Forum: The Yahoo Denial of Service
It's one of the larger news items of the day, but we've sorta avoided mentioning it here because it is really "just another Denial of Service Attack." But it's the biggest one ever. It took down Ya- 'we serve half a billion pages a day' -hoo. And they were taken down for several hours from a distributed DOS attack. What does this mean? I honestly don't know, but I figure you guys might have some opinions.
Wow, a DOS attack. Does Microsoft know about that? Isn't it supposed to be DoS?
kwsNI
Well, the first thing that comes to mind is: If it can happen to yahoo, what's to stop it from happening to me?
Answer: NOTHING!! As far as I can tell, you're sitting out on a limb and there's nothing you can do to prevent becoming a victim of a DOS attack.
You CAN however do quite a lot to prevent being a source, or at least an untraceable source - you should take great care that no network traffic leaves your network with bad (=not your own) source address. If this simple precaution was in more widespread use, tracking this stuff would be much easier.
probably does more harm than good. Need a smurfable subnet? They have a list of the 2048 worst offenders.
Only the State obtains its revenue by coercion. - Murray Rothbard
If your system is cracked, and then used to attack me, can I sue you for negligence? How else do we get companies to put proper practices in place?
Like IP spoofing, for example. IP spoofing would more or less come to a halt if ISPs, Universities, and corporations would put some simple filters into place, preventing packets with impossible source addresses from leaving their networks.
This distributed DOS stuff can be stopped only if *all* of the sites in the community engage in sound security practices.
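The "simple filters" the two posts above describe are border anti-spoofing rules: drop anything leaving the network whose source address is not one of your own prefixes, and drop anything arriving from upstream that claims one of your addresses. The following is an added example written for this page, not code from any poster; the prefixes and the packet sample are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the address blocks this site is allowed to originate traffic from.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass(frozen=True)
class Packet:
    src: str        # source address as written in the IP header
    dst: str
    direction: str  # "out" = leaving our border, "in" = arriving from upstream


def _never_valid_source(ip):
    # Addresses that can never legitimately appear as a source in either direction.
    return ip.is_loopback or ip.is_unspecified or ip.is_multicast


def verdict(pkt, prefixes=OUR_PREFIXES):
    """Decide 'pass' or 'drop' for one packet at the border.

    Egress rule: a packet leaving our network must carry one of our own
    source addresses, so a forged source can never escape to the Internet.
    Ingress rule: a packet arriving from upstream may not claim one of our
    own addresses, the mirror-image check for traffic aimed at us.
    """
    ip = ipaddress.ip_address(pkt.src)
    if _never_valid_source(ip):
        return "drop"
    ours = any(ip in net for net in prefixes)
    if pkt.direction == "out":
        return "pass" if ours else "drop"
    if pkt.direction == "in":
        return "drop" if ours else "pass"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def dropped_sources(packets, prefixes=OUR_PREFIXES):
    """Sorted (direction, src) pairs the filter would drop; logging these is
    how an operator notices a host inside the network forging addresses."""
    return sorted({(p.direction, p.src) for p in packets
                   if verdict(p, prefixes) == "drop"})


# Constructed traffic sample: legitimate flows in both directions, an inside
# host forging outside sources, and an outsider claiming one of our addresses.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", "out"),     # legitimate outbound
    Packet("203.0.113.77", "203.0.113.5", "out"),   # forged source leaving us
    Packet("10.0.0.1", "203.0.113.5", "out"),       # forged private source
    Packet("203.0.113.5", "192.0.2.10", "in"),      # legitimate inbound
    Packet("198.51.100.3", "192.0.2.10", "in"),     # outsider claiming our address
    Packet("127.0.0.1", "192.0.2.10", "in"),        # impossible source
]

if __name__ == "__main__":
    for direction, src in dropped_sources(SAMPLE):
        print(f"drop {direction:>3} src={src}")
```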
As I do not see a link out to anywhere I will guess that this refers to a problem that started yesterday and propagated throughout many top level routers. The problem originated at Alter Net and it would appear as though they had a bad routing update - which propagated to glbx.net and affected many sites such as Yahoo!, CNN and a few others. This all depends on who you're connected into - and where the routing packets are forced, but for many USWest !nterprise customers yesterday half or so of the internet was "down".
no.
I recently installed a firewall at our company - previously we were reliant on protection of our private network by Microsoft Poxy Server which is by no means a security product. We now use the Sonicwall Pro product which includes a DMZ segment and halfway decent reporting facilities.
One thing I've noticed is how many DoS attacks are attempted by single hosts aimed at our network, we're not a large organisation and we provide services to a pretty small yet worldwide market.
Now I'm not entirely sure how well the firewall would stand up to a proper attack and would like to know what other options are available to me to help avoid this sort of outage.
Any takers?
Matt Thompson - Actuality - Insert product here.
What? You mean all the times I've tried to get through to /. and it has taken several minutes to reply *haven't* been as a result of DoS attacks?
Tarsnap: Online backups for the truly paranoid
Those of you without the Hacker News Network slashbox on your front page might want to take a look at this story, which has a bit more information as well as links to a number of media stories about it (Wired, NYTimes, etc.).
Wired claims in Routers Blamed for Yahoo Outage that it was not a DoS attack; rather, it was a misconfigured router at their ISP. Anonymous source 'n everything.
Transcript show: self sigs atRandom.
I wonder how long (or if it has already happened) until an employee of an online business decides to improve the value of his stock options by taking out his company's top rival(s) for a couple of hours. There are times (say around December 15th for many merchants) when something like this could be devastating.
D-O-S: Not just for script kiddies any more....
jf
When I first heard about it (it was on our 'superficial' morning TV news), I realised that it wasn't a 'hack' but just a DoS attack with some script kiddies not having enough time on their hands.
But now I'm realising that it would have been a large, very organised 'team' effort. After all, it's going to take more than just a couple of computers to put through 500 million page requests in such a short period of time.
The more worrying thing is this: If it was possible to take down Yahoo, what else are they going to try and take down? Was this just a one off, to see if it can be done? Or was this just the first.
A possible way to try and stop all this is to get the mainstream media to accept the term 'script-kiddie' and make sure they know what the meaning of it is, i.e. so that the next time a major DoS attack occurs, the media recognises that it was just script-kiddies playing around. This way, the script-kiddies will be less likely to pull these stunts because they know they won't get called 'hackers', which is their goal, but this derogatory term which makes them look uncool.
Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
Yahoo was taken down by a major Denial of Service attack--this is true.
What's really scary isn't DoS attacks that are obvious, but ones which are indistinguishable from regular traffic.
Reasonably static and well hosted sites like Yahoo wouldn't be taken out, but the average E-Commerce site, with dynamically generated pages off a single-point-of-failure SQL Server architecture would be completely knocked out by what appeared to be nothing more than extremely heavy traffic.
Such an attack would require massive compromise of hosts (since they'd be able to execute only a few five minute random click sessions per hour), but would show up on no security scans and would be indistinguishable from an unusually large horde of window shoppers.
How would you defend against this? How would you even know you were under attack?
And, most intriguingly, if you're getting paid by the ad impression, would you care?
A quick message to the people responsible...your behavior will eventually lead to the kind of IP network monitoring that the Russian Government is making all their ISPs pay for. It is one thing to describe the attacks and work to repair the infrastructure; it's something entirely different to execute attacks that will quickly lead to solutions that can only be described as nightmarish.
Think for a moment who <i>wins</i> when you take down Yahoo, and shudder. Because there is a winner, and in the long run, it ain't you. You're helping someone. Guess who.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
1) stacheldraht
2) trinoo
3) tfn tribe flood network
4) tfn2k
5) Cert's denial of service tools
Useful?
...has to pay more attention to security. While I am sure there are quite a few people willing to cooperate in launching a DoS attack (and, BTW, who cares if it is typed DoS or DOS?), I'm equally sure the primary method is to launch the attack from the cover of a number of compromised systems. A DoS attack can be done with any compromised account, too. It doesn't require a "root" compromise if all you are doing is flooding a router or set of routers from multiple different networks. You only need a root compromise to do "cool" stuff with forged headers and illogical option bits (like SYN-FIN). If you are launching your attack from compromised accounts that you logged into from other compromised accounts, you don't care about forging headers. Your identity is already hidden by other means. What do you care if some suits come knocking on the door of the owner of the compromised host? You aren't there.
This means that we all have to take security seriously. That password matters. Don't share it. If you have resources, use two part authentication. Take reasonable precautions. Audit your setuid programs. Don't put "." in your path. Don't have world-writable files. If you can't afford commercial 2-part auth solutions, at least use ssh instead of telnet. Etc., etc., etc.
We can't afford to have security be the province of experts and miscreants. Responsible netizenship demands that we take security seriously, at least to enough of an extent that we can be confident our own systems aren't being used by others to attack systems.
Some people believe that cracking systems or launching DoS attacks are a legitimate form of civil disobedience. I actually agree with that. But you are only engaging in legitimate civil disobedience if you are doing it on your own equipment and not concealing your identity. Protesters go somewhere openly and risk arrest. Vandals sneak around in the dark wearing ski masks and painting slogans. One is a principled stand and the other is a cowardly crime. Furthermore, when you use someone else's computer in your act of civil disobedience, it would be like the act of, when the police wade into your protest with their truncheons flailing, grabbing the nearest non-participant and using them as a shield. Cowardly.
So, as always shy with my opinions, that's what I think the giant DoS means.
Anyone know if this was mere mischief or if there was a motive for this incident, BTW?
Ok I'm biased since I wrote this article, but it covers the Yahoo! DOS (I took a look at their network/etc) and goes over what you can do to prevent being DOS'ed, and what you can do to "be a good neighbour".
Yahoo! - Why denial of service (DOS) attacks work (http://www.securityportal.com/)
Kurt Seifried
CERT put out a thing about this a few months ago in this document - also see some of the links they have to past documents.
It looks like the script kiddies are basically getting a bunch of insecure machines to just all start pinging the hell out of something from different places around the net. Ya gotta admit, you could flood the hell out of a connection pretty fast just by finding even 20 insecure hosts.
I myself fail to see what the point of attacking Yahoo is. AFAIK, they are not domain name hijacking like a certain e-tailer nor are they trying to enforce a stupid patent like another certain e-tailer, and they did not try to trademark WHOIS, so what is the point of going after them?
There was an analysis on a distributed DoS software on Bugtraq somewhat recently. It's called Stacheldraht, is designed to be installed on many unsecure machines on the net (i.e. they get cracked and don't notice it, it's not a voluntary network). There's also another package of which I don't remember the name.
The design is quite well thought-out, with multiple layers where DoS servers are responsible for a bunch of slaves which do the actual DoS work. These servers can then be controlled from a central point. Massive bandwidth to DoS at the cracker's hands.
I guess this incident shows that it or a similar package is in use. This is a new way of attacking, so I think it was worth a news item.
Does this DoS attack have anything to do with the fact that the Net has sucked for the last four-five days here in North America?
---
DO NOT DISTURB THE SE
...every time slashdot links to a remote site!
Hmm... I could imagine the crap that would be posted here bashing MSFT if Yahoo was using NT/IIS. However, since they were using FreeBSD, we won't hear a peep from anyone.
Go ahead, moderate me down. Couldn't care less.
- Fred announces "isn't it crazy they're selling frizmos on EBay for $10M" on SlashDot ... the /. hordes go over to check it out .... EBay goes down
- Fred gets pissed at EBay for some reason, and announces "isn't it crazy they're selling frizmos on EBay for $10M" on SlashDot ... the /. hordes go over to check it out .... EBay goes down
One is an indirect DOS attack on EBay, the other is just a 'normal' net traffic peak - how do you tell? do you care? (if you're EBay you may actually welcome the interest)
Cyberattack Cripples Yahoo (APBNews)
Who's Behind Yahoo Attack? (ZDNet)
FBI talks with Yahoo! about attack (ZDNet)
How a basic attack crippled Yahoo (CNet) (with stupid protocol animations too!)
And in other news: A different type of DoS attack is being carried out against Yahoo. At least 40 web articles have been written so far, showing evidence of how many reporters must be calling Yahoo right now. Once the second round of DoS attacks are stopped, the techies can finally get some work done beefing up the site.
I said it in my earlier post, but I'm going to say it again here (so, yes, mark me redundant if you must): Certainly a DoS attack can be a legitimate form of civil disobedience, but if you are going to do it as such, have the courage of your convictions and launch the attack directly from your own machines on your own network, using your real IP address. Then it's civil disobedience.
My attitude towards Greenpeace protests would be quite a bit different if they went down to local nursing home, yanked old people out of their beds (they're easier to handle than say, raiding a gymnasium), and chained them to the gates of a nuclear power plant.
When you sneak through other people's accounts, machines, and networks to both hide your identity and launch your attack, then you are effectively chaining up the elderly (metaphorically speaking, of course). For an act of civil disobedience to be an honourable act, one must openly reveal one's identity and run the risk of arrest and imprisonment. I'm not impressed if someone comes up to me and says "I told my girlfriend to chain herself to the gate. I stayed home. I had the sniffles."
Civil disobedience by proxy is the act of a coward. A sniveling little spineless coward.
My account info has my real name and my real primary e-mail address. I stand up for what I say. I don't lay booby-traps or hide behind other people.
I wonder when we are going to start seeing subsets of the internet partition themselves off and only deal with other sites that implement certain policies (for example, contractual agreements regarding penalties from spam coming from your domain, failure to block impossible packets and so on).
It could be done pretty cheaply during the changeover to IPv6. Just use the first byte to indicate what level of security (or bitwise OR of different security features) the host network guarantees. Then you could just block, for example, any mail coming from someone who didn't guarantee they could track down the original author (which implies that they have enforced similar rules on their relaying).
--Kevin
Yahoo (YHOO) is up 19 1/8 points on the news. Either investors are confused and think the DoS attack is generating millions of dollars in ad-impression revenue, or the stock market makes absolutely no sense. I have no good reason to suspect it's anything but the latter.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Because you can.
The point of the 33133+3 h^x0r d00d's existence is to see just how big a stink he can raise. Well, he sure raised a stink all right. The previous posters' comments are dead on. We're about two steps shy of one of two things: Total chaos on the Net, or (more likely) an event that will make the Inquisition seem like a polite conversation over tea and crumpets.
These kiddies need to be taken a clue, personally and fast: you're turning the global sandbox you play in into a litter box, and if you don't clean up your act RIGHT NOW, Big Brother is going to dump you (*and us*) right down the latrine.
How that clue is delivered is none of my business.
If all you want to do is to allow outgoing mail, just stop running sendmail in daemon mode. With redhat you can do this with
chkconfig sendmail off
In other OSes you may have to edit the startup scripts directly. Programs needing to send mail will execute sendmail in send only mode.
You can email me directly if you have specific problems.
--
"L'IT c'est moi!"
Any Solaris users/admins care to comment on the whether it's sheer bad luck that these tools pick on Solaris rather than Linux ? Or is it just a matter of time before thousands of insecure RedHat boxen join the tribe ?
And wouldn't win95 boxes on dial-up connections be the ideal host to launch distributed DoS attacks from ?
--
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Pardon me? a lot of shells? Haha... I don't think that 30 or 50 shells could make a dent in yahoo... (I can learn, correct me if i'm wrong... don't flame :-)). More likely this was a distributed smurfing (or somethin else semi-similar). If it didn't take intelligence, i guarantee it took preparation. I would place money on the fact that a lot of misconfigured routers were exploited to do this.
--
linuxisgood:~$ man woman
Restating the obvious since nineteen aught five.
When DOS attacks! This Sunday on FOX! (Right after the Simpsons!)
It is sweeps week after all....
A DOS attack is just as bad as creating a destructive virus, since it can cause serious financial losses for the site/company attacked. It'd be good to see the government (FBI hopefully, since it'd likely be inter-state) go after one of these jerks and hang them up to dry. Too bad if it's a script kiddie - an example needs to be set.
I'd expect there might be a great opportunity for some company to create tools/services for tracking DOS attacks... someone like Cisco would obviously be in a good position to track coordinated attacks.
The Yahoo! servers (there are a ton of them) are located at the GlobalCenter NOC in Sunnyvale. They have thousands of machines there - it's a very impressive setup. However, that NOC is perhaps the WORST place in the world to place a server - it is completely overloaded, and the employees barely have command of the English language. A company I worked for hosted their servers there, and the latency created by the jammed connections virtually hosed the web-based service they designed.
I find it quite likely that GlobalCenter screwed up, and that Yahoo! is attempting to spin the story so that their stock price doesn't get hammered. Fortunately for the readers of slashdot, we usually remember that it's not necessary to attribute something to malice that can adequately be explained by ignorance.
I was wondering the same thing. Feb 29th is close at hand. Wonder if that has anything to do with it?
**>>BELCH
Correct me if I'm wrong, but it's usually the number of times that the image has been requested, not a page on which the image is placed. A DoS script is unlikely to waste time requesting images.
Gates' Law: Every 18 months, the speed of software halves.
Likewise, anyone with a system connected to the 'Net must take responsibility for its security. A machine that's wide open to being "rooted" is an "attractive nuisance;" it is innocent by itself but incites trouble by facilitating abuse. The "white hats" on the 'Net should be proactive and stay one step ahead of the "black hats" in this respect. They should be walking down the Internet's virtual streets rattling doorknobs, and if they find one unlocked, they should tell the owner of the house, "See here; your house is unlocked. This is not good." This is far better than having a thief slip in later.
--Brett Glass
read the front page story in USA Today today (dead tree). It is about the iCraveTV lawsuit, and you'll see more people who want a massively regulated Internet.(they also misspelled Valenti (the MPAA dude), at least /. can fix 'em on the fly :-)
+&x
FreeBSD also has two special kernel options -- ICMP bandwidth limiting and TCP/IP RST restriction -- which can help with some DoS attacks. (No OS can do anything about a swamped pipe, of course, but if it knows how to throw away bogus packets and does not fall into the trap of trying to respond to them all, it'll be in much better shape. And, of course, it should never crash.)
I've seen some trolls in this discussion that suggested that FreeBSD was somehow responsible for Yahoo's woes. In fact, the opposite is true. If I'm going to get hit by TFN or Stacheldraht, I'll want a FreeBSD system -- probably the most recent version on the FreeBSD-stable development branch -- not NT, MacOS, or Linux. In our tests -- and we did a bunch of them when stream.c hit the streets -- it held up the best.
--Brett Glass
Wrong. 30 to 50 shells with 10 - 100mbps NICs connected to t3's (such as at universities, large corporations and co-located hosting boxes) are quite capable of taking services such as yahoo out. This, as well as misconfigured networks, are easily taken advantage of.
I would know too. I've had hosting boxes with 100mbps interfaces on a network with oc3 and multiple t3's to tier1 providers completely annihilated due to users using IRC without permission (EFNet is evil). On one occasion, all it took was a DoS attack from a box at a corporation with a t3 to sprint, the university of colorado and a misconfigured US naval academy network. Estimated traffic? 134mbps. Scaling an attack such as that to 1gbps (as reported) is fairly easy if you use distributed sources.
It is also true that there are many script kiddies with this much bandwidth available due to compromised shells and broken networks. Visit EFNet IRC sometime. There are many idiots without a clue with the ability to carry out attacks such as this. You don't have to know what you're doing to scan the entire internet for known vulnerabilities then sniff traffic and tty's at a number of locations and gain access to many other networks.
Get the upstream ISP to identify the attack and install filters at their borders. If that tier 1 isp has enough capacity, the DoS attacker will probably get bored knowing they aren't affecting service and eventually go away.
The problem is that there are many types of attacks that are capable of interrupting service. Many times installed filters require the provider or the customer to compromise their use of the service to allow for better security and protection.
We in the Linux community have to pay more attention to our own security. We're going to start to see more and more folks with always-up DSL connections and static IP addresses. If the default configuration as shipped by Red Hat, or Corel, or whoever isn't damn near bulletproof, you know that the DoS freaks are going to own a lot of these boxes, simply because you can assume that there are a lot of people who won't apply security upgrades, who think "I don't need to care about security, nothing on this box matters".
On the contrary, any DSL-connected Unix clone is an attack vehicle, if captured.
It's not good enough to have some specialized Linux distributions that focus on security. The market leaders are the ones that really matter, because if you find a flaw in Red Hat you've found an exploit you can immediately use on thousands of machines.
Recent Linux versions also have a number of kernel options to help with some DoS attacks, and Linux and *BSD kernel developers have been learning from each other on this issue. Just the same, if a recent Linux kernel didn't hold up well in your tests, we should know. Which version did you test?
All the ideas above make fetchmail not work. I think to do what I want to do I'm going to have to set fetchmail to only listen on localhost. That will probably do it. Any ideas?
As someone else pointed out, you also need to put a script that does ``/usr/lib/sendmail -q'' into /etc/cron.hourly/ if you don't want your mail to get stuck at random.
But another useful trick, if there are certain machines you want to accept mail from and others that you don't, is to run sendmail under tcpd so that it obeys /etc/hosts.allow and /etc/hosts.deny, by adding this to /etc/inetd.conf:
smtp stream tcp nowait root /usr/sbin/tcpd /usr/lib/sendmail -bs
That way you can, for example, let specific machines on your subnet connect to your SMTP port without allowing the whole world to exploit the sendmail-bug-du-jour. (You can also do this with ipfwadm firewall rules, but I find hosts.allow to be easier to deal with.)
I generally prefer running services on my desktop machines (including sendmail and httpd) from inetd instead of having them always running as daemons in the background because that makes it easier to centralize control of their access lists, and because you don't have as many idle processes chewing up swap space. And since I'm the only one who ever connects to the http server on my desktop machine, the process-creation overhead is trivial (this wouldn't be such a good idea for a high volume web or mail server, obviously.)
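To show what the hosts.allow/hosts.deny check behind that inetd.conf line actually decides, here is an added example, written for this page and not part of any poster's setup: a small Python model of the tcp_wrappers evaluation order (hosts.allow first, then hosts.deny, then allow by default) with a subset of the client patterns (ALL, trailing-dot prefixes, net/mask, exact addresses, EXCEPT). The two file contents are constructed; the daemon name "sendmail" is the basename tcpd sees for /usr/lib/sendmail.

```python
import ipaddress


def _client_matches(pattern, client_ip):
    """One client pattern from hosts.allow/hosts.deny against a dotted-quad address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                   # leading-octets form, e.g. "192.168.1."
        return client_ip.startswith(pattern)
    if "/" in pattern:                          # net/mask form, e.g. "10.0.0.0/255.0.0.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == client_ip                 # exact address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(spec, item, match_one):
    """Match a space-separated list, honouring the 'list1 EXCEPT list2' form."""
    padded = f" {spec.strip()} "
    if " EXCEPT " in padded:
        left, right = padded.split(" EXCEPT ", 1)
        return _list_matches(left, item, match_one) and not _list_matches(right, item, match_one)
    return any(match_one(tok, item) for tok in spec.split())


def _file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list' line in the file matches this connection."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        if (_list_matches(fields[0], daemon, _daemon_matches)
                and _list_matches(fields[1], client_ip, _client_matches)):
            return True
    return False


def tcpd_decision(hosts_allow, hosts_deny, daemon, client_ip):
    """tcp_wrappers order: a hosts.allow match wins, then a hosts.deny match
    denies, and a connection matching neither file is allowed."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, client_ip):
        return "deny"
    return "allow"


# Constructed sample files: let the local subnet and one private block talk
# SMTP to us, except for one misbehaving host, and refuse everyone else.
HOSTS_ALLOW = """# hosts.allow (constructed example)
sendmail : 192.168.1. 10.0.0.0/255.0.0.0 EXCEPT 10.9.9.9
"""
HOSTS_DENY = """# hosts.deny (constructed example)
sendmail : ALL
"""

if __name__ == "__main__":
    for daemon, ip in [("sendmail", "192.168.1.7"), ("sendmail", "10.9.9.9"),
                       ("sendmail", "203.0.113.4"), ("in.ftpd", "203.0.113.4")]:
        print(daemon, ip, tcpd_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, ip))
```

Note the last case: because hosts.deny only names sendmail, any other tcpd-wrapped service falls through to the default allow, which is why a catch-all `ALL : ALL` line in hosts.deny is the usual companion to a selective hosts.allow.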
ABC News is reporting that two more web sites were hit in the last 24 hours, in attacks remarkably similar to the one that hit Yahoo. One website was Buy.com, which was hit just as their stock was going IPO with 800 megabytes of traffic per second in a coordinated DoS (smurf?) attack. The other website was eBay. The Yahoo attack used one gigabyte of traffic per second, according to ABCNews. Full story is here.
Finding God in a Dog
The NYTimes has an article on the distributed attack on eBay today here.
--Brett Glass
The fact that two more attacks have been carried out in the same manner on two sites of similar size and renown in the past 24 hours seems to kind of punch some holes in the theory that it was a server misconfig. It's possible that Yahoo going down inspired some script kiddies somewhere to try and take down a few other 'big ones', but I doubt that three sites of this size were all suffering from simultaneous server problems.
Advocates of the GPL tend to invoke the bogeyman of large, evil corporations just spoiling to use your code. But if you buy this argument, you'll in fact be hurting the little guy who might challenge the big ones.
It's unethical to participate in an agenda whose purpose is to hurt others -- especially out of spite. Therefore, you should not use the GPL.
--Brett Glass
---------
Question: How do I leverage the power of the internet?
---------
There is no try at jedinite.com
The question is about who owns your code. Stop saying someone is stealing the code when it was freely given to them. The BSD encourages massive code reuse, which means the programmer, corporate or not, won't have to re-implement the world all over again. That's how technology progresses, everything builds upon everything else.
The idea behind BSD is to help the community, for the common person, the programmer, the corporation, and the user. It works, as helping one in turn helps the rest. If I gave you a lemonade, or a coke, told you it was absolutely yours to use, sell, give, etc. Even had a contract between us, and then after you drank it accused you of stealing, who would you think was nuts?
The GPL believes that no one should own the code, yet their advocates are afraid of someone stealing it, or even NON-GPL code. BSD believes in helping further technical advancement, and thus allows for reuse and splinters. In the end, splinters are a BOON, because (especially with open source) the best one comes out on top, or is applied in very new directions. If not the best standard is derived and pushed by a huge company, killing the smaller, the larger must still compete because no one will follow it if there are absolutely no benefits. And, would these features even come about if it wasn't for the free code? If they would have, obviously at a later date. The problem?
"Open Source?" - Press any key to continue
I find it hard to believe that Yahoo wasn't set up to cope with the denial-of-service attacks I've seen described so far. I'm sure that everyone who works on a web site with more than 10-20 million hits/day has dealt with these attacks.
For example, for the venerable SYN flood attack all one needs to do is tune the kernel to cope with it. SYN floods happen to most large sites on a daily basis.
The connect-to-port-80-and-hold attack is hard for a multiprocessing server like apache to deal with since it has to fork() for each connection. For a multithreaded server it's no problem at all-- it just needs a large pool of threads at its disposal. Each open connection takes up a thread until it times out, but thread creation takes up minimal resources. These connections are not always logged with the IP address in the web server, though perhaps they ought to be.
A worse problem, and perhaps this is what happened, is if an actual GET takes place. In this case the thread has to do something other than merely exist. Each IP address is dutifully logged, making it possible to track down the participants in the attack. (Of course this leads into the other thread here on whether people who are not malicious, but whose systems were hijacked, should be liable.)
Does anyone know exactly what kind of attack this was? Was it directed at the Yahoo site and the routers just melted, or was it directed at the routers themselves? (E.g. bogus routing messages flooding the routers with false updates or other routing-level attacks.)
I'd hate to see Yahoo's networking bill for this month.
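The post above notes that once real GETs arrive, every participating address ends up in the web server log. An added example (written for this page, not from the poster) of the detection side of that: parse NCSA common-log lines and flag clients whose request count inside a short sliding window is far above ordinary browsing. The log lines, window and threshold are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT), m.group(3)


def peak_rates(lines, window_seconds):
    """For each client, the largest number of requests that fell inside any
    window_seconds-long interval (sliding window over its sorted timestamps)."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            times[parsed[0]].append(parsed[1])
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        window = deque()
        best = 0
        for t in stamps:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()        # age out requests older than the window
            best = max(best, len(window))
        peaks[ip] = best
    return peaks


def flag_flooders(lines, window_seconds=10, threshold=20):
    """Clients whose peak in-window request count exceeds the threshold."""
    return {ip: n for ip, n in peak_rates(lines, window_seconds).items() if n > threshold}


# Constructed sample: one client fires 30 GETs within ten seconds, another
# makes five requests a minute apart, which looks like ordinary browsing.
SAMPLE_LOG = [
    f'203.0.113.9 - - [09/Feb/2000:10:00:{i % 10:02d} -0800] "GET / HTTP/1.0" 200 4512'
    for i in range(30)
] + [
    f'198.51.100.3 - - [09/Feb/2000:10:{i:02d}:30 -0800] "GET /index.html HTTP/1.0" 200 4512'
    for i in range(5)
]

if __name__ == "__main__":
    for ip, peak in flag_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests in a 10 s window")
```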
On MSNBC:
... three cheers for us."
"A SOURCE CLOSE to the investigation of the Web site attacks told MSNBC he had read a threatening 18-page letter written by the alleged attacker. Included in the letter: "This is a watershed event of Net security debacle. We have shot across the bow of Yahoo. It's a real wake up call. This attack is just the first of the assaults that we will be launching on the Web
In the letter, the purported attacker complained about companies "capitalizing" on the Internet; the investigator MSNBC spoke to believes online brokerage companies such as eTrade could be his next target.
Check it out at:
http://www.msnbc.com/news/367495.asp
-ben
http://www.exocortex.org
Nobody's mentioned this yet that I've seen, but I've been unable to get through to The Hunger Site today. Are they being hit too?
And the brethren went away edified.
This was Stallman's intent: to destroy programmers' prospects for success. He has said so, repeatedly.
You're twisting his words, and you know it. I could as well say "Brett Glass's intent is to give all the big corporations a free ride at the expense of the little guy." You might not agree with RMS. I myself don't agree with a lot of what he says. But I don't go spreading lies about him.
RMS created the GPL to make sure source code would always be available, no matter where it was or what it was incorporated into. You don't have to agree with this, but your policy of countering RMS's ravings with your own just hurts your cause.
The decision to use the GPL rests purely with the developer. Some people like the concept of code that cannot be incorporated into a closed source project. I kind of like it myself. Others want to foster code reuse as much as possible, and don't mind it being used in a close source project. When you come along and attempt to dictate what the developer should use, you are doing the same thing RMS does -- trying to force others to have your opinion.
Don't be a hypocrite, Brett.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
No, I'm not. In his more candid moments, Stallman states his intentions loud and clear. You may have seen him in "propaganda mode," in which he makes vague, warm fuzzy claims about "freedom."
Here are two quotes from Stallman -- spaced 14 years apart! -- which show that Stallman's intention is, and always has been, to hurt programmers via the GPL.
The first comes from Stallman's "GNU Manifesto," in which he says, explicitly, that his intent is to sabotage commercial developers and limit their career prospects so that they could make no more money than starving graduate students. In 1984, Stallman wrote:
In short, enraged that some of his colleagues were leaving the lab to pursue a commercial venture, he sought to sabotage them as a way of discouraging anyone from doing this in the future.
Stallman's more recent writings, speeches, and interviews confirm that this malicious intent still exists 14 years later. Here's what Stallman said when interviewed by a reporter for Forbes magazine:
(For the full text of the article, see http://www.forbes.com/forbes/98/0810/6203094a.htm. )
Thus, we can see that the GPL is a tool of spite. Its purpose: to attack commercial programmers and software businesses, and to reduce programmers' salaries to those of starving graduate students.
Now, I don't know about you, but I believe that to attack one's colleagues and hinder their progress out of spite and malice is unethical. Thus, I believe it's unethical to use the GPL. I hope that, now that I've told you some parts of the story that you may not have heard, you'll reconsider your stance regarding the GPL.
--Brett Glass
There's a great little store and forward proxy mail daemon you might want to put in front of your sendmail. Allows you to block IP ranges, block spam, etc.
Take a look here.
-John
What you say is very true - that's why I started this
-John
First of all, programmers who build on BSD-licensed code are not "taking" it. It's still there, for all the world to see and use. What's more, because the functionality of that code is already available for free, they can only make money from a derivative work if they add substantial value. And all the money they do make will be the result of the functionality they added. Thus, they haven't "taken" anything from you. They've created value and deserve to be rewarded for that.
Hrm. You have a weird definition of hurt...
No, it's quite a normal definition of hurt. If you offer the code to anyone in the whole world to use as he or she pleases except a developer, you're playing a vicious game of "keep-away" with that developer. You're destroying the market for the functionality by making it available for free. At the same time, you're asking the developer to reimplement it before forging ahead. This is, indeed, hurtful. It holds developers back by requiring them to reimplement the wheel needlessly instead of making forward progress. And it deters standardization by requiring them to create and use a different code base. Not good.
it's my code.
In that case, why use it as a weapon to hurt people?
If the little guy wants to challenge the big guys, how about he offers to pay me to write code for him? I could use the cash.
So could he! Unfortunately, once you've given the code away to everyone else, it's not fair to ask him to pay for it. He can't make money off it, since its market value is now zero. So, you're asking him to pay for something which he cannot get his customers to pay him for! He's starting out "in the hole," and that's not fair.
But he can't run off with my code and hide it.
He can't hide it -- not if you've published it. He can only keep his improvements. (And that's fair; they're his improvements and his only way of making a living.) Nor can he "run off" with it. It's still there for anyone to use.
I don't see how failing to let someone else close-source code I wrote is either unethical or immoral.
Again, see above. They can't "close-source" your code; they can only decide to keep theirs.
Failing to do things for other people with no reward isn't unethical in any system of ethics I can think of. Certainly not mine.
Well, in that case I think you'll agree that programmers should not be forced to publish their work for free. But this is what the GPL tries to do.
However, what the people who take the code (no matter what their size) of BSD programmers, close source it, and give them no credit,
Actually, the BSD license allows the author to ask for credit. Ironically, this is something that Richard Stallman vehemently opposes. He's opposed to authors' rights -- not only for code, but for books and music, too.
while they are acting 'ethically' (because they were given permission to, however remotely), skirt the edges of morals in my book.
Again, the author can ask for this. But the trend is toward not doing so. Under the BSD or MIT X licenses, it's not required; the code has virtually no strings attached. Which is what open source should be about! The GPL is an attempt to turn open source -- which is otherwise a good thing -- into a weapon designed to hurt programmers. The motivation: pure spite and malice. This is not a good thing and is certainly not ethical, and so we should oppose it.
--Brett Glass
It's well recognised that FreeBSD's networking stack is an outstanding piece of engineering which the Linux kernel folks are racing to catch up with, and certainly as capable of withstanding this DoS as any OS out there. However, Glass overstates the problems with Linux here: there are no known ways of crashing a Linux server running the most recent production kernels over the network without special privilege, even using a coordinated DoS.
This is because Glass is a fulminating anti-GPL fanatic; facts unfortunately come second. Let the reader beware.
--
Xenu loves you!
Apparently, you're so much in denial about the notion that there could be a bug in Linux that you've felt compelled to resort to name calling and personal attacks when one is mentioned.
--Brett Glass
You might find that some of the other folks who have reported crashes under stream.c can help you more, since I'm sure that some of them have systems that are still running as they were.
--Brett Glass
But another useful trick, if there are certain machines you want to accept mail from and others that you don't, is to run sendmail under tcpd so that it obeys /etc/hosts.allow and /etc/hosts.deny, by adding this to /etc/inetd.conf:
Sendmail has supported this internally since 8.8 or 8.9, by means of /etc/mail/access.db. There are good instructions in the cf subdirectory in the source code, but the short version is that if you add the following to /etc/mail/access:
example.com REJECT
192.168.0 REJECT
and run makemap hash access < access, sendmail will automatically reject mail coming from example.com or the 192.168.0 network.
Sendmail's rules are a bit looser than tcpwrapper's rules; for example, doing this will reject mail with an envelope sender from example.com as well as mail coming from a host in the example.com rDNS space. And Jamie's points about centralization of access files are well taken. But you can basically do this in sendmail without using tcpwrappers, if necessary.
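To make the matching behaviour described above concrete (host/domain suffix walk, dotted IP prefix walk, and the envelope-sender lookup that also catches a sender domain), here is an added example that is not part of the post and not sendmail's own code. It emulates a simplified access-map lookup in Python so an administrator can check what a set of entries would reject before running makemap; the sample access file contents are constructed, and the "any REJECT wins" combination in decide() is an assumption that models the separate connection and sender checks only loosely (tags such as Connect: and From: are not handled).

```python
"""Simplified emulation of sendmail /etc/mail/access lookups.

Added example, not from the post or from sendmail. Models the
most-specific-match walk over hostnames, IPv4 prefixes and envelope
senders so an admin can preview a policy. Assumptions: untagged keys
only, values REJECT/OK/RELAY, and a combined decision where any REJECT
wins (sendmail's real rulesets are richer than this).
"""
import ipaddress

# Constructed sample access-file contents: the post's two entries plus
# an OK override for one host and a RELAY entry for a single address.
SAMPLE_ACCESS = """\
# comments and blank lines are ignored
example.com        REJECT
192.168.0          REJECT
good.example.com   OK
10.0.0.5           RELAY
"""


def parse_access(text):
    """Parse 'key<whitespace>value' lines into a lowercase-keyed dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line, ignored as makemap would complain
        table[parts[0].lower()] = parts[1].strip().upper()
    return table


def _candidates_for_host(host):
    """Full hostname first, then each parent domain (suffix walk)."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def _candidates_for_ip(addr):
    """Full dotted address first, then progressively shorter prefixes."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def _candidates_for_sender(sender):
    """Full address, then the domain suffix walk, then 'user@' alone."""
    user, _, domain = sender.lower().partition("@")
    cands = [sender.lower()]
    if domain:
        cands += _candidates_for_host(domain)
        cands.append(user + "@")
    return cands


def lookup(table, kind, value):
    """Return the action for the most specific matching key, or None."""
    if kind == "host":
        cands = _candidates_for_host(value)
    elif kind == "ip":
        cands = _candidates_for_ip(value)
    elif kind == "sender":
        cands = _candidates_for_sender(value)
    else:
        raise ValueError("unknown lookup kind: %r" % kind)
    for key in cands:
        if key in table:
            return table[key]
    return None


def decide(table, client_ip, client_host, envelope_sender):
    """Combine the three lookups; assumption: any REJECT rejects the mail."""
    results = [
        lookup(table, "ip", client_ip),
        lookup(table, "host", client_host),
        lookup(table, "sender", envelope_sender),
    ]
    return "REJECT" if "REJECT" in results else "ACCEPT"


if __name__ == "__main__":
    t = parse_access(SAMPLE_ACCESS)
    for args in [("192.168.0.77", "mail.example.org", "bob@example.org"),
                 ("10.0.0.5", "good.example.com", "alice@example.com"),
                 ("10.0.0.5", "good.example.com", "alice@example.org")]:
        print(args, "->", decide(t, *args))
```

Note how the envelope-sender walk is what makes an entry like example.com reject mail *claiming* to be from that domain as well as mail from hosts in it, which is the looseness the next paragraph points out.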
Perhaps you haven't met Richard personally. Have you seen the way he leers at every passing female?
Recently, a female acquaintance told me that she and other women had specifically asked that Richard not be invited to a party they planned to attend. They further noted that, if he was present, they would stay in a different room to avoid being stared at, slobbered at, and bluntly propositioned -- as they had been at previous gatherings where Richard was present.
At the Fall 1999 LinuxWorld Expo, I watched as Richard, having just stepped off the dais after a panel discussion, ostentatiously scanned each woman in the group from head to toe as if he was mentally undressing her.
This is not exactly what I'd call behavior worthy of respect.
and morally support the FSF in most all of its activities.
The FSF is neither moral nor ethical. Attacking people out of spite never is.
However, I can understand someone disagreeing with Stallman. But to disagree with someone, you first have to understand what they are seeing. You, obviously, do not.
I've talked with Stallman at length and have reviewed his writings, speeches, and activities. I have also interviewed others about his behavior. I probably don't know more about him than his closest friends, but I daresay I know exactly what his views and aims are.
You say Richard Stallman created the FSF and the GNU GPL out of anger. I think you are probably partly right.
His writings, his speeches, and accounts of his behavior at the time fully support the notion that the FSF and the GPL were created entirely out of anger and spite.
You say it was out of spite towards some ex-colleagues, or the typical programmer. There, you are wrong.
Not so. Read Stallman's GNU Manifesto, where he explicitly states his aim: to ensure that no programmer can ever make more for his work than a starving graduate student.
Richard Stallman was screwed, and screwed good by proprietary software companies.
Not true at all. All of the work which was used by the spinoffs of the MIT AI lab was bought and paid for by grants from government and industry. It was the express intent that the concepts developed at the Lab be incorporated into government and commercial projects. Richard, unable to see the big picture, resented this -- even though this process was the entire reason he could live in an academic playground in the first place!
Of course, when the commercial spinoffs did happen, Richard couldn't go himself; he was a creature of academia and not one who "played well with others." So, in a fit of rage, he vowed vengeance on those who would threaten his small, cozy academic nirvana by leaving.
If you have read the GNU Manifesto, you know this. And the truth is, we all have. Yes, he was angry. But all I can say about that is "How could I be so comatose as to have not been angered by it?"
I think you might want to reread the document from a broader and more informed perspective. Again, this was Richard's perception -- warped, as it was, by horrible rage, anger, and spite.
Today, I am angry when I have to click "I agree" to some outrageous claims just so I can play a game. I'm glad I get angry. It shows me I've woken up. And Richard Stallman is one of the people who did that.
Actually, the GPL itself is a "shrink-wrap" (or "click-wrap") license, with terms every bit as onerous to developers as the ones to which you refer. The GPL, as a cure, is worse than the disease.
Richard Stallman does not wish for free software programmers to be poor.
He desires all programmers to be put "on a treadmill" (to borrow a phrase from a Microsoft executive) so that they cannot prosper. This intent is explicitly stated in The GNU Manifesto and in other documents and speeches.
He does wish for proprietary software manufacturers to make less money.
If software vendors charge too much, others who charge less will come along and compete with them. It's a self-correcting process.
Is he wrong?
It is always unethical and wrong to attack anyone's livelihood out of spite.
Exploitation will make you rich. Slave traders (they still exist) have never been poor.
Commercial software developers are, by and large, neither exploitative nor rich. And to label them as "slave traders" is a deceptive and nasty slur. Most software companies fail, and the ones that do succeed often barely manage to remain profitable. Only a few, such as Microsoft, have done inordinately well. These can be counted on the fingers of one hand -- and you won't use up all the fingers.
Richard Stallman believes proprietary software to be exploitation.
By this logic, owning my own house or car and not letting anyone use it at any time would also be exploitation. "Exploitation" is a loaded and pejorative word. There's nothing wrong with owning property -- intellectual or physical. Unless you're just plain spiteful about the other guy having it.
Looking at how much money Microsoft is worth, I'd agree.
That's paper worth. Red Hat is worth billions on paper too, incidentally, though it has never made a dime and in fact has lost millions of dollars per employee. Want to talk about exploitation? I think enticing them to buy stock in a company that has always lost money and has virtually no assets (Red Hat doesn't even own what it sells) is exploitation.
RMS would like software making to no longer exploit the end user.
He clearly wants to exploit programmers instead. ;-) Seriously, though, "exploitation" is an unjustified pejorative. Asking people to pay to license the intellectual property you produced via your own hard work is perfectly reasonable and fair. If you created something good, you deserve to be rewarded. Stallman wants to deny programmers a just reward for their work.
That will undoubtedly mean less money for those who try to exploit. All the better.
Again, the pejorative. By this logic, the person who asks you to pay for your food at a restaurant or supermarket is also "exploiting" you.
A few months ago, it was reported that Linus Torvalds had already cost Bill Gates several billions in shares value. I, for one, cheered.
It sounds as if you are spiteful.
Many others did as well. Yet when you quote Richard Stallman as having done the same to proprietary Unix companies, he is somehow evil.
It is never ethical to hurt anyone else out of spite or malice.
When people are free, the slave traders go bankrupt. That does not mean the liberators were the bad guys to begin with.
"Slave traders?" "Liberators?" Sorry, but it's code, not people, that we're talking about here. One of the most misleading (and, at times, silly) parts of Stallman's rhetoric is his anthropomorphism of code. He talks about software as being "free" -- and uses the word "free" in multiple senses, that is, as a "pivot word," in an attempt to lead the reader to fallacious conclusions.
Richard Stallman paid the rent for many years by selling tapes with GNU Emacs on it.
Good for him. Why, then, does he begrudge other programmers a livelihood?
So stop the "He's a commie!" lingo already.
If you look at any of my postings, you'll see that I've never called Stallman a communist. However, his propaganda does borrow heavily from that of communism. And, alas, it is intended to mislead.
--Brett Glass
I sincerely hope they are not asking this. System and network security is far too big and vital a topic to be covered in forums such as this.
There are many, well publicised portals and locations for such information, both system specific and universal. www.securityfocus.org, bugtraq, and many other environments provide up to the minute information on security for a wide range of systems, and any systems administrator should follow these closely, as well as system specific sources.
Those on a lesser scale, DSL and modem, should also pay attention. If you feel unwilling to take the time to secure your system, you should invest in an operating system that is Secure By Default. OpenBSD is the most publicised of these, but there are several hardened variants of linux, and hardeners for popular operating systems like RedHat (check out http://bastille-linux.org/).
For linux guys, I recommend reading the Linux Admin Security Guide (http://metalab.unc.edu/lasg/) and learning about IPChains, or for the bleeding edge people, Netfilter (which is proving to be very powerful).
Unfortunately I have no pointers for Windows, but perhaps other users can contribute URLs where information like that can be located. A quick search in a search engine may help too.
You can't win a fight.
Now wait a minute, we are not talking about resisting tyranny in a police state, we are talking about civil disobedience which is, in essence, a propaganda tool designed to raise public awareness in a democracy, or, in a more repressive political climate, to incite a majority to action.
Partisan action against a violent repressive government is not "civil disobedience," it is guerilla warfare or an "underground."
Perhaps we were not in agreement about terms here. Resistance to Hitler's regime, from providing information to the Allies to slashing tires on government vehicles, would not be, to me, acts of civil disobedience. And I absolutely agree with you that such acts are honorable in such a context. But the United States is NOT, no matter how upset you may legitimately be with it, in any way comparable to Europe under Nazi occupation.
Actually, here's one more thought to throw your way. What if people in Germany had risen up and decried the Nazi philosophy and fought it, openly and publicly, before the consolidation of the power of the Chancellor following the infamous Reichstag fire? Would partisan action have been necessary?
I don't remember whom I am quoting here, so if one of you knows, please give appropriate credit: "The only thing necessary for evil to triumph is for good men to do nothing."