You are a complete stop and re-read my post and my previous post. I've been using Linux since Ygdrassil distro (I'm not sure where my original slackware floppies floppies, so I can't tell you what kernel rev, but whichever was out Summer of 94), so I know what the fuck kind of warranty I get.
You really don't think it's a fiasco when the stated stable kernel revs are doing development (odd or 2.5) kind of work and actually *breaking* things. Linus/Linux doesn't owe me shit, but it *IS* a fiasco when it's stable release does stupid shit like it's doing (completely replacing the VM subsystem for one) that should actually belong in the 2.5 release. (again that was a completely, tiny, itty bitty bit of my original post, that for some reason you've made into some huge issue).
Now what the heck, do you not realize that I gave you the *specific* example of a program that had a buffer overflow last month in WindowManager that you need more. Ok fine, since you are too lazy to go up and look at the example I told you, on securityfocus. I should have known better than to respond intelligently to a person who thinks that Unix code has absolutely no sloppy code in it anywhere.
bugtraq id 3177
object wmaker
class Boundary Condition Error
cve CVE-MAP-NOMATCH
remote Yes
local No
published Aug 12, 2001
updated Sep 20, 2001
vulnerable
Windowmaker Windowaker 0.60
- Conectiva Linux 4.0
Windowmaker Windowaker 0.61
- Conectiva Linux 4.2
- Conectiva Linux 5.0
- Debian Linux 2.2
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Linux Mandrake 7.2
Windowmaker Windowaker 0.61.1
Windowmaker Windowaker 0.62
- Conectiva Linux 5.1
- Conectiva Linux 6.0
Windowmaker Windowaker 0.62.1
Windowmaker Windowaker 0.63
Windowmaker Windowaker 0.63.1
Windowmaker Windowaker 0.64
- MandrakeSoft Linux Mandrake 8.0
not vulnerable
Windowmaker Windowaker 0.65
WindowMaker is a window manager for X11 systems. It is often run on end-user systems.
WindowMaker contains a buffer overflow that may be exploitable by remote attackers. The
overflow condition is present when X11 applications are setting the titles of their windows.
This vulnerability can be exploited by X11 applications which can connect to the Xserver. Any arbitrary code that is executed will run with the privileges of the window manager. It will also execute on the system where it is running.
-----
If you are so dense that you don't realize that not doing bounds checking is the equivalent of sloppy code then here, ReiserFS earlier this year introduced a kernel level security bug (since ReiserFS hooks are now allowed into the kernel with 2.4.1) because of a buffer overflow. I put up, now you shut up.
There is a reason why I'm still at the 2.2 kernel, and unwilling to touch the non-beta, supposedly stable 2.4 kernel, even though I have people asking everyday when we can go to 2.4. You completely missed why I was posting that, you don't consider having to relase new code for kernel within days for 2.4.8 and 2.4.11 having sloppy code; *that* is my deffinition of sloppy code for a non-devl, released stable product. If this were the 2.3 kernel then I wouldn't be complaining, but the 2.4 is supposedly for a stable release, with 2.4.x being just bug fixes for that release, that is the fiasco; when we start needing bug fixes for the bug fixes; that is a sign of sloppy coding in my mind.
Here's the point that you missed, Linux's (even with all this sloppy code) core design philosophy is to run apps as a non-privileged user; so even though user Joe makes a sloppy coded web app that has security holes out the wazoo, it still doesn't allow the attacker to gain root access to the box, since it's normally ran as user nobody, httpd, etc. sloppy code gets stopped at that level. Where MS also has sloppy code (you seemed to miss that, I never said they didn't have sloppy code but that their design was more the problem), but their everything needs privileged access design
Examples... well how about the 9/20 Windomaker buffer overflow, I'd consider that well usef, that's pretty sloppy not doing bounds checking.
Let's face it, sloppy code isn't going to go away on any OS or any platform. You can strive to make sure it gets cleaned up, but it never is going to go away. MS may have more or less sloppy code than is in Linux distros but their design philosophy makes them much more vulnerable since pretty much everything has to run with admin privileges somewhere. Where Unix could have the sloppiest code around and not have root level compromises since it harldy ever really needs root access for it's apps. Which is the point I was making and you completely missed.
Normally you have this type of configuration in a HA environment where one system can mount the drives of another; he can see them he just doesn't mount them until the other node is down, often by doing a "shoot the other in the head" (I don't get to use that phrase enough) type of procedure, by just turning off the power of the other system, when a failure is noticed.
The other time that you would use this is when you have a clustered file system i.e. Veritas VCS, SGI's CXFS, Linux's GFS, etc. So everybody gets to agree who's talking to which inodes when. This does add some overhead, but if you need to share data realtime and need something at a bit lower level than nfs this is where you might look.
You do not want mount the same drive to two different systems at the same time if they are not running some type of software cluster management (either HA or filesystem). The filesystem *will* get corrupted.
Sorry I don't have any links, but you might do some searches on CXFS, VCS and GFS they'll probably give you all the info you'll need.
So you agree with me that the previous poster was incorrect in saying anything about latency in the SCSI interface matters at all.
You also agree with my statement that the performance of just one drive the controller is also not an issue.
But you might want to think out of the box sometimes; most of the the machines I run on, have 2x 1.6GB XIO bus supporting 6 cards each. On my smaller Sun/SGI boxes they have a PCI bus that does a sustained 200MB/sec.
So to out push the bus speed using drives that have a sustained rate of 35MB/sec, I'd have to have 6 IDE drives and 6 IDE controllers at a minimum. If I'm not using 1 constant read or write, and doing multiple transactions I'm going to need to add more drives & controllers to fill up my bus.
SCSI controllers are not really anymore expensive than IDE controllers these days (price watch has SCSI3 for $24).
Correction: the limiting factor for IDE storage is physical space to fit drives in the case. That single server with 300 drives goes out to my 46 terabyte EMC 8730 frame running SCSI over switched fabric; and I can push the XIO bus to a full 1.6GB so my bus speed is NOT a limiting factor.
http://www.sgi.com/origin/2000/numa_tech.html
http://www.sgi.com/Products/PDF/1150.pdf
http://www.sun.com/servers/midrange/e4500/detail s. html
http://www.sun.com/servers/workgroup/220r/featur es.html
Exactly how do you cluster IDE drives??? With SCSI I can share the the same bus with 2 different computers, and can present the same disk to two different systems at the same time.
IDE is *only* good in a single drive / single controller situation; but at that time (from most drive manufacturers websites) you are only able to push maybe 35MB/sec. So your so called controller latency is NOT an issue. Agreed IDE will perform the same on a single drive system, but as soon as you add another drive onto that channel you've possibly halfed the performance of those two drives, you could add another controller, but really starts getting rediculus (I've got one systems with over 300 drives connected to it, I'd like to see an IDE system keep up with that)
There also are quite a bit of things in the SCSI protocol that you are looking over. Command Tag Queueing is a very big one, I can send multiple commands down the SCSI chain and the drive can re-order them so that the drive can streamline where it's going to be getting data off of the drive (setting this gives a significant performance boost on our arrays). Along with the fact that IDE is completely and totaly CPU driven, try really pushing your CPU and you are either going to have to give up CPU cycles to your app or give up performance to your drive.
Could you please provide a link to Google's use of IDE drives for all their storage, I can't seem to find a page saying that their Linux are all running on IDE only.
Not to start a flame war, but your argument is fairly week. This same argument would apply Linux distros, if you went by the shear number of security issues they have had over the past years. So far this year Redhat alone has had over 54 vulnerabilities (which is more than the 42 that Windows has had so far). And don't get me started on the 2.4 kernel fiasco, it's one thing to release early and release often, but it's another to have multiple kernels get released within mere days of each other because they introduced new bugs due to sloppy code.
I've seen a whole lot of sloppy code coming out of Unix centrix projects (gives me shivers at night). But I think that the problem that MS has is less with sloppy code (I think their code really isn't any more sloppy than the rest of the world), but their OS design around one user instead of multiple users. MS has a much better file level security model then most unix platforms (throw ACL's and you've got a contender), but everything & everybody pretty much has to have hooks as an admin user. It's really the equivalent of having Grandma sitting in front of a Linux system as a root user; if Microsoft could take the single user admin privilege (for both the user and the apps) away then the issue would really start to go away.
I'd really like to see you get a sustained 100MB transfer rate for Oracle redo logs with 9 drives (triple the amount you suggest), you'll never, ever do it. You must be one of those who believe that because an IDE drive says it can do 34MB/sec, I can throw another one onto the same controller and I'll have 68MB/sec for all my apps.
I'm sorry but you really need to go back to drive technology 101, 80MB is a limitation for direct attached SCSI, 100MB is a limitation for fibre channel (soon to be 200MB and then up to 1000MB once standards are more ironed out). Each of those can do a sustained 80MB over *ANY* transation, Oracle db, mailserver, newserver, etc. no matter where the write or read is you'll max out the pipe from your computer to the SSD before you'll max out the SSD. You'll overrun your drive spindles before you'll ever run out of channel speed on any non-streaming type of application, just how fast do you think you can get data to the system when the head is on the opposite side of the platter???
For streaming apps, sure you could do what you are suggesting (you'll probably need more than 3 HD's though), but nobody has ever that had a clue has ever suggested a SSD for those apps.
Idiots like you shouldn't talk out there ass so much...
You ignorant sir need to get a history cluestick to the head.
Osama Bin Laden talked to his homeland about creating a military regime to go *AGAINST* Sadam feering that his home considered to be the most sacred place to be overrun by Iraq. Instead of taking BinLaden's militia the Saudi country invites the US to come in and protect them from Iraq. It's not that he wants us to leave him alone, he killing people for the mere fact that a non-muslim only nation is in his home country that has asked them to be there in the first place. As admitted by pretty much everyone around the world the number who believe in Osama's ideals is counted in the fraction on a percentage in the middle east. It's equivalent of the US bowing to the KKK and deporting all of the minorities out of the US, that's all they want "to be left alone" and not bothered by other races in the US.
So you agree to the Taliban's proposal that is the equivalent of having a white man tried in 1870 Georgia for killing a black man, who's entire jury are members of the KKK. Sure everybody'll agree to that, don't you??? That's a really good option that they gave us. The only country left that actually recognized the Taliban was Pakistan which the US was using for diplomatic talks. They couldn't even get the Taliban to negotiate, the only nation in the entire WORLD that recognized them. When Pakistan (again the only country in the entire WORLD talking to them) finally gave up their tries at diplomacy, did action occur. We've been trying to work with the Taliban since the US Cole and they've not moved, do we need to wait till Osama dies of old age having just diplomatic talks? All diplomatic means were exhausted, the only country left recognizing the Taliban agreed that the talks were getting nowhere, exactly when is exhausted that sure the hell sounds like exhausted to me.
http://worldhistory.com/binladen.htm
http://dailynews.yahoo.com/h/ap/20010912/wl/atta ck s_bin_laden_1.html
You aren't running into a limit of your HD, most 7200 RPM IDE drives can do around 30-40MB/sec so a single write would start to run into limitations on a 240-320mb (having concurrent actions on the drive moving the reader around is what kills the performance, along with fragmentation). On your 100mb line, you've got an additional 100mb of bandwidth before you overrun your drive (as long as you are performing 1 read or write on the drive)
You are seeing what is about average for ethernet, nobody is able to push a full 10mb, normally they can get around 780kb/sec, 100mb is the same around 70-80mb, gig-e is really more dependandt upon your CPUs (give up a full CPU per gig ethernet card), on a smallish SMP system people normally push around 300-400mb if they've got a really beefy system they can push around 600-700+ on a single card.
Collisions... it all depends upon your network topology, 100mb switched verses 100mb shared. You'll allways get collisions (even on a cross over cable), but the only ones to really care about are the collisions. A 100mb switched netowrk will get pretty close to the same performance as one with a cross over cable.
I don't know about you, but there are some countries that I would not put surprised had access to certain controls on their nuclear power plants. Chernobyl had a failure some years before it's melt down due to shoddy workmanship. There are many countries around the world using nuclear power who aren't as closely regulated as others.
I wasn't talking just deleteing money, how about mucking with a person's Quicken file to send all their money to bankaccount X in South America, the next time they login to bank online. The money went somewhere... you can't just restore the database and magically have the money back. You can obviously fight this, but again what are you going to live off of, while you fight for a year that the transaction that came from your computer, when you logged onto your accout at the back, actually didn't come from you.
You can kill someone from online, how about the guys who were breaking into the power grid? That could do some really interesting things, think home respirator getting immense electrical surge or cutting power. Also where does "online" stop, is it just the "Internet", Internet2, BBS, connection over a phoneline to another system. There's probably a nuclear power plant somewhere in the world that has a modem, etc. connection, there could be some massive deaths there (course that's very improbable of ever occuring).
I don't know about you, but if I had all my money wiped from my bank accounts it would *not* be a minor thing, it's not like people keep cash in a hole dug out back. Think about people who are retired and living off of their savings from the past 50-60 years, and ALL their money is now gone, what are they going to live off of?
I don't think anybody could support these types of arguments, and as you said are way full of holes.
You *completely* missed the point of the post, it isn't about truning into starched-collared Organization Men. It's about actually treating your company the same way you want to be treated. I have known of people who were project leads who gave notice at 4:30 that they were starting another job tommorow. It's crap like that I was talking about, there is a really big friggin difference between being a "yes" man and just not being a prick to your company. In the tech industry, I knew of a whole bunch of people who's whole philosophy in life was to be the biggest prick (I know of some who actually pulled crap like this intentionally to "pay back", and wound up getting other fired because projects got scuttled because of their shit, luckily wasn't my company).
You want to change jobs and look for better opportunities, fine no problem, as long as you treat your employer with the same amount of respect that you want from them... give them some notice, actually talk with your boss before just going for the money (often they can get you some), it tends to be a two way street most of the time; looking at the past for some reasons a lot of the techs seemed to forget that.
Look at all the posts on the message boards 2 years ago. Don't like the way your employer twirls his fingers counter clockwise (you like clockwise only); well you don't have any responsibility to your employer f'them, you don't need to give any notice just go where the money rolls. After all that, jumping to 5 different jobs in a single year, people are now wondering why employers are looking after them?
It's now time to suck it up and realize that we as employees caused this philosophy with employers, and we as employees are the only ones who can change this philosophy by actually showing loyalty to the back to the employer. Now don't get me wrong you should NOT be working there waiting on a paycheck 3 months late, getting paid in options instead until they get VC money, but putting some loyalty into your employer instead of trying to constantly pimp them is the first step.
It may have appeared that he was shirking away, but from what I understand is that when he first heard the in Florida he requested to be flown to NY to be there directly and immediately. The secret service had a clear understanding that they had to first protect him from any and all danger and flew him to the nearest secure area (Louisiana). From there the secret service took him to an even more secure area (SAC in Nebraska). Finally letting him fly to DC once things were secured. There's just no pleasing people these days, if he would have flown directly to NY, you'd probably have called him a fool and putting the leader of the US in undue jeopardy.
The only thing I wish I had seen more of was a bit more fire in his eyes, an almost WWF Smackdown, we're going to get you look for lack of better words; but of course that would probably not be appropriate for the situation (actually whoever did this would probably just enjoy seeing it).
Now is not the time Mr. Katz to forward your personal political agenda.
You should also put the japanese "Rape of Nanking" into your reference.... Hadn't heard of it? Then maybe you should look into it. It's where Japan invaded China, killed 300,000 men in the town of Nanking, and raped 20,000 women. The Japanese soldiers used live Chinese men as bayonet dummies for training. Women worked repeatedly raped until their "usefulness" wear off and they were repeatedly bayonetted (one survivor was gang raped, stabbed 30+ times in the back, and left for dead. Others had stakes driven through their vagina's, had their children bayonteded infront of them, tied up prisoners in a line and machinegunned them down into mass graves (kind of like the Nazi's), buried people alive.
The sad part of it is, the US is willing to acknowledge that it dropped a deadly weapon on a country it was at war with; but Japan is unwilling to acknowledge during WWII they ever committed these horrendous acti in China, heck they won't even acknowledge they were ever even there in their own textbooks (there's learning from the past for you).
Do you know how much of a complete idiot you just made yourself to be, and now how much harder it will be to *ever* get them to seriously look at the case with FUD you just sent them.
Read the f'ing articles he was *not* arrested for talking at the damn convention (I'm assuming this is what you mean since you didn't tell the ACLU either) he *was* arrested for being the copyright holder of the program, which was sold on the internet from systems located within the US (essentially a trafficing in goods type of case). Where exactly is the freedom of speech violation in that, where is he being prosecuted for a speech crime? You just FUD'd the ACLU, I'll bet they'll really be interested in looking into the case or DMCA when they find out you were completely wrong. I also wonder how many additional valid requests will now be ignored because you didn't get your facts straight.
Bah, he's in prison because of a speech crime, now they'll be laughing at anybody who brings DMCA up again... thanks. Sometimes we are our own worst enemy, when it comes to these things.
It's not AOL, Microsoft, or anybody big
on
Who Do You Trust Least?
·
· Score: 3, Interesting
My biggest fear would be someone who is *not* under public scrutiny like larger companies. Look how many small companies constantly try to fly under the radar and install spyware onto your computer in their latest release. The whole Gator thing is a perfect example of this, they start off initially as a company who helps people autocomplete forms on websites, then they start sending rival adds to pages that you goto, then they intentionally build an app to go over the existing banner add on the page.
A company like Microsoft would *never* be able to get away with a gator like stunt, someone would be suing the heck out of them (the government would have their antitrust lawyers out like a pack of ravenous wolfs). Only people who seem to get away with doing stuff like this is the small little company that nobody seems to really care about; but that company is the first in line to screw you over in dirty little tricks.
The statements about him breaking into the bank, is in section 17, document page number 7 (my Adobe lists it as page 8, due to the coverpage)
It states that he told the site he hacked that he had gotten into the 1st National Bank in McAlester, was able to look at checking, savings & funds transfer; then goes to tell that he informed a bank officer, who also acted in a hostile manner; so he then accessed the bank 2 additional times, and then told a senior VP of an Oklahoma City branch.
1) He tries hundreds (that's with an 's' there) of times to break into their web app
2) After the hundreds of attempts he finally gets a combination to give him a password file
3) Instead of stopping at the point he *knew* he that he had broken their security, he continue on and goes back logs in as one of the employees
It's a gray area, but there has to be a limit, it sure seems that attempting hundreds (again with an 'S') of attacks against a site, finally getting a password list, and still not stopping? Please, there has to be a sane limit here.
I've purposely ignored the bank portion of this because the above sure looks like illegal activity (curiosity is one thing but to spend hours is another). If you throw the bank stuff into it, it screams of a classic shake down. Walks into the office, I've got a floppy disk with advertisement I want you to put on your site... oh, I "accidentally" got into your site, and in the past I "accidentally" got into the 1st National Bank's website, I also talked to them about their security didn't act very nice to me, so I then talked to the Sr. VP.... It almost has a feel of the mobster saying "Hey, we wouldn't want nothing to happen to your nice establishment. Nasty accidents can happen and we don't want that to happen to you, we'll be your *insurance* to make sure that no "accidents" occur. Capish?"
Re:Linux not ready for enterprise?
on
IBM Wants Linux
·
· Score: 2
I've got some more for you, where is the decent support for:
SCSI
NFS
SMP
LVM
I've got lots more if you want them...
You won't believe the fun things I've gotten SCSI & nfs to do on Linux. Journaling FS is just starting to become stable, LVM is still pretty shaky, don't even ask me about NFS (think hard freeze of system).
What Google shows is that if you've got enough systems (8000 of them) that you can take multiple failures and stay up. Linux on the individual systems are not that stable, but you throw enough redundancy at the problem it brings up the stability by sheer brute force.
Oh really? How about this quote from the Slashdot post (just this Friday in fact) with Bradly Kuhn from the FSF, it sure seems like they really would be in favor of such a law. The VP of FSF pretty much says that the being able to choose a license is akin to the same power as being able to have slaves!
From http://slashdot.org/article.pl?sid=01/08/16/205625 2&mode=thread
Our society took away the "freedom" to own slaves. Today, no one would even argue that owning slaves is a freedom. People now say that slavery is an inappropriate power that one person holds over another person.
Today, some argue that the "right to choose your own software license" is the greatest software freedom. By contrast, I think that, like slavery, it is an inappropriate power, not a freedom. The two situations both cause harm, and they differ only in the degree of harm that each causes.
--end quote
That sure seems like they *really* want to take away the freedom/inappropriate power of a developers choice in license, again that quote was from the guy who is the VP of the FSF so the things that he says, truely represent the views that the FSF holds.
I was thinking that if I'm just another Joe on the net, who downloads some code, I modify it & post it in binary only format on my website (don't release the code because he's lazy, just doesn't want to, whatever reason).
Under the FSF the original coder is "controlling" his public code by not allowing my above example. The FSF *wants* the ability to control code after it's been released (for good or bad). The FSF license requires all others to release their changes also, which again is obviously controlling the code after it has entered to the wild and wooly public space.
I was just pointing out the incorrectness of your statement, that (paraphrasing) once code is released to the public, no laws govern it anymore and it can not be controlled, and that is what the FSF believe in. Which from the above example shows this.
I personally really don't care too much either way with licenses, but your statement was so incorrect to the point of being exactly opposite of what the FSF says that I had to point it out (I'm kinda kooky that way), before someone else incorrectly believed it.
Wait a minute here... trying to control the laughter inside...
Isn't the FSF implementation *controlling*? I believe the GPL controls me by enforcing in your words "legal fiction". Would not the restrictions within the GPL be "control", it says that there are things "I CAN NOT DO" that sure seems like control to me. You are *CONTROLLING* me by not allowing me to take your code and do what I want with it and put it back out into the work anyway that I see fit. You make like that I am forced to give back to the common good, but you sure the hell are controlling me, and your public code.
Let's really take a look at your example and put in exactly what should be in there... you let something out into the world, your fundamental control is maintained, and the control you have is a legal enforcement of what both FSF and you consider ethical. If I were able to truely be able to *any* thing at all with the code then your original statement would be correct, but it's not.
Sorry, but it seems that you are a bit confused on animation development. If you get passed some of the low end graphic cards hype you'll see that what they are good at (extremely fast fill rates) doesn't matter at all when doing development of animation. Being able to have lots of polygons on the screen and doing rotations, transformations, etc. is what matters. You are constantly rotating things around, etc. which really doesn't care about fill rates, but pushing those polys are what matters for creating the images (that is why the port Quake for Irix really sucks, they don't care about fill, just moving thousands of polys at the same time).
Slashdot Mirror
You are a complete stop and re-read my post and my previous post. I've been using Linux since Ygdrassil distro (I'm not sure where my original slackware floppies floppies, so I can't tell you what kernel rev, but whichever was out Summer of 94), so I know what the fuck kind of warranty I get.
. pl ?section=discussion&id=3177
//((block_size - BLKH_SIZE - IH_SIZE - DEH_SIZE * 2) / 2)
// two entries per block (at least)
/* too big to send back to VFS */
You really don't think it's a fiasco when the stated stable kernel revs are doing development (odd or 2.5) kind of work and actually *breaking* things. Linus/Linux doesn't owe me shit, but it *IS* a fiasco when it's stable release does stupid shit like it's doing (completely replacing the VM subsystem for one) that should actually belong in the 2.5 release. (again that was a completely, tiny, itty bitty bit of my original post, that for some reason you've made into some huge issue).
Now what the heck, do you not realize that I gave you the *specific* example of a program that had a buffer overflow last month in WindowManager that you need more. Ok fine, since you are too lazy to go up and look at the example I told you, on securityfocus. I should have known better than to respond intelligently to a person who thinks that Unix code has absolutely no sloppy code in it anywhere.
http://www.securityfocus.org/cgi-bin/vulns-item
-----
bugtraq id 3177
object wmaker
class Boundary Condition Error
cve CVE-MAP-NOMATCH
remote Yes
local No
published Aug 12, 2001
updated Sep 20, 2001
vulnerable
Windowmaker Windowaker 0.60
- Conectiva Linux 4.0
Windowmaker Windowaker 0.61
- Conectiva Linux 4.2
- Conectiva Linux 5.0
- Debian Linux 2.2
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Linux Mandrake 7.2
Windowmaker Windowaker 0.61.1
Windowmaker Windowaker 0.62
- Conectiva Linux 5.1
- Conectiva Linux 6.0
Windowmaker Windowaker 0.62.1
Windowmaker Windowaker 0.63
Windowmaker Windowaker 0.63.1
Windowmaker Windowaker 0.64
- MandrakeSoft Linux Mandrake 8.0
not vulnerable
Windowmaker Windowaker 0.65
WindowMaker is a window manager for X11 systems. It is often run on end-user systems.
WindowMaker contains a buffer overflow that may be exploitable by remote attackers. The
overflow condition is present when X11 applications are setting the titles of their windows.
This vulnerability can be exploited by X11 applications which can connect to the Xserver. Any arbitrary code that is executed will run with the privileges of the window manager. It will also execute on the system where it is running.
-----
If you are so dense that you don't realize that not doing bounds checking is the equivalent of sloppy code then here, ReiserFS earlier this year introduced a kernel level security bug (since ReiserFS hooks are now allowed into the kernel with 2.4.1) because of a buffer overflow. I put up, now you shut up.
--- linux/include/linux/reiserfs_fs.h.1 Tue Jan 9 21:22:27 2001
+++ linux/include/linux/reiserfs_fs.h Tue Jan 9 21:22:55 2001
@@ -926,8 +926,7 @@
-#define REISERFS_MAX_NAME_LEN(block_size) \
-((block_size - BLKH_SIZE - IH_SIZE - DEH_SIZE))
+#define REISERFS_MAX_NAME_LEN(block_size) 255
--- linux/fs/reiserfs/dir.c.1 Tue Jan 9 21:22:19 2001
+++ linux/fs/reiserfs/dir.c Tue Jan 9 21:21:02 2001
@@ -142,6 +142,10 @@
if (!d_name[d_reclen - 1])
d_reclen = strlen (d_name);
+ if (d_reclen > REISERFS_MAX_NAME_LEN(inode->i_sb->s_blocksi ze)){
+
+ continue ;
+ }
d_off = deh_offset (deh);
filp->f_pos = d_off ;
d_ino = deh_objectid (deh);
There is a reason why I'm still at the 2.2 kernel, and unwilling to touch the non-beta, supposedly stable 2.4 kernel, even though I have people asking everyday when we can go to 2.4. You completely missed why I was posting that, you don't consider having to relase new code for kernel within days for 2.4.8 and 2.4.11 having sloppy code; *that* is my deffinition of sloppy code for a non-devl, released stable product. If this were the 2.3 kernel then I wouldn't be complaining, but the 2.4 is supposedly for a stable release, with 2.4.x being just bug fixes for that release, that is the fiasco; when we start needing bug fixes for the bug fixes; that is a sign of sloppy coding in my mind.
Here's the point that you missed, Linux's (even with all this sloppy code) core design philosophy is to run apps as a non-privileged user; so even though user Joe makes a sloppy coded web app that has security holes out the wazoo, it still doesn't allow the attacker to gain root access to the box, since it's normally ran as user nobody, httpd, etc. sloppy code gets stopped at that level. Where MS also has sloppy code (you seemed to miss that, I never said they didn't have sloppy code but that their design was more the problem), but their everything needs privileged access design
Examples... well how about the 9/20 Windomaker buffer overflow, I'd consider that well usef, that's pretty sloppy not doing bounds checking.
Let's face it, sloppy code isn't going to go away on any OS or any platform. You can strive to make sure it gets cleaned up, but it never is going to go away. MS may have more or less sloppy code than is in Linux distros but their design philosophy makes them much more vulnerable since pretty much everything has to run with admin privileges somewhere. Where Unix could have the sloppiest code around and not have root level compromises since it harldy ever really needs root access for it's apps. Which is the point I was making and you completely missed.
It's all going to depend upon what you are doing.
Normally you have this type of configuration in a HA environment where one system can mount the drives of another; he can see them he just doesn't mount them until the other node is down, often by doing a "shoot the other in the head" (I don't get to use that phrase enough) type of procedure, by just turning off the power of the other system, when a failure is noticed.
The other time that you would use this is when you have a clustered file system i.e. Veritas VCS, SGI's CXFS, Linux's GFS, etc. So everybody gets to agree who's talking to which inodes when. This does add some overhead, but if you need to share data realtime and need something at a bit lower level than nfs this is where you might look.
You do not want mount the same drive to two different systems at the same time if they are not running some type of software cluster management (either HA or filesystem). The filesystem *will* get corrupted.
Sorry I don't have any links, but you might do some searches on CXFS, VCS and GFS they'll probably give you all the info you'll need.
So you agree with me that the previous poster was incorrect in saying anything about latency in the SCSI interface matters at all.
l s. html
r es .html
You also agree with my statement that the performance of just one drive the controller is also not an issue.
But you might want to think out of the box sometimes; most of the the machines I run on, have 2x 1.6GB XIO bus supporting 6 cards each. On my smaller Sun/SGI boxes they have a PCI bus that does a sustained 200MB/sec.
So to out push the bus speed using drives that have a sustained rate of 35MB/sec, I'd have to have 6 IDE drives and 6 IDE controllers at a minimum. If I'm not using 1 constant read or write, and doing multiple transactions I'm going to need to add more drives & controllers to fill up my bus.
SCSI controllers are not really anymore expensive than IDE controllers these days (price watch has SCSI3 for $24).
Correction: the limiting factor for IDE storage is physical space to fit drives in the case. That single server with 300 drives goes out to my 46 terabyte EMC 8730 frame running SCSI over switched fabric; and I can push the XIO bus to a full 1.6GB so my bus speed is NOT a limiting factor.
http://www.sgi.com/origin/2000/numa_tech.html
http://www.sgi.com/Products/PDF/1150.pdf
http://www.sun.com/servers/midrange/e4500/detai
http://www.sun.com/servers/workgroup/220r/featu
Exactly how do you cluster IDE drives??? With SCSI I can share the the same bus with 2 different computers, and can present the same disk to two different systems at the same time.
o n1 1
a sc si.pdf
i to rial.html?prodkey=io_comparison
9 /
IDE is *only* good in a single drive / single controller situation; but at that time (from most drive manufacturers websites) you are only able to push maybe 35MB/sec. So your so called controller latency is NOT an issue. Agreed IDE will perform the same on a single drive system, but as soon as you add another drive onto that channel you've possibly halfed the performance of those two drives, you could add another controller, but really starts getting rediculus (I've got one systems with over 300 drives connected to it, I'd like to see an IDE system keep up with that)
There also are quite a bit of things in the SCSI protocol that you are looking over. Command Tag Queueing is a very big one, I can send multiple commands down the SCSI chain and the drive can re-order them so that the drive can streamline where it's going to be getting data off of the drive (setting this gives a significant performance boost on our arrays). Along with the fact that IDE is completely and totaly CPU driven, try really pushing your CPU and you are either going to have to give up CPU cycles to your app or give up performance to your drive.
Could you please provide a link to Google's use of IDE drives for all their storage, I can't seem to find a page saying that their Linux are all running on IDE only.
http://www.acc.umu.se/~sagge/scsi_ide/#comparis
http://www.dell.com/downloads/global/vectors/at
http://www.adaptec.com/worldwide/product/marked
http://www4.tomshardware.com/storage/01q1/01012
Not to start a flame war, but your argument is fairly week. This same argument would apply Linux distros, if you went by the shear number of security issues they have had over the past years. So far this year Redhat alone has had over 54 vulnerabilities (which is more than the 42 that Windows has had so far). And don't get me started on the 2.4 kernel fiasco, it's one thing to release early and release often, but it's another to have multiple kernels get released within mere days of each other because they introduced new bugs due to sloppy code.
I've seen a whole lot of sloppy code coming out of Unix centrix projects (gives me shivers at night). But I think that the problem that MS has is less with sloppy code (I think their code really isn't any more sloppy than the rest of the world), but their OS design around one user instead of multiple users. MS has a much better file level security model then most unix platforms (throw ACL's and you've got a contender), but everything & everybody pretty much has to have hooks as an admin user. It's really the equivalent of having Grandma sitting in front of a Linux system as a root user; if Microsoft could take the single user admin privilege (for both the user and the apps) away then the issue would really start to go away.
You must be king idiot then
I'd really like to see you get a sustained 100MB transfer rate for Oracle redo logs with 9 drives (triple the amount you suggest), you'll never, ever do it. You must be one of those who believe that because an IDE drive says it can do 34MB/sec, I can throw another one onto the same controller and I'll have 68MB/sec for all my apps.
I'm sorry but you really need to go back to drive technology 101, 80MB is a limitation for direct attached SCSI, 100MB is a limitation for fibre channel (soon to be 200MB and then up to 1000MB once standards are more ironed out). Each of those can do a sustained 80MB over *ANY* transation, Oracle db, mailserver, newserver, etc. no matter where the write or read is you'll max out the pipe from your computer to the SSD before you'll max out the SSD. You'll overrun your drive spindles before you'll ever run out of channel speed on any non-streaming type of application, just how fast do you think you can get data to the system when the head is on the opposite side of the platter???
For streaming apps, sure you could do what you are suggesting (you'll probably need more than 3 HD's though), but nobody has ever that had a clue has ever suggested a SSD for those apps.
Idiots like you shouldn't talk out there ass so much...
You ignorant sir need to get a history cluestick to the head.
a ck s_bin_laden_1.html
Osama Bin Laden talked to his homeland about creating a military regime to go *AGAINST* Sadam feering that his home considered to be the most sacred place to be overrun by Iraq. Instead of taking BinLaden's militia the Saudi country invites the US to come in and protect them from Iraq. It's not that he wants us to leave him alone, he killing people for the mere fact that a non-muslim only nation is in his home country that has asked them to be there in the first place. As admitted by pretty much everyone around the world the number who believe in Osama's ideals is counted in the fraction on a percentage in the middle east. It's equivalent of the US bowing to the KKK and deporting all of the minorities out of the US, that's all they want "to be left alone" and not bothered by other races in the US.
So you agree to the Taliban's proposal that is the equivalent of having a white man tried in 1870 Georgia for killing a black man, who's entire jury are members of the KKK. Sure everybody'll agree to that, don't you??? That's a really good option that they gave us. The only country left that actually recognized the Taliban was Pakistan which the US was using for diplomatic talks. They couldn't even get the Taliban to negotiate, the only nation in the entire WORLD that recognized them. When Pakistan (again the only country in the entire WORLD talking to them) finally gave up their tries at diplomacy, did action occur. We've been trying to work with the Taliban since the US Cole and they've not moved, do we need to wait till Osama dies of old age having just diplomatic talks? All diplomatic means were exhausted, the only country left recognizing the Taliban agreed that the talks were getting nowhere, exactly when is exhausted that sure the hell sounds like exhausted to me.
http://worldhistory.com/binladen.htm
http://dailynews.yahoo.com/h/ap/20010912/wl/att
You aren't running into a limit of your HD, most 7200 RPM IDE drives can do around 30-40MB/sec so a single write would start to run into limitations on a 240-320mb (having concurrent actions on the drive moving the reader around is what kills the performance, along with fragmentation). On your 100mb line, you've got an additional 100mb of bandwidth before you overrun your drive (as long as you are performing 1 read or write on the drive)
You are seeing what is about average for ethernet, nobody is able to push a full 10mb, normally they can get around 780kb/sec, 100mb is the same around 70-80mb, gig-e is really more dependandt upon your CPUs (give up a full CPU per gig ethernet card), on a smallish SMP system people normally push around 300-400mb if they've got a really beefy system they can push around 600-700+ on a single card.
Collisions... it all depends upon your network topology, 100mb switched verses 100mb shared. You'll allways get collisions (even on a cross over cable), but the only ones to really care about are the collisions. A 100mb switched netowrk will get pretty close to the same performance as one with a cross over cable.
I don't know about you, but there are some countries that I would not put surprised had access to certain controls on their nuclear power plants. Chernobyl had a failure some years before it's melt down due to shoddy workmanship. There are many countries around the world using nuclear power who aren't as closely regulated as others.
I wasn't talking just deleteing money, how about mucking with a person's Quicken file to send all their money to bankaccount X in South America, the next time they login to bank online. The money went somewhere... you can't just restore the database and magically have the money back. You can obviously fight this, but again what are you going to live off of, while you fight for a year that the transaction that came from your computer, when you logged onto your accout at the back, actually didn't come from you.
You can kill someone from online, how about the guys who were breaking into the power grid? That could do some really interesting things, think home respirator getting immense electrical surge or cutting power. Also where does "online" stop, is it just the "Internet", Internet2, BBS, connection over a phoneline to another system. There's probably a nuclear power plant somewhere in the world that has a modem, etc. connection, there could be some massive deaths there (course that's very improbable of ever occuring).
I don't know about you, but if I had all my money wiped from my bank accounts it would *not* be a minor thing, it's not like people keep cash in a hole dug out back. Think about people who are retired and living off of their savings from the past 50-60 years, and ALL their money is now gone, what are they going to live off of?
I don't think anybody could support these types of arguments, and as you said are way full of holes.
You *completely* missed the point of the post, it isn't about truning into starched-collared Organization Men. It's about actually treating your company the same way you want to be treated. I have known of people who were project leads who gave notice at 4:30 that they were starting another job tommorow. It's crap like that I was talking about, there is a really big friggin difference between being a "yes" man and just not being a prick to your company. In the tech industry, I knew of a whole bunch of people who's whole philosophy in life was to be the biggest prick (I know of some who actually pulled crap like this intentionally to "pay back", and wound up getting other fired because projects got scuttled because of their shit, luckily wasn't my company).
You want to change jobs and look for better opportunities, fine no problem, as long as you treat your employer with the same amount of respect that you want from them... give them some notice, actually talk with your boss before just going for the money (often they can get you some), it tends to be a two way street most of the time; looking at the past for some reasons a lot of the techs seemed to forget that.
Look at all the posts on the message boards 2 years ago. Don't like the way your employer twirls his fingers counter clockwise (you like clockwise only); well you don't have any responsibility to your employer f'them, you don't need to give any notice just go where the money rolls. After all that, jumping to 5 different jobs in a single year, people are now wondering why employers are looking after them?
It's now time to suck it up and realize that we as employees caused this philosophy with employers, and we as employees are the only ones who can change this philosophy by actually showing loyalty to the back to the employer. Now don't get me wrong you should NOT be working there waiting on a paycheck 3 months late, getting paid in options instead until they get VC money, but putting some loyalty into your employer instead of trying to constantly pimp them is the first step.
I shouldn't respond to such a stupid comment, but what the heck...
Firewire rated: 50/mBs (i.e. 400/mbs)
SCSI III rated: 80/mBs (i.e. 640/mbs)
SCSI over fibre channel: 100/mBs (i.e 800/mbs)
Most Firewire drives: 5400 RPM (I've yet to see a faster one, so I'll say most)
Fastest IDE: 7200 RPM
Fastest SCSI & Fibre: 15k RPM
That's a real big nail there.... heck IDE is faster than Firewire
It may have appeared that he was shirking away, but from what I understand is that when he first heard the in Florida he requested to be flown to NY to be there directly and immediately. The secret service had a clear understanding that they had to first protect him from any and all danger and flew him to the nearest secure area (Louisiana). From there the secret service took him to an even more secure area (SAC in Nebraska). Finally letting him fly to DC once things were secured. There's just no pleasing people these days, if he would have flown directly to NY, you'd probably have called him a fool and putting the leader of the US in undue jeopardy.
The only thing I wish I had seen more of was a bit more fire in his eyes, an almost WWF Smackdown, we're going to get you look for lack of better words; but of course that would probably not be appropriate for the situation (actually whoever did this would probably just enjoy seeing it).
Now is not the time Mr. Katz to forward your personal political agenda.
You should also put the japanese "Rape of Nanking" into your reference.... Hadn't heard of it? Then maybe you should look into it. It's where Japan invaded China, killed 300,000 men in the town of Nanking, and raped 20,000 women. The Japanese soldiers used live Chinese men as bayonet dummies for training. Women worked repeatedly raped until their "usefulness" wear off and they were repeatedly bayonetted (one survivor was gang raped, stabbed 30+ times in the back, and left for dead. Others had stakes driven through their vagina's, had their children bayonteded infront of them, tied up prisoners in a line and machinegunned them down into mass graves (kind of like the Nazi's), buried people alive.
9 55 /nanking-pics.htm
e d/ 1895-1945/jpwcrmz.htm
a ks .html
The sad part of it is, the US is willing to acknowledge that it dropped a deadly weapon on a country it was at war with; but Japan is unwilling to acknowledge during WWII they ever committed these horrendous acti in China, heck they won't even acknowledge they were ever even there in their own textbooks (there's learning from the past for you).
Here's your proof.
http://www.geocities.com/TimesSquare/Fortress/1
http://www.missouri.edu/~jschool/nanking/
http://vikingphoenix.com/public/JapanIncorporat
http://www.salon.com/books/sneaks/1999/01/11sne
Do you know how much of a complete idiot you just made yourself to be, and now how much harder it will be to *ever* get them to seriously look at the case with FUD you just sent them.
Read the f'ing articles he was *not* arrested for talking at the damn convention (I'm assuming this is what you mean since you didn't tell the ACLU either) he *was* arrested for being the copyright holder of the program, which was sold on the internet from systems located within the US (essentially a trafficing in goods type of case). Where exactly is the freedom of speech violation in that, where is he being prosecuted for a speech crime? You just FUD'd the ACLU, I'll bet they'll really be interested in looking into the case or DMCA when they find out you were completely wrong. I also wonder how many additional valid requests will now be ignored because you didn't get your facts straight.
Bah, he's in prison because of a speech crime, now they'll be laughing at anybody who brings DMCA up again... thanks. Sometimes we are our own worst enemy, when it comes to these things.
My biggest fear would be someone who is *not* under public scrutiny like larger companies. Look how many small companies constantly try to fly under the radar and install spyware onto your computer in their latest release. The whole Gator thing is a perfect example of this, they start off initially as a company who helps people autocomplete forms on websites, then they start sending rival adds to pages that you goto, then they intentionally build an app to go over the existing banner add on the page.
A company like Microsoft would *never* be able to get away with a gator like stunt, someone would be suing the heck out of them (the government would have their antitrust lawyers out like a pack of ravenous wolfs). Only people who seem to get away with doing stuff like this is the small little company that nobody seems to really care about; but that company is the first in line to screw you over in dirty little tricks.
The statements about him breaking into the bank, is in section 17, document page number 7 (my Adobe lists it as page 8, due to the coverpage)
It states that he told the site he hacked that he had gotten into the 1st National Bank in McAlester, was able to look at checking, savings & funds transfer; then goes to tell that he informed a bank officer, who also acted in a hostile manner; so he then accessed the bank 2 additional times, and then told a senior VP of an Oklahoma City branch.
Yes, but if you look at the affidavit
1) He tries hundreds (that's with an 's' there) of times to break into their web app
2) After the hundreds of attempts he finally gets a combination to give him a password file
3) Instead of stopping at the point he *knew* he that he had broken their security, he continue on and goes back logs in as one of the employees
It's a gray area, but there has to be a limit, it sure seems that attempting hundreds (again with an 'S') of attacks against a site, finally getting a password list, and still not stopping? Please, there has to be a sane limit here.
I've purposely ignored the bank portion of this because the above sure looks like illegal activity (curiosity is one thing but to spend hours is another). If you throw the bank stuff into it, it screams of a classic shake down. Walks into the office, I've got a floppy disk with advertisement I want you to put on your site... oh, I "accidentally" got into your site, and in the past I "accidentally" got into the 1st National Bank's website, I also talked to them about their security didn't act very nice to me, so I then talked to the Sr. VP.... It almost has a feel of the mobster saying "Hey, we wouldn't want nothing to happen to your nice establishment. Nasty accidents can happen and we don't want that to happen to you, we'll be your *insurance* to make sure that no "accidents" occur. Capish?"
I've got some more for you, where is the decent support for:
SCSI
NFS
SMP
LVM
I've got lots more if you want them...
You won't believe the fun things I've gotten SCSI & nfs to do on Linux. Journaling FS is just starting to become stable, LVM is still pretty shaky, don't even ask me about NFS (think hard freeze of system).
What Google shows is that if you've got enough systems (8000 of them) that you can take multiple failures and stay up. Linux on the individual systems are not that stable, but you throw enough redundancy at the problem it brings up the stability by sheer brute force.
Oh really? How about this quote from the Slashdot post (just this Friday in fact) with Bradly Kuhn from the FSF, it sure seems like they really would be in favor of such a law. The VP of FSF pretty much says that the being able to choose a license is akin to the same power as being able to have slaves!
5 2&mode=thread
From http://slashdot.org/article.pl?sid=01/08/16/20562
Our society took away the "freedom" to own slaves. Today, no one would even argue that owning slaves is a freedom. People now say that slavery is an inappropriate power that one person holds over another person.
Today, some argue that the "right to choose your own software license" is the greatest software freedom. By contrast, I think that, like slavery, it is an inappropriate power, not a freedom. The two situations both cause harm, and they differ only in the degree of harm that each causes.
--end quote
That sure seems like they *really* want to take away the freedom/inappropriate power of a developers choice in license, again that quote was from the guy who is the VP of the FSF so the things that he says, truely represent the views that the FSF holds.
I really wasn't thinking of copyright.
I was thinking that if I'm just another Joe on the net, who downloads some code, I modify it & post it in binary only format on my website (don't release the code because he's lazy, just doesn't want to, whatever reason).
Under the FSF the original coder is "controlling" his public code by not allowing my above example. The FSF *wants* the ability to control code after it's been released (for good or bad). The FSF license requires all others to release their changes also, which again is obviously controlling the code after it has entered to the wild and wooly public space.
I was just pointing out the incorrectness of your statement, that (paraphrasing) once code is released to the public, no laws govern it anymore and it can not be controlled, and that is what the FSF believe in. Which from the above example shows this.
I personally really don't care too much either way with licenses, but your statement was so incorrect to the point of being exactly opposite of what the FSF says that I had to point it out (I'm kinda kooky that way), before someone else incorrectly believed it.
Wait a minute here... trying to control the laughter inside...
Isn't the FSF implementation *controlling*? I believe the GPL controls me by enforcing in your words "legal fiction". Would not the restrictions within the GPL be "control", it says that there are things "I CAN NOT DO" that sure seems like control to me. You are *CONTROLLING* me by not allowing me to take your code and do what I want with it and put it back out into the work anyway that I see fit. You make like that I am forced to give back to the common good, but you sure the hell are controlling me, and your public code.
Let's really take a look at your example and put in exactly what should be in there... you let something out into the world, your fundamental control is maintained, and the control you have is a legal enforcement of what both FSF and you consider ethical. If I were able to truely be able to *any* thing at all with the code then your original statement would be correct, but it's not.
Sorry, but it seems that you are a bit confused on animation development. If you get passed some of the low end graphic cards hype you'll see that what they are good at (extremely fast fill rates) doesn't matter at all when doing development of animation. Being able to have lots of polygons on the screen and doing rotations, transformations, etc. is what matters. You are constantly rotating things around, etc. which really doesn't care about fill rates, but pushing those polys are what matters for creating the images (that is why the port Quake for Irix really sucks, they don't care about fill, just moving thousands of polys at the same time).