Slashdot Mirror


User: GiMP

GiMP's activity in the archive.

Stories: 0
Comments: 1,323

Comments · 1,323

  1. Re:A measely 6k attempts over 4 days? Who cares? on Sloppy Linux Admins Enable Slow Brute-Force Attacks · · Score: 1

    I've also been seeing this attack against my own machines in this same timeframe. It is worth noting because although these attacks do happen all the time, the distributed nature, high frequency, and overall girth of the attack is noteworthy. That is, it doesn't seem to be just one guy getting attacked, there seems to be a single concerted (distributed) attack against many hosts.

    However, you're right, this is a threat very easily defended against.

  2. Re:bug fixes on Apple To Ship Mac OS X Snow Leopard On August 28 · · Score: 1

    I think the point was that once 10.6 is out, 10.5 will stop receiving updates, even vital bugfixes. That might have some truth and legitimate concern to it. Then again, that isn't much different than what other vendors (i.e. Cisco) do.

  3. Re:Binary blob ... eh? on Linux Port For id's Tech 5 Graphics Engine Unlikely · · Score: 1

    Most manufacturers, Dell in particular, now conform to the newer BTX standard. However, most whitebox systems and parts (such as PSUs) are still being built to ATX. You can, however, build your own BTX system and buy BTX compatible motherboards, cases, and power supplies.

  4. Re:Overkill? on The Homemade Hard Disk Destroyer · · Score: 2, Informative

    You can always melt it. A blast furnace will degauss it for you too, for no additional fee ;-)

  5. Re:degaussing not reliable on The Homemade Hard Disk Destroyer · · Score: 1

    Degaussing seems to be the best method. The DoD seems to think so as well. You could also melt it...

  6. Re:My 2 Cents on 88% of Electronics Exports Reused, Not Dumped · · Score: 1

    From software, the best solution is a multi-pass random rewrite. This isn't very practical and doesn't work with broken drives.

    The best methods of physical destruction are:
    1. Running it through a degausser, which can be expensive commercially, but not too difficult to build or scavenge from old CRTs.
    2. Throwing it into a blast furnace. This can be dangerous and bad for the environment, but at least you can re-use the iron! The heat will degauss the metal. If melted into a liquid, complete destruction is assured! There are webpages providing instructions for building backyard blast furnaces.

  7. Re:Twitter doesn't require an IRC client on Twitter Used To Control Botnet Machines · · Score: 1

    IRC is quite an easy protocol. You can access it via telnet if you want to. There are plenty of decent clients for all platforms, although a botnet would just connect directly from its code and wouldn't use a GUI client.

  8. Old hat? on Entropy Problems For Linux In the Cloud · · Score: 3, Informative

    Disclaimer: I work for a hosting company doing VPS/cloud hosting.

    This is pretty old-hat. First, the host-keys issue inside pre-generated images is a very obvious one, although I'm not too surprised that companies aren't considering it. RNG issues aren't quite as obvious, but they're not super-secret either, anyone with any amount of background in security has been aware of this for a while.

    In fact, questions regarding RNGs have even surfaced in the ##xen IRC channel (freenode.org) because it is a very important issue to some. In particular, those with the need for hardware RNG solutions have come seeking assistance.

    I'm certainly not minimizing the issue, just noting that it isn't really a new one at all. More than anything, it is that the average systems administrator has been slow to realize this, and developers even less so.

  9. Re:Guy doesn't work at a college, obviously on 20 Years of MS Word and Why It Should Die a Swift Death · · Score: 1

    The solution is to encourage electronic distribution, charge students for printing. Put signs on the printers, "Save money: copy electronically." Professors will almost certainly, at least in the beginning, need a quota for free printing and copying, after which they'll need to pay. You can then shrink that quota against a schedule.

  10. Re:Wait a little more on CentOS Project Administrator Goes AWOL · · Score: 1

    The last time I went on a vacation without internet? 2001. About a month before I started my first industry job.

    I'm a bit shocked at the outrage expressed here, but I'm sure it depends quite a bit on your job role and the size of your company. I've always been with small companies and/or on retainer, where I simply couldn't disconnect.

    When I worked for others, I'd put in at least 4 hours from the hotel during the evenings. Now, having my own business, I specifically don't go -- can't go -- where I won't be able to obtain a consistent signal. The good thing is that these days, with 3G, I can relax and just do everything on my phone (or tethered). That's pretty relaxing. I no longer have to scour for phone lines, internet cafes, or wifi signals.

    I thought that with the widespread availability of 3G, even those with only casual needs wouldn't be *that* far from the internet.

  11. Re:Wait a little more on CentOS Project Administrator Goes AWOL · · Score: 2, Insightful

    "give it at least until Monday before publicly humiliating the guy."

    Except they had been calling for 2 weeks to nothing but a busy signal, which alone might be sufficient cause for such an open letter, especially considering the financial and management concerns.

    Oh, and nobody goes on holiday without contact for over 24 hours, do they? I bring a laptop and a smartphone with me wherever I go. Even when I visited Northern Africa, I made sure to get online at least once a day to check, act on, and reply to my email.

  12. Re:Good luck on Healing Wounds With Diamonds · · Score: 3, Informative

    HMO is "health maintenance organization". Remember, we do not have national medicine in the USA, we instead have medical insurance companies. There are two primary types of plans one can get, an HMO or a PPO (Preferred Provider Organization), the difference is in which doctors you can see, how much you pay, and the process through which you must visit specialists.

  13. Re:5 years is just too short, try 15. on Stallman Says Pirate Party Hurts Free Software · · Score: 1

    Two years is too short for the same reasons that 5 years are too short, as RMS has specified. With a term as short as 5 years, or shorter, something like RMS' planned solution would have to be implemented. The reality is that a 5 year (or less) term is simply never going to happen, it's too short for consensus, especially without such a 'closed source -> open source' analogue. Instead, a return to a ~14-15 year term would be an adequate compromise for most parties.

    Remember that as you note, most renewals would not occur. Much of Linux, for example, would be public domain in only a couple short years. Meanwhile, as RMS notes, the closed source software would remain enshrouded by secrecy.

  14. Re:A compromise on Stallman Says Pirate Party Hurts Free Software · · Score: 2, Insightful

    Unfortunately, while I like the spirit of your idea, I think it is misguided due to the unfortunate consequences such a law would bring. With your proposal, any work not submitted in full to the copyright office would not be given copyright protections. With dynamic works such as software, this would be a disaster! It would require that either all changes to GPL works are first processed by the copyright office, or worse, those works fall into the public domain! It would kill all open source licenses and open source development. Even if applied to non-software works, this could arguably affect art that is dynamic in form, such as some installations.

  15. 5 years is just too short, try 15. on Stallman Says Pirate Party Hurts Free Software · · Score: 5, Insightful

    I think that the optimal number of years is closer to 15, it should be treated like "classic cars" are in Pennsylvania. This is enough years that publishers have had sufficient time to make profit, that the work has had sufficient opportunity to make and exploit its cultural impact, and is not so many years that the work is lost from lack of preservation.

    In terms of software, 15 years is quite a bit of time, enough that software is unlikely to be of significant commercial use, so that copyright-lapsed software shouldn't too seriously affect the sales of modern solutions. Open sourced material lapsed into the public domain wouldn't be as much of a concern as it would be within a 5 year period.

    If this was in force today, old versions of the GNU toolkits, the X11 system, and even Linux itself would be in the public domain. That might seem scary, but we're talking really old versions. If someone in 2009 wants to include Linux 0.99 into their embedded product without contributing their changes back, I'm not sure that's really a bad thing.

  16. Re:Know what's going to happen if this keeps up? on Mac Clone Maker Psystar Files For Bankruptcy · · Score: 1

    Or, maybe they'll make sure MacOS requires some sort of "trusted computing platform" nonsense laced throughout the entire software stack, so that it's really impossible to run the software directly on a system without hardware support for DRM (which would mean running it on a VM that emulated that would be a clear case of circumvention as the DMCA discusses).

    Apple already uses a TPM chip (aka "Trusted Computing") for this reason, but it has been circumvented through binary patching. I'm sure they could make the code more pervasive, but under the DMCA what they have done is more than enough to protect them legally. Unless, of course, a judge rules in Psystar's favor and indicates that the DMCA's circumvention provisions do not apply here.

    Rather than emulating a TPM chip, which might have its own legal ramifications besides DMCA violations as a result of its use, I have another suggestion. An easier solution would be to salvage TPM chips from broken and discarded machines to create daughterboards. The virtual bios of virtualization platforms could then communicate to these legitimate, legal TPM chips. I'm sure that using a TPM daughterboard would be a much more legally defensible position, although it is far from guaranteed.

  17. Re:Why do people study "math" in college? on New Pattern Found In Prime Numbers · · Score: 1

    Personally, I've been slowly advancing towards a mathematics degree because:

    • I own my own business and am not looking for a job
    • Mathematics has applications in both business and computer science
    • If I ever decide to be hired, I feel that Mathematics is a suitable substitute for a computer science degree.
    • I would gain nothing from a computer science degree besides the paper it is printed on. I am attending classes to learn. If I wanted paper, I'd go to Staples or Kinkos.
    • For the challenge of it.
    • As one with an "engineering mind" I want to know how things work, what makes them tick. Mathematics makes everything tick.

  18. Re:High-end what? on A $99 Graphics Card Might Be All You Need · · Score: 4, Insightful

    I would have said that until 1-2 years ago, the best "value per dollar" for video cards was about at $200. This is how much I spent on my first Voodoo2 card and my Geforce 6800. This past year, I spent less than $100 for a card that is arguably better performance per dollar, relative to the demand of the games on the market. So I would agree, $100 is the old $200 in terms of video cards.

  19. Length... on Handmade vs. Commercially Produced Ethernet Cables · · Score: 1

    For medium to long runs, make your own Cat* cables, but for short patch cables: buy them. Exceptions to this being super-short runs (2-inch) or intentionally unusual pinouts (say, for non-ethernet usage like roll-over cables).

    It sounds to me that this was a relatively long run, so it would be both significantly less expensive and easier to make cables as it is typically easier to run bare wire than terminated wire through walls and over ceiling tile. It really depends on the complexity of the run and how you wish to terminate it.

    If it is a short run, you'll (usually) get better quality and a lower price buying manufactured cable.

  20. If you think they're failing or deteriorating... on Should Network Cables Be Replaced? · · Score: 1

    Like any other cables, replace them if they've gone bad, or if you have a reasonable expectation that they're failing.

    If you have cables that flex and move relatively frequently, and you're seeing a number of them failing, replace them. If the cables that are installed currently are poorly made, replace or fix them. However, cables that aren't moving or flexing, and aren't having problems shouldn't be replaced. That is, don't rip the wires out from your walls if you're not having problems with them.

    I was working at a company a few years ago where there were a number of people reporting intermittent connectivity issues and I found various transmission errors. Replacing their patch cables into the switch solved their problems. The cables were Cat5, some even Cat3, and many were installed while the company was using Token Ring. Due to cable management issues and very bare-bones switching, the cables were moved somewhat frequently. The cables were quite stiff, I think the jackets were experiencing dry-rot. Finally, the migration from Token Ring and Ethernet hubs to full-duplex, switched FastEthernet was likely bringing to light poorly made cables that otherwise went unnoticed.

    As there were a number of affected users, I convinced my boss to spend the $100 (or less) on new Cat5e patch cables for everyone. I told him that even if it was unnecessary, the expense was pretty negligible compared to the labor costs if they did deteriorate, and replacing them would only take about an hour. After that, besides the occasional bad switch port, or a bad cable outside the server room, we no longer had problems on the physical layer.

    I personally have a policy that whenever I'm physically working on a system, if the patch cable seems to be poorly made or if the jacket seems to be deteriorating, or of poor quality, I toss and replace. Cables aren't that expensive, but the failure of a cable can be expensive.

  21. Re:It speaks volumes that they were caught out... on Ballmer, IBM Surprised By Oracle-Sun Deal · · Score: 3, Interesting

    I'm expecting that Oracle has some interest in keeping the hardware around. Don't underestimate the requirement for storage for databases! There is a business case for Oracle to provide "Database Optimized" servers and storage (SAN, DAS). Storage in particular is very important to Oracle. They've contributed the OCFS clustering filesystem for this reason. More importantly and relevant, Oracle has been sponsoring Btrfs development, as an alternative/competitor to ZFS. So yes, I think the hardware will definitely stick around, at least enough that Oracle can provide turn-key solutions based on ZFS, Dtrace, and iSCSI.

    Oracle being in control of both ZFS and Btrfs is a bit scary since the aspect of competitive advancement is gone (there is no other product they have to keep "one step ahead of"), and it is likely that we'll eventually see one of them wither and die. However, in the short term it might make both filesystems better.

  22. Re:Seems kinda obvious. on Game Retailers Hurting Themselves With Digital Distribution · · Score: 1

    As the games become less popular, the value naturally decreases, even with digital distribution. The retailers, even the online ones, know that they won't sell an older, (now) unpopular game two years after its release for $50.

    Like you, I tend to only buy games once they're in the bargain bin, and yet I now do this almost exclusively online. Especially with the economy in the dumper, I've seen "bargains" popping up on Steam quite frequently. Games that were $50+ a year ago are now going on sale, or into digital bargain-bins for $5-20.

  23. Re:Just need to push for DRM free movies. on Why There's No iTunes For Movies · · Score: 1

    If you ditch cable and just buy television series on iTunes, the $2/episode can actually be pretty cheap. This is especially true now that the broadcast channels are putting their shows online for free (well, with ads). However, for that same reason, there is little worth buying on iTunes that you can't get elsewhere for free, legally -- if it has just aired in the last month. If it is older, you're better off getting it on DVD, if it has even been released yet.

    Finally, there have certainly been a few cases where iTunes was cheaper than the corresponding DVD releases. I bought my episodes of "24" for cheaper than I'd have bought the DVDs.

  24. Re:Crap on IBM Withdraws $7B Offer For Sun Microsystems, Says NYT · · Score: 2, Informative

    Ask and you shall receive. That's right, IBM has already made an OpenOffice-based Lotus suite.

  25. Re:CCIF was not behind this manifesto on Microsoft, Amazon Oppose Cloud Computing Interoperability Plan · · Score: 1

    Right, I've read Ruv's "damage control" post.

    I know that IBM is playing a part of this, but it seems to be more than a little related to Ruv, and after reading it, I really don't buy the suggestion that the "leaked" document was written by an IBM staffer. Ruv and Jesse are promising news by Monday, so we'll see then. However, I hope that if their plans for Monday contrast in any way with the goals of the CCIF, or the community, that they reconsider and "do it right" before it is too late.