Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories: 0 · Comments: 7,948

Comments · 7,948

  1. Conservatives' Drugs and Intrusive Government on Spam Trap Claims 10x-100x Accuracy Gain · Score: 1
    No, what conservatives are against is government intruding into *their* lives, not yours. Unlike liberals, they don't feel guilty about that. And if the liberal nanny-state types want to "protect" you from yourself, conservatives are fine with that.


    Conservatives want to keep all that money in the black market because there's a lot more money that way, and it lets them keep police forces in business; many recreational drugs would be way too cheap to have a big economic impact if they were legal. Marijuana's the obvious example there; if people could grow their own without interference, high-quality weed wouldn't cost more than tea, which is a lot more work to grow, and unlike tobacco it's really tough to smoke two packs of dope a day. Taxing legalized homegrown isn't going to keep the CIA and their buddies funded.

    If you look at the costs of opiates, such as the poppies that keep the Taliban in business, medical opiates are really cheap - a bottle of Tylenol 3 with Codeine over-the-counter in Canada costs about $5/100 tabs, and even in the US, the last time my dentist prescribed me Vicodin it was about $5/20. Either one could keep Rush Limbaugh happy for less money than my daily Starbucks habit if it weren't mixed with tylenol (which is dangerous in recreational doses.) Prescription Oxycontin isn't more expensive because there's a hydroxyl radical stuck over on the left-hand side, which doesn't change the manufacturing costs significantly compared to codeine or morphine, it's just the brand-name and the fancy timed-release packaging that addicts don't care about and the extra anti-diversion handling requirements.

    And the only thing keeping amphetamines expensive is the cost of the black market - Sudafed was dirt cheap back before the anti-meth laws made them overpackage it, and the pharma companies could make meth for about the same price as Sudafed or Phenylephrine since they wouldn't have to undo the last couple of manufacturing steps the way current meth-cooks do.

  2. How Botnets Work Around This on Spam Trap Claims 10x-100x Accuracy Gain · Score: 1

    Botnets have gotten pretty big these days, and they've already _been_ using the technique of spreading around their spam so that any given ISP only gets a few messages from a given bot, at least at a given time. Botnets and spamming have gotten big enough that they can coordinate this kind of thing fairly effectively, at least for the organized-crime types of spam rings, though Bubba in his trailer park may not be doing that. As long as you've got the big numbers, it's not hard to coordinate it.

  3. The Ecology is the hard part on How To Beat Congress's Ban Of Humans On Mars · Score: 1
    It's not going to be possible to move any significant fraction of the human race off-planet for a long, long time, and we aren't even vaguely close to understanding how to build a stable self-sustaining ecology for outer space, which we'd need for travel between planets, nor are we close to understanding how to build an ecology that'd work on Mars or the Moon, which we'd need if we're going to colonize them. Also, we'll need to avoid becoming dead between now and when we can leave.

    There's currently only one laboratory where anybody's seriously researching how to terraform planets - it's called "Earth" - and the group running it have been doing a spectacularly bad job so far, and haven't even figured out where the thermostat is. The kind of research that needs to be done if we're going to create off-planet living environments mostly overlaps with the kind of research we need to fix Earth, so we might as well focus on the important parts first. For the most part, that's not rocket science, it's something much harder.

  4. Spambait Recipients and Message Volumes on Spam Trap Claims 10x-100x Accuracy Gain · Score: 1
    There are some recipients for whom you can easily identify their spamminess percentage, because they're fake usernames you've planted so 100% of their email is spam, plus there are nonexistent usernames on your system that are also 100% spam. It's not like either of those are new techniques; this guy's just doing a modified version that tries to use mail for real recipients as well.


    But both this new approach and the spambait-user approaches suffer from the problem of identifying identical messages; spammers often try hard to make messages slightly different, or images slightly different, so that message hashes will be different for otherwise-identical spam, and anti-spammers try to make hashes that ignore easily-modifiable stuff at the beginning and end of messages, and spammers try to work around those techniques, in the usual arms race.


    On the other hand, you don't need to be Google to get enough email volume that you've got some mailboxes that receive a lot more spam than others. Almost any domain is going to have some addresses like "sales@" and "info@" and "webmaster@" and such that get lots of spam, and just about any address on your web pages is going to get harvested. Statistically you're unlikely to kill 99% of the spam unless you've got over 100 users, and probably 100 is better, but that's probably enough, especially if you use some kind of shared spam-filtration system like Razor / Cloudmark. Also, while this guy's blazingly optimistic about his technique stopping most spam, it doesn't have to be your only tool - you can adapt it to use as a SpamAssassin weight or whatever.

  5. They're apes, not monkeys on Chimps Outscore College Students on Memory Test · Score: 1
    Select followup line from
    • "Right turn, Clyde!"
    • "Don't say the M-word around the Librarian!"
    • something about Monkey Knife Fight...
    • 4 .... Profit!

  6. Senility doesn't work that way on Governments Prepare for Cyber Cold War · Score: 1

    Senility doesn't work that way - if anything it's the opposite. During my grandfather's last few lucid years, it was *much* easier to talk with him about Paris in the 1920s or 1950s or the US during WWII than about what had happened in the previous few years when his memory wasn't working so well, and later on it got harder for him to remember what had happened yesterday or recognize people, but the older memories stuck around longest and were least confused. Memories of what other people did are harder to keep track of - my grandmother did the stereotypical "Rosie the Riveter" thing during the war, but my mom has trouble remembering whether grandma actually did riveting or whether it was something else (I think it was welding, though we mostly remember stories that grandma'd gotten good enough at it that she mostly taught other people rather than doing it herself; mom wasn't actually at the defense plant seeing grandma weld so it was still second-hand knowledge even though she was around at the time and I wasn't.)

  7. It says "All your base are belong to us" on MTV Takes on P2P by Making South Park Free · Score: 1

    My hovercraft! It's full of Eels!

  8. "Overwriting Everything" is surprisingly hard on On-Call-IT Assists In Government Data Destruction · Score: 2, Informative
    It's usually pretty easy to overwrite most of the data on a disk. But the operating system, disk controller, and various drivers make it hard to get absolutely everything, so depending on what you're trying to hide, you may not want to risk that.
    • Bad Block Remapping - Once a block goes bad enough to not be reliably writeable, or reliably readable, it'll get mapped out and replaced by another block, and after that, nothing's going to erase it. Normal tools aren't going to be able to access it, but forensics tools usually can.
    • Host Protected Area - HPA is a really annoying feature introduced in ATA-4 in 2001 which lets the disk driver hide data from the normal operating system tools and requires special BIOS tricks to access. It seems to have a couple of common uses - OEM-provided recovery operating systems, and making disk drives appear smaller than they actually are (for instance to let you use a 160-GB drive on a computer that doesn't know about drives >128GiB). There are some rootkits that use HPA to hide themselves. I'm currently annoyed at Maxtor because some of their external-USB-disk enclosures use HPA to map large non-OEM drives down to 128GiB, including the 500GB drive I bought to replace a failing 200GB drive, and not only do Maxtor and Seagate's tools not seem to be able to fix the drive, neither do the Linux tools I was able to find....

    So if you want to overwrite everything on a disk, you may need to talk to the disk controller at a lower-than-usual level rather than using your regular OS tools, and there still may be blocks that the controller can't successfully overwrite.

  9. Encrypting SIP Signalling vs. Media Channel on Expert Unveils 'Scary' VoIP Hack · Score: 1
    More to the point, there are two kinds of connections in a SIP conversation - the SIP-protocol signalling between the endpoint and the PBX (or equivalent), and the media connection between the two endpoints that carries the actual voice/video/IM/etc. (Normally the media channel is directly between endpoints, e.g. two phones in the same office, and only touches the PBX if one endpoint is a non-VOIP telco line or if there's some special NAT requirement.)

    Encrypting the signalling channel is a pretty straightforward TLS application, though too many vendors' equipment doesn't support it, and doesn't have any real-time constraints.

    Encrypting the media channel is where the work is, and where the interoperability standards problems seem to be. The grandparent poster worried about encryption latency, but that hasn't been a problem for years - you're not carrying more than 64kbps of data, so there's no significant processing latency with a reasonable CPU, and accumulating the voice bits into a big enough packet for the voice codec (which does cause latency) means that the crypto system doesn't have to do that.

    On the other hand, media encryption does require enough CPU horsepower that it's not well supported on telco-scale equipment - phones can handle their end just fine, and a typical CPU can handle a T1 (24 calls) for a small-medium office, or a router with an underpowered CPU can use a crypto board or some of its DSP chips for encryption instead of VOIP codecs. But if you want to handle a thousand media channels at once, that starts to take some serious horsepower, so it's a cost tradeoff and isn't always supported. (Handling one 100 Mbps data stream of encryption isn't that hard, but maintaining 1000 separate streams is a lot more work, especially if the VOIP codecs are implemented in custom hardware.)

  10. ARP-jacking the traffic for the VOIP PBX on Expert Unveils 'Scary' VoIP Hack · Score: 1

    You don't need to ARP-jack _all_ the traffic for your building, and ideally you don't want to. But if you can pull off the attack successfully (and I'm not convinced you can), what you want to do is only steal the traffic pointed at your VOIP PBX, which will get you the signalling traffic and probably outbound VOIP traffic as well. If you're not as lucky, the VOIP services will run on the same router that connects you to the outside world, but if that's the case it's usually only a T1 or two, not a T3, so you're still only having to redirect a couple of extra megabits onto your 100 Mbps LAN port, which isn't a problem.

  11. Telecom companies and VOIP on Expert Unveils 'Scary' VoIP Hack · Score: 1

    Actually it's just the opposite - businesses that buy PBXs have been buying IP PBXs for the last few years as opposed to traditional TDM PBXs, and they'd rather buy VOIP interconnections to the telco networks than put in extra boxes with T1 or T3 interfaces. So scaring the market about VOIP not only annoys their customers, it makes many of their customers want more complex discussions about VOIP security - and given the appalling state of equipment vendor SIP compatibility out there, it's making it tougher for everybody. (Essentially, everybody says they're doing SIP, but typically only the basic features interoperate, or you have to fall back to H.323 to connect to other vendors' equipment even though boxes from Vendor X can interoperate using their interpretation of SIP.)

    For instance, if the telco has equipment from Telco-Switch Vendor X, and the customer has equipment from PBX Vendor Y, and X and Y can set up basic calls but can't make Feature F interoperate, then neither side wants to be told that they need Feature F for security reasons. The telco can't switch over to Vendor Y, because that equipment doesn't scale to carrier-sized networks, plus the telco needs to interoperate with many different brands of PBX, and the customer could switch over to another carrier that uses Telco-Switch Vendor Z, but then they're going to find that Feature G doesn't work, and maybe their first-choice carrier was the cheapest, or had better coverage in SouthEast Asia where the customer's factories are, or was providing the toll-free services that the customer uses to reach _their_ customers, etc. And nobody wants to delay their interconnection for a year while both sides submit bug reports to Vendors X and Y and wait for the next software rev.

  12. SQL's easy; DBA's much harder on Head First SQL · Score: 1
    It's easy to learn basic SQL, at least if you've got a reasonable computer background. About 15 years ago we needed a database for a project, and somebody in the department had a copy of Informix around so I picked up the manual and was able to build a schema for my project and do reasonable queries within a day. I tried the same with Sybase, which one of the projects we'd be interconnecting with used, and it was a total swamp, with a stack of manuals as big as VMS's, and I never was able to get anything useful built in the time I had available.


    Of course, my department decided that they were too cheap to pay $5K for another Informix license for my project, much less the $10K or $20K that Sybase cost, so I ended up rebuilding the project out of the old Unix join, sort, and look commands.

  13. Good news for Virginia, Philly, and Delaware corps on Maryland To Tax Custom Programming and Computer Services · Score: 1
    If I were in the computer business on the Maryland side of the DC area, I'd make sure to move my office down the Beltway to Virginia - or at least hire IT contractors that were based there. Baltimore's got it a bit tougher - they're stuck between DC and Philly or Wilmington.


    I wonder if this applies if you're selling services in Fort Meade?

  14. That's not why people keep using heroin on Inside A Korean Rehab Camp For Web Addiction · Score: 1
    Most heroin addicts keep using it because withdrawal symptoms really suck, and taking more gets rid of the pain for a while.


    People generally _start_ heroin because it feels good, or their friends tell them it's cool, or because they're stressed and it helps the stress, or because they're also using cocaine and it helps the jitters. But it doesn't take long at all to get addicted. An acquaintance of mine who was a writer found that the relaxation helped him with writers' block and also with coke jitters (coke also helped with writers' block), but once he used it for four days in a row and got addicted. It took him a long time to get off the stuff; he said it was far nastier than getting off coke had been (which had been pretty easy once he'd burned through all his money and friends....) Last time I saw him he still smoked cigarettes, but his girlfriend said she could cope with that, and they'd work on one vice at a time.

  15. Checking malloc() output, not just input. on Multiple FLAC Vulnerabilities Affect Every OS · Score: 1
    It should be perfectly safe to take unchecked input and malloc() that much data - unless something's seriously broken, if malloc can't get that much data, it'll return NULL as an error value. The problem is that if you don't check the return value, you can then go do something stupid with the NULL. (Some machines or operating systems do different things with memory block zero - either putting zeroes there to be "helpful", since for some errors that really will do what you thought you wanted, or setting the memory page to non-readable to cause an error so you have to fix your bug.) If libFLAC isn't checking its malloc() returns, shame on it!


    That doesn't mean that you *shouldn't* check your input also, because of course you should. (One of the first lessons my college CS100 class taught thirty+ years ago was "Never trust any input that you haven't validated", and you had to run any homework programs against the professor's data sets which had values deliberately chosen to trigger off-by-one errors, bad data types, etc. Apparently that wasn't common practice in computer science courses, based on how often I see software that's vulnerable to malicious input.) For some of the inputs to FLAC, it's pretty obvious what ranges of values are sane and what aren't, e.g. album art that's too big, or overly long URLs or comment strings.

    I don't know enough about the seek-table behaviour to know if those vulnerabilities are realistic or not - freeing already-freed or never-malloc()ed memory is in bad taste, but I don't know if that's the library's problem or the application's problem, and of course there are languages where the issue doesn't come up.

    Meanwhile, I guess you should avoid listening to malicious files... or contract with RIAA to spread them around.
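
The two checks the comment above asks for, worked through as an added example (my code, not libFLAC's): a loader for a constructed "4-byte big-endian length, then payload" field such as embedded album art, with a range check on the untrusted length before allocating and a NULL check on what the allocator returns before it is touched. The 16 MiB ceiling, the `load_picture` function and the pluggable allocator are assumptions made for the demonstration; the sample buffers are constructed, not taken from any real file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ceiling for an embedded picture; the comment only says that
   "too big" album art is obviously worth rejecting, it names no number. */
#define MAX_PICTURE_BYTES (16u * 1024u * 1024u)

enum pic_status {
    PIC_OK = 0,
    PIC_ERR_SHORT_HEADER,  /* fewer than 4 bytes: no length field at all */
    PIC_ERR_TOO_BIG,       /* declared length fails the input sanity check */
    PIC_ERR_TRUNCATED,     /* declared length exceeds the bytes we hold */
    PIC_ERR_NOMEM          /* allocator returned NULL: the output check */
};

/* The allocator is a parameter so a failing one can be injected in tests. */
typedef void *(*alloc_fn)(size_t);

struct picture {
    unsigned char *data;
    uint32_t len;
};

/* FLAC metadata lengths are big-endian; read one 32-bit field. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse "length, then payload" out of an untrusted buffer. */
enum pic_status load_picture(const unsigned char *in, size_t in_len,
                             alloc_fn alloc, struct picture *out)
{
    out->data = NULL;
    out->len = 0;
    if (in_len < 4)
        return PIC_ERR_SHORT_HEADER;
    uint32_t declared = be32(in);
    if (declared > MAX_PICTURE_BYTES)     /* input check: sane range */
        return PIC_ERR_TOO_BIG;
    if (declared > in_len - 4)            /* input check: fits the buffer */
        return PIC_ERR_TRUNCATED;
    unsigned char *buf = alloc(declared ? declared : 1);
    if (buf == NULL)                      /* output check: never use a NULL */
        return PIC_ERR_NOMEM;
    memcpy(buf, in + 4, declared);
    out->data = buf;
    out->len = declared;
    return PIC_OK;
}

/* Allocator that always fails, to exercise the NULL branch. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

/* Constructed sample inputs. */
static const unsigned char sample_ok[]    = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char sample_huge[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };
static const unsigned char sample_trunc[] = { 0, 0, 0, 10, 'a', 'b' };

/* Run the loader, release any result, report only the status. */
int status_of(const unsigned char *in, size_t in_len, alloc_fn alloc)
{
    struct picture p;
    enum pic_status s = load_picture(in, in_len, alloc, &p);
    free(p.data);                         /* free(NULL) is harmless */
    return (int)s;
}

/* Check that the good sample round-trips byte for byte. */
int sample_ok_matches(void)
{
    struct picture p;
    if (load_picture(sample_ok, sizeof sample_ok, malloc, &p) != PIC_OK)
        return 0;
    int match = (p.len == 3 && memcmp(p.data, "abc", 3) == 0);
    free(p.data);
    return match;
}
```

The truncated and oversized samples are rejected before any allocation happens, and the injected failing allocator shows the NULL branch returning an error instead of handing a NULL pointer to memcpy.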

  16. Internationalization is harder than EUisation on US Control of Internet Remains an Issue · Score: 1
    It's fairly easy to get the Domain Name System to work for the main European languages - just allow 8-bit characters in the names using ISO-Latin-1. But real internationalization is harder - you not only have to deal with UTF-8 or other character sets, you also need to deal with right-to-left languages, and you have to deal with domain names that could have mixed character sets used for name-squatting. Or you can take the Punycode approach, which is way too ugly for anybody to want to deploy it unless they're Verisign making money by selling the names.


    There are political issues on this between Verisign and ICANN, and unfortunately ICANN does not seem highly motivated. But (last time I looked, which is a few years ago) Verisign really wanted to push Punycode solutions, and was trying to deploy internationalization using the same mechanisms they were using to hijack DNS requests for non-existent domains to point them to their advertising web pages (which were very annoying if you were using some protocol other than HTTP: TCP:80.)


    And of course there's not only the US Trademark Mafia trying to push domain name policy, but the US don't-trade-with-our-enemies people, and the Chinese government-censorship mafia, and various other governments that want to use this as an excuse for control or censorship.

  17. Hides by Glowing in the Dark? on "Stealth" Plasma Antennas · Score: 1

    I don't quite get the usefulness of this thing either - when it's turned on, there's bright glowing plasma, and when it's turned off, even though it doesn't have a long metal piece, it still has a lot of metallic support machinery, plus it's a glass tube that you need to haul around carefully instead of a metal antenna or rubber ducky that you can bang into things.

  18. There's lots of direct EU-Asia bandwidth on US Internet Control To Be Topic #1 In Rio · Score: 1

    The parent article's correct, unlike many of the replies to it. While there is still a lot of EU-Asia connectivity that goes the long way around through North America, there's an increasing amount of bandwidth on cable systems that go directly. Most of it's undersea cables that go through the Middle East to the Indian Ocean and then to east Asia or Australia, but there's starting to be some land-based cables across Russia as well. It's more likely to be bought by private businesses that need lower-latency connection for their applications than by the general Internet ISP market, but that's also growing. There's also some obvious geographical difference in which routes to take - EU-Asia cables are much more important for India or Singapore than for Japan.

  19. Re: Car engine lifetimes on Samsung Announces Fastest 64-GB SSD · Score: 2

    Airplane mechanics actually do keep track of flying hours as a maintenance target, but car lifetimes usually get counted by miles. However, suppose you do look at times - my experience with Chevy engines has been that they last about 120,000 miles, so at an average speed of 30mph, that would be 4000 hours, or about half a year (other cars should of course run longer :-) While 7000 RPM is obviously not a good speed to run the engine at, running it continuously for long periods of time is likely to be much better for it than realistic operating cycles. Diesels would probably do even better on long continuous use applications.

  20. Taliesin West's ceilings are way too low on MIT Sues Frank Gehry Over Buggy $300M CS Building · Score: 1
    I really like some of Wright's prairie architecture stuff. But one thing that struck me very rapidly (and almost literally) about Taliesin West was that the dude was obviously *short*, and didn't mind forcing taller people to duck when they enter his buildings. There's an auditorium there where the entrance doorways are scarcely over 5 feet high; I'm only 6', and that's not the only place in the complex I had trouble. It's as annoying as having to use showers designed by short people.


    Fallingwater has unfortunately turned out to be the correct name for that building, but it's such a stunning place that it was worth building anyway, as long as the owners knew to think of it as a temporary art project rather than a centuries-of-use edifice. On the other hand, even a lot of his prairie-style stuff fails really badly in a few years if you don't do good maintenance on it, making sure all the windows and flashings stay watertight.

  21. Cars are actually a good tech comparison on Former Intel CEO Rips Medical Research · Score: 1
    Medicine has good reasons for being difficult - biology is really complex, we're only gradually starting to understand the edges of the field (with lots of help from the computer industry, especially in areas like genetics), and mistakes often result in people dying so we're very risk-averse. The amount of fundamental research progress in medicine in the last decade is surprising, but most of it's genetics that we can't yet translate directly into curing diseases.


    But cars are just big dumb physics and a bit of chemistry, and we haven't made anywhere near the progress on them that we have with computers. My 1985 Toyota got 27 mpg when it was new. Except for a few hybrids, most of the cars on the market don't get more than 20% better mileage than that. Brakes have improved a lot, paint's a lot better, so cars last longer, and manufacturing costs have come down (though inflation hides how much cheaper cars are.) Pollution has gotten somewhat better. Cars might not need repairing quite as often.


    Except maybe for paint and a few pollutants, and of course for how fancy the car stereo players are, we haven't seen anything like one order of magnitude improvement in price/performance of anything in the automobile space, compared to the ~4 orders of magnitude in CPU speeds or 6 in memory costs, or even the one order of magnitude improvement in the cost of a desktop machine that runs the popular bloatware. So give the medicine people a bit of slack.

  22. Signature Keys vs. Ephemeral Message Keys, OTR on US Wants Courts to OK Warrantless Email Snooping · Score: 1
    There's a difference between signature keys and message keys. In some cases, it may be reasonable (or at least useful) for a government or mafia to demand that you give them the keys used to encrypt a given message, if you have them. It's never reasonable for a government to demand signature-only private keys, since those can only be used to impersonate you, not to reveal information. (Mafias don't care if it's reasonable, but they do care about useful, or at least fun, so they might rubber-hose you into revealing them anyway.) That doesn't mean that a government won't force you to reveal your signature-only private keys, but that only compromises future conversations, not past ones, and you can at least argue about the issue in court.


    So if you need privacy in a UK reveal-your-keys environment, you need a cryptosystem where you don't keep the encryption keys for a given session that they might have eavesdropped on. (They can still demand that you give them the keys for files you've saved on your disk drive, if they can find your disk drive, but you don't have to save incriminating files.) Diffie-Hellman is the standard crypto protocol for generating session keys, and you can reinforce it with signature keys if you want to be sure who you're talking to. It's used in IPSEC session setup, and there are other crypto applications that can use it.


    Off-The-Record Messaging is Ian, Nikita, and Eric's protocol for an ephemeral-key session tool that can integrate with applications like Gaim. It has authentication built into it, so you can be sure that you're talking to the person you think you're talking to, but doesn't save message keys in a way that lets anybody decrypt messages later or prove who you were talking to. By contrast, PGP / GPG lets you encrypt email messages, but anybody who intercepts them can force you to decrypt them later, because the message key is fairly persistent (you might change it yearly, but you're not going to change it every day.)

  23. Stealing Keys Silently vs. Notifying You on US Wants Courts to OK Warrantless Email Snooping · Score: 1
    There are many different issues here, but one of them is whether they can get the keys without you knowing about it. If you're the only one who has your keys, then it doesn't bother them that they need a court order to force you to hand them over, because you're going to know about it anyway. But if your ISP has access to the keys, they can give your ISP a subpoena or warrant and a gag order, and you'll never hear about it.


    It's also possible for the spooks to black-bag your computer - put in keylogger software, or a camera in your ceiling, or keylogger hardware into your keyboard. IIRC, the FBI has done something like this on Mafia suspects. It's very much the kind of thing that even if they have to get a court to rubber-stamp it, as opposed to doing it warrantless, you're never going to hear about it until they've hauled you into court for whatever you're accused of doing.

  24. Get off my LAN, you punk kids.... on Over-50s Invade the Social Networking Scene · Score: 1

    We'd deliver the message by Usenet,
    but as Yogi Berra said, "Nobody goes there anymore - it's too crowded."

  25. Kucinich used to be serious, before the UFOs... on Colbert Ballot Bid Shot Down · Score: 1
    Dennis Kucinich used to be a serious candidate. He knew he was far more progressive (i.e. cluelessly leftie :-) than the middle of the road Democrats, much less the Republicans, and having run in the last primaries he's got a fair bit of clue about his chances of winning, but that's not the only reason you run - you also run to influence your party and the debates. Kerry certainly wasn't a serious candidate - didn't have a clue what he was doing, didn't have the guts to take a stand on critical issues or to nail the Rove/Bush/Cheney ticket for how they were running the campaign, much less the country, and the only reason he came close to winning was that Bush was so appallingly bad.


    Kucinich represents a significant chunk of the Democratic Party's core values base, as opposed to its pragmatic base or its "who's most likely to beat the Republicans" base, and one reason Bush won is that none of the Democrats have been successful at framing themselves as the candidates with principle. Even Al Sharpton managed to do a credible job last time compared to Kerry (in spite of everybody including him understanding that he was totally unelectable.)


    Colbert's big threat to the Democrats was that he's more honest than the major players - even Obama has trouble getting to anything better than truthiness - and the difference between Colbert and his TV character emphasizes the problems the real politicians have with that. On the other hand, there are also people who don't get the joke and think Colbert's really the right-winger he plays on his show :-)