Slashdot Mirror


User: argent

argent's activity in the archive.

Stories
0
Comments
12,456
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,456

  1. Re:Surely this is not the only source of entropy! on Debian Bug Leaves Private SSL/SSH Keys Guessable · · Score: 2, Insightful

    The uninitialised memory there isn't the only source they use, they just use it if it is there because it doesn't matter, and at worst doesn't make the data less random.

    Yes, I get that, you're just restating what I quoted in slightly different words. My point is that it looks to me that at best it doesn't matter because it's not a good source of randomness.

    They then call a randomisation routine. The broken patch commented out both calls.

    Both calls were to the same routine, MD_Update, that added part of the uninitialized buffer to the message digest being built in two different places.

    Don't mess with code you don't understand, especially when it is so important.

    I'm not messing with it, I'm questioning it. If that code is important, then I'd like an explanation of why they think this is a good sort of randomness to depend on.

    If they don't want to use /dev/random, and they don't want to make the user stop and enter some random text (I always faithfully enter gibberish for OpenSSH initialization, don't you?), then they could pick a better fallback than a chunk of data whose randomness depends unpredictably on the execution environment.

    Heck, you can do a lot better by deliberately taking advantage of known variations in the environment: they'd do better hashing /var/log/messages, particularly as soon after a boot as this seems likely to happen, because then at least they'd get a buffer that actually depends on the details of the hardware installation, the IP address, the speed of the processor, the amount of memory, the distro, the enumeration of the PCI bus, the file systems, programs installed, the time and date, and so on... not predictable or reproducible (even if you cloned the hardware and faked the time and IP address network load will change the contents of timestamps unpredictably).

  2. Surely this is not the only source of entropy! on Debian Bug Leaves Private SSL/SSH Keys Guessable · · Score: 4, Interesting
    Going to http://www.links.org/?p=327 I read...

    OpenSSL happens to include a rare case when its OK, or even a good idea: its randomness pool. Adding uninitialised memory to it can do no harm and might do some good, which is why we do it.
    Uninitialised data doesn't seem to be a good source of randomness to depend on, since depending on where it happens you may consistently end up with a buffer that previously contained all zeroes (or some default memory test pattern), the same part of the same shared library header, or a series of stack frames that for whatever reason happen to be the same frames on every run.

    In fact I'd expect that separate runs of the same program with the same parameters and environment would leave the same junk on the stack every time.

    So I would hope that they have some better source of entropy than unpredictable uninitialized data of dubious randomness.

    So if this is really a serious problem, then it seems to me there's already a serious problem in OpenSSH.
  3. Marcus Ranum's got them beat... on Just How Effective is System Hardening? · · Score: 1

    You can completely prevent unauthorized access with Marcus Ranum's ultimate firewall!

  4. Maybe less motion sickness. on Screen With 180 Degree Field of View · · Score: 3, Interesting

    FPS games give me motion sickness already, but that's because the distorted areas of the game are projected onto a plane, and when I track something to the side or bottom of the screen I look directly at them. Having them off in my peripheral vision would seem to reduce that. Having the game create a sphere map instead of one plane of a cube map (which is what it's effectively doing when you expand the fov inside the game) would be even better, because it would eliminate the corner distortion.

  5. Read the fine article. on Screen With 180 Degree Field of View · · Score: 1

    This isn't the range over which you can see the screen, this is the amount of YOUR field of view that's covered by the screen.

    This is the first display for which you'd pretty much NEED a virtual reality environment to use effectively. ^^

  6. What do they think it's for? on 80 Gbps Deep Packet Inspection Hardware Announced · · Score: 1

    But Brear and Lindén made the case that this shouldn't be seen as a looming consumer nightmare, nor should it be seen as having anything to do with network neutrality.
    What ELSE do they think it's for?

    Don't say that he's hypocritical
    Say rather that he's apolitical
    "Once the rockets are up, who cares where they come down
    That's not my department," says Wernher von Braun
    -- Tom Lehrer
  7. That's not what actually happened on Microsoft 'Shared Source' Attempts to Hijack FOSS · · Score: 4, Informative

    Back in the 1980s, when Richard Stallman was the only one talking about the need for "free software," no one quite knew what he was talking about.

    Back in the 1970s lots of people were talking about he need for free software, under all kinds of names. More than that, we were doing it. The movement that RMS is given credit for starting was already well under way, all across the spectrum. You had compilers (and not just on big computers, in the 8-bit worls Small-C, Tiny-Pascal and -Basic, and Forth were published in Dr Dobbs Journal), editors, shells, UNIX emulation (the Software Tools VOS on minis and mainframes, and more modest tools on micros), the free/open/whatever-you-call-it community was already huge when he published the Gnu Manifesto in 1984.

    Before the late '70s commercial closed-source software was really the exception. It wasn't even clear how much of a future there was for proprietary code, because a software package that didn't include source meant you were locked in to the operating system you got it for. A friend of mine came up with he name "Tangible Software" to describe software that wasn't proprietary and locked down to a single OS by being distributed only in compiled format, and we even used that name for our company (don't bother googling for it, it lasted less than a year and never shipped any product... we were both undergrads at Berkeley and had no time for classes AND starting up a business). Of course what happened was that this turned into a benefit for the vendors of proprietary software... they could sell you the white album over and over again.

    The point is that what actually happened is that RMS provided a focus for what a lot of people were already doing, and tried to redirect the energy of the community his way. He succeeded, in both, to a point... but the people who didn't want to be redirected found they needed a better name. "Free Software" already meant too many things to too many people, from freeware (mostly binary (not "tangible") and some of which was crippled, and soon became 'shareware') to things like BSD- and MIT- licensed code to purely public domain stuff, even before Stallman, but he sure didn't help things.

    Now we have RMS arguing that "open source" should refer to the development model (the bazaar) rather than the license, though the OSI's definition of open source is all about the license... and Microsoft trying to hijack the mindspace with "look but don't touch" licenses (also nothing new... you used to be able to get VMS source code... on microfiche). The term's under attack from both sides, and the history of the past 30 years is being rewritten (with the best of intentions, no doubt) by all sides.

  8. It's all about undermining open source on Microsoft 'Shared Source' Attempts to Hijack FOSS · · Score: 1

    Microsoft was doing this long before the ruling you're pointing to: the history of their "shared source" initiative is full of explicit statements by Microsoft that indicate this is their response to "open source", and that "shared source" is a "better" model because people "really" don't want to modify the code, they just want to read it.

    More recently Bill Gates was quoted as saying that giving away demo copies was "free software" and that "open source" meant you HAD to give away the source (ie, the GPL), and that the alternative to this was "shared source".

    So, yes, they absolutely are trying to be confusing. They were even more confusing before they renamed some of their licenses to get them certified as Open Source.

    And they really *are* being confusing. I've run into people from all sides of the open source issue, including people arguing for the GPL, confusing open source and "shared source".

    It's not FOSS, but it *is* pretending to be.

  9. You have a university using it? on Recruitment Options For a Small-Scale FOSS Project? · · Score: 1

    This is a fairly serious problem for me now, because my software has recently been adopted by a university, and I'm just not in a position to manage the entire set of applications and update everything on my own.

    If you have a university (or any other organization with budgets and developer resources) using it, then they should be supporting it, and if they don't want to they should be paying you for your time. If they're not willing to do that, then you need to reconsider whether you should be supporting them.

  10. Re:Rootkit is payload... on NSA Takes On West Point In Security Exercise · · Score: 1

    Interesting, I'll have to read the story more carefully because I didn't catch that...

  11. Mod parent up "informative" on NSA Takes On West Point In Security Exercise · · Score: 1

    Mod parent up "informative" only because there isn't "primary source" as an option. :)

  12. Rootkit is payload... on NSA Takes On West Point In Security Exercise · · Score: 1

    Rootkits are payload, normally, something deposited by an attacker using an exploit to get in. THe author of the article doesn't seem to appreciate the difference between the holes used to get into the network and the secondary attacks launched from there. It's not even clear from the article whether the Army ever found out how the rootkit was delivered.

  13. Re:From Experience... on EA Loosens Spore, Mass Effect DRM · · Score: 1

    I know a dev who made a PC only title last year, who also thought tech like this was intrusive and heavy-handed; they did not use it.

    I'm a dev who shipped one Amiga game, maybe 20 years ago, and the publisher had to recall it because the copy protection wasn't compatible with their floppy duplicating process. We'd specifically targeted the low level copiers... the Amiga equivalent of the Apple "nibble copiers", that most pirates used. We provided them scripts to do the duplication... but they used one of the copy protection busting tools we'd targeted to do their production run. Whoops.

    And ironically the scripts we provided them were able to crank out copies faster than their nibble-copiers, once they realized they really needed to use them. We missed the Christmas release, which basically wiped it out, because back then you had to make all your money back in the first few months... because cracks abounded, and games went out on pirate BBSes in no time. Even with out superior copy protection tricks.

    So this isn't new. Copy protection is a risk, and even improved copy protection won't protect you... because once ONE broken copy is out there you might as well not bother. You gotta live with it, limit the development time and costs based on what you're going to make back in the first sales peak. So you don't do as many mega-hit games like Spore, instead you shoot for more smaller and cheaper titles and concentrate on making them fun to play instead of depending on the special effects to sell them.

    If we were to do it again, I'd have shipped without any protection at all. We might have hit the peak a month before christmas, but we'd have actually HIT it... and we'd have been able to spend more time on the game and less on the copy protection. And maybe I'd have stuck to the games business instead of spending the next 20 years as a system administrator - surer money, that, if not as flashy.

  14. They crippled the Pocket PC... so what happens? on Microsoft Decides To Take On Linux On Low-Cost PCs · · Score: 1

    Microsoft removed functionality from several releases of their Windows CE handheld software ... before Pocket PC there were Windows CE powered clamshells that would have been quite competitive with the EeePC, but the Pocket PC didn't come in a clamshell form factor and they removed multi-level menus and multiple windows. Why? Well, they were pushing for the Tablet PC to take over that part of the market and it was pretty obvious to us at the Pocket PC Wireless and Beyond marketing conference in 2000 that they didn't want the Pocket PC to become a notebook replacement.

    Well, now they're stuck, they don't have a platform that's competitive with Linux at the low end. I suspect this will turn out to be a stopgap until they can come up with a new "entry level" platform, perhaps with limitations like their third-world-Windows, based on Windows PE or Windows 7, or maybe even bringing back the clamshell version of Windows CE.

  15. Zune II on A Guardian Angel In Your Cell Phone · · Score: 2, Funny

    My immediate reaction is that this is the next step for the Zune. It's already got local wireless file transfer, and it's getting software to scan for (cough cough) non-traditionally distributed movies. What's better to add a full power Big Brother... I mean Guardian Angel mode?

  16. Re:Underwater maybe? on NASA Wants to Take the Blast Out of Sonic Booms · · Score: 1

    Ah, doh, thanks for clearing that up.

    Where do people use "pounds per square foot" as a common unit? I've never run into that one before, so mentally read it as PSI. Is this some NASA-only usage that they use when they're need to lose a Mars orbiter to a translation error or something?

  17. Re:Sure, but... on x86 Evolution Still Driving the Revolution · · Score: 1

    Pipelines are integral to foundation of the processing of the execution of the architecture and not simply an implementation technique.

    I can't parse that.

  18. Re:Good strategy on UK Uses CCTV, Terrorism Laws, Against Pooping Dogs · · Score: 1

    Because although I have smoked marijuana in the past, some 20 years ago, and gotten away with it; I haven't really felt the need to kill or rape anyone so far...

    What about littering?

    At least it'll be easier to take twenty seven eight by ten color photographs of the quote scene of the crime unquote with CCTV...

  19. Underwater maybe? on NASA Wants to Take the Blast Out of Sonic Booms · · Score: 1

    Unless I'm really confused here, this doesn't make a lot of sense. What is this fella trying to say?

    The change in air pressure associated with a sonic boom is only a few pounds per square foot -- about the same pressure change experienced riding an elevator down two or three floors.

    Atmospheric pressure at sea level is only 15 PSI. If you experience a "few" PSI pressure change going from ground floor to the 3rd floor, either you're underwater or your floors are thousands of feet high.

  20. Re:Riddle me this... on Processing Visualization Language Ported To Javascript · · Score: 1

    Ah, yes, I was wondering about the "flex" bit, and I really do prefer a classless model, but I'll grant you that global-by-default is a bugger to deal with for any program more than a couple pages long. If all they did in JS2 was to fix that bit and left the classlessness intact I wouldn't be dreading JS2.

    In Javascript's defense, I don't think it was originally intended for programs more than a couple of pages long.

    Python will be ubiquitous after they redesign the syntax. Preferably towards a Smalltalk-like rather than a C-like model. C doesn't really have a good syntax for building an OO language on top of.

    Indentation for nesting creeps people out.

  21. Re:It wasn't all roses. on iMac Turns 10 · · Score: 1

    My personal experience includes having to wear a wrist brace for six months, after which I paid a LOT more attention to input devices I'd previously thought worked just fine. :)

  22. Re:Sure, but... on x86 Evolution Still Driving the Revolution · · Score: 2, Informative

    Pipelines are an implementation technique, not part of an architecture. Some architectures make it easier to take advantage of pipelining than others, but that doesn't mean they're pipelined architectures. Hell, the intel x86-family processors have had longer pipelines than just about anything else for at least a decade. P4 family chips had up to 33 pipeline stages, neatly beating the profligate G5's max-23-stage pipeline.

    The Core 2 still has 14 stages in its pipeline.

    As for the ARM, the XScale has 5 stages, other arm implementations have had up to 8.

  23. Riddle me this... on Processing Visualization Language Ported To Javascript · · Score: 1

    Why is the distinction between objects that you can inherit from (classes) and ones you can't (instances) so important?

  24. I've been using Mobipocket Reader since 2000 on Have You Changed Your Opinion On eBook Readers? · · Score: 1

    I've been using my handheld (originally a Visor Deluxe, now a Clie SJ22) for reading eBooks since 2000, and I like it fine. :)

    Don't see the point in a dedicated piece of hardware that's six or eight times the size and doesn't do anything else I use my handheld for, nor for the more expensive DRM-encumbered book formats they favor.

  25. Re:It wasn't all roses. on iMac Turns 10 · · Score: 1

    The ones where the entire top of the mouse pivots, rather than having a button at the front of the mouse that you click. Like the Mighty Mouse and its immediate precursors.