Well, don't forget that they actually have to look through all this crap and find the good ideas (if they exist). So it is a gamble, but it's probably a good one. Anyway, I'm sure many people will be happy to do this, so don't spoil their fun.;)
But -- typical slashdot folks respond really well to this kind of button pushing. I'm thinking that there must be some way to channel all of this energy into something good.....
I agree with you that it is easier to secure a linux system, but mainly because it is just simpler. On one side people are still working on things like linuxconf to make it easier for unknowledgeable folks to admin a linux box -- and (I think) this will lead to security problems, just as GUIs and wizards did in windows. But windows already has years of experience...
> Also, while you were rewriting wu_ftpd, IIS was
> suffering from a multitude of flaws, yet you had
> no opportunity to rewrite that to fix them.
Sure I did. I presume you're implying that because it's closed-source? I didn't need the source to rewrite the ftp daemon (from scratch); the source is shitty, huge, and in a different language. I just used the RFC, and it would have been just as easy to rewrite a web server.
> So they came with your distro, WTF didn't you turn them off?
Because I need them.
Eventually I got sick of security issues and rewrote FTPD, (BIND is soon...) but the fact remains that those are the standard network services for linux, and they are insecure. Unless you think linux is just the kernel, I think it's fair to say that linux has its fair share of security problems unless you replace some of its packages with others.
>actually, no. On my system, Netscape 4.77 is
>FAST, and completely stable (and Opera is even
>better, by the way!). Never had a single crash.
>By contrast, Mozilla is VERY, VERY slow, and
>crashes all the time. Granted I haven't tried
>0.9.8, but judging from my past experiences it
>will take a lot more than a couple point releases
>for the Mozilla team to clean up the complete
>mess that is Mozilla
Seriously?
It's true that Mozilla is slower, maybe even slower than IE, but it has support for modern HTML stuff and does things like incremental reflow... so it is not really comparable to NS4. Anyway, my computer is fast, and it doesn't crash for me. It does get better all the time, so maybe it's time for another look...
But the 4.7 series of Navigator was pretty crashy for me. There was a particularly common freeze where I couldn't click links, and I'd need to manually end its task before I could start up Navigator again... that happened to a lot of my friends too, so I thought it was common. Well, I guess your mileage may vary.
Yes, canaries are not perfect, but I believe the stub code that XORs the return address with a random word pretty much makes exploiting buffer overflows impossible. Am I wrong?
First, is "DivX;-)" Version 3 really just microsoft's codec with the fourcc changed? That's the one that started all of this, not the various groups that took the name for their own projects.
Second, is it or is it not open source, and if it is, why is it patent pending?
I have been using nightly downloads for a while now as my only browser. Every once in a while I'll get one that's unstable, but for the most part it is way stabler than Navigator ever was. Plus it has support for modern web standards and tabbed browsing.
The point releases are fun, but I really like the excitement of running the nighly builds.
> You call that being vigilent? lol. what a bunch of
> crap. You installed 2 of the most insecure
> programs for Unix and you wonder why you got
> hacked. rofl.
Actually, asshead, they came with my distribution of linux. I am talking about linux the operating system, not like "the kernel plus sshd" (which, as I recall, has also had remote exploits recently).
Vigilance refers to my expediency in staying up-to-date on patches. My overall point is that linux and its associated applications are not particularly secure.
I thought DivX;-) was just a repackaged version of Microsoft's MPEG-4 codec. ("Version 3")
I seem to recall that some folks were writing a new codec and using that name (presumably to get free publicity, I mean, who will sue them?), and also making it open-source. ("Version 4")
So why does Fraunhofer need to license this new codec if it's open source? And why is it "patent pending"??
I think it will be hard to do, but I think it's important. Furthermore, when you elect to turn on a network service, it should download the newest version from Redhat or whatever, and install that instead. If you don't have network access, what are you doing installing wu_ftpd?
Also, it blows my mind that redhat doesn't ship their default internet services compiled with stackguard. The performance loss is negligible (the people who need hard core performance will be recompiling and tuning themselves, anyway), and it would make buffer overflows unexploitable automatically. WTF, redhat?
I got rooted by the BIND exploit before it was patched. (.edu spaces tend to get scanned for vulnerabilities early since they usually have great bandwidth) This particularly pissed me off because I had *just* upgraded to the newest bind at the time. Fortunately, their root kit made my machine not boot, so they didn't really do any damage.
The first time was with wu_ftpd, a long time ago. I have since gotten sick of patching that beast, and I re-wrote it in SML to be buffer-overflow free (see other rant).
My point was not that Windows has no security holes if you run lots of network services, merely that even a reasonably vigilant person can still get their linux box rooted. It is far from invincible; it just tends to be simpler (at least, it used to be) and have more capable users.
Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.
Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851 880 ).
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP.(I have been Winnuked, that's the worst thing that's happened.)
I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?
> The difference is only in the top-level design,
> that in Windows every application has access to
> the whole filesystem and all the hardware, though
> this appears to be changing with XP (but
> installing 3rd party sw as a user seems to break
> most sw not designed with this in mind)
This isn't true, really; XP has file permissions just like NT. I suppose it's true that you can't deny access (AFAIK) to certain devices like you can with the devfs on linux. But, then again, XP has stuff like built in fs encryption, and somewhat finer-grained file access control.
However, it certainly is more comfortable in windows to just give all programs access to everything; maybe old habits die hard, or maybe that really is something intrinsic to windows.
God, it is kind of sad the kinds of posts I am seeing on this story. Everybody laughing at Microsoft, ha ha, they have so many bugs, etc. I don't see anyone saying, let's do the same for linux.* I think that's really cocky of us, and pretty disappointing.
In fact, MS has built a really good product with Windows XP. I am using it right now. It has never crashed on me! It's true that I wouldn't use it for a server, because it is a pretty complicated beast, but it is pretty damn good on the desktop.
I am not trying to say that we should give up because microsoft has us beat. I am saying that we need to keep working, because I actually think that MS will be providing an OS that is very very stable in the next few years, and this will take away one of Linux's chief selling points to the average person. Linux will always have freedom, and that's great (enough for many people), and it will have better C programming support, but what else? Complacency is a terrible thing, folks!
* Don't tell me linux doesn't need it. Some of the important code I've seen is pretty damn amateurish. Check out the MD5_crypt code for PAM, for instance.
Anyone who learns a lot about something will find out, almost invariably, that the rest of the world doesn't do things the best way. I find myself in this situation a lot, and I often find myself frustrated in how difficult it is to get through to people.
The whole reason I even bother to post to slashdot any more is as an exercise in this kind of argument. (The slashdot crowd is particularly susceptible to this kind of quasi-technical emotional stuff.) Here are some lessons I've learned.
Rule #1 is: Never be a pedantic asshole. Nobody likes one, unless he's already on his side!
Rule #2 is: Entice people to do it the better way by showing them how cool it is.
That's it. Just show people why your thing is better in a non-annoying way. Be excited, not hateful. Most people are very reasonable, and even if they are not convinced, you may have changed their minds slightly and they won't resent you (and your movement) afterwards!
time compressing audio and video to make it not sound/look strange is actually pretty computationally expensive to do in real-time. But you're right, this would be a pretty kick ass feature. I'll bet that they'll have it once we have fast enough embedded processors to do it.
Seriously.
Everything on my computer runs plenty fast at the instruction level except for:
mprime (distributed prime search, though I think this is written in hand-tuned x86 asm)
quake 3 (my video card is the bottleneck, and I also believe that speed-critical parts are written in hand-tuned x86 asm)
I suppose I should include multimedia encoding as well. (I am not sure how these were written. Maybe a faster compiler really would help here, if I had the source to recompile.)
Being faster is nice when it comes at no cost, but I say it is one of the least important goals of a compiler. Much more important is being reliable (doesn't make mistakes, doesn't crash, is compliant with the language definition if it exists), being available on many platforms, and in this case, being Free software. If GCC gets these optimizations, great for them, I will upgrade. But I consider a move to the Intel compiler a downgrade because (though it may have better performance) it fails at least at portability and freedom.
(By the way, I think that the way they summarize their numbers is quite misleading. The geometric mean really exaggerates those two benchmarks that Intel creams GCC on (probably because the Intel compiler recognizes some loop idiom that it knows how to compile efficiently). What I saw looked like an average 10%-20% better performance, with a few outliers.)
Slashdot Mirror
Well, don't forget that they actually have to look through all this crap and find the good ideas (if they exist). So it is a gamble, but it's probably a good one. Anyway, I'm sure many people will be happy to do this, so don't spoil their fun. ;)
Well said.
But -- typical slashdot folks respond really well to this kind of button pushing. I'm thinking that there must be some way to channel all of this energy into something good.....
Actually, I just download one when I remember, or when my current build crashes. But I'm sure it'd be easy on linux with wget and rpm, or tar -zxvf...
Yes, that was my point. ;)
I agree with you that it is easier to secure a linux system, but mainly because it is just simpler. On one side people are still working on things like linuxconf to make it easier for unknowledgeable folks to admin a linux box -- and (I think) this will lead to security problems, just as GUIs and wizards did in windows. But windows already has years of experience...
> Also, while you were rewriting wu_ftpd, IIS was
> suffering from a multitude of flaws, yet you had
> no opportunity to rewrite that to fix them.
Sure I did. I presume you're implying that because it's closed-source? I didn't need the source to rewrite the ftp daemon (from scratch); the source is shitty, huge, and in a different language. I just used the RFC, and it would have been just as easy to rewrite a web server.
An AC flames,
> So they came with your distro, WTF didn't you turn them off?
Because I need them.
Eventually I got sick of security issues and rewrote FTPD, (BIND is soon...) but the fact remains that those are the standard network services for linux, and they are insecure. Unless you think linux is just the kernel, I think it's fair to say that linux has its fair share of security problems unless you replace some of its packages with others.
>actually, no. On my system, Netscape 4.77 is
>FAST, and completely stable (and Opera is even
>better, by the way!). Never had a single crash.
>By contrast, Mozilla is VERY, VERY slow, and
>crashes all the time. Granted I haven't tried
>0.9.8, but judging from my past experiences it
>will take a lot more than a couple point releases
>for the Mozilla team to clean up the complete
>mess that is Mozilla
Seriously?
It's true that Mozilla is slower, maybe even slower than IE, but it has support for modern HTML stuff and does things like incremental reflow... so it is not really comparable to NS4. Anyway, my computer is fast, and it doesn't crash for me. It does get better all the time, so maybe it's time for another look...
But the 4.7 series of Navigator was pretty crashy for me. There was a particularly common freeze where I couldn't click links, and I'd need to manually end its task before I could start up Navigator again... that happened to a lot of my friends too, so I thought it was common. Well, I guess your mileage may vary.
Now that's an answer!
These are all compatible on the decompression end because they all produce MPEG-4 compatible streams, is that the deal?
I already know what the differences between "Open Source" and "Free Software" are. What made you think I didn't?
Jeesh. If you're going to be rude and act like you're inconvenienced by answering my question, just don't answer it.
What?
I know "way stabler" may not be perfect english, but it's nowhere near as screwed up as "more better".
Which is more awkward, "more stabler" or "way better"?
Yes, canaries are not perfect, but I believe the stub code that XORs the return address with a random word pretty much makes exploiting buffer overflows impossible. Am I wrong?
This doesn't answer my question at all.
;-)" Version 3 really just microsoft's codec with the fourcc changed? That's the one that started all of this, not the various groups that took the name for their own projects.
First, is "DivX
Second, is it or is it not open source, and if it is, why is it patent pending?
Yes, Mozilla rocks.
I have been using nightly downloads for a while now as my only browser. Every once in a while I'll get one that's unstable, but for the most part it is way stabler than Navigator ever was. Plus it has support for modern web standards and tabbed browsing.
The point releases are fun, but I really like the excitement of running the nighly builds.
An AC flames,
> You call that being vigilent? lol. what a bunch of
> crap. You installed 2 of the most insecure
> programs for Unix and you wonder why you got
> hacked. rofl.
Actually, asshead, they came with my distribution of linux. I am talking about linux the operating system, not like "the kernel plus sshd" (which, as I recall, has also had remote exploits recently).
Vigilance refers to my expediency in staying up-to-date on patches. My overall point is that linux and its associated applications are not particularly secure.
I thought DivX ;-) was just a repackaged version of Microsoft's MPEG-4 codec. ("Version 3")
I seem to recall that some folks were writing a new codec and using that name (presumably to get free publicity, I mean, who will sue them?), and also making it open-source. ("Version 4")
So why does Fraunhofer need to license this new codec if it's open source? And why is it "patent pending"??
Right on.
I think it will be hard to do, but I think it's important. Furthermore, when you elect to turn on a network service, it should download the newest version from Redhat or whatever, and install that instead. If you don't have network access, what are you doing installing wu_ftpd?
Also, it blows my mind that redhat doesn't ship their default internet services compiled with stackguard. The performance loss is negligible (the people who need hard core performance will be recompiling and tuning themselves, anyway), and it would make buffer overflows unexploitable automatically. WTF, redhat?
OK, sure...
I got rooted by the BIND exploit before it was patched. (.edu spaces tend to get scanned for vulnerabilities early since they usually have great bandwidth) This particularly pissed me off because I had *just* upgraded to the newest bind at the time. Fortunately, their root kit made my machine not boot, so they didn't really do any damage.
The first time was with wu_ftpd, a long time ago. I have since gotten sick of patching that beast, and I re-wrote it in SML to be buffer-overflow free (see other rant).
My point was not that Windows has no security holes if you run lots of network services, merely that even a reasonably vigilant person can still get their linux box rooted. It is far from invincible; it just tends to be simpler (at least, it used to be) and have more capable users.
Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.
Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851 880 ).
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP.(I have been Winnuked, that's the worst thing that's happened.)
I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?
Well, Quake 3 is quite different from their previous games because it is "deathmatch only". There's no single-player adventure.
Of course, Quake 3 didn't do so well, and Doom 3 is back to the old thing again. So maybe you are right after all...
> The difference is only in the top-level design,
> that in Windows every application has access to
> the whole filesystem and all the hardware, though
> this appears to be changing with XP (but
> installing 3rd party sw as a user seems to break
> most sw not designed with this in mind)
This isn't true, really; XP has file permissions just like NT. I suppose it's true that you can't deny access (AFAIK) to certain devices like you can with the devfs on linux. But, then again, XP has stuff like built in fs encryption, and somewhat finer-grained file access control.
However, it certainly is more comfortable in windows to just give all programs access to everything; maybe old habits die hard, or maybe that really is something intrinsic to windows.
God, it is kind of sad the kinds of posts I am seeing on this story. Everybody laughing at Microsoft, ha ha, they have so many bugs, etc. I don't see anyone saying, let's do the same for linux.* I think that's really cocky of us, and pretty disappointing.
In fact, MS has built a really good product with Windows XP. I am using it right now. It has never crashed on me! It's true that I wouldn't use it for a server, because it is a pretty complicated beast, but it is pretty damn good on the desktop.
I am not trying to say that we should give up because microsoft has us beat. I am saying that we need to keep working, because I actually think that MS will be providing an OS that is very very stable in the next few years, and this will take away one of Linux's chief selling points to the average person. Linux will always have freedom, and that's great (enough for many people), and it will have better C programming support, but what else? Complacency is a terrible thing, folks!
* Don't tell me linux doesn't need it. Some of the important code I've seen is pretty damn amateurish. Check out the MD5_crypt code for PAM, for instance.
Snoot's got an infinite supply of randomly-generated recipes:
http://snoot.org/factory/recipe/
Anyone who learns a lot about something will find out, almost invariably, that the rest of the world doesn't do things the best way. I find myself in this situation a lot, and I often find myself frustrated in how difficult it is to get through to people.
The whole reason I even bother to post to slashdot any more is as an exercise in this kind of argument. (The slashdot crowd is particularly susceptible to this kind of quasi-technical emotional stuff.) Here are some lessons I've learned.
Rule #1 is: Never be a pedantic asshole. Nobody likes one, unless he's already on his side!
Rule #2 is: Entice people to do it the better way by showing them how cool it is.
That's it. Just show people why your thing is better in a non-annoying way. Be excited, not hateful. Most people are very reasonable, and even if they are not convinced, you may have changed their minds slightly and they won't resent you (and your movement) afterwards!
time compressing audio and video to make it not sound/look strange is actually pretty computationally expensive to do in real-time. But you're right, this would be a pretty kick ass feature. I'll bet that they'll have it once we have fast enough embedded processors to do it.
Who cares about performance?
Seriously.
Everything on my computer runs plenty fast at the instruction level except for:
mprime (distributed prime search, though I think this is written in hand-tuned x86 asm)
quake 3 (my video card is the bottleneck, and I also believe that speed-critical parts are written in hand-tuned x86 asm)
I suppose I should include multimedia encoding as well. (I am not sure how these were written. Maybe a faster compiler really would help here, if I had the source to recompile.)
Being faster is nice when it comes at no cost, but I say it is one of the least important goals of a compiler. Much more important is being reliable (doesn't make mistakes, doesn't crash, is compliant with the language definition if it exists), being available on many platforms, and in this case, being Free software. If GCC gets these optimizations, great for them, I will upgrade. But I consider a move to the Intel compiler a downgrade because (though it may have better performance) it fails at least at portability and freedom.
(By the way, I think that the way they summarize their numbers is quite misleading. The geometric mean really exaggerates those two benchmarks that Intel creams GCC on (probably because the Intel compiler recognizes some loop idiom that it knows how to compile efficiently). What I saw looked like an average 10%-20% better performance, with a few outliers.)