Slashdot Mirror


User: jc42

jc42's activity in the archive.

Stories
0
Comments
6,784
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 6,784

  1. Re:No on Cisco Products Have Backdoors · · Score: 1

    A small, motivated team of security experts reviewing your code is worth more than a legion of morons.

    The traditional name for this argument is false dichotomy.

    You find motivated experts and morons in both the open-source crowd and the closed corporate environment. I could give you lists of all four combinations from personal experience, and I expect that many other people here could, too.

    There is historically a separate problem with closed environments, and that's the natural human tendency to react to embarrassing problems with a coverup. This doesn't always happen, but preventing it takes management that is dedicated to preventing it. This doesn't happen often, partly because the dedicated professional types tend to react to coverups by quitting, and this leaves the pro-coverup types in charge. (Google for "Richard Clarke" for a current example. ;-)

    This can happen in open projects, too, of course. But it's less likely, because the dissenters can fork off a branch and do it their way. Also, coverups are technically difficult when your code is available for any moron to study.

    There is a basic problem that we're talking about groups of humans here. This is a species that often has problems with operations that require more than one participant. Also, we mostly learn from failure. With an open-source project, a failure can be studied and the mistakes can be avoided by others. With secret projects, there's usually no way to learn any lessons from a failure, so you end up making the same mistakes over and over.

  2. Re:Yes, it works on Skype Releases PocketPC Version Of VoIP Software · · Score: 1

    ... and holding the PDA to my ear like a phone was a new experience.

    Hmmm ... I do that with the Kyocera 6035 smartphone (a PalmOS PDA phone) that's been riding around in my pocket for the past two years or so. It's hardly a new concept to a lot of us.

    Of course, it's not WiFi. It uses digital cell-phone technology, so it's usable in about 2/3 of the US. This is at least 1000 times the coverage of WiFi, which only works in a few blocks of a few cities (including the one I live on because of my Airport ;-).

    This does mean that its internet access is painfully slow, of course. When WiFI gets near-universal coverage like the cell-phone system, it'll probably be a lot better. But we have a loooooooong way to go before we'll see that.

  3. Re:No on Cisco Products Have Backdoors · · Score: 1

    Well, maybe, but I think this is overrated. The usual explanation is the fear that their clever software will be stolen and used by competitors. But there have been rather few actual cases of software theft in the history of the computer biz, even when the source was easily available.

    The problem is that effective software theft requires porting the software to another platform. I know from long experience how difficult this can be. Writing portable software is difficult; writing hardware-specific software is easy. Software developers have this tendency to take a quick glance at some source, then they usually decide that it's not worth it and they start programming it themselves. I've had several cases where I spent a month or more trying to get some software to work, unsuccessfully despite the cooperation of the software's owners. Then I decided "The hell with it" and spend a day or two rewriting it from scratch. And I'm not the only one; most seasoned programmers will tell you the same thing.

    So I conclude that fears of software theft are a red herring. It's a PR claim that has little to do with reality. When people want their source secret, it's almost always for some other reason.

    Usually it's embarrassment at the quality of the software. Competitors won't steal the software; they'll publicly ridicule it.

    Sometimes it's because of things hidden in the software. That's what you don't want your customers to know about.

  4. Re:Cookbooks on Code Copying Survey for Developers · · Score: 1

    I have an extensive library of "Learn by Example Books".

    In olden times, such books were published to help you learn, and the authors expected that you would use the examples in your own work.

    Nowadays, such books are also published with the expectation that you will use the examples. Then the publisher's lawyers descend on you or your employer and charge you with copyright infringement.

    To be safe, you should never read any books that contain code examples. Avoid looking at any code that may appear on the Internet. Don't ever re-use any code under any circumstances. They are all protected by copyright, so if you look at them and then produce some similar code, you can be sued.

    (I wish I were paranoid. But it really is coming down to this. So much for advancing the sciences and useful arts.)

  5. No on Cisco Products Have Backdoors · · Score: 3, Insightful

    Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

    Simple question, with an even simpler answer: No.

    If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.

    Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting date from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.

    But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."

    If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.

    Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.

    But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.

  6. Re:Choice? on Code Copying Survey for Developers · · Score: 1

    Where is I wouldn't copy a single line without permission?

    Well, I've often copied single lines of copyrighted programs without permission. Here's a famous example from which I've often plagiarized a single line. I mean that single non-comment line in the middle, of course, since that's what AT&T's copyright obviously covers.

    I posted this example to several newsgroup discussions back in the 1980's, and publicly challenged AT&T's lawyers to charge me with copyright infringement. I and lots of others have wished they had done so. It would have made for a fun court case.

    This is a useful example to keep on hand for when people are overly doctrinaire about "not a single line". There are some things that just can't be owned, no matter how much your company's lawyers would like to own them.

    I also routinely copy lines like "/*" and "*/" and even "}".

    This may not be as trivial observation as it appears, because we've had a number of suggestions that SCO's claimed infringement line counts can easily be explained by counting the lines like these in the linux source.

    There's a lot of absurdity in this whole issue.

  7. Re:The Purloined Letter on Hidden Messages in Spam · · Score: 1

    I don't understand why history classes are always so dull when history itself is so interesting.

    There's an old paranoid theory that schools make history look boring so that the masses won't want to study history, and they won't understand what their leaders are doing to them. All your history teachers have been part of this conspiracy.

    Actually, I had a history teacher in high school who made it interesting to his students. The local parents were constantly pressuring the school board to fire him. So I'd conclude that you don't need the above theory to explain it. The general population appears to approve of keeping the population ignorant of history.

  8. Re:This has me wondering... on Lindows Agreeing to Change Name · · Score: 2, Funny

    Y'know, you can pop the key cap off quite easily with a knife blade or screwdriver, and press a new one in place. It can be fun to do this with a few of the odd keys on someone's keyboard. I knew someone once who liked the Dvorak keyboard, and moved all the key caps around on his keyboard to match that layout. Impressed the hell out of most visitors. I had this temptation to sneak in one day and move them all back, just to see the reaction.

    Maybe someone should start making key caps with little Tux logos on them, for when you install linux and don't want that damned Windows logo to be on your nice machine.

    A problem we have around our house is a cockatiel who sneaks in when he thinks you can't catch him, and pops off the key caps. So far we've always found them, but some day he's going to fly off with one and hide it. Or he'll figure out how to put them back on.

    I have seen some replacement keys that say "Any".

  9. Re:New Name Announced on Lindows Agreeing to Change Name · · Score: 1

    Don't get around much, do ya? ;-)

    Anyway, "Windoze" isn't nearly as tiresome as "M$".

  10. Re:Lindows, GIMP, Ogg Vorbis, Debian... on Lindows Agreeing to Change Name · · Score: 3, Insightful

    OSS developers always seem to pick the most moronic names.

    That's because whenever we pick a simple, obvious name, Microsoft takes it and sues us for using it.

    There is a long list of MS trade names that were used by someone else before MS started using the name. The most egregious is probably "Personal Computer", which was used by all the small-computer makers before MS took it over. And DOS was used as an OS name by many other vendors before MS claimed it; it was the industry-standard TLA for Disk Operating System in the days when many computers didn't automatically come with a disk.

    The lesson is that you don't want to use a trademark that Microsoft will want. If you do, you either give it to them when they ask, or they'll bankrupt you with legal fees. Granted, they're likely to do that anyway, but you don't have to give them an easy excuse.

  11. Re:New Name Announced on Lindows Agreeing to Change Name · · Score: 4, Informative

    Well, I think it should be Lindoze.

    After all, to challenge this, MS would have to acknowledge the widely-used "Windoze" mispeling of their trademark name.

    Of course, there's always Mike Rowe to think of. And there's a nice parody of it all at www.ubersoft.net.

  12. Re:Google has AFAIK a wonderful track record on Speculating About Gmail · · Score: 1

    [R]esidual copies of email may remain on our systems, even after you have deleted them from your mailbox or after the termination of your account.

    Why are people acting like this is something new? It's an obvious fact of life with Usenet, which many of us have been using for decades. It didn't inhibit us much there, and it won't with google, either.

    Just keep this warning in mind, and remember that anything you say may be still available a century from now. Especially the dumb things you say.

    It can be fun to look up your own Usenet postings from 20 years ago ...

  13. Re:Only one? on Speculating About Gmail · · Score: 1

    Maybe they don't care.

    Actually, they're already backing up nearly all my files. Several copies, in fact, for each of several accounts on different machines.

    Except for the very few truly private things, I've put all my stuff under my public_html directory. That way I can get at it no matter where I'm working at the moment. And it has copies of the GPL in all the directories that contain any actual source code, so y'all are welcome.

    I did put a few lines in the robots.txt file to scare google away from a few tmp directories, for the obvious reason. Why burden them with saving something forever if nobody will ever have any use for it?

    To paraphrase Linus, a Real Programmer doesn't do backup. He just makes his stuff available so that others provide the backup on their own machines.

    I also contribute to the general welfare by generously backing a lot of other people's files. If we all do this for each other, none of our stuff will ever disappear from the Net.

    And some future historical archaeologists will be totally baffled by most of it.

  14. Re:Usability is for N(0)(0)bies on Still More on Open Source Usability · · Score: 1

    A set of standard commands to indicate what is possible, eg ? to list available commands. 4DOS uses this, and i have seen it a few other places.

    Here y'are:

    !#/usr/bin/perl
    $pat = shift || '.*';
    @path = split(':',$ENV{'PATH'});
    for $dir (@path) {
    @files = glob("$dir/*");
    for $file (@files) {
    print "$file\n"
    if (-f $file && -x $file && ($file =~ $pat));
    }
    }

    Install it somewhere in your search path under whatever name you like. Oh, yeah; you want a standard command, i.e., a standard name. What do you think we should call it? It's in my search path under the name 'xpath'; will that do? I'd originally called it "cmds", but that clashed with a library program on some distro.

    For those not familiar with perl, it takes command-line args that are perl patterns, and for each, produces all the matching program names in your search path. If you call it without args, it shows you every program in your search path.

    Some common 'exit' command, that will close the program.

    That would be ^D (CTRL-D). ;-)

    (Or, for those few perverse programs that intercept this, there's always the "kill -9" command from another window. Totally standard, works exactly the same on any unix-like system, and has for a quarter century.)

  15. Re:Usability is for N(0)(0)bies on Still More on Open Source Usability · · Score: 1

    What kind of insane and obscure command would possibly be easier on a CLI than a GUI for the average Windows user?

    Well, my favorite example is the "cd" command. ;-)

    Seriously, I've noticed that when working through a GUI, even on my supposedly so wonderful Mac, I spend an inordinate amount of time in the file-open dialogs (or the finder) trying to locate a file. Often I know exactly where it is, but the app doesn't, so I have to laboriously lead it through the file system. Then, five minutes later when I want the same app to use another file in the same directory, I have to go through it all over again. And I'm not the only one; when I watch experiences Windows or Mac users working, I see them doing the same thing.

    With a CLI, if I want to work on a set of files for a while, I can open a new term window, type a "cd" command, and then those files don't need to be found. I can fire up windowing apps and they also find the files locally without any directory navigation, since they're running in the current directory.

    There are many other equally trivial examples of the huge time savings that CLI users can get with relatively little effort. Things like wildcards in file names and auto-completion save even more time, as does a good history mechanism. These are either missing or rarely available in GUI tools. You have a search path that you can modify, leading to quickly-typed commands rather than firing up a search tool. And you can alias commands, further reducing your keystrokes.

    A CLI is for people who consider their time valuable and are reasonably good typists. If you can't type, and don't value your time, you'll probably be much happier with a GUI.

    (There's also the objection that CLI/GUI isn't an either/or choice; using them together is better than either alone. But that's a different rant.)

  16. Re:Microsoft becoming like AT&T of old? on Microsoft WiX Code Released to SourceForge.Net · · Score: 1

    AT&T was a government sanction monopoly ... MS is a natural monopoly ...

    I think you got it backwards. AT&T was a natural monopoly. The phone system depended on an infrastructure of physical wires connecting every phone to the phone switches. It's hardly practical to permit anyone who wants to start installing wiring everywhere they like; the result would be impassible streets due to the zillions of wires everywhere. No government could possibly permit this, so the phone system was restricted to a very small set of wire owners, who quickly got bought out (or bankrupted) by whichever had the deepest pockets in the ensuing price wars. Meanwhile, of course, they made deals with the government ensuring that "regulation" wouldn't permit new competitors from arising.

    Microsoft's monopoly has no natural basis. Small computers can be and always have been built by a lot of companies. But by starting with IBM's money, MS was able to demand contracts with retailers that locked out all competitors except for Apple, which MS permitted so they could say "See, we're not a monopoly."

    In fact, when MS started, there was already a flock of small "personal" computer makers who were starting to do well. This ended when the IBM/MS partnership hit them with a marketing budget larger than the entire operating budget of all the other PC makers combined.

    The way that IBM bankrolled the takeover of the PC market wasn't anything at all natural, except in the sense that a company with effectively unlimited funds can "naturally" eliminate its competitors in short order. In this case, the main reason for the monopoly was their overwhelming clout with retailers, so that competitors couldn't even get their equipment on the shelves.

  17. Re:This is not news on Microsoft WiX Code Released to SourceForge.Net · · Score: 1

    Maybe the Great Firewall of China only restricts what comes into the country?

    Also, most of the Chinese spam that I get comes from machines in Taiwan. But not all of it. Needless to say, I have no idea what they're trying to sell me.

    My favorite Chinese-spam story was the guy who said that he always replies with a message thanking them for their support of Falun Gong. He reported getting some really funny messages from panicky admins after he started doing this.

  18. Re:This is not news on Microsoft WiX Code Released to SourceForge.Net · · Score: 3, Informative

    Yeah; Microsoft released Windows source - to the Chinese government. And after the techies looked it over, the Chinese government decided to standardize on linux. There was a rumor that the techies recommended that MS Windows be banned in China, but this was too radical a step by China's current capitalist rulers. ;-)

    (Hey, maybe I can get a "troll" rating, too. And maybe this will be read in China, they'll put me on a "banned" list, and they'll stop sending me all that "big5" spam ...)

  19. Re:This should prove fascinating on A Completely Separate Ecosystem on Earth · · Score: 1

    Sigh... how can this be proven. How can the theory of evolution ever be proven. or will it always just be mans answer at removing God from science. ...
    If you define the term 'proof' so strictly that something that survived such thourough challanges and scrutiny as the concept of evolution did is not proven by your terms, there's nothing much you can be really sure of.


    A more useful counter-argument has been suggested by many scientists, and well explained by such as Karl Popper. This is that the phrase "scientific proof" mostly illustrates a poor understanding of science, because scientific methods rarely if ever actually prove anything. They are rather a method of disproof.

    It is widely understood among scientists that what you usually are doing is, first, listing all possible explanations of what you've observed, and then systematically trying to disprove all those explanations. The explanations that survive such attacks are first given the name "hypothesis", signifying that they are tentatively valid. Further methods of disproving them are then devised. A hypothesis that survives sufficiently many attacks is reclassified as a "theory".

    And, contrary to general public speech, in scientific circles "theory" means something generally accepted as true. But this isn't because it has been proved; it's because we've attempted repeatedly to disprove it, every attempt has failed, and nobody can think of a theory that works better.

    Yes, this is a double negative. A scientific theory is an explanation that hasn't been shown false.

    The concept of "proof" is primarily mathematical; it's not a very useful concept in science. It's really only used in a negative sense, since you often can disprove a proposed theory: You show a counterexample.

    One of the dead giveaways that someone has little understanding of science is that they use phrases like "scientific proof" and "just a theory". You don't hear these phrases much in scientific circles, because they are an open admission that you don't understand how science works.

  20. Re:Well duh... on Zero Install: The Future of Linux on the Desktop? · · Score: 1

    I propose we set aside a location on the system to hold subdirectories each dedicated to a single software package. Let's call it /opt.

    Of course, a lot of people have already done just this.

    The problem is, they all pick a different name.

    This has happened from the start off unix. That's why we have /usr, /usr/bin, /usr/local/bin, /var, and on and on and on.

    If you look at the other messages, you'll see that lots of people here think this is a good idea. And most of them propose the best name, no two the same.

    Lots of vendors have implemented this, too. No two with the same name. I've been experimenting with OSX for the past year. It's lots of fun discovering where they hid things. I use the find command a lot. Recently I updated my Powerbook to 10.3 (panther). I still haven't found where they moved half the system.

    It's easy to rename a directory. Doing so often causes far more problems than it solves.

    OTOH, it does keep the virus writers on their toes.

  21. Re:It's not quite that simple on Zero Install: The Future of Linux on the Desktop? · · Score: 3, Interesting

    Application installers that have no business needing my password ask for it; why does Acrobat reader need sudo to install itself into Applications? Answer- it doesn't, but it's probably saving some prefs file somewhere it shouldn't.

    Exactly. And you have no way of knowing what it's doing with that password. If you're hooked up to the Net, chances are it's (then or later) being cached somewhere inside apple.com, too. Do you know of a way to convince me otherwise? If not, a sensible person would just assume that the password is now known to Apple.

    Similarly, when I first got my Powerbook, it had to be sent in for repairs after about a week. (The screen wouldn't come to life.) They wanted my password, of course, and I gave it to them. No problem, I thought; when I got it back, I'd just change my password.

    Lotta good that did me. Yeah, I can use my new password when I log in. But nearly everything in the system that asks me for my password will only accept the original one. I've found a few places that packages cache the password, and changed those. It lasts for a while, then one day it wants my original password again. I've found it necessary to keep a record of all the passwords I've used, because I generally have to try them one at a time until I find which one works with a given app.

    Your password is cached all over the place by OSX packages, so the only sensible approach is to assume that it's public knowledge, at least to Apple insiders.

    This is one reason that I'd never use OSX for any sensitive applications. I have to assume, from the way it handles passwords, that OSX systems are open to anyone at Apple, and to anyone able to bribe the right people at Apple, and to any intruder who knows where they are cached on my machine.

    I'd like to be proved wrong. But a mere assertion that I shouldn't worry my little head about it won't convince me. I want proof.

    So far, I've never seen linux software playing fast and loose with passwords like this. I mean, mozilla will cache passwords for you, but it asks,you can say "No", and it apparently honors that. And it doesn't ask for local passwords, only those demanded by web sites.

    Also, there are some linux apps that ask you for the root password because they need to run something as root. But you never have to give the root password. You can always kill the app and start it again under sudo. Then it won't know the password, and won't ask for it because it already has the right permissions, so you know the password couldn't be cached.

  22. Close to correct ... on SCO Changes Tune, Again: Linux Now Just a Riff on Unix · · Score: 1

    It's perhaps worth pointing out that it's almost correct to classify linux as a "riff on unix". In fact, as is clear from studying linux, it's actually a riff on POSIX, which is in turn modelled directly on SYS/V. With AT&T's permission, we might add.

    Given this fact, I keep wondering why people aren't asking the obvious question: How can it be illegal to implement an official US government standard? This is really what SCO is accusing the linux gang of doing.

    I'd think that having something published as a standard would automatically make it legal to implement it. If not, why bother with the standard in the first place?

  23. Re:Misprint on Omniscience Protocol · · Score: 1

    I think they actually meant: "to remotely destroy the user of any computer who has been involved in copyright infringement"

    Heh. But it's not just a clever April 1st joke. The technology to do this has been prototyped in the Middle East. We've probably all read about the assassination of Yahya Ayyah by the Israeli government by installing a bomblet in his cell phone while it was being repaired, then calling him and transmitting the trigger signal.

    Less well-known is the growing use of cell phones as remote-control triggers by the Palestinian radicals to set off larger bombs. That's probably a lot easier, since all you have to do is cut the wires to the speaker and attach them to the bomb mechanism, then call the phone. The cell-phone bomb couldn't have been too powerful, so you'd want to talk to the person and verify that they're holding the phone next to their head before transmitting the trigger signal.

    In any case, the technology to remotely trigger a real bomb in your computer isn't all that different from what's done with a cell phone.

    If they're running Windows and Outlook, the trigger command could even be sent via email, and would thus be run only when someone is sitting there using the mouse.

    And we should note that the RIAA has tried to get Congress to pass laws that would legalize remote sabotage of computers.

    So this April 1st RFC is based on reality.

  24. Re:most pointless job on The Worst Development Job You've Ever Had? · · Score: 1

    The project was outsourced to India, where more time can be wasted for less money. This will ultimately be good for the economy as a whole.

    Hey, that would make a wonderful .sig; do you mind if I use it? ;-)

  25. Re:only 640x480? on NEC Develops Linux Tablet/PDA Hybrid · · Score: 1

    The only thing this has going for it is the 8-inch screen, which is not so much of an advantage if it cannot fit in your pocket, and therefore must be treated like a full notebook PC.

    Yeah; I remember back in the early days of the first Palm Pilots, when the original designer was quoted as saying "If it doesn't fit in your pocket, it won't be in your pocket."

    That seems to me to be a rather important point that PDA makers (including current Palm gadgets) keep forgetting.

    I have a couple-year-old Kyocera 6035 smartphone (PalmOS) that rides around in my pocket. I keep looking for something to come out that that's better. But they keep making them too big for my pocket.

    And, of course, now you'd expect them to have both GSM and WiFi capability. It sucks to have to rent temp phones when outside the US, and to have to use a slow phone circuit for web access, meaning two minutes to download the first web page (and getting charged full connect time when not sending any packets). If there's a PDA-like gadget available here in the US like that, I haven't spotted it yet.