Slashdot Mirror


User: jc42

jc42's activity in the archive.

Stories
0
Comments
6,784
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 6,784

  1. Re:Two things: on Wireless Computing and Airplanes? · · Score: 1

    Hey, I'm jealous; you beat me to that observation! That was my first reaction, too. If I had mod points, I'd mod you up. Let's see how many humor-impaired moderators read this as a troll ...

    And ya gotta admit, in political discussions, such post hoc reasoning is rather standard, if not de rigeur.

    (Pardon my French, uh, I mean Freedom. ;-)

  2. Re:That's all very well but on AAC vs. OGG vs. MP3 · · Score: 5, Informative

    A few years back, Consumer Reports did an interesting set of listening tests. The usual blinds, of course. But the interesting part was that in addition to random staffers, they had two extra groups: sound engineers and musicians. They reported that these two groups differed radically in their rankings of sound quality. The difference was fairly straightforward: The sound engineers gave a high rank to equipment that produced the sound accurately. The musicians gave a high rank to equipment that made the music clear. These are not at all the same thing. In particular, musicians generally liked "distortions" that removed non-musical information, strengthened the fundamentals, and so on.

    From a musician's viewpoint, one of the real frustrations with just about anything published about sound quality is that it's always written from the engineer's viewpoint. But what I want to know is which gadgets do a good job of reproducing the music. They never seem to tell you that.

  3. Re:What's the Point... on The Virus Did It · · Score: 1

    This isn't at all hypothetical. I wrote up a little javascript demo a couple of years ago. Similar things can be done to you if you have any sort of "scripting" turned on in your browser, email program, etc.

    This is especially a problem on Windows machines, where all sorts of software comes with the ability to execute downloaded files, and this is usually turned on by default. Most Windows users aren't much aware of the problem, and don't understand it when you try to explain it to them. The config thingies that disable it are hidden all over the system, and very difficult to find. And they change from one release of Windows to the next.

    It's not just Windows, though. Unix/linux browsers tend to come with javascript enabled, too, which can make you susceptible to this sort of attack.

    I've seen a number of machines at work with porn in the browser cache, and users who seem to be honestly surprised when I show it to them. If you've seen how simple the code is, you are likely to believe them when they say they didn't download those things. Anyway, you're welcome to my demo code. There are lots of other such things around on "HOWTO" sites.

  4. Re:Sounded fishy at first... on The Virus Did It · · Score: 2, Insightful

    Kinda makes you want to update your virus detection/bot detection/firewall/etc, doesn't it?

    That may not help much. A couple years back, I inadvertently started a minor "research project" at a place I was working by checking out a link to a bit of cute satire sent to me by a friend. I chuckled at it a bit, and then forgot about it. For about one day. When I came in the next morning, the NT workstation that I'd used was showing a rather pornographic picture.

    I quickly verified that the site was indeed primarily a port site, though it did have some good cartoons and satire in a few directories. My friend had looked at it from a unix-type system, using netscape, and didn't see any of the porn.

    I showed it to the other guys in the lab, and we investigated. We found that the site sent something in the first web page that we couldn't decipher (as it wasn't any sort of standard html), but which caused the browser to fetch the site's main page every day just after midnight. Most of the time this page was pornographic.

    This only worked on Windows, though it affected both IE and Netscape there. The only way we found to prevent it was to turn off all scripting. This couldn't be done in the browsers; it had to be done on a system-wide basis. And the place to do it was different on nearly every Windows machine we had, so I can't tell you how to do it on your Windows box.

    I don't work there any more, but I wouldn't be surprised if some of the machines there are still downloading porn every day just past midnight local time. A lot of the machines were used for testing java, javascript, active-X, and other scripting languages, so we had to leave such things enabled.

    We did wonder whether the folks monitoring the network noticed that we were apparently sneaking in at midnight and downloading porn to a number of the lab machines. We all thought it was pretty funny, and a good example of why you should disable all scripting. Virus protection and firewalls won't help you. If any of your installed packages can ever interpret any downloaded text as commands, you are vulnerable. And on Windows, automatic execution of content is turned on by default in more packages than you want to think about. Unless you can find all of them and disable this execution everywhere, you are vulnerable to having your disk filled with porn.

    Unixoid systems tend to be more sensibly run, and such things are usually off by default. But not always.

    Anyway, it does make for a good defense. Especially if you're running Windows, where it's so difficult to even find such things and disable them. We had a bit of fun showing this to some of the more important folks in the company's network management team, and innocently asking them if they knew how to prevent this problem. They were obviously a bit embarrassed by not being able to give us good answers.

  5. Re:All Depends on the Employer on Should You Hire a Hacker? · · Score: 1

    If someone will employ you, then you're trusted.

    Well, maybe, but we should also point out that in this case, it's irrelevant.

    Anyone seriously interested in a secure network will have a policy that nobody is trusted. Especially not the foxes guarding the henhouse.

    A good security setup is one whose violations are spotted quickly. This is especially true of violations perpetrated by the people running the security setup itself.

    The management should trust the security people, and the security people shouldn't trust each other. They should all do what they can to make sure that they are also subject to the security system.

    An instructive example is the Randal Schwartz case. He was arrested after running a password cracker that showed that a number of the VPs had easily-guessed passwords.

    The obvious question here, from a security viewpoint, is "Why the hell weren't those VPs charged or fired?" They were violating a written company security policy, and making their systems vulnerable. The obvious answer is: Those VPs knew damned well what they were doing, and were in a position to punish someone who discovered their violations. They are probably still knowingly violating their system's security.

    This is what happens when the top people are immune from the security policies themselves.

  6. Re:This made me confused. on The Economist on The Rise of Linux · · Score: 1

    I'm not sure what other platform is left. Apple is just as well known for subsuming applications in with the OS, and you can't make money writing for Linux, so what can you do?

    Well, in the tax forms I just filled in, I reported about $120,000 of income last year. All of it was for software development on linux.

    It's just one data point, of course. But I've been working with a team that's helping a Big Corporation convert their old IMB-mainframe system over to an online flock of linux servers. Rumors that this is happening (and Larry Ellison's recent prediction) are not just rumors.

    And, contrary to the usual image, we're Americans working in the US for a foreign corporation.

    So much for the media's image of what's going on.

    A growing "talking point" in much of the world now is "Do you want your computer systems and company data controlled by a big American corporation?" This isn't just a rhetorical question. A lot of people in the world are getting very worried about American corporate power. The fun thing is that there are a lot of us Americans who are quite happy to help them out of their mess.

    There's no irony here; we don't like those big corporations any better than they do. ;-)

  7. Re:This made me confused. on The Economist on The Rise of Linux · · Score: 1

    I'm sorry, but what the *hell* are you talking about? ... Are you really trying to say that Microsoft is trying to control what software you can sell for Windows, and that you need to sell it through them?

    Yes, that's exactly what I'm saying. And it's well known in some developer circles.

    For example, I have a couple of friends who have been working on high-quality "component-style" music software. They are getting rather depressed these days.

    The reason is simple: Their software more and more can not run on Windows unless they license it through Microsoft. The reason is that, if any component of MS Media Player wakes up and runs, their unapproved music programs stop working. Often, they need to be re-installed.

    This behavior was documented in some of the earliest reviews of MP several years ago. It has gotten worse, as MP gets better at recognizing unapproved music software. The way to get off the hit list is to license your music software through Microsoft.

    (Actually, there probably isn't an explicit "hit list". Rather, there appears to be an "approved list". If a program isn't on the list, it may have a lot of problems getting at some things that are locked by some component of MP. Some details of the MP implementation are hidden inside the binary, of course.)

    It's well understood among music-software developers that Microsoft fully intends to control this market, similarly to how the recording industry has historically controlled the distribution chain. But Microsoft has the advantage that it controls the player on the major "desktop". The result will be similar to what has happened with commercial music: Aside from a handful of big-name acts, nobody but the controlling corporation(s) will be able to make money in the business.

    In the US, at least, it's now obvious that this is perfectly legal. The outcome of the recent Microsoft case means that it applies to software, too. The future for Windows developers is that you will be able to sell your softare only under license to Microsoft, under terms of their license. "If you don't like the license, you don't have to sign it." And your software will die mysteriously at random times.

    This is much of the explanation for the recent stories of venture capitalists dropping support for Windows development. They've figured out that they probably can't make a profit in this market any more. And it is also behind the recent stories of independent Windows software developers one by one switching over to linux or OSX. If you have a dream of getting rich from sales of your great new app, it's best if you can sell to the customers. If you have to go through a single licenser who can dictate terms, you'll never get rich no matter how big your sales might be.

    I've never done any significant Windows development. But I have quite a lot of friends in this line of work. They are all showing signs of depression, and are all seriously looking into other computer platforms where their software is supported by the OS, and not controlled by its owner.

  8. Re:A Lesser Form of Unix on The Economist on The Rise of Linux · · Score: 3, Interesting

    While it's not nearly the whole story, an interesting benchmark is the top 500 supercomputers list. Sun and linux are both on the list. Sun seems to be the main supplier of supercomputers these days. But they first appear on the list as number 156. There are only two linux systems, but they are numbers 5 and 45.

    I guess that doesn't tell you all that much about the top end, other than that linux and Sun are both quite capable of supporting raw, top-end gigaflops power. The actual computing is done by processes, of course, so this benchmark really just tells you that neither OS has any showstoppers. Neither interferes with the ability of a process to crunch bits and bytes.

    Now on to the other benchmarks ...

  9. Re:This made me confused. on The Economist on The Rise of Linux · · Score: 4, Insightful

    ... SUN is the one who's not doomed.

    Right. Note first that Solaris is highly POSIX-compliant, as is linux. This means that most software ports from one to the other with few if any problems, as long as you haven't used the private extensions of either. This isn't a conjecture; I and many others have tested this with our software. Portability between linux and Solaris is easy, almost as easy as between linux and *BSD.

    And note also that Sun is actively supporting several linux distros. There was some confused news recently about Sun supposedly dropping their linux. What they actually did was drop the attempt to "rebrand" RedHat linux as Sun linux. This was mostly because customers got confused. And some of them wanted RedHat explicitly. But Sun seems to be going strongly into the linux support business, letting someone else supply the POSIX-compliant platform that runs on their hardware and has all of their software goodies available as options.

    There is a strong contrast with Microsoft here: Microsoft has been moving strongly to a "total experience" platform which doesn't allow any software that isn't on their approved list. So if you're a software developer, you are facing a market in which you can only sell to Microsoft, on their terms. If you try selling retail, you'll find that your software constantly breaks, until you sign the rights over to Microsoft.

    Sun, on the other hand, has a strong history of supporting independent software developers by sharing information about the innards of their systems while not requiring onerous licensing of any sort. As either a software developer or an IT manager, it's obvious which would be the wiser purchase. Why would anyone with half a brain go with a secretive, monopolistic computer system when there's another available that is open and cooperative?

    And for a final note, we might observe that Sun has in the past objected to being called "SUN", since that refers to the Stanford University Network that they grew out of. They are officially "Sun", which isn't an acronym for anything. In todays environment of rabid copyright and trademark enforcement, it's important to get such things right. ;-)

  10. It's because ... on Trusted Computing Group Formed · · Score: 4, Insightful

    We all understand that "Trusted Computing" simply means whether or not Microsoft trusts us to run a program.

  11. Re:It works on Internet via the Power Grid, Again · · Score: 1

    Well, you wouldn't need filters on all of your equipment. Light bulbs and blenders will do just fine with an AC power supply that has an RF signal added.

    Well, actually some blenders might not do fine. Some of them now have IC controllers, and the major problem with internet-over-wall-power is that the RF component will do "interesting" things to the sanity of a lot of cheap consumer electronic devices. Quality electronic gadgets will have a power supply that filters out the higher frequencies. But blenders are commodidy devices that are sold partly on price. They'll have the cheapest power supplies that do the job. Hitting them with a high-frequency signal that's comparable to their internal signal is a recipe for disaster, from the blender's point of view.

    This is the second of the major problems with signals over the power system. It means that the power company has to install the right kind of filter at the point of entry to the customer's house. At a few hundred bucks each, a power company with a million customers can run up a pretty good bill.

    But such things are getting cheaper. Several other messages here have supplied links to the companies that are selling them. It's just a matter of time before your phone and/or cable monopoly has a bit of competition.

  12. Re:It works on Internet via the Power Grid, Again · · Score: 1

    Maxwell? Didn't he have something to do with the invention of coffee?

  13. Re:It works on Internet via the Power Grid, Again · · Score: 4, Insightful

    Yeah, and it's in limited use in the US. It does require a fairly clean power system that doesn't mess up the imposed RF signal, including not "cleaning up" the power by filtering the RF signal out. And it requires that all your electronic gear have power supplies that do filter out the RF signal (or a device that does it that's plugged into the wall outlet). I've worked in a couple of development labs where we did exactly this. But these requirements pretty much rule it out for most commercial power systems.

    But the main evidence that the story was about a con job was the quote

    By piggybacking on this magnetic field, instead of on the electricity itself, he could obtain almost limitless speeds of transmission. [emphasis from the article]

    This clearly implies cluelessness. Now, you might not expect a manager type to understand what's wrong with this statement. But you'd expect that they'd have some EEs on their payroll, and an EE's basic reaction to such a statement would be to snicker and say "Yeah; right."

    Any manager who continues saying such things after a few minutes discussing it with their EEs is clearly involved in a con, and knows it. In his next con, he's gonna market a truck that doesn't damage the roads like other trucks do. His explanation will be that trucks do their damage by harming the base that the road is built on. But his trucks only drive on the surface of the road, so they won't damage the roadbed at all.

    (Hmmm ... Maybe I shouldn't suggest that. Someone will decide it's a good idea, take out a patent, and start marketing it ...)

    Yeah, you can transmit data by piggybacking it on power lines. But making it work on a legacy power system is gonna be expensive. Ripping out the system and building a new one would probably be cheaper in many (if not most) existing systems.

  14. Not exactly news ... on Corporations Getting Into The Open Source Spirit · · Score: 5, Insightful

    Back in the 70's, IBM came out with their VM meta-OS. Its origins were in academia, not in IBM's shops, and in all the installations that I saw, it always came with full source. They actively encouraged customers to submit not just bug reports, but fixes, which were then sent out to other customers.

    In one place that I worked around 1980, there was a big IMB mainframe, and one day we brought in some Amdahl people to demo their unix that ran on VM. One question was whether source was available. Their answer was "The source isn't an option; you get it whether you want it or not." Within a couple of weeks, I'd made a small fix to the kernel's clock routine (needed because the turkeys who ran our VM had screwed up their clock in a way that Amdahl's people hadn't conceived of ;-). I emailed the fix to the Amdahl support people, they thanked me, and it was in their next set of patches.

    Closed source was to a great extent an invention of Microsoft. Before them, it was obvious to even the stupidest manager that it was a good idea to make source available to any programmers who could understand it. That way, you got bug fixes rather than bug reports.

    It's actually a bit strange that we now have management that doesn't understand this. What are they teaching them in business schools these days?

  15. Re:Incredibly compressible on New Whitespace-Only Programming Language · · Score: 2, Insightful

    Compressing whitespace code is probably a good idea, and not just for the space savings. Among the many problems with the email system, one of the really annoying things is the fact that whitespace is often damaged in transit. This is especially true for trailing whitespace, and of course, whitespace code is entirely trailing whitespace, and likely to be fully trimmed from messages. So to send it via email or other messaging software, you will need to encode it somehow. GZIPping it or BASE65-encoding it will work.

    You can see the problem with another message posted nearby on /., where the poster says "I have something to say" and the message is blank. If you check the source of the web page, you'll find that there isn't any whitespace there. The poster could well have included a lot of text, whitespace-encoded of course, but the /. software trimmed it away and reduced it to just the line feeds.

    (And note that whitespace encoding has been used for steganography. The least noticeable way is to encode a message not as spaces and tabs, but as 1 or 2 spaces between words. Especially when viewed with a variable-width font, this is hardly visible to the eye, and will pass unnoticed in most situations. Just don't use trailing whitespace in the encoding, and it will probably work in most environments.)

  16. Re:anyone else getting the feeling... on Prime Numbers Not So Random? · · Score: 1

    I first heard the proofs that all odd numbers are prime back in the 60's, when I was in high school. There were a lot of them, for various occupations.

    Some of my favorites:

    Politician: 1 is prime, 3 is prime, 5 is prime, 7 is prime, 11 is prime, 13 is prime; that should be enough to convince anyone.

    Thologian: 3 is prime; therefore all odd numbers are prime.

    News reporter: 1 is prime, 3 is prime, 5 is prime, 7 is prime, 9 is prime, 11 is prime; looks like it's always true.

  17. Re:anyone else getting the feeling... on Prime Numbers Not So Random? · · Score: 1

    Actually, this is the punch line to the followup to the long lists of proofs that all odd numbers are prime. The followup joke is the proof that all prime numbers are odd. This is trivial for all prime numbers but 2. For 2, the proof observes that, being even, 2 is a *very* odd prime ...

  18. Re:Meteor strikes not that uncommon on Meteor Over Midwest · · Score: 1

    The larger ones ......Well can anyone remember the last time you saw a live dinosaur.

    Yeah; there's one sitting on a perch next to my desk at the moment.

    It's been around 15 years since the birds were officially reclassified as dinosaurs by zoologists. By the mid-80's, the evidence was just too convincing. Scientists now often use the phrase "non-avian dinosaurs" when talking about the mass extinction. (But it'll probably be a few more decades before the media hears about it. ;-)

    (She's a blue-crowned conure, for those who are interested. She has lately taken to commenting on politics, shouting "IRAQ!" when she wants to get attention)

    The big impact 65 million years ago also wiped out most mammal species. We're descendents of one of the little ones that managed to get past the crisis, probably by eating the decaying remains of the bigger species.

    And it'll happen again. Maybe tomorrow, maybe 100 million years from now.

  19. Re:Or heres an idea on Too Cool For Secure Code? · · Score: 1

    Maybe they just don't like posting every way to hack into the OS on a website read by millions of juvenile hackers.

    This is the standard red herring used to keep us ignorant.

    Neither I nor the original poster even remotely suggested publicizing newly-discovered holes. We all understand the problems with that. And there has been plenty of thoughtful discussion of the topic. Most of the discussions conclude that you should first notify the peope responsible for the code, and check with them for a while to see how their patch is coming along. Then, if after a month or so they haven't acted responsibly, you send your report to the appropriate security lists. Long experience has shown that security holes in commercial systems tend to not get fixed until they are at least publicised in the "professional" security fora.

    But this is off topic. The topic is the fact that we programmers repeatedly create new security holes of types that were known decades ago. We do this because, even a decade after an exploit is found, people still do their best to keep us ignorant. When we ask "How does this work?" for security-related things, we are treated like we're evil hackers bent on destroying all the world's computers. We respond to this as anyone under suspicion would: We clam up and stop asking questions that might get us into trouble.

    The inevitable result of this is that, in our ignorance, we continue to create the same sorts of security holes. The reason is that people are intentionally keeping us ignorant of our mistakes.

    Then, when the holes are discovered, we become scapegoats. But the real culprits are the people who react to our questions like you have, and intentionally keep us ignorant for years or decades.

  20. Re:Yeah..all that awesome 'peer reviewed' code... on Too Cool For Secure Code? · · Score: 1

    This is just insane, if programmers don't discuss or uderstand the problems how can they fix them!

    Exactly. But you have to understand, the goal isn't to prevent such problems. If people really wanted that, they'd be openly documented exactly how every security hole works, so that programmers could learn and not repeat those mistakes.

    When people keep the programmers ignorant, it's a dead giveaway that they're looking for scapegoats, not solutions.

    As long as they keep you and me ignorant of how the security holes work, we will both continue to implement security holes. Then people can blame us for our ignorance, without facing the reasons that we're so ignorant.

    Lasser's comments don't help much here. He seems to think that the solution is higher levels of abstraction. But from a security viewpoint, what that mostly does is increase the number of "black boxes" whose behavior the programmer can't know. The more black boxes you have underneath your code, the more places there are for security holes. And when a problem pops up in the lower levels, you usually can't get at the innards to fix things.

    Open Source is a partial solution to this, because *in principle" you can open up those black boxes and learn about the details. But to make this work, programmers have to have the time to thoroughly analyze and understand everything under their own code. We almost never have the time.

    And note that the Open Source community is not immune to the mistake of treating an inquiring programmer as a bad guy. This goes a long way toward making even the most open systems insecure.

  21. Re:Conflict...Hmm on Office Depot: Windows XP Apps Must Be Microsoft-Approved · · Score: 1

    who thought RH would manage to get a "Designed for Windows XP" certification!

    I did something like this on a project about 10 years ago. It was a turnkey package with a fixed user interface that required a RT OS underneath, but the client insisted that it has to run on Windows. I was the one who did most of the packaging of the low-level RT stuff. What the startup code did was grab all of DOS/Windows and put it on the free-space list. But it "ran on Windows", i.e., you could start it from Windows. To terminate it and get back to Windows, you used CTL-ALT-DEL, of course.

    It worked just fine, and the customer was happy.

    Note that this isn't entirely facetious. Their support people could halt the startup code and would find themselves in the expected Windows environment. Nothing we did ever wrote to the Windows disk partition; it used its own private partition. And the client wanted it to be the only thing running on the machine when it was running. Just how we did this wasn't really their concern; they just wanted it to start up automatically when the power came on.

    So I can see a RH release that "runs on Windows". That is, there's a RedHat icon and/or a Start entry. They cause linux to boot, and probably to mount the Windows partition as a filesystem. With wine or lindows or some such, it could even look to users like Windows is there, and in some sense it is.

    Saying that something "runs on Windows" is a rather vague and ambiguous claim ...

  22. Re:There's insight in the humor. on Microsoft To Teach Undergrads About Secure Computing · · Score: 1

    You had the start of a great joke there: ...

    Punch line: Oh, wait, MS already tried that!


    Hey, I gave you the straight line. I was hoping someone would reply with the obvious punch line. Thanks for completing the joke.

    (Of course, long-time readers of /. probably thought it automatically.)

  23. Re:There's insight in the humor. on Microsoft To Teach Undergrads About Secure Computing · · Score: 3, Informative

    In situations like these, the actual facts play only a modest role in shaping public opinion,

    True, but public opinion has relatively little to do with whether your computers are secure or not. If it did, then nobody would bother with engineering approaches to security; they'd just set aside a large PR budget to create the public perception of security, and that would make their software secure.

    The main irony here is the old observation by many security people: If you want computer security, you never, ever allow any software to be run unless you have all the source and you've compiled it yourself. Otherwise, you have no idea what may have been hidden inside that binary by the people who sold it to you.

    It would be interesting to see whether Microsoft's teachers bring out this rule. Will they even mention the topic? If so, will they teach the course the second time?

    Granted, this isn't nearly the whole story. You must not just have the source. You must also have competent, trustworthy people on your staff who have the time to thoroughly take the software apart and understand it all. And even then, Ken Thompson's famous paper shows how subtle the problems can be.

    Still, as a baseline argument, any such course on computer security should start with the observation that if you allow binary software to be installed, you are utterly defenseless against the people who compiled and packaged it for you. This is really the main thing that needs to be said about security and Microsoft.

  24. Re:Paying for bug fixes on Apple to Announce new Mac OS X version in June · · Score: 1

    This does make me think: Amidst all the comments on how much current Mac users may/will have to pay to upgrade, I haven't seen much mention of the effect on those like me who have been thinking of splurging and buying an OSX machine.

    Does this report mean that I should wait until the panther is for sale? I'd think that Apple wouldn't really want me to do this. But if waiting 6 months will get me better software for the same price, that's probably what I'll do, and I'll keep working on my linux boxen until then.

    So is there any reliable info about this (e.g., a link to an apple.com page saying what their policy is for people who bought a jaguar just before the panther was released)?

    It'd be nice to get a warm, fuzzy feeling that I can trust Apple to do the Right Thing here for new customers ...

  25. Re:Why is this required? on Texas Bill Would Require Open Source Consideration · · Score: 1

    Another excellent point. And $5 is far too low a quote. The thing to do is follow RedHat's lead, and make the bid as a company selling consulting and support.

    We might note that this isn't exactly a new idea. IBM has historically made money from selling hardware, yes, but they also make billions selling support contracts. Their approach for decades has been to sell or give away the software, and charge customers for support.

    It may be true that the Open Source crowd has good, free online consulting help. But a close look shows that this is mosly a good tool for us geeks. If we really want to succeed in the commercial arena, we need consulting help for businesses. This is probably not a job for computer geeks; it's a job for specialized business consultants. IBM has realized this, and it may be a matter of time before MS realizes it, too. Then we'll see both IBM and MS abandoning their OSs and making billions selling support contracts for Open Source software. IBM has already started on that path.