And we already have the solution too - the one guy who was running it under SELinux got an error message instead of a wiped system. (He also appears to be the one responsible for the bug in the first place...)
To play devil's advocate, the init-related complexity exists either way, so what it really comes down to is where it gets handled. I think that systemd's approach to daemons (declarative config files about 5 lines long) is much simpler than the sysvinit approach of having a few pages of bash. Journald is admittedly more complicated that traditional syslogs, but the ability to query a database with a simple command instead of several lines of perl is potentially worth it. (I say potentially because I haven't yet figured out which daemons actually log to journald, and which just use their own log files.)
Making systemd ignore all of fstab is painful because you're trying to disable an entire 'feature'. (The inability to do so contributes to the perception that it's monolithic, but I digress.) What would probably work better is adding 'noauto' to the entry for the file system in question, then add a.service file that calls 'mount/mnt/whatever || true' - that way you can ignore the return code or handle it however you want.
Correct me if I'm wrong, but doesn't that only mean that systemd needs to be the root of the tree of processes whose resources it manages, as opposed to the root of all processes on the system (which is implied by pid1)? Systemd-init expressly checks that it's running as pid1, but this seems to be an artificial constraint and more of a recommendation than a hard requirement.
Win10 doesn't look too bad, but the damage has already been done. I jumped ship for Linux when Win8 was in RC, and now it's almost comical how many different tools you have to install that come out of the box on pretty much every Linux distro (text editor, 7zip, compiler, a browser other than IE, codecs, etc.).
Microsoft's problem is that even if Win10 is on par with Win7 in terms of usability, they've still lost customers and marred their image. The Metro apps in the start menu (literally the first thing seen in pretty much any screenshot of the OS) are an immediate reminder of Win8 and everything disliked about it. Win10 needs to be significantly better than Win7, otherwise they're not going to be able to recover.
I agree. This is really the sort of thing that the government should be doing - tax software is just the modern reincarnation of the forms. In Australia, they've been doing this for as long as I can remember, and it works brilliantly. (My only complaint is that it's Windows only, though they do have a new (more limited) website that can be used instead.)
Bell is just an intermediary - the plaintiffs would have to be the recipients of the notices. The problem is you then have your classic big company vs. the little guy scenario, where the imbalance of power makes pursuing justice expensive. In Canada and Australia, this is normal resolved via regulations (which were omitted in this case). (The US approach seems to rely more on class action law suits.)
I'd say the bigger issue is that Java is not as portable as C, partly because of its overhead. The difference is really only negligible on a desktop.
the hard work is the cryptography
Agreed, and if there's one thing the OpenSSL folks have shown, it's that doing it right is hard. The more components you have in your stack, the more opportunities there are for bugs to slip in. (e.g. the infamous OpenSSL allocator). Java has a very thick stack (especially due to its tendency to use layers of objects for everything) - I'm not sure I'd rely on it for something security critical like this.
But on ordinary desktop OS? Since Windows 95, RAMDisks have been dead. Since then, we've been using RAM better to cache all recent filesystem accesses. There's very, very, very, very little that will ever benefit from a RAMDisk over just having that RAM as filesystem cache automatically anyway. You still have to read the data from permanent storage anyway, and once you've done that, it's in RAM until you start to fill up RAM. Read it often enough and it will never drop out of the cache. If you're not reading it often enough, why the hell bother to RAMDisk it?
This is consistent with my experiences on Linux. When compiling the kernel, I found no significant difference in compilation times on a SSD and tmpfs. If you only have a mechanical hard drive, it might make sense to use a tmpfs, but if you don't have a SSD you probably don't have enough RAM for that anyway.
Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.
Btrfs snapshots would have defended against this sort of attack effectively - they provide incremental backups that can only be deleted by root. It's trivially easy to setup a cron job to perform a daily snapshot of/home - I did so a while back and just found I'd accumulated a years' worth of snapshots. Admittedly, this isn't something the average user would have set up, but given that there are already distros which automatically snapshot the root fs before installing updates, it's not a huge stretch to say it could be added to a noob-friendly distro.
While Windows does have various mechanisms for creating backups, I'm not aware of anything equivalent to btrfs on it (incremental backups, takes less than a second to create the backup/snapshot).
I have a laptop with optimus (Lenovo T440p with GeForce GT 730M), and external monitors work fine for me. (I just tested this with 'optirun glxgears'.) I'm using Sabayon, and the only thing I had to do was install the Nvidia drivers - after that it worked perfectly. Sabayon made optimus support one of their selling points back in 2013, so it's possible it has a better default configuration than Ubuntu / whatever you're using.
Of course, it's entirely possible that your specific laptop is designed such that the external monitors can only be driven by the integrated graphics, but that's the fault of the laptop manufacturer, not Nvidia.
Package versions: Linux 3.18 Bumblebee 3.2.1 Nvidia drivers 340.58
The owner of the vehicle is presumed to be the driver unless they either nominate another driver, or file a police report stating that it was stolen. Naturally, if you're renting a car Avis, etc. will record your ID.
On Unix, sadly, only Adobe Flash player detects color corrections and plays your video in proper color. Neither Google nor Mozilla have figured this out for flash video, either.
Strictly speaking, wouldn't you want the video to be in the adjusted colour? Most of my late night PC usage is watching video, and I don't even notice the change anymore. (It helps that Redshift gradually changes the colour temp.) That said, I found it made a huge difference to my sleeping patterns.
your reference to male suicide rates means you're a "men's rights" nut too, so you're not only for conservatism, you're also robustly against anything that isn't conservatism.
I'm not a men's right activist / masculinist (I prefer egalitarianism), but a lot of the gender based inequities come down to the imposition of traditional values / stereotypes. In that sense, I think that such lines of thought are more probably more progressive than conservative, especially since things like allowing and accepting men to demonstrate feminine qualities are pretty much non-existent among conservatives.
Also, is it such a bad thing if a demographic has above average suicide rates and we want to fix that?
P.S. the parent post read like a troll, I just wanted to rebut that assocation
I'm thinking homework that is numerical or multiple choice
And that's your mistake. As I understand it, the point of homework (in addition to reinforcing what was taught), is to identify what the students did wrong and help them to understand the mistake. A simple correct/incorrect answer doesn't do that.
But the reality is that current requirements vary. A car battery is rated for ~300 A at 12 V. A laptop power supply might be rated for ~2 A at 12 V. An LED consumes about 10 mA at ~3V. A microcontroller can run off microAmps at 5 V.
All those voltages are within the same order of magnitude, but the currents span 8 orders of magnitude, and in practice you wouldn't even change the PCB design or wiring for anything 0.1 A.
If I'm reading the packaging info right, the pitch spacing is 0.50 mm. For context, that's about the width of a 0603 resistor (0.8 mm). So, if you have a very steady hand and a microscope, it should be doable. Also, I suspect if there's enough interest someone like Sparkfun will start selling these on breakout boards...
why is Apache still spawning processes for every request that comes in... don't they realize the overhead of that?
My guess is they're UNIX devs - under Linux (and probably some other Unices), forking is ridiculously cheap. In fact (IIRC), spawning a thread has more overhead than forking, since Linux threads are just processes which share resources.
I'm not sure how many people are using Apache under Windows, but I wouldn't be surprised if they were a minority.
Ah, I think you misunderstood me. When I said that it uses challenge-response, I was referring to the cryptographic challenge-response (e.g. the card receives a message, signs it with a private key, then transmits the signature), in contrast to magstripe, where data is simply read from the stripe.
I suspect the test could be generalized to work for N variables, since the noise should increase as we move along a causal chain. The only issue is the exponential drop-off in confidence. If the accuracy could be improved, it could be quite useful for deriving or verifying Bayesian networks.
Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?
I've been playing around with some ideas lately on how to implement a decentralised DNS, and what it basically comes down to is how you resolve conflicts. e.g. Microsoft reserves www.microsoft.com, then I try to do so. Ideally, the order shouldn't affect the final result, because a first-come-first-server system encourages squatting. Crypto-based systems also have to consider if the domain name can be reacquired if the private key is lost/stolen. Here's a quick summary of the different approaches:
Traditional DNS: uses first-come-first-serve (FCFS) and conflicts are resolved through legal means (trademark law). Conflicts are resolved by the registrar - the second application is denied because the name is already in use. Centralized.
mDNS: uses multicast, impractical for global usage. No conflict resolution. This is the only decentralized approach that doesn't involve a DHT.
Microsoft PNRP: requires registrars which sign names to handle conflict resolution. (The unsecured variant has no conflict resolution.) Also requires IPv6, which is currently impractical.
Namecoin (decentralized with FCFS): Conflict resolution is implemented algorithmically. There is a small (1 cent) cost associated with updates.
Decentralized with voting: whichever resolvent the majority decide is official gets the domain name. Impractical, due to ease with which fake votes could be created. (Can be mitigated by making voting expensive - the bitcoin approach.)
Decentralized with trust-on-first-use (TOFU): conflict resolution is implemented by the resolver. Where there is a unique resolvent, it is used and added to a list of trusted resolvents. Where there are multiple resolvents, and the name has not been resolved by the user previously, the client may check white/blacklists published by other clients whom they have previously marked as trusted. If unique resolution is still not possible, manual intervention is required.
Currently I'm leaning towards the TOFU approach, since it's an extension of what's currently used for SSH clients. The only issue is that allowing multiple clients to resolve the same name differently borders on breaking the internet (see RFC 2826). However, it does have the nice property that it's the only decentralized system where a name-holder have their private key seized by an attacker, and still recover the domain name (by creating new keys and having people blacklist the old domain name in favour of them).
If anyone has some ideas/suggestions on this, I'd love to hear them.
The VISA Pay Wave doesn't have user challenge/response, it's simply a wireless magstripe.
Do you have a citation for that? It seems odd to me that they would use such a weak mechanism, when the existing chip already uses challenge/response. The standard used is ISO/IEC 14443, which enables half-duplex communications, suggesting that challenge/response is at least plausible.
Additionally, in my country (Australia), I found that when they introduced PIN-less transactions for contact less cards below a certain threshold ($100), PINs were no longer required when the chip was inserted, which is consistent with my belief that the RFID mechanism is just another means of connecting to the chip.
Got my passport in 2006, don't think it has RFID. My VISA card does - or did until I centered a hole punch over the chip and whacked it with a hammer. That was strangely satisfying:-)
I really don't understand this logic. Yes, wireless connections to the card are a risk (and I say that as someone who took measures to shield my wallet), but that risk is minuscule in comparison to the risks associated with using the magstripe (vulnerable to skimming) instead of the chip (uses challenge and response). These days, if someone requires me to use magstripe, I look at the terminal extremely carefully before swiping.
Slashdot Mirror
And we already have the solution too - the one guy who was running it under SELinux got an error message instead of a wiped system.
(He also appears to be the one responsible for the bug in the first place...)
To play devil's advocate, the init-related complexity exists either way, so what it really comes down to is where it gets handled.
I think that systemd's approach to daemons (declarative config files about 5 lines long) is much simpler than the sysvinit approach of having a few pages of bash.
Journald is admittedly more complicated that traditional syslogs, but the ability to query a database with a simple command instead of several lines of perl is potentially worth it. (I say potentially because I haven't yet figured out which daemons actually log to journald, and which just use their own log files.)
Making systemd ignore all of fstab is painful because you're trying to disable an entire 'feature'. (The inability to do so contributes to the perception that it's monolithic, but I digress.) What would probably work better is adding 'noauto' to the entry for the file system in question, then add a .service file that calls 'mount /mnt/whatever || true' - that way you can ignore the return code or handle it however you want.
Correct me if I'm wrong, but doesn't that only mean that systemd needs to be the root of the tree of processes whose resources it manages, as opposed to the root of all processes on the system (which is implied by pid1)? Systemd-init expressly checks that it's running as pid1, but this seems to be an artificial constraint and more of a recommendation than a hard requirement.
Win10 doesn't look too bad, but the damage has already been done. I jumped ship for Linux when Win8 was in RC, and now it's almost comical how many different tools you have to install that come out of the box on pretty much every Linux distro (text editor, 7zip, compiler, a browser other than IE, codecs, etc.).
Microsoft's problem is that even if Win10 is on par with Win7 in terms of usability, they've still lost customers and marred their image. The Metro apps in the start menu (literally the first thing seen in pretty much any screenshot of the OS) are an immediate reminder of Win8 and everything disliked about it. Win10 needs to be significantly better than Win7, otherwise they're not going to be able to recover.
I agree. This is really the sort of thing that the government should be doing - tax software is just the modern reincarnation of the forms. In Australia, they've been doing this for as long as I can remember, and it works brilliantly. (My only complaint is that it's Windows only, though they do have a new (more limited) website that can be used instead.)
Bell is just an intermediary - the plaintiffs would have to be the recipients of the notices. The problem is you then have your classic big company vs. the little guy scenario, where the imbalance of power makes pursuing justice expensive. In Canada and Australia, this is normal resolved via regulations (which were omitted in this case). (The US approach seems to rely more on class action law suits.)
I'd say the bigger issue is that Java is not as portable as C, partly because of its overhead. The difference is really only negligible on a desktop.
the hard work is the cryptography
Agreed, and if there's one thing the OpenSSL folks have shown, it's that doing it right is hard. The more components you have in your stack, the more opportunities there are for bugs to slip in. (e.g. the infamous OpenSSL allocator). Java has a very thick stack (especially due to its tendency to use layers of objects for everything) - I'm not sure I'd rely on it for something security critical like this.
But on ordinary desktop OS? Since Windows 95, RAMDisks have been dead. Since then, we've been using RAM better to cache all recent filesystem accesses. There's very, very, very, very little that will ever benefit from a RAMDisk over just having that RAM as filesystem cache automatically anyway. You still have to read the data from permanent storage anyway, and once you've done that, it's in RAM until you start to fill up RAM. Read it often enough and it will never drop out of the cache. If you're not reading it often enough, why the hell bother to RAMDisk it?
This is consistent with my experiences on Linux. When compiling the kernel, I found no significant difference in compilation times on a SSD and tmpfs. If you only have a mechanical hard drive, it might make sense to use a tmpfs, but if you don't have a SSD you probably don't have enough RAM for that anyway.
Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.
Btrfs snapshots would have defended against this sort of attack effectively - they provide incremental backups that can only be deleted by root. It's trivially easy to setup a cron job to perform a daily snapshot of /home - I did so a while back and just found I'd accumulated a years' worth of snapshots. Admittedly, this isn't something the average user would have set up, but given that there are already distros which automatically snapshot the root fs before installing updates, it's not a huge stretch to say it could be added to a noob-friendly distro.
While Windows does have various mechanisms for creating backups, I'm not aware of anything equivalent to btrfs on it (incremental backups, takes less than a second to create the backup/snapshot).
I have a laptop with optimus (Lenovo T440p with GeForce GT 730M), and external monitors work fine for me. (I just tested this with 'optirun glxgears'.)
I'm using Sabayon, and the only thing I had to do was install the Nvidia drivers - after that it worked perfectly. Sabayon made optimus support one of their selling points back in 2013, so it's possible it has a better default configuration than Ubuntu / whatever you're using.
Of course, it's entirely possible that your specific laptop is designed such that the external monitors can only be driven by the integrated graphics, but that's the fault of the laptop manufacturer, not Nvidia.
Package versions:
Linux 3.18
Bumblebee 3.2.1
Nvidia drivers 340.58
The owner of the vehicle is presumed to be the driver unless they either nominate another driver, or file a police report stating that it was stolen.
Naturally, if you're renting a car Avis, etc. will record your ID.
If you're watching it full screen, you could just turn it off temporarily.
On Unix, sadly, only Adobe Flash player detects color corrections and plays your video in proper color. Neither Google nor Mozilla have figured this out for flash video, either.
Strictly speaking, wouldn't you want the video to be in the adjusted colour? Most of my late night PC usage is watching video, and I don't even notice the change anymore. (It helps that Redshift gradually changes the colour temp.) That said, I found it made a huge difference to my sleeping patterns.
your reference to male suicide rates means you're a "men's rights" nut too, so you're not only for conservatism, you're also robustly against anything that isn't conservatism.
I'm not a men's right activist / masculinist (I prefer egalitarianism), but a lot of the gender based inequities come down to the imposition of traditional values / stereotypes. In that sense, I think that such lines of thought are more probably more progressive than conservative, especially since things like allowing and accepting men to demonstrate feminine qualities are pretty much non-existent among conservatives.
Also, is it such a bad thing if a demographic has above average suicide rates and we want to fix that?
P.S. the parent post read like a troll, I just wanted to rebut that assocation
I'm thinking homework that is numerical or multiple choice
And that's your mistake. As I understand it, the point of homework (in addition to reinforcing what was taught), is to identify what the students did wrong and help them to understand the mistake. A simple correct/incorrect answer doesn't do that.
But the reality is that current requirements vary. A car battery is rated for ~300 A at 12 V. A laptop power supply might be rated for ~2 A at 12 V. An LED consumes about 10 mA at ~3V. A microcontroller can run off microAmps at 5 V.
All those voltages are within the same order of magnitude, but the currents span 8 orders of magnitude, and in practice you wouldn't even change the PCB design or wiring for anything 0.1 A.
If I'm reading the packaging info right, the pitch spacing is 0.50 mm. For context, that's about the width of a 0603 resistor (0.8 mm). So, if you have a very steady hand and a microscope, it should be doable.
Also, I suspect if there's enough interest someone like Sparkfun will start selling these on breakout boards...
why is Apache still spawning processes for every request that comes in... don't they realize the overhead of that?
My guess is they're UNIX devs - under Linux (and probably some other Unices), forking is ridiculously cheap. In fact (IIRC), spawning a thread has more overhead than forking, since Linux threads are just processes which share resources.
I'm not sure how many people are using Apache under Windows, but I wouldn't be surprised if they were a minority.
Ah, I think you misunderstood me. When I said that it uses challenge-response, I was referring to the cryptographic challenge-response (e.g. the card receives a message, signs it with a private key, then transmits the signature), in contrast to magstripe, where data is simply read from the stripe.
Do you need root to add yourself to the 'wheel' group?
Yes.
Hint: on Debian-based distros, wheel is better known as sudoers.
I suspect the test could be generalized to work for N variables, since the noise should increase as we move along a causal chain. The only issue is the exponential drop-off in confidence. If the accuracy could be improved, it could be quite useful for deriving or verifying Bayesian networks.
And replace it with what, exactly?
Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?
I've been playing around with some ideas lately on how to implement a decentralised DNS, and what it basically comes down to is how you resolve conflicts. e.g. Microsoft reserves www.microsoft.com, then I try to do so. Ideally, the order shouldn't affect the final result, because a first-come-first-server system encourages squatting. Crypto-based systems also have to consider if the domain name can be reacquired if the private key is lost/stolen.
Here's a quick summary of the different approaches:
Traditional DNS: uses first-come-first-serve (FCFS) and conflicts are resolved through legal means (trademark law). Conflicts are resolved by the registrar - the second application is denied because the name is already in use. Centralized.
mDNS: uses multicast, impractical for global usage. No conflict resolution. This is the only decentralized approach that doesn't involve a DHT.
Microsoft PNRP: requires registrars which sign names to handle conflict resolution. (The unsecured variant has no conflict resolution.) Also requires IPv6, which is currently impractical.
Namecoin (decentralized with FCFS): Conflict resolution is implemented algorithmically. There is a small (1 cent) cost associated with updates.
Decentralized with voting: whichever resolvent the majority decide is official gets the domain name. Impractical, due to ease with which fake votes could be created. (Can be mitigated by making voting expensive - the bitcoin approach.)
Decentralized with trust-on-first-use (TOFU): conflict resolution is implemented by the resolver. Where there is a unique resolvent, it is used and added to a list of trusted resolvents. Where there are multiple resolvents, and the name has not been resolved by the user previously, the client may check white/blacklists published by other clients whom they have previously marked as trusted. If unique resolution is still not possible, manual intervention is required.
Currently I'm leaning towards the TOFU approach, since it's an extension of what's currently used for SSH clients. The only issue is that allowing multiple clients to resolve the same name differently borders on breaking the internet (see RFC 2826). However, it does have the nice property that it's the only decentralized system where a name-holder have their private key seized by an attacker, and still recover the domain name (by creating new keys and having people blacklist the old domain name in favour of them).
If anyone has some ideas/suggestions on this, I'd love to hear them.
The VISA Pay Wave doesn't have user challenge/response, it's simply a wireless magstripe.
Do you have a citation for that? It seems odd to me that they would use such a weak mechanism, when the existing chip already uses challenge/response.
The standard used is ISO/IEC 14443, which enables half-duplex communications, suggesting that challenge/response is at least plausible.
Additionally, in my country (Australia), I found that when they introduced PIN-less transactions for contact less cards below a certain threshold ($100), PINs were no longer required when the chip was inserted, which is consistent with my belief that the RFID mechanism is just another means of connecting to the chip.
Got my passport in 2006, don't think it has RFID. My VISA card does - or did until I centered a hole punch over the chip and whacked it with a hammer. That was strangely satisfying :-)
I really don't understand this logic. Yes, wireless connections to the card are a risk (and I say that as someone who took measures to shield my wallet), but that risk is minuscule in comparison to the risks associated with using the magstripe (vulnerable to skimming) instead of the chip (uses challenge and response).
These days, if someone requires me to use magstripe, I look at the terminal extremely carefully before swiping.