The law as written didn't even allow for a "no". Just the 7 days. So if the DoJ says no you can tell them to screw themselves, and still be within the law. Berman is slowly steering us towards anarchy with this vigilante law.
He's right, though. Customers may end up requesting things they don't really need. Sometimes it is better to educate them in how to use the tools that already exist than to install every little piece of software they all "need" at the time.
They pay us to administer their servers. I think we (administrators) do a better job if we keep the server stable and up than we would if we were just their lackeys.
Wonder when Linus will get tired of "tar"? After all, it's about as standard as "dump" is in any UNIX distribution. Maybe some file buffer cache change will render tar unusable, and we'll be told to use say.. dd? Or maybe cat.
MySQL needs several improvements before it can be trusted with data.
- Needs to handle memory limits better. 15 threads shouldn't be able to allocate more memory than the kernel allows (through ulimit-style limits). As it is now, MySQL hits that limit and then sits there and consumes 99.9% CPU forever. Won't die to kill 15, requires kill 9, which forces us to isamchk. Bad, bad, evil.
- Replication should not be query based, it should be data based. As it is now, replication is nothing more than a hack. Because it is a hack, it is very easy for the slave to differ from the master, which requires shutting down the master (effectively) while you restore the slave. This can take hours. Bad, not so evil. Just bad.
- MySQL can't tell if a database is corrupt, at least not in every case. Sometimes it'll sit there and chew CPU for hours trying to process some impossible data. This is a show-stopper, IMO. The first thing (the memory) is the typical reason for it to corrupt its databases.
- Documentation. MySQL's online documentation is horrible. For instance, they claim that SET SQL_LOG_BIN = 0 will stop replication. But in actuality, it does nothing (and they claim it works in the version I'm using, so don't bother). This wouldn't be such a problem if they didn't change syntax so drastically between minor versions. This is very bad, but not necessarily a show-stopper.
Some minor things:
- Explain doesn't work right. It doesn't return the right number of rows for a query. It's seemingly random. I don't know why.
- Insert delayed. What the hell is the point of this? It's about 10x slower when using mysqldump | mysql than straight inserts. The documentation indicates this should not be so.
- The MySQL team seems more interested in pushing out frequent updates and calling them stable than actually testing and making sure that their server is stable. Now I'm not suggesting a 5 year beta period, but something needs to be done about this. As it is now, I'm barely comfortable with 3.23 at all. 3.22.32 was probably the last great MySQL distribution.
I probably should have a lot more rants here, but I can't think of them now, I'm too busy trying to figure out why MySQL is so goddamned slow.
Sounds good. Let's put Verisign in charge of it! ;)
But seriously, it does sound neat. An open-CA. You still have to trust that the committer themselves is not submitting bad code, or is not forged. (Even if the code is PGP/GPG signed, it could be forged, because the signing system could be compromised.)
But in this case, the openssh tarball was trojaned at the openssh site. Wouldn't it seem reasonable that the FreeBSD port committer would have used that tarball, tested it (but not necessarily seen the trojan), then tar'd up the results and MD5'd them before uploading it to the FreeBSD site?
Maybe this wouldn't have happened here (since apparently the backdoor deleted itself), but it easily could have.
It wouldn't have helped your FreeBSD box much if this trojaned OpenSSH build ended up in CVS - build world and bam, you're hit, no MD5 checking even occurs.
I wish FreeBSD would continue the trend of removing crap (perl) from their OS and set everything up as packages. They could then concentrate on the security of their OS instead of always getting hit by "contrib"uted security problems.
Want OpenSSH? Install the package. Want UUCP? Install the package. Etc. Then, you could more easily upgrade the packages, too. That'd be supersweet.
...and don't trust the OpenSSL advisory sent out to Bugtraq by a "Ben Laurie". It's not signed, so I can't show that he wrote it. Apparently, it's trivially possible to get a trojaned tarball installed in mirrors everywhere, so that it is mirrored on "official" sources does not help. Is there any reason to believe the OpenSSL advisory other than its mention on their webpage (which could also be hacked, as they're running Apache 1.3.6, which could have the chunked bug)?
:)
(This has turned into quite the rant. Sorry.)
Yeah. Tell her to get over herself. :)
The danger of the bill is that you don't have to violate their copyright. There's no mention of a license. As a copyright owner, you'd be free to do whatever you can/want to keep them from "distributing" your file.
So, yes, it is outrageous. But as written, it makes the Big Boys too vulnerable, and those they've bribed apparently didn't see it. Since they fumbled the bill so much, the RIAA et al are going to have to bribe more congressfolk to make a better bill/amend this one. I'd be surprised if the RIAA doesn't fire Berman and crew.
Re:The Slashdot effect - enough is enough (on OpenSSL Security Update; Score: 3, Insightful)
Yeah, RTFM yourself. OpenSSL.org is not a commercial site.
I can sort-of understand not caching pages from commercial sites but from a site that is part of the "Open Source" community? The one that /. itself is also a big part of? It's inexcusable.
For that matter, if it's possible for libraries to take care of this, why isn't libc (or whichever) fixed to handle this itself? It seems like that'd be a great area to spend effort.
Bugtraq's signal-to-noise ratio is much lower than /.'s when it comes to relevant security vulnerabilities, IMO. Bugtraq has shit like "Easy Guestbook" "W3Mail" and "phpBB" all the time. Barely readable.
Sure, well, in any case, I don't think it's appropriate to represent that he's so sacrificing, when he made more than I (an average Joe) will make in 50 lifetimes. :)
One dollar?
The SEC would seem to disagree.
This August 6th, join me and the rest of the world in celebrating Co-Developer Appreciation Day! Buy them a mouse pad couch, or maybe a beer.
And remember, if you don't appreciate your co-developers on August 6th, the terrorists have already won.
I know you're a Windows user and all, but still, come on.
1.1 - 1.0 = 0.1
Yours Truly,
dpk, a sysadmin who needs no appreciation
Heh, good point.
Ya know, reading this further, since it's on the "file trader" (I love that term) to notice and complain about the action, any time you lose a file or "get hacked", you should send a letter to all of the MPAA/RIAA folks asking for a report on what they removed and why (See 2A through 2C).
Since there's no way to know who actually did it, and there doesn't appear to be any reason to believe the DoJ would care to tell you, you'd have to write all of them to figure it out. Wonderful law, eh!
Oh, this will be easy for the *AA to fight. "You cost us $1,000,000 by allowing our content on your server. We cost you $250 in damages. Here's a bill for $999,750."
Yeah. I think I read something in there about how the US Govt can go after copyright holders if they get out of line, i.e. if they destroy files that aren't the target. Chances are good this'll be applied more to the little guys than the big guys. "Our losses from the illegally hosted file outweigh the damages to your computer. We'll reduce our claim by $5 to make up for it."
Who knows..
The DoJ doesn't have to approve what you do (yeah, I did read the bill to check), you just have to notify them. I guess if they don't stop you in 7 days, nobody will.
By the way, since I assume you're on the Internet, you should probably know that the entire Internet falls under the definition of "publicly accessible peer-to-peer file trading network".
I quote:
"(2) 'peer-to-peer file trading network' means two or more computers which are connected by computer software that (A) is primarily designed to (i) enable the connected computers to transmit files or data to other connected computers (ii) enable the connected computers to request the transmission of files or data from other connected computers; and (iii) enable the designation of files or data on the connected computers as available for transmission; and (B) does not permanently route all file or data inquiries or searches through a designated, central computer located in the United States"
In other words, you are on a peer-to-peer network if you use your computer's web browser (software) to connect to the MPAA's web server (another computer). You're presumably doing so primarily to transfer files from them (HTML, images). They're also able to "request" files from your computer (cookies).
There is no "designated, central computer" located anywhere. I can't guess what they could have meant there. Maybe in a future bill they'll create a directory of "designated, central computers."
There doesn't appear to be any mention of the DoJ having to approve the requests, just that you have to notify them 7 days in advance.
If the RIAA attacks a cable connection with enough behind it, they could flood the ISP's peering. AT&T is particularly susceptible to this. That could cost over $250, but then we'd have to expect AT&T to take up the fight...
Ah, sorry. I should have said I am in the US.
Also, the primary car does play into the liability rates on the driver. However, if you're say.. renting a car, your liability insurance applies if you hit someone.
Another way they could probably make more money is if fewer people would block their ads. :)
Auto insurance isn't mandatory everywhere. And where it is, it isn't tied to a car, it's tied to you, the driver.
So, given that, where on your person would you like to have the GPS tracking unit installed?