Josh's Blog - Comments

Josh Bressers: How Long Does a Flash Drive Last?

nospam@example.com (Josh Bressers) — Mon, 02 Jun 2008 21:30:11 +0000

I can read the data just fine, it's only writing that now fails.

Paul Ignatenko: How Long Does a Flash Drive Last?

nospam@example.com (Paul Ignatenko) — Thu, 29 May 2008 09:54:34 +0000

Were you still able to read off of it even after the write died? Or was it all just burnt out?

Josh Bressers: How Long Does a Flash Drive Last?

nospam@example.com (Josh Bressers) — Fri, 23 May 2008 12:40:40 +0000

The noatime is a good call, but I was well aware of the journal updates and having them there was intentional. My goal wasn't so much to get an exact number of writes, but just a general idea of how a typical filesystem I run would stand up.

I'm certain there are lots of things I could have done to make this test more exact. Perhaps I'll put this knowledge to use in a future run.

Thanks.

Michael Brown: How Long Does a Flash Drive Last?

nospam@example.com (Michael Brown) — Fri, 23 May 2008 11:47:13 +0000

You really should be doing your test with EXT2, mounted with 'noatime', not EXT3. With EXT3, the filesystem writes to the journal every time you sync metadata to the file. With EXT3 and default options, it is going to update the metadata every time you write to update atime/mtime. This means that it updates several other blocks other than your file data.

partha: Security Week in Review (2008-04-13)

nospam@example.com (partha) — Mon, 21 Apr 2008 05:20:51 +0000

but i can't find firefox 2.0.0.14 in updates.

QUOTE:

yum list firefox*
Installed Packages
firefox.i386 2.0.0.13-1.fc8 installed
firefox-devel.i386 2.0.0.13-1.fc8 installed

should i grab the tarball from mozilla and use it then ?

troll: Security Week in Review (2008-03-16)

nospam@example.com (troll) — Mon, 24 Mar 2008 08:02:17 +0000

Relax with CERT-FI. They are a bunch of most incompetent "security officials" on this planet, their news releases and "advice" to the Finnish public have been a target of ridicule for years already.

Josh Bressers: Security Week in Review (2008-02-10)

nospam@example.com (Josh Bressers) — Mon, 18 Feb 2008 08:25:43 +0000

That is correct. SELinux won't prevent kernel bugs, but it could affect the exploit path. Depending what sort of setup the exploit needs, SELinux could help prevent this.

me: Security Week in Review (2008-02-10)

nospam@example.com (me) — Mon, 18 Feb 2008 02:03:41 +0000

> This flaw could allow a local user to gain root privileges, and things such as SELinux wouldn't stop it.

Selinux does not (and can not) fixe kernel bugs.

Anonymous: Security Week in Review (2008-01-13)

nospam@example.com () — Mon, 21 Jan 2008 04:07:33 +0000

"""
The tricky thing with X.org is that it has to run as root, so it gives a local attacker the potential to compromise the machine.
"""

Would be interesting to know how tight the selinux policy around the xserver is, any idea?

crf: Security Week in Review (2007-12-06)

nospam@example.com (crf) — Mon, 14 Jan 2008 18:46:30 +0000

This isn't really about security by obscurity.

You get an audit using secret methods, but the results are public. You can independently tell if the results are real or not (real bugs or not real bugs).

I don't know a heck of lot about Coverity or software engineering. But Coverity isn't a security system: it's just a tool for finding bugs.

---

Opening the tool up to public scrutiny could only improve it. It certainly cannot make it worse. Whether it would lead to the owner making less money is a question they undoubtedly have asked themselves. As a small company, sometimes it is hard to get maximum value out of your "IP", no matter whether it is open or closed. However, it isn't out of the question that some other company could buy coverity and make it open source. For example, if IBM, say, owned it, it might realize the vast majority of its value simply by using coverity improving their own products, compared to the value gained by selling coverity's services to others as closed or open source. Even considering, arguably, that the value of selling the software to others may be minimized if it were open source, how much value remains depends on how hard coverity is to deploy and use, and how much value can be added to the open source product by properly servicing, teaching, deploying and marketing it. (Should I have to point out that this form of value is significant, and often a greater source of value than just the software itself?) Furthermore, if the tool improved under open source, the value it improving IBM's products may be more than would be gained by keeping the code secret and selling it as service.

By keeping the tool closed source, Coverity runs a lot of risks too. Somebody could make a better tool, and wreck their business. If it were open source, and there isn't a comparable tool, Coverity's tool might expand it's market quicker, and become somewhat standardized, gaining value for the company and it's brand. Another risk is that while Coverity's engineers probably know coverity well, others, of course, don't. That means that Coverity is under great risk of having an unforeseen accident or event severely affecting their business. If it were open, more people would likely know how coverity works intimately, and be available to work for the company.

troll: Security Week in Review (2007-12-06)

nospam@example.com (troll) — Mon, 14 Jan 2008 15:50:58 +0000

Coverity is not serious about improving the state of Open Source. Coverity is serious about getting paid for using their (awesome) tools for auditing Open Source. Which is paid by the US government. Which selected Coverity from a number of contestants, based on how good bang for the buck Coverity can provide.

There's nothing really wrong with the situation there. The tools they are using are improving (they are getting money which they can use for serious development and further innovation by time) anyways and the results are fine (the tools are doing what they should - automatically helping to avoid falling into the traps that are easy enough for a computer to detect). Look at what these commercial tools did to the Linux kernel. When they introduced them the amount of certain types of bugs fell radically and they managed to plug quietly hundreds of critical flaws without anyone outside ever even noticing. Good working example case for obscurity vs security - their security policy using obscurity worked wonders there in real life, and the tools worked magnificently as well saving Linux folks from many embarrassing moments.

Going open source would kill the investments that living in the edge requires, and reduce the quality of their offering in many ways. Not that they are the only possibility. Coverity and their tools are just one of many. You are free to create your own tools if you really feel that unless your zealot views are fulfilled by someone giving out something worth a lot for free just "because" is a must thing and they won't abide. Lol. Sheesh. Jerk.

Brian Van Grunsven: Pretty Tux Pumpkin

nospam@example.com (Brian Van Grunsven) — Wed, 14 Nov 2007 16:40:47 +0000

I think that pic just made my YEAR! Nicely done Josh ... nicely done.

Josh Bressers: Pretty Tux Pumpkin

nospam@example.com (Josh Bressers) — Wed, 31 Oct 2007 11:52:16 +0000

I made my own stencil:
http://www.bress.net/mediawiki/index.php/Tux_Pumpkin_Stencil

Karsten Wade: Pretty Tux Pumpkin

nospam@example.com (Karsten Wade) — Wed, 31 Oct 2007 11:46:45 +0000

Where did you get the cool tux stencil? We were looking this morning and couldn't get google to cough one up.

Josh Bressers: Mr. Murphy, I hate you!

nospam@example.com (Josh Bressers) — Mon, 22 Oct 2007 09:47:37 +0000

Yes, I've done quite a bit of copper work. It's not hard to do honestly, but it can be a bit tricky. The most important thing to keep in mind is all the water has to be out of the pipes. Any water (which will become steam) in the pipe will divert the heat from your joint, preventing the solder from properly taking hold.

I never really understood the incredible amount of heat water can transfer until I started working with copper pipe.