Slashdot Mirror


User: Chris+Burke

Chris+Burke's activity in the archive.

Stories
0
Comments
12,567
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,567

  1. Re:100% Correct -- for many reasons What...? on Should Vendors Close All Security Holes? · · Score: 1

    When given the option between a week of effort to fix a security hole (for free), or a week of effort to build a new feature (for cost), not all but most of our clients prefer the latter. They would rather grow their business (even on an unstable balancing act) than safe-guard their business. And all the advice in the world doesn't seem to be able to change that.

    I guess it's the typical/traditional backup advice. I have yet to meet a client that is willing to spend the time and effort to develop a reliable backup routine (not even a restoration routine). They'd rather run the risk of losing all of their data, and dealing with the headaches and fall-out, than to spend money to prevent something that may never occur.


    Oh, okay, I see. Your customers are idiots, and you are merely providing them with the quality of software they deserve. If you just want to exploit the foolish for minimal effort, that's fine for you, just don't act like your policies are actually how software should be developed.

  2. Re:Japan migrates to Non-existant Software on Hilf Claims Free Software Movement Dead · · Score: 2, Funny

    Yeah, they're trying to compute by not computing. Whereas when you run Windows, it's the opposite!

    Now me, I once tried Zen programming: Coding by not-coding.

    Sadly Zen programming resulted in my employer Zen paying me.

  3. Re:Huh? on Hilf Claims Free Software Movement Dead · · Score: 5, Funny

    <on a highway>
    radio: pls be aware of the one guy driving in the wrong way!
    guy: one? All of them!
    </on a highway>


    Geeze, I just can't keep up with all these application-specific html tags! I bet that doesn't render the same on IE and Firefox...
  4. Re:The thing is that it's true on Bungie Vs. Miyamoto - Fight! · · Score: 1

    This whole thread has been a misunderstanding? On /.?! Unpossible!

  5. Re:100% Retarded -- for many reasons on Should Vendors Close All Security Holes? · · Score: 1

    Outside of terribly serious security holes, security holes are only security holes when they become a problem. Until then, they are merely potential problems. Solving potential problems is rarely a good idea.

    NONSENSE. Maybe it isn't a "good idea" to your manager whose only care is a deadline, but that's the exact opposite of what any rational person would do. Solving things when they are merely potential problems is the ideal time to solve them! If you wait to fix a bug until it causes problems, then you've waited to fix a bug until after it has hurt your customers. I bet they won't agree that you did things in the right order, waiting until it was no longer "potential".

    Do you work for the Louisiana Corp of Engineers? "Well the levies are a potential problem, but I think it's better for us to wait until they are an actual problem before we fix them. That should be the smart thing to do." Just compare the cost of repairing New Orleans to the cost of fixing the levies to see just how much of a "good idea" that was.

    I could go on and on and on for days and days with countless examples from software and Real Life of just how stupid it is to wait for something you know is a potential problem to turn into a real one. But so long as its the customer who pays the price for this attitude, I guess it works, eh?


    We're not talking about tiny functions that don't consider zero values. We're talking about complex systems where every piece of programming has the potential to add problems not only to the system logic, but also to add more security holes.

    That's right, I said it -- security patches can cause security holes.


    Oh noes, what a terrible secret! That's why you take the lower priority bugs, fix them, and then spend the time to test the fixes to see if they introduce new bugs and release them in a periodic patch. Yes I know you can't prove you haven't introduced bugs, blah blah, you can't for any other checkin either. If by your own estimate the bug isn't urgent, then you can take the time to check your fix at least. Frankly I'd be more worried about the patch you have to hastily throw together when one of your "potential" problems becomes a real one and your customers are getting pwnzored and are demanding a fix yesterday. That's the fix that is more likely to introduce bugs, and it's a direct consequence of your "don't worry about potential problems until they bite us in the ass" idiocy.

    Your front door has a key-lock. That's hardly secure -- they are easily picked. But it's secure enough for most neighbourhoods.

    If there was a device that could automatically attempt to lock-pick any lock with a known vulnerability, and it could check thousands of locks per second, you better believe I'd be out to buy the best damn lock I could find, and upgrade every time a vulnerability was discovered in my existing lock. And I'd be pissed as hell if I found out my old lock vendor had known about an issue but didn't do anything until after my house had been robbed. Door locks serve as a deterrent because even if they are relatively easy to pick that at least takes time and effort for every lock. Computers allow the lock to be picked once and then every lock of that type can be opened with essentially zero effort. Thus why there are tens of millions of Windows zombies out there.

    So the question with your software is: when does this security hole matter, and how does it matter. If it's only going to matter when a malicious person attacks, then the question comes down to how many attackers you have.

    Once again, no. Remember computers? Automation? The question comes down to is there a single attacker on earth who knows the vulnerability. If the answer is "yes", then that one hacker can exploit every single one of your customers.

    And if those attackers are professional, you might as well make their life easier, because they'll get in eventually in one

  6. Re:The thing is that it's true on Bungie Vs. Miyamoto - Fight! · · Score: 1

    Nor can it be used as an example of a lack of innovation (both because it is old, and because at that time it was truly innovative), which if you've been paying any attention, you'd know was the intended slight of the Bungie dev who brought it up.

  7. Re:Procrastination? on Should Vendors Close All Security Holes? · · Score: 1

    Now, that's bugs, which is a wider category than security holes. So, suppose that instead of crashing, it very rarely and briefly enters a state in which a particular sequence of bytes sent to it via the net can cause it to execute arbitrary code. Furthermore, suppose the program should never be running as root, so the arbitrary code is nearly useless. This is a low risk security hole, and probably not worth patching.

    Could take hundreds of man-hours to find the cause, and perhaps even longer to fix. Probability of ever seeing this exploited is very very low. Should it then be patched?


    Absolutely, though I don't think that exploit should have ever been rated 'low' priority in the first place. Execution of arbitrary code not run as root is still very bad, not just because being able to do anything the service can do is bad, but also because then any local-priviledge-escalation bug combines with this bug to form a complete remote-exploit-box-pwnage bug. Since your software company probably doesn't deal with any of the multitudinous pieces of software that could result in a local escalation exploit, you may not be warned in advance when such an exploit becomes known. So you've sat on this "low" priority bug for years with no intention of fixing it, and suddenly all your customers are vulnerable, and you're still at square 0 with regards to fixing your now high priority and still high-effort-to-fix bug.

    There is ultimately no question. Yes, the bug should be fixed. There is nothing wrong with assigning priorities, and working on the "high", then "medium", then finally "low" bugs. Unless your "low" bug should really be a "high" bug. But there should absolutely never be a policy of "we will not fix this bug until our customers hear of it".

  8. Re:The summary missed those parts. on Should Vendors Close All Security Holes? · · Score: 3, Insightful

    No matter how good the QA testing is on a piece of software before it's released, it invariably has bugs and security risks.

    Trivial and meaningless statement. There is good code and bad code. Good code is code with fewer bugs. Bad code is code with many bugs. A good developer is one who designs the code to avoid bugs, and who, more importantly, fixes the bugs they find. A bad developer uses the above truism as an excuse to avoid fixing their shitty code.

    Why do you have a problem with assigning priorities to issues that need fixing?

    When one of those priorities is "don't fix until our customers find out, and try to keep them from finding out" then I have a problem with it.

    The only thing that should distinguish a high priority bug from a low priority bug is: Do we fix it, then release the patch as an urgent hotfix? Or do we fix it, then release the patch as part of a periodic security update so that we have more time to test and so sysadmins aren't overwhelmed having to apply and test patches all the time? There is no priority that should read "Do not fix, unless we get bad P.R. for it."

    The only developer who would do such a thing is a bad developer who is okay with leaving their customers exposed. Of course the reason they got into that situation, of having so many security issues that they can't afford to fix them all, is due to them being bad developers.

    Are you incapable of thinking reasonably, or do you just like pointing fingers?

    You need to drag your brain out of its pie-in-the-sky abstract concepts like "do you have a problem with priorities" and start actually thinking about the situation before you start saying things like this.

  9. Nobody knows what Treo light is for? on A "Bill of Lights" to Restrict LEDs on Gadgets? · · Score: 1

    "Annoyingly, nobody knows what that green light is for, and even worse, you can't turn it off."

    It's true that the treo's indicator light is too bright, and it flashing in a dark room is annoying. It should definitely be turned down in future versions. But it does serve a useful and pretty obvious purpose, so I'm surprised that the author says "nobody knows what that green light is for".

    It's simple. It blinks green when you're connected to the network. It blinks red when it can't get a signal. When you plug it in, it glows red until it is fully charged, at which point it glows green.

    Oh, and it can be turned off: Turn off the phone function of the Treo. Not that useful, but easy, and if the problem is that it's blinking at night that may be acceptable.

  10. Re:Support? on Inside AMD's Phenom Architecture · · Score: 1

    Well the thing to remember is that for most people's usage patterns they will have many processes running at once but usually only one of them will be cpu-limited. Nevertheless, the argument for dual-core desktops is a slam dunk: One core to run whatever CPU intensive task you want, one core to run everything else. The performance of the CPU bound app goes up while the responsiveness of every other task also improves.

    Quad core becomes a little tricky. When one spare cpu can run every background task with cycles to spare, what are you going to do with two more spare cores? "Even more multitasking" is the first answer, where you're re-encoding DVDs while playing Quake4. That might work, but seems also somewhat contrived. It'll have to do, though, until a real reason to want quad core in the form of multi-threaded CPU-intensive apps become commonplace. Certainly anyone doing rendering wants as many cores as they can get, but until games become multi-threaded as a matter of course it's going to be hard to show what real advantages quad-core will bring.

    But maybe that's okay. I'd be happy if dual-cores are the standard on desktop while quads are relegated to the "Extreme" editions and servers.

  11. Re:AMD IS Doomed to Always Be a Follower Unless... on Inside AMD's Phenom Architecture · · Score: 1

    They are following because they are barely making a profit, the last I heard.

    There's a semantic distinction between "following" and "trailing". "Following" is doing whatever your competitor is doing, after they have done it. "Trailing" is to merely be behind, as in a race or other competition. AMD may be trailing due to being unprofitable and losing some marketshare, however this does not indicate that they are following Intel.

    It seems you want AMD to make a completely new architecture (microarch or ISA? I assume the former because the latter is DOA). They probably are. New architectures take half a decade from conception to production. AMD needs to compete with Core 2 now. Thus an upgrade to the existing k8 architecture.

    Not that this has anything to do with your original post, nor does AMD have anything to do with software reliability. They make hardware that already has standards of reliability and rigorous formal testing far beyond what any software outside of avionics and nuclear reactors goes through.

  12. Re:Begging the question on Inside AMD's Phenom Architecture · · Score: 1

    Well it's not like anyone cared about the Pentium D, since it was pretty craptacular. Lessee, take a bandwidth-starved core design, slap two down in one package, downclock the system bus since the MCM has some of the same signal integrity issues as multi-socket, and you get... two cores that are starved for bandwidth even more. Yay.

    So you were much better off waiting until Core 2 regardless, if you wanted an Intel dual core anyway.

  13. Re:What Maroons! on Teachers Fake Gunman Attack · · Score: 1

    These kids won't trust teachers ever again ... and they'll probably have trouble with authority figures for the rest of their lives.
    You say that like it's a bad thing.
    If that mistrust of authority is created through a traumatic event, then it certainly can be. I had a friend who as a late teenager had the cops burst into his house on a drug bust, roughing up him and his family, except it was the wrong street. Ever since then, he has a panic reaction when he sees a cop and he runs. Guess what the police think when they see a guy suddenly take off running? Yeah, I'd say it's overall a bad thing. I would bet only a few kids at best would learn some intellectual life-lesson about mistrusting authority; the rest were probably severely scarred by their teacher's betrayal.
  14. Re:Begging the question on Inside AMD's Phenom Architecture · · Score: 4, Informative

    I introduce to you the Pentium D.

  15. Re:Of course they haven't. on Bill Bans NSA Eavesdropping · · Score: 1

    But he can't be a diabolical mastermind and an idiot.

    Have you seen how they planned Iraq and what they thought would happen? I'd say it's damn possible for them to be both a diabolical mastermind and an idiot.

    Even an idiot can have an evil agenda.

  16. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    A stay is not unusual. Who considers it overwhelmingly likely to be overturned? The same media sources for whom Carter saying "I am complying with the provisions of this act" justifies Bush saying "I have no intention of complying with this act"?

  17. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    That is not precisely true in general (there are circumstances under which searches are reasonable under Fourth Amendment law despite not having a warrant), but under FISA, it is true of electronic surveillance under color of law without specific statutory authorization, including "foreign intelligence" surveillance without a warrant outside of the specific exceptions to the warrant requirement in FISA itself.

    Thats a good point and I'm aware of exceptions for general law enforcement if not FISA, but was trying to be accurate without unecessary precision. :)

    Thanks for the heads up though, as it hurned out handy when whats-his-name linked to an article that claimed all the presidents since FISA was signed including Carter have issued statements saying they would conduct warrantless searches... But the article conveniently left out the part of Carter's executive order where he said the Attorney General could conduct warrantless searches, but only in compliance with the relevent (and referenced) provisions of FISA. So... Carter was saying he is obeying the law, Bush says he is not going to obey the law, but with selective editing it becomes proof that "everyone's doing it".

  18. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    A consensus of opinions that, as you are so fond of pointing out about the signing statements, have zero legal weight. I can't help but notice though that your article, picked once again from a source decrying the evils of the liberal media, failed to include a rather important clause of Carter's statement. Specifically where the article stops with "Pursuant to Section 102(a)(1) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1802(a)), the Attorney General is authorized to approve electronic surveillance to acquire foreign intelligence information without a court order ..." the elipses there are actually "but only if the Attorney General makes the certifications required by that Section." Carter was only granting the written authorization required by the law for the Attorney General to make requests and then only in accordance with the law. So... No, there is no consensus.

    Anyway, here's an opinion that matters.

  19. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    P.S. Here's your ruling.

    Oh but I'm sure it's just the judge confusing illegal with her preferences, and not Bush doing that.

  20. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    So another administration put forth the theory that the President can ignore the 4th Ammendment whenever they want. That means nothing. A different President theorized that he didn't need to pay any attention to Supreme Court rulings, and he was wrong too.

  21. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    Yes it is. The FISA court was created in part for granting warrants for domestic wiretaps. No other method for obtaining such a warrant exists. Without a valid warrant, the search is illegal. The only possible counter-argument is the one that Bush makes: The law and the Constitution don't apply to him when he doesn't think they should.

    And no, "someone who thought it was illegal" could not challenge it in court, as they would have no standing to bring such a suit unless perhaps they knew or had reason to suspect that they had personally been illegally surveiled. That's the way it works. I can't go to court to stop my neighbor from beating his wife and I can't go to court to stop the president from conducting domestic surveilance.

  22. Re:You've got that kinda right. on Bill Bans NSA Eavesdropping · · Score: 3, Insightful

    The problem is that having FISA issue warrants for the kind of surveillance the Bush administration wants IS NOT POSSIBLE.

    How is FISA going to approve tens of thousands of warrants?


    Irrelevent, because even if they could issue 10,000 warrants, 9,999 of those search requests would be completely and utterly without any merit whatsoever because the government had absolutely no reason to think that person had any useful information. FISA would not issue any of those warrants individually, why on earth would they issue them en-masse?

    FISA or any other court wouldn't issue warrants for the kind of searches Bush wants. They are meritless searches. They are unconstitutional searches. They are illegal searches. That's the real reason FISA can't issue such a warrant.

    Separate from FISA itself, is computerized monitoring of millions of phone calls as intrusive as a human agent listening to a particular person's phone calls? I think we'd all say no. So should we be willing to accept a lower burden on the governement for this sort of automated search?

    Oh, I highly disagree. I think monitoring millions of phone calls of innocent people is WAY more intrusive than the monitoring of a single person who the agent has reason to think is doing something illegal sufficient to convince a judge that a warrant should be granted. The whole reason we have the 4th Ammendment is so that the police can't just search everyone in the desperate hope of finding a crime. Now that computers have let them do this to literally millions of people, you think it's less intrusive?!

    And maybe you feel better if it's only a computer listening to you, but how exactly do you know that an agent didn't decide to listen in on your call? What do you think all that data does sitting on NSA computers; you think the NSA agents can't access it?

    The 4th amendment was written in a time when 'search' meant agents of the government came into your home or business and actually PHYSICALLY SEARCHED it. Automated search of electronic communication could not possibly have been considered then, and is thus something we need to consider now.

    Or a "search" meant agents of the government read your mail. What's the difference between automated search of electronic communication, and a huge room in the back of the post office with federal agents reading the mail of random U.S. citizens, other than e-mail and NSA computers allows many more random citizens to be illegally searched?

    The great thing about the founding fathers is that they worded things such that they described basic principles and not specific technologies, and thus we don't actually have much to consider. The invention of the telegraph and the phone didn't do much to change the way this was viewed. Neither has the computer.

    But you're right, we should consider automatic en-masse surveilance without a warrant. Hmm... nope, still unconstitutional. Well that was easy. Time for tea.

  23. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 2, Insightful

    The existing law is perfectly clear that domestic wiretapping without a warrant gotten through FISA is illegal. Bush has publicly admitted that he has done so. The only legal justification given by him for breaking the law is that he doesn't think the law applies to him.

    So it seems that it is Bush who has confused "legal" with his own preferences, and that you somehow believe that this is true, that his preferences define legality. Well they don't. The law is perfectly clear, and it is perfectly clear that Bush is breaking it because he has stated that he has done so.

    BTW, is the something that someone could do impeachment? If you're going to use the "if nobody has done anything to him, it couldn't have been illegal" argument you might want to take into account political realities.

  24. Re:Unconstitutional on Bill Bans NSA Eavesdropping · · Score: 1

    Those signing statements actually have no effect. They are simply clarifications of policy. All the complaining you're hearing about them is just noise. If anything, it's a lot more honest to issue signing statements declaring a policy rather than to simply implement the policy quietly.

    I don't know. I think it is pretty bad when the President can state in perfectly clear terms in a signing statement that he has absolutely zero intention of obeying the law he just signed, and there are no consequences.

    At least when the President secretly implements a policy of violating the law, there is an inherent acknowledgement that the policy is in fact illegal. The signing statement is making the violation of the law public and explicit, the policy is implemented anyway, and yet nobody can do anything about it? What you're hearing isn't just noise, it's the rumbling anger of people who are simply incredulous that the President can say "I'm going to break the law", go break the law, and then continue standing there with a smirk on his face.

    At least Nixon had the common decency to skulk around.

    Your attempt at scare-mongering probably worked on some other people though.

    So, you're not scared because the signing statements do nothing, even though the actions describd in the signing statements continue to go on with no evidence that they will ever be stopped?

    Okie-dokie then.

  25. Of course they haven't. on Bill Bans NSA Eavesdropping · · Score: 5, Informative

    "the administration has not publicly provided Congress with a single example of how current FISA standards have either prevented the intelligence community from using new technologies, or proven unworkable for the agents tasked with following them."

    They haven't provided it privately, either, and the reason is simple.

    The FISA court is well-known as being basically a warrent rubber-stamping court. Out of thousands of requests sent in the last few years, only a handfull have been rejected, and most of those were accepted with changes suggested by the court. Since the court will issues warrants post-facto, even temporal urgency isn't an obstacle to getting a FISA warrant. Basically in any situation where the request is properly made and has any merit whatsoever the FISA court grants the warrant, it can be done retroactively, and there's pretty much no reason to skip the process. So why would the administration bypass the court in order to conduct a search?

    Because the searches had so little merit that even FISA would not grant warrants.

    So no, Bush's administration is not going to give an example of a situation where FISA got in the way of conducting legitimate security operations because no such case exists, it could only give examples of illegitimate ones and it isn't going to do that either.

    This is a great start, though I hesitate to support the inherent thinking behind it -- which is, the President has the power to do whatever the fuck he wants until Congress specifically steps in and removes one of these infinitely many powers. But that's okay, we have to do something to at least make it explicit that when the President breaks the law, that means it was illegal, not that the Pres can put the pieces back together however he chooses. And I hope they continue to pass laws constraining government power, increasing oversight, and that they do this right up to the point where one of them gets in office and realizes they are subject to those same laws.