> That is like saying "why would you use math to figure out the area of that rectangle when you can just guess randomly until you find a fitting number". > Both solutions work but one is intelligent.
That's the same distinction between an old-school program that tells the machine exact instructions "go forward 3 meters, turn left, go 1 meter", vs. artificial intelligence - building a robot that can adapt to it's environment. Why make it adaptable when you can program in precise instructions to begin with?
The entire field of AI is based on the idea that adaptable is better. We know of about 8.7 million species, from ones that live in boiling acid to blue whales and humans. If you wanted to make million variations on something, is it smarter to explicitly design one, then the next, then another, nine million times, or is it more intelligent to design one or ten which have the ability to morph into whatever variation is required?
You're assuming hard-coding specific values is the smart way. In almost al cases, hard-coding is the dumb way to do things.
The author has a point, maybe. I did notice that he was ten years old in the nineties and learned to program after college, meaning he has maybe five years of experience. He may be missing the REASON you name it "XMLReader", not "SusieQ" or whatever he said. If he ever has to grok a medium sized project full of classes with "whimsical" names he may wish for clear, intuitive names.
My predecessor at work was whimsical - every script or class has a variable named "bob", which sometimes is important, sometimes does nothing. Occasionally, he forgot what he was using bob for in a particular function and tried to have it represent two different things. One of our tasks is to slowly replace all of his whimsical code with proper code that is reliable and self documenting
I have some computer science / theory books that are twenty years old and still quite valuable. Those include Cod on relational database design theory. My Visual Basic 6 books are trash because they cover a specific, outdated version of the software.
Thinking about it further, not only are the good old books theory oriented, the ones that come to mind on authored by the originators of the topic - Cod & Date, K&R, etc. The thoughts of the founding fathers of a discipline are always relevant.
I checked it in a couple of different browsers. Only the Android browser made it look correct, and that was only on the second viewing using that browser. When I first viewed it, it was broken in Android too. Most lines are repeated three times. For example, the sentence starting with "Here's the problem. Dual_EC_DRGB is flawed" is in there three times. I wonder what you'll see if I repost a copy / paste of the text:
Putting it bluntly, you can't.
Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.
This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.
Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).
Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.
Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapsed like a house of cards. All tPutting it bluntly, you can't.
Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.
This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.
Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).
Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.
Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapsed like a house of cards. All the NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRGB". Hell, in assembly it could probably be a simple JNE instruction.he NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRGB". Hell, in assembly it could probably be a simple JNE instruction.
The answer is don't use FIPS 140-2 mode, but if you're dealing with the government -- and a huge number Putting it bluntly, you can't.
Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be
As I read this, I'm on a trip to Houston to retrieve several terabytes of data for Clonebox. At 90 minutes each way, if I bring back 8TB, that's what, 60 Gbps. There's no way I could transfer that data over my cable modem.
That's a good idea. More generally, "stop showing me ads for this, I'm not going to buy it (or don't care to have it show up where other people might see it on my screen). That would be a win-win for consumers and advertisers.
I don't care for the fact that advertisers have a profile of me, but I do like seeing ads that might actually interest me. eBay does a good job of showing me listings I might want to look at.
Sure they _could_, but since the people who misled the judges were representatives of an agency, engaging in the agency's business as directed by their superiors, it's better that the agency and it's leaders are held accountable. For now, there are congressional hearings going on handling the matter through the political process, with congresscritters feeling public pressure. As a general rule, judges don't like to single-handedly usurp the public political process. Of course the Supreme Court from time to time has to rule on cases involving politically disputed issues, but lower courts generally shouldn't.
If, through the process of congressional hearings and such, it becomes clear that specific people committed perjury, that would be time for courts to convict certain people, after the public has made decisions through their elected representatives.
> I worry about the educational validity of MOOCs and feel that universities don't really have an idea of what they are for
A Google fellow working on MOOC.org / edX, Dr. Guha, said Tuesday that they most certainly don't know what they are doing, no more than he knew what he was doing when he created RSS, so they are trying to set up a flexible framework in which people can experiment, try things.
It's ILLEGAL for the NSA to spy on Americans, and for good reason. That doesn't mean it's OKAY for them to spy on everyone else, but at least it's LEGAL.
As a US citizen, I'd rather China spy on me than the NSA. The reason is because China isn't going to try to "bust" me on a minor and erroneous charge. For example, there is a porn star named Ann Howe aka Melissa who started in porn when she was 20. She looks young, so several people have been busted for "child porn" for having pics of her when she was 20-25 years old. I don't want my government spying on my internet usage because my government will charge me with child porn based on a chick in her twenties. The Chinese government doesn't give a shit what porn I see. Therefore yes, it's less bad for a government to spy on foreigners - even when I am the foreigner.
Judges have ruled that the NSA could do these things - when the NSA lied to the judges about what they were doing and how. Some of those judges are pretty pisses off now that they know how the subpoenas were abused, so I wouldn't think think those rulings definitively say what NSA is doing is in fact legal. The judges who made the rulings don't think they approved what was actually going on.
There are some good people at Open University. A commenter mentioned quality. The person at OU who I work with annoys me at times because he insists on top quality. There's no such thing as a quick fix on the software we use - the OU person insists that every change is WELL thought out and implemented in the very best way possible, even if that's a lot more work than doing it the easy way.
Best of luck to my friends at OU in this new endeavour.
Sure, when you show the patent examiner what part of the Linux OS (or just kernel if you prefer) previously did that thing in the patent, how, and when. It sounds like that's the type of thing these people are doing.
MOST patent suits are filed by one of twelve companies. There are hundreds of companies who actively try to license their IP, like Arm and Bell Labs do.
The "good" scenario is in fact the common one. The bad scenario is the one you see covered on Slashdot. Also from time to time Slashdot covers a story of proper patent use, but in a totally misleading way so as to make it sound bad. For example, last week we had the story of Cisco wanting to come to the rescue when a big bad patent troll was suing defenseless defendants. The big bad wolf in that case is a nonprofit organization and the "defenseless victims" are AT&T, Comcast, Level3, and Time Warner.
You have a valid point. It's also worth noting that the NRA regularly supports bills requiring background checks, mandatory training to get a CHL, etc. Of course as you said they also have to watch out for slippery slopes.
As explained US_CERT, the US Computer Emergency response team:
> There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, > local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, > proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), > and ActiveX. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an > attacker significant access to the operating system.
Microsoft winked a acknowledgement the root of the problem yesterday with their advisory about this particular vulnerability. Microsoft's advisory says:
> By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML > email messages in the Restricted sites zone.
That's as opposed to the Local Intranet Zone, the Trusted Sites Zone, etc. IE opens content in the restricted zone (cage) and hope that there isn't a leak, like hoping that lion doesn't reach out of the cage. (and hope that IE picked the right zone to start with - web sites and batch files are both.com addresses.) Opera doesn't need to try to keep web sites from accessing functions in the local computer zone - there is no local zone, it just does web sites.
If your browser doesn't run shell batch files and registry patches, it doesn't have to decide which batch files to run in what context. It simply doesn't run batch files, or do anything else but show web pages.
My language was unclear. In Explorer, you can go to "My Computer" and choose "Format Drive". Windows Explorer IS Internet Explorer, showing a different menu bar.
In Chrome, Firefox or Seamonkey, there is no "format drive" function. Browsers don't need, and should not have, the ability to reformat your hard drive. That decision to combine the system shell with the browser is the underlying cause of the severity of many Explorer security issues.
It sounds like the destruction of objects is incomplete, so the attacker can still write to that area of memory. It's certainly possible that it's writeable BECAUSE it's still associated with the process, which mean it runs in the context of that process. Additionally, it's likely that while the attacker can write to the memory, they can't arbitrarily execute it directly. Rather, they have to cause IE to execute it, in which case it would run with the privileges IE has when IE runs it.
A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.
Yes, I'm aware that on Windows 8 Microsoft has attempted to sandbox the browser. Like putting a lion in a cage, that works until the lion reaches through the bars. It doesn't compare to using a browser such as Firefox which does not have the potential harmful abilities baked in. No need to sandbox something that doesn't exist.
Bcache does read caching and your choice of write through or write back. I believe that's the same thing ads offers. If you know of some difference in the caching, please specify what you are referring to.
Obviously ZFS is a volume manager, a filesystem, a file server AND a caching solution. Bcache does one thing and does it well - caching. Volume management is a separate thing handled by a volume manager such as LVM, though LVM can serve as a front end to bcache, allowing the user to manage both with one set of tools.
Agreed. I've used Linux for fifteen years and very rarely use anything else on hardware I own. One of the few things MS does better is their IDE. Visual Studio is excellent. Their programming languages may be excrement, but the IDE is excellent.
That would result in workplace violence.
> That is like saying "why would you use math to figure out the area of that rectangle when you can just guess randomly until you find a fitting number".
> Both solutions work but one is intelligent.
That's the same distinction between an old-school program that tells the machine exact instructions "go forward 3 meters, turn left, go 1 meter", vs. artificial intelligence - building a robot that can adapt to it's environment. Why make it adaptable when you can program in precise instructions to begin with?
The entire field of AI is based on the idea that adaptable is better. We know of about 8.7 million species, from ones that live in boiling acid to blue whales and humans. If you wanted to make million variations on something, is it smarter to explicitly design one, then the next, then another, nine million times, or is it more intelligent to design one or ten which have the ability to morph into whatever variation is required?
You're assuming hard-coding specific values is the smart way. In almost al cases, hard-coding is the dumb way to do things.
The author has a point, maybe. I did notice that he was ten years old in the nineties and learned to program after college, meaning he has maybe five years of experience. He may be missing the REASON you name it "XMLReader", not "SusieQ" or whatever he said. If he ever has to grok a medium sized project full of classes with "whimsical" names he may wish for clear, intuitive names.
My predecessor at work was whimsical - every script or class has a variable named "bob", which sometimes is important, sometimes does nothing. Occasionally, he forgot what he was using bob for in a particular function and tried to have it represent two different things. One of our tasks is to slowly replace all of his whimsical code with proper code that is reliable and self documenting
I wonder if they were there BECAUSE the airport was there.
Save wildlife - build more giant complexes of buildings and asphalt .
I have some computer science / theory books that are twenty years old and still quite valuable. Those include Cod on relational database design theory. My Visual Basic 6 books are trash because they cover a specific, outdated version of the software.
Thinking about it further, not only are the good old books theory oriented, the ones that come to mind on authored by the originators of the topic - Cod & Date, K&R, etc. The thoughts of the founding fathers of a discipline are always relevant.
I checked it in a couple of different browsers. Only the Android browser made it look correct, and that was only on the second viewing using that browser.
When I first viewed it, it was broken in Android too. Most lines are repeated three times. For example, the sentence starting with "Here's the problem. Dual_EC_DRGB is flawed" is in there three times. I wonder what you'll see if I repost a copy / paste of the text:
Putting it bluntly, you can't.
Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.
This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.
Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).
Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.
Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapsed like a house of cards. All tPutting it bluntly, you can't.
Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be FIPS 140-2 compliant, and operated in FIPS 140-2 compliant mode.
This includes just about all routers, switches, firewalls, operating systems and any other network or security gear in use by the U.S. gov't. Companies that supply this equipment include Cisco, HP, Dell, IBM, Juniper, EMC/RSA, Red Hat and others. In short -- everyone.
Granted, Dual_EC_DRGB is only one of four RNGs in the NIST suite, there is no way a user can specify *which* of those RNGs are actually used. Unlike setting cryptographic algorithms for SSL/TLS, there isn't any frontend for RNGs. They're implemented by the vendors. They're enabled in the products by a simple checkbox setting a registry entry (Windows), a kernel boot parameter (Red Hat) or config setting (most network infrastructure equipment).
Which is your vendor using? Who knows. But if we take the Snowden leaks seriously, the NSA has pressured many major companies to insert "weaknesses" or "backdoors" in various crypto-enabled gear.
Most people are thinking along the lines of "look for malicious code, odd errors or the like". But in the world of crypto, if the RNG isn't R, the entire thing collapsed like a house of cards. All the NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRGB". Hell, in assembly it could probably be a simple JNE instruction.he NSA has to do is have essentially a single obfuscated line of code in the RNG. Something along the lines of "if Backdoor then RNG=Dual_EC_DRGB". Hell, in assembly it could probably be a simple JNE instruction.
The answer is don't use FIPS 140-2 mode, but if you're dealing with the government -- and a huge number Putting it bluntly, you can't.
Here's the problem. Dual_EC_DRGB is flawed, but is *required* to be implemented as part of anything that claims FIPS 140-2 compliance. Anything cryptographic you sell to the government is *required* to be
Was that mess posted with Android 2.3 by chance?
As I read this, I'm on a trip to Houston to retrieve several terabytes of data for Clonebox. At 90 minutes each way, if I bring back 8TB, that's what, 60 Gbps. There's no way I could transfer that data over my cable modem.
That's a good idea. More generally, "stop showing me ads for this, I'm not going to buy it (or don't care to have it show up where other people might see it on my screen). That would be a win-win for consumers and advertisers.
I don't care for the fact that advertisers have a profile of me, but I do like seeing ads that might actually interest me. eBay does a good job of showing me listings I might want to look at.
Nm
It just costs ten times as much and lacks the same capabilities. ...
Other than the fact that it's a completely different class of product
Sure they _could_, but since the people who misled the judges were representatives of an agency, engaging in the agency's business as directed by their superiors, it's better that the agency and it's leaders are held accountable. For now, there are congressional hearings going on handling the matter through the political process, with congresscritters feeling public pressure. As a general rule, judges don't like to single-handedly usurp the public political process. Of course the Supreme Court from time to time has to rule on cases involving politically disputed issues, but lower courts generally shouldn't.
If, through the process of congressional hearings and such, it becomes clear that specific people committed perjury, that would be time for courts to convict certain people, after the public has made decisions through their elected representatives.
> I worry about the educational validity of MOOCs and feel that universities don't really have an idea of what they are for
A Google fellow working on MOOC.org / edX, Dr. Guha, said Tuesday that they most certainly don't know what they are doing, no more than he knew what he was doing when he created RSS, so they are trying to set up a flexible framework in which people can experiment, try things.
It's ILLEGAL for the NSA to spy on Americans, and for good reason. That doesn't mean it's OKAY for them to spy on everyone else, but at least it's LEGAL.
As a US citizen, I'd rather China spy on me than the NSA. The reason is because China isn't going to try to "bust" me on a minor and erroneous charge. For example, there is a porn star named Ann Howe aka Melissa who started in porn when she was 20. She looks young, so several people have been busted for "child porn" for having pics of her when she was 20-25 years old. I don't want my government spying on my internet usage because my government will charge me with child porn based on a chick in her twenties. The Chinese government doesn't give a shit what porn I see. Therefore yes, it's less bad for a government to spy on foreigners - even when I am the foreigner.
Judges have ruled that the NSA could do these things - when the NSA lied to the judges about what they were doing and how. Some of those judges are pretty pisses off now that they know how the subpoenas were abused, so I wouldn't think think those rulings definitively say what NSA is doing is in fact legal. The judges who made the rulings don't think they approved what was actually going on.
There are some good people at Open University. A commenter mentioned quality. The person at OU who I work with annoys me at times because he insists on top quality. There's no such thing as a quick fix on the software we use - the OU person insists that every change is WELL thought out and implemented in the very best way possible, even if that's a lot more work than doing it the easy way.
Best of luck to my friends at OU in this new endeavour.
Sure, when you show the patent examiner what part of the Linux OS (or just kernel if you prefer) previously did that thing in the patent, how, and when. It sounds like that's the type of thing these people are doing.
MOST patent suits are filed by one of twelve companies. There are hundreds of companies who actively try to license their IP, like Arm and Bell Labs do.
The "good" scenario is in fact the common one. The bad scenario is the one you see covered on Slashdot.
Also from time to time Slashdot covers a story of proper patent use, but in a totally misleading way so as to make it sound bad. For example, last week we had the story of Cisco wanting to come to the rescue when a big bad patent troll was suing defenseless defendants. The big bad wolf in that case is a nonprofit organization and the "defenseless victims" are AT&T, Comcast, Level3, and Time Warner.
You have a valid point. It's also worth noting that the NRA regularly supports bills requiring background checks, mandatory training to get a CHL, etc. Of course as you said they also have to watch out for slippery slopes.
Here are 1.3 million pieces of evidence:
https://www.google.com/search?q=IE+security+zone+exploit
As explained US_CERT, the US Computer Emergency response team:
> There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model,
> local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular,
> proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI),
> and ActiveX. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an
> attacker significant access to the operating system.
Microsoft winked a acknowledgement the root of the problem yesterday with their advisory about this particular
vulnerability. Microsoft's advisory says:
> By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML
> email messages in the Restricted sites zone.
That's as opposed to the Local Intranet Zone, the Trusted Sites Zone, etc. IE opens content in the restricted zone (cage) and hope that there isn't a leak, like hoping that lion doesn't reach out of the cage. (and hope that IE picked the right zone to start with - web sites and batch files are both .com addresses.) Opera doesn't need to try to keep web sites from accessing functions in the local computer zone - there is no local zone, it just does web sites.
If your browser doesn't run shell batch files and registry patches, it doesn't have to decide which batch files to run in what context. It simply doesn't run batch files, or do anything else but show web pages.
My language was unclear. In Explorer, you can go to "My Computer" and choose "Format Drive". Windows Explorer IS Internet Explorer, showing a different menu bar.
In Chrome, Firefox or Seamonkey, there is no "format drive" function. Browsers don't need, and should not have, the ability to reformat your hard drive. That decision to combine the system shell with the browser is the underlying cause of the severity of many Explorer security issues.
It sounds like the destruction of objects is incomplete, so the attacker can still write to that area of memory. It's certainly possible that it's writeable BECAUSE it's still associated with the process, which mean it runs in the context of that process. Additionally, it's likely that while the attacker can write to the memory, they can't arbitrarily execute it directly. Rather, they have to cause IE to execute it, in which case it would run with the privileges IE has when IE runs it.
A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.
Yes, I'm aware that on Windows 8 Microsoft has attempted to sandbox the browser. Like putting a lion in a cage, that works until the lion reaches through the bars. It doesn't compare to using a browser such as Firefox which does not have the potential harmful abilities baked in. No need to sandbox something that doesn't exist.
Bcache does read caching and your choice of write through or write back. I believe that's the same thing ads offers. If you know of some difference in the caching, please specify what you are referring to.
Obviously ZFS is a volume manager, a filesystem, a file server AND a caching solution. Bcache does one thing and does it well - caching. Volume management is a separate thing handled by a volume manager such as LVM, though LVM can serve as a front end to bcache, allowing the user to manage both with one set of tools.
Using a small, fast SSD as a cache for large, slow disks can be awesome for some workloads, mostly servers with many concurrent users.
To do that with ANY filesystem, bcache is now part of the mainline kernel . dmcache does the same thing, and there is another one that Facebook uses.
Agreed. I've used Linux for fifteen years and very rarely use anything else on hardware I own. One of the few things MS does better is their IDE. Visual Studio is excellent. Their programming languages may be excrement, but the IDE is excellent.