American also has simpler and better spellings for many words, such as "draft" ("draught" in UK English; WTF is with all those extra letters?).
Those two words have entirely different meanings in International English (that spoken by most native English speakers outside the US). A "draft" is a version of something, such as a "first draft" of a book. A "draught" is cold air, coming from an improperly closed window for instance. I understand that in US English "draft" has both meanings - if so, in this particular example US English is just confusing.
ULTRIX (oh wait, it's called Tru64 now and it's still shipping)
Lose a nerd point. Ultrix was a BSD based system, while Tru64 (formerly known as Digital Unix) is a version of OSF/1 which is based on System V and the Mach kernel. Ultrix was essentially scrapped when DEC switched to OSF/1. I really must get out more.
I had an Atari ST and there was literally nothing to read and nobody to learn from. No users groups, no books, no magazines which were worth a damn.
I assume you were not in the UK or Germany, as we had a number of decent magazines and books. I still have an Atari ST (not the original one I owned - my brother sold it without asking me), as well as a number of books on how to program the machine in assembler and C. I forget the name of the series of books, but one which covered the system calls and hardware was known as the "bible" for ST programmers since it was so good.
There's this subtle difference (well it must be too subtle for you) between where you get your payment from. Apart from the vendor, Apple in this case, I struggle to think of any other source of payment for an exploit that isn't, well, dodgy. Although I seem to recall from my days on the security mailing lists that there were plenty of people for whom the kudos of their peers was payment enough.
Unless he was worried that the exploit would be discovered by malicious crackers, sitting on the exploit was no risk.
How does he know that others haven't discovered the exploit (unless he believes he's more l33t than anyone else).
How dare he use his technical skills for personal gain.
As others have pointed out, Apple pay for verified bugs. By sitting on it he simply made it more likely someone else would get paid for it, unless he thought there was a more profitable use for the bug. And I wonder what those would be?
Wait, what do you do for a living?
Something a damned sight more productive than this cracker, which is probably why I don't have to fuck about to get paid.
You should work for free, society deserves to leech off you...
Oh do fuck off you anonymous twat.
BTW Apple pays people to report verifiable bugs to them.
So your original point is moot - he could have been paid by Apple for finding and reporting issues. The fact he didn't makes it even more suspicious that he had something else in mind, perhaps selling to someone prepared to pay more. I wonder who that someone might be? Surely not someone with less than entirely innocent intentions? To be honest though, all this talk of people paying tens of thousands of dollars for an exploit sounds more like a black hat's imagination running riot, which fits with the sad sack fantasists calling themselves "hackers" that I've encountered.
Your experience mirrors mine - I enabled softdep on most of my machines and never had an issue with it. However, there are plenty of postings on the NetBSD mailing lists discussing actual breakages tracked down to softdeps, the known technical shortcomings and how the complexity of the code made them hard to fix with any confidence that something else wouldn't break in equally subtle ways.
Apple tends to sweep security problems under the rug as much as possible.
Their track record has been a bit variable, but by his own admission this guy didn't contact Apple. He sat on the exploit, in the knowledge that it could be used for no good by others, making him little better than the really bad guys. He then used the exploit for personal gain. Classy.
No, it's because he's not going to do free work for Apple.
That's precisely the attitude of a black hat. A responsible hacker notifies the vendor or author of the issue, giving them a reasonable amount of time to release a fix. If the fix is forthcoming in a timely manner, the hacker should be thanked in the release notes and is then free to post a description of the issue along with a proof of concept exploit if they like. If a fix is not forthcoming in a timely manner, and no reasonable explanation given by the vendor or author, then the hacker releases the description in the knowledge that they've adhered to the widely acknowledged good practice. This is responsible full disclosure.
A black hat doesn't notify the vendor in order to gain some kind of material benefit - be it selling the exploit or using it directly for personal gain. Funnily enough personal gain is what this guy did it for, making him a scumbag black hat hacker.
It has proven to be very resilient (up to hardware problems).
No it hasn't, which is why it has been removed from NetBSD and replaced by a journaled filesystem. I've also heard grumblings from OpenBSD people about corrupted filesystems with softdep enabled.
Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year.
Definitely a black hat then, as I'm assuming if he'd reported the vulnerability when he'd found it even Apple would have patched it by now.
Pragmatism is very high on his list of important values
Yes, and being fun at parties is high on my list of important values - doesn't mean I am though. Pragmatic would mean that RMS wouldn't have slagged me off for working at Elsevier Science while he was sat in my apartment, seeing as I was the only one who offered to put him up when he came to my town. RMS is not pragmatic, he's dogmatic.
This is from the man who by his own admission doesn't use a web browser. He's becoming more and more like the Ayatollah - issuing edicts about things that he barely comprehends and has never actually tried himself.
Java is a severely restricted subset of C++, with an (bad) API that makes a few things easier.
Nope. Java (the language) was influenced far more by Objective C than by C++, as Gosling has pointed out many times. The class libraries were also heavily influenced by NeXT/OpenStep (which became Apple's Cocoa libraries), as Sun were considering adopting the OpenStep APIs at the time. Smalltalk was also a major influence, as it had been on Objective C and the NeXTstep libraries. This represents a different strand of object oriented programming development from that taken by C++, which was influenced by Stroustrup's experience with Simula.
So, looked at from a C++ perspective Java (and C#) may seem like a "restricted subset" of that language, but that misses the point that C++ is a very different language to Objective C or Smalltalk. An Objective C programmer (and those more familiar with Java or C#) would most likely find C++ an unbearably messy hodge-podge of features that despite Stroustrup's assurances have little consistency and poor choices - for instance the STL and features of the language itself which cause copy constructors to be called far too often.
Java isn't successful because of its API (if that was the case, Trolltech would have probably taken over the world).
The fact that Qt offers so many alternatives to the STL and other standard classes just reinforces the point that C++ is poorly designed from a usability standpoint. The article submitter seems to think most jobs require C++, which as another UK based developer I find to be quite untrue. Even the limited number of jobs that use a C++ compiler generally mean you'll be working on code that contains a mess of different C++ features poorly applied in different ways and to different degrees across a large codebase. However, in my experience the cost of maintaining many of these applications has crossed the tipping point where a rewrite in Java, C# or even plain C has been undertaken.
In short, C++ is looking more and more like a legacy programming language for business applications. As for web applications, it's never been a popular choice.
Therefore it is important to have a good baseline to mix your music on, the preferable baseline being listening to the music through a good pair of headphones.
In the bigger studios (in the UK at least) it's smallish sized monitors that provide the "baseline", as they are more accurate than tiny headphone speakers and tend to colour the sound far less than really big speakers (too much compression if I recall correctly).
Consider the professionals. What do you think all those stage technicians, sound engineers, etc. etc. use when dealing with audio? That's right, headphones.
I rarely see stage techs or sound engineers (or producers for that matter) use headphones. The reason being that most of them have hearing impairment. For live work there's also little point in using headphones because the volume levels are too high and the need to listen to specific sounds and instruments doesn't require the degree of isolation that headphones can provide. In the studio, most engineers and producers I've worked with have simply used small monitors on top of the mixing desk for "detailed" listening, and then crank the main studio monitors up to ear bleeding levels to test the final mix.
there are things people prefer not to discuss in polite company like what you do in the toilet
Things you do in the toilet? Like read the paper while having a crafty cigarette? What's so offensive about that?
Cost: You have to remember, these are volunteers doing this stuff in their spare time.
No, these days most of the code that makes it into the Linux kernel tree is from developers employed by people like RedHat, SuSE, IBM and so on. Check the Git statistics or follow the (albeit voluminous) kernel development mailing list.
GCC is not very well structured, making it hard to work on (it has a relatively poor intermediate language as well). As a result it can be very painful trying to improve GCC, so it could be good for the Linux kernel to try and isolate GCC'isms as much as possible in order to make it easier to support building from other compilers.
Speaking as a frequent air traveler, I'd never go near a 17" laptop of any brand--it's too darned large even if you upgrade out of coach/economy.
That surprises me, as I'm 6'4" tall and can work quite comfortably on a 17" Powerbook when flying in economy. Perhaps you need to change airlines.
LizardKing? From the Triton demogroup?
I haven't the faintest idea what the Triton demogroup is, so unless it was a painful experience that medication has erased from my memory it would be a "no". The Lizard King nickname is because of my snakeskin tattoo. And in honour of Jim Morrison who shared similar tastes in leather strides - although I don't plan on dying in the bath following a strenuous wank.
If this is anything like the last time a scientist tried finding the clitoris it could be a long wait.
Cruise missiles are pretty slow, and fly at a low level - this makes them vulnerable to even the crudest anti-aircraft weapons. The advantage of the cruise missile versus bombing by aircraft is that the cruise is cheap and doesn't risk personnel. All in all, the cruise is just an updated V1, and shares many of the advantages of that weapon, along with many of its disadvantages.
Cool, but where can I get this mythical virtualisation software that allows me to replace a PDP-11 or VAX? Oh, I can't. And no, SIMH doesn't count - it's emulation software, not virtualisation software. Not that either can provide the kind of hardware support that many industrial applications for PDPs and VAX rely on - ever tried sticking a card designed for a PDP backplane into a PC? As for "any PC in the last 7-8 years", the x86 platform only got basic hardware support for virtualisation a couple of years ago (2005 for Intel and 2006 for AMD). And if you wonder why I call x86 hardware virtualisation "basic", you should take a look at something like an IBM 360 or Sun Niagara to see what advanced virtualisation is like.
support of new hardware is little and slow.
Bullshit. Go and read the changelogs. For instance, OpenBSD supports far more wireless ethernet chipsets than Linux - and by "support", I mean that it works, unlike Linux where kernel releases regularly result in broken drivers, and don't get me started on that madwifi shite.
32MB? Let's see now, my current PC has 4GB of RAM.
Yes, and judging by how much RAM my company's CentOS servers need to accomplish the same things as our NetBSD ones I'm not surprised. Back in the 1980s, British programmers had a reputation for eking more performance out of the systems they programmed for than American ones. This was down to them having cut their teeth on more limited hardware, where programming for performance was a must. We saw similar things in the late 1990s with programmers from Eastern Europe and the former Soviet Union. Linux is now targeted at the higher end, and as a result it sucks on more limited hardware (and even the desktop - see the flames over better scheduling for desktop machines). Most Linux kernel hackers are paid by companies only interested in server performance, and it shows. The only reason Linux is in the embedded market is familiarity, and you'd probably be surprised how much stuff is actually built around a BSD because they're far easier to strip down and the resource requirements are more modest.