Similarly, give linux to an unskilled (in linux) admin and they'll botch it up royally; linux is no magic bullet.
The one advantage Linux, BSD and the free downloadable Solaris have is that you can train yourself on them.
That is, you get a complete system with all the management (such as they are) tools ready to go. In Linux's case, you'd have to find one of those RHEL-recompiled distros like Whitebox, but still, all the bits are there.
Compare that to what you'd have to get if you aren't already a Windows professional with an MSDN subscription. I know enough about the internals of Windows to play around with "CACLS" to try and tighten down filesystem permissions on XP Home Edition--but without spending another $200, I can't get the ACL GUI editor (or the user privilege editor). (Of all things to leave out of Home Edition... why not just put them under an "Advanced Settings" tab or something?)
Even with XP Pro, there are still OTHER packages you need to really know how to administer the Web server, the e-mail server, and so on. (To be fair, I haven't played with XP Pro much--I don't know anyone with a copy that is willing to let me mess around that much with their computer. We're still on 2K at work.)
Even Apple's got this wrong, with the extra features in OS X Server. I have no idea how to run a full-fledged OS X Server system, and I've been using OS X since the Public Beta.
I'm somewhat reminded of IBM's chant when they were moving AIX onto the inexpensive PowerPC machines: "AIX is AIX is AIX is..." No matter what box you buy, you'll have all the same OS features--the more expensive versions just give you more simultaneous users, not different management interfaces.
RMS has never said it is wrong to be paid to program, or even that it is wrong to pay a programmer to program.
What he says is, it is wrong to be given an unmodifiable program for any amount of money--including zero.
Having been stuck with poorly-supported or outright abandoned commercial packages (WordPerfect on Amiga, any MacOS driver by Microtech, the Microtek X6USB scanner software, ClearQuest and ClearCase, and so on), cases where the vendor won't fix program defects or support updated (as in minor patches) operating systems (not even for an additional charge)... I really can identify with where RMS is coming from.
RMS's arguments are not about paying coders or buying software. They are about the freedom of the end-user to fix, port or enhance the software.
Heck, I'm running bog-standard FireWire enclosures from the local PC discount shops on my Macs, so I probably wouldn't buy one either. I have started getting USB+FireWire cages, so they will work with anything... even if it has to be at USB 1.1 speeds.
This does remind me of the old SCSI drives that were in enclosures perfectly sized to fit underneath the original All-In-One Macs.
Yup; there is a limit to the number of hubs you can have in either a USB or a FireWire chain, so you'd want to connect, say, 1 Mini Mate right to the computer, then 2 more Mini Mates to the first Mini Mate.
Now, for even more fun, don't worry so much about the ports, and have a chain of USB-only Mini Mates, and a second chain of FireWire-only Mini Mates.
Each FireWire-only Mini Mate can have two further Mini Mates plugged into it, up to the FireWire hub limit.
And each USB-only Mini Mate can have three further Mini Mates plugged into it, up to the USB 2.0 hub limit.
Say you go 3 levels deep on each; so you'll have 27 open USB 2.0 ports (not counting the second one on the Mini itself), 8 open FireWire ports, and a total of 20 Mini Mates... giving you 1.6 TB to 8.0 TB of additional storage. (This was a bit more than I can count on my fingers, so I could be off a bit....)
If you really want a bunch of FireWire or USB ports, you might want to think about just getting one or two Mini Mates and a couple of hubs...
The surge results in a voltage drop on the +12 rail of the "good battery" car. It's trying to bring the dead battery up to the exact same voltage, within the current limiting effect of the jumper cables. Lead-acid batteries have a very low internal resistance, so they won't slow things down much. (And that's how you get 800 "cold cranking amps" out of 'em.) A dead battery will be between 11.8 and 12.2 volts, and the good system should be up around 13.2 to 14 or so, depending on the regulator.
Many computers need to have/RESET held low for a few would-be clock cycles after power-up, to allow the power rails to stabilize and the master oscillator to start. Usually this is done by a capacitor which slowly (comparatively) charges up to supply volatage; when it crosses a certain voltage, it releases/RESET (they're usually active-low), and the CPU can start.
All well and good...
If you've got a situation where the power rail drops suddenly, the capacitor on/RESET starts to discharge to the power rail. Enough, and it activates the/RESET line on the CPU. Even though the power drop wasn't enough to wipe out the CPU, it was able to trigger the power-on-RESET circuit. (The fix is to put a diode in the computer's power supply connection, so that the computer's power supply capacitors never try to bring the +12 rail back into spec.)
Another fun thing that can happen, though probably not in automotive circuits, is GND and Vcc inversion.
This used to happen a lot on Amigas with defective monitors; you'd get a high-voltage discharge in the monitor to the GND line, which would momentarily bring GND over Vcc, triggering a/RESET. The fix there is to separate shield ground from signal ground; or you could just go bankrupt.
Given the number of modern cars which, apparently, tell you not to jump-start, there is an awful lot lacking in modern automotive design. It's not hard to cope with a jump-start, you just have to not cut all those corners.
(My 1998 Subaru has no such warning; I've only heard about that warning from GM owners--I've never seen it myself.)
As others have pointed out, Windows has had hardlinks since NT 5.0 (sold to the masses as Windows 2000...).
I did notice that the Explorer (not the Internet Explorer, the Finder-equivelent) didn't know how to cope, though; it would only update one window's list to show the changes to the file.
That was a few service packs ago, and I've not tried it on NT 5.1 (errr, XP).
Worked on Macintosh, for starters. I don't know if there ever was a Real Jukebox for Mac. If there was, I wouldn't have installed it.
But it was the album management that was truly wonderful. I still would rather have SoundJam's selection interface than iTunes; though I'm starting to get used to the 3-pane browser iTunes likes. I never built playlists; I didn't need to.
When you sorted your library by Genre, you got a list of genres with disclosure arrows. Hit one, and you got all artists in that genre, with disclosure arrows for artists. Hit one of those, and see all the albums, each with another disclosure arrow. Hit one of those, and you see all the tracks on that album.
Similarly, sort by Artist, and you get the Artist/Album/Track list; sort by Album and you get Album/Track. All in a format very similar to System 7 Finder's list view. (I think they must have used the same Toolbox routines.)
SoundJam also ran really well on low-ish machines. It was actually useful on my 100 MHz 603E-based Performa.
Though I believe Apple contacted the N2MP3 developers to write iTunes first.
You paid a levy in exchange for the LEGAL RIGHT to make personal copies of music, even if you don't own the source material.
That's not what the Copyright Act says. It says that you can copy audio recordings for personal use. (And the way legal judgements tend to go in Canada, I would expect the courts to consider modern DVDs "similar enough" to audio recordings to be considered equivelent under the private copying provisions of the Copyright Act.)
It does NOT say you have to pay a levy to obtain this right.
The statute has it written the other way up. Because this right has been granted, we will assess levies to remunerate eligible performers and makers.
I know a number of homosexuals whose computer of choice is made by Apple because of the rainbow bitten apple.
But, for most of us, we pick based on function, price and compatibility-with-what-we-already-have. And sometimes looks.
Most of the gay people I know have Windows XP; a few are still running 98; a few are on Linux; a few have Macs. I know more gay people than have Macs than industry-average--but that's because I have a Mac, so I'm more likely to know people with similar interests.
I have a Mac mainly because I hated Windows 95 and I got tired of my then-8-year-old Amiga 2000... which had a rainbow checkmark logo, so I guess I'm not disproving anything here. (OK, if I could have gotten a PowerPC-based RS/6000 for a reasonable price, I'd probably have one of those instead. And have even less commercial software than on the Amiga.)
My first Mac was an early PowerPC Performa, but I got an iMac anyway later. Those Performas SUCKED, and not in a good way.
(Anyone want to buy a Performa 6300CD? It can't run OS X, it can't run Linux and it can't run BSD.)
Like I said, removing SUID/SGID scripts is probably a good thing, but I definitely want developers to be as cautious as possible in how they remove features. Perhaps rather than completely removing certain features, they should be disabled by default.
Disallowing SUID/SGID scripts is industry standard in UNIX-land. Not that "everyone else does it" is a good justification on its own. But, in this case "everyone else had a reason".
You can easily run a script as any ID you desire via sudo, provided with the system. As Apple states, none of their software uses SUID/SGID scripts. And I very much doubt any 3rd-party software does also. It is just such a universally unavailable feature, no UNIX programmer would think to even try it these days.
Well, you can at least mitigate some of the problems by starting your script with "-pe". The "p" flag disables use of the user's ENV setting and ~/.*rc files. And "-e" has it bail on error.
Most shells should give you -p behaviour on SUID or SGID anyway (no matter what account they S?ID to).
I always set both in my scripts; what's the use of seeing someone's alias table? And if they're one of those weird people who doesn't know the difference between.profile and.(ba|k|z|)shrc, well, I don't want their messed-up environment settings to hit my script--they're just going to complain my script is broken. That's at work, at home, it's more of a performance and safety thing--don't read files you don't need.
And stopping on error is always good. If you are testing for errors, then commands are allowed to fail without aborting the script. But unhandled errors kill it--so someone trying to blast junk into the script might cause it to die earlier.
Still, there are so many ways for environment settings to poison a script or the shell command line, S?ID is too dangerous. Using a few well-chosen "sudo" commands inside the script is the way to go. And, for batch jobs, you can set up those commands and the specific argument pattern to run without password prompt in sudo.
No, the porn discs are not the ones I was talking about that didn't have CSS protection. (Some of my porn discs do have CSS, most don't. I've even got a couple of DVD9 porn discs. And let me tell you, there are times when you do not need full 5.1 surround.)
I was talking about Regular Hollywood Movies. I wished I'd been paying more attention, it would be interesting to make a list.
...except that the links he gives are just to pages of reports, and I'm not sure which ones are worth reading.
But, by writing off all of Internet Explorer's problems to the "installed base" scale factor is extremely dangerous to his readers.
The problem being, since MSIE is embedded into the OS, a flaw in MSIE can be exploited from any program which uses an HTML viewer, not only the "iexplore.exe" application itself. Firefox, even when it's your default browser, still pops up in full "visiting the Web" paranoia.
Another problem, of course, relates to MSIE's very strange handling of text/plain and application/octet-stream data types. (It will actually reject the Content-type: header from the server and make up a new one based on filename suffix and/or file content... imagine sending a text/plain file from a CGI URL that has ".doc" in it and it turning into a Word file. Note that the ".doc" is in the URL, not in the downloaded file name....) I've got a CGI I just can't make with MSIE properly because it rejects my server's claim that file "foo.log" with "inline" presentation is type "text/plain" and it can display it--it insists on saving to disk... only to find out that Notepad is the right application. To work around it, I'd have to change the extra path information fed to the CGI... and I can't do that--it means something, of course.
But that problem ("feature", if you read the MS knowledgebase) is one way how people are tricked into downloading seemingly "safe" content that turns dangerous.
Plus, he makes no assessment of the security problems. He doesn't mention ANY, from ANY browser, not even as illustration--he just leaves it to the reader to plow through pages of cryptic reports from Synamtec and CERT.
And he's got no analysis of the "trouble reports" he provides for Firefox. Missing images? 99 times out of 100, that's because the Web page has backslashes in the IMG URLs--which are not part of the hierarchical URI syntax. (They work only in MSIE on Windows. MSIE for Macintosh will not process them the same way.)
Plus... how do we really know what security problems are fixed in MSIE? On my XP box at home, and the W2K boxes I have to use at work, the Windows Updates just say things like, "A security problem could allow an attacker access to your computer." How am I to know what that security problem is, what part of the system it affects? I don't even know if it is function I use, or even have enabled--the update information is just too terse--at that's after clicking, "Show Details".
(My main systems are Linux and Mac, so there may be a way to get more information from Windows Update, but it isn't as obvious... unlike Mac OS X Software Update, where it lists the major components right there, and links that take you to the Apple web site for more information.)
The "You may not skip this" codes (PUOs--Prohibited User Operations) are entirely separate from the CSS encryption.
I have discovered, while backing up my purchased DVDs a surprising number of them are, in fact, not CSS protected. (It isn't that a large number, but it is a non-zero number; say a dozen or so out of a hundred.)
And yet, even without CSS, they still have the PUOs.
Similarly, region coding is just a bit-mask in the control block for the VOB. RPC-2 drives use that to enable the CSS decryption for a disc, but it isn't really tied into the CSS. You can make a region-protected, CSS-free disc. (And I did once, by accident, because I forgot to clear the bitmask... this was before DVDDecrypter made it all easy.)
Of course, the back-up software I use strips both CSS (because consumer-grade burners can't create CSS discs) and PUOs (because I asked it to).
In fact, the main reason I back up DVDs is not for media protection, though I have had a couple of originals fail... it's to strip out the *$^& PUOs so I can get to movie and change the subtitle settings when I want.
Well, sure, we all know it's really Gnome and X11 at fault, and I'm sure he does too.
But, you put the Ubuntu disc in your drive, and that's what you get. If Ubuntu doesn't want to be held accountable for Gnome's actions, then they shouldn't put their name in front of Gnome.
Wandering off the actual topic... LASER HARP brought this back to memory.
There was a program for the Amiga back in the "Workbench 1.2 is pretty cool" days that could be hooked into one of the then-new (and incredibly expensive) real-time video digitizers. (Not something like DigiView.)
I think the digitizer was a precursor to the NewTek Video Toaster; it was an Amiga 1000 expansion block; there was nothing for the new 500 or 2000 machines to match it for a while.
Anyway; the program... I seem to recall it being named something like "Mandala". It would allow you to set up on-screen instruments, which you could then "play" by waving stuff (like your hands, feet, head, whatever) in front of the video camrea. It did some rudimentary edge-detection, and was really quite cool for a home computer in 1988 or so.
We had it set up at one show with the camrea aimed partly across a lesser-used aisle by our booth. So when someone walked by, the harp (or drums, or whatever we had set) would play... and they'd stop and look, and it would stop... they'd move, it would start again. (The notes depending on where they stopped, of course. Different parts of the screen were "hot" for different instruments.)
To give the explanation of DNS poisoning in a slightly different way (based on what I know of BIND, DNS and from the SANS pages from earlier)....
I'll assume everyone's up on how a cache works. DNS poisoning is possible on DNS caches which aren't suitably paranoid about how data gets into the cache.
Basically, a server that is trying to poison a cache sends additional records with its answer, and those records are unrelated to the question.
So, you ask "What is the address of bogusserver.badguy.com?". In the answer you get back, it says something like this:
bogusserver.badguy.com. IN A 192.168.12.12 com. IN NS 192.168.12.12
(For those that don't know, a DNS name ending with '.' is considered an absolute name; the "root" of the DNS is noted with a single '.'.)
That answer above gives the host address of bogusserver.badguy.com (the "A" record) and a nameserver address for all of "com" (the "NS" record). (These examples are IPv4 only, that's effectively what the "IN" means.)
So, a poison-resistant DNS will reject all the parts of the answer that do not match the question. "What, com.? I asked about bogusserver.badguy.com.! Forget this bit about com.!"
One that is susceptible to poisoning will accept the updated record for "com." also, and enter it into the cache. Since it didn't need to know about the nameserver for com., the only part that matters is that it is caching the wrong nameserver address. Now, anyone who asks that DNS cache for the name server address for ALL of "com." gets the address injected by the nameserver for bogusserver.badguy.com. At that point, that nameserver can tell your client whatever it wants. All future lookups for "com.", until the cache expires (usually 2-7 days), will use the malicious server.
Some servers make this worse by invalidating all entries for a domain when the nameserver entry is updated for that domain--forcing a query of the malicious server for sites that are used often (and hence are in the cache).
This attack DOES require that someone requests a name that will trigger a query of a malicious nameserver. This is pretty easy, though; send mail that will bounce with an envelope-from address in the malicious domain.
I went through the same concerns. However, I was dealing with a slow and defective ISP's DNS, so it ultimately came down the fact that I simply could not "forward-first" to my ISP. (Now that I think about it, maybe this is why I never had any trouble with that ISP--quite unlike many of my friends. I simply routed around their incompetence.)
Keep in mind, your cache will keep things around for the TTL of the entry, which (just checked) is at least 900 seconds. The SOA record for "com." is set to expire after a week, and the TTL of the NS records is 2 days.
So, for anything in "com.", your server will cache it for at least 15 minutes; the records which establish what the REAL "com." nameserver is are good for 2 days; and it won't have to check back on who's authoritative for "com." for a week.
Frankly, misspelled GTLDs would probably generate more traffic from a small LAN.
And if you got fed up with your ISP's DNS taking so long that all your clients kept timing out, you could just set up your own caching BIND or djbdns server pointing at a known-good set of root-servers.net.
Since you're too lazy to switch back, you're protected to this day... barring any BIND bugs anyway.
Well if you see yourself as a part of a larger community, it can be construed as a rights issue.
I cannot speak to the American constitution, but the Canadian constitution provides for the right of both exit and entry. So they cannot put barriers to entry in the way of Canadian citizens; in particular, requiring a difficult to obtain non-free document would not be constitutional.
(Those of us who do our own taxes, don't have a regular GP, and are athiests, and work in software generally do not know people allowed to sign your passport application.)
You can do it free WITH wi-fi too, just set up an ad-hoc network, instead of one run through a access point (base station in Applespeak). You wind up with a LAN on wi-fi; no need for the 'net.
I'm pretty sure it will still suck for gaming, though; though maybe 802.11g won't.
(And if you're doing that sort of thing, don't turn on encryption--especially if you've got a card that has all the encryption done in software.)
Slashdot Mirror
The one advantage Linux, BSD and the free downloadable Solaris have is that you can train yourself on them.
That is, you get a complete system with all the management (such as they are) tools ready to go. In Linux's case, you'd have to find one of those RHEL-recompiled distros like Whitebox, but still, all the bits are there.
Compare that to what you'd have to get if you aren't already a Windows professional with an MSDN subscription. I know enough about the internals of Windows to play around with "CACLS" to try and tighten down filesystem permissions on XP Home Edition--but without spending another $200, I can't get the ACL GUI editor (or the user privilege editor). (Of all things to leave out of Home Edition... why not just put them under an "Advanced Settings" tab or something?)
Even with XP Pro, there are still OTHER packages you need to really know how to administer the Web server, the e-mail server, and so on. (To be fair, I haven't played with XP Pro much--I don't know anyone with a copy that is willing to let me mess around that much with their computer. We're still on 2K at work.)
Even Apple's got this wrong, with the extra features in OS X Server. I have no idea how to run a full-fledged OS X Server system, and I've been using OS X since the Public Beta.
I'm somewhat reminded of IBM's chant when they were moving AIX onto the inexpensive PowerPC machines: "AIX is AIX is AIX is..." No matter what box you buy, you'll have all the same OS features--the more expensive versions just give you more simultaneous users, not different management interfaces.
What he says is, it is wrong to be given an unmodifiable program for any amount of money--including zero.
Having been stuck with poorly-supported or outright abandoned commercial packages (WordPerfect on Amiga, any MacOS driver by Microtech, the Microtek X6USB scanner software, ClearQuest and ClearCase, and so on), cases where the vendor won't fix program defects or support updated (as in minor patches) operating systems (not even for an additional charge)... I really can identify with where RMS is coming from.
RMS's arguments are not about paying coders or buying software. They are about the freedom of the end-user to fix, port or enhance the software.
I might very well have bought a copy of Mac OS 8 slightly ahead of the official release date.
Only a day early, and they said don't tell anyone.
Ooops.
Heck, I'm running bog-standard FireWire enclosures from the local PC discount shops on my Macs, so I probably wouldn't buy one either. I have started getting USB+FireWire cages, so they will work with anything... even if it has to be at USB 1.1 speeds.
This does remind me of the old SCSI drives that were in enclosures perfectly sized to fit underneath the original All-In-One Macs.
Now, for even more fun, don't worry so much about the ports, and have a chain of USB-only Mini Mates, and a second chain of FireWire-only Mini Mates.
Each FireWire-only Mini Mate can have two further Mini Mates plugged into it, up to the FireWire hub limit.
And each USB-only Mini Mate can have three further Mini Mates plugged into it, up to the USB 2.0 hub limit.
Say you go 3 levels deep on each; so you'll have 27 open USB 2.0 ports (not counting the second one on the Mini itself), 8 open FireWire ports, and a total of 20 Mini Mates... giving you 1.6 TB to 8.0 TB of additional storage. (This was a bit more than I can count on my fingers, so I could be off a bit....)
If you really want a bunch of FireWire or USB ports, you might want to think about just getting one or two Mini Mates and a couple of hubs...
Many computers need to have /RESET held low for a few would-be clock cycles after power-up, to allow the power rails to stabilize and the master oscillator to start. Usually this is done by a capacitor which slowly (comparatively) charges up to supply volatage; when it crosses a certain voltage, it releases /RESET (they're usually active-low), and the CPU can start.
All well and good...
If you've got a situation where the power rail drops suddenly, the capacitor on /RESET starts to discharge to the power rail. Enough, and it activates the /RESET line on the CPU. Even though the power drop wasn't enough to wipe out the CPU, it was able to trigger the power-on-RESET circuit. (The fix is to put a diode in the computer's power supply connection, so that the computer's power supply capacitors never try to bring the +12 rail back into spec.)
Another fun thing that can happen, though probably not in automotive circuits, is GND and Vcc inversion.
This used to happen a lot on Amigas with defective monitors; you'd get a high-voltage discharge in the monitor to the GND line, which would momentarily bring GND over Vcc, triggering a /RESET. The fix there is to separate shield ground from signal ground; or you could just go bankrupt.
Given the number of modern cars which, apparently, tell you not to jump-start, there is an awful lot lacking in modern automotive design. It's not hard to cope with a jump-start, you just have to not cut all those corners.
(My 1998 Subaru has no such warning; I've only heard about that warning from GM owners--I've never seen it myself.)
I did notice that the Explorer (not the Internet Explorer, the Finder-equivelent) didn't know how to cope, though; it would only update one window's list to show the changes to the file.
That was a few service packs ago, and I've not tried it on NT 5.1 (errr, XP).
Worked on Macintosh, for starters. I don't know if there ever was a Real Jukebox for Mac. If there was, I wouldn't have installed it.
But it was the album management that was truly wonderful. I still would rather have SoundJam's selection interface than iTunes; though I'm starting to get used to the 3-pane browser iTunes likes. I never built playlists; I didn't need to.
When you sorted your library by Genre, you got a list of genres with disclosure arrows. Hit one, and you got all artists in that genre, with disclosure arrows for artists. Hit one of those, and see all the albums, each with another disclosure arrow. Hit one of those, and you see all the tracks on that album.
Similarly, sort by Artist, and you get the Artist/Album/Track list; sort by Album and you get Album/Track. All in a format very similar to System 7 Finder's list view. (I think they must have used the same Toolbox routines.)
SoundJam also ran really well on low-ish machines. It was actually useful on my 100 MHz 603E-based Performa.
Though I believe Apple contacted the N2MP3 developers to write iTunes first.
That's not what the Copyright Act says. It says that you can copy audio recordings for personal use. (And the way legal judgements tend to go in Canada, I would expect the courts to consider modern DVDs "similar enough" to audio recordings to be considered equivelent under the private copying provisions of the Copyright Act.)
It does NOT say you have to pay a levy to obtain this right.
The statute has it written the other way up. Because this right has been granted, we will assess levies to remunerate eligible performers and makers.
(I'm tired of linking to www.justice.gc.ca.)
But, for most of us, we pick based on function, price and compatibility-with-what-we-already-have. And sometimes looks.
Most of the gay people I know have Windows XP; a few are still running 98; a few are on Linux; a few have Macs. I know more gay people than have Macs than industry-average--but that's because I have a Mac, so I'm more likely to know people with similar interests.
I have a Mac mainly because I hated Windows 95 and I got tired of my then-8-year-old Amiga 2000... which had a rainbow checkmark logo, so I guess I'm not disproving anything here. (OK, if I could have gotten a PowerPC-based RS/6000 for a reasonable price, I'd probably have one of those instead. And have even less commercial software than on the Amiga.)
My first Mac was an early PowerPC Performa, but I got an iMac anyway later. Those Performas SUCKED, and not in a good way.
(Anyone want to buy a Performa 6300CD? It can't run OS X, it can't run Linux and it can't run BSD.)
I can't even get Nikon's stupid webpage to work well enough to tell me anything about "Capture", just it's product ID.
Canon is looking better and better.
Disallowing SUID/SGID scripts is industry standard in UNIX-land. Not that "everyone else does it" is a good justification on its own. But, in this case "everyone else had a reason".
You can easily run a script as any ID you desire via sudo, provided with the system. As Apple states, none of their software uses SUID/SGID scripts. And I very much doubt any 3rd-party software does also. It is just such a universally unavailable feature, no UNIX programmer would think to even try it these days.
Well, you can at least mitigate some of the problems by starting your script with "-pe". The "p" flag disables use of the user's ENV setting and ~/.*rc files. And "-e" has it bail on error.
Most shells should give you -p behaviour on SUID or SGID anyway (no matter what account they S?ID to).
I always set both in my scripts; what's the use of seeing someone's alias table? And if they're one of those weird people who doesn't know the difference between .profile and .(ba|k|z|)shrc, well, I don't want their messed-up environment settings to hit my script--they're just going to complain my script is broken. That's at work, at home, it's more of a performance and safety thing--don't read files you don't need.
And stopping on error is always good. If you are testing for errors, then commands are allowed to fail without aborting the script. But unhandled errors kill it--so someone trying to blast junk into the script might cause it to die earlier.
Still, there are so many ways for environment settings to poison a script or the shell command line, S?ID is too dangerous. Using a few well-chosen "sudo" commands inside the script is the way to go. And, for batch jobs, you can set up those commands and the specific argument pattern to run without password prompt in sudo.
I was talking about Regular Hollywood Movies. I wished I'd been paying more attention, it would be interesting to make a list.
But, by writing off all of Internet Explorer's problems to the "installed base" scale factor is extremely dangerous to his readers.
The problem being, since MSIE is embedded into the OS, a flaw in MSIE can be exploited from any program which uses an HTML viewer, not only the "iexplore.exe" application itself. Firefox, even when it's your default browser, still pops up in full "visiting the Web" paranoia.
Another problem, of course, relates to MSIE's very strange handling of text/plain and application/octet-stream data types. (It will actually reject the Content-type: header from the server and make up a new one based on filename suffix and/or file content... imagine sending a text/plain file from a CGI URL that has ".doc" in it and it turning into a Word file. Note that the ".doc" is in the URL, not in the downloaded file name....) I've got a CGI I just can't make with MSIE properly because it rejects my server's claim that file "foo.log" with "inline" presentation is type "text/plain" and it can display it--it insists on saving to disk... only to find out that Notepad is the right application. To work around it, I'd have to change the extra path information fed to the CGI... and I can't do that--it means something, of course.
But that problem ("feature", if you read the MS knowledgebase) is one way how people are tricked into downloading seemingly "safe" content that turns dangerous.
Plus, he makes no assessment of the security problems. He doesn't mention ANY, from ANY browser, not even as illustration--he just leaves it to the reader to plow through pages of cryptic reports from Synamtec and CERT.
And he's got no analysis of the "trouble reports" he provides for Firefox. Missing images? 99 times out of 100, that's because the Web page has backslashes in the IMG URLs--which are not part of the hierarchical URI syntax. (They work only in MSIE on Windows. MSIE for Macintosh will not process them the same way.)
Plus... how do we really know what security problems are fixed in MSIE? On my XP box at home, and the W2K boxes I have to use at work, the Windows Updates just say things like, "A security problem could allow an attacker access to your computer." How am I to know what that security problem is, what part of the system it affects? I don't even know if it is function I use, or even have enabled--the update information is just too terse--at that's after clicking, "Show Details".
(My main systems are Linux and Mac, so there may be a way to get more information from Windows Update, but it isn't as obvious... unlike Mac OS X Software Update, where it lists the major components right there, and links that take you to the Apple web site for more information.)
I have discovered, while backing up my purchased DVDs a surprising number of them are, in fact, not CSS protected. (It isn't that a large number, but it is a non-zero number; say a dozen or so out of a hundred.)
And yet, even without CSS, they still have the PUOs.
Similarly, region coding is just a bit-mask in the control block for the VOB. RPC-2 drives use that to enable the CSS decryption for a disc, but it isn't really tied into the CSS. You can make a region-protected, CSS-free disc. (And I did once, by accident, because I forgot to clear the bitmask... this was before DVDDecrypter made it all easy.)
Of course, the back-up software I use strips both CSS (because consumer-grade burners can't create CSS discs) and PUOs (because I asked it to).
In fact, the main reason I back up DVDs is not for media protection, though I have had a couple of originals fail... it's to strip out the *$^& PUOs so I can get to movie and change the subtitle settings when I want.
It wasn't thinly veiled: "My new venture has just opened its doors."
Doesn't get much more blatant than that.
Well, sure, we all know it's really Gnome and X11 at fault, and I'm sure he does too.
But, you put the Ubuntu disc in your drive, and that's what you get. If Ubuntu doesn't want to be held accountable for Gnome's actions, then they shouldn't put their name in front of Gnome.
You're judged, in part, by the company you keep.
There was a program for the Amiga back in the "Workbench 1.2 is pretty cool" days that could be hooked into one of the then-new (and incredibly expensive) real-time video digitizers. (Not something like DigiView.)
I think the digitizer was a precursor to the NewTek Video Toaster; it was an Amiga 1000 expansion block; there was nothing for the new 500 or 2000 machines to match it for a while.
Anyway; the program... I seem to recall it being named something like "Mandala". It would allow you to set up on-screen instruments, which you could then "play" by waving stuff (like your hands, feet, head, whatever) in front of the video camrea. It did some rudimentary edge-detection, and was really quite cool for a home computer in 1988 or so.
We had it set up at one show with the camrea aimed partly across a lesser-used aisle by our booth. So when someone walked by, the harp (or drums, or whatever we had set) would play... and they'd stop and look, and it would stop... they'd move, it would start again. (The notes depending on where they stopped, of course. Different parts of the screen were "hot" for different instruments.)
Haven't seen it since.
But the math errors in the savings column do take away from the GP's point.
To give the explanation of DNS poisoning in a slightly different way (based on what I know of BIND, DNS and from the SANS pages from earlier)....
I'll assume everyone's up on how a cache works. DNS poisoning is possible on DNS caches which aren't suitably paranoid about how data gets into the cache.
Basically, a server that is trying to poison a cache sends additional records with its answer, and those records are unrelated to the question.
So, you ask "What is the address of bogusserver.badguy.com?". In the answer you get back, it says something like this:
(For those that don't know, a DNS name ending with '.' is considered an absolute name; the "root" of the DNS is noted with a single '.'.)
That answer above gives the host address of bogusserver.badguy.com (the "A" record) and a nameserver address for all of "com" (the "NS" record). (These examples are IPv4 only, that's effectively what the "IN" means.)
So, a poison-resistant DNS will reject all the parts of the answer that do not match the question. "What, com.? I asked about bogusserver.badguy.com.! Forget this bit about com.!"
One that is susceptible to poisoning will accept the updated record for "com." also, and enter it into the cache. Since it didn't need to know about the nameserver for com., the only part that matters is that it is caching the wrong nameserver address. Now, anyone who asks that DNS cache for the name server address for ALL of "com." gets the address injected by the nameserver for bogusserver.badguy.com. At that point, that nameserver can tell your client whatever it wants. All future lookups for "com.", until the cache expires (usually 2-7 days), will use the malicious server.
Some servers make this worse by invalidating all entries for a domain when the nameserver entry is updated for that domain--forcing a query of the malicious server for sites that are used often (and hence are in the cache).
This attack DOES require that someone requests a name that will trigger a query of a malicious nameserver. This is pretty easy, though; send mail that will bounce with an envelope-from address in the malicious domain.
Keep in mind, your cache will keep things around for the TTL of the entry, which (just checked) is at least 900 seconds. The SOA record for "com." is set to expire after a week, and the TTL of the NS records is 2 days.
So, for anything in "com.", your server will cache it for at least 15 minutes; the records which establish what the REAL "com." nameserver is are good for 2 days; and it won't have to check back on who's authoritative for "com." for a week.
Frankly, misspelled GTLDs would probably generate more traffic from a small LAN.
And if you got fed up with your ISP's DNS taking so long that all your clients kept timing out, you could just set up your own caching BIND or djbdns server pointing at a known-good set of root-servers.net.
Since you're too lazy to switch back, you're protected to this day... barring any BIND bugs anyway.
I cannot speak to the American constitution, but the Canadian constitution provides for the right of both exit and entry. So they cannot put barriers to entry in the way of Canadian citizens; in particular, requiring a difficult to obtain non-free document would not be constitutional.
(Those of us who do our own taxes, don't have a regular GP, and are athiests, and work in software generally do not know people allowed to sign your passport application.)
I'm pretty sure it will still suck for gaming, though; though maybe 802.11g won't.
(And if you're doing that sort of thing, don't turn on encryption--especially if you've got a card that has all the encryption done in software.)