Slashdot Mirror


User: GiMP

GiMP's activity in the archive.


Comments · 1,323

  1. Re:Beagle, Spotlight? on Best Way to Build a Searchable Document Index? · · Score: 1

    Beagle is based on Lucene.NET -- others have recommended Lucene (and its clones) as well, as do I.

  2. Re:Are they serious? on When Not to Use chroot · · Score: 1

    According to the page about breaking out of chroot linked from the discussion, the seteuid() is not effective because the process still has a real UID of 0 and can call seteuid(0) at any time.


    Perhaps, but I believe that type of vulnerability can be limited through means such as privilege separation (as in OpenSSH).

  3. Are they serious? on When Not to Use chroot · · Score: 4, Insightful

    Please tell me that none of those bone-heads on LKVM advocating that chroot should be 'root proof' haven't had any patches accepted!

    Of course chroot() doesn't do any good if a process inside of it is running as root. This is very well known. However, that doesn't make chroot() useless, it is still plenty useful. If you execute chroot() and then a seteuid(uid) where uid>0, then you prevent a hole/bug in your program from being exploited in a way that will allow file access/execution outside the chroot. That *is* a security advantage.

    The point of "chroot security", cases where chroot is used to improve security, isn't to contain a malicious root user. The point is to prevent privilege escalation. You can create a chroot without any directories with mode 7771 privileges (a la /tmp), that is free of any setuid binaries, and without "useful" utilities like wget or curl that can make exploiting the system child's play. If your program runs inside of a chroot as a non-root user, and your chroot has no setuid binaries, and your kernel has no privilege escalation vulns, then you can be reasonably sure that nobody will break the chroot or achieve privilege escalation. Without a chroot, you would have to clear your entire server of setuid binaries and mode 7771 directories -- not to mention the potential for intentionally world-readable files that can lead to information exposure. Quite simply, a chroot prevents an arbitrary-execution vulnerability in bind (or other process) from exploiting a privilege escalation vulnerability in apache (or other process).

    What some people think, apparently due to pure ignorance, is that chroot() is an end-all solution that will prevent even a root-owned process from accessing files outside the chroot, or worse, thinking that it protects the memory subsystem in any way. It doesn't. Even if the discussed patch was applied to the kernel, a root-owned process could still alter kernel memory, access raw devices, etc.

    Improvements in ACLs under Linux minimize some of the needs for a chroot, other than the fact that a chroot is still much easier to configure and ACLs do not handle all of the use-cases that a chroot can solve. (and vice versa, chroot cannot solve all of the problems solved by ACLs) Additionally, a chroot *and* ACLs can be used together for further-improved security.
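
The chroot-then-drop sequence discussed in comments 2 and 3 above, as an added example that is not part of either comment: it enters the jail, drops to a non-root user with setuid() rather than seteuid(), and then checks that root cannot be regained. The names `confine`, `confine_in_child` and `DROP_NOT_PERMANENT`, the jail path `/var/empty` and the ids 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_NOT_PERMANENT 255     /* root could be regained after the drop */

/* Enter `jail`, then permanently become uid:gid. Returns 0 or an errno value. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return EINVAL;                         /* "dropping" to root is no drop */
    if (chroot(jail) != 0)       return errno; /* only root may call chroot() */
    if (chdir("/") != 0)         return errno; /* leave no cwd outside the jail */
    if (setgroups(0, NULL) != 0) return errno; /* shed root's supplementary groups */
    if (setgid(gid) != 0)        return errno; /* group first, while still root */
    if (setuid(uid) != 0)        return errno; /* real, effective and saved uid */
    /* After seteuid(uid) alone, the next call would succeed (real uid still 0). */
    if (seteuid(0) == 0 || setuid(0) == 0)
        return DROP_NOT_PERMANENT;
    return 0;
}

/* Run confine() in a child so the caller keeps its own root and credentials. */
int confine_in_child(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(confine(jail, uid, gid));
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : DROP_NOT_PERMANENT;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty"; /* assumed jail path */
    int rc = confine_in_child(jail, 65534, 65534);        /* assumed "nobody" ids */
    if (rc == 0)
        printf("%s: confined, root cannot be regained\n", jail);
    else if (rc == DROP_NOT_PERMANENT)
        printf("%s: privilege drop was reversible\n", jail);
    else
        printf("%s: %s\n", jail, strerror(rc));
    return rc != 0;
}
```

Run without root, the chroot() call fails and the program prints the corresponding error instead of confining the child.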

  4. Re:Cell? on What To Do When Broadband is Not An Option? · · Score: 2, Informative

    the iphone doesn't support 3g because mabell's network doesn't support 3g... what a dumb trolling post..


    AT&T/Cingular does support 3G, it is the second best 3G network in the US, behind Sprint..

  5. Re:Yeah, whatever... on NBC to Offer Free Video Download Service · · Score: 1

    Say that all of those shows were on tv within the last 6 years... that's 6 years of cable at, what, $40/mo? Forty times twelve gives you a year, times six years would be a cost of $2880.

    Even if all of the shows you listed had 24 episodes per season (and most of them don't), you listed a total of 6+3+4+3+3+1+6 (scrubs)+ and 4 (futurama) = 30 seasons. Multiply that by the number of episodes per season (24) and you get 720. Multiplied by iTune's $1.99 per episode and you get a grand total of $1432.80.

    So... compared to cable, if you ONLY watched the shows that you listed, you would have saved about $1448 dollars by shopping on iTunes.

    I did not include Dr Who in these figures as that ran on the BBC for a period of 26 seasons and ended decades ago. However, if, say, they were showing Dr Who reruns on BBC America twice a week without a repeat (ha!) for the past six years, that would be a total of 624 episodes, which would cost $1241 on iTunes. With that math, compared to cable ($40/mo), you would still have saved $207 over the past six years.

  6. Re:Yeah, whatever... on NBC to Offer Free Video Download Service · · Score: 1

    Even at one dollar for an episode this would quickly run in the hundreds for long running shows such as 24


    Actually, there are only 24 episodes per season of 24... (yeah, imagine that!) At one dollar per episode, that would be $24 per season.

    Depending on how much television you watch, buying from iTunes at $1.99 per episode can be cheaper than a cable tv subscription, and iTunes provides replay and on-demand value. Yes, it sucks that there is DRM and that maybe you can't "keep it forever", but on the other hand, it's still better than Cable+VHS.

  7. Re:NBC Offers Their Shows on Their Site on TV Torrents — When Piracy Is Easier Than Purchase · · Score: 1

    I'm not sure what is going on over at NBC. Last year they had The Office available to watch on their website but pulled it mid-season -- I suspect that is why The Office was consistently iTunes' top TV download.

    I love Heroes, but I won't watch it this year if it isn't available on either their website or iTunes. I could watch on bittorrent, but it really is NOT convenient, no matter what CNET says.

  8. Re:NBC Offers Their Shows on Their Site on TV Torrents — When Piracy Is Easier Than Purchase · · Score: 1

    Not to mention they limit it all to US audience.


    Well, they were just showing Heroes over the summer in Poland. I'm not sure if it was a hit or not, but it's hard for such shows to be successful when they're voiced-over... I really wish Poland would move to subtitles, but then again, it could have something to do with the literacy rate -- and quality dubbing is expensive.

  9. Re:NBC Offers Their Shows on Their Site on TV Torrents — When Piracy Is Easier Than Purchase · · Score: 1

    When TV on iTunes first appeared, the videos were at 320x240; however, that was since changed to 640x480, and I believe for some shows, 720x480. Immediately after the upgrade, there were a lot of complaints, however, that the older shows were upscaled from the original 320x240 files and that only new shows were being encoded at a true 640x480/720x480 resolution.

    I'm not sure if they ever re-encoded the files that were at one point upscaled from 320x240, but I haven't run into any such files personally.

  10. Re:Only Fox?????? on TV Torrents — When Piracy Is Easier Than Purchase · · Score: 1

    SciFi has Eureka online as well. Unfortunately, none of their other shows... as such, I still haven't seen the new Dr Who or Flash Gordon. (SciFi is an NBC network)

  11. Whitehat patents? on Microsoft Seeks Another OS-Level Adware Patent · · Score: 1

    While everyone here is thinking about this in a sinister fashion.. could this be a "whitehat patent"? That is, by patenting forms of adware, Microsoft can legally protect their OS from such software -- giving them ammunition to use against the adware makers.

  12. Re:Just... on Opportunity Takes a Dip Into Victoria Crater · · Score: 1

    Here is a Reference, although you're right.. Spirit has had wheel issues as well (and more severe, I believe)

  13. Re:Just... on Opportunity Takes a Dip Into Victoria Crater · · Score: 0

    Perhaps it has 6 wheels, but one is essentially non-functional and it drives only on 5. The 6th wheel is stuck at a 7 degree inward angle..

  14. Re:Well that's the end of Vista in a business sett on Vista Pirates To Get "Black Screen of Darkness" · · Score: 1

    Who would run SQL Server on Vista??? It is a desktop OS.

  15. Re:Ask Slashdot: How do I avoid this? on Jatol.com Disappears, Stranding Customers · · Score: 1

    If you don't mind running it on OSX or Windows, you can get a Drobo. It handles building and rebuilding the arrays for you automatically, even with disks of different sizes. The only problem is that it requires an HFS+ or NTFS filesystem -- no ext2/3/4, reiserfs, xfs, jfs, etc.

    Another possibility for local storage is a standard disk array and manage your own raid.

  16. Re:It's really funny to see Americans suffering .. on Turned Off iPhone Gets $4800 Bill from AT&T · · Score: 1

    I'm not too much into voice, but I can attest for data. I had a "mobile broadband" plan in Poland with Era, but roaming to Germany or Italy was impossible. The data charges were outrageous and as such, roaming was disabled by default.

    The good thing is that there are now data-plan prepaid/pay-as-you-go simcards available.

    When I was in Italy, I paid 50 euros to Vodafone for a 30-day pay-as-you-go data plan. That was a steal compared to what my roaming charges would've been.

  17. Re:Yes! on NBC Universal Drops iTunes · · Score: 1

    I don't understand why so many Windows users are so quick to bash Safari as if it was a released product? They released a BETA, and shock, it has bugs! Wow, I never expected a BETA to have BUGS!?! Get real.

    As for Quicktime and iTunes for Windows... I'm not sure what the complaint is, they seem perfectly fine whenever I've used them. I don't like the interface as much as I like the Mac version, but that's mostly because of the differences in the platform (menubar placement, etc). Anyway, iTunes is the only reason at all that I have a virtual machine with Windows in it.

  18. Re:I wonder... on NBC Universal Drops iTunes · · Score: 1

    The people that steal/share "illegal" copies are not going to pay no matter what.


    Not true. While there will always be people not willing to pay for such content, there may currently be a number of people that are not satisfied with the current distribution methods and find themselves unable or unwilling to use any method except unauthorized downloads.

    Cases in point:
      1) Viewers from abroad which are restricted from all forms of legal downloading and OTA signals. Even if the media is licensed in their country, it may be dubbed (sometimes horribly so, such as in Poland)
      2) Those that cannot receive OTA signals and watch shows not on the website (such as The Office).
      3) Those that found that buying shows in iTunes was cheaper than subscribing to cable, and to date had all of their favorite shows available. Now, those viewers will have to invest in an OTA antenna (and hope it gets any quality signal, which is nearly impossible in my experience), and a DVR. Or, they just stop watching NBC shows, or watch them on the NBC website, via their computer (not their TV) -- if the show is available there, and if they are happy with the low-bitrates. While these users have options, none of them are nearly going to provide the same level of quality that they were used to receiving on the iTunes downloads that they were willingly purchasing. So, in this case, viewers are left with a choice of solutions none of which, except pirating the content, provides a viewing experience on par with iTunes.

    I think that The Office is a much better example for these discussions than Heroes, which is at least available on NBC's website. The Office is the #1 selling show in iTunes, and is not available on NBC's site. There will be many The Office viewers switching to unauthorized/illegal downloads. Unfortunately, this might ring badly for this 4th-season show, I'm afraid we might be seeing its last season.

  19. Re:Nice editorializing on NBC Universal Drops iTunes · · Score: 1

    What a lot of people miss here is that not every show is available for watching on their website. The Office is a notable example, and is one show that one would either have to watch via iTunes or from more dubious sources. Of course, DVD is an option, but they take forever to be released.

    iTunes and "illegal downloads" are the only options for many outside the US, and even then, iTunes will attempt to block access (luckily, usually unsuccessfully) from many countries.

  20. Re:Frank bandwidth comparisons based on P2P etc on Comcast Cuts Off Users Who Exceed Secret Limit · · Score: 1

    Who cares... it's not about who can, it's about what they sold.


    I would have to check the TOS, but I would imagine that it would include some type of ability for them to deny services based on illegal use. (aka, if they get a DMCA letter, they can disable or terminate the service, etc) Just as the user can reasonably believe they have unlimited use of the service, the service presumes that the users will make legitimate use of the service. Illegitimate use is known otherwise as abuse, and abuse is not allowed...

    If it can be proved that the users are not making legitimate use of the service, they can be disabled. While I agree that simply using absurd amounts of bandwidth is not proof of wrongdoing, there is little likelihood that those using 300GB/mo are not doing something wrong.

  21. Re:Frank bandwidth comparisons based on P2P etc on Comcast Cuts Off Users Who Exceed Secret Limit · · Score: 0

    Now I pose a question. Consider that a DVD version of a linux distro is 4.7gb. Just how many of you out there are downloading more than 20 DVD-length Linux distros a month? Because that seems to me to be the only legitimate use of BT. I myself d/l multiple shows via BT but have never hit the limit--what exactly could anyone be downloading that takes more than 100gb a month??


    While I do believe that we will be seeing more and more traffic into the future, with higher bitrates, more video, etc... you have a very good point here. What LEGITIMATE purposes can really push 5-10GB per day!?!

    I use a VNC-like connection to my IP-KVM units, a slingbox, buy tv shows on iTunes, stream free tv from abc/nbc/fox, listen to internet radio occasionally, download Linux distributions occasionally, and browse websites. Even with terribly greedy estimates, I'm looking at only 20GB per month -- that would be for a monthly 90 hours of television, 67 hours of high-usage remote desktop/vnc, 13 hours of high-bandwidth radio, 4GB of standard webpages and ssh, and two dvd-length Linux distributions. (4GB/mo for standard webpages + ssh might seem excessive but I can manage that on my 3G cellular internet connection, which is too slow for any of the other items)

    Probably the only legitimate thing I do that could possibly put me towards 100-300GB/mo would be off-site backups. However, the transfer speeds for that are so low that it's preferable for me to drive two hours for a sneakernet than to do it via the internet.

  22. Re:Is it still advertised as unlimited? on Comcast Cuts Off Users Who Exceed Secret Limit · · Score: 1

    Then again maybe it was just my ISP at the time. Also, it seems I was wrong, their complaint was for actually being logged in too much. Apparently, unlimited time was not quite that -- it was "unlimited interactive time", thus downloading while you slept was not allowed.

    Usenet complaints/discussion about Voicenet policy, circa 1997

  23. Re:Is it still advertised as unlimited? on Comcast Cuts Off Users Who Exceed Secret Limit · · Score: 1

    With dialup modems, few people really cared about bandwidth consumption, as they were so slow that they didn't make much of an impact, even when continually ran at top speed.


    Not true. I repeatedly received, and know others that received letters, with different ISPs, regarding bandwidth usage on our dial-up accounts! Remember, back when dial-up was king, the providers still had a similar, or even higher cost for their backbone connections than they do today, and yet those connections were not nearly as fast. The difference now, if any, is that social networking and blogs are bringing these issues out to the open... then again, I'm sure with the right search terms someone can probably find a similar discussion on USENET from the mid-90's.

  24. Re:Damn Moon.. on Lunar Eclipse Next Tuesday Morning · · Score: 1

    Yeah, but Europeans get cheap flights to Africa. That's how I saw the lunar eclipse earlier this year -- I flew from Poland to Egypt! (of course, not just to see the lunar eclipse, I had a nice vacation too!)

  25. Re:So? Can't he use a Windows box to route? on Pirate Banned From Using Linux · · Score: 1

    someone saying you must install windows. It is someone saying we need to monitor you if you are going to get back online. Nothing else is relevant here.


    Well, that's true, but he can certainly argue that their requirement of having Windows in order to monitor his usage is an unnecessary requirement.

    Imagine the following. Let's say that a court ruled that a felon should wear an ankle bracelet without specifying the weight, and was given a 100kg bracelet. Likewise, while it might be true that the criminal might be choosing this in lieu of prison, he certainly would have the right to question this and ask the court if assignment of a more, mutually agreeable device could be assigned. Surely, if the Judge was satisfied with a 10kg weight, rather than a 100kg weight, that Judge would have no complaint with allowing the alternative.

    I think to get this opened up, he will need to indicate exactly alternative solutions that would be agreeable to him. I think he will, though, have better luck convincing them to have Windows on a gateway than to let him simply run Linux without their special software. Of course, it would be nice if they could rule Windows out here altogether, but I don't think the government could ever move quickly on supporting Linux -- no, it would be much more reasonable -- and agreeable to the judge -- to allow him to use Windows on a gateway. Argue against Windows on the gateway at another time, you need baby steps.