Real Product, Fake Videos? (on "Apple PDA?", Score: 2)
I think those videos are fudged. (Take a careful look at sayhello and watch the screen stay steady as the unit shakes...)
But that doesn't mean that the product isn't real. How many demos have we all fudged in our time? It's possible that the screen doesn't take well to video recording, and that they needed something to wow people at MacExpo.
If the whole thing is a fake, then, well... damn, that's a nice hoax.
Dear AC,
I am a linux supporter. I run linux on my web server, it's great for that. (I had to rewrite some of my network services though, because they were full of security holes and I was sick of patching.) I hope that some day I can run a free OS on my desktop computer too, but in order for that to happen, I need apps, and in order for that to happen, linux needs a stronger desktop user base.
Linux is not a technologically advanced OS. This is another common misconception on slashdot. It is a clone of Unix, a very old (and rather good) idea. There have been loads of new ideas and technologies since then, and I wish that hackers would implement these in new operating systems. (Do we *really* need to be running our network services as root just so that they can bind to a low-numbered port?) But the operating systems world (much like the rest of computer science) is very fad-oriented, and a good idea is worth nothing unless there is good marketing.
Linux has pretty good marketing. Windows has great marketing. But linux marketing is based on stuff that's starting to be less and less true. linux kicked the ass off of Windows 95 in terms of stability and security. (I remember rebooting to linux when the rest of my dorm was getting WinNuked all day.) But, Windows has practically caught up. 2000 is very stable; it crashes about as often as X does for me (and I do a lot more daring things with 2000, like play Quake and watch DVDs and burn CDs and do video capture). As linux has become more and more complex, certain major distributions are just as insecure as (or even more insecure than, perhaps) Windows. My question was, when joe consumer doesn't care about stability because his computer doesn't crash, and doesn't get hacked (Win XP has a personal firewall now, no?), why would he want to use linux?
The post wasn't intended as a troll, merely to stir the waters. Complacency is a terrible thing.
(PS: 12 moderations done to my post! Jeesh!)
> For the most part, it will probably depend on how MS handles approving drivers.
Interestingly enough, MS has a neat project, a programming language called Vault which is a sort of machine-verified C. It makes sure that drivers "follow the rules" with respect to locking disciplines and such. If they roll this out (I don't know how likely that is), even shit 3rd party drivers can't help but work -- if they don't, they won't compile. (Also, if they start writing their apps in C#, they can say bye to memory leaks, certain kinds of crashes, and a large class of security holes!)
That's true of Windows up through ME, but not of 2000 and XP. There may be bugs, but they are not due to technical weakness, they're just bugs. (In my experience, 2000 is quite stable.)
By the way, fork bombs do a pretty good job of taking down a linux box. Linux performs awfully under super-high load. And up until the most recent kernels, it was possible to freeze up the whole system with a certain form of recursive symlink. Bugs exist.
I don't really like Microsoft much, but I think that a lot of the stuff we hear on slashdot is just folklore. My point is, if we get cocky and take the "windows is unstable and insecure" stuff for granted, I think we are going to be left in the dust.
Win2k and XP are actually quite stable.
I think pretty soon. Windows and linux will be on equal footing for stability and security... we can't ride the "more stable" horse (ha ha, get it?) forever.
So linux is free, which is great, but what else?
Not binaries, source.
I don't think it's a worm if it uses vulnerabilities to get root on the local machine, but whatever it's called, it's not impossible on linux and doesn't require running unknown binaries as root.
> The only way a linux virus is ever going to do
> damage is if it gets into a package on a major
> distro's ftp and goes unnoticed.
How about if it,
- infects source code (not too hard...)
- installs itself in system headers so that all new programs compiled would include it (#define main...)
- infects kernel modules, or the kernel itself
- exploits common vulnerabilities to infect new hosts or to gain root on the local host (I would venture a guess that *most* people who don't have users are not safe against all local root exploits)
I could imagine a really good virus making its way around, especially right around the time a new remote root exploit is announced... I don't think a linux virus is that far-fetched, especially as more unsophisticated users begin using linux, and as our platforms grow more homogeneous...
> If so, is it illegal under the DMCA to block those
> reporting mechanisms in your firewall?
No. The DMCA anti-circumvention clause is only about software that controls access to a copyrighted work.
"Apache" is pretty close to "Appliance". Come on, use your noggin'.
> I'd rather find some prize money than some
> really big but practically worthless number.
Well, that's a fine reason, but that's a lot different than doing it because it's more "useful" than this guy's steganography study.
BTW, the EFF has sponsored a very big reward for a 10 million digit prime. I'm not sure how your odds compare, but it's not *just* the number...
How might RC5 find something useful some day? The key was generated by the people who run the contest. If you discover it, well, big deal -- they could have just not destroyed the key in the first place and that would set us ahead several hundred CPU-years!
Try GIMPS for the "find something some day" (they have actually found several of the largest known primes) and the results are mathematically sound and verifiable...
This is one of the few clear-headed posts in here. I hate spam just like everybody else, but hitting delete a few times a day (or setting up filters) is far far less annoying than the kind of clueless laws that the government likes to regulate the internet with.
Listen slashdot! You don't want the government's hand in this!
Remember how they "solved" the pornography problem? (CDA I, II, etc., forced use of censorware in libraries)
Remember how they "solved" the movie piracy problem? (DMCA?)
I want as little regulation of what I do on the internet as possible. I think the spam problem is best solved by (1) hitting delete, (2) technological/social solutions, or finally (3) civil torts.
That doesn't make any sense, either. The DMCA does not prevent you from reverse-engineering software and making or distributing patches, UNLESS that software controls access to a copyrighted work, which AIM does NOT.
People really need to get their facts straight about the law or we are going to be totally incoherent when we try to challenge it (or convince our friends and family that it is bad).
Not *every* program is vulnerable, dude. It is certainly possible to write secure software. (For instance, I trust the FTP server I wrote pretty well.)
It's true that overflows are easy to prevent, by using a modern language like Java or O'Caml that has automatic bounds-checking on arrays. (To a lesser extent the C++ STL can help you with this, but you don't get any guarantees since the language is not safe.)
But I don't agree that it is easy to prevent when you're writing your software in C or C-like C++. In fact, I think C and the typical memory model practically encourages you to write exploitable software. Sure, it's easy to look at a stupid little program and say, yes, that has a buffer overflow problem. But large programs like IIS or even AOL AIM are an awful lot harder to analyze. (Take a look at the IIS overflow again if you think it's easy. This was due to the interaction between two totally different modules, both of which did bounds checking, but assumed that the buffer was large enough to hold twice the amount of data after unencoding. Indeed it was, but not if you unencode twice!)
If it is so easy to prevent, why do we continue to see loads of these kinds of bugs? You might argue that AOL programmers are stupid, and IIS programmers, and wu_ftpd, BIND, perl, quake 3 arena, sshd, (etc. etc.), but I think you'd be left with almost no programmers if you listed all the packages that have had buffer overflows in them. It is C's fault.
Personally, I think it's ridiculous that people still write software that's not at all performance-critical in C and C++. Technology exists (see O'Caml at http://caml.inria.fr/) for making really fast programs that are guaranteed not to have this kind of security hole in them. All that's really needed is toolkits for interfacing with system libraries... (for non-interactive stuff like network daemons there's absolutely no excuse to be using C).
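A constructed C model of the failure described in the comment above (an added example, not code from IIS or from the commenter). It assumes the "unencoding" step is a byte-widening pass that doubles the data; `MAX_REQ`, `BUF_CAP` and all function names are hypothetical. Each module's local check passes, yet the second pass needs more than the shared buffer holds; the checked version tests capacity at the write itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQ 16                 /* constructed limit on the raw request */
#define BUF_CAP (2 * MAX_REQ)      /* shared buffer: room for ONE expansion */

/* Assumed decoder: widens every byte to two bytes, in place.
 * Capacity is checked here, at the write, not by the caller.
 * Returns the new length, or -1 if the result would not fit. */
static long widen(unsigned char *buf, size_t cap, size_t len)
{
    if (len > cap / 2)
        return -1;
    /* walk backwards so unread input bytes are never overwritten */
    for (size_t i = len; i-- > 0; ) {
        buf[2 * i + 1] = 0;
        buf[2 * i] = buf[i];
    }
    return (long)(2 * len);
}

/* Module A's check: the raw request is within the limit, so one
 * expansion fits in BUF_CAP. Correct in isolation. */
static int module_a_accepts(size_t raw_len) { return raw_len <= MAX_REQ; }

/* Module B's check: the data it was handed fits in the buffer.
 * Also correct in isolation, but B then expands the data again. */
static int module_b_accepts(size_t len) { return len <= BUF_CAP; }

/* Bytes the buffer must hold after `passes` expansions. */
static size_t needed_after(size_t raw_len, int passes)
{
    size_t n = raw_len;
    while (passes-- > 0)
        n *= 2;
    return n;
}

/* Flawed pipeline, modeled without performing the bad write:
 * returns how many bytes would land past the end of the buffer. */
static size_t overrun_flawed(size_t raw_len)
{
    if (!module_a_accepts(raw_len))
        return 0;
    if (!module_b_accepts(needed_after(raw_len, 1)))
        return 0;
    size_t after_b = needed_after(raw_len, 2);
    return after_b > BUF_CAP ? after_b - BUF_CAP : 0;
}

/* Hardened pipeline: every pass goes through widen(), which knows the
 * real capacity. Returns the final length, or -1 when rejected. */
static long pipeline_checked(const unsigned char *raw, size_t raw_len)
{
    unsigned char buf[BUF_CAP];
    if (raw_len > sizeof buf)
        return -1;
    memcpy(buf, raw, raw_len);
    long n = widen(buf, sizeof buf, raw_len);
    if (n < 0)
        return -1;
    return widen(buf, sizeof buf, (size_t)n);
}

int main(void)
{
    unsigned char raw[MAX_REQ];
    memset(raw, 'A', sizeof raw);  /* constructed sample request */
    printf("flawed: %zu bytes past the buffer\n", overrun_flawed(sizeof raw));
    printf("checked, full-size input: %ld\n", pipeline_checked(raw, sizeof raw));
    printf("checked, half-size input: %ld\n", pipeline_checked(raw, MAX_REQ / 2));
    return 0;
}
```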
The reverse-engineering clause only applies to technology designed to limit access to a copyrighted work. The DMCA is for protecting digital content. AIM has nothing to do with that.
It's a bad law, for sure, but making false claims about what it covers does NOT help our cause.
Yes, you are right. There are a couple of reasonable criticisms that one can make of the GPL, depending on one's selfishness and other factors, but this definitely isn't one of them. Someone needs to straighten this feller out!
;)
Anyways, emacs rulz.
Yes, and don't forget the playing field is many times larger than the surface of the earth. It would make a good spy story or action movie, but I don't think it's very reasonable in practice. (Also, remember how much trouble it was to bring down mir in the right area? It would also be non-trivial to bring one of these down in a city...)
And why was saving the monolithic design so worthwhile? I think we'd have a more secure, stable, extensible, and maintainable OS if we were using the modern microkernel approach. That's why academia and industry were (and are...) abandoning it, remember?
I think linux is pretty good, but I don't see why it's necessarily good to save an obsolescent idea.
There seems to be an impression around slashdot that linux is somehow the most brilliantly advanced operating system around.
Linus and friends have created a great (the best) hobbyist operating system, so good that it stands up well even against "real" commercial operating systems. But the design of the operating system is nothing revolutionary; it is based on 30+ year-old ideas.
Anyway, I am glad to have the pressure on Microsoft (and others) and to see Open Source and Free Software benefit as well. Thanks linus!
> Friendless, relativeless, sober, miserable...
One of these things can be fixed with just a little bit of money! Which one is it??
- every card knows every other card's public key, so the storage requirement grows polynomially with the size of the network (not good).
- key exchange is a non-trivial step; in order to have adequate security you need to protect against man-in-the-middle attacks.
- using fixed keys is probably not so smart, since recovering the device would mean that you could decode all messages previously sent to that device, and a device with a compromised key could never be used securely again.
Yes, there are a lot of other issues, it's true.
> 3) There is no chroot command. If you have to
> have a server running with special privilege, at
> least the chroot limits the target area for
> damage available to exploits
Yes, though Windows does have much more sophisticated access control policies. I agree that they are more complex than unix, but it is possible to give a user even more fine grained access than unix gives. (Also, I believe it is relatively easy to break chroot as a super-user.)
Linux/BSD's security track record is no better than Microsoft's. The things we have going for us:
- source code, so we can spot and fix bugs faster
- non-homogeneity (I didn't worry much about the overflows in PINE, since with all the jillions of architectures and versions it was extremely unlikely that someone would create an exploit or worm specifically for my version and machine.)
But we all have the same factors working against us:
- Writing software in inappropriately low-level languages (C/C++), where security holes are possible because the language makes it easy for programmers to make mistakes which can lead to exploits
- Writing software in or supporting scripting languages (perl, VBS) which make it easy to write broken CGI/etc. scripts on unix or easy to write worms on Windows. (Actually, now that perl is standard-issue on unix systems, it would seem that a cross-platform scripted worm would be relatively simple to pull off.)
- Ad-hoc (if even) code-review procedures. My favorite example is the MD5 Crypt code in PAM (a very important module for security!!) -- it's clear to me that nobody ever read this code before making it standard. Take a look.
Jeez. The screen is fine, folks. You need to learn how to turn on the lights!
In fact, the screen is better than GBC's, and *loads* better than the original Game Boy's. (Dig yours out and see if you like the pale green and shadowing better..) Yet, these systems are very popular and successful. (Did you know that Nintendo had the #1 revenue in video games last year, despite the PS2 and Dreamcast release? Nearly twice Sony's earnings, and it was mostly the GBC.)
It would be nice if there were a back-lit version (I wouldn't buy it unless it had a long battery life, though), or if developers didn't make games with such dark graphics (castlevania...), but seriously, there are much worse things to complain about. How about a highly portable laptop that lasts more than 3 hours on battery? An input device that doesn't give you RSI? A car that doesn't pollute?