Posts by Testy McTester

Virtual organisation

"The lab [...] is a virtual organisation involving several universities."

So not really organised then.

HTTPS does not prevent tracking.

"The move also quietly undermines Mozilla’s crusade in the past years on maintaining the privacy of netizens by using Do-Not-Track to anonymise users' searches."

"Do not track" does absolutely nothing to anonymise users' searches. All it does is add an extra HTTP header, "DNT: 1", indicating to the server that the user does not want to be tracked. This is a political, not a technical, approach, and I worry that users will think it actually gives them some sort of real protection. In fact I think it's rather amusing how a web browser can basically say, "please do not track me! Thanks. And by the way, the unique identifier you gave me last time is ac2983b6."

Using HTTPS by default is a good thing, even if it is only for Google searches. HTTPS authenticates the server and provides confidentiality from anyone intercepting or tampering with the connection between your browser and the web server, so your ISP, or the shady laptop user in the corner of the café, cannot see what you're searching for. It has nothing to do with whether the web server can track you or not.

"Additionally, using HTTPS helps providers like Google remove information from the referrer string."

If Google suppresses tracking when you use HTTPS (which I doubt), it's because Google decided to do that. Using HTTPS neither helps nor hinders.

"If you happen to click on an ad on a page you hit then the encryption is removed and advertisers can see who you are and where you’ve been."

Advertisers probably see that information without your clicking on it. HTTPS is to stop people intercepting your connection, it does nothing to control what the remote server does with the information you send it. (Note that advertisers don't intercept TCP connections to gather data, Google gives the data to them.)

The C library was not at fault.

This is an integer overflow vulnerability resulting from the mistreatment of the return value of memcmp.

The memcmp function can return any integer, but MySQL converted its return value to my_bool (a typedef of char), causing an integer overflow if memcmp returned a value outside the range of a char (typically -128..127). An implementation of memcmp that returned values in -128..127 would hide this vulnerability, but another, equally valid implementation of memcmp returned values outside that range.

What is most shocking is how few programming languages (even "modern" languages like Java, Caml, ...) actually bother to handle integer overflows properly.

No competition.

The article starts with:

"The Raspberry Pi – if you can get your hands on one – isn't the only small, inexpensive ARM computer around these days."

Pity the article didn't mention any ARM computers remotely as cheap as the raspberry pi.

Obvious?

I'd have thought that would've been obvious. Perhaps if you think of the question slightly differently: if you could afford a space flight, would you do it, or would you spend the money on something else? Considering what else you could do with the money, compared to how short a space flight would be, I'm not surprised.