Slashdot Mirror


User: spinkham

spinkham's activity in the archive.

Stories: 0
Comments: 975

Comments · 975

  1. Cypherpunks ho! on Police Want Fast Track To Get At Your Private Data · Score: 1

    I guess it's time to bring back the cypherpunks. Somebody light up the Phil Zimmermann beacon! ;-)

    Only upside I can see is more willingness to use GPG or S/MIME if a law like this gets passed.

  2. Re:Separating reality and fantasy on House Overwhelmingly Passes Cybersecurity Bill · Score: 1

    I'm sure that kinetic response for network threats is part of the US strategy. Though we don't use swords much anymore...

  3. Re:Are most programmes multi-processor? on Intel Details Upcoming Gulftown Six-Core Processor · Score: 1

    This is why I bought a 2-core CPU. For the power draw and upfront cost it made the most sense for my workloads.

    Occasionally I encode videos for YouTube and Vimeo, and compile large software packages, but otherwise a 4-core CPU would be drawing power needlessly and be unnecessarily expensive for me 99.9% of the time.

  4. Re:HTML5 is a dangerous "standard". on MPEG LA Extends H.264 Royalty-Free Period · Score: 1

    Google supports Theora in Chrome. It's only Apple who doesn't, probably because iPhones/iPods do H.264 in hardware and not Theora.

    Also, HTML5 does not standardize on either Theora, H.264, or any other format. And I fail to see how the standard brings DRM into the picture at all...
    Both Google and Apple have been heavily anti-DRM in the past.

    I'm cynical about large companies, but you make me look downright cheerful ;-)

  5. Re:science relies on the free exchange of ideas on China Will Lead World Scientific Research By 2020 · Score: 2, Interesting

    China is more free than you would think. Yes, there are some things they hide from their people (case in point: I talked to a nuclear engineering grad student in China who was complaining about how China has no nuke reactors because the West won't let them, when they have had reactors since 1994, and have 11 on the mainland and a few in Hong Kong, with more on the way), but for the most part they realize technical information must be free-flowing to increase their economy. This is why they have internet access, but pictures of the Tiananmen Square massacre are filtered. All information is free, except that which hurts the party.

    This seems to be most damaging to them in biology, history, and political science, and much less so in engineering, physics, and the like. China wants badly to make money, and knows science is a good way to get there.

    The flip side is that the culture does encourage saving face and helping your peers to the point of cheating, which has influenced even some of their best scientists and institutions to fake results and plagiarize as a matter of course. Yes, this is a problem all over the world, but it has more institutional support in China, at least the part of China that I am familiar with.

  6. Re:Except... on China Will Lead World Scientific Research By 2020 · Score: 2, Interesting

    I've been to China a few times, and my in-laws lived there for 3 years, teaching at a high-tech university.
    There is definitely a class struggle in China where a contingent of highly educated, highly skilled workers feel that the peasant masses are holding them back. The large population is both a blessing and a curse to China.

    Even so, the well-educated portion of the population of China is still quite large, and we will see their influence continue to grow.

  7. Re:Will the kernel ever get to 3? on Next Linux Kernel Due Early March · Score: 1

    There's been tons of innovative stuff in Linux, just on a level most users don't have to interact with. And that's the way it should be.

    Your comment is like knocking Toyota for basically making the same car as everyone else, the only difference being their superior production methods and products.

    In fact, the Toyota production process and Linux are a lot alike: Linux is where it is today through a philosophy of continuous improvement, not any one great feature that is a world beater.

    For those of you who missed out on the 80s when Toyota changed the auto industry, see this: http://en.wikipedia.org/wiki/The_Toyota_Way

  8. Re:A major problem is the programming language. on IE 0-Day Flaw Used In Chinese Attack · Score: 2, Insightful

    The shuttle software is near perfect, and it cost about $1000 per line to write. Average commercial code is crap and costs about $18 a line to write.

    Also, with the rate of change in a web browser at the moment, I don't think you could write a perfect one even at 50x the cost, because projects don't scale that well.

    All comes back to:
    Fast, cheap, good. Choose two. Same as any other profession.

  9. Re:A major security flaw in IE? on IE 0-Day Flaw Used In Chinese Attack · Score: 1

    Indeed. There are a number of alternative browser projects, but only 4 main browsers that qualify as modern and complete.

    A few of my favorite smaller projects:

    Lobo browser - a browser in pure Java. One of the most complete engines outside of the big 4.
    http://lobobrowser.org/java-browser.jsp

    dillo - Small and fast.
    http://www.dillo.org/

    env.js - browser in JavaScript. No layout engine, but useful for automated testing/building scanners, etc.
    http://github.com/thatcher/env-js

    libxml2 and html5lib - Now firmly out of anything we can really call a browser, but these are some very high quality HTML parsing libraries.

  10. Re:A major security flaw in IE? on IE 0-Day Flaw Used In Chinese Attack · Score: 4, Interesting

    Honestly, if you think you can just slap a few open pieces of software together and have a secure functioning browser, you're smoking something. There's a reason there are only 4 browser engines, and that's because it's *hard*.

    Firefox is NOT doing well at producing a secure browser. They patch faster than IE, but every Mozilla 3.5 release has between 2 and 6 critical (read: likely exploitable) security flaws. They have had 35 flaws total in the last 7 months. http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

    Chrome is doing somewhat better, but they have only 2% market share, and not as many people hunting for bugs. Still a number of critical bugs fixed last year.

    Just ran sloccount on the Firefox 3.5.7 source tree, and it says there are 2.7 million lines of code. For comparison, Linux 2.6.32.3 has 8 million lines, so Firefox is only 1/3 the size of the full Linux kernel, including all drivers.
    The average code has about 0.5-1 security bugs per 1k lines of code. That means we can expect 1350-2700 security bugs in Firefox.

    Just so this isn't all about Firefox, Chromium (the open source branch of Chrome) largely reuses software as much as possible, and has 4.5 million lines of code. That's a huge project. They seem to have fewer custom parsers, but upstream bugs still do affect them.

    The point of this isn't to say that Firefox or Chromium is worse than IE, it's just that modern web browsers are *complicated*. Security is hard even for small projects, and 2.7-4.5 million lines of code is not small. You can hate on IE all you want for web standards support (SVG and XHTML are two nice places to start), but they're actually not doing much worse than the other players for security at the moment. Yes, IE 6 is a piece of crap, and if you're still running that then you deserve what you get, but IE 8 is decent.

  11. Re:A major security flaw in IE? on IE 0-Day Flaw Used In Chinese Attack · Score: 4, Insightful

    The format is trivial, but oddly enough a secure parser is not.

    One of the exploitable Firefox bugs this year is in the GIF parsing code, in a situation where there are multiple images in a GIF file, and one has a small color map and is malformed in a specific way, followed by one with a larger color map.

    See https://bugzilla.mozilla.org/show_bug.cgi?id=511689 for more details.

    Java and Windows have also had GIF parsing security bugs in the past:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
    http://www.checkpoint.com/defense/advisories/public/2008/cpai-02-Sepa.html

    Remember, this GIF parsing is but one of the things I mentioned, and I only mentioned a small fraction of the potential bugs in any web browser.

    This is why security is hard: Secure software is perfect software, and we don't write perfect software.

  12. Re:A major security flaw in IE? on IE 0-Day Flaw Used In Chinese Attack · Score: 4, Insightful

    Oh really? Tracing JIT JavaScript interpreters are trivial? Parsing PNG, GIF, JPEG, SVG, and even more image formats is trivial? The rules for the same origin policy including inheritance to iframes and the like, cross domain access, content encoding, proxies, plugins, memory management, not to mention multiple tabs with concurrent access to all these things... These are all trivial to you? Man, I'd use your browser in a second, because no one else can manage the complexity. The standards are nice as far as they go, but not complete, and there's lots of legacy crap out there. HTML 5 does codify better parsing behavior and other things that have been missing from the standard, but still doesn't cover everything.

    For a very quick overview that just grazes the surface of how hard this stuff is, see the Browser Security Handbook by Michal Zalewski.

    Firefox lists 35 security flaws in Firefox 3.5 alone, and that's only been out since June.

    Yes, ActiveX is/was/will be a bad idea, but at least it requires a click-through now, and runs with DEP in IE 8. Plugins have the same problems with native code for Firefox and the other browsers too, and now that Firefox has market share, we're starting to see a rise in plugins and security flaws there instead.

    Now, I'm not a Windows or IE fanboy, actually I hate the darn thing and run Firefox most of the time. But I do break web software for a living, and know how complex this stuff is and how nobody has it right. Both IE and Chrome have added some interesting security features lately to help contain flaws when they do occur, but nobody has yet written perfect software and there will continue to be security flaws in all browsers.

  13. Re:Statescraft on Google.cn Attack Part of a Broad Spying Effort · Score: 1

    That is not related to most of the incidents. Honestly the current state of software security is really bad, and any well funded attacker can get in pretty much anywhere. However, there has been counterfeit networking equipment with backdoors that was found after being sold to defense contractors...

  14. Re:A major security flaw in IE? on IE 0-Day Flaw Used In Chinese Attack · Score: 3, Interesting

    Honestly, there are major flaws in all browsers all the time; they're really complicated software and are the most exposed part of the computer at the moment, so lots of research is put into finding flaws.

    The two continuing problems are:
    1) The use of old versions. IE 6 sucks. No way around it. IE 7 sucks less, and IE 8 has a mix of good and bad things.
    2) The time between updates. Some known IE bugs go unpatched for a long time, with about a 1 month minimum exploitation window, and often quite a bit longer. FF and especially Chrome are MUCH better about pushing out patches and getting their users to upgrade.

  15. Re:Been complaining about this for years on Google Attackers Identified as Chinese Government · Score: 1

    I can't speak on this specific case, but in general there are specific areas in China and IP ranges where attacks have come from for a while, many of which have no resale value on the market, or political value only to China.
    One incident doesn't tell the story, but combined they do.

    See http://taosecurity.blogspot.com/2009/10/report-on-chinese-government-sponsored.html for more details.

  16. Re:Statescraft on Google.cn Attack Part of a Broad Spying Effort · Score: 3, Interesting

    They are NOT doing a bad job of it, and they are much more skilled than "script kiddies".

    When organizations like Google and people like Richard Bejtlich (who has literally written the book on network monitoring and incident detection) admit to being p0wn3d and unable to be sure the mess is cleaned up, you know you're up against a very sophisticated attacker.

  17. Re:No thanks on Blizzard Authenticators May Become Mandatory · Score: 1

    This is what smartcards do today.
    Currently in the US, they are only commonly in use in the military as CAC cards, but some other people are using them also.

  18. Re:Two points on Freescale Unveils Design For $199 Tablet · Score: 1

    No real research here, but my conjecture is that we're used to freedom on PCs, but when it comes to cellphones, we've never known differently, so we just take what we can get.

  19. Re:As always, make yourself known on Why Coder Pay Isn't Proportional To Productivity · Score: 1

    No worker in a large bureaucracy / corporation, you mean.
    If you want to make what you're worth, you start and/or join a small company.
    I'm a consultant who makes what I'm worth, which is sometimes great and sometimes not so great. It's not for everyone, but if you're a risk taker, it might be for you.

  20. Re:Office "open" XML on Microsoft Ordered To Pay $290M, Stop Selling Word · Score: 1

    On the other hand, ODF is a proprietary Sun standard couched in the clothing of an international standard.
    Yes, ODF does seem to be somewhat less baroque and better documented than OOXML, but they are in fact both formats created for a particular piece of software which have been extracted for wider use.

  21. Re:The RDF strikes again on Carriers, Manufacturers Are Strangling Android · Score: 0

    Apple has a large percentage of the smartphone market. Phones that are optimized for making calls just ain't sexy any more, even if they are popular and useful.

  22. Re:A naive question on Carriers, Manufacturers Are Strangling Android · Score: 1

    Well, you used to legally be required to lease your phone from Ma Bell.

    http://www.porticus.org/bell/bell_system_property.html

    You CAN still go buy an unlocked phone and connect it to a provider's network, you just pay through the nose for the phone, and don't get a discount from the carrier. They'll be happy to connect it for you as long as the tech is the same though.

  23. Re:I am seeing it. on Not Enough Women In Computing, Or Too Many Men? · Score: 1

    Look to the high integrity side of the industry to avoid outsourcing pressure.
    Military, banks, and other high risk organizations pay a premium for dependable in-house talent with integrity. If you can score a top security clearance w/ polygraph, you'll have employment for life. If not, looking to high risk organizations usually leads to better treatment.

  24. Re:Backup! on Israeli Border Police Shoot US Student's Laptop · Score: 1

    DVDs and flash memory [sticks, cards, drives] have enough space to back up most projects that will be done on the road, and are less likely to be stolen or destroyed.

  25. Re:Counterpoint on Try Out Chrome OS In a Virtual Machine · Score: 1

    Web tablets. That's the real market for ChromeOS. Otherwise, I agree with you, snooze city.