"kids" are unable to see the kind of damage they do. the real damage is gradual acceptance of (among other kids) and escalation of destructive practices over time.
I've been running an IRC-server for almost a decade and a lot has changed during that time. the number of users has exploded, and the severity of abuse has skyrocketed. many years ago most types of common abuse would only affect other IRC users. security/system administration staff would usually adopt a "this is an IRC-related problem and we don't care what goes on on IRC" attitude, which was fine back then. Annoying to IRC users, but still fair enough.
in the last 5-6 years the attacks have become a lot more serious. even ignorant people can launch attacks that effectively render the network unusable for hundreds of thousands of users; if not millions, and they do not even need to understand what they are doing -- on a technical level or otherwise.
however the willingness and ability to address the problem has not really improved that much. most ISPs don't care about being a good neighbor and I have even experienced cases where ISPs would look the other way because an abuser was a personal friend or coworker of people in the abuse-department of that ISP.
the attitude of many ISPs has contributed to legitimizing denial of service attacks to some degree by not taking any responsibility for keeping their back yard clean.
ironically enough this attitude will just end up hurting the ISPs themselves, since the erosion of boundaries between what is acceptable and what is not ultimately ends up costing them wasted bandwith, time and effort.
also, as someone else mentioned: IRC admins are not totally free of blame. most of the good ones don't really have enough time to deal with all the bullshit -- and as for the not so good admins and opers: well, what do you expect when most of them are in it just to have a sense of power?
finding good admins is hard. I've been trying to pass along the baton for some years now so I could quit maintaining the IRC server, but whenever I try to recruit opers and prospective future admins I either end up with good people who can't spare the time or I end up with a bunch of people who are just after that sense of "power".
IRC as such stopped being fun many years ago. The biggest tragedy is that although we probably should just stop offering the services altogether in order to put a stop to the waste of resources, we aren't. even though the usefulness of IRC has been diminished there will always be those who will keep it alive in some shape or form which means that to the feeble of mind the service will never "die" and thus they conclude that it is okay to keep doing whatever they do to wreck it.
the title lead me to believe that it might be an
article discussing how to design better webserver
software -- something which would have been
very interesting since it has been ages since I
saw a fresh take on that.
instead: another article on piecing together hardware. *sigh*
I suggest you pick up some litterature on, for instance, Oracle and learn a bit about it before you make assumptions. Constraints in general are
a bit more flexible than you appear to believe.
Since I do know a little bit about Oracle (no, I am by no means a guru, but I do know more about Oracle than most people who mention it on their bloated CVs), I'll try to center on some of the points other people apparently haven't mentioned yet.
I mainly use constraints (referential or otherwise) in order to improve the quality of both the database model itself and the code that will use it. since the database will let you know when you are about to do something that is going to make it inconsistent, you are able to quickly identify these cases and you are forced to fix them before you move on.
it also helps you understand your relational model. People will often forget simple things like making sure their foreign keys are not NULLable or even unique, or even removing the foreign key leaving orphans in child tables. this might make them think. "is this column really a good candidate for identity?", "the model makes sense in my head but not as a relational model, where did I go wrong?".
While developing my constraints are as anal as possible. Sure, in some cases they do kill performance, but at this stage performance should not be a priority. correctness should be the priority. (and quite contrary to what some joker said in this thread: no, your application won't outperform a RDBMS' integrity checks unless your database software is horribly broken).
much later, if needed for performance reasons you can then choose to drop constraints, but as long as your performance is good: keep them in there.
if you do drop them, re-add them from time to time to make sure that the database is consistent. if it isn't perhaps it was too early to take them out.
You don't need foreign keys to maintain referential integrity. A proper GUI, among many other things, can enforce this anyway.
No, it is not a good idea to leave data integrity to the application. Maintaining data integrity is the task of the database system.
Just consider the case where you have several applications using the same database server? You'll be faced with the task of maintaining several implementations of the code that ensures integrity and ensure that all applications implement the same rules at all times.
I can assure you that in most situations this would never work for anything more complicated than a trivial database.
In my experience most people who do not understand why the shortcomings of MySQL disqualify it from being a real RDBMS, and what this means, haven't really acquired much experience with anything other than MySQL or they simply do not bother to design their applications robustly. believe me, the latter is rather the norm than the exception.
I personally use MySQL a lot. despite its obvious shortcomings it is great for simple applications.
but for serious systems where losing data or inconsistencies would be unacceptable I would be crazy to use it.
Re:I'm metasceptic
on
Secure IRC?
·
· Score: 2, Insightful
Pay attention; I did not proclaim that I had
greater knowledge of cryptography than the author.
What I said was that the way in which the author
talks about SILC suggests to me that the author
is not experienced in designing or even describing
security systems. People who design security systems are usually more precise in their wording and more reluctant to make assumptions or vague statements.
As I also mentioned, I do not doubt that the author knows the "mechanics" of cryptography (ie. how things work in general, the basic underlying theory and how available libraries etc work). But knowing the mechanics of cryptography isn't even half of what is needed to create a security product. On the contrary, it might be dangerous because it lulls you into the false assumption that you actually know what you are doing.
What I do doubt is that the author has the scientific discipline to be self-aware in terms of understanding what types of weaknesses a design can have and how these should be weighted in terms of how they do or do not contribute to "security".
Since you drag me into the discussion I'd like to make a few comments:
First off, you do not have to be an opera singer
to point out that the prima donna can't hit half the notes she is reaching for. My observation
can be verified by merely analyzing how practitioners of cryptography, mathematics or even
security theorists express themselves. In particular you will find that when these people publish papers or describe their work they will strive to be precise and careful -- not vague
and self-confident.
Second, I do not proclaim that I have greater knowledge of cryptography than the author. I might have and then again I might not. It isn't really interesting. What I think I do know more about is what kind of mindset you need to have when approaching security solutions. Again, if this applies to me or not, or to what degree, is not really important. The only remotely relevant aspect is that I've done enough work with security solutions to be able to _recognize_ handwaving.
(Ideally most people should be able to recognize
someone having an under par grasp on a given subject matter, but unfortunately many people neither posess the academic discipline to evaluate what they see in a cool, objective way nor do they have the inclination to understand basic scientific principles you need to follow in order to arrive at valid conclusions.
This observation can trivially be made on Slashdot: how many people exhibit an almost religously strong preference for a particular system while at the same time exhibiting narrow or lacking knowledge of a particular field (eg. OSes, languages) at the same time? I'd say most users. Well, most of the vocal ones anyway).
Third, you reveal a compelling lack of comprehension as to what a useful contribution from me or someone else would be in this case. Your preoccupation with "finding an exploit" reveals a naive assumption that "it is just a matter of finding and plugging the holes".
The most important problem with the SILC white paper is that it implies that the author did not start by asking fundamental questions and find answers to them. Nor does it reflect an understanding of the importance of doing so when designing a security system. If he had, he would have started by stating the problem in a precise manner and presented a plan for solving the problem.
What he does in the whitepaper is to make general statements about how secure the system is, with contradictory notions sprinkled throughout.
For instance he says that the user must trust the server. Then he says the user can't really trust the server. Which is it? If the author can't even clarify what parts of the system you need to trust and what the criteria for trusting them are within the first few pages then what is this guy doing designing a security system? Because apparently he has no idea what he is doing.
I say that because I have found myself in exactly that situation many times; thinking that I know what I am doing because it didn't occur to me that I needed to question my assumptions.
If you are at least able to discover that you don't you've accomplished a lot. I am sorry to say though: not many people are.
And you do not need to hold a Ph.D in mathematics to understand that something is VERY wrong here.
I have spent a lot of time trying to understand
security systems. It is hard work and I still
do not consider myself a guru (although I do know that I probably know a hell of a lot more about what sort of discipline you must exercise when
designing security systems than most so-called "professionals"). Far from it.
But: I am very _aware_ of my limitations and I keep asking myself if I am basing something on assumptions or if I actually know something. I'd be appropriately reluctant to stick my neck by making statements I would be unable to back up when designing a crypto app.
I'm sceptic
on
Secure IRC?
·
· Score: 5, Interesting
I started reading the
"SILC Protocol White Paper" and I have to admit
that it I didn't make it further than a few pages
before I lost interest. Mainly because of the
language and what it told me.
I am not talking about the embarrasing
mutilation of the english language, but
the fact that you can tell from the
wording that the person who wrote it is
neither a cryptographer by profession or
someone who seems to have digested any
significant amount of litterature
related to cryptography or security in
general.
If you've read a good deal of scientific
papers on cryptography and related
areas, perhaps digested a couple of
books you can spot this quickly. People
who understand cryptography express
themselves quite differently. They
strive to be precise and they are much
more reluctant to call anything safe
without at the same time either giving
some measure of what they mean by "safe"
or pointing out limiting factors. And
God forbid: they'd never point their
finger at a complex system and say that
it was provably safe unless they could
actually prove it.
I doubt you'll ever se any formal
proof that SILC is secure.
I know most people would say "so what?".
A lot of people would even say "well,
you don't need a Ph.D to write a crypto
app" -- and they would be right. you
don't. however you still have to know a
bit about cryptography and a LOT about
how you avoid basing conclusions on
assumptions.
(Just ask Bruce Schneier if his book
"Applied Cryptography" suddenly lead to
more quality crypto software being written. Tip:
it didn't. It lead to more inept people writing
even more bad crypto software).
But you do need to understand what you
are doing to make any kind of valid
statement about what one should expect.
In any case, my point is that it takes a
certain kind of mindset to design and
implement anything having to do with
security. The aforementioned white
paper was apparently written by someone
who understands some of the mechanics
involved, but who doesn't seem to have
absorbed any of the intellectual
discipline good cryptographers convey in
their writings.
I was thinking about downloading the
thing and possibly install it, but if
the white paper is that naive, what is
the actual system going to be like?
Probably not worth the bother from a
security point of view, although one
might actually learn other things from
such a system (for instance their
approach to message routing etc. I don't
know I never got that far once it became
obvious to me that this was the wrong
place to look for a *secure* system)
So why am I writing this? To slam SILC?
Definitively not.
I'm writing it because most people
are too ignorant, or to arrogant about
their ignorance, to realize that they
probably wouldn't be able to tell a more
secure system from a less secure system.
Also, because I think it is important
that people try to make an effort to
understand what type of security
something provides -- ie. exactly what
does the system prevent and what doesn't
it prevent. I'd like people to *think*
instead of choosing their security
solutions the way most consumers choose
toothpaste.
the reason I like Debian is because unlike RedHat
you can expect things to work once something is
called "stable". my experience with RedHat over the years is that they are not very good at QA before releasing something. they are more bent on releasing *new* features (sound familiar) than actually solving old problems.
the RedHat 7.0 release illustrates this well. I have not seen such a shoddy OS release since Sun Solaris 2.2 (or was it 2.1? doesn't actually matter, because Solaris wasn't much to cheer about until several major releases later) or the first IRIX 5.x releases that shipped with the first INDYs.
RedHat 7 was the reason I changed to Debian, and having used Debian since then I have not wanted to go back to RedHat and their hellish world of RPMs, stupid incompabilities, package management that is able to self-destruct if you are not aware of the "right" way to upgrade things and the constant hassle of Alpha-quality software that requires Alpha-quality libraries and *staying* on the bleeding edge if you want to upgrade them.
I used RedHat for many years, so the psychological threshold for moving to Debian was rather high.
the Debian crowd comes across as less pragmatic and more idealistic, but in reality I'd say the Debian crowd are more competent AND more pragmatic in the sense that they strive to deliver something that will work -- while RedHat will ship any assortment of crap that, although not breaking right away, certainly will result in a messy system once you start to upgrade things.
I am immensely grateful for the decent job the Debian people have put into their distribution. they seem to do things properly or not at all. thanks guys, you make my days so much easier because I haven't needed to clean up any of the boxes where I have run Debian for several months now. that something just works and keeps on working without me having to unfuckify things every N weeks is sort of a novelty for me with Linux distributions.
as for RedHat, I have talked to a few people there and the only thing I can say is that nobody is interested in your excuses or promises to fix things. what is required is a change of attitude. you need to become more aware of quality, you desperately need more personel that have used other UNIXen. whenever you invent new things you are prone to do the job badly or at best half-way.
people want release quality work from an OS distribution.
as for developers, I think that the question is one of tradeoffs. it is good practice to re-use components rather than designing and writing your own. but, when the components on which you depend have not yet reached a stable release state or they are otherwise low quality or prone to conflicts or installation problems, you should avoid them. the reason so much of the software for Linux is in practive unusable is because the developers don't give two shits about the users. they are used to installing bleeding edge libraries every two days and they expect their users to do the same for the privilege of using their code.
I have made it a general rule never to rely on anything that isn't considered stable enough for inclusion in reasonable OS distributions. usually, FreeBSD STABLE and the stable releases of Debian. RedHat and derived distributions seem to lack the maturity for me to trust them implicitly.
sure, things might work well for a while, but in my experience a RedHat installation detoriates over time to the point where suddenly the system is so broken you need to re-install (sound familiar?). and yes, I have used RedHat for about as long as they have been around, so this is not your ordinary Debian-zealotry.
since I require things to install easily on a virgin system and without having to muck about with bleeding edge libraries a lot of "cool" things are never installed on my machines. for instance some "cool" file managers and browser never make it to my machines because the developers are unable to produce something that can be installed pleasantly.
To sum it up: the reason a lot of shared libraries under Linux are such a hell is because there are too many morons who develop software out there in a fashion where you have to upgrade and/or install all sorts of crappy, unfinished buggy libraries on a weekly basis.
this can be avoided if you want to. by being conservative and by not using things before they reach an acceptable level of stability.
I recommend people use stable releases of Debian and install all their software with apt. if you absolutely need something not avilable, make sure you install it in/usr/local along with all the other stuff it depends on but which doesn't come with the OS.
but the best thing is to be disciplined and just use a clean Debian system. I have YET to have any problems with Debian (about 10 machines which have seen much use for 6 months. with RedHat the machines should be ripe for re-install about now)
well, I think one of the more subtle point RMS is trying to make (without actually saying so directly) is that in the US all this talk about freedom is just that: talk.
americans seem to spend very much time in self-congratulatory celebration of their "democracy" and their freedom -- yet americans are in many ways more confined than regimes they consider to be un-free. it is really easy to buy into the idea of "freedom" if you know nothing else than the status quo.
Think about it: are you free? What freedoms do you enjoy? Are these freedoms _real_ or just percieved? What freedoms do you lack? Which freedoms are significant? Are you able to think _beyond_ current laws and legal principles and think about what is _morally_ better?
Most people are unable to.
I think RMS is trying to remind you that the US never turned out the way its founding fathers wanted it to, and it is ironic that you make orwellian references because orwellian is just what the US has become. The individual does not
matter.
The only important kind of entity in the US is the campaign-contributing and lobbying corporations. The well-being of the individual has not been an issue for a very, very long time.
I think Richard Stallman is being very helpful.
For almost two decades, people have gotten his
message wrong and he has patiently corrected them and tried to explain what he means. Still,
journalists and the majority of the open source hang-arounds have no idea what Stallman is all about. They haven't even bothered to read the GPL and think about what it _means_, and they certainly have spent no time learning the difference between what RMS says and what ESR says.
Richard Stallman has to repeat his message because people are too daft to understand it. that Allchin
doesn't get it is not very surprising, but that
the open source hangarounds don't get it is
downright disappointing.
if I were RMS, I'm not sure I would be so patient. I would probably blow up every now and then, when people don't bother to make the mental effort to understand exactly what he is talking about.
if at all possible get his focus AWAY from absorbing and make an effort to encourage him to do what other kids his age do.
chances are that he'll be one fucked-up kid by the time he is 20 if all the adults around him can think of is stuffing his brain like it was some cool new toy.
Why are people even worrying about this? Sun represents the old and largely failing UNIX industry where hardware vendors try to get a competitive edge over other vendors by being odd.
I think it's a miracle that Sun even exists today. Perhaps this goes to show how valuable a good brand name is. I mean, Sun hardware is expensive and delivers less bang for the buck than other hardware solutions -- yet they survive.
If you are going to listen to the generation of business people who did their best to run UNIX into the ground, to make it marginal, to make it expensive, to make it exclusive, you should have your head examined. These people were not responsible for the great UNIX surge of late. It wasn't because they did something great. They were just lucky to still be in business.
So when Ed Zander or Bill Joy talk about UNIX, or Linux or open source or even Java I can't really say I get very excited because I don't think they have much important to say.
So what if Linux fragments. It has fragmented already. There are many different Linux kernel projects and if people fail to see that this is beneficial to the Linux kernel development they need to get off the drugs they are on.
If Zander is trying to get attention by Metcalfing then so be it, but people should be able to recognize it for what it is.
Using MD5 to checksum an MP3 file is not very likely to produce the desired results. if people can't see that then I certainly wouldn't waste my time explaining it to them.
(oh, and I do know a thing or two about "fingerprinting stuff")
Some of the intellectually challenged journalists here in Norway have suggested that the event of open source developers having free access to the stolen code would be just what they wished for.
Oh boy are they wrong.
Imagine the stolen code surfaces on the net. Imagine Microsoft lawyers all of a sudden start targeting open source projects that are somehow related to the code that was stolen, accusing them of making use of the stolen code.
Microsoft is a large company with huge resources. Huge enough to take on the US department of justice. I am perfectly capable of imagining how Microsoft could strike a blow at the open source industry and leave it in a legal quagmire for years to come.
Notice how the signal/noise ratio drops dramatically when IRC is being discussed. With my settings only 16 out of 107 posts were above the threshold. If you wonder why IRC is no longer a suitable system for semi-reliable chat infrastructure it probably has to do with the fact that it apparently brings out the worst in a lot of people.
I would read the license before I leapt at it and developed something that actually uses this. Especially if you work for a commercial entity.
The license has a real NASTY ring to it and I would advise everyone to stay FAR away from this software until the license has been changed:
1. You are hereby granted a nonexclusive, royalty-free license to use the
Software subject to the terms and conditions of this License. You may use
the Software on any computer for any commercial or non-commercial or research
work, provided that you do the following: make available the source code used
in the project at the start of such project, and any changes in the source
during the course of the project, make available within 30 days of project
completion all data and results of your project for which you used the
Software, and if the project takes over 60 days to complete, or is continuous,
publish all data and results of such project every 60 days, or if this is
impractical, transmit the above to a third party, named by Licensor, to be
made a part of a public archive.
As soon as I read the license I deleted the CVS tree from my disk. I don't even want to be tempted to use this thing with its current license.
I think you are forgetting something: there is currently no software package easily available for the Palm that makes it a viable option to, say, the HP 48SX (which I have). Not only can I use my HP to solve equations, visualize functions, muck about with matrixes etc. -- I can also trust that the people who wrote the software knew what they were doing so that I do not get any unpleasant surprises.
Also, my HP calculator has a physical interface that makes it faster to use. It has keys, (and very good quality keys at that). Plenty of keys. A stylus interface can't compete with that. At least not nowadays.
Sure, they are all computers. PDAs, calculators, laptops. It is not about the CPUs, the amount of
memory etc. It is about the software they run and the kind of use their physical interface is best suited for.
The Palm Pilot is a poor substitute for my HP 48SX. (It is an even poorer substitute for my
girlfriend's HP 48GX).
This is just a case of the ill informed of one camp attacking the ill informed of a different camp.
Linux has a huge number of ignorant followers just like any other entity that has "followers". There is no point in bashing the opinions of ignorants.
Fred is right. Linux is not impenetrable, uncrashable, it is not the fastest and best OS in the world. Sure, it has a lot of ignorant fans who will say so, but that doesn't make it true. Just look at sports teams. They have their loyal fans. People who feel they belong to a clan of sorts. They'll even get into real fights with each other over which team is better. This is just the way primitive people behave. It's not new. We should know this by now, and we should certainly be able to identify it.
Fred Moody is either just trying to get some attention by attacking claims which are known to be exaggerated (or even untrue), or he actually believes that just because a bunch of "fans" think so, everyone must think it is so.
If the former is true, then Fred Moody is a sad troll in dire need of inspiration. If the latter is the case, well, then we don't have to pay attention to Fred Moody when he is metcalfing.
As for CmdrTaco: it wouldn't hurt to exercise some judgement. This is just another one of those Slashdot entries that are guaranteed to end up as a flamewar. You should know better than to devote any attention to something as unimportant as what Moody thinks just because a bunch of morons feel they have been attacked by someone badmouthing their OS.
I read it because I expected to find valid criticism, and all I found was pretty un-interesting flamebait. Not one bit of insight.
Pretty please with sugar on top: try to make an effort.
The first time I heard about identifying individuals by the way they type was 7 or 8 years ago. The system was supposed to monitor workstations in order to detect if an unauthorized user was using the workstation and apparently they had a very high success rate.
A more recent paper by Fabian Monrose and Aviel Rubin with the title Authentication via Keystroke Dynamics might enlighten those interested in this, and I am sure that you'll find some interesting references on the above web page.
Scepticism is often healthy, but when it comes to new ideas, "new" being used in a very relative sense here since the idea is apparently "new" to Slashdot staff, one should be more keen to understand them before writing them off.
IRCnet and EFnet used to be the same network. After a difference of opinion mainly between the european opers and the american opers, the network more or less split in half.
The predominantly american part of the two networks continued under the name EFnet, while the other half eventually became known as IRCnet.
It should be noted that IRC originated in Finnland, and most (if not all) of the *.fi servers originally on EFnet went to the european side (IRCnet).
But all this is really irrelevant. What is relevant is that an old part of Internet culture is in jeopardy, and that the anti-social behaviour of a bunch of people is allowed perpetuate their modus operandi unhindered because nobody really cares.
...nobody really cares until it lands on their doorstep, that is.
If you put a frog in hot water it'll jump out. If you put it in cold water and heat the water gradually it will boil to death
This is very much like what has happened to IRC -- the level of abuse as well as the level of severity of the methods has gradually risen during the past 10 years.
Although nobody likes to be reminded about it, most of you are newcomers to the net. Most of you have been here less than 10 years. Most of you cannot even remember the net before the web -- some of you may remember having used email of some sort before the net or downloaded shareware from BBS'es.
There has always been some level of abuse on IRC, that is correct, but you are painfully wrong if you think that the distributed denial of service attacks of today have always been used within the context of IRC. Although I would grant you that IRC has always attracted the worst among the anti-social elements of the net. This is where losers gather. This is where losers vindicate their sad lives and for a brief moment feel they are worth something when they reach out and screw up someone else's network.
A network someone has to pay for. It is just a question of time before more servers disappear. People don't need this kind of trouble. They don't need someone to punish them every day because they want to offer a free service to the community. Constant denial of service attacks, harassment, threats, internet connections that are bogged down -- it has to end somewhere.
Either people realize that this isn't cool or things like large IRC-networks will go away.
Being an IRC administrator myself I have often wondered why I am doing this. Why do I even bother? It would be far less trouble for me to say "okay, I've given you 7-8 years of my time offering you a service, but now I am taking too much crap for this so from now on I'm taking the server down and donating the hardware to charity". I can always create a smaller IRC network for me and my friends that generates NO trouble at all since next to nobody will ever hear about it.
But that's kinda sad. Not being able to talk to people you've known on IRC for nearly a decade. Having to limit access to something that was built to be open, to encourage people to meet new people and to chat.
I'm not so sure if the "strike" is the best way to deal with this. I am going to participate and take out my server, but I don't like having to do this. My hopes is that it will grab the attention of people, that the issue will become subject of discussion, perhaps even outrage. My hopes is that people won't just shrug and say "hey, it's just IRC". These anti-social elements should scare the living shit out of every organization trying to do business on the net. The press should not be surprised when companies like Yahoo and Amazon are overrun by these kids -- it was bound to happen sooner or later. It is a result of the apathy, the ignorance and inability of everyone to deal with this.
So before you shoot off your mouth too much about this, try to picture yourself in our place. Chances are, most of you have probably never walked a mile in our shoes, have never had to fight to justify the existence of the service you provide against people who are sick and tired of constant abuse because they happen to donate resources so that people can enjoy a free service.
I'm not expecting this to solve anything in the short run. Maybe it will make people think. Maybe it will help contribute to making people, and corporations on the net, more aware that unless something is done about this, the problem will only grow and it will spill over into other arenas.
And please, I've hard all the quick-fix schemes there are, about making IRC more totalitarian, give opers more personal power, or hope that ISPs will wake up and dedicate resources to hunt down anti-social elements if you just pound them with mail.
Think ahead. Think about real solutions instead of stop-gap measures.
Making people wake up is a good first step. If you think this is a solution, or that the participands of the strike think this is the solution, you are wrong. Failure within the context of this "strike" would be if nobody cared. (and of that happens I will have to consider ripping my hub server out of the wall and donating it to the salvation army, because if people don't really give a rat's ass about a service they use then there's no point in fighting for its existence).
Slashdot Mirror
I've been running an IRC-server for almost a decade and a lot has changed during that time. the number of users has exploded, and the severity of abuse has skyrocketed. many years ago most types of common abuse would only affect other IRC users. security/system administration staff would usually adopt a "this is an IRC-related problem and we don't care what goes on on IRC" attitude, which was fine back then. Annoying to IRC users, but still fair enough.
in the last 5-6 years the attacks have become a lot more serious. even ignorant people can launch attacks that effectively render the network unusable for hundreds of thousands of users; if not millions, and they do not even need to understand what they are doing -- on a technical level or otherwise.
however the willingness and ability to address the problem has not really improved that much. most ISPs don't care about being a good neighbor and I have even experienced cases where ISPs would look the other way because an abuser was a personal friend or coworker of people in the abuse-department of that ISP.
the attitude of many ISPs has contributed to legitimizing denial of service attacks to some degree by not taking any responsibility for keeping their back yard clean.
ironically enough this attitude will just end up hurting the ISPs themselves, since the erosion of boundaries between what is acceptable and what is not ultimately ends up costing them wasted bandwith, time and effort.
also, as someone else mentioned: IRC admins are not totally free of blame. most of the good ones don't really have enough time to deal with all the bullshit -- and as for the not so good admins and opers: well, what do you expect when most of them are in it just to have a sense of power?
finding good admins is hard. I've been trying to pass along the baton for some years now so I could quit maintaining the IRC server, but whenever I try to recruit opers and prospective future admins I either end up with good people who can't spare the time or I end up with a bunch of people who are just after that sense of "power".
IRC as such stopped being fun many years ago. The biggest tragedy is that although we probably should just stop offering the services altogether in order to put a stop to the waste of resources, we aren't. even though the usefulness of IRC has been diminished there will always be those who will keep it alive in some shape or form which means that to the feeble of mind the service will never "die" and thus they conclude that it is okay to keep doing whatever they do to wreck it.
article discussing how to design better webserver
software -- something which would have been
very interesting since it has been ages since I
saw a fresh take on that.
instead: another article on piecing together hardware. *sigh*
Since I do know a little bit about Oracle (no, I am by no means a guru, but I do know more about Oracle than most people who mention it on their bloated CVs), I'll try to center on some of the points other people apparently haven't mentioned yet.
I mainly use constraints (referential or otherwise) in order to improve the quality of both the database model itself and the code that will use it. since the database will let you know when you are about to do something that is going to make it inconsistent, you are able to quickly identify these cases and you are forced to fix them before you move on.
it also helps you understand your relational model. People will often forget simple things like making sure their foreign keys are not NULLable or even unique, or even removing the foreign key leaving orphans in child tables. this might make them think. "is this column really a good candidate for identity?", "the model makes sense in my head but not as a relational model, where did I go wrong?".
While developing my constraints are as anal as possible. Sure, in some cases they do kill performance, but at this stage performance should not be a priority. correctness should be the priority. (and quite contrary to what some joker said in this thread: no, your application won't outperform a RDBMS' integrity checks unless your database software is horribly broken).
much later, if needed for performance reasons you can then choose to drop constraints, but as long as your performance is good: keep them in there. if you do drop them, re-add them from time to time to make sure that the database is consistent. if it isn't perhaps it was too early to take them out.
No, it is not a good idea to leave data integrity to the application. Maintaining data integrity is the task of the database system.
Just consider the case where you have several applications using the same database server? You'll be faced with the task of maintaining several implementations of the code that ensures integrity and ensure that all applications implement the same rules at all times.
I can assure you that in most situations this would never work for anything more complicated than a trivial database.
In my experience most people who do not understand why the shortcomings of MySQL disqualify it from being a real RDBMS, and what this means, haven't really acquired much experience with anything other than MySQL or they simply do not bother to design their applications robustly. believe me, the latter is rather the norm than the exception.
I personally use MySQL a lot. despite its obvious shortcomings it is great for simple applications. but for serious systems where losing data or inconsistencies would be unacceptable I would be crazy to use it.
As I also mentioned, I do not doubt that the author knows the "mechanics" of cryptography (ie. how things work in general, the basic underlying theory and how available libraries etc work). But knowing the mechanics of cryptography isn't even half of what is needed to create a security product. On the contrary, it might be dangerous because it lulls you into the false assumption that you actually know what you are doing.
What I do doubt is that the author has the scientific discipline to be self-aware in terms of understanding what types of weaknesses a design can have and how these should be weighted in terms of how they do or do not contribute to "security".
Since you drag me into the discussion I'd like to make a few comments:
First off, you do not have to be an opera singer to point out that the prima donna can't hit half the notes she is reaching for. My observation can be verified by merely analyzing how practitioners of cryptography, mathematics or even security theorists express themselves. In particular you will find that when these people publish papers or describe their work they will strive to be precise and careful -- not vague and self-confident.
Second, I do not proclaim that I have greater knowledge of cryptography than the author. I might have and then again I might not. It isn't really interesting. What I think I do know more about is what kind of mindset you need to have when approaching security solutions. Again, if this applies to me or not, or to what degree, is not really important. The only remotely relevant aspect is that I've done enough work with security solutions to be able to _recognize_ handwaving.
(Ideally most people should be able to recognize someone having an under par grasp on a given subject matter, but unfortunately many people neither posess the academic discipline to evaluate what they see in a cool, objective way nor do they have the inclination to understand basic scientific principles you need to follow in order to arrive at valid conclusions.
This observation can trivially be made on Slashdot: how many people exhibit an almost religously strong preference for a particular system while at the same time exhibiting narrow or lacking knowledge of a particular field (eg. OSes, languages) at the same time? I'd say most users. Well, most of the vocal ones anyway).
Third, you reveal a compelling lack of comprehension as to what a useful contribution from me or someone else would be in this case. Your preoccupation with "finding an exploit" reveals a naive assumption that "it is just a matter of finding and plugging the holes".
The most important problem with the SILC white paper is that it implies that the author did not start by asking fundamental questions and find answers to them. Nor does it reflect an understanding of the importance of doing so when designing a security system. If he had, he would have started by stating the problem in a precise manner and presented a plan for solving the problem.
What he does in the whitepaper is to make general statements about how secure the system is, with contradictory notions sprinkled throughout.
For instance he says that the user must trust the server. Then he says the user can't really trust the server. Which is it? If the author can't even clarify what parts of the system you need to trust and what the criteria for trusting them are within the first few pages then what is this guy doing designing a security system? Because apparently he has no idea what he is doing.
I say that because I have found myself in exactly that situation many times; thinking that I know what I am doing because it didn't occur to me that I needed to question my assumptions.
If you are at least able to discover that you don't you've accomplished a lot. I am sorry to say though: not many people are.
And you do not need to hold a Ph.D in mathematics to understand that something is VERY wrong here.
I have spent a lot of time trying to understand security systems. It is hard work and I still do not consider myself a guru (although I do know that I probably know a hell of a lot more about what sort of discipline you must exercise when designing security systems than most so-called "professionals"). Far from it.
But: I am very _aware_ of my limitations and I keep asking myself if I am basing something on assumptions or if I actually know something. I'd be appropriately reluctant to stick my neck by making statements I would be unable to back up when designing a crypto app.
I am not talking about the embarrasing mutilation of the english language, but the fact that you can tell from the wording that the person who wrote it is neither a cryptographer by profession or someone who seems to have digested any significant amount of litterature related to cryptography or security in general. If you've read a good deal of scientific papers on cryptography and related areas, perhaps digested a couple of books you can spot this quickly. People who understand cryptography express themselves quite differently. They strive to be precise and they are much more reluctant to call anything safe without at the same time either giving some measure of what they mean by "safe" or pointing out limiting factors. And God forbid: they'd never point their finger at a complex system and say that it was provably safe unless they could actually prove it.
I doubt you'll ever se any formal proof that SILC is secure.
I know most people would say "so what?". A lot of people would even say "well, you don't need a Ph.D to write a crypto app" -- and they would be right. you don't. however you still have to know a bit about cryptography and a LOT about how you avoid basing conclusions on assumptions.
(Just ask Bruce Schneier if his book "Applied Cryptography" suddenly lead to more quality crypto software being written. Tip: it didn't. It lead to more inept people writing even more bad crypto software). But you do need to understand what you are doing to make any kind of valid statement about what one should expect.
In any case, my point is that it takes a certain kind of mindset to design and implement anything having to do with security. The aforementioned white paper was apparently written by someone who understands some of the mechanics involved, but who doesn't seem to have absorbed any of the intellectual discipline good cryptographers convey in their writings.
I was thinking about downloading the thing and possibly install it, but if the white paper is that naive, what is the actual system going to be like? Probably not worth the bother from a security point of view, although one might actually learn other things from such a system (for instance their approach to message routing etc. I don't know I never got that far once it became obvious to me that this was the wrong place to look for a *secure* system)
So why am I writing this? To slam SILC?
Definitively not.
I'm writing it because most people are too ignorant, or to arrogant about their ignorance, to realize that they probably wouldn't be able to tell a more secure system from a less secure system. Also, because I think it is important that people try to make an effort to understand what type of security something provides -- ie. exactly what does the system prevent and what doesn't it prevent. I'd like people to *think* instead of choosing their security solutions the way most consumers choose toothpaste.
the RedHat 7.0 release illustrates this well. I have not seen such a shoddy OS release since Sun Solaris 2.2 (or was it 2.1? doesn't actually matter, because Solaris wasn't much to cheer about until several major releases later) or the first IRIX 5.x releases that shipped with the first INDYs.
RedHat 7 was the reason I changed to Debian, and having used Debian since then I have not wanted to go back to RedHat and their hellish world of RPMs, stupid incompabilities, package management that is able to self-destruct if you are not aware of the "right" way to upgrade things and the constant hassle of Alpha-quality software that requires Alpha-quality libraries and *staying* on the bleeding edge if you want to upgrade them.
I used RedHat for many years, so the psychological threshold for moving to Debian was rather high. the Debian crowd comes across as less pragmatic and more idealistic, but in reality I'd say the Debian crowd are more competent AND more pragmatic in the sense that they strive to deliver something that will work -- while RedHat will ship any assortment of crap that, although not breaking right away, certainly will result in a messy system once you start to upgrade things.
I am immensely grateful for the decent job the Debian people have put into their distribution. they seem to do things properly or not at all. thanks guys, you make my days so much easier because I haven't needed to clean up any of the boxes where I have run Debian for several months now. that something just works and keeps on working without me having to unfuckify things every N weeks is sort of a novelty for me with Linux distributions.
as for RedHat, I have talked to a few people there and the only thing I can say is that nobody is interested in your excuses or promises to fix things. what is required is a change of attitude. you need to become more aware of quality, you desperately need more personel that have used other UNIXen. whenever you invent new things you are prone to do the job badly or at best half-way. people want release quality work from an OS distribution.
as for developers, I think that the question is one of tradeoffs. it is good practice to re-use components rather than designing and writing your own. but, when the components on which you depend have not yet reached a stable release state or they are otherwise low quality or prone to conflicts or installation problems, you should avoid them. the reason so much of the software for Linux is in practive unusable is because the developers don't give two shits about the users. they are used to installing bleeding edge libraries every two days and they expect their users to do the same for the privilege of using their code.
I have made it a general rule never to rely on anything that isn't considered stable enough for inclusion in reasonable OS distributions. usually, FreeBSD STABLE and the stable releases of Debian. RedHat and derived distributions seem to lack the maturity for me to trust them implicitly. sure, things might work well for a while, but in my experience a RedHat installation detoriates over time to the point where suddenly the system is so broken you need to re-install (sound familiar?). and yes, I have used RedHat for about as long as they have been around, so this is not your ordinary Debian-zealotry.
since I require things to install easily on a virgin system and without having to muck about with bleeding edge libraries a lot of "cool" things are never installed on my machines. for instance some "cool" file managers and browser never make it to my machines because the developers are unable to produce something that can be installed pleasantly.
To sum it up: the reason a lot of shared libraries under Linux are such a hell is because there are too many morons who develop software out there in a fashion where you have to upgrade and/or install all sorts of crappy, unfinished buggy libraries on a weekly basis.
this can be avoided if you want to. by being conservative and by not using things before they reach an acceptable level of stability.
I recommend people use stable releases of Debian and install all their software with apt. if you absolutely need something not avilable, make sure you install it in /usr/local along with all the other stuff it depends on but which doesn't come with the OS.
but the best thing is to be disciplined and just use a clean Debian system. I have YET to have any problems with Debian (about 10 machines which have seen much use for 6 months. with RedHat the machines should be ripe for re-install about now)
read what I wrote again. you missed something namely if the freedom is real or percieved. *think* about it.
americans seem to spend very much time in self-congratulatory celebration of their "democracy" and their freedom -- yet americans are in many ways more confined than regimes they consider to be un-free. it is really easy to buy into the idea of "freedom" if you know nothing else than the status quo.
Think about it: are you free? What freedoms do you enjoy? Are these freedoms _real_ or just percieved? What freedoms do you lack? Which freedoms are significant? Are you able to think _beyond_ current laws and legal principles and think about what is _morally_ better?
Most people are unable to.
I think RMS is trying to remind you that the US never turned out the way its founding fathers wanted it to, and it is ironic that you make orwellian references because orwellian is just what the US has become. The individual does not matter.
The only important kind of entity in the US is the campaign-contributing and lobbying corporations. The well-being of the individual has not been an issue for a very, very long time.
Richard Stallman has to repeat his message because people are too daft to understand it. that Allchin doesn't get it is not very surprising, but that the open source hangarounds don't get it is downright disappointing.
if I were RMS, I'm not sure I would be so patient. I would probably blow up every now and then, when people don't bother to make the mental effort to understand exactly what he is talking about.
chances are that he'll be one fucked-up kid by the time he is 20 if all the adults around him can think of is stuffing his brain like it was some cool new toy.
I think it's a miracle that Sun even exists today. Perhaps this goes to show how valuable a good brand name is. I mean, Sun hardware is expensive and delivers less bang for the buck than other hardware solutions -- yet they survive.
If you are going to listen to the generation of business people who did their best to run UNIX into the ground, to make it marginal, to make it expensive, to make it exclusive, you should have your head examined. These people were not responsible for the great UNIX surge of late. It wasn't because they did something great. They were just lucky to still be in business.
So when Ed Zander or Bill Joy talk about UNIX, or Linux or open source or even Java I can't really say I get very excited because I don't think they have much important to say.
So what if Linux fragments. It has fragmented already. There are many different Linux kernel projects and if people fail to see that this is beneficial to the Linux kernel development they need to get off the drugs they are on.
If Zander is trying to get attention by Metcalfing then so be it, but people should be able to recognize it for what it is.
(oh, and I do know a thing or two about "fingerprinting stuff")
Oh boy are they wrong.
Imagine the stolen code surfaces on the net. Imagine Microsoft lawyers all of a sudden start targeting open source projects that are somehow related to the code that was stolen, accusing them of making use of the stolen code.
Microsoft is a large company with huge resources. Huge enough to take on the US department of justice. I am perfectly capable of imagining how Microsoft could strike a blow at the open source industry and leave it in a legal quagmire for years to come.
-Bjørn
As soon as I read the license I deleted the CVS tree from my disk. I don't even want to be tempted to use this thing with its current license.
I sure hope they won't use Word to create the files...;-)
Also, my HP calculator has a physical interface that makes it faster to use. It has keys, (and very good quality keys at that). Plenty of keys. A stylus interface can't compete with that. At least not nowadays.
Sure, they are all computers. PDAs, calculators, laptops. It is not about the CPUs, the amount of memory etc. It is about the software they run and the kind of use their physical interface is best suited for.
The Palm Pilot is a poor substitute for my HP 48SX. (It is an even poorer substitute for my girlfriend's HP 48GX).
Linux has a huge number of ignorant followers just like any other entity that has "followers". There is no point in bashing the opinions of ignorants.
Fred is right. Linux is not impenetrable, uncrashable, it is not the fastest and best OS in the world. Sure, it has a lot of ignorant fans who will say so, but that doesn't make it true. Just look at sports teams. They have their loyal fans. People who feel they belong to a clan of sorts. They'll even get into real fights with each other over which team is better. This is just the way primitive people behave. It's not new. We should know this by now, and we should certainly be able to identify it.
Fred Moody is either just trying to get some attention by attacking claims which are known to be exaggerated (or even untrue), or he actually believes that just because a bunch of "fans" think so, everyone must think it is so.
If the former is true, then Fred Moody is a sad troll in dire need of inspiration. If the latter is the case, well, then we don't have to pay attention to Fred Moody when he is metcalfing.
As for CmdrTaco: it wouldn't hurt to exercise some judgement. This is just another one of those Slashdot entries that are guaranteed to end up as a flamewar. You should know better than to devote any attention to something as unimportant as what Moody thinks just because a bunch of morons feel they have been attacked by someone badmouthing their OS.
I read it because I expected to find valid criticism, and all I found was pretty un-interesting flamebait. Not one bit of insight.
Pretty please with sugar on top: try to make an effort.
And there is no GUI available to Linux? I think you need to look again. -Bjørn
A more recent paper by Fabian Monrose and Aviel Rubin with the title Authentication via Keystroke Dynamics might enlighten those interested in this, and I am sure that you'll find some interesting references on the above web page.
Scepticism is often healthy, but when it comes to new ideas, "new" being used in a very relative sense here since the idea is apparently "new" to Slashdot staff, one should be more keen to understand them before writing them off.
-Bjørn
The predominantly american part of the two networks continued under the name EFnet, while the other half eventually became known as IRCnet.
It should be noted that IRC originated in Finnland, and most (if not all) of the *.fi servers originally on EFnet went to the european side (IRCnet).
But all this is really irrelevant. What is relevant is that an old part of Internet culture is in jeopardy, and that the anti-social behaviour of a bunch of people is allowed perpetuate their modus operandi unhindered because nobody really cares.
-Bjørn
This is very much like what has happened to IRC -- the level of abuse as well as the level of severity of the methods has gradually risen during the past 10 years.
Although nobody likes to be reminded about it, most of you are newcomers to the net. Most of you have been here less than 10 years. Most of you cannot even remember the net before the web -- some of you may remember having used email of some sort before the net or downloaded shareware from BBS'es.
There has always been some level of abuse on IRC, that is correct, but you are painfully wrong if you think that the distributed denial of service attacks of today have always been used within the context of IRC. Although I would grant you that IRC has always attracted the worst among the anti-social elements of the net. This is where losers gather. This is where losers vindicate their sad lives and for a brief moment feel they are worth something when they reach out and screw up someone else's network.
A network someone has to pay for. It is just a question of time before more servers disappear. People don't need this kind of trouble. They don't need someone to punish them every day because they want to offer a free service to the community. Constant denial of service attacks, harassment, threats, internet connections that are bogged down -- it has to end somewhere.
Either people realize that this isn't cool or things like large IRC-networks will go away.
Being an IRC administrator myself I have often wondered why I am doing this. Why do I even bother? It would be far less trouble for me to say "okay, I've given you 7-8 years of my time offering you a service, but now I am taking too much crap for this so from now on I'm taking the server down and donating the hardware to charity". I can always create a smaller IRC network for me and my friends that generates NO trouble at all since next to nobody will ever hear about it.
But that's kinda sad. Not being able to talk to people you've known on IRC for nearly a decade. Having to limit access to something that was built to be open, to encourage people to meet new people and to chat.
I'm not so sure if the "strike" is the best way to deal with this. I am going to participate and take out my server, but I don't like having to do this. My hopes is that it will grab the attention of people, that the issue will become subject of discussion, perhaps even outrage. My hopes is that people won't just shrug and say "hey, it's just IRC". These anti-social elements should scare the living shit out of every organization trying to do business on the net. The press should not be surprised when companies like Yahoo and Amazon are overrun by these kids -- it was bound to happen sooner or later. It is a result of the apathy, the ignorance and inability of everyone to deal with this.
So before you shoot off your mouth too much about this, try to picture yourself in our place. Chances are, most of you have probably never walked a mile in our shoes, have never had to fight to justify the existence of the service you provide against people who are sick and tired of constant abuse because they happen to donate resources so that people can enjoy a free service.
I'm not expecting this to solve anything in the short run. Maybe it will make people think. Maybe it will help contribute to making people, and corporations on the net, more aware that unless something is done about this, the problem will only grow and it will spill over into other arenas.
And please, I've hard all the quick-fix schemes there are, about making IRC more totalitarian, give opers more personal power, or hope that ISPs will wake up and dedicate resources to hunt down anti-social elements if you just pound them with mail.
Think ahead. Think about real solutions instead of stop-gap measures.
Making people wake up is a good first step. If you think this is a solution, or that the participands of the strike think this is the solution, you are wrong. Failure within the context of this "strike" would be if nobody cared. (and of that happens I will have to consider ripping my hub server out of the wall and donating it to the salvation army, because if people don't really give a rat's ass about a service they use then there's no point in fighting for its existence).
-Bjørn
do any mirrors carry it yet? I'm having a hard time fetching it from the FTP server at Netscape.
-Bjørn
I recommend that you pick up a copy of W. Richard Stevens' "TCP/IP Illustrated volume 1" and read it. please.