Domain: steve.org.uk
Stories and comments across the archive that link to steve.org.uk.
Comments · 41
-
Re:Wow...
Thanks, but I'd be surprised if that happened.
- You may have noticed that the "story" submitter is Jaromil, so I suspect (extrapolating from experience) he's accompanied by his sock puppet army (do they imitate the NSA with forum flooding and FUD techniques, or does the NSA imitate them?)
- I've always suspected that the NSA is actively involved in seizing this opportunity to divide Debian, if not celebrating the number of senior Debian developers who have left due to the number of personal attacks and threats they've received from the "anti-systemd" "campaign"
Jaromil does some excellent graphic work - but his musical ability is more autistic than artistic, allowing for a broad spectrum of tastes... and his "software accomplishments" is less than truthful (his hasciicam program lacks truthful attributions to its true basis, and his Dyneobolic distro is just one of very many "respins"). Not a patch on Knoppix - which is the work of one person, or a shadow of Mint and other Debian derivatives. There have been many Debian fork attempts...
Some vaguely related trivia regarding your pseudonym. Unix was a joke name chosen by the developers of Multix - the operating system that was intended to "do everything", when their funding was cut. Eunuchs/Unix was the result. Linux was the name given to Linux Torvalds to create a non-Unix compatible kernel.
apt-get install sysvinit-core
-
Re:Server cold war
http://www.steve.org.uk/Software/bash/
You're welcome.
Oh, what's that? You mean you really wanted Bash + the entire toolchain? And also the same OS conventions and the same security model?
-
Re:My domain
Indeed, I have the same cynical exploitation that most PHP based blogging solutions are security problems waiting to happen.
So I too wrote my own blogging system. It is different than many in the sense that it outputs a collection of entirely static HTML files.
I wrote a script that converts *.txt into a hierarchy of individual pages, rss feeds, and tags.
The software is simple and it is in use by myself and many others.
There is certainly a place for dynamic applications, but blogging is more often a write-only medium.
-
Re:Personal Homepage
That's what I've done too - I can configure all my browsers to have the following URL as their homepage:
That way I don't bother with per-machine bookmarks, and I have easy navigation to common destinations.
-
Re:Old news
I maintain a ssh probe blacklist which currently has about 4000 entries in it.
This is only seeded by the reports from a couple of servers I maintain, and could easily be contributed to by interested parties.
-
Re:Emacs bloat
This is what I have in my ~/.emacs file for that:
;;
;; Minimalism over all.
;;
(if (fboundp 'scroll-bar-mode) (scroll-bar-mode -1))
(if (fboundp 'tool-bar-mode) (tool-bar-mode -1))
(if (fboundp 'menu-bar-mode) (menu-bar-mode -1))
(The complete file is available online.)
-
Re:Hey guys :)
Cute site. Looks like I could even add one...
-
Re:Not anything new
Yeah I do remember lurking upon the lua-users mailing list and seeing the start of the standardisation for the 5.1 module loading API.
That is definitely a good thing, and makes it a lot easier to distribute non-core extensions. (although my extensions for Lua 5.0 were simple enough to write).
Neat to hear that there is an SDL binding though, thanks!
-
Re:Clue About How To Detect Whether You're Infecte
For quite some time...
You can use any bash version available for Windows. Cygwin Bash to start with but not excluding GNU Bash or many alternatives you can find from google (the one I linked is the first one from Google search for "Windows Bash").
-
Re:You have to REALLY hate windows
Could I suggest a USB stick with Firefox for windows binaries, configured to run with the profile directory on the stick; bash for windows and putty.exe? It would fit on a 32MB stick, depending on what your few utilities are. It would run a minimal GUI, Windows' is kinda minimal until Vista hits gold.
-
Re:Hmmm, interesting projects
don't even have that limited of bandwidth and I would like to see this mod in production. Very needed code IMHO.
http://cband.linux.pl/
http://www.steve.org.uk/Software/mod_curb/
http://www.snert.com/Software/mod_throttle/ This one might be best, I've looked at it before.
http://www.topology.org/src/bwshare/README.html
Or you could just dupe an ask.slashdot.org by asking something like:
http://ask.slashdot.org/article.pl?sid=02/07/18/0231229&tid=4&tid=2
I'm really surprised this is not part of Apache by now.
-
Re:Not too big a deal
"I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7"
http://www.steve.org.uk/firefox/README.html
-
Re:Not too big a deal
I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7
If you follow the README URL, you'll notice that the bugs referenced were confirmed against 1.0.4 and older, but are all fixed in 1.0.7.
Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.
-
Re:Not too big a deal
Not necessarily.
I reported some DOS bugs against firefox which will kill a browser by essentially saying:
- Give me a table of 1000000 rows and 1000000 columns.
The browser dies. Probably because it attempts to either a) allocate all the system's memory and the kernel kills it, or b) at some point memory allocation fails and the program terminates.
Not all crashes are buffer overflows, or exploitable.
-
Re:Squatted domains based on family names?
Names are massively non-unique. So claiming a .com for your surname is going to be very hard. Whoever manages it is bound to annoy other people of the same name later. Of the two sites you list the second one seems useful for those who want to be associated with their surname, but didn't think to register the domain themselves - presumably anybody can sign up and be linked with the domain?
If you're interested in surnames specifically you might have a chance at using the .name TLD. That was advertised at one point as being useful for forename.surname.name - not sure how well that worked out because I've rarely seen the domain in the sites I visit.
As for me, I got lucky. I'm all forenamey - and had never thought of using my surname..
-
Re:let's get this out of the way. took me 3 mins.
You've got it to work in bash.
No, he's got it to work in any Bourne-compatible shell (hint: /bin/sh not /usr/bin/bash), many of which are available for Windows, including bash.
-
Re:Screw books
I agree that just doing it is best.
I started looking at the SDL Wiki example page, and after looking over the code and browsing the game programming wiki I just started coding.
My first game, and first use of SDL is mousetrap - the graphics suck, but at least one person liked it.
SDL really was a pleasure to work with, and surprisingly easy to get started with.
Now I'm working on a more graphical platform game.
-
Re:Personality profile?
I come top when you search google for my name.
My website has images of my tattoos, graphic mentions of my body piercings, and a lot of free software.
I'm happy if people rule me out on the ground of piercings/tattoos whatever. At the end of the day the kind of environment where those things are unacceptable (no matter how discriminatory they are) I'm not going to want to work.
I think that my achievements stand on their own technical merits.
Hopefully somebody who's looking for a Debian Administrator would get in touch despite my piercings/tattoos/etc. If not no loss.
We've just saved me and them some time on each side.
-
Maybe this will help
-
Oooh wonder how well this works ..
I audit code for fun, write exploits to see if things are practical.
I'm also hirable - reckon my chances will go up if I write a mass mailer? ;)
-
Who are these people?
First off, who are these guys?
Debian already has a security project, a few of them actually.
I looked at google for either of these guys names and unless I am mistaken, this is what I got: developer one and developer two.
Interesting that anyone else that they haven't ever used those names to contribute to say at least a single debian security mailing list, or say ANY debian lists?
Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.
I am not impressed. Working with the debian security team is the way to go.
Steve Kemp is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.
The official debian project for this is the debian audit project.
Hell advertising that they use SSP enabled GCC! Steve makes those packages for use with debian already!
-
Re:Neat niche, but not the future.
I accept donations - keep them coming ;)
And I write software some popular, some not, donations are always a good thing!
-
Good if combined with sensible disclosure
Finding problems which can be disclosed at the same time as a patch is very good.
All the major Linux distributors will release updates in a timely manner, and enable people to install them with minimum effort - much like Microsoft does. The only difference with Microsoft's patches is they can, rarely, break things. I've never seen this happen with a Linux update.
Personally I've never heard anybody say anything bad about the pro-active way which the OpenBSD team audit their codebase and this is one of the reasons why I started the Debian Security Audit.
Having a dedicated team of people auditing code, combined with the ability to release updates in a timely manner is definitely a good thing.
(The results of my work show that even with only a small amount of effort security can be increased)
Did I mention that I'm available for hiring? ;)
-
How to do it right..
The right way is to promote your project on a big site like /.
Then subtly include wishlist links, and maybe pointers to other software you wrote.
Maybe you'll get lucky and somebody will buy you a thing or two ...
-
Re:Bytemark Hosting
Thirded!
I've been using them for my domain for a few months now and it's been very impressive.
Sometimes support requests have lagged a little, but they are competent and reliable - and getting a discount for doing free software was a nice bonus.
-
Re:If a project falls....
I've been running a small audit for the past few months, mostly looking at low hanging fruit - but still in that time I've managed to have 17 advisories published.
Yet I've only recently come across your site and see there several audits which appear to show vulnerabilities but not any links to real advisories.
I think it's a worthwhile thing to do and spend several hours a week looking over code; but I've never found any volunteers either - it just isn't sexy enough for people I guess. (Apart from people who are being paid to do it, security companies and the like).
-
Not quite what you want ..
I wrote an apache module which I call mod_curb (for Apache 1.3)
This doesn't do exactly what you want, but I'm sure if you were to ask me or somebody else we could code something for you.
The basic idea I have for your problem is to have a database of currently active clients, be it MySQL/Flat files, then you can keep track of all data transferred by that address.
Once a threshold has been reached you can either stop everything, or start throttling.
However throttling alone won't help you out they'll still mirror you, just slowly.
-
Re:Icecast is great..
(I'm the author of GNUMP3d)
Due to the Savannah compromise the downloads aren't available from gnu.org.
You may either use CVS to checkout the code - or download from a temporary archive I've set up.
Thanks for the plug ;)
-
Re:mah-jong
That wasn't one of mine, but I've been auditing a lot of Debian packages recently.
Games are an easy target as many of them are setgid(games); so that they may access a global high-score file.
Most of the vulnerabilities I've found have been in games - easy to start with the low hanging fruit and work your way up ;)
-
Re:real application!
I wrote a simple program to do this back in the day, only mine was called "clipboard".
Works in Windows 95+
This was one of the first altruistic programs I ever wrote - very simple it is, but I saw it offered as a shareware program by somebody else for $25! I couldn't believe it was worth that much.
-
Finding similar music..
I've been doing something similar to this via the online blogging communities at LiveJournal.
LiveJournal, like a lot of these online diary thingys, has a field where you can enter the music you're currently listening to when you make new entries.
My system takes your username and grabs the most recent 50 tracks you've entered and tries to compare these tunes with the music that other people have entered - if you get a match then it will display some random tracks from that matching user's most recent entries.
It appears to work well - but I haven't quite reached a critical mass of users.
-
Another reason to avoid them...
This is just another reason to avoid agencies, they truly are a parasitic bunch.
Over here in the UK I was looking for work last year, and scoured the local agencies. Many, many times I'd apply for a position only to be told eventually that it didn't exist. The agency just wanted to know how many Perl Programmers were around.
Worse than that, though, is the way that several agencies will advertise the same position with subtly different descriptions - and you don't realise until you get called for an interview. In one case an agency told me that they wouldn't put me forward for a position I was applying for because I'd also registered with another agency!
I've started keeping track of bad (and the rare good) agencies in Edinburgh - if you're local feel free to look at the list and submit your experiences.
(Yes that was a plug, and yes the section needs updating)
-
Re:Should there be a GNU-Google?
I was thinking of this recently actually, and came up with a prototype system for searching.
Essentially most people have their favourite areas of the web, which they visit frequently and probably cover their hobbies and interests.
What would be ideal then, would be to share peoples these links in some way. One obvious way of doing this is a Peer-to-peer bookmark searching system.
People essentially share their bookmarks.html file/favourites folders with other users - and then searches are conducted by asking for 'links with $foo in their title/url'.
Seems simple enough; but it would obviously only work if enough people shared their bookmarks; which might not be easy if people bookmark 'private' sites, or could be traced.
(Anybody wanting to discuss this; or interested in the idea feel free to drop me a mail or something)
-
OT:What investors need to know before they invest:
I love the sig. It's just like a quiz I made a while back...
-
Wow..
It's good to hear about these older games, sometimes I wonder if people will be reminiscing about our current games in 10 or 15 years time.
Nowadays the main game that I play is Counter-Strike, it's a great game - but it can only be played via a network, so each game varies, depending on who you're playing against.
I used to play an awful lot of SF2 when I was at college, on friends' machines - I only saw one arcade machine of SFII in the wild, and that was at my local tattoo parlour; where I got these beauties, I'd kill to own one of the consoles now ..
-
What a cunning Idea...
Well, as a result of seeing this post I've just nabbed MyBookmarks.org.uk..
While Blink.com, and Blacklink.com may be very reliable, and honest I just don't like the idea of entrusting my private bookmarks to them...
I think I'll be setting up something very similar though - Wouldn't it be interesting if you could moderate somebody's, (anonymous), bookmarks?
Hmm, this will be a fine excuse for me to learn how to deal with databases...
;)
Steve
--- -
I do .. sometimes..
I started programming originally on a 48k, rubber keyed, Spectrum. After finding the BASIC too limiting I progressed to z80 machine code.
After that when I was first exposed to PCs I wanted to find an assembler straight away. (Not having ever heard of C/C++/Perl by then - I was only 16 or so ;).
I wrote major, single-person, projects in pure x86 assembly language. Nowadays I wouldn't dream of doing that any more - but I have written Win32 programs in pure assembly; just to see if it could be done easily...
One of the few times I ever bother with assembly language nowadays is when I'm decompiling drivers - to reverse engineer protocols, and the like. (eg. My attempt at a Linux driver for the MPIO MP3 player).
As I'm interested in security I occasionally find an exploit of my own, and being able to code in assembler is pretty essential for this.
I have to say that even if I never used assembly language again I'm so glad I learnt it, because it really has helped me understand how computers work; something that the current generation of programmers, fresh out of college, miss .. IMHO.
(Recent graduates seem to think the computer's talking Greek when presented with a stack dump/core file... I find that very depressing.)
Steve
--- -
Sure,
You want to look at GNUSoftware.com - that has a large list of pointers to different GNU compilers available for Windows NT.
Steve