Damn, why do we not lock our houses, leave our keys in our cars and while we are at it - stores won't need any employees, everyone can be trusted to pay before they leave. Wait, money is evil.
Such ideologies are better left on paper.
Why does a detailed account matter? The fact is that it happened. There are no excuses, and the potential ramifications of such a compromise are mind-boggling.
It was not the source of the crash that was mysterious but the cause of it.
Mirrors as a backup methodology have at least one fatal flaw which has been clearly exposed by this incident:
A mirror is a random (whenever the mirror was made) point-in-time backup. There is no assurance that, at any given point in time in the future, a mirror is available for a particular point in time in the past. As a result, the answer to the question "do we have a backup" resolves to "maybe". Generally this sort of answer makes people squirm.
In this particular situation the problem is exacerbated by the fact that every release from March until NOW needs to be reacquired from its source, because after March 2003 the source repository and its mirrors can no longer be considered safe.
Indeed, a very difficult situation to be in.
In order to answer "Yes" to the point-in-time question one must invest considerable cash in hardware and software to provide such backups.
I think then the question is: why is this just being discovered now? Why was it not considered a "risk" that an exploit was available in the period of time the machine was vulnerable to the time it was patched? On such a high profile system, I would think that the integrity of the system would be of the utmost concern. I understand that it takes time to do such things - but if FSF is in the "business" of distributing software for the world to use they'd better be in the business of protecting it too.
The only mysterious, horrible crashes that I've had on Windows 2000 have been because of my video card.
I'm sure they are watching - this can't possibly be ignored. The only way to stop SCO and the people involved in this SCAM is to prove that SCO's claims are, in fact, untrue. Until such time as that is proven the officers of the company are free to trade their shares so long as they do so in accordance with insider trading laws.
There is one thing that is glaringly fishy as far as insider trading goes... REGINALD CHARLES BROUGHTON is listed as conducting many trades over the last few months. Not only has he been selling existing shares, but the company keeps "Awarding" him stock, conveniently when the stock is at a low point. Sounds like our REGINALD is getting free stock from the company and selling it. It "feels" wrong, but I'm not a lawyer!
that holds so much weight in the software development community, the "recommendation" by Bradley Kuhn was rather terse. Moreover, his argument was not well-supported. His release read more as if he was simply bashing Apple's license. The first half of Bradley's statement reads as if he is supporting the new version of the APSL. Statements such as "The APSL 2.0, like the Affero GPL, seeks to defend the freedom...". Two thirds of the way through his statement we are hit with three bullet points stating why the APSL is "bad". Prefacing these bullet points is an unlinked reference comparing the APSL to the NPL. After the bullet points Bradley then goes on to state "For this reason, we recommend you do not release new software using this license". Bradley probably knows a great deal more about the APSL issue, but such a terse and unelaborated statement against adopting it is irresponsible. Especially coming from a representative of the organization that supposedly worked with Apple's lawyers to draft the new version of the License.
Furthermore - a company such as Apple is in the business of making money. In many ways operating a software business "is incompatible with the GPL." [kuhn]. It's nice to see - for a change - an organization that is at least making an effort to give back some of their innovations to the development community. The only other method of protecting their IP is through patent law, and we know how GNU feels about that (link on GNU's home page).
Instead of taking such a cynical and negative stance on an effort to change the way the software industry works - why don't we support it?
As with most vulnerabilities:
Notify the vendor via e-mail. Include all that you know about the vulnerability. Make at least several attempts to contact them.
If for some reason the vendor does not respond in a reasonable amount of time, post the vulnerability on the BugTraq mailing list (www.securityfocus.com); many software bugs are posted there along with their fixes. State that the vendor failed to contact you regarding a fix.
Use the media sparingly; if they are rude to you, let them have it. Considering the debacle with Diebold and the voting software, the media would certainly like to have a story about automated grading being haxered.
I'd suggest remaining anonymous during this process. No one likes to be told their software sucks :-)
Good Luck
Haven't we abused this poor machine enough? Just several weeks ago it was the victim of a slashdotting. Now once again the moderators seek to wipe its presence from the net.
Silly embedded computer, web serving is for servers.
and yet another half-assed, more complicated "standard" that not everyone will implement correctly and that will partially work but need to be fully supported. >:O
dude. get off y3r rinky dink ass pony. it's not even a horse. if you used quotas and permissions correctly you wouldn't have a problem with people dumping crapola where they shouldn't be. "defeat a virus on a WAN that spans 1000km". are you kidding me, over-glorified that task a bit didn't you? it's not like the virus lives on the wan. thinking that if you did your job right in the first place it wouldn't be a problem. After all, there ARE only 3 of you, your company can't be that big.
The FCC does something right. In fact, the FCC is doing what the PEOPLE want. 28 Million can't be wrong. Look what happens! They get sued by an entire industry. Thinking this says a great deal about the tenuous relationship the government has with business.
Don't forget his many forms. Personally, the Dog was my favorite.
Now we've found out what the RIAA is REALLY going to do with the money they steal from "innocent" youths! Buy air time on networks!!
Fsckd.
Really - quick and dirty is acceptable for things with a short lifetime. If it's something more lasting it's important to do it well. Ideally - you should develop a process that allows you to develop things rapidly - but correctly. Code these days can be more or less self-documenting if you use the right tools. As far as testing goes - it's up to the developers to test their code before incorporating it. If you develop/follow standard patterns then "quick and dirty" can be "quick and good".
If it's a PC and it runs XP... then its graphics language of choice is DirectX, OpenGL or another PC/Desktop compatible API. PC Game makers have been continually losing ground to the PC market. I think this is primarily because hardware is so rapidly obsolesced in the gaming world. The cost of a machine that lends itself to a reasonable "experience" costs too much to own/upgrade/purchase on an ongoing basis.
Enter the console - buy it, hook it up and play; very simple really, AND it works 99% of the time. The user does not have to worry about the console not performing well. It's not the end user's problem, it's the game maker's problem. Consoles are simple, and easy to use, and most importantly: Reliable. The choice of XP could render that last point a moot one. But this console could quite possibly be the bridge from the PC world to the Console world. I imagine that PC game makers would be anxious to retrofit their games to this piece of hardware. It makes a lot of sense from a business perspective. If you can't beat 'em (The console makers) join 'em.
Basically - most companies are not ready, don't have the system to support consumer-based selling from the U.S. to the rest of the world.
When I say "who" I mean organizationally, as I realize 99% of us geeks already use it.
I use safari and IE.
If I were the network designers I'd isolate the wireless access points to their own physical network that is disconnected from the wired network at the site. A machine or router would serve as the control point for all traffic from the APs to the wired LAN. This machine would also be responsible for negotiating the tunnels.
Right now IPSec should be the solution. Given what the question asker just posted it's pretty clear that 802.1x is "half baked" as far as a standard goes. IPSec however has been out for a while and its evils are pretty well known. Certainly not easy to set up, but as far as ubiquity goes, it's available on almost every platform. In addition - IPSec enhances not only the security of your wireless connections, it also enhances the security of the wired network. With a good certificate distribution infrastructure and a knowledgeable support staff IPSec is a viable alternative.
The IPSec tunnel is established between the two computers communicating. There would be no reason for the AP to do any processing other than what it already does - moving packets.
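The design sketched in the three comments above (APs on their own segment, one control box between that segment and the wired LAN, IPSec end to end between hosts) comes down to a packet-filter policy on the control box: let IKE and ESP cross the boundary, drop everything else. The nftables ruleset below is an added example, not part of the original comments, and follows the "tunnel between the two communicating computers" variant, so the gateway only forwards IPsec and never terminates it. Interface names wlan0/eth0 and the 10.20.0.0/16 (wireless) and 10.10.0.0/16 (wired) ranges are assumptions for illustration.

```nftables
# Added example, not from the original comments. Assumed layout:
#   wlan0 faces the isolated access-point segment, 10.20.0.0/16
#   eth0  faces the wired LAN,                     10.10.0.0/16
# Hosts negotiate IPsec with each other, so the gateway only has to pass
# IKE (UDP 500, and 4500 for NAT traversal) and ESP between the segments.
table inet wifi_gate {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for flows already accepted below.
        ct state established,related accept

        # Wireless -> wired: IKE negotiation and ESP payload only.
        iifname "wlan0" oifname "eth0" ip saddr 10.20.0.0/16 ip daddr 10.10.0.0/16 udp dport { 500, 4500 } accept
        iifname "wlan0" oifname "eth0" ip saddr 10.20.0.0/16 ip daddr 10.10.0.0/16 meta l4proto esp accept

        # Wired -> wireless: the same two protocols, so wired hosts can initiate.
        iifname "eth0" oifname "wlan0" ip saddr 10.10.0.0/16 ip daddr 10.20.0.0/16 udp dport { 500, 4500 } accept
        iifname "eth0" oifname "wlan0" ip saddr 10.10.0.0/16 ip daddr 10.20.0.0/16 meta l4proto esp accept

        # Anything else crossing from the wireless side is logged, then hits policy drop.
        # An unauthenticated client on the AP segment therefore never reaches a wired host in the clear.
        iifname "wlan0" oifname "eth0" log prefix "wifi-gate drop: " counter
    }
}
```

Load it with `nft -f` on the gateway. If the gateway terminates the tunnels itself instead (the "responsible for negotiating the tunnels" variant), the IKE and ESP accepts move to an `input` chain on the gateway's own address and the decrypted traffic is what gets forwarded to eth0; either way the wired LAN only ever sees packets that came through IPsec.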
I wonder what kind of column this N00b will write once he tries Panther on a G5? Look for August's installment: "The holy light befalls me!!!!".
And yet there will always be places to go - say france - if you want some vacation time :-)
I'm just being a grouch. The real truth of the matter is that if I had a month of vacation I couldn't take it. My j.o.b. keeps me very busy.
Mr. Zebra X
EOM