Slashdot Mirror


User: ninewands

ninewands's activity in the archive.

Stories: 0
Comments: 650

Comments · 650

  1. Re:If I were to pass on Crack a Password, Save Norwegian History · · Score: 2

    At $29.95 a year I'd rather just print out all this information, put it in a safety deposit box, and give a key to someone I could trust.

    Only problem with your plan is that, in MOST states, safe deposit boxes owned by a deceased person are SEALED at death and cannot be opened until their estate is probated. Because of this, you should NEVER put your original will into your OWN safety deposit box.

    A better plan, if you trust this individual that much, is put your printed list (suitably privacy-sealed, of course) into his or her safe-deposit box.

    Likewise, leave the original of your will on file in the office of the lawyer who drew it up for you.

  2. Re:Challenge accepted on ADTI Whitepaper Released · · Score: 2

    I don't usually reply to my own posts, but this quote from the paper in the Register's article REQUIRES a riposte ...

    "Open source products are often distributed without manuals, instructions or technical information. While a commercial developer is obligated to produce manuals, diagrams and information detailing the functionality of their products, open source programmers are not. In addition, open source developers cannot be expected to create software manuals with the vigor of private firms that are obligated to produce them."

    Mr. Brown, the one time I have purchased a "boxed set" of GPL software, it came with quite nicely printed manuals, installation guides, and 90 days of paid-up installation and configuration support (it was RedHat 5.2 back in 1999). Since then, I have used GPL-distributed copies and non-commercial distributions of the software with quite satisfactory results.

    I have not received any printed documentation with a Microsoft product since the days of Windows 3.1, and the manuals I was provided back then were in no way comparable with the documentation produced by Red Hat.

    I have NEVER had to call a GPL software vendor for technical support because of the depth and breadth of documentation available on the internet. If a problem arose that I could not figure out from the documentation that was available online, I could turn to usenet, IRC and the O'Reilly press.

    The few times I have needed technical support on Microsoft products, I have gotten highly variable results. One time, a non-Microsoft program had overwritten the Microsoft C Runtime Library DLL, which promptly cratered my Microsoft Access RDBMS. That time, I managed to penetrate to a roughly level three technician who walked me right through the process of restoring the proper dll from the cab files on my Office 95 CD without trashing my system.

    My next experience with Microsoft tech support was after they had outsourced user support to another company and the only response I got was "Windows 95 doesn't support dual video adapters" (I was having trouble using a Diamond Monster 3d card with a Creative Graphixx Blaster Exxtreme). A quick call to Diamond Multimedia and Creative Labs got the problem solved because THEY still had service techs who KNEW their products and cared about creating repeat customers.

    So, Mr. Brown, I would submit that my real-world experiences with both GPL Open Source Software (Red Hat Linux) and closed-source proprietary software (Microsoft Windows 3.1, 95 and 2000 and Microsoft Office) are diametrically opposed to those speculations you make in your white paper.

    You have been asked about the source of funding for your study, but have declined to disclose that information.

    I have accepted the challenge inherent in the title of your white paper. I have offered to debate the subject matter of your paper in your choice of forum.

    I now challenge YOU ... PROVE that the study leading up to your white paper was performed in an OBJECTIVE manner. Disclose who paid for your opinions.

    I will assure you that MY experiences are based upon my own experiences and were funded entirely out of my OWN pocket.

  3. Elegant solution on Let Nature Solves NP-Complete Problem · · Score: 2

    This just goes to show you that not ALL high-tech elegant solutions require digital circuitry.

  4. Need more input (with apologies to Johnny 5) on Pen-Based Linux Computing? · · Score: 3, Informative

    If you mean something on the lines of the IBM 730T I found when I searched ebay I don't see any reason why not. It appears to run Win95 which indicates that it's at least a 386 processor. It uses a Cirrus graphics chip, so getting X to work on the thing might be dicey. My advice would be to do your own research before spending any money unless you make writing device drivers your hobby.

    As for anything older than the 730T, I think you're probably going to run into problems like sub-32 bit processors that will stop you.

  5. Re:Easy linux virus transport format: on Unix Shell-Scripting Malware · · Score: 2

    Like everything else about n*x, the Perl motto holds true. TMTOWTDI (There's More Than One Way To Do It).

    Simplest and most traditional way to set this up would be to create a group (named, say "installers") and add yourself to it, then change the group ownership of /usr/local to this group. Change the permissions on /usr/local to 775 and you are done. If you are wanting to install stuff in /usr instead of /usr/local, I really recommend you not do this. The basic system binaries should remain the property of root.

    A more secure way to do it would be the way the previous poster said. Install the LSM patch and the LSM implementation of the NSA's SELinux kernel mods. I've not used it, but my understanding is that its role-based permissions allow you to do away with uid 0 in toto.
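The group-owned /usr/local setup from the comment above, as an added example that is not part of the original post. It assumes the group (the comment's "installers") already exists and that the caller is root when the target is the real /usr/local; the function names and the scratch-directory demonstration are mine. It goes slightly beyond the comment in two ways, both labelled in the code: it uses mode 2775 (setgid) so files created by one installer stay group-writable for the others, and it refuses to loosen the base-system directories the comment says should stay root's.

```shell
#!/bin/sh
# Added example, not from the original comment: set up a prefix such as
# /usr/local so members of one group (the comment's "installers") can
# install into it without root. Assumes the group already exists and
# that the caller is root when the target is the real /usr/local.

# refuse_system_dir DIR: never loosen the base system's own directories
# (the comment's advice: /usr and friends stay root-owned).
refuse_system_dir() {
    case "$1" in
        /|/usr|/bin|/sbin|/lib|/lib64|/etc|/var) return 1 ;;
    esac
    return 0
}

# make_shared_prefix DIR GROUP: give DIR to GROUP with mode 2775.
# 2775 rather than the comment's 775 (my addition): the setgid bit makes
# files and subdirectories created inside inherit GROUP, so one
# installer's output stays writable by the others. World gets r-x only.
make_shared_prefix() {
    dir=$1
    grp=$2
    refuse_system_dir "$dir" || { echo "refusing to loosen $dir" >&2; return 1; }
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    chmod 2775 "$dir" || return 1
}

# prefix_mode DIR: ls-style mode string, e.g. drwxrwsr-x
prefix_mode() {
    ls -ld "$1" | cut -c1-10
}

# prefix_group DIR: group owner as shown by ls -ld (field 4)
prefix_group() {
    ls -ld "$1" | awk '{print $4}'
}

# check_shared_prefix DIR GROUP: 0 only if DIR is exactly as
# make_shared_prefix left it (mode 2775, group GROUP)
check_shared_prefix() {
    [ "$(prefix_mode "$1")" = "drwxrwsr-x" ] || return 1
    [ "$(prefix_group "$1")" = "$2" ] || return 1
}

# Demonstration on a scratch directory with the caller's primary group,
# so it runs unprivileged. For the real thing, as root:
#   make_shared_prefix /usr/local installers
demo_shared_prefix() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)
    make_shared_prefix "$tmp/local" "$grp" || return 1
    check_shared_prefix "$tmp/local" "$grp" || return 1
    echo "$tmp/local is $(prefix_mode "$tmp/local") group $grp"
    rm -rf "$tmp"
}
```

After running it for real, re-run check_shared_prefix from time to time: a package install script that does chmod -R or chown -R on the prefix will silently undo the group ownership, and the first sign is usually a colleague's failed install.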

  6. Challenge accepted on ADTI Whitepaper Released · · Score: 5, Interesting

    "Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."

    And your point, Mr. Brown, is exactly what?

    First point: Today I mistakenly started up IE's infamous "Windows Update" feature for the Win2K installation on the SunPCI card in my Ultra 10. The first "update" it wanted to install was the MS "Automatic Updater" so that Microsoft could cram changes to my system software down my throat whenever they chose to. Mr. Gates does not own my hardware, the State of Texas does. Given Microsoft's track record in the security area, please explain to me the exact difference between this "feature" and a "back door or worse, a dangerous virus"?

    Second point: Microsoft's "Windows update" service is ONLY available over the internet and is usually the ONLY source for critical security fixes and other patches for Microsoft products. Please tell me exactly how that differs from the normal distribution channel for GPL software.

    Reverse engineering "harbors very close to IP infringement because and has staggering economic implications."

    Please show me your bar number before you start rendering legal opinions, Mr. Brown. The only class of Intellectual Property that is infringed by reverse engineering is patents. Specifically, so-called "clean room" reverse engineering of copyrighted works has been repeatedly blessed by the courts as an exercise of the fair-use doctrine.

    "On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."

    Mr. Brown, this "lighter note" comment of yours is little more than a cheap shot that openly displays your lack of understanding of the subject matter on which you write.

    "Open source enthusiasts" not only avail themselves of trademark protection, they also assert and defend their rights as copyright holders. This in no way conflicts with their advocacy of the principle of copyleft. What it DOES do is give them the power to enforce the particular license (GPL, LGPL, BSD, or other) under which they choose to release their software.

    "If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."

    Answering your questions in order:

    Yes, if it's my GPL code, it most certainly IS fair. If Microsoft, Adobe, Symantec or whoever, wants to license my code for use in their proprietary product, I will be HAPPY to negotiate a special *non-exclusive* license with them for a SUBSTANTIAL fee. HOWEVER, if their objective is to take my code without payment and claim it as their own they had better be ready for MAJOR litigation.

    "The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as:

    Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical?

    They already do. The FAA's Air Traffic Control Database uses Oracle 9i Real Application Clusters running on Dell PowerEdge servers and (surprise!) Red Hat Linux.

    Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties?

    Apparently the FAA thinks it's a better gamble than hoping that no one with an old copy of debug.exe will find a buffer overflow in Windows 2000 Advanced Server.

    Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"

    Again, you clearly demonstrate your lack of knowledge in this field, Mr. Brown. GPL software is NOT public domain. It is private property released for public use under license. It is no more public domain software than Windows XP. And ... in a more direct answer to your question ... Probably ... most of the 'script kiddies' I've encountered on the 'net have a burning desire to crack a Linux box and 0wn it. Do they manage to accomplish this desire? Not many of them.

    However, a more cogent inquiry would be "If the FAA's Air Traffic Control System is exposed to access from the public internet, shouldn't we fire all the boneheaded bureaucrats that decided it SHOULD be?"

    Most of the .mil TLD is not accessible from the public 'net, including ALL the most security-sensitive systems. These systems are isolated on a non-public backbone that you might be able to get to from the public internet if you were an EXTREMELY talented cracker, however, I'd be willing to bet that the FBI would be knocking on your door before you got through the third layer of firewalls and IDS's. Shouldn't something like the FAA's Air Traffic Control system be accorded the same level of security?

    Mr. Brown, your white paper exhibits a failure of understanding of your subject that I find very disappointing in one who would call his operation a "think-tank". You entitle your publication "Opening the Open-Source Debate," ... I will interpret that title as a challenge, and I accept. Debate me ... in the forum of your choice ...

  7. Re:Contract? on ReplayTV Users Sue Hollywood · · Score: 2

    I agree there is an implied contract.

    *BZZZT!* WRONG in one ...

    There is no such thing as an "implied contract" under any branch of the English common law or any American statute that I was able to find in law school.

    I don't think it is enforceable under the law, however.

    Got that much right ...

    What is enforceable is the law itself, in this case probably the Universal Commercial Code ...

    ermmmmm ... I don't THINK so ... just because the ads are called "commercials" doesn't make the UCC apply. It governs things like Sales of Goods (Article 2), Lease of Goods (Article 2A), Negotiable Instruments (Article 3), Bank Deposits and Collections (Article 4), Funds Transfers (Article 4A), Warehouse Receipts (Article 7) and Investment Securities (Article 8) to the extent state law governs such things, and Secured Transactions (Article 9).

    ... and the laws against counterfeiting.

    All I can say here is ... huh???

  8. Re:Quick clarification/recap on ReplayTV Users Sue Hollywood · · Score: 2

    It's essentially commercial removal rather than commercial skipping.

    ... and your point is?

    The truth of the matter is that the audience is not the *caster's customer. The *caster's CUSTOMER is the advertiser. The customer buys the product from the *casters. The product is the opportunity to present his message to the audience (me). The fact that the product is *presented* carries no guarantee or warranty that it will actually be watched!

    A small portion of the revenue from that sale is used to develop content which is offered to the audience as bait to generate ratings which, in turn, determine the value of the product in the media marketplace.

    The content is a mere byproduct of the sale transaction between the *caster and their customer. The only reason it is sent into my home is to serve as bait to entice me to watch the id10t box. There is no privity of contract between me and the *caster, therefore, there is NOTHING in this transaction that obligates me to watch the advertising on TV.

    <sarcasm>
    An analogous transaction would be the act of me buying a box of worms from a bait shop. Do you think for one minute that the purchase obligates a fish to bite my hook???
    </sarcasm>

    <rant>
    Theft my ASS! The ONLY thing that Kellner's remarks have shown me is that I now have a VERY good reason to NEVER watch TNT again.
    </rant>

  9. Re:insecure? on 'Unbreakable Linux' · · Score: 2

    Solaris has a long, long patchlist, Trusted Solaris included.

    True ... but wouldn't you rather have a "long, long patchlist" issued as quarterly, predictable cluster releases (I DL'd the latest Solaris clusters the day after they were released, BEFORE I received the auto e-mail notification from Sun) instead of (roughly) annual Service Packs (NT got to what ... SP6? ... in what ... 6 years?). Solaris 8 was released 2 years ago? It's had 7 patch clusters released since then ... and I have YET to see a patch cluster that had to be "recalled" (oops ... superseded) like SP5 was.

    The impression I've gotten of the Unix world is that the universal reaction to a SERIOUS security hole is "Oh sh!t, we've got to FIX this, NOW!" This attitude tends to lead to "long, long patchlist"s.

  10. Re:This is a Good Thing(tm)... on 'Unbreakable Linux' · · Score: 2

    I don't usually reply to myself, but I HAVE to clarify ...

    *cough*part-time effort*cough* by *cough*amateur*cough* developers

    includes:

    Linus Torvalds, Alan Cox, Bruce Perens, Miguel de Icaza, Tridge, Rasterman, TigerT, ESR, RMS (I LIKE Emacs ... sort of) and more luminaries (none of whom are AMATEUR developers and MOST of whom make their living from Free/Open Source Software) than I can think of at this time ...

  11. Re:This is a Good Thing(tm)... on 'Unbreakable Linux' · · Score: 2

    The lack of availability of a commercially backed clustering package for Linux was one of Microsoft's key objections to Linux in their "Linux Myths" whitepaper. It appears as if all of the criticisms Microsoft has had of Linux are now becoming irrelevant - Linux has adapted to the times ...

    Gee ... could it be that ESR was RIGHT about something? I seem to recall, from MindCraft II, there really WERE performance bottlenecks in the Linux Kernel (2.0.x generation) and Apache ... now, we're at 2.4.x with khttpd in the kernel for static content and Apache 2.x (re-architected) for the dynamic content (AND ... if you just HAVE to tread the hairy edge in search of performance, there's always the SGI patches for Apache ... ), and Linux kicks some SERIOUS ass as a server (not just NT, but also FreeBSD, Solaris, AND Win2K) ...

    ... and all this change in the space of 2 ... yes 2 years time of *cough*part-time effort*cough* by *cough*amateur*cough* developers ...

    'Nuff said for me ...

  12. Re:Enough of this crap.. on 'Unbreakable Linux' · · Score: 2

    Trust me ... done right, it works ... we have approximately 100 Solaris, Tru64, Irix and Linux boxen in our NIS domain. In the 14 months I have worked at the U we've had ONE box WE admin (as opposed to the profs who think they can admin their OWN boxen) cracked ...

  13. Re:Unbreakable apps on 'Unbreakable Linux' · · Score: 2

    God ... am I glad I read farther down than the parent ... I avoided the dreaded "Redundant" mod ...

    The Unix philosophy is that you write small programs that do ONE thing VERY well, then string them together with pipes, tees and scripts ...

    Good plan, EXCEPT when someone decides to trust the program they are piping into NOT to return a buffer overflowing string ...

    The GID vulnerability in man is a WONDERFUL example of "trust NOTHING" ... not even [g-n-t]roff.

  14. Re:Wow these guys are serious on 'Unbreakable Linux' · · Score: 2

    If it includes a power cord and an ethernet cable it's crackable ...

  15. Re:Administration on 'Unbreakable Linux' · · Score: 2

    No system is secure in the face of inept admins.

    Agreed ... but this isn't about security. It's about availability. Corps do NOT understand InfoSec and will ACCEPT an insecure solution if it is ALWAYS available ... after all, they just need a tighter firewall ...

    However, when the e-commerce site goes down because of a broken database server and they are losing $100K/MINUTE of REAL money ... THAT they understand ...

    Wanna know why admins have greying hair in their 20s???

  16. Re:Wow, taking on IBM mainframes... on 'Unbreakable Linux' · · Score: 4, Interesting

    Moderator ...

    N.B.: this is NOT flamebait ... it's only sarcasm

    I think it means that IBM is going to have to wake up and smite someone.

    With what? A bargain-basement priced cluster of AS/400s? zServers are DAMNED reliable, but they are *single* systems in a *single* location. A high-availability cluster doesn't HAVE to be located in a *single* server room, or even a *single* geographic location ... if you don't believe me, ask Akamai ...

    Give me 16 "Unbreakable Linux" PowerEdges and some damned fat pipes and I can design you a cluster that a nuclear attack probably couldn't take out. Edge-of-the-network clusters give good performance and DAMNED good availability.

  17. Re:How about reading the announcement first? on 'Unbreakable Linux' · · Score: 2

    They probably imagine a Beowulf cluster of these.

    Not really ... more like a Google(TM) server farm of these ... although the "divide and conquer" method does yield SOME performance increase, RAC won't yield NEARLY the speed of a Beowulf. RAC is optimized for reliability (read 8-10 9s availability), NOT performance.

  18. Re:Enough of this crap.. on 'Unbreakable Linux' · · Score: 2

    Programmers don't make systems secure. Admins do.

    Thank you, as an admin, all props are appreciated. 99.999% (5 9's ... it's an admin joke, son) of what we receive is user gripes.

    99.99% of hacks occur because either:

    a) User Error (@see shitty passwords)


    which is why my NIS master server refuses to accept passwords that are less than 8 characters long and that have less than 2 non-alpha characters in them. Okay, I COULD require tougher passwords, but there is a limit to what faculty will accept at an .edu ...

    or

    b) The system was not kept up to date.


    You'll RARELY find one of my UNIX servers with an uptime of more than 90 days. Reason why? My team applies the quarterly (maintenance stream) overlays from SGI and the [7-8]_Recommended patch clusters from Sun religiously. They usually, generally, almost ALWAYS require a reboot because of kernel patches. We also troll (not THAT kind of trolling) CERT, bugtraq and CVE for vulnerabilities so we will know what "interim" bugfix patches really NEED to be applied.

    For an admin, ANY admin, but ESPECIALLY a Unix admin [1], a healthy dose of paranoia is a professional requirement.

    [1] 5kr1p7 k1dd13z would rather 0wN a RISC-based Unix box than anything else on the planet ... except, maybe, for the Beowulf I admin ... I guess they think they're REALLY 133t if they can r00t an Indigo(IP20) or an Indy running a default install of Irix 5.2 ... go figger. One of my funniest admin stories is about a SPARCstation5 that one of our "semi-supported" profs owned. At one point we had 3 separate groups of crackers fighting over who 0wNed it. By the time he got tired enough of receiving complaints about port-scans and cracking attempts from his lab workstation that he allowed us to lock it down, it was one of the most secure systems we had. All we had to do was install the latest patch cluster and TCP Wrappers to make it the most secure Unix (Solaris 7) box on campus.
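The password rule the comment above describes for its NIS master (at least 8 characters, at least 2 non-alphabetic characters), as an added example that is not part of the original post and not the NIS code the poster used. Assumptions of mine: the two rules apply independently, so a password fails on either one; characters are ASCII, since the count is done in bytes; and the candidate is read from stdin rather than passed as an argument, so it never appears in another user's ps listing.

```shell
#!/bin/sh
# Added example, not from the original comment: the comment's NIS-master
# password rule as a standalone check. Assumption (mine): the two rules
# apply independently, so a password is rejected if it is shorter than
# 8 characters OR has fewer than 2 non-alphabetic characters. The
# password is read from stdin, never taken as an argument, so it does
# not show up in ps output.

MIN_LEN=8
MIN_NONALPHA=2

# count_nonalpha: prints how many bytes of stdin are not letters
# (ASCII assumption: one byte per character).
count_nonalpha() {
    n=$(tr -d '[:alpha:]' | wc -c)
    echo $((n + 0))
}

# check_password: reads one line from stdin. Prints the reason and
# returns 1 on rejection; prints "ok" and returns 0 otherwise.
check_password() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters"
        return 1
    fi
    nonalpha=$(printf '%s' "$pw" | count_nonalpha)
    if [ "$nonalpha" -lt "$MIN_NONALPHA" ]; then
        echo "rejected: only $nonalpha non-alphabetic character(s), need $MIN_NONALPHA"
        return 1
    fi
    echo ok
}

# Usage: the caller pipes the candidate in, e.g. from a passwd wrapper:
#   printf '%s\n' "$candidate" | check_password
```

Note what this rule does not do: it says nothing about dictionary words or reuse, which is exactly the trade-off the comment describes ("I COULD require tougher passwords, but there is a limit to what faculty will accept"). A length-and-class rule is the floor, not the policy.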

  19. I wonder if things like this would exist ... on Latest IE Hole Lets Gopher Root You · · Score: 2

    if Microsoft's programmers spent more of their time on writing clean code and less time on coding Easter Eggs in Office Applications, Internet Explorer and Windows.

  20. Re:With open source, there is no one to bribe.. on 'Think Tank' Issues Microsoft-Funded Troll · · Score: 2

    Professionalism is an appearance ...

    I must respectfully disagree. Professionalism is an ATTITUDE, not an appearance.

    I would liken professionalism with obscurity, because you can hide something better from people.

    I consider myself a professional, but I NEVER wear a tie (jacket, maybe), and I go to work 2-3 days (sometimes 4) without shaving. My boss is cool with it so ... no problems. I have little to hide because I spend the time to research a problem and fix the CAUSE, not the symptoms, of the problem.

    You want a definition for "professional"? A professional does what he/she does FOR MONEY, and treats their job responsibilities accordingly. I do NOT do what I do because I enjoy it (although I REALLY do enjoy my work) ... I do it because I am good at it and because I get paid enough to live reasonably comfortably for doing it.

    Since the last sentence means I receive a fairly significant check on the first of each month, I protect my job by making sure my employer receives their money's worth.

    THAT is professionalism.

  21. Re:Security through Obscurity isn't all bad... on 'Think Tank' Issues Microsoft-Funded Troll · · Score: 2

    But they still keep them secret because it is one more obstacle for an intruder to have to overcome to compromise a system.

    Actually, the most advanced crypto algorithms the NSA has are kept secret because the NSA, itself, can't break them in any feasible timeframe, so they don't want the "bad guys" using them.

  22. Re:Now, from the people who brought you Sendmail on 'Think Tank' Issues Microsoft-Funded Troll · · Score: 3, Informative

    Actually, sendmail is used to ... errrr ... SEND mail. My ISP does not relay, so I HAVE to run my own MTA because I don't connect to one of their IP blocks. I use exim at home rather than sendmail, but I administer about 100 Unix boxen at work that use sendmail for, among other things, remote security logging, availability monitoring (the hostwatcher e-mails my pager when a monitored host goes down), and just GOBS of other admin tasks. E-mail really IS the killer app of the internet.

    All that being said, if all you need is a client sendmail mailserver, DO NOT generate your sendmail.cf from the nullclient.mc file distributed with sendmail. It WILL create an open relay. I can't get to the m4 file I created to do the trick right now, but I will be happy to provide it to any sendmail admin who wants it if they e-mail me at cwilkin3-AT-egr-DOT-uh-DOT-edu. The file generates a sendmail.cf equivalent to what nullclient.mc creates, but without the relay enabled.

  23. Re:Loudest on 'Think Tank' Issues Microsoft-Funded Troll · · Score: 4, Informative

    What I do not understand is why there aren't any similar groups for the OpenSource / non-Darkside avocations.

    You mean like This Article??

    Just in case CRN gets slashdotted, an excerpt speaking on the subject of Linux in the federal government:

    The software appears to be winning friends among military and intelligence agencies.

    A study completed for the Pentagon by the Mitre last week identified 249 U.S. government uses of open-source computer systems and tools, with Linux running on several Air Force computers, along with systems run by the Marine Corps, the Naval Research Laboratory and others.

    The report recommended further use of open-source computing systems, on the grounds that they were less vulnerable to cyberattacks and far cheaper.


    'Nuff said. I think I would believe a federally-funded study by Mitre Corp. (a scientific research organization that, among other things, hosts the CVE database) before I would buy into a study by a think tank 1) that lacks Mitre's technical muscle and, 2) has a history of whoring for inter alia Microsoft, the tobacco industry, and various egregious polluters. Remember Mindcraft?

  24. Re:vi for emacs on Apple Offers eMacs To All · · Score: 2

    We all vie for eMacs, with vigor, no less, but rather more.

    I can't HELP myself ... I GOTTA do it ...

    If you're going to plug this, you should link to this.

  25. What's in a Name? on Apple Offers eMacs To All · · Score: 2

    Hmmmmm ... wonder how long it'll be before THIS lawsuit happens??