Slashdot Mirror

dear npietran@umich.edu

read my lips, we don't fucking care!

All I use is secure FTP. Seems fine to me and no DUNS number necessary.

As far as ease of use:
1) Get a better computer
2) Get Fugu
3) Get a clue. End-Users aren't that difficult, you just need to be able to communicate.

Exactly, and sometimes busses come a little early. So when you get out to the stop, maybe you're on time, maybe you're not. Maybe there are people there, and perhaps there aren't.

If you're the only one, do you guess and wait for the bus - (you could be out there a long time, freezing your butt off) or do you go back in? There is definitely a great application for this, but it requires GPS (if it's not on a centralized system, like a subway).

These guys are working on a bus-tracking GPS project.

I always figured one book was more than enough for Dubya...

The bigger problem is that the principle of least privilege is not adhered to in world of Unix. Programmers will always write bugs and applications will always have vulnerabilities that can be manipulated. Manipulation of services should only effect the service being manipulated, not the whole system. For example, services should have NO access to anything by default.

That is very much the approach that OpenBSD is taking - e.g. with privilege separated OpenSSH. If you exploit OpenSSH before authentication, you are unprivileged in a chroot that you can't write too. While this is not invulnerable (you may still abuse kernel bugs to escalate your privilege), it is a good deal better than before. OpenBSD also provides you tools with which you may further protect yourself: systrace - a system call policy checker.

Yeah, and I'd also add that one of the big sources for books on DP is (currently) large, grant-funded, completely useless to the average reader operations like MOA and, to a lesser extent, CWRU or Canadiana.org.

These other sites digitized 10s of thousands of titles, but the stuff isn't even really available (think huge single page images, slow-moving search engines, etc.).

However, these images download great through a second PC, get OCR'd, ftp'ed, copyright clearance, tons of volunteers help, another person manages the project: boom! DP's gonna easily do a million pages this year should have their 1,000th book next month...

and they're growing.

Thanks!

(I'm the one responsible for Anatomy of Melancholy, but also lots of mysteries, Parkman, 'n stuff so please don't kill me.)

This makes interesting reading The Value of Reputation on eBay: A Controlled Experiment by Paul Resnick, Richard Zeckhauser, John Swanson, and Kate Lockwood[1]

Abstract
Many empirical studies assess the effectiveness of reputation mechanisms, such as eBay's Feedback Forum. These investigations involve products ranging from pennies to collector guitars; they vary widely in their conclusions on how well reputation systems perform. Part of the explanation for the disparity among prior studies is that they merely collect samples from the eBay population. Such observational studies significantly increase the number of other variables that are left uncontrolled. This makes it difficult to isolate the effects of reputation on auction outcome.

In our main experiment, we worked with an established eBay auctioneer to sell matched pairs of items -- batches of vintage postcards -- under his extremely high reputation identity, and under newcomer identities with little reputation. Our second experiment followed the same format, but compared sales under newcomer identities with and without negative feedback. Having controlled the content of the auctions, and the presentation of item information, we were able to minimize the effects of variables other than reputation. As expected, the established identity fared better. The price difference was 7.6% of the selling price. Back-of-the-envelope calculations indicate that this amount is reasonable, given the level of risk that buyers incur. Surprisingly, one or two negative feedbacks for our new IDs had no price effects, even though these sellers had few positives.

You are absolutely right.

However, another method to slow down the spread of viri and increase overall cyber security is to populate your network with fake services.

The worms select their hosts randomly and most networks host only a small number of real machines. If all network addresses reply to worm probes, they potentially suck up worm resources and prevent it from spreading quicker. One tool to this might be honeyd.

On the other hand, the spreading behavior would still be exponential. But it might be something interesting to study.

You are absolutely right.

However, another method to slow down the spread of viri and increase overall cyber security is to populate your network with fake services.

The worms select their hosts randomly and most networks host only a small number of real machines. If all network addresses reply to worm probes, they potentially suck up worm resources and prevent it from spreading quicker. One tool to this might be honeyd.

On the other hand, the spreading behavior would still be exponential. But it might be something interesting to study.

A key feature of any episode of Sailor Moon is transformation. Choose one morphing scene from any episode or film version of Sailor Moon. Describe in concrete terms how the animators render this transformation in time and space. ... We want to emphasize that there is no necessarily correct answer for this topic; the success of your paper will lie in its specificity in analyzing the work of the animators, and the argument you mount---no matter how speculative---concerning the relationship of the animation and its probable viewers. ...

While a game (nethack) is only the basis for the project, games do lend themselves to fun algorithm problems. In general being a computer gamer doesn't help being a programmer all that much, but those people tend to be more modivated and excited about programming.

i can't wait for them to sue the united states government for patent infringement.

The flask paper has a one paragraph argument against system call interposition. Basically the time of check is not the time of use and there may be different names to address the same resource, in other word aliasing problems.

These are valid arguments that show problems for a system call interposition tool. However, Systrace is a hybrid system, it has parts in the kernel that allow it to get whatever additional control it requires. Aliasing is not an issue in practise because resource names can be normalized and the remaining aliasing problems are merely hyptothetical. The same goes for the TOCTOU argument. In practise, you can ensure that such race conditions are not relevant.

But let me ask you another question. Have you ever used a system that is based on Flask? Or do you know anyone who has?

On the other hand, Systrace is available for GNU/Linux, Mac OS X, NetBSD and OpenBSD.

A company can not just barge into another country and demand their wants and rules be met

Computers are by nature deterministic; same starting state + same input => same output. So if you can manage to log all the external input to a program and deliver it the same way, it will do exactly the same thing.

Input comes in two types:

• External data like keyboard, mouse, and so on
• Timing like interrupts, signals, or scheduling.

Right now we're using it for forensic analysis after an intrusion, but there's no reason it couldn't be used for debugging as well.

50k and under have been homeless for awhile now in Silicon Valley.

Check out this old New York Times article

Of course /. has talked about this issue before too

My school offers a degree taught largely through computer-mediation (called the executive or emba). Students (rather their employers) pay over $100K in tuition to participate in the program.

The students meet on campus once per month and then disperse for the remainder of the month's instruction. Computer-mediation comes into play in several ways:

1. The students receive canned lectures from professors on CD.

2. The students use collaboration environments such as e-rooms to share documents and interact with each other and the profs.

3. The students use teleconferencing.

Of these, the canned lectures are the most time consuming to produce and the least well received by students. It's like watching educational tv. Yes, you can get something out of it, but it is not necessarily very engaging.

The collaboration environments and teleconferencing work well. People like them and use them. These two technologies enable people to interact with each other and more easily share electronic artifacts. It's like IM on steroids. Note that on-line games seem to moving in this direction, enabling enhanced interaction between people vs. pure person-computer interaction.

I think the issue with improving the canned lectures on CD is that you would have to create something like a PC game to get it really interesting, and that is beyond the power of most academic institutions. Then, you still have the issue of people ultimately figuring out all of the machine's tricks and becoming bored.

In sum, my school's experience seems to suggest that enhancing and enabling interaction is a good role for computers in education.

Apple hasn't written too much, but they do have this doc.

Also, macosxlabs.org has written a doc that fills in some gaps. If you are going to be doing a lot during login/logout, you might want to checkout iHook from the University of Michigan. It's a great little tool that give a GUI to boring old shell scripts.

Also, by forcing all computers to have a microsoft os on them, there will be no incentive to pay for another operating system (even if it is linux).

From the Ohio FAQ:

The contract with Microsoft is not an exclusive contract. Some OSU departments will continue to purchase other competing vendors' software products because they have determined these other products meet their needs more completely than the Microsoft product suite.

I couldn't find a similar comment in the Michigan FAQ , which may or may not mean that the Michigan Uni has a more exclusive deal.

In some places what they're doing is not legal. Michigan's foia law, for example, seems to put their agreement in a a very grey area, legally. I can't say that MS did nothing wrong, because the facts don't seem to support that.

Is FrontPage recommended for use with my environment?

Before purchasing or developing your web pages with Microsoft FrontPage, ensure the web server for your pages will be the Microsoft Internet Information Server (IIS) running on Windows NT. FrontPage embeds proprietary and/or non-protocol-compliant features within HTML code, many of which are incompatible with many non-Microsoft web servers, including those utilized in OSU's OpenVMS and Novell architectures. The implications are twofold:

Web page creators can't just place FrontPage-generated HTML files in their OpenVMS accounts or in their Universal Disk Space and expect the web pages to work correctly.

Even if the pages are served successfully, they may only be fully readable by certain versions of Microsoft's Internet Explorer (IE) web browser.

Systrace on the other hand lives inside your normal kernel - you don't run any virtual machines at all. However systrace can decide what system calls a program can use, and if desired limit how they can be called. For example you could say Apache is allowed to create a bound socket to port 80, but no other port. You can say allow it to read files in /var/www/htdocs but nothing else. This means that should some user make a symlink to /etc/passwd, it can't be read. Should someone get Apache to run shellcode, it can't run /bin/sh or open a new network socket for inbound access.

The configuration to do this is rather extensive, but anything that will be expicit must be. See the sample apache config for example.

Systrace works similarly to other kernel hardening patches, such as GRSecurity or LIDS. LIDS for example can lock down access to the filesystem (read/write/nada) and to root permissions (allow root to read non-root files, dissallow socket binding, etc) but this is different in that the systemcalls themselves have been hooked, not just some common access methods.

Sounds like a job for systrace...

systrace seems like a good solution for Unix-like OS's.

My team runs just under 6 dozen web and database servers ( Solaris and Linux ) for the University of Michigan using an open source system management suite called 'radmind' and I can't say enough good things about it ( I'm not one of its developers, so I can get away with this ): fast, secure, stable, standards based, and makes a little thing like patching several dozen servers a breeze ( though ... what kind of freak patches in the middle of the day? ).

Incidentally, the CTO of loudcloud ( a.k.a. opsware ) is Tim Howes, of LDAP fame and formerly of the UMich RSUG ( the same group that has since developed radmind ). small world.

I definitely agree that there's something going on with Smart Mobs, networks, etc. Communications are advancing at an amazing rate (despite plenty of stupidities), and I'm sure they'll only get more interlinked and complex.

However I do wonder just how much we can predict. As these systems get more complex and include more factors, what can we actually say and predict about them beyond some basics and metaphors?

I recall Vernor Vinge's idea of Singularity, the creation of greater-than human intelligence. Maybe we're witnessing a hint of that as people connect to machines and each others like neurons in the brain. However, the irony is that we may not be smart enough to know if something like that is happening.

This sounds like a great book and an interesting phenomena, and I plan to buy it. But I wonder how much we can say about this phenomena.

"God is what mind becomes when it has passed beyond the scale of our comprehension."

i hope you were kidding.

we have different kinds of plastics for different applications. some are well suited for heat, others for flexibility. well, now we will have one that mcdonalds can use and claim to be helping the environment. don't worry your little american schitzo-from-the-doomsaying-tv brain, we won't have a rash of sprinkler systems degrading because the construction company bought 'biodegradable' plastic.

i say use a mug

$ key.pl
Password:
Website: slashdot.org
Password for slashdot.org:
llynUngiltBerneLobal

Its fairly useful on a day to day basis.

Forget the PDP-8, give me a PDP-15 any day!

Talk about geek factor. We had a PDP-15 in the sub-basement of our Math building collecting data from a Van der Graf accelerator.

Then I would have a use for my HP-16C Computer Science calculator, you know the one that did conversions to/from Octal/Decimal.

Those were the good old days.

Those were the good old days.

Unfortunately for you, discreet speech is seen as passe by the major players (IBM, L&H, MS). For a long time, continuous speech was seen as the major boundry to widespread acceptance of general purpose dictation software (another boundry was the support of large vocabularies). Eventually, processor power and algorithms evolved to a point that both barriers were overcome and discrete speech (and small vocabs) were left by the wayside.

One byproduct of this was a decrease in voice error correction performance -- Most verbal corrections are single words (e.g., the user selects the misrecognized word, "foo" and repeats the intended word "bar" without any of the coarticulation cues that the continuous recognition engine relies on). The recognition of isolated words by a continuous speech recognizer is inferior to the performance of a discrete system, yet the major software companies removed the discrete recognition engines from their products. (for more on speech errors, see this or this pdf).

Anyway, the use of discrete recognition engines has been essentially abandoned by the major players, and seems to have been relegated to the specialty shops that cater to disabled users. One outcome of this is that there is very little innovation related to discrete speech because it was one of (many) historical barriers to the use of desktop speech reco. I can certainly understand the resistence by the big companies to go back to an "inferior" recognition engine for handheld devices. Most likely, speech reco on the handheld will emerge in a client-server environment with the speech signal (maybe somewhat processed) being sent from the handheld to a server for recognition, and the text being returned to the handheld. We probably won't see a general purpose speech recognition application (as opposed to a limited vocab application) that runs solely on a handheld until continuous processing can be done entirely on the device.

Unfortunately for you, discreet speech is seen as passe by the major players (IBM, L&H, MS). For a long time, continuous speech was seen as the major boundry to widespread acceptance of general purpose dictation software (another boundry was the support of large vocabularies). Eventually, processor power and algorithms evolved to a point that both barriers were overcome and discrete speech (and small vocabs) were left by the wayside.

One byproduct of this was a decrease in voice error correction performance -- Most verbal corrections are single words (e.g., the user selects the misrecognized word, "foo" and repeats the intended word "bar" without any of the coarticulation cues that the continuous recognition engine relies on). The recognition of isolated words by a continuous speech recognizer is inferior to the performance of a discrete system, yet the major software companies removed the discrete recognition engines from their products. (for more on speech errors, see this or this pdf).

Anyway, the use of discrete recognition engines has been essentially abandoned by the major players, and seems to have been relegated to the specialty shops that cater to disabled users. One outcome of this is that there is very little innovation related to discrete speech because it was one of (many) historical barriers to the use of desktop speech reco. I can certainly understand the resistence by the big companies to go back to an "inferior" recognition engine for handheld devices. Most likely, speech reco on the handheld will emerge in a client-server environment with the speech signal (maybe somewhat processed) being sent from the handheld to a server for recognition, and the text being returned to the handheld. We probably won't see a general purpose speech recognition application (as opposed to a limited vocab application) that runs solely on a handheld until continuous processing can be done entirely on the device.

Perose Staircase in VRML

"[Allchin] later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."

Our products just aren't engineered for security.

Back to source, closed source will no longer enjoy the market it once had (why pay for work twice, thrice, etc.?) Right now new, profitable economic models are replacing the out-moded failing models in use by Microsoft. Despite this month's multi-million dollar campaign of ads and astroturfing, with people's attention now on security and TCO, the bottom would drop out of Microsoft's market if the code were accessible, even despite illegally leveraging their desktop monopoly.

Microsoft has just fallen too far behind in technology. Microsoft dropped the ball in regards to the Internet and has frittered away the time it needed to catch up. Arguments against using Macintosh or Linux usually center on retraining issues. However, heavy retraining occurred when migrating between Win3.11, WinNT, Win2000, and - for the chumps - WinXP. So if you have to retrain anyway, then why not go with something easier to both use and maintain like Macintosh OS X or Mandrake/Redhat?

When you consider the bizarre nature of the service pack EULAs, the migration to Macintosh or Linux should be the obvious choice

Accuse me of FUD all you want, but examine the evidence for yourself.

Exhibit A
Win NT beats Windows 2000 in SQL Server 7 Benchmarks
What? The new O/S is slower? Must be FUD, doesn't have anything to do with bloated code and forcing users into hardware upgrades.

Exhibit B
Red Hat/Samba far outscales Windows 2000 on identical hardware
Yes your honor, it's true, at a load level of 16 clients Windows 2000 filesystem throughput flat lines vs. Red Hat Linux with Samba which is still scaling up nicely with 28 clients.

Does Windows 2000 mask the true power of the Intel hardware? Examine the report and look at the benchmark graphs. Decide for yourself if it's FUD or FACT. Note: the source is PC Magazine which if you will refer to this months copy contains many advertisements for Microsoft .NET .. Looks like PC Mag has some integrity.

Shall I continue?
Want to see why TUX stomps IIS and Apache for serving static content?
I challenge you to find the FUD in any of this. In fact, many of you might wish to save these links for future TCO discussions within your local IT departments.

PROVE ME WRONG!!!! Show me how Microsoft is doing it faster and better compared to either a) A Previous Microsoft Server Product, or b) Linux. Wave your hands and shout FUD all you want, but be prepared to back it up.

I wish someone would back me up! :)

As for my 486, I wrote a user mode driver which allows me to access the data pins on the parallel port to activate a relay and ultimately switch A/C power. (Web page coming soon.) This device can be used to remotely reboot Windows servers that BSOD, or turn on Christmas Lights add/or Coffee Pots via cron or telnet. Did I mention it all fits on a floppy, runs on a 486, and is network accessible? I am trying to shoe-horn a webserver onto the floppy now.

forget interarchy for sftp, check out panic's transmit. it is a very well constructed cocoa application and is $25 USD rather than interarchy's $45, but if cost is really an issue you can look into fugu a free sftp cocoa app written by the university of michigan coding cowboys...

couldn't the user above tunnel their connections though?

I've thought of making something like ZoneAlarm on Linux myself, but felt it was more of a novelty than something useful, since I find my applications pretty trustworthy as it is.

The mirrors contained the trojan as well.

Besides, this is an exploit of trust, no operating system is any more vulnerable than any other. Binary distributions would only contain the libpcap backdoor to ignore tcp port 1963, the actual trojan appears in the configure script.

How many times have you downloaded sources and blindly ran ./configure && make? This is certainly a case for running builds in a systrace jail.

For the record, this fits the modus operandi of trojans found in irssi, fragroute, dsniff, BitchX, OpenSSH, and sendmail.

In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.

This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.

We need to be much more careful about the software that we run.

In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.

This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.

We need to be much more careful about the software that we run.

There was an MS-DOS shareware product -- in fact, it was the product for which the word "shareware" was coined, and by a guy who'd been Microsoft employee number 9, no less -- called PC-Write. It was a lightweight (fit on a floppy), blindingly fast (even on an original 4.77 MHz 8088) quasi-WYSIWYG word processor. I tried it, I paid for it, I used it a lot. With a little care, you could do fairly close to WYSIWYG editing of plain ASCII files.

The author (Bob Wallace) passed away September 29, 2002. His company is long gone, as is the company his product was sold to.

It looks as if you can download version 3.04 here. Halfway down this page you'll find version 4.15. The Pascal source code was available at one point; it's probably disappeared.

A similar product, "Breeze Word Processor," appears to be available here. This is a four year old (to the day!) Netnews discussion of lightweight MS-DOS word processor packages. Your very best bet might be an MS-DOS or Windows 3.x version of WordPerfect or Microsoft Word.

None of these are actively supported.-(

In this day when people lightly port Sim City and Civilization to PDAs and phones and web browsers, it shouldn't be that hard to recreate one of these.

P.S.: What OS is your 8 MB system running?

So, it's probably not what you're think of, but here are some Unreal mods being created at universities to develop and study AI. I know of two of them,

John Laird is heading the Haunt 2 project at the University of Michigan

and Martin Martin is heading Escape Online at Carnegie Mellon.

I'm currently helping develop Haunt 2.

So, it's probably not what you're think of, but here are some Unreal mods being created at universities to develop and study AI. I know of two of them,

John Laird is heading the Haunt 2 project at the University of Michigan

and Martin Martin is heading Escape Online at Carnegie Mellon.

I'm currently helping develop Haunt 2.

This is a joke? Delete any of the X11 poop if it somehow got installed, turn off inetd, kill and delete anything that isn't part of the machine's intended use, remove any unnecessary hardware, strip down the kernel ( if necessary ) and boot scripts, patch, use something like radmind to push this out to all of your machines, and then monitor.

This is exactly how I run my servers.

Systems that extract power from wave energy as opposed to tidal energy may be a little less problematic and a lot cheaper to build, albeit also on a smaller scale. The basic idea is to find a waterfront cliff and drill a hole straight down to about 10 feet below the water level, then turn and drill until you encounter ocean. The result is a tunnel with a column of water in it that moves up and down a dozen times a minute or, pushing a fair amount of water and air. Put a turbine in that tunnel in either medium, and you've got power.

Here is a diagram of such a design that uses a prefabricated tunnel rather than drilling. Google will turn up quite a bit about various designs and research.

All crackpots of course. Every good SUV-drivin' Amer'kin knows thar ain't no energy sources other than oil!

These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries

Ahemmm! set[ug]id, both. Also, the addition of Provos' systrace(1), which has been coming along for some time is tres cool, man. Listen, read:

Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm and allow an user to refine the currently configured policy.

CTS. Someone bitched about the installer, and how cooler it'd be, how more ``popular'' OBSD'd be if it came with a purdier installer, cotton candy, and power seats. This flies in the face of how OBSD developers feel about the audience of their OS. `Fuck popular! Popular only brings unwashed numbers and wastes time; they don't handhold anyone.' `Read gaddammit, read!' `If you wont read the fucking excellent manpages, or wont read other included documentation, if you wont search list archives for the same repeated questions (and they will be if you are that stupid) you're a fucking slacker, if you read them and don't understand them, you're a fucking luser.' Sound like an OS that gives a shit about being popular or tolerant of stupid newcomers? I don't think so.

If you're prepared to do the hard work, not expecting handholding and waste anyone's time, you'll be alright. Not for everyone, as it should be.

opensource.apple currently redirects users to opendarwin.org to fetch the iso, but unfortunately opendarwin.org has been taken offline. in the interim the following mirrors are available...

darwin/x86 iso
http://web.mit.edu/darwin/www/darwinx86-602.iso.gz
http://enigma.us.itd.umich.edu/darwin/www/darwinx8 6-602.iso.gz

darwin/ppc iso
http://web.mit.edu/darwin/www/darwinppc-602.cdr.gz
http://enigma.us.itd.umich.edu/darwin/www/darwinpp c-602.cdr.gz

md5 checksums
MD5 (darwinx86-602.iso.gz) = d4e9a94c48d900736fa9f77d42707d50
MD5 (darwinppc-602.cdr.gz) = 07d4614c4e3b417f0022a97cf941ad97

installation instuctions
http://www.opensource.apple.com/projects/darwin/6. 0/install.x86.txt
http://www.opensource.apple.com/projects/darwin/6. 0/install.ppc.txt

opensource.apple currently redirects users to opendarwin.org to fetch the iso, but unfortunately opendarwin.org has been taken offline. in the interim the following mirrors are available...

darwin/x86 iso
http://web.mit.edu/darwin/www/darwinx86-602.iso.gz
http://enigma.us.itd.umich.edu/darwin/www/darwinx8 6-602.iso.gz

darwin/ppc iso
http://web.mit.edu/darwin/www/darwinppc-602.cdr.gz
http://enigma.us.itd.umich.edu/darwin/www/darwinpp c-602.cdr.gz

md5 checksums
MD5 (darwinx86-602.iso.gz) = d4e9a94c48d900736fa9f77d42707d50
MD5 (darwinppc-602.cdr.gz) = 07d4614c4e3b417f0022a97cf941ad97

installation instuctions
http://www.opensource.apple.com/projects/darwin/6. 0/install.x86.txt
http://www.opensource.apple.com/projects/darwin/6. 0/install.ppc.txt

For now I'll delete the entries by hand, but if this increases it could get really annoying.

AlpineR

For now I'll delete the entries by hand, but if this increases it could get really annoying.

AlpineR