Tell me you're not one of those [vulgar pejorative] sysadmins who block outgoing access on port 8000 and port 8080. Some academic websites with good sources run on those ports, maybe because their sysadmins won't let them run on port 80, too.
And, as this reply suggests, why don't you give them root access on a test machine?
John.
Security idiots on Real Security? · Score: 2, Insightful
(I just read the reply subtree.)
I can't believe you people. This is the kind of thinking that saddles the rest of us with security nazis. This isn't GURPS, it's real life. There aren't muggers out there gunning for access to your computer system. There aren't Tempest-equipped Secret Agent Persons sniffing your authentication fields. You don't really need that tin-foil hat, and you don't need to make the rest of us wear one, either. Maybe if this was a matter of national security, but it's not.
"Gimme your iButton and PIN or I'll blow your fucking brains out" is *exactly* equivalent to "gimme your password or I'll blow your fucking brains out".
Intuition and Binary XML on Effective XML · Score: 1
There have been a lot of comments on performance and the possibility of binary formats. A little googling turned this up:
http://www.xml.com/pub/a/2001/04/18/binaryXML.html
Summary: you would *think* binary would be a performance boost, but that doesn't seem to be the case.
It's funny that you mention that it would be easier to hack the OS with the source code available. That's exactly why the chances of a zero-day exploit are higher on open source software than closed source. *OUCH*
Not sure what you mean by "zero-day".
Is that the day the source containing the vulnerability is checked in to CVS? In that case, the vulnerability has probably not been deployed to the field yet.
Or, is that the day that somebody discovers the vulnerability, which has presumably been in place and deployed for some time. In that case, how is that different from the zero-day when somebody discovers a Windows vulnerability?
Good point, they *do* already have your money. Stay with Verisign (until your registration expires), but make a lot of support calls. (After all, you've paid for their sterling support.) Especially about this wildcard thing. I'm already forgetting exactly what it is, maybe you are, too. I'm sure they'd be happy to explain it to you, and why it's not bad. And if you forget again after a month or two, they'll be happy to discuss it with you again. And any other questions you might have, like how to set up a mail server alias thingy.
Ya know, it occurs to me that the man in the moon, face on mars and devil's face in WTC smoke constitute false positives on the part of our own brains, so we're not *quite* as superior to computers as we think we are. Or maybe it's a *really* tough problem.
Also, here's another interesting point, possibly only tangentially related: I understand that, in trials, eyewitnesses are not considered particularly reliable (including but not limited to facial recognition, presumably). Harder evidence (like fingerprints or DNA) is generally preferred.
You're assuming the deal(s) done today won't come unravelled tomorrow. MS is hoping the following plays out: the target countries stay w/MS "for the time being" while (a) MS continues to campaign for them to stay w/MS longer-term AND (b) MS continues to improve Windows. A year or two from now (ok, 2-4 years from now), things could be different, and MS is hoping that they can keep users until then and get another shot. Don't think the days of vaporware are past; even today, a sucker continues to be born every minute.
I'll see your response and raise you a level of abstraction.
Moving the data (g in the example given, uwisc's ip addr in the router) to one place in the code "in case it ever needs to be changed" is a Good Thing, and not entirely irrelevant.
What was missed (and what a lot of developers miss, in my opinion) was: if the data needs to be changed, how is it going to be changed? How do we allow the user to configure this doo-hickey (moon-landing simulator, router)?
What, you think Unix has no vulnerabilities, and that's why there haven't been more cracks?
As the "general spiffiness" and "in widespread use" factors increase for a platform, which they are for Linux, this sort of thing is going to happen more frequently. Don't assume the wonderfulness of open source/many eyes/separate address spaces/better fundamental design constitute a suit of armor.
As we make executable content available in email messages (Flash, Evolution, anyone?), as we make lots o' hooks for pieces of software to play with each other (Gnome, anyone?), we open up the possibility of some unexpected interaction biting us in the ass.
Similarly, as more and more organizations deploy Linux, it becomes a juicier target to attack.
(The lesson being: developers (especially developers of cool shit) should not relax about security.)
(Can't tell if that beer comment is your sig or not.)
(1) It's about MONEY, one of those fundamental things in life. As in, "follow the..."? As in, we can drop $100,000,000 on some right-wing Central American regime, but somehow, when it comes to teaching inner city adults to read and finding something for inner city teens to do besides hang out and participate in the drug industry, we're strapped for cash, so sorry, the budget has run dry? Where did it all go?
(2) A good chunk of it is written in Scheme, one of the cooler languages floating around out there. Aren't you getting tired of fiddling bits for graphics drivers and tracking down segfaults? Haven't you had enough of "swap integers X and Y w/out using a temp. variable. Hint: XOR is your friend."? Aren't you ready for a paradigm shift? Don't you remember being thrilled in the process of learning a language and all the concepts that went with it?
(2)(b) Isn't it just *insane* that a money-tracking package is written in LISP? Are you aware of some of the wacky languages high-powered financial systems are written in? (I've heard LISP, PROLOG, Smalltalk.) Is it possible that somebody knows something you don't?
I'm tellin' ya, if I didn't have three kids, a full-time job and a wife who's constantly riding my case to get off the computer, I'd be all over this.
Speaking of wife... imagine being able to point to the expense tracker and say, "See? My car does *not* cost too much to maintain, neither."
That being said [eye roll at breezy eco-elitist assertion made by a guy who probably summers in the Amazon], the southern part of the Appalachian Trail has got some nice scenery. Oldest mountains in the world (along w/the Urals), so they're nice and rounded and lush, as opposed to being all rocky and craggy and dramatic. Rich ecosystem.
it is entirely within the power of the Chinese people to settle their problems with the government, WITHOUT our intervention, and so I leave it to them to do so.
What, they're gonna vote? Hold demonstrations in Tiananmen Square? Quietly petition the government? Engage in a long campaign of civil disobedience? Rise up in armed rebellion? With what weapons?
Varley (anthologies), Saberhagen (berserker), Bear on A Good Summer Read? · Score: 1
Good list. I'd forgotten about Saberhagen. His Berserker stuff is good, too, if less dramatic than stuff like Snow Crash.
I shy away from trilogies and series these days, they're generally just ways to get you to buy a lot of paper (kind of like really big vegetables with no taste) (Asimov's _Foundation_ series and Robot Novels being the exception that proves the rule).
Try Varley's anthologies, _Persistence of Vision_ and _Blue Champagne_. Very creative and humanistic.
Also, Greg Bear writes some good stuff. I think his best is _Queen of Angels_, but _Moving Mars_ was pretty good, too.
Joe Haldeman (_Forever War_, _All My Sins Remembered_ (can't believe that's out of print)) might be good reading in these days of kicking ass in foreign countries and then not quite knowing how to win hearts and minds.
David Drake: another Vietnam vet, with a somewhat different take on things than Haldeman :).
Also, try Keith Laumer.
And I remember a book named _The Man Who Folded Himself_ that was the best treatment of time travel I ever read. (Hmmm. bn.com tells me I'm not the only one w/this opinion, either.)
Brust: I tried Jhereg or Yendi (can't remember which) -- blech, too bombastic, hard to get into. Instead, I recommend _Brokedown Palace_ (which has absolutely nothing in common w/the recent movie of the same title -- I'll always wonder if that was a result of a conversation I had with someone in the film industry at my aunt and uncle's house in N. Hollywood one Thanksgiving).
Impossible.
I use fvwm2. (not "too").
John.
Iron City is supposed to be pretty good (I've never had it).
I've had good brew in Rochester, MN.
Carolina Pale Ale is my current fav, it's made right down the road a ways.
I doubt any beer snob in America has to go very far to find a good microbrew. As for the mainstream "beers", well... this IS the land of iced tea.
John.
Where are my mod points when I need 'em?
View C: Rep. Lampson is looking out for the interests of the country, something which is legitimately within his charter.
(Reply first, think later, that's my policy.)
Not to mention the "face on Mars" and "Satan's face in the WTC smoke".
John.
That's about equivalent to boxers vs briefs: completely silly and trivial.
The real question is: SMB vs. AFS? (Or whatever is considered to be better than AFS these days.)
Sheesh, I should know better than to make superlative assertions on Slashdot. Thanks for the diplomatic corrections, y'all.
John.
2 years.
$2e6/50 = $20,000/yr
And, if that 50 was only 10% of the Netscape workforce, and we split that $2 mil over 500 users, that's a Christmas bonus, not a salary.
So, $1 mil/yr for the Moz Foundation is chump change. An earlier statement that "5 coders is plenty for Mozilla" seems kind of silly to me. I wonder how big the IE team is.
Thanks for the good time, honey, I'll call you. Here, buy yourself something nice.
Now we get to see how Moz survives as a *real* open-source project (i.e., w/out funding). At least it's got a good code base (right?).
John.
Me too. Wotta rip.
I'm not sure how locks and semaphores are a step forward from monitors, which is what "synchronized" represents.
Are you claiming "synchronized" is inefficient? Did you see the developerWorks article?
Are you claiming that such a high-level structure as a monitor is unnecessary for real programmers, who know what they're doing and will never screw up using synchronization primitives?
John.