Slashdot Mirror


User: mcol1

mcol1's activity in the archive.

Stories: 0
Comments: 11

Comments · 11

  1. Re:In a sense, you're right. on The Internet is America-centric, But for How Long · · Score: 1
    America is a Republic, not a democracy. The idea of democracy was invented in ancient times. The American invention was to add the Constitution which makes America a Republic where the idea of pure democratic rule is toned down by giving all citizens certain basic rights which protect them from the People's "democratic" will.

    > benefits democracy brings in terms of prosperity

    Here you confuse democracy and the principles of free trade. The idea of free trade, by the way, was invented by a Scot, Adam Smith. American economic policy is largely based on ideas first described in Smith's "The Wealth of Nations."

  2. No short distance, no long distance on Bluetooth for Linux Released · · Score: 2
    There is no long distance networking without short distance networking. Bluetooth is a good standard for short distance communications. Look at the telcos. It's the local ex Bells and their brethren who control the phone business, because they control the local loops. With Bluetooth, you potentially have your own local loop. The long lines networks are already under heavy competition. It's easier, although very costly, to build long distance networks than short distance networks.

    Ricochet had the opportunity to conquer the market in the past couple of years, but since they wanted to own the networks, instead of allowing local companies to provide wireless relaying, they lost. Now it's time for Bluetooth and the entrepreneurs. Bluetooth allows hardware manufacturers to get in on the action, while allowing entrepreneurs to write software and utilize the hardware. A little like IBM making the PC an "open standard."

  3. Bigger picture, PR, exploits on Linux Blamed for DDoS Attacks · · Score: 1
    As far as this attack is concerned, we should bear in mind that Linux and Solaris systems were used as launching points for the attacks. There are millions of machines on the Internet, ranging from DOS, Windows, Linux, FreeBSD, Solaris, Apple, to Amiga and others. Almost anyone can put up a machine on the Internet. It will be very difficult, if not impossible, to secure all these systems, controlled by non-professionals, who have few if any resources to fix security holes in their systems. The primary targets of the attacks were large companies who supposedly have the resources to secure their systems. As far as we know none of these systems were broken into, but they were brought down by the attacks.

    I think it's silly to blame Linux or Solaris for the attacks, when these systems could be managed by anyone, including some DSL customer who just installed their first Red Hat system on their Windows box. If anything critical is said about Linux or Solaris, it should be the lack of concern vendors seem to have for the Internet's welfare. As a good example, we can bring up Red Hat, which notoriously delivers their systems with almost every service enabled, leaving the new systems vulnerable to any new exploits against those services.

    As a criticism to Slashdot, I find it amazing that a Press Release like this would get into the system. I mean, this article is straight out of the company's PR department. It looks like the magazine didn't even edit it, unless they have NO journalistic integrity at all.

    By the way, were the primary targets of the attacks Windows or UNIX? I don't think this has been brought up.

    Both UNIX (Linux) and Windows systems can be broken into. Macs cannot be broken into, and until the recent ping hack, they couldn't be used for attacking other systems either. All systems can be taken down by a DOS attack. Only, the resources required for this vary. Macs and windows hosts are probably the most vulnerable to DOS, whereas UNIX systems tend to be more robust.

    Regardless, an improperly managed system will have security holes in it, which can be exploited by someone with the right tools. Both Windows and UNIX systems are vulnerable to a number of attacks.

    Eternal vigilance is the price of freedom, and it is the price of having a secure system. Keeping up to date on the latest exploits is the only way to protect oneself against them.

  4. IPv6 misinfo, correction on Ask Security Guru Dave Dittrich About DDoS Attacks · · Score: 1
    Please check your facts. IPv6 doubles the average packet size for real time protocols with small packet sizes, like VoIP, which I specifically mentioned as an example. VoIP data is transmitted in very small packets, because delays must be kept to a minimum. Using IPv6 would double your bandwidth requirements.

    Because VoIP data should take priority when transmitting data, its volume becomes a significant factor. Of course, if no network has bandwidth shortages, this is not an issue. Anyway, IPv4 and IPv6 can co-exist. IPv6 is necessary for the future survival of the Internet, because of the increasing demand for hosts. However, IPv4 is needed for real-time delivery of some data. It is possible to use IPv6 until your local router, and then have the packets reworked and transmitted as IPv4 packets to the destination. This is possible when the protocol is known. E.g. in the case of VoIP this is often done. (Well, I don't know about often, but I've designed an implementation myself and it wasn't too complicated.)

  5. What's the hold up? on Ask Security Guru Dave Dittrich About DDoS Attacks · · Score: 1
    Dave, good work on the site and the docs. Very useful info. What is the hold up with catching the perpetrators? If you are able to find a master, you should be able to catch the master's user, no? Are they using some phreaky method like (a) a phone line attached to a waterpipe, run to another building, or dialup provider in a "renegade" country, or are we dealing with corporation sponsored terrorism, or state sponsored anti-capitalistic mayhem?

    P.S. As far as IPv6 is concerned, it is wonderful for many things but because IPv6 packets, by nature, consume tons of bandwidth for small packets, they will never be used for long distance traffic, such as traffic between major traffic centers. Unless of course we invent giga-giga ethernet and everybody stops using new protocols, like 3D video, which would inevitably get invented. But now I am digressing. IPv6 is not suitable for a lot of mainstream stuff we need, and especially not for real time protocols. VoIP comes to mind as a good example. And besides, the well touted reason that IPv6 support only exists in the latest apps, will remain a good reason not to deploy IPv6 for a few years at least.

  6. Interface to your mobile network on Brainstorming New Uses for a Mobile Processor · · Score: 1

    We have the interface. It's a bit of a thing to learn for the older folks, but the kids have it installed as toddlers, so it's second nature to them.
    500 words per minute, and no spell checks. An electro-chemical interface installed on your body, linked to nerve endings. No harm done. Just a superior way to communicate. And while we are at it, why even talk with people, just send them messages directly to their communication interface, over the local IP network.
    Evolution at work.

  7. server choice, bank rules on Verisign Buyout of Thawte Consulting Challenged · · Score: 2
    If this deal goes through, anyone not in the U.S. will see their bill for a server go from $0 to $1,000 and more. The cheapest server approved for use outside the U.S., by Verisign, was $1,000 when I last checked. The cheapest one approved by Thawte was $0 (Linux and Apache with SSL).

    Verisign and Thawte provide different choices for the SSL web servers you can use.

    Many banks will not allow a company to sell their products over the Internet unless the transaction is handled over an SSL connection.

    Therefore, if you are interested in e-commerce, and happen to be outside the U.S., I would be very worried about this development.

  8. Re:It was a CGI hack on Details of the PCWeek Securelinux Crack · · Score: 1
    Just wanted to point out another common programming error in the cgi, fixing which could have stopped the exploit.

    The code which checked for slashes and backslashes allowed either one to match using Perl regex's $| operator. If the $| had been omitted, and instead the check would have consisted of two lines, one checking for slashes and the other one checking for backslashes, and if the checks had otherwise taken better care to assure that illegal names couldn't be passed through, the exploit could've been avoided.

    The author of the exploit description might have missed that the following filename would also have passed:

    .\\/root/anyfile/anypathhere/index.html

    In other words, there was no need for all the dots.

  9. Re:About Finland on Torvalds Criticizes Open-Source Wannabes · · Score: 1

    Using a mobile phone is secure because transfers in the Finnish system are authenticated with one time passwords.

  10. third party lies on Academic Criticism of ESR's The Cathedral & The Bazaar · · Score: 1
    Something important to note about this article is that it quotes numerous third party sources saying things against Linux and open source, without questioning the truthfulness of those statements.

    E.g. ("It will be a cold day at the equator before L. Torvalds sets aside his ego for the sake of someone else's better ideas.")

    Anyone who has followed the development of Linux knows that one of the greatest talents of Linus Torvalds has been his ability to accept his own mistakes. He has been known to scrap his own code in favor of better code by others on several occasions. He is the leader of the movement precisely because he doesn't allow his ego to control decisions on Linux.

    These types of unqualified comments are a tool used by authors of propaganda. It is not tolerated by scientists, who are very adamant about sticking to facts.

    Whether you are a scientist or a lawyer, you know that third party quotes are a very bad way to prove your point.

    However, every writer of propaganda knows that journalists don't have the time to check all their facts because of pressing deadlines. So these types of lies easily creep into published articles. This is true especially in the case of daily newspapers. And these are the primary source of information, or intelligence some like to say, for the voting, stock buying, software buying masses.

  11. Seemingly more than one author. on Academic Criticism of ESR's The Cathedral & The Bazaar · · Score: 1
    The article clearly seems like a piece written by a group of writers, set out to attack open source using every conceivable twist of words and phrases.

    I would classify this as a PR release meant for journalists. It has tons of material which could be rephrased to fit whatever agenda the journalist has in mind. Ideal material for a journalist who gets a second paycheck from MS. No MS sources, just a "scientific" criticism of open source.

    Is it a coincidence that this was timed to coincide with Microsoft's attack at Linux on their website? The timing should push a review of this piece into the same article which will cover Microsoft's attack at Linux in tomorrow's newspapers.

    If I was planning MS's propaganda campaign against Open Source, free software, and Linux, I would distribute a piece just like this for the consumption of the public and journalists.

    Seems like a classic piece, directly from a spook lab.