Granted, only one kernel runs, 1 /sys /proc, etc., which is "less isolated" than a qemu vm but lets you run on bare metal for specific applications.
If stuff is actually running, then there's probably a /dev in the chroot as well. And if there's anything running as root, then it's trivial to mount /dev and escape from the chroot. It sounds as if you're using chroot for exactly its intended purpose: running applications that don't necessarily work with the host system libraries and tools. There was never intended to be any serious attempt to prevent an attacker from escaping from a chroot.
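Added example, not part of the original comments: a defender-side audit of the two conditions the comment above names, device nodes inside a chroot tree and root processes whose root directory is that tree. The function names, the extra set-id file check (a generalisation beyond the comment) and the constructed sample tree are assumptions of this example; the process scan reads the Linux /proc layout.

```python
import os
import stat
import tempfile


def classify(mode):
    """Label an lstat() mode that weakens a chroot, or return None."""
    if stat.S_ISBLK(mode):
        return "block-device"
    if stat.S_ISCHR(mode):
        return "char-device"
    # Set-id regular files are a route to "something running as root".
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        return "setid-file"
    return None


def audit_tree(root):
    """Walk the chroot tree without following symlinks; list risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or is unreadable
            label = classify(mode)
            if label:
                findings.append((label, os.path.relpath(path, root)))
    return sorted(findings)


def root_processes_in(root, proc="/proc"):
    """PIDs with effective uid 0 whose root directory is `root`."""
    target = os.path.realpath(root)
    pids = []
    if not os.path.isdir(proc):
        return pids
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            # /proc/<pid>/root is a symlink to the process's root directory.
            if os.path.realpath(os.path.join(base, "root")) != target:
                continue
            with open(os.path.join(base, "status")) as fh:
                uid_line = next(l for l in fh if l.startswith("Uid:"))
        except (OSError, StopIteration):
            continue  # process exited or we lack permission
        # Fields after "Uid:" are real, effective, saved, filesystem.
        if int(uid_line.split()[2]) == 0:
            pids.append(int(entry))
    return sorted(pids)


if __name__ == "__main__":
    # Constructed sample tree: one setuid file, no device nodes.
    with tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "bin"))
        helper = os.path.join(jail, "bin", "helper")
        open(helper, "w").close()
        os.chmod(helper, 0o4755)
        print(audit_tree(jail))
        print(root_processes_in(jail))
```

Seeing other users' processes in root_processes_in requires running the scan as root on the host; without that, unreadable entries are skipped.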
First, chroot isn't a sandbox. For desktop applications, it isn't even useful isolation because you have a big attack window via the IPC to the display server. That said, iOS uses the TrustedBSD MAC framework (also in FreeBSD - Apple funded the development of both), which allows very fine-grained resource control to processes. The entire sandboxing framework is based on this.
Second, the grandparent doesn't really mean sandboxing, he means compartmentalisation (which depends on some isolation primitive). Process-based isolation is fine when your threat model is different levels of trust for different processes. In a web browser, that isn't the case. Your tab browsing some random site needs to be strongly isolated from the other tab that contains your webmail login. Ensuring that this isolation is really present and not leaky is a very hard problem. Even that isn't really enough: if someone sends you an image as an email attachment and there's a vulnerability in your copy of libpng that allows arbitrary code execution, it doesn't really help you that the attacker can't compromise any other tabs: they already have the high-value target.
Beyond that, mobile Safari also has some quite neat tricks. It makes use of execute-only memory for the JavaScript engine. On startup, it reserves a range of memory for the JIT code emission and generates a special memcpy that copies data into an offset within that address range. It then deletes all copies that the process holds of the base address and marks the special memcpy as execute-only, so there is nowhere in readable memory that contains the address range where JavaScript code will run, making it almost impossible to exploit gadgets placed in JIT'd JavaScript code.
That said, no security is perfect and a monoculture is a good way of turning a vulnerability into a pandemic. If you have 4 different browsers with approximately equal market share, it's a lot harder to exploit all of them. This is why Verisign uses a mixture of FreeBSD and Linux with 3 different DNS server implementations on their root nameservers: If you want to take down their root zone, you need to have a compromise for at least two DNS servers and for both operating systems.
Bike lights are already mostly LEDs. It's quite unfortunate that white LEDs became popular for front lights, because they destroy night vision much faster than yellow (red+green) LEDs. The most dangerous ones flash (to conserve power) and are very bright. The person riding them gets enough persistence of vision to see, but from the perspective of oncoming vehicles you're a dot (not large enough for the visual cortex to be able to accurately estimate distance) that keeps disappearing.
I don't know anyone who keeps women out of computing
I do. One of my colleagues ran a masterclass for 16-year-old children to study some computer science. The first year he ran it, he got over 90% boys. He asked the schools why this was and heard, from multiple teachers 'girls can't code'. The second year he said that the schools could send up to two students, but they had to send at least one girl if they sent anyone. Almost all of the schools still managed to send two students and there was no drop in quality.
Another of my students, on receiving her offer to study computer science here, was told by one of her teachers 'oh, you probably weren't one of the best applicants, just one of the best girls' (as the person who reviewed her application, I can confirm that this was not the case).
Do you honestly think that this kind of stated opinion from authority figures has no impact on teenage boys and girls?
Add to that, Clinton is a Washington insider, Trump is not. They're both going to try to do bad things, but the establishment hates Trump and will try to stop him. Clinton might actually succeed.
France transitioned a lot earlier. Everyone else transitioned about 10 years ago, because the patents had just expired and no one wanted to pay licensing fees to a French company before then. The US moved recently, because the US has an archaic banking system.
As does water vapor, which is why it's a greenhouse gas
Lots of water vapour in the air also tends to condense and form clouds, which are white and reflect energy away from the Earth. The greenhouse effect happens when shorter wavelengths (which can penetrate carbon dioxide) hit the ground and are re-radiated as infra red. The IR is then unable to radiate into space because of the greenhouse gasses. If you have a lot of white clouds in the air, then the energy is simply reflected. This causes cooling, which causes the air to be unable to hold as much water vapour, which causes rain, and the system largely balances with respect to water vapour.
Last I heard the prevalent theory was that if you continue long enough down that road you get enough weather to flip you over into an ice age
That's one of the predictions. If you dump a lot of energy into a chaotic system, it's difficult to tell exactly which of the equilibrium points you're going to end up at (though none of them look particularly good for human habitation[1]). In this model, you get a lot of water vapour in the air, which then causes most solar radiation to be reflected before hitting the ground. This causes enough cooling at surface levels that large areas of the sea freeze, creating big white ice sheets. As the atmosphere cools, the reflections from clouds are replaced with reflections from ice and the process continues.
[1] As an analogy, imagine that you spin a spinning top so that it's balancing perfectly on its point. A civilisation evolves on the surface and observes that it's on the top of a spinning disk. They build a large city in one point on the rim. Scientists argue that this is causing an instability that will cause it to topple over, but they're shouted down because their models predicted that it would veer a bit to the left next, whereas it veered to the right first. When the tack falls over, it's going to be very bad for the people living on the top, and it's pretty easy to model the fact that it's going to fall, but it's very hard to predict exactly where it will veer first.
Talking for 12 hours solidly and browsing the web solidly for 6 hours are typical phone workloads? I'm probably an outlier in phone use, but I rarely use mine for more than 10 minutes at a time. I want it to go in and out of standby quickly and give good performance when I'm using it. I have other devices (with much bigger screens) for when I intend to use them solidly for a few hours.
Exactly. ICANN and IANA don't exist because they have a mandate from the US government, they exist because there is a consensus that they're doing a reasonable job. You don't own an IP address because IANA says so, you own an IP address because the people who configure the BGP routes for backbone networks agree to send packets for you to the place that you've asked. They currently do this because they perceive the assignments made by IANA (and then subsequently by national organisations) to be fair and equitable. If it looks like the USA is imposing too much control on IANA, then their authority goes away and there is likely to be a new consensus about whose assignments become the real ones (probably with a long interim process where bits of the Internet were broken or unreliable).
Ironically, a lawsuit like this is exactly the sort of thing that would push the consensus away from the USA.
When banks implement blockchains, will their version allow tracking of all the individuals involved in the whole chain?
Of course it will. They want to use a blockchain for maintaining an efficient high-speed ledger of all bank-to-bank transactions. When you do a funds transfer from, for your account to an account at another bank, they'll write an entry to the block chain and both parties will be able to validate the time at which the transaction occurred. Having an unforgeable ledger is the entire point of the system that they're proposing.
Your comment makes no sense. They're not talking about adopting BitCoin as a consumer payment system, they're talking about adopting some of the underlying technology for bank-to-bank transfers.
I'm surprised that it was that few. I remember seeing them for £50 in Argos about a decade after they were first released. They were incredibly popular as games machines and a load of shops had a row of C64 game tapes for around 50p each (NES games were around £10, if I remember correctly, at the same time).
There's no vast left- or right-wing media conspiracy. There's a small number of owners of the mainstream press, and they will not print anything that directly contradicts the interests of these owners. This has no allegiance to any political party or ideology other than a desire for certain individuals to increase their personal power.
Various governments have allowed mergers and acquisitions among news companies until there's very little independent press. Most countries don't want to regulate press freedom too heavily (for good reason - there's a very fine line between regulating truth in journalism and forcing propaganda and it's incredibly easy for the former to slip into the latter), so we're left with the majority of the population being informed by untrustworthy sources.
I find the map pretty surprising. Zoom in on the UK, and most of England is yellow (11-15 g/m3), but Reading (dense traffic, industrial areas, lots of diesel trains passing through) is green (<10), yet completely surrounded by yellow areas. I'd probably be inclined to trust the point samples, but their averaging between them looks like it's nonsense. The middle of Wales is pretty green, but with squares of yellow. The green makes sense (it's basically a big space full of hills and sheep), but the yellow doesn't seem to correspond with any human habitation or industry.
Indeed. Under the Consumer Rights Act and the earlier Sale of Goods Act, you are entitled to a refund for a variety of reasons. Any claims made by the seller that influenced your decision and are false gives you grounds for a refund (or a replacement with a version that meets these requirements). I had the battery on an Apple laptop fail after the warranty expired, but because of the SoGA they replaced it without quibble: their website claimed that it would retain 80% of its charge after 300 discharge cycles and the system monitor showed that it was retaining about 15% of its charge after about 120 complete cycles.
It's a bit better since they finished the refurbishment (it was truly hell in the middle, as most of the seating was unavailable). I'd much rather be sitting on a train than sitting in Stansted though.
I did, I went to StartCom, who offer free S/MIME certs, and free TLS certs that are valid for one year. Now, apparently, Mozilla wants to force me to move to a different CA, but the one that they're backing doesn't provide the same set of certs.
It's often also cheaper. It costs me less to take a train to Stansted airport, then an Easyjet plane from Stansted to Edinburgh and a bus to the city centre than it does to take a train from Cambridge to Edinburgh. Even including faffing at the airport time, the plane is a bit quicker. I'll take the train given the choice, because it's more comfortable and I can get some work done on the way, but it's a close-run thing.
Make sure that you let them know that, because you have gone through responsible disclosure, if they are compromised then you will happily testify in court that they were aware of the insecurity of the personal information and that this makes them liable for increased damages for any compromise resulting in a failure to address the issue in a number of jurisdictions.
And yet a CA that was seriously compromised by 'a single kid' is still trusted by Mozilla, whereas the CA that provides the best competition for Mozilla-backed Let's Encrypt is subject to sanctions.
It depends. A pale blue might make things more dangerous - it takes a lot less blue light to destroy your night vision than it takes to see usefully.
Yup, it's true. That's why it's still very easy to buy a high-end phone with user-replaceable batteries.
Both are biased, but only one has gone to court to argue that they are not required to tell the truth (and won) in things that they present as news.
I have two different variants of the C64 and there was a later one (slightly off-white) that was in production for a long time.
Comodo.