1 and 6 maybe mulligans, but I'd call 8 more of a "gimme"...
I've seen screenshots of an official (and not even alpha quality) official AOL client for Linux.
Given AOHell's recent decision to join the Liberty Alliance, could it be that AOL's partnership with Sun (as in Sun is the center of the Netscape iPlanet world now) has addicted AOL-TW to the need for open standards???
Most freshwater aquaria actually require water coolers to keep the temperature down to what the fish can stand. IIRC, the correct temperature for a freshwater tank is approximately 68F. Marine (saltwater) aquaria are somewhat more temperature tolerant, having a recommended temperature of 78F. However, the water movement requirement of a marine aquarium demands so much pump capacity (again, IIRC, I had something like 1350 liters/minute of total pump capacity in my 55 gallon marine tank) that the 10 degree "flex" in temperature ranges was insignificant.
If you allow for the heat generated by the 80+ watts of recommended fluorescent lighting needed for a moderate-sized tank (say 50-75 gallons), the problem that arises is one of keeping the temperature DOWN to the recommended range. Last time I looked at the price for water coolers for a decent-sized aquarium, it exceeded the cost of a mid-range PC (D00d, you're getting a Dell!).
Not wanting to throw (figuratively speaking) cold water on a promising research project, I SERIOUSLY think you are going in the wrong direction by planning to hook up another heat source to your tank.
would prevent a LOT of buffer overflows. Despite the following:
Never use gets(). Because it is impossible to tell with out knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security.
Use fgets() instead.
-- man -S3 gets()
This nugget of easy-way-to-enhanced-security knowledge has been known for YEARS, yet C programmers blithely ignore it. I'm sure there's something equivalent in C++ too.
Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?
A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?...
Okay, but what if the manufacturer ships the car with the keys attached to the steering column with a chain,because THAT way I don't have to worry about losing the keys? Now I have to find out (from someone other than the manufacturer, since the manufacturer's customer support staff is clueless) how to detach them. NOW is the manufacturer responsible, in any way, when my car is stolen?
Hows this Win machine supposed to route packets? Win 9.x doesnt do that, I dont know about ME or XP.
Beginning with Win98SE, there is an "Internet connection sharing" component available in Windows that is a crude version of a routed/NAT protocol.
Assumming he has a NT Workstation: how to find a subnet range that wouldnt conflict with the rest of the campus? Assuming this network is a typical university network, all the machines probably use public IP addresses. Pick a subnet from those allocated for private networks (e.g. 192.168.*.*) and use NAT on the gateway.
How to tell other routers about the new subnet without the netadmins consent?
With NAT, all your admin will see is a single IP address... that of the gateway box. The address translation will be done in that one machine.
...I was told by the network administrator that the linux machines were not to be connected to the network for fear of viri, DoS attacks, and so on.
There are over 15,000 viruses documented that are active in the Windows environment. I am only aware of two that can infect a Linux box, and the damage they can do is minimal if users aren't permitted to install executables in their $HOME directories. Linux boxen ARE popular targets for crackers because they have a fully implemented IP stack that allows forging packet headers for DoS attacks against other computers, but a little thought given to the job of locking the box down can prevent that. Of course, this particular "advantage" to cracking Linux boxes is going to disappear as the home version of Windows XP becomes more common, since Windows boxen are MUCH easier targets than ANY flavor of n*x is. As for the "and so one," all I can say is "etc."
Why do people fear Linux?
Because it's easier to say "No" than it is to learn something new.
It seems to me that people are misinformed that Linux is only a 'hackers' OS.
But, but, but... this is true. Linux users eventually become hackers... however, they almost always become white-hat hackers.
How can we change this?
Hit 'em with a clue-by-four? I don't know the answer to this...
This is only one of the common Linux "myths", and there are several more where these came from. Is there a central clearing house of such myths and intelligent efforts at debunking them somewhere online? Although the comments are really aimed at the embedded OS space, a lot of what was said in the responses by Lineo and LynuxWorks to Microsoft's white paper on the subject of Windows XP Embedded also applies to the desktop.
Here's a bright, although somewhat backwards way to subvert your admin's thinking process. Get a handful of PCs and install Linux on them, then connect them to the network through a Win2K box configured as a gateway. That way you can point out how the Win2K box is "protecting" (teeheeheehee) his network from those "renegade Linux boxen. I would submit to you that after about six months go by without ONE of the Linux boxes being cracked, he/she might have to develop a sudden appetite for crow.
I also know three ways to avoid buffer overflow, and they don't require any of the techniques you mention. Two are easy, one is tedious, but not difficult:
1) NEVER use
char *gets(char *s);
in a program. Use
char *fgets(char *s, int n, FILE *stream);
2) Use one of the kernel patches that renders the
stack non-executable. Then, even if the bad
guys manage to overflow a buffer, they can't
do anything with it.
3) Write your own low-level character-by-character
i/o handlers that stop accepting input before
the buffer overflows (that's the easy way), or
reallocates the buffer to be larger (that's the
more user-friendly way.
Numbers 1 and 2 aren't difficult at all, number 3 can be VERY tedious, but it isn't difficult.
An argument that proceeds from false premises is flawed no matter how logical its conclusions may seem.The specific flaws in these premises are:
2) Rail about security through obscurity. Ignore similar [slashdot.org] linux issues [slashdot.org].
The first link is to a story that questions Alan Cox's decision not to expose himself to a Sklyarov-type persecution under the DMCA by revealing the reasons for certain security bugfixes in a kernel patch-level release.Despite the fact that Alan didn't reveal the specific nature of the bug that was fixed, the bug was, in fact, fixed.
The second link refers to a remotely root-exploitable hole in wu-ftpd.Although almost every Linux distribution includes wu-ftpd, it is well-known as a source of security problems, and in those distros where it is installed and enabled by default the distributor usually takes fair pains to make sure that it is installed as securely as the state of reasonable knowledge of its problems allows.Also, IIRC, wu-ftpd also runs under Windows, where it serves the function of being an alternative to IIS's ftp server functionality.At this moment, I don't have the time to research the irrefutable facts, but my anecdotal impression, which comes from my experience as both a Windows and Unix admin indicates that the score in the IIS vs. Apache + wu-ftpd exploit game is more than a little lopsided in favor of IIS being the cracker's friend.
3) Rail about how long a bug has been open. Ignore similar linux issues [slashdot.org].
Ah yes... the "ptrace() 'bug'"... how the Microsoft apologists LOVE that one.A design flaw, rather than a true "bug". There is absolutely NO evidence that this vulnerability has ever been exploited, yet, please allow me to ask you one question... the ptrace() system call worked exactly as designed... that the design was flawed... well, no one's perfect....believe it or not, I even cut Microsoft some slack on design flaws unless the flawed design is so totally bone-headed that a freshman Comp Sci student wouldn't have done it that way.
Now for the question... HOW LONG was it, after the design flaw became known, that the flaw was fixed and new releases made to fix it.A day or two?
Every e-mail client I've ever seen (with the possible exception of some early versions of Eudora) allows you the option of adjusting the layout so that there is no "preview pane"... NOW you can delete the e-mail without opening it by right-clicking on the subject line in the header list and selecting delete from the context menu...
Or, you can use Linux and pine, elm, mutt, or one of the other console-type mail clients that have NEVER had a "preview pane" and be shed of the problem.
The problem here arises from the fact that Windows allows more than one '.' in a filename, but will only display one. Therefore, a malicious webmaster can name a file "foo.pdf.exe" and Windows Open/Save dialog will only display foo.pdf.
As for the fix, it's a 2-step process... 1) set IE to treat the entire "Internet Zone" with its "Restricted sites" security setting, and 2) do NOT open any files online unless you completely trust the website you are browsing... and how many of those are there?
As for potential Microsoft liability, one might be able to make a case that Microsoft was grossly negligent by trying to cover up this hole... in which case, the case becomes quasi-criminal and disclaimers in the EULA go out the window... but gross negligence is tough to prove. It requires a showing of wanton, willful neglect and a complete disregard for the rights of the victim... errrrmmmm.... sorta like the actions of... errrrmmmm... an abusive monopoly... oops, might not be so hard after all...
My personal fix for problems with IE is a 5 CD set of Debian woody and Mozilla...
English, is by its nature, extremely poorly suited for an exercise such as this. A large portion of the meaning of an English statement is derived from context and the order of words in a statement, while the meaning of a C, Pascal or Fortran expression is almost purely a matter of syntax. I believe that it would be extremely difficult to write a compiler or interpreter that could process nature-looking English into computer code.
OTOH, there is already a "natural-language" programming language available for a project such as this... Perl! Don't laugh yet.
Damian Conway's paper, Lingua::Romana::Perligata -- Perl for the XXI-imum Century demonstrates that "natural language" programming IS possible in a quasi-grammatical way, while also pointing out WHY English really just doesn't fit the needs of a programming language. The "Latin" code that results from using Lingua::Romana::Perligata is "sort of" grammatically correct, quite readable, although somewhat "forced", to those with a grounding in the Classics (which many judges have), and lacking a LOT of the special characters that make most programming languages look mysterious to non-techies.
You'll have to read the paper to see the effect of using the module... the lameness filter stopped me from including any of Conway's examples.
I don't claim to be enough of a Perl hacker to even begin trying to convert one of the perl versions of DeCSS to a Perligata script, but I feel I know enough linguistics to consider an attempt to create an English-based "natural language programming language" that would come CLOSE to being grammatically correct and comprehensible to non-programmers to be quixotic.
My complaint on this subject is about coders who play the "If it runs on my box, it's good enough to release" game.
As a case in point, consider GnomeMeeting. I have an INTENSE professional interest in videoconferencing under Linux. GnomeMeeting shows considerable promise for fulfilling this need, but I can't get it to build under Debian woody. Despite the fact that I run apt-get upgrade at least once a week, the developer is apparently using some library more advanced than I have on my system... I suspect he probably developed GnomeMeeting under the as-yet-unreleased GNOME 2.0 rather than the current stable GNOME 1.4.
What's the point of all this? Developers... if you are going to push your stuff out as the greatest thing since sliced bread, make sure it will build and run under a fully-'stable' version of kernel/libs/sysutils... anything less marks you as an update snob and your project as less than useless...
This would be the worst of all possible worlds. Just ask on comp.os.minix... since the underlying system isn't free, it has become fragmented and forked all to hell with the various free patches that often conflict with one another.
Don't blame hardware dependencies on the package tool, cups doesn't depend on ghostscript, so your ability to break your printing capability without upsetting apt is irrelevant.
On SuSE, I often used --nodeps for rpm, cos I *knew* that mutt doesn't *require* a spell checker, even if the stupid.SPEC file said so.
I did this too, back when I was using Red Hat. Sometimes it was the only way. In the end, I said "to hell with the database" and started building everything from source tarballs.
Things went fine, and my what was originally RH 6.0 install soon became more advanced and up-to-date than RH 7.0... until I decided to go to a built-from-source 2.4.0 kernel back around the first of the year. In the process of updating my system utilities to the point that I could build 2.4.0, I broke something that destabilized the entire system... might have been glibc-2.2.1, since it seems that the ld version I had upgraded to didn't like 2.1...
Anyhow, to make a long story short, I decided to install Debian woody. I ordered the CD set from the computerhelperguy who, at that time, was the only source for woody. I EFT'd $20 bucks and, about a week later received the 5-CD set.
Switching from RH to Debian imposed a significant learning curve, but APT is schweeeeet, and I don't think I'll be going back anytime soon.
Now that the intro material is out of the way, anybody and everybody who uses an rpm-based distro, owes it to themselves to try out apt4rpm. The beauty of apt is that it automagically resolves all the dependencies, and in those cases where you get circular dependencies, it picks what appears to be the least damaging package to apply the --nodeps option to.
I'm not saying that Debian is the best distro. I am not distro-religious. I am not anti-rpm, although I would like them use.tar.bz2 for their internal compressed archive. All I am saying with this overly-long and rambling post is that apt is the finest package management tool I have ever encountered, whether you are talking about Linux, Solaris, or any other n*x I've encountered.
Try it... I suspect you'll fall in love with it, even though it only runs in text mode.
That kind of depends on the volume and depth of the magma chamber. If a super-volcano explodes, the overlying rock usually collapse into the suddenly depressurized magma chamber resulting in a huge (as in 10's of miles, and in a very few cases 100's of miles, across) crater-like structure called a caldera.
Actually, the oldest remains of a settlement that could be called "urban" at Jericho date from about 8000 BCE. There are other areas where extremely ancient evidence of the beginnings of urbanization exists, but I think they are all in the Middle East. I'm not aware of anything that old in the western hemisphere.
Coral doesn't grow under 2000 feet of water... it relies on photosyntehsis for a significant part of its energy needs and can't survive without a pretty good light level.
IIRC, the deepest known coral reefs are about 100 feet down in places like the Red Sea, Micronesia, Bali and other regions that are known for the clarity of the water.
Hormonally, humans (and other diurnal creatures (this excludes Solaris admins)) are stimulated into various modes by light levels.
Waittaminute... I'm a Solaris admin, and I work in a delightful machine room whose ENTIRE North wall is glass... of course I work at a university, which is a LOT more laid back than the profit mills are...
The two BIGgest factors I've noticed in work environment comfort are 1) lighting and 2) a feeling of privacy (while not being completely deprived of human contact. I like bright lighting and a subdued (but warm) screen color scheme... YMMV. The reverse is (for me) very tiring because dim lighting leads to dilated pupils that allow way too much UV from the screen to enter the ol' Mark One eyeball... the important thing is to find what YOU are comfortable with, then convince management that it is in their best interest to let you have it... at your own expense, if necessary, but optimally on their dime. After all, it's 1/3 of YOUR life... there's no rational reason you should be physically uncomfortable during it, unless you are such a hot coder that they are paying you an unreasonably high salary. And if you are such a superstar, management should fall all over themselves trying to accomodate your needs.
Require all U.S. ISPs (especially AOL) to use egress filtering on their border routers. This may not put a complete end to DDoS, but it will certainly ease the burden imposed on the 'net by script kiddies. This is especially necessary in light of the fact that a 'feature' of the home edition of Windows XP is that consumer Windows users now have the ability to forge IP headers;
Leave crypto alone. It is a necessary component of secure e-commerce as well as being a component of criminal communications. There are enough ways to snoop on the bad guys already without disabling an already-struggling sector of the economy. Besides, how are you going to keep the black hats from having crypto when all they need is a copy of gcc and a modestly talented programmer to write their own crypto software. It sounds over-simplified but it is true that "When crypto is outlawed, only outlaws will have crypto.";
Get competent, disinterested technical advice before legislating technical issues. Have your advisor give you both the pros and the cons of the issue, then vote in the best interest of the people who elected you, NOT the corporations that financed your campaign;
Give serious consideration to passing legislation banning some of the more abusive EULA provisions, especially disclaimers of ALL liability for consequential damages. American law has enough safeguards in place that holding software companies responsible for damages they cause by, for instance, gross negligence (like not releasing the patch to cure the Code Red vulnerability until the exploit was "in the wild") will NOT destroy the industry.
Repeal the DMCA and put the SSSCA on the rubbish heap. The RIAA, MPAA and the BSA are powerful enough that they don't NEED a class os special crimes just to protect them. Additionally, "standardization" and "certification" of "security measures" will make the digital world less, not more, secure
If you feel you really MUST pass some laws regarding 'net abuse, give us some anti-spam, anti-online-fraud and anti-identity-theft laws with REAL TEETH!
I think you have to include some provisions regarding negligence.
There doesn't have to be a negligence provision in the contract in order for a person damaged by breach of that contract to sue. Breach of contract and negligence are governed by entirely separate bodies of law and are separately actionable.
If windows crashes while you're playing Quake, and made you lose, that's not sufficient to sue.
Depends... if you were playing in the final round of a professional deathmatch tournament with a purse of, say $1 million AND you held an insurmountable lead at the time of the crash, AND the rules of the tournament disqualified you because of the crash, I'd say you would have lawyers lined up to take the case.
If you're Little Johnny l337 $uX47qu4k3 who was playing with his buddies online and lost "because windows crashed" it would be a different story. The question is not one of contract provisions, it's one of damages. However, in either case, you'd still face the problem of the disclaimers in the Windows license.
Alot of the/.ers claims I hear regarding Microsoft are speculation at best, and they aren't sufficient.
And almost ALL the legal "opinions" you hear on/. amount to nothing more than uninformed babble.
Or look at it another way, an vuln developer produces software that causes B in Software C, should he be held liable as well?
Here you go again... wrong body of law... this act is a crime, and yes, one of the punishments available under criminal law is an order of restitution. BTW, crimes can also be the subject matter of tort suits in the civil courts if the DA declines to prosecute.
In short, please don't try to give someone legal advice unless you know the law. A lawyer (actually Abraham Lincoln) once said, "It is better to keep silent and be thought a fool than to open your mouth and remove all doubt."
P.S.: The burden of proof in a civil case is "preponderance of the evidence" NOT "beyond a shadow of a doubt." In a criminal case under Anglo-American and MOST European law, the burden is "beyond a reasonable doubt." The only legal system of which I am aware that requires absolute proof of guilt is Islamic law, and it is only required there for the 7 crimes referred to as "Huddud".
There isn't a contract involved in using open source, so no-one can be held liable.
Not so. There IS a legally enforceable license (which is a contract) and it is legally enforceable. The "consideration" to support a contract's enforceability does not HAVE to be money.
Perhaps even moreso in the case of RedHat as they are just blindly redistributing stuff others wrote and have no input in the design
No, I don't. If Red Hat started to distribute GnomeOutlook some day, they deserved to be sued to Hell and back.
Red Hat's product is selling decisions. "This we take, that we don't". So maybe writing code isn't their business, but selecting code is. And therefore they should be held responsible, at least by their paying customers.
Actually, Red Hat is a MAJOR contributor to Open Source development, employing such luminaries as Alan Cox (kernel) and Rasterman (enlightenment). RedHat had the fix for the ptrace exploit out in THEIR release of 2.4.9, but the fix didn't make it into the general kernel tree until 2.4.10. Also Red Hat puts a LOT of development effort into the GNU tools, such as gcc and glibc, so I don't think it is quite fair OR accurate to say they are "blindly redistributing stuff others wrote and have no input in the design". Companies that hire Open Source developers andd tell them "Develop Away" are a major factor in the current state of OSS technical excellence. Were it not for the RHATs, Caldera's, SUSe's and IBM's of the world, Linux would be nowhere NEAR its current state.
Slashdot Mirror
1 and 6 maybe mulligans, but I'd call 8 more of a "gimme" ...
I've seen screenshots of an official (and not even alpha quality) official AOL client for Linux.
Given AOHell's recent decision to join the Liberty Alliance, could it be that AOL's partnership with Sun (as in Sun is the center of the Netscape iPlanet world now) has addicted AOL-TW to the need for open standards???
1 word, fish stew.
:-) (C'mon ... LAUGH).
Not wishing to be TOO pedantic, I think that's 2 words.
Most freshwater aquaria actually require water coolers to keep the temperature down to what the fish can stand. IIRC, the correct temperature for a freshwater tank is approximately 68F. Marine (saltwater) aquaria are somewhat more temperature tolerant, having a recommended temperature of 78F. However, the water movement requirement of a marine aquarium demands so much pump capacity (again, IIRC, I had something like 1350 liters/minute of total pump capacity in my 55 gallon marine tank) that the 10 degree "flex" in temperature ranges was insignificant.
If you allow for the heat generated by the 80+ watts of recommended fluorescent lighting needed for a moderate-sized tank (say 50-75 gallons), the problem that arises is one of keeping the temperature DOWN to the recommended range. Last time I looked at the price for water coolers for a decent-sized aquarium, it exceeded the cost of a mid-range PC (D00d, you're getting a Dell!).
Not wanting to throw (figuratively speaking) cold water on a promising research project, I SERIOUSLY think you are going in the wrong direction by planning to hook up another heat source to your tank.
would prevent a LOT of buffer overflows. Despite the following:
This nugget of easy-way-to-enhanced-security knowledge has been known for YEARS, yet C programmers blithely ignore it. I'm sure there's something equivalent in C++ too.
Gotta LOVE this exchange ...
...
Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?
A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?
Okay, but what if the manufacturer ships the car with the keys attached to the steering column with a chain,because THAT way I don't have to worry about losing the keys? Now I have to find out (from someone other than the manufacturer, since the manufacturer's customer support staff is clueless) how to detach them. NOW is the manufacturer responsible, in any way, when my car is stolen?
Hows this Win machine supposed to route packets? Win 9.x doesnt do that, I dont know about ME or XP.
... that of the gateway box. The address translation will be done in that one machine.
Beginning with Win98SE, there is an "Internet connection sharing" component available in Windows that is a crude version of a routed/NAT protocol.
Assumming he has a NT Workstation: how to find a subnet range that wouldnt conflict with the rest of the campus?
Assuming this network is a typical university network, all the machines probably use public IP addresses. Pick a subnet from those allocated for private networks (e.g. 192.168.*.*) and use NAT on the gateway.
How to tell other routers about the new subnet without the netadmins consent?
With NAT, all your admin will see is a single IP address
This is basic TCP/IP networking.
...I was told by the network administrator that the linux machines were not to be connected to the network for fear of viri, DoS attacks, and so on.
... this is true. Linux users eventually become hackers ... however, they almost always become white-hat hackers.
...
There are over 15,000 viruses documented that are active in the Windows environment. I am only aware of two that can infect a Linux box, and the damage they can do is minimal if users aren't permitted to install executables in their $HOME directories. Linux boxen ARE popular targets for crackers because they have a fully implemented IP stack that allows forging packet headers for DoS attacks against other computers, but a little thought given to the job of locking the box down can prevent that. Of course, this particular "advantage" to cracking Linux boxes is going to disappear as the home version of Windows XP becomes more common, since Windows boxen are MUCH easier targets than ANY flavor of n*x is. As for the "and so one," all I can say is "etc."
Why do people fear Linux?
Because it's easier to say "No" than it is to learn something new.
It seems to me that people are misinformed that Linux is only a 'hackers' OS.
But, but, but
How can we change this?
Hit 'em with a clue-by-four? I don't know the answer to this
This is only one of the common Linux "myths", and there are several more where these came from. Is there a central clearing house of such myths and intelligent efforts at debunking them somewhere online?
Although the comments are really aimed at the embedded OS space, a lot of what was said in the responses by Lineo and LynuxWorks to Microsoft's white paper on the subject of Windows XP Embedded also applies to the desktop.
Here's a bright, although somewhat backwards way to subvert your admin's thinking process. Get a handful of PCs and install Linux on them, then connect them to the network through a Win2K box configured as a gateway. That way you can point out how the Win2K box is "protecting" (teeheeheehee) his network from those "renegade Linux boxen. I would submit to you that after about six months go by without ONE of the Linux boxes being cracked, he/she might have to develop a sudden appetite for crow.
I also know three ways to avoid buffer overflow, and they don't require any of the techniques you mention. Two are easy, one is tedious, but not difficult:
1) NEVER use
char *gets(char *s);
in a program. Use
char *fgets(char *s, int n, FILE *stream);
2) Use one of the kernel patches that renders the
stack non-executable. Then, even if the bad
guys manage to overflow a buffer, they can't
do anything with it.
3) Write your own low-level character-by-character
i/o handlers that stop accepting input before
the buffer overflows (that's the easy way), or
reallocates the buffer to be larger (that's the
more user-friendly way.
Numbers 1 and 2 aren't difficult at all, number 3 can be VERY tedious, but it isn't difficult.
An argument that proceeds from false premises is flawed no matter how logical its conclusions may seem.The specific flaws in these premises are:
... the "ptrace() 'bug'" ... how the Microsoft apologists LOVE that one.A design flaw, rather than a true "bug". There is absolutely NO evidence that this vulnerability has ever been exploited, yet, please allow me to ask you one question ... the ptrace() system call worked exactly as designed ... that the design was flawed ... well, no one's perfect ... .believe it or not, I even cut Microsoft some slack on design flaws unless the flawed design is so totally bone-headed that a freshman Comp Sci student wouldn't have done it that way.
... HOW LONG was it, after the design flaw became known, that the flaw was fixed and new releases made to fix it.A day or two?
2) Rail about security through obscurity. Ignore similar [slashdot.org] linux issues [slashdot.org].
The first link is to a story that questions Alan Cox's decision not to expose himself to a Sklyarov-type persecution under the DMCA by revealing the reasons for certain security bugfixes in a kernel patch-level release.Despite the fact that Alan didn't reveal the specific nature of the bug that was fixed, the bug was, in fact, fixed.
The second link refers to a remotely root-exploitable hole in wu-ftpd.Although almost every Linux distribution includes wu-ftpd, it is well-known as a source of security problems, and in those distros where it is installed and enabled by default the distributor usually takes fair pains to make sure that it is installed as securely as the state of reasonable knowledge of its problems allows.Also, IIRC, wu-ftpd also runs under Windows, where it serves the function of being an alternative to IIS's ftp server functionality.At this moment, I don't have the time to research the irrefutable facts, but my anecdotal impression, which comes from my experience as both a Windows and Unix admin indicates that the score in the IIS vs. Apache + wu-ftpd exploit game is more than a little lopsided in favor of IIS being the cracker's friend.
3) Rail about how long a bug has been open. Ignore similar linux issues [slashdot.org].
Ah yes
Now for the question
Every e-mail client I've ever seen (with the possible exception of some early versions of Eudora) allows you the option of adjusting the layout so that there is no "preview pane" ... NOW you can delete the e-mail without opening it by right-clicking on the subject line in the header list and selecting delete from the context menu ...
Or, you can use Linux and pine, elm, mutt, or one of the other console-type mail clients that have NEVER had a "preview pane" and be shed of the problem.
Actually, no ...
... 1) set IE to treat the entire "Internet Zone" with its "Restricted sites" security setting, and 2) do NOT open any files online unless you completely trust the website you are browsing ... and how many of those are there?
... in which case, the case becomes quasi-criminal and disclaimers in the EULA go out the window ... but gross negligence is tough to prove. It requires a showing of wanton, willful neglect and a complete disregard for the rights of the victim ... errrrmmmm .... sorta like the actions of ... errrrmmmm ... an abusive monopoly ... oops, might not be so hard after all ...
...
The problem here arises from the fact that Windows allows more than one '.' in a filename, but will only display one. Therefore, a malicious webmaster can name a file "foo.pdf.exe" and Windows Open/Save dialog will only display foo.pdf.
As for the fix, it's a 2-step process
As for potential Microsoft liability, one might be able to make a case that Microsoft was grossly negligent by trying to cover up this hole
My personal fix for problems with IE is a 5 CD set of Debian woody and Mozilla
English, is by its nature, extremely poorly suited for an exercise such as this. A large portion of the meaning of an English statement is derived from context and the order of words in a statement, while the meaning of a C, Pascal or Fortran expression is almost purely a matter of syntax. I believe that it would be extremely difficult to write a compiler or interpreter that could process nature-looking English into computer code.
... Perl! Don't laugh yet.
... the lameness filter stopped me from including any of Conway's examples.
OTOH, there is already a "natural-language" programming language available for a project such as this
Damian Conway's paper, Lingua::Romana::Perligata -- Perl for the XXI-imum Century demonstrates that "natural language" programming IS possible in a quasi-grammatical way, while also pointing out WHY English really just doesn't fit the needs of a programming language. The "Latin" code that results from using Lingua::Romana::Perligata is "sort of" grammatically correct, quite readable, although somewhat "forced", to those with a grounding in the Classics (which many judges have), and lacking a LOT of the special characters that make most programming languages look mysterious to non-techies.
You'll have to read the paper to see the effect of using the module
I don't claim to be enough of a Perl hacker to even begin trying to convert one of the perl versions of DeCSS to a Perligata script, but I feel I know enough linguistics to consider an attempt to create an English-based "natural language programming language" that would come CLOSE to being grammatically correct and comprehensible to non-programmers to be quixotic.
My complaint on this subject is about coders who play the "If it runs on my box, it's good enough to release" game.
... I suspect he probably developed GnomeMeeting under the as-yet-unreleased GNOME 2.0 rather than the current stable GNOME 1.4.
... if you are going to push your stuff out as the greatest thing since sliced bread, make sure it will build and run under a fully-'stable' version of kernel/libs/sysutils ... anything less marks you as an update snob and your project as less than useless ...
As a case in point, consider GnomeMeeting. I have an INTENSE professional interest in videoconferencing under Linux. GnomeMeeting shows considerable promise for fulfilling this need, but I can't get it to build under Debian woody. Despite the fact that I run apt-get upgrade at least once a week, the developer is apparently using some library more advanced than I have on my system
What's the point of all this? Developers
This would be the worst of all possible worlds. Just ask on comp.os.minix ... since the underlying system isn't free, it has become fragmented and forked all to hell with the various free patches that often conflict with one another.
I did this too, back when I was using Red Hat. Sometimes it was the only way. In the end, I said "to hell with the database" and started building everything from source tarballs.
Things went fine, and my what was originally RH 6.0 install soon became more advanced and up-to-date than RH 7.0
Anyhow, to make a long story short, I decided to install Debian woody. I ordered the CD set from the computerhelperguy who, at that time, was the only source for woody. I EFT'd $20 bucks and, about a week later received the 5-CD set.
Switching from RH to Debian imposed a significant learning curve, but APT is schweeeeet, and I don't think I'll be going back anytime soon.
Now that the intro material is out of the way, anybody and everybody who uses an rpm-based distro, owes it to themselves to try out apt4rpm. The beauty of apt is that it automagically resolves all the dependencies, and in those cases where you get circular dependencies, it picks what appears to be the least damaging package to apply the --nodeps option to.
I'm not saying that Debian is the best distro. I am not distro-religious. I am not anti-rpm, although I would like them use
Try it
That kind of depends on the volume and depth of the magma chamber. If a super-volcano explodes, the overlying rock usually collapse into the suddenly depressurized magma chamber resulting in a huge (as in 10's of miles, and in a very few cases 100's of miles, across) crater-like structure called a caldera.
Actually, the oldest remains of a settlement that could be called "urban" at Jericho date from about 8000 BCE. There are other areas where extremely ancient evidence of the beginnings of urbanization exists, but I think they are all in the Middle East. I'm not aware of anything that old in the western hemisphere.
No, but there are other radioisotopes that can be used to date stone ... especially granite
Coral doesn't grow under 2000 feet of water ... it relies on photosyntehsis for a significant part of its energy needs and can't survive without a pretty good light level.
IIRC, the deepest known coral reefs are about 100 feet down in places like the Red Sea, Micronesia, Bali and other regions that are known for the clarity of the water.
Ia, Ia Cthulhu phtagn
;-)
Hormonally, humans (and other diurnal creatures (this excludes Solaris admins)) are stimulated into various modes by light levels.
... I'm a Solaris admin, and I work in a delightful machine room whose ENTIRE North wall is glass ... of course I work at a university, which is a LOT more laid back than the profit mills are ...
... YMMV. The reverse is (for me) very tiring because dim lighting leads to dilated pupils that allow way too much UV from the screen to enter the ol' Mark One eyeball ... the important thing is to find what YOU are comfortable with, then convince management that it is in their best interest to let you have it ... at your own expense, if necessary, but optimally on their dime. After all, it's 1/3 of YOUR life ... there's no rational reason you should be physically uncomfortable during it, unless you are such a hot coder that they are paying you an unreasonably high salary. And if you are such a superstar, management should fall all over themselves trying to accomodate your needs.
Waittaminute
The two BIGgest factors I've noticed in work environment comfort are 1) lighting and 2) a feeling of privacy (while not being completely deprived of human contact. I like bright lighting and a subdued (but warm) screen color scheme
- Require all U.S. ISPs (especially AOL) to use egress filtering on their border routers. This may not put a complete end to DDoS, but it will certainly ease the burden imposed on the 'net by script kiddies. This is especially necessary in light of the fact that a 'feature' of the home edition of Windows XP is that consumer Windows users now have the ability to forge IP headers;
- Leave crypto alone. It is a necessary component of secure e-commerce as well as being a component of criminal communications. There are enough ways to snoop on the bad guys already without disabling an already-struggling sector of the economy. Besides, how are you going to keep the black hats from having crypto when all they need is a copy of gcc and a modestly talented programmer to write their own crypto software. It sounds over-simplified but it is true that "When crypto is outlawed, only outlaws will have crypto.";
- Get competent, disinterested technical advice before legislating technical issues. Have your advisor give you both the pros and the cons of the issue, then vote in the best interest of the people who elected you, NOT the corporations that financed your campaign;
- Give serious consideration to passing legislation banning some of the more abusive EULA provisions, especially disclaimers of ALL liability for consequential damages. American law has enough safeguards in place that holding software companies responsible for damages they cause by, for instance, gross negligence (like not releasing the patch to cure the Code Red vulnerability until the exploit was "in the wild") will NOT destroy the industry.
- Repeal the DMCA and put the SSSCA on the rubbish heap. The RIAA, MPAA and the BSA are powerful enough that they don't NEED a class os special crimes just to protect them. Additionally, "standardization" and "certification" of "security measures" will make the digital world less, not more, secure
- If you feel you really MUST pass some laws regarding 'net abuse, give us some anti-spam, anti-online-fraud and anti-identity-theft laws with REAL TEETH!
.I think you have to include some provisions regarding negligence.
... if you were playing in the final round of a professional deathmatch tournament with a purse of, say $1 million AND you held an insurmountable lead at the time of the crash, AND the rules of the tournament disqualified you because of the crash, I'd say you would have lawyers lined up to take the case.
/.ers claims I hear regarding Microsoft are speculation at best, and they aren't sufficient.
/. amount to nothing more than uninformed babble.
... wrong body of law ... this act is a crime, and yes, one of the punishments available under criminal law is an order of restitution. BTW, crimes can also be the subject matter of tort suits in the civil courts if the DA declines to prosecute.
There doesn't have to be a negligence provision in the contract in order for a person damaged by breach of that contract to sue. Breach of contract and negligence are governed by entirely separate bodies of law and are separately actionable.
If windows crashes while you're playing Quake, and made you lose, that's not sufficient to sue.
Depends
If you're Little Johnny l337 $uX47qu4k3 who was playing with his buddies online and lost "because windows crashed" it would be a different story. The question is not one of contract provisions, it's one of damages. However, in either case, you'd still face the problem of the disclaimers in the Windows license.
Alot of the
And almost ALL the legal "opinions" you hear on
Or look at it another way, an vuln developer produces software that causes B in Software C, should he be held liable as well?
Here you go again
In short, please don't try to give someone legal advice unless you know the law. A lawyer (actually Abraham Lincoln) once said, "It is better to keep silent and be thought a fool than to open your mouth and remove all doubt."
P.S.: The burden of proof in a civil case is "preponderance of the evidence" NOT "beyond a shadow of a doubt." In a criminal case under Anglo-American and MOST European law, the burden is "beyond a reasonable doubt." The only legal system of which I am aware that requires absolute proof of guilt is Islamic law, and it is only required there for the 7 crimes referred to as "Huddud".
There isn't a contract involved in using open source, so no-one can be held liable.
Not so. There IS a legally enforceable license (which is a contract) and it is legally enforceable. The "consideration" to support a contract's enforceability does not HAVE to be money.
Perhaps even moreso in the case of RedHat as they are just blindly redistributing stuff others wrote and have no input in the design
No, I don't. If Red Hat started to distribute GnomeOutlook some day, they deserved to be sued to Hell and back.
Red Hat's product is selling decisions. "This we take, that we don't". So maybe writing code isn't their business, but selecting code is. And therefore they should be held responsible, at least by their paying customers.
Actually, Red Hat is a MAJOR contributor to Open Source development, employing such luminaries as Alan Cox (kernel) and Rasterman (enlightenment). RedHat had the fix for the ptrace exploit out in THEIR release of 2.4.9, but the fix didn't make it into the general kernel tree until 2.4.10. Also Red Hat puts a LOT of development effort into the GNU tools, such as gcc and glibc, so I don't think it is quite fair OR accurate to say they are "blindly redistributing stuff others wrote and have no input in the design". Companies that hire Open Source developers andd tell them "Develop Away" are a major factor in the current state of OSS technical excellence. Were it not for the RHATs, Caldera's, SUSe's and IBM's of the world, Linux would be nowhere NEAR its current state.