Why, oh why, would I donate money to a company? Maybe I'll buy shares, but donation makes no sense in this context. If you like their product, buy it.
I was one of the first members of MandrakeClub. While I personally don't want any more boxes and books I will never use lying around, I *do* want Mandrake's service of continuing to make a nice distro that I can use and share with my friends.
So, in effect I'm paying them to keep doing what they're doing (service). As opposed to the proprietary model where I'd pay a company to not share their software with anyone else who hasn't paid.
FWIW, I tip at restaurants, too. Even if it means someone who doesn't tip gets their food brought to them and I end up (by some measures) subsidizing a for-profit waiter...
What if Monsanto then proceeded to BUY all of the land in the affected town, and had the residents pay rent or move out?
Well, firstly, if they had already poisoned people, they would be responsible for it. Even if they owned the town before poisining the residents, they would still have liability for their land. Knowingly poisoning a tenant on your land is not that much different from knowingly poisoning a neighbor.
Regarding punishment, the state prosecutes criminal cases. What you (currently) hire a lawyer for is civil (monetary) damages. Since the libertarian stance on criminal punishment is to support restitution to the fullest degree possible by the wrongdoer, the part about hiring a lawyer for the civil case could be skipped.
As for getting scientists to conduct studies to prove harm, this surely be done more cheaply and effectively (with less corruption potential) than the EPA by a private organiziation supported by voluntary donation. In fact, Greenpeace already does this.
What if the responsible managers/employees/corporations are out of business, or broke? What if they deliberately operate close to the bone, to insure that they can't lose much when their violations are discovered?
That's what prison is for. For knowingly causing the death or permanent physical injury of people in an attempt to "maximize stakeholder value", that fits the crime better, anyway.
Btw, an except from a legal dictionary on the word "liable" (being not just financial responsibility):
A person may be liable for a debt, liable for an accident due to careless behavior, liable for failing do something required by a contract or liable for the commission of a crime. Someone who is found liable for an act or ommission must usually pay damages or,
if the act was a criminal one, face punishment.
Before this discussion gets biased, we must present equal time for the Libertarian side of the argument:
If the people of Anniston simply stopped buying products from Monsanto, then they could use their "market forces" to stop this kind of activity.
What you're talking about is anarcho-capitalism, not Libertarianism. Libertarianism has always been about responsibility for your actions. By Libertarian standards, if your actions result in polluting the land and water of others, you are responsible for your crimes.
In gaming parlance, anarcho-capitalism and the current regime in the US is akin to the difference between chaotic evil and lawful evil (Monsato cultivated the complicity of the powers that be)
Pollution of other people's property is a violation of individual rights.
...
Toxic waste disposal problems have been created by government policies that separate liability from property. Rather than making taxpayers pay for toxic waste clean-ups, individual property owners, or in the case of corporations, the responsible managers and employees, should be held strictly liable for material damage done by their property.
That's part of the NRA's argument which I've never understood. They make the following statements:
If you ban guns, you should ban baseball bats because you can just as easily kill someone with one of them.
We need guns to protect ourselves because nothing else will do.
I'm sorry, but you can't have it both ways. Like any bunch of loonies, their arguments make no sense when you look at them closely.
To illustrate the NRA's point, imagine your 80 year old grandma. Now imagine a 20 year-old 6'4" 240lb criminal on speed.
Now, imagine your grandma with a baseball bat. Will she even have the reaction time necessary to connect even once with the bat? If she gets that lucky, will she have the strength to stop the criminal's attack? Could she use the bat from 30 feet away when he doesn't honor her commands to back off? Not to mention the logistics of carrying a baseball bat in her purse all the time due to not having the luxury of knowing when said attack would take place.
Now, imagine your grandma with a.38 shooting the criminal at close range in the chest. The criminal can likely imagine that, too. So, odds are if she has the chance to make the gun visible rather than shooting it through her purse, he'll run off.
See the point here? The same can apply to your 115lb wife or girlfriend against a rapist.
Using data from all 3,054 U.S. counties Lott found that right-to-carry laws reduce murder by 8.5 percent, rape by 5 percent and severe assault by 7 percent. Had right-to-carry prevailed throughout the country, there would have been 1,600 fewer murders, 4,200 fewer rapes and 60,000 fewer severe assaults.
In attempt to combat an upward trend in rape cases, for example, Orlando, Florida police launched an initiative to train 2,500 women in gun use in 1966. Consequently, Orlando was the only major American city to experience a reduction in rape in 1967; incidents of rape fell by 88 percent.
Not that having data to back up the overall effect of gun ownership should have any bearing on the fundamental human right to self-defense.
The sad thing is, in the US people scream if anyone tries to take away their guns. If anyone tries to take away their information or their right to privacy, only a few/.ers complain.
People scream either way, really. Not all people, of course, but some people. Remember when all the websites got black backgrounds and blue ribbon banners back in 1996 in response to the CDA? I don't think the problem is which abstract issue gets more attention, but that people in general aren't very interested in politics.
Of course, that changes some during wartime and when energy prices fluctuate. Usually not to any consequence. Interestingly, the possibility of using domestically-grown fuels such as hemp oil, rather than petroleum never seems to enter the debate. Meanwhile, that alone could stop enriching our often unfriendly trade partners for petroleum and drastically reduce pollution and deforestation. For a proof of concept on applying this to automobiles, see http://www.hempcar.org/
Anyway, Australia appears to have a very statist position on both speech and self-defense. i.e., that the nice men from the government should create a padded-cell world for you. Meanwhile, grannies have been cast to the mercy of criminals and the prior-restraint flavored net censorship (according to the article) would prevent mainstream political news, historic discussion from happening in an open manner:
According to the [OFLC] classification guidelines 'Adult themes may include verbal references to and depictions associated with issues such as suicide, crime, corruption, marital problems, emotional trauma, drug and alcohol dependency, death and serious illness, racism, religious issues'."
Of course, everyone knows it would only be used to root out vile filth! </sarcasm> Enter yet another law that lets the powers that be selectively shut down anyone they don't like.
Here's a snippet from an indianz.com article which specifies what was actually compromised:
With permission from U.S. District Judge Royce Lamberth, the special master's team logged onto computer servers, accessed databases, broke into Interior and Bureau of Indian Affairs networks, discovered they could modify and erase sensitive data and even created an Individual Indian Money (IIM) trust account in Balaran's name. All of these breaches occured repeatedly and with ease -- and all without being noticed, or even tracked, by the Interior's own computer officials.
Here's a rundown of how it happened.
Predictive originally planned a two-phase test of the Interior's computer infrastructure. First, it would try to access the system from the public Internet; and second, it would test the network from within.
However, the company soon found it could scrap the second phase because protections were non-existent.
"Early on in the testing it became apparent that it was possible to access the sensitive internal data from the Internet and that the internal on-site testing phase was not needed due to the lack of overall perimeter security," Predictive wrote in August after a first round of hacking.
Using widely available, and free, tools employed by hackers all over the world, Predictive tapped into a number of systems the Interior deemed "critical" to bringing its trust duties into the 21st century. These systems included:
The Trust Asset and Accounting Management System (TAAMS)
Predictive was able to break into a TAAMS server because it had "no password." As a result, the firm could perform administrative, high-level functions typically not available to low-level users.
Also, Predictive could access TAAMS because the BIANET, a BIA network accessible via the Internet, had "blank" passwords. Through this vulnerability, the firm gained administrative powers that allowed it to access data stored in a TAAMS database.
TAAMS is housed on two AS/400 servers, made by IBM, in Addison, Texas. The servers, the database
and all its associated logic (coded in dBase) are fully owned by a third party, Applied Terravision Systems, because the Interior failed to consider long-term ownership and development issues.
The Integrated Records Management System (IRMS)
A so-called "legacy" system in use since 1982, Predictive was able to gain "complete access" to IRMS, which tracks leases and distributes payments to account holders. Weaknesses on the BIANET allowed the firm to see every IRMS account that has ever existed.
Predictive could modify and delete user accounts, meaning it could prevent authorized Interior users from entering the system and give access to non-authorized outsiders.
Further, Predictive gained "complete control" to an IRMS server because it had a "blank" password. The firm was able to copy files and create links to sensitive data to outside networks via standard and highly vulnerable Microsoft Windows capabilities.
IRMS is coded in Cobol 74, an outmoded but pervasive language, and is composed of six databases -- including individual and tribal ownership and leasing data -- that reside on a Unisys Clearpath NX server in Reston, Virginia. Reston is the location of the BIA's Office of Information Resources Management, whose controversial move from Albuquerque, New Mexico, was temporarily halted by Lamberth.
Other Unnamed Systems.
Additionally, Predictive found numerous problems on a number of systems, most of which are not
specifically named because information in the report is redacted. The firm was able to access "sensitive" information including "gigabytes" of BIA e-mail, configuration files, log reports, and all usernames and passwords on an unnamed system. Many of these systems had weak password or no password protections.
Certain Interior computers were also running web servers, file transfer programs, remote access servers and other technologies that could allow anonymous access by outsiders. Other systems were prone to well-known hacking techniques, including denial of service, buffer overflows, "Trojan Horse" programs and Microsoft Windows "scripting" attacks -- all of which are typically preventable by applying readily available "patches" to fix security holes.
All of this hacking -- which took place between June 24 and July 8 -- led Predictive to conclude in an August report that the BIA lacks "basic security" measures. "Even if every security vulnerability in this report was corrected, BIA's overall lack of a secure network perimeter would still leave BIA exposed to additional risk," the firm wrote.
Predictive recommended the BIA implement such standard protections as a firewall and intrusion devices. Along with Balaran, the firm informed BIA of the numerous problems at a meeting with Brian Bowker, then-director of OIRM.
Despite Predictive's damaging report, Bowker indicated the company was successful only because he had "turned over the keys to the store." Balaran said he felt Bowker was trying to "discount" the findings, so he again instructed Predictive to break into the system on August 30.
It was during this time that Predictive created a trust account for Balaran, whose report is not specific as to which system was accessed to perform this incredible breach. Predictive was able to create its own trust data and modify existing data on an unnamed system, leading the firm yet again to warn BIA of problems and make a number of specific recommendations to correct the deficiencies.
It was likely Bynari's Insight Server -
shown at Bynari's site. It's designed to be feature-complete for Outlook clients and also work with standards-based clients. That, of course, makes it especially plausible that Bynari was the software in question. Also, while the 5000 user license isn't mentioned in plain view on Byari's site, it's $19449 for 1000 users, which would put it in line with the $71000 for 5000 users mentioned in the article.
Of course, Bynari also runs on Linux/x86 and Solaris/sparc, for folks with a more typical environment.
Using the find command mentioned in another comment, have a look at all the setuid/setgid executables. If you see something you know that machine isn't going to use, you can either remove its package, or unsetuid/setgid it.
Eg., if the machine is a webserver which will never be connected to a printer, you can get rid of lp, lpr and friends.
If you don't know what a program does, check the manpage. If it doesn't have one, try a websearch or unsetuiding it to see what breaks. (In my experience BSD has the best manpage availability and quality - eg., even each kernel driver has its own manpage.)
Anyway, certainly having a multiuser environment and reading your mail from a most unprivileged account would provide *some* protection, but what about those executables that have the "sticky" bit set and run with higher authority? Could the trojan use those to compromise the system?
It's the setuid bit, not the sticky bit you need to worry about. Sticky bit on a regular file was a way of old to keep such executables in VM instead of having them flushed. (On directories, it means only the owner of a file in the directory or root can rename and delete the file, even if other users have write permission on the directory.)
Quoth chmod(1):
STICKY FILES
On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files.
And, yes, vulnerable setuid executables can be run by local users to compromise the system
in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.
That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (eg., the 'mount' executable on a system such as you described has no business being setuid)
Also, firewalls that only allow connections to be initiated to needed services can be of assistance. Apparently such a firewall would help in this case, but an attacker can set up a remotely intiated proxy or kill off the real daemon that's supposed to be running and replace it with a 'custom' version.
That statement is totally unfounded. You are assuming the scheduling software will be stable.
If the schedualing software crashes now, it'll be the same situation as before, but the crash is just going to look different and the OS is still going to be running (though uselessly) under it all.
while true
do /usr/local/bin/KAschedule
sleep 10
done
That's what I use for especially buggy software that randomly crashes, but needs to be available. Maybe a few tweaks to clean up any mess left over by the process that died, but this kind of script does the trick w/o needing any real use education other than "if it crashes, wait 15-20 seconds for a new one to open".
"its not lame anti ms rhetoric"
Is this supposed to suggest that other MS articles that are posted to/. *ARE* "lame anti ms rhetoric"?
It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".
There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)
/. isn't exactly renowned for it's editing, but this seems to be a new low.
The post also has nothing to do with the article, we're given very little info.
Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.
If you want good editing, visit Linux Weekly News at http://www.lwn.net/. Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/
Bynari at http://www.bynari.net/ already has an Exchange replacement for Unixoid operating systems:
Bynari's Insight Server provides services to Microsoft Outlook clients and various Linux and UNIX clients provided by the Open Source community and Insight Client. Insight which can come bundled with Insight Server works on various Linux distributions, Sun Solaris for Sparc and x86, and SCO UnixWare and Compaq's Non-Stop Clusters using Proliants and UnixWare. In the glass house, Insight Server runs on IBM zSeries and S/390 mainframes under TurboLinux.
It's not Free Software, but it uses free software components, eg., Exim, OpenLDAP, etc. And it has a very modest price compared to Exchange:
Insight allows unlimited users to access its services based on the platform. With Insight Server the cost of the product is based on the size of the user base each version supports. For example, a 100 user version of Insight Server costs $2.99 per user. A 500 user version would
cost $1.19 per user. That's a one time charge.
Compared to Exchange:
The cost of Exchange 2000 Enterprise Server with 25 CALs is $6,999. Each new Client Access License costs $67.
A company with 5025 users on Microsoft Exchange would pay $335,000 for new Client Access Licenses and $6,999 for the server. The total cost in this scenario would run $341,999.
1. He did not in the past correct people who were under the impression
that it was BSD-licensed. Now, copyright law doesn't require this - but
common courtesy does.
See e.g. this thread:
Or how about his message on the FreeBSD security list, where he describes it as public domain
ipfilter is generally considered to be the
"leading"
public domain packet filtering package and I try to ensure
it stays that way:-)
Does anyone know where the portion of the GPL that reads that if you modify the source code, that you must release the source code to the public after you've sold it for a while is?
Quoth the GPL:
2 b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
Note that this doesn't mean you _do_ anything for them, just that you give them permissions to it under the terms of the GPL.
The only people you need to actively provide source to are the ones you've given binaries to.
You may want to have a look at the GPL FAQ:
http://www.gnu.org/copyleft/gpl-faq.html
I don't understand this crowd. One minute, you're all spouting Libertarian rhetoric, the next, you're demanding that others foot the bill.
The patent office makes them available, but should our taxes be raised to subsidize everything? People doing patent research can pony up the money and pay for this service.
Since the point of the patent system is to encourage inventors to reveal the workings of their inventions instead of keeping them locked up, it only makes sense that the folks responsible for the running the patent office would make the information readily available.
I think the money paid by those applying for patents more than recoups any costs associated with putting a patent database on-line.
I don't see how wanting the patent office to provide access to its files conflicts w/ Libertarian ideology. More likely the concept of patents itself conflicts. Libertarian writings tend to say that the reason for monopolies is that government creates them. This happens to be one of those ways.
I do not want to impose any terms on anyone else's software.
You don't have the right to impose terms on other people's software, anyway. People can distribute whatever they like in patch form, no matter how the original source is licensed.
This was tossed around a bit when Minix still had a non-free license and people were pondering how to make it into a useful system instead of just an academic toy. The idea was, you'd buy a specific release of Minix (it came with source code) and then apply a huge patch. Of course, then Linux came along and BSD freed itself of its encumberances, so Minix was just left by the wayside and it became a moot point.
I want to prevent the terms of my software from being changed
Likewise, no one can change the terms of your software unless you specifically assign rights to them. That's why the BSD folks say: But, the original source is always there! Just because someone released a proprietary version based on BSD code does not make the original BSD code proprietary as well.
And yes, I realize that means Microsoft could use my software, not distribute any source, not acknowledge it, and never even tell me about it, all legally.
You should also have the freedom to make modifications and use them privately in your own work or play, without even mentioning that they exist. If you do publish your changes, you should not be required to notify anyone in particular, or in any particular way.
In January 2001, Apple released another version, ASPL 1.2. This version fixes two of the fatal flaws, but one still remains: any modified version "deployed" in an organization must be published. The APSL 1.2 has taken two large steps towards a free software license, but still has one more large step to take before it qualifies.
Disrespect for privacy
The APSL does not allow you to make a modified version and use it for your own private purposes, without publishing your changes.
Actually, in my experience, Sun systems have been far _less_ reliable than well-built x86 systems. Eg., the clusters of E4500's we're using at my day job have had very bad random crash issues apparently relating to faulty ecache (L2 cache on the CPU module).
Originally, Sun support denied the problem existed, even after a Sun VP talked about it in an interview.
I've had far better luck with hardware quality and overall stability using Athlon servers running NetBSD, FreeBSD and OpenBSD. The system vendors I've used are ASLab at http://www.aslab.com/ and Rackmount.Com at http://www.rackmount.com/
Specs are:
ASLab systems -
850 Mhz Athlon
ASLab's choice of RAM in two systems, Mushkin in one.
Asus K7M motherboard
Adaptec 39160 Ultra160 SCSI
Two of the systems are connected to an external
SCSI-> SCSI RAID, using an Infortrend SCSI->RAID module.
The cabinet was built by Enhance Technology - http://www.enhance-tech.com/
Rackmount.Com system:
1.2GHz Athlon,
Asus A7V motherboard,
Rackmount.Com's choice of RAM,
Mylex RAID controller.
All systems use IBM SCSI Ultra160 drives.
None have experienced OS crashes or hardware failures since being put into production under moderate to heavy load.
That said, I've had generally good results with lower-end Sun systems. Eg., E450's, Netras, etc. But, Sun's main advantage is the ability to scale, and integrate with things such as Veritas Volume Manager / File System / Cluster server. So it doesn't make much sense at low-end. For web servers, application servers, mail servers and DNS servers, for instance, network-based load balancers or inherent robustness of the protocol provide more usefulness for failure masking and availability.
What options do SPARCstation owners have for a reletively up to date distro that isn't in beta or otherwise have bizzar issues stemming from someone just trying to recompile an Intel distro for the Sparc architecture?
I suggest giving
NetBSD/Sparc a shot. I've found it to work very smoothly on non-x86 platforms, as all platforms are treated as first class citizens. I've had good results with NetBSD on each platform I've used it on - sparc, alpha and x86.
While working as a Solaris admin in big corporate sparc shop a while back, I developed a NetBSD floppy-based disk wipe procedure (for systems being decomissioned), which went onto become official there. Much nicer than waiting for a Solaris CD boot. I also managed to get Linux to be the OS on the on-call laptop, after the managers had tried pushing Solaris x86 (on a laptop.. heh..), and Windows NT.
Actually, the whole point of MandrakeFreq was to help people with limited bandwidth.
You can find MandrakeFreq at Cheapbytes for $4.99.
There is also supposed to be a list of other resellers at this page (according to the news at http://www.linux-mandrake.com/ ) - http://www.mandrakesoft.com/products/range/mandrak efreq (As I write, that page is currently down, though (looks like they moved their webservers to a system on a faster network, which broke mandrakesoft.com)
This quote, in particular sounds like prime Onion material:
"Not one person in my office, from the receptionist to the sales people to the engineers to the CEO use the blasted paper clip. Not even my wife, who is an elementary school teacher, uses it," Ketan Deshpande, senior software engineer at Manage.com, wrote in an e-mail to News.com. "In less time than it took MS to put this Web site together, they could have pulled the dumb clip out of their software."
And, then the article goes to sum it up stating in effect that this is just a $30million marketing campaign about a changed default:
Gurry said if people miss Clippy, they can turn him back on by clicking the "help" tag on the Office XP task bar.
Slashdot Mirror
So, in effect I'm paying them to keep doing what they're doing (service). As opposed to the proprietary model where I'd pay a company to not share their software with anyone else who hasn't paid.
FWIW, I tip at restaurants, too. Even if it means someone who doesn't tip gets their food brought to them and I end up (by some measures) subsidizing a for-profit waiter...
Regarding punishment, the state prosecutes criminal cases. What you (currently) hire a lawyer for is civil (monetary) damages. Since the libertarian stance on criminal punishment is to support restitution to the fullest degree possible by the wrongdoer, the part about hiring a lawyer for the civil case could be skipped.
As for getting scientists to conduct studies to prove harm, this surely be done more cheaply and effectively (with less corruption potential) than the EPA by a private organiziation supported by voluntary donation. In fact, Greenpeace already does this.
That's what prison is for. For knowingly causing the death or permanent physical injury of people in an attempt to "maximize stakeholder value", that fits the crime better, anyway.
Btw, an except from a legal dictionary on the word "liable" (being not just financial responsibility):
In gaming parlance, anarcho-capitalism and the current regime in the US is akin to the difference between chaotic evil and lawful evil (Monsato cultivated the complicity of the powers that be)
A simple visit to the party platform explains this:
Now, imagine your grandma with a baseball bat. Will she even have the reaction time necessary to connect even once with the bat? If she gets that lucky, will she have the strength to stop the criminal's attack? Could she use the bat from 30 feet away when he doesn't honor her commands to back off? Not to mention the logistics of carrying a baseball bat in her purse all the time due to not having the luxury of knowing when said attack would take place.
Now, imagine your grandma with a .38 shooting the criminal at close range in the chest. The criminal can likely imagine that, too. So, odds are if she has the chance to make the gun visible rather than shooting it through her purse, he'll run off.
See the point here? The same can apply to your 115lb wife or girlfriend against a rapist.
Here are a couple quotes from studies:
From http://www.ncpa.org/bothside/krt/krt050301a.html
From http://www.dartreview.com/issues/2.26.01/editorial .html
Not that having data to back up the overall effect of gun ownership should have any bearing on the fundamental human right to self-defense.
People scream either way, really. Not all people, of course, but some people. Remember when all the websites got black backgrounds and blue ribbon banners back in 1996 in response to the CDA? I don't think the problem is which abstract issue gets more attention, but that people in general aren't very interested in politics.
Of course, that changes some during wartime and when energy prices fluctuate. Usually not to any consequence. Interestingly, the possibility of using domestically-grown fuels such as hemp oil, rather than petroleum never seems to enter the debate. Meanwhile, that alone could stop enriching our often unfriendly trade partners for petroleum and drastically reduce pollution and deforestation. For a proof of concept on applying this to automobiles, see http://www.hempcar.org/
Anyway, Australia appears to have a very statist position on both speech and self-defense. i.e., that the nice men from the government should create a padded-cell world for you. Meanwhile, grannies have been cast to the mercy of criminals and the prior-restraint flavored net censorship (according to the article) would prevent mainstream political news, historic discussion from happening in an open manner:
According to the [OFLC] classification guidelines 'Adult themes may include verbal references to and depictions associated with issues such as suicide, crime, corruption, marital problems, emotional trauma, drug and alcohol dependency, death and serious illness, racism, religious issues'."
Of course, everyone knows it would only be used to root out vile filth! </sarcasm> Enter yet another law that lets the powers that be selectively shut down anyone they don't like.
With permission from U.S. District Judge Royce Lamberth, the special master's team logged onto computer servers, accessed databases, broke into Interior and Bureau of Indian Affairs networks, discovered they could modify and erase sensitive data and even created an Individual Indian Money (IIM) trust account in Balaran's name. All of these breaches occured repeatedly and with ease -- and all without being noticed, or even tracked, by the Interior's own computer officials.
Here's a rundown of how it happened.
Predictive originally planned a two-phase test of the Interior's computer infrastructure. First, it would try to access the system from the public Internet; and second, it would test the network from within.
However, the company soon found it could scrap the second phase because protections were non-existent.
"Early on in the testing it became apparent that it was possible to access the sensitive internal data from the Internet and that the internal on-site testing phase was not needed due to the lack of overall perimeter security," Predictive wrote in August after a first round of hacking.
Using widely available, and free, tools employed by hackers all over the world, Predictive tapped into a number of systems the Interior deemed "critical" to bringing its trust duties into the 21st century. These systems included:
Predictive was able to break into a TAAMS server because it had "no password." As a result, the firm could perform administrative, high-level functions typically not available to low-level users.
Also, Predictive could access TAAMS because the BIANET, a BIA network accessible via the Internet, had "blank" passwords. Through this vulnerability, the firm gained administrative powers that allowed it to access data stored in a TAAMS database.
TAAMS is housed on two AS/400 servers, made by IBM, in Addison, Texas. The servers, the database and all its associated logic (coded in dBase) are fully owned by a third party, Applied Terravision Systems, because the Interior failed to consider long-term ownership and development issues.
A so-called "legacy" system in use since 1982, Predictive was able to gain "complete access" to IRMS, which tracks leases and distributes payments to account holders. Weaknesses on the BIANET allowed the firm to see every IRMS account that has ever existed.
Predictive could modify and delete user accounts, meaning it could prevent authorized Interior users from entering the system and give access to non-authorized outsiders.
Further, Predictive gained "complete control" to an IRMS server because it had a "blank" password. The firm was able to copy files and create links to sensitive data to outside networks via standard and highly vulnerable Microsoft Windows capabilities.
IRMS is coded in Cobol 74, an outmoded but pervasive language, and is composed of six databases -- including individual and tribal ownership and leasing data -- that reside on a Unisys Clearpath NX server in Reston, Virginia. Reston is the location of the BIA's Office of Information Resources Management, whose controversial move from Albuquerque, New Mexico, was temporarily halted by Lamberth.
Additionally, Predictive found numerous problems on a number of systems, most of which are not specifically named because information in the report is redacted. The firm was able to access "sensitive" information including "gigabytes" of BIA e-mail, configuration files, log reports, and all usernames and passwords on an unnamed system. Many of these systems had weak password or no password protections.
Certain Interior computers were also running web servers, file transfer programs, remote access servers and other technologies that could allow anonymous access by outsiders. Other systems were prone to well-known hacking techniques, including denial of service, buffer overflows, "Trojan Horse" programs and Microsoft Windows "scripting" attacks -- all of which are typically preventable by applying readily available "patches" to fix security holes.
All of this hacking -- which took place between June 24 and July 8 -- led Predictive to conclude in an August report that the BIA lacks "basic security" measures. "Even if every security vulnerability in this report was corrected, BIA's overall lack of a secure network perimeter would still leave BIA exposed to additional risk," the firm wrote.
Predictive recommended the BIA implement such standard protections as a firewall and intrusion devices. Along with Balaran, the firm informed BIA of the numerous problems at a meeting with Brian Bowker, then-director of OIRM.
Despite Predictive's damaging report, Bowker indicated the company was successful only because he had "turned over the keys to the store." Balaran said he felt Bowker was trying to "discount" the findings, so he again instructed Predictive to break into the system on August 30.
It was during this time that Predictive created a trust account for Balaran, whose report is not specific as to which system was accessed to perform this incredible breach. Predictive was able to create its own trust data and modify existing data on an unnamed system, leading the firm yet again to warn BIA of problems and make a number of specific recommendations to correct the deficiencies.
http://leb.net/blinux/
Complete with FAQ, docs and mailing lists.
Of course, Bynari also runs on Linux/x86 and Solaris/sparc, for folks with a more typical environment.
Using the find command mentioned in another comment, have a look at all the setuid/setgid executables. If you see something you know that machine isn't going to use, you can either remove its package, or unsetuid/setgid it.
Eg., if the machine is a webserver which will never be connected to a printer, you can get rid of lp, lpr and friends.
If you don't know what a program does, check the manpage. If it doesn't have one, try a websearch or unsetuiding it to see what breaks. (In my experience BSD has the best manpage availability and quality - eg., even each kernel driver has its own manpage.)
Quoth chmod(1):
And, yes, vulnerable setuid executables can be run by local users to compromise the system in such that unauthorized remote administration is possible. This can happen either through the user's evil intentions or by a trojan.
That's why it's necessary to patch locally exploitable programs, and good security practice to unsetuid things that don't need to be setuid (eg., the 'mount' executable on a system such as you described has no business being setuid)
Also, firewalls that only allow connections to be initiated to needed services can be of assistance. Apparently such a firewall would help in this case, but an attacker can set up a remotely intiated proxy or kill off the real daemon that's supposed to be running and replace it with a 'custom' version.
I think you're forgetting the obvious: gnulix.
And of course, the logo would be a gnu licking tux's face.
while true
/usr/local/bin/KAschedule
do
sleep 10
done
That's what I use for especially buggy software that randomly crashes, but needs to be available. Maybe a few tweaks to clean up any mess left over by the process that died, but this kind of script does the trick w/o needing any real use education other than "if it crashes, wait 15-20 seconds for a new one to open".
It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".
There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)
Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.
If you want good editing, visit Linux Weekly News at http://www.lwn.net/. Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/
I have spent $0 on Windows in the last 2 years (I build my own systems, and Windows is not on the list of things to install)
Regarding Linux, I bought a $40-$60 Mandrake Powerpack version 7.0 last year.
Also, I've bought the official 2.8 OpenBSD CD set, and some posters/t-shirts + donation (total came to around $100 - $30 of which was the OS CD)
Of course, I also had the option of downloading and burning ISO's (which I often do), but I wanted the goodies.
It's not Free Software, but it uses free software components, eg., Exim, OpenLDAP, etc. And it has a very modest price compared to Exchange:
Compared to Exchange:
(yikes!)
Or how about his message on the FreeBSD security list, where he describes it as public domain
Quoth the GPL:
Note that this doesn't mean you _do_ anything for them, just that you give them permissions to it under the terms of the GPL.
The only people you need to actively provide source to are the ones you've given binaries to. You may want to have a look at the GPL FAQ: http://www.gnu.org/copyleft/gpl-faq.html
I think the money paid by those applying for patents more than recoups any costs associated with putting a patent database on-line.
I don't see how wanting the patent office to provide access to its files conflicts w/ Libertarian ideology. More likely the concept of patents itself conflicts. Libertarian writings tend to say that the reason for monopolies is that government creates them. This happens to be one of those ways.
You don't have the right to impose terms on other people's software, anyway. People can distribute whatever they like in patch form, no matter how the original source is licensed.
This was tossed around a bit when Minix still had a non-free license and people were pondering how to make it into a useful system instead of just an academic toy. The idea was, you'd buy a specific release of Minix (it came with source code) and then apply a huge patch. Of course, then Linux came along and BSD freed itself of its encumberances, so Minix was just left by the wayside and it became a moot point.
Likewise, no one can change the terms of your software unless you specifically assign rights to them. That's why the BSD folks say: But, the original source is always there! Just because someone released a proprietary version based on BSD code does not make the original BSD code proprietary as well.
It sounds like you're asking for the BSD license.
And, in the APSL commentary section - http://www.fsf.org/philosophy/apsl.html:
So, sharing my hard-won knowledge as a Unix admin over 5 years is now Overrated on this thread with most other messages at ranked at 2?
Originally, Sun support denied the problem existed, even after a Sun VP talked about it in an interview.
I've had far better luck with hardware quality and overall stability using Athlon servers running NetBSD, FreeBSD and OpenBSD. The system vendors I've used are ASLab at http://www.aslab.com/ and Rackmount.Com at http://www.rackmount.com/
Specs are:
ASLab systems - 850 Mhz Athlon ASLab's choice of RAM in two systems, Mushkin in one. Asus K7M motherboard Adaptec 39160 Ultra160 SCSI Two of the systems are connected to an external SCSI-> SCSI RAID, using an Infortrend SCSI->RAID module. The cabinet was built by Enhance Technology - http://www.enhance-tech.com/
Rackmount.Com system: 1.2GHz Athlon, Asus A7V motherboard, Rackmount.Com's choice of RAM, Mylex RAID controller.
All systems use IBM SCSI Ultra160 drives.
None have experienced OS crashes or hardware failures since being put into production under moderate to heavy load.
That said, I've had generally good results with lower-end Sun systems. Eg., E450's, Netras, etc. But, Sun's main advantage is the ability to scale, and integrate with things such as Veritas Volume Manager / File System / Cluster server. So it doesn't make much sense at low-end. For web servers, application servers, mail servers and DNS servers, for instance, network-based load balancers or inherent robustness of the protocol provide more usefulness for failure masking and availability.
While working as a Solaris admin in big corporate sparc shop a while back, I developed a NetBSD floppy-based disk wipe procedure (for systems being decomissioned), which went onto become official there. Much nicer than waiting for a Solaris CD boot. I also managed to get Linux to be the OS on the on-call laptop, after the managers had tried pushing Solaris x86 (on a laptop.. heh..), and Windows NT.
You can find MandrakeFreq at Cheapbytes for $4.99.
There is also supposed to be a list of other resellers at this page (according to the news at http://www.linux-mandrake.com/ ) - http://www.mandrakesoft.com/products/range/mandrak efreq (As I write, that page is currently down, though (looks like they moved their webservers to a system on a faster network, which broke mandrakesoft.com)
This quote, in particular sounds like prime Onion material:
And, then the article goes to sum it up stating in effect that this is just a $30million marketing campaign about a changed default: