Posts by DanDanDan

103 posts • joined 17 Aug 2010

OpenSSL bug hunt: Find NEXT Heartbleed, earn $$$ – if enough people donate cash

DanDanDan

Re: Open Source Funding...

From what I hear, OpenSSL has a small (half a dozen) group of core developers who reject any and all outside contributions in terms of bug fixes, etc.

They also have a TERRIBLY HORRIBLE code base (think #if 0 everywhere), barely any evidence anything has been refactored and barely readable code, with feck all comments in it.

Frankly, it needs to be forked and the forked version needs funding from the megacorps who profit from the code. They can all benefit from open source by sharing the development cost and shared benefit.

1
0

TrueCrypt audit: Probe's nearly all the way in ... no backdoor hit yet

DanDanDan

Re: Maybe

Look at OpenSSL!! Ha! Have you SEEN the code?!

http://www.reddit.com/r/programming/comments/22o7kp/want_to_audit_openssl_you_sure_check_out_this_one/

0
0

Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

DanDanDan

Re: Thank

While you're not exactly wrong here, the "msg" has a header declaring it's 64kb. So it was given 64kb and got 64kb back. The issue is that the message isn't 64kb.

0
0

Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed

DanDanDan

Re: Simple solution

"But have they issued a patch yet?"

Uh, yes... Patched on the 8th of April, but compiling from source is not difficult either.

Confirming whether you're safe or not is as simple as:

# opkg list | grep openssl

Updating to the latest version is as easy as

# wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/libopenssl_1.0.1g-1_ar71xx.ipk
# wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/openssl-util_1.0.1g-1_ar71xx.ipk
# opkg install libopenssl_1.0.1g-1_ar71xx.ipk
# opkg install openssl-util_1.0.1g-1_ar71xx.ipk
# reboot

As far as "It was open source that caused the problem in the first case" - I don't even know whether to bother explaining the errors in logic. How does publishing the source code of a program cause it to be insecure? Either it's secure or it's not.

1
0
DanDanDan

Re: Simple solution

Ask yourself:

• Can I easily find out if my router is running OpenSSL, and if so what version? (Answer: probably no)
  - With OpenWRT this is pretty easy

• Can I easily upgrade to a secure version? (Answer: only if my vendor or the ISP that provided the hardware ships a firmware upgrade)
  - With OpenWRT this is pretty easy

• Will old devices get upgraded? (Answer: probably not in a hurry and almost certainly not automatically)
  - With OpenWRT this is pretty easy

• What can I do? (Answer: turn off remote management, if you can).
  - Keep using open source router firmware? :)

1
1

Monkey steals iPod touch, loses interest in minutes

DanDanDan
Meh

Re: That's a plus one for Apple.

Hmmm, upon re-reading, I now understand the ambiguity that might make this either: the new look makes iOS nauseous, or the new look makes the monkey nauseated... Huh.

0
0
DanDanDan
Headmaster

Re: That's a plus one for Apple.

Or even nauseated.

3
2

Shuttleworth: Firmware is the universal Trojan

DanDanDan

Re: Wow

Downvote from me for misunderstanding Open Source software on a fundamental level.

"Have-a-go amateur"? Almost all major open source projects are supported by commercial interests. The Linux kernel is contributed to in a very significant manner by big name corporations, not have-a-go amateurs.

http://www.linuxfoundation.org/publications/linux-foundation/who-writes-linux-2013

11
7

Proper boffins make your company succeed, even if you're not very technical

DanDanDan

Re: Ah, but...

Will you give in with this bull**** nonsense about techies being basement-dwelling, neck-bearded, live-at-home-with-mum, single and lonely introverts? Please!

We have more than enough technical jobs "in this country", we also have a shortage of people trained up to do those jobs and willing to do them for the going rate - this will change once people fully grok the pros and cons of outsourcing. RBS, NatWest and Co. are doing a nice job educating people thankfully.

6
1

Tiny heat-sucker helps keep Moore's Law going

DanDanDan

Re: Did they try just annealing it?

Did you try reading the article?

0
0

Fee fie Firefox: Mozilla's lawyers probe Dell over browser install charge

DanDanDan

Re: Dell already install Firefox on Ubuntu

"Well it is Linux; what did you expect?"

The reason it was a complete failure is that it costs MORE to take Linux than it does to take Microsoft.

If you want Linux, chances are you don't want to pay £20-50 for someone else to install it, given you're perfectly capable of installation yourself. Add into the mix that you now have a spare MS Windows license to sell and Dell's Linux failure becomes clear.

0
0
DanDanDan

Re: Are they blond?

I'm not a decision-maker at Mozilla. My main argument is that they're free to do what they want. IF someone was distributing MY software and making a tidy profit off it (I guarantee this won't be a break-even venture by Dell), then I'd want a cut of it.

IF they'd asked me, agreed to share a reasonable cut of the profits, yada yada, etc. then I'd be ok with it. As it is, Mozilla had NO IDEA that this was going on. I think it's cheeky of Dell to say the least. Whether or not it's "Good promo" for Mozilla, it should be done with their consent; as stipulated in their T&C's!

0
0
DanDanDan

Re: Mozillidiots

Wrong. Coca-Cola(TM) DO enforce WHATEVER restrictions they want on the distributors of their drinks. Such as "You MUST NOT display pepsi-licensed drink products in the same area as Coke products, you must not use our vending machines, with our logo on, to sell Non-Coke products, etc".

If you charge a fee for installing Mozilla Firefox (TM) on someone's computer, then you're in violation of the terms of use of their software. If you don't want to install it for free, then you have the option of not installing it at all. It's tough luck that you can't profit from their (trademarked) branding.

1
1
DanDanDan

Re: Are they blond?

I think Mozilla are perfectly within their rights to make any claims to the distribution of their own trademarked software.

There are 10 types of computing consumer: those who know how to install firefox and those who don't. Now, those who don't will see "alternative and costly browser". Or they can stick with the default (free). If anyone in future mentions Firefox to them, then that type of consumer will think "Oh no, I don't want to pay, I'm happy with IE".

I think this "service" would be damaging to the Mozilla trademark and that's why I think they're entitled to enforce such distribution restrictions.

If Dell want to strip all trademarks and compile their own version of the Mozilla browser (a la CentOS), then charge to install that, then that's fair game. They will only damage their own reputation.

2
0

The browser's resized future in a fragmented www world

DanDanDan

Re: re - "Fragmentation is hurting the PC and the browser, yes"

I thought Safari was the desktop version of the browser. Oh wait, it's both? Oh man, how confusing! How would I distinguish between the two? Maybe I could call it "The iOS browser" to make it clear I'm on about the iPhone version of Safari, not the OS X version. Oh crap no, that would totally invalidate all of my arguments instantaneously!

4
3

Plusnet goes titsup for spectacular hour-long wobble

DanDanDan

Spectacular?

Nothing particularly spectacular about it; I'm getting almost constant evening and weekend issues in my (city centre) apartment.

0
0

New Flash vuln exploited (again). Adobe posts emergency fix (again)

DanDanDan

Re: Infinite loop

void fixbug()
{
    fixOldBug();
    createNewBug();
}

1
0

Google warns Glass wearers: Quit being 'CREEPY GLASSHOLES'

DanDanDan

Re: In a C-shell ...

"How social you are"

You mean "Conform or leave"?

Who wants to be part of a society where individuality is shunned?

7
2

Tired of arguing with suits? Get ready to argue with engineers!

DanDanDan

Re: If it ain't broken ...

The problem comes when the supplier goes bust. Then, you just have to pray that that box in the corner doesn't die too! All the while frantically commissioning a new system (IF the guys upstairs will sign the cheque!)

1
0

Object to #YearOfCode? You're a misogynist and a snob, says the BBC

DanDanDan

Re: Interest

A whole HOUR?!!? Omg, what if paedos get them. We can't allow them any free time to investigate things for themselves and find themselves and get to know about their own interests!! They should either be at school, (so their parents can work longer hours) or asleep!!

THINK OF THE CHILDREN FOR CHRIS' SAKE!!!

10
1

Hear that, Sigourney? Common names 'may not constitute personal data'

DanDanDan
Coat

Re: Paranoia?

John Suchlike sounds like a quite unusual name...

1
0

Minecraft developer kills Kickstarted Minecraft movie

DanDanDan
Coat

Re: They could always do a movie based on...

Or write a book about his "struggle" to get a movie started...

2
0

Bitcoin value plunges as Mt.Gox halts withdrawals and Russia says 'nyet'

DanDanDan

Re: Interesting

I don't think it's principle so much as "ripping off the wealthy through an inflation stealth tax".

It's what the govt. in the UK is doing by printing mon... er... quantitative easing.

Imagine if someone came up with a currency based on a basket of commodities with intrinsic value; in this case, intrinsic value dictated by the interests of the currency's "customers". A bit like air miles...

0
1

CERN outlines plan for new 100km circumference supercollider

DanDanDan

Re: How much?

"At the end of the day we get it all back again."

Thanks for the economics lesson, but Keynes don't work that way. You can't just keep breaking everyone's windows, spending money on repairing them and expecting the world to recoup all of the money at the end of the day; some of it will be wasted.

I don't believe that $40bn or even $100bn on CERN would be a waste by the way, I'm just arguing with your basic economic premise.

2
3

Ditch IE7 and we'll give you a FREE COMPUTER, says incautious US firm

DanDanDan

Re: Unfortunately no matter ....

Sensible, yes. But wouldn't it be much better not to piss people off in the first place? The *only* reason that they didn't conform to web standards is because if web standards took off, they'd lose due to healthy competition (like they are doing now): http://upload.wikimedia.org/wikipedia/commons/8/86/Usage_share_of_web_browsers_%28Source_StatCounter%29.svg

They had a (significantly) inferior product which they were able to keep because people had the sane concept of: "If I use another browser, the internet stops working". Web devs had developed their sites to only work in IE because it had a majority market share.

Abusing a monopoly to maintain your inferior product is poor form and they deserve punishing for it.

0
0
DanDanDan

Re: Unfortunately no matter ....

I think you mean... "fortunately no matter ...."

Refusing to support web standards when it suits your monopoly market share, then adopting them posthumously to avoid losing it as quickly is scummy and no matter how good your product now is, your past behaviour betrays you for who you really are. I hope they end up setting an example of why you shouldn't be as evil as possible in order to maximise profits.

3
0

London's King of Clamps shuts down numberplate camera site

DanDanDan

I wonder if the frequency of oscillation could be added as an additional factor. That way, you have oscillation frequency in addition to height of the load (average height of the load given it's moving). Would that not be enough? I know it's complicated by the damping of the system (maybe assume critical damping? Then measure the time for the oscillation to settle and infer the spring constant and mass...)

0
0

iFrame attack injects code via PNGs

DanDanDan

Re: disable javascript in your browser!

Ah, a fine solution. why don't I just stop using the browser altogether! I could avoid getting run over by avoiding roads, avoid AIDS by not having sex, avoid hangovers by not getting drunk. This could be fun...

2
3

Bored with patent trolls? Small fry - prepare for the Design Trolls

DanDanDan

haha, good one

"Imagine how much better the world would be if the drugs research done in universities was freely available."

Well I have a few friends in university research departments and I'm pretty sure they'd just leave the country if their work instantly became public domain. You don't expect all carpenters to donate their furniture to the public. What's the difference?

1
12

Cryptocurrencies now being pooped out by cartoon cat

DanDanDan

The denationalisation of currency

Probably most seriously proposed by Hayek: http://mises.org/books/denationalisation.pdf

http://mises.org/daily/1854 is a genuinely enlightening article on the matter. I think the premise is good: more competition and choice promotes a *stable*, *counterfeit-free* and *convenient*.

I think bitcoin only really satisfies one to two of the above and fails almost catastrophically at being stable, probably the most important aspect of a currency.

1
0

Pay-by-bonk on the blink: O2 loses Wallet

DanDanDan

NFC, think you mean PBB

The only reason I want a PBB card is so I can ask the staff if I can "Pay by bonk". If NFC starts to catch on, I'll be truly gutted!

0
0

Anatomy of a 22-year-old X Window bug: Get root with newly uncovered flaw

DanDanDan

Re: I have looked

Hmmm, the debian ssh bug is definitely interesting, have an upvote. However, the bug only circumvents the SELinux policies, so I don't quite see it being the same as "breaking other stuff". Breaking other stuff would imply that it stops something working or is in itself a vulnerability.

The usual access control rules would still apply and Linux is still quite safe without SELinux installed (due to the myriad of other control mechanisms in place already (ACL, PAM, IPtables, SSHconfig for your example [authorized_keys restriction of executable commands])).

I also dislike the phrase "Regardless of how it's integrated into the source code" - Being built in from the start is a method of integrating it into the source code, one you seem happy with. Also, who says it's still considered an "afterthought"? I'm pretty sure SELinux is on a firm and secure footing by now.

I also don't see any issue with having "multiple security models", indeed, this is good security practice. Redundancy and a layered approach mean that you're never left with a single point of failure. IPTables are unnecessary with an effective implementation of SELinux. Encrypting your hard disk is unnecessary if you aren't connected to a network and have physically secured the server. Memory segmentation is unnecessary if source code is correctly vetted and free from faults. But personally, I employ them all as and where necessary. Different tools for different jobs.

3
0
DanDanDan

Re: I have looked

It was originally a set of patches, which have now been integrated into the core of the Linux kernel (since 2003). It's not really what I'd call a bolt-on.

5
0

Take off, nuke 'em from orbit: Kill patent trolls NOW, says FTC bigwig

DanDanDan

Re: Only one option really...

I was right with you up until you started mentioning mathematical algorithms.

3
0

Ross Ulbricht: 'Oi! Give me back my $34m in Silk Road Bitcoin booty'

DanDanDan

Re: strange...

Gold is useful for manufacturing a number of electrical and electronic items. i.e. gold plated audio connectors, gold wire-bonding in silicon chips/devices, etc.

The fact that people also hoard them has caused these industries a huge surge in costs for no reasonable reason.

2
0

Ho, ho, HOLY CR*P, ebuyer! Etailer rates staff on returns REJECTED

DanDanDan

Re: I feel it in the air

"which permit anything standard and new purchased online to be returned, for ANY reason, within a specified amount of time."

The statutory period is 7 days, but it's important to note that not everything is included - e.g. Concert tickets, plane tickets, hotel reservations... there are probably many more examples.

I wish the above were covered though; my girlfriend recently selected the wrong date to fly by mistake (don't ask) and only spotted it after the email confirmation was made. She then had to pay more than the flight to get the date amended.

3
1

PS-PHWOARRR: We review Sony’s next-gen PlayStation 4

DanDanDan

Re: The problem is that the current gen is still current

The problem is that if the PS4 had been released earlier, then GTAV would have been developed for the PS4, despite the PS3 being perfectly good enough for it. So the next set of games to be released, won't be available on the PS3...

0
0

The TWEET got me drunk, Conshtable, I SHWEAR IT

DanDanDan

Re: BBQ sauce from beer?

Watering down my BBQ sauce? No thanks...

1
0

Linus Torvalds seeks REDEMPTION for every coded SIN

DanDanDan

What's wrong with Git?

I like git. It's not even difficult to use. You can even phase it in gradually (use only what you need and ignore the rest) and apply it retrospectively (with a single command in many cases!). I admit I don't use/need many of its advanced features (that I know about), but I'm yet to find anything that comes even close to its usability without totally ensnaring my entire project. If I want to leave Git at any point in the future, I'm confident it won't be an issue.

5
0

Cinnamon Desktop: Breaks with GNOME, finds beefed-up Nemo

DanDanDan

[sic]

Thank goodness for the [sic] tag; for a second there, I thought it was a genuine spelling error.

1
0

UK's tech capital named: Read it and weep, Tech City startup hipsters

DanDanDan
Coffee/keyboard

Harsh... but fair?

Being close to Reading is considered an advantage in the tech world, if not in the real one.

0
0

Windows XP folks: At least GOOGLE still loves you ... UNTIL 2015

DanDanDan

Re: Dangerous to users

The difference here is that IE6 was worse than bad. XP is possibly the best OS MS have ever made.

6
0

Kids hooked up with free Office subs at Microsoft-addicted schools

DanDanDan

Re: If you get them young and you will have them for life

Your post was so well-edited that I can't tell if it's a troll or not.

1) People use what they are taught

2) Employers use what people know

3) We should teach people what Employers use

And if what the employers are using is second-rate how do you break the cycle?

5
0

Brew me up, bro: 11-year-old plans to make BEER IN SPACE

DanDanDan

This is a cool idea

It's interesting to think about how many standard brewing processes are dependent on gravity (such as airlocks, siphoning, etc.)

3
0

Feds smash internet drug bazaar Silk Road, say they'll KEELHAUL 'Dread Pirate Roberts'

DanDanDan

I'm not sure whether it's the selling of the bitcoin or the intention to sell the bitcoin that would cause its value to crash. As with shares, it's the perceived expected value that determines the current value. This explains why markets can be so volatile.

0
0

Look out, world! HP's found a use for Autonomy - rescuing Win XP bods

DanDanDan

Re: I prefer my ads...

I agree Trevor, but a good article would answer the questions you've posed and tackle the subject from both sides instead of pointing out all the pros and neglecting to mention any of the potential disadvantages. We'd be able to weigh up the pros and cons as suggested, if some of them were presented.

0
0
DanDanDan

I prefer my ads...

to appear at the side of the articles thanks.

18
1

Quantum computing gets recursive

DanDanDan

assert()

Is this just the quantum mechanical equivalent of an assert() function or have I missed something?

1
0
DanDanDan

Re: Useful?

Two words: Grover's algorithm

0
0

So, Linus Torvalds: Did US spooks demand a backdoor in Linux? 'Yes'

DanDanDan

Re: Other ways to get a back door

Frankly, I'd be more worried if the code *didn't* contain comments as such. There's no such thing as perfect code. Sometimes what you're writing seems pretty damn good, but sometimes there's a question mark about the better approach to take to solving a problem or its organisation. "Does this belong here" is a perfectly good comment to place by code. A more experienced coder may see the comment and think "Hmmm, no, I'll move it elsewhere and explain in the commit message my reasoning". Without the comment, probably no-one is going to review it and it'll be left there forever.

Given that "perfect" code is a highly subjective affair and given that time constraints exist, the search for perfection is fairly futile and not productive. "Better" is better than "Not better", so if a clear improvement is there to be made, subject to one or two doubts, it should be implemented, with a comment explaining the doubts so it can be picked up for further improvement down the line.

3
0