Forgot your password?
typodupeerror

Comment Re: GPL is software herpes (Score 2) 93

Actually, I'm a Unix and Plan 9 enthusiast -- I merely focused on BSD Unix because it's the topic at hand. Having used, at one point or another, almost every Unix distribution that has existed since the mid-1970's, I have my preferences -- but since some of those are long-defunct, it's not practical to attempt to run them in 2026. And of course Plan 9 takes the Unix approach to its next level: many of the ideas it incorporates are advanced yet elegant, a quality that often gets lost in bloatware -- a canonical example of which is systemd, currently infesting any number of Linux distributions (but not the ones I'm running, which is in fact why I'm running them).

The point, which you seemed to have missed entirely, is that regardless of what you're running and what I'm running, the world is running rather a lot of Linux and Unix on all kinds of hardware, and it's often under the hood so it's not readily obvious which is in play.

Comment Re:GPL is software herpes (Score 2) 93

Ah, my dear child; my dear ignorant child.

Linux is certainly in a lot of places -- including on the laptop I'm writing this from. But BSD is as well, including on tens to hundreds of millions of devices that are running it without explicitly mentioning it, and of course on everything running a contemporary version of MacOS. Not to mention all the systems that are running OpenBSD, NetBSD, FreeBSD, or one of the other variants.

It would be an interesting exercise to try to enumerate all computing systems, including those in the IOT, routers, switches,, etc. and come up with an actual count of Linux, Unix, and "other" -- also a large number by the way thanks to dedicated small operating systems designed/built to run things with rather limited computing requirements.

But whether or not someone invests the time/effort to do that, it's most certainly a blunder to dismiss BSD.

Comment This is WORTH remembering - for the future (Score 1) 74

I've noted the comments here about how this is old news: that's true. But it will be novel to some people who didn't live through it, and even for those who did, it's a necessary reminder. Microsoft is ruthless, unscrupulous, and unethical: they will do anything. They're not the only ones, of course, but they're arguably the most dangerous because of their size, wealth, and longevity. They're the enemy of open standards. They're the enemy of open source. They're the enemy of open protocols. They're the enemy of Unix. They're the enemy of Linux. They're the enemy of security. They're the enemy of privacy. They've always been the enemy and they always will be, because it's in their DNA: it's impossible for them to change.

So any time -- ANY TIME -- there's some statement or initiative or announcement that they're going to support open standards/source/etc., any of the things I listed -- the first things that should come to mind are these wise words of Ash: "It's a trick -- get an axe."

Comment Re:Oh, right! (Score 1) 74

We were still buying VAXes because we would put the VMS tapes aside, install a second CPU (the "PurDual" modification), install BSD (Berkeley Unix), and run them nearly 24x7 for years at a time. "We" included the (large) university I was at, but it also includes a LOT of other universities, because -- thanks to DEC's academic discounts on hardware -- this was one of the most cost-effective ways of deploying a lot of computing power. (For the time, of course,)

Comment This isn't even a little surprising (Score 4, Insightful) 22

Amazon, Google, Microsoft, Oracle, Facebook, all these large companies have huge numbers of employees and contractors and subcontractors and sub-subcontractors. And with few exceptions -- at the top -- they treat them as disposable, as we see in their headlong rush to replace them with horribly broken AI systems. Many of these people are elsewhere in the world and are paid far less than their US counterparts.

All of this creates a rich ecosystems that's ripe for bribery; it's an inexpensive and effective way to get things done. It's not rare: it's commonplace and unremarkable. Of course these companies will claim otherwise because they don't want to admit that they're created a culture of corruption, and every once in a while they'll throw someone under the bus so that they can claim they promptly investigate all such activities, that's all bullshit. The systems they've built are functioning as designed and intended, and as long as massive amounts of money keep flowing to corporate executives, they have no reason to disturb them.

Everyone foolish enough to put their personal/company/organization data in clouds run by these companies should consider that all of their data is quite likely available to anyone who can put $5K or $20K or whatever in a manila envelope and slide it across a table.

Comment There's a working group of cryptographers... (Score 2, Interesting) 98

...who are spending some of their time researching Bitcoin (and other cryptocurrencies) in an attempt to reduce their value to zero.

This isn't a particularly well-funded or dedicated effort, it's just something being done ad hoc. So it may go nowhere. But if it does succeed, then it'll be quite amusing to watch every crypto bro cry as their "investment" suddenly becomes worthless, even to the other fake money criminals.

Comment I've seen enough (Score 3, Informative) 22

Although to be more precise: I saw enough about LastPass years ago. This is the N'th security incident that they've publicly admitted. No doubt the number of incidents they're aware of is higher, and no doubt the number of incidents they're not aware of is still higher.

I think at this point it's safe to presume that any information shared with LastPass has been compromised or will be compromised shortly. Part of that is because they're incompetent, but most of it is because there's no way for any operation to do what they've set out to do: the threat model is completely against them. What they've built is one-stop shopping for attackers, so it's worth much more time, money, attention, and risk than many other operations. Obviously attackers know this and have planned/executed accordingly.

The right thing to do -- which won't happen because almost nobody does the right thing -- is to admit failure, issue refunds, and shut down.

Comment Re:Right now the real temperature here ... (Score 5, Interesting) 164

About 25 years ago, I began to take a serious interest in climatology. I started buying textbooks and reading them - and for the most part, that went smoothly, because I could easily understand the math and physics. (I struggled a bit with some of the organic chemistry, and had to spend a couple of years coming up to speed on that.) After a while, I could read all the reports and some of the papers being published, so I made my way through things like the IPCC reports -- which are thousands of pages. Eventually, I got to the point where I could read almost anything published in the field -- but admittedly, some of the material still takes me a long time to get through.

And the single biggest takeaway from all that work is: climatologists, as a field, have been consistently underestimating how bad things are and how bad they're going to get. This is because they're scientists, and all scientists are trained to be conservative in their assessments. Whereas a non-scientist might write "X proves Y", a good scientist will write something like "X suggests that Y may be happening" or the equivalent. This approach implicitly acknowledges uncertainty and the possibility that future work will yield different results: it's how science self-corrects over time.

This mindset is commendable: it shows intellectual honestly. But unfortunately in this particular discipline, at this particular time, it doesn't ring the alarm bells loudly enough. We need a Samuel L. Jackson moment: "The world is on fire, mXXXXrfXXXXXrs" We need radical changes, e.g. all fossil fuel production and consumption must end. We need vast reductions in energy consumption. We need sweeping societal changes, e.g., an end to daily commuting as the norm, it should be an exception. And even if we do all of that, it may still not be enough, because this is an exponential process with a huge amount of momentum -- in other words, we're going to keep sliding up the curve for some period of time even if we do everything that we should have done decades ago.

I've said, for all these years, that I'm not going to live to see the hellscape that's coming - the mass starvation, the killer megastorms, the wars over water, the refugee crises, the political, economic, and societal chaos. Now I'm not so sure.

Comment Re:You'll end up with an empty repository (Score 3, Insightful) 170

All true - but also a young arrogant engineer who completely failed to read and learn from people who have entire closets full of computing awards (including Turing Awards) for a reason.

There are only two valid use cases for systemd: first, as an interview question. I use it as a fast and easy way of classifying candidates; anyone who thinks systemd is in any way, shape, or form a good idea may safely be dismissed from any further consideration. Second, as a security wedge: there is so much new, poorly-written code in systemd -- with more being shoveled in all the time by Poettering's submissive kneeling fanboys -- that it provides all kinds of opportunities. (I'm being snarky but also serious: read the damn code. It's absolute crap, so much so that one could argue that the number of security holes exceeds the corpus of useful code.)

Comment Re:Seems defensible. (Score 3, Interesting) 38

How would it have damaged Google to (a) give credit where it's due and (b) cut a $50,000 check?

Answer: not at all.

In fact, it would help them, because it'd go a little way toward repairing the reputation they've spent the past several years damaging. And it'd be a far better choice -- in every possible way -- than trying to weasel out of it as they've done in this case.

What Google (and Microsoft, and others) have done by abusing the good faith and trust of security researchers has convinced a lot of them that they're better off just selling information to anyone who can/will pay. It's less aggravating and it has a higher payout. This isn't good for anyone, and 100% of the blame lies with these enormously wealthy corporations -- who could easily afford the expense, but are too greedy and too short-sighted to understand the damage they're doing.

Comment This is why "responsible disclosure" isn't (Score 5, Insightful) 38

This isn't the first, or the tenth, or the hundredth time this has happened to some security researcher dealing with some company. And even when their research is properly acknowledged and credited, the payouts are pitifully small. The entire concept of "responsible disclosure" is to guilt people who don't work for companies into free labor for them, donating it, and then receiving neither credit nor fair compensation.

It's time to discard not just the practice, but the entire concept, because the industry has proven that it concocted this nonsense as a one-sided deal, and that it will screw anyone/everyone at every possible opportunity. It's time for researchers to abandon any attempt to collaborate with companies, because it doesn't work.

What should they do instead? Just drop the vulnerabilites and let the companies deal with the fallout. They're too cheap, too lazy, and in too much of a hurry to make sure their products/services are secure before they start selling them, so they deserve what they get. Let them burn.

Comment Some things that would be helpful (Score 4, Insightful) 10

1. The list of "1 million fraudulent domains". I'd like to drop that list into the appropriate configuration files. I'd also like to see which registrar(s) are involved and who's providing DNS services for them.

2. The list of "9,000 fake websites". Same for these, and I'd like to see who's providing hosting for them.

This is a pet peeve of mine: reports like this come out, but the original source (Google in this case) doesn't publish the fundamental factual information that everyone needs to defend themselves AND to gain some understanding of how the threat works, so that everyone can defend themselves against the inevitable copycats. Instead we get a bunch of corporate PR-speak, which is utterly useless. So if you're reading this, Google: pony up.

Comment These disclosures aren't the worst of it (Score 1, Interesting) 35

The person(s) behind this series of disclosures are clearly highly intelligent, knowledgeable, and industrious. Microsoft should be paying them the minimal acceptable bug bounty -- per bug, which is this case is $1M USD. (Anything less than that is an insult.) But of course Microsoft is far too accustomed to lying, cheating, and screwing other people, it's so embedded in their corporate culture, that it has never occurred to them to even try to do the right thing.

Now to turn my attention to the Subject of this posting. Surely nobody thinks that the person(s) behind this particular effort are the only ones conducting such research. And it is importable that they are the most intelligent, most knowledgeable, and most industrious -- in other words, there are probably people out there somewhere who are even better. And, rather ominously, who aren't doing the world the enormous favor of making these known publicly.

That's an easy speculation to make, of course, but it's also congruent with history. "There's always someone cleverer than yourself" is a wise maxim because in all but a very, very cases it's accurate. So unless this one of those cases -- and I very much doubt that -- then there are one or more other person(s) out there discovering bugs of similar severity and consequences, and doing....well, we don't know what they're doing with them. If they're working for national intelligence agencies, then likely stockpiling them for future exploitation. If they're working for themselves, perhaps packaging and seller them on the open market. There are all kinds of possibilities and none of them bode well.

TL;DR: we have reached the point where it has become painfully obvious that Microsoft can't secure its own operating system for any even minimally acceptable value of "secure"; every day it becomes more obvious that they're losing.

Slashdot Top Deals

Scientists will study your brain to learn more about your distant cousin, Man.

Working...