> How would you address the issue of software distribution to home users, who may have neither the time or patience to wait for the compilation process? I'll assume for now that the compiling would be added as part of the installation process.
> "Pro" or "power" users that pay for big apps may appreciate the flexibility, but home users, as we all know, want it to "just work."
Home users are "end users". No matter how the software is distributed, end users don't have to compile everything. It's the distributors' job to release pre-compiled binaries for all targeted architectures, and Open Source makes porting to a new architecture possible and easier for the distributors.
You are worrying about all home users going the Gentoo way, which is not happening.
Yunnan is not an autonomous region. There does have quite a few autonomous prefectures/towns there, though.
The problem is that this blogger appeared to be a law n00b. Should the head investigator be an independent lawyer (arrrgh) it would be much more convincing.
AFAIK the investigators haven't got anything useful so far, according to local news.
In case you are interested, here's some background info based on my readings..
The victim who died in police custody, Li, is a criminal suspect waiting for his trial in custody (according to Chinese court procedure). His death, according to the police, was the result of a physical conflict between him and another suspect. It was believed that the two suspects quarrelled over a dispute after playing some kind of game to kill time (games are usually forbidden, but they did it when the policemen were not watching). The quarrel escalated to physical conflict and Li, who was substantially weaker than his adversary, succumbed to his blow.
Li's death raised serious concern among "the blogosphere". It was suspected that Li might be a victim of torture by the police. Rumor has it that torture is a common practice of the Chinese police, and this is an often-discussed topic here.
The investigation which took place on Friday proved to be very difficult. According to Chinese law, most information from the custodians is classified (e.g. security video records). The investigation team also tried to interview Li's attacker, but they were refused because the only one allowed to exchange information with the pre-trial suspect is his attorney. The blogger (whose moniker is "end tip of the wind") was far from being a professional investigator. He apparently lacked a grasp of criminal law and court procedures, and wasted much time on the stuff he had no hope of obtaining from the beginning. (I guess he needed an "IANAL" tag from /.)
The problem with this affair is the timing. Everything happened in the short time window of pre-trial custody, the least transparent period of criminal prosecution. This gave rise to reasonable questions as well as wild guesses.
They should have sent a pro. This blogger was supposed to be part of a gesture of "transparency" but he's a noob. IMHO he only made the situation worse. Conspiracy? Maybe or maybe not.
Disclaimer: I'm a Chinese (teh horror!) and IANAL (of course).
I kinda agree with you, but I think LOLCODE is different (from lolcat). It's a cool hacker toy.
err, actually if you put a fork() in linux you get a pid, not a point, duh :-p
fork() can return not only pids but also useful error information via (pid_t)(-1) while setting errno. This piece of information certainly makes a point ;)
> Is Flash Really On 99% of Net Devices?
I don't think I'm going to install Flash on my ethernet repeater and neither are you.
Why do you trust the closed RAR format for that? Checkout PGP encryption.
That was many years ago when we used a dial-up connection over the phone line. One day we just couldn't get connected and I asked around the neighbors, who couldn't either. Later, in the local TV news, it was revealed that the ISP's server room had exploded...
One of the claims from the presentation (linked in TFA: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf, PDF file) is "people don't type https://" -- they reach SSL-enabled URLs either by submitting a form (from a non-SSL page!) or as the result of an HTTP redirect. And "that has made all the differences" according to the hacker.
Maybe we need a special TLD for HTTPS-only traffic. Let's say ".s". For a given URL, if the hostname is in the ".s" domain but the protocol part is not "https:" (or another secure protocol) then the URL is invalid by standard. A browser should be mandated to use HTTPS for such a host if the URL is given incomplete (e.g. the user typing "example.s" rather than "https://example.s/" in the Awesome Bar). It should also refuse to use a non-secure protocol for a ".s" site, even if one is available, during any phase of communication.
I don't think this idea is good enough but it's the first thing coming to my mind..
Also I'd like to know more about another exploit mentioned in the presentation.. the failure to check the "Basic Constraints" field of an SSL cert. Is Firefox vulnerable?
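To make the proposed ".s" rule concrete, here is an added example (my code, not the commenter's) of the URL handling a browser would need: a host under the hypothetical HTTPS-only TLD is only ever fetched over https, a bare hostname typed into the address bar is completed to https://host/, and any other scheme for such a host is rejected instead of being "upgraded" later by a redirect. The TLD name ".s" and the sample hosts are assumptions taken from the comment.

```shell
#!/bin/sh
# Added example: normalize a URL under a hypothetical HTTPS-only TLD.
# Hosts under the TLD may only be reached over https; a bare hostname is
# completed to https://host/; any other scheme for such a host is refused.
HTTPS_ONLY_TLD=".s"   # assumption: the TLD proposed in the comment above

url_scheme() {
    # Print the scheme of a URL, or an empty line if none was given.
    # A "://" that appears after a "/" or "?" belongs to the path or query.
    case "$1" in
        *://*)
            s=${1%%://*}
            case "$s" in
                *[/?#]*) printf '\n' ;;
                *)       printf '%s\n' "$s" ;;
            esac ;;
        *) printf '\n' ;;
    esac
}

url_host() {
    # Print the host part: drop the scheme, then path, query and port.
    rest=$1
    if [ -n "$(url_scheme "$rest")" ]; then rest=${rest#*://}; fi
    rest=${rest%%/*}
    rest=${rest%%\?*}
    rest=${rest%%:*}
    printf '%s\n' "$rest"
}

normalize_url() {
    # Print the URL the browser should actually fetch and return 0, or
    # print a refusal to stderr and return 1 if the URL violates the rule.
    url=$1
    scheme=$(url_scheme "$url")
    host=$(url_host "$url")
    case "$host" in
        *"$HTTPS_ONLY_TLD")
            case "$scheme" in
                "")
                    # Incomplete URL typed by the user: complete it to https
                    # and make sure there is at least a "/" path.
                    case "$url" in */*) ;; *) url="$url/" ;; esac
                    printf 'https://%s\n' "$url" ;;
                https)
                    printf '%s\n' "$url" ;;
                *)
                    echo "refusing $url: $host is HTTPS-only but scheme is $scheme" >&2
                    return 1 ;;
            esac ;;
        *)
            # Host outside the HTTPS-only TLD: a bare hostname gets the
            # usual http:// default and an explicit scheme is left alone.
            case "$scheme" in
                "") printf 'http://%s/\n' "$host" ;;
                *)  printf '%s\n' "$url" ;;
            esac ;;
    esac
}
```

Usage: `normalize_url example.s` prints `https://example.s/`, while `normalize_url http://bank.example.s/` prints a refusal and returns 1, so a form action or redirect pointing at an http:// URL of a ".s" host is dropped before any cleartext request is made. Hosts outside the TLD keep today's behaviour, which is exactly the limit of the proposal: it only protects sites that opt in by their name.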
I usually do this in Thunar: navigate to the dir -> right-click, select "open shell here" --> type oowriter XXX where XXX is the file's basename.
Not an optimal solution but at least I get a chance of checking it myself before the "interpreter" (oowriter) does. If the file is suspicious (there are many ways to tell, e.g. the "file" command to check the magic number, checking length or permissions, a virus scanner, etc), it's likely to be stopped on the way.
You may argue this approach is even more "brain-dead", and there are good reasons to say so. However, consider this: a file manager is essentially a graphic shell that can fork-exec all kinds of executables, in an obscure way. With an old-skool shell you at least know what you are doing, but with a file manager too much dirt is hidden under the carpet. Which is better? I can't say.
BTW you can be a little creative in this usage pattern. Sometimes I navigate to a music directory, right-click and open shell, then do something like ls -1 *.mp3 | sort -R | xargs -d "\n" mplayer -- command line random-order music player :P
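The "check it yourself before the interpreter does" step can be scripted so it is not skipped out of laziness. The following is an added example (mine, not the commenter's) of such a pre-flight check: it compares the file's magic bytes against what the extension claims, refuses anything that is really an ELF binary or a "#!" script, and refuses files with the execute bit set. It deliberately uses only dd, od and test rather than file(1), so it works on a minimal box; the file types it knows and the sample files in `demo` are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-flight check before handing a file to an "interpreter"
# such as oowriter. Returns 0 when the content matches what the name claims,
# 1 otherwise, and prints the reason to stderr.

magic_hex() {
    # First four bytes of the file as lowercase hex without separators.
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

claimed_type() {
    # What the file name says it is (assumed mapping for this example).
    case "$1" in
        *.odt|*.ods|*.odp|*.docx|*.xlsx|*.zip) echo zip ;;
        *.pdf) echo pdf ;;
        *.txt) echo text ;;
        *)     echo unknown ;;
    esac
}

actual_type() {
    # What the first bytes say it is.
    case "$(magic_hex "$1")" in
        504b0304) echo zip ;;      # "PK\003\004": ODF and OOXML are zip containers
        25504446) echo pdf ;;      # "%PDF"
        7f454c46) echo elf ;;      # ELF executable
        2321*)    echo script ;;   # "#!" interpreter line
        *)        echo text ;;
    esac
}

preflight() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    if [ -x "$f" ]; then
        echo "refusing: $f has the execute bit set" >&2
        return 1
    fi
    claimed=$(claimed_type "$f")
    actual=$(actual_type "$f")
    case "$actual" in
        elf|script)
            echo "refusing: $f is an executable ($actual) despite its name" >&2
            return 1 ;;
    esac
    if [ "$claimed" != unknown ] && [ "$claimed" != "$actual" ]; then
        echo "refusing: $f claims $claimed but contains $actual" >&2
        return 1
    fi
    echo "ok: $f looks like $actual"
}

demo() {
    # Constructed samples: a genuine ODF container header and an ELF header
    # renamed to look like a document.
    d=$(mktemp -d)
    printf 'PK\003\004rest-of-container' > "$d/report.odt"
    printf '\177ELFrest-of-binary'       > "$d/invoice.odt"
    preflight "$d/report.odt"            # ok: looks like zip
    preflight "$d/invoice.odt" || true   # refusing: claims zip but contains elf
    rm -rf "$d"
}

demo
```

A realistic wrapper would call `preflight "$f" && oowriter "$f"` from the "open shell here" prompt; the point of keeping the check in the shell is that the decision is visible, unlike a file manager's icon-to-handler mapping.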
As long as you can log in, you can always export your own PATH, whether you were tricked into doing so or not. You don't even need that --- nothing prevents an attacker from tricking the user into qualifying the evil script by its path (./runThisToWin10000).
I'm not saying my way is "better" and neither do I advertise it to everyone else. I know it sucks sometimes, from experience. I just think it's a bad thing that all the GUI file managers I've used (Nautilus, Konqueror & Thunar) are so similar to each other and they are all similar to the M$ stuff (doubleplusungood!)
Maybe I'm just too biased because of my limited experience in this area and the "elitist ego", if you call it that.
BTW I can foresee some using the "argument of DIY" on this: "If you want a file manager like that, go code one yourself." Yes, maybe and maybe not. Anyway I'd have to learn GUI programming from the ground up to do this.
I get your humor, but this may be the only way for Linux to claim the "year of Linux on the desktop".
I mean bug-to-bug, bullshit-to-bullshit compliance with MS Windows. People are fed crap as they grow up and they ask for more crap. At least this is what I think I got from GNOME.
I used to have a sig. saying "so this is how Linux dies -- with thunderous applause." I changed it after being protested by someone as AC (and partly in fear of being sued by LucasFilm ;) I've always feared that the year of Linux on the desktop would be the year of its death, because the line between "being popular" and "lowering standards to cater to the mass" is so easily blurred.
Luckily I've escaped to using minimal WMs and I'm not that dependent on the GUI.
Anyone can think I'm an elitist troll and mod me down accordingly. I'm open to mods and criticism because I know I may be wrong. OTOH I mean what I said. I like Linux and I'll be more than happy to see it prevailing. However, according to the current computer-literacy of your typical desktop user I can only say that the desktop market is not ready for Linux. Shovelling it down your average user's throat (and trying to prioritize "making it a less painful process") could result in the degradation of Linux.
The real paranoid (in the good sense) user will create a random, disposable, temporary user account for every session and work with it after chrooting into a sandbox -- all these are done in a virtual machine with a disposable disk image running on a LiveUSB host OS ;)
Joking aside, your suggestion is quite reasonable.
Everyone is trying to mimic the brain-dead M$ Way.
Just think of the idea. You click on the icon (who knows what the picture would suggest) and the file path is passed to an "interpreter" (be it oowriter, emacs or python or ld.so) you may not know. This is a terrible idea to begin with.
That's why I use file managers almost only for bulk copying / moving. And I still prefer the CLI if the file names are regular-ish enough.
CERN needs money badly. By crying out "The Yankees are catching up!" they hope the politicians would hear and pay them more fresh euro.
In this economy, do you really believe the scientists care that much about the God Particle? If your answer is yes, do you really think it's "yes"?
If they lose jobs and food, how can they go on chasing the Higgs particle?
Sorry for self-replying, but the formatting was fried (I forgot about the line breaks)
REPORT ON THE INGREDIENTS OF THE EARTH'S CIVILIZATION AS SEEN FROM THE "WIKIPEDIA" SENT BY HUMANS
* 20% ---- Elitist mod-trolls
* 30% ---- Politics (a.k.a. sheeple herding)
* 35% ---- Religion-like (i.e. spirituals, rituals, TV, Paris Hilton, Web 2.0, Slashdot, pr0n, etc)
* 15% ---- Obsolete knowledge known as "science" and/or "technology"
CONCLUSION
Humans make good material for Soylent Green.
We could give them, say, the entirety of Wikipedia
REPORT ON THE INGREDIENTS OF THE EARTH'S CIVILIZATION AS SEEN FROM THE "WIKIPEDIA" SENT BY HUMANS
* 20% ---- Elitist mod-trolls
* 30% ---- Politics (a.k.a. sheeple herding)
* 35% ---- Religion-like (i.e. spirituals, rituals, TV, Paris Hilton, Web 2.0, Slashdot, pr0n, etc)
* 15% ---- Obsolete knowledge known as "science" and/or "technology"
CONCLUSION
Humans make good material for Soylent Green.
"Protect the user" is one of the worst excuses used by DRM supporters.
*I* can protect myself. I don't run an OS just because I can be protected by some obscure blob! I should be the one who decides what can be done to protect my machine.
This has nothing to do with *what* is protecting the libraries. It is a question about *who* is "protecting" them. This is like a lock vendor selling you a door lock and refusing to give you the key. Every time you need to open the door you'll have to ask them to do it, because it's "oh we so care about the integrity of your security". It doesn't matter whether your house is a Linux one or a Windows one.
In short, you are pwned. Pwned I say.
It remains a question whether it is a Good Thing (tm).
For some users it may be. For me it's not. A good OS is one that is dumb, fully obedient and does not stand in my way. In other words, I decide that my house should have no doors and I will shoot anybody coming in myself, and you (the OS) are a fucking house and you have no right to enforce anything on me. If anything happens because of my fault, it is *I* who's going to take the responsibility.
oops, I thought the poster I replied to was looking for a compiler which is compiled (bootstrapped) using PGO technology.
I think using PGO with GCC would require working on the build scripts (as in the GCC example above), not the compiler itself, although a compiler (or an extension) designed specially for the convenience of PGO would be very desirable. In other words, I think PGO is not "internal" to a compiler.
If you are interested, you can take a look at the build procedures of the ATLAS library (http://math-atlas.sourceforge.net/). It's similar to PGO, but more like "benchmark-guided" than "profile-guided".
GUI tools are fine, but when you are debugging a program running on a remote, non-X11 machine through a slow SSH link, then gdb and friends are teh roxx0r :P
PGO in GCC: http://gcc.gnu.org/install/build.html#TOC4
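As an added example of the point that PGO lives in the build script rather than inside the compiler (this is my script, not from the comments, the GCC build system or ATLAS), here is the two-stage instrument, train and rebuild cycle done by hand with GCC's -fprofile-generate and -fprofile-use. It assumes a real GCC on PATH (clang's PGO flags differ, so a clang masquerading as gcc is skipped); the sample C program and the training inputs are constructed for the example.

```shell
#!/bin/sh
# Added example: profile-guided optimization driven from a build script.
# Stage 1 builds an instrumented binary, training runs write prog.gcda,
# stage 2 recompiles with the collected profile.

write_sample_program() {
    # Constructed sample: a branchy loop whose hot path PGO can learn about.
    cat > "$1/prog.c" <<'EOF'
#include <stdio.h>
#include <stdlib.h>

static int divisible_by_seven(unsigned x) { return x % 7 == 0; }

int main(int argc, char **argv)
{
    unsigned n = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 10) : 1000000u;
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++)
        hits += divisible_by_seven(i);
    printf("%u\n", hits);
    return 0;
}
EOF
}

pgo_build() {
    # Build dir/prog.c twice: instrumented, then optimized with the profile.
    # Returns 0 on success, 1 on a build failure, 2 if there is no usable gcc.
    dir=$1
    command -v gcc >/dev/null 2>&1 || return 2
    if gcc --version 2>/dev/null | grep -qi clang; then
        return 2   # "gcc" is really clang here; its PGO flags differ
    fi
    (
        cd "$dir" || exit 1
        # Stage 1: compile to prog.o first so the counters land in prog.gcda,
        # which is where the stage 2 compile of the same object will look.
        gcc -O2 -fprofile-generate -c prog.c -o prog.o || exit 1
        gcc -fprofile-generate prog.o -o prog_instrumented || exit 1
        # Training runs: each process exit writes and merges prog.gcda.
        ./prog_instrumented 50000 >/dev/null || exit 1
        ./prog_instrumented 123456 >/dev/null || exit 1
        # Stage 2: recompile using the profile and link the optimized binary.
        gcc -O2 -fprofile-use -c prog.c -o prog.o || exit 1
        gcc prog.o -o prog_optimized || exit 1
    ) || return 1
}

demo() {
    d=$(mktemp -d)
    write_sample_program "$d"
    if pgo_build "$d"; then
        echo "optimized binary says: $("$d/prog_optimized" 70)"   # 10
    else
        echo "skipped: gcc not available or not GCC" >&2
    fi
    rm -rf "$d"
}

demo
```

The training inputs are the part that belongs to the project, not the compiler: they decide which branches the profile records as hot, and a profile collected on unrepresentative input can make the optimized build slower than plain -O2, which is why the ATLAS-style "benchmark-guided" approach measures rather than trusts.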