492 posts • joined 3 Nov 2007
Re: 8. MainThreadProc() integer overflow
Integer overflow is very different from buffer overflow (and to be pedantic, heartbleed is a buffer overread issue). It can cause mathematical issues (e.g., for a signed byte, 100 + 100 = -56), but it's not easy to turn that into a security flaw.
Using a cloud service isn't an excuse for this. Would you be comfortable putting sensitive data on a server in Beijing? If you don't even know where your data is, you have no idea how well it's secured – and it might as well not be.
Re: Server-side vuln...
NASA uses older chips because they have larger wire traces and other components, which are less vulnerable to interference from high-energy particles. Outside the earth's magnetosphere, solar and cosmic radiation are major problems.
Hope they're using a good hash
and not one prone to collisions. If they're using something weak like md5, there's a potential denial-of-service attack here: identify a (legitimate) file you want removed, upload a copyrighted image or video carefully padded to have the same hash, issue DMCA notice, and they'll block access to both files.
He's as bad as a patent troll
Trying to make more money for himself while contributing absolutely nothing to the economy.
Re: Only on Windows...
Maybe not quite as well, but you can hide *nix malware fairly well using similar techniques. Keep most of the payload, scratch files, etc. in an encrypted virtual file system; to anyone else it looks like a regular binary file. The only exposed part would just open the VFS and load the rest of the code; give this a name confusingly similar to a known daemon, and it could easily be overlooked. It may not be as easy as it is on Windows, but don't say it can't be done.
Re: I'm no Frontiersman
Good analogy; much like the California Gold Rush, the people who really make a profit aren't the miners themselves, but the people selling equipment to them. In this case, it's the companies making Bitcoin mining machines. Low-end models cost $2000 or so, top of the line ones are $10,000 to $20,000. Due to the rapid pace of development, they quickly become outdated and too slow to be competitive, so people need to keep buying new ones.
Good intention, but not a good idea
The problem with a remote killswitch is that it can easily become a nasty denial-of-service attack target. It might be possible to implement it properly, but knowing the state of the industry, it probably wouldn't.
Full of weasels
Obviously written by a lawyer: by saying the press report as a whole is inaccurate, they have carefully avoided having to either confirm or deny any of the specifics. They may or may not be having discussions with Lenovo about something. They might be considering a business alliance with a different company. They might be planning to sell the Vaio unit entirely. I suspect they are up to something, but they don't want anyone to know yet.
Re: Nice straw man
Degradation doesn't even have to be that obvious. If an ISP delayed every packet to or from Netflix by 1 ms, no one would be able to tell the difference. Add another millisecond of delay every week, and see how it takes for anyone to notice. Netflix videos would still work without any obvious glitches, but they'd be a bit slower and take longer to buffer than the ISP's service. If only streaming data is throttled, and not ICMP traffic (such as pings and traceroutes), it would be almost impossible to prove that anything unusual is happening.
Re: Now this is more like it.
This is essentially an off-the-shelf MIG welder with the gun attached to a 3D-printer style mount. Not a complicated idea, though getting it to work reliably is the tricky part. It's fed with standard spools of welding wire and inert gas; there's no way to throw random scrap metal into it, and you wouldn't want to anyway – the resulting objects would be little better than scrap themselves.
Depending on the wire alloy and shielding gas used, the printed parts could be reasonably strong. It'll never be as good as forged steel, but still more than adequate for most low- and medium-strain applications.
That would be quite fascinating, but I think you mean 'not orbiting anything'. As for "six times the size of Jupiter", is that referring to diameter or mass?
"...between management and the software testing teams"
What software testing teams?
Re: About damm time
Your analogy was unclear at best. By the same logic, shouldn't Flash, Silverlight, Python, and every other interpreted language be turned into an ISO standard as well?
Could have been handled so much better
Microsoft could have gone to their community and said "Here are the problems with the current Masters certifications. Help us create a new set of certifications that will be more up-to-date and more accessible to people around the world." Once the replacements are more-or-less ready, they could have announced that the Masters certs were being phased out and replaced with Xyzzy certs. No outrage, users feel Microsoft cares about and listens to them, everyone's happy about better and cheaper certs.
Instead, they started by canceling the Masters certs with little explanation and no replacement ready, and now are scrambling to do damage control and try to rebuild bridges. From the phrasing of the announcement, I doubt they had any plans for a replacement certification before seeing what a negative response it got.
Re: Just curious
Bitcoin.org repeatedly refers to it as a currency, as do Wikipedia and the Bitcoin wiki (bitcoin.it). It was invented as a currency, marketed as one, and used as one, so I doubt anyone will seriously entertain claims that it's actually a commodity instead.
A bit of a difference
Garcia's work is about gaining access to a vehicle you otherwise can't get into, which usually means breaking into someone else's car. Miller and Valasek's work requires that you are already able to get into and start the vehicle; their paper doesn't tell you how to steal a car by itself, but Garcia's potentially does. That is why they're being treated differently, not the U.S. vs. U.K. legal jurisdiction.
will use any excuse to bury their heads in the sand.
Nothing here is at all new, or surprising, or in any way invalidates climate science. It's well-known that weather modeling is chaotic; small changes to input data result in disproportionately large variations in output. In this case, the output isn't all that different; there's a discrepancy between the test machines, but the overall result of the simulations are similar.
It's also well-known that floating-point calculations can produce different results on different processors. Chips are often designed to perform these calculations with more bits of precision than the output register can hold in order to produce a more accurate result. This is normally a good thing, but can be a problem when exact reproduceablitity between platforms is needed. Programmers have been dealing with this for many years; for example, back in 2000, Java added the StrictMath functions, which have consistent (but slower) results across all platforms.
180 days to fix security flaws?
Disappointing; I'd rather see apps removed after 30 days – or less, depending on how severe or actively exploited the vulnerability is.
Of course, then people would expect Microsoft to follow their own standard...
Just because your editor doesn't show the markup code doesn't mean it no longer exists.
Once attackers have been identified, redirect all traffic from them to a second server, full of good-looking but fake data. The intention is to make them waste time attacking the fake server, and even let them think they've succeeded, while preventing them from accessing the real database.
Re: The big problem is:
For nuclear reactions, it doesn't matter what chemical compound the atoms involved are part of. Having pure elements makes controlling the reaction easier (so you aren't also turning oxygen into fluorine, for example), but isn't necessary.
Turns nickel into copper, eh?
Should be easy enough to test - put a piece of pure nickel in, let it run for a while, then take it to an independent lab and have them do an elemental analysis of it. No concerns about revealing "trade secrets" there.
Of course, they'll never agree to it, as it would immediately show their claim of achieving fusion to be false. There are too many hallmarks of bad science to consider this credible. The only question I have is whether they've managed to fool themselves and actually believe what they're saying, or if they're just trying to fool everyone else.
is that they're killing Windows Phone entirely, replacing it with Windows RT/8/9/Blue. I seem to recall them saying a while back that they wanted a more unified interface across all versions of Windows.
I remember SimEarth had a 'terraform Mars' scenario. It would be interesting to see that game redone with more sophisticated modeling, now that personal computers are a few orders of magnitude more powerful than they were when it was released.
It appears they asked the question, "which of these eight issues are you most concerned about?", as if people are only capable of caring about one of them, and assumed they don't give a damn about the other seven. A properly done study would have allowed people to indicate how concerned they are (from 'not at all' to 'extremely') about each of those issues.
Also, "seventeen years of continuous surveys" is flat-out wrong. According to the linked report, the survey was conducted exactly three times, in 1993, 2000, and 2010.
A study with methodological errors, written up in a paper with multiple analytical errors (severe enough that some scientists say it should not have been published), by a biased group with a history of similarly flawed analyses and questionable use of statistics. Move along, nothing to see here.
Hopefully in a couple of years we'll see different scientists re-do the experiment properly and publish results that actually mean something.
Re: OS X & x86!
The PowerPC chips were problematic, particularly on heat - even the G4 laptops were uncomfortably warm - so I can understand the shift to a different architecture. I'm just disappointed they didn't pick another sane and properly-designed one, such as ARM. Compared to either, x86/x64 is a 35-year-old steaming pile of crap, with one layer of (mostly) backwards-compatible cruft bolted on after another.
Something of a point
To elaborate on his stock market example, if you look at prices on a minute-by-minute basis, there's a tremendous amount of random fluctuation (i.e., lots of noise). If you only look at daily closing prices, you have a few orders of magnitude less data to process, and it's just as good for making medium- and long-term predictions. Of course, it's easy to go too far; monthly stock market updates might not provide enough data to extrapolate from with an acceptable degree of confidence. And there are exceptions: an automated arbitrage trading program might be able to make use of price updates as often as every second.
As for log files, many of them are useless, and most will never be looked at. But when security breaches happen, they're essential in figuring out how someone got into the system and what they accessed.
The point here is that companies need to work on collecting better quality data, not more of it.
Poor choice of words
Referring to a supernova as a "Big Bang", and saying the most recent supernovae can provide the most information about it, is rather confusing for anyone who's paid attention to cosmology.
Virtual Service Provider eXchange
They've virtualized service as a service (SaaS) and are providing it as a service.
Another problem is that package providers don't always have a fixed URI that always points to the latest version. Open-source projects have a tendency to become unmaintained without notice, at which point there's no one to update it to use current packages.
They used automated static analysis to search for bugs; there's no practical way to go through several hundred million lines of code by hand. I'm sure people have found clever ways to write bugs that can't be found by that approach.
Avoid them like the plague, chlorine trifluoride, and IE 6 combined. Their work is overpriced, gaudy, and made to be 'interesting' or 'novel'. Quality and utility are sacrificed, often to the point that junior draftsmen could do better.
"Chrome catching IE slowly"?
If the current trend continues (which it probably won't), Chrome will pass 50% market share in two years, and IE will be dead and forgotten in five.
Safari usage shows a similar jaggedness, which suggests a 'use PCs at work but Macs at home' demographic. The Firefox line has become relatively smooth, though; anyone have an interpretation of what that means?
Would you mind spelling them out at least once? It makes the article much more comprehensible to people who don't happen to work in the same field. I was rather confused as to why Microsoft has an Estimated Retail Price division, and why they cared about Cardiac Rhythm Management software.
When an account is deactivated, remove it from other people's 'friend' lists, and remove everyone from their own 'friend' list. That eliminates this technique entirely, far more effective than some warning that most people will ignore. Even if users are aware of what's happening, it doesn't matter much if they still can't 'unfriend' the account in question.
Of course, this requires Facebook to delete information, so it will never happen.
This may or may not cause other software vendors to change their coding practices.
But I sure as hell don't have any confidence that Microsoft will change.
Even if dates are stored in a discrete year/month/day format, a competent programmer would never have let this happen. Any function that creates or modifies such a date should normalize it into a valid form. (For example, a user should be able to add 60 days to a date and get the correct result.) This is not difficult:
While day is greater than numDaysInMonth: subtract numDaysInMonth from day, increment month.
Proper handling of invalid months is left as an exercise for the reader, should take about 5 minutes. Add another 5 if you want to make if bulletproof and handle negative values as well. First-year CS students can do this; for a company such as Microsoft to screw it up requires sheer incompetence.
Re: What Am I Missing?
The article states that Arctic sea ice reached a minimum in 2007; this does not say anything about what has happened since then other than that it has not gotten as low again yet. You've assumed it's been continuously increasing for the last five years, which is not the case. The years with the lowest minimum sea ice extent are, in order: 2007, 2011, 2008, 2010, 2009, 2005, 2006, 2002, 2004, 1995. While 2007 was the absolute minimum, every year since then has still been lower than the previous record (2005).
"The moisture lost to the Arctic in the form of melting sea ice has to end up somewhere" - that would be the Arctic Ocean. More exposed ocean water does mean more evaporation and eventually precipitation, but there isn't necessarily any relationship between the quantity of sea ice lost and the increased quantity of precipitation.
Sure - as long as it's within Facebook. Try to get your data out in any way, and you'll find it feels more like 20-grit sandpaper.
Nice to see so many people thinking about how this can be used to benefit humanity, not just high boffinry. The trick will be to get the cost of manufacturing it low enough.
Drinking pure water generally isn't a problem; you can get enough of trace minerals through food, unless you're on an unusually restricted diet.
In theory, the server could pre-fetch URLs, scan them for malware, and have the client throw up a warning if something is found. I doubt they're actually doing this (they'd probably say if they were), but the same technology could be used for good purposes.
Most of that time is spent copying OS data from one place on the drive to another, which is much faster than reading it from a CD or DVD. There's also a tool to create an image of the drive with apps etc. installed. The refresh/reset will take longer, but that's still faster than re-installing everything by hand.
If they're really clever, OS/security updates will be applied to the clean backup copy as well, so they won't need to be downloaded again after a reset.
According to the linked article, there will be an option for a single-pass random overwrite of the entire drive. Not military-grade cleaning, but good enough for most people. Rather cleverly, it skips data encrypted by BitLocker, since that will be unrecoverable anyway.
Or will the phone companies still charge you for sending and receiving text messages?
Words can have several meanings:
I haven't owned, let alone watched, a TV for years.
Haven't missed it one bit, either.
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- AMD demos 'Berlin' Opteron, world's first heterogeneous system architecture server chip