Slashdot Mirror
Linux 2.2 DoS Attack
A small bug in the Linux networking code has been found, and just as quickly patched. The
bug affects all Linux 2.2 kernels, and can be fixed by removing "kfree_skb(skb);" from around line 455 of
linux/net/ipv4/ip_options.c. Big thanks to Alan Cox on this one.
From my mailbox:
Date: Tue, 1 Jun 1999 23:23:04 +0100 (BST)
From: Alan Cox
To: linux-kernel@vger.rutgers.edu
Subject: Linux 2.2.* remote exploit fix
The orignal announcement was already posted on slashdot.
5hours from the BT to Alan's post on Linux kernel.
Hahahah I was just reading my bugtraq email and damn this was reported just a few hours ago and a fix is already out. That was quick Alen Cox!!!!
This shows that Open Source is the only way to go.
Bug found one minute and the next hour or so it gets fixed and posted. M$ can't even come close to this kind of development model.
THANKS BUGTRAQ POSTER
AC #967
I think that, in the lingo, these types of attacks would be "DoS exploits". Adding in the "DoS" would be more complete, I agree. This is a pretty bad one though, since it causes a panic, and doesn't just wedge the network or somesuch, so I don't think that the extra alarmism is too far overboard.
Line 512 (assuming you delete 455 instead of just commenting it out) is not kfree_skb, it's kfree_s. It's not freeing a NULL pointer, the memory for the pointer is allocated about 20 lines up, and correctly checked for error.
ip_options_compile calls kfree_skb...
Isn't that what happened to Galileo?
face reality folks, free software will always be second rate
first of all: FreeBSD is _F_R_E_E_ (that's what the FREE in FREEBSD stands for, I think) and FreeBSD is one of the most secure Unixes if not the most secure Unix
second of all: NT is far more easy to break than Linux, even though it is commercial and totally non-free.
Unless you need the improved SMP features, why bother with Linux 2.2 when Linux 2.0.36 is so good for most people's purposes?
> Look at Sun Solaris 2.6/7, and *BSD, hardly ever hear about security holes in them...
> College kids writing code in their free time will never be close to what software engineers getting paid to write stuff like Oracle, etc will.
*ahem* BSD does stand for Berkley Systems Development, as in UC Berkley. Think before you speak.
Ok, FreeBSD is cool. Buth the ONLY pro-actively secure unix is OpenBSD .
Look at TOP security sites. They run it (SNI, L0pht, Defcon, etcetcetetc).
FreeBSD is cool anyway. Jut security isn't in their top commitments.
To any Linux 2.2 users, can you explain your reasons for using Linux 2.2 instead of Linux 2.0.36? Are there any applications that require Linux 2.2?
it makes the computer think you've installed Windows! ;)
The exploit dosent compile..Why does anyone care about the vulnerability in the kernel?
> Many great achievments in mathematics, physics, and other disciplines were done by young (college aged) people. Often by people without preconceptions of what should or should not be possible. And without corporate support. Just passion for what they are interested in. Why should programming be any different?
Well, because programming is closer to engineering than it is to science or math. Sure, college kids come up with brilliant ideas, but professional engineers can code up those ideas into a workable system better due to their experience.
Oh, it's easy to produce a kernel panic.
For example, wrong LILO configuration:
Kernel doesn't find init => kernel panic.
Frank
I've worked with the FreeBSD net code quite a bit. It's not that hot.. Fact: More porn w3 sites use Linux then any other OSes..
If you want to rip on one of Linux's subsystems, go get a clue and go after the SCSI subsystem.
Linux's network stack is one of the best written out there (it's been scrapped and redone more then once too!), it's very flexible and VERY fast, frankly, it's Linuxes most polished subsystem. Quite a bit more so then FreeBSD's in my experience (ever wonder most of those clusters run on Linux? They need fast fast networking and a kernel that stays out of their way)..
If you are going to express yourself, please make some attempt to do it clearly.. My orphan annie leet-speak decoder right is almost worn out!
In my experience, in a comercial environment all that matters is money. Things are often rushed, and shipped buggy to meet dead-lines. The 'beauty' of code is not appreciated. Often, its not even greatly optimized for speed unless absolutely necessary. The only use comercial development has IMHO is developing comercial apps.. Such as Hotel Management software or other such stuff no OSS coder would bother to write.
Alan Cox says it is.
A kernel panic means that Something Bad Happened.
More generally, 'panic' refers to what a computer program does when it hits an unrecoverable or unexpected error and doesn't know what to do next. I've seen the terminology used in programs other than kernels I think..although I can't remember any specific examples at the moment..
Daniel
Making reasoned complaints is one thing. Making vitriolic assertions backed up with bold lettering is something else.
Seriously, what speedup and how did you measure it? I personally wouldn't bother with speedups of less than 25%.
Regarding SMP, most PCs are not SMP, and, I guess, most Linux users' PCs are not SMP. I therefore wouldn't expect the improved SMP support in Linux 2.2 to be the key feature which makes most Linux users want to upgrade from Linux 2.0.36.
Filesystems are an area which have the potential for significant speedups. However, it looks like the ext2 filesystem code, which could really use some speedups (e.g. listing any ext2-filesystem directory with more than 5000 files is extremely slow compared to Solaris and Irix), hasn't improved significantly in 2.2.
In other specific areas of kernel responsibility such as sockets or file I/O, I find it hard to imagine Linux 2.2 gets 25% or more speedups.
Regarding traffic shaping, did you know there is traffic shaping in 2.0.36?
Linux network code sucks
Don't take this message as a flame. WE shoud fix it. Probably start from scratch.
Nice troll. So, since you see a problem, what have you done to contribute, improve, and then advocate new code?
It seems to bug you enough that, well, you should have already contributed by now.
After all, you did say "WE."
I have to agree. I find it at least just as easy just to check linuxhq or linuxtoday just to keep up on it. And if I was a kernel hacker (which I hope to be able to get to *some* day...or year...) I'd be on the appropriate news groups to get the announcement (amoung the other needed info) right away.
Just to add my candidate for a -1, why use Linux at all instead of the obviously superior OpenBSD. Or even FreeBSD for that matter? Sure the bug was fixed quickly after it was pubically reported but the bug has been there for months and possibly years.
The real test however is how quickly redhat can manage to distribute the upgraded kernel RPMs (nothing yet on updates.redhat.com). Sure the majority of slashdot users have probably patched their kernel already but there are thousands and thousands of users (mostly in the commercial area) who don't have the knowledge to edit source code and recompile kernels. This is precisely the reason why Linux is regarded as a hacker OS and not ready for prime time.
Also, at the current rate of remote DoS bugs in the Linux kernel, I bet there will be two more discovered by the end of this year. This will continue to happen unless the code is rewritten or seriously audited.
Well, one person sort of did.
AC #967
If you do, all you have to do is change this one line, and type "make bzImage (or zImage, whichever you normally use)." Compiling a kernel doesn't take nearly so long when only one of the .o files is out of date... :)
Just to add my candidate for a -1
Why do you think this thread is a -1 candidate? As this article posted by Justin is about a DOS attack in Linux 2.2, so it is relevant to ask users of Linux 2.2 why it should be used instead of the widely respected Linux 2.0.36. Linux 2.2.x has had several embarrassing security / filesystem glitches such as the much publicised 2.2.0 with its deadly ld.so bug and 2.2.6 with its filesystem corruption.
The real test however is how quickly redhat can manage to distribute the upgraded kernel RPMs
Bear in mind that Linux 2.2 was only released on January 25th 1999 and RedHat was using 2.0.36 until it released RedHat 6.0 with 2.2. Even with sales of 500000 CDROMs of RedHat Linux per year and even allowing for, say, 10% of the installed base doing ftp DIY kernel upgrades leaves most RedHat users still on 2.0.36 or earlier.
How do you measure a speedup which you just think is a "helluva lot"? I've compared 2.2 and 2.0.36 on a 486 with 16MB of RAM, and 2.0.36 ran the XWindows benchmark 10% faster and bonnie disk benchmark 6% faster than 2.2.
Wow, not one anti-Linux word. Imagine what we all would be saying if a bug like this were found in Windows.
This post is on-topic because it is about ways of avoiding Linux 2.2's bugs by backporting essential features to the 2.0.36 kernel.
What features would others most like to see backported from Linux 2.2 to Linux 2.0.36? There are only three features I'd vote for:
1. UDMA support for faster IDE hard drive access
2.KNFS networked filesystem support
3. Video4Linux
I've used 2.0.36 with 256MB -- no leaks here yet. It could be your libc5 application was leaking rather than the kernel. Please be specific and point to the leak in the 2.0.36 kernel source code.
Can you be specific about the "tons of new drivers" and explain your reasons for saying they are better in 2.2 than in 2.0.36?
But then most of them are eengineering/scientific types so I may have a tainted sample base. or something.
I'd say such users are a significant minority of Linux users nowadays.
knfsd does a good job. I'd like it backported to 2.0.36.
Well, If you don't have Ipv4, you can't connect to the internet (IP=Internet Protocol v4=Version 4) until IPV6 is ready in a couple years.
Actually, BSD stands for Berkeley Software Distribution.
Thanks
"Why do you think this thread is a -1 candidate?"
Because, they know they are trolling. This type of behavior is unfortunate because it makes BSD users look lame, which they are not. Neither BSD nor Linux can benefit from this type of "advocacy".
By your own admission, the 2.2 series of Linux kernels are not well described as stable. Linux 2.0.36 is demonstrably more stable than 2.2.x. The 2.2 series to-date has continually needed patching to fix yet another newly discovered serious bug, e.g. security bugs (2.2.0 and 2.2.8) and filesystem corruption bugs (2.2.5-6).
what would you suggest at a better alternative...NT?
So, what you are proposing is that this brought down the entire OS? I would say no. There are loads of DoS attacks against *ALL* MS OSes which never get fixed while in the Free *NIX community when a bug comes to light it is fixed nearly instantly. I would say this is a fairly stable feature myself.
Oh please... Motherhood and apple pie...
The point is upgrading to Linux 2.2 is not necessary for most existing Linux 2.0.36 users unless, for example, they need the improved SMP support in 2.2 which, as argued two posts above this one, is a minority interest since most PCs and most Linux users are not using SMP.
connect() to port 1073
write() 256 bytes of garbage
Do not close() your connection, and wait for the server to go down.
As far as I know, this EASY exploit has not been fixed. Somebody check it out... I don't have an NT box handy that I can trash. (Please do NOT check it out on someone else's box!)
Ethan
2) College kids writing code in their free time will never be close to
what software engineers getting paid to write stuff like Oracle, etc
will.
Actually, Alan IS getting paid to write free software.
Your troll detection is miles off target... Until your contribution, this thread was a useful discussion of reasons for using Linux 2.2 and 2.0.36.
What specific improvements to memory management do 2.2.x kernels have over 2.0.36 which lead you to claim "better, more dependable memory management"?
I would have to agree. With my recent upgrade to 2.2(.9), my IDE Zip drive is now generating endless I/O errors and looses data whenever I try to copy or write to the drive disk. Worked fine in 2.0 as far as I can remember, and it works fine when I have to use it in 98.
2.2.5 or 2.2.9 also will not reboot my machine. It will get to the point where it is done printing messages on the console and is ready to actually reboot the machine, but it never actually does.
If anyone has any ideas, I'd greatly appreciate it. this one has me stumped..
altair@rhythm.cx
Space is not an empty environment. Lots of charged particles flying about at near c speeds. While a few thousand particles passing through an astronaut and the ships hull causes negligable harm to either, particles zipping through 64MB SIMMS can easily flip lots of bits, maybe the bits that mean jettison fuel, and hit igniters, in that order. Even if the radiation killed all onboard life, the core memory would be unnaffected so that the ship could still be piloted back remotely. (To exmaine the ship to build the next one better).
Linux sucks, it's buggy,
now help fix it!!
*big grin*
does it help at all?
darned masochist!
heh heh...
cheers
It sends ICMP packets with some random header values (or that's what the text said, I didn't bother to read the source code too closely..)
1) If BSD had as many people banging on it as Linux does, I'm sure more bugs of this nature would turn up for that OS.
2) DG/UX is actually the most secure UNIX I've ever run across. I helped with the auditing to get it B2 certified.
It's because you're not a software developer (or at least not much of one), yet you are commenting on serious development issues as if you were. I'm going to have to ask you to put the keyboard down, step back, and come with me. You are being charged with violation of Linus' Law, section One.
But don't worry--you'll probably get off with a suspended sentence and a trip to net-traffic school. They'll teach you the meaning of the words "With enough eyes, all bugs are shallow" and you'll stop saying stupid shit like you did above.
But until then, it's my duty to get you off the net where you are a menace to real developers.
Can we log attempts on our system as part of the next kernel? I'd rather like to know when people are trying to DOS me and bitch at their sysadmins because I have nothing better to do with my time than getting script kiddies kicked off their ISPs.
Out of interest, why are you replying to this thread entitled "Any reasons for using Linux?" when you're post appears to be a followup to a different thread judging by the material you quoted?
I would think the best coders are the ones who enjoy it, it doesnt matter what external influences you have as long as you are following your heart and not the dollar alone
One of the benefits of open source software is that you are not forced into continual software upgrade cycles. The widely respected Linux version 2.0.36 is good enough for many people and should stay that way indefinitely. Kernel developers are of course free to enjoy their endless experiments with unstable risky Linux versions like 2.2.x.
Is that why the majority of research is done by or derived from research from universities and colleges?
For example I have seen a project done at a university of a 3D face that would move its mouth according to speech recognition. Its about a few years later and a company called film box finaly came out with this feature in their 3D program.
Give that man a see-gar! Well said, chum--you can be in my community any time.
You can create your own webboard and you can let them say anything they want.
There is always to much censorship and there is always to little censorship.... would you like to come home from work and find that public TV is showing all kinds of porn during your childs cartoon time? Of course not. There is always to much and always to little, let things balance out.
Thats a bad idea.. Since the sploit is ICMP, I could generate sploit packets with bogus IPs and get you to get people I dislike kicked off stupid ISPs..
So insted, Linux does not report such things.
The suits aren't here on Slashdot. My comments were aimed at the Slashdot crowd, ostensibly the cutting-edge 'nerds,' who seem to be all sitting back asking why they should take a chance on 2.2; not at the 'casual user.'
#ifdef RANT
:)
Ah, if people could only learn to use a GC rather than trying to free memory by hand...
#endif
You want GC in your IP stack!?!?
if you have a machine that's not 100% mission-critical, run 2.2.x on it. And in a few months, when 2.2 settles down, run
it on your mission-critical machines.
I did......Ialmost lost every thing. It sort had a system wide failure which I was unable to recover from even by starting from a scratch clean build. Actually now that I remember I DID loose every thing, but I managed enough life from it to do a quick backup of some things before it crashed completely.
Well in fact it could be ok for commenting out sections of the Linux kernel, because it is actually GNU cpp (the preprocessor) that removes the '//' comments, so it would works perfectly (even with a non-GNU C compiler configured to use the system GNU-cpp, obviously).
This sounds like a good time for someone to collect and publish the length of time it takes the major distributions (Redhat, Debian, Slackware, etc...) to post their official patches on their web sites. Has anyone done this before?
I've had a very low load NT 4.0 machine running since April 14th. No memory leaks, no nothing. It was up this morning, so I guess it made it... ;)
Although, it's just running one server application and dumping into Access...
My Linux box goes down several times a week. Then again, I'm writing RT-Linux modules on it
Switch to an OS where there aren't 10,000 programmers pounding away to add changes that result in a new release every two weeks.
I was amazed when I discovered how long a 2.2 was out before the first 2.3 became public. Shouldn't there be roughly 2-2 2.3 releases for each 2.2 release? Shouldn't there have been at least several 2.3 releases out before 2.2.0 went out?
Hey troll,
before you complain about bugs in the Linux kernel, I suggest that you take a look at Bugtraq and see how many DOS attacks / exploits have been found in both OpenBSD and FreeBSD over the last year.
Hint: considerably more than zero.
There are bugs in _any_ OS, the fact that Linux has a greater user base probably contributes to the fact that more bugs are found and fixed than other OSes.
Nope, I suggest FreeBSD.
At least the networking code is written well.
Ahh, thats not what I hear!
>mission-critical 24x7 system, perhaps I'd think about it some more
one would have needed a reboot to install 2.2.x in the first place - can't be that critical.
Yep! I always prefer FreeBSD for my IPX, AppleTalk, and DECnet needs.
Actually, the use of goto in the Linux kernel is not for exception handling (for the most part).
It is to optimize the machine code generated by the compiler. (basically, Linus and company have discovered on many occasions that using gotos in the manner they do produces faster code than using standard C constructs and trusting the compiler to optimize)
you actin' like a real bitch right now.
~gurly
The point is upgrading to Linux 2.2 is not necessary for most existing Linux 2.0.36 users unless, for example, they need the improved SMP support in 2.2 which, ...
...or ipchains, or ethertap, or fast VM, or a current driver base, or knfsd, or...
I'm sorry, but it's a fallacy to think that SMP is the only reason to fire up 2.2. The current kernel is extremely rich in desirable features, and boasts some performance improvements for UP and SMP systems alike.
Yes, there are still plenty of good reasons to stick with an existing 2.0 kernel, not the least of which is "ain't broke, don't fix." There are a surprising number of 1.2 kernels out there today, and if they're serving a need sufficiently, there's no reason to upgrade them. The same goes with 2.0.
However, it's important to note that 2.0, while stable, is outdated and not being maintained. It's fairly unlikely that most of the desirable features in 2.2 will be backported. If you need or want them, you go to 2.2. To say that most users have no need to upgrade is to belittle the performance boosts gained by improved VM and scheduling. Most of those 2.0-based systems are small UP machines -- as you mentioned -- and are the most likely to benefit from speed gains.
Should everyone run out and upgrade? No. But they should be encouraged to.
3x faster in disk access under IDE is enough for you?
Before you rush to judgement with "Hey Troll" take it easy and re-read what I said.
I said Linux 2.0.36 is widely respected and good enough for many people's purposes. I did not claim other OSs are better or worse than Linux version x. Linux 2.2.x will no doubt reach the same level of stability as 2.0.36 but it has had several embarrassing security / filesystem glitches such as the much publicised initial release 2.2.0 with its deadly ld.so bug and 2.2.6 with its filesystem corruption. N.B. I am not saying the early 2.0.x kernels had better stability than the 2.2.x kernels. I do think development kernels could stay longer in development without upsetting developers' egos and without undermining the effectiveness of the "many-eyes shallow-bugs" philosophy.
~The orignal notice of it went out a little less then 5hours before Alan posted a fix to linux-kernel.. *not bad* Esp considering the alert was kind of vague (something about 'panicing under a high volume of weird (perhaps size wrong) ICMP packets')..
Kudos to Alan and the rest of the Linux community.. Lets see a close source vendor come back with a 5hour turn around on a obscure one line logic boob bug.
I ment Alan not Alen!!!
Software that's new is insecure, because it hasn't been tested. This is an axiom. People laugh at NASA and at the Space Shuttle's dated hardware and software. But NASA tests the bajeezez out of their systems because they *have* *to* *work* or poeple die. So by the time they finish fixing bugs and testing, their system looks dated. In the consumer software market, the attitude toward bugs is always, "it'll be fixed in the next release". But the next release has new features or rewritten features. The result is that the old bug may be fixed, but there are new bugs to take its place. No one ever goes back to the already released code, fixes reported bugs, makes no other changes and adds no new features and then releases the same software again. This is why Linux (and Windows 9x and NT and SunOS and...) will always be inherently unreliable. Even in the automotive world, cars with discovered problems get recalled and fixed. Why? The gov't has quality regulations (lemon laws) that force manufacturers to actually fix problems (and to fix them for FREE) in their products. Given a choice, I'm sure the auto industry would happily tell consumers with flakey cars that all will be better in next year's model and that they should upgrade/trade up. It's only because they are forced to fix the old cars that they actually do so. Software has been unregulated and "disclaiming all liability and fitness for any purpose" (from any EULA) for far too long. And if they don't shape up on their own, the gov't will step in and do it for them.
ipchains..tons of new drivers..i believe Video4Linux.
im sure theres a lot more
I heard that RAF bombers still use core memory in the onboard navigation systems. Apparently they upgraded to pentium systems a couple of years ago, and they crashed too much. (the computers, not the planes ;) )
I would rather have a computer on my desk that crashes occasionally, than core memory.
A panic is a kernel crash message.. The Linux equiv of a BSOD (although many Linux panics dont cause a hard lock, and usually only kernel developers or people with bad hardware see Linux panics).
"All" 2.2 kernels? What about those that weren't compiled with Ipv4 support?
ran it against 2 boxes.
(all boxes are running 2.2.9)
Exploiter is a PII 233
exploited 1 is a dual pentium 133Mhz and crashed after 74 and 138 "b00m"s.
exploited 2 is a single 21164 600Mhz (DEC Alpha) and caused the "b00m" program to die after 367 packets with the following line "Unable to get host name: Connection refused".
will continue playing and see how many will be needed to bring down the PII, but I wanna know if anyone else has noticed similar "oddities" in this exploit (ie., has anyone crashed a non-x86)?
It goes with the purpose of moderation to weed the needless posts out from the good.
This criteria makes no sense. The post *is* a good post. What it is repetitive aka needless in your words.
We all know that he was trying to be helpful, and had he gotten here about 2 minutes earlier, he probably would have gained points instead of getting a -1.
Ridiculous. He's penalized for the time it takes a slashdot page to update with the other person's post? or the time it took him to (after checking for like postings) cut, paste, and preview?
Mind you, I agree that repetitive posts need to be cut down on. I do not see it fair, however, to negatively moderate. Don't cast it off as solely an aspect of "moderation." In most cases of moderation, there is not a peer review system. In most cases, a repetitive post would never make it through, but would also not be held against someone.
You could simply fix the problem by adding a criteria of "useful but repetitive" such that it acts as a -1 or -2 when comments are viewed, but does not contribute to the person's "average."
...so that you can find and report bugs.
If all you're worried about is what Linux can do for you, it would seem you don't totally GET what Open Source is about. We all participate. If you can't code, document or test or something.
But don't just sit back and say "2.0 works for me," because then you're just taking other peoples' work without giving anything back, and that's no way to run a community.
If you have a machine that's not 100% mission-critical, run 2.2.x on it. And in a few months, when 2.2 settles down, run it on your mission-critical machines.
And when 2.3.x gets past the point of exploding, start running it, and find bugs and report them and help make Linux better.
Contribute, people, don't just take.
That's too negative. If a particular version of open source software meets somebody's needs, who are you to say they are not benefitting the open source community unless they try a newer version and send back code and/or bug reports? One type of contribution you are completely ignoring is the satisfied user who becomes an open source advocate to potential new users.
Quite a few people have parallel port Zip drives these days, and the driver for it under 2.2 is so much better than the driver under 2.0.x that it's not even funny. Well, at least if you have a decent parallel port, which most people do. Under 2.0.x, I was getting disk access rates so slow on my Zip drive that I would
rather reboot into Windows just to copy files from my Zip disk. Now, the access rates are about the same as in Windows if not better.
The frame buffer devices are also _very_ nice. Not to mention better management for modules and such.
Really though, the clincher was the vastly improved parallel port driver. Oh, and you can print and access the Zip drive at the same time too. Very nice.
It allows a remote user to panic a affected machine with a bogus packet.
This just came to me from BUGTRAQ.
../linux.vanilla/net/ipv4/ip_options.c Wed May 12 16:49:38 1999
Can someone tell me what that output means?
--------------cut here---------------------
Ok problem confirmed. Its not icmp however - in fact the program given
has some bugs that cause it. If it had been a correctly written icmp tester
it wouldnt have worked. A blessing in disguise.
Anyway the fix seems to be this. Sorry it took so long to sort out.
---
+++ net/ipv4/ip_options.c Tue Jun 1 22:11:46 1999
@@ -452,7 +452,6 @@
error:
if (skb) {
icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)- kfree_skb(skb);
}
return -EINVAL;
}
Alan
ARGH! It's a remote crash.. Most people would rather there be a remote crash then a remote exploit.. (RE in most people's minds means the attacker gets root)
PLEASE update the post to indicate that this is a crash and not a root explot.. PLEASE!
No. Censorship. Evil.
This comment is at -1.. Another comment which was dated 1 minute earlier that contains the same information is at 5. This guy wasn't TRYING to be redundant! This post doesn't deserve to be at negative one. He posted this to try to be a nice guy.. Look what happened. He got slammed 2 points because he was down a minute, and now there's a good chance he won't be a moderator because of his negative alignment. This scares me, because I don't want to only people left with postive alignments to be moderators who hit the -1 far too liberally. Read the guidelines. Focus on promoting, not demoting!
oh, and if you're not behind at LEAST one firewall and you're connected to the Internet, you deserve anything you get hit with-- regardless of OS.
Period.
So, my grandmother.. On a dialup account on a win95 box.. In a support for disability channel on IRC.. deserves to be teardroped?
Bleading Edge hacker types run 2.2? Hrm. It's the stable kernel for distribution now. Anyone with RedHat 6 or whatever the latest Debian version is (Potato or something) will have this exploit. RedHat better have a fix up on their server pretty damn swiftly.
--
David Coulson (TechNoir)
themes.org Senior Developer
New slashdot suggestion: If a post is marked flamebait by 500 moderators, kill it totally...
--
--
Just lurking, thanks!
LinuxHQ is having DNS problems (the owner of the name took it back). The maintainer (Jim Pick) had just enough warning to preemptively get another DNS name (kernelnotes.org). Therefore, the LinuxHQ site is currently up and happily running at http://kernelnotes.org. If you want more info, check out the announcement.
----
Open mind, insert foot.
The same number of security holes are present in proprietary OS's. They're not easy to find without the source code, however. The holes that are found, if they're announced by the vendor (or kept secret), typically do not come with solutions.
I had similar problems with 2 IOMEGA Jaz Drives. The fact is that a good number of IOMEGA Jaz/Zip drives are defective. One of the better known problems is discussed at this page.
IOMEGA makes garbage hardware. It's a cryin' shame that they have established such a monopoly in the removable media industry.
----------------- ------------ ---- --- - - - -
----------------- ------------ ---- --- - - - -
Your honor is perfectly understandishable.
- A.P.
--
"One World, One Web, One Program" - Microsoft Promotional Ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
banner -w80 'Linux Still Sucks!'
A classic newbie prank is to pipe the output of banner to write to disply obnoxious stuff on someone else's screen. (It's almost as classic as using xloadimage to change someone's root window to a hardcore porn pic). This guy obviously hasn't gotten over it, though honestly I laughed my ass off when I saw it.
Can anyone confirm whether or not this affects 2.3.x kernels? The line in question is present in 2.3.4 (which came out today, though you'd never know it, 'cause Rob appears to have knuckled under to the 31337 weenies and quit announcing dev releases), so my guess would be yes...
The new 2.2.10pre2 patch includes this fix.
But what good are all those if you have to reboot every two days every time a new bug is found?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Posted by stodge:
Do you think he got his point across?
Posted by FascDot Killed My Previous Use:
...from someone who doesn't know how to use a dictionary.
"censorship - the prevention of publication, transmission, or exhibition of material considered undesirable for the general public to possess or be exposed to."
--
"Please remember that how you say something is often more important than what you say." - Rob Malda
Posted by Rafl:
...I'm learning.
So, when it says 'to comment', means that section of the code is 'not to be executed'!
All the time I thought that the author is requesting critiques or comments on the quality of his code.
Posted by The Masked Miscreant >:):
/. than you realize. Me, for example. There's probably a fair number of 'suits' who browse through here too.
There's more 'casual users' here at
Mind you, I have no intention of remaining a 'casual user' forever, I just don't have the experience with the OS yet to be comfortable enough with it to be of any real help on any of the projects I'm potentially interested in.
Did removing this kfree_skb call cause a memory leak? Or was the memory free always unnecessary?
... I'm not suggesting that the people in the know kernel-wise haven't considered this, I just find it odd that a free can be so readily removed without requiring new code elsewhere to make sure that the memory really does get freed at the right time.
If I ever fix a bug in my code by removing a call to free() I tend to get very suspicious
Probably a little of (b) and some of (c) as well. Someone had too much time on their hands, methinks. Apparently the original poster didn't get the concept of quick turnaround on fixes - there may be bugs, but when they're found, they can be fixed, and that fix propagated quickly. Some people never learn...
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Hmmm... how does that make it not an exploit? It seems like it could be used as a denial of service exploit at the very least. Also, crashing can be used to run specific code in some cases where there is a buffer overflow (although I don't know if that's applicable here). There was a bug found in IE awhile back that caused it to crash (I think it's archived at the l0pht somewhere) and the person who found the bug (dildog) was resourceful enough to turn it into a serious exploit by controlling the buffer overflow.
-----
Free P2P Backup, Windows & Linux
I was amazed when I discovered how long a 2.2 was out before the first 2.3 became public. Shouldn't there be roughly 2-2 2.3 releases for each 2.2 release? Shouldn't there have been at least several 2.3 releases out before 2.2.0 went out?
Nope, the 2.1 series led up to 2.2, while 2.3 leads to 2.4. There were "at least several" (ahem!) releases in the 2.1 series.
dylan_-
--
Igor Presnyakov stole my hat
I 'bother' to use 2.2.x myself because it's helluva lot faster than 2.0.x in my experience. If you run a P/100 with 32MB RAM, you know what I mean.
In Soviet Russia, Jesus asks: "What Would You Do?"
The past of Red Hat's security measures? eh? They always seemed fairly fast to me. They beat any commercial vendors, and as far as I can see any Linux distributions except debian.
I would rather have a computer on my desk that crashes occasionally, than core memory.
Maybe, but you don't fly your desk. I think.
Is that a mix between a segfault and a SIGSEGV? Don'
...from someone who can't think.
"sarcasm - a mode of satirical wit depending for its effect on bitter, caustic, and often ironic language that is usually directed against an individual"
On the other hand, if it takes you more than 3 minutes to write and compile a C filter program to remove C++ comments from a file, you're not a Real Programmer(TM). But seriously, it's a trivial task -- so trivial that I don't see this as a good reason for not using C++ style comments these days in straight C code...
--
"Convictions are more dangerous enemies of truth than lies."
Or you can keep the problem private, meaning the cracker will almost certainly hear about it before the sysadmin, assuming he's out looking for vulnerabilities while the sysadmin is busy doing his job, which unfortunately encompasses much more than spending 24/7 looking for vulnerabilities no one will tell him about.
The suits may think twice, but what are they going to do, stop using computers? That's the only way to prevent this sort of thing.
Since you say "that isn't good enough", what should be done instead? What would be "good enough"? For software to never have bugs in the first place? That would be great! Oh, and have I have a little of what you're smoking? It sounds positively blissful...
Stick our heads in the sand and ignore the problem? That doesn't strike me as useful.
Switch to an OS where solutions don't appear within hours? That doesn't sound very smart.
Please, pray tell, since the situation here isn't "good enough", what is?
--
"Convictions are more dangerous enemies of truth than lies."
It's about 4hrs slower than the teardrop fix, if your calculations are correct. Still, much faster than any patch or bugfix MS has ever made.
*All* OS'es suffer from DoS exploitable bad code. /sys dir on my FreeBSD box for
I had to patch the
some exploit too.
Well, there goes 70+ days of uptime. Damn.
:)
:)
Good thing with a full packet log though, running on a box with a non-affected kernel
Isn't this the first serious remote crash bug in the 2.2.x series ? There have been other bugs allright, and there still is, but I believe this is the first remote one.
That is not bad, if one thinks about the _huge_ changes that went into the 2.2 series from the 2.0 series. I'm pretty amazed we haven't seen a few more of these already... They may be coming though.
I would have expected a bug like this to appear sooner. And I would have expected more of these bugs. Well, either the developers are blessed with luck, or they are really skilled. We'll see which, in the next few months I guess. Luck don't last.
Good work guys ! Also on the fix btw.
ipchains and ipmasqadm. two *awesome* tools that I don't know how I lived so long without.
what OS he/she(it? are trolls gendered?) used to make that banner? ;-)
/dev
"There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
knfs.
...
Speed!!!
2.2 also kicks ass on multiproc machines. but you
already knew that
traffic shaping too...
/dev
"There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
The people I knew in school that would do that kinda crap would just pipe over a 10 mb gziped binary to your ptty. If you didn't know better it was enough to piss ya off and wreck your whole day.
...
or your whole term session anyway
/dev
"There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
I would love to agree with you, but can't.
:-) You can't ever really test this kind of general purpose system.
...
It would be damn near impossible to run a full qual. test on a modern OS. The complexity level is just to high and there are really no requirements to test anyway. The government will not (I hope) step in here. There is no reason for them to do so.
Think of it this way: it takes WEEKS of 24 hour computing to run a FQT on an aircraft digital flight control system. WEEKS. and this is a system with super super rigid, well defined, realtime requirements. There is no code in the system that is not used.
Now consider the Linux kernel. How many system calls are in there that joe average user never touches? How many combinations of things could be going on at one time? For all intents and purposes we are dealing with an infinite combination regression test situation here. or something.
With the complexity in modern realtime and avionics systems, we are pushing the limits of software test. Formal qual testing of general purpose software is a lost cause.
i'll stop rambling on now
/dev
"There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
From the archives at www.geek-girl.com
Linux kernel 2.2.x vulnerability/exploit
Piotr Wilkin (pwl@WOTAN.2SLO.WAW.PL)
Tue, 1 Jun 1999 17:43:17 +0200
Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Salvatore Sanfilippo -antirez-: "whois_raw.cgi problem"
Previous message: aleph1@UNDERGROUND.ORG: "New Allaire Security Bulletin (ASB99-09)"
I'm sorry if this has been noticed before, but since I did't find anything
in the archives, I post it here.
There seems to be a bug in kernels 2.2.x (tested on 2.2.7 and 2.2.9), that
causes them to panic when they are sent a large number of specific ICMP
packages. I think the problem comes from the combination of the mangled
header length (shorter or longer ihl's don't cause hangup) and the random
ICMP packets (random type/subtype and source address) this program sends.
Windows 9x and FreeBSD 3.0 seem to be unaffected.
I think the most interesting thing is the date, though... I'm sure I'm making a timezone mistake here, but isn't that 8 hours ago? Is that faster or slower than the Linux teardrop fix?
It's annoying to find out about a new DOS attack, but the resolution is all that you could hope for.
It's a little less annoying that there don't seem to be any outstanding instant-crash attacks against Win98 to laugh about - they finally fixed the series of attacks that crashed 95 for 8 months straight, and I haven't seen anything since. Did Microsoft finally get their IP stack right?
echo 'main() {exit(0);} // useless program' |
sed 's#//\(.*\)$#/*\1 */#'
Hyuck! Jus' kidding!
**>>BELCH
When "found" = "fixed" I think it's well worth it.
**>>BELCH
Oracle, eh? Hmph. Ever used it?
I'll go with the College kids. Hell, I'll go with the drunk college kids!
**>>BELCH
With Linux, just figure out where the offending instructions are by groveling through the compiler and linker output, and write to the relevant locations in /dev/kmem. For this particular bug, you probably only have to NOP out a few instructions.
Personally, I'm just as happy to reboot. It's not like it takes very long, and it's easier and safer. But if I were running a mission-critical 24x7 system, perhaps I'd think about it some more.
Rather than let this dipshit have the last word, thought I'd mention that my box running 2.2.8 with ipchains firewalling and a rule banning incoming ICMP is NOT, i repeat ***NOT*** vulnerable to this exploit... just FYI. oh, and if you're not behind at LEAST one firewall and you're connected to the Internet, you deserve anything you get hit with-- regardless of OS.
Period.
Linux is buggy! Yay Microsoft!
Sorry, just had a moment of strangeness.
Uh... before you apply this patch, notice that the "less-than" in the icmp line should actually be doubled (i.e., a left shift opperation)! The second less-than symbol got swallowed somewhere in the HTML conversion.
Your Servant, B. Baggins
This is known for long. Win95 (and 98?) count time as milliseconds since boot in a 32-bit variable. If you do some calculations you will find out that it will wrap around after 49.71 days.
For a comparison: Linux counts hundredths of seconds (except on the Alpha, where it too is ms but 64-bit) and will therefore last ten times longer until wrap around. However, kernel code is expected to survive a wrap and debugging is done in this area (like setting the timer variable to a few minutes before wrap at boot time and see where problems arise - 2.2 should have eliminated most of them).
Well....
This is a bit irritating... but then again most people using 2.2 are bleeding edge hacker types who will think very little of making a new kernel.
Now... has anyone tried the exploit on other OS's?
See the following:
= /security/casesensitive.htm
http://www.ntsecurity.net/scripts/loader.asp?iD
In short, every version of NT has a security exploit that allows any user to get root access. That's a far greater security risk than this DoS attack, which can simply crash your system.
It has been known for over ten weeks. And AFAIK, Microsoft hasn't released a fix (at least I can't find one on microsoft.com). It is possible that NT 4.0 Service Pack 5, released six weeks after the hole was found, fixes it -- for NT 4.0 users and NT users willing to pay to upgrade to 4.0 only.
Now, which is a bigger deal -- a DoS attack fixed eight hours after publication, or a root exploit unfixed for at least six weeks after publication?
"Do you think the suits want to 'become part of the linux community'? "
One certainly hopes. It would be a good step in accord with linux becoming part of the business community.
"Do you think the casual user actually wants to be involved in tracking down and reporting bugs?"
No, I realize the casual user wants to be blissfully unaware of anything at all. This applies to lots more than computers. (Driving, for instancce -- I don't think the casual driver wants to be involved in avoiding traffic accidents except those involving him.)
"No average user is interested in 'running a community'."
Wait just a minute. The average Linux user is,
or ought to be. Or else somebody missed something fundamental about what linux is somewhere along the way.
"They don't want to contribute to making an operating system, and that's why they
continue to pay for software instead of going open-source."
What's wrong with that? Is this how you characterize the average *linux* user? You're using windows users to illustrate the beliefs and
behaviors of linux users. I have a real problem with that.
-fb Everything not expressly forbidden is now mandatory.
I was trying to figure out why this kfree()
broke things, and trying to figure out where
it was freed elsewhere.
Could the root of the problem really be the
program logic, which is implemented using a nonzero number of goto's?
I realize that goto is only being used for throwing exceptions, but still... if you're
using goto's in code with malloc's, you're asking for trouble.
But then, I'm no kernel hacker...
-fb Everything not expressly forbidden is now mandatory.
2.2 is a stable kernel, not a "bleeding edge" kernel. They're very stable...
In fact, I consider them more stable than 2.0 systems in many way... better, more dependable memory management is just the first of these improvements.
Try a system with 256 meg of ram. It leaks all over the place... even over 128 meg, it's a known problem that only 2.1/2.2 fixes.
:)
There are also quite a few networking bugs that were worked out for the never-quite-released 2.0.37 that are in 2.2... really, staying back on 2.0.36 because it does everything you need is fine, but so is staying with 1.2... a good lot of people can make their lives a lot easier with 2.2 and I'm surely one of them
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
i believe NT 3.51 was also affected, but it was patched/fixed for 4.0
This is not quite accurate. The actual bug was in Windows 95 (still in 98? Don't know). They discovered that the uptime counter rolled over after approximately the number of days you mentioned, and crashed the box. This was discovered, if I remember correctly, earlier this year (it seems that in 3 and 1/2 years NO ONE had ever successfully kept a Win95 box up for that long!).
NT, however, does not suffer from this particular bug. I have a client who managed to keep his NT box up for at least 78 days -- mostly because the machine was so little used (he's an exec, not a geek). After 78 or so days, he had next to no free RAM left for anything. The leaks in the OS itself had plugged the system horribly. Nevertheless, this man did successfully run it for 78+ days.
DFL
Never send a human to do a machine's job.
For Windows 98: "I sure hope that there aren't any more delays on that service release! It's been a year already! I hope this bug's covered in it or I'll have to wait another 6 to 8 months!"
For Windows NT: "Lessee, I can apply this 'unsupported' hotfix that Microsoft released...or I can wait for Service Pack 6 due in 3-6 months..."
Meanwhile, for Linux, it's this: "5 hours for a patch? What TOOK so long???"
DFL
Never send a human to do a machine's job.
>>*ahem* BSD does stand for Berkley Systems >>Development, as in UC Berkley. Think before you >>speak.
I thought it stands for
Berkley Standart Distribution....
Not being a programmer (I can write a "hello world" from memory on a good day) but having compiled many kernels, it was pretty easy to edit ip_options.c and recompile. In fact, using the other methode, I'd still be downloading an 18Mb "service pak" or a small "hotfix" from source code central & Fort Knocks, days afterward (and that's IF the supreme dictators decide it's in THEIR best interest to divert limited resources from other projects to address the issue).
Keep up the great work guys
Chuck
try { do() || do_not(); } catch (JediException err) { yoda(err); }
You might want to think twice about using 2.2.9. There are some known stability issues with 2.2.8 & 2.2.9; 2.2.7 is the latest stable `stable' kernel.
he probably used something like figlet, which is infact, a Linux program that has been ported to many other systems
Do you think the suits want to 'become part of the linux community'? Do you think the casual user actually wants to be involved in tracking down and reporting bugs? Most people want stable, usable software, without having to become part of the development process. No average user is interested in 'running a community'. They WANT to be able to sit back and say 'blah is fine for me'. They don't want to contribute to making an operating system, and that's why they continue to pay for software instead of going open-source.
-lx
-lx
Our version of Digital C (Digital Unix version 4.0D) for alpha barfs on this without a . This compiler is maybe a couple of years old.
I said no... but I missed and it came out yes.
And could you be more specific, exectly how NT is much more insecure than Linux ? If there is such a big difference then surely you should not have problems coming up with some examples ?
Yeah, no one ever said Linux was completely crash free; just that the events that cause crashes are fewer and farther between.
Shit, I get paid to write free software. I am lucky enough to have a boss that was able to open his eyes and see the potential of open source. He realized let the world debug our code rather than spend a million dollars doing it house in 10 times the amount of time.
I use the Vesa framebuffer, which allows my ATI Rage LT Pro graphics chip to work with X.
A reliable source[1] has informed me that Win95 crashes after about a month and a half of continous up-time.
It happened to a company he installed a dozen or so machines for; they all crashed about 49 days later, all within a couple of hours of each other...
Tim
[1] A friend whose job it is to build, configure and install PCs
It's official. Most of you are morons.
[snipped from bugtraq, dated jun 1]
From: Piotr Wilkin
Subject: Linux kernel 2.2.x vulnerability/exploit
I'm sorry if this has been noticed before, but since I did't find anything
in the archives, I post it here.
There seems to be a bug in kernels 2.2.x (tested on 2.2.7 and 2.2.9), that
causes them to panic when they are sent a large number of specific ICMP
packages. I think the problem comes from the combination of the mangled
header length (shorter or longer ihl's don't cause hangup) and the random
ICMP packets (random type/subtype and source address) this program sends.
Windows 9x and FreeBSD 3.0 seem to be unaffected.
[exploit code snipped, check www.geek-girl.com for it in the archive if you really need to know]
Whereas with this kind of security bug, I would personally wait and only upgrade my own kernel when a new version is released (and I think any newbie should wait at least this long as well), the patch can be applied manually as explained in the original post, or applied using a traditional patch that can be found in Alan Cox's bugtraq post.
The double-slash was originally intended to work with C++ only, not C. People liked the idea so they started using it in C as well. Then it finally became a standard.
However, not all compilers have not caught up. I don't know of specific examples, but some Unix variants still do not understand it. Therefore you should not use it if you intend to make your source code widely available. And if you think your source code will never, ever be widely available or maintained by someone else, think again.
Incidentally, in C and C++ another way to comment out source code is like this:
main() {
char *s = "Hello world!";
#if 0
s = "World, hello!";
#endif
puts(s);
}
Since "0" is always false, s = "World, hello!" will not be compiled.
That way the commenting can be nested and you can be sure compilers will recognize it. A drawback is that colorized editors will not recognize it as a comment. Another drawback is that there is no equivalent in Java and you have to fall back to regular comments.
Sure the majority of slashdot users have probably patched their kernel already but there are thousands and thousands of users (mostly in the commercial area) who don't have the knowledge to edit source code and recompile kernels. This is precisely the reason why Linux is regarded as a hacker OS and not ready for prime time. /* and corresponding */ to comment out a line. Not trying to flame, just an observation on what I perceive as the Linux user base.
Well, I would tend to think, and yes, I could be wrong, but most, if not all Linux users out there probably have enough knowledge and/or wherewithal to be able to go into one C file and add in a
If this comes out with the tags, sorry, I musta forgot all my html, cause previewing isn't showing the html...
I've noticed some problems with the swapping code in the > 2.2.5 stable kernels. Sometimes, under a heavy CPU/memory load, the kernel locks into a loop in the virtual paging code. The system quits responding, and the HD's run steadily. The Andrea patches fix it (sorry, I don't remember his whole name). I think the 2.3 kernels have the bug, as well, but I don't know. I would submit a bug report, but I don't have enough info to do so. Oh well. =)
Just my $.02
This is a *provisional* fix. It seems to work, it seem to be the explanation Alan --- ../linux.vanilla/net/ipv4/ip_options.c Wed May 12 16:49:38 1999 +++ net/ipv4/ip_options.c Tue Jun 1 22:11:46 1999 @@ -452,7 +452,6 @@ error: if (skb) { icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)
Avi
Huh?
- A fix is available for users who know how to use it.
- Companies who don't know how to use the patch could have a consultant compile a kernel for them if they feel it is urgent.
- Linus will probably have an "officially fixed" kernel out by the end of the week, with RedHat likely close on the heels.
And you want to speak as though this is a slow response time? Even if it takes two weeks for "commercial" fixes to appear, that is much faster than you would expect from the average commercial OS company. The fact that the kernel patch is available now to those who know how to use it is icing on the cake, not a negative point.
is this important? can we have some details please? is my computer likely to crumple in a heap and surrender to any attack whatsoever?
. (You'll fairly often see people using // for comments in C code, but it's a bad idea, and you shouldn't do it. Don't Be That Guy (tm)!)
// commenting part of the lastest ANSI-C standard? If so, why not use it?
Isn't
DrLunch.com The site that tells you what's for lunch!
linux/ means the directory where the Linux kernel sources live. Typically, when one refers to linux/ one means /usr/src/linux/ although this isn't a given. net/ means the dibdirectory called net/ ; ipv4/ means the subdirectory of net/ called ipv4/ ; ip_options.c is the file you want to edit. You want to open this file with your favorite text editor, preferably one that displays line numbers somewhere. (You can toggle whether emacs displays your current line number with M-x line-number-mode.) To comment out C code, you can use /* ... */ . Comments like these can't be nested. It's pretty easy to comment out large sections of code like this. (You'll fairly often see people using // for comments in C code, but it's a bad idea, and you shouldn't do it. Don't Be That Guy (tm)!)
HTH
You're a suburbanite.
The instructions (as they appear on a previous reply to your post) are quite straightforward. Now, about recompiling - It shouldn't take that long. If you just compiled 2.2.9, then this patch will only take a few seconds to get compiled, make will automatically notice this is the only file with a modification time newer than the object (compiled) code.
My personal reason - better drivers for my 3c905b card.
Seriously, if you don't stumble into any need to upgrade your kernel, you probably don't need to.
Just compile and install the fix. If someone attacks your machine, your watchdog board will reboot into the new kernel. The uptime will take care of itself.
Please don't read this as flame bait, I'm just raising some points for consideration.
It seems to me that this is a VERY BIG DEAL. 2.2 is supposed to be a stable distribution that's ready for enterprise use. This "small bug" means that any Linux 2.2 box anywhere can be taken down at any time. It's this kind of thing that gives the suits reason to think twice.
I realize that a fix is available immediately, and that's great, but that isn't good enough. There's an even chance that the cracker phreak trying to do damage to your business will hear about this before your sysadmin does.
Chill out, you've got quite a bit of pent up hostility don't ya? The point behind my original post was to question the trivial nature attributed to the bug by Justin and the early commenters.
ok, i'm curious, you mention *BSD as a good secure OS, then you rip on free software, whats up with that? i'm just curious if a) i'm clueless b) your clueless or c) since your an AC that your just posting some nice flamebait
Okay, but why not just hack that section of code out completely? Also, is there a diff that patches just that file? Thanks for the explanation, and for all the comments everyone.
"I have no respect for a man who can only spell a word one way." - Mark Twain
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
How about in future articles, you post a link to the patch as well? This would be very helpful to newbies like myself who don't quite know where to find everything yet...
And I JUST compiled 2.2.9 today!!! Arrgh!
"I have no respect for a man who can only spell a word one way." - Mark Twain
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
College kids like Linus and his little project?
Many great achievments in mathematics, physics, and other disciplines were done by young (college aged) people. Often by people without preconceptions of what should or should not be possible. And without corporate support. Just passion for what they are interested in. Why should programming be any different?
Been said before but....
> 1) Most people get 20x as much stuff done when there is a reason behind it - i.e., need to put food on the table etc.
Quality not quantity. Linux gets quantity from the no. of ppl working on it.
> 2) College kids writing code in their free time will never be close to what software engineers getting paid to write stuff like Oracle, etc
> will.
No, folks writing stuff because they want to, in a time scale to match the problem. And without such a thing as a marketing department. This is the ideal environment for good code and software.
And do try to investigate things, otherwise you sound like a 5 year old kid saying "It doesn't mention the holocaust in the children's books I read. It can't have happened!"
yeah, it was written initially in UC Berkley (a college/university).
Tranlation= "I Am a asshole"
Quemadmodum gladius neminem occidit, occidentis telum est
Good gawd, no kidding! Let's see, how long did it take from detection to cure? hmm less than a day? Wow. Let's conjecture on how MS would have handled this:
Publicly deny that a problem exists for 3 months while we figure it out.
Wait 2 more months for more bugs err features to be found so we can justify releasing a "Service Pack" that will cause more problems than it cures.
I think I'll stick with the "unstable" OS that doesn't screw me backwards (not to mention cost a fortune for crappy code I can't even evaluate).
doc.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
I'm also too stupid to figure out how to remove it, so here's my humble apologies instead.
:) doc.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Good gawd, no kidding! Let's see, how long did it take from detection to cure? hmm less than a day? Wow. Let's conjecture on how MS would have handled this:
Publicly deny that a problem exists for 3 months while we figure it out.
Wait 2 more months for more bugs err features to be found so we can justify releasing a "Service Pack" that will cause more problems than it cures.
I think I'll stick with the "unstable" OS that doesn't screw me backwards (not to mention cost a fortune for crappy code I can't even evaluate).
doc.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Please don't bother trying to bash the stability of *nix as compared to Windows NT. I work at an NT shop with over 30 servers where every day at least three NT boxes go schizo (apparently randomly, it's pretty well spread out among them, i.e. no troublesome children in particular). This is not due to bad configuration or even cranky hardware (half of them are HP Netservers), but due to the operating systems' inherent instability. Granted, these servers are under moderate to heavy loading pretty much all day, but that is not (IMHO) an abnormal requirement for a server. In contrast, the only BSD box we use (firewall and netmonitoring among other things) handles an ENORMOUS amount of traffic on a constant basis and has crashed or freaked out exactly ZERO times in eight months. In addition, I administrate a few Linux webserv boxen on the side, and have had exactly ZERO problems with them that I didn't cause myself.
:)
So please don't bother claiming that NT is a superior product stability-wise, I think everyone reading these articles have enough sense to realize the ridiculousness of your statement. I for one cannot resist a troll though.
doc.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Ummm... Mostly for the major NFS updates and the dcache/dentry code, myself... Of course, updated drivers, improved memory management and better /proc don't hurt, either.
Nato
Have fun,
Nathan 'Nato' Uno
http://web.unos.net/
When I had 2.0.36, I couldn't get my 3c905b working at all. When I upgraded to 2.2.x, it worked perfectly -- without a hitch.
I was under the impression that // was now the prefered commenting style (for C++ of course, // doesn't work in C!). I'm only a student, but that's what I've read and been taught. In huge comment blocks, // makes it more apparent that what you are looking at is a comment (which is why I think a lot of people use this style:
// is what Emacs uses when you do a "Comment out this section" -- it must be Right!
/* This is a comment
* blah blah blah
* blah.
*/).
'Sides,
Are you braindead? I cannot believe you believe that! Maybe you don't, maybe your just trolling you anonymous coward you.
Of course bugs will be found! They ARE found in Solaris... but they don't get fixed as quickly.
The oxen are slow, but the earth is patient... - High Road to China
OpenBSD is probably the least used BSD Unix.
...) calls are used does not make it the most secure.
See this page for an errata listing. Just because crypto and 'n' (strncpy, snprintf, vsnprintf
1) Most people get 20x as much stuff done when there is a reason behind it - i.e., need to put food on the table etc.
Open source programmers have a reason to do it: a real passion for it ( you can't understand that unless you are one of them)
2) College kids writing code in their free time will never be close to what software engineers getting paid to write stuff like Oracle, etc will.
Philosophicaly speaking you could debate on that, and forever. There are some people who thinks that the best work done is often when it's unnecessary or you are not pushed by time.
Think before shouting about something you don't understand.
A duck's quack does not echo and no one knows why
Did you ever stop to think that maybe security holes are found because the source is open? Ever notice how fixes are posted rather quickly and even if they aren't, you can fix it yourself instead of waiting 8 months for a 16 meg download that fixes the problem.
Linux is a fucking joke, face reality folks, free software will always be second rate
What operating system are you using? That awesome Windows95 that can't be running for more than a few weeks AT BEST without freezing or some integral part of the OS crashing? Oh no, you upgraded to Windows98, which "makes everything better"... yeah, Windows98 is better, but it still freezes every few days. By Microsoft's own admission (before the article was taken off their Knowledge Base), Windows NT and 9x can only be on for 49.7 days - max - before it will crash... of course, most people can't make NT or 9x run for more than a few days (I've maxed out at about 2 weeks - Windows98 - without crashing, and then it died a miserable death).
Did you ever stop to think that maybe security holes are found because the source is open? Ever notice how fixes are posted rather quickly and even if they aren't, you can fix it yourself instead of waiting 8 months for a 16 meg download that fixes the problem.
Linux is a fucking joke, face reality folks, free software will always be second rate
What operating system are you using? That awesome Windows95 that can't be running for more than a few weeks AT BEST without freezing or some integral part of the OS crashing? Oh no, you upgraded to Windows98, which "makes everything better"... yeah, Windows98 is better, but it still freezes every few days. By Microsoft's own admission (before the article was taken off their Knowledge Base), Windows NT and 9x can only be on for 49.7 days - max - before it will crash... of course, most people can't make NT or 9x run for more than a few days (I've maxed out at about 2 weeks - Windows98 - without crashing, and then it died a miserable death). Ah, yeah if you're not using them then maybe you've switched to BeOS. While a pretty good little operating system, it also is imperfect. It is not nearly as robust as Linux is, is underdeveloped, and is probably going to die out in a few years. If you're not using any of those, maybe you're running good old MacOS. Teriffic. Yeah, Macintosh is great, and Apple's processors are WAY fast... because they need that speed to make programs on the Macintosh seem comparable to those on other operating systems. The MacOS, while a nice thing to look at, isn't nearly as functional as it could be - it makes me reach for the mouse to complete the simplest of tasks, and operates so slowly it almost makes me want to cry. So what else are you running on your home machine? Maybe DOS. Okay, so it rarely crashes, has a good bit of programs for it, and is relatively easy to use. Does graphics great though. Really functional. True multitasking. GREAT network support. Yeah, I need to get back into DOS. Maybe you're using Solaris or one of the BSDs. That's all well and dandy. OpenBSD is incredibly secure and quite a good operating system. There are also tons of user programs out there for it. I could go on and on about operating systems, but I'm running out of time here...
Most people get 20x as much stuff done when there is a reason behind it - i.e., need to put food on the table etc.
Linux is developed by people that strive for excellence because they do what they love doing. They feel a passion for making Linux the best that it can be. Microsoft's operating systems, as well as MacOS, etc., are created by people who are striving to impress their managers, get raises, etc. Quality is not priority in environments such as these...
College kids writing code in their free time will never be close to what software engineers getting paid to write stuff like Oracle, etc will
How do you figure? Again, college kids writing the code in their free time are doing it out of a love for the operating system, not for money. I work better at home, where I am motivated solely by accomplishing excellence, than I do at school, where I am motived by earning good grades. At school, my goal is to impress teachers first and accomplish excellence second. I'm sure that's the way it is with most students.
The only problem I see with Linux now is that it's not as "user-friendly" as other operating systems. However, it is not meant to be. Linux was created for the true "hackers" (not the crackers that we're hearing about on the news lately) that are motivated by challenges. For me, learning Linux was fun because it was something new and because it was HARD. I wanted to be able to make it work, and so I myself worked harder to learn as much about it as possible so it would do whatever I wanted it to. So yes, it's not all that user friendly. However, this is being worked on as well . I recently upgraded to Red Hat Linux 6.0, and was definitely impressed with the progress that had been made. Users proficient in Windows would have no trouble installing it or using it. GNOME/Enlightenment make using and configuring Linux almost as easy as Windows. All accomplished by people who aren't being paid.
But yeah, you're right - Linux blows.
Godel's incompleteness theorem is one of the
most "philosophically abused" results, along with
the second law of thermodynamics (the one that
states that entropy can only go up in a closed
system).
A theorem, or a physics law, is only valid within
a precisely delimited domain.