Because the borders down the street from me has a nice collection of O'Reilly books, not to mention a bazillion other computer books, and I would have hated to have to go somewhere else to steal my books.
Umm, yes, a totally stripped down and trimmed version of linux could run in 16MB, but a fully fledged and usable version? I doubt if it could fit in 16MB.
The idea is to put a minimal kernel (no apps) in the 16MB, and then DLKM the rest. Actually, my idea was to put a minimal linux with just enough support to run freemware or some other vmware-like product, directly in the kernel. I have no idea how much space that would take, though. It's basically a microkernel architecture, the meat of the OS (filesystems, networking support, etc) would go on top of it. Besides booting quickly, you'd hardly ever need to reboot in the first place, because the majority of the code will be dynamically loadable.
You can't just do that load-a-memory-image trick because all of the devices in the system need to be in the exact same state that the drivers think that they are in.
I did this all the time with vmware. I suspend the linux to disk, reboot windows, then resume. The TCP gets a little messed up, but it's quite simple to just bring the interface down and then up again. Pending disk I/O is presumably flushed before halting the OS execution, I'm not sure exactly how they do it but they do, and I'd imagine most of their work is spent making it compatible with guest operating systems, if you had the actual support of the guest operating system it'd be a lot easier.
The only potential problem I see for this approach is with gaming. Perhaps it could be worked around with raw I/O access and direct screen writes, or maybe you'd have to modify the intel architecture itself, I'm not sure. But other than gaming, introducing a small amount of latency into system calls is worth it IMHO for the gain in reliability. Again, I'm running windows on vmware on linux and I am noticing zero problems. This on a 500Mhz celeron with half a gig of memory (256 megs dedicated to windows). An earlier article mentioned about how people buy machines which are way too powerful to be used, I think we've reached the point where we can start trading processing speed for features.
You can definately do it in 16 megs since I've seen a diskless linux box run on just 16 megs of ram. What I'd love to see is a barebones vmware-like OS done in ROM. I'm using windows on vmware on linux now (in raw disk mode) and I forget sometimes that I'm not windows directly, it's that fast (linux on windows sucks however). Of course my stupid BIOS doesn't let me stop the memory check so it takes me god-knows-how-long to check my half gig of memory (vmware loves memory).
With a vmware-like device you could easily store a memory dump to disk after bootup, and then load that directly into memory every time you restart (unless you need to update drivers).
How many years ago was it that an 80 gig hard drive would cost $2000? It is becoming likely that everyone will have these one day, since I don't see random storage devices cheaper/better than hard drives coming out any time soon. Unless of course you count the internet as a random storage device... That *might* win (if the phone company ever got its act together).
Or by looking over your shoulder when you type it in, or by using a trojan device when you purchase something, etc. Hopefully your card self-destructs after X failed attempts, or it will be trivial to brute force the PIN out of it with a hacked up POS terminal.
Don't get me wrong, this is a somewhat useful incremental improvement. I only hope that it isn't trusted too much. I carry around credit cards because I know that I'm limited to a $50 loss in the worst case scenario. In theory if the authentication is done offline your (the merchant? the credit card company? the card holder?) potential loss is unlimited.
I'd say the opposite is true in a properly set up thin client network. When someone's $100 computer breaks, you throw it out, and replace it with a new one. The data is stored remotely, so there's no need to transfer any files. Just replace with a new system and the user is up and running again. For the server side, you get much more reliability from 10 $100 computers than you do from one $1000 computer. There is a limit, of course, since you don't want to take up tons and tons of space. But again, if the system is properly set up, you throw out the nonworking computer and replace with a standby. If RAID is redundant array of inexpensive disks, I guess this would be RAIPC.
The people that know that very soon, it will be incredibly difficult to get any job beyond manual labor if you don't know how to use a computer.
And it's even harder to get a job if you don't know how to drive a car, but I don't see the school districts giving out compact cars to every student. Beyond the basics of how to use a mouse, how to use a keyboard, how to turn on a computer, any knowledge learned is going to be too specific to be useful in a job just 5 years later. The extent of mandatory computer education necessary for these kids amounts to a 2 week course for one period a day.
On the other hand, I think this could be a great idea, not so much to teach students computer skills, but to gain efficiency in teaching students non-computer skills. With each student having a laptop, a program could be written to have adaptive tests, automatically graded and with anti-cheating mechanisms. Graphs could be made automatically to show the teacher what subjects the students need more help with, or which students might benefit from one on one tutoring in a particular area. You're not going to replace the teacher, but you can keep the menial tasks out of the teachers hand and let the teacher concentrate more on teaching. Ultimately the cost has to be looked at and compared to where the school needs the money spent. And for this reason it shouldn't be a state mandated program.
Each school has different needs. If $1000/student could attract better teachers, and that is a place the school is lacking, it should probably be spent there. Tripling the productivity of a bad teacher isn't going to help much if that productivity is lacking. On the other hand, if most of your teaching staff is already tenured teachers who can't be replaced with any amount of money, maybe you're looking at a different situation. Have the state government focus on providing funds and hiring good superintendents. Let the superintendents make the decisions on where the money gets spent, and review their quality with regard to those decisions on a case by case basis.
But, the EULA says, in as lawyerly prose as possible, that Microsoft isn't liable for anything. Even if they intentionally bundled a virus with the OS and targetted it at you, the EULA disclaims all responsibility.
Well, first of all, I wasn't talking about Microsoft. I was talking about the DSL provider.
Secondly, if Microsoft intentionally bundled a virus and targetted you, you would still be protected under the law. You can't sign away your rights to that. That the EULA would even allow such a thing is merely a symptom of the fact that such laws exist, though. I don't agree with those laws. They make it too difficult to know what you're getting into when you sign something, and make it too easy for companies to have contracts which amount to "any right you can possibly sign away, you hereby sign away".
Thirdly, an EULA is not a contract, and should not be binding in a court of law. That it is is a major major problem with our current legal system.
Fourthly, everyone knows their products are shit for some definition of shit. If Microsoft knows about specific bugs and does not notify the customer of them, that's fraud, and has nothing to do with allowing adults to enter into binding contracts (unless that contract specifically says that you allow microsoft to fraudulently represent their products).
Fifth, Microsoft has a monopoly, and as such must be subject to different rules and government regulations. This is arguably the true problem, and it is one specifically and intentionally set up by the government, through copyright law.
Vigorous competition is the solution to these problems, IMHO.
I completely agree, unfortunately cable is a shared medium, so a solution like the phone company's line sharing agreements is impossible. You could at least force the cable companies to offer pure internet connectivity with no services to resellers at competitive prices though. Personally I'd like to see the communities buy out their local cable companies, even through local bonds if needed. There is real competition in the DSL broadband market though. The phone companies have a monopoly on the lines themselves, and on the colocation space in the COs, but this is highly regulated (and a natural monopoly). It wouldn't take too many people to create a co-op for DSL service for your local community, and you could easily expand that to a long distance and even local phone service co-op. Get enough revenues and maybe you could even start thinking about buying out your local CO. I don't know the regulations, but maybe you could even make a deal with some TV stations and offer cable TV service through the phone lines. Be sure to let me know where you do this, I'll strongly consider moving there.
Yeah, most of that is nothing more than shitty pipe dreams, but I still contend that the efforts should be spent treating the problem, not the symptoms.
Geez, the makers of these unix products are so stupid. When asked what they were going to do about this vulnerability, they responded that they were going to try to do what they can to increase the computational infeasibility of this security hole. Just like those unix people to resort to security through obscurity, as always.
during an encrypted session, how do you tell when the user's typing a password, as opposed to moving around in an editor or something?
Because when you type in a password (using su, anyway), echo is turned off. su has a fairly strong signature. Command prompt received, two characters sent and echoed, another character sent, then 11 characters (or so, CR+Password: ) sent, then characters being sent without any echo. Surely you could sniff that with a fairly high hit/miss ratio.
Re:So we might as well shut down Bugtraq...
on
Hotmail Hacked
·
· Score: 2
why would it be the most secure?
Because there are more people trying to find holes in it than any other system.
I suggest you try out Hushmail.
What I want is an email account which PGP encrypts the email with my public key as soon as it receives it, and then destroys the original. Then even my email provider can't read my mail unless it intercepts the mail before it is encrypted. Anyone who breaks in likewise can only get newly sent mail.
Even if that was implemented I'd still assume that all my mail could be read by someone if they really wanted to. You simply shouldn't be sending sensitive information via email unless it's end to end encrypted. If you're assuming any security against a semi-determined attacker absent that encryption, that is your main problem.
Re:So we might as well shut down Bugtraq...
on
Hotmail Hacked
·
· Score: 1
That is he knew or had a reasonable knowledge that by posting said information here he would be promoting and facilitating the hacking of a secure system
And once again, the same could be said of bugtraq. Personally I feel that posting the exploit lent a lot more credibility to the story, and I'm seriously considering moving all my mail off of hotmail because of it. Of course, I don't know where exactly I'd move my mail to, so I guess I'm going to leave it there. Of all the free, web-accessible sites out there, I bet you hotmail is the most secure.
Re:here's the instructions how to do it
on
Hotmail Hacked
·
· Score: 1
I've got an easier way
Log in with the person's username
If you've entered the right password, you've got it, if not, keep trying until you get the right password.
If four out of five desktops use one API (ActiveX) and the other one uses a completely different API (NS), are you going to bother writing two completely different plugins, or are you going to direct all your efforts to pleasing the 4 out of 5 that can be handled by writing to just one API?
In this case, you're probably most likely to direct all your efforts to pleasing the 1 out of 5 that can be handled by writing to just one API, since that covers 9 out of 10 users.
Just because no one finds an exploit doesn't mean the system is secure.
That could be said about any method of testing. do you suggest we abandon all testing?
If someone discovers a flaw, it may in fact be more lucrative for them to keep it a secret and exploit it later.
Leaving an IIS server on the net for people to crack, along with adequete monitoring software promiscuously recording packets would catch most of the exploits. Besides, with a system like IIS, it's already possible to set up an IIS server on the net for people to crack anyway. It makes a lot more sense for Microsoft to be the ones doing it, so they at least have more of a shot of discovering the holes. The only real danger would be from employees with access to the logs of holes.
This is probably what everybody said about C++ when they were using C.
The first version of C++ was a preprocessor which converted C++ into C. Thus you still had all the compiler optimizations and even the code for the compiler itself. Then you could further optimize the binary by shortcutting some of the C++ -> C -> machine code into C++ -> machine code.
Garbage collection has already been implemented into C++, it seems silly to make a new language for it unless you can obtain some serious optimizations.
The only real advantage of java over C++ that you can't build into C++ is the security manager. That can't be done without either hooks into the OS or an interpreted language.
With all these stories about how to make the network admins life easier, how about a question to bypass some network admin restrictions.
Specifically, I'm wondering if anyone knows of a place which will tunnel (PPTP or other VPN style) static IP addresses through outgoing connections. Basically, if you're connected in your dorm with outgoing only connections, and a dynamic IP, I know there's technically a way to tunnel out to a static IP and then be able to receive incoming connections through that tunnel. At $5-10 a month I bet you could get a lot of takers. I know I'd use it since my Verizon DSL doesn't allow incoming connections (for the most part).
Slashdot Mirror
Because the borders down the street from me has a nice collection of O'Reilly books, not to mention a bazillion other computer books, and I would have hated to have to go somewhere else to steal my books.
Umm, yes, a totally stripped down and trimmed version of linux could run in 16MB, but a fully fledged and usable version? I doubt if it could fit in 16MB.
The idea is to put a minimal kernel (no apps) in the 16MB, and then DLKM the rest. Actually, my idea was to put a minimal linux with just enough support to run freemware or some other vmware-like product, directly in the kernel. I have no idea how much space that would take, though. It's basically a microkernel architecture, the meat of the OS (filesystems, networking support, etc) would go on top of it. Besides booting quickly, you'd hardly ever need to reboot in the first place, because the majority of the code will be dynamically loadable.
You can't just do that load-a-memory-image trick because all of the devices in the system need to be in the exact same state that the drivers think that they are in.
I did this all the time with vmware. I suspend the linux to disk, reboot windows, then resume. The TCP gets a little messed up, but it's quite simple to just bring the interface down and then up again. Pending disk I/O is presumably flushed before halting the OS execution, I'm not sure exactly how they do it but they do, and I'd imagine most of their work is spent making it compatible with guest operating systems, if you had the actual support of the guest operating system it'd be a lot easier.
The only potential problem I see for this approach is with gaming. Perhaps it could be worked around with raw I/O access and direct screen writes, or maybe you'd have to modify the intel architecture itself, I'm not sure. But other than gaming, introducing a small amount of latency into system calls is worth it IMHO for the gain in reliability. Again, I'm running windows on vmware on linux and I am noticing zero problems. This on a 500Mhz celeron with half a gig of memory (256 megs dedicated to windows). An earlier article mentioned about how people buy machines which are way too powerful to be used, I think we've reached the point where we can start trading processing speed for features.
I think now we know what's really responsible for global warming.
You can definately do it in 16 megs since I've seen a diskless linux box run on just 16 megs of ram. What I'd love to see is a barebones vmware-like OS done in ROM. I'm using windows on vmware on linux now (in raw disk mode) and I forget sometimes that I'm not windows directly, it's that fast (linux on windows sucks however). Of course my stupid BIOS doesn't let me stop the memory check so it takes me god-knows-how-long to check my half gig of memory (vmware loves memory).
With a vmware-like device you could easily store a memory dump to disk after bootup, and then load that directly into memory every time you restart (unless you need to update drivers).
How many years ago was it that an 80 gig hard drive would cost $2000? It is becoming likely that everyone will have these one day, since I don't see random storage devices cheaper/better than hard drives coming out any time soon. Unless of course you count the internet as a random storage device... That *might* win (if the phone company ever got its act together).
Or by looking over your shoulder when you type it in, or by using a trojan device when you purchase something, etc. Hopefully your card self-destructs after X failed attempts, or it will be trivial to brute force the PIN out of it with a hacked up POS terminal.
Don't get me wrong, this is a somewhat useful incremental improvement. I only hope that it isn't trusted too much. I carry around credit cards because I know that I'm limited to a $50 loss in the worst case scenario. In theory if the authentication is done offline your (the merchant? the credit card company? the card holder?) potential loss is unlimited.
I'd say the opposite is true in a properly set up thin client network. When someone's $100 computer breaks, you throw it out, and replace it with a new one. The data is stored remotely, so there's no need to transfer any files. Just replace with a new system and the user is up and running again. For the server side, you get much more reliability from 10 $100 computers than you do from one $1000 computer. There is a limit, of course, since you don't want to take up tons and tons of space. But again, if the system is properly set up, you throw out the nonworking computer and replace with a standby. If RAID is redundant array of inexpensive disks, I guess this would be RAIPC.
Huh? This doesn't require encryption if the numbers are stored in a central database.
The point is that you dont require a data network to authorise a transaction, which means that transaction processing costs are reduced.
You certainly need a data network unless you intend to eat the cost if it turns out the card was stolen.
Gee, that sounds exactly the same way it is now.
The people that know that very soon, it will be incredibly difficult to get any job beyond manual labor if you don't know how to use a computer.
And it's even harder to get a job if you don't know how to drive a car, but I don't see the school districts giving out compact cars to every student. Beyond the basics of how to use a mouse, how to use a keyboard, how to turn on a computer, any knowledge learned is going to be too specific to be useful in a job just 5 years later. The extent of mandatory computer education necessary for these kids amounts to a 2 week course for one period a day.
On the other hand, I think this could be a great idea, not so much to teach students computer skills, but to gain efficiency in teaching students non-computer skills. With each student having a laptop, a program could be written to have adaptive tests, automatically graded and with anti-cheating mechanisms. Graphs could be made automatically to show the teacher what subjects the students need more help with, or which students might benefit from one on one tutoring in a particular area. You're not going to replace the teacher, but you can keep the menial tasks out of the teachers hand and let the teacher concentrate more on teaching. Ultimately the cost has to be looked at and compared to where the school needs the money spent. And for this reason it shouldn't be a state mandated program.
Each school has different needs. If $1000/student could attract better teachers, and that is a place the school is lacking, it should probably be spent there. Tripling the productivity of a bad teacher isn't going to help much if that productivity is lacking. On the other hand, if most of your teaching staff is already tenured teachers who can't be replaced with any amount of money, maybe you're looking at a different situation. Have the state government focus on providing funds and hiring good superintendents. Let the superintendents make the decisions on where the money gets spent, and review their quality with regard to those decisions on a case by case basis.
But, the EULA says, in as lawyerly prose as possible, that Microsoft isn't liable for anything. Even if they intentionally bundled a virus with the OS and targetted it at you, the EULA disclaims all responsibility.
Well, first of all, I wasn't talking about Microsoft. I was talking about the DSL provider.
Secondly, if Microsoft intentionally bundled a virus and targetted you, you would still be protected under the law. You can't sign away your rights to that. That the EULA would even allow such a thing is merely a symptom of the fact that such laws exist, though. I don't agree with those laws. They make it too difficult to know what you're getting into when you sign something, and make it too easy for companies to have contracts which amount to "any right you can possibly sign away, you hereby sign away".
Thirdly, an EULA is not a contract, and should not be binding in a court of law. That it is is a major major problem with our current legal system.
Fourthly, everyone knows their products are shit for some definition of shit. If Microsoft knows about specific bugs and does not notify the customer of them, that's fraud, and has nothing to do with allowing adults to enter into binding contracts (unless that contract specifically says that you allow microsoft to fraudulently represent their products).
Fifth, Microsoft has a monopoly, and as such must be subject to different rules and government regulations. This is arguably the true problem, and it is one specifically and intentionally set up by the government, through copyright law.
Vigorous competition is the solution to these problems, IMHO.
I completely agree, unfortunately cable is a shared medium, so a solution like the phone company's line sharing agreements is impossible. You could at least force the cable companies to offer pure internet connectivity with no services to resellers at competitive prices though. Personally I'd like to see the communities buy out their local cable companies, even through local bonds if needed. There is real competition in the DSL broadband market though. The phone companies have a monopoly on the lines themselves, and on the colocation space in the COs, but this is highly regulated (and a natural monopoly). It wouldn't take too many people to create a co-op for DSL service for your local community, and you could easily expand that to a long distance and even local phone service co-op. Get enough revenues and maybe you could even start thinking about buying out your local CO. I don't know the regulations, but maybe you could even make a deal with some TV stations and offer cable TV service through the phone lines. Be sure to let me know where you do this, I'll strongly consider moving there.
Yeah, most of that is nothing more than shitty pipe dreams, but I still contend that the efforts should be spent treating the problem, not the symptoms.
I think these companies SHOULD be reponsible for defects in their products.
I think that adults should be permitted to enter into binding agreements.
Geez, the makers of these unix products are so stupid. When asked what they were going to do about this vulnerability, they responded that they were going to try to do what they can to increase the computational infeasibility of this security hole. Just like those unix people to resort to security through obscurity, as always.
during an encrypted session, how do you tell when the user's typing a password, as opposed to moving around in an editor or something?
Because when you type in a password (using su, anyway), echo is turned off. su has a fairly strong signature. Command prompt received, two characters sent and echoed, another character sent, then 11 characters (or so, CR+Password: ) sent, then characters being sent without any echo. Surely you could sniff that with a fairly high hit/miss ratio.
why would it be the most secure?
Because there are more people trying to find holes in it than any other system.
I suggest you try out Hushmail.
What I want is an email account which PGP encrypts the email with my public key as soon as it receives it, and then destroys the original. Then even my email provider can't read my mail unless it intercepts the mail before it is encrypted. Anyone who breaks in likewise can only get newly sent mail.
Even if that was implemented I'd still assume that all my mail could be read by someone if they really wanted to. You simply shouldn't be sending sensitive information via email unless it's end to end encrypted. If you're assuming any security against a semi-determined attacker absent that encryption, that is your main problem.
That is he knew or had a reasonable knowledge that by posting said information here he would be promoting and facilitating the hacking of a secure system
And once again, the same could be said of bugtraq. Personally I feel that posting the exploit lent a lot more credibility to the story, and I'm seriously considering moving all my mail off of hotmail because of it. Of course, I don't know where exactly I'd move my mail to, so I guess I'm going to leave it there. Of all the free, web-accessible sites out there, I bet you hotmail is the most secure.
I've got an easier way
If four out of five desktops use one API (ActiveX) and the other one uses a completely different API (NS), are you going to bother writing two completely different plugins, or are you going to direct all your efforts to pleasing the 4 out of 5 that can be handled by writing to just one API?
In this case, you're probably most likely to direct all your efforts to pleasing the 1 out of 5 that can be handled by writing to just one API, since that covers 9 out of 10 users.
Just because no one finds an exploit doesn't mean the system is secure.
That could be said about any method of testing. do you suggest we abandon all testing?
If someone discovers a flaw, it may in fact be more lucrative for them to keep it a secret and exploit it later.
Leaving an IIS server on the net for people to crack, along with adequete monitoring software promiscuously recording packets would catch most of the exploits. Besides, with a system like IIS, it's already possible to set up an IIS server on the net for people to crack anyway. It makes a lot more sense for Microsoft to be the ones doing it, so they at least have more of a shot of discovering the holes. The only real danger would be from employees with access to the logs of holes.
You can use garbage-collecting class libraries -- which only work with those classes.
Or you can use D, which doesn't have any classes yet.
This is probably what everybody said about C++ when they were using C.
The first version of C++ was a preprocessor which converted C++ into C. Thus you still had all the compiler optimizations and even the code for the compiler itself. Then you could further optimize the binary by shortcutting some of the C++ -> C -> machine code into C++ -> machine code.
Garbage collection has already been implemented into C++, it seems silly to make a new language for it unless you can obtain some serious optimizations.
The only real advantage of java over C++ that you can't build into C++ is the security manager. That can't be done without either hooks into the OS or an interpreted language.
Of course we wouldn't find out about the DMCA infringement for 45 years, and the statute of limitations is only 5 years.
All this space nonsense is just a way to distract us from what is really important in our lives.
Hmm, the meaning of life would be second on my list, right behind "women". Discovering aliens seems like it could contribute to that goal.
With all these stories about how to make the network admins life easier, how about a question to bypass some network admin restrictions.
Specifically, I'm wondering if anyone knows of a place which will tunnel (PPTP or other VPN style) static IP addresses through outgoing connections. Basically, if you're connected in your dorm with outgoing only connections, and a dynamic IP, I know there's technically a way to tunnel out to a static IP and then be able to receive incoming connections through that tunnel. At $5-10 a month I bet you could get a lot of takers. I know I'd use it since my Verizon DSL doesn't allow incoming connections (for the most part).