Well, to be honest, I don't recall ever saying anything like "how can it not happen", so I have no idea where that came from.
As to what the court(s) will do, anyone who purports to predict those actions is obviously blowing smoke, as NO ONE can predict what any court/jury will do these days.
And frankly, if Novell can confirm a $24.5M debt, I'd say they have a huge leg up on the remainder of SCO's creditors. Bankruptcy cases *do* tend to give more to the largest creditors.... (And yes, I know SCO has not gone that route --- yet.)
All I've expressed is *my* opinion; obviously the legal system is an expensive crap shoot, with no guarantees as to the outcome. Which is a diatribe for another time....
Gad, does no one have any imagination? SCO has something over $18M in assets. Novell claims they are owed some $24M. So what's to prevent the judge from sequestering, say, $12M of SCO's assets?
They don't go immediately bankrupt, and Novell has some recourse in the event they're correct -- which is exactly what they've asked the judge for.
Clearly no judge is going to 'award' Novell $24.5M without actually trying the case. That is far from saying that an interim position does not exist....
Apparently you can't read, either. Oh well.
The comment I originally replied to said 'paper transaction', which is not the same as physically sequestering the funds, as I suggested was likely.
Setting aside a paper 'reserve account' does not prevent access to the root funds, as Novell's action is seeking. Any paper-only 'reserve account' is totally worthless once SCO does crash.
I also can't help but notice that apparently no one actually reads the comments either, as my original post said "at least SOME of those funds". There's a whole lot of money available there before SCO actually runs out, even if they don't have the cash for the whole boat.
As noted in a Groklaw comment:
....
110. Novell also seeks an order from the court attaching SCO's assets pending adjudication of this claim because SCO is quickly dissipating its assets.
And I disagree with your comment in at least one other regard -- I never implied that the court would "award" money. "Sequester" != "award".
Completely disagree. If SCO is bankrupt without the funds in question, and those funds do belong to Novell, then Novell stands to lose considerably if/when SCO goes bankrupt anyway.
Given that situation, it's not at all unreasonable for at least SOME of that money to be physically sequestered.
Yet another piece of 'news' that has already had wide exposure on other sites.
Someone remind me again why I read this site?
Oh yeah - for the dups!
Frankly, yes, I'm _completely_ serious. I've played the corporate IT game for decades, and am painfully familiar with the obstacles and obstructions put into the path of the competent developer (often despite the best efforts of the line manager).
I'm also aware that conceiving and moving to test mode on a global patch should have _actually_ taken the developers two weeks, tops, unless they're planning on rewriting IOS from scratch. Barring those (mostly political) barriers, that is.
It's not rocket science; it's just typing. And Cisco certainly employs enough typists.
And what part of "the joint effort came about as a result of the notification" did you not understand?
Let's face it, if Lynn was employed (directly or indirectly) _by_ Cisco, then they have no possible case to sue him for reverse engineering their code, now do they?
And frankly, the strongest word I found in your post in support of that 'employment' was 'collaboration' as part of their charter. Other than, as I've already stated - in my original post - the mutual effort in the specific case of this discovery.
Personally, I believe that a four month lapse is more than adequate for Cisco to have addressed the issue, in which case his 'revelation' wouldn't mean diddly. Has Cisco even contacted any of the customers who pay hundreds of thousands of $$$ in support contracts to warn them about a potential problem? No, because if they had, we [the public] would have heard about it prior.
Cisco originally told him that they would co-present his original paper at the conference, then pulled out a week before. Why?
I am not against a staged release of security breaches, to give the originators of the software time to address the issue. However, if they can't or won't fix it, then people should be aware that they are vulnerable. It's that simple.
And if Cisco TRULY can't fix their products, and they contain crucial infrastructure holes - on which, among others, the US Homeland "Security" rely - how is that different than if Lockheed delivered a plane that you could shoot down with a sling? (Although I'm sure that if I discovered - and published - the latter, I'd wind up in some nice anonymous - offshore - prison.) Never mind the commercial customers; allowing an exploit to remain in the wild in today's world could far too easily be construed as at least aiding and abetting terrorism. (Sad, but true.)
When YOUR machine gets hacked because of an exploit that was only revealed privately and never fixed as a result, well, perhaps you'll see that [eventual] full disclosure is the only solution.
It may be a quibble, but I also enjoy the fine art of digression. And in that light, I'd have to conclude that your example is a negation, rather than a negative.
;)
But overall, I agree that slightly different phrasing would be potentially informational to anyone who doesn't already know the background.
However, as a very good friend of mine used to say (may he RIP), "it is only sometimes necessary to be precise". A conclusion reached after several years of 'diversion'.
If communication is achieved, and the concepts is/are conveyed, then do the poor grammar and terrible spelling matter? Sometimes....
As you've already been told, Lynn did NOT work for Cisco, nor does ISS work "for / with" them. The mutual effort was a result of Lynn finding the flaw in the first place, and notifying them about it.
Four months ago.
However, the more damningly flawed portion of your argument is that 'now Cisco doesn't have time to fix the problem'. <snort>
Could you please provide proof that this flaw hasn't been actively exploited since even before the time at which Lynn found it?
It is, needless to say, impossible to prove a negative.
As already pointed out, Dell already tracks multiple disk images; adding another one should involve little beyond the initial setup.
The most serious flaw with your argument, though, is that it assumes that the cost of Windows is free. Add any significant cost for Windows (which should logically be deducted from the price prior to any 'penalty' being imposed), and the disparity becomes even grosser - and less justifiable.
Personally, I recommend disabling encryption and MAC address filtering. They may prevent the casual user, but offer a false sense of security to a real attack.
A better solution (IMO) is to establish a VPN to a physically-connected computer, and route through it. That machine should also act as a firewall, and deny any non-VPN-based traffic.
This is more setup, and does require an anchor machine. However, the odds of an e.g. IPSec-based VPN getting broken are much lower than someone spoofing a dormant MAC address and cracking your WEP/WAP key.
Note that non-XPSP2 boxes may need additional software e.g. if connecting to FreeS/WAN (et alia).
On the other hand, most /.'ers will likely recognize that "Advanced Router" refers to a kernel compilation option, and was not intended as an adjectival reference.
Particularly since my firewall box, in particular, is old and slow. And why not? It only moves 10/100 traffic for a modest number of boxes across its 5 installed NICs.
The 'Advanced Router' option, however, does provide more ability to play games with the routing tables than the stock Linux kernel.
I don't disagree that ACLs are a piss poor firewall solution. However, they are a method to prevent intrusion, and hence, at least in my book, meet the qualifications as [an attempt at] a firewall.
Frankly, ACLs suck, at least in the Cisco world. That doesn't stop a lot of organizations from relying on them.
Finally, a voice of reason.
In point of fact, my [local] firewall is a Linux box ---- acting as an 'advanced router', and running iptables. Whoa! It's a router AND a firewall. What a concept.
Sounds a helluva lot like ACLs to me.
By defining simple ACLs, we further isolate our backend servers.
Personally, I've never found ACLs as easy (or as flexible) as other firewall solutions. But in any event, ACLs are firewalls, call them what you will....
I have to admit, I've fielded a few angry e-mails from customers who subscribed to our newsletters, and then somehow thought we had done it as part of some vast conspiracy.
(Our newsletters are all checkbox-activated, and all default to OFF when creating a new account, though admittedly it's not a double opt-in.)
That's one reason I started including a "click here to unsubscribe" link on all such newsletters.....
But who are you to say that that subscription for which I did double opt-in isn't something I consider spam? Maybe the first issue was valuable, and things went downhill from there. Maybe my interests changed. Whatever the case, the message - to me - is still spam. Requested or otherwise, spam is still spam.
Heck, I once PAID for a subscription to an unnamed financial publication, only to discover the whole thing was spam!
This is not to say that message senders should be punished for sending such 'requested spam', and the current attempts at spam control are sadly lacking for a sender feedback mechanism in such cases.
Just to say that it's still spam.....
BZZZZZT! Thanks for playing, would you like to try again?
I'd definitely agree that UCE is spam. However, not all spam is UCE. Spam is in the eye of the beholder.
http://www.theboyz.biz/
I disagree that SPF records are completely useless. They do pick off about 1% of my incoming spam.
And if more people would use them, I'd get fewer bogus bounce messages. They're annoying, and it's not that hard to DDoS my mail server by sending out a few zillion messages with known bogus addresses and a forged from address through one's favorite botnet.
People that configure them to 'soft fail', now that's pretty worthless.
At every company/ISP there are people who have the ability, and regularly do, delve into the data streams flowing through the routers. And yes, sometimes they read your letter to Aunt Martha (or worse).
Mostly the volume of data involved is so large that trying to monitor it without filtering for the items of interest is usually impossible. And that filter is your best defense, in this particular situation.
Unless, of course, you're sending Aunt Martha that e-mail over IRC....
Yeah, so what? So are czars, and how many 'rulers of Russia' DO we have in this country today?
One can find many differences between the US and Nazi Germany. What's frightening is that one can find ANY parallels, let alone so many. How long before the PA itself becomes top secret, under the guise that knowing the details about it would give terrorists a leg up?
Be that as it may, I do agree about the value of hype, and wonder how the Unix 2038 date issue will fare in that light. Yes, we may all be using 64-bit OSes by then, but record formats exist in the Unix world, too.
I don't think the US will make the mistake of invading its neighbors, which only makes it scarier. And the art of manipulating public opinion has advanced significantly since those days, as well.
That won't change the reality of the police state.
But hey, most ['master race'] people were probably quite safe under Hitler. Not much crime on the streets with armies of jackbooted soldiers parading around everywhere, and people willing to report you for a candy bar (or whatever). You know, sort of like the airports today....
There is no way to know what Nazi Germany was *really* like except to have lived there. However, the methods and techniques which were used by Hitler to create the environment are well documented, and not that hard for any intelligent person to understand.
The current U.S. society has MUCH in common with the early days of that regime, and frankly, it is frightening. Secret letters, the ability to 'disappear' people, enlisting people to spy on their neighbors - those are just some of the gross examples.
Also on point would be a reference to Y2K. If NO ONE had fixed their computers, planes would not have fallen out of the sky, nuclear missiles would not have self-launched, blah, blah, blah. (Love the Simpson's Y2K episode. ;) However, that level of hyperbole was useful, and, IMO necessary, to stir the PHBs of the world into doing anything about it.
If Nazi hyperbole is what it takes to stir the common citizen into thinking, well... One doesn't have to look far to draw comparisons!