They are indeed something of an art! I went the other way to the original questioner - moving from full-time molecular biology into systems nd network admin via a little scientific coding and support work at a couple of major teaching hospitals. In all honesty, I loved both careers and I still (after 12+ years as a sysadmin) sometimes miss the lab work. I was somewhat peeved when (shortly after I made the career change) my lab record for most number of bases read from a single sequencing gel went away at the cybernetic hands of one of the first automated sequencing machines. The art is still there - a few years ago I got the chance to show some friends that I'd "still got it" by helping out when their sequencing machine was down and they had publication deadline coming up. At the same time I discovered that servicing Gilson micropipettes was something you just dont forget how to do:)
The one thing I miss about computer work in the scientific environment as opposed to the corporate arena I now work in is that when working with scientists - in pretty much any field - you have an easier time explaining why you need to take a particular approach to a problem. Its not that the senior folks in either environment are more or less willing to get it done, but the scientists are usually experts in a specialized field (or aspire to be) and are therefore more ready to accept the advice of the IT folks as coming from an experienced professional rather than discounting technical concerns as happens all too often in the business world.
In molecular biology, whilst a skilled researcher may have a substantial support infrastructure to do low-end work (like preparing media and stock solutions, cleaning and repairing equipment etc) the career path leaves most of them able to do it themselves if they had to (if its critical they often insist.) The same attitude also makes a good geek. Yes, its easier to have the service tech replace that failed bit of hardware but if you're in a hurry or its important you can always say "Courier it to me - I'll do the swap." There may not be an appropriate solution immediately available to a software issue, but you know enough to code a workaround even if it is hacky and ugly provided it keeps things going whilst you take your time getting something better. This should work the other way too. A good geek has the makings of a good scientist.
You are, of course, within your rights to pay for your www sites expenses with ads. I personally have no problem with advertising appearing in my browser provided its kept within reasonable limits. A site that doesnt keep to those limits doesnt get visited by me.
Having said that, what constitutes "reasonable limits" varies depending on what my browser and I can do to enforce those limits. Prior to the popup-blocking feature appearing I blackholed every ad server I could identify at my firewall because I was sick of the ever-more-intrusive flood of popunders, popups, browser-hijacking JS etc... I now see more ads than I used to, because having the browser zap the annoying ones that appear in their own window I dont have to block the ad-servers entirely. I still dont click on them, but the advertiser gets their impressions.
... are to be found in a ring I inherited from my grandmother. Whilst neither of us would have considered going out and buying them, the family connection makes the difference.
The procedure for determining a winner would be to tally all of the first choices and eliminate the candidate with the lowest vote count......more accurately represent the true will of the voters.
Its called a "single transferrable vote" system and was the system mandated for all elections of officers in the Students Union when I was at university in the UK - some of them a big deal since the appointee got a full-time paid job for a year along with a sabbatical from his/her studies whilst remaining eligible for university accommodation and all student benefits... The most interesting part of it is that there was always an extra "candidate" on every ballot. His name was "Re-open nominations." Kinda like writing in "They're all political hacks, find somebody else". He almost never got elected but if he did then the election was repeated with the candidates "Ron" beat disallowed from running. Now theres an interesting thought. Shame it would never fit with the constitution of most nations...
Its worth noting that in other jurisdictions an "implied warranty of merchantability", to use the phrase common in the USA, cannot be disclaimed. IMHO this is probably one of the reasons that software companies are so reluctant to admit to selling you a product rather than licensing you to use it. If, for example, in the UK they were to sell you a piece of software rather than a license to use it then the sale of goods act would require that it was "of merchantable quality". Selling you a license seems to apply that standard to the license not to the software itself and guess what - "you're allowed to use it, therefore the license we sold you has performed exactly the function we sold it for..."
Maybe the law should require that when puchasing a software license that exchanges a one-time fee for a non-expiring license then that transaction must be treated as a de facto sale of this copy of the software. Instant applicability of implied warranties and, as a side note, also strengthening the applicability of the first sale doctrine and making sure that an EULA cannot limit a customers rights any more severely than in any other sale.
Of course, if that were ever to happen then commercial software users would really be in trouble. The software companies would sell nothing but subscriptions, licenses would last a year at most (assuming the loophole of "not a non-expiring license - it expires in 99 years" is plugged) and every piece of commercial software would contain timebombs.
Unfortunately, for so long as people want what they are selling badly enough the software giants hope to get away with providing it on any terms they want. THAT is why they are so scared of open source and/or free software. Even if we admit the questionable argument that commercially produced software is supposedly "higher quality" (dont see it myself but...) we are already at the stage where mainstream users are finding their relationship with the software companies almost as inconvenient as coping with the supposed shortfalls of open source alternatives. Add just that little bit of extra hassle (like recurring fees, time-limited installations etc...) and the balance could easily tip.
OK, clarification is in order here. This particular incarnation of the problem is indeed, as you so rightly point out specific to the win32 API. I promise you I never disputed that. I made 2 separate points in my earlier post.
This is a variant of the "local root exploit" type of problem and as such is not as minor as the MS response to notification would have us believe. I think I can be fairly confident you agree with that point:)
Local privilege escalation exploits in general are not specific to windows or any other OS and they are a problem wherever they appear.
It was not my intention to link these two points into implying that a win32 exploit can somehow be viable on other OSs that dont use this API and I apologize for not making it sufficiently clear.
Geez, guys.. He pulls shellcode out of an in-the-wild exploit and clearly says so and you act all surprised that the shellcode is picked up by AV software? Whats more he clearly states in his paper that he went looking for shellcode to spawn a command shell on a given port. Was it a bogus attempt to root the boxes he'd not have warned you first exactly what it was would he...
The point remains that it isnt a question of "a user runs unknown code, they're screwed" - in this scenario the USER is the attacker.. they already have a legit account but it doesnt have administrator privs. They want to get past some restriction on their account - like maybe locate and disable any nasty corporate keyloggers that might get them fired for pr0n-mining, or plant some nasty stuff on a shared PC to grab other accounts credentials so somebody ELSE gets fired for it? Lots of attacks come from inside and lots of *nix attacks are described as "local root" compromises - thats what we have here.
To rephrase your statement its more a question of "if a user can get localsystem privs by running arbitrary code, you (as the sysadmin) are screwed."
This isnt specific to windows or any other OS for that matter. If any user can get arbitrary code to run with a higher privilege level than their own, this kind of hole exists.
Lots of suggestions about just keeping a computer somewhere dry but in a small sailboat, bare minimum for one person to live aboard for an extended period? Good luck finding anywhere that doesnt accumulate salt deposits over time if its open to the atmosphere. Problem is, once those deposits are there (even if they are not visible to the eye) that surface will never be truly dry, even on the hottest day. Nowhere is safe. The best deckheads develop persistent small leaks over time, particularly near the gunwales or worse still by the foot of a deck-stepped mast. Most "watertight" hatches on sailboats only qualify for that name on the grounds that if you get a wave over the deck most of it will drain off rather than go through. Assuming the craft goes anywhere other than the occasional brief trip around the harbour the phrase "dry stowage" on a boat this size is at best a relative term.
Now look at larger vessels. In general if they are large enough to have a genuine superstructure (ie you can be "indoors" with your feet no lower then deck level) then you stand a chance of keeping dry stowage dry and might get away with trying to protect a regular machine.
The harder you sail the worse it is of course. The engineers that have posted are absolutely right about the impacts and vibes and again the larger vessels have it easier (If your deckhead doesnt leak now, dont worry. After a couple of seasons pounding like this, it will.) At one point I saw the same piece of (genuine marine-quality) electronics installed on 2 craft. One was the 24-footer that my dad & I sailed all over the Irish Sea, the other was 42-foot motor-sailer that a friend had. My dad & I raced in ours, our friend took leisurely coastal cruises, so long as the weather forecast was perfect. Guess which piece of electronics died first?
Does anyone but me find it ironic that the most influential gripe about ICANN is coming from the registries that gained most benefit from ICANNs excesses? Of course they only gripe about the price cap since this is one of the few ICANN policies that bites the registries harder than it does the domain owners.
The registries are as evil as ICANN in their own way. The only spark of interest in this is that Nominet joined the party - Having dealt with administering domains in.com,.ac.uk and.co.uk I found that of the new crop of domain barons, Nominet were the most true to the way it used to be. (probably because when they took over.uk the fastest backbones in the UK were still in the hands of the academics, so they messed with.ac.uk at their peril)
Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but dont agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.
Having proclaimed my bias, it was interesting to hear the guys own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away" When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two but these days the usual spin on "responsible" when linked to the word "agency" mean either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.
Personally, I take responsibility for my own systems security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that theres nothing on my own boxes that a true expert wants badly enough to put in the effort)
From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.
To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?
As a Brit living in the US (still undecided on whether I'll switch citizenship so hopefully free of undue bias) I'll have a stab at answering this one...
In the UK it is illegal to fire a woman simply because she is pregnant. It is also required for a company to offer maternity leave that must be paid for a statutory minimum time, after which up to a years unpaid leave must be offered with the employee able to return with no loss of status or seniority. Unfortunately some companies (just like in the US and everywhere else any corporate behaviour is regulated) dont like living up to these rules and will often do the bare minimum their lawyers think they can get away with. The ones with the good lawyers do get away with it, the others get sued or prosecuted.
The police in the UK and in the US have a duty to protect the public. They have lots of rules about how they are allowed to go about it which they are expected to apply before anything gets into court to decide questions of law. Three or more huge guys wearing Vikings colors making a point of getting in the face of anyone coming down the street wearing green and gold would likely get arrested over here too. UK cops are expected to use their judgement just as US cops are. In either country its still true that is you piss off a cop badly enough (s)he can probably find something to nick you for.
One could probably refuse to divulge a crypto key on the grounds that you cannot be required to answer questions.. However, that is one area in which the US has the superior laws since in the US courts are not allowed to even mention whether you answered questions or not. In the UK the advice of your rights when arrested goes on to say that if you do not answer questions then that refusal itself may be alluded to in court - That caused a HUGE stink when it got pushed through.
This one isnt much of an issue. In MN I cant buy wine in a grocery store. Similarly liquor stores are not open past 8pm and are all closed Sundays. This has in the past few years caused me more hassle than being unable to buy beer or wine before 11am or on Sunday afternoons in the UK. Wherever you are you'll find folks who dont like the licensing laws.
Stores closed on a Sunday.. not much of an issue anymore. First it was a holdover from the days when the church was a legislative power in Europe, then small local stores were exempted to try and save them from being driven out of business by huge supermarkets and then large corporations lobbyists got their megastores exempted too... Hmmm.. sounds kinda familiar:)
In the UK you ARE guaranteed a refund if the product is faulty. Some stores will try and persuade you to accept a replacement or an in-store credit but if you insist they must take faulty goods back and refund your money. Most folks just dont want the hassle of insisting on a refund and threatening the store with legal action if they dont comply. In the US I believe you have similar rights but unlike in the UK you're more willing to complain so it makes business sense here to just refund with no questions asked beyond seeing the receipt. In the UK there isnt that pressure so again they dont do more than the law requires.
Six Sigma is a maximum of 3.4 defects per million. So converting to uptime would be...
Dont forget you're talking about defects here. Where I work, planned outages for things like preventive maintenance or the deployment of an upgrade to the core apps are not considered defects whereas unplanned outages are. I have several servers here that have only a few dozen days uptime but the last time they system or the primary app they serve crashed resulting in an unplanned outage or a six-sigma-style 'defect' was over a year ago.
Its part of the autoreplace stuff - similar to the "smart quotes" options et al that have been adding bloat to word-processors for years. The question mark appears when you're displaying in a font or charset that doesnt have the character its looking for as a replacement (I think)
Whatever the reason its easy to turn off. Disable the "Turn minus signs into dashes" autoreplace option.
Lots of posts on quantity of comments and theres a bundle of good arguments for both the more-is-better folks and the dont-overcomment advocates. Similarly the drive to make your variable names meaningful is worthwhile but the one addition to any code, be it perl, C or anything else, that makes maintaining it easier has to be the humble newline.
The important thing is not how many comments of what type but the overall layout of the source so that it is consistently understandable on reading through it. If a comment is required to accomplish that then insert one. If, OTOH, all you need to do is break up and indent the lines a bit more intuitively then do that rather than trying to explain the more awkward structure in a comment.
Sure, you can easily pack a fully functional perl script into a 4-line.sig if you want but a 100 line script thats as squeezed together as it possibly can be becomes unreadable no matter how many comments are inserted into it. If a single line of code does more than one step in your program then consider breaking it up. If it absolutely has to be one line in order to work then backslashes are your friend. The guy that reads your code to find out how you did that after you've moved on to bigger and better things might be an entry-level hire who has enough of a learning curve to cope with without wrapping his/her head around tightly compacted code as well.
Remember how simple you kept it when you first started learning a language? Keep it that way when you're more experienced unless theres a reason to do otherwise.
If a company has made themself dependent on the MS platform for the sake of email and Calendar, I most seriously doubt their judgement and competence.
Corporate workstations all running 'doze (especially the ones on the desks of the guys with the budgets to spend), lots of NT servers in the data center, no its not surprising that they should choose to standardize on outlook for corporate email. Once thats in place its also an apparent no-brainer to get everybody using the integrated calendar management. Then, once this hypothetical company has done all this, they start getting bitten firmly on the ass by the disadvantages of this solution and the IT dept can do nothing but shrug and say "we warned you, but you didnt listen...." Unfortunately having said that they still have to look for solutions that will work in the environment that exists at the time. Unless it was done comparatively recently there wasnt any real alternative to 'doze for the generic user - unix variants and other alternate OSs have come a long way in that regard real fast.
Once you've been "embraced and extended" its real hard to break loose unless you've got something thats 100% compatible to ease the migration process.
Linux clients can't use it to talk to Exchange for shared calendaring.
Yeah, thats where I hit a brick wall with it too. Shame the Evolution developers havent given a little thought to on-the-fly conversion of outlook-format appointment messages to Evolution vCalendar entries - although I can kinda understand why since on my Sun box the latest Evolution builds have much more serious problems in the calendar side than just an inability to correctly interpret outlook appointments - when I get a build that doesnt crash its calendar so readily I'll do a serious evaluation.....
"Evidence", yeah, right. But how much of what they took can possibly be real evidence of anything? Not much, and they dont have any real reason to keep it either. IANAL, but heres why I think so...
If they booted that machine they took even once their chain of evidence is tainted. It doesnt take much C++ skill to mess around with, for example, a DHCP client that will irreversibly trash certain areas of the HD if the packet that gave it its IP addy happens to come from the wrong MAC address indicating the machine is no longer on its home network - it could even be made to look plausible by looking like a boot-time fsck pass. If they did anything but temporarily connect the media on the confiscated system to a different machine and make a raw copy of each disk (without even mounting it) they cant trust anything they see.
Of course if they are doing that once, they can do it twice and present the guy they are accusing with a copy of the evidence they collect just like in the UK the police are required to tape interviews (on a machine that records 2 tapes simultaneously) and give you or your lawyer a copy of the tape immediately the interview is over. Of course I'd bet the cops really wouldnt like that - it means if theres a single bit difference between the two images when it comes time to go to court and the defendants lawyer can prove their copy has been sitting in his safe the whole time then somebody just got caught tampering with evidence. No matter how good the police force is, some of that goes on in all of them - thats why the UK introduced that regulation about the taped interviews.
This also means that every piece of data on that computer is in their hands. They probably will want to hang onto the physical media from it in case they decide to do the more invasive data recovery techniques but theres no harm to their chain of evidence from handing back the machine(s) excluding disks, but with a complete disk image on whatever media they like. No unjust deprivation of a persons access to and use of their personal property either - and yes, I include the data in that category as well, its the most valuable component of the system because hardware is replaceable, work is not.
I, for one, am not holding my breath waiting for this to happen though. Perhaps the best we can hope for is to have the cops wake up to reality and make sure that they actually send along somebody who knows his ass from his elbow where data security is concerned to cases like these, just like they send cops trained in accountancy on financial cases.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Subsection (c)(1) reads Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title. so the "fair use" defense is unaffected by this measure.
As for DeCSS I'm guessing the defense lawyers are hammering real hard on subsection (f) which explicitly permits reverse engineering any access control AND distributing the means to do so so long as it is solely for the purpose of allowing interoperability. Of course the corporate weasels didnt like this so they are claiming DeCSS in "purely a piracy tool." IANAL but from reading the actual letter of the law it seems that all it should take to defend against the suit is claiming "I made this code to allow interoperability between the firmware code on commercial DVD drives and the linux OS since nobody else had made a driver for it." - that fulfills the requirement in (f)(2) that it is for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability and also of (f)(3) where the information gained may be made available to others... solely for the purpose of enabling interoperability
In the absence of the MPAA being able to prove that any of the coders intended DeCSS for piracy or actively used it for such (and since "fair use" remains intact their lawyers should be able to argue that the presence of decrypted movie fragments in old temp files on their disks is simply evidence they played them, not that they copied them) whilst the MPAA may throw more and more money and lawyers at this they should eventually lose. # human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
The problem with your amoral view - that it is not your place to decide which of us is right - is that by taking that position you surrender your part of the world to evil. Be aware of that simple fact
This is the only part of your reply that I disagree with absolutely. It is not amoral, it is in fact a statement of my own morals and ideals, which whilst different from yours (as evidenced by your classification of my position as amoral) are held as strongly as yours. For the most part an enlightened society frowns on an individual taking upon themselves the right to judge their peers. There are places where however distasteful we find it an individual must be given that responsibility, as part of their duty to the society they live in but outside those areas both the principle of allowing personal freedom to live ones life as one sees fit and the principle of "judge not, lest ye be judged" apply. Nothing has given me the right to say your statement is "right" or "wrong", but nothing can take away my right to either agree or disagree with your statements. As it happens I agree with most of them but that doesnt make it any more "right" than it would be if I didnt. Absolute right and wrong are not in any human hands to judge no matter how loudly and stridently some may claim the right to usurp a power that almost every faith reserves to the divine. Personally I think that if a few more legislators remembered that we'd have a lot more common sense in the making and applying of laws. # human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
So do I.. If I'm sat in my cube when I do anything net-related my employer is welcome to watch it - If they can show me a single instance when I mised a deadline or otherwise didnt get the work done because of it then I'll deserve anything they throw at me but I have no worries there because there are no such incidents. All the same, there isnt any reason I have to make it easy for them, the only way they can read any email I send from my home accounts is either to do screen/keystroke capture (which I'd know about pretty quick as I regularly sniff my own network traffic as part of my job) or pull a fullscale man-in-the-middle attack on my ssh connection to my home LAN at the corporate firewall. If they are that paranoid and want to waste that much time and resources on the project then they are welcome to. If my boss wants to sink that much budget into completely non-productive tasks then he's on a bigtime losing streak and I'll soon have his job myself. Alternatively if he is getting pressure from upstairs to account for my net traffic all he has to do is ask and I'll hand him a logfile. With nothing to hide theres no loss in telling them what you're doing, its just polite for them to ask for the info rather than simply grab it. # human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
It appears that the author of this post is either a lawyer, or is able to think like a lawyer. He makes a mistake which many intelligent people make: he mistakes the winner of a fight for the person who is right
You are absolutely correct in general, but there is another aspect to your argument. You state that the winner of a fight has won only the fight and you are correct, but what makes people fight is what is at stake. If something is happening that you do not like you have a seemingly simple choice, accept it or fight it whether you are "fighting" in a legal context through the courts, applying your martial arts training to defend your person or simply making your views known in a forum such as slashdot. You make the choice of whether or not to fight based on how much you will have to put into it to win that fight and the consequences of winning, losing or not fighting at all. You have to make that decision based partially on an objective view of the circumstances and partially on the purely subjective aspect of how you feel about the various possible outcomes. Most people cant do this, although I suspect that you, as a martial artist, can.
Governments make laws, its their job. They rarely get it "right" first time, where getting it right means that the law is acceptable to the majority of the people being governed. In theory, in a democracy at least, those lawmakers are held accountable for their mistakes in this regard at the ballot box. This is the only place in which whether a particular law is "right" or not is judged. Even where a USA law raises constitutional issues a court is not deciding that a law is "right" or "wrong", only whether it is enforceable or not within the limits the constitution imposes on government action. Once a law is on the books it doesnt define what is right but what the stakes are in a particular legal fight. Court precedents may modify the interpretation of the law but even that is not a decision on right or wrong but an attempt to modify the consequences of its application. This assembled body of law is neither right nor wrong, it is simply the ground upon which legal conflicts take place. Of course the more influence you can bring to bear on the lawmaking process (corporate lobbyists, for example) the closer you can get to Sun Tzus ideals of being able to choose your own ground for a conflict.
This being the case both you and the poster you replied to are correct. Whether either of you is "right" isnt my place to judge.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Anyone wanting to really use digital sigs for authentication purposes had better keep hard evidence of all changes to their key pairs - store them on read-only media along with the revocation notices for previously used keys and then get the government to timestamp 'em for you by posting them to yourself via registered mail and never opening the envelope when it arrives.
Guess we'd all better start including disclaimers in our standard email.sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.
Paranoid? Me? Surely not...
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
they can't take a working technology and leave it as it is
No, they cant. And nor can anyone else. Whenever a software or hardware product ceases to be developed, improved and updated it usually dies if its in a niche market or rapidly becomes a niche market instead of mainstream. Suddenly something else will come along that takes up the cause and does it better - Apache didnt become the primary webserver of choice as quickly as it did because it was open source or free, it had this huge headstart that it was a drop-in replacement for the old, tired, no longer being developed NCSA httpd and whats more it did the job better.
Sun has a long tradition of building what they can themselves, buying in the rest. I'm neither applauding nor criticising this approach but it is simply the way they work. Their hardware works, their unix does what they say it does just fine, aside from a few standards related glitches their software also works as specified. This doesnt make them better than linux, just different. If they feel they can support it better if its running on Solaris or that they will be able to offer a better product by porting to that OS then they will, of course, go ahead and do it. If they feel it so strongly that they find its worth porting their mainstream OS product to a new platform thats their decision and it will either work fine and sell or it will be a pig and wont.
Dont fear it, look at the products they turn out and ask "are they good enough?" before you buy them. If they are not and folks dont buy them you can bet they will either sell it off again and the linux development will continue or they will back out the plan and just keep marketing the linux based version. On the other hand if the products are good enough what the hell was there to fear in the first place? # human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Slashdot Mirror
They are indeed something of an art! I went the other way to the original questioner - moving from full-time molecular biology into systems nd network admin via a little scientific coding and support work at a couple of major teaching hospitals. In all honesty, I loved both careers and I still (after 12+ years as a sysadmin) sometimes miss the lab work. I was somewhat peeved when (shortly after I made the career change) my lab record for most number of bases read from a single sequencing gel went away at the cybernetic hands of one of the first automated sequencing machines. The art is still there - a few years ago I got the chance to show some friends that I'd "still got it" by helping out when their sequencing machine was down and they had publication deadline coming up. At the same time I discovered that servicing Gilson micropipettes was something you just dont forget how to do :)
The one thing I miss about computer work in the scientific environment as opposed to the corporate arena I now work in is that when working with scientists - in pretty much any field - you have an easier time explaining why you need to take a particular approach to a problem. Its not that the senior folks in either environment are more or less willing to get it done, but the scientists are usually experts in a specialized field (or aspire to be) and are therefore more ready to accept the advice of the IT folks as coming from an experienced professional rather than discounting technical concerns as happens all too often in the business world.
In molecular biology, whilst a skilled researcher may have a substantial support infrastructure to do low-end work (like preparing media and stock solutions, cleaning and repairing equipment etc) the career path leaves most of them able to do it themselves if they had to (if its critical they often insist.) The same attitude also makes a good geek. Yes, its easier to have the service tech replace that failed bit of hardware but if you're in a hurry or its important you can always say "Courier it to me - I'll do the swap." There may not be an appropriate solution immediately available to a software issue, but you know enough to code a workaround even if it is hacky and ugly provided it keeps things going whilst you take your time getting something better. This should work the other way too. A good geek has the makings of a good scientist.
You are, of course, within your rights to pay for your www sites expenses with ads. I personally have no problem with advertising appearing in my browser provided its kept within reasonable limits. A site that doesnt keep to those limits doesnt get visited by me.
Having said that, what constitutes "reasonable limits" varies depending on what my browser and I can do to enforce those limits. Prior to the popup-blocking feature appearing I blackholed every ad server I could identify at my firewall because I was sick of the ever-more-intrusive flood of popunders, popups, browser-hijacking JS etc... I now see more ads than I used to, because having the browser zap the annoying ones that appear in their own window I dont have to block the ad-servers entirely. I still dont click on them, but the advertiser gets their impressions.
... are to be found in a ring I inherited from my grandmother. Whilst neither of us would have considered going out and buying them, the family connection makes the difference.
yes, I know my coding style sucks....
The procedure for determining a winner would be to tally all of the first choices and eliminate the candidate with the lowest vote count... ...more accurately represent the true will of the voters.
Its called a "single transferrable vote" system and was the system mandated for all elections of officers in the Students Union when I was at university in the UK - some of them a big deal since the appointee got a full-time paid job for a year along with a sabbatical from his/her studies whilst remaining eligible for university accommodation and all student benefits... The most interesting part of it is that there was always an extra "candidate" on every ballot. His name was "Re-open nominations." Kinda like writing in "They're all political hacks, find somebody else". He almost never got elected but if he did then the election was repeated with the candidates "Ron" beat disallowed from running. Now theres an interesting thought. Shame it would never fit with the constitution of most nations...
Its worth noting that in other jurisdictions an "implied warranty of merchantability", to use the phrase common in the USA, cannot be disclaimed. IMHO this is probably one of the reasons that software companies are so reluctant to admit to selling you a product rather than licensing you to use it. If, for example, in the UK they were to sell you a piece of software rather than a license to use it then the sale of goods act would require that it was "of merchantable quality". Selling you a license seems to apply that standard to the license not to the software itself and guess what - "you're allowed to use it, therefore the license we sold you has performed exactly the function we sold it for..."
Maybe the law should require that when puchasing a software license that exchanges a one-time fee for a non-expiring license then that transaction must be treated as a de facto sale of this copy of the software. Instant applicability of implied warranties and, as a side note, also strengthening the applicability of the first sale doctrine and making sure that an EULA cannot limit a customers rights any more severely than in any other sale.
Of course, if that were ever to happen then commercial software users would really be in trouble. The software companies would sell nothing but subscriptions, licenses would last a year at most (assuming the loophole of "not a non-expiring license - it expires in 99 years" is plugged) and every piece of commercial software would contain timebombs.
Unfortunately, for so long as people want what they are selling badly enough the software giants hope to get away with providing it on any terms they want. THAT is why they are so scared of open source and/or free software. Even if we admit the questionable argument that commercially produced software is supposedly "higher quality" (dont see it myself but...) we are already at the stage where mainstream users are finding their relationship with the software companies almost as inconvenient as coping with the supposed shortfalls of open source alternatives. Add just that little bit of extra hassle (like recurring fees, time-limited installations etc...) and the balance could easily tip.
OK, clarification is in order here. This particular incarnation of the problem is indeed, as you so rightly point out specific to the win32 API. I promise you I never disputed that. I made 2 separate points in my earlier post.
It was not my intention to link these two points into implying that a win32 exploit can somehow be viable on other OSs that dont use this API and I apologize for not making it sufficiently clear.
Geez, guys.. He pulls shellcode out of an in-the-wild exploit and clearly says so and you act all surprised that the shellcode is picked up by AV software? Whats more he clearly states in his paper that he went looking for shellcode to spawn a command shell on a given port. Was it a bogus attempt to root the boxes he'd not have warned you first exactly what it was would he...
The point remains that it isnt a question of "a user runs unknown code, they're screwed" - in this scenario the USER is the attacker.. they already have a legit account but it doesnt have administrator privs. They want to get past some restriction on their account - like maybe locate and disable any nasty corporate keyloggers that might get them fired for pr0n-mining, or plant some nasty stuff on a shared PC to grab other accounts credentials so somebody ELSE gets fired for it? Lots of attacks come from inside and lots of *nix attacks are described as "local root" compromises - thats what we have here.
To rephrase your statement its more a question of "if a user can get localsystem privs by running arbitrary code, you (as the sysadmin) are screwed."
This isnt specific to windows or any other OS for that matter. If any user can get arbitrary code to run with a higher privilege level than their own, this kind of hole exists.
Lots of suggestions about just keeping a computer somewhere dry but in a small sailboat, bare minimum for one person to live aboard for an extended period? Good luck finding anywhere that doesnt accumulate salt deposits over time if its open to the atmosphere. Problem is, once those deposits are there (even if they are not visible to the eye) that surface will never be truly dry, even on the hottest day. Nowhere is safe. The best deckheads develop persistent small leaks over time, particularly near the gunwales or worse still by the foot of a deck-stepped mast. Most "watertight" hatches on sailboats only qualify for that name on the grounds that if you get a wave over the deck most of it will drain off rather than go through. Assuming the craft goes anywhere other than the occasional brief trip around the harbour the phrase "dry stowage" on a boat this size is at best a relative term.
Now look at larger vessels. In general if they are large enough to have a genuine superstructure (ie you can be "indoors" with your feet no lower then deck level) then you stand a chance of keeping dry stowage dry and might get away with trying to protect a regular machine.
The harder you sail the worse it is of course. The engineers that have posted are absolutely right about the impacts and vibes and again the larger vessels have it easier (If your deckhead doesnt leak now, dont worry. After a couple of seasons pounding like this, it will.) At one point I saw the same piece of (genuine marine-quality) electronics installed on 2 craft. One was the 24-footer that my dad & I sailed all over the Irish Sea, the other was 42-foot motor-sailer that a friend had. My dad & I raced in ours, our friend took leisurely coastal cruises, so long as the weather forecast was perfect. Guess which piece of electronics died first?
Does anyone but me find it ironic that the most influential gripe about ICANN is coming from the registries that gained most benefit from ICANNs excesses? Of course they only gripe about the price cap since this is one of the few ICANN policies that bites the registries harder than it does the domain owners.
The registries are as evil as ICANN in their own way. The only spark of interest in this is that Nominet joined the party - Having dealt with administering domains in .com, .ac.uk and .co.uk I found that of the new crop of domain barons, Nominet were the most true to the way it used to be. (probably because when they took over .uk the fastest backbones in the UK were still in the hands of the academics, so they messed with .ac.uk at their peril)
Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but dont agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.
Having proclaimed my bias, it was interesting to hear the guys own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away" When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two but these days the usual spin on "responsible" when linked to the word "agency" mean either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.
Personally, I take responsibility for my own systems security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that theres nothing on my own boxes that a true expert wants badly enough to put in the effort)
From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.
To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?
As a Brit living in the US (still undecided on whether I'll switch citizenship so hopefully free of undue bias) I'll have a stab at answering this one...
Dont forget you're talking about defects here. Where I work, planned outages for things like preventive maintenance or the deployment of an upgrade to the core apps are not considered defects whereas unplanned outages are. I have several servers here that have only a few dozen days uptime but the last time they system or the primary app they serve crashed resulting in an unplanned outage or a six-sigma-style 'defect' was over a year ago.
Its part of the autoreplace stuff - similar to the "smart quotes" options et al that have been adding bloat to word-processors for years. The question mark appears when you're displaying in a font or charset that doesnt have the character its looking for as a replacement (I think)
Whatever the reason its easy to turn off. Disable the "Turn minus signs into dashes" autoreplace option.
Lots of posts on quantity of comments and theres a bundle of good arguments for both the more-is-better folks and the dont-overcomment advocates. Similarly the drive to make your variable names meaningful is worthwhile but the one addition to any code, be it perl, C or anything else, that makes maintaining it easier has to be the humble newline.
The important thing is not how many comments of what type but the overall layout of the source so that it is consistently understandable on reading through it. If a comment is required to accomplish that then insert one. If, OTOH, all you need to do is break up and indent the lines a bit more intuitively then do that rather than trying to explain the more awkward structure in a comment.
Sure, you can easily pack a fully functional perl script into a 4-line .sig if you want but a 100 line script thats as squeezed together as it possibly can be becomes unreadable no matter how many comments are inserted into it. If a single line of code does more than one step in your program then consider breaking it up. If it absolutely has to be one line in order to work then backslashes are your friend. The guy that reads your code to find out how you did that after you've moved on to bigger and better things might be an entry-level hire who has enough of a learning curve to cope with without wrapping his/her head around tightly compacted code as well.
Remember how simple you kept it when you first started learning a language? Keep it that way when you're more experienced unless theres a reason to do otherwise.
If a company has made themself dependent on the MS platform for the sake of email and Calendar, I most seriously doubt their judgement and competence.
Corporate workstations all running 'doze (especially the ones on the desks of the guys with the budgets to spend), lots of NT servers in the data center, no its not surprising that they should choose to standardize on outlook for corporate email. Once thats in place its also an apparent no-brainer to get everybody using the integrated calendar management. Then, once this hypothetical company has done all this, they start getting bitten firmly on the ass by the disadvantages of this solution and the IT dept can do nothing but shrug and say "we warned you, but you didnt listen...." Unfortunately having said that they still have to look for solutions that will work in the environment that exists at the time. Unless it was done comparatively recently there wasnt any real alternative to 'doze for the generic user - unix variants and other alternate OSs have come a long way in that regard real fast.
Once you've been "embraced and extended" its real hard to break loose unless you've got something thats 100% compatible to ease the migration process.
Linux clients can't use it to talk to Exchange for shared calendaring.
Yeah, thats where I hit a brick wall with it too. Shame the Evolution developers havent given a little thought to on-the-fly conversion of outlook-format appointment messages to Evolution vCalendar entries - although I can kinda understand why since on my Sun box the latest Evolution builds have much more serious problems in the calendar side than just an inability to correctly interpret outlook appointments - when I get a build that doesnt crash its calendar so readily I'll do a serious evaluation.....
"Evidence", yeah, right. But how much of what they took can possibly be real evidence of anything? Not much, and they dont have any real reason to keep it either. IANAL, but heres why I think so...
If they booted that machine they took even once their chain of evidence is tainted. It doesnt take much C++ skill to mess around with, for example, a DHCP client that will irreversibly trash certain areas of the HD if the packet that gave it its IP addy happens to come from the wrong MAC address indicating the machine is no longer on its home network - it could even be made to look plausible by looking like a boot-time fsck pass. If they did anything but temporarily connect the media on the confiscated system to a different machine and make a raw copy of each disk (without even mounting it) they cant trust anything they see.
Of course if they are doing that once, they can do it twice and present the guy they are accusing with a copy of the evidence they collect just like in the UK the police are required to tape interviews (on a machine that records 2 tapes simultaneously) and give you or your lawyer a copy of the tape immediately the interview is over. Of course I'd bet the cops really wouldnt like that - it means if theres a single bit difference between the two images when it comes time to go to court and the defendants lawyer can prove their copy has been sitting in his safe the whole time then somebody just got caught tampering with evidence. No matter how good the police force is, some of that goes on in all of them - thats why the UK introduced that regulation about the taped interviews.
This also means that every piece of data on that computer is in their hands. They probably will want to hang onto the physical media from it in case they decide to do the more invasive data recovery techniques but theres no harm to their chain of evidence from handing back the machine(s) excluding disks, but with a complete disk image on whatever media they like. No unjust deprivation of a persons access to and use of their personal property either - and yes, I include the data in that category as well, its the most valuable component of the system because hardware is replaceable, work is not.
I, for one, am not holding my breath waiting for this to happen though. Perhaps the best we can hope for is to have the cops wake up to reality and make sure that they actually send along somebody who knows his ass from his elbow where data security is concerned to cases like these, just like they send cops trained in accountancy on financial cases.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Looking at the text of title 17, section 1201...
Subsection (c)(1) reads Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title. so the "fair use" defense is unaffected by this measure.
As for DeCSS I'm guessing the defense lawyers are hammering real hard on subsection (f) which explicitly permits reverse engineering any access control AND distributing the means to do so so long as it is solely for the purpose of allowing interoperability. Of course the corporate weasels didnt like this so they are claiming DeCSS in "purely a piracy tool." IANAL but from reading the actual letter of the law it seems that all it should take to defend against the suit is claiming "I made this code to allow interoperability between the firmware code on commercial DVD drives and the linux OS since nobody else had made a driver for it." - that fulfills the requirement in (f)(2) that it is for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability and also of (f)(3) where the information gained may be made available to others ... solely for the purpose of enabling interoperability
In the absence of the MPAA being able to prove that any of the coders intended DeCSS for piracy or actively used it for such (and since "fair use" remains intact their lawyers should be able to argue that the presence of decrypted movie fragments in old temp files on their disks is simply evidence they played them, not that they copied them) whilst the MPAA may throw more and more money and lawyers at this they should eventually lose.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
The problem with your amoral view - that it is not your place to decide which of us is right - is that by taking that position you surrender your part of the world to evil. Be aware of that simple fact
This is the only part of your reply that I disagree with absolutely. It is not amoral, it is in fact a statement of my own morals and ideals, which whilst different from yours (as evidenced by your classification of my position as amoral) are held as strongly as yours. For the most part an enlightened society frowns on an individual taking upon themselves the right to judge their peers. There are places where however distasteful we find it an individual must be given that responsibility, as part of their duty to the society they live in but outside those areas both the principle of allowing personal freedom to live ones life as one sees fit and the principle of "judge not, lest ye be judged" apply. Nothing has given me the right to say your statement is "right" or "wrong", but nothing can take away my right to either agree or disagree with your statements. As it happens I agree with most of them but that doesnt make it any more "right" than it would be if I didnt. Absolute right and wrong are not in any human hands to judge no matter how loudly and stridently some may claim the right to usurp a power that almost every faith reserves to the divine. Personally I think that if a few more legislators remembered that we'd have a lot more common sense in the making and applying of laws.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
So do I.. If I'm sat in my cube when I do anything net-related my employer is welcome to watch it - If they can show me a single instance when I mised a deadline or otherwise didnt get the work done because of it then I'll deserve anything they throw at me but I have no worries there because there are no such incidents. All the same, there isnt any reason I have to make it easy for them, the only way they can read any email I send from my home accounts is either to do screen/keystroke capture (which I'd know about pretty quick as I regularly sniff my own network traffic as part of my job) or pull a fullscale man-in-the-middle attack on my ssh connection to my home LAN at the corporate firewall. If they are that paranoid and want to waste that much time and resources on the project then they are welcome to. If my boss wants to sink that much budget into completely non-productive tasks then he's on a bigtime losing streak and I'll soon have his job myself. Alternatively if he is getting pressure from upstairs to account for my net traffic all he has to do is ask and I'll hand him a logfile. With nothing to hide theres no loss in telling them what you're doing, its just polite for them to ask for the info rather than simply grab it.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
It appears that the author of this post is either a lawyer, or is able to think like a lawyer. He makes a mistake which many intelligent people make: he mistakes the winner of a fight for the person who is right
You are absolutely correct in general, but there is another aspect to your argument. You state that the winner of a fight has won only the fight and you are correct, but what makes people fight is what is at stake. If something is happening that you do not like you have a seemingly simple choice, accept it or fight it whether you are "fighting" in a legal context through the courts, applying your martial arts training to defend your person or simply making your views known in a forum such as slashdot. You make the choice of whether or not to fight based on how much you will have to put into it to win that fight and the consequences of winning, losing or not fighting at all. You have to make that decision based partially on an objective view of the circumstances and partially on the purely subjective aspect of how you feel about the various possible outcomes. Most people cant do this, although I suspect that you, as a martial artist, can.
Governments make laws, its their job. They rarely get it "right" first time, where getting it right means that the law is acceptable to the majority of the people being governed. In theory, in a democracy at least, those lawmakers are held accountable for their mistakes in this regard at the ballot box. This is the only place in which whether a particular law is "right" or not is judged. Even where a USA law raises constitutional issues a court is not deciding that a law is "right" or "wrong", only whether it is enforceable or not within the limits the constitution imposes on government action. Once a law is on the books it doesnt define what is right but what the stakes are in a particular legal fight. Court precedents may modify the interpretation of the law but even that is not a decision on right or wrong but an attempt to modify the consequences of its application. This assembled body of law is neither right nor wrong, it is simply the ground upon which legal conflicts take place. Of course the more influence you can bring to bear on the lawmaking process (corporate lobbyists, for example) the closer you can get to Sun Tzus ideals of being able to choose your own ground for a conflict.
This being the case both you and the poster you replied to are correct. Whether either of you is "right" isnt my place to judge.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Anyone wanting to really use digital sigs for authentication purposes had better keep hard evidence of all changes to their key pairs - store them on read-only media along with the revocation notices for previously used keys and then get the government to timestamp 'em for you by posting them to yourself via registered mail and never opening the envelope when it arrives.
Guess we'd all better start including disclaimers in our standard email .sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.
Paranoid? Me? Surely not...
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
they can't take a working technology and leave it as it is
No, they cant. And nor can anyone else. Whenever a software or hardware product ceases to be developed, improved and updated it usually dies if its in a niche market or rapidly becomes a niche market instead of mainstream. Suddenly something else will come along that takes up the cause and does it better - Apache didnt become the primary webserver of choice as quickly as it did because it was open source or free, it had this huge headstart that it was a drop-in replacement for the old, tired, no longer being developed NCSA httpd and whats more it did the job better.
Sun has a long tradition of building what they can themselves, buying in the rest. I'm neither applauding nor criticising this approach but it is simply the way they work. Their hardware works, their unix does what they say it does just fine, aside from a few standards related glitches their software also works as specified. This doesnt make them better than linux, just different. If they feel they can support it better if its running on Solaris or that they will be able to offer a better product by porting to that OS then they will, of course, go ahead and do it. If they feel it so strongly that they find its worth porting their mainstream OS product to a new platform thats their decision and it will either work fine and sell or it will be a pig and wont.
Dont fear it, look at the products they turn out and ask "are they good enough?" before you buy them. If they are not and folks dont buy them you can bet they will either sell it off again and the linux development will continue or they will back out the plan and just keep marketing the linux based version. On the other hand if the products are good enough what the hell was there to fear in the first place?
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking