Domain: lwn.net
Stories and comments across the archive that link to lwn.net.
Comments · 2,068
-
IMHO (And IANAKD): Hybrid Kernel
(KD = Kernel Developer)
Both architectures are incorrect. I think it would be best to use a hybrid approach. Isolate the stuff that "needs to be in the kernel" from the stuff that doesn't.
The stuff that doesn't need to be in the kernel (e.g. USB device drivers, and I don't mean OHCI/etc support, I mean the driver for my joystick) can be extracted from it, and placed in userspace.
Then, the stuff that needs to be there (Filesystem support, disk drivers, net code, etc) can stay there, and live happily. This is the way several other OS's work:
- MS Windows
- BSD Dragonfly
- OSX
Not that it doesn't present problems. It would require a massive overhaul to the whole system, every system would need to be categorized as "in" or "out"... but it does have its benefits:
- Different systems could have many of their drivers outside of the kernel, inside a separately maintained project.
- Feature creep may increase, but it would be largely isolated to out-of-kernel areas.
- It may present an opportunity to clean up more of the kernel interfaces. (Major re-works normally do).
- The interface of the userland products could maintain a consistent driver interface for companies to code drivers to. (One of several reasons why many manufacturers don't release drivers is because it is difficult to hit a moving target. Even now, the kernel developers are planning on yet another driver overhaul).
-
What alternative is there?
Well, the fix for Adobe Reader sluggishness on Windows is given in the other replies.
I don't see any satisfactory alternative to Adobe Reader. Pdf's are everywhere in academia; they are the standard platform-independent way to exchange articles, even whole books. I have hundreds, maybe even thousands of them on my harddrive.
And sadly, nothing else for viewing them seems to work well enough. Files made with Latex and converted with ghostscript have embedded type 1 fonts (if they're any good at all, that is.) Foxit PDF Reader doesn't appear to use the embedded fonts; can't tell for sure because it gives no font info, but the rendered text looks crappy. Pdfreader is full of adware. For Linux, xpdf and its derivatives appear not to work well under Ubuntu (saw a message that it renders in tiny text, but I can't find it anymore.) Kghostview I know doesn't work well enough; for the files I tried it on, it showed nothing at all, just blank pages! For more info on this, see The Grumpy Editor's Guide to PDF Viewers.
If anybody knows a free pdf reader that shows all standard files in good quality and has a text search function, I'd love to hear about it, especially if it's for Linux.
-
Security issues?
This merger of technologies seems very interesting. However, I think there is room for caution given recent issues on Acrobat and Flash:
There is the document tracking (via javascript) that is turned on by default in Acrobat Reader 7.0. This "feature" was uncovered by LWN.net and was previously mentioned here
One web site mentions Flash's ability of using local share objects to restore deleted cookies or to store them at a third party web site. Although I don't understand the details, this ability seems in part tied to javascript as well. They provide a link that is "dedicated to securing your local Flash-player installation".
Adobe's web site isn't responding at the moment, so I couldn't look for their explanation of Adobe Javascript.
-
Re:Linus / BM shares?
You're not even trying to argue that Tridgell didn't conspire to get others to violate the BitKeeper licence. The facts are:
o The BitKeeper licence prohibits attempts to reverse engineer the product, or to enable anyone else to do so.
o Tridgell was attempting to reverse engineer the BitKeeper product.
o The network traces and data files provided to Tridgell were generated by people who had agreed to the BitKeeper licence.
o Providing the aforementioned data to Tridgell was a violation of the BitKeeper licence.
Given the above points, there are three possibilities: (a) Tridgell incited BitKeeper licensees to violate the BitKeeper licence; (b) Tridgell misled BitKeeper licensees in order to get them to unknowingly violate the licence; (c) Tridgell stole data from BitKeeper licensees.
There's no need for any extensive, in-depth investigation of 'what happened'. The BitKeeper licence and Tridgell's actions speak for themselves.
-
Balderdash, Codswallop, etc. etc.
If a commercial website can't support itself via its audience, that website should die. If the users of the website are sufficiently motivated to pay for content, they will, and it will survive. Here's a hint: if you need to be paid, then be up-front and honest about it (eg: LWN). If you're worth preserving, you'll be fine.
There is no such thing as an implied or "social" contract - by their very nature, contracts are not implications! The whole terminology is a marketing exercise designed to appeal to the "guilt" that just because someone is giving you something, you ought to pay for it.
Sheesh! Social contracts! What next ? Breathing contracts ?
Simon
-
Spyware, out of the box
Acrobat 7 includes spyware right out of the box. When you open certain tagged pdfs, it reports this to a remote server. It appears to just be logging your IP address and reader info -- for now -- but it's javascript based, so any information that Adobe chooses to present to their scripting API is available to it. You can disable javascript, but it will suggest that you re-enable it every time you launch the program, which doesn't constitute disabling as far as any system administrator with lots of users is concerned. There are a variety of hacks that will make this go away. One is listed in the comments of this article:
http://lwn.net/Articles/129729/
-
Does it still have unexpected features?
Any chance JavaScript can now be disabled without the annoying warning message every time I close the reader? I like the rendering and the ability to fill PDF forms, but not the privacy implications of having JavaScript enabled.
-
WARNING! "Unexpected features"
READ this before installing it: http://lwn.net/Articles/129729/
Remote Approach's reporting did not work when we viewed the document with Kpdf, Xpdf and Adobe Reader 5.0.10. It also failed using Apple's "Preview" application on Mac OS X. The document was still viewable with no apparent glitch in other PDF readers, but the reporting function did not work. However, when we opened the file using Adobe Acrobat Reader 7, Remote Approach started logging views from our IP address. After doing a little research, we found that Adobe's Reader was connecting to http://www.remoteapproach.com/remoteapproach/logging.asp each time we opened the document
(Easy fix: Assign an IP which doesn't work ie: 0.0.0.1 to www.remoteapproach.com in your /etc/hosts)
-
For Debian users...
Christian Marillat has made available unofficial Debian packages of Acrobat 7 for a few weeks now. On sarge or sid, add the following to /etc/apt/sources.list:
deb ftp://ftp.nerim.net/debian-marillat/ testing main
deb-src http://perso.wanadoo.fr/debian/ unstable main
Then it's as easy as apt-get update; apt-get install acroread mozilla-acroread. This gives you the core functionality and Web browser plugin. (Incidentally, there are a bunch of other useful unofficial debs there, including mplayer and lame.)
You can also install the Javascript plugin and a whole bunch of other Acrobat plugins with apt-get install acroread-plugins. However, be aware that some plugins may report back to the mother ship: LWN article. Also, they will eat another 43 MB of disk space.
-
WARNING! Document tracking included
Be sure to read this article before you install the reader.
The software contains functionality that could cause serious privacy concerns - it is possible to include a tracking mechanism in PDF's, readers that this great 'feature' will then contact some website and keep track of how many people read that document.
-
key maapping
I hope they actually bother paying attention to my mouse preferences. Version 5 ignores my scroll wheel and it uses clunky Motif widgets (bleagh).
More likely they'll only use the opportunity to include some of the more unpleasant misfeatures like spying.
Xix.
(damn mouse button!)
-
Re:*NOTE TO MODERATORS*
Thing is, this "new story" brought nothing new. We knew that he DID drop bitkeeper, from the three 5,informative moderated posts which linked to LKML in the previous story. Now we can read that very LKML announcement in this slashdot story as well. We knew that he won't pick subversion from the previous story and from the subversion developers as well.
What is new, that Linus wrote his own SCM (README here)
Maybe it will appear in 1-2 days as another slashdot story?
-
Here's a link to LWN where he talks about it
He talks about some other products he's tried, why he wrote his own, and a little about how it works.
http://lwn.net/Articles/131313/
Check the "made the first version available" link towards the top
-
Re:How about...
Here's why not (read the PS).
-
at LWN
Bit of discussion at LWN.net
http://lwn.net/Articles/131114/
-
dnsmasq is vulnerable too
...at least, according to this link from the lwn.net security page.
-
Discussed on LWN concerning Adobe Acrobat 7
- Article is subscribers only (worthwhile)
- Article will be readable by guests 1 week after publishing
- Solution in Linux is to disable Javascript in acroread 7
-
Re:That's not how the law works
A not-so-minor correction: the GPL is a license, not a contract. Read about the implications of that here -- by the way, one of the clearest explanations of the GPL...and no wonder, it's written by Pamela Jones based on interviews with Eben Moglen.
-
Re:Shockingly better?
Would it have killed you to make it a link? (BTW, your link doesn't work.)
-
Re:Latest Fedora-development has gcc 4.0
What a moron. Since when is FC4 out?
FC4 will include the release version of GCC 4.0.0, and it will slip to follow it, unless the GCC release is too delayed, in which case they will revert.
Source.
-
Remember the LinuxPPC Security Challenge?
Here's a flashback to 1999. (Wooo, all those years ago!)
LinuxPPC: "Crack our box."
We (LinuxPPC Inc.) announced that in response to the LinuxPPC Security Challenge, a competition to break in to a computer running LinuxPPC 1999. The target computer is running the standard installation of LinuxPPC 1999. The target box has the Apache web server and telnet services turned on. Sendmail and FTP are not activated yet.
The contest was announced in response to Microsoft's Windows 2000 security challenge, which has a box running a Windows 2000 beta, we were going to put a PowerMac 9500 up running LinuxPPC 1999. While only HTTP is running on the Microsoft box, to make things more interesting, the LinuxPPC box had telnet service active, opening another possible door for endeavoring network security enthusiasts to break in.
To make things interesting, we even gave out the root password.
So what happened? A deserving LinuxPPC hacker, don't recall who, exploited a flaw in the FTP server (ProFTPd?) and got in, modifying the index.html file. He rightfully won the 9500, and Microsoft had a little more egg on its face.
-
other resources
FYI.
LWN.net: VA Linux and Sun Wah Linux Join Forces Around Debian
LinuxWorld.au: VA Linux, Sun Wah team on Debian Linux
Martin Michlmayr (Debian Project Leader)'s comment
-
Great dunking
I hope the Canberra weather isn't too cold for another great dunking
-
Re:Further proof
Maybe not right now, but there have been a few arbitrary code execution vulnerabilities in Mozilla. If someone happened to visit a web site that made use of one of these vulnerabilities, then they could get something nasty installed. If they were running as root, then there's nothing stopping this from doing all sorts of kernel level things. If not, then it could just put trojaned copies of su and sudo somewhere on the user's path and wait for them to type in a password required for root access (meanwhile, harvesting data from the user's account, for example by polling X for copies of events).
-
Re:FSF and OSI new blood means only one thing...
Wow, I royally f'd up that url. What I really wanted to use was this.
BTW, good advice: "(Use the Preview Button! Check those URLs!)"
-
Don't even consider it.
As pointed out here in an article by Pamela Jones, Napster is supporting the entertainment industry in its lawsuit against Grokster. If successful, the Hollywood lawyers will have effective veto power over all new distribution technologies. Think about that. Don't subscribe to Napster. Don't let your friends subscribe. They are evil.
-
LWN Review
Just FWIW, I reviewed LAD2 in LWN about a month ago.
-
Trusted Build Agents and secure the desktops
QuantumG wrote: "You simply can't run an app that doesn't come from a trusted source"
Trusted Build Agents are the final twelfth step in my Twelve Step TrustABLE IT blog entry.
Also it is already possible to secure Linux desktops the "right way"
(#75791 by guest NZheretic in response to Mainstream means more malicious code for Linux (SearchSecurity.com).)
On Windows, most of the viruses are e-mail borne. On the Linux side, today and in the future, viruses are network-aware, and [they] take advantage of vulnerabilities in networks or systems to infect machines. The Slapper worm, for example, attacked vulnerabilities in OpenSSL and Apache.
I have deployed Linux on the desktop (RH8+Ximian to RH9+StarOffice) in an enterprise and they do not suffer from such problems for long.
1) The only network service the desktop systems expose is OpenSSH and the Iptables limit access from only three addresses. (We use a custom script with ssh to keep the systems rpms up to date from a private mirror).
2) The iptables are configured to allow the desktops client services to connect only to the specified server.
3) The /usr partitions are mounted read only and the /tmp, /home, /var directories are mounted non executable.
4) None of the users have, or need, root access. They have access to printer setting etc via Webmin's Usermin which runs on a dedicated server.
5) Mounting the users home directory required shares etc ( we use Samba for domain, file and print services ) is performed by script when the user logs in.
6) We update all the desktops within minutes of an updated RPM package becoming available. The window of opportunity for any disclosed vulnerability is very small.
7) We schedule Tripwire to check the integrity of the desktops a couple of times a day.
-
Re:What is a "brown bag release"?
One of the linux kernels (2.2.1) had bugs that were so bad that it made you want to reach for a barf bag^W^W^W^W^Wwear a brown bag over your head - hence "brown bag release". http://lwn.net/1999/0204/kernel.php3
The current kernel release is 2.2.1. This is the "brown paper bag" release, so named by Linus since it did have a problem or two sufficiently embarrassing to make him want to wear a bag over his head in public for a while. Foremost among those was, of course, the "ldd core" bug reported last week, which allowed any user to crash the system.
-
Re:What does the contract say?
But this situation is not covered by a contract, it's covered by a license, and your rights are different as a result. I found an article on the GPL where Eben Moglen explains the difference.
Forced obsolescence is yet another reason why EULAs must be stopped, or at least mitigated.
-
Re:How does linux fix this?
So then you don't trust my aggregation of facts because I got paid $75 for the article I wrote?
Spender didn't write PaX, he just built the code around it to add many additional useful protections to produce a complete security solution.
It's good to deploy stack smash protection as well. This protects stack based overflows in general, very high quality :)
I don't feel like going into details right now, as it's 2am.
-
More important question
Do they look like rock stars? No. More like 1980s rap stars. Who looks like rock stars then? Kernel hackers. OS hackers look like church music stars and hacker anthropologists look like movie stars. As you see, all of the hackers look like stars, but only kernel hackers look like rock stars, except those who look like sport stars. If you have any other "Ask Slashdot" questions, you know where to find me.
-
Re:Must Read
First off, I'd suggest buying "Seven Habits of Highly Successful People", and NOT read it. Burn it, it's a great symbolic gesture. (*) This document does so not so much by answering the question, but by making it painfully obvious to the questioner that we don't have a clue to what the answer is. -Linus Benedict Torvalds
-
Google paid to be Firefox's default
Firefox have a deal with Google such that they are the default search and on the default home page in Mozilla Firefox.
-
Re:Source code viruses?
Do you know of the first virus to ever strike an ASCII README.txt file? Yes. Please read about the following linux compromise attempt to see what I mean: http://lwn.net/Articles/57135/.
Here's another Debian-related example: http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci938279,00.html
The original ./ article mentions that the extensible system would have special modules to manage the display/compilation of source code. Like ActiveX controls, this will make the compiler extensible, but fragile.
My point was: what if, instead of infecting your machine directly, the attack hidden in the source would generate unexpected viral or backdoor code. Upon review the source code would look ok. But during compilation the attack (e.g. a buffer overflow connected to some meta-information) would lead to the generation of different code - which will then be embedded in the produced executable.
The first example above uses a syntax detail of the standard C language. But with an extensible compiler, opportunities to sneak unexpected behavior into the generated code may proliferate...
-
And this the guy who is beating Microsoft
And this is the guy who is beating Microsoft.
I can't imagine the guy who will beat Linux when Total World Domination(tm) is completed.
-
Re:Fix XP dual boot
That would be the same bug that occurred for all distros using an early 2.6.kernel and partitioning code based on Parted. (e.g. SuSE 9.1) A clear write up of this problem in case someone is still suffering from it and its solution is provided by Jef Spaleta here
-
The predictable objection
The second paragraph of this item from November is my favorite line from 2004.
-
OMG
Check this out. This is a goldmine. The dunk tank.
http://lwn.net/Articles/66669/
-
All I can say is...
-
Re:congratulations ms
Head over to LWN and check out their articles on several 64-bit Linux distributions.
Problems aren't unusual, but there are those that work.
-
Unfortunately not the only one...
LWN article about some more local security holes in Linux published today. The advisory does contain some harsh words about Linux security as well.
I'd really like to know what's being done about this pitiful trend of Linux security, where it's 10x as easy to find a vulnerability in the kernel than it is in any app on the system, where isec releases at least one critical vulnerability for each kernel version.
And given his description of how he found these problems, plus his frustration about getting Linus and akpm to reply, his tone is even somewhat understandable.
-
More vulns?
-
Re:*sits back*
Second, it'll probably be patched rather quickly.
I can only laugh out loud. Read this story for example.