Slashdot Mirror


User: bLanark

bLanark's activity in the archive.

Stories: 0
Comments: 149

Comments · 149

  1. Re:Emacs on In Which OS Do You Feel More Productive? · · Score: 1

    Well, on the back of that, in the latest Risk Digest (Here), Walter Dnes points out:

    "perl used to be a "Practical Extraction and Reporting Language". Now it's
    ballooned into something huge, requiring support libraries of its own.
    Don't get me wrong, perl is an OK operating system, but it lacks a
    lightweight scripting language."

  2. Re:Emacs on In Which OS Do You Feel More Productive? · · Score: 4, Funny

    Also: "EMACS is a nice operating system, it just lacks a text editor" (Emacs Stands For...)

  3. Re:Get your PhD first on Breaking Away from Programming? · · Score: 1

    I think he means the Open University.

  4. Passwordsafe on Are Often-Changed Long Passwords Really Secure? · · Score: 2, Interesting

    Look into PasswordSafe.

    I think that the project was begun by Bruce Schneier, of "Applied Cryptography", "Secrets and Lies" and "Crypto-Gram" fame. But now the utility is open-source and multi-platform.

  5. SURBLs on New Spam Zombies Use ISPs' Mailservers · · Score: 1

    One solution is SURBLs (Spam URI Real-time Block List, I think). This is a list of web addresses contained in spam. An anti-spam filter parses an email, then checks any URIs against various SURBLs. They are pretty damned effective. Any URI in spam gets blocklisted pretty soon, and filters can act accordingly and block spam.

    These are up and working, and have been for at least a year. The latest SpamAssassin has support for them out of the box, I haven't checked but it may use around 5 different lists.

    There is a small network delay and very little processing overhead on the spam filter. So email may be delayed for 15 seconds, but spam will be filtered to a far greater extent.

    Visit www.surbl.org for more info, and don't forget to check out SpamAssassin as well. Anyone running a modern Linux can filter their own email, even if they pick email up from a pop3 server. I'd recommend a fetchmail, postfix, procmail and spamassassin combination, but there are many, many ways to do this.
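
Added example, not part of the comment above and not SpamAssassin's code: a sketch of the URI check the comment describes, which pulls hostnames out of a message, reduces each to the name a SURBL-style DNS zone is queried with, and treats an A record in 127.0.0.0/8 as a listing. The default zone name, the tiny two-level-suffix set, the sample message and the fake resolver are assumptions constructed so the block runs offline.

```python
import re
import socket
from email import message_from_string
from urllib.parse import urlsplit

URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
TWO_LEVEL = {"co.uk", "org.uk", "com.au"}  # constructed stand-in for a public-suffix list

def extract_hosts(raw_email):
    """Hostnames of every http(s) URI found in the text parts of a message."""
    hosts = set()
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for uri in URI_RE.findall(body):
            try:
                host = urlsplit(uri).hostname
            except ValueError:  # malformed authority, e.g. an unclosed '['
                continue
            if host:
                hosts.add(host.rstrip("."))
    return hosts

def query_name(host, zone="multi.surbl.org"):
    """DNS name to look up: reversed octets for an IPv4 host, else the base domain."""
    labels = host.split(".")
    if len(labels) == 4 and all(l.isdigit() for l in labels):
        return ".".join(reversed(labels)) + "." + zone
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:]) + "." + zone

def is_listed(host, resolve=socket.gethostbyname):
    """True when the zone answers with a 127.x.x.x record; NXDOMAIN means not listed."""
    try:
        return resolve(query_name(host)).startswith("127.")
    except OSError:  # socket.gaierror (no such name) is an OSError
        return False

def listed_hosts(raw_email, resolve=socket.gethostbyname):
    return sorted(h for h in extract_hosts(raw_email) if is_listed(h, resolve))

# Constructed sample message and constructed zone contents (no network needed).
SAMPLE = ("From: a@example.net\nSubject: offer\nContent-Type: text/plain\n\n"
          "Buy at http://shop.pills.example.co.uk/buy?id=1 or http://192.0.2.7/x\n"
          "Docs: https://www.example.org/help\n")
FAKE_ZONE = {"example.co.uk.multi.surbl.org": "127.0.0.2",
             "7.2.0.192.multi.surbl.org": "127.0.0.2"}

def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    print(listed_hosts(SAMPLE, fake_resolve))
```

A filter would raise the message's spam score for each host returned; the one DNS round trip per distinct host is the small network delay the comment mentions.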

  6. How to avoid this - if you're truly paranoid on Student Logs Teachers Keystrokes · · Score: 2, Informative

    Here's one procedure you can use whenever you use a computer that might have been interfered with (in a lab, in an internet cafe, even in a dorm).

    This only works for GUIs, I'm afraid. It's important to use the *mouse* for cursor positioning, not the keyboard, as described below.

    The basic approach is this: When you type in a username and/or password, don't type the username and password straight in. Instead, swap between the two fields, don't enter the characters in order. You will have to position the cursor where appropriate. For example:
    Click on the password field, and enter the 4th letter of your password. Then click on the username field, and enter the last letter of the username. Then click at the front of the field and enter the second character. Then back to the password, and enter the first character. Etc etc. Even if you only do this for a few characters, it will help security immensely.

    At the end, the keystroke logger will have collected all the characters in your username, but any spy will have a nice anagram to reconstruct.

    The truly paranoid can add extra characters early in the process, and then overtype them later on. This is particularly useful if the selection is done by the mouse and not the keyboard - the spy will have no chance of reconstructing the password if some of the captured keystrokes aren't even part of the final password.

    A simpler method is to stop typing the password partway through, click on another app (don't use alt-tab or another keyboard shortcut; the logger will capture this) and press a few keys, then return to the browser/whatever and complete the password.

  7. Re:AdBlock on Firefox Users Bad For Advertisers · · Score: 1

    The Internet (specifically WWW) in its current form did not exist before advertising. To think that the Internet today can continue without ads based on some magical elf business model is simply absurd. Everyone says "Well they'll just have to find a new business model," but no one has any suggestions.

    How the *%^& did this get modded as insightful?

    The internet was born before advertising, and it was pretty bloody useful too, probably more useful than the cluttered space it has become.

    Almost every large company on the web is selling something - that's how they make their money. If they're not selling something, then they use the web to place pre- or post-sales information: specs, drivers, downloads and so on. Using the web is much cheaper than manning a telephone helpline and sending out paper copies.

    OK, There are some useful places on the web that may be funded by ad. revenue - places like Google, Google Groups and Yahoo Groups. To be honest, I'd pay a _small_ fee for search engines and archives (I'd pay a *lot* for a Cable TV service without adverts too, by the way.)

    But personally, I think that the web is too cluttered with far too many crappy blogs, geocities pages, band fan pages, lyrics pages, guitar tabs pages, and so on. If these people had to pay for their web space, there would be a dramatic reduction in this crappy content.

    People who want to be heard, like Gentoo, Wikipedia and Apache already fund their rather large bandwidth and hosting needs through donations and such like.

  8. The time to respond on Cross-Platform Java Sandbox Exploit · · Score: 1

    Is no-one else concerned about the length of time it has taken Sun to respond to this? According to the article, it took 4 months to patch, but in reality, it was nearer 6 months. Sun were informed on April 29, so we can add a month (possibly more) to the figure of 4 months. (I can't determine when the patched version was released while @work).

    Most OSS is patched within a day or so, certainly less than a week. So why did Sun sit on this for so long, and then fail to publicise the fix as soon as it was available?

  9. Re:I was hit last night by this exploit on Cross-Platform Java Sandbox Exploit · · Score: 1

    Are you sure you've been hit by _this_ exploit? Because the parent article does not mention any exploit being seen "in the field", as they say.

    CERT says "As of the writing of this document, we have not received any reports indicating exploitation of this vulnerability outside of the context of obtaining it from the Brown Orifice web site."

    If you think you have, then which website were you browsing? I.e. which one contained the rogue applet that can exploit the bug.

    Don't worry if it's pr0n - we're all adults here :-)

  10. Rackspace on Slashback: Indymedia, Starfighter, Mozparty · · Score: 1

    Did these guys actually just commit corporate suicide in front of the entire internet?

    Strangely enough, I just got spammed by Rackspace UK (using the email address I registered for linux_expo with). They are launching a large campaign just now - see here. I wonder if they are seeing any kind of move of users away from them due to this. I'd like to think so, but I don't know how well this issue has been covered in the mainstream media in the UK.

    This whole incident has made me glad that I've chosen a UK-only ISP. I'd hate to have my site taken down due to leverage on a US parent company. (Not that I do anything wrong, of course!)

  11. They get what they deserve on Every 5th Call At Dell Is Spyware-Related · · Score: 2, Interesting

    Well, I guess that this must cost Dell a fair amount in support costs. I've got no idea what the volume of calls is, but it must be great - and 20% of them to do with spyware? It *must* affect their bottom line.

    Maybe they will begin to ship machines with a more secure initial configuration. They might start with some changes suggested by last month's article at The Register.

  12. Re:Affordable healthcare on Help Choose Final Bush/Kerry/Nader Youth Voter Questions · · Score: 1

    It is becoming increasingly difficult for working Americans to afford quality health care. Costs for health care and health care coverage are spiraling beyond the reach of many in this country.

    Well, to some extent, this is fallout from the increasingly litigious society we live in. As more people sue their doctors, the doctors (and hospitals, and pharmaceutical manufacturers) insurance costs increase. This cost is eventually passed back to the patient. Now, to raise the cash, the patient needs a lawsuit...

  13. Opportunity here? on MPAA Blames Linux Australia Notice on Human Error · · Score: 1

    While RTFA, I thought "opportunity for google here". How about google create a new service that notifies subscribers as soon as a large file appears on a site that a googlebot happens upon?
    People like the MPAA would subscribe, save them writing their own spiders. Google could look inside zips for mpeg or other content, and users, maybe individual studios, could register various keywords such as "hero" or "manonfire" if they liked.

    Of course, google would be bound by robots.txt, whereas the MPAA will probably ignore that, so maybe it's not such a great idea anyway.

  14. What have the Romans done for us? on Linus Torvalds' Benevolent Dictatorship · · Score: 1

    If Rome taught us anything, it's that small groups, no matter how skilled or courageous, will lose to an organised and capable foe with clear lines of communication under one leader.

    C'mon, everything comes in cycles. Big guys will rise and fall over time. Think Psychohistory. Babylon fell, after all.

    Once upon a time, the Roman empire was not the biggest, but one of many small ones. It's chance circumstances and personalities that make things happen. The situation may appear dire now, but a generation after Gates retires, MSFT will be pretty much like ORCL and YHOO and many other software companies.

    Overall, I think it's a poor analogy. When we talk about Rome, are we talking about the aqueducts? Or the roads? Irrigation? Wine? Public baths? Keeping Order? Life of Brian Script. :-)

  15. Meanwhile, in Europe.... on Send in the Nasal Rangers · · Score: 1

    In The Netherlands (call it Holland if you will), they have had skilled nasal workers for years. They are called Pig Shit Inspectors.

    It was explained to me thus: Due to the high water table, the Dutch (hey, third term for them now) have to watch the pollution of their water, so the farmers are restricted in how much (ahem) natural fertilizer they can use on their land. So, inspectors drive around the country, stop at places, get out, and have a good noseful, then zone in for further tests before pouncing on the offender (presumably with a peg on nose).

    Now, I was told that this was true by a cloggie (fourth term for them; what a schizophrenic race) mate of mine once, but, thinking about it, what do they do with the pig shit if they can't put it on the land? Perhaps you (and I) should take this story with a pinch of salt.

    On the other hand, whenever I can, when filling in forms and the likes, I put my occupation as a "nasal miner".

  16. MY GPL is v3... on Seminar On Details Of The GPL And Related Licenses · · Score: 1

    You know the only weak point in the GPL?

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

    You know what, I wonder what's to stop me releasing a GPL? Mine would be pretty unrestrictive, I can assure you.

    OK, I'm only half serious, but legally, what prevents another organisation from releasing GPL v3 that looks like the artistic licence, for example?

  17. You can ssh into a gentoo SELinux machine as root on Would You Use SELinux? · · Score: 1

    http://selinux.dev.gentoo.org/ runs gentoo SELinux.

    Simply ssh into that machine as root (password is gentoo). It's uncanny. You can't see the apache processes with "ps". You can't do much, really. It's probably too secure to be useful as a workstation, more of a single-task production server.

    I'm glad I tried it, but I certainly won't be using SELinux, I should try all those grsecurity options at the bottom of the kernel config some time though.

  18. Re:RS232 stuff on What Would You Put Into A Software Survival Kit? · · Score: 1

    6ft 25 connector ribbon cable with both a male and female db25 connectors (insulation displacing type) at each end with about 3in between them.
    Real easy to make one and it saves the trouble of lost gender benders.

    I have several of these, and also 9-pin versions (much longer). The connectors just clamp on to the ribbon, cutting through the insulation enough to make a contact.

    I am amazed that it's almost impossible to buy a null-modem cable in the stores in the UK now. Sign of the times.

  19. RS232 stuff on What Would You Put Into A Software Survival Kit? · · Score: 1

    I can't believe that no-one has mentioned RS232 stuff. Maybe your idea of "old and slow" includes writable CDs, zip drives and ethernet, mine doesn't. You'll need some way of getting data between two machines at some point, or just to debug a modem connection. Floppies are a pain in the *ass*, so a serial connection is a useful tool. It's less than 10 years ago that I was using this stuff daily (albeit for RS-422 hardware control).

    I'd take a selection of RS 232 cables, gender benders, 9 to 25-way adapters, null-modem cables, a copy of some DOS utilities like kermit and laplink, an RS-232 breakout box, and stuff like that. The breakout box lights when a line is high or low (different colours) allowing you to debug a serial connection. Ooh! Shiny!

    If you can get a couple of RS422 to RS232 converters you can drive much longer cables too.

    Some old keyboards (no PS/2 connectors), and serial mice might be useful too.

  20. Re:Save the PC - HIDE EVERYTHING on Advice for a Dad-To-Be? · · Score: 2, Insightful

    Not just PC's. Phones, answerphones, baby monitors, power outlet sockets, etc etc.

    My 2.5 YO phoned a client's voicemail today. I had locked my phone but he can power it off, then on, then the lock is off. Also, someone in our house regularly changes the OGM on the answerphone - I wonder who?

    Baby monitors have been plugged into the wrong transformers - bzzzt! (One of my kids put the feed from the transformer into their mouth once - they didn't do that again!)

    Radio alarm-clocks have been retuned or reset, lights blown by constant switching, and lots of tools lost around the house.

    Oh, hone up on your toy fixing skills too, every week something gets broken, whether it's a cracked plastic case or a leg off a chair from the doll's house.

    It sounds like chaos, and it is, often, but it's what life is all about.

    Some general advice: In the first few weeks, get all the rest you can (both of you), forget the chores unless you have to, take all the help you can (that's why you saved the chores), and try to savour the moments. Take some photos, get both parents in too.

    Oh, when they get to 18 months, they get *really* interested in water. Sometimes I wish I hadn't got ceramic valve taps, which even a 2 y.o. can turn on...

  21. Hoo-hah in british tabloids on Photographer Fired For Digitally Altering Photo · · Score: 1

    I recall a stink regarding a photo taken at a British racehorse meeting - there was a child in a wheelchair (it was a presentation of an award or something). The kid had got the paper - can't recall which one, but it was a tabloid - and they'd been edited out. Caused a big stink, on national news (TV and radio, and at least one other tabloid).

    Also, I recall a British council brochure where they'd edited in (or out, I can't recall which) black people into a brochure. Or was it a political party, not a council? I can't recall. But it probably happens more than you think. This one also was in the national news.

    Sorry, no URLs to hand.

  22. Re:other limitations.... on AOL will launch TiVo-like Mystro service · · Score: 1

    it seems like the tivo model is a wonderful example of distributed computing here!

    Tivo is an example of personal computing. You don't share any part of it with anyone (except people in your home).

  23. Re:other limitations.... on AOL will launch TiVo-like Mystro service · · Score: 4, Informative

    i realize that disk space is cheap, but this could be interesting! if a user (viewer?) is allowed 6 hours (i say six because you have 6hr miniseries) and this takes (a guess!) 10G and you have 10,000 viewers.... that's 100TB! damn.

    Wait a minute, they don't need to store each episode for everyone, they just keep one copy of it until everyone has removed it from their favourites, then it gets deleted.

  24. Re:GPL procedure? on Japanese Makers To Forge An Internet TV Standard · · Score: 1

    No no, the one where hardware companies release the code because they make 100% of their money selling hardware...

    They GPL the code so that the bugs can be fixed by unpaid OSS volunteers, and then incorporated into V2...

    Or am I just a cynic?

  25. Re:Screw what the boss says... on Citrix-Like Server for Linux? · · Score: 1

    The problem with using VNC to access Windows is that it violates your EULA. That's right, Microsoft has denied access to the competition through their EULA. Go read it some time. It's like Anti-Trust Law 101

    The MS issue is that the licence says you must use an XP machine to talk to XP - you can use vnc to do that if you want. See Here for details.

    For these guys, I guess that you'd have to confirm the OS of all remote desktop users and give them the same one as their remote desktop - XP home, XP professional, XP 2003 server, XP 2003 server datacentre...