Slashdot Mirror


User: MobyDisk

MobyDisk's activity in the archive.

Stories
0
Comments
5,998
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,998

  1. Re:Excellent explanation on When Not to Use chroot · · Score: 2, Insightful
    You're reply demonstrates the very complaint many posters are making, and the issue with the article:

    It doesn't make sense. Using chroot(2) for security is like trying to fit a round peg into a square hole that it was never intended to go into. You say that chroot isn't good, then make a cool analogy, but don't actually explain why it is wrong. That analogy doesn't explain to anyone what is wrong with chroot. You then go off on a totally unrelated tangent about Windows security and TCP ports.

    So what's wrong with chroot?
  2. Re:Have to get away from the "patch" concept on Microsoft 'Stealth Update' Proving Problematic · · Score: 2, Interesting
    This is interesting - I've wanted to have this discussion with someone. While I agree with your reasoning on shared -vs- static libraries, I don't agree your estimation of the impact of static libraries.

    because of the installation and "maintenance" hassles they create. One big savings of shared libraries is that if a vulnerability is fixed in libpng, you don't have to update 25 apps. And the authors of those apps don't have to repackage their app. And old projects that aren't in active development can still take advantage of the security fixes. Same with performance improvements and bug fixes. It saves a lot of redundant updating.

    This is also why I preface the discussion with "proper" packaging. I encounter lots of packages that have incorrectly stated dependencies. If I recall, every rpm/apt problem I ever had could be traced down to some package that stated a dependency incorrectly. Like it requires an exact version of a particular library when it really didn't. Or a library was made incompatible in an update, but the version number was not incremented by a whole number (Ex: version 1.02 is not compatible with 1.01 so all apps saying they need 1.0 or above break).

    You may have a dozen programs which use a particular library, but do you ever run them all at once? Probably not. My guess is "most of the time" -- I'm using Windows right now, but let' see what I'm running: Firefox, Mozilla, Trillian, Notepad, Skype, Virtual PC, Zone-Alarm, a VPN client, a volume meter, an anti-virus program, Visual Studio, RapidSVN, Photoshop, a SQL server... My guess is that all of those share at least the C/C++ runtimes. Probably also share 2 dozen Windows API DLLs. COM libraries are common. Half of them use libpng, libjpg, etc. There's a lot of re-used libraries there.

    So just keep a dozen copies on disk; that way they can all be different versions if needs be. I agree that disk space isn' t really a big deal. Graphics and icons usually take more space than code. But the packaging solutions we are discussing allow you to have multiple different versions in place at once. In Windows with DLLs, this is hard, but on Linux it is very easy since the library version is in the file name and symlinks + intelligence in ld can make things bind to whatever version they need.

    Overall, I think you underestimate the number of shared libraries each application uses. That measurement is really what would make the tipping point on this point. If the memory savings is minimal, and I didn't require updating too many apps when a bug was fixed, and if old apps could somehow be magically updated... then yeah, static libraries would be better.
  3. Javascript needs a sandbox/security model on Gmail Vulnerability May Expose User Information · · Score: 2, Interesting

    I can open HTML email in a standalone application (Thunderbird, Eudora, whatever) with very little concern about someone getting my login information. That's because there is an implicit barrier between the application state and the HTML page. But it is more difficult with web-based email: If you display HTML messages, then they are being displayed on the same page that has access to your login credentials.

    It seems to me that the most foolproof solution is to display the HTML email inside a sandbox that does not have access to the cookies (or any other part) of the enclosing page. There may be some way(s) to do this with browsers as they are today, but it seems like ultimately, such a sandbox should be designed-in to HTML and/or Javascript. Something like a chroot command.

    This would eliminate the constant cat & mouse game of scrubbing the HTML for something dangerous, then a new HTML/browser feature being used to get around it, etc.

  4. Re:Have to get away from the "patch" concept on Microsoft 'Stealth Update' Proving Problematic · · Score: 2, Interesting

    IMHO, this is what package managers solve, and Microsoft still hasn't gotten the idea right. In the Windows world, applications just drop files wherever they want and that's an install. In Linux using rpm or deb packages, every file on the system is part of a master database that indicates what package it is a part of, and what the interdependencies are. So long as everyone creates proper packages, these problems go away.

    The down side is that many packages aren't created properly, which results in rpm hell like as-in dll hell. But done properly, it is utopia. (Properly -- No source code packages, no packages with incorrect version numbering like "2.0alpha" comes before "2.0", no "this package depends on a dozen files in some absurd directory that only appears in my distro")

  5. Random passwords on Convicted VoIP Hacker Robert Moore Speaks · · Score: 3, Interesting

    It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
    - They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
    - You would have to print it on the router, or on a slip of paper
    - If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.

    Even if you don't implement that last bullet, it still seems like it would help a lot.

  6. Re:Why this _is_ wrong... on Apple May Be Breaking the Law With Policy On iPhone Unlocks · · Score: 2, Insightful

    It doesn't mean you can modify your car for more horsepower, and expect the manufacturer to cover the engine under warranty when it breaks. The issue is that people are modifying the engine and the warranty says that Apple will is thus to support the seat belts. It's like the guy who installed Linux on his laptop and HP refused to fix the broken keyboard.
  7. Re:Is that even legal? on Upcoming Firmware Will Brick Unlocked iPhones · · Score: 2, Informative

    In the US, it is illegal to put arbitrary terms in a warranty. The manufacturer must prove that using the iPhone with another carrier damages the device. This same point came-up in a discussion about HP refusing to repair a broken keyboard because Linux was installed.

  8. Re:Economic loss due to patents. on 802.11n May Never Happen Due to Patent Concerns · · Score: 2, Insightful

    You are "putting the cart before the horse."

    It is not that we will be deprived of this technology because of patents. It is the other way around. This technology would not exist without patents. Organizations would not spend money designing and researching technology if they didn't have a guarantee that they could sell that technology.

  9. Facts cannot be copyrighted on Don't Take Notes In the Bookstore · · Score: 4, Insightful

    This has come up before and I believe a judge ruled that prices are facts, and facts cannot be copyrighted. That applies to the ISBN number as well.

    Although that doesn't mean you cannot be asked to leave the store for doing it. It's their store and they can throw you out for anything they want. And the store is perfectly allowed to suffer for it.

  10. Re:Unacceptable on Ameritrade Security Audit Finds Privacy-Busting Back Door · · Score: 1

    The problem here is autorun. No separation of data and executables anymore. I can insert a burrito into my microwave and be 100% certain that the burrito will not change the firmware of my microwave. But for "convenience" Microsoft makes things so that they automatically run, under the privileges of the user logged-in, whatever the heck the inserted media wants. Totally lame.

  11. Obligatory ST:TOS reference on HP's Inkjet Technology Used to Administer Drugs · · Score: 4, Funny

    Damn it Jim! I'm a doctor, not a printer!

  12. Re:Word doesn't preserve layout either on de lcaza calls OOXML a "Superb Standard" · · Score: 1

    That's not true.

    If you have margins set to 0.1 inches an your printer requires 0.5, then Word chops-off the top 0.4 inches to preserve the layout. Likewise, fonts are rasterized in the software and sent to the printer. The printer can use internal fonts, but that is very rare today and they only do it if the font is exactly the same in the printer and in the software.

  13. Obviously Linux cause this on Retailer Refuses Hardware Repair Due To Linux · · Score: 3, Funny

    Gentoo was so difficult to install that it forced him to hit the laptop in frustration, breaking the hinge. :)

  14. Re:Oh! on Name Your Favorite Bloat-Free Software · · Score: 1

    Photoshop's memory requirements are probably 95% based on the content, not the application. So bloat doesn't apply to it as much. However, I still think Photoshop is bloated because it takes too long to load. That's a metric whenever I get a new computer: How fast does Photoshop load? It always starts out to be a few seconds, but then I upgrade to the latest version and 3 years later it's at 30 seconds and I realize I need a new computer. Then I realize Photoshop 5 has 95% of the features as Photoshop CS2 but loads much faster, and I begin to wonder what happened.

  15. Re:Why? on Justice Department Opposes Net Neutrality · · Score: 1

    I would agree with that if I heard Libertarian posters say "I do not believe in Net Neutrality because I believe a better solution is to eliminate the monopoly regulations in affect already that make Neutrality necessary in the first place." But that isn't what people are saying. They are saying "no network neutrality" because "I hate regulation" ignoring the fact that regulation is already in place.

    Plus, it also ignores the fact that broadband service really really -IS- a natural monopoly because the physical phone/cable lines. It means there will always be some monopoly in place. I do agree though -- if we decoupled broadband service providers from the physical phone/cable line companies then we would be very close to the ideal situation. Maryland did that with electricity: power lines are a separate entity from the power providers.

  16. Re:Responsibilities on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 1

    I agree entirely then. So long as it starts with the individual and works the way up. It doesn't always necessarily end with the CEO. People seem to want to hit the CEO first, and let the individual go - which lets people hide behind the company. Walking the chain of command/responsibility makes sense. In some cases, it is the CEO.

    Abu Grahib / Iraq is definitely an example of something that goes all the way to the top. Throwing out some paperwork probably doesn't.

  17. Re:arrest warrant for key managers on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 1

    I almost agree with you: Are you saying the immediate managers who ordered it should be held responsible too? I'm all for that. Don't let the middle managers get away either if they are responsible (they probably are). Responsibility starts with the individual, and works it's way up.

    Ex:
    Joe wrote the code.
    Sally, Joe's boss, said "make a rootkit"
    Herman, Sally's boss, said "make it secure"

    Sounds like Joe goes to jail for doing something illegal, Sally goes to jail for the same crime for coordinating it, and Herman is fired and maybe Fined because he can't manage his employees properly.

  18. Re:arrest warrant for key managers on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 1

    If there was some evidence that the CEO told the person to throw away the forms, that would apply. But we don't have any indication of that.

    Responsibility starts with an individual. If that person can then say "my boss told me to do it" then fine: hold the individual AND the manager responsible. But the individual still did it and is responsible. If that manager says "it is company policy" then walk up the chain. But rarely is the CEO the one who made the policy. In a 50-person company: perhaps. But the company in question here is a multinational, and that isn't likely.

    The problem with "Do it or we'll fire you and find someone who will" is that this absolves the person from actual responsibility. I've been in situations where I've had access to data and been told to send it to someone who should not have it according to the company privacy policy (and basic morality). I refused. Because _I_ am the one turning the key, entering the password, and copying the data. I won't do that just because somebody tells me to. If your boss said to do something blateltly immoral or illegal you would do it, and expect them to be held responsible and you to get off scott free?

    Holding CEO's responsible isn't fixing these problems. Because CEO's don't know they are happening, and the only way they have to solve them is micro-management. Really, it's impossible at that level. The best thing to do is hold responsible the people who did it, and stop letting them hide behind the corporation and absolve their conscience. Companies are made up of people, not mindless automatons, and not a single figurehead who puppets all their actions.

  19. Re:arrest warrant for key managers on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 1

    It sounds like you trying to argue, by analogy, that the CEO is personally responsible for every bad thing in a company because they personally told each person to do the bad thing? If that was true, I would agree with you.

    First thing, the CEO isn't the one who told the Blockbuster employee to say that. More likely, the immediate manager and/or their manager. Hold those managers responsible then, if they had personal involvement. But don't automatically hold the CEO responsible if the CEO is in Texas and the employee is in Canada and they've never met.

  20. Re:arrest warrant for key managers on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 1

    Captain != CEO. Captains don't have 10 thousand people working for them, some of whom he/she has never met, who work in a different building in a different area of the world. The rebate forms example is like holding the president responsible for a bar fight by a soldier stationed in Taiwan. Fine - hold the manager of the individual responsible. That makes complete sense because that manager should fire the person, be aware that it happened, and clean it up. But that's a far cry from the CEO.

  21. Re:arrest warrant for key managers on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 0

    didn't send the rebate form to that disgruntled employee You just fell into the very trap you are trying to avoid: People can now hide behind the company and not be held responsible. I can now throw away the rebate forms into the trash and "ha ha" I'm not responsible because now the CEO is responsible!

    Why would the CEO not be responsible for the actions of his company? Because there may be nothing the CEO could have done about it, and no way for him/her to know. As I said, if there is a company with 10k employees, and somebody's marriage is on the rocks and they throw out the rebate forms, that's not the CEO's fault.
  22. Re:Why? on Justice Department Opposes Net Neutrality · · Score: 1, Insightful

    But every libertarian also knows that capitalism does not work:
    1) without an even playing field
    2) in the presence of a monpoly

    Broadband internet is a regulated monopoly. And without network neutrality, the ISPs can perform subtle slight-of-hand making it appear as though one web site is too slow while another is fast. Or make it appear like you need more bandwidth for your VOIP when you really have plenty. This distorts the reality of the market unto the consumer.

    A libertarian should support network neutrality because the minimal government intervention necessary to enforce the rules is required for capitalism to function. Libertarianism without this principle devolves into a corporate oligarchy.

  23. Re:arrest warrant for key managers on 1300 Unopened Fry's Rebate Forms Found In Dumpster · · Score: 2, Insightful

    Everybody here hates CEOs and likes to hold them liable for everything. I want to hold the individuals responsible. A CEO can't track every little thing every employee does. If I have a company with 10k employees and an employee trashes somebody's rebate form, you can't hold the CEO responsible. Hold the employee responsible.

    This is especially true when I hear of engineers writing rootkits or spyware for a company. I want the balls of the engineer who wrote that code. Likewise, if somebody trashes rebate forms, take it out of their pay checks. These are cases of malicious, intentional damage to a customer and the individual should be held responsible for their actions.

  24. Re:Khan is no exception on Everything I Needed to Know About Game Writing I Learned From Star Trek · · Score: 1

    Hacking into the computers would --NOT-- have been good.

    I agree about his intelligence though. And the 2-dimensional thinking thing is a really good example.

  25. Khan is no exception on Everything I Needed to Know About Game Writing I Learned From Star Trek · · Score: 4, Insightful

    At the end of the day, there needs to be a direct confrontation between the Hero and the Villain; Khan is a great exception to the rule. The end of "The Wrath of Khan" ends with a very personal showdown between Kirk and Khan. Yes, they are on separate ships, and yes, it is Spock's advice ("His pattern indicates two-dimensional thinking...") that results in Khan's death. But the entire time Khan is cursing Kirk and treating this fight as an epic battle between Khan's raw hate and intelligence -vs- Kirk's heart and experience.

    Direct confrontations do not always involve fisticuffs (although with Kirk, they usually do).