Slashdot Mirror


User: mcrbids

mcrbids's activity in the archive.

Stories
0
Comments
4,341
Comments · 4,341

  1. Security defined on Analysis of the Witty Worm · · Score: 4, Interesting

    I think we all have to come to terms with the fact that our current state of Computer Science is not up to the task of dealing with the Internet as it is becoming.

    Linux/BSD has a somewhat better security record than MSFT, but even after all the auditing effort put out by the guys over at BSD/OpenSSH, there have *still* been a number of security vulnerabilities recently!

    The problem is not being viewed in the proper light. Something like a buffer overflow should not result in a compromisable host! Something like a misquoted SQL statement should not result in an SQL injection vulnerability!

    Applications and programming environments need to be structured and developed with the understanding that people make mistakes and there needs to be allowance for that.

    You can't expect a group of programmers to maintain 50,000, 500,000, or 5,000,000 lines of code without there being mistakes in there.

    It just cannot be done.

    So languages, programming techniques, and infrastructure need to be developed that truly prevent the "bug==severe security risk" situation.

    Really, as much as we all laud their security record, Microsoft is in a good position to trounce the OSS crowd if they can come up with a software language and security system that allows for programming mistakes.

    The answer is NOT to make sure you input validate *everything* - although input validation is always a good thing.

    The answer is to develop a system where common programming mistakes do not result in a security issue.

    Get used to it. People are people. They make mistakes. We either cease being human, or develop a system that makes allowances for our humanity.

    Can we do it?

  2. Re:Funny, Funny, Funny...! on Yahoo and Hotmail Filter Flaw · · Score: 1

    Well, then. Perhaps we understand each other?

    See, I get paid by companies (and sometimes individuals) to solve problems. OSS allows me to leverage other people's work to solve my client's problems.

    I routinely d/l somebody else's work, use it, make some improvements, and give those improvements back, on time that's paid.

    For me, OSS = house payments, food for my family, and college. (though I don't fly) I jumped on the bandwagon 4 years ago, and while it took a while for my re-founded business to catch wind, it's now going full sail, and I'm having FUN!

    One of my most frequent contributions is documentation. Really, OSS tends to truly suck in this area. After working out some frustrating details in a package, I usually write improved documentation and submit. I do this not because "I'm being nice" but by doing so, that documentation is there for my future use, as well.

    I can't tell you how many times I've had my butt saved because of a note or sidebar in the documentation I wrote months or years before...

  3. Re:Funny, Funny, Funny...! on Yahoo and Hotmail Filter Flaw · · Score: 1

    So when a pro-open source person knocks MS, I should respond, "Are you bitter and twisted because MS has high paying jobs which you can't perform and are thus relegated to giving your labor away?"

    I'm not sure if you are an Astroturfer or not - your posts are pretty one-sided.

    But, I'll bite anyway. There are many reasons to "give labor away" - one of the best is all the free labor it gives back!

    See, OSS is frequently much like love - the more you give, the more you get back in return.

    If I give away a library, a class, a project, whatever, most people will d/l, use, and never mention word one back to me.

    But some people will make improvements. And some of *THOSE* people will send those improvements back to me.

    For every project I've released, I've typically seen at least as much effort (and frequently more) than I originally exerted given back to me as new features, or other improvements.

    And, using OSS software, when I run into a bug or need a feature, by making sure the bug fix or feature gets back to the main source tree, I find that I then have updates to the software in question along with the fixes I found/needed forever thereafter.

    Forget altruism. I usually give my stuff away for *very* selfish reasons - and the funny thing is that it works!

  4. Mediocrity is the key on U.S. Students Shun Computer Science, Engineering · · Score: 1

    Hey guys: I have a news flash for you!

    It's damn hard to find a decent, skilled employee/contractor.

    Everybody figures they "are qualified", but when push comes to shove, finding somebody to trust, rely on, who will get the job done, who will perform at their honest best, who will put out high quality work and take personal pride in the deliverable?

    Damn, damn hard to find.

    Be that person, and make sure those you work with know that you are that. Play the game. It will take a while, but once you find your groove, you'll find people tripping over themselves to give you paying projects!

    When the right people know that they can give you a project and have it done, and "don't have to worry about it", you will get lots and lots of well-paying work.

    Be worthy of trust. Be willing to work your ass off. Develop strong interpersonal skills, and focus on making things work. Make sure those you work with benefit from your work.

    It will happen.

  5. Re:Excellent on Gimp Hits 2.0 · · Score: 2, Interesting

    Personally, I'd LOVE to be able to write Perl / GTK2 apps that run under Windows, and it looks like I might be able to soon

    Dunno about Perl, but with PHP-GTK, I've been able to do this for over a year with PHP. Combined with the Ion Cube compiler, I've been writing cross-platform Windows/Linux/OSX programs for quite a while.

  6. My $0.02 on The Unhappy World of IT Professionals · · Score: 3, Interesting

    As I write this, there are 89 comments viewable at level 3, so it's not real likely that this will "go anywhere" - but here's my experience.

    I work as an independent consultant. My largest client has about 130 staff. I do database engineering, software design, and Linux system administration for a total customer base of around a dozen clients.

    Every day is unique. Yesterday I developed, tested, and began using a new template system for PHP that is much, much faster than the PHPLib template system I've used for the past 4 years.

    Today, I'm going to be refining an application framework for a company I'm partner in, writing a backup system based on rsync, and working on transferring Internet services from a couple of servers to a couple of other newer replacements.

    I deal with customers directly, and get to hear the shrieks and exclamations when they realize how much easier I've just made their life...

    I spend an average of about 1-3 hours on the phone every single day, dealing with clients all over North America, and I put in an average of around 4-7 hours of billable time.

    My average workday is generally between 8-12 hours a day. Sometimes, I take the day off with no prior planning. Sometimes I work 18 hours straight.

    I love my job, and it loves me!

  7. Re:sounds cheap compared to... on Debunking the Trillion-Dollar Space Myth · · Score: 1

    waiting around for this world to become uninhabitable because of a nuclear war, or a strike from some rouge asteriod!

    Sorry. I know what you meant. But, the picture of a giant asteroid made of makeup was just too much.

    Blam! Overnight, the world's population was turned a lovely pinkish-coral by a giant, rouge asteroid!

    Some Avon marketing weenie could have a field day with this! (momentarily) Or, perhaps, some guy with too much time spent in front of a monitor would find this amusing? (hangs head)

    But, I figure you meant some rogue asteroid?

  8. Re:To be honest on File Sharing Increases CD Sales · · Score: 1

    Chances are, this is a wasted post. Any post on a forum more than about 6 hours old just seems to be hardly read.

    Most people buy stuff based on features. "Mega bass". 12" woofer. Made by (Bose / Kenwood / Klipsh [sp?]), etc. and go down this mental checklist.

    However, I submit to you this: When you buy speakers, go to a *quality* stereo shop. Here in Chico, CA the buzz is all around "Sounds by Dave".

    Don't worry about your checkbook too much. Don't look at the stereo, close your eyes. And ask yourself - is this speaker system good enough that you could easily picture the artist standing in front of you?

    Don't look for "mega bass". Ignore the stupid lights. Don't pay any attention to the size of the speakers, or anything. Just walk around the unit, eyes closed, and ask yourself if you are convinced that the artist is, in fact, standing there.

    Try it loud. Try it soft. Be demanding of the salesman, if you have to.

    The results might surprise you. I recently spent about $300 on a 3-way speaker system based solely on this very criterion. I bought the cheapest speaker system that convinced me I had an artist in front of me. I'm still amazed that something so inexpensive can sound so incredibly good.

    MP3s suddenly sound terrible - I catch artifacts all the time I never caught before.

    You came real close to the actual answer - the mojo of audio is not lost between the artist and the microphone, it's usually lost in the microphone itself.

    A good microphone is not cheap. The microphone (and to a far lesser extent, the recording medium) makes all the difference in the world. While size is not the primary consideration, I'm convinced that a truly good quality mic cannot be smaller than about your fist. Forget the stupid dynamic mics that are so common on stage - they're trash that throw out all kinds of dynamic range.

    Get a good quality, condenser microphone, such as a good Neumann, or maybe a Shure. It'll cost a few hundred bucks.

    Combine a good mic, high-quality digital recordings, and a good speaker system, and you'd be amazed how good sound can, eh, sound!

  9. Re:I would have to agree... on Astronauts, Robots to Save Hubble · · Score: 4, Insightful

    For (probably) 3 times the cost of the repair mission, a telescope of (probably) 100 times the quality of hubble could be deployed.

    Do you have *any* basis for a claim like this, other than "your gut feeling"?

    14 years is a long time, around 10 iterations of the "performance doubling every 12-18 months" if you're talking about computer technology. But optical technology has been stable for quite some time. Or, do you also claim to have binoculars 512x-1024x better than your dad's?

    Remember, Hubble is not a computer - it's a telescope. And, since image processing is done on the ground, advances in computer technology are likely largely irrelevant to the Hubble.

  10. Re:To be honest on File Sharing Increases CD Sales · · Score: 0, Offtopic

    Yes i Download songs,

    Call me shallow. Call me prejudiced. But when I see a post where the poster can't so much as capitalize their "I"s, or even remember to not capitalize letters in the middle of a sentence, I immediately feel the inclination to dismiss the message, even if I agree with it.

    I know I'm not the only one.

    You really don't have to be perfect. But, using reasonable, basic English grammar and syntax is a prerequisite to being taken seriously.

  11. Re:Solutions? on Broadband Access Leading to Internet Breakdown? · · Score: 1

    Change the way email works. Step one, NO ATTACHMENTS. Seriously, why the hell are we using email to shuttle files around? It was not designed for this.

    This has to be one of the most uneducated, pedantic, and just plain *wrong* posts I've seen, even on slashdot.

    The purpose of email is to transfer (communicate) information from userA to userB. Whether that information is ASCII text, html, or base64 encoded binary information is largely irrelevant.

    Email is most definitely designed to handle attachments, from a very early age.

    1) Traffic is a small cost compared to the cost of labor. Who cares about saving $0.03 worth of traffic that then brings $2 of labor costs publishing files to an FTP server?

    2) You have traceability. Most any email program allows you to view the headers of an email.

    Get real.

  12. Re:Safety? on PHP 5 RC 1 released · · Score: 1

    Forget abstraction. It is even more trivially solved by using placeholders with prepared SQL statements, like "select * from table where field1 = ?".

    I use something similar. Here's how it'd look using "my tech": (PHP)

    // [username] in the SQL is replaced by the same-named key of $todb
    $MDB=&new DBLayer('pgsql');
    $sql="SELECT * FROM usertable WHERE user_name='[username]'";
    $todb=array('username'=> trim($_REQUEST['login']));
    if (!$res=$MDB->SQ($sql, $todb)) {
        Error($MDB->Error());
    } else {
        while ($row=$MDB->Fetch_Array($res)) {
            // do something with the result...
        }
    }

    The stuff in the square brackets is parsed with a regex, and the values are matched against same-named values in the input array. If anything doesn't match, it errors gracefully through the error() function.

    I stumbled on this about 6 months ago, and it's dropped the number of SQL injection bugs to zero, as well as caught bugs in my SQL statements before they could ever become problems.
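    The bracket-placeholder layer described in the comment above, written out as an added Python example (this is not the poster's DBLayer class, nor any library's API; the names `bind`, `sq`, `lookup` and `rejects`, the regex, and the in-memory SQLite table are all assumptions made for the illustration). It shows the three behaviours the comment relies on: each `[name]` is located by a regex and swapped for a driver placeholder, the value is taken from the same-named key of the input dict and passed to the driver as a parameter rather than spliced into the string, and any mismatch between placeholders and supplied keys is refused before the statement reaches the database. The quoted injection attempt therefore returns no rows, because the quote character arrives as data.

```python
import re
import sqlite3

# Matches '[name]' or [name]; the optional surrounding quotes are consumed
# so the statement can be written the way the PHP snippet above writes it.
PLACEHOLDER = re.compile(r"'?\[(\w+)\]'?")


class QueryError(Exception):
    """Raised when the placeholders and the supplied values disagree."""


def bind(sql, values):
    """Rewrite bracket placeholders to '?' and return (sql, ordered_params).

    Every [name] must have a same-named key in `values`, and every key in
    `values` must be referenced by the statement; either mismatch raises
    QueryError before any SQL is sent to the database.
    """
    names = PLACEHOLDER.findall(sql)
    missing = [n for n in names if n not in values]
    if missing:
        raise QueryError("no value supplied for placeholder(s): " + ", ".join(missing))
    unused = sorted(set(values) - set(names))
    if unused:
        raise QueryError("value(s) not referenced by the statement: " + ", ".join(unused))
    bound_sql = PLACEHOLDER.sub("?", sql)
    params = [values[n] for n in names]
    return bound_sql, params


def sq(conn, sql, values):
    """Bind and execute; the driver only ever sees the values as parameters."""
    bound_sql, params = bind(sql, values)
    return conn.execute(bound_sql, params).fetchall()


def rejects(sql, values):
    """True if bind() refuses the statement/values pair (used for checks)."""
    try:
        bind(sql, values)
    except QueryError:
        return True
    return False


def demo_db():
    """Constructed sample table standing in for the 'usertable' of the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (user_name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO usertable VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    return conn


def lookup(conn, login):
    """The comment's query, with the request value bound through [username]."""
    sql = "SELECT user_name FROM usertable WHERE user_name='[username]'"
    return [row[0] for row in sq(conn, sql, {"username": login.strip()})]


if __name__ == "__main__":
    conn = demo_db()
    print(lookup(conn, " alice "))                 # ['alice']
    print(lookup(conn, "' OR '1'='1"))             # [] : the quote is data, not SQL
    bad = "SELECT * FROM usertable WHERE user_name='[usrname]'"
    print("typo in placeholder rejected:", rejects(bad, {"username": "bob"}))
```

    The strict "every key must be used" check is what catches the misspelled-placeholder class of bug the comment mentions: a typo in either the SQL or the input array fails loudly instead of silently matching nothing. One caveat of the regex approach is that a statement containing literal square brackets (for example SQL Server's `[column]` quoting) would be misread as a placeholder, so this style only suits dialects where brackets never appear in the SQL itself.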

  13. Re:RedHat 7.2/7.3 not supported, yet on Multiple Vulnerabilities in OpenSSL · · Score: 1

    That doesn't answer the question. How do you know which of your self-compiled packages on your 20 servers are critically out of date? You have an Excel spreadsheet with all the servers, libs and apps installed and their versions? How do you know a new version is out? You're on 300 mailing lists, one for each product?

    My friend, you have hit the nail on the head. I do an "up2date" or "yum -y update" on a particular server at least monthly. I'm anal about keeping patches updated. I do everything possible to avoid compiling anything that can be provided by RPM, since as soon as you compile a package, you're married to it.

    Compile once == recompile forever and constantly worry about updates.

    Any idiot can type "wget http://site.com/package; tar -zxvf package; cd package; ./configure; make; make install;" and then pedantically make idiotic claims about what it takes to be "a sysadmin".

    But I'm in the trenches. Thousands of people depend on these servers. Do you really think I'm going to compile something like openssl, on which all the TLS stuff for LDAP, Apache's HTTPS, SSH, and stunnel all depend?

    When, as soon as the package is installed, a simple "up2date <package>" or "yum -y update <package>" is going to suffice?

    No phone calls, no pissed off customers, no lost contracts. Which would you choose?

  14. Re:Compare to redhat-config-* on YaST to Become Open Source · · Score: 1

    I don't have much experience with Redhat but one thing that I like about YaST is that all the configuration can take place by just typing yast at the command line. You don't have to deal with separate redhat-config-* packages, just one command and from there it's all very simple.

    Well, perhaps it's because I've been using RH since 5.1, but I've not used a "config tool" in years. Too damn annoying.

    I like /etc/sysconfig/iptables and a few others - making stuff like this (EG: firewall) into daemon-like config files makes it easy to manage these kinds of things - but the GUI configurators are never good enough for me.

    I mean, let's say you want to allow SSH connections from any of 5 distinct IP addresses, or anywhere in a class C network, but nowhere else?

    Or, you want to reject SMTP connections from a backup relay unless the primary relay is offline, at which point you want to script an update to allow SMTP?

    There are a zillion scenarios like this where the simplistic GUI tools just don't cut the mustard...

  15. Re:RedHat 7.2/7.3 not supported, yet on Multiple Vulnerabilities in OpenSSL · · Score: 1

    No, compiling software isn't torture.

    Keeping track of every individual package on 20+ systems and their update status can be quite torturous.

    Or, do you have no trouble keeping "the server" under your bed (that shares MP3s to your roomie down the hall) updated?

  16. Re:RedHat 7.2/7.3 not supported, yet on Multiple Vulnerabilities in OpenSSL · · Score: 1

    If you can't compile source code then you shouldn't be a sysadmin.

    If you enjoy torturing yourself, compile everything from scratch. Once you've done this, you have to chase down every update in anything you ever compile for the duration of the life of the machine, as well as beat out any changed dependencies.

    It's not as bad if/when you use a tool like checkinstall...

  17. RedHat 7.2/7.3 not supported, yet on Multiple Vulnerabilities in OpenSSL · · Score: 1

    As of the time of this writing, yum repositories for Fedora Legacy 7.2 do *NOT* have these updates!!!

  18. Re:Safety? on PHP 5 RC 1 released · · Score: 2, Interesting

    It minimizes a large class of SQL Injection errors in web applications

    ...which is handled smoothly with a decent abstraction layer...

    Anything else?

  19. Re:Network Biology on Broadband Access Leading to Internet Breakdown? · · Score: 1

    The best defense against viruses is a healthy immune system, and an organism gains a healthy immune system through exposure to germs and viruses.

    So, at what point does the Internet become self-aware and Sky-Net is launched?

  20. Re:Safety? on PHP 5 RC 1 released · · Score: 1

    Hmm... why do we always get new expressivity features and library extensions, instead of new safety features and ways for statically checking our code (such as type checking, a novel but, admittedly, completely impractical and academic invention that only freak languages use)?

    Explain to me how typecasting is a safety feature.

    I'm not being sarcastic, or anything. I'm serious!

    Give me some examples of where typecasted languages are safer or better, or where it's an advantage.

  21. Re:Power Power Power on PHP 5 RC 1 released · · Score: 2, Informative

    It's funny, I remember when it was a main tenet of programming that data should be separate from presentation. However, PHP has shown just how powerful integrating data and presentation can be through inlining code directly into a webpage layout.

    That tenet is still true. If this were not true there wouldn't be some 112 projects on sourceforge with "PHP" and "template".

    I personally use PHPLib templates, something I've discussed quite publicly.

    Mixing logic and presentation is a no-no for effective software design.

  22. The power of viruses on PhatBot Trojan Spreading Rapidly On Windows PCs · · Score: 4, Interesting

    I have a client who sends out an aviation newsletter, with a list size in the tens of thousands. They have their own dedicated mail server, running RH Linux that I set up for them. Email is virus filtered with MailScanner and f-prot.

    No complaints for months. And then, I add a new account to the mail server and restart sendmail.

    Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase was viruses, being caught by McAfee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!

    Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.

    Very sobering, to realize how bad viruses online have gotten...

  23. Re:I'm curious. on Linux Sourcecode To Minitar Access Point · · Score: 5, Insightful

    Yes, I know that there already is a binary driver [realtek.com.tw] for the 8180, but it is very flaky, and rather picky about the kernels and distributions it agrees to work with... (as binary drivers usually are, alas!)

    Which is why I contend that the Linux driver interface sucks.

    Assume that I have, on my Red Hat system, kernel 2.4.20-8. Which I parse as 2.4.20 kernel, build #8. So a security update comes out, and I upgrade to 2.4.20-12. (Not an atypical scenario).

    Suddenly, my nvidia driver doesn't work, and once that's resolved (with a loss of 3D support, no less) I find also that VMWare won't load properly.

    It may be that 3 lines of code were changed, so that

    "if (a>20){
    b=5;
    } "
    now reads
    "if (a>=20){
    b=5;
    } "

    out of umpteen kazillion lines of code, but dammit, now I have to find precompiled binaries for the exact version and build of the kernel I'm now running.

    I think that's just retarded.

    Kernel modules should communicate through a documented API, allowing a particular binary driver to work on a series of versions. I think it'd be fair to have a 2.4.x api, and a 2.5.x, 2.6.x, and so on.

    But the current way is just stupid and hampers Linux' adoption in the less techie areas.

    Of course, since I'm not Linus, nor a programmer of sufficient skill to provide any serious challenge to the powers that be, I generally just swallow my gripes and live with it for the parts that I like. (fantastic reliability, good uptimes, reasonable security, etc.)

  24. Re:That's a great name on Star Trek's Design Influence On Palm, New Tech · · Score: 1

    UPDATE base SET belong.to=us WHERE belong.to=you;

    Three bugs in this statement!

    1) A period (".") is not a legal ANSI SQL character in a field name.

    2) Since "us" and "you" are presumably strings, they really should be quoted. Many SQL implementations would error on unquoted strings.

    3) Don't you want everything to belong to 'us'? Why limit it to just those records with 'you'?

    4) (Pushing it, here) Mixing case makes statements harder to read. Best to write all the SQL stuff in all caps, and mix case on everything else as needed. This makes for much more readable statements!

    Try this:

    UPDATE base SET belong_to='us';

  25. This could really work. on Burnt Coffee and Burnt CDs · · Score: 2, Insightful

    After being pampered by the likes of Kazaa I decided I wanted to buy a music CD.

    I've purchased indie bands online, but I really haven't been in a music "store" for a decade. I quickly found myself in a foreign place.

    There were a number of albums for the artist I wanted, while the one I'd specifically decided to buy wasn't in stock.

    I decided that maybe I'd buy something else, too, but just as quickly found that *gulp!* there's no way to sample the tunes before you buy!

    So, you spend $12-$20 without being able to "kick the tires" and no way to sample the tunes first?

    Just ridiculous. I'm surrounded by thousands of albums from hundreds of artists, and have no idea what I might be interested in.

    I eventually bought a mediocre "Alanis Morissette unplugged" CD that I really don't appreciate all that much - she sounds bored, without her usual passion and fire.

    Preview, then buy? I might very happily do it! Ever see Magna Tunes?