Slashdot Mirror


User: mdb31

mdb31's activity in the archive.

Stories: 0
Comments: 57

Comments · 57

  1. Re:Stupid, stupid, stupid... on BIND Security Info For "Members Only"? · · Score: 1
    Yeah, right. By now, just about every square bit of BIND has been scrutinized by hundreds of people for possible buffer overflows etc. Same goes for Sendmail, BTW. (Note: they apparently still missed some!)

    Do you really think that even someone with the god-like (cough, cough) capabilities of Daniel Bernstein is capable of performing a similar review all on his own?

    Good, I didn't think so either...

  2. Won't help the "general user", at least not a lot on BIND Security Info For "Members Only"? · · Score: 5
    You're reading this wrong: Vixie is proposing to form this 'support group' in response to criticism that only the root and some TLD server operators were notified in advance about the latest BIND emergency fix release. A lot of people were asking "why weren't we told in advance about these bugs?", and this is the answer. This proposed group (now with public membership rules instead of a "secret handshake") would know about new BIND emergency maintenance releases a few days/weeks before they would be generally available, allowing them to safely upgrade.

    This is not about doing away with full disclosure: merely delaying it to make sure that critical parts of the Internet infrastructure can't be easily brought down by K3WL RAD SCR1PT K1DD13S. For "regular" users, this won't make a difference: even if they receive advance notification (say, 1 or 2 days), as soon as the new version hits the FTP server, every "hacker" idiot will be out there diffing the new version against the old and finding the security flaws.

    Exploits will still be on Bugtraq in a few hours, and the usual legions of K3WL RAD SCR1PT K1DD13 L00SERS will be on your servers anyway soon after that. The proposed group would just make sure the really important servers are difficult to exploit and that your vendor might have a fixed version available at the same time the new general BIND (in source format...) is.

    I don't feel great about this, but only because I'm asking myself what happened to the Internet where users used to care, not mindlessly destroy each other's networks...

  3. K3wl!!! on Spammer Gets Spammed · · Score: 1
    Yeah, great -- just keep sending back those brick-filled envelopes, so more and more companies will stop using postage-paid envelopes and I'll have to use more and more of my own stamps for stuff like, oh, mailing checks to my cable company.

    Every cool hack has a downside...

  4. Re:We'll have to see and wait... on Is Tuxtops' Next Project Custom Disk Images? · · Score: 1
    (OK, I know it's pretty sad to follow up to your own posts, but I can already smell the flames...)

    P.S. Note that the subject is a poor attempt at humor, not the result of my limited command of the English language.

    (The point is that TuxTops' intentions will be discussed to death on Slashdot before anyone even knows what the product is. Whatever...)

  5. We'll have to see and wait... on Is Tuxtops' Next Project Custom Disk Images? · · Score: 1
    Since they haven't announced their new product yet, it's a bit difficult to guess what TuxTops is going to do, but I sincerely hope it's better than "a distro that installs really easily on your notebook".

    After all, recent distributions already do quite a good job running on notebooks themselves (even RH7 worked fine on both my portable machines...), so the competitive advantage of such a thing might be small -- and getting smaller fast.

    I guess the coolest possible outcome would be something like "Ghost meets PartitionMagic meets (RedHat,SuSe,...) Linux" where they would make it really easy to quickly deploy Linux onto systems that may or may not have an existing OS that needs to be preserved and where they would take care of special driver needs.

  6. OK, so it's cheap... on New Machines From Sun · · Score: 1
    I'm really happy to see that Sun is joining the 1U fray in non-Cobalt-related ways. But, really: no multiprocessor support? No hardware RAID??

    Granted, at $1000 a piece, you can afford to cluster these thingies, but I still feel a lot better about my Compaq DL360s. With 2 Pentium IIIs, hardware RAID1 SCSI drives and a Remote Insight board, these puppies rock for serious use in remote data centers. Sun's current offering is a bit too departmental for me...

  7. Follow the money... on Altavista's Planned Patent Lawsuits · · Score: 2
    Well, it's obvious: CMGI cares about CMGI *a lot*, mainly about its share price. Funny enough, a higher valuation for AltaVista would improve that metric a lot.

    So, why not sue a few hapless competitors based on trivial patents? Perhaps this will somehow trick investors into thinking AV is doing something profitable and/or the perverse US legal system will actually *make* them profitable...

  8. Yeah, whatever... on Study Links Cell Phones and Eye Cancer · · Score: 1
    The study doesn't look too authoritative (I mean, it's the first one to notice this effect, and with a sample size of a whopping 118 patients, I can see some room for error...), but I really could care less about all this cellphone-radiation-brain-heating-cancer crap.

    Why? Because there is an easy solution to the entire 'problem' already! Use a hands-free (earpiece/microphone) set: it's safe in traffic (heck, in lots of countries it's The Law) and you can keep your cellphone away from your precious brain cells.

    I keep my Nokia in my pocket all the time, and apart from people who are confused about who exactly I'm talking to, all is fine...

  9. Shame about the risk... on Space Tourism · · Score: 1
    If it weren't for the high risk involved with space flight, this would be the ultimate 'team building' experience for bored SillyValley dwellers. After all, what better place to really get to know your coworkers than in outer space?

    Shame this will never happen, though. No exec would be willing to explain why he just lost the entire engineering department in an unfortunate launch mishap...

  10. Will GTK become Yet Another X? on GTK+ without X! · · Score: 3
    While I see why this development is cool and might solve performance problems for some individual applications right now, I'm not too sure about the long-term gains for all users here. Consider the following:

    1. As long as there are still 'legacy' X apps, you'll need to run X anyway;

    2. If GTK+ gets 'enhanced' to do some handy things X does right now (like, oh, IPC/RPC-based stuff), won't it just become another X, minus the compatibility with zillions of existing apps?

    Don't get me wrong, I'd love to see the architectural disaster that is X go, but I'm not too sure that GTK+ is the right way to achieve this...

  11. PLEASE focus on functionality! on Interview with Miguel de Icaza · · Score: 5
    OK, now that the link topic has been beaten to death, perhaps a good time to discuss some of the article's content. What really annoyed me was the focus on the free availability of the software over actual functionality, as in:

    From a pure free software perspective, Evolution is designed to be the best mail and personal information manager free software product

    I'm pretty sure that most users, and especially those coming from the Windows platform, couldn't care less. Software like Outlook Express has been free for ages, so that's pretty much the norm (not the exception) for this kind of software.

    Having used Evolution for a while, I'm really, really happy with this product - it's the first viable replacement for the POS Netscape mail client I've ever seen. However, I think that a focus on how GNU-compliant the software is doesn't help anyone: let's work to make this the best mail client available anywhere, period!

    I know of a lot of Solaris users who wouldn't mind paying a sizable client license fee for a working GUI mail client equivalent to Outlook Express but without the enormous overhead of the Microsoft product (or even the Netscape client, for that matter...)

  12. Sorry, never made it past the opening paragraphs.. on The Pentium IV Dissected · · Score: 2
    Hmm, after reading the opening paragraphs, full of over-the-top language, including the demand to BOYCOTT ALL INTEL PRODUCTS (caps used by the original author...), I kinda lost interest.

    Although I'm sure the author knows a lot about processors, he is so obviously biased against Intel (and towards AMD) that getting any information from this article is like learning about Linux from Microsoft.

    What this guy needs is a good editor, and perhaps a few chill pills...

  13. Re:Scientist's union opinion, anyone? on Using Distributed Wetware To Analyze Mars Craters · · Score: 1

    You miss my point: even menial tasks at least expose people to a Real Scientific Environment, etc. etc. Circling craters at NASA during college might very well get you some valuable contacts/ideas/etc. as a beginning scientist. If that work is farmed out to Internet volunteers, that aspect is pretty much lost.

  14. Scientist's union opinion, anyone? on Using Distributed Wetware To Analyze Mars Craters · · Score: 1
    Hmm, wonder what the scientist's union would have to say about this. I mean: outsource labor to unpaid Internet volunteers, eliminating valuable NASA positions for junior scientists? I know classifying craters for a few months is the most menial and possibly boring work imaginable, but programs like this might cause many graduates *not* to get valuable working experience in a scientific organisation.

    I might be wrong about all this, but I still don't have a good feeling about projects like these...

  15. Yeah, I'm not sure why they say that... on Postcard From The Real-Time Linux Workshop · · Score: 2
    I'm not sure what the author of the paper intended. There are indeed a bunch of RTOSes already that offer memory protection, provided they're run on a chip with a decent MMU (QNX, OSE, VxWorks etc. on a PowerPC or Intel >=386, for example).

    You could argue that the process of doing table lookups for each memory access makes things less "real-time", but unless you're dealing with a really slow/primitive chip (which, remember, a lot of older RTOSes had to do...), it shouldn't be too much of an issue...

  16. Re:airplane use of cell phones and PDAs on Linux Cell Phone/PDA · · Score: 2

    Oh, that would be like the 'flight mode' feature on my Nokia 9150 cell phone/PDA?

  17. Microsoft already OWNS *ix source code... on Petreley On Microsoft And Linux · · Score: 2

    Ehm, not to ruin a perfectly good conspiracy theory, but: Microsoft already owns the source code for a full *ix implementation. It's called Microsoft XENIX, and they used to market it way back when Unix was still considered a possible follow-up to DOS 1.x. From what I remember, it was a piece of crap, but if MS truly wanted to, they could legally have all the Unix source code they wanted in their products...

  18. If I can choose the metric... on How Many Applications Depend On Windows? · · Score: 1

    Typical case of "if you let me choose the metric, I can come up with any number I want". As with many "studies", they just looked for numbers to support a pre-defined conclusion. If you think about it for, like, 3 seconds, you'll realize that the "number of applications written" is a totally irrelevant figure for *any* OS, Linux included. It doesn't *mean* anything, simply because it's impossible to define "application".

    Does the "Hello world" sample cited by other posters count as an application? Does a throw-away internal utility written in Perl? If I write something in Perl and run it on a Windows box, does that count as a Windows application?

    I doubt that Microsoft will support this figure, BTW: if they want to count the number of applications written for Windows, they'll no doubt take a look at the number of Windows logo certified apps, as well as at the number of applications worth mentioning in their solutions directory developed by their authorized solution providers.

    But, all conspiracy theories(tm) aside, I really don't see the point of this metric at all. Does anyone really need any convincing that Windows is the dominant consumer/corporate desktop OS? Really??

  19. As always: it depends on ISPs Victimizing DoS Victims? · · Score: 2
    I don't think 'censorship' is the right classification of this ISP behavior: 'lack of spine' might be more accurate. If an individual user causes disruption of a shared infrastructure (i.e. the ISP network) on a large scale, something needs to be done. Now, I'm definitely not advocating account termination (some temporary traffic filters at the edge of the ISP network are just so much more friendly), but in cases where filtering is infeasible, taking content down until the script kiddies go away may not be unreasonable.

    The unavoidable point here is that, from an ISP's point of view, people soliciting abuse are almost as bad as the ones causing it: they just want the trouble to go away. Some user cooperation is a good thing here, and may avoid kneejerk reactions like account termination (which, just to reiterate, is stupid and wrong...)

  20. Nothing really new here on Mac OS Mach/BSD Kernel Inseparable · · Score: 2
    I'm not sure there is a reason for the *ix community to get all excited about this. Since Apple is still 100% committed to their highly proprietary hardware platform (remember, they killed all clones just last year!), all that the BSD kernel gives Mac users is better multitasking --which has been long overdue-- and the ability to run *ix utilities (nice for sysadmins, but totally irrelevant for the typical Mac end-user).

    There will be no cool Mac software coming back to the *ix community because of this, since all that cool software will still be tied to Apple's proprietary APIs that in turn are tied to their proprietary hardware. It's as simple as that: even Windows stuff will be easier to port than OS/X apps.

  21. To publish or not to publish... on Judge Rakoff Explains MP3.com Ruling · · Score: 1
    To me, the real issue here seems to be whether mp3.com is --in a legal sense of the word-- publishing the record companies' intellectual property.

    Proponents of their scheme will argue they are not, and that they're simply giving consumers access to their licensed copy of the property, which definitely falls under fair use.

    However, given the fact that the Internet is involved (a public network if there ever was one) and that the potential for abuse is huge, the record companies argued that MP3's actions constitute publication, something that doesn't fall under fair use in any circumstance.

    I can't blame the judge for going with the latter argument: MP3.com's system would need much better security before it would be workable. I still like the idea, though...

  22. Show Me The Metrics! on Why Do Open Source? · · Score: 4
    It's easy to get all sarcastic about this paper, but I think it would be an interesting exercise to come up with some truly convincing reasons to do Open Source, as well as the numbers to support them.

    I mean, the FSF is quite clear about what it wants to achieve, and questionable though those goals might be for some, it at least gives them a purpose. What is the goal in life for the Open Source movement?

    Could Linux have succeeded as a closed source product, if the same brilliant team of developers could have been assembled and convinced to release the product for free? Or Apache? Why does a seemingly brilliant Open Source project like Mozilla only enjoy such limited success?

    And: How many people are actually taking advantage of the Source part of the Open Source equation, not just the Open/Free part? Is there anything more to the Linux hype than that it provides low-income hackers with cool stuff to play with?

    Now, don't get me wrong: although the questions are a bit tainted, this is definitely not flamebait. Having some real answers and real statistics here would really help a lot to advance Open Source. If you're a college student in the IT or statistics field, this sounds like a great project to me...

  23. The Linux community should not revert to FUD! on Microsoft -- Designed for Insecurity · · Score: 5
    This article annoys me to no end. First of all, as has already been pointed out, there is no backdoor: the only thing that happened is that someone managed to get access to a poorly secured site and alerted every major newswire to the 'backdoor' he found before checking whether one actually existed.

    Stripped of all the hype, the worst thing to come out of this is that, apparently, the string "Netscape engineers are weenies!!", reversed, is used in an obsolete version of a Microsoft support DLL (which, BTW, may have its roots in non-Microsoft legacy FrontPage code...) as a 'secret' to 'encrypt' web pages in transit. This is definitely a bad security design (as well as childish), but in this case it happens not to hurt anybody (except perhaps the ego of the few remaining Netscape engineers :-)

    The kicker in this article is the claim that there would never be anything like this in the "BIND library" -- well, the library might not have any issues, but BIND itself sure has been the source of a number of root exploits so far, and there is no guarantee whatsoever that this won't happen again in the future.

    FUD should not become a standard for Linux advocacy...

  24. FUD from both 'sides'... on 'Experts' Back To Claiming Open Source Insecure · · Score: 1
    OK, everyone who knows anything about open source knows that this article isn't worth the electrons it's rendered with.

    HOWEVER, why is there in each article like this also an "open source advocate" who claims that "patches from Microsoft take months to appear!", which is simply not true either!

    For open source to be taken seriously, it's equally important that this kind of FUD stops as well. It's OK to claim that "you're at Microsoft's mercy for patches", but please wake up and recognize the fact that even MS is making serious attempts at keeping their software secure.

    As for the rest of the issue: the best way to keep software secure is through exhaustive source reviews. Open source software makes that really easy...

  25. Re:It's Windows' problem, not AOL's on AOL 5 Gets $8 Billion Class Action Suit · · Score: 1
    Ac-tually, NT5 and Win98SE both support side-by-side libraries, which is kinda the *nix shared library model, as well as COM redirection to resolve versioning conflicts.

    But then again, what AOL is doing is deliberately mucking up your system configuration, which is not something you can do much about under Win95/98, or any other OS without file-level security, really...

    Having 'proper' shared libraries wouldn't solve the problem either, since it's the *configuration* that gets hosed. AOL would have no problem achieving the same thing on most Linux boxes.