Slashdot Mirror


User: TheRaven64

TheRaven64's activity in the archive.

Stories
0
Comments
32,964
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 32,964

  1. Re:Apples and oranges on OpenSSL: the New Face of Technology Monoculture · · Score: 1

    The problems with OpenSSL aren't actually in the crypto parts. libcrypto is pretty solid, although the APIs could do with a bit of work. The real problems are in the higher layers. In the case of heartbleed, it was a higher-level protocol layered on top of SSL and implemented poorly. It was made worse by the hand-rolled allocator, which is also part of libssl (not libcrypto).

  2. Re:Is anyone surprised? on OpenSSL: the New Face of Technology Monoculture · · Score: 3, Interesting
    OpenSSL is quite shockingly bad code. We often use it as a test case for analysis tools, because if you can trace the execution flow in OpenSSL enough to do something useful, then you can do pretty much anything. Everything is accessed via so many layers of indirection that it's almost impossible to statically work out what the code flow is. It also uses a crazy tri-state return pattern, where (I think - I've possibly misremembered the exact mapping) a positive value indicates success, zero indicates failure, and negative indicates unusual failure, so people often do == 0 to check for error and are then vulnerable. The core APIs provide the building blocks of common tasks, but no high-level abstractions of the things that people actually want to do, so anyone using it directly is likely to have problems (e.g. it doesn't do certificate verification automatically).

    The API is widely cited in API security papers as an example of something that could have been intentionally designed to cause users to introduce vulnerabilities. The problem is that the core crypto routines are well written and audited and no one wants to rewrite them, because the odds of getting them wrong are very high. The real need is to rip them out and put them in a new library with a new API. Apple did this with CommonCrypto and the new wrapper framework whose name escapes me (it integrates nicely with libdispatch), but unfortunately they managed to add some of their own bugs...

  3. Re:What?? on WhatsApp Is Well On Its Way To A Billion Users · · Score: 1

    If by 'any deal' you mean 'any contract' then they generally do come with either unlimited texting or quite a lot, but that's not true for pre-paid plans, which have made up the majority of the market for the last few years. I'm currently with Three, and they charge 3p/min for calls, 2p/min for texts and 1p/min for data - I'd have to spend a lot of time on the phone to come close to the cost of the cheapest contract plan, so they really only make sense for people who use their phone for business, or who haven't worked out that the 'free' phone that they get is really a loan at 50+% APR to buy a phone. For 2p, I can have one SMS or 2MB of data. The latter is enough to keep an IM connection open all day, so I can see the attraction of things like WhatsApp, especially since you can switch to the desktop version whenever you find the keyboard too limiting.

    And that's not counting the fact that you can use WiFi when you're somewhere where roaming is expensive, which is the only reason I still have a SIP client installed on my phone: It's cheaper for me to make calls to the UK from the UK over the mobile network, but when I'm abroad (outside one of Three's Feel at Home countries) it's often a lot cheaper to use SIP. Sending text messages abroad is very expensive, but using WiFi is usually free.

  4. Re:What?? on WhatsApp Is Well On Its Way To A Billion Users · · Score: 1

    No prepaid plans in the UK come with unlimited texting. You can generally buy a bundle that includes it, but a bundle that provides more data than it's easy to use on a smartphone (without tethering) is generally cheaper and allows you to use email and the web as well as IM apps. I generally pay £1-2/month, and it costs as much in terms of data to have an entire day of IM connectivity as it does to send one SMS.

  5. Re:openWRT runs, without wireless on WRT54G Successor Falls Flat On Promises · · Score: 1

    The last time I bought a dedicated device like this, I got a PC Engines WRAP, which is similar to the boards that Soekris sells. For about £100, I got a 266MHz AMD Geode (x86) CPU, a board that could boot from a CF card, and had 3 wired sockets and 2 miniPCI slots (with an 802.11g card in one), a metal case and a couple of antennae. That was quite a few (actually, almost ten) years ago.

    The first search result has a similar kit for £139, which is a bit more, but if you shop around you can probably get it for cheaper. That includes a 500MHz x86 CPU and 256MB of RAM, so it will happily run most stock *NIX distributions, or something firewall-centric like pfSense.

  6. Re:Intentional sabotage? on Next-Gen Thunderbolt: Twice as Fast, But a Different Connector · · Score: 1

    That's already double what USB provides over data connections, and you shouldn't be drawing much more than that from a notebook anyhow

    No, you shouldn't, but the laptop is probably drawing something on the order of 60-85W and there's no reason why it couldn't get that from a power supply in the display, rather than a separate wall wart...

  7. Re:Thunderbolt does USB, so no. (Also PCIe and HDM on Next-Gen Thunderbolt: Twice as Fast, But a Different Connector · · Score: 1

    Thunderbolt doesn't do USB, however the fact that it does PCIe means that you can run a USB controller on the other end. You wouldn't want a Thunderbolt mouse, because it would require sticking a USB controller in the mouse as well as a Thunderbolt interface and a load of PCIe bus logic. USB is nice because the client component is relatively simple and can be made very cheap. It's also nice because there are a number of standard higher-level protocols built on top of it (e.g. HID for keyboards, mice and so on, DUN for things that look a bit like modems). Thunderbolt doesn't replace USB, it's the connection that you use between your laptop and the display or docking station that has all of the USB devices plugged into it.

  8. Re:Intentional sabotage? on Next-Gen Thunderbolt: Twice as Fast, But a Different Connector · · Score: 1
    With Thunderbolt, since it can carry two DP signals, you can plug in one cable to drive two monitors. Since it also carries PCIe, you can drive a USB hub and SATA controller and NIC in one display and also connect the keyboard and mouse and an external disk and network at the same time. Having the same connector able to deliver power would mean that you'd be able to drop a phone in a dock and have it gain access to all of those things and charge, which sounds pretty compelling to me.

    We're also finding it useful because you can get PCIe enclosures so we can plug FPGA boards directly into laptops, rather than needing to have a desktop sitting under the desk doing nothing except exposing a high-speed JTAG interface, but that's a fairly niche use.

  9. Re:perception on GoPro Project Claims Technology Is Making People Lose Empathy For Homeless · · Score: 1

    Actually, the total tax burden for the working and middle classes in the USA is not that different from much of Europe. If you deduct the amount that the US citizen pays for health insurance from the amount that the EU citizen pays in taxes (while receiving socialised medical coverage), it's often quite a lot more. Part of the reason that the US has what appears from the outside to be an irrational distrust of government is that they get such poor value for money from their taxes. This leads to a nasty feedback loop (population expects the government to be incompetent, so it's hard to get competent people to want to work for the government, so the government becomes more incompetent, so the population expects...).

  10. Re:"it's also a smart visual explanation of why... on This 1981 BYTE Magazine Cover Explains Why We're So Bad At Tech Predictions · · Score: 1

    Casio did. Well, it was an alphabetic order rather than QWERTY, but they did put it in their organiser line of watches.

  11. Re:Like "Anansi boys" better than "American Gods" on Neil Gaiman Confirms Movie Talks For Sandman, American Gods · · Score: 1

    I enjoyed both, but I cringe at the thought of a movie version of either. If you have a description-heavy novel that's about 100 pages long, you can just about cram it into a movie. Anything longer, and you have to be quite aggressive about the cutting. Both Anansi Boys and American Gods have splits that would let them work quite well as a miniseries, but I can't imagine them as films without so much abridgement that they may as well be different stories. I've also not read Sandman, so I can't comment on that.

  12. Re:I need electricity. I need it for my dreams. on 93 Harvard Faculty Members Call On the University To Divest From Fossil Fuels · · Score: 2

    Is it to do with wanting to reduce emissions? I'd have thought it was a much more pragmatic requirement. Fossil fuel extraction costs are going to keep increasing. The costs of alternatives are going to keep decreasing. At some point, they will cross over and at this point the value of stocks in a fossil fuels will suddenly drop. Currently, they are quite high and probably will be for quite a few more years (although increased difficulty in extraction is going to make expensive accidents more common, which won't help). Harvard expects endowments to last a period measured in hundreds of years. Now is probably a good time to start selling off the shares in fossil fuel companies, while there are still people who want to buy them at a high price.

  13. Re:This is how America ceases to be great on Comcast PAC Gave Money To Every Senator Examining Time Warner Cable Merger · · Score: 2, Insightful
    I was thinking about this the other day. The core problem is not lobbying, because it's perfectly sensible that people with an interest in a particular topic would want to talk to their elected representatives about it. The problem is unequal access to lobbying, and that comes from the massive wealth inequality in the USA and the fact that lobbying is expensive. Perhaps a better solution would be for each member of the electorate to have allocated a certain amount of their representatives' time.

    For example, each member of the House of Representatives is responsible for approximately 500,000 people. Assume that they spend on average two hours a day talking to their constituents and the rest is spent in committees, or on holidays (since we're talking about an average). That's 2628000 seconds per year, or around 5 seconds per constituent per year (10 seconds per term). If you want to have a five minute conversation with a representative, then you must find 60 people all willing to give you their time allocations. Or 300 all willing to give you 20% of their allocation. If you want to have an hour-long meeting, then that's 720 people who must give up all of their allowance, or 3600 who must give up 20% (or any breakdown).

  14. Re:Not malicious but not honest? on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 2

    I'm not sure what testing OpenSSL does, but most protocol tests include a fuzzing component, and if the fuzzer didn't generate heartbeat packets with an invalid length then it's not doing a good job. This sort of code is routinely run by people outside the OpenSSL team to look for vulnerabilities, so I'd hope that they'd do it themselves. Generally, any field that contains a length is used in guided fuzzing, because it's easy to get wrong.

  15. Re:Doesn't seem to be on purpose on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 5, Interesting

    The date that it was added to the OpenSSL codebase is very close to the time when the leaked NSA documents claim that they had a 'major breakthrough' in decrypting SSL. I would imagine that they are not responsible for introducing it, but do have people doing very careful code review and fuzzing on all changes to common crypto libraries, so I wouldn't be surprised if they'd known about it (and been exploiting it) since it was originally released.

  16. Re:He's sorry now ... on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 1

    It always amuses me when GPL'd software contains a clickthrough insisting that you press an "Agree" button, when the licence specifically says that no such agreement is necessary.

    In fact, by placing the requirement that someone agrees to the license before using a derived work of the GPL'd software, they are violating the GPL...

  17. Re:Sue FSF, relicense all GNU software ... on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 1

    The FSF requires copyright assignment for all of their projects, so they do have some quite valuable assets. They provide the original author with a license to sublicense their contributed code under whatever license they choose, but they are the only ones that can relicense the whole. For example, if someone else managed to gain control of the GNU assets then they could legally relicense GCC under an MIT license, allowing its code to be used anywhere.

  18. Re:Not malicious but not honest? on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 4, Insightful

    The point is not that a general malloc() would catch it, but that there are security-focussed malloc() implementations that will. Even valgrind will - it knows that malloc() has special properties and so will object if you derive a valid pointer to the wrong allocation by running off the end of another one. You don't need to use the security-focussed malloc() in deployment (unless you're really paranoid), you just need to support testing with it. Running this code with a malloc() that did aggressive bounds checking would have caught it immediately. That's something a continuous integration system and a test suite ought to have caught.

  19. Re:I've worked with many Russians... on Evidence Aside, FBI Says Russians Out To Steal Ideas From US Tech Firms · · Score: 3, Insightful

    Japanese products were initially low quality too. There have been a few interesting books on the subject of the change. In particular, several Japanese companies focussed very heavily on quality control processes for about a decade, which allowed them to dramatically improve their quality. Over the same time, the Japanese people who had been responsible for copying the designs became sufficiently familiar with them that they were able to initially improve them and then produce better ones.

    The main factor stopping Russia or China going through the same transition is institutionalised corruption. It's hard to implement good quality control if you can't trust the people doing the inspections not to take bribes...

  20. Re:Viva La XP! on Meet the Diehards Who Refuse To Move On From Windows XP · · Score: 1

    XP was unfortunate to come out just before computers became fast enough for the vast majority of users. A 1GHz CPU and a reasonable amount of RAM is enough for a huge proportion of computer users. Before that, you'd buy a computer and it would be too slow, but it would be the fastest that you can afford (or that existed) and you'd upgrade when you could afford a replacement, because there'd be something faster out a few months later. By the early 2000s, the new computer wasn't perceptibly faster than the old one, so there was an increasingly small incentive to switch.

  21. Re:Different views on a free market on Why There Are So Few ISP Start-Ups In the U.S. · · Score: 1

    Most likely yes. Well, you could operate them over short distances on unlicensed bands, but to operate a mobile carrier (in most of the world) you need to buy a license for some spectrum. In the US, these didn't come with strings attached, so you ended up with some CDMA carriers and some GSM carriers, with no interoperability. In most of Europe, they came with a requirement to deploy GSM. Similar conditions were applied for 3G frequencies. In the UK, companies had to request regulator approval to repurpose their existing frequencies to new technologies. This was mostly granted (as long as it was for industry standard protocols). I don't know what LTE coverage is like, but I've not had a problem with getting an HPSA in any parts of the UK that I've tried, so I believe that it works and I know that any phone I buy will work with any carrier. Especially now, when spending over £100 on a smartphone is fairly common, knowing that doing so doesn't lock you in to a specific carrier is valuable.

  22. Re:Ah, Crony-Capitalism! on Why There Are So Few ISP Start-Ups In the U.S. · · Score: 1

    I'd have listed TalkTalk as the third large ISP, since they're the company that does the most LLU work. They install their own equipment at exchanges and only use BT for backhaul. There are quite a few smaller LLU operators, but BT dragged its heels to delay LLU rollout until they'd largely cemented their monopoly.

    The problem with the split of BT retail and wholesale units is that there's no requirement for BT retail to make a profit. The wholesale part has to sell to BT retail at the same price that they sell to everyone else, but the retail division is able to operate at a loss and be bailed out by the rest of the company...

  23. Re:Where do you draw the line? on Should Microsoft Be Required To Extend Support For Windows XP? · · Score: 1

    Bullshit. They shipped Classic support right up until the last PowerPC release (10.5, 10 years after the first Rhapsody releases), years after pretty much every Mac user was running OS X-only applications. Try talking to some people who work at Apple or worked at Transitive some time about the dropping of Rosetta. Apple tried to rush a license agreement through when IBM announced that they'd buy Transitive, but were too late.

  24. Re:Phones yeah on Nanodot-Based Smartphone Battery Recharges In 30 Seconds · · Score: 2

    People are much more willing to put up with a 200 mile range on a car if it only takes them a 2-minute stop to recharge. If it takes an overnight charge, then that's a deal-breaker for anyone who might want to make long trips.

  25. Re:Won't work on Australia May 'Pause' Trades To Tackle High-Frequency Trading · · Score: 4, Insightful

    The important issue is the ratio between investors and speculators. You need speculators in the market to provide liquidity, but you don't want too many because liquidity is the positive spin on volatility. If you have too high a ratio of speculation to investment then the market becomes completely decoupled from the thing it's trying to represent and it becomes a dangerous place for investors (and companies) because they can lose all of their money as a result of something completely unrelated to the actual profitability of the company. If you have too few speculators, then it becomes difficult to buy and sell shares.

    The problem with HFT is not really HFT itself, it's that it magnifies the effects of speculators on the market, meaning that you need far fewer speculators with far less capital to have a disproportionate effect on the functioning of the market.