Domain: eweek.com
Stories and comments across the archive that link to eweek.com.
Comments · 1,657
-
Thompson never got chipped
According to eweek: Thompson also suggested implanting military personnel with the chips to replace dog tags. Though he hasn't quite gotten around to being chipped himself.
-
Not News
Because that's what Sony does best, ehh??
But seriously though, I was just going to post an asinine comment about how the Sony Rootkit was outsourced to a 3rd party overseas, and how great their programming turned out to be.
But when googling for some 'sony outsourcing' links, it looks like this isn't news:
The Outsourcing Weblog: Sony Considers Outsourcing PSP Production
The Outsourcing Weblog: New Sony CEO Could Mean More Outsourcing
Sony Ericsson moving part of R&D program to India?
Sony outsources IT development to India
Sony Europe signs up with Indian outsourcer
Sony Will Outsource Some [Battery] Replacements
Sony to outsource notebooks to Taiwan
And that's literally just the first 3 pages.
-
So that's where clippy went!
The truth is out. Microsoft didn't kill clippy in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing questions.
This link allegedly tells you how to turn the questions off, but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
-
Re:Truth or Dare?
Actually, the argument from ignorance doesn't fit at all. You need some lessons on logic yourself. The post I originally replied to was argument from ignorance, ie: Vista doesn't have exploits because I haven't been given a link to any.
When I wrote that post, I did two quick searches. "Vista exploit" and "Vista patch" if I remember correctly. Then I posted links to a first page result from both searches. It's a slashdot post, not a thesis, not a research paper, not professional journalism.
http://www.toptechnews.com/story.xhtml?story_id=41034 This article (January 18, 2006) is titled "Microsoft Issues First Vista OS Patch" the article in my original post http://www.eweek.com/article2/0,1895,1911406,00.asp says "Microsoft Ships First Vista Security Patches" and says "A Microsoft spokesperson told eWEEK that the Vista patches address the same vulnerability that led to the WMF (Windows Metafile) malware attacks earlier this month." (emphasis mine)
Graham Cluley, senior technology consultant with Sophos, calls it a patch for Vista. The unnamed Microsoft spokesman calls it a patch for Vista. You think I'm misleading to call it a patch for Vista. Go figure. I think you need a reality check. If two (presumably) professional journalists can report it as a Vista patch and not be called to account, if the Microsoft spokesman called it a Vista patch and hasn't issued a retraction, then I can call it a Vista patch in a slashdot post without accepting your assertion that I was misleading.
Since Vista (then Longhorn) was supposed to be RTM in 2005 http://www.winsupersite.com/showcase/longhorn_preview_2003.asp then a December 2005 patch is relevant to the topic. It's a Vista patch.
-
Re:"Spencer or Cringely"??
I am betting he is talking about "Spencer F. Katt". Spencer is a pseudonym for a tech gossip / rumors column writer. He's been around for a long time.
http://www.eweek.com/category2/0,1874,1642,00.asp
-
Re:Bragging?
The problem is that oftentimes there is no real way to quantify whether someone is bragging or simply stating what they believe to be facts without any attempt to glorify themselves.
The problem with that approach is that all braggarts believe what they say on some level, otherwise they wouldn't say these things or defend the lies so staunchly. The only way to know is to objectively examine their claims. So let's do that, shall we?
From TFA:
When somebody comes to us [after discovering a vulnerability] we've got [a fix] before there is any exploit. So it's totally according to plan, and that's why we have the whole Windows Update thing. We made it way harder for guys to do exploits. The number [of violations] will be way less because we've done some dramatic things [to improve security] in the code base. Apple hasn't done any of those things.
So according to him there have been no zero day exploits for Vista (http://www.eweek.com/article2/0,1895,2073611,00.asp), Apple has no equivalent to Windows Update (it's been called "Software Update" since OS 8.5, see, not equivalent at all), and Apple have done nothing to improve the security of a platform that has no exploits in the first place...well that last one is true, I suppose, but that's like saying a housebrick is better than a car because it won't roll down hill if you leave the brake off.
I could go through the entire article and pick apart everything he says, but I'm tired so do it yourself; you seem to need the practice. And remember, this isn't an interview with a 14 year old fanboy, this is the head of the company who has been in the software business for over thirty years. He isn't a complete idiot with no historical or technical knowledge, he knows exactly what he's saying.
For instance, if I say that I won three gold medals in the last Olympics, I could be bragging or I could just be stating facts.
Whether it's a fact depends on whether it's actually true or not. Since it certainly isn't true, I'd have no problem entitling an article "udderly brags about fabricated athletic successes". Come and sue me if you want a judge to explain the concept of "absolute truth" to you. Whether you believe it to be true is utterly irrelevant if you can't verify your claims with hard evidence.
What would be your opinion if Fox News ran a value-judgment headline in reference to President Clinton that referred to him as "the Playboy President?"
You do realise there is a difference between calling someone a name and describing what they're saying, don't you? The headline here isn't "Bragging Billy Gates Boosts Vista", it is "Bill Gates Brags About Vista"; it is not saying he brags all the time, it says in this particular article he is bragging. And I agree.
Slashdot *does* claim to be a news source and being an editor has a higher responsibility than some anonymous individual posting on a thread
Yes, the editors of a publication have a responsibility to treat facts as facts, and point out when someone is either lying or mistaken (for whatever reason). The reason politicians and business can get away with so much is because they've convinced people like yourself that all of reality is variable according to perspective. It isn't: the only thing that changes with perspective is opinion, the facts remain the same. That's what "fact" means.
-
Re:"Spencer or Cringely"??
I'm guessing Spencer F. Katt, who manned PC Week's industry gossip page back then and apparently still writes for eWeek.
~Philly
-
FSF got their antennas crossed.
The FSF is starting to lose focus of the real issue. Companies are creating and buying patents as a strategy against their competitors. It's not only Microsoft. IBM does it. HP does it. Novell does it. Whether you like it or not, they are all competitors of free software. They may publicly promote free and open source software, but that is really only one of their business strategies. They have one goal: make money. Whether SUSE (notice I did not say "Novell"), Red Hat, Mandriva, etc enter into non-aggression agreements is really irrelevant. The Linux distributors, the so-called "defenders of free software" also have a common goal: make money. They are a little different though. The distributors are the ones making concessions that balance the business aspects of software versus the ethics of software to achieve their primary goal: make money. So, when the FSF and the community bitch and moan about these agreements, they tend to jump on some sort of bandwagon that distracts them from their goals. FSF: fight the real issue. Fight all of the obvious patents. Fight the copyrighting / patenting of public API's. Keep fighting real, tangible, and provable violations of the GPL.
If the businesses that are promoting free and open source software are entering into non-aggression agreements, so what? Nothing is preventing the FSF from entering agreements of their own. For example, maybe they can enter into agreements with distributors to help the FSF with lobbying funds to address the patent issue. I do not see many news stories on that, do I FSF? Look at your campaigns page. Nothing about patents there, either. Even the high priority projects show nothing about this issue. This old eWeek article, Lawyers Weigh In on Linux Patent Threat, shows that the FSF has at least acknowledged the issue:
[regarding the use of patent litigation insurance] Bradley M. Kuhn, executive director of the Free Software Foundation (FSF) added that the news "isn't a surprise."
"The U.S. Patent Office has been granting patents at an alarming rate. In fact, it's likely difficult today to write any software program--be it free software or proprietary--from scratch that does not exercise the teachings of some existing software patent in the U.S.A."
Moreover, the "FSF has long warned that software patents were very dangerous not only to free software, but to the software industry as a whole. We firmly believe that the world would be a much better place without software patents," Kuhn said.
If that is the case, then why isn't actually fighting patents the top priority of the FSF? It is the biggest threat to use of free software, don't you think?
-
Re:Truth or Dare?
I am aware of the first one there, and the second only works in beta so we have one.
I thought this quote: "The Microsoft confirmation comes hard on the heels of a claim by anti-virus vendor Trend Micro that underground hackers are selling zero-day exploits for Windows Vista at $50,000 a pop." would have been enough to make it clear. If you'd followed the link in the story, you would have found this: "The Windows Vista exploit--which has not been independently verified--was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor." Well, they haven't been independently verified, but you wouldn't expect that with illegal code being sold for tens of thousands of dollars. One of many.
(I'm not denying nor would I ever deny that no exploits for Vista exist - only that past exploits for an OS that is 12 years old cannot sensibly be included against Vista - that is ridiculous).
I repeat: "As for why to mention old windows exploits, it seemed to be the point was to show how ludicrous Bill's challenge was. Try to get one a month? 140,000 in the last 12 years averages over 10,000 a month. Are we to believe that Vista is so much better that this number will drop to less than 1/month? This does not seem likely to me at all."
It's not saying that the 140,000 exploits will work on Vista. It's saying "You've averaged about 10,000 a month for the last 12 years, it's a joke that you think you can get that to less than one a month with this release." Bill's challenge is marketing speak, nothing more. Nobody is claiming that there are 140,000 exploits current for Vista right now.
-
You are confused
Again I agree Microsoft might not be the best company on the block but I think we need to move beyond "Microsoft is evil" emotion.
Yes, yes, indeed!
If people push Novell too hard I predict Novell will move to FreeBSD and that would be a shame...
No, that would, actually, be a great thing — they should've started with a better OS to begin with (ha-ha). But it would not help the problem, which is largely with applications — Evolution, Samba, et al. are licensed the same way, independently of the underlying OS' license.
-
Re:Truth or Dare?
Vista Exploit Surfaces on Russian Hacker Site: The Microsoft confirmation comes hard on the heels of a claim by anti-virus vendor Trend Micro that underground hackers are selling zero-day exploits for Windows Vista at $50,000 a pop.
Microsoft Ships First Vista Security Patches: A Microsoft spokesperson told eWEEK that the Vista patches address the same vulnerability that led to the WMF (Windows Metafile) malware attacks earlier this month.
There you go, Vista exploits, even acknowledged (and patched) by MS. I have no idea if there are actually more than on BeOS.
As for why to mention old windows exploits, it seemed to be the point was to show how ludicrous Bill's challenge was. Try to get one a month? 140,000 in the last 12 years averages over 10,000 a month. Are we to believe that Vista is so much better that this number will drop to less than 1/month? This does not seem likely to me at all.
-
Article is FUD.
An eweek article clarifies the situation. Eben Moglen was quoted out of context; he was talking about writing GPLv3.
"According to a recent Reuters report, the FSF's (Free Software Foundation) board was going to be looking into Novell Inc.'s rights to continue selling its version of the Linux operating system. That's not actually what will be happening.
Eben Moglen, the Software Freedom Law Center executive director and FSF board member, explained: "This is a story being hyped by the Reuters guy who wrote it."
The Reuters quote was: "The community of people wants to do anything they can to interfere with this deal and all deals like it. They have every reason to be deeply concerned that this is the beginning of a significant patent aggression by Microsoft."
"What he actually asked me," said Moglen in an e-mail interview, "was 'Is it true that some members of the community want GPLv3 to keep Novell from distributing future versions of GPL'd software?' I said, 'Yes, the Free Software Foundation is opposed to the deal, and is thinking about what to do; there will be a new draft soon [of the GPLv3 (Gnu General Public License Version 3).]"
See Special Report: Novell's Linux Facelift
Therefore, "The actual quote he prints is entirely accurate, but his lede destroys the context and is making unnecessary waves."
The FSF, which governs the GPL (GNU General Public License), has long been concerned about Novell's recent patent deal with Microsoft Corp. The Samba Group has stated that it wants Novell to abandon the deal. Open-source figure Bruce Perens started a petition that accused Novell of betraying the free software community. And, one group of free software supporters launched a Web site with a self-explanatory name, Boycott Novell."
-
Re:Truth or Dare?
Hell, Vista has an installed base smaller than BeOS right now and it has more exploits already.
Care to cite some examples?
Well, I guess we're going to be hearing about 'em Real Soon Now:
http://www.eweek.com/article2/0,1895,2073611,00.asp
Certainly it is unfair to laden Vista with all the bugs/exploits associated with previous versions of Windows. However, it does speak to track record - I don't think making the change to Predominately Good Code from Holy Shit Handles! code is like hitting an On/Off switch.
Some folks might argue that that's why it took Vista so long to complete (and yes, I know that it really isn't complete, they just scaled back the feature set); being careful and considered takes time.
You might also argue that Vista, as a bottom-up re-write, is divorced from what we've seen previously, and that it shouldn't be painted with the 85/98/2k/xp bug brush. But this argument cuts both ways - as a new codebase, we may be starting from the ground with a whole new bug/exploit set. But I don't have any visibility into the extent to which the 'brand new codebase' schtick is true, anyway.
At the end of the day, I'll believe that Vista is a different experience from a bug/exploit perspective when I see it - Bill's word just isn't worth shit on this topic.
-
Exploits on Vista?
I dare anybody to do that once a month on the Windows machine.'
also here.
-
Goddamn straight
This Federal ID idea is definitely ridiculous. I'm glad someone is actively opposing it. I suppose it is good they are trying to push states to actually have good ID cards. Some of them (West Virginia, New Jersey until recently) are ridiculously easy to fake. Not that I, ahem, would know anything about that.
But let's not give them too much credit. This is obviously another step toward removing already eroding privacy rights in this country. And of course the convenient excuse "war on terror" will be stamped all over this.
Let's get a run-down of what this will actually mean to the average consumer.
~ By "common machine readable technology", I'm assuming they mean RFID, which we all know has its drawbacks.
~ I doubt this will end up being a substitute for a Driver's License. What if you lose driving privileges and have to turn in your ID? Do you have to get a new "non-driver" card just to go to the bank? Bull shit. Inevitably, this will have to be carried around in addition to a driver's license. Great, another unnecessary card to carry in my wallet. Why don't they just make us all wear collars around our necks. Not like nobody's ever thought of that before.
~ It will obviously be scanned at every point of use. I foresee an amendment in the near future extending this to train/bus travel as well.
~ Inevitably, this will be part of a big government database. We all know those are generally bad ideas. I wouldn't be surprised if they link this up to your EZ-Pass so they can see where your car is going too. Remember (FTA) this is an $83 billion project. It is going to be BIG.
~ What if you lose this thing? It's bad enough getting the state to replace an ID... who do I complain to now? The FBI? Dept of Homeland Security?
I don't even want to think about this anymore. Go Maine.
-
Watch 'em "improve" the situation!
Google. What a mystique! They can 'innovate' new forms of -
Cross-site scripting exploits:
http://blog.outer-court.com/archive/2007-01-01-n12.html
http://blogs.zdnet.com/Google/?p=338
Exposure of personal and sensitive data:
http://www.finjan.com/Pressrelease.aspx?id=1261&PressLan=1230&lan=3
Data loss:
http://dream.sims.berkeley.edu/MT/vanhouse/archives/000663.html
http://googlewatch.eweek.com/content/google_features/google_email_troubles_continue.html
Site failure:
http://status.blogger.com/
Privacy violation:
http://www.google-watch.org/bigbro.html
http://www.google-watch.org/krane.html
-
Re:Anti-DRM Advocates are Missing the Point Here
If Microsoft doesn't write its own DRM software for Windows, the media companies will do it themselves or hire a third party to. We've seen what great things have come out of that arrangement in the past.
-
You could have FTTP
But the National Conference of State Legislatures is against federal standards on the issue.
And Municipal Broadband seems unpopular with states.
There is faint hope for an opportunity in the Senate Communications Act of 2006 on page 184 of which I find:
''(c) LOCAL GOVERNMENT PROVISION OF ADVANCED COMMUNICATIONS CAPABILITY AND SERVICES.--No State statute, regulation, or other State legal requirement may prohibit or have the effect of prohibiting any public provider from providing, to any person or any public or private entity, advanced telecommunications capability or any service that utilizes the advanced telecommunications capability provided by such public provider.
There is no way the communications giants would let that pass.
-
Recent case of BSD code in Microsoft (MPI)
A real case of Microsoft using BSD-licensed code. The code in question is the Message Passing Interface "a library specification for message passing proposed as a standard by a broad-based committee of vendors, implementers and users."
Asked by eWEEK what Microsoft will give back to the open-source community for the MPI component, which is licensed under the BSD and not the GNU General Public License (GPL), Faenov said all fixes will be given back, while "we'll probably give the changes back as well."
Microsoft has also learned a lot about what is required for a software company to include an open-source technology component in its product, from ascertaining who has contributed that code to being able to make sure that all the licenses and permissions are in place, he said.
My money is on the Microsoft lawyers, instead of Groklaw's Mr. Dickhead, THE LAWYER.
http://www.eweek.com/article2/0,1895,1859439,00.asp
-
Look who will argue, write and advocate the law.
This is an issue that simply must not be decided by the people whom it has been entrusted to. In this case, the vested interests that will lobby congress, pay for legal teams, and write friend of the court briefs are not the whistleblowers and the security researchers. There are HUGE industries where the economic incentive is to ignore problems, rely on obscurity for security, and prosecute those who would expose vulnerabilities.
Each time an exploit comes out, the pattern is the same. The company doesn't announce it, anti-virus makers are either paid off (as in 'approved' spyware and/or rootkits) or not kept informed, and once the story breaks, the public relations machine starts. The researcher is vilified as a hacker, the problem is denied or minimized, and the prospect of a patch is left moot because this would require accepting that a huge problem exists. Most of us scream that this is ridiculous, companies should tell everyone when an exploit shows up, and patch it as soon as possible. More to the point, they should expose their source code to scrutiny in order to better provide services to their customers.
Are you sitting down? Good. They won't and they don't care. The first rule in the PR handbook is to deny and put off realization. If the big front is that there isn't a problem, or that a crack of a voting machine can only be done in a lab, and months down the road, the company quietly sues the researcher or releases a patch, they win. People have a limited attention span and fatigue quickly in the face of fear and hysteria. As long as your company's admission of guilt comes well after the original problem, or not at all, people are happy.
With this in mind, let's look at the law. Thankfully, whistleblowers have some protection, and some internal voices about code might not be silenced, especially if the review takes place within the judicial system, and not through a new law. Of course, corporate secrecy, as in the case of Apple and HP, is pretty extreme, and most employees wouldn't risk the civil consequences of voicing a problem that doesn't rise to the level of a public safety hazard.
Outside researchers are in more and more trouble, and this really only leads to problems for the customer base as a whole. We rely on sites like MOAB to shame companies into action. We also rely on OSS competition in order to make products like IE better--Firefox gives an economic incentive to Microsoft to improve their product, otherwise, security development would have languished.
Very few analogues exist in the places where this is critically important: commercial and banking software. CITIbank suffers a classbreak and doesn't bother informing their customers. Security conscious customers can voice their discontent and move to another bank, but we have to trust that the new bank is as averse to security breaches as we are. For the rest of the millions of customers, security will not improve. Since identity theft costs are largely borne by the customers, the banks don't care. Because the banks don't care, it is much easier, and better in their eyes, to make publishing vulnerabilities like this one illegal and trust that their customers will never be the wiser.
Check out this article:
[PDF] Why information security is hard
-
Re:Linus and GPL
Linus has said before that he'd probably choose a different license if he was to choose one today.
Would you mind backing that up with a reference? I've seen him comment on the GPL several times in interviews, and all of those comments have been fairly positive.
http://www.eweek.com/article2/0,1759,1731874,00.asp: "I don't think the GPL is perfect, and one of my issues has been how verbose it is. Another is just the politics involved, which I haven't always enjoyed." ... "But, hey, nothing is ever perfect. So while I may have some niggling concerns with the GPL, they are in the details, and in the end, I actually think that the GPL simply is the best license for the kernel."
http://www.tlug.jp/docs/linus.html: "Making Linux GPL'd was definitely the best thing I ever did."
-
Re:Fruit Issues
x64/x86 DVD ---- non sun hardware install set
Actually, Sun has long since stopped being a SPARC-only company. They officially admitted the stupidity of ignoring the x86/x64 marketplace a couple years ago, and brought back Andrew Bechtolsheim to design a line of x64 servers.
-
Re:Why Linux will never be a major desktop OS
However, a lot of people don't have family or friends who are familiar or comfortable enough with Linux to be able to solve these problems
They do if they are changing to Linux. If they are "ordinary users" they'll use what they can get support for from their friends. It's not like Windows can be operated without regular maintenance by a fairly technical admin. And one reasonably savvy Linux user can support a lot of Linux users. As I said, I have a lot more time to visit when I head over to my parents house now.
But how about "niche" apps such as Photoshop
Um, Adobe specifically made sure Photoshop would run well under WINE. I'll grant Flash authoring, but most people don't need to write it (especially not the parents of most Slashdot readers), just run it, and there are current workarounds and good future prospects for that.
In short, Linux just isn't ready to seriously compete with Windows and OS-X for the common user, mostly because of lack of application support...
Well, you start out talking about greeting card programs and wrap up with Photoshop and Flash editing. I think your definition of the "common user" is a bit... odd.
-
Details
I've got into the habit of saving Microsoft's advance notifications using the wonderful Scrapbook extension.
Here's the original:
- Three Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
- One Microsoft Security Bulletins affecting Microsoft Windows and Microsoft Visual Studio. The highest Maximum Severity rating for this is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates will require a restart.
- One Microsoft Security Bulletins affecting Microsoft Windows and Microsoft Office. The highest Maximum Severity rating for this is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
- Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
I was surprised to find, following the TFA, that eWeek got hold of this last Friday.
-
Short of screenshots
TFA is quite short on screenshots (and the video is essentially just talking head), but you can find quite good ones here and here (the latter is a slideshow). (Note: I haven't read those articles, just went looking for pretty pictures of O2007.) Looks good, be interesting to see how it works for us keyboard-intensive people (although I, for one, will be really glad to stop typing "Alt+O / p / Alt+P / Alt+X / Enter" to make a paragraph keep with next. (Years ago I gave that its own toolbar button, but I use other people's machines too often...)
-
I'm no historian...
-
Re:Similar to a OTP
Yup, at least that's what MBNA (now BankAmerica) has had for a long time. You can lock in the amount and when the card number expires (minimum is 2 months). I love it, and don't worry about shopping online or even via the phone (since I only have a cell phone), since the number is basically useless since I set the limit to the rounded up dollar amount of my purchase.
I also found it useful for sites that wouldn't tell me the tax and shipping costs until AFTER I entered in my creditcard. I'd limit it to the purchase plus what I thought the tax and max shipping cost would be, and this kept the website from charging some stupid extra fees. With MBNA/BofA you can also increase the amount. I don't recall if you can change/extend the expiration date.
I've used the Citibank feature once as well, but that was only because MBNA was merging into BofA and they had the account access down and/or their "ShopSafe" feature wasn't online yet. I don't recall much about the CitiBank one, but I believe there were a few features lacking.
One thing I also like with the MBNA one is you can see the minute a hold (or whatever it is called) is put on funds, as the available amount of money left on the card number goes down, so you know once they've run the transactions.
I just wish there was a way to do this in person, so there wouldn't be fears of the Dollar Store employees ripping you off. Somehow I think stores would freak if you told them, "Hold on while I generate a temporary virtual credit card number for you."
-
Re:The real problem with cell phones...
*COUGH* VERIZON *COUGH*
-
Re:Why feel the need to hate Microsoft so much?
Look at pen computing: since the late 80's many companies (other than Microsoft) tried to push for pen computing and failed utterly, whereas Microsoft decided to take a crack at it and was very successful with the Tablet PC.
Drinking too much of that there Koolaid seems to have rotted your brain enough to miss the rather obvious trend in tablet PCs, a market that just lies there perfecting its pining parrot imitation.
-
Re:Decide for Themselves
Really, this appears to be policy regarding Rob Enderle.
Ask anyone who's followed the SCO lawsuit saga and they'll tell you about the major Microsoft shills. Enderle (his own "group", just him really), Didio (garner), Daniel Lyons (forbes), and Maurice (sorry, didn't follow that part so well).
These folks know how to work the media. They appear quoted over and over again. They have massive bias. Enderle is by far the WORST.
Of the many Enderle stories, he gave a keynote speech at some SCO developer conference... after things had gone pretty far south for SCO and they were well on their way to being the laughing stock they are now. Enderle reportedly was cussing and swearing about the open source world, practically paranoid that someone in the audience was an open source spy or some-such.
Sure, the register likes to bash other more, er, established publications at any chance. And yes, the "policy" doesn't seem to make sense. But if you read the register article (yeah, I know, this is slashdot, but still)... it doesn't take a lot of reading between the lines to see this is probably the NYT finally getting fed up with Rob Enderle.
1: Here's how wrong Rob Enderle has been about Apple
3: Enderle's take on SCO's lawsuit with IBM - yeah, right
4: Even Wikipedia has an Enderle entry, listing his poor prediction history, if only briefly
Rob Enderle is quoted VERY FREQUENTLY. If you read this little comment (likely to remain only +2 cause it's not posted in the first several minutes), please remember just one thing:
Whenever you see Rob Enderle quoted, read with skepticism.
Sadly, he's very good at getting quoted all over the place. Hopefully the NYT will no longer be among the rags that takes the easy way out and prints whatever convenient sound bite he's serving up that day.
-
Re:64 bit processors
Apologies, the security expert's name is Joanna Rutkowska. Her article describing the "blue pill" is here:
http://www.eweek.com/article2/0,1895,1983037,00.asp -
Re:Quarantine
I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?
Well, the latest vulnerability allows a malicious Word doc to run code on the user's machine. Assuming I wrote a userspace piece of malware, I could easily start sending stuff (anything the user has access to, theoretically) out port 80 to a collection point. Since Windows will open documents with unknown extension but proper Word headers in Word, filtering at the email level doesn't really cut it.
Now imagine that my malware starts appending the exploit to random internal Word documents that the user has access to (and that other, more privileged users will open) and you've got a pretty serious infection on your hands.
Oh, and the details of the exploit? So amazingly stupid you'll want to line up the design team responsible and take one long running smack, three stooges style.
"Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"
source -
Re:At least for now we filter...
As I've noted elsewhere, if you think your filter is protecting you, you are wrong:
"Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."
source -
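The point of the advisory text quoted above, that a renamed file such as document.qwer passes an extension filter but still carries a Word header, shown as an added example that is not part of the original comment or of Microsoft's advisory. It compares an extension filter with a leading-bytes check at a mail gateway; the function names, the sample attachments and the RTF check are assumptions added for illustration.

```python
from pathlib import PurePosixPath

# Header of the OLE2 compound file container used by legacy Word (.doc/.dot).
# Legacy Excel and PowerPoint files share it, so this check errs toward
# holding every legacy Office document, not only Word ones.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"  # RTF files are also opened by Word (added assumption)
BLOCKED_EXTENSIONS = {".doc", ".dot"}


def flagged_by_extension(filename: str) -> bool:
    """The filter the advisory warns against relying on."""
    return PurePosixPath(filename).suffix.lower() in BLOCKED_EXTENSIONS


def sniff_content(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def triage(attachments):
    """Return (name, extension_hit, content_type, verdict) per attachment."""
    results = []
    for name, data in attachments:
        ext_hit = flagged_by_extension(name)
        kind = sniff_content(data)
        verdict = "quarantine" if ext_hit or kind != "other" else "deliver"
        results.append((name, ext_hit, kind, verdict))
    return results


# Constructed sample attachments (header bytes plus padding, not real documents).
SAMPLES = [
    ("report.doc", OLE2_MAGIC + b"\x00" * 504),
    ("document.qwer", OLE2_MAGIC + b"\x00" * 504),
    ("memo.dat", b"{\\rtf1\\ansi constructed sample}"),
    ("notes.txt", b"plain text, constructed sample"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```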
Re:Simple:
Reasonable or not, Microsoft's suggestion regarding the vulnerability is to "not open or save Word document files"
-
Re:I've got something to say!
I am not a Linux user, but I am a software developer, and it seems to me, that ALL the distros could benefit from a universal package manager, that was compatible with all the major package types?
This actually already exists and works quite well I might add:
http://labix.org/smart
http://www.eweek.com/article2/0,1895,1776186,00.asp -
A swift kick in the pants
History has shown that the way to get a patch out of Microsoft is to have some third party come out with a patch. Even though it works they will say that the patch is risky (FUD) and the official patch will appear in a few days.
-
botnets
I run a small mail server for friends and family and have been trying to tackle the recent rise in spam. Here is an article detailing some of the causes.
http://www.eweek.com/article2/0,1895,2060235,00.asp
I believe it was also listed as a slashdot story.
I was trying to think of solutions concerning this particular problem. (spammers utilizing ip addresses from virtually anywhere in the world where there are virus infected machines)
One partial solution that AOL, Microsoft have been putting forth is
http://www.openspf.org/dns.html
but this is mainly for dealing with spoofing the mail from of the email. The other problem is it works best if everyone buys into the system.
I had an idea for a similar tactic that would apply to eliminating spybot emailing nets.
What if, when you registered a domain, you had to also put in a record that identified your mail servers. It would be very similar to how you put in DNS servers that handle a domain.
Then it would be trivial to have receiving mail servers do a DNS check to see if the ip address of the mail they just received was in the DNS records.
Now, granted, this would not prevent a spammer from buying a domain and setting up their own servers. Or from hijacking someone else's servers. But it would go far toward eliminating people that have had their computers infected with a virus and are unknowingly sending out spam.
The problem I see with this solution is it would be additional work for the registrars and there is little monetary incentive for them to set it up. And all the design implementations that would have to be worked out. -
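The receiving-side check described in the comment above, as an added example that is not part of the original comment: a mail server looks up the record a sender domain has published and tests whether the connecting IP address is listed. The record format borrows SPF-style `ip4:`/`ip6:` terms and `all` qualifiers as an assumption; the domains, addresses and the in-memory table standing in for DNS lookups are constructed.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (documentation ranges).
PUBLISHED = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/48 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def parse_record(txt: str):
    """Return (authorized networks, result to use when no network matches)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF-style record")
    networks, default = [], "neutral"
    for term in terms[1:]:
        lower = term.lower()
        if lower.startswith(("ip4:", "ip6:")):
            # A bare address becomes a /32 or /128 network.
            networks.append(ipaddress.ip_network(term[4:], strict=False))
        elif lower in ("-all", "~all", "?all", "+all"):
            default = QUALIFIERS[lower[0]]
    return networks, default


def check_sender(domain: str, client_ip: str) -> str:
    """Evaluate the connecting IP against the domain's published servers."""
    txt = PUBLISHED.get(domain.lower())
    if txt is None:
        return "none"  # domain publishes nothing, so nothing can be concluded
    networks, default = parse_record(txt)
    addr = ipaddress.ip_address(client_ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return "pass"
    return default


if __name__ == "__main__":
    # An infected home machine sending as example.org from an unlisted address.
    print(check_sender("example.org", "203.0.113.77"))
    print(check_sender("example.org", "192.0.2.10"))
```

The `none` result is where the comment's adoption concern shows up: a receiver can only act on domains that publish a record.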
Message to customers:
Here is a message we sent to customers. Links were added for posting on Slashdot:
Everyone,
Don't use Microsoft Word. Use Open Office instead. This advice remains effective until Microsoft releases a patch, and it is installed.
Microsoft just issued a security advisory warning people not to open Microsoft Word documents unless they have the latest version of Microsoft Word, which was just released, and costs $329 for the upgrade, or $679 for the most powerful full version.
On the security advisory web page the relevant parts are buried in sections that aren't visible unless you click on them:
"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."
"We recommend that customers exercise extreme caution when they accept file transfers [files] from both known and unknown sources."
The vulnerability is being actively used to infect users' computers. That's the meaning of the phrase "zero-day" attack in the first sentence of the advisory. None of the anti-virus software vendors have made signatures for this attack yet, which means that anti-virus software CANNOT protect against an attack.
The reason Microsoft says to "exercise extreme caution" with files received "from both known and unknown sources", is that no one, not even computer consultants, can know whether a source can be trusted, since the anti-virus vendors have not yet made a method of detection for this vulnerability.
Michael -
Re:WTF: Novell moves to waive SCO's case?
Better explanation here: http://www.eweek.com/article2/0,1895,2068769,00.asp
Novell also retained the unusual right to require SCO to follow its directions to amend, supplement, modify or waive these licenses and, if SCO does not comply, Novell can do so on SCO's behalf. -
Re:by that token
You mean, this?
-
Re:Very Easy...
You might consider E*trade. Here are two links to eweek articles with more information:
Etrade Goes into the Great Wide Open
Etrade VP talks open source -
Re:Scam. It's a scam.
(IMHO) From what I've seen, it looks like Novell got sucked into this Microsoft deal without knowing the real purpose of this deal: to discredit Linux.
* Novell is saying 'WTF? Where did this come from? You scammed us!!1!!'
You may well be right, but, erm, isn't it Novell management's job to have worked out all the angles on this? It's not like this is some newbie company that knows nothing about Microsoft. Novell have tangled directly with Microsoft and indirectly with their proxies before on many many occasions. They are veterans of the server computing industry. If they had no idea that Microsoft would scam them, it shows an extraordinary corporate structure in disarray.
Rich.
-
Re:Risks?
My initial reaction is that it's somehow related to Blue Pill. See http://www.eweek.com/article2/0,1895,1983037,00.asp for a brief discussion of Blue Pill. See http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html for the original publication.
Still, I doubt that security is the only reason for this. I mean, why the licensing restriction then? Wouldn't a configuration UI suffice? Also, from what I remember, Blue Pill is mostly about fooling the primary OS instance (the "host" instance), not about the "guest" instance. Why restrict the "guest" instance at all?
-
What about Fortress?
Fortress, the language being developed by a bunch of people led by Guy Steele, was funded as part of the HPCS effort. This means that DARPA is going with IBM or Cray's language (X10 for IBM, Chapel from Cray). According to a press release quoted at http://www.eweek.com/article2/0,1895,2063043,00.asp (but not available at http://www.sun.com/smi/Press/sunflash/index.xml) the work will continue, but how likely is it to succeed?
Guy Steele gave an excellent talk at OOPSLA on Fortress - the slides are at http://research.sun.com/projects/plrg/PLDITutorialSlides9Jun2006.pdf - I thought it was pretty impressive.
The group's site is at http://research.sun.com/projects/plrg/ -
Ransom Love badmouthed the GPL?
The closest thing I can find to Ransom Love badmouthing the GPL is this: Fundamentally, the only business model that works with GPL is a subscription service, one like Caldera had and where Red Hat has with its enterprise Linux distributions. The GPL might be questionable in court, but for what Richard Stallman intended, it's not flawed at all. From here.
Saying that it works as intended is hardly badmouthing.
-
More articles
Some more articles I have found, with some substance to them:
InfoQ, also mentions Glassfish.
eWeek.
There is also going to be an official webcast about this by Jonathan Schwartz and Rich Green 9.30 a.m. PT.
In related news, apparently Project Looking Glass, the 3d desktop, is likely to be included in the Ubuntu Feisty release. -
Re:And XP has no buffer overflows...
To be fair, he never claimed they removed *all* buffers which could overflow, only the ones they _found_ "in an automated way".
That said, since he's "outgoing" and with a comfortable financial situation, I doubt he much cares. Perhaps in his spare time he can lounge by the pool and read something enlightening. -
Re:The writing is on the wall!
In general, if I am using a Linux product I use it at least partially because of its rather clean non-encumbered IP position. The hope is that the GPL assists in that protection as well.
While it would be nice to be able to say "Well, if Novell (or whoever) is willingly putting IP encumbered stuff into their Linux then I don't want to use them", the reality is you can't really make that statement: the IP systems currently in play make disclosing the problematic elements a major no-no.
There has been basically one study (from 2004--New York based Open Source Risk Management will announce it has studied the Linux kernel and discovered it infringes on about 283 issued patents. Twenty-seven of those patents are owned by Microsoft.") so far that has addressed this IP problem in the kernel--the kernel, not the applications that run in that infrastructure.
Yes, we know a few of the items of interest, but 283 of 'em? And you can't exactly find the list because of the little perverse "if you knew then you willfully violated IP..." issue in patent law.
We (the Linux community in general) need to spend a little time making sure our IP is spotless against such (hopefully) groundless diatribes from the likes of Microsoft (and SCO, etc...).
Ultimately tho, companies with big pockets will always be able to sue (with cause or with malice) smaller entities and make them go away.
A few nice links:
Willfulness issue (just an abstract):
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=472901
The OSRM position paper on IP issues in Linux (minus the specifics of course... )
http://www.osriskmanagement.com/pdf_articles/linuxpatentpaper.pdf
Another piece from D. Ravicher (of OSRM/PubPat fame) re: Ballmer's comments:
http://www.eweek.com/article2/0,1759,1729908,00.asp