Slashdot Mirror

Respect yourself, value your time, do not help others with computer problems. Do not feel obligated. You will not get play from girls this way. Charge per hour, say you're too busy, tell them to go to student services and wait in line. Hours will go down the toiliet installing some stupid windows driver for people who will look upon you as a servant after you "helped" them.

I agree with this.

Unfortunately the people doing the hiring will only look at your gpa, and will totally discount any IT skills gained outside of class in a college environment. Stop screwing around with linux and reading slashdot and do your scheme project and cpeg lab. If you were smart enough to pick up linux in high school you can catch up during the summers on changes during the school year.

As an employer I must vehemently disagree with this. I value distinguished open source contribs to real systems above GPAs. Only idiot managers judge by GPA alone, or even primarily.

Get to the gym get in shape, lay off the tripple big grille burgers in the student centers.

... but I do agree with this. I was a geek and hated gym class (regimented jock fascism) in high school, but learned to appreciate and benefit from individual physical activity in college. Go do something, your body and mind will both benefit.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

The flyer that 3 Unsafe Laws wants you to download and hand around is a .doc file :( While they're harping about ethics and artificial life forms, someoneone should explain viruses to these people :)

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

I sign all my email -- why don't you?

Good question. I ran an interesting experiment in this space. For about six months, I PGP-signed all my e-mail. No apparent change in how anyone interacts with me. Then I upgraded my mail client and did not upgrade the GPG module because I was too lazy, and started sending non-signed e-mail. I got zero complaints from people asking if this new, non-authenticated traffic was actually authentic.

Conclusion: PGP signing is completely ineffective, because even in extreme cases, users ignore the absence of signatures.

Furthermore, this is all irrelevant to the point of spam. Spam prevention requires authentication at a different level:

• PGP authenticates that this mail did in fact originate from the hands of Crispin Cowan
• SMTP-layer authentication would authenticate that the mail did in fact come from immunix.com (and not some trivially forged "From:" header) and if SMTP AUTH was a required part of the protocol, could authenticate that "crispin" was in fact authorized to send mail via immunix.com

The difference is that the former is presented to users, possibly with a "bad/no signature" flag on the e-mail if the authentication fails. The latter is just never delivered at all without authentication, because your server would not accept mail from immunix.com without a signature matching immunix.com, and the immunix.com MTA would not let me send any mail without a valid password (that last part is actually true thanks to SMTP AUTH).

Crispin ----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

The costs these fucktards incur upon everyone else leaves us with a wasteland. If it weren't for vigilant individuals spending their free time trying to fight the problem, the internet would probably die

And praise be to those vigilant individuals. However, it is not that the Internet would die; more like this crappy insecure non-authenticated protocol called SMTP would die. The only problem with just pre-emptorily killing it ourselves is that it would cost many $billions to replace it.

My favorite alternative to replacing SMTP is to adjust the penalty for activities like this guy S.Pammer to be "head mounted on a stick". There is lots of data that says that a majorit of all spam is sent by the top 200 spammers; kill them all in greusome ways, and they are unlikely to have followers :-)

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

C++ has the safety of C, and the performance of SmallTalk :(

There is no excuse for writing anything in C++ in this day and age:

• If you are writing a kernel or an embedded bit whacker or a real-time thing, use C. C++ is too slow.
• If you are writing an application, be it desktop, server, whatever, use Java or C#. C++ is far too unsafe.
• If you are writing a rapid prototype, use PERL, or Python, or Ruby.

My condolances to the KDE kommunity. It's a cool desktop & all (I'm typing on it) but bolting your whole framework on a C++ basis was a really unfortunate choice. It dooms KDE to long-term security vulnerabilities.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

And the GNU GPL forbids the addition of extra restrictions. ... Do you see the problem yet?

No, I don't. You could distribute the program strictly under the GPL, and not put in any such restriction. The fact that the EU passed laws making it illegal to modify the code to take out the currency blocker is not a restriction imposed by those distributing the code. I do not see how a GIMP developer, even in the EU, is in violation of the GPL by distributing a program that is further restricted by EU law.

Caveat: depending on how the EU law is written, such an EU GIMP developer may well be in violation of the EU law, e.g. if the law prohibits distributing enabling technology, the way the DMCA does in America for copy-prevention-breaking software. EUphies should check that before releasing GIMP or similar patches.

Caveat2: IANAL, nor am I EU, so do your own legal advising.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

No, that was OS/9, which was an alternate OS for the Radio Shack Color Computer II, a completely different product line than the TRS-80. The TRS-80 had:

• full keyboard
• came with a BW monitor
• used a Z80 CPU

while the Color Computer II had:

• chicklet keyboard
• a modulator to interface to a color TV
• used a 6809 CPU

To make it a really useful OS/9 machine, one would skip the color TV and the chicklet keyboard, and instead snarf an old serial terminal and plug it in the serial port in the back and log in.

The CoCo II was my (counts on fingers and toes) 4th computer. A shell prompt and multi-user OS in 64KB on an 8-bit CPU was damned impressive back in 1986.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

My credentials:

Canadian born and educated

moved to the US 10 years ago after finishing my PhD

worked in the US and Canada as a developer/intern, and in the US as a professor and executive

Bias: as a child, I was always an American-wanna-be My opinion: Canada and the US are very similar: It is wisely said that Canadians are polite, unarmed Americans, with health care. However, there are interesting differences:

• Canadians are more "conservative", in the small-c sense of danger-aversion. Canadians by and large will accept an average lower standard of living in exchange for a lower risk of catastrophe. This shows up in substantially lower wages for technical staff, but with a substantially higher standard of living for those supported by the social safety net.
• There is much less entreprenure-ship in Canada. Go to Canada if you like large companies, because there are a lot fewer start-ups.
• Republican bullshit not withstanding, the Canadian single-payer health care system works better than anything I have ever seen in the US.
• Canadians are generally more reasonable and less excitable than Americans. Conversely, Canadians are a lot less exciting than Americans. A Canadian radio station once ran a contest to pick a saying analogous to "As American as apple pie." The winner was "As Canadian as possible, under the circumstances."

A lot of Canadians have a very poor opinion of the quality of life in the US. I submit that this is because a substantial plurality of Canadians actually live in Southern Ontario, between Buffalo and Detroit. If all you ever heard of the US was that North Tonowanda was burning again, what would you think? :)

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

As an educator, I can assure you that there are both brilliant minds and slacker idiots among people of all races and places of origin."highschool and undergraduate in India" is no assurance of quality, any more than doing your education in California or Montana.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

You're half right. It is a programming language, but it is a domain-specific language (DSL). DSL's are not always Turing-equivalant (which is what it takes for a language to bootstrap itself). Configuration files are an example of a limited kind of non-Turing-complete DSL's. Also called "little languages" by Brian Kernighan.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

The article makes a compelling case that the surface area of the sensor inside the camera is a sound metric of quality: the bigger the sensor surface area, the better sensitivity you get, and thus the better signal:noise ratio, especially in low-light or high-speed situations.

I would be very happy if camera vendors and review sites started prominently listing sensor surface area as prominent figure of merit.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

This really isn't all that new. The U.S. Naval Postgraduate School has been
sending their Infosec students to play Capture the Flag at Defcon for the last couple years as well as
this year's Interz0ne conference. In
fact, there was only one team (Anomaly - and they won ironically) that didn't
have government personnel or contractors on their team.

Also, Immunix, a DARPA funded hardened Linux version has also
been put under fire during CTF for the last couple year. (Their team placed a
solid second both times).

The Feds have learned over the last couple years that they
are behind the ball in terms of normal unclassified security training for their
personnel. These conferences have been really good at given them some real
world training that they normally don't get.

It's nice to see my tax dollars being put to a good use for
a change. Plus it makes the "Spot
the Fed" game MUCH easier.

This really isn't all that new. The U.S. Naval Postgraduate School has been
sending their Infosec students to play Capture the Flag at Defcon for the last couple years as well as
this year's Interz0ne conference. In
fact, there was only one team (Anomaly - and they won ironically) that didn't
have government personnel or contractors on their team.

Also, Immunix, a DARPA funded hardened Linux version has also
been put under fire during CTF for the last couple year. (Their team placed a
solid second both times).

The Feds have learned over the last couple years that they
are behind the ball in terms of normal unclassified security training for their
personnel. These conferences have been really good at given them some real
world training that they normally don't get.

It's nice to see my tax dollars being put to a good use for
a change. Plus it makes the "Spot
the Fed" game MUCH easier.

You mean that a cheesy diploma from a paper-mill that reads the O'Reilly manuals to you for a semester or two and charges you tens of thousands of dollars is no substitute for a real degree or real experience? I'm shocked. Shocked I tell you!!

Well, no, I'm not really shocked :)

Disclaimer: several bachelor's and master's degrees work for me, as well as several no-degree people with strong skills, but as far as I know, no "certificates", which is the way I like it.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

I like it that Tivo can track my viewing habits. That way, when I don't watch yet another trite and lame episode of "Friends" and instead choose to watch something interesting, perhaps the morons in network programming will get a fucking clue.

Crispin, always wanted to be in the Neilson ratings
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

Think very seriously about why anyone would want to contribute at your site rather than somewhere else. I'm not a kernel coder of any sort ...

Sardonix is not about the kernel per se. It is mostly about auditing applications, which is where most of the security vulnerabilities are.

Now lets look at those points. What gives them any value?

Their intended value was a objective assessment of the person's ability to audit code. They are not "awarded" by an organization, they are objectively computed by performance: how may packages or lines of code did you audit? How many bugs were subsequently found in code you audited? These metrics give people a real assessment of how good you are at auditing code.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

The project is not dead. You can still go there and submit an audit. We have no intention of turning it off, and if people want to contribute, we welcome that.

All the conspiracy theory noise on this topic is just a load of crap. DARPA didn't cut us off for any spooky reason, the contract just ended on schedule. I did my best to market the project to suitable audiences, but it never caught on. I'm still all for making it work, but I no longer have Federal money to pay for it, so its now all-volunteer.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

"... get kicked off DARPA funding too?" Sardonix was not "kicked off DARPA funding." The contract spent its alloted budget and ended. IMHO, the most interesting result to come out of Sardonix, apart from there being more talk than action in security auditing :-/ was this paper:

"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA2002), Philadelphia, PA, December 2002. Postscript. or ugly PDF.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

The /. story says that Sardonix "aspired to replace the Linux security review process. This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

Since when is "push technology" a failure? After renaming it to "pop up ads", it has been a rousing success :-)

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

Technically Beagle 2 did make it first.

Well, technically Viking made first :-)

Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.

I went to IMDB to look up some Family Guy stuff, and tripped over this alleged Family Guy Movie. No other data tho.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.

I ran out of moderator points yesterday, so I just have to second this. Saltzer and Schroeder is the seminal paper on computer security. Every major idea in computer security is represented here, with the exception of public key cryptography which hadn't been invented yet, but even so they discuss some issues of how you might use PK.

The paper, having been written in the 1970s, is full of archaic references to irrelevant technologies, such a memory control registers and segmentation hardware that is no longer used. However, the concepts still apply: the authors are discussing models of controlled interaction among users. In the early 1970s, that was with shared memory. In the 1980s, it was time share file systems. In the 21st century, it is networks of interacting computers, but the concepts still apply.

I taught security for several years. Saltzer and Schroeder was always the first topic covered. 28 years later, it is still a seminal work.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.

Unfortunately, the answer today in America is a simple "yes". that is, unless you feel like researching and then hoarding your findings.

Except for one tiny little nuance that the Gamespy lawyers seem to have missed: Luigi lives in Milan, Italy and therefore is not subject to US law.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.

I think we should just say "beware" :-)

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.

How to patch intelligently was the subject of a research paper that we did, which is still applicable, and offers ways to make better decisions than "now" or "later:"

"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002. Postscript. or ugly PDF.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.

While many in the security community continue to berate Microsoft and demand they do better, I am not aware of a single person who would claim Microsoft has not improved dramatically since 1999 in the speed and quality of their patch releases.

Don't you think Linux has also improved over that time period? I've certainly seen it.

Why yes, I do think both Microsoft and Linux have improved their response times. What makes you believe I don't?

The computing world is a moving target. 4 years is at least two generations. Get some updated facts.

I brought the only facts I have seen in this debate. If you don't think my facts are good enough, the onus is on you to do better. I would love to see more current data, but I haven't had the time to conduct the study since the story hit Slashdot this afternoon :)

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

While many in the security community continue to berate Microsoft and demand they do better, I am not aware of a single person who would claim Microsoft has not improved dramatically since 1999 in the speed and quality of their patch releases.

Don't you think Linux has also improved over that time period? I've certainly seen it.

Why yes, I do think both Microsoft and Linux have improved their response times. What makes you believe I don't?

The computing world is a moving target. 4 years is at least two generations. Get some updated facts.

I brought the only facts I have seen in this debate. If you don't think my facts are good enough, the onus is on you to do better. I would love to see more current data, but I haven't had the time to conduct the study since the story hit Slashdot this afternoon :)

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

What you're saying here boils down to this: Bill Gates is lying or wrong, because what he says his company does today wasn't the case four years ago.

Except that I did not say that. I presented it as the only relevant hard data that I know of, and explicitly pointed out the date issue. What Gates is claiming clearly was not true 4 years ago; this begs the question of whether something has changed recently.

Past behavior does not necessarily predict future behavior, but it often does. This old data draws Gates' claim into serious doubt, and motivates a repeat of this study using current data. Students looking for a term project might want to consider doing it.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

What you're saying here boils down to this: Bill Gates is lying or wrong, because what he says his company does today wasn't the case four years ago.

Except that I did not say that. I presented it as the only relevant hard data that I know of, and explicitly pointed out the date issue. What Gates is claiming clearly was not true 4 years ago; this begs the question of whether something has changed recently.

Past behavior does not necessarily predict future behavior, but it often does. This old data draws Gates' claim into serious doubt, and motivates a repeat of this study using current data. Students looking for a term project might want to consider doing it.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

The data is from 1999

True, but its the data we have, unless you know of a more recent study.

Linux data is from Red Hat only

True. But talking about response time for patches to the Linux kernel is pretty meaningless, so you end up talking about distro vendors. Red Hat seems like a pretty reasonable vendor to look at.

You neglected to mention Sun

The original article also did not mention Sun, so I considered it irrelevant to comment on Sun. That Reavis studied Sun is a bonus. Enjoy :)

Only three operating systems were included

So what's your point? I'm just refuting Gates' claims that MS patches faster than "Linux".

Evaluation criteria were not explicitly stated

I don't get your point. The evaluation criteria was "how many days does the vendor leave you exposed to a published vulnerability?"

Raw data are not available

Raw data for Microsoft, Red Hat, and Sun.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

The data is from 1999

True, but its the data we have, unless you know of a more recent study.

Linux data is from Red Hat only

True. But talking about response time for patches to the Linux kernel is pretty meaningless, so you end up talking about distro vendors. Red Hat seems like a pretty reasonable vendor to look at.

You neglected to mention Sun

The original article also did not mention Sun, so I considered it irrelevant to comment on Sun. That Reavis studied Sun is a bonus. Enjoy :)

Only three operating systems were included

So what's your point? I'm just refuting Gates' claims that MS patches faster than "Linux".

Evaluation criteria were not explicitly stated

I don't get your point. The evaluation criteria was "how many days does the vendor leave you exposed to a published vulnerability?"

Raw data are not available

Raw data for Microsoft, Red Hat, and Sun.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

My favorite study on this question was "Linux vs. Microsoft: Who Solves Security Problems Faster?" by Jim Reavis. The data is from 1999 and 2000, but it is nicely systematic. At least back in 2000, Linux was much faster than Microsoft, averaging 11 days vs. 16 days.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution

My favorite study on this question was "Linux vs. Microsoft: Who Solves Security Problems Faster?" by Jim Reavis. The data is from 1999 and 2000, but it is nicely systematic. At least back in 2000, Linux was much faster than Microsoft, averaging 11 days vs. 16 days.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution