Slashdot Mirror


User: phantomfive

phantomfive's activity in the archive.

Stories
0
Comments
31,362
First seen
Last seen
Profile

Comments · 31,362

  1. Re:Great guy on Linus Explains What Surprises Him After 25 Years Of Linux (linux.com) · · Score: 5, Insightful

    Yeah, Gates set computing back a decade. Good programmer, but he should have stayed in school. I know some people will ask, "Why stay in school? He made plenty of money." He should have stayed in school for the betterment of humanity.

  2. Re:The power of brute force on Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) · · Score: 1
  3. I can't tell you for other states, but in California, we like speeding. That's why we don't like speed cameras. (Also, the fact that red-light cameras increase accidents is kind of a negative. Even worse, they mainly catch people who are turning right on red, which is completely legal.)

  4. Re:The power of brute force on Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) · · Score: 1

    Nice.

  5. Re:Interesting, makes me wonder on 'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) · · Score: 1

    That's a really great writeup. This comment should be modded up.

  6. Re:The power of brute force on Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) · · Score: 1

    What do you use to do your fuzzing? Did you write a custom set of tools?

  7. Re:Requires poorly-designed software, basically on 'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) · · Score: 1

    I would expect common, battle-tested free software that powers the intertubes to be well designed and written by experienced greybeards who fully understand how an operating system works, and the fact that the stack is not an endless resource, that it is quite a limited resource actually; with the resulting code minimizing automatically-scoped object usage on the stack, which should eliminate the vulnerability completely.

    That's the most optimistic thing I've read today.

  8. Re:You're talking about the company that... on 'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) · · Score: 1

    I understand systemd. I don't understand why they decided to replace yum. I'm sure they had reasons, but I don't understand them other than some kind of NIH syndrome variation where you don't trust what was written by people who came before you.

  9. Re: requires local access on 'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) · · Score: 2

    tbh this seems like a fertile area for research. Probably many PhDs available for people who want to work on making formally verifiable permission systems. Just starting to think about the problem here:

    You'd need to start with a very simple permission system. For example, Android has so many complex, overlapping, and confusing permissions that holes are easy to find without any thought at all. Basic Unix has a very simple permission system, so you could probably work with that; Windows is probably too complex to do reasonable proofs, and modern Linux gets rather complex with all the containers, too.

    The next step would be to start looking at individual system calls. Is there a way to formally verify that they aren't going to cause problems outside the rules of the permission framework? Of course there is, and with some of the system calls it's really easy. Other system calls would be very much harder (I'm thinking of select() here).

    Once the system calls have been divided into 'easy', 'hard', and 'intractable' (or other appropriate categories), you can get started formally verifying the easy ones, and ideally build an automated system to prove their correctness. Then, in the hard category, there are likely some syscalls that can be moved into the 'easy' category with some simple changes, like unifying code paths that are mostly the same, for example.

    You can start chipping away at the intractable syscalls, and eventually move some of them into the hard category, but at least you'll clearly know which syscalls are the intractable ones. Once you know that, you can offer a 'safe' mode in the kernel, where certain processes are not allowed to call those syscalls that are known to be dangerous.

    We should be able to reach DJB's goal of, "We will have invulnerable software systems, with no bugs in trusted code. We will be confident that these systems enforce the user's security requirements."

  10. Re:requires local access on 'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) · · Score: 1

    There are always privilege escalation exploits available, because setting up a good permissions system that considers all the subtle interactions between parts is hard. At this moment in time, you have a chance of stopping remote exploits, but you have no chance of stopping privilege escalations once someone's code is already running on your system.

    To me privilege separation seems like an area where formal verification could be useful, but so far no one cares enough to really work on it.

  11. Privilege escalation exploits are in every system, because the attack surface is so broad. The key lesson is to not run unknown code on your system (containers won't help you here because this can escape the container).

    Remote exploits are the real problem though. This is not a remote exploit.

  12. Re:Putting two comments together... on Obama Authorized a Secret Cyber Operation Against Russia, Says Report (engadget.com) · · Score: 1

    Wait, so are you implying that it's the Russians who hate systemd?

    And everyone else. Everyone knows Redhat is a corporation and shouldn't have free speech. Debian had an election, but the Germans rigged it. Now we're stuck with an orange-haired init system.

  13. If one of these women had been your sister or your daughter, would you have considered the situation "handled" after Caldbeck stepped down?

    There was no real damage, it wasn't assault, just harassment. If it happened to my sister I would be proud of her for standing up for herself, and now that Caldbeck isn't likely to do it again, move on with her life.

  14. Re:Conventional medicine started the same way. on 'Chiropractors Are Bullshit' (theoutline.com) · · Score: 1

    Medical empiricism has never been quite so robust as scientific empiricism, but by 1900 you were probably better off with a medical doctor than with the village herbalist, faith healer, or random quack.

    Why the year 1900 specifically? Just curious.

  15. Re:Not says WebMD on 'Chiropractors Are Bullshit' (theoutline.com) · · Score: 1

    Well at least read the article, quote:

    "patients who underwent a sham chiropractic adjustment. Because patients can't feel the technique, they were unable to tell which group they were in."

    Personally I would have just kicked the placebo group in the knee. There's your adjustment!

  16. First, it's been verified by the guy. He's admitted his guilt, apologized, and stepped down. No "probably" about it.

    For anything reported in the news, there's a probability distribution. It's probably true.

  17. This news is:

    Probably largely true,
    probably what he did isn't illegal (just awkward),
    and he's probably already been punished by his company.

    tbh there's no reason to publicize anyone in this story, the situation's been handled. Let people move on with their lives.

  18. Re:In this thread: on If You Can Decentralize the Internet, Mozilla Has $2 Million For You (cnet.com) · · Score: 1

    It will destroy us all. With the IoT, and a wifi server plugged into every street-lamp, malware will make its own decentralized internet. But at least we'll have a decentralized internet.

    Interesting thing is that malware can do a decentralized internet because its usage patterns are different. Malware spreads out traffic (more or less) randomly, whereas normal human traffic tends to go to the same few places, thus creating huge bottlenecks.

  19. make you feel better on 'Chiropractors Are Bullshit' (theoutline.com) · · Score: 4, Interesting

    I used to go to the chiropractor for my back. It hurt, but afterwards I felt better.
    Then I started massage therapy instead. I felt better, and it didn't hurt, either. Win-win.
    Now I just go sit in the sauna. Just as effective, much cheaper. Win-win-win. All win for me.

  20. As an actual scientist sometimes I wish I was shameless enough to get into this sort of business. You apparently don't have to even make it sound plausible!

    No, but you do need to be good at sales/marketing, not science. Your skills are useless here.

  21. everyone NOT in the Faux "News" moonbat directory.

    What news source isn't in the moonbat directory right now? They've all gone off the deep end as far as I can tell.

  22. Re:What should I report? on Victims Aren't Reporting Ransomware Attacks, FBI Report Concludes (bleepingcomputer.com) · · Score: 1

    Actually, yes: there should absolutely be a public API that people can use to report automated attack probes to the FBI.

    That sounds so open to abuse that malware writers everywhere are just salivating thinking about it.

  23. Re:Of course they aren't on Victims Aren't Reporting Ransomware Attacks, FBI Report Concludes (bleepingcomputer.com) · · Score: 1

    Worth remembering when the FBI announces that North Korea (or anyone else) hacked someone.

  24. Re:So, how long until they shut it down? on Google Will Stop Reading Your Emails For Gmail Ads (bloomberg.com) · · Score: 1

    It's more likely that over time it becomes less and less important (to Google), and the people who cared about it have moved on, and at that point they will just cut it off (whether or not it's popular seems to be irrelevant).

  25. Re:Time for a $20 minimum wage. on McDonald's Hits All-Time High As Wall Street Cheers Replacement of Cashiers With Kiosks (cnbc.com) · · Score: 1

    It definitely varies by state, and a single male is in the worst position as far as welfare goes (there's no WIC for them). If you really want to make money (relatively speaking, of course), the way to do it is either have kids or get on disability, or both.