Slashdot Mirror


User: devphil

devphil's activity in the archive.

Stories
0
Comments
1,396

Comments · 1,396

  1. GC and GCC on Experiences w/ Garbage Collection and C/C++? · · Score: 1


    Many people are not aware that GCC itself uses garbage collection as it runs. You can actually select which algorithm gets used at configure time, and tweak the GC parameters during runtime (via a growing set of command-line options that users never think to use).

    That aside: I've corresponded with Linus a couple times (on other subjects), and while he is the brilliant guy that /. thinks he is, he is a kernel expert, not a compiler expert. Entirely different problem domain, very different approaches to solutions. Not every compiler is alike, not every GC strategy is alike, and most of the GC strategies out there are not appropriate for use within GCC. (Note: within GCC, not by a program compiled with GCC.)

    What the GCC maintainers have known for a long time -- due to actual analysis of the compiler, not "this tends to work elsewhere and in other programs" -- is that the current GC strategy is suboptimal. There's even a design for a good replacement. None of the volunteers have had time to write it yet. And on that note, I'll leave you with a quote from Torvalds: "What we need is less people running around and telling everyone else what to do and more people actually writing code."

  2. This is precisely... on New ssh Exploit in the Wild · · Score: 3, Funny


    ...why I always go back and add security holes to all of my programs. If some future (or current) anti-regime hacker needs to be able to break into a local power plant, I want to make sure my code can help!

    [I considered signing this post "love, Theo" but then thought better of it.]

  3. Suggestions? on New ssh Exploit in the Wild · · Score: 4, Insightful
    Now we have a big and fat tool that can do nearly everything,

    That's right! It can form remote connections, and generate random keys, and... and... uh, well, that's about it, actually. Form connections, generate session keys.

    Public/private key generation? Different program. Managing keys on a local machine? Different program. Transferring files securely? Different (wrapper) program.

    It would have been a better idea to do a small diet and dis-integrate functions into different tools

    Got any concrete suggestions there? Exactly how would you divide the existing tools up? Precisely which tools would you create? In what ways -- details, now -- would they be different from the half-dozen programs that come with ssh now?

  4. But later than mainstream politics on New ssh Exploit in the Wild · · Score: 1


    You're correct; this is often more noise than signal. But /. is simply following the major media in this respect. How many times have you seen a headline like, " To Announce ," where the body largely consists of a pre-announcement of the announcement?

  5. Actually, about selling cars... on Worst Jobs In Science · · Score: 1
    but if you are simply interested in making money, go sell cars or something.

    Or you could go undercover as a car salesman for months at a time and find out that they get screwed over at their jobs too.

  6. Re:And the second rule of secure programming club on Secure Programming · · Score: 1


    I think we were using different definitions of undefined behavior. I don't necessarily disagree with you, but it seems you're talking about a different problem domain than I am. And that's okay.

    As far as conclusion jumping, closed minds, and needing to try those languages, sorry, you're flat wrong. :-) I've already tried those languages, and just wasn't impressed. They're useful, but I think we get more security by focusing our attentions elsewhere.

  7. Re:And the second rule of secure programming club on Secure Programming · · Score: 1
    or assure you that your program has no "undefined behavior" (i.e., a security hole). These are impossible in C,

    Because they're impossible in general. See "halting problem, the".

    In what sense don't languages like SML (or, hell-- Java, Dylan, ADA, Lisp, or any of the other safe languages proposed by slashdot posters) solve all of your buffer overflow problems?

    In the sense that the VM is just another piece of software, capable of being attacked and exploited. Like I said previously, these languages are great in and of themselves, and certainly help solve common programming errors, but they're still not the end-all-be-all solution.

  8. Re:And the second rule of secure programming club on Secure Programming · · Score: 1
    If you mean "private" vs. "public," that's not what we're talking about. We're talking about your language having properties like safety, which means that the only person who gets to write code is the developer (not the remote user uploading shellcode!).

    I don't mean just private-vs-public (although some misguided folk wish those were security related). Attempts like "safety properties" strike me as just giving a warm fuzzy feeling without doing much beyond security-through-obscurity. How does a piece of software know I'm a developer rather than an intruder? If I poke bits into the proper places in memory, software will believe anything I tell it to believe.

    I'm not advocating avoiding such research, but I have yet to see anything that isn't just being touted as "this silver bullet will make your problems all go away".

  9. Re:And the second rule of secure programming club on Secure Programming · · Score: 1


    I see very little difference, to be honest.

  10. The other rules on Secure Programming · · Score: 2, Funny


    Just because I watched the movie the other night and can therefore quote entire reams from memory:

    • The 3rd rule of secure programming club is: some process yells SIGABRT, goes Z-state, taps out, the program is over.
    • 4th rule, only one major process to a sandbox.
    • 5th rule, only two sandboxes to a machine, fellas.
    • 6th rule, no telnetd, no ftpd.
    • 7th rule: debug sessions go on for as long as they have to.
    • And the 8th and final rule, if this is your first night at secure programming club, you will be 0wn3d.
  11. And the second rule of secure programming club is on Secure Programming · · Score: 1


    Quoting Bjarne Stroustrup when some moron tried to flame him for C++'s perceived lack of security, "I assume that a sufficiently skilled [cracker] will be able to do anything not explicitly forbidden by the hardware." (Emphasis mine.)

    So, the second rule is, recognize that most "levels of protection" and "access controls" in programming languages are there to help realize a clean design and facilitate debugging. NOT to enforce some kind of real-world security.

  12. Fairly standard for !(Linux) on Logging Unexpected Shutdowns/Crashes w/ Linux? · · Score: 1
    IRIX will core dump to the swap partition. On the next boot it analyzes this core file, which includes various system logs, etc, and saves useful output in /var/adm/crash.

    Solaris does the same thing. Actually, I think several commercial Unixes do this. Some even provide some basic analysis tools so that you can pore over the /var/wherever/crash dumps yourself; see which processes were running, which ones were on the CPUs when it crashed, which instruction was executing, etc.

    I've always been disappointed that this hasn't been part of Linux. Copying down OOPS text by hand onto paper and then typing it back in after the reboot is needlessly difficult. I don't have terminals sitting around for serial output. I've heard rumours that something like the save-to-swap-space facilities are finally going in, or that there are patches available for the DIY'ers.

    And in my particular case, I'm not sure it would help anyhow. My desktop machine occasionally just goes *click* and reboots. If it tries to panic, it may not get time, I dunno, I'm not here to watch it. I do know that when I have gotten OOPSes, I usually don't bother trying to send a useful report in to lkml, because I don't have pen and paper around.

  13. Well, hey, not a new idea there on Helping the Apple Web Community w/o an Apple Computer? · · Score: 4, Informative
    If only HTML validation were as simple as submitting pages to the proper emulator, and viewing the results.

    Yeah, if only... oh, wait, it is.

    Of course, testing for validation and compliance to standards is not quite the same thing as "does my web page look okay in Arbitrary Browser Foo," which is what the submitter was asking about. At some point you simply have to say, "any browser will work as long as it doesn't suck with regards to published open standards."

  14. They're stoppable at the SMTP level, too. on Lousy E-mail Filters Complicating Outlook Worms · · Score: 1


    At least, that's what I've been told.

    SoBig's builtin MTA sends a syntactically-incorrect "HELO" line when connecting to a mail server. The SMTP grammar specifies a fully qualified name in the machine name following HELO, I think, and SoBig doesn't give one.

    This is hearsay, though. Can someone verify it?

    So, if true, you could simply drop the connection on poorly-formed HELO lines. But that would also disconnect a few legit-but-badly-written MTAs out there. (In my opinion, fuck 'em. It's long past time to be using properly written software.)
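    The check the post is talking about, written out as an added example (editor's code, not anything from the thread or from any real MTA). RFC 5321 requires the HELO argument to be a domain name, and allows an address literal such as [192.0.2.10] on EHLO; a syntactically invalid argument is answered with a 501. The part the post worries about, legitimate but sloppy MTAs, comes down to one policy knob: whether a single dotless label like "localhost" counts as a domain. The sample lines below are constructed for illustration; nothing here verifies the hearsay claim about SoBig.

```python
import ipaddress
import re

# Label grammar from RFC 5321 section 4.1.2: Let-dig [Ldh-str], i.e. the label
# starts and ends with a letter or digit, hyphens allowed inside, 1..63 octets.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_helo(arg):
    """Return 'fqdn', 'literal', 'bare' or 'invalid' for one HELO/EHLO argument."""
    if not arg or len(arg) > 255 or any(ch.isspace() for ch in arg):
        return "invalid"
    if arg.startswith("[") and arg.endswith("]"):
        # Address literal: [IPv4] or [IPv6:...]; anything else inside brackets is junk.
        inner = arg[1:-1]
        try:
            if inner.startswith("IPv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
        except ValueError:
            return "invalid"
        return "literal"
    labels = arg.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return "invalid"          # empty label ("foo..bar"), bad chars, leading hyphen
    return "fqdn" if len(labels) > 1 else "bare"


def helo_verdict(line, reject_bare=True):
    """Parse a raw 'HELO x' / 'EHLO x' line and decide whether to accept it.

    reject_bare is the policy knob: True drops dotless names, which also drops
    the badly written but otherwise legitimate MTAs the post mentions.
    """
    parts = line.strip().split()
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return ("reject", "501 Syntax: HELO hostname")
    kind = classify_helo(parts[1])
    if kind in ("fqdn", "literal") or (kind == "bare" and not reject_bare):
        return ("accept", None)
    return ("reject", "501 Syntax: HELO hostname")


# Constructed sample greetings, not captured traffic.
SAMPLE_LINES = [
    "EHLO mail.example.org",     # FQDN: accept
    "HELO [192.0.2.10]",         # IPv4 address literal: accept
    "EHLO [IPv6:2001:db8::1]",   # IPv6 address literal: accept
    "HELO localhost",            # bare label: depends on reject_bare
    "HELO",                      # missing argument: reject
    "EHLO foo..bar",             # empty label: reject
    "HELO -bad.example",         # label starts with a hyphen: reject
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, reply = helo_verdict(line)
        print(f"{line!r:30} -> {verdict}" + (f" ({reply})" if reply else ""))
```

Note that this is a syntax check only. RFC 5321 lets a server verify that the name resolves to the connecting address, but forbids refusing mail on that basis alone; rejecting malformed syntax with a 501 is the one filter the grammar itself justifies.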

  15. Hope the books are doing okay! on Barnes and Noble Drops Ebooks · · Score: 1


    First I read the /. article about the spacecraft being dropped, and saw that photo. Ouch! Now B+N have dropped some ebooks? Man, those things usually aren't built as sturdily as the satellites. That's gonna be ugly.

  16. It's a choice... on Judge OKs Competitive Pop-Up Ads · · Score: 4, Funny


    between the devil we know and the devil we don't.

    Okay, fine, popups are legal. That particular devil we know very well, and I gots my armor of righteousness loaded up at boot. But if popups (even competitive ones) become illegal, then who knows what the poodlefuckers will come up with next.

  17. How does this compare... on Linux Distro For Linksys WRT54G · · Score: 2, Interesting


    ...with running a connection through a tool like stunnel? Both are doing encryption, SSH likes keys, stunnel/SSL likes certificates, but after that I'm somewhat ignorant.

    I've been tunnelling all kinds of stuff through OpenSSH for years, and while I've heard of stunnel, I only just recently started using it (encrypting an IMAP connection because IMAPS isn't supported).

    I'm not asking for an hour-long briefing on /. or anything, but if you know of any web pages, pointers would be appreciated.

  18. Different authors (like Gene Wolfe) on First New Gaiman Sandman In 7 Years · · Score: 1
    but I suppose I do sort of long for authors to know when they've reached the end of their time with their characters, when they've reached the best end they're going to find...

    When it's time, say, to contact fellow authors and friends and say, "Here's the story universe, care to have a go?"

    I've never read any of the Sandman series (I'd like to, someday), so I'm not suggesting that it's time for Gaiman to consider such a step. But I don't have to, since he's made the invitation already.

    I've actually read one Sandman short story without knowing it at the time. Later, after I'd heard of the Sandman stories, I happened to reread the short, and noticed "first published in The Sandman: Book of Dreams" on the flyleaf. It was a short by Gene Wolfe -- one of my favorite authors -- and was an interesting retelling of one of his own short stories, from the viewpoint of another (dreaming) character.

    I don't know who else has guest-authored Sandman stories. Clearly Gaiman has good taste in picking them, however.

  19. Re:How to resolve pesky fan noise... on Reducing Pesky Fan Noise? · · Score: 1


    I wondered whether I was the only one thinking that. If this was yesterday, I would still have mod points to give you.

  20. How come spiders don't get stuck? Easy. on Scientists Crack Silk's Secret · · Score: 3, Informative
    Maybe the spiders can decide whether or not to add an extra "stickiness" protein to the silk as they extrude it, so they can make non-sticky support strands for their webs. That way they could walk around without getting themselves stuck---or maybe they have some weird foot-based non-stick thing.

    Nope, you had it right the first time. Some strands of a spider's web are sticky, some are not. It's not so much for "extra support for the web" as it is "it's nice to be able to walk around without sticking to my own house." The spiders know which strands are which. And if they have to step on a sticky strand, they just pull themselves loose.

  21. Re:Going the other way 'round... on X Prize and John Carmack · · Score: 1


    I like the sig. :-)

  22. Going the other way 'round... on X Prize and John Carmack · · Score: 2, Interesting


    ...wouldn't necessarily be a bad idea.

    "If we looked at what we do in software, if we could only compile and test our program once a year, we'd never get anything done."

    Yeah, but damn if that code wouldn't be perfect.

    Think back to the bad old days of batch processing, where you handed your code to one of the engineer/sysadmin/priests, who would feed it to the system when the system was done doing its current work. You might not get the results of the build+run for 24 hours after submitting it. And you wouldn't get another chance for another 24 hours.

    So, before you handed in the code, you would read it. Because the smallest typo would set you back another 24 hours. You would try to prove -- formally, mathematically -- that it was correct, because a simple logic error ("oops, wrote ==, wanted to write !=") would set you back 24 hours, and doing the proofing was faster than waiting an additional day.

    Maybe they "got nothing done" back then, but when that software was finished, it was good.

  23. We don't need a spellchecker for textareas. on Mozilla 1.5 Beta Released · · Score: 1


    All we need is the ability to invoke arbitrary text editors.

    1. Put initial contents of form in temp file.
    2. Run $users_favorite_editor on temp file.
    3. Wait for child process to finish.
    4. Read in temp file, replace contents of textarea.

    Umpteen million text editors, most of which have some form of spell checking available, even if it's just "pipe contents through spell(1)". Mozilla doesn't need to reinvent that wheel, or any other text-editing wheel.
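    The four steps above, as an added example (editor's code, not Mozilla's and not the poster's). It assumes the usual $VISUAL / $EDITOR convention for finding the editor. The two details that matter when the page content is untrusted and /tmp is shared: the temp file is created with mkstemp (O_EXCL, mode 0600, unpredictable name) so a pre-planted symlink cannot redirect the write, and the editor command is split with shlex and run without a shell so the file path is never re-parsed.

```python
import os
import shlex
import subprocess
import tempfile


def edit_text_externally(initial_text, editor=None):
    """Hand initial_text to the user's editor and return what they saved.

    1. Put the initial contents in a temp file.
    2. Run the user's editor on it.
    3. Wait for the child to finish.
    4. Read the file back and return it (the caller replaces the textarea).
    """
    editor = editor or os.environ.get("VISUAL") or os.environ.get("EDITOR") or "vi"
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600 under a fresh random name,
    # which closes the classic /tmp symlink race; we also get the open fd back
    # rather than reopening by path.
    fd, path = tempfile.mkstemp(prefix="textarea-", suffix=".txt", text=True)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(initial_text)
        # $EDITOR may carry flags ("emacs -nw"); shlex.split honours that without
        # invoking a shell, so the path is one argv element, never re-parsed.
        argv = shlex.split(editor) + [path]
        subprocess.run(argv, check=True)  # blocks until the editor exits
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample textarea content.
    draft = "Reply to comment #23:\n\nAll we need is the abilty to invoke arbitrary text editors.\n"
    print(edit_text_externally(draft), end="")
```

A non-zero exit from the editor raises CalledProcessError, which is the right outcome: a crashed editor should not overwrite the textarea with whatever was left in the file.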

  24. Re:Wily RULES! on Other Web Browsers for Bell Labs' Plan 9? · · Score: 1


    Heh. This goes to show that tastes differ. I have a difficult time reading source code in a proportional font[*], so I always built wily with a monospaced font, a slightly different cursor symbol, etc. They've a couple of alternative settings commented out in the code; just flip those and rebuild.

    As for mouse chords, they're like heroin: you swear that you'll never need them, and then you try them, and suddenly you're hooked. :-)

    [*] Except for lgrind/vgrind pretty-printed LaTeX forms of the code. Oh, so pretty.

  25. As a Type I diabetic... on Lizard Spit Helps Control Blood Sugar · · Score: 4, Funny


    ...I for one welcome our new lizard-based pharmaceuticals!

    Until now, I've always needed coffee to wake me in the morning, plus an injection of insulin. Now I can become wide awake and manage the blood sugar at the same time!

    [P stumbles groggily into the kitchen, rubbing sleep from his eyes.]
    P: *mumble*
    [As his arm brushes the kitchen counter, a LIZARD darts forward and bites him.]
    LIZARD: *snap*
    P: *mumb*-GAAAAAAH! What the FUCK was th- oh, the lizard. Right.