4077 posts • joined 14 Jun 2007
Re: Names. Names. NAMES!
"The only other way would be to have your own unique domain (tomshome.co.uk) and uses sub domains I guess."
Um ... yes. They thought of that 30 years ago and so DNS is a hierarchy. That's exactly how you are supposed to do it. Only a complete moron would try to solve the name shortage by inflating the top-level domain. Oh wait...
Re: Maybe what the world needs
What *is* this fixation with literal IP addresses?
Unless you are configuring a router or a DNS or DHCP server, you should never even *see* an IP address, let alone have to type one in or remember it. If you have some other network software that regularly throws literal addresses in your face, report it as a bug.
Even if you *are* setting up such a machine, you'll always be using the same prefix (yours) and the double colon notation spans the middle ground. The bit you have to deal with manually is the final hex digit or two.
For domestic customers (and small businesses, actually), you don't even need to do that. Your ISP will deliver a prefix over the wire and your router and devices can all do the right thing without any configuration at all.
Re: Madness is doing the same thing and expecting a different outcome
"I am appalled at the likes of C++ or Java where, it seems, none of us can master even the full semantics of the basic language"
In fairness to the C++ guys, the worst of the complexity results from a sincere attempt to actually describe and then remain compatible with the C subset. In no particular order, C's integer types, promotion rules, decay of arrays to pointers, lack of initialisation guarantees and (until recently) lack of a memory ordering model, have been the bane of anyone who actually wanted to write clear and safe code. Classes, namespaces, exceptions, templates and the like are pretty damn clean in comparison.
Re: Please No !
"(whoops not call it that any more)"
Why ever not? :) As far as I'm concerned all the "debate" about what to call it is irrelevant. It is "Windows 8 with the latest service pack" and anyone who hasn't got the latest service pack running can whistle for support. Funnily enough, that's exactly the attitude of Microsoft, too.
You can start shouting about a "new version" when it is chargeable (and, consequently, not everyone can realistically upgrade and so software vendors actually have to support both platforms).
440m in 43s
How long does it take for the passengers' stomachs to travel the same distance?
That million-fold difference.
"Data retrieval latency is orders of magnitude slower than memory. We're talking milliseconds compared to nanoseconds, a million-fold difference."
Good luck getting nanosecond latency out of the terabyte-sized memory mentioned in an earlier paragraph.
On a CPU running a few GHz, you'll get nanosecond latency out of your L1 cache. By the time you are hitting DRAMs or flash, the latency is more like microsecond. You've lost at least two of those orders of magnitude, maybe three. On the other hand ... that still knocks seven kinds of shit out of a disc and into a cocked hat. Back on the first hand, a decent disc cache subsystem will have delivered most of that performance already, even on DBs that are slightly too large to live entirely in memory.
So it will be interesting to see if this actually makes any measurable difference.
Re: living a lie
"In the UK, it emerged that Prince Charles actually has special powers, largely secret, to lobby and veto policies by the democratically elected government."
I call bollocks. If these "powers" are secret then they don't exist. Logically, the act of using them would require that they be made public, or else no-one would know what they'd been compelled to do against their will. Since that hasn't happened, we can conclude that they haven't ever been used. They are a figment of the Graun's over-active imagination.
It is true that Chaz has the ear of ministers, like many other lobbyists. However, the blame, er, responsibility, for the actual decisions rests entirely with the ministers involved. That's why we spit contempt for the ministers whenever they roll over for the lobbyists. We don't say "Oh, you cruel lobbyist forcing the nice minister to be a complete prat". We say "You complete prat, listening to a pathetic lobbyist".
And then we vote them back in for some reason, but I digress...
Re: an application he said had been "born in the cloud,"
It means the waiting is over. We now *know* that Microsoft's new CEO has no more of a clue than the last one. Win9 will be more window dressing, the next version of SQL Server will be a subscription model with all your data held in the cloud, and there's going to be a major new platform announcement as they reveal "WinBS", the successor to the legacy WinRT platform.
Re: Maybe I'm naive,
"How the heck do you expect the NSA to find every security flaw before the rest of the entire planet?"
I don't, but...
There are relatively few SSL suites in widespread use and pretty much all secure communication on the internet is built on top of them, so they are pretty important. OpenSSL happens to be open source, but that's probably not an issue since I'm sure the necessary arms can be twisted if the NSA want a look-see at Microsoft's crypto libraries. If the NSA, with a budget in the billions, doesn't have a team poring over these suites then someone needs to have their employment contract reformatted.
I expect that team to find a buffer overrun vulnerability in a codebase that lies square in the middle of their competence within a couple of years of it being published. Whether that is before the rest of the world is another matter entirely. I also assume that several other nations have teams doing much the same, so they might get there first.
Re: No proof but I wouldn't be surprised if it were true
"As is becoming increasingly clear, the NSA has done more economic harm to the U.S than any foreign actor in recent history, aside from perhaps China."
I don't wish to be too cynical here, but in peacetime it is generally true that the main damage to a country's interests comes from the incompetence of its own government. They have so much more power than any other actor and yet they are subject to all the usual human frailties and incompetence.
Re: Did the NSA write this bug?
It is "elegant" in the sense that it does not adversely affect clients that send well-formed packets, it will never (for sufficiently small values of packet length) crash the server, is pretty unlikely to do so for larger values, and you can just set up a server farm hoovering up data from zillions of targets 24/7 for a few years and see what turns up. It costs you nothing more than the leccy bill.
Given their resources and their mission, they (and like-minded agencies in other countries) ought to have people reviewing the changes being committed to OpenSSL, as they happen. If they didn't spot the flaw within a week or two of it being committed then they should be asking themselves why.
"NSA isn't in the "protect your bank account[...]" because those functions aren't in the national interest no matter how important we think we are."
You must have missed the financial crash a few years ago. A way of pulling down small numbers of bank accounts is not a problem. A way of hoovering up credentials quietly until you have a million or so accounts that you can vaporise in one night of action would be untargeted but definitely a threat to the nation's well-being.
Missing the point, surely?
It is no secret that the NSA exists and has a massive budget. Any moral outrage about its activities should either have been consistently expressed for the last few decades or, if only recently felt, should be based on revelations concerning who they target rather than how they do it.
I don't have a big problem with the NSA using a 0-day to spy on (say) North Korea.
I took the OP to mean "well regarded ... as a regular source of material".
Re: Fine until
"They are either unique or they are not. Stop mangling a very useful word."
I sympathise, but I thought that "not as unique" was rather appropriate. It will, after all, come as a great surprise to those concerned to discover that they are replaceable. One must break these things gently, even if it pains your inner linguist.
Actually I didn't see the icon.
Since this is an IT site...
...let me be the first to point out that (with a round-trip latency of just a few seconds) only a complete cretin would populate a moonbase with fleshies. They need air, food, water, healthcare and a psychological need not to be boxed up in a confined space for months on end. You want drones.
"Its ok we can let the Russians paint the moon communist red..."
News just in: Russia hasn't been communist since 1917.
News update: Russia hasn't even been pretending to be communist since 1991.
But they like red almost as much as the Republicans, so I'll let you have that one.
Re: Its mostly C ....
"a serious beating with a Clue Stick"
Would a Clue Fork do? Based on what I've learned in the last week, I wouldn't be surprised if OpenSSL wasn't the only game in town in twelve months time. They could start by fixing the bugs that prevent the use of the standard allocator.
Re: health check?
I'm sure that FOSS developers all over the world will be asking themselves what they can learn from this, but since it is all volunteer work there is no authority or paymaster who could perform such a review or enforce such standards.
Re: The real problem is C
"How about bounds-checking in hardware?"
To be effective in this case, it would need to have byte granularity and be capable of tracking millions of separate allocations. Hardware bounds-checking at page granularity works well for keeping processes off each other's toes. It's impractical for tracking the millions of tiny allocations that a large server might have in play at any given moment.
On the other hand, there are languages that automate such things. They are frequently able to prove the correctness of a particular access at compile time. Where a run-time check is needed, memory latency and out-of-order execution often means that the check costs no time. Either way, these methods are practical at whatever granularity and whatever scaling you care to mention.
Re: The problem isn't C
"No, the problem is C. In a reasonable language, declaring an array of byte data[P] would result in an *empty* array of bytes."
And that is what would have happened in OpenSSL if the writers hadn't chosen to write their own allocator. The most fascist bounds checking language out there won't help if you write your own allocator on top, particularly if you write one that permits use-after-free.
Re: Short-handed? Not bloody likely
Perhaps working on cryptography software requires a particular (and rare) combination of skills. It's all very well pointing out that this bug is a novice error, but when it is buried within a lot of code where even fixing valgrind errors has catastrophic consequences, most of us are too aware of our own limitations to even step forward.
Re: The real problem is C
"... D. It's a lovely language - essentially a rebuild of C++ with an "if we knew then what we know now" approach."
A bit like C++11 then. Both would be perfectly reasonable replacements for the C that (inexplicably to my mind) appears to be the preferred choice for several rather important FOSS endeavours. Seriously guys, it has been a quarter of a century since we learned how to make C safer without any loss in performance (or one's ability to twiddle bits or map brain-dead structure layouts). Memory management in particular is a solved problem.
Re: Another win for closed source software.
"I can't imagine any government agency trying to support an OS themselves."
The OS almost certainly isn't the problem (and if it was then the USG already has the source code and could probably use its waiver on copyright protection). The problem is probably half a dozen "critical apps". The company may have ceased to exist, or failed to keep the source code, or simply be too incompetent to produce a working Win7 version. In those cases, source code escrow would be a useful insurance. We're probably talking about fairly small amounts of code, too, compared to an OS.
Re: The MS plan advances...
"You just described
Win 8 System/360."
why malloc doesn't nuke
It's because it serves no purpose to do so.
An OS will certainly zero pages before giving them to you because those pages could have come from almost any previous process and the security implications of that have been known since the 60s. However, all sane runtime libraries ask for big blocks from the OS and then implement their own sub-allocation scheme on top. Doing it in-process is a big performance win (because you don't have to cross privilege boundaries) and omitting to zero the sub-allocated memory in your own address space is not a problem because it was already visible to any thread in your address space. It's not a problem until you then squirt the dirty memory out of a socket.
Yes, it could have been avoided by using calloc() rather than malloc() everywhere, but it could also have been avoided by sanitising your inputs before responding to them. The former would pointlessly double the number of writes to memory. The latter is simply "correct". My vote goes for the latter.
Note also that debug versions of malloc nearly always do pre-fill the memory (and the matching version of free post-fills with a different pattern) but this is *because* it is pointless to do so. Or rather, because it bloody well ought to be pointless and therefore doing it is a simple way of flushing out a certain class of bug.
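To make the two points above concrete (sub-allocation hands back dirty memory, and a length check on the input is what actually stops it going out of the socket), here is an added example of my own. It is not OpenSSL's code: the arena allocator, the key material, the 7-byte heartbeat record and the buffer sizes are all constructed for the demonstration. The same toy allocator also illustrates the "write your own allocator on top" point from the "The problem isn't C" reply above, because it recycles the last freed chunk without scrubbing it. The length test in the checked path follows the shape of the published heartbeat fix (type, length, payload and 16 bytes of padding must fit inside the record).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define READ_BUF 64

/* Toy in-process sub-allocator (an assumption for this example, not OpenSSL's
 * own): one arena carved out of a static block, and the most recently freed
 * chunk is handed back first with its old contents intact. */
#define ARENA_SIZE 1024
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;
static unsigned char *free_chunk;
static size_t free_chunk_size;

static void arena_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_used = 0;
    free_chunk = NULL;
    free_chunk_size = 0;
}

static void *toy_malloc(size_t n)
{
    if (free_chunk != NULL && free_chunk_size >= n) {
        void *p = free_chunk;          /* recycled, deliberately not scrubbed */
        free_chunk = NULL;
        return p;
    }
    if (arena_used + n > ARENA_SIZE)
        return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

static void toy_free(void *p, size_t n)
{
    free_chunk = p;                    /* no poisoning, as in a release build */
    free_chunk_size = n;
}

/* Heartbeat responder. rec is the record body: [type][len_hi][len_lo][payload...].
 * bounds_check == 0 trusts the 16-bit length the peer claims (the Heartbleed
 * shape); bounds_check == 1 requires type + length + payload + 16 bytes of
 * padding to fit inside the record. Returns bytes written to out, or -1 if
 * the request is dropped. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap, int bounds_check)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (bounds_check && 1 + 2 + payload + 16 > rec_len)
        return -1;                     /* silently discard the malformed request */
    if (3 + payload > out_cap)
        return -1;                     /* protects the example's own buffer only */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* over-reads the read buffer when unchecked */
    return (int)(3 + payload);
}

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Scenario: a chunk that held key material is freed, the read buffer for the
 * next record lands in the same chunk, and a 7-byte heartbeat claiming 48
 * bytes of payload is echoed back. Returns 1 if the old key material appears
 * in the response, 0 if not, -1 if the request was rejected. */
int heartbeat_leaks_secret(int bounds_check)
{
    unsigned char resp[128];
    arena_reset();

    unsigned char *key = toy_malloc(READ_BUF);
    memset(key, 'x', READ_BUF);
    memcpy(key + 16, "PRIVATE-KEY:hunter2", 19);   /* constructed secret */
    toy_free(key, READ_BUF);

    static const unsigned char attack[] = {
        TLS1_HB_REQUEST, 0x00, 0x30, 'p', 'i', 'n', 'g'   /* claims 48, sends 4 */
    };
    unsigned char *rec = toy_malloc(READ_BUF);     /* same chunk the key used */
    memcpy(rec, attack, sizeof attack);            /* 7 bytes fresh, 57 stale */

    int n = handle_heartbeat(rec, sizeof attack, resp, sizeof resp, bounds_check);
    if (n < 0)
        return -1;
    return contains(resp, (size_t)n, "PRIVATE-KEY:hunter2");
}

/* A well-formed heartbeat (4-byte payload plus 16 bytes of padding) is echoed
 * either way. Returns the response length. */
int heartbeat_echo_len(int bounds_check)
{
    unsigned char resp[128];
    unsigned char legit[3 + 4 + 16] = { TLS1_HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    return handle_heartbeat(legit, sizeof legit, resp, sizeof resp, bounds_check);
}

int main(void)
{
    printf("unchecked: leaks=%d, checked: leaks=%d\n",
           heartbeat_leaks_secret(0), heartbeat_leaks_secret(1));
    printf("legit echo: %d bytes\n", heartbeat_echo_len(1));
    return 0;
}
```

Note that zeroing the response buffer would change nothing here: the stale bytes are copied in from the read buffer, so either the read buffer must be scrubbed on every allocation or the claimed length must be checked against the record actually received. The checked path drops the malformed request and still echoes the well-formed one.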
Nothing *particularly* remarkable, except that the only appliances in my house that eat more than 500W are the ones with heating elements in them. In other words, they were designed specifically to warm stuff up.
Re: "he doesn't think his data is particularly useful"
Well he obviously needs a female subject to complete his data set, but I'm guessing there aren't any women out there who are that stupid.
Why would you bother? ext2 is adequate for most purposes and already exists. You'd need to bundle the Windows ext2 implementation as part of the "PC tools" for your phone, and persuade your customers to actually install those, but once you've done that you've broken the FAT licensing gravy train forever. *That* is what Microsoft are worried about.
"Mind you, I'm capable of learning a new GUI, which sounds like it's a massive problem for some people."
It's an even massiver problem for the IT staff who have to support those people. Fortunately, if MS have *any* corporate direction right now, then it seems to be "baby steps every six months back to Win7". IIRC, there are two more 6-month cycles until Win7 drops out of normal support. They'll need to hurry up.
Re: Torvalds's attitude
" I strongly suggest you follow the Linux Kernel Mailing List (LKML) thread a bit..."
Interesting. "what Andrew said" was that the rate limiting should be applied per-file-descriptor and this was in contrast to per-user. It was then noted that per-user would be more effective against someone who tried to get around the per-file-descriptor restriction by opening several FDs, to which Linus responded:
"I don't think we should try to protect against wilful bad behavior unless that is shown to be necessary. Yeah, if it turns out that systemd really does that just to mess with us, we'd need to extend it, but in the absence of proof to the contrary, maybe this simple attached patch works?"
And indeed it seems to work. Someone had one of the previously afflicted systems booting by Thursday. So it's all remarkably boring and grown-up and productive over there.
And elsewhere in the thread it is noted that the systemd people have fixed their side of the bug, too.
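The per-descriptor versus per-user distinction in the thread is easy to model. The following is an added toy illustration of mine, not the kernel patch referred to above (whose code is not on this page): a token-bucket limiter keyed either by file descriptor or by uid, and a simulated user who opens several descriptors and writes through all of them. The uid, burst size and descriptor counts are constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Toy token-bucket limiter. Each key (a file descriptor number or a uid,
 * depending on the policy under test) may emit BURST messages per window;
 * refill is left out because only the burst matters for this comparison. */
#define BURST    5
#define MAX_KEYS 128

struct limiter {
    int key[MAX_KEYS];
    int tokens[MAX_KEYS];
    int n;
};

static int limiter_allow(struct limiter *l, int key)
{
    for (int i = 0; i < l->n; i++) {
        if (l->key[i] == key) {
            if (l->tokens[i] == 0)
                return 0;
            l->tokens[i]--;
            return 1;
        }
    }
    if (l->n == MAX_KEYS)
        return 0;                      /* table full: fail closed */
    l->key[l->n] = key;
    l->tokens[l->n] = BURST - 1;
    l->n++;
    return 1;
}

#define POLICY_PER_FD   0
#define POLICY_PER_USER 1

/* One unprivileged user (uid 1000, a constructed value) opens nfds
 * descriptors and writes msgs_per_fd lines through each. Returns how many
 * lines get past the limiter. */
int messages_accepted(int policy, int nfds, int msgs_per_fd)
{
    struct limiter l;
    memset(&l, 0, sizeof l);
    const int uid = 1000;
    int accepted = 0;
    for (int fd = 3; fd < 3 + nfds; fd++)
        for (int m = 0; m < msgs_per_fd; m++)
            accepted += limiter_allow(&l, policy == POLICY_PER_USER ? uid : fd);
    return accepted;
}

int main(void)
{
    printf("10 fds x 20 msgs, per-fd limit:   %d accepted\n",
           messages_accepted(POLICY_PER_FD, 10, 20));
    printf("10 fds x 20 msgs, per-user limit: %d accepted\n",
           messages_accepted(POLICY_PER_USER, 10, 20));
    return 0;
}
```

With the per-descriptor key, every extra open() buys another burst, so a process that wants to flood simply opens more descriptors; with the per-user key the total stays at one burst however many descriptors are in play. A well-behaved single writer gets the same treatment under both policies.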
Re: Odd timing
Two points in mitigation:
"You did not read the Reg article properly, you certainly have not looked at the linked material"
Well, I think quite a lot of readers don't look at the linked material. We rely on El Reg to summarise enough of it so that we have a balanced view of the situation without doing all the research ourselves. Thanks, at least from me, for the additional summary.
And in any case:
If the kernel can't protect itself against bugs in user-space programs, it isn't a very good kernel. Linus is free to have as low an opinion as he likes of the systemd people concerned, but he does need to change his kernel to address this. It's a DoS attack vector and if it was in Windows then we'd be queueing up to explain how it proves Microsoft's inherent shit-ness.
Re: This will not be good
On the bright side, a similar cloud would probably be equally fatal for all the drones and robot soldiers they are building, which makes it less immoral than biological.
And historically, the evidence is actually in favour of developing such weapons. As a species, we've used all-out chemical weapons once (WW1) and thereafter only in pretty desperate conflicts where one side thought they wouldn't be noticed. Bio-weapons were certainly developed during WW2 but none of the sides were actually willing to use them for fear of retaliation. Atomic weapons were used once, when the US was certain that no-one else had them. As soon as that certainty was overturned, the willingness to use them (eg, in Korea) disappeared.
Slowly, the politicians and generals are learning. Our technical prowess makes all-out war indistinguishable from suicide. Therefore, all future wars will be fought with both sides pulling their punches and if one side looks like losing everything, it will stop pulling its punches and the "winners" will wish they hadn't.
Re: Call me cynical but…
Indeed. Let me join you in your cynicism.
If the article is to be believed, all the freed software is compilers and language tools. Given the maturity of this branch of software engineering (yacc and lex are as old as I am), I'd have thought writing a C# compiler was the least of your problems in trying to make C# or .NET useful on non-Windows platforms. Even if it weren't, Microsoft already give away a perfectly usable C# compiler.
Have they also released the extensive framework libraries that you need to do anything useful? Is this the same .NET that was pushed into the sidings with the announcement of WinRT a year or so back? Is there anyone at Microsoft who would be excited to be moved to the .NET team today?
Re: If food is not "organic", it logically must be "inorganic"
"He would have used whatever poison or killing mechanism possible to murder slugs and the like (table salt, for example). (They still tasted good though!)"
Well obviously you wouldn't eat one without *any* seasoning...
Re: Agenda here?
"Yup square root of fuck all."
Maybe they just don't like you. It's not like I'm counting, but when I'm visiting vegetarian friends I quite often get offered something meaty.
Re: risk of cancer
Well, if you live such a healthy lifestyle that you fail to die of anything else (like, heart disease) then you will eventually die of cancer. This is organic veg we're talking about, not the freakin' Elixir of Life.
A more meaningful metric would be the risk of dying *early* of cancer. In fact, this would appear to be a general weakness of all "X gives you Y" type studies that end up in the popular press, but it is entirely possible that grown-up medical researchers routinely allow for this in some clever and standardised way that goes straight over the newspapers' heads and so never gets reported. Does anyone here know?
Re: I hate to bang on about this AGAIN
"Ah. Silly me (and one or two others) then, for spending all that time creating a responsive design for my web site."
If your website tries to look the same on all these platforms then yes, you've wasted your time. If it adapts to the target device and offers different layout, different facilities, different navigation, then you've done just what the man said and created different UIs for each case. Well done.
Multi-threaded, eh? Gosh, how modern.
"Microsoft demonstrated a new Windows RT sync app that talks to some old database code using synchronous calls, but without blocking the user interface thread as synchronous calls used to do in the Victorian era (eg, 1995)."
I think you need to explain this a little more. As it stands, it sounds underwhelming.
Doesn't really help me, I'm afraid. The phrase "more quantumly" rather goes against the grain of quantumness in my book. Either something is quantised or it is continuous, surely?
Re: Upgrade cycle
"Most of the documents I've thrown at OO and LO have been well and truly mangled."
And if you are on the bleeding edge of the feature set then you'll have similar troubles moving documents between Office 2003 and 2007. The morals of the story are that Office formats are not a safe place to put your work, you need to stop using them, and it's only going to get harder the longer you put it off.
Re: Wasting taxpayer's money again
"I work at Nottingham Trent University, but any other UK university will be the same. As has been pointed out before in this thread, the majority of students use IT as a means to an end, mainly to write up their work and ultimately their thesis."
I'm rather surprised that everyone isn't just expected to bring their own device for such purposes. Back in the day we wrote up work with pen and paper and we were expected to buy our own. Students at secondary school are now expected to have access to a computer at home. (I don't know what the kids from deprived backgrounds do. I expect it isn't good for their education.) If you are paying several thousand in tuition fees, a cheap laptop is the least of your worries.
Now if there's some expensive software package that they need access to, that's different, but you didn't say that.
Re: To be fair...
"The only problem is they need to get this released now, not in Windows 9 in 2015."
From the article...
"Myerson didn't say when this next Windows makeover would ship to customers, but he did say that Microsoft "will be making this available to all Windows 8.1 users as an update.""
So that's before Windows 9. I expect they will roll it out in six months time. They'll call it something daft. Everyone else will call it 8.3 (coz next week's offering is clearly 8.2), and *if* there is an API actually willing to admit to the true kernel version number (which is looking increasingly unlikely) then it will be something like 6.5.
"many apps would be crippled by being restricted to 32-bit (more and more *need* 64-bit to function)."
Christ on a fucking bike, mate! What are you smoking?
Outside of database servers, video editing and weather forecasting, hardly anything is *crippled* by being squeezed into 2GB of working memory.
Re: Keeping Windows XP alive is not good for anyone
"As HiDPI screens finally appear, Microsoft needs programmers to switch to APIs that work well with these displays."
Actually no. Programmers don't need to use new APIs at all. If you followed the guidelines laid down 30 years ago in the Book of Petzold, using GetSystemMetrics() and the like, the only thing stopping your XP application from scaling perfectly on a Hi-DPI system is the fact that later versions of Windows deliberately lie to you when you call these APIs. The "fix" is for you to recompile your application with a manifest containing GUIDs that were only published in the years after Vista was released.
Re: Irrelevant Here.
"The article (please, read it) shows that it is [viable], even at the worst pessimistic scenario."
Er, no. The article's analysis is pretty flawed. People who are stuck with XP talking to old hardware have the option of isolating the XP boxes from the internet and carrying on as before, indefinitely, at zero cost, and zero risk.
The only people who need to pay for XP support are idiots in government who tethered themselves to IE6 and then went to sleep for a decade. Microsoft saw them coming and are charging three times Trevor's "viable" rate (initially, jumping to even larger multipliers in the next few years). MS will get their fee, too. The problem with the article is that there's no *larger* market for paid support if MS drop the prices to the levels suggested here (because you can isolate the machine and pay nothing), so there's no reason for MS not to gouge the small number of idiots for all they can.
"If it works initially then why should it not continue to work"
Quite, and I confidently expect isolated systems running XP to carry on working until the hardware fails. I've heard no credible claims that XP is going to stop working next week.
It's obviously different if you want to use your lathe to surf for porn on the internet. If that's what floats your boat, I suggest you get a new lathe with Windows 8 on it. (It'll serve you right.)
Re: Re:Linux running most of the world's servers
"Some devs have written a driver in a day."
But probably not in cases where the original hardware vendor either no longer exists, or no longer has any technical records for that particular model, or just wants to sell you a new lathe and is therefore unwilling to provide documentation.
And once your dev has reverse engineered the hardware spec, they are unlikely to be willing to guarantee the correct operation of their driver. At least, they won't be willing to sign a piece of paper that lets you recover losses from them if the driver turns round in a month's time and refuses to talk to the lathe that your business depends on. You might argue that the lathe vendor signed no such paper either, but you have a decade or more of experience to build your confidence in the original driver. The new one is a leap in the dark.
Re: Similar programs and Copyright
"If it does precisely the same thing in precisely the same way there is a prima facie issue of copying."
Or it is a pretty obvious idea with one particular expression that would be considered idiomatic by a large number of experienced programmers. I reckon quite a *lot* of things fall into that category, particularly if you spend time refining the spec so that it is mathematically minimal and then spend time refining your implementation to match, and then feed it to one of the fairly few compilers in widespread use, only for its optimiser to eliminate (in its own code generation style) the remaining differences between your code and the other guy's.