Slashdot Mirror


User: Aighearach

Aighearach's activity in the archive.

Stories
0
Comments
12,400
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,400

  1. Re:Too bad on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    I'm not sure you're going to get very far in your communications by insisting that the context is only idiotic off-topic language wars and not the actual context of the discussion.

    You fail so hard, you don't even comment on what I said, you comment on what you said already, and yet you offer no clarification or correction.

    Just presume I understand the context, and chose my words knowingly. You'll have a chance to understand my comments. What you're basically saying is that you can't understand my words, because I'm saying something different than what you said. To which I say, you failed to even try to understand me, so of course you didn't. I'll give you another hint: I wouldn't have wanted to say whatever you already said.

    Yet another hint: language wars are so brain-dead, most of the programmers who respond to those threads will be discussing other points. Especially when the language-war is off-topic!

  2. Re: Not this old info again on Paris Attacks Would Not Have Happened Without Crypto (arstechnica.com) · · Score: 1

    It wasn't even offensive, just that awful!

    Tar et pluma eum! Crucifige eum!

  3. Re: And this is why Republicans... on Paris Attacks Would Not Have Happened Without Crypto (arstechnica.com) · · Score: 1

    The Soviet Union had a significant percent of the population spying on family members, and when it collapsed there was still substantial (former) contraband that came out of the shadows.

    People forget to ask, "Who watches the watcher-watcher-watcher-watchers?"

  4. Re:Minimal impact on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    Most nerds think about the properties of different types of glass with some frequency, because glass is a common material that we interact with in multiple areas of life.

    We also hear a lot of idiots say a lot of idiot things, generally consistent with the scene you described. However, I've never heard that one about dishwashers being dangerous. It is hilarious. Absolutely more surprising than knowing about glass properties.

    Also, here in the US a "high temp" commercial dishwasher is expected to reach 180F on the rinse cycle. Even the cheap glasses do fine.

    *BSD proved many times over time that strict coding practices can defeat these types of bugs. However, they also resist adding features and thrashing working code more than 1 or 2 times initially when porting it in and cleaning it up. I'm not convinced it is reasonable to expect these types of bugs to be avoided on systems where "innovation" in existing libraries is considered a positive thing. How can systems that want to "keep up" possibly avoid repeating these mistakes, or other new ones if you achieve a best practice that prevents the old one?

  5. Re:FUCK_LIBS on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    In addition to the problems with your comment already listed, I'd like to add that avoiding libraries would only mean pasting the code from the library into a single file before compilation. None of the code would be different in the non-library version, and so none of the bugs would be different either.

    You could expand it to the more general solution, __FUCK_CODE, but where would you even define it?

  6. Re:strlcpy() isn't good enough for glibc. on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    OK I'll be sure to only run their code, and not ask their opinions about dinner or politics. ;)

    Not sure you really thought through your hate-spew there... the context was actually wrench related in that metaphor!

    I assume everybody is an idiot, regardless of success or letters. That helps me to make use of whatever their work product is without getting distracted by love, hate, or other things that are off-topic. Last time I did some auto repair I hired an unemployed wrench-turner to help. He wasn't some genius who could fix any automobile, and he'd have caused me to need an alignment job if I hadn't been paying attention and stopped him from doing it the "works on any car and you don't have to read the book" method. But, he turned the wrenches pretty good. Same thing applies to doctors. They might really try to slip you the poisonous crap medicine that is newly-popular but dangerous. Don't be credulous, don't presume that skills in a field are supposed to imply being an awesome human being, or a philosophical giant.

  7. Re:strlcpy() isn't good enough for glibc. on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.

    What to remove?

    Features. New features. Old features are fine, they can receive bugfixes only. Refactoring may be done once every 10 years, but only if the code appears sloppy.

    Done.

    Even Matt's Script Archive became secure over time. Sucky code can be slowly improved until it borders perfection, but only if it still does the same thing it used to do, and no more.

  8. Re:That's what they get on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    I was just getting exited over a vacation to the glib sea, but then I saw on the news that it is being invaded by pirate hackers, and everybody says they're really vulnerable so I guess that means nobody has confidence in the local security.

    I think I'm going to change my plans and just stay with the hurd until the danger passes.

  9. Re:Too bad on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 2

    You might have an off-by-times-negative-one error in there, oops!

    How can you preach about not making known C-language mistakes when you still make known English-language mistakes? Is it presumed that programmers have an easier time writing perfect C than writing perfect English?

    If they stopped thrashing the code and put the new features in a new product, the existing product would reliably improve over time, regardless of what types of idiot mistakes they started out with. As long as the code is being frequently updated, it will have new bugs. Humans make mistakes, it is a fact and you are not immune. You are wrong to insist that it is somehow dysfunctional for humans to make known mistakes. Mistakes are the expected nominal condition!

    How would they know to use C99, but not to switch to C17 or whatever comes in the future, that will doubtless have new bugs? And if they were using a clib from pre-C99... would it even be vulnerable to this bug? (no, it was introduced much later)

    If the code is being continually updated, there is no escape from continually having new bugs and security holes. If you only fix real bugs, and don't add any features, then you still have new bugs in the fixes but the frequency will go down over time because less than 100% of new code is actually a bug, and so eventually the bug generation frequency would average less than a byte.

  10. Re:Too bad on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    If code-thrash continues to be common, and "bug-fixes" for non-security-related bugs are mixed together with security fixes and even new features, with a mono-culture system of a single "latest" version that contains all types of changes, then these bugs will never end. They will continue forever in that scenario. Luckily, eventually computers will not seem new, and so code thrash will not continue to be interesting or profitable.

    Give it a few hundred years, things will settle out.

  11. Re:Too bad on Magnitude of glibc Vulnerability Coming To Light (threatpost.com) · · Score: 1

    Don't worry, I'll work on the latter later. Right now I'm busy... uh... compiling. Yeah. I'm uh recompiling everything because of the glibc vulnerability. Yeah, I'll check in a progress report later.

    This is the only employee you have left when you expect programmers to magically know about problems in other people's code just because they used that software as a tool.

    Imagine expecting a factory worker, even an engineer working in a factory, to know the inner workings of the pick-and-place machine and predict all serious future bugs. It may even turn out that glibc has more lines of code to analyze and memorize than the pick-and-place firmware! And that is just one library. And when they start reading it, they'll realize they have to learn everything about the OS kernel so that they have the context to understand libc, and then they still don't understand it all because they have to consider the CPU implementation details, and all the motherboard subsystems. And the CPU probably has secret microcode, so you eventually just have to apply blind faith and trust an API when you get to the (fake) bottom! But there are actually still more turtles below you at that point.

    All of that said, of course they're shitty programmers; all the applicants were humans. And according to various people with lots of letters after their names, the AI is even scarier. It makes sense when you realize that the "artificial" intelligence is actually human intelligence reduced to code and then left to free-associate.

  12. Re:And how exactly on Chief CETA Negotiator Says Treaty "Virtually Complete" (freezenet.ca) · · Score: 1

    The main tenet of fascism was the merger of the functions of business and state, combined with totalitarianism. Duh. You seem exceptionally ignorant of the Italian position leading up to WWII.

    And "uber-capitalist" is exactly another word for "fascist."

    Especially if you read Adam Smith, and know what Capitalism is! (hint: Capitalism is the system where the government uses regulation to ensure a "level playing field" which is what allows "capital" to be the important factor is starting a new business. Prior to capitalism was a laissez-faire system where the established businesses could manipulate the markets to keep out new entrants)

  13. Re:And how exactly on Chief CETA Negotiator Says Treaty "Virtually Complete" (freezenet.ca) · · Score: 1

    Oh, it is easy to understand: Sanders is nearly a hippie, so they just assume he's a Pinko.

    I'm assuming "criminal" refers to... I'm drawing a blank on that. I guess he just hates the Constitution and presumes an accusation is equivalent to a conviction, and being investigated and not charged or even accused is also the same as being convicted? Some people just hate Freedom.

    Neo-fascist is easy, Trump proposes policies that would violate the Constitution left and right.

  14. Re:And how exactly on Chief CETA Negotiator Says Treaty "Virtually Complete" (freezenet.ca) · · Score: 1

    ...communist or fascist, which to choose, which to choose .....

    If you don't know what either word means, I can see how the false-choice would fail to look like a real choice. But you might not be very close to understanding your feelings on the issue.

  15. Re: And how exactly on Chief CETA Negotiator Says Treaty "Virtually Complete" (freezenet.ca) · · Score: 1

    Worse, a lot of people don't even understand that the President is insulated from interference in law enforcement, and can only hire and fire the top guy... and isn't legally allowed to use that power to control law enforcement. There were legislative reforms after Watergate that sought to prevent it happening again, but the average Joe on the street doesn't even know about them. But political opponents do; half the stuff related to copyright enforcement that people blame on Obama, he'd land in court if he tried to interfere! All he can do about that stuff is advocate to Congress, and sign or veto legislation.

    And then when it comes to who he appoints to head the department, it turns out that person is also mostly not allowed to interfere with the lawyers working for the department. And that is a good thing, mostly.

  16. Re: And this is why Republicans... on Paris Attacks Would Not Have Happened Without Crypto (arstechnica.com) · · Score: 1

    Oops, you spilled your gamergate all over your Shakespeare quote, I hope that washes out.

  17. Re:Telemetry Free Version on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 1

    If they were directly connected to the internet... they wouldn't need to worry about replacing a giant firewall, because that implies they're going around it anyways. ;)

    Using an internet-routeable IP address allows systems outside their intranet to talk to the gateway about specific services on specific machines. It does not imply that those machines are directly accessible from the outside; it just means that they don't need a giant NAT gateway.

    It may indeed by a dubious setup. The way they appear to have it set up is not a way that I would recommend to a large client. However, you seem to speculate without understanding the details you point to. "Directly connected to the internet" is not necessarily the same thing as "has an internet-routeable address." If it can only be accessed via a gateway, the connection may or may not be considered "direct" depending on the specific architecture. There may indeed be no way to connect to it directly from the outside, but perhaps you can still send email to that IP address, as an example.

    You'd have to actually have specific knowledge of their network to know. Simply knowing that they're using some large number of IP4 addresses doesn't tell you anything, even if you knew that they were assigning them to workstations.

  18. Re:As a government IT contractor... on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 1

    Rather akin to a paramedic cheering whenever there's a natural disaster....

    I don't care if they cheer while running for their smock, I care about if they run out in the street and try to save my ass.

  19. Re:Telemetry Free Version on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 1

    You can save a bundle on training if you don't tell them that the OS is different, you just install a window manager with the same paradigm as the old OS, and tell them "the icons are different now, but all your documents are the same."

    If they ask why the splash screen for "Office" is different, don't go down that rabbit hole; just use literal words. "We have a different Office version now, but all your documents are the same."

  20. Re:Telemetry Free Version on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 2

    You have two choices; accept that almost everybody are incompetent boobs, or just concede that the average are mediocre and that almost everybody are mediocre. These things might be equivalent values. If mediocre isn't incompetent, then the standard is simply so low that "competent" means "makes lots of mistakes every day; sometimes huge ones."

    If your gold standard is the best person in the department, then the department is full of incompetent boobs. This is true even if the department is above-average!

    For it be false would require not even trying to be good, which would in itself be professional incompetency.

  21. Re:Telemetry Free Version on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 2

    OTOH, if there is another department with lower-level access to the pipes who is altering some small percent of the data being extracted by China, then the conclusions they draw from that data might be incorrect in ways very convenient to the DoD.

    Don't over-think it if you're going to under-think it. ;)

  22. Re:Not the same as the rest of us .. on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 1

    Important clients have source access, they don't have wonder or theorize or conspiricize.

    Also, minimally competent IT workers have the ability to monitor network traffic.

  23. Re:Not the same as the rest of us .. on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 1

    BSD is great in a datacenter, but if the US Government came to me for *nix systems, I would make sure to give them linux because of the SE stuff and the availability of existing tooling for their secret blahblahs.

  24. Re:Not the same as the rest of us .. on Windows 10 To Be Installed On 4 Million US Department of Defense Computers (betanews.com) · · Score: 1

    Thanks for adding a wrong comment to balance the correct and incorrect comments you lumped together as incorrect. You managed to sway the balance over to the incorrect side, at least partially proving your point! How clever.

    Yes, they do get the source code. So does India. So do major companies. Microsoft source code has always been proprietary "shared source" that is viewable by important enough parties. The conflict with OSS is about licenses and permissions, not secrets.

    That said, they'll likely get the same version as everybody else, and have to add their own stuff on top to secure things. Who cares? These are office computers for regular cube workers whose employer happens to be DoD. I don't want them to spend extra on fancy secure staplers for those workers either. They need a secure proprietary OS about as badly as they need a $15k hammer.

  25. Re: Just a thought... on Women Get Pull Requests Accepted More (Except When You Know They're Women) (peerj.com) · · Score: 1

    Perhaps you missed that what was being suggested is that there may be gender-based differences in attitudes and coding styles--and this might be a testable hypothesis for why having female coders in the group might be desirable for concrete reasons. You know, as opposed to just meeting the project's tit quota?

    Actually, no, there is no reason to think I missed that at all. Perhaps you clicked on the wrong post, or simply didn't comprehend my comments? Certainly your conclusion about the implication of diversity in participation is valid, but I can't see how that implies I missed something. Certainly the comment I was replying to was not reaching that conclusion; it was a pile of stereotype that drew false conclusions that contradict the study result. I don't give a hoot what their intent was, they directly misrepresented the results. Worrying about or focusing on intent instead of what is actually said might be the same idiocy that people are engaging in when they treat pull requests differently based on who they think the author is instead of what the code is. Intent is sometimes the best focus, and is valuable in debugging, but working code doesn't care about intent, and working pull request processes would be based solely on concerns related to the code.

    Perhaps I have an inherent advantage though; in the 90s I learned a lot online through discussions with one "Abigail," inventor of the JAPH; a man who used his daughters name as his internet handle, and who was too disgusted with people's false assumptions to bother correcting anybody. People thought he was a woman; or alternatively, that he must be gay, or identify as a woman, or some such. He couldn't be bothered with such absurdities long enough to correct anybody... lol My own first BBS handle in the 80s was "Bambi," which seemed pretty normal to me as a pre-teen boy. After all, anybody who reads the story or watches a movie of it knows that Bambi was a boy! Unlike Abigail I did at least correct people if they asked, but mostly I just mentally flagged people who reacted differently to me as idiots.

    That people intentionally try to "learn who the code is from" when they get a pull request explains a lot about the amount of code thrash and the low quality of code in this era. That they also have a bunch of internalized stereotypes just magnifies the damage.