Slashback: Shelter, Panic, Intrusion
Remember, Free Software Sinks Ships. curtS was one of the many to point out that "MSNBC has an article about a security hole you could throw a cat through." This might be more exciting if it was the first time, but jamie posted about a very similar-sounding flaw a few months ago.
Calling off the dogs of war. An anonymous reader writes: "Slashdot reported that Indymedia had received a court order to hand over the logs and other records pertaining to the IMC's coverage of anti-globalization protests in Quebec City. Now the FBI has dropped the case. Here is the press release."
phunhippy points to coverage at Wired as well.
This Old House - gr8dane writes "I was just checking out the Sunday posting on /. about .commers in homeless shelters and Salon is running an update to the same story. The previous post prompted quite a bit of feedback on /. and this update article seems to support those who felt the Sunday article wasn't indicative of the industry as a whole. 'John Sacrosante says he went from six figures to a shelter. His friends say there's something fishy in San Jose.' Quite interesting ... "
DoctorZ writes: "In response to reading the recent article about Zero-Knowledge's withdrawal from Linux development for Freedom, I emailed them discussing my concerns along with everyone else's. Here was their response:
'Hello, We know....
We understand your disappointment. It is not an easy decision. We are not giving up on Linux. Our entire Freedom Network is Linux based! This decision was taken in response to the number of people purchasing the Linux version as compared to the number purchasing the Windows version. While many of us at Zero-Knowledge are Linux enthusiasts, the number of interested Linux users downloading Freedom simply didn't warrant continued development efforts, and we have chosen instead to apply our development resources in a way that will maximize value to our customers.
Once again, thank you for expressing your concerns.
Regards,
Alan"
To be honest, my impression of IndyMedia is that they are just as biased, if not more so, than the mainstream media they want to subvert.
--
But frankly, indymedia's bias is why I read it (though not as regularly as I used to). You're unlikely to find truly neutral journalism anywhere, so why not at least find a couple of sources whose viewpoints are clear (and preferably at odds)?
Those ship-based NT systems that are less reliable will drown while those that work will survive to breed with other ships thus improving the species....
Ships are all "she"s.
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
FYI it isn't against libertarian beliefs to give or receive (or ask for) charity. It is against libertarian beliefs to force someone to give "charity" (quoted here because it isn't really charity if it is taken by force). So giving $5 to a homeless guy on the street is fine. Running a soup kitchen is fine. Going to one is fine. Taking 26% of someone's wages and using it to fund all manner of things including aid to the homeless is not so fine. Not because of the things funded by that money, but because it is taken, not offered up freely.
Likewise asking someone for $5 so you can eat is OK. Telling someone to give you $5 so you can eat, or you will stab them in the eye is not OK.
One is a hypocrite for wanting to change from an involuntary system to a voluntary one? As far as I know most libertarians (they prefer little l) don't claim to currently be living the life they want to (i.e. are not a person who puts on a false appearance of virtue or religion). They would like to privately fund schools, highways, and most want to fund national defense with excise taxes (I think). They aren't going and claiming that they are doing it, or otherwise falsely asserting that they are currently not benefiting from the taxes of others.
It would be rather hard to not do so since there is no alternate method set up to account for everyone's use of government services and pay for them.
I don't think the often quoted libertarian idea of almost no government is attainable. But I do want one radically smaller than the existing one. At least on the federal level. At the state level my feelings are much more mixed. I know that would increase the local state taxes quite a bit because a lot of the funding for state works comes from the feds, but it would also increase the likelihood of being able to find a state that offers roughly the services you want for roughly the taxes you are willing to pay. Currently it is all but impossible because so many services are actually paid out of your federal taxes...
Check out Crowds from AT&T's research arm... the same people who did VNC. It's not encrypted, but it has the same pooling effect.
--
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
Or if not overconfidence, at least a captain far too easily influenced by the media and the fleet owner: IIRC, the Titanic was also touted as being really fast, and thus the pressure was on to prove that she could cross the Atlantic in record speed.
IOW, egos did 'er in.
--
Don't like it? Respond with words, not karma.
Let's face it, every major operating system has security flaws, either in the past or just waiting to be discovered. The benefit of Open Source is not only that it makes it easier for everyone to see its flaws, but it makes it easier for anyone to fix them.
Right now we have Craig Mundie preparing to argue the merits of commercial licenses over Open Source, and having a hole of this magnitude (read the article for details) showing up in closed-source software so close to this debate only serves to make our case look better.
There are times when a closed-source license scheme will work out better for a particular company, and there are times when an open-source one will be better (and I'm only talking in regards to the company, not the rest of society). This security hole will hopefully reduce the FUD level against Open Source software, particularly from a security point of view.
I can't wait to hear the Mundie debate next week.
--Cycon
Your Brain + EEG + LEGO Robots = Brainstorms
A lot of times when working with a pre-existing codebase buffer overflows and problems pop up when you add new code to older code or go back and try to fuck with older code. Big software projects can get really complex which means for every so many lines you write you've fucked up so many times. Plus with writing code on a schedule you often times have to have a product ready by a certain date, not when it's finished so you don't have time to do a whole bunch of testing. Personally if I were managing something like IIS I'd give the dev guys plenty of time to work on testing and evaluation but that's just me.
I'm a loner Dottie, a Rebel.
We don't need better programming languages, we need better programmers. Those who try to code too quickly and fail to think about what they are doing are the ones that bring us buffer overflows. And now you want to encourage these same people to code with a language they are told will speed up their programming? They better not be coding anything for medical instruments, airplane controls and navigation, nor any military systems ... even if they are using Java.
Since when was a language able to make up for neglect?
now we need to go OSS in diesel cars
Followed closely by: 'But it doesn't have Rover(tm), the cute, MS-BOB-based, animated pooch that will help you figure out how to type words into the "Look For File Named"(tm) field in the "Search"(tm) Window(tm).'
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
no more unlimited futures
Isn't that a contradiction in terms? I guess in "unlimited futures" savings accounts and wads of cash stuffed into mattresses are "off limits."
--
NT applications...provide damage control
At my $ORK_PLACE, it's usually the other way around.
--
Maybe, but Leonardo DiCraplio sinks films.
--
You left out, "Oh, she's unsinkable, so the lifeboats are for show, and can only accommodate a fraction of the passengers."
--
You just don't understand "Microsoft Time", man. In Microsoft Time, there was never a printing of "The Road Ahead" that dismissed the importance of the Internet. Microsoft Time is completely and totally subjective, governed by the whimsies of Bill Gates, his wife, his daughter, that nice man on the corner that calls him "Mistuh Gates, Suh," and the value of the sum of the build numbers of the Release to Manufacturing of all versions of Windows 9x running on the DOS code-base that was officially declared dead with the release of the Windows OS that "Makes a Grown Man Cry" multiplied by the pequeninos' lucky number and divided by PI then raised to Avogadro's number.
So you see, Microsoft is right in what they claim the date is, and it's a user error that occurred during the installation of MS Office Professional that makes it appear incorrect.
--
Oh, man. I'll forgo my raise next year if only they would officially declare me the Chief Hacking Officer. (It's almost as influential as Senior Shouting Officer amongst the Vogons, you know.)
If I were a Chief Hacking Officer, I could make broad assumptions like declaring that each domain that uses IIS only has one computer serving pages for it. I could be in article posted to Slashdot! What more could any sane geek want?
--
It does. Most people call the thought pattern "blind luck". Most technical people call investing a SWAG (scientific wild ass guess). Face it, investing is no more scientific than betting on sports contests. There are some pretty good indicators that some companies are going to win, but everyone is looking at the same indicators which drives the price of that company's stock higher. Betting (investing) on a 'long shot' will provide better payoffs if that company/team wins, but there's a reason that it's called a long shot.
The best thing I've found to do with my money is to spend it. My kids won't have a big inheritance, and both of us will have to work our asses off to get them through college (why kids today think they shouldn't have to work while in college is beyond me). But when I'm gone they'll have a lot of fond memories of all the fun we had spending money in the good times, and I won't have to worry about anyone trying to come get their stuff during the bad times ('cause it won't be there). Reckless? Yes, but I've dug ditches before and I can do it again.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Of course you never went to a public school, don't use any interstate highways, or depend on the U.S. military to keep you safe.
If you do you are a major hypocrite, like most of the Libertarians I know...
--
You think being a MIB is all voodoo mind control? You should see the paperwork!
A man who wants nothing is invincible
All the recent news stories around the rise and fall of the dot coms are starting to resemble the urban myths that make up 83.2% of all corporate e-mail traffic. The truth is far more complicated and far less interesting to the average reader.
I'm sure there's plenty of human interest stories in other boom-to-bust industries, but they lack the "magical" elements (massive wealth at a young age, mysterious computer skills) that lend the Dot Com stories their fairytale qualities.
I personally can't wait until these stories join the Chupacabra and Monkeyman in the footnote department.
Marc Siry || interactive media professional, motorcycle enthusiast ||
For a second I thought ./ had been compromised again.
I guess that nobody explained to you that Slashdot.org used to be a Microsoft website. Microsoft has simply been too embarrassed about having their web site so thoroughly owned that they've never taken it back.
(There is no truth to the rumor that, once Linux was remotely installed on their IIS box, they were not able to bring the system down.)
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Letting your paying customers find the bugs (and, in some cases, then denying the existence of bugs reported by multiple users), is not what I'd call 'testing'. I'm not interested in paying big money to be part of an unofficial 'public beta' that never seems to end.
--
Captain: Frigin Script kiddies....
Weapons Control Specialist: I think they used a Microsoft back door to..
B O O M ! !
--
Oh - MS was informed several weeks ago???
--
Then again, spending the better part of a day removing posts about the (non)'raid' was a surprisingly effective way of igniting interest about the story while keeping with the spirit of the order.
In any event. The FBI probably dropped the case because they were almost sure to lose it on appeal. The sweeping nature of the court order was bound to be seriously questioned by any upper court, and given that the original order was for a non-existent IP address, they would need to ask for a material change to the order to be able to wrest any data from I.M..
On the other hand, if the intent of the order was to provoke disorder and chaos at I.M. in the middle of the summit, it has achieved its purpose and outlived its usefulness. Keeping it alive would cost the FBI lots (both money and PR), while gaining them little beyond the damage already done.
It really seems to me like the last was the real intent of the order. Consider that it was dumped on them in the middle of the Quebec conference, referenced an unused IP address, a foreign crime and non-existent posts, while demanding that a site dedicated to getting news out to the public not tell anybody that everything that they had done for the last 48 hours might be handed over to an organization famous for previous anti-activist activity.
When I think about it, it's actually possible that the FBI was really probing the organization, and hoping that they would breach the gag order. If they had, then the FBI would have had an excuse to shut down the whole operation even though they had done nothing else illegal. This is not too far from a tactic often used in Canada (esp. BC).
--
when are companies going to start coming out with really refined and good code
Microsoft has been releasing software with good, refined code ever since they used BSD code in Windows.
Devil Ducky
MY peers would get out of jury duty.
Samuel Clemens (Mark Twain) managed to blow $300,000 (19th century $) of his savings investing it in development of an automatic typesetting machine; Sir Isaac Newton lost his fortune in the South Sea Trading Company bubble way back in 1720; plenty of otherwise thought-to-be-intelligent people bit it investing in RCA in the 1920s, Polaroid in the 1960s, etc... I wouldn't try to judge people's intelligence based on their financial success. Human nature applies to the temptations of all, no matter how otherwise intelligent they might be. I think financial wisdom must follow a different thought pattern.
Ever had a look at Indymedia? The wire's full of Marxist bleatings, bleeding-heart whining about the costs of convenience, and crackheaded posts from kooks. It's a complete waste of time.
And I suppose news from agencies which filter out the important parts are better than Indymedia. Take a look at Jim Bell, the judge scared the media, and the media shoved their tails up their asses and stood silently as Bell was shafted.
Take a look at the McVeigh trial, where did the media go when John Doe news was brought about from the beginning? What about CNN's actions during the Gulf War... Sure allow the military into the company to monitor what gets reported.
Sorry sir I would rather have all forms of news to look at instead of believing what I'm fed, especially from normal news agencies which break under pressure by Big Brother's bully tactics.
I don't see why the FBI backed off. Secret documents were stolen, and it's important to find out where they came from, lest the next stolen documents result in murders and chaos.
It's likely they backed off because they didn't have a case to begin with jackass.
Indymedia supports violent actions. Witness how they moan and cry about police trying to maintain order in Gothenburg, Sweden last weekend, ignoring the 50 injured officers and 5 dead horses that resulted from anarchist riots in the downtown core. The "collective" doesn't seem to give a shit about the one officer that got nailed in the head by a rock, knocking him unconscious, but you'll hear no end to the bitching about the attacker who got shot by fellow officers in self-defence.
Hypocrites and suburbanite bleeding-hearts, the lot of them. They don't deserve sympathy, and they don't deserve pity.
Your post means absolutely little. I read IndyMedia, and feel no need to go out and hurt anyone asshole.
New World Disorder?
Want Root?
... that it's just another buffer overflow.
Not to say buffer overflows aren't major, but it's not like one is typically any bigger than another. Whether you can throw a cat through or a mouse, is all up to the media and (l)user hype.
Sorry. Just another one of those rants I guess about making mountains out of molehills.
Jason
I wonder when the privatized prisons will get around to selling the labor of programmers who have been incarcerated for violation of /PL\d+-\d+/ and then having Salon "journalists" writing about how this is simply "rehab" for young men who needed guidance anyway? It would certainly appear to be a great boost to the economy to be able to compensate young programmers with rooms in the portions of the "facility" not populated by gang-rapists. That way you don't have to give them actual Federal Reserve Notes -- greedy neurotic little bastards that they are.
Seastead this.
My response: "What do you mean WE?"
You have to burn a lot of bridges to actually end up in the street. You have to lose your income, your savings, your friends (or the goodwill of your friends) and what might be called Social Capital.
The trick is to have a lot of bridges to begin with, and to keep them from catching on fire.
Most of this will sound utterly obvious to nearly all of you, but you've got to reserve money (for upcoming bills and insurance payments), save money (for no particular purpose . . . a rainy day fund), be absolutely fanatical about paying off your debts, and stay in good with friends and family.
Short of a natural disaster or major crash, someone who does this won't end up on the street or "car camping."
And if there is a major crash, think of the great blues songs you can write! "Once I built a network, made it run, . . ."
Stefan
Thomas Jefferson died broke and deeply in debt. I guess he made some really poor choices, didn't he?
"Freedom means freedom for everybody" -- Dick Cheney
-Legion
It's a nice idea, but I suspect it wouldn't work. It's like free cooperative DNS - too tempting for abusers. I suspect that if Freedom takes off, Abuse will be their biggest cost center. The service is a natural haven for crackers and spammers. Hobbyists might enjoy setting up the FreeFreedom servers, but I doubt they'd enjoy chasing down and disconnecting abusers. Besides, in a free anonymous system there is really no such thing as disconnection.
In fact, netblocks housing such servers would very likely end up on the RBL, never to be removed (until our ISP's TOS us).
I wonder how many of those other submitters also conveniently "forgot" to point out that the article specifically mentions that a patch was released yesterday.
Riiiggghhhttt...we all know how much the popular "DotSlash" website gets hacked.
If you celebrate Xmas, befriend me (538
I posted this Yahoo! article describing the flaw, but it was first posted at news.com. Really, does it surprise anyone? Now what about the poor network admin who isn't keeping updated with latest bug news, and still has the old version a month from now?
For a second I thought ./ had been compromised again.
At the time I write this (11:12 am Australian Eastern Standard), Microsoft's announcement of this vulnerability at was dated May 18, not June 18.
Sheesh.
The first factor was a design flaw. She was designed to float with any two compartments totally flooded. They could have done better by extending the bulkhead walls higher, but nobody could conceive of a collision that would flood more than two compartments. But if you head straight at an iceberg and then try to turn at the very last minute...
The second factor was overconfidence. "Oh, the people who built this ship have thought everything through! There's no reason we can't go at flank speed through an iceberg field!"
Fallible engineers and blind faith in technology. Not a problem any more, right?
__
In part (it is a long and thoughtful read):
In the story, a couple of consultants/network guys wound up in a shelter because they lost their jobs and couldn't pay their bills. One had a 100K a year job, the other a steady 60K consulting gig. These men caught the fear and it has swept them into the gutter. Is the idea of being young and homeless scary? Sure. But here are some factors people have to consider before embracing the fear. Why? Because the fear is a powerful thing. Once it has a hold of you, it owns you. You can't think, can't do anything but absorb the fear and let it control you. Why is the fear spreading so fast, based on ONE article? Because it could be anyone. It was as if everyone now had permission to be scared about their future and all of a sudden, all that libertarian thought they had sucked down was not working. The possibility of poverty, or a quick trip back to 1992 was not what they expected after the boom. And the fact that it's here scares people to the core. There's no work, there doesn't look like there's going to be any work, and people don't see a market for their skills. No more trips to Europe, no more unlimited futures, no more foosball in the office. No more office. But let's look at the circumstances of that article more closely: "
And it goes on.
a pretty good look at the psychology behind why the story struck a raw nerve in folks
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
The basic idea behind Zero Knowledge's Freedom project is that your traffic gets pooled (in a cryptographically secure manner) with that of the rest of their customers in such a way that all anybody (but ZKS) can discover is that one of their customers is doing something.
It would seem to me that a cooperative group of people could accomplish much the same without too much trouble: set up an IPSEC WAN and a bunch of proxy servers that only speak to clients on the private side of the network. Use DNS load balancing, and all you know is that a request is coming from a participant of the WAN.
ZKS also offers pseudonymous email, web server profiles, newsgroup posting, etc--all very good. But there's no reason the cooperative couldn't provide similar functions.
ZKS runs the servers that do all the heavy lifting. In the cooperative, all the members would provide a piece of the heavy lifting.
Yes, I'm painting with a broad brush here, and even I could start to pick holes in the way I phrased some of all this. But, I think the basic idea is sound: rather than rely on a company like ZKS to do everything, have everybody chip in, even if it's just to share some bandwidth and CPU cycles. Surely if we can all cooperate sufficiently to create a number of operating systems--even if the form of cooperation is nothing more than using them--we can also cooperate to protect our privacy?
b&
All but God can prove this sentence true.
On one hand you have a company talking about leaving the linux market because people aren't buying the stuff, and on the other hand you have the world's most profitable closed source developer being exposed for another huge hole that likely would have been caught sooner under an OSS model.
How much longer will it be till free market conditions start to force MS to shift its balance from flexibility/interoperability towards security?
ummm...I'm pretty sure it was an ICEBERG and not Free Software that sank the Titanic.
actually, now that I think about it, i'm pretty sure there wasn't much in the way of software back then either....
And you guys talk about Slashdot stories not getting researched enough!
WIRED: EEye alerted Microsoft's security team immediately upon discovery of the vulnerability several weeks ago and has worked closely with Microsoft on the development of a patch and the expeditious alerting of system administrators worldwide.
ZDNN: On that basis, Microsoft scores highly for its response, said International Security Systems' Rouland.
"If you compare the speed at which Microsoft responds to these vulnerabilities, it's incredible," he said. "They get through with the information and the fix much quicker than you'd see with open-source software."
(emphasis mine...)
Fair to say that M. Rouland just scored a huge A+ in my "troll of the year" quest...
But does someone know what the hell International Security Systems is, except a lame sounding name?
The closest I could find is a Christopher J. Rouland working for X-Force @ Internet Security Systems (xforce.iss.net)...
-- p a n a p i c - panoramas des alpes: Mont-Blanc, Mont-Rose, Cervin, etc...
Free software crashes ships?
Do you like German cars?
Clearly this is a perfect strategy: Those ship-based NT systems that are less reliable will drown while those that work will survive to breed with other ships thus improving the species....
Simon
Then there's proper unit testing, which should include full coverage testing. Unit tests should be written so that they provide all sorts of legal and illegal input. Most software shops do not have the resources to do this properly within their deadlines. They might fire up the tools if they see some insane memory leaks or if the program crashes.
But again, I'd think Microsoft has all the resources they need. Judging on the poor quality of their software they probably have figured that the (lack of) quality of their software has no detrimental effect on their sales, so they probably leave the testing to GUI monkeys, and hope for the best. Even a 0.5 trillion $ company can make a few bucks extra by spending a few pennies less.
-- Another senseless waste of fine bytes.
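An added example, not code from any poster in this thread or from Microsoft: the fixed-buffer copy pattern behind buffer overflows like the one the thread is about, its bounded replacement, and the kind of legal/illegal-input unit test the comment above asks for. FIELD_MAX, the function names and the 'A'-filled inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a fixed-size field, e.g. one value from a request
 * line or header that a server copies before parsing it any further. */
#define FIELD_MAX 64

/* The "before": the copy has no idea how long src is, so any caller-
 * controlled value of FIELD_MAX bytes or more writes past the end of dst.
 * Kept here for contrast only; it is never called with oversized input. */
void copy_field_unchecked(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);
}

/* The hardened form: the caller states the length, and anything that
 * does not fit together with its terminating NUL is refused outright
 * (rejecting beats silent truncation, which hides the bad input). */
int copy_field_bounded(char dst[FIELD_MAX], const char *src, size_t src_len)
{
    if (src == NULL || src_len >= FIELD_MAX)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* The kind of unit test the comment above asks for: drive the function
 * with legal inputs (up to the last byte that fits) and illegal ones
 * (one byte too long, far too long, missing) and count every case where
 * the result is not the one expected. Returns 0 when all cases pass. */
struct field_case { size_t len; int expect; };

int run_field_tests(void)
{
    static const struct field_case cases[] = {
        { 0,             0  },   /* empty value is legal            */
        { 1,             0  },
        { FIELD_MAX - 2, 0  },
        { FIELD_MAX - 1, 0  },   /* longest value that still fits   */
        { FIELD_MAX,     -1 },   /* off-by-one: no room for the NUL */
        { FIELD_MAX + 1, -1 },
        { 4096,          -1 },   /* the classic oversized payload   */
    };
    char input[4096];            /* constructed input: all 'A', no NUL */
    char dst[FIELD_MAX];
    int failures = 0;
    size_t i;

    memset(input, 'A', sizeof input);
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = copy_field_bounded(dst, input, cases[i].len);
        if (rc != cases[i].expect) {
            failures++;
            continue;
        }
        /* on acceptance, dst must hold exactly the bytes it was given */
        if (rc == 0 && strlen(dst) != cases[i].len)
            failures++;
    }
    if (copy_field_bounded(dst, NULL, 0) != -1)   /* missing input */
        failures++;
    return failures;
}

int main(void)
{
    int failures = run_field_tests();
    printf("%s: %d failing case(s)\n", failures ? "FAIL" : "PASS", failures);
    return failures ? 1 : 0;
}
```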
Now, I don't think they will, because it would cost a lot of money and not make them much. They know their priorities - make money and dominate the market - and they know how to achieve them. They won't work hard on quality until we really start cutting into the desktop market. And at that point it will probably be too late.
My point is, quality is not now and never has been the point of free software. It is an important point for open source, which is basically about getting business to try free software, even if it's not all that free. If you're trying to convince executives who don't give a rat's ass about freedom, you have to put it in terms they can understand. The open source movement has gotten a lot of people to open up their code and use other people's free software, who otherwise would still be dismissing GNU as a bunch of left-wing wackos not living in the real world. Which they decidedly are not, but sometimes you have to take a lateral approach to make people see that.
Free software is, and always has been, about freedom. The fact that it tends to result in better quality code is a fortuitous side effect. It's not the reason it exists, and it's not why I use it.