Slashdot Mirror


User: Medievalist

Medievalist's activity in the archive.

Stories
0
Comments
2,620

Comments · 2,620

  1. You have to use your judgement. on Responsible Disclosure — 16 Opinions · · Score: 1
    Immediate disclosure does nothing but help the bad guys. Staying quiet about it too long helps the bad guys, too. The only question is, what is the proper amount of time to wait[?]
    It varies depending on the complexity of the problem that requires fixing, and the resources available for the fix. Here's a couple of concrete examples:

    You found a bug in Sendmail. You contact Eric Allman, you ask him how long it will take him to get his downstreams to push fixes through the distribution channels, and you agree to withhold the sploit until he says everybody's ready, and he gives you credit for finding the problems and publicly thanks you for your co-operation and for helping make the internet a better place.

    You found a bug in a CA product. You use a library computer and an anonymous remailer to hit every CA address that seems remotely applicable, telling them the details of the sploit, and that you will release in two weeks. Two weeks later, you fully disclose (again as anonymously as possible) so that CA's customers will know they need to patch (after all, CA is unlikely to aggressively publicize their mistake).

    Why the difference? Sendmail Inc. and Eric Allman have proved that they won't victimize or prosecute people who help them secure their code, and that they will do everything possible to minimize damage while providing full credit to security researchers. Many open-source projects can be counted on to act this way (I'm sure others will post examples) despite operating on tiny or non-existent budgets. In contrast, most gigantic zaibatsus with enormous programming resources simply will not fix bugs if given any other choice - and discrediting or victimizing you might seem like a viable choice to some corporate pinhead who really doesn't care about anything but profits for the quarter.

    You might vary that "two weeks" figure based on how big a vendor's programming staff is, or how complex the problem is, or how serious the vendor is in regards to security, but in general you need to set a hard deadline and stick to it. It's the responsible thing to do.
  2. Re:It Seemed to Work for Bletchley Park on Will the Solve-the-Riddle Hiring Trend Affect IT? · · Score: 1
    The test was to implement a small web server (GET/HEAD commands basically) in C++ using *no external libraries of any kind*. They stated the test should take 3 - 4 hours. The specs were extremely vague and any attempt I made to get clarification was met with "do what you think is best".

    They also mailed me the test late on a Thursday evening, and were calling asking where it was the following Monday morning.
    If I gave that test, I'd be expecting you to pull the answer out of Google.

  3. Re:Growing up too fast? on Consumer Electronics Causing 'Death of Childhood'? · · Score: 1
    Do you move to the suburbs so your kids can play outside more freely, but you commute for two hours wasting gas (and time you can spend with your kids), contributing to exurban sprawl and living somewhere that should be arable cropland or open space?

    False dichotomy. I solved this problem without doing either. I agree, though, that the problem isn't consumer electronics. It's mostly just plain old bad parenting, complicated by our changing environment.
  4. SPREADS LIKE a religion, not IS a religion on Over 2.5 Billion Cellular Connections Now Active · · Score: 1

    I didn't say cell phones were viruses (or virii for that matter) or even a religion. I didn't say they were cancer or evil either. I did say something about sloppy thinking, though.

  5. maiar != gods on MGM to Produce "The Hobbit" · · Score: 2, Informative

    ANGELS, and minor ones at that, not gods.

    Eru, the One, is the sole True God of Tolkien's mythos, and the Valar are "demiurges" (either minor godlings or arch-arch-angels -- presumably the name derives from the Greek "demiurgos" and refers to the Valar's roles as the creators of Middle-earth). Maia are equivalent to angels, so Gandalf is sort of like one of the brawling angels of Christianity (think Michael, for example) that get involved directly with human affairs.

    Morgoth was an evil valar; Sauron, his lieutenant, was an evil maiar... so technically Sauron's just a very powerful balrog with good PR.

    All thoroughly explained in "The Silmarillion", which JRRT thought was not ready for publication (and I have to agree, though there are some tasty bits starring Turin Turambar).

    Not so well explained is how JRRT intended this to tie in with Christianity, although I believe he explicitly identified Gandalf's resurrection with Jesus's at some point.

  6. Like a religion, not like a virus. on Over 2.5 Billion Cellular Connections Now Active · · Score: 1
    "It appears that humankind has managed to spread cellular technology like a virus..."
    Wrong. Despite propaganda about lifestyle choices, and despite the perceived indispensability of cell phones, there is a voluntary component to cell phone use that simply does not reflect the reality of disease organism propagation. Sloppy metaphors result from sloppy thinking, and you don't want to get any of that on you.

    Cellular technology has spread like a religion.
  7. Be careful when rejecting at HELO on How To Fight Spam Using Your Postfix Configuration · · Score: 1
    RFC 2821, section 4.1.4 Order of Commands:
    An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.
    So, you can drop a connection at HELO if the HELO parameters are malformed, but you can't drop it just because it's unverifiable - you have to wait and drop it at RCPT if you want to be RFC-compliant. It's generally a good idea to be RFC-compliant whenever possible.

    RBLs are great for weighted systems like SpamAssassin, and for blocking Open Relays. If you use an Open Relay, everyone should reject your mail, because you are either clueless or a cantankerous ass-hat.

  8. That's what SPF is for. on How To Fight Spam Using Your Postfix Configuration · · Score: 1

    If you implement SPF, SPF-aware mailers won't send you those reject messages. And for the most part, spammers will stop using your address in their From: fields, because it decreases their spam's penetration.

    Don't confuse SPF with Microsoft's fake "sender-ID" crap, though. That's essentially useless, you want SPFv1 aka "SPF classic", then DKIM as soon as it's ready.

    Worked for me...

  9. Well, you asked. on DRM Hole Sets Patch Speed Record For Microsoft · · Score: 1
    If you were King today, then how would you set up a patching regulatory agency?
    With majestic heavenly force!

    How would you staff it?
    With heavily armed bruisers deemed too sadistic to work in Bagram or Abu Ghraib.

    Would it be a federal agency or is each state free to have unique patching regulations?
    Both. State agencies working night and day to find and severely punish patch slackards and a federal agency to abuse and oppress the state agencies. I would call this "a system of checks and balances" in my Royal Decree.

    How do you determine which software is subject to patch regulation?
    All software would be subject to patch regulation, but authors of free software would be punished as individuals, where authors of proprietary software would be punished in proportion to the number of unpatched users (who would, of course, also be punished). Thus, a vulnerability in Microsoft Office might result in thousands of users receiving a single lash apiece for failure to patch, but the employees and management of Microsoft corporation would receive thousands of lashes to be divided among them as deemed appropriate by the State Office of Patch Enforcement. The Federal Office of Patch Enforcement Regulation would of course dispute the distribution of lashes in most such cases and demand a re-administration along federally approved guidelines. My Royal Decree would refer to this as "effective oversight".

    The devil is in the details, my friend, and I suspect any attempt to do this would result in a messy hash of confusion with no winners.
    That's never stopped us before, why should we start getting reasonable about all this so late in the day?

    VOTE ME FOR KING! At least I have a plan.
  10. Re:IRIX was obviously going away. on SGI Announces MIPS and IRIX End of Production · · Score: 1
    It's running Linux, linking several 512 CPU NUMA components via Infiniband.
    Hmmm. Proving both our points; IRIX was a burden that SGI was able to shed with the help of the F/OSS community.

    Now I have CPU envy, Mr. Hankey.
  11. Re:Are the dependencies still growing like topsy? on GNOME 2.16 Released · · Score: 1
    Caring about the dependency graph is kind of an absurd thing to care about. Did you decide what car to buy by reading their schematics, and choosing the simplest? Use it, be happy. If you can't deal with abstractions, you shouldn't be using computers.

    Um, although I certainly don't care about the dependency graph (I care about the dependencies, and I linked the graph in case anyone needed further explanation of what I was talking about) I actually did decide what car to buy by reading schematics. And no, I didn't choose the simplest; I chose the one that provided the best value to me based on my personal criteria, which include efficiency and reliability, as well as some socio-economic and political considerations.

    Abstractions are great when you come up against something that's beyond your mental capacities. Perhaps for you that includes program structure, but I personally don't need to see my computer as a magical black box, I actually understand it pretty well and can make it do everything I need it to do without using any Gnome software at all.

    Complexity is the enemy of reliability -- Alan Robertson
  12. Re:Are the dependencies still growing like topsy? on GNOME 2.16 Released · · Score: 1

    Thanks for the link, which in turn links to LibgnomeMustDie... I'm still unclear on whether the dependencies are growing, shrinking, or staying reasonably stable, but it's nice to see some action on this front.

    Proud Member of the Clam Shill Alliance

  13. Re:IRIX was obviously going away. on SGI Announces MIPS and IRIX End of Production · · Score: 1
    I work in a HPC environment and there are some fairly large SGI systems (how's 10240 CPUs sound?)
    Sounds tasty! What OS are they running?
  14. Are the dependencies still growing like topsy? on GNOME 2.16 Released · · Score: 2, Interesting

    Gnome drags an absurd number of dependencies into the distributions I use. It seems like you can't load Gnome without also loading several development libraries, a panoply of sound and video support (for hardware you don't physically have and software you have no desire to use) and various other fooferaw. I realize some of this is because of inept packaging on the part of certain distributions, but even when you take that into account Gnome's still a dependency nightmare reminiscent of Windows "DLL hell".

    When the number of dependencies required to run Gnome on mainstream distributions DECREASES, that'll impress me. Until then I am unlikely to care what new eye-candy it's sporting.

  15. IRIX was obviously going away. on SGI Announces MIPS and IRIX End of Production · · Score: 3, Informative

    SGI ported their graphics code to linux years ago, so that they could eliminate the cost of maintaining their own unix variant.

    Even chkconfig is reasonably standard in mainstream linux distros. IRIX is not worth the effort.

    They can now concentrate on their core competency, which is presumably better graphics hardware than their competition.

    I guess Erwin will have to start shopping for spare parts on eBay...

  16. "virtually" fool-proof system on Hardware Hacking a Voting Machine in 4 Minutes · · Score: 1

    Non-computer types often ask me what "virtual" means. I tell 'em it's the opposite of "canonical"; canonical means real and virtual means fake.

    So something that's virtually free is not really free, etc.

  17. How did that get marked "insightful?" on How Much Does Your Work Depend on the Internet? · · Score: 2, Insightful
    Pay some ISP to do their job and get all the critical services off-site immediately.
    Don't know about the OP, but my "critical services" that need internet access consist of roughly 400 humans sitting at desks who can't do their jobs without the 'net.
  18. The FISH!!! on Possession of Violent Pornography Outlawed in UK · · Score: 1
    "Shaun Gabb, director of the anti-censorship organization the Libertarian Alliance, said: 'If you are criminalizing possession then you are giving police inquisitorial powers to come into your house and see what you've got, now we didn't have this in the past.'"

    Good evening!

    The last scene was interesting from the point of view of a professional logician because it contained a number of logical fallacies--that is, invalid propositional constructions and syllogistic forms--of the type so often committed by my wife.

    "All wood burns," states Sir Bedevere. "Therefore," he concludes, "all that burns is wood."

    This is, of course, pure bullshit! Universal affirmatives can only be partially converted. All of Alma Cogan is dead, but only some of the class of dead people are Alma Cogan. Obvious one would think.

    However, my wife does not understand this necessary limitation of the conversion of a proposition. Consequently, she does not understand me. For how can a woman expect to appreciate a professor of logic if the simplest cloth-eared syllogism causes her to flounder.

    For example: given the premise, "All fish live underwater" and "All mackerel are fish", my wife will conclude, not that "All mackerel live underwater", but that "If she buys kippers it will not rain" or that "Trout live in trees" or even that "I do not love her any more."

    This she calls "using her intuition". I call it "crap" and it gets me very IRRITATED because it is not logical!

    "There will be no supper tonight," she will sometimes cry upon my return home.

    "Why not?" I will ask.

    "Because I have been screwing the milkman all day," she will say, quite oblivious of the howling error she has made.

    "But," I will wearily point out, "even given that the activities of screwing the milkman and getting supper are mutually exclusive, now that the screwing is over, surely then, supper may, logically, be got."

    "You don't love me any more!" she will now often postulate. "If you did, you would give me one now and again so that I would not have to rely on that rancid Pakistani for my orgasms!"

    "I will give you one after you have got me my supper!" I now usually scream, "but not before"--as you understand, making her bang contingent on the arrival of my supper.

    "God, you turn me on when you're angry, you ancient brute!" she now mysteriously deduces, forcing her sweetly throbbing tongue down my throat.

    "Fuck supper!" I now invariably conclude, throwing logic somewhat joyously to the four winds, and so we thrash about on our milk-stained floor, transported by animal passion, until we sink back, exhausted, onto the cartons of yoghurt....

    I'm afraid I seem to have strayed somewhat from my original brief. But in a nutshell, sex is more fun than logic. One cannot prove this, but it IS in the same sense that Mount Everest IS, or that Alma Cogan ISN'T.

    Goodnight.

    (with apologies to Monty Python's Flying Circus and Salvador Dali.)
  19. Phantom loads are just as bad, or worse. on The Light Bulb That Can Change the World · · Score: 1

    If we all put our televisions and everything else that uses a remote control on power bars (and then remembered to turn them off occasionally) we'd save even more.

  20. WLGore worked that way... for a while at least. on Why Google's New Products Need Not Succeed · · Score: 1
    ...something that makes Google unique, in that they are like a giant collection of startups. Google is organized into a variety of teams that operate in relative autonomy to the whole.
    That strategy worked for W.L. Gore until the old man died. It takes a lot of charisma at the top (which, sadly, the boy just hasn't got) to ride herd on a collection of autonomous units.

    Or, to put it more nerdly, the linux monolith was easier to build than the Hurd hird.

    Oh crap, I just made a bad recursive Gnu joke. Somebody shoot me now!
  21. Re:NASA on Next Generation Stack Computing · · Score: 2, Interesting
    I thought NASA was using components the rest of the world treated as obsolete due to their proven durability and reliability in the radiation of space.
    Essentially correct. It is so costly and time-consuming to get a new component certified for use that it's usually less work to find a clever way to use old components. Then ten months after launch production ceases on the old part, and you have to have special ones built at a hundred times the cost (military option) or scavenge them on eBay (scientific option).
  22. Looks pretty elegant on screen on Inverting Images for Uninvited Users · · Score: 1

    Thanks for the screenshots. If you strip out anything that might compromise your employer's security, you can GPL it and get other people to clean and polish it up for you! I'd certainly be interested in helping out (well, when I get back from vacation anyway).

  23. Rename the Earth! on Stephen Colbert vs The Hungarian Government · · Score: 2, Funny

    Cmdr Taco, allow me to congratulate you on your true red-blooded Americanness, unless of course you are one of the many persons on our Internets who is actually a socialist-cozening Canadian.

    While your proposal to upgrade the name of one of the lesser American states, which is to say one of the states which does not produce oil, is certainly sound, in fact our entire American solar system could use an image upgrade.

    I know I am not alone in my preference for a more masculine and aggressive stance regarding naming conventions, and I call on every American to support this fine idea.

  24. Share the code. on Inverting Images for Uninvited Users · · Score: 1

    We'd all like to see that "convenient web interface".

    Don't worry, you won't shock me, I've written .cgis in sed.

  25. Been buying them for a year or more already on Ripeness Sticker Coming to Supermarket Fruit · · Score: 1

    This isn't new. I've got four pears in the fridge right now with a ripeness sticker. I'm on the East Coast of the USA; they are commonly available from PA to NC at least.