* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

ASLR-security-busting JavaScript hack demo'd by university boffins

Charles 9

Re: Java*.*

"Plus, with a more "remote desktop"-oriented model, you could keep the client a lot more stable. Not as much need for new fancy features every week when the client is simply doing the presentation. So the amount of vulnerabilities would actually go down over time, instead of basically staying constant as it is today."

But the client will ALWAYS be a target. They'll just target the rendering engine and send it malformed inputs and so on. Hoping for perfect code when it's open to the outside is like wishing for unicorns.

Charles 9

Re: Java*.*

I use TightVNC, but the problem is that even on a home LAN setup, on-the-fly MJPEG doesn't get up to 30fps and involves a lot of tearing, plus as you said no sound. Plainly and simply, network bandwidth issues mean you really need the originally-compressed data stream (the optimal way to send the data) sent down the pipe and then decompressed locally to get the most performance. Some things like video and audio rendering are simply best done at the render point.

Charles 9

Re: Java*.*

And BTW, due to the architecture involved, X servers actually reside on the clients. So when I say malware writers target the X servers, I'm referring to the X servers residing on the clients.

Charles 9

Re: Java*.*

"You solve this by having somewhat intelligent protocols, so text input and other basic building blocks of UI interaction are handled on the client."

Anything *smart* you put in would be targeted by the malware writers, such as with malformed input. And then there's the matter of things like video players that MUST be on the client for performance reasons (Don't believe me? Try VNCing a video player...)

And while you can harden a protocol, protocols are useless without implementations, and it's the implementations the malware writers will target. Remember, there are times when browsers get pwned by malformed HTML: no JavaScript necessary.

Charles 9

Re: Timing attacks?

An auction site, for starters. Especially when it gets towards the end and there's a rush of bids.

Charles 9

Re: Java*.*

Not true. Not everyone has broadband. Plenty are stuck on dialup, satellite, or low-end wireless. Plus what's stopping X servers from being attacked, not to mention servers full of juicy information? Frankly, I'd say the horse of privacy has bolted and will never return. Even if consumers abandon the Internet en masse, high-speed private and government networks will continue.

Pwnd Android conference phone exposes risk of spies in the boardroom

Charles 9

Re: Android 2.3?

I believe many ATMs still run OS/2 v3.

Forget quantum and AI security hype, just write bug-free code, dammit

Charles 9

Re: AI/ML is dead bollocks...

And then you have things like Return-Oriented Programming, which can use bits and pieces of otherwise-innocuous code to wreak havoc. After all, ammonium nitrate fertilizer and diesel fuel are both common tools of the farmer, but put them together just the right way and you end up with ANFO (BOOM!).
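To make the "bits and pieces of otherwise-innocuous code" point concrete, here is an added example (not code from the article or from the commenter) in C: a minimal gadget scanner over a constructed, hand-assembled x86-64 byte string. It walks backwards from every `ret` (0xC3) collecting single-byte `pop r64` and `nop` instructions, and reports each "pop ...; ret" gadget it finds. The sample bytes, the list of intended instruction boundaries, and the function names are all assumptions made for this illustration; real tools such as ROPgadget decode the full instruction set, which this deliberately does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PREFIX 3 /* at most this many pop/nop bytes before the ret */

typedef struct {
    size_t offset;  /* byte offset where the gadget starts */
    size_t len;     /* bytes from offset up to and including the ret */
    char text[64];  /* human-readable rendering, e.g. "pop rdi; ret" */
} gadget_t;

/* Constructed sample "code" (assumed, not from any real binary).
   The mov at offset 6 is a perfectly innocent instruction, but its
   32-bit immediate contains the bytes 5e c3, which decode as
   "pop rsi; ret" if execution lands at offset 7 instead of 6. */
static const uint8_t sample_code[] = {
    0x55,                         /*  0: push rbp          */
    0x48, 0x89, 0xe5,             /*  1: mov rbp, rsp      */
    0x5f,                         /*  4: pop rdi           */
    0xc3,                         /*  5: ret               */
    0xb8, 0x5e, 0xc3, 0x00, 0x00, /*  6: mov eax, 0xc35e   */
    0x48, 0x31, 0xc0,             /* 11: xor rax, rax      */
    0x5d,                         /* 14: pop rbp           */
    0xc3,                         /* 15: ret               */
};

/* Offsets at which the compiler intended an instruction to start. */
static const size_t intended_starts[] = {0, 1, 4, 5, 6, 11, 14, 15};

/* Returns 1 if off is an intended instruction boundary, 0 if the gadget
   only exists by entering the middle of a longer instruction. */
int on_intended_boundary(size_t off) {
    for (size_t k = 0; k < sizeof intended_starts / sizeof intended_starts[0]; k++)
        if (intended_starts[k] == off) return 1;
    return 0;
}

static const char *reg64[8] = {"rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"};

/* Single-byte instructions we accept as gadget bodies: pop r64 (0x58..0x5F) and nop. */
static int is_prefix_byte(uint8_t b) {
    return (b >= 0x58 && b <= 0x5F) || b == 0x90;
}

static void render(const uint8_t *code, size_t off, size_t len, char *out, size_t outsz) {
    out[0] = '\0';
    for (size_t k = 0; k < len; k++) {
        uint8_t b = code[off + k];
        char piece[16];
        if (b == 0xC3)      snprintf(piece, sizeof piece, "ret");
        else if (b == 0x90) snprintf(piece, sizeof piece, "nop");
        else                snprintf(piece, sizeof piece, "pop %s", reg64[b - 0x58]);
        if (out[0]) strncat(out, "; ", outsz - strlen(out) - 1);
        strncat(out, piece, outsz - strlen(out) - 1);
    }
}

/* Scan code for every ret, walk backwards over pop/nop bytes, and record
   one maximal "pop ...; ret" gadget per ret. Bare rets are skipped. */
size_t find_gadgets(const uint8_t *code, size_t len, gadget_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        if (code[i] != 0xC3) continue;
        size_t start = i;
        while (start > 0 && i - start < MAX_PREFIX && is_prefix_byte(code[start - 1]))
            start--;
        if (start == i) continue;
        out[n].offset = start;
        out[n].len = i - start + 1;
        render(code, start, out[n].len, out[n].text, sizeof out[n].text);
        n++;
    }
    return n;
}

int main(void) {
    gadget_t g[16];
    size_t n = find_gadgets(sample_code, sizeof sample_code, g, 16);
    for (size_t k = 0; k < n; k++)
        printf("0x%02zx: %-16s %s\n", g[k].offset, g[k].text,
               on_intended_boundary(g[k].offset) ? "(intended instruction)"
                                                 : "(unintended: mid-instruction)");
    return 0;
}
```

Run against the sample, the scanner reports three gadgets; the one at offset 7 is the interesting one, because no instruction was ever meant to start there. That is the whole trick of ROP: the attacker never injects code, only return addresses that string such fragments together, which is why ASLR (hiding where they are) and DEP (which ROP bypasses) are complementary rather than redundant.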

Microsoft releases open source bug-bomb in the rambling house of C

Charles 9

Re: what happens when you have to deal with UNstructured data

"A guess is taken (maybe configurable by the user) as to what starting resources to allocate to the process."

The trouble with guesses (especially wild ones, which can be the case here as something like a raw stream is pretty much a shot in the dark) is that they tend to miss more often than hit. And I wouldn't want to be the one fielding the calls for when the process keeps aborting half the time and it hogs the memory the other half.

Charles 9

Re: >handling pointers directly makes for efficient, “close to the hardware” programming>

"Then you choose a language and/or system that is appropriate for that particular problem domain."

Can you NAME a system or language that's specifically designed to handle arbitrary amounts of unstructured data?

Charles 9

Actually, I wonder if what you're REALLY really looking for is "dilemma", as in a choice between two things, both of them bad. As in not using pointers is too slow, but using them is too risky. You lose either way.

Despite the spiel, we're still some decades from true anti-malware AI

Charles 9

The TL:DR version: Due to the motivations involved, odds are that malware will have AI first instead of anti-malware.

Charles 9

Re: AI vs Greed

But the reason you don't see Rube Goldberg-type entries is that the REALLY sophisticated people steal data the EXACT SAME WAY it gets accessed PROPERLY. Because the biggest, most sophisticated threats were, are, and always will be insiders, and you can never completely defend against insiders.

Charles 9

Re: Do you even know what a neural network is?

It got lucky. I didn't have to actually pass one of the CAPTCHAs. Let's see one do THAT several times in succession (since the tests differ each time), then I'll be impressed.

Charles 9

Re: Um, sarcastic joking?

"And that's effective with AI software, how?"

Since when did the problem have to do with AI software? The question was, "How do you tell a real woman from a drag queen?" I gave a "42" solution: groin shot from behind.

Now, as I understand it, the Turing Test was to fool a human engaging the program in a chat room setting into thinking he's chatting with a person when it's really the program. And that's still a work in progress.

Charles 9

Re: Um, sarcastic joking?

"Sad fact: we have nothing that passes Alan Turing's original test: how to tell a woman from a man pretending to be a woman."

I would think a nice stiff rod swing up at the groin between the legs from behind would make for a quick and effective test. From behind means it's unanticipated so no preparation techniques can be used.

Charles 9

I can see the overlap here. I see it more like a siege. Defenders necessarily have to fix many of their defenses, and attackers can learn these and work against them, leaving only the mobile defenses which are also necessarily limited, particularly by resource costs. In this scenario, the attackers have access to everything the defenders have and can use them against the defenders. This can include AI at some point. Meaning as long as they can out-resource the defender, it's basically only a matter of time.

Not even behavior-based detecting will work for long as the attackers learn to pace themselves and re-learn the arts of "smurfing" things under the radar and mimicking legitimate actions.

Charles 9

Re: What to protect? Nothing. The article is absolutely senseless.

"3. All programming languages and codes are soon over - AI speaks, understands and thinks using language, texts."

I believe you forgot the Joke Alert icon. I'll believe you when your supposed AI can survive the "This Sentence Is False" paradox. Or perhaps the "My Dog Has No Nose" routine Danger Mouse once used to defeat an "AI" computer.

Ex-FBI man spills on why hackers are winning the security game

Charles 9

Re: Comfortable illusions about computer security

Then someone develops a hypervisor attack and breaks out of the VM the same way Java malware learned to break out of its sandbox. Anything man can make, man can BREAK. Even the humble paperclip can be pretty much broken by folding it in half.

Charles 9

Re: I can suggest a guaranteed fix:

The CEOs will counter by looking for ways to convince any legislatures not to enact such a law: to the point of moving if they have to. Remember, it's HARD to convince a business to do anything they don't want to. They can play sovereignty against you. Then there's the matter of investors. Limitation of liability is one reason corporations exist in the first place, and that was done to encourage investment.

Charles 9

Re: Nice to Hear Some Truth

So? They're not gonna pay otherwise. And THEIR vulnerable systems can be used as stepping stones to other systems, including yours, or simply used in a DDoS attack.

Charles 9

Re: Nice to Hear Some Truth

"Since no solution is perfect, one really has to do all three; reduce the number of vulnerabilities through a more secure design, mitigate the impact of vulnerabilities through additional techniques, and keep current with the advantage hackers are taking of what's left."

One problem: end users who don't want to learn, meaning you have to make the whole mess as simple and turnkey as possible.

Charles 9

Re: Comfortable illusions about computer security

But people want things as simple as possible. KISS Principle, turnkey simplicity and all that. And they outnumber you.

Totally not-crazy billionaire Elon Musk: All of us – yes, even you – must become cyborgs

Charles 9

You assume that the cost of living will fall faster than the average take-home pay. I disagree. The robot masters will be inclined to pocket as much as they can. Competition can apply pressure, but that can be countered by cartel behavior (we all play nice, then we can all make a killing). Meanwhile, the working population is already so great as to glut the labor market. Fewer available jobs spread among an increasing number of laborers will put downward pressure on take-home pay, keeping people from being breadwinners. It's just like with basic income. The only people you could leech to pay for the program will be the least inclined to participate: to the point of packing up and leaving if pressed.

Strong non-backdoored encryption is vital – but the Feds should totally be able to crack it, say House committees

Charles 9

Re: Summed Up Quite Well

Last I checked, the fingerprint code is in hardware and separate from the GPL stuff. Compartmentalized, IOW, so all the GPL software is clean but the fingerprints are added on top and in a way that can't be bypassed (thus why it's in hardware).

New PayPal T&Cs prevents sellers trash-talking PayPal

Charles 9

Re: Bad Mouthing

"This story also raises some VERY red flags. The companies involved are in Canada, not the United States, so why is Paypal applying American law on transactions taking place in a different country?"

Because PayPal is headquartered in the US (in San Jose, California). Technically, everything goes through there which means they go through the US and get subject to American laws. Therefore, their activities are subject to American law: particularly those involving the financial sector.

Honeypots: Free psy-ops weapons that can protect your network before defences fail

Charles 9

Re: " incident becomes SO common"

Seems to me more like it becomes "normal" and gets ignored. Most people want a decently good life, but if "normal" stuff happens to other people, it just becomes noise.

Planned Espionage Act could jail journos and whistleblowers as spies

Charles 9

Re: Two things...

"If I start to feel like a prisoner in public and cannot do anything about it, I would simply leave the country and go else where. Germany seems like a good bet since their constitution prohibits things like this, or so I am told."

One, they could prevent you from leaving (see China). Two, Constitutions are just ink on a page in the end.

Grumpy Trump trumped, now he's got the hump: Muslim ban beaten back by appeals court

Charles 9

Re: It's all a media conspiracy!

"Not sure what they'll do if when Sarah Palin becomes the ambassador to Canada."

Declare her persona non grata and send her home?

Charles 9

Re: as is usual in Trump article comments here...

Trouble is, Acts are subject to Constitutional scrutiny. The ban on religious discrimination is in the First Amendment, part of the Constitution itself and therefore takes precedence.

Charles 9

Re: Failure of our courts

"Immigration and Nationality Act of 1952."

An Act of Congress. Therefore, subject to be overruled by the First Amendment.

Charles 9

Re: Failure of our courts

"If our judges fail to uphold the constitutional laws our representatives have enacted in our names. Then they should be removed from the bench and never be allowed to serve in public office again."

Then convince your Congressman to impeach them.

Charles 9

Re: Overturned

"The constitution gives POTUS the authority to do what he did. Period."

Please cite the exact text of the Constitution where this is stated, then. Please note, also, that the Bill of Rights (where discrimination against religion is forbidden) was ratified AFTER the original Article II, therefore anything it says takes precedence as official Amendments.

And don't give us that bit about national security because if that were true, Saudi Arabia would be on that list (since the 9/11 hijackers and the Al Qaeda mastermind all came from there). Also the US would be banning ITSELF since homegrown terrorists have committed atrocities as well (Oklahoma City in particular).

Charles 9

Re: Oh dear...

Why doesn't the US look at ITSELF as well, since at least two known terrorist attacks were entirely domestic in nature, including the perpetrators?

Charles 9

Re: Trumped

"The infamous Ninth Circuit Court sided with him, the same circuit that has been overridden more than any other."

Tell me, how many unanimous appeals rulings were overturned by SCOTUS (remember, the decision has no dissent, meaning ALL THREE were in agreement)?

Charles 9

Re: Right wing hypocrisy.

That would mean the US would have to ban ITSELF. Oklahoma City and Bath Township were both committed by natural born white Americans.

Charles 9

Re: "SEE YOU IN COURT, THE SECURITY OF OUR NATION IS AT STAKE!"

"Trump can't be elected for more than two terms."

That's assuming they don't just tear up the Constitution and stage a coup. After all, laws in the end are just ink on a page.

Charles 9

Re: "SEE YOU IN COURT, THE SECURITY OF OUR NATION IS AT STAKE!"

"98 out of 100 of the top publications in the US were opposing trump. Just were do you think you can find even 'half-way neutral' reporting?"

You can't. He's a "for us or against us" type of guy. To him, there is no neutral.

Oracle refuses to let Java copyright battle die – another appeal filed in war against Google

Charles 9

"Y'know, Einstein said that doing the same thing over and over again while expecting a different result is a definition of insanity."

Didn't he ALSO say that doing the same thing over and over again and actually getting a different result is a definition of persistence?

Who's behind the Kodi TV streaming stick crackdown?

Charles 9

Re: @Charles 9

Well, it can fluctuate, but the point is that they DO tend to meet. The trick with illicit drugs is that there's a high demand for them overall: enough users keep the market going. The quantity is kept low due to legal interdiction, which raises the equilibrium price (by pushing the supply graph upward). Drug suppliers probably could care less if their drugs are legal or not; if illegal, they'll stick with their illicit connection, if legalized, they have a first-mover advantage to create legal supplies.

But if customer expectations are SO low for the price of something that the highest they're willing to pay is less than the cheapest it can be made (say a nearly nonexistent Q in the bottom-left corner while the P graph starts some distance to the right), then you can have a situation where people demand music but aren't willing to pay for it: a potentially unworkable market. Now is this REALLY Q? Can't say, but it's a possibility.

Charles 9

Re: Hmm

Are you SURE they inflate the prices? Or is it that the sports know they have an audience and are jacking up their prices due to the high demand? Can you cite where the sports are taking in less than the media companies are claiming?

Charles 9

Re: @Charles 9

"Free commerce certainly doesn't care about me, why should I care about it?"

Because without commerce, where would you get anything?

The other side of your argument is that regulations hamper business. Businesses can be, have been, and always will be out for themselves; it's part of the human condition, after all. And because of the way our laws are set up, no business can ever really be compelled to do anything. Worst comes to worst, they'll simply bail out. Remember that: people can and will walk away. Markets don't have to be fulfilled; in fact, if the supply and demand graphs never intersect, then that market CAN'T be fulfilled.

The TL;DR version: Interfere with commerce and commerce starts disappearing.

Cattle that fail, not pets that purr – the future of servers

Charles 9

Even if your pets are old and sickly and there's no budget to get a new pet?

Charles 9

Re: What if your requirement is for a Cat not a Cow

The pet's not the software; that's the job. The animal is the beast that RUNS the job. You either have a "pet" as in a personally-raised-and-maintained machine, or you hire a cow (a cloud server) to do it for you.

Charles 9

Re: "on-premise" !?

So you agree with me since you used a double negative, turning it into a right (wronging a wrong).

"Show me a building which occupies no land.."

A FLYING building, of which such concepts are being developed (like a floating warehouse). Plus what about space stations? Meanwhile, I've demonstrated the fact of land with no building.

And yes, one CAN change another's opinion. It's called drilling it continuously from all angles until you give up.

Charles 9

Not necessarily. With fewer servers on site sucking up the juice and making your HVAC work its compressors off, your electric bill would drop. Depending on the other things you wouldn't have to pay (because you may not need to lease so much space and so on), it could more than offset the cloud costs. It depends.

Charles 9

Re: "on-premise" !?

And before you start with legless undergarments like panties, English is inconsistent. Deal with it. After all, why "houses" instead of "hice"?

Charles 9

Re: "on-premise" !?

Pants count for two LEGS which encompass most of the material, so they are treated as pairs. It doesn't apply to shirts since most of their material is for the torso instead of the arms.

Charles 9

Re: Standardisation

It's a two-edged sword. A common base means lots of experience dealing with problems when they arise, but it also means when a problem arises, it's likely to hit more of them at once. Sort of the difference between repairing a stock, mass-produced car and a custom-built one.

Microsoft's DRM can expose Windows-on-Tor users' IP address

Charles 9

The situation between Blizzard and Valve is the same as the situation between say BT and Sky: both are competing for the same audience and want to conquer the other. To them, sharing is surrendering. Blizzard knows they have hits with WoW and now Overwatch. People willingly pay beaucoup bucks each month for the former, so they have a proven natural draw and really don't need a third party to help them.