Slashdot Mirror


User: julesh

julesh's activity in the archive.

Stories
0
Comments
8,446

Comments · 8,446

  1. Re:If it's actually a brute-force == Solution! on Windows Vista Keygen a Hoax · · Score: 1

    Because 14 years is the expected time to find a solution. In repeated trials, 14 years would be the average length of time that finding a solution would take. Do you understand probability theory at all?

  2. Re:"Industrial" on Objections Over Antibiotic Approved for Use in Cattle · · Score: 1

    High Fructose Corn Syrup - while it's cheaper than cane sugar and other sweeteners, HFCS makes type II diabetics out of people. And we've adulterated the food supply with the damn stuff.

    I'm afraid you've bought into the 'natural foods' hype there. There's no medical evidence that HFCS produces any negative effects when compared with similar quantities of cane sugar. There is (IIRC) evidence that high levels of fructose may trigger type-II diabetes; however, HFCS typically doesn't contain any more fructose than is produced by the natural digestion of sucrose anyway.

    Bizarrely, I've never heard anyone suggest that inverted sugar syrup has such problems, despite it being almost chemically identical to HFCS.

  3. Re:One quick thought about licensure on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    I think there are a lot of organizations that would love to take your money and it might be good PR to join one, but I don't think it proves anything about your abilities.

    Perhaps not -- but it does prove something about your honesty if you get thrown out of them. It's a minimum standard, IMO, not something that states something positive about you.

  4. Re:inculpate on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    Seriously, I had never heard of that word either. It was kind of lame that the lawyer spent so much time drilling him on it.

    He's a professional expert witness. Expert witnesses, among other things, are generally expected to have at least some knowledge of legal terminology.

  5. Re:more then one kind of filtering? on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    Since when does filtering have many different meanings?

    Well, there are at least two that are vaguely relevant to the field -- one being to strip out part of a signal that is unwanted (which is clearly what was intended here); the other being to transform a signal in order to change its qualities (e.g., applying an averaging filter to remove noise from an audio signal).

  6. Re:Page 97 "DHCP Name Server" on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    He's referring to the nameserver addresses that are supplied to the computer as part of the DHCP configuration information.

  7. Re:Arrrg on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    I wonder why Kazaa includes the computer's NIC IP in conversation with other nodes. This strikes me as creepy.

    Probably so that if there's a discrepancy between the two, the other can show a warning next to the address indicating that it's probably firewalled.

  8. Re:Kazaa protocol... on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    One, you could be running a hacked version of Kazaa that attempts to check the IP address of the publicly-seen device (e.g., your router's IP address) and then reports* it in its transmitted data.

    Two, you could have a second network device in your computer and assign that device the same IP address that your ISP assigns to your router. If you configure the network devices in the proper order, Kazaa will report* the IP address of the second network device, even though it's not connected to anything.

    Three, you can have a machine on a privately-routed network have a non-"private" (i.e., non-10.x.x.x and non-192.168.x.x) IP address. The only problem is that whatever subnet you count as being internal to that network can't be accessed on the public network, but in most cases, this won't cause a practical problem.

    Four, some personal routers have an option that allows you to make them assign their external IP address to one of the nodes on your internal network, so that it can be addressed directly (sometimes this is called a 'DMZ', despite being subtly different from what a DMZ usually means in firewall terminology) by the external network. This is sometimes recommended in their instructions for people running games and/or file sharing software.

  9. Re:One quick thought about licensure on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    (I also find it alarming that MD5 and SHA1 are still used for the purpose of authenticating disk images, given that unchosen collisions in one or even both of these functions can be produced at whim and that these could be used for certain forms of tampering. SHA-256 or WHIRLPOOL should be used instead of, or as well as.)

    Note that the date of the case -- August 2004, IIRC -- means that a lot of this work probably predates the knowledge that SHA1 at least is broken (MD5 I think may have been before that, though).

  10. Re:One quick thought about licensure on RIAA's 'Expert' Witness Testimony Now Online · · Score: 1

    That doesn't mean that there aren't appropriate professional bodies that he *could* belong to. Membership in the ACM, for example, would be a reasonable suggestion for somebody who wanted to claim credentials as a professional computer engineer. As an expert witness in computer forensics, perhaps membership of the Forensic Science Institute or some other similar body would be appropriate.

    These are issues of professionalism, which are enforced by professional societies. If he wants to claim to be professional in front of a court of law, he should be putting his money where his mouth is and joining a society that has the power to throw him out if they think he is behaving inappropriately.

  11. So they have e-pub rights for all of their books? on Book Publishers Agree to Online Browsing · · Score: 2, Insightful

    I'm not entirely sure how they expect to be able to legally do this. I mean, this was one of the things that got Google into trouble with their book search service: they accepted publishers' words that they had the legal right to grant permission for this, when in many (if not most) cases, only the authors of the books have the necessary legal rights to put copies of them online. Most publishing contracts, even now, do not grant the publisher permission to do this. Copyright remains with the authors in most cases.

  12. Re:Baen on Book Publishers Agree to Online Browsing · · Score: 2, Informative

    Baen's library, while it's great, doesn't include all of their books. They choose which books to include mainly for promotional purposes, and allow authors to opt out.

  13. Re:Down with DST! on Microsoft Charging Businesses $4K for DST Fix · · Score: 1

    That's right. I'm blaming the state of the world on DST.

    Actually, I think we should standardise on DST. I mean, I live in the UK, and right now it's getting light at about 7am and dark at about 6pm. If we were on DST, that would be 8am and 7pm, which ties in much better with the way most people want the day to run. It works out the same way almost all of the time.

  14. Re:Defective by Design? on Month of PHP Bugs Has Begun · · Score: 1

    You have something to prevent people from requesting /whatever.php?a[][](etc)=1&a=0 to trigger that recursive overflow crash?

    Yes; I have set up my server to reject requests with GET/POST variables that have unrecognised names. The '[]' would trigger that rejection.
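The rejection julesh describes, carried out as an added example (not his server configuration or code): a Python allowlist check over query-string parameter names, under which PHP array syntax such as `a[][]` can never match a recognised name. `ALLOWED_PARAMS`, `unrecognised_params` and `accept_request` are hypothetical names chosen for this illustration.

```python
from urllib.parse import parse_qsl

# Hypothetical allowlist: the only parameter names this endpoint understands.
ALLOWED_PARAMS = frozenset({"page", "q", "sort"})


def unrecognised_params(query_string, allowed=ALLOWED_PARAMS):
    """Return the sorted list of parameter names that are not on the allowlist.

    Names are compared verbatim after percent-decoding, so array syntax such as
    'a[]' or 'a[][]' (encoded or not) never matches a plain allowlisted name.
    keep_blank_values=True makes a bare 'a[]' with no value visible as well.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name not in allowed})


def accept_request(query_string, allowed=ALLOWED_PARAMS):
    """True only when every parameter name is recognised; anything else is
    rejected before the application (or the interpreter's own array handling)
    ever processes the request."""
    return not unrecognised_params(query_string, allowed)


if __name__ == "__main__":
    # Constructed sample requests: one ordinary, two using nested-array names.
    for qs in ("page=2&q=php&sort=date",
               "a[][][][][]=1&a=0",
               "page=1&a%5B%5D%5B%5D=1"):
        print(f"{qs!r}: accepted={accept_request(qs)} "
              f"rejected_names={unrecognised_params(qs)}")
```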

  15. Re:If it's actually a brute-force == Solution! on Windows Vista Keygen a Hoax · · Score: 1

    Not around 14 years, but up to 14 years. There is a possibility that the first key tried works. It will only take 14 years if the 1/14 years happens to be the last one tried in those 14 years; more likely it will be one of the other [14 years - 1] worth. (Yes, this means that for any particular key attempted it is more likely to be one of the others that will be attempted.) Odds are just that, odds.

    No, E[time until a valid result found] = 14 years. Max[time until a valid result found] would probably come out somewhere in the region of millennia. It's just as likely to take longer than 14 years as it is to take less time.

  16. Re:Oh Nose! on Month of PHP Bugs Has Begun · · Score: 2, Informative

    You do realise the difference between PHP and GLIBC, don't you? PHP is designed to have a "safe mode", which (according to the documentation) is supposed to allow a system administrator to run arbitrary code in the knowledge that it can't do certain things -- one of these things should be crashing the web server.

  17. Re:Defective by Design? on Month of PHP Bugs Has Begun · · Score: 2, Informative

    Actually, lots of people have abandoned PHP for Python and Ruby.

    It may never completely go away, but there are alternatives to using it.

    Not really. Most of us in the off-the-shelf web package software development industry are constrained to develop in whatever's available on the servers our clients are likely to choose. An informal survey suggests that of 5 popular hosting providers in my local area, only 1 offers anything other than PHP or Perl/CGI in their basic level package. With this kind of support, we'd be crazy to develop our software in any other environment. Sure, if you're building a site for yourself to use with a hosting provider you can choose, and your budget isn't so tight you have to go with the cheapest available, you get a choice of environments. Most people aren't in that situation -- most people have to use packaged software, and the packaged software vendors are in the same situation I'm in: it is market suicide to use anything other than PHP (or, for a significant minority, ASP.NET).

  18. Re:Defective by Design? on Month of PHP Bugs Has Begun · · Score: 1

    If you read the website, you would have seen that the unserialize bug was fixed in PHP 4.4.5.

    Doesn't mean calling unserialize on untrusted data is a good idea. Unserialized data may be of any class, and code may be automatically executed in it during the unserialization process. This means an attacker may be able to execute code you were not expecting to be executed, potentially leading to any of a number of exploit scenarios. Unserializing untrusted data in PHP (and many other dynamic languages) is a bad idea.
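The point about unserialising untrusted data, carried over to Python (one of the "other dynamic languages" the comment mentions) as an added example that is not julesh's code or PHP's: a restricted unpickler that allowlists the classes it will instantiate and refuses every other class reference before any object of that class is created. `SAFE_BUILTINS`, `RestrictedUnpickler`, `check_roundtrip` and the sample values are constructed for this illustration.

```python
import builtins
import datetime
import io
import pickle

# Hypothetical allowlist: the only classes the application expects in serialised data.
SAFE_BUILTINS = frozenset({"dict", "list", "tuple", "set", "frozenset",
                           "str", "bytes", "int", "float", "bool"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class outside SAFE_BUILTINS.

    Every class reference in a pickle stream is resolved through find_class, so
    raising here stops the stream before an object of an unexpected class is
    created and before any of that class's reconstruction hooks can run.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"class {module}.{name} is not permitted")


def restricted_loads(data):
    """Deserialise untrusted bytes, allowing only plain data containers."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_roundtrip(obj):
    """Serialise obj, then load it back through the restricted unpickler.

    Returns (True, value) when the stream is accepted or (False, reason)
    when it is refused, so callers can log the refusal instead of crashing.
    """
    try:
        return True, restricted_loads(pickle.dumps(obj))
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample values: plain containers pass; a legitimate stdlib class
# that the application never declared it expects is refused.
BENIGN_SAMPLE = {"user": "julesh", "ids": [1, 2], "flags": {"a", "b"}}
UNTRUSTED_SAMPLE = datetime.date(2007, 3, 1)

if __name__ == "__main__":
    print(check_roundtrip(BENIGN_SAMPLE))
    print(check_roundtrip(UNTRUSTED_SAMPLE))
```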

  19. Re:Defective by Design? on Month of PHP Bugs Has Begun · · Score: 4, Interesting

    I think PHP has got beyond the stupid-design-flaws-causing-security-issues stage. Now, as you correctly point out, the major issue is endemic insecure programming practices and a lack of attention to bug reports.

    How I wish we could just junk the language and start again with something else; unfortunately, market pressures being what they are, I'm afraid we're stuck with it, at least for the time being.

  20. Re:Defective by Design? on Month of PHP Bugs Has Begun · · Score: 2, Insightful

    Uhmm, you are aware that all the phpBB forums out there use unserialize() on cookie data?

    No, I wasn't. One more reason not to use phpBB, I guess.

  21. Re:Defective by Design? on Month of PHP Bugs Has Begun · · Score: 5, Informative

    Is PHP defective by design?

    It was. A lot of work has been done in the last couple of major versions to fix this, but still a lot of installations are crippled in the name of backward compatibility.

    Most of what we're seeing here though is just run-of-the-mill sloppy coding. Create a lot of references to a variable and overflow its (16-bit) reference count? Please. That should never have happened.

    Fortunately, it seems most of the bugs released so far don't affect the majority of installations. We have a number of 'executing arbitrary PHP code can let somebody own your web server' -- well, most of us don't let random people run arbitrary PHP code anyway. We have some 'deserialising arbitrary data can let somebody own your web server' issues too, but then there has been a long-standing warning that PHP's deserialise function isn't secure anyway, so that shouldn't affect anyone who's been paying attention. We have some issues with the Zend Platform, but I'm not sure how many people have that installed. So far, the only issue to affect me is the phpinfo XSS vulnerability -- and that just meant I had to delete my phpinfo.php file that I kept in the root of each domain I host.

  22. Re:Just like Dell on Windows Vista Keygen a Hoax · · Score: 1

    It looks like somebody got The Phone Call. Anyway, why would it be a hoax all of a sudden? It works. Not very fast (the site did specify hours to days, though weeks might be more like it), but does work, hence not a hoax.

    If MS weren't morons when they designed the key system, hundreds of thousands of years might be more like it. But you can keep trying if you like.

  23. Re:If it's actually a brute-force == Solution! on Windows Vista Keygen a Hoax · · Score: 3, Interesting

    Based on calculations in the other thread discussing this, we reckoned that if MS hadn't been stupid designing the key system, you'd have to try somewhere in the region of (IIRC) 10^17 keys before getting one that works. Now we can discard the "evidence" that suggested they had been stupid, this is back to being our baseline assumption. Based on speed-of-trial stats reported there, this would take a 65K-node botnet around 14 years to crack a single key.

  24. Re:Not an 'Operating System' on A Free XML-Based Operating System · · Score: 3, Interesting

    And by the looks of the company site, it's vapourware. They have a "sign up to beta test" button on the home page, but when you fill in the form (*after you fill in the form*) they tell you you've been added to their list of people to send news about the thing.

  25. Re:not an os on A Free XML-Based Operating System · · Score: 1

    It runs inside a browser, probably is a collection of javascript and dhtml script piles. It's not an OS. It's maybe an application suite, a framework, a collection of javascript application libraries, whatever, but it's not an OS. Putting the "internet" word before it doesn't help.

    Let's be fair to them. They may have implemented a virtual machine environment and produced an operating system that runs on it.

    It doesn't sound likely to me, but if they have, this would count IMO as an operating system.