited on Naming and Shaming "Bad" ISPs · Score: 4, Informative

    We've been doing something like this at SiteTruth for two years. We have the list of major domains being exploited by active phishing scams. This is simply a list of domains that are both in PhishTank (about 100,000 entries) and Open Directory (about 1.5 million entries). Today, 84 domains are in both. There's been a surge; it was 54 two days ago.

    Domains are on this list for one of several reasons.

    1. They had a break-in, and didn't clean it up. Generally, the sites with this problem for long periods are ones without effective contact information, so there's no easy way to tell them about their problem.
    2. They have an open redirector. Those are rare now, but were common two years ago. Yahoo, eBay, and Microsoft Live all used to have open redirectors. After much nagging, and some press coverage, the big players have plugged that hole.
    3. They're a hosting service, especially a free hosting service. Free hosting services need to be very aggressive about checking themselves for exploits. The smarter players now read the PhishTank and APWG feeds automatically, to detect abuses of their own systems. Right now, "t35.com" is suffering from a massive attack, with 227 pages in PhishTank. Their problem is that they're being attacked by a program, but are cleaning up by hand. Every day they kick off hundreds of phishing pages, but they can't keep up. The previous site with the worst problems was "piczo.com" (some kind of social network/hosting service for teenage girls), but they've been gaining on the problem.
    4. They're an ISP. There are a few ISPs with phishing sites they just never seem to kick off. Most of the active ones were kicked off long ago. In fact, other than ISPs which are also hosting services, we show only one entry in this category, and it's a DSL line on RoadRunner that redirects to a dead page.
    5. They're a "short URL" service. These are popular as a way to get phishing URLs past spam filters. The "short URL" services have become much more aggressive about kicking off phishing URLs over the last year.

    While this is to some extent a "blame the victim" approach, it's more effective than "phishing education" aimed at end users. Hundreds of webmasters have to be educated, not hundreds of millions of end users.
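The detection described in this comment is an intersection: domains that appear both in a phishing-URL feed and in a directory of legitimate sites, counted per domain so that a hosting service with hundreds of active pages stands out. The C++ example below is added here and is not SiteTruth's code. It assumes a feed of full URLs (as PhishTank provides) and a plain set of directory domains; both inputs are constructed sample data, not real feed entries. A directory-listed domain is matched by walking up from the URL's hostname through its parent domains, so "example.org" in the directory also catches "mail.example.org" without needing a public-suffix list.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hostname portion of a URL: drop scheme, path/query, userinfo and port, and
// lower-case it. Deliberately simple (no IPv6 literals); enough for feed lines.
std::string host_of(const std::string& url) {
  std::string s = url;
  auto p = s.find("://");
  if (p != std::string::npos) s = s.substr(p + 3);
  p = s.find_first_of("/?#");
  if (p != std::string::npos) s = s.substr(0, p);
  p = s.rfind('@');  // userinfo must go before the port, since it may contain ':'
  if (p != std::string::npos) s = s.substr(p + 1);
  p = s.find(':');
  if (p != std::string::npos) s = s.substr(0, p);
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Walk from the full host up through its parent domains and return the first
// one present in the directory ("" if none). "login.portal-example.com" is
// therefore attributed to a directory entry "portal-example.com".
std::string listed_parent(const std::string& host, const std::set<std::string>& directory) {
  std::string h = host;
  while (!h.empty()) {
    if (directory.count(h)) return h;
    auto dot = h.find('.');
    if (dot == std::string::npos) break;
    h = h.substr(dot + 1);
  }
  return "";
}

// Directory domains that currently host phishing pages, with a count of active
// phishing URLs on each. Large counts are the hosting-service pattern from the
// comment; a count of one is more often a single compromised site or redirector.
std::map<std::string, int> exploited_domains(const std::vector<std::string>& phish_urls,
                                             const std::set<std::string>& directory) {
  std::map<std::string, int> hits;
  for (const auto& url : phish_urls) {
    std::string d = listed_parent(host_of(url), directory);
    if (!d.empty()) ++hits[d];
  }
  return hits;
}

// Constructed sample feed, standing in for PhishTank entries (not real data).
const std::vector<std::string> kPhishFeed = {
    "http://secure-login.bank-example.net/verify",
    "http://freehost-example.org/~user123/paypal/",
    "http://freehost-example.org/~user987/ebay/",
    "https://redirect.portal-example.com/r?u=http://evil.example.invalid/",
    "http://192.0.2.10/update/",
    "http://admin:x@mail.freehost-example.org:8080/login",
};

// Constructed stand-in for the Open Directory domain list (not real data).
const std::set<std::string> kDirectory = {
    "portal-example.com", "freehost-example.org", "news-example.com",
};

int main() {
  for (const auto& [domain, count] : exploited_domains(kPhishFeed, kDirectory))
    std::printf("%-24s %d active phishing URL(s)\n", domain.c_str(), count);
  return 0;
}
```

On the sample feed the two directory domains that show up are the free host (three URLs, including one reached through a subdomain and a userinfo-laden URL) and the portal with an open redirector (one URL); the bank look-alike domain and the bare IP address are not in the directory and so are not reported, which is the point of the intersection: it lists reputable sites that need cleaning, not the attacker's own infrastructure.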

  19. They didn't turn Madoff in. on Madoff's Programmers Indicted · Score: 5, Insightful

    Also, the courts are granting one of the masterminds leniency in exchange for prosecuting their underlings? Isn't that the opposite of how it works? Reducing the sentence of a drug kingpin in exchange for testimony against 2 of his street dealers, really?

    Justice Department policy is that the first one to come forward and turn in the others gets leniency. Those guys could have turned in Madoff, even after Madoff's arrest, until Madoff confessed. But the one "that is second in the door -- even if by only a matter of days or hours, as has been the case on a number of occasions -- will not be eligible for leniency." If your company is crooked, it's very important to know this.

    Madoff himself, of course, is Prisoner #61727-054, at Butner Federal Correctional Institution (medium security).

  20. What's so hard about this? on ISC Releases the First Look At BIND 10 · Score: 1

    Most of the trouble with BIND stems from the fact that it's a database app with its own database implementation. BIND10 uses SQLite, which already works. That ought to simplify the thing enormously.

    Building in a web server for BIND administration is probably the source of much of the complexity.

  21. Re:seems a bit of a conspiracy theory to me on Microsoft Lifts XP Mode Hardware Requirement · Score: 1

    On the other hand, while I can't find that link now, I do recall seeing one of VPC guys explaining that they went hardware-only for the new release simply because it allowed them to cut out a lot of code, which then no longer needs to be supported.

    Well, yes. x86 "Software virtualization" is an awful hack. All that code examination and patching. Getting rid of that machinery is a big win from the developer perspective.

    From a development perspective, you'd like to get rid of 16-bit mode, mixed 16/32 bit mode (very ugly), and software virtualization. Linux, after all, supports none of those legacy modes.

  22. Re:Good luck with that... on 1st Trial Under California Spam Law Slams Spammer · Score: 3, Informative

    File this one with all the others who think they will get money out for punitive damages from spammers. We all know in the end it won't work, the plaintiff won't see any money; hence don't hold your breath for your "share" either.

    No, he's going to collect on this one. The other side showed up in court, represented by counsel, and lost. The spammer has business premises within Redwood City, CA, where the court is located.

  23. This is significant. on High-Tech Research Moving From US To China · Score: 4, Informative

    Understand what Applied Materials does. They're a leading manufacturer of semiconductor manufacturing equipment. Your CPU was probably made in a fab equipped with Applied Materials equipment. Applied Materials itself does not make ICs or solar panels.

    Until recently, most high-end ICs were designed in the US or Japan and manufactured with US or Japanese equipment. That's changing; more consumer electronics parts are being designed in China. There are some good Chinese chip design houses. Although they're not yet up to doing a state of the art superscalar CPU, they can do most smaller parts.

    I've met the head of Applied Materials's solar division, who is one of the more sensible people in the solar energy field. For him, it's all about installed cost per KWh per year. He shows charts of where the cost has to be to compete with other energy sources without subsidies. (This changes with latitude; as you get closer to the equator, it gets better. Spain is competitive now.) Most of the people in "alternative energy" are asking for subsidies, but Applied Materials recognizes that to really make a success of solar, it has to compete without subsidies. So, unlike the firms making noise about getting costs down (Nanosolar, etc.) but not actually shipping much, Applied Materials is really doing it.

    A point made by the Applied Materials guy is that the cost of installation needs to come way down. Right now, installation costs are about half the cost of a solar installation on a building. It's "a guy with a pickup truck", he says. That needs to come way down. Solar panels shouldn't be placed on roofs; they should be the roof. This requires roof designs where a section can be either a solar panel or a plain roof, and all the seams are weathertight. There's a big payoff for getting this right. The cost of installation goes way down, the panels are less likely to be pulled off in wind storms, and the wiring is under the roof, which simplifies connecting the panels.

  24. No, the Government should not host "apps". on Berners-Lee Calls For Government Data Transparency · Score: 4, Insightful

    "data.gov" should not host "apps". Just release the raw data, and let others analyze it.

    If the Government provides "apps", they will be limited in annoying ways and won't be integrated with data from other sources.

  25. The audition on Filming For The Hobbit Begins In July · Score: 4, Funny

    I have visions of furries lined up for the audition.