Re: Evolution is change over time, on Evolving Rocks (Score: 1)
The really intriguing issue is the word "random" in "random mutation." Until we actually figure out what randomness is, I would respectfully suggest that the absence of this key fact prevents anybody from discussing the whole issue of evolution sensibly.
If you get hit in the gonads by a cosmic ray or whatever, that ray had mass, speed and direction: all of which are information. Where did that information, which could potentially have a great impact on your descendants, ultimately come from?
We seem to have got the physics of energy pretty much sorted out. The physics of information, if that's even the right discipline to put it in, is rather more up in the air. Can information be created or destroyed? Is it conserved? Is there such a thing as a closed system with respect to information? Is the universe such a system?
Absolutely :-) I am aware, though, that I'm getting a bit out of touch. I realize that when I'm floundering around in, say, GNOME guts, that I don't really know how it all hangs together. Dbus? gconf? There seems to be much less info about them in common currency within the culture, compared to more established parts of the system. Oh, well ..
There is a certain truth behind that ;-) But it seems to fit the problem and my particular skill set nicely. For added complexity, I've added an X server running on Windows running on the VM .. The aim is to migrate gently, one-at-a-time, to Linux apps, then drop the VM (or at least only access it via Seamless RDP for the one Win32 app I may not be able to get rid of.)
If you're thinking, by this point, that I'm understimulated by my day job, you would be right!
That sounds like a pretty cool merge of the two concepts. Despite the lack of hardware savings, I would assume the manageability benefits are worth having..
It's not like that 150MB instance of Outlook gets any smaller on a VM, you just have multiples of it on a single server.
If you let multiple clients attach to one VM, presumably you at least get the benefit of sharing the executable / DLL pages (I assume Win32 does this the same way *NIX does)..
Still, the user still hates you forever for saying 'no'. Lose/lose. I'm now handing out $200 Asus EeePCs for those situations. Dual boot in Linux/Win, and user can restore from 'bricked' to original config in 30 seconds ... high CPU and FPS game playing - unfortunately - impossible ;-)
Neat. It'll be interesting to see how they get treated. Something tells me people may "connect" better with a portable device that small, than a damn great desktop on a desk wired to the network. Hopefully people will feel more responsible for them, or at least their data..
Interesting - I had absolutely no idea that existed, shows how out of touch I am. Personally, I'll stick with my implementation, because it gives me a Unix host and pretty good confidence in the non-"subvertibility" of the change control (I couldn't - quickly - find any details of what level Windows Disk Protection works at), but I'll certainly suggest it for anyone who needs a Windows-based solution..
Ah yes, the eternal tension between empowering users and protecting them from themselves :)
Sticking user profiles somewhere writeable should be enough for 90% of users. For those more trustworthy and with more need for customization, their own personal disk image should do the trick. It still means firewalling and virus scanning can be run on the host where it can't be subverted, and disk images can be shunted around and rdiff'd for backups, etc.
The only snag is that playing DirectX-requiring games is probably out, and I'd bet that's what would underlie most of the moaning ;-)
True, I guess with modern server and network performance and reliability fairly dumb terminals are possible again (there was a decade or so when it was all rather iffy, beginning about the time that people started using Windows.) There might be a niche for poorly connected workstations, though - offices in locations with no broadband, laptops..
I've hacked an interesting little solution together for my household, which I'm sure would scale. I've been using Linux for about 13 years, and have forgotten more tricks than most people know. Over that time I've done a certain amount with Windows, too, but the lack of a rich toolset and open / free documentation and source always put me off spending too much time on it. I understand things are a bit better now on those fronts, but I chose where to invest my time ages ago. I've certainly not bothered about keeping up to speed, have no experience with Vista, Office 2007, etc.
Anyway.. I have to provide a Windows environment for a family member who's really not up to learning anything new. I wanted to be able to manage it, secure it, control changes to the configuration, etc., etc., and eventually hit on the idea of just running XP inside VBox on Ubuntu. It starts automatically, changes to the main Windows partition are discarded on each shutdown, and I can do all my management with ssh (and occasionally rdesktop if I need to actually fiddle with Windows, which is rare.) Performance is fine even on old hardware.
Virtualization on the server is obviously mainstream now, and I guess many users are running virtualization software themselves to provide access to apps on other platforms and run old software. I haven't seen much about using virtualization as a platform for managed desktops though, and I reckon it has some advantages: moving images between machines when hardware fails or users move departments; change control; configuration testing, etc., etc. Knowing you've got the exact same disk image in use on a herd of workstations, regardless of hardware, seems like a good thing for peace of mind..
Ye-es. I'll have to confess that I'm actually still running Gutsy, for various reasons :/
Ubuntu's kind of in a tricky position. They're aiming for usability by very non-technical / non-Unixy folk, but not being the dominant OS in the world, hardware support increasingly seems to be a pain. I'd actually quite like to see a "Recommended Hardware" list, so when I need a new graphics card, or DVD-RW drive, or whatever, I can just walk into PC World with a couple of pages of printout in my hand, rather than having to do a couple of hours of research first (or take my chances.)
Also, a lot of Ubuntu users are going to be hobbyists, perhaps with combinations of unusual hardware or unusual mods that they've made to their existing installation. This is always going to make upgrades "interesting."
As I said before, all the Linux distros (and to a large extent the *BSDs), and most open-source software, form a big ecosystem. It's an ecosystem which treats technical knowledge as a form of culture, and once you're in it it does seem much easier to get stuff done (particularly uncommon / unusual stuff) than in the commercial world (unless you have big $$$ to spend.) I'm not sure how Linux best serves "the man in the street": apart from embedded devices, I'm guessing that it will be as a foundation platform for new appliance-y devices (netbooks, mobile phones, set-top boxes), where the hardware is modern and known, and where the users aren't necessarily expecting Windows.
I didn't know that universe was now enabled by default. That sounds like a bad move, particularly if people install network services or clients.
Depends. "Linux" in general usage = Linux kernel + critical userspace stuff (glibc, etc.) + apps / services.
Stable kernel versions are generally very, very stable. Ditto the critical, foundation userspace stuff.
As on most other platforms, the apps vary. Because we're talking open source here, unstable test versions are usually available, and often the bleeding-edge stuff the developers are still editing is available, too. Different distributions choose what to ship, depending on what their target audience is.
Also, regardless of the stability of individual components, there are often issues that arise from the interactions between the components. That's actually where Linux distros are a huge win over other OSs: the developers test, patch, and integrate a huge swathe of free software alongside the core OS, in a way that commercial OSs don't (they may do the testing bit, but that's all.)
Ubuntu, AIUI, made a deliberate decision to be slightly less anal about rock solid stability and nailing every last bug, in order to be able to ship more up-to-date versions of the applications that most people use day to day. Crashes are undesirable, but having features missing that you want to use is also undesirable. And having said that, Ubuntu is usually pretty bomb-proof too.
"Linux" is a complex ecosystem, but it offers choice, and switching between different flavours once you've found your personal "sweet spot" is still much less painful than migrating between other OSs.
The foundation of the attacks, used to establish enough connections to have an effect at the remote end, is fairly obvious (in hindsight!)
What you do once you've got that 'high impact' scalability is a different question. I got the impression from the interview that they're exploiting quite subtle issues in TCP/IP stack state machines. Plus, they're exploiting multiple bugs to give them the 'end-of-the-world' degree of coverage that's got this into the headlines. They share an underlying 'utility' technique, but in the end, it's not all down to a single bug.
The focus in the blackhat community seems to have been on exploiting buffer overflows, etc., to inject code. This allows you to do more interesting stuff than 'mere' DoS. Also, I guess people keep looking in the areas (overruns) that have provided pay-offs before. This attack, by contrast, is quite unusual - in the past, the DoS attacks against stacks have pretty much been the 'obvious' ones.
Maybe the client-side cookies allow nastier DoSs than just leaving connections open.
Yup, part of what they're describing in the interview is dicking with the session-setup state machine and associated resources on the server, e.g. timers. I guess they need some state for this, hence the client-side cookies.
Basically, they're using this one foundation technique as a platform to do a variety of different evil stuff on a larger scale than is possible without. Arguably, the mitigation is to fix all the bugs being exploited, but if this gets into the wild soon, we might have to look for a broad-spectrum silver bullet, like we did with Kaminsky's class of DNS attacks.
I'm pretty sure this is not an attack against server-side syn cookies. The syncookies thing is actually kind of irrelevant, all they're doing (AFAICT) is using the same technique that we use on servers on clients, to allow *them* to set up shedloads of connections without keeping state.
In summary, it works by establishing tons and tons of connections using carefully-forged SYN cookies.
I'm not sure that's fair. AIUI, all they're doing is using the same technique that has been used on the listening side for years (syn cookies), on the client side. It means you can have hundreds of thousands of connections in the middle of being set up, without having to hold any state.
I guess the assumption has always been that to DoS by a fully-open connection, the client would have to maintain some state, like remembering where it was trying to connect to. This eliminates that step.
Having said that, I can't quite see why you'd need to remember any state. Assume that all SYN+ACK packets were sent in response by us, and send ACKs. Maybe the client-side cookies allow nastier DoSs than just leaving connections open.
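What the comments above call the listening-side technique, shown as an added illustration that is not from any of the posts: a stateless SYN cookie, recomputed from the connection 4-tuple, a time slot and a host secret, and verified on the final ACK without any stored half-open state. The addresses, ports, secret and timestamps are constructed, and the 8-bit slot / 24-bit MAC layout is a simplified stand-in for what a real stack does (Linux, for instance, also encodes the MSS).

```python
import hashlib
import hmac

SLOT_SECONDS = 64        # cookies are minted per 64-second time slot
ACCEPT_SLOTS = 2         # the current and the previous slot are still valid

# Constructed demo secret; a real stack generates this at boot and rotates it.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def _slot(now):
    """Time slot a cookie belongs to (only its low 8 bits are encoded)."""
    return int(now // SLOT_SECONDS)


def _mac(src_ip, src_port, dst_ip, dst_port, slot, secret):
    """Keyed hash over the connection 4-tuple and the time slot, truncated to 24 bits."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, now, secret=DEMO_SECRET):
    """Initial sequence number the listener sends in its SYN+ACK.

    Nothing about the half-open connection is stored: everything needed to
    recognise the peer's ACK later is folded into these 32 bits.
    """
    slot = _slot(now)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, slot, secret)
    return ((slot & 0xFF) << 24) | mac


def check_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, now,
                 secret=DEMO_SECRET):
    """Validate the third handshake packet purely by recomputation.

    ack_num is the peer's acknowledgement number, i.e. our ISN + 1.  Returns
    True only if the cookie was minted by us, for this 4-tuple, within the
    accepted time window; an expired or wrong-peer cookie is rejected.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot_bits = cookie >> 24
    got_mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = _slot(now)
    for age in range(ACCEPT_SLOTS):
        slot = current - age
        if (slot & 0xFF) != slot_bits:
            continue            # cookie cannot belong to this slot
        want_mac = _mac(src_ip, src_port, dst_ip, dst_port, slot, secret)
        if hmac.compare_digest(want_mac.to_bytes(3, "big"), got_mac):
            return True
    return False


def demo():
    """Constructed handshake: genuine ACK, stale ACK, ACK from the wrong peer."""
    now = 1_700_000_000.0
    peer = ("192.0.2.10", 40000, "198.51.100.1", 80)
    isn = make_cookie(*peer, now)
    genuine = check_cookie(isn + 1, *peer, now + 5)
    stale = check_cookie(isn + 1, *peer, now + 3 * SLOT_SECONDS)
    wrong_peer = check_cookie(isn + 1, "192.0.2.11", 40000, "198.51.100.1", 80, now + 5)
    return genuine, stale, wrong_peer


if __name__ == "__main__":
    print(demo())  # expect (True, False, False)
```

Because the listener commits no memory until the ACK verifies, ACCEPT_SLOTS bounds how long a minted cookie stays replayable, which is the knob a defender tunes against connection floods.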
I'm listening to the interview now, English starts at 5m10s (approx.)
3.51 was nice though. I used to do my 16-bit development (Visual C++ 1.52!) on NT; when my apps crashed and corrupted shared memory, which would take Win 3.11 down, I could just nuke them and start over. If you ran VC++ in a separate address space, you didn't need to restart that, either.
Yes, back then, this seemed seriously cool. In my defence, I'd never used a real OS ;-)
On Linux, at least, it's often even easier: the flash video is usually sitting in /tmp with a reasonably obvious name, just asking to be hard linked somewhere else. Don't know if this holds true for RTMP streams, though, which I guess is what TFA is talking about.
I'm not sure the clipboard hijacking is anything to do with this new 'clickjacking' issue - it came up about a month ago, I'm fairly sure it was on slashdot at the time.
I'm really not sure what that link ("SEE: Adobe Flash ads launching clipboard hijack attack") is doing in the middle of the ZDNet post.
Blank screens of different colours when an Amiga failed to start up. Also the caps lock LED flashed different codes. Both equivalent to the PC's POST codes, I guess.
Dunno about the US, 'cos I believe you're using / going to be using a different system, but in the UK, with DVB-T:
More channels from (about) the same number of frequencies;
Better quality pictures in some cases (if your analog signal was of moderate quality, your digital picture should be better);
Possibility for OTA digital HDTV — I believe this will be trialled in 2009 in parts of the UK;
Frees up chunks of the spectrum for the government to sell^W^W^W^W use by other services (not sure quite how this works, possibly because there is less need for protection from co-channel interference, meaning a smaller range of frequencies needs to be used across the country.)
You can pull an MPEG-2 stream straight off your DVB-T TV card (and then dump to DVD or whatever) with no need for en- or trans-coding. (Sssh! Don't tell the MPAA!)
See also Wikipedia: DTT
Cars have been commodity items for ages now. I just want to get places and get on with my life, I really don't care about how engines or drive-trains work.
Doesn't work like that, though. I have to keep an eye on things like oil and coolant, and they do occasionally get low. If the steering goes funny and I hear a strange flapping noise from one of the wheels, I have to be awake to the possibility that I've got a flat tyre.
I also have to remember to lock the damn thing and take the keys out of the ignition, so people don't nick it.
There are aspects of reality which can't be engineered away. If we (IT types) accepted that, and managed to make the users realize that, a lot of resources would be freed up for tackling those problems that can be solved. Hell, the users might find that being more engaged with reality was actually both interesting and empowering.
The attitude that software must be perfect, must read the users' minds, must be able to do anything the user wants, and must be able to magically cope with all aspects of reality, is a large part of the reason why software is getting more and more bloated and complex, and yet still failing to tick any of those boxes.
Reality is complicated, and sometimes bad shit happens in it. Tools used to deal with that reality unavoidably tend to mirror some of that complexity, and cannot always protect users against their own stupidity (or lack of knowledge) and / or other people's malice.
If you get in your car one morning and the engine's making a noticeably different noise than normal, it's sensible to either stop and examine it (if you know enough about cars to do so), take it to a garage, or at the very least, proceed somewhat more cautiously than you would normally.
In this instance, I'd say there was a 50:50 potential allocation of blame. User should be attuned to, and wary about, unexpected changes to the way their systems work. Software should also be more secure, and prevent untrusted code from mimicking system dialogs.
Malware authoring is a crime, designed to con people out of money, or use their machines to conduct further crime. Most people accept the need to take certain precautions against "real world" crime - locking houses and cars, not walking in certain areas at certain times, etc. .. and yet many of those people don't seem to feel the need to pay anywhere near the same level of attention to crime that happens on their PC / over the net. What's the difference?
Aha! These must be the underlying physical principles of Resistentialism...
I'm not sure it is easy.
The interview does actually have a lot of detail.
Skip to ~ 5m10s for the English.
dnsmasq has an option to reverse the effect of this sort of thing.
It runs nicely on OpenWRT.
Or you could use maradns instead, and avoid all present and future problems with your ISP's caching DNS servers..