Sure, but how large is the common subset between the people who choose to use PHP and the people who are capable of designing secure software? I imagine it's not a very large set.
Says Linus. As the saying goes, anyone can design a security system(*) that they themselves cannot break, but that doesn't mean others cannot. Linus is no exception to that rule.
All the mitigating factors he mentions are good points, and he's right that the sky isn't falling. But still, using SHA-1 in 2005 was a lazy choice, and it would have been nice to have seen a move to SHA-2 sometime in the following decade.
(*) I know people are saying that the SHA-1 checksum is not a security device, but that's a bit naive: It's a central part of a protocol for exchanging data over the internet. Whatever it was intended to be, it is in reality a central part of git security.
If you use any modern smartphone as a dumbphone, then the display is hardly ever going to be on, the GPS and data link are going to be dormant, and you'll get fabulous battery life. Just try it.
Income inequality is an indirect, at best, and irrelevant at worst, measurement.
One cares about the average health, wealth, and longevity of a population.
Those are correlated. Equality is correlated with better health. Remarkably, that applies not only to average health, but to everyone's health: Even the rich are healthier where there's less inequality, despite being relatively poorer.
Europeans usually require a lot fewer workers for a similar TBM project than Americans do. Don't know why that is.
Labour costs. We automate the shit out of things because labour is expensive. You won't find many valet parkers or doormen in Western Europe either.
Not to mention Walmart greeters. Are those for real? How is it possible that a discount store can afford to pay someone to mostly just stand around? It boggles my mind to think of the income disparity that makes such a job possible. What do those people get paid?
You know, as an attacker I'm just going to do whatever turns out to be the simplest. You can't judge the risk of attack on average difficulty. So what if some of the items on my initial brainstorm were a bit mission impossible? I could certainly come up with a simple attack plan where the risk of getting caught is much smaller than for someone installing a shim.
Try pointing your imagination that way. You try figuring out a way to get a picture of the key without arousing suspicion. You've got phone cameras, pinpoint cameras and professional-grade zoom lenses at your disposal. If you can't come up with 10 different ideas in 15 minutes, you're not trying.
Just to be clear, I'm not going to share my ideas and I don't want to hear yours.
No borders for buttons or clickable icons, so there's no indication of how precise you need to hit it.
Nothing to indicate what is clickable and what isn't.
Grey text on grey background.
Ever so tiny status bar icons with no text, despite being on a large screen with plenty of space for more.
If you look closely, it would seem there is a menu hiding under an icon, though that's very easy to overlook. In addition to being tiny on a large screen that could have afforded more, it's another grey on grey thing.
The text input field is... well I would say something about that, but I'm not completely sure there is a text input field anywhere. Probably you can click on or around "Search", but that's just guessing.
There's a "shuffle" icon, but is it enabled or disabled? I honestly have no idea. The enabled state is probably a brighter grey than the disabled state, but exactly what shade means one or the other is unguessable and impossible to reliably memorise.
Scrollbars: There aren't any. There is clearly content being cut off by the not tall enough window, but no visible way to get to it. Perhaps I'm expected to use a scroll wheel, except my pointing device of choice doesn't have a scroll wheel.
And finally, the coup de grâce: The dominant feature is an ad.
Dynamically re-keyable mechanical locks have been around for ages. [...] Also, they shouldn't even be on a LAN, either. Have the maid do it.
Dynamically re-keyable mechanical locks have the same security properties as magnetic strip keycards: Either way, if your reprogrammer/re-keyer or your locks are network connected, then the lock may be compromised through that communication channel. You can have no network and re-key on location with a keycard as well.
The only real difference is that dynamically re-keyable mechanical locks are more expensive and prone to mechanical failure.
And they only demanded 1,500 EUR? Hell, the hotel should pay them more than that for security auditing services.
I'm going to throw a brick through your window. And then charge you 1500 EUR for auditing the physical security of your home. I presume that's okay with you.
Yeah, high security mechanical locks have been around for at least two hundred years.
How does this "high security" lock prevent a previous guest from having made a copy of the key? It doesn't, mechanical keys are the wrong tool for the job. Keycards are the right tool, although of course you have to implement it correctly and not connect it to the internet.
I'm curious, in what way does turning threads into processes overrun CPU resources? Threads can peg the CPU meter on multiple cores just as easily as processes can. Is it a page table thing or an OS scheduler thing or what?
It seems to me that you have an operating-system level problem. If nice and ulimit and the OS scheduler aren't cutting it, then they need to be improved or replaced.
Coal converts 30-40% of the energy in the expended fuel to electricity. Solar converts a lot more than 100% of the energy in the expended fuel to electricity. Solar is more efficient.
Those 10-25% measure something else, which also happens to be a kind of efficiency, but that doesn't make it a meaningful comparison.
Everyone's under a lot of pressure to get things back up and running, and that's a big incentive to cut corners with procedure. Suppose someone calls you during a DDOS crisis and says "hi, I'm the highly paid consultant your boss' boss hired to handle this. I need you to go to www.wefixsecurityforyou.ru and download and run the DDOS diagnostics tool." You can't reach your boss to verify because your email and IP phones are down. What would you do? Do you have the guts to say no and risk being the guy who delayed recovery for hours, costing your company a million dollars?
If you're a lock-pick maker, and 90% of your sales go to burglars, then you may very well be on the hook. Especially if you know it and do nothing.
I'm not saying that's what KT did, just that you can't absolve them in advance because they're in some logical category with a level of indirection from any actual crime. The law isn't math.
Prosecutors and police enforcing the laws passed by your democratically elected representatives? Yes, I should hope so.
Government may have a function, that function being enforcing contract law and dealing with fraud. That is all that any government should ever have any power to do. Everything else is oppression, not justice.
That's democracy for you. Sometimes the 51% passes laws that the 49% doesn't like. I'm sorry you don't like it.
2. It should make it easier on your end to sanitize input.
How? By sticking your head in the sand and pretending that since it's a text-based format, you don't need to parse it, you can just shove it into whatever library came up as the first hit in a search for "convert markdown html perl"?
markdown is a DWIM syntax, and that sort of thing is always extremely complicated. HTML is simple and predictable to parse. markdown is anything but. If you disagree, show me an EBNF for markdown.
I do agree that better support for posting snippets of code would be nice. But then they could just implement <pre>.
They have a group of people who appreciate their site so much that they bought an app to improve the experience. It stands to reason that the same people - at least some of them - might be prepared to pay for a subscription.
I'm sure this business model will work out for you in the long run.
I don't see why not. It's not like the "customers" they lose are bringing in any revenue.
Didn't miss it, discussed in the last paragraph.
1. This is not a security issue.
A quick google tells me it's a 21:9 ultra-wide. What's it like in portrait? Is it even possible to swivel into portrait mode?
If you can.
I totally trust POTUS 45 on this: When he says fuck everyone else, me first, umm I mean America first, I really believe he means it.
I need a five figure budget to photograph a key with a zoom lens?
To summarise: Yuck.
Can you install a reader device to intercept the key code from the mechanical key?
You mean except from using cameras, or radar, or magnetic sensors, or microphones, or pressure sensors?
There's not necessarily anything there. It could be a conspicuously shaped gap forming in the cloud formation.
That must be why the Chileans are calling it an "unidentified aerial phenomenon", not a UFO.
But how?
People.
1) Secondary infringement is still not a crime in the US
Except of course for aiding and abetting. Somehow the finest legal minds of Slashdot always forget that legal doctrine exists.
- is this what passes for 'justice' today?
I don't know that it's even possible for a venue to avoid influencing the discussion.
It's possible to try. And trying makes a difference.
Looks like vi to me.