Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. Public WiFi, yes. Everybody is your ISP on Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? · · Score: 1

    That's true, for wifi, access points can see your MAC address. I was thinking of home / office internet, where your MAC is only visible to your ISP (who already knows who you are).

  2. Not really. it's either one or the other on Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? · · Score: 1

    Not really. For example, I'm said their system will EITHER add an additional header or it won't. One or the other is true.

    I suppose the "assumption" is that their code isn't fundamentally different from ALL of the tens of millions of lines of code I've reviewed over a decades-ling career. I "assume" that the programmers tried to get their job done. I've looked at the security posture of a LOT of software. In essentially all cases, no -application- code ever sufficiently anticipated all possible types of malformed input. Programmers (other than security analysts) try to write code that works. That's their job. It's what programmers do. They write a routine that takes certain input and produces certain output.

    What programmers don't do is they don't write code that assumes everything is wrong, that inputs are completely fucked. They (rightfully?) say "garbage in, garbage out". That was fine in the pre-internet world, and it's fine if security isn't a concern. For internet-facing applications, if security is important, that has to change to "garbage in is the normal, expected thing. We plan for any and all types of garbage. Garbage in, nothing out because the software fails fast and fails hard." (In other words, raise an exception immediately, and do so by default, in any case other than getting precisely the input you want, all the input you want, and nothing else.) People just don't write software that way. They write software based on the input being what it's supposed to be.

    They also write software in reasonable ways. For example, if there is a way that's quick, easy, and obvious, most programmers will do it that way. What that means is that programmers use the same patterns over and over, exposing the same types of vulnerabilities over and over. Very often, I can correctly list off security vulnerabilities without ever seeing the software, just based on the name. For example, any time I see something called download.php, I know they probably coded it the most clear and obvious way. The most clear and obvious way has three security issues. When I actually look at the source code for something called download.php, it almost always actually does have at least two of the three vulnerabilities that I would predict. Because the programmer is doing his job, writing a PHP script that causes a file to be downloaded. He's not doing my job - figuring out how such a script could be exploited.

  3. only if you don't have a router or modem. (or ISP) on Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? · · Score: 1

    Layer 2 addresses don't pass routers, which operate at level 3, so your client media access control address is only visible if you don't have a router.

    The outside global address of your modem is of course visible to your ISP. You could change that, but most cable ISPs either require that not change at all (without calling them ) or if it changes it takes an hour or two to reconnect. Since you even with a direct ethernet connection your MAC address is only visible to your ISP, the only reason to change it would be to hide your identity from your ISP. That's going to be a problem for billing. Your ISP knows who you are, there's basically no getting around that. So no point in messing with your ethernet address.

    If you have PPoE service (such as some DSL), you could change your MAC, but since you're sending them a user name and password they still know who you are. So again, no point in that.

  4. PS: I've BEEN an executive, don't want to today on 'First, Let's Get Rid of All the Bosses' -- the Zappos Management Experiment · · Score: 1

    Ps, for much of my career I've been an executive, so I CAN do all those things (but not code at the same moment). I've done it, so that's how I know that I don't want to do it right now. Right now, I want to just do some magic with this database. In a year or three I'll probably want to split my time between deeply technical stuff and mentoring younger, less experienced programmers, while setting up an environment that helps them do well (like excellent testing tools), and helping them grow by presenting them with tasks that will be challenging, but not beyond their capability. In other words, low-level management.

  5. time, finance-speak (MCR), big picture on 'First, Let's Get Rid of All the Bosses' -- the Zappos Management Experiment · · Score: 1

    > so what's the point in not asking directly?

    There are three main things my bosses have done that have made it better for me than if the CEO talked to me directly. #1, as I said I don't have time to travel to Houston to meet with the CEO, than go have meetings with the big (but dense) client and still get the coding done. Those are separate tasks, why should I have to do everything? I like designing information systems and implementing them. I don't like dealing with clients' impossible demands. Let me do my job, which I'm good at.

    Secondly, the vast majority of developers can't tell you how much a project will cost. That's what the CEO needs to know. They don't CARE if it's written in C# or common Lisp, they need to know how much they need to budget for it, and decide IF they should budget for it or spend the money elsewhere. They need to know which major customers will be impacted by a change, and how much. As a coder, I don't know or care how much the client's MCR is. But it damn sure matters! I don't WANT to think about MCR and acquisition cost, I'm working on this tricky SQL transform.

    Lastly, I know every little detail of the programming code and SQL for my module, which is part of a larger project to update a product, part of a product-line. I don't know or care about how important this product line is to the corporate strategy and how that affects the priorities for various projects. I -could- study the strategic plan and try to understand that better, but I'm busy with some SQL right now. Right now, I'll do the SQL and let management try to balance the priorities of different projects in light of the overall strategy.

  6. clarity. Web apps: web design + system architectur on 'First, Let's Get Rid of All the Bosses' -- the Zappos Management Experiment · · Score: 3, Informative

    It is a type of design, sure. However, a different department, the design department, employs designers, who handle the design elements. Especially now that so many applications are web based, "design" is done by web designers. That's an entirely different job, of course, with an entirely different skill set.

    What a good systems architect does is develop a robust, reliable structure and pay attention to how the different systems interact. Obviously an architect designing a building has to think about overall structural integrity. The architect also has to consider how all the different systems like elevators and main utility runs fit together. Done properly, both types of architect apply generally recognized principles to have a degree of confidence that the final structure will be sound. It's a decent analogy. (Often better than engineering*, given the way most software systems architects work).

    "Architecture" also distinguishes from unstructured information systems, built ad-hoc by people with coding or IT expertise, but not systems expertise, without benefit of education in the principles of involved in making complex, growing systems continue to be reliable and easy to maintain. (Which isn't a knock on coders/programmers- I'm mostly a coder right now, as our big-picture architecture is solid, while our low-level code has room for improvement.

    So yeah, it's design. But so are a lot of other things, like what you do with CSS and Photoshop. The term software architecture makes clear what you're talking about.

    * There do exist a few software engineers, who apply disciplined engineering practices to software systems. Most with that job title (including me) don't really "engineer" that much, though I am learning to apply engineering- type principles and practices where I can.

  7. protect your privacy with a knife. Try it on Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? · · Score: 1

    You COULD try attacking them (rather than not using their service) and then tell the judge that your attack was to protect your privacy. You could try that.

    You could also try attacking them using a knife to their sysadmin and try telling the judge the same thing.

    I wouldn't recommend either. I just use a different company.

  8. Re:Can Verizon Stealth on Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? · · Score: 5, Interesting

    You can easily add your own X-UIDH header. It is likely that Verizon's proxy wouldn't add another if one were already present. It's also possible that the request would be sent on with two (or more) X-UIDH headers. Most programming is sloppy programming, so they probably didn't account for this correctly. It's extremely likely that random strings in the X-UIDH header would confuse the system.

    As I mentioned, most programming is sloppy programming. People keep making the same mistakes. One common mistake is, what if that string that's supposed to be about 16 characters is instead 500,000 characters (500KB)? Or 2MB? Things might break. What if it contains null characters (ascii value 0)? A lot of things break when strings have embedded nulls. Strings that are used to query a database to get a user's information often break when single quotes and semicolons are present.

    That said, it's also likely they use popular off-the-shelf, premade software for the proxy, and it's protected against the most obvious attacks. Their database query routines are probably written by their own programmers, and those programmers probably aren't security experts.

    Obviously, trying to harm their systems could very well be unlawful, even criminal. "I just sent web requests" might be about as convincing to a judge as "I just waved my arms around (while holding a knife)".
    I hope the bad guys don't mess with them too much.

  9. building on what you know, snapshot a vm on Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? · · Score: 0

    You know something about Linux, and something about virtualization. So you could move forward by setting up a slim VM running Firefox. Maybe one based on a LiveCD, which already controls writes.
    Take a snapshot of that VM (or the LVM volume it resides on).
    Boot the VM, browse a bit.
    Shutdown the VM
    mount the image and it's snapshot
    diff -Bbdir the vm with it's snapshot
    Take some notes.
    Snapshot again, or reset.
    Browse a bit , maybe taking notes this time.
    Rinse and repeat - boot, browse, mount diff, unmount.
    You've have an exact record of which web sites and doing what, to what files.

    I mentioned Firefox specifically because I think it holds cookies in a plaintext file, has a reasonable plugin system, and it's fully open - you can dig as deep as you want to see exactly how it works. You can see how to add and remove cookies, etc from the diff.

    Let us (or just me) know if you make some progress. This is conceptually similar to the hack-proof computer concept I designed. It resets most everything on boot, unless you boot into "configuration" mode. In regular run mode, 98% of the storage is read only, as if it were running from a CD-ROM.

  10. there is ALWAYS a conflict between tech & mark on 'First, Let's Get Rid of All the Bosses' -- the Zappos Management Experiment · · Score: 1

    There is ALWAYS a conflict between technical interests and business interests. The business people want it done by X deadline, while the technical people want to do it right (or vice-versa, the techs want to minimize the time they spend, marketing wants sparkly "features"). Individual developers want to work on interesting problems, the business needs the product to be reliable, and needs a stupid feature implemented for a stupid client who also happens to be a big client. There are natural conflicts - there is only so much time in the day, so things have to be prioritized. The feature client X wants makes the otherwise simple, straightforward system more complex.

    Someone has to make those decisions . Ultimately, most of those are BUSINESS decisions- the fact that I don't WANT to write user-documentation (and noone else does either) doesn't matter. Users need docs - it's not useful to "vote" that. So someone has to decide that documentation must be written, and since nobody WANTS to write it, someone has to assign that task. Making business decisions about how time will be spent and assigning tasks - sounds like management (aka bossing) to me.

  11. Do you want me to code, or deal with the suits? on 'First, Let's Get Rid of All the Bosses' -- the Zappos Management Experiment · · Score: 5, Insightful

    Somebody has to deal with the board of directors, senior managers, and large clients, ensuring that they're wishful thinking and lack of technical expertise doesn't destroy any chance that the project will be successful.

    I can spend my time explaining to the suits what is possible and what isn't , or I can architect and code the project. Which do you want me to do? Someone has to manage expectations and point out that fast-tracking one thing means delaying another. That's called management. Somebody has to do it. If I spend my day doing management, I can't spend it coding - and vice-versa. Forcing techies to deal with political BS and "dumb" executives is a sure way to piss them off. Many of us would rather have a good manager insulate us from the stupid.

  12. We already use the hydro places. Also slush fund on Wind Power Now Cheapest Energy In UK and Germany; No Subsidies Needed · · Score: 3, Informative

    > Speaking of renewables in the U.S. why is hydro never mentioned when discussing renewables?!?

    Two reasons. First, hydro at Niagra Falls and Lake Meade are great. Hydro is a good way to generate power in places where you have either huge waterfalls from a giant lake above a huge cliff or a giant canyon which can be dammed to make a lake that's 100 square miles. it's also a very good idea to make sure there aren't any cities downstream, so you don't kill 200,000 people (see Banqiao). There are a few such places in the US, so we built hydroelectric power stations at those locations. Built, as in past tense.

    Computer models show that if we flooded the area from the Rocky Mountains to the Appalachians - most of the continental US - that would provide enough power to replace most of our fossil fuel use. (Morris 2013). So while hydroelectric is certainly nice to have, we already have about as much as we can have in the US, it can never replace fossil fuels in any significant way.

    That still leaves a related question - why does US discussion of renewable energy focus on solar-electric 99% of the time, despite the fact that solar-electric is approximately the least efficient possible solution in most cases? Fifteen gallons of hot water is plenty enough for a shower. Black pipe outside that's 8 feet long and 6" ID will provide that, no problem (at least in the southern half of the country, and northern summers). That costs $20. So why are we promoting having an electric water heater plugged into an inverter, which is connected to a big bank of batteries full of hazardous chemicals, which are connected to a charge controller, which is in turn connected to a bunch of solar-electric panels? Seriously WTF? Because right now the politicians aren't trading billions of dollars of tax money for millions in campaign contributions with plumbing suppliers, the slush funds are titled "solar-electric". Obama says we should give a billion of your money and mine to the solar-electric guy, the solar electric guy gives Obama a million of it. It just so happens the politicians chose to call graft "solar electric" this time around, so we're spending billions on solar electric and therefore talking a lot about solar-electric. Reasonable, effective, efficient uses of solar, such as solar heating, don't get talked about because there's no billion-dollar grant program for that.

  13. wow 38% of copyright cases, 88% of IP, are Malibu on All Malibu Media Subpoenas In Eastern District NY Put On Hold · · Score: 2

    The motion to quash indicates that 38% of all copyright cases filed over a certain period were Malibu (x-art). Also, it indicates that 43% are based on an IP address. I think the vast majority Malibu's cases are IP-based, though in the past they've gone after web site operators who unlawfully published Malibu's work.

    If 38% are Malibu and that's included in the 43% that are IP-based, that means that 88% of IP-based cases are Malibu.

    Assuming that Malibu's are a problem, one can solve 88% of the problem by looking at the specifics of what Malibu does and putting a stop to their particular methods. In other words, because Malibu is 88% of the problem, you only need to stop Malibu in order to solve the vast majority of the problem.

    Because Malibu did in fact download part of the copyright video from defendant's home, the Washington.edu reference is actually irrelevant. Therefore it seems to me that the one clear problem is that Malibu hasn't followed court orders to file motions under seal. Generally, they do seem to maybe be abusing discovery, though offering to setttle isn't necessarily a bad thing.

    They do have a right to protect their rights to their very fappable content, and someone in that household did in fact unlawfully violate their rights, so they COULD bring a legitimate suit and handle it properly. But they don't.

  14. Slashdot does not like less-than sign on Matthew Garrett Forks the Linux Kernel · · Score: 1

    "Configuration mode" would be securelevel less than 1. Or indeed less than zero. Theoretically, different levels could allow different levels of configuration changes - one level could allow you to add email aliases, but not allow you to set it as an open relay.

  15. less malware, hacks. More, better devs for more fe on Matthew Garrett Forks the Linux Kernel · · Score: 2

    Are you asking about the benefit of securelevel or the benefit of a fork that doesn't have an asshole culture?

    Securelevel is of benefit to systems that run for a long time in the same configuration, making them more secure. This applies to many servers. Basically, it separates having the machine RUNNING from the setup process of CONFIGURING the machine. 99% of the time, the machine is in run mode (securelevel > 1) and in this state it's configuration can not be changed. To change the configuration, you boot into configuration mode (securelevel 1). That's a basic summary.

    The submission is more about this dev getting tired of the culture, the environment that Linus has created and doing his development outside of that structure. It's not clear if he intends to lead a group of developers who aren't assholes. If so, that could mean more developers would contribute and they might be more productive in a less caustic environment. More developers being more productive would mean end users get more features, done better.

  16. yep. We should talk on Disproving the Mythical Man-Month With DevOps · · Score: 1

    Sounds like you have it basically figured out. You keep the corporate politics BS from interfering, and I'll deliver an effective, reliable solution quickly.

    > choose the right devs in the first place (the difference in productivity between a good dev and a mediocre dev can be fucking scary, let me tell you, we're talking 20x sometimes)

    I don't know, an average developer can produce quite a bit of technical debt very quickly. That's productivity, right? :)

    Message me when you're hiring.

  17. got one of those too, more fun than the ATF versio on Ask Slashdot: What Is Your Most Awesome Hardware Hack? · · Score: 0

    I've got one of those in the bedroom right now. She's even more fun than the ematches that the ATF worries about. Except not this week - I'm not into the whole vampire thing.

  18. me too! :) on Ask Slashdot: What Is Your Most Awesome Hardware Hack? · · Score: 1

    I did a CD-duplicator robot too. Mine gripped the discs via the center hole, using a wooden clothespin carved to fit in the hole.

  19. how about ematches? on Ask Slashdot: What Is Your Most Awesome Hardware Hack? · · Score: 1

    Ematches are fun too.

    Dear NSA, yes I do have a clearance letter from the ATF, so I'm legal to use ematches.

  20. I take it back on Ask Slashdot: What Is Your Most Awesome Hardware Hack? · · Score: 1

    > As an aside, it was a few years later when we got an actual IT staff (and before we hired the database wizard) who kicked out of my own server room. Again, I listened. That was why I'd hired them too. They, like the programmers, could do the job faster and better than I. I mean, yeah, I could make it work and did make it work but they were far more adept than I.

    Sounds wise, uncommonly wise. I think I've recently called you a fool or a jerk. If so, I take it back.

  21. overdose X 10 on 3 Scientists Share Nobel For Parastic Disease Breakthroughs · · Score: 1

    It is not at all uncommon for one leaf to have a hundred times higher concentration of the active ingredient than another leaf from another plant, picked at a different time. So to get 10mg of medicine, you might need one leaf, or you might need 100 - and there is no simple way of knowing.

    At the same time, individual "doses" of the raw plant might vary just as much in the concentration of a bad substance which causes significant side effects. Ten leaves might be dangerous, or maybe 100 leaves. You don't know.

    Putting these two together, you don't know if 20 leaves will heal you or hurt you. By seperating out the active ingredient and the hurtful ingredient, you can give the patient the right amount of medicine, without the harmful part. That turns what was Russian roulette with the raw plant into reliable medicine.

  22. you're insane? on When Fraud Detection Shuts Down Credit Cards Inappropriately · · Score: 0

    It's been said that insanity is doing the same thing iver and over again, expecting different results.

    If said that a response of "call to verify" did not actually mean what it says, that would have been perfectly believable.

    However, you went on to say that you've been calling each time for 7-8 years, and with a million dollars of transactions per day, and it never doesbany good for your type of charges. (So around a hundred "call to verify" per day).

      You've called tens of thousands of times with the same result, because they don't approve your Viagre site charges under that code. You keep calling, failing to understand that they're not going to approve your charges.

    So if I take what you said 100% at face value, you're whacko. It's also possible that you're not actually insane, you just created some of those "facts" without thinking about the fact that if your story were true, it would mean you're a moron.

  23. my credit union calls me in seconds. Cashiers shou on When Fraud Detection Shuts Down Credit Cards Inappropriately · · Score: 4, Interesting

    I've been happy with my credit union's fraud prevention and detection (which is outsourced to some company). Sometimes I'm 100 miles from home when I spend about $800 on electronics at Fry's or Microcenter. (The datacenter is 100 miles from my house, for now.) The transaction sometimes returns a "call to verify" code. The merchant COULD call, they are supposed to, but most cashiers just say "it didn't go through". This is a training issue on the merchants' side, in my opinion.

    At the same time that the cashier is saying "it didn't go through", my phone rings. It's the fraud department calling to verify the purchase. The cashier re-runs the card and it works fine. It seems to mainly happen when buying from an electronics retailer, as I also remember the same thing at Best Buy. I'm fine with that. I know that if a crook gets my card, the bank is watching out.

    Occasionally, they'll call about an internet purchase or some other purchase after it happens (fraud detection). It's quick and easy to verify the transaction.

    I used to do another type of fraud prevention and detection, not directly related to credit cards, and I know our false positive rate was under 0.1%, probably under 0.01% - we stopped at least a thousand fraudulent instances for every one we declined in error.

  24. an example for those unfamiliar on US Bombs Hit Doctors Without Borders Hospital · · Score: 1

    I figured I should add a citation here in case the next reader isn't familiar with McCain's stance on various military interventions and doesn't know what I'm talking about. Here's an example of what I mean (he had two sons serving in the line of fire at the time):

    War is an awful business. The lives of a nationâ(TM)s finest patriots are sacrificed. Innocent people suffer. However just the cause, we should shed a tear for all that is lost when war claims its wages from us. But there is no avoiding this war. We tried that & our reluctance cost us dearly. While this war has many components, we canâ(TM)t make victory on the battlefield harder to achieve so that our diplomacy is easier to conduct. That is not just an expression of our strength. Itâ(TM)s a measure of our wisdom.
      2004 Republican Convention Speech , Aug 30, 2004

    McCain generally opposed interventions where there was no clear "win", no exit strategy. He has repeatedly argued that once we are engaged, we need to be "in it win it", get it done and over with.

  25. So John McCain, then on US Bombs Hit Doctors Without Borders Hospital · · Score: 1

    The only politician who comes to mind as meeting that condition is John McCain.