Slashdot Mirror


User: Rich0

Rich0's activity in the archive.

Stories
0
Comments
11,574

Comments · 11,574

  1. Re:Broken by design on X11/X.Org Security In Bad Shape · · Score: 2

    the X server itself is root which makes the X server a big target

    Good point. With KMS I'm not quite sure why it still is root, but sure enough mine is...

    Strictly speaking, we already have that capability in SELinux or in AppArmor. The reason it's not really heavily implemented is because you might want your web browser to be able to save a file in your mail directory or overwrite your local .bashrc from a server stored copy somewhere. Meanwhile, sticking all the UI stuff to allow/disallow isn't some magic bullet...

    Oh, I agree. The problem is that nobody has figured out a good model for app-level security that isn't extremely inconvenient.

    However, I still think the status quo is really insecure. The fact that nobody has come up with something that works better doesn't change that. Sure, if your browser doesn't contain an exploit then you don't need the extra security, but if you want security then you really need defense in depth.

    I think something that the NSA has recently demonstrated is that a lot of software contains zero-days known to very few. The more defense in depth you have, the harder it is to exploit your systems. If you're relying only on perimeter security then you're up the creek when somebody breaches it. Of course, the fact that they're sticking rootkits in the firmware also points to the fact that you need to control the bootstrap from a known-good state. What we really need is secure boot that starts from a trustworthy FOSS loader implemented in ROM that verifies and proceeds into flash for UEFI, and then verifies/loads the OS. Maybe store the ROM's verification certificate in flash which is protected against writing by a hardware switch (that way you can install your own UEFI and configure its trust settings). Of course, all of this only works if you trust your hardware vendor.

    However, this might be a bit of a pipe dream. Linux has had Trusted Grub for eons and who uses that?
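The boot chain sketched in the comment above (a trusted loader in ROM that verifies the UEFI image in flash, which in turn verifies the OS, with the root of trust kept behind a hardware write-protect) reduces to a chain of digests. The following is an added example, not code from the post or from any firmware project: each stage image carries the SHA-256 digest of the stage that follows it, the read-only root holds the digest of the first stage, and verification stops at the first mismatch. Stage payloads are constructed sample bytes, and a SHA-256 digest stands in for the certificate/signature check the comment describes.

```python
"""Added example: a verified-boot chain simulated in plain Python.

Layout of a stage image:  <SHA-256 of next stage> || <payload>
The last stage (the OS kernel here) carries an all-zero digest.
The root digest plays the part of the value the comment proposes keeping
in write-protected flash: it is the only thing the loader trusts a priori.
"""
import hashlib
import hmac
from typing import List, Optional, Sequence, Tuple

DIGEST_LEN = 32  # SHA-256 output size


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_stage(payload: bytes, next_stage: Optional[bytes]) -> bytes:
    """Prefix a payload with the digest of its successor (or zeros for the last stage)."""
    expected = digest(next_stage) if next_stage is not None else b"\x00" * DIGEST_LEN
    return expected + payload


def build_chain(payloads: Sequence[bytes]) -> Tuple[bytes, List[bytes]]:
    """Build stages back to front so each one can embed its successor's digest.

    Returns (root_digest, [stage0, stage1, ...]); root_digest authenticates stage0.
    """
    stages: List[bytes] = []
    nxt: Optional[bytes] = None
    for payload in reversed(payloads):
        nxt = build_stage(payload, nxt)
        stages.append(nxt)
    stages.reverse()
    return digest(stages[0]), stages


def verify_chain(root_digest: bytes, stages: Sequence[bytes]) -> Tuple[bool, int]:
    """Walk the chain the way a ROM loader would.

    Only root_digest is trusted up front; every later expectation is read from the
    stage that was just verified. Returns (ok, index): index is the first stage that
    failed, or len(stages) when everything verified.
    """
    expected = root_digest
    for i, stage in enumerate(stages):
        if not hmac.compare_digest(digest(stage), expected):
            return False, i
        expected = stage[:DIGEST_LEN]  # this stage vouches for the next one
    return True, len(stages)


def tamper(stage: bytes, new_payload: bytes) -> bytes:
    """Replace a stage's payload while keeping the digest it carries for its successor."""
    return stage[:DIGEST_LEN] + new_payload


# Constructed sample boot chain: ROM -> UEFI in flash -> bootloader -> kernel.
SAMPLE_PAYLOADS = [b"UEFI firmware v1", b"bootloader", b"kernel"]


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    root, stages = build_chain(SAMPLE_PAYLOADS)
    clean = verify_chain(root, stages)

    # A rootkit dropped into the UEFI image is caught at stage 0.
    bad_uefi = [tamper(stages[0], b"UEFI firmware + implant")] + stages[1:]
    uefi_result = verify_chain(root, bad_uefi)

    # A modified kernel is caught at stage 2, because the bootloader vouches for it.
    bad_kernel = stages[:2] + [tamper(stages[2], b"kernel + implant")]
    kernel_result = verify_chain(root, bad_kernel)
    return clean, uefi_result, kernel_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered UEFI", "tampered kernel"), demo()):
        print(f"{label}: ok={result[0]} first_bad_stage={result[1]}")
```

The interesting failure mode is the one the comment flags with the hardware switch: if an attacker who can rewrite flash can also rewrite the root digest, `build_chain` run over a malicious image set produces a root that verifies it perfectly, so the whole scheme is only as strong as the write-protection on that first value.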

  2. Re:Broken by design on X11/X.Org Security In Bad Shape · · Score: 1

    Granted, the last time I checked Linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

    Which mainstream OS does this differently?

    Linux under SELinux potentially does this differently. I guess you could also count Android - as it gives each application a separate uid, though access to the sdcard is all-or-nothing.

    However, yes, this is a common vulnerability, and just another reason why the world is crawling with worms.

  3. Re:Broken by design on X11/X.Org Security In Bad Shape · · Score: 4, Insightful

    Doesn't everyone use X over an ssh tunnel anyway? I haven't used a raw X connection in over a decade...

    That doesn't help at all. He's talking about the fact that any X client can obtain information from any other X client on the same server. Tunneling the X clients through ssh doesn't help at all - it just causes the server to make all that information available over ssh.

    Granted, the last time I checked Linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

    Why is this sort of thing bad? Well, now not only can a browser exploit result in a script being able to sniff your keyboard traffic to other tabs in the same browser, it can also sniff your keyboard traffic to every other window on your display, regardless of where those clients are actually running. There are ways to block it, but nobody uses them as they are rather inconvenient (xterm probably still supports it though).

    However, until we close the gap of my web browser being able to read my mail directory or modify my .bashrc, I think that X11 vulnerabilities are just the tip of the iceberg.
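Comments 1 through 3 above raise two same-user exposures on a Linux desktop: the X server running as root, and any process being able to read the memory of any other process with the same uid. The script below is an added example (not code from the comments or from any X.Org or kernel project) that audits both on the machine it runs on. It parses `ps -eo user,pid,args` output for X server processes and reports whether they run as root and whether they were started with `-nolisten tcp`, and it reads the Yama LSM's `/proc/sys/kernel/yama/ptrace_scope`, which is the kernel knob that governs same-uid `ptrace` attach (and, through the same permission check, reads of `/proc/<pid>/mem`). The `ps` snapshot embedded below is constructed sample output, not a capture.

```python
"""Added example: audit X server privilege and same-uid ptrace policy on Linux."""
import os
import subprocess
from typing import List, Optional, Set, Tuple

# Constructed `ps -eo user,pid,args` snapshot (sample data, not from a real host).
PS_SAMPLE = """\
USER       PID COMMAND
root         1 /sbin/init
root       812 /usr/bin/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7
rich0     1403 /usr/bin/xterm
rich0     1520 /usr/lib/firefox/firefox
"""

X_SERVER_NAMES: Set[str] = {"X", "Xorg", "Xwayland", "Xvnc", "Xephyr"}
PTRACE_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"


def x_servers(ps_output: str) -> List[Tuple[str, int, List[str]]]:
    """Return (user, pid, argv) for each X server in a `ps -eo user,pid,args` listing."""
    servers = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        user, pid, args = parts
        argv = args.split()
        if os.path.basename(argv[0]) in X_SERVER_NAMES:
            servers.append((user, int(pid), argv))
    return servers


def x_server_runs_as_root(ps_output: str) -> bool:
    return any(user == "root" for user, _, _ in x_servers(ps_output))


def _nolisten_protocols(argv: List[str]) -> Set[str]:
    """Collect every transport passed via `-nolisten <transport>`; it may repeat."""
    return {argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-nolisten"}


def x_server_may_listen_on_tcp(ps_output: str) -> bool:
    """True when some X server was not started with `-nolisten tcp`.

    Conservative: recent Xorg builds default to not listening on TCP, so an
    absent flag means "check the build defaults", not "definitely listening".
    """
    return any("tcp" not in _nolisten_protocols(argv) for _, _, argv in x_servers(ps_output))


def read_ptrace_scope(path: str = PTRACE_SCOPE_PATH) -> Optional[int]:
    """Yama's ptrace_scope, or None when Yama is absent (file missing)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def same_uid_ptrace_allowed(scope: Optional[int]) -> bool:
    """Interpret Yama's ptrace_scope.

    None or 0: classic behaviour, any process may attach to any other of the same uid.
    1: only descendants, or targets that opted in with prctl(PR_SET_PTRACER).
    2: only processes holding CAP_SYS_PTRACE.
    3: no attach at all.
    """
    return scope is None or scope == 0


def audit(ps_output: str, ptrace_scope: Optional[int]) -> List[str]:
    findings = []
    if x_server_runs_as_root(ps_output):
        findings.append("X server runs as root: a server-side bug is a root compromise")
    if x_server_may_listen_on_tcp(ps_output):
        findings.append("X server not started with '-nolisten tcp'; check build defaults")
    if same_uid_ptrace_allowed(ptrace_scope):
        findings.append(
            f"ptrace_scope={ptrace_scope}: any process can read a same-uid process's memory"
        )
    return findings


if __name__ == "__main__":
    ps = subprocess.run(["ps", "-eo", "user,pid,args"],
                        capture_output=True, text=True, check=True).stdout
    for finding in audit(ps, read_ptrace_scope()) or ["no findings"]:
        print("WARN:", finding)
```

Setting `kernel.yama.ptrace_scope=1` via sysctl closes the same-uid memory-read case the comments describe for everything except debuggers attached to their own children; it does nothing for the X11 input-sniffing case, which lives entirely inside the X server's access model.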

  4. Re: Who would believe it? on Researchers Claim Facebook Is 'Dead and Buried' To Many Young Users · · Score: 1

    Blind people cannot demand to be issued drivers licenses, even if it is discriminatory.

    The only reason blind people cannot get a drivers license is because it isn't possible to safely operate a vehicle (today) without being able to see. That really isn't discriminatory (at least not in the common sense of the word), and neither is refusing to hire a blind person to translate ordinary print books into braille or refusing to hire a quadriplegic as a ditch digger.

    On the other hand, requiring somebody to pass a multiple choice test is discriminatory, because there are people who have the knowledge to drive safely who couldn't pass a multiple choice test (I know one firsthand - took about 30 tries to pass though she could have discussed any driving law in conversation or by drawing diagrams and was perfectly able to follow the rules of the road when driving). But, that's another topic...

    I don't think you meant what you wrote. What you wrote is saying that you can't discuss the NEC with anyone unless they buy a copy.

    I didn't say that you couldn't discuss the NEC - only that you couldn't tell somebody what it is (as in, verbatim). If you posted a copy of it on your website without permission you'd get in trouble for it, despite it having the force of law in many communities.

    And you can always try this link to pdfs.

    Thanks - useful, though I don't see a copy of the NEC or USP in there.

    Pardon the tiny url, the website is the nfpa...
    That is for online viewing only.

    That's my point. Sure, some of these organizations may provide copies for limited public use, but they're still copyrighted and the example you just linked isn't even visible unless you register for an account.

    Governments should not be able to incorporate copyrighted outside standards into law by reference. They should be free to directly incorporate them if they wish, but they would need to republish them in the body of the law and put them into the public domain in the process. You shouldn't need to pay somebody for the right to access the law. Sure, I'm fine with administrative fees if you want them to print you a bound copy, but anybody should be free to copy and distribute anything that has the force of law.

  5. Re:I never see people with Chromebooks. on Chromebooks Have a Lucrative Year; Should WinTel Be Worried? · · Score: 1

    They are hugely popular in K-12 education. It is probably not best at this point to try to assign them a niche.

    Well, I'd fit K-12 education in with the small businesses running web-based apps. Most schools are administered on the scale of small businesses.

    The main difference between K-12 education and college education is who buys the PC. The former tends to have institutionally-owned devices, and the latter tends to be BYOD. Hence my point about cost being no object for college kids.

  6. Re:What an idiot. on Convicted Spammer Jeffrey Kilbride Flees Prison · · Score: 1

    30 years in max security for shoplifting

    ... and execution by a firing squad for stepping on your toe? Because that's the best way to ensure that he is "not likely to commit future crimes"

    You're missing the point. This isn't about eliminating people - it is about rehabilitating people. If somebody simply is never rehabilitated then they're simply never rehabilitated. There are plenty of people who could never live outside of a mental institution, for example. This isn't about punishing them - it is about dealing with them.

    It also isn't about increasing penalties. I mentioned probation for second degree murder in the same sentence - a crime that is usually punished more harshly. In general I'd expect most criminals to spend much less time in prison. However, those who truly can't be rehabilitated might spend more time, and my point was that the time spent in prison has nothing to do with the crime they commit.

    Nobody is going to spend 30 years in prison "for shoplifting." They're going to spend a lot of time behind bars because they fail to comply with rehabilitation and reintegration into society despite having spent 30 years at it. Shoplifting just might be what gets them on the radar. If somebody is that hardened then better to lock them up before they kill somebody and not after. If they aren't a kleptomaniac then they don't need to be behind bars at all most likely.

  7. Re:Chromebooks on Chromebooks Have a Lucrative Year; Should WinTel Be Worried? · · Score: 1

    Indeed, Chromebooks are a real userspace frankenstein. It is a Gentoo derivative that runs Upstart. Yes, go look it up...

  8. Re:I never see people with Chromebooks. on Chromebooks Have a Lucrative Year; Should WinTel Be Worried? · · Score: 1

    The most likely markets for a Chromebook would be at home, or at work in a small business that can operate entirely on web-based apps. The least likely place to find it would be on a train, where network connectivity is probably a bit of an issue since most people don't have tethering plans.

    If I had to buy a relative a computer it would be a Chromebook. It does just about everything they'd be likely to need a computer for, and it basically requires zero support. If I were starting a small business and didn't have a need for any thick-client applications I'd also use Chromebooks - again zero overhead.

    I don't see why they wouldn't be useful at college, but whoever is paying for college is already sinking tens of thousands of dollars a year on the exercise, so why they'd be concerned about how much they spend on a laptop isn't clear to me. Plus, they're not the same fashion statement an Apple product is.

  9. Re: Who would believe it? on Researchers Claim Facebook Is 'Dead and Buried' To Many Young Users · · Score: 3, Interesting

    Makes me wonder what Google did wrong with G+ to get so little popularity - the categorization of friends into separate groups and selective per-group availability of your content seemed to be among the initial assumptions (based on press releases from long time ago, I have no idea whether it works as advertised). That seems to be the right solution.

    Well, being the right solution doesn't make a social network popular, automatically.

    However, G+ has its flaws as well. Its main fault is that it is purely people-centric in terms of sharing information, and is blind to topics. I'm interested in reading about Linus Torvalds's work on Linux. I'm not interested in his scuba-diving hobby. With G+ it is very difficult to get the one without the other. It requires that Linus use multiple accounts (something Google doesn't like), or that he not post publicly and maintain separate circles for the millions of people who are interested in his work on Linux vs his other hobbies.

    Sure, for the little noise Linus generates I'll overlook it. However, the problem is that this does not scale up. When you want to communicate with hundreds of people it is really disruptive when many are "off-topic" much of the time. That's why mailing lists and forums enforce topic-adherence.

    What Google+ really needs is the ability to not follow Linus, but to follow posts by Linus with the hashtag #linux or whatever.

    I probably take a harsher stand on this than many, but the sentiment really is out there. A few months ago the rage on G+ was begging all your friends not to share their "+1's." It wasn't that people weren't interested in having access to that data. The problem was that the UI turned it into noise. Not only do I now have to read about Linus's scuba-diving, but if Linus +1's his sister's announcement of the birth of his nephew I get to read about that too. Such a thing only makes sense if you treat the network like most people treat Facebook - a place to interact with family and family-safe friends.

  10. Re: Who would believe it? on Researchers Claim Facebook Is 'Dead and Buried' To Many Young Users · · Score: 1

    I don't think a professor can demand that of the students. What if a student cannot accept the EULA of Twitter? Will the school refund the tuition and other expenses incurred before knowing about this requirement?

    Yeah, I thought the same thing when the local public school (a mandatory-attendance government-run institution) required kids to sign up for Turnitin(TM). Certainly I didn't have an option as to whether to pay my school taxes in light of this requirement.

    I think it is bogus, but good luck getting the majority to go along with it. What is even more bogus is that stuff like the National Electric Code or United States Pharmacopoeia is copyrighted. It is basically illegal to tell somebody what the law is - you need to pay the appropriate corporation for the right to know the law.

  11. Re:first shot on Hearing Shows How 'Military-Style' Raid On Calif. Power Station Spooks U.S. · · Score: 1

    The reason this shit doesn't happen is that it's really hard to get 50 guys to agree on a single operation without one of them ratting everyone out to the cops. For all that we bitch about our government, and the number of times said government deserves to be bitched at, things have not gotten so bad that people think starting a Civil War is a good idea.

    Good point. Substations are vulnerable enough that just a few people could do quite a bit of damage, but not the kinds of doomsday scenarios people worry about.

    That said, our power grid really is a lot more fragile than it needs to be. It isn't really a "grid" to start with (a structure that implies a level of redundancy in the connectivity). Having a reasonable stockpile of transformers on-hand in the event of a disaster makes sense. That disaster could be anything - accidental or intended, natural or artificial, etc.

    While there is a level of efficiency to be gained by having every wire, road, bridge, and airplane loaded at 99.99% every day, it means that there is a huge mess anytime anything unexpected happens.

  12. Re:What an idiot. on Convicted Spammer Jeffrey Kilbride Flees Prison · · Score: 1

    But you assume crime and illegality are the same thing. What about drug-usage offenses? There's probably no finite in-jail punishment time to prevent future toking upon release.

    Well, crime and illegality ARE the same thing. Legality and morality, on the other hand...

    Yes, in such a world having laws that make sense is even more important than enforcing them in a way that makes sense. As long as we're dreaming about the one, we can dream about the other as well.

    Neither will happen. The majority loves to enforce their perceived brand of righteousness on the minority all the time, though it does change slowly over time. Yesterday's booze is today's drugs, and tomorrow it will be something else. Likewise nobody ever got elected by promising to not be tough on crime, so when somebody commits a crime due to circumstances that are unlikely to ever come up again, don't expect to see him let go without punishment simply because he is unlikely to ever re-offend, even though doing so would probably result in no harm to society and would allow that person to remain a positive contributor instead of a drain.

  13. Re:What an idiot. on Convicted Spammer Jeffrey Kilbride Flees Prison · · Score: 3, Insightful

    The idea that the government should "keep people in jail until they change what they believe" is terrifying.

    Agree 100% - what sane person wouldn't? Would I have used the term "brainwashing" if I didn't want you to be terrified?

    No, we should NOT be judging people based on some arbitrary judge's imagining whether they are likely to commit a crime in the future. Rehabilitation is a disgusting concept.

    Sure it is a disgusting concept, but so is preying on the innocent, and locking people up forever, perhaps punctuated by letting them out for a few years to let them prey on the innocent until we lock them up again.

    Why do we punish criminals at all? Who are we to decide that spending time to build a car is a legitimate way to obtain a car, and clubbing your neighbor over the head and driving off with their car is an illegitimate way to obtain a car?

    The answer is simple - the former society is one where people actually spend their time creating things. The latter society is one where everybody lives in the dark ages defending their small plot of crops against poachers, pledging their fealty to the local warlord in exchange for "protection."

    Since most people would rather live in a civilized society, it behooves us to take steps to keep society civilized. That basically requires brainwashing everybody from childhood into not doing anything you think you can get away with. Some people's brains seem to be wired in such a way as to make that lesson easier to learn than others, and some parents do a better job of teaching it. One way or another some people just don't get it and when they become adults they become problems. So, we can either treat them like problems for the rest of their lives and either live with them or lock them up anyway, or we can actually try to do something about them.

    Whether you're a nice progressive humanist or a zealot who believes in blowing up the meeting-places of people of the wrong faith, and whether you believe in locking up thieves for six months or cutting off their hands largely depends on how you were brainwashed as a child. Since we're doing it anyway, we might as well do it in a way that results in a society we would want to live in...

  14. Re:Cinder-block walls around transformers. on Hearing Shows How 'Military-Style' Raid On Calif. Power Station Spooks U.S. · · Score: 1

    Great idea Sherlock.

    Wasn't my idea.

    Now how about building cinder block walls around every insulator on every tower/pole, because all it takes is shooting those out to bring down the local grid.

    Gee, I had no idea that was possible.

    The concern is that the transformers are much more difficult to replace than the insulators. You are of course correct that either will cause an outage. However, one has the potential to create an outage many months in duration, and the other days.

    Stockpiling transformers would be an alternative solution - probably a better one. Not doing anything has been working well, but then again it worked great for credit default swaps for a while as well.

  15. Re:Slashdot Poll ? on Microsoft's Ticking Time Bomb Is Windows XP · · Score: 1

    I suspect 0. They didn't do it for NT, so why would they do it for XP? Lots of companies were stuck with NT machines they couldn't easily get rid of when that was no longer supported.

  16. Re:What's the alternative? on Microsoft's Ticking Time Bomb Is Windows XP · · Score: 1

    So maybe it's a bad idea to do business with peripheral makers whose long-term plan is for you to have to re-buy their devices rather than offer long-term support to let you use them with modern systems. The idea that you will never have to upgrade your OS is just plain stupid; since computers started they have never stopped being updated. When you pick a system have FORWARD compatibility in mind.

    Sometimes you just don't get a choice. For companies that make state-of-the-art instrumentation/automation/etc the PC used to control the thing is almost an afterthought, and for the buyers that is just as much the case. When you are spending $500k on a scientific widget capable of doing something no other vendor offers, are you going to decide to not invest in the capability simply because the OS will be obsolete before the investment pays for itself? If so, you'll find your place as an industry leader usurped by somebody who does.

    Typically in these cases my company will firewall the living daylights out of the equipment or air-gap it. Sure, we do look at the OS support when we buy equipment, but that only helps if you have a viable alternative. If you need some piece of equipment to be relevant then you're going to buy it warts and all.

  17. Re:What an idiot. on Convicted Spammer Jeffrey Kilbride Flees Prison · · Score: 5, Insightful

    It's money well spent. Spammers need to rot in jail and the longer the better. He's caused millions of dollars in damages with his spam shit and if he stays on the loose he'll be back at it. These guys never quit, they think they have the right to annoy us without end.

    If that were true then the sentence should be life, not a few years.

    Our justice system is extremely messed-up. It is about punishing people for past transgressions, and not about preventing future transgressions. If anything the way we treat people once they're out just makes them more likely to offend - do you think this guy could get a job running mail servers for a legit corporation once he's out? No, they'd never hire him, so that leaves what he's good at - sending more spam.

    People who commit crimes should be kept under an appropriate amount of supervision until they've been rehabilitated to the point where they're not likely to commit future crimes. The right "sentence" isn't going to be the same for every criminal. Some criminals could probably be put on immediate probation for 2nd degree murder, and others might need 30 years in max security for shoplifting. It shouldn't be about punishments that fit the crime, it should be about rehabilitation that fits the criminal. There shouldn't be registered sex-offenders - people likely to re-offend shouldn't be let out at all, and those unlikely to re-offend shouldn't be treated as if they are likely to do so. Whether a criminal in rehabilitation is behind bars or not should depend on how likely they are to re-offend during rehabilitation, and how likely they are to comply with their rehabilitation activities. If they were trusted to be out on bail during their trial, I'd probably trust them to show up on time for their 8 hours a day of brainwashing until they do otherwise.

  18. Re:Calcium Magnesium Acetate (CMA) works great on Wisconsin Begins Using Cheese To De-Ice Roads · · Score: 1

    That was my first thought. All they're doing is just finding another source of NaCl. They shouldn't be trying to spend less on salting roads - they should be spending more as the current strategy is penny wise and pound foolish.

    Many have argued that switching to organic salts would cost a bit more in the salt budget, but would easily pay for itself many times over in reduced road maintenance and increased car longevity.

    We'll never see it happen though - society is WAY too short-sighted for that.

  19. Re:Cinder-block walls around transformers. on Hearing Shows How 'Military-Style' Raid On Calif. Power Station Spooks U.S. · · Score: 4, Insightful

    Would you be prepared to pay 50% more on your power bill for these unneeded modifications?
    Transformers need cooling so when encased they would need more fans etc...

    The problem with security is that you don't need it until you do, kind of like the fire insurance on my house. When you have good security you tend to deter attacks, which makes it seem like a waste. When you don't have good security all it takes is one black swan event to cripple half the country.

    I'm sure we could cinderblock every substation in the country for the cost of a few F-22s. Considering all it takes is a bunch of nutjobs with rifles to take out all the transformers servicing a major city, I'd consider the cinderblocks money well spent, well, assuming cinderblocks really are enough to do the job (I tend to think it would take a bit more).

    Heck, half the northeast US had a blackout a decade ago due to some honest mistakes. I can only imagine what a coordinated attack would accomplish.

  20. Re:first shot on Hearing Shows How 'Military-Style' Raid On Calif. Power Station Spooks U.S. · · Score: 3, Insightful

    I just RTFA'd. Scared the hell out of me when I considered the ramifications of a co-ordinated attack.

    I remember reading an article about this sort of doomsday scenario back in the 80s. You don't even need a big army to attack these substations/etc. All you need is some guys with rifles to hit a whole bunch at the same time. Just shoot the insulators on the high-voltage lines and watch the whole thing go up in a shower of sparks. If you want to use 50 cal rifles and shoot up the transformers you could of course do so - the last time I drove past a substation they didn't exactly have guards on ready alert, so you could take shots at the thing for half an hour before the police showed up most likely.

    For the billions of dollars we spend on bombers you'd think that somebody could stockpile a bunch of spare transformers and standardize the substation designs.

  21. Re:XP is a vulnerability itself. on Microsoft's Ticking Time Bomb Is Windows XP · · Score: 1

    Watch the video completely. You'll see a keyboard being used.

    I did watch it before commenting. However, I saw very little tedious playing with numbers/colors/formatting/etc, and a lot of click/drag/copy/paste. I don't think I saw more than a sentence typed using a keyboard.

    That just isn't the reality of how presentations get made. That is, unless you actually give the computers enough AI that they can create the presentations entirely on their own, and if they did that there would be no need to pay all the people to tap the screen.

  22. Re:XP is a vulnerability itself. on Microsoft's Ticking Time Bomb Is Windows XP · · Score: 1

    Let me just close with a video from almost 3 years ago showing where Microsoft sees themselves as heading.

    Ah, everybody loves charts and hates numbers, but videos like these never show the poor guy playing with page after page of endless numbers and tweaking formulas until the charts look nice, and then sitting there tweaking colors/fonts/etc so the slide looks good. Oh, sure, the autoformat will pick a bunch of colors, but if you're making anything of any complexity you probably want the colors to mean something so that the clip-art over here matches the color of the line over there. This stuff is really tedious, and good luck doing it with a touch-screen...

  23. Re:Understandable, but... on Surge In Online Orders Overwhelms UPS Christmas Deliveries · · Score: 1

    That extra capacity carries with it some benefits, as well as a price.

    There are lots of couriers out there that you can use when you just HAVE to get a package there in time. I'm sure somebody needed a heart transplant somewhere the day before Christmas, and I'm sure it got there on time. It was packaged up in a hospital, where a helicopter landed and took it to a small airfield, where it was loaded on a jet and flown to another airfield, where it was loaded onto helicopter and taken to a hospital where it was run down to the OR where the patient was waiting with their chest cut open. You can imagine what it cost to get it there, and the courier wasn't the one who ended up footing the bill.

    UPS is a general-purpose parcel service. They aren't going to stick a box in somebody's carry-on allowance if that is what it takes to get it someplace. They aren't going to handcuff a briefcase to somebody's wrist and have them followed by a squad of guards. What they will do is get your package someplace on-time 99.5% of the time for $10.

  24. Re:Understandable, but... on Surge In Online Orders Overwhelms UPS Christmas Deliveries · · Score: 2

    Which is why UPS should have, oh, gone public with the information and told the press that Amazon and others were lying?

    UPS telling their customers (which is Amazon, not you) what the deal is makes their customers happy. UPS embarrassing their customers by calling them out to the press doesn't make their customers happy. Which strategy do you think will be better for business?

    UPS is going to lose zero business because of these delays. Everybody who actually pays them money knew about them in advance and chose to use them anyway. Anybody other than a retail shipper doesn't care since normal businesses don't ship tons of stuff out the day before Christmas.

    UPS didn't promise anybody that their package would be there on time. Amazon may very well have, and that's where the fault lies. Amazon doesn't even let customers pick the courier anyway - they just pick the delivery timeline and Amazon picks the courier. So, even if UPS went on the radio saying that they'd spend a million dollars a package getting stuff there on time if that was what it took there would be no way to buy something from Amazon and be assured that they'd use UPS anyway. And the only way UPS is going to spend a million dollars getting you a package is if somebody paid them a $1.1M to do it.

  25. Re:Understandable, but... on Surge In Online Orders Overwhelms UPS Christmas Deliveries · · Score: 1

    The reason bean counters don't like paying for "surge capacity" is because "surge capacity" is often left unused, because it is insurance for the rare-to-never case where things completely shit the bed.

    You make it sound like they're trying to make money or something.

    There is a simple solution for the surge capacity problem - flexible pricing. If $10 is the regular overnight rate then make the guarantee that it will get there overnight on 99% of all shipping days, which means the company is free to take longer 3 days a year. Then offer an overnight for $100 for the exact same size/weight that comes with the 100% guarantee. Now you can afford the surge capacity, and you can bump the 99% tier as much as you need to the day before Christmas. If somebody absolutely needs their X-Box the day before Christmas then they can just fork over $175 for shipping.

    They'd have no trouble getting the packages delivered for that rate. Just put out an ad in the paper that anybody can show up and be given a package and an address in exchange for a deposit, and upon return with a signed receipt for delivery they get their deposit plus $100. People would line up to deliver packages. You could even pay people $50 to pick up their own packages at the depot.

    You can deliver anything, for a price. It just doesn't make sense to staff for a peak that you only hit one day per year. Sure, you can surge by scheduling double-shifts and such, but that only lets you maybe double or triple your capacity. You aren't going to maintain a fleet of delivery vans that you use one day per year. At least, not if you want to stay in business, because as much as everybody would prefer that the guarantee be honored that one day per year, they're not going to switch to a carrier that charges 25% more the other 364 days per year in order to do it.