Lord knows anyone who uses Linux or free and open source software is dedicated to spreading the gospel
This is such bull. For every Linux fanboy there are 10 regular joes using Linux to just get stuff done so they can go home and play with their kids. The zealots just draw more attention to themselves.
In fact, it is my experience that the guys spreading Linux / OSS religion know LESS than the guy just getting stuff done. They don't work in large environments where Linux is really put to work. They know nothing of Kerberos or PXE booting or anything like that. They take one look at KDE and declare Windoze obsolete but have never worked in an environment where you need to manage 20,000 desktops.
I can build a very secure Solaris 9 server that ends up with about 5 packages and a few things from a few other packages so it results in a nice simple stripped down system that is just enough to run the application and it's great for systems that live in data centers.
Right. The power of UNIX is its simplicity. It's the flatbed truck of operating systems. Here's my car analogy in full:
Solaris is like an 18 wheeler flatbed truck. It just runs forever and doesn't contain anything unnecessary.
Linux is like a 6 wheel king cab turbo diesel pickup (the one with double wheels in the back). It's cool looking, comfortable, it can get into places you can't with an 18 wheeler but by default it comes with a lot of stuff that's unrelated to the job at hand.
Windows is like a fully loaded Mitsubishi Montero. It's easy to operate and good for general purpose applications but it's got glitches (the CD player causes the alarm system to go off which requires turning the engine off and back on).
BSD is like a little Toyota pickup. Not very powerful but it's small, fast and gets around like a car.
Mac OS X is like a Lexus RX 330. Looks and feels great but it's not a real truck.
I want to see someone claim that the "month of bugs" projects harms the products involved. From what we saw with Apple and PHP, they finally closed holes gaping for many previous versions.
Now if only PHP could also fix their performance and inconsistencies...
There's nothing "gaping". All the "month of bugs" were non-critical stuff pumped up by Esser for whatever reason I don't know. For example, there were a number of bugs that required the attacker to be able to supply their own code. If the attacker can supply their own code, they can just call popen() or system() and dispense with all the hoopla required to compromise the worker and inject shellcode.
At first I thought you were trolling but from your "fix their performance" statement I realize you just don't know what the hell you're talking about.
I'm happy to see bugs fixed but actually, I'm going to hold off on updating. These sorts of releases have a tendency to break things. Of course it might not but AFAIK these releases don't fix anything remotely exploitable so you won't see me running for the nearest terminal.
Oracle's site is so bad the phone support guys are quick to point it out *to you*. I find it hard to believe SAP would want anything from their site. Oracle has one good product - their RDBMS. It's a diamond in a bowl of mush. I wish they would stop goofing off with other crap and just polish that nut to a high gloss. Remember when they introduced their Java installer? Ha ha.
I want to know how they arrived at two MILLION dollars. I would think that after having the bomb squad out to look at one of these things and after the police realized that those two dimwits couldn't plant seeds let alone bombs (it's all about "intent") that they would just send everyone home and charge Turner $20,000. But TWO MILLION? They must have used electron microscopy trying to catalog every tool mark on every screw. Turner obviously has some business they're trying to protect. If they actually went to court over it I don't see how they could lose. The authorities in Boston should be embarrassed.
All I want to know is how to block it. I've trained SpamAssassin with probably a hundred of these and they just keep coming. What is the best SA check to catch stock spam?
The other thing I've been having trouble catching is image spam.
Bjarnason also believes that penzim might prove a cure for common flu and cold, eczema in children and arthritis
Admittedly I was sold because I would think charlatans would not have access to H5N1. But once it started into the elixir cure-all pitch my bullshit bell went off.
Not to detract from the issue but is this not a good opportunity to go fossil hunting? Covered in ice there might be more than just fossilized bone as well (but we'd better be quick about it because once exposed to air there really won't be anything but bone).
... Web services, patterns, Web 2.0, and business-driven development...
That's an impressive collection of nebulous terminology in a single sentence. What being served from the web could NOT be called "web services"? How can you do anything in programming without identifying "patterns". After watching Yahoo! screw their site up I would think "Web 2.0" would be a dirty word by now. And "business-driven development" is a PHB sales pitch if I ever heard one. I think IBM is better off without him.
What all of the "PHP is insecure" claims refuse to recognise is that virtually all of the vulnerabilities reported would be no different had the application been written in some other language. PHP just has a huge installation base so of course there will be a corresponding increase in vulnerabilities. And lots of newbies are not escaping things. Perhaps most damaging, high profile vulnerabilities in popular third party packages are giving PHP a bad name (e.g. phpBB). Language bashing is fun (what happened to good ol' Java bashing?). Programmers are bored. Take your pick. Yeah, occasionally there's a real problem but like that doesn't happen to Perl?
Anyway, the PHP devs sound like they want to make things better somehow. They have accepted that even if the security issues are user perception or crowd psychology (thanks to slashdot) that is a problem in itself and therefore something must be done regardless.
Oh, and that security guy Esser that left a few weeks ago is a nut-job. I've seen him posting on the PHP internals list. I'm not saying that he doesn't know what he's talking about but I find it very hard to trust anyone who is so undiplomatic. Also, apparently he's started a "hardened php" site which to some could be construed as motive to make noise. I don't know, I'm not very well connected but that's just my instinct.
First, this is slashdot and therefore I have made no conclusion that the researchers in question are engaged in dishonorable practices. In fact, my guess is that pressesc.com is simply spinning the story to generate ad revenue for their site.
However, Universities are very susceptible to dishonorable business practices. They don't really produce products so their revenue is based entirely on services and contributions from individuals and Big Business. They can either teach classes or get grants to do research and "buy out" of the classes. To get the grants they need to convince potential contributors that their research is worthy of further study. It is not uncommon for researchers to pump up and outright fake results to get those grants.
A solution was to upload an executable to my web hosting in America that would receive zipped executables by email, execute them, then email me the results.
If he can communicate with his web host in America and that host can communicate with /. then why not just setup a proxy on that machine? Installing and running tinyproxy on a Linux machine is mind numbingly easy.
You mean Ubuntu? If you want long term stable support I think moving to Debian is exactly the opposite of what you want. Debian has way too much religion now and they're behind on updates. I'm still running "stable" on one of my servers and I don't get some security updates for months. I'm itching to move that to CentOS too. I suspect the Debian devs all run "unstable" and basically don't care about everyone downstream. I know there are a lot of Debian fans on /. but you have to admit Debian just isn't what it used to be. Sounds like the Debian crowd is slowly but surely moving to Ubuntu.
I read that Windows Vista uses SMB2. Is this a change to make the protocol better or is it just a change to make life difficult for Samba? Maybe Microsoft was required to explain the details of SMB1 in the antitrust proceedings. No problem they figured we'll just make a new protocol and it will take ten years for the courts to make us release that. Brahhaaa.
First, Vista will of course also do SMB1. It tries to do SMB2 and falls back to SMB1. SMB2 is much cleaner and simpler than SMB1. I think the Samba guys probably welcome the change. Of course now Samba has to support both but they've already deciphered most if not all of SMB2 and the SMB2 operations map to existing actions within their code so I don't think it's a big deal for them to support it. This is definitely not a subversive tactic by Microsoft. Contrary to popular opinion Microsoft is not subversive. They're too smart for that. They're passively negligent. They just don't take the time to make things integrate well with other non-MS software. The EU effort is not about SMB really. The focus is more about complex stuff like directory replication and the semantics of Windows domain management. SMB is very well understood. In fact, I would bet the Samba guys understand SMB better than MS.
Unlike most people I don't reinstall the OS on my laptop every couple of months. Thanks to Fedora Legacy I'm happily running FC 3 and had no plans to reinstall. But now I think I'll have to look seriously at CentOS (RHEL repackaged without the copyrighted material like logos and such). RHEL (and thus CentOS) is supposed to be less "cutting edge" and more about stability over the long term. And because CentOS is just RHEL you know it's going to have more vitality than a community driven project.
One of the biggest issues in my mind is MySQL's lack of Kerberos support. With PostgreSQL you can authenticate web clients using Kerberos, export the KRB5CCNAME environment variable, call pgsql_connect and voila it just works. Single Sign On (SSO) is a critical requirement on big intranets now. MySQL will never be anything but the local Linux guy's pet project if it doesn't get around to supporting GSSAPI.
Thanks, this is exactly what I wanted to know. Sounds like OO.o will work. DITA looks right on but I already have a schema that has some features I really need. For example I can have a function prototype like
struct foo *foo_new(unsigned int size, struct bar *bar);
and my HTML reference and man page XSL transforms will isolate each parameter making them bold (and in the future I could link each param). DITA didn't look like it had this. The way I see it I pretty much have to write all the XML and XSLT no matter what I do so I'm not convinced something like DITA or Docbook would help me. If I were writing a thesis maybe, but custom technical docs I don't know.
Are you using an OSS solution for FOP? Last I checked Apache FOP looked a little crunchy so I was going to do XML -> .odt -> OO.o -> PostScript -> PDF. But it would be delightful if there was a really good OSS FOP processor out there.
they enter info into the form in proscribed places and then some XSLT (etc) I wrote converts the underlying *.odt file's XML into
Actually I was only going to use the template to create the XSLT template. Then I was going to write the XML using a custom schema BY HAND. I know that sounds a little nuts but I'm a lot faster in vim than in any word processor. Then I run the XSLT processor and generate a hopefully valid OO.o document. From there I'll tweak as necessary (does OO.o support macros?), print to PS and convert to PDF using ps2pdf. But that's just for the manual. Everything else is HTML and I have a transform for man pages that I'm using already.
From your experience do you see any problems with this technique? Does OO.o support TOCs and footers and all that stuff? Last I checked it didn't even come close but I have to admit it's been years. I suppose I should just try it before coughing up $400 for Word.
Oh, please switch to the Windows focus model and key navigation. When I first used my Mac mini I thought it was broken. I literally went to the forums and asked questions about it. I couldn't figure out how I could launch an app and then lose it even though it appeared launched in the dock. And I spend 99% of my time in WindowMaker which is also based on the NeXT focus model.
Also, keyboard navigation is useless. Why would anyone want to remember all of those shortcuts?
I just know people are going to pop up and explain that I can do everything that I'm complaining about but don't bother because it's just not "as simple as possible and not simpler".
It's HARDER than Windows. When you click on an app in the application does not appear, only the menu bar gets focus. That's very confusing. So why not just switch to the Windows focus model that everyone is already familiar with?
I'm going to need to find a solution for this as well. I want to generate a PDF manual, HTML "technotes", HTML API documentation, man pages and possibly more materials. Much of the content will appear in more than one place. It seems to me the ideal solution would use a single set of XML sources written in a custom markup specific to the content (e.g. API descriptions, code examples, etc) and then translate that into HTML, PDF, and so on using XSLT. The only problem I have right now is that I need a word processor that understands XML and can display content with tables, footers, footnotes, SVG graphics, etc. Then I can create a template document, write the XSLT transform and generate the manual and convert it to PDF. The only problem is the only product that I know of that can do all the footers, TOC, footnotes, tables, graphics, etc AND import and export XML is Microsoft Word 2003 but I'm not excited about the price and I don't usually have a Windows machine on in the office I'm in.
Has anyone else been doing something similar? Any tips for me? I'm going to check out OpenOffice first but based on previous experiences I'm a little skeptical that it can do more than create "Lost Dog" signs.
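The single-source idea from the two documentation posts above (one custom XML description of a function prototype, rendered once to HTML with each parameter isolated in bold and once to a man page), as an added example that is not code from the original posts. The poster's schema and XSLT are not on the page, so the element names used here (function, returns, name, param, type) are a constructed stand-in, and the transform is written with Python's ElementTree rather than XSLT. The sample document describes the `struct foo *foo_new(unsigned int size, struct bar *bar);` prototype quoted in the thread.

```python
"""Single-source API docs: one custom XML prototype rendered to HTML and to a man page.

Added example, not code from the original posts. The schema below is a constructed
stand-in for the poster's own, and ElementTree stands in for XSLT.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample source: struct foo *foo_new(unsigned int size, struct bar *bar);
SAMPLE_XML = """\
<function>
  <returns>struct foo *</returns>
  <name>foo_new</name>
  <param><type>unsigned int</type><name>size</name></param>
  <param><type>struct bar *</type><name>bar</name></param>
</function>
"""


def parse_prototype(xml_text):
    """Return (return_type, function_name, [(param_type, param_name), ...])."""
    root = ET.fromstring(xml_text)
    ret = root.findtext("returns", "").strip()
    name = root.findtext("name", "").strip()
    params = [(p.findtext("type", "").strip(), p.findtext("name", "").strip())
              for p in root.findall("param")]
    return ret, name, params


def _declare(ctype, ident):
    """Join a C type and an identifier: 'struct foo *' + 'x' -> 'struct foo *x',
    'int' + 'x' -> 'int x'."""
    return ctype + ident if ctype.endswith("*") else ctype + " " + ident


def to_html(xml_text):
    """HTML reference: every parameter isolated in its own <b> so it can later
    become a link target. Text is escaped because whatever comes out of the
    XML source is data, not markup, once it lands in the HTML output."""
    ret, name, params = parse_prototype(xml_text)
    bold = ["<b>%s</b>" % html.escape(_declare(t, n)) for t, n in params]
    return "<code>%s(%s);</code>" % (html.escape(_declare(ret, name)), ", ".join(bold))


def to_man(xml_text):
    """man(7) SYNOPSIS line: .BI alternates bold and italic arguments, the
    conventional way to set the prototype in bold and each parameter name in
    italic; quoted arguments keep their embedded spaces."""
    ret, name, params = parse_prototype(xml_text)
    args = []
    bold = _declare(ret, name) + "("
    for i, (ctype, ident) in enumerate(params):
        bold += ("" if i == 0 else ", ") + ctype + ("" if ctype.endswith("*") else " ")
        args.append('"%s"' % bold)   # bold run ends right before the parameter name
        args.append(ident)           # the parameter name itself, set in italic
        bold = ""
    args.append('"%s"' % (bold + ");"))
    return ".BI " + " ".join(args)


if __name__ == "__main__":
    print(to_html(SAMPLE_XML))
    print(to_man(SAMPLE_XML))
```

The same `parse_prototype()` feeds both renderers, which is the whole point of the single-source approach: adding a third output (an .odt body for the PDF manual, say) means adding one more renderer, not a second copy of the API description.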
Wow, stunningly insightful response "that's caused by inexperienced programmers".
I think you misunderstood. He's not talking about the developers of PHP the interpreter. He's talking about developers of PHP applications. Inexperienced programmers are more likely to do stupid things like not escape their field values resulting in cross site scripting vulnerabilities. There's nothing PHP can do internally to prevent that.
My understanding is that if written correctly PHP is very secure. The code is very mature and used all over the Internet. For an Internet site it would be very hard to convince me that another language would be inherently more secure.
It's very unfortunate that this article was posted the way it was (as usual for /.) because developers will now remember this and think they might be better off with another scripting language when in fact they can do stupid things just as easily with ASP as they can with PHP.
Can anyone speculate as to whether or not a similar technique could be used to split 2CO2 into 2CO+O2? That would be rather useful as well provided the CO could be fixed elsewhere.
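The defect the post above describes (not escaping field values, which turns into cross site scripting) next to its fix, as an added example that is not from the original thread. The poster is talking about PHP applications; the same mistake and the same fix are shown here in Python so the two outputs can be compared side by side. The page template and the field value are constructed.

```python
"""Not escaping a form field value: the mistake behind the XSS mentioned above, and the fix.

Added example, not from the original thread. Template and field value are constructed.
"""
import html

# Constructed: a profile "display name" submitted by a user. Treat it as hostile.
UNTRUSTED_NAME = "<script>/* injected */</script>"


def render_unescaped(display_name):
    """The inexperienced-programmer version: the field goes straight into the
    page, so any markup in it is parsed by the browser as part of the page."""
    return "<p>Welcome, " + display_name + "</p>"


def render_escaped(display_name):
    """Fix for HTML text context: & < > " become entities and the browser
    shows them as text instead of interpreting them."""
    return "<p>Welcome, " + html.escape(display_name) + "</p>"


def render_attribute_escaped(display_name):
    """Fix for HTML attribute context: the attribute is quoted AND quotes are
    escaped (quote=True is the default), otherwise a value containing a
    double quote would end the attribute early."""
    return ('<input type="text" name="display_name" value="'
            + html.escape(display_name, quote=True) + '">')


def untrusted_markup_survives(rendered, untrusted):
    """Review/test oracle: if the raw input still appears verbatim in the
    output, it was not escaped on the way out."""
    return untrusted in rendered


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        out = render(UNTRUSTED_NAME)
        verdict = "UNSAFE" if untrusted_markup_survives(out, UNTRUSTED_NAME) else "ok"
        print("%-18s %-6s %s" % (render.__name__, verdict, out))
```

In PHP the equivalent of `html.escape()` is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` applied at the point where the value is written into the page; the language offers the function, but as the post says, nothing in the interpreter can force an application to call it.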
Can't believe the trailer compared it to Blade Runner. The King Crimson / Pink Floyd references were cute tho.
Write a free cross platform client and server network filesystem which runs on Windows, OSX, Unix, Linux and whi...
And how do you hook that into Windows such that the Kernel can efficiently make access control decisions and everything else it needs to do?
Maybe this is why Apple didn't come out with an iPhone before. They were waiting to see if they would let the trademark lapse.
Don't be so naive.
Debian, here we come...