Domain: mail-archive.com
Stories and comments across the archive that link to mail-archive.com.
Comments · 381
-
Re:Andy... sure!
FBI reports have in the past tended to sometimes be ridiculously loaded with over-exaggerations for purposes of lobbying the US government to increase (a) their funding and (b) their powers. Recall, even some years before the US invaded Iraq, reports of the Iraqi government (and there were reports of the Cuban government too) having a vast network of computers and computer hackers dedicated to creating major hacking threats to the US's 'IT infrastructure'. Dubious links to "national security risks". E.g. see http://www.landfield.com/isn/mail-archive/2003/Jan/0094.html. More similar propaganda about China: http://www.mail-archive.com/marxism@lists.panix.com/msg21238.html. Although there is often some mild hacking activity from countries like this, the FBI sometimes WILDLY distorts the facts, and obviously it is in their interest to do so, since the result is the Senate assigning them ever greater funding and greater powers.
-
Re:Why?
First and foremost, if I gave anyone the impression that I am disparaging the development work being done on Squid/NT, I apologize, such was not my intention in the slightest. I know that a good job is being done on it (because I occasionally evaluate it, I WANT choice in reverse proxies for Win32)
However, I still stand by my previous comments. Squid/NT is *not* as stable and not as scalable as the Unix based versions. Do I have documented statistics for this ? no, I do not. YMMV. I've run more than half a dozen reverse proxy deployments (2 of them were in the 200+ req/sec range) and this is what I've observed. I've met more than a few people who've told me that it is (hence my use of the term "myth", which it is).
Further, I prefer the flexibility that Squid offers.. If I had any choice in the matter, I definitely wouldn't push for ISA, but please stop spreading FUD of your own by implying it doesn't do its core job (of proxy and reverse proxy) as well as Squid. It gets the job done. I prefer not to hit against one of the published limitations of Squid/NT and find out ONLY after I put it into production.
thanks for listening.
-
Re:Take the Spam Lists with You
Great post - mod up please!
A few weeks ago, easynet.nl's rbls were taken down, whom I was using as my only means of blocking mails from dynamic ranges, as well as one of my open proxy lists. The load on our mail server went through the roof as we were flooded with hundreds of thousands of junk mails pouring in from dynamically assigned ip ranges and hijacked proxies, all of which have NO BUSINESS WHATSOEVER sending my users their garbage.
Just in case people who used it don't know, the EasyNet dynamic range list is now up and being maintained by SORBS (announcement) / How to Use -
Don't know why people don't do any research
If anybody was honestly curious about what this meant, you might have checked the mail archives of the devel list. Here is a more detailed message from David Dawes. 'Nuff said.
-
Re:USB memory drive
when I saw it at Costco I went searching for compatibility info online (since previous cruzers had been SD based and SD doesn't work in Linux) and all I found was this:
http://www.mail-archive.com/linux-usb-users@lists.sourceforge.net/msg08743.html
-
His employer
His employer appears to have been Voxeo
link: http://www.voxeo.com/
source: http://www.mail-archive.com/cf-jobs@houseoffusion.com/msg01747.html
-
Re:Headline for the article is a troll
It's my experience that the percentage of people who send feedback or patches is much lower than commonly expected. See, for example, Nicholas Clark explaining the volunteer pool for Perl 5 core development:
You may not be counting, but there are about a dozen active perl 5 developers on p5p, about half with commit rights. Similarly parrot has about 5 active committers.
This is the number of competent volunteers that a well established 16-year old programming language used by many individuals and many organisations can muster. From the entire world.
Of course, there are hundreds of people in the CREDITS file, but a handful of people do the bulk of the work. Maybe it's an edge case, but 10% of Perl users aren't contributing back to the core. It's very much below 1%.
That's not bad. It just is. My point is that expecting a smaller, younger, and less-well-used project to attract more regular and frequent developers is usually unrealistic.
-
Re:How can this work?
Sophisticated spamware periodically sends control messages to a dropbox in hotmail/yahoo/whatever and alerts user if the open proxy appears not really working.
Open relay isn't the problem of net anymore, sophisticated spamware uses open proxies.
Open relays are these days hard to find as most SMTP software have sane defaults these days. OTOH With idiots like analogX proxy authors creating proxies with "default open world wide, not even dangerous ports closed" configuration, there is no shortage of open proxies.
If you really want to blackhole/track open proxy/relay abusers, look at Bubblegum proxypot instead. And prepare to hack it as spamware tries to adapt to the traps set up by people.
-
Re:I try to avoid them altogether.
Biometrics won't change the difficulty of electronic attacks, where the biometric signature is copied as easily as your pin number. Biometrics might make physical attacks more difficult, but still not impossible. Time and time again it is shown that biometric systems do not live up to hype. Sometimes they can be easily fooled, and sometimes the biometric signature can be used to reconstruct an acceptable fake. You can count on someone figuring out how to exploit any given system sooner or later. How will you restore your security then? Can you get new fingerprints, or new eyeballs?
-
Some history..
Two months ago I found the problem and gave a patch to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately
:) -
Aw shit... incoming.
I think the ITU controlling the net is wonderful. I couldn't be happier about this.
For those of you who are serious, go read Malamud's account of the ITU. And keep in mind how sleazy these guys are.
Any of you who want to be a publicly accessible nameserver for the ORSC root zone, drop me a line. Apparently we're getting to be a bit popular and need to spread out the load a bit. You guys are starting to chew up quite a bit of bandwidth.
-
Re:What about rotation?
It depends on your video board and driver version. Portrait works with the nv drivers and a number of other X driver modules now. Here is a discussion thread on the topic. BTW this is WAY off topic =-)
-
Re:Any point?
Ironically this trolling is basically accurate. Marc Fleury tells people who dare to ask if the manuals will be ready to suck his dick.
He's basically an arrogant prick. When the CoreDev guys resigned from the Jboss group he removed their commit privileges.
I personally would never recommend JBoss here because of his behaviour. Geronimo will rock, and jboss will then really have to put Fleury in his place or face losing all their clients. -
Re:Marc Fleury's cash cow is in danger.
They don't look like copies to me. Close relatives, yes. Accomplish the same task, yes. Comments identical? No.
Although I tend to agree that the similarities are not interesting enough to get in a huff, I'd be interested in hearing whether or not Scott Deboy wrote the comment "Convert an integer passed as argument to a level. If the conversion fails, then this method returns the specified default."
If he didn't write it, where did he get it? Perhaps both groups were borrowing from another source. -
Re:Old news
According to this Fedora list post, it will work.
-
Re:No more encryption?
"If you want unbreakable cryptography today, you can use a one time pad with less inconvenience."
I can't think of a more *IN*convenient method of cryptography. True OTP is nearly impossible because you would a) have to know the length of the data you're encrypting beforehand and b) exchange the OTP (ideally in person or in a worst-case over multiple channels) to make the encrypted data usable by more than just yourself. It's trivial to implement the algorithm, unfortunately, the problem shifts to key management.
If you want to read the problem with OTPs, in Schneier's own words.. have a peek about 2/3 of the way down the page.
-AC -
Never!
-
Re:After reading the thread...
No, he made the statement to the effect that he didn't want to waste so much of his time trying to get commits into the XFree CVS and if they didn't see fit to give him CVS access, he'd go someplace where he COULD get it. This is obviously a matter he has discussed before with these guys,
He said today that until Sunday, he didn't know who to ask for access, and it had never mattered to him. How much time could he have spent if he didn't even find out who to ask? What's obvious is that he didn't care to find out who he should discuss it with, or how. -
Re:As a real sysadmin
FreeVxFS
There's nothing magical about Veritas's implementation. Today we have FreeVxFS read-only support on Linux 2.4 and 2.6.
QuickIO is a hack, leaving some ugly metadata symlinks around on the filesystem.
-molo -
Open Office Has Had Support For A While
Open Office has had Hebrew support for quite some time.
2002 Hebrew OpenOffice Files
Open Office Hebrew HowTo -
Macintosh users are unaffected?
Like hell Macintosh and Linux users are unaffected. I've been getting hundreds of copies of these little motherfuckers per day for the past few days. The spamassassin mailing list has been deluged with requests and suggestions of rules to block the damned things (along with the usual idealist whining that viruses/worms are not spam and therefore outside spamassassin's scope-- sorry guys, but it's both prodigious and unwanted, therefore it's spam, albeit not of a commercial nature).
F-Secure's detailed write-up of Gibe/Swen includes examples of several of the worm's canned subject lines and body phrases (not only does the worm pretend to be a security patch from Microsoft, it also pretends to be a message being 'returned' to you in other copies). Bah. Outlook must die.
-
Re:US vs. Them
>So did the Tibetans.
Yeah, nothing spells freedom and happiness like living in an oppressive theocracy. -
According to this...
[Full-Disclosure Mail Link]
Verisign has hired Omniture to collect info on what people misspell. While the website may seem clean and useful, it may not be, depending on what your take on privacy is. -
Gentoo emerge history
I read your post and thought to myself, "this was fixed before the exploit? I upgraded my system a few weeks ago, I wonder if I got 3.7?"
Instead of going to figure out when 3.7 was released (could have been today for all I know, I didn't read everything this article linked to), I went looking for how to track my emerges and I found:
this.
Hope this informs someone else.
Cheers -
liar. (other Full-Disclosure archive links)
Can't see anything at the full disclosure mailing list pointing anything serious. Only a priv mail from theo stating the bug doesn't look exploitable for now.
Do you trust anybody posting something they've heard? The guy that started the "new ssh exploit?" thread stated first he knew of an ISP *blocking* sshd traffic (this is far from an exploit). And afterwards he says "The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH.". Note he is losing it, the exploit FUD without base... and all ppl there start to talk about the bug as a fix against an exploit, though *nobody*, not even Theo's nemesis Darren Reed, mentions there is an exploit on the loose.
So FU** YOU. You scare ppl, you hide that and to do so spread more fud by making wrong paraphrasing of the mailing list, hiding behind the slashdotted main archive.
-
Re:Troubleshooting Potential-Killer App.
Knoppix for schools
there's plenty now...
GLUE
Knoppix for kids
Freeduc
The list is growing as more people experience the advantages of the Knoppix concept and make their own specialist version. -
Re:What's wrong with biometrics?
If your fingerprint gets lifted and misused
And that's really not so hard to do!
And remember, if you think it's hard for a stranger to get hold of your fingerprints, what do you think you leave behind when you use a fingerprint scanner?
-
Re:It's hard to win a rigged game.
Yep, IE does ignore TCP standards to get ahead. See http://www.mail-archive.com/mozilla-netlib@mozilla.org/msg01571.html for details.
-
Re:Gentoo?
Look at http://www.mail-archive.com/freebsd-questions@freebsd.org/msg27780.html and read the first sentence of the message.
Is this the same kind of religious fanaticism we can expect from all FreeBSD users? I certainly hope not.
-
Lists with member-only archives and RH installer
I can't understand why mailing lists restrict their archives to members only. This is one of the most pointless, irritating policies around. This prevents me from quickly searching a list to find out if someone has already asked my question, without subscribing!
On high traffic lists, this is an insane situation. Even on low traffic lists, it's time consuming and counter to the spirit of co-operation and openness that I expect in the system administration community. Moreover, it thwarts a newbie's ability to dig up information without having to unravel yet another esoteric oddity of computing. (In this case, it's particularly ironic because the Linux complaints list will have huge volume!)
Anyone maintaining a list, wake up and turn this "feature" OFF ! Open the archives, and help build the public knowledge base. Last I checked RedHat's rpm-list was members only -- it's presumably one of the first places a new user would check for help!
For those who are stuck on this problem, take a look at the Mail Archive and the Mailing list ARChives for plenty of list archives.
A Linux complaint?
How about RedHat's installer. They keep ramping up the version number, without doing anything to improve the installer! Anaconda is still garbage. The resolve dependencies interface needs an option to turn off individual packages that have failed dependencies! Why are the options constrained to "install dependencies to satisfy these packages" or "do not install these packages with failed deps"? If you go through individual package selection and miss something, this is a major pain in the A**! You have to go back, and find the package in the package list!
Also, print the group and category information on the failed deps screen, so it's easy to go back and quickly find the package and turn it off. As it stands, you have a package with failed deps, and have to hunt through the entire list for it! Go on, try to teach all this to a new user. Guess what? In the first five minutes, they've said "Forget it. This is why Linux sucks."
Another one? How about checking the hardware before offering package selection? How many times have I sat for 30 minutes going through package selection, only to have the installer crash when trying to write the new partition table! I have to go through the whole process again! If using an ftp install (or with an network available), why not offer to allow me to upload the package list to another box before bailing out... then I could just download it next time!
What about graphical install for ftp? I install from a local ftp mirror, downloading an X server and libraries over my LAN is trivial, but I'm still stuck with the text install on RedHat 9!
Given that the installer is the first point of contact for most users (especially new users), why not fix it up? Get some UI people working on it, and for crying out loud, stop driving up the release number until you do something decent with the installer.
(And one final rant, why doesn't this Slashdot script comment submit script check URLs for me? Don't we want computers eliminating these mundane tasks? Otherwise, what purpose are they serving?)
-
and now back to Evil Software Patents
the ability to drag a tab outside of the window to make it the first tab of a new window would also be fantastic
Yeah, everybody wants it but Adobe has a patent on it. Or is there uncited prior art? -
Re:GSM/GPRS
How much sooner than the United States will Iraq get a GSM/GPRS network? AT&T, T-Mobile and Cingular are taking their time. Maybe the Iraqi people will get affordable data plans, too.
It already has GSM operators; I wouldn't be too eager to make that move, though: GSM's encryption is a joke. Info about the weaker algorithm from a crypto list here; the followup post from John Gilmore about breaking the stronger of the two. Basically: GSM is half a step above ROT-13 - burn it!
The great irony, of course, is that when Iraq comes to upgrade to 3G, they'll almost certainly be upgrading to a CDMA variant anyway, unless they go with the TDMA derivative... (Article on the subject here.)
From here, GSM vs CDMA looks a lot like VHS vs Betamax: the inferior standard (at least in security) is much more common. Let's hope operators take the opportunity to move to the (3G) W-CDMA, which is backwards compatible with GSM as well...
-
Special drives / software for the Mac ...
Personally, I'm going to miss Yamaha now that they've gone bye bye with their Disc@2 labelling laser drives. Has anyone heard if they plan to license or sell that technology?
Even though a novelty, it did allow me to personalize CDRs like business cards.
The new Plextor mentioned in the article sounds interesting. I wonder if I can access that feature on a Mac?
I know there's this program for OS X to overburn Firestarter - I use it often.
Hopefully, Roxio will make it available in the next version of Toast.
As a note, firmware on optical drives, especially DVDs is risky due to region coding. If the firmware goes slightly wrong your region could get messed up. I know on the Mac you just reset open firmware and that usually takes care of that.
-
Fun
Are you still having fun?
I've committed some of my spare time to open source projects and even started a few pet projects of my own. While success can sometimes be measured by number of users, or downloads, or mailing list traffic, I think it's worthwhile to step back from the project and make sure you're still having fun. At least that's important for those of us who develop open source software as a hobby as opposed to those who do it for a living (and there are many more hobbyists out there). If suddenly you find yourself dreading to read your mailing list or fire up your text editor or IDE, then you know it's time to take a break or re-evaluate the project.
Then again, every developer and project has different goals and really it's only by these individual metrics that a project or individual's success can be measured.
There was an interesting thread on the Jakarta general mailing list about this a couple months ago. You might want to check it out. -
Re:I don't get it..
um. i would bet 90% of current trademarks are made up of "words in the dictionary". the point is that the owner of a conflicting mark is operating in the same space, and AOL has decided to avoid having to defend their use by changing the name of the lightweight browser component.
and actually, no, trademarking words in the dictionary is not frowned upon at all. you can trademark anything you want, if you have deep enough pockets to pursue infringement and general upkeep of the mark. indeed, this recent post by DJ Spooky to <nettime> describes a press conference describing the trademark of the term "hip-hop". -
Re:Questions:
Palladium was intended to be a joint hardware and software exercise. Where you could only run signed code on your boxen.
The claim that Palladium will only run signed code is one of the biggest falsehoods out there. We see it many times in this thread, but I can't correct them all. Read this message from Microsoft to see yet another explanation of why this is not true. -
Anti WiFi?
Security expert Steve Bellovin writes that he thinks this bill is intended by ISPs to fight off WiFi hotspots.
There has been a controversy in the WiFi arena about whether commercial WiFi services will take off or whether free access via "warchalking" etc is going to make it impossible to make a profit from commercial wireless access. Mostly it is the ISPs who are operating these commercial services (in partnerships with some national companies that set up the technology). And these same ISPs have anti-sharing clauses in their end-user contracts that are widely ignored.
This Michigan law, like the others that have been proposed, would make it arguably illegal to operate a free, public wireless access point without permission from your ISP. And if your ISP is trying to sell commercial wireless that you'd be competing with, you certainly won't get permission.
This law puts teeth in that prohibition. It could doom free wireless. A very big deal indeed. -
How about Hebrew, the language it was written in:
...we read the sixth commandment, "lo tirtzach - You shall not murder." (Exodus 20:13) The King James' translation of this command is "Thou shall not kill." But in Hebrew there is a different word for "kill." It's harog, not the term ratzach used in the imperative of this commandment. "Ratzach" always refers to the intentional manslaughter of an innocent man "Horeg" refers to one who kills (whether by accident or intent). Source 1 Source 2
-
Re:I'm Sacrificing +2 Karma To Say You're A MORON
I find it hilarious that you people have been suckered into paying what amounts to a daily fee for simply communicating with your friends.
Of course, Bowie's parents pay for the basement Internet connection he uses to talk on the web or email. Not that he has many friends there...Yes, I occasionally eat my own words.
And since Bowie is invariably talking shit, that must mean... ew. -
Re:What did you expect? You tasteless prick
You'd be surprised how effective it is to expose a troll. Besides, it's publicly available information. What people do with publicly available information isn't really my responsibility, or even my concern for that matter...
Just so you know, this guy follows me everywhere.. He's basically a psychopath. I found out recently that he blames me for the failure of his GetTux.com "business" about 3 or 4 years ago. The reason I say "business" is because he was trying to sell CDs of software people could easily download for themselves. His "business", from start to finish, lasted two weeks. Lord knows how he connects me with the failure of his brilliant dot-com venture. I've never even heard of this guy before he started to obsess over me.
The last 5 years have been filled with hordes of dot-com losers and their attempts at assigning blame for their business failings. This guy apparently hasn't learned that he has no one to blame but himself, and is stuck in a loop where he needs to harass me to get over it.
Have a look, if you're curious.
What Google knows on this guy. ..and..
A little extra information.
Cheers, -
Re:GNU's take on Licenses
I'd have to check, but I'm pretty sure the Plan 9 license is officially recognized as an Open Source license.
Plan 9 people tried and failed to gain certification for their license from the Open Source Initiative (the originators of the term 'open source'):
http://www.mail-archive.com/license-discuss@opensource.org/msg05666.html
--
ralph -
Re:Excuse me, but
Wasn't there an article on slashdot a while back talking about how someone had defensively patented Palladium-DRM schemes in order to prevent M$ from doing exactly this?
That was cypherpunk "Lucky Green", who said he submitted a patent application on ways to use Palladium for software copy protection. This was after Microsoft publicly told him that not only did they have no plans to do that, they couldn't even think of a way to use the technology for that purpose. Lucky said that he could think of lots of ways, so he'd go ahead and patent them. You can read more about Lucky's plans here.
I haven't heard anything about this lately, and a recent patent office search for applications under Lucky's real name (widely known, his initials are MB) didn't turn up any hits. So I don't know if he actually went through with it or not. -
FileCrypt insecure?
FileCrypt was discussed on the Cryptography list a few months ago, and concerns were voiced about its security. Look at this exchange between PGP gurus Peter Gutmann and Len Sassaman. Can we trust this product? Is its source code available for review?
-
Re:Reinventing the wheel
LaCie has 800MB firewire available according to this page. That said, firewire is already supported by all major OS's. Go ahead, buy a firewire drive and plug it into your XP box.
-
lyx & script writing
I want to write the scenario on Linux (maybe with a set of Latex commands or SGML?).
Good. But why bother with typing latex commands, when you have Lyx.
Lyx, according to lyx.org, is a "LyX produces high quality, professional output ..using LaTeX.. in the background.. No knowledge of LaTeX is necessary to use LyX, although it will give a user more power."
Lyx comes with templates for movie & broadway scripts & is a powerful WYSIWYM editor that lets you concentrate on writing rather than formatting. It also has an in-built & easy to use versioning system and you can output to ps/pdf/html/ascii/dvi & misc other formats right from the menu. Read this for more info on what lyx is.
The reason this post is more abt lyx rather than writing scripts is, it is not a specialised software but never the less it is highly versatile & has some great features to aid you in script-writing. -
Re:Not this time around...
Then again, there's that guy (Lucky Green) that has filed for a patent specifically to stop microsoft from using Palladium for DRM.
It's so crazy, it just might work...... -
NOYFB, P (A simple protest)
Start spreading this around at the bottom of your emails:
"NOY[F]B, P"
"None Of Your [Fucking] Business, Poindexter". The 'F' is optional, of course.
(And Extrans is broken. Plain Old Text allows links, but Extrans does not. I'm not surprised.) -
struts and JavaServer Faces
Don't know if they mention this topic or not in this book -
If you are currently using Struts 1.1, you should consider the upcoming changes to it vis-a-vis Sun's JavaServer Faces specification. A recent and good introductory article about JSF is A First Look at JavaServer Faces
Craig McClanahan mentioned the transition to using JSP Faces in one of his Struts presentations at the recent ApacheCon and it has been discussed on the Struts mailing lists (e.g. http://www.mail-archive.com/struts-dev@jakarta.apache.org/msg08457.html)
-
This is actually a valid question
It seems to me that for 95% of the web sites in operation, by the time you finish building the MVC app in Java using Struts you could have coded it 3 times in PHP or Perl?
This comes up from time to time and I think it's a good question. There was a good discussion about this on the jakarta-general mailing list. It's a long thread, but if you'd like you can start reading at this point. The best part of it I think is this response by Jon Scott Stevens:
Java is not the fastest technology to develop in, however, it produces the best code for the long term.
PHP is the fastest technology to develop in, however, it produces the crappiest code for the long term.
I develop Scarab in Java because it is going to live far longer than I do and needs a solid base to work from.
I develop my bar's website in PHP because I just needed to get the job done quickly and was not concerned with code quality.
Remember, PHP originally stood for Personal Homepage Parser. Java's web application technology was designed from the start to be a solution for a large "enterprise" class web site. You can do more with Java but you definitely take a hit in initial development time. Personally I feel that in the end, Java is easier to maintain and extend (but you may disagree).
By the way, Yahoo! didn't go with Java because of the Java threads implementation on FreeBSD. It didn't have anything to do with the merits of the java language. (See Why not JSP, Servlets, or J2EE?)