Feeds

* Posts by sed gawk

49 posts • joined 1 May 2008

Can't agree on a coding style? Maybe the NEW YORK TIMES can help

sed gawk

Re: @sed gawk @Robert Long 1

Bellyfeel doesn't seem appropriate - grok is "to drink" - a sentiment appreciated after much hunting through source code - mailing lists and man pages to finally make a leap of intuition having drunk deeply of the well of information.

Bellyfeel is more like uncritically accepting "goto is evil" without wondering why.

0
0
sed gawk

Re: @Robert Long 1

Read http://en.wikipedia.org/wiki/Stranger_in_a_Strange_Land - grok is one of the more appropriate tech borrowings from literature.

1
1

Apple wins documents fight with Google in Samsung case

sed gawk

Irony

It means sort of like iron ;)

0
0

House passes, Obama disses 55,000 visas for educated immigrants

sed gawk

Re: Of course migrant workers don't take away american jobs in the long run.

Just a datapoint, I'm from the UK, I'm working in Europe, paid in sterling a good rate for back home, there is no way I'm cheaper than a local with exactly the same experience and professional background.

So there must be a reason they went overseas to find people, maybe, just maybe that reason wasn't money.

2
2

BBC iPlayer downloads BORKED by Adobe Air update

sed gawk

Re: Testing, testing, 1-2

Testing within BBC is getting better, but there is still some way to go, fundamentally its still a very top down place to develop software, and the valiant efforts of the various teams can only address so much upstream cruft (e.g. third party binary blobs), The cult of agile is quite strong there, with a (non-technical) project manager for every five developers, but not very much pair-programming, TDD, code reviews or (technical) project post-mortems.

I would say that they are genuine in there attempts, and they sincerely are trying to do the right thing but the path of advancement hinders disruptive change, (you can't really get a top job unless you have a very similar background to the people already in the top job). So the head of product (responsible for the software delivery for an entire Fiefdom of the BBC) would be an ex-journo (take Sports for example, ex-ITN and not a techie.)

This means something "radical" like a "major" platforms test harness for mobile is seen as too disruptive to adopt, and instead the "safer" choice of outsourcing a mobile app to a third party is chosen.

The bbc news app was built by a third party developer (fact) who has now allegedly been removed from the approved supplier list (gossip, but I believe it to be true).

On the flip side, the BBC is a big place and a lot of very well meaning people work there, for example, I saw a demo of NativeDriver from Google, which is an automated gui testing tool for android applications, guess what android app it was being talked about deployed on (that's right the buggy android news App)

BTW the list of things wrong when it was delivered, and the list of things that the public got to see are of markedly different lengths so don't be too hard on the mobile guys.

3
0

The GPL self-destruct mechanism that is killing Linux

sed gawk
Stop

Dont rag on autotools

The autotools are a bit difficult to learn but I think they are worth the effort, M4 is a bit fugly but

with a bit of practise and ruthless factoring into small macros its not that bad, (Top tip add banner lines to your macros so you can spot the output in the generated configure script)

With the autotools, I get cross-compilation/packaging/ cross-compiled unit-tests execute in a cross environment/transparent replacement of missing functions at link time/standardised argument handling which generates help messages/binutil access and ability to mung various assets (images/sql etc) in to my code with very little effort.

Mostly I copy my build-aux and m4 directories into a new project and write a simple configure. My heart sinks when I have to work on project that doesn't use autotools.

So I think the autotools survived because when you take into account everything it provides, it's streets ahead of everything else. (Libtool is still a thorn in my side, admittedly)

1
2

Google spikes old MS file formats

sed gawk
Thumb Up

Re: Download =/= upload

There exist large organisations who don't run the Microsoft Office suite and won't let you send anything other than an (small) image or PDF over email. DOC - DOCX and related binary formats don't make it through, if you send me a CV electronically and it's not a PDF it's going to get quarantined and I won't read it, all I'll be aware of is that someone tried to send me "spam".

TL;DR Don't be spam - PDF or paper.

toodles

7
3

'Programming on Windows 8 just like playing bingo' - Microsoft VP

sed gawk

Re: thx for asking about variadic templaces

It's not that bad, You don't have to rushing to write the cleverest template code you can.

Write simple code and C++ is a lovely language to work in provided you follow the rule.

Finally you have both typedef and a macro pre-processor, you really don't have any excuse for code that's hard to read.

Boost and the STL contain some very clever code (a bit hard to read, I grant you) but there are quite a few open source frameworks which are rather easy on the eye, try looking at http://www.webtoolkit.eu/wt for an example of clean easy readable C++ write on top of Boost no less.

0
0

Chase joins Bank of America in possible Islamic attack outage

sed gawk

Re: Time for a Radical Muslim Disconnection

Might have something to do with the fact English and French are taught nationally in Egyptian schools (perhaps other Arab countries as well)

0
0

Ambitious Alibaba wants to take on Android

sed gawk
WTF?

Re: The Key Missing Factor is Trust and Quality

Racist rubbish.

There is good and bad hardware and software everywhere - nothing about the country of origin tells you anything about it's quality.

As for the level playing field, I'm writing this in the UK, it's not a level playing field here either. As for govern'muppets interference. You think that doesn't happen in the UK?, it does!

The Chinese produce the same level of quality as the rest of the world, sorry to disabuse of your charming slight on 1/5th of the world population.

0
0

Dropbox drops JavaScript, brews CoffeeScript

sed gawk

Re: plus ça change, plus c'est la même chose

1) ASM to C - easy win, chances are your' ASM is worse than the compiler generated code.

2) C to C++ - rewrite would be a bit strong, wrapping C functions with classes perhaps but rewrite C code rather than wrap in C++ - madness.

3) C++ to Java - stupidity on a grand scale.

Coffee to JS is more like C with a preprocessor vs C without a preprocessor, it's not a paradigm shift.

like

1) reliquishing control over register allocation.

2) Letting someone else manage the container library and using automatic RAII.

3) Going from portable multi-paradigm elegance to overly verbose, badly designed kludge.

It's just a preprocessor, they are cool, C/C++ benefit from a preprocessor, Java suffers the lack of a preprocessor, anything that makes JS less painful can only be a good thing.

0
1
sed gawk

Re: Which Script has 5 less KLOC?

CoffeeScript is just a preprocessor. The underlying language (if you can call it that) is still JS with all the kludge that JS implies but there a couple of common idioms folded in to the language which you don't have to write by hand.

So for example string concatenation is a little less verbose in CS but will expand to the long hand form in JS. From a coder's perspective the results are the same but one is a little easier to read.

From the point of view of correctness I don't think it is a silver bullet but it does make working in JS less painful and more importantly IMO easier to automate generation.

1
0
sed gawk

I agreee really

As title, I do think it's a little more readable but there's not that much really, my thinking was that you could prototype code in ruby and make a couple of small tweaks (two lines in the above example) and run it through the translator and hey presto some JS.

Still you could just write the JS in the first place as you suggest, but I do think it's a little more readable but then again I don't really like JS anyway and I do quite like ruby so YMMV.

0
0
sed gawk

Simple example but it's less painful then JS, I'd say more rubyish than python.

RUBY

>===============

def encode(decimal)

# restrict range of input to 1 .. 3999

max_decimal = 4000-1

exceeds_range = "Only numbers in the range ( 1 .. #{max_decimal} ) are supported"

raise "Cannot convert (#{decimal}): #{exceeds_range}" unless (decimal <= max_decimal && decimal > 0)

# table of translation factors for each glyph in the subset of the roman numerals supported

factors = [1000, 900, 500, 400, 100, 90, 50, 40, 10, 9, 5, 4, 1]

glyphs = ["M", "CM", "D", "CD", "C", "XC", "L", "XL", "X", "IX", "V", "IV","I"]

# factorise decimal representation into roman numerals

result = ""

factors.each_with_index{|numeral,index|

order = decimal / numeral

decimal = decimal % numeral

result += glyphs[index] * order

}

result

end

Coffee

>===============

@romanNumeralGenerator = (decimal) ->

# restrict range of input to 1 .. 3999

max_decimal = 4000-1

exceeds_range = "Only numbers in the range ( 1 .. #{max_decimal} ) are supported"

throw new Error("Cannot convert (#{decimal}): #{exceeds_range}") unless (decimal <= max_decimal && decimal > 0)

# table of translation factors for each glyph in the subset of the roman numerals supported

factors = [1000, 900, 500, 400, 100, 90, 50, 40, 10, 9, 5, 4, 1]

glyphs = ["M", "CM", "D", "CD", "C", "XC", "L", "XL", "X", "IX", "V", "IV","I"]

# factorise decimal representation into roman numerals

result = ""

for numeral, index in factors

# in a more cpu focused language we could just use integer division

remainder = decimal % numeral

order = Math.floor(( decimal - remainder ) / numeral)

decimal = remainder

# this is the js eqivilent of glyph * order in ruby or

# glyph x order in perl

result += Array(order+1).join(glyphs[index])

result

JS

>===============

// Generated by CoffeeScript 1.3.3

(function() {

this.romanNumeralGenerator = function(decimal) {

var exceeds_range, factors, glyphs, index, max_decimal, numeral, order, remainder, result, _i, _len;

max_decimal = 4000 - 1;

exceeds_range = "Only numbers in the range ( 1 .. " + max_decimal + " ) are supported";

if (!(decimal <= max_decimal && decimal > 0)) {

throw new Error("Cannot convert (" + decimal + "): " + exceeds_range);

}

factors = [1000, 900, 500, 400, 100, 90, 50, 40, 10, 9, 5, 4, 1];

glyphs = ["M", "CM", "D", "CD", "C", "XC", "L", "XL", "X", "IX", "V", "IV", "I"];

result = "";

for (index = _i = 0, _len = factors.length; _i < _len; index = ++_i) {

numeral = factors[index];

remainder = decimal % numeral;

order = Math.floor((decimal - remainder) / numeral);

decimal = remainder;

result += Array(order + 1).join(glyphs[index]);

}

return result;

};

}).call(this);

1
1

Job ad seeks 'mediocre' developers

sed gawk

Re: What the company is missing ...

Funny thing is that web application is likely to be I/O bound not CPU bound so you could write the backend in assembler and you still not see a drastic improvement.

6
0
sed gawk

Re: What the company is missing ...

Professional grade is my term not yours, I meant a tool fit for a professional to use for a front end, in the example you quote.

I've written a few applications as.

1)Front end application implemented as some web interface (ruby/perl are 50/50 % split here)

2)Interface layer implemented as scripting language extensions in the same language as (1)

3)Backend end libraries in C & C++

Quick to develop, easy to enforce constrains in the API layer and access to your favourite scripting language for the glue.

language choices for 1 & 2 have largely been dictated by the client existing software stack.

For me I've not really seen much to choose between the current crop of scripting languages, they all more or less do the job within the contraints I've encountered. Then again perhaps we are thinking of different use cases.

I use ruby as a glue/scripting language, maybe some parsing/pre-processing or tools. But the code is more or less the same code I used to write in C i.e. I still use the self pipe trick and select in ruby ( it doesn't expose the pselect syscall, I can still use pseudo-terminals etc).

Nowdays, I'd only write in C/C++ to talk to hardware or if the code is something other than the usually (throwaway tools/sysadmin helper/fancy web app) that ruby seems to end up being used for.

The quality of people producing ruby code varies but I see ruby and C as complementing each other. I agree that given time to craft the work and a skilled worker, C and C++ and a sprinkling of assembler is all one really needs.

I'm glad I have ruby in my toolbox, I'm intensely grateful that it's not the only tool, I still don't see why it's a toy and not a tool ?

3
1
sed gawk

Re: What the company is missing ...

Hey jake, ruby is not so bad..

Hows the ranch? I love the sound of a slackware driven greenhouse..

Why would you classify ruby as a toy and perl as professional grade?

I quite like the (ruby) extension api as a way to expose C or C++ libraries to a scripting language (plain C api) as opposed to some of the other scripting language choices..

Ok it's totally hamstrung by a slow vm, but I must say it's quite nice to knock up little tools and scripts, testing is quite well supported, the community, well the community is the community what can you do?.

Perl is nippy and very powerful but testing perl is painful, extending perl is initially painful, (perlguts lied to me and I'm still sore).

There's lots of stuff I wouldn't use ruby for but I don't think it's a toy, so I'm interested in your thoughts, I usually enjoy your posts.

Sed

3
0

Super-powerful Flame worm could take YEARS to dissect

sed gawk

Re: Years to dissect? Really?

- didn't paste all the code..

#include <pthread.h>

#include <string.h>

#include <stdio.h>

#include <ctype.h>

#undef D

#undef E

#undef U

#ifndef C

#define I int n,r;

#define D(N) void*N(void*);

#define C pthread_create

#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\

='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}

#define U int

#elif ! defined J

#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"

#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={

#define U };

#define D(N) N,

#define L return fwrite("\1\t\0;",1,4,stdout)!=4;

#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)

#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K

#else

#define T pthread_t

#define E char B[8][256];

#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}

#define D(N) void *N(void *y) {\

static I char *x=y;\

T t=0;\

if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\

if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\

n++;\

if(*x) N(x+1);\

if(t) pthread_join(t,&y);\

return y;\

}

#endif

E

D(bdefhklmnprtuvwxyz57)

D(bcdefgiopqrstz23567890K)

D(abcdefgjopqrstz123567890K)

D(cefghkoqstz23457890K)

D(mntuvwxyz7)

D(bcdefghklmnopqrsuvw256890K)

D(aimnxy1)

D(jkt14)

D(abdhmprxyz0)

D(mnoquvw237890K)

D(abcdefghklmnopqruvw560K)

D(befhikprs45689MK)

D(befghjmnqprstwxyz156890MK)

D(dghs234789M)

D(amnoquvw90K)

D(abcdefghjklmnopqruw4680K)

D(aivxz40PK)

D(ajkrtwy1247PK)

D(abdghnqvx456K)

D(amnosuw34890K)

D(abdefhklmnprxz25_)

D(bcdegijloqsuwz12356890_PK)

D(bcdegloqstuvyz123567890_PK)

D(cehklorsuwz1234890_K)

D(amnqxz2_K)

U

#ifndef T

#include __FILE__

#endif

0
0
sed gawk

Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

Hey Jake,

Perhaps you could elucidate further.

Sed

0
0
sed gawk

Re: Years to dissect? Really?

I understand the point that you are making, in that syscalls/win32 calls have a fairly destinct appearence in the dissassembled output of a native binary.

However, there is no requirement for a malware author to use the api's for the intended purpose, meaning taking the api/syscall signatures at face value is unlikely to be helpful.

Suppose you have large volumes of logic in a scripting language that you can generate at runtime, then your native app, is just a host with the lua generator seeds + interpreter.

Also, what happens if all your interesting native code is application layer, and the api calls are just false flags.

What does this do - ( this is from the IOCC - so give it a punt before you look up the answer)

#include <pthread.h>

#include <string.h>

#include <stdio.h>

#include <ctype.h>

#undef D

#undef E

#undef U

#ifndef C

#define I int n,r;

#define D(N) void*N(void*);

#define C pthread_create

#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\

='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}

#define U int

#elif ! defined J

#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"

#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={

#define U };

#define D(N) N,

#define L return fwrite("\1\t\0;",1,4,stdout)!=4;

#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)

#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K

#else

#define T pthread_t

#define E char B[8][256];

#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}

#define D(N) void *N(void *y) {\

static I char *x=y;\

T t=0;\

if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\

if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\

n++;\

if(*x) N(x+1);\

if(t) pthread_join(t,&y);\

return y;\

}

#endif

E

/* ____ END OF CODE __ */

Not trying to be difficult but I'm not any sort of expert in the domain, and I reckon I'm aware of quite a few techniques to make it difficult to determine the intent.

A simple stream cipher + interperter + randomized memory locations should slow most people down for long enought to collect the paycheck and move on to the next gig.

Imagine what tricks you might know if this was your domain, I fully expect that there are techiques for this kind of thing that make my feeble imaginings look rather old hat but hey it's not my domain.

Just some food for thought,

Sed

0
0

Don't bother with that degree, say IT pros

sed gawk

// reverse in place

void str_reverse(char *str)

{

if(!str)

{

ERRNO = EINVAL;

return;

}

else

{

// new scope for autos

char *begin = str;

// swap begin and end until we meet in the middle

for( char *end = (str + strlen(str))-1; end > begin; --end, ++begin; )

{

// using a temporary is probably faster now days but I like this method

*end ^= *begin;

*begin ^= *end;

*end ^= *begin;

}

}

}

Complexity

Hash tables/containers are O(1) -> lookup complexity is not dependant on size of container

Trees are O(log n) -> lookup complexity is logarithmically related to depth of tree

// Design patterns

The observer pattern is fancy name for a list of callbacks, something that is "observable" provides a mechinism for interested parties to register a callback (e.g function pointer in C).

When something happens, the observable object iterates over its list of interested parties calling the callback.

You might use that in an application by using the observer to update the view in response to changes in the model, in a traditional MVC application.

For what it's worth these question are a bit rubbish, anyone with any STL knowledge will know the complexity ratings of the various containers.

Secondly GOF is probably the most overrated book in the literature, some of the patterns are useful and some are widely overused outside of the problem they actually solve, e.g. the singleton solves the static initialization problem in C++ but almost everywhere else is just disguised global.

How about some questions which assess useful knowledge.

// knowledge of testing and refactoring

1) how would you refactor a piece of code which is atrocious in implementation but correct in behavior to a more maintainable design while preserving behavior.

2) how would you prove the behavior was the same.

// knowledge of existing methods

3) implement an efficient hash function for strings

4) explain why you chose that implementation and any tradeoffs in the design.

// Recursion -> Iteration

5) implement a recursive pre-order tree traveral i.e. visit(*node)

6) implement the iterative equivalent.

// IPC

7) name three methods of IPC

8) explain when you would prefer one method over another and why.

// Memory Managment

9) Explain how you would determine the maximal memory usage of a process

10) is there a way to impose a hard limit on the usage of your application (e.g allocators)

// Sorting

11) describe the behaviour of a quicksort

12) describe the behaviour of bubblesort

13) describe when is a bubblesort preferable to a quicksort

// STL knowledge

14) name three sequence containers

15) when should you prefer a pair of sorted std::vector<K> over a std::map<K,K>

// CI & build systems

16) what is the function of Continuous integration

17) name two CI systems

18) name three build systems e.g. Make/Ant/CMake

// Copy correctness

19) what properties are needed to make an object "trivally" copyable

// Estimation and planning

20) How do you estimate how long it will take to complete a piece of work

21) What safety factors do you build into your estimate.

// Low level knowlege

22) what is an atomic operation

23) how would you implement atomic increment and decrement on an x86 processor

24) how would you implement a mutex given the following primitives atomic_increment() and atomic_compare_and_swap();

BTW, left school at fifteen, been a paid programmer since seventeen, been training graduates and post-graduates since the age of twenty-three, now the highest paid person on the team (the only one without a phd).

Do I regret not taking a degree? Sometimes, but not so I could spend three years, reading textbooks that I could read at anytime, but more for the esoteric parts of the discipline, compiler construction - access to different architectures other than the x86 and mips.

I learned a lot on the job, working with really good programmers, I'm still learning all these years later. It's not about code - it's about design and architecture. You can learn these things yourself overtime, but the idea that three years trying to get your end away and killing braincells in the student union, confers some advantage to three years at the coal face learning your craft is a joke.

The main advantage of the really good course are the additional elements of the industry, but for your developer as opposed to your quant, a degree doesn't confer much except a whole bunch of bad habits which must be shaken out of the incoming member of staff.

As for getting your foot in the door, here what you do..

Setup a github account,

Start writing code, make sure that code has tests.

Go to the agile conferences, meet people around the industry.

Learn new technologies, for example teach yourself erlang.

Buy a copy of sedgwick`s algorithms - implement them, understand them.

Install Linux on a old pc, any old piece of junk will do.

Write some code, disassemble it, try and understand the relationship between the high level code you have written and the assembly it generated.

Learn a scripting language - like ruby or python - learn how to interface them to native languages.

Write simple network applications and use a packet sniffer (Tcdump or wireshark) to examine the packets and understand whats going on when you send something across the wire.

Use distributed source control (git or mercurial )

Keep your chin up and your resolve strong and you will do it, keep applying and don't let the bar-stewards grind you down.

Qualifications don't mean anything, ability and experience are everything.

You can't teach ability and remember experience is a fancy way of saying "I made that mistake already so I won't do it again" no more - no less.

0
0

The 64-bit question

sed gawk

That wou;d be NSPluginWrapper

nspluginwrapper is method to run 32-bit plugins inside a 64-bit firefox

0
0

Enough with the Apple App Store apathy

sed gawk
Thumb Down

Rubbish

I write code for a living, I work for a large company on a massive source base 5 million + locs I also contribute to a few FOSS projects. There is way more stinky code @ day job than in the FOSS arena. Where commerical software has the edge is being *able* to pay people to work on nice interfaces. That said the *ablity* to afford decent ui design doesn't automatically translate to the *desire* as shown by the woeful UI design of many commercial applications.

2
0

Virgin Media set-top box modder gets 5 years

sed gawk
FAIL

Wouldn't be so impressed with SKY.

Prior to a rewrite of the payment gateway for mobile purchase, 1 in 10 boxes shared the same decryption key due to the limited range of the code used and the cobbled together *in house* crypto (not worth the name).

After the rewrite, now *only* 1 in 1000 boxes shares the same key. Still stored on the box, but at least now they use a reasonable cypher.

Still, the code only protected some really crap games so *shrug* not so big a deal, still if you're going to implement crypto then use a cryptographer and do it properly.

0
0

Smart meters pose hacker kill-switch risk, warn boffins

sed gawk

Re Rental

Not quite, nominally the idea is that the meter is supposed to help you workout if you can save electric, but really the thing is just a method for working out that a particular electric signal is a fridge and not a telly, so you can more accurately model the usage profile of different times of day and adjust accordingly (you as a punter, not so much the electric company).

As a punter, your bill will be more accurate but other then that, I couldn't really see any huge benefit to the punter for having one, no downside either really).

The Net and PC combo is only if you want the pretty graphs as a user, the meter itself doesn't require an active connection, it just broadcasts encrypted data when ever a suitable dongle is in range.

Sed

Meter reading becomes, as simple as turn up to premises with laptop and 3gdongle with spare usb port.

Insert dongle, wait a couple of seconds to grab the usage data and off you go, not much different from just looking at the numbers on screen.

Given I wrote the code myself, I'm quite sure that the code only exists in my former employers git repo.

About the only thing from that board that is available to anyone other then the manufacture is the AES implementation and fat lot of good that will do you.

As for Mac/Nix etc version of the dongle code, no you have to log on to the website and *choose* to upload the data.

Of course there are many versions of low power short range comms over usb out on the market but, it doesn't matter as the dongle itself doesn't forward the data, its just a passive consumer bit like a oyster card reader.

0
0
sed gawk
Thumb Up

for what it's worth at least one of these meters is well secured.

I worked on one of these smart meters for a previous employer.

The smart meter hardware was not accessible from outside the fusebox (inductively powered).

The meter encrypted all data with 256-AES as a block cypher (i won't disclose the stream cypher built around it, but suffice to say it's an encrypted-authenticated protocol) prior to broadcasting to a USB dongle attached to

the user's pc.

This encypted data was passed to the electric company servers, decrypted there and

the data used for graph generation and peak usage analysis.

The cypto protocols were designed by a proper cryptographer at a truly eye watering daily rate.

Key points.

1) you can't shut the thing off remotely as you can't communicate with the meter directly.

2) all data is encrypted between meter -> dongle -> server

3) the key on the meter's only help you with that meter and don't help you touch any other meters.

4) no keys are stored on the dongle and the meter key is burned in at manufacture time.

5) the protocol between the server and the meter had some nice safeguards built in so someone trying to hijack an established connection would fail, hard causing that meter to be flagged.

6) the meter itself is an embedded board(no external connections), so in short unless you remove your own meter, reverse engineer it to derive the key *AND* somehow break into the server with the master keys, all you have is a really rather useless meter that will be spotted next time you try to connect to the server.

@AC 15:55

Professor Anderson is quite well known in crypto circles, I suggest you google him prior to gobbing off about him trying to get publicity.

2
0

ConLibs leave open question over net surveillance

sed gawk
Black Helicopters

Agreed

I personally think that the widely used algorythms are secure, however it's not beyond the realms of possibilty for *GOV to;

1) have sufficent distributed computing power to reduce the problem to the point

where a rainbow table or some variant thereof, might solve it quick/easier then rubber-hose cryptanalysis.

2) have suffiencent funding to employ experts in cryptanalysis on a 24/7 basis just to squeeze a few percent more of some refinement on brute force using the aforementioned computing power.

There are some really quite head scratching side channel attacks, but who know, if anyone has the money or the time to explore every option no matter how bizzare or unlikely it seems, it would be *GOV.

That said, I think brute forcing no matter how smart you make it, is going to struggle on internet scale volumes of traffic, and god know what *useful* info you glean from the junk flying back and forth.

Still if something really really big comes up, it'll leak, scientists engineers, programmers gossip like old women and breaking AES by 5% or whatever would keep you in beer for quite a few rounds.

1
0

Home Secretary swats away calls for Mosquito ban

sed gawk
Thumb Down

There is a nice example of this in Bristol

A friend of mine is a (probation) youth worker in Bristol, the offices where her clients are *required* to attend, are directly opposite a large supermarket which has these fitted.

So choose between suffering a persistent sonic assault or violating parole conditions, some choice!

I think these devices should be illegal, and the makers forced to compensate people who are *required* to attend areas where they are deployed.

If you want to disperse people, what's wrong with the old nightclub favorite of playing country and western music, it cleared the room in every club I've ever been in.

0
0

UK is safer from al-Qaeda 'bastards', says security minister

sed gawk
Troll

No thought crime, really are you quite sure.

Disclaimer: INAL

Some Examples:

Football disorder act 2000

Restriction on travel for people on the basis of wearing the wrong footy shirt and as such being likely to commit an offence.

http://www.opsi.gov.uk/acts/acts2000/ukpga_20000025_en_1

Confiscation of asserts without proof said asserts were dishonestly obtained.

http://www.opsi.gov.uk/acts/acts2002/ukpga_20020029_en_1

permits removal of British Citizenship, even for people who have been born in the UK, "for the public good", by Order of the Home Secretary

http://www.opsi.gov.uk/acts/acts2006/ukpga_20060013_en_1

Computer Misuse Act 1990 Section 1 unauthorized access.

In summary, despite never attempting access, the intent is suffficent to convict you.

So having a list of ip addresses and a perl script to generate passwords is sufficent to satisfy the offence.

Unauthorised access to computer material

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

Do you get it yet ?

In this country, which I was always so proud to be born in, you can be locked up for offenses beyond your capacity to commit, you freedom of movement restricted and your citizenship revoked.

You can be pinned down on a packed tube train, shot in the head for the crime of being a bit foreign looking (the officer in charge cressdia dick, got promoted :( )

We are not heading to a police state, we live in one, only the general incompetence of the gov'muppets protecting us.

Pull your head out of your backside and take a look around, I don't know how old you are, but the idea of ID cards, being required to register prior to peaceful assembly, DPI on comms traffic, detention without trial, removal of double jeopardy(basically one bite at the cherry, either your guilty or not and thats the end, not keep retrying utill you get the *right verdict*) and removal of citizenship are things that growing up here were unimaginable to me.

My parents moved here in the 70's to escape all that shit, now it's right here and it stinks.

Don't take my word for it, read the legislation in all its Orwellian finery

http://p10.hostingprod.com/@spyblog.org.uk/blog/UK_Legislation_Links.htm

In summary, educate yourself or shut the fuck up.

Troll, because either you really are that stupid or a magnificent troll, for your sake I hope you`re a troll.

11
0

IEEE names 28-year-old woman its new 'Face of Engineering'

sed gawk
Grenade

Agreed,

Good luck to her, the more smart *people* in the business the better for everyone, except the frauds currently scraping through with their knuckles a dragging, many of whom appear to be in residence today.

2
0

Experts reboot list of 25 most dangerous coding errors

sed gawk
Pint

@bluegreen

> Well since you ask java doesnt' do deterministic finalization because [reasons]

>It's more complicated than you made out. Generational, Mark-sweep, compacting -- none of these can immediately pick up all dead objects. The only thing that can approach this is reference counting which has other problems (speed, overhead), and still can't make immediacy guarantees (consider cycles).

>More: <http://msdn.microsoft.com/hi-in/magazine/bb985010%28en-us%29.aspx>, look for "There are several reasons for this" for a summary, but this doesn't do justice. Conflating garbage collection and object finalisation was recognised as a bad idea back in the 80s by Modula 3's designers, but Java's creators were too witless to learn the lesson (like so many others they fail to learn), so Microsoft had to follow on and we all move backwards, again.

Agreed, more to it than meets the eye.

Re Actor, I've come across that before, but thank you for the link.

Re Design/Frameworks/language stuff,

I suppose my point is just that most errors security or otherwise are design flaws that can be eradicated if you want to throw enough time/money at the problem.

The MSDN link has a nice example on it, take this part when referring to c# finalizers vs c++ destructors "Don't let the identical syntax fool you." (this is a design flaw, two separate concepts that are easily conflated, with the same syntax)

Re Erlang/Concurrancy

It's more that there are messages buses like rabbitmq that do the heavy lifting, I'm know you can do the same thing in other languages but this works out of the box for my application needs YMMV.

Using a message broker e.g. rabbitmq, just makes the producers/consumers simpler to write, they aren't aware that erlang/rabbitmq is used.

nice. that aside, it's quite a balanced article, again ta for the link.

Re java pre-processor,

I made a crude attempt at this years ago (pre-java generics), using java as the output from a simple generation language that added explicit calls to allow *more deterministic* code. Generics replaced 95% of the benefit of my little tool, so I mothballed it. But using Java pre-processing is already here, I think (too lazy to verify) at least one of the google tools pre-processes some other language into java, and annotations while not preprocessing in the trad sense surely blur the line.

using C++ would work too.

> think peer nodes associations

this patent troll explains it quite well http://www.faqs.org/patents/app/20080307094

> 5) Strategies exist in languages with determinstic finalization e.g. allowing resource management to be implicitly bound to object lifetime with the language doing the work rather than the developer.

>I think you are thinking of C/C++ where object lifetimes are explicitly and sharply delimited by free() or implicitly by subroutine returns. It is reasonable, I suppose, to ask that Java provide some kind of equivalent to smart pointers so things happen automatically on subroutine returns, but there's not much you can do about other objects you intend to have longer lives. If you want deterministic deallocation for "local" variables, you have to wrap a try/finally around the routine body.

I was, and I accept that smart pointers won't solve everything.

> 6) A data point, there are plenty of garbage collectors for C/C++ yet GC is not that widely used for what ever reason, perhaps because of point five).

These are conservative garbage collectors (I'm sure wiki has an article. Read up on them and have nightmares) and they don't provide the behaviour you are asking for.

I know what they are, cheers.

> 7) These stategies are examples of designing out problems rather than coding round them, using say explicit calls to synchonization primitives like mutexes.

I don't know what you're saying that I have a tendency to build frameworks to hide grubby detail in the same way that you suggested wrapping realloc(), but typically on a bigger scale. I guess that's easy to say though.

That realloc bug is present in a decent proportion of C code from compilers to virtual machines, that's a pretty big R-O-I for ~15 line of code, that designs out the error rising from the disparity between how people percive realloc() and how it's specified by the C standard.

Exactly as C# finializer syntax reintroduces the "realloc bug" by virtue of the disparity between how people percive "~foo" in C# and how it's specified by the C# specification/standard.

Design Again:

For example when you enter a numeric value in an application ui/ (This is more about preventing cockups rather than malice)

1) you can enter a number into a text input field then validate

2) pick from pre-verified data e.g. valid numbers from drop down.

13)I don't think resource/memory management too big a deal,

then you're a better person than I.

I'll take your word for it ;) but I only meant that shared resource management problems are well documented and understood, distributed resource/concurrency access issues are less well understood.

> (re. erlang) I don't have memory leaks,

Hmm. Is that because Erlang has a garbage collector?

No, it's because it's implements the non-shared state concurrency model in a functional language which *has a garbage collector* :)

Pint, because I need one, why don't you join me in raising a glass.

0
0
sed gawk
Grenade

@bluegreen

Thank you for your reasoned and well thought out critique, you have a genuine flair for language and the sheer variety of your response was most refreshing. ;)

Well since you ask java doesnt' do deterministic finalization because

Java's designers made design choices in the generational G/C to not equate garbage collection with destruction,

This means

1) post/GC objects can become reachable again, in a rise from the dead leading to all sorts of fun and games in unwary code.

2) JVM prefers to dump all memory on exit(i.e. without finalizing) rather then run GC if possible, fast path with no finalize stub rather then slow finalize path which might never run but adds overhead anyway.

3) language scoping rules can't be used to implicitly bound object lifetime imposing implicit ordered finalisation (see point two), it has to done explictly using weak references making some useful design strategies cumbersome to implement,like say throttling a resource using an object reference counts(think peer nodes associations) to dynamically drive load management in a distributed system, additional ref, extra notch on the power, one less reference, means you step it down, scope managed ref counting is a nice way of implementing that sort of throttling principle

Try that with a java generic, add_ref() on construction is easy, how do you make sure release() is *always* called *for* you rather than *by* you, can you sure you caught every edge case? is it exception proof?, how easily can you test it?

I use whatever *tools* work best for the *job* in hand, I'm not picking on java so much as saying

4) *Memory* is no different from any other sort of *resource*.

5) Strategies exist in languages with determinstic finalization e.g. allowing resource management to be implicitly bound to object lifetime with the language doing the work rather than the developer.

6) A data point, there are plenty of garbage collectors for C/C++ yet GC is not that widely used for what ever reason, perhaps because of point five).

7) These stategies are examples of designing out problems rather than coding round them, using say explicit calls to synchonization primitives like mutexes.

8) Some of these strategies are less effective/more difficult to implement without language level support for deterministic finalization, hence the java reference (had to do this before and it's a pain)

9) Most of the items on the secure coding list are design problems, for example failing to sanitize user input is really failure to have/use user facing functions that sanitizes input for you.

10) Realloc() is a source of leaks in C code because people treat it as "free(old); return malloc(size);" when it's really "return (pnew=malloc(size)) ? free(pold),pnew : NULL;"

11) The realloc wrapper I posted plugs that *really common* class of realloc leak simply by including a header with a macro, i.e. no source change needed

12) Exactly that realloc leak in the JVM no less http://gcc.gnu.org/ml/java-patches/2008-q1/msg00092.html ("fourth google result for 'ralloc leak'"), easy fix.. #define realloc utitity_realloc

13)I don't think resource/memory management too big a deal, so much as I think some interfaces need wrapping for sanity including my own sometimes, not too often I hope.

I'm not advocating one language over another just saying we need better implementation designs.

Memory *really* is just another *resource* is it not, and almost all the coding flaws on the list come down to bad design, whether architectural/interface/implementation.

Granted some library interfaces in C/C++ are easy to make mistakes but as I said wrap them with

the safer/saner interface of your choice, why throw such a flexible tool away simply for the lack of using one of the thousands of decent library interfaces for what ever resource management issue you have, or here's a thought write a C/C++ extensionn for perl/ruby/python whatever and get the best of both worlds, memory managed access to all the C/C++ libraries through a thin shim layer.

14) Shared Memory Concurrancy, even with automatic management of resources, and all the tools we have is a right pain, it's even worse

trying to do anything even vaguely realtime and parallel that way in C/C++ for a few reasons, some of which are changing with boost/c++0x , but some are basic language issues.

The dominant model with c/c++ is shared memory concurrency(pthreads and the like) and everyone does it slightly differently, scaling to large numbers of cores/gpus cries out for language/library support for expressing something as clean message passing co processes without having to manage the details of the concurrency explicitly or give up the portability/expressiveness/compatibility of C/C++.

As I said previously, I think concurrency is the issue, those "muppets" over at intel, seem to agree that language support is needed http://software.intel.com/en-us/articles/intel-concurrent-collections-for-cc/

you've heard of Intel right?

I don't have memory leaks, I have spread work across distributed processes issues, erlang solves that for me by inconnecting C/C++/whatever consumer/producers and letting them ignore concurrency completely, this thing from intel looks interesting too.

wow that was far too much.

1
0
sed gawk
Pint

Cheers

Thanks for the effort, have a pint for your efforts

0
0
sed gawk
Badgers

Memory_management != the_issue

First off, Memory management is *not* the issue with C/C++, *concurrency* is the issue, and that`s

solved by using concurrent languages (erlang etc) not a garbage collector.

You can use *deterministic* finalization to have the stack manage *allocated* memory using RAII patterns, 'C' also lets you do this with a bit more work ,try that in say, java, oh wait no deterministic finalization.

I'm a fan of V-HLL (ruby/perl etc) for lots and lots of things, but Language as panacea for bad resource management whether the resource is memory/db connections/sockets/threads/files open etc, is unhelpful in my view.

Finally, there are huge amounts of existing code in C/C++, you want to rewrite/wrap it all in some managed language de jour, go right ahead.

C/C++ are languages that you build your layers on, if you use the naked stdlib/stl you'll end up making more mistakes then if you write a handful of decent wrappers, like the following for realloc.

Almost all the stuff on the list in every language comes down to design issues, you can't get rid of error but you can design out most of the causes, aside from users.

/* Resize a chunk of memory obtained by a previous call to malloc()

* The behaviour is different to stdlib realloc in that 'old' is always freed

* Null pointers and zero sizes are not supported, use malloc/free directly if that behaviour is

* ... desired.

* This means that p = utility_realloc(p,size) is safe while as we all know

* p = realloc(p,size) is a leak waiting to happen

* On success: Returns a pointer to size bytes of uninitialized memory freeing 'old'

* On Failure: Returns NULL on failure modifiying errno AND freeing old.

* EINVAL: invalid args passed, 'old' is null or size is '0'

* Function may fail and set errno for same reason as realloc()*/

void *

utility_realloc(void *old,size_t size)

{

void *p;

int err;

errno = EINVAL;

if(!old || !size)

return NULL;

/* old is freed on success */

if((p = realloc(old,size)))

return p;

/* old is not freed on stdlib realloc failure */

err = errno;

/* it is now */

free(old);

errno = err;

return p;

}

0
0
sed gawk

Bit rusty on delphi

If memory serves, the syntax is something like the following, been years since I touched delphi so this might all be way of base.

What's code complete say on the subject ?

type

TFunc = function (n: integer) : integer;

TFunctPtr = ^TFunc;

TFuncTab = array[0 ..1] of TFuncPtr;

var

fptr:TFuncTab;

function my_square(n:integer):integer

begin

my_square := n*n;

end

begin

fptr[0] := my_square;

fptr[0](10);

end.

0
0
sed gawk
Pint

Keep the faith, the work is out there.

Management still has nothing but deadlines/money (security are people that watch cctv monitors) in mind, for example, a company owned by a Australian with a Scottish name, bought D/C racks to run automated tests in an attempt to up the abysmal quality rate of their HD STB. The pointy haired manager, decided that the code written by developers would be maintained by help desk staff with no programing training. To effect this cunning plan, "none of that programmer nonsense" like design, structure, meaningful identifiers/ OO / unit-tests or indeed tests of any kind, would be used on a code base that provided OCR/Image recognitions over a network while attempting to compensate for latency when simulating user interaction with set top box.

I walked out at the end of the first day, never to return, the other chap who'd foolishly taken a little longer to notice the smell of fail emanating from the boss's office, stayed a month, by which time the project had failed, and the manager been promoted on the back of his *genius* cost-cutting plan.

So it's hard to find decent employment, but I'm largely self-taught, did a couple of City & Guilds software development courses back when they offered Unix/C++ and Portable/C qualifications. (circa 1999) Got my first contract completely by chance, loitering outside an internet cafe, ended up chatting to a random, a cyber-squatter/domain broker, and hacking out a little application, a grand for a weeks work, he made rather more with the software but that's life. Since then, I've written encryption software for the embedded market, parallel processing software for the HPC market, and for my sins financial software (never again).

I've written polished, unit/integration tested code in C, C++, Perl, Ruby, Java, Python, Pascal(Delphi) and Sparc/x86 Asm (these tend to be inline in C apps, rather then complete asm except for the smallest of boards). I've also written really shonky code in VB and made all the mistakes on the list in various languages, including a major missing one: not *just* writing the simplest code that would work, on the basis it'll come in handy at some unspecified time in the future. I've also spent some big chunks of time out of work, but I use that time in developing my skills and underlying codebase. ( I've some interest in code generation/ toy compilers) So long as you know what you're doing, and you keep your head up, it'll be ok.

As for industrial robotic skills, are you any where near bristol? There's always people looking for embedded / industrial development staff round there.

as the title, sed.

Beer for the west country pubs.

5
0

Minister deploys 'dodgy' DNA case study

sed gawk
Badgers

Why Bother

Perhaps a discarded cigarette butt would provide sufficient misinformation if the intention is simply to plant DNA, boxes of suitable "evidence" freely provided outside of many public buildings.

Given the respect cost/benifit of a DNA/DB vs >1000 new coppers/frensic support staff/ that the politians are all too thick to understand the DNA/DB is a rubbish idea with serious flaws that vastly outweight the rather scant benifits, is hard to swallow.

The political truth is they have signed the vendor contracts and spent the kickbacks, come what may they must extract some return from the DNA/DB.

In the context of admitting you've sawn through the thick end of a couple of hundred million, (too lazy to look up the real figure, but am feeling generous) with nothing but an unfavourable verdict from ECHR to show for it, fabrication/sexing up of evidence is pretty small beer.

I'm impressed they were even handed enough to include the obvious "administrative error", while submitting evidence to support the contention that DNA/DB would *prevent* administrative error.

Their fail warms me as I have long believed that incompetence will protect the populce from the ambitions of the pointy haired politos, ie they are collectively rubbish to the point where almost any scheme they attempt fails no matter how hard they try or how many laws they pass. They really want to get some value out of DNA/DB so QED it must turn out to be a shambles.

ttfn

1
0

Linus Torvalds doesn't hate the Googlephone

sed gawk

Not about cost

You have to ship network endpoints that locked down when they access corporate services, the networks guys are extremely intolerant of endpoints that allow users access to the centre, their developers are seldom recalled for additional projects.

Thing is, if you *really* want to overwrite the firmware on a deployed consumer product, all the info is available. I'm starting from largely the same position as most consumers e.g. google + what ever I can cook up in house to help, combined with badly translated hardware manuals that read like zen mantra.

As for kernel builds to fix driver issues, well ok fair comment there, but the device has to be remotely managed and upgraded cheaply, (flash costs), so what should a vendor give you access to, and how much is *additional money* is it worth to cater to the % you represent ?(Time costs)

You've reported a bug, the vendor should fix it, we would have, however it can take a month for a deployed device to get a two line change through Q/A sign-off, trial rollout, and on to the metal. (Testers cost and I have to wait my turn for the Q/A slots)

If you fancy knocking up your own kit, why start from a deployed network endpoint anyway?

For example quite a few Broadcom Wireless APs like Asus wl-500 build with current OpenWRT release out of the box.

You can re-flash these to your heart's content, *including* all the features you want (subject to memory) [ hint, you can live without /bin/ls by using /bin/echo * in the current directory]

0
0
sed gawk
Linux

Missing the point

Re Linus:

The guy is a old school coder, he hacked on a kernel project because he could, he still hacks on Linux because he can.

Market share orientated thinking is anathema to most hackers of that ilk.

Re Locked down Linux

I built several devices running embedded Linux(OpenWRT usually) for a previous employer, all for eventual use in the ents market (pubs, hotels etc).

All of these were locked down tightly with only services related to management and application provisioning running. This resulted in a stable, secure, plug-in-and go device for the consumer and low management/deployment costs to the vendor.

You might be able to gain root access to the device(good luck), but exposing it directly removes the ability for vendor to use remote re-flash for firmware upgrades. (any changes you made would be wiped, hence support calls, hence increased cost)

All patches to openWRT and related OSS projects were contributed back to the community.

Like Google: we added some bits to make development easier/faster, unlike Google we made it easy for the main project by following the rules, so our changes got accepted.

Now in six months time when I check out the latest OpenWRT, I get my stuff maintained integrated with lots of new toys, simples.

Google didn't play by the rules, they got handed their fork and told to enjoy tracking umpteen patchsets for ever. Seems fair.

1
0

Facebook re-write takes PHP to an enterprise past

sed gawk
Linux

There have been variants on this approach for years

So ..the traditional sped up approach,

1)Front end application implemented as some scripting language web interface

2)Interface layer implemented as scripting language extensions

3)Backend end libraries in C & C++

Quick to develop, easy to enforce constrains in the API layer and access to your favourite scripting language for the glue.

Instead, we get,

1 )Front end application implemented as some scripting language web interface

2) Interface layer implemented as scripting language translated into native code

3) Backend end libraries in translated C & C++ interfaces to native code

Not exactly a new approach, but interesting that they are targetting C++ as opposed to C,

perhaps they are preserving more OO constructs or simply they want to generate STL aware code.

For language generation, a lot of people (myself included) use C as an output interface when knocking up tools for code generation, SWIG seems to be the best known example of the technique, despite the unreadable code it generates.

Personally, I have long made the assertion that java is the perfect language for use as an output generation language, e.g truly labourious to write manually but with enough redundancy in the output to make it easy to generate individual statements.

Eclipse and other IDE's do this on some level already, but nothing seem to expose the generation layer to developers in quite the right way.

ttfn

0
0

Early adopters bloodied by Ubuntu's Karmic Koala

sed gawk

@Quirkafleeg

Hi,

Thanks for the improvement over my fix, I did try building the package directly, but it didn''t seem to have the desired effect upon installation.

Thinking back I didn't log in/out which was probably why I thought it didn't work and hacked round it by replaced the underlying library, which despite the crudity of the solution works .

I've stuck a new pastie up here http://pastie.org/690429 with your suggestions.

Cheers

Sed

0
0
sed gawk
Linux

@Robert E A Harvey

Hi, basically the snd-hda-intel module is really a generic interface to lots of different cheapo audio chips, each have their own method for controlling the hardware, known as a codec parser in the module documentation.

There is a long ist of the right codec parsers for each audio chip supported by the driver, the

suitable one is selected on module load by the kernel.

Most of the time this works just fine but when it doesn't, like for you and for me, you can override the kernel choice by adding a line in the alsa-base.conf file, with the name of the module and the name of the codec parser option.

so <module> option=<codec-parser> means load this module and use that codec parser.

So when you add "snd_hda_intel option=XX" to the alsa-base.conf file, it tells the sound driver that it should use this specific set of commands (codec parser called "XX") to do things like enable volume for the module called "snd_hda_intel"

There is a list of the matching options for sound card models as reported by lspci -vv

here http://ubuntuforums.org/showthread.php?t=1043568

A bit of trial and error trying different options from that list and with any luck your sound card will be back in use.

Hope this helps.

Sed

0
0
sed gawk
Linux

Mixed Results here,

I run a number of *nix variants.

Recently upgraded to 9.10 on two machines,

1) a rebadged MSI Wind netbook,

2) a older 1-2 year old craptop from fujitisu.

All upgrades were performed in a gentoo vserver guest prior to cloning on to target machine.

UNR 9.04 -> UNR 9.10

Netbook (UNR) flawless, no problems, upgraded rebooted done.

Ubuntu 9.04 -> 9.10

Craptop, some problems

1) PulseAudio,

Reason: Ubuntu 9.10 switched to pulse audio by default, no policykit file is provided so PulseAudio HAL detection doesn't work out of the box.

Fix: write a a policy-kit file, stick it under the /etc/dbus-1/system.d/ directory.

[pastie] My one is here http://pastie.org/681176

2) Media key events,

The evdev driver still doesn't send key up events on volume_down or volume_up events so

you can DOS your own box by pressing volume_up or volume_down.

There is a small patch to fix this that I wrote based on another bug report.

[pastie] http://pastie.org/681181

Fix, apply the patch, recompile and Finally copy your newly patched driver to the right location, and your done.

N.B. The changing of the driver will cause X to restart, so don't worry when that happens.

(this will only install to /usr/local/lib/xorg/modules/input/)

mkdir tmp && cd tmp && apt-get source xserver-xorg-input-evdev &&

wget http://pastie.org/681181.txt -O - | patch -p1 && ./configure && make && sudo make install

(this copies the new driver to final location)

sudo cp /usr/local/lib/xorg/modules/input/evdev_drv.so /usr/lib/xorg/modules/input/

Sound

Bug: My previously working sound card stopped working

Reason: /etc/modeprobe.d/alsa-base.conf is overwritten during upgrade.

Fix: only for

Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)

The sound card needs a line added to /etc/modprobe.d/alsa-base.conf

options snd-hda-intel model=lenovo-nb0763

That's all she wrote folks, both machines working without any other issues as far as I can tell.

Apart from policykit/ PulseAudio all the other issues are hardware related and down to having crap hardware in a cheap old laptop.

Hope this helps someone

0
0

Bug in latest Linux gives untrusted users root access

sed gawk
WTF?

Not this guy again

This guy popped up with a fairly obscure but quite cute exploit that is basically a local privilege escalation.

If this was a remotely expoitable vuln, then ok, but really the biggest class of issue is the dumb user running some random file from the web and that is all this amounts too in terms of threat.

While I'm glad he raised and disclosed the bug enabling me to patch my kernels, I think this guy is making a lot of fuss over basically a couple of sloppy lines of code.

In fairness the entire net/socket.c file has a couple of example of "use before check" bugs,

it wouldn't take more then an hour to fix and for the most part they bomb correctly.

The real issue is being allowed to mmap page 0, which if you can't do then his exploit fails miserably.

Most distro kernels come with mmap_min_addr enabled anyway, if they don't frankly it's not hard to add a line to the /etc/systctl.conf file like vm.mmap_min_addr=4096

or run "sudo sysctl -w vm.mmap_min_addr=4096" on the command line.

Sure if your using wine or pulse-audio then there are issues as they need to mmap low addresses but for a lot of people stopping a user from downloading and running untrusted code is more difficult then sandboxing the system and more effective in security terms

And as for slating red-hat, they are on the case, see http://kbase.redhat.com/faq/docs/DOC-18042

Sure There are security issues with Linux but why not write a patch, submit to the LKML and be done with it.

0
0

Unsafe at any speed: Memcpy() banished in Redmond

sed gawk
Flame

@james and others,

First off, Yes, sorry, brain fart, should have been sizeof(FOO) not sizeof(dest) though sizeof(*dest) would do just as well.

Unfortunatly, obfucatsed by my fat fingers but the point about *using the compiler to associate sizes with pointers at compile time* holds true.

This implies that you would *know* if the assert(sizeof(FOO) >= sizeof(BAR)) is true at compile time meaning memcpy(dest,src,sizeof(*dest)) is allways safe provided dest/src are non-null.

@james

That said, nothing about any language protects you from typo related bugs or copying data to the wrong place, so I must assume your comment about languages is an attempt to impune my work, in response I Fart In Your General Direction!

@ @@Kevin

Yeah the src buffer too small issue is an edge case that has to be solved by context,

I think that limiting the write length with truncation as needed, and using declartive checking to avoid the short-copy issue is the way to go, YMMV.

@Others

And as for the various people pointing out sizeof(FOO) != sizeof(BAR), that may or may not be relevant but if i was assigning one FOO to another, structure assignment would be the method to use rather then memcpy.

The article refers specifically to a memcpy variant with the capacity for differing src/dest sizes so

the use of different types is implicitly a nod to the same techinque but portably done.

@Anonymous Coward Posted Friday 15th May 2009 12:10 GMT

Interestingly you both invoke efficency and scala in the same post, no contradiction there.

Tuck the little tin god efficency back in the box.

As far as flavour of the month languages go, I prefer ruby and erlang myself.

1) When your app is time critical, you don't use scala.

2) Offsets cause buffer overflows do they? Two words, Region Allocators.

here a link to maybe lift that cloud from your worldview scala boy.

http://www.dur.ac.uk/computer.science/staff/?mode=pdetail&id=2385&sid=2385&pdetail=25243

From the linked article :

Region-based memory management offers several important potential advantages over garbage collection, including real-time performance, better data locality, and more efficient use of limited memory. Researchers have advocated the use of regions for functional, imperative, and object-oriented languages.

TTFN

0
0
sed gawk
Stop

@kevin

I'd have to agree, the destination argument is irrelevant.

The proposed M$ fix is not really that helpful as it both makes the code non-portable (completely by accident I'm sure) and doesn't make it any safer as the above poster explains.

A much better way is to arrange that your calls are truncated at the limit of the

destination buffer using the sizeof operator, hence allowing the compiler to "associate sizes with pointers".

It's portable, pure ANSI and works a treat.

void

my_func(FOO *dest, BAR *src)

{

memcpy(dest,src,sizeof(dest));

}

TTFN

0
0

Hotmail holdouts grumble about 'pathetic' new interface

sed gawk

Possible work around for some people

As one of the rare Linux/Hotmail users ..

Provided a user has had a hotmail account for a certain amount of time prior to MS removing web-dav access, there is a workaround to avoid using the horrible UI of hotmail.

If your account was created after this time, the following won't work, however if your account *predates* the switch over, your`re in luck.

[Receiving mail]

http://sourceforge.net/projects/hotwayd/

Hotwayd provides a pop3 interface to hotmail, configured as part of Xinetd

You'll need to configure it, here is my /etc/xinet.d/hotwayd

service hotwayd

{

# comment out following if you want other hosts to access your gateway

only_from = localhost

socket_type = stream

wait = no

user = nobody

port = 6667

server = /usr/sbin/hotwayd

# uncomment following if you're behind a proxy

# server_args = -p http://quadbrsprx:8080

# -u proxy_user -q proxy_password

log_on_success += USERID

log_on_failure += USERID

disable = no

}

Now that you have this you can configure any pop3 client to grab your mail from localhost:6667 , you can't send mail via hotmail's smtp gateway for some reason, so this is only a partial solution.

[Sending Mail]

http://www.google.co.uk/search?q=nbsmtp

I tend to use my isp's smtp gateway and forge the headers on the mail using nbsmtp which has all params passed on the command line, here's mine with user/pass changed.

I just added this to my ~/.muttrc

set sendmail="/usr/bin/nbsmtp -U user@myisp.com -P myisp-password-with-special-chars-escaped -d hotmail.com -h mail.myisp.com -f myhotmailaddr@hotmail.com"

Hope it helps

J

0
0

Gordon Brown claims a Brit invented the iPod

sed gawk
Stop

wtf

Current stars of international industrial design, my bum.

its a white rectangle with a thumb wheel, what is so astounding about that, face it you bought one because your mates have one and its nice and warm in the middle of the flock with all the other sheep. Baa

Personally I think they look hideous, just like a mini unbranded cereal packet box.

The lack of a search is a total killer unless you are dumb enough to sit there on the RSI wheel until you have scrolled through 160GB of tracks to find the song you want.

If your idea of good design is rounded corners and no keyword search then you sir make Chris `the monacle` Eubanks look like the epitome of good taste.

IPOD Almost any other PMP

Create Playlists on the move ? [ N ] [Y]

Supports Any OS without fcking around ? [ N ] [Y]

Has Keyword search ? [ N ] [Y]

Supports most of the popular audio codecs [ N ] [Y]

Rapes the punter for $$$ to add a video codec [ Y ] [N]

If you like the iPrat, buy one, cherish it, practise onanism in its honour but be under no illusions that it is anything other than a shiny turd in a cheap white case.

Baa

0
0

Why have Radiohead broken freetards' hearts?

sed gawk
Stop

@Richard Kay

First off, if you want to draw flimsy moral authority from history, go for it, I wouldn't but thats just me.

I'm a paid developer for a large consumer electronics firm, the right of s/copy/theft/g you claim would put my employer at commercial disadvantage leaving me less able to support myself, in effect you *steal* my job security.

Secondly, you have no *right* to the fruits of my labor.

As an unpaid GPL developer, I've chosen to *gift* my time to the project because I can, and gift my work *gratis* to man+dog because doing that costs nothing and feels good.

Without the creator having ownership and a means to exploit that ownership, there is no way to altruistically donate the created work.

0
0