Slashdot Mirror


User: ranulf

ranulf's activity in the archive.

Stories
0
Comments
229

Comments · 229

  1. Re:RedHat on Battle of the Secure Distros · · Score: 5, Informative
    Depends on exactly what your requirements are, but generally turn off everything you don't need.

    I start with a shell alias like this:
    alias nsl='netstat -alnp --protocol=inet|cut -c-6,21-94|tail -n +2|grep -v ESTABLISHED|grep -v CLOSE_WAIT'

    At a glance you will see what services are running and listening to ports. The "Local Address" column is the most useful. Anything starting 127.0.0.1 can be safely ignored, the rest will be based on what you feel you need.

    As a general rule, boxes I configure offer WWW (port 80), SMTP (port 25), POP3 (port 110) and DNS (port 53). I turn everything else off, or if I do need it, I firewall it (see later).

    Now, how to get rid of things. Obviously, this varies from thing to thing, but take for example the lines starting
    udp 0.0.0.0:2599
    tcp 0.0.0.0:
    udp 0.0.0.0:111

    Now, as I'm not running NFS or NIS, I don't need any of these services. If you're not sure what, say, port 111 is, the -p option to netstat is great - it lists the PID and process name, so we know to close down portmap. Now, this is started by /etc/rc.d/init.d/portmap via a symlink in /etc/rc.d/rc3.d (assuming you start in runlevel 3). Simply rename the link there to start with a K, like this:
    [root@pootle init.d]# cd /etc/rc.d/rc3.d/
    [root@pootle rc3.d]# mv S14nfslock K86nfslock_S14
    [root@pootle rc3.d]# mv S13portmap K87portmap_S13
    [root@pootle rc3.d]# ./K86nfslock_S14 stop
    [root@pootle rc3.d]# ./K87portmap_S13 stop

    Now, run netstat again, and see what ports remain for you to tidy up. You'll probably remain with ones that you really do want to keep, e.g. postgres on 5432, tomcat control on 8008, MySQL on 3306, etc...

    This would normally be a job for the firewall. If you have one, use it! However, just in case a machine inside your net is compromised, you can run additional filtering rules on every machine. For instance, my /etc/sysconfig/ipchains file looks like this:
    # open up the POP server
    -A input -p tcp -s 0/0 -d 0/0 110 -y -j ACCEPT
    # open up the WWW server
    -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
    ...
    # close all reserved ports
    -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
    -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT

    # protect mysql
    -A input -p tcp -s 0/0 -d 0/0 3306 -y -j REJECT
    # protect postgres
    -A input -p tcp -s 0/0 -d 0/0 5432 -y -j REJECT
    -A input -p udp -s 0/0 -d 0/0 1026 -j REJECT

    and so on. Basically, the theory is, explicitly open up the ports <1024 that you want to allow access to, and block anything else to the privileged ports. Then, by default allow all higher ports access (otherwise, you'll get problems connecting from the machine to other machines), but explicitly close services you don't want publicly available, e.g. databases, etc...

    Other stuff you'll want to do is remove telnet and ftp from your machine and install openssh. With both of those protocols, you run the risk of passwords being snooped along the way, and ftp gets hacked fairly regularly. If you do need to upload files regularly from Windows machines, check out WinSCP2 - it's really good.

    Next off is protecting services that have a track record of being hacked, such as named. There are several tricks; running as a non-root user is always best if you can, running in a chrooted environment is better still. The first gives the program so few privileges that it can basically only access files it owns. Good, unless you have local root-exploitable holes. The second runs the application completely in a sandbox, where it sees a very restricted view of the directory system, e.g. on my machine, all DNS data lives under /chroot/named, and if it was hacked, the best they'd be able to do is destroy DNS data. This can be complicated to set up, and I'd advise you to search the web for in-depth discussions.

    I will often use a combination of techniques, e.g. DNS on my systems run as user named, live in a chrooted filesystem, and also have packet filtering rules, so that they only talk to machines which are dedicated secondary DNS servers.

    Of course, you also need to audit anything that is left available. If you run CGI scripts that will accept data unchecked and pass it to a shell command, your machine will be compromised. Keep an eye on security mailing lists or websites - if you run software that vulnerabilities are discovered in, you need to patch them quick, e.g. SSH bugs found a few months ago, etc... But by keeping things down to an absolute minimum (using separate boxes for each service if you can) and really considering who needs to use them, you stand a good chance of being really secure.

    This is getting too long now! Hope some of this helps...
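    The port audit and filter rules the post describes, as an added example that is not ranulf's own code: a Python script that parses the text format `netstat -alnp --protocol=inet` prints (the sample output below is constructed; PIDs and program names are illustrative), keeps only sockets that actually accept traffic, drops 127.0.0.1 binds as the post suggests, reports anything not on an allowlist, and then writes filter rules in the same shape as the /etc/sysconfig/ipchains excerpt above (explicit ACCEPT for chosen privileged ports, REJECT for the rest of 0:1023, explicit REJECT for listed high ports). The allowlist and the port sets passed in are assumptions for the demonstration.

```python
"""Listening-socket audit and ipchains-style rule generation.

Added example; not the commenter's code. Parses `netstat -alnp --protocol=inet`
output (sample constructed below), reports exposed listeners that are not on an
allowlist, and emits rules shaped like the /etc/sysconfig/ipchains excerpt.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Set, Tuple

# Constructed sample output; PIDs and program names are illustrative only.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      412/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      655/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      701/mysqld
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      733/postmaster
tcp        0      0 192.0.2.10:80           198.51.100.7:41020      ESTABLISHED 655/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      520/sendmail
udp        0      0 0.0.0.0:111             0.0.0.0:*                           412/portmap
udp        0      0 0.0.0.0:53              0.0.0.0:*                           480/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           480/named
"""


class Socket(NamedTuple):
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address
    port: int      # local port
    state: str     # TCP state; empty for UDP, which netstat prints without one
    program: str   # "PID/name" column, or "-" when netstat could not tell


def parse_netstat(text: str) -> List[Socket]:
    """Parse the data rows of `netstat -alnp --protocol=inet` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue  # banner, header line, or a protocol we do not handle
        addr, port = fields[3].rsplit(":", 1)
        if fields[0] == "tcp":
            state = fields[5] if len(fields) > 5 else ""
            program = fields[6] if len(fields) > 6 else "-"
        else:  # udp rows have no State column, so PID/Program shifts left
            state = ""
            program = fields[5] if len(fields) > 5 else "-"
        sockets.append(Socket(fields[0], addr, int(port), state, program))
    return sockets


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets reachable from other hosts: TCP in LISTEN, any bound UDP,
    excluding loopback binds (the 127.0.0.1 lines the post says to ignore)."""
    result = []
    for s in sockets:
        if s.proto == "tcp" and s.state != "LISTEN":
            continue  # ESTABLISHED, CLOSE_WAIT, ... are not services
        if ipaddress.ip_address(s.addr).is_loopback:
            continue
        result.append(s)
    return result


def audit(text: str, allowed_ports: Set[int]) -> List[Tuple[str, int, str]]:
    """Return sorted (proto, port, program) for exposed listeners not on the allowlist."""
    unexpected = [
        (s.proto, s.port, s.program)
        for s in exposed_listeners(parse_netstat(text))
        if s.port not in allowed_ports
    ]
    return sorted(unexpected)


def ipchains_rules(allowed_tcp: Iterable[int], blocked_high: Iterable[int],
                   allowed_udp: Iterable[int] = ()) -> List[str]:
    """Rules in the shape of the post's ipchains file. ipchains matches first
    rule first, so ACCEPTs precede the catch-all REJECT for 0:1023. `-y`
    matches TCP SYN packets only, i.e. new inbound connections."""
    rules = []
    for port in sorted(allowed_tcp):
        rules.append(f"-A input -p tcp -s 0/0 -d 0/0 {port} -y -j ACCEPT")
    for port in sorted(allowed_udp):  # e.g. DNS needs udp 53 open
        rules.append(f"-A input -p udp -s 0/0 -d 0/0 {port} -j ACCEPT")
    rules.append("-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT")
    rules.append("-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT")
    for port in sorted(blocked_high):  # databases etc. that must stay local
        rules.append(f"-A input -p tcp -s 0/0 -d 0/0 {port} -y -j REJECT")
    return rules


if __name__ == "__main__":
    # Assumed policy for the demo: WWW, SMTP, POP3 and DNS are the only services.
    for proto, port, program in audit(SAMPLE_NETSTAT, {25, 53, 80, 110}):
        print(f"unexpected listener: {proto}/{port} ({program})")
    print("\n".join(ipchains_rules({25, 80, 110}, {3306, 5432}, allowed_udp={53})))
```

    On the constructed sample, the audit flags portmap on tcp and udp 111 and postgres on tcp 5432, while the loopback-only MySQL socket is ignored; on a real box, pipe `netstat -alnp --protocol=inet` output into `audit` instead of the sample string.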

  2. RedHat on Battle of the Secure Distros · · Score: 4, Insightful
    It's a shame given how easy it is to make a RedHat box secure that they don't just do it by default.

    Because I'm always installing Linux for clients, RedHat is always specified, so I have no choice, but I've got it down to taking about 10 minutes to have a really secure box. It's just a case of knowing what needs to be done, which sadly, Linux newbies won't know.

    In my opinion, security should be paranoid to start with. If that stops the users from doing something, fine. They'll have an incentive to try and figure out how to allow what they want to do. Make it too easy, and they'll just live in blissful ignorance.

  3. Re:Don't overreact on Hong Kong's Octopus · · Score: 3, Informative
    Just because it has personally-trackable info doesn't mean that it's dangerous.

    Erm, it doesn't have personally-trackable info. I certainly didn't provide any when I had an octopus card a couple of years back, you just pay a one-time deposit when buying the card, simply to ensure you have an incentive not to lose it. If you return the card, you get your deposit back. IIRC, it's about HK$250 (£25 or US$35). Just to make sure my memory wasn't going completely crazy, I checked the article: Unless a holder chooses a personalized card, his or her identity is unknown.

    And it truly is a fantastic system. You simply wave your wallet over the reader as you walk through the turnstile and it just deducts the money. Every time you go through, it tells you how much is remaining on the card, and they even have a grace system whereby as long as the card is in credit, it will always let you through the turnstile, even if the credit isn't sufficient for the journey (which works as the card has value to you, so it's in your interests to top it up).

    With fares on the MTR really cheap, you don't need to recharge it all that often, and when you do, the recharge process takes about 30 seconds, which is less than it takes me to buy a single ticket on the London Underground.

  4. Leaps of faith? on The Perfect Store: Inside Ebay · · Score: 5, Interesting
    Leaps of faith take many forms, and none were stranger to the world of 1990's than the possibility that people might buy objects they've never touched from people they've never met and send money to addresses they've never seen on the basis of a bunch of colored stars summarizing a community's collective opinion.

    Hmmm. I remember the days before the web became popular and there were so few people on usenet groups that you generally did just trust them.

    I remember sending real cash through the mail to someone in the states and they sent me a tape in return. Never even crossed my mind that anyone on usenet could be dishonest, as I read so many of their postings that I just trusted them.

    I guess replace postings with stars and add lots of red tape and you have eBay. :-)

  5. Re:blog on Blogging for Dummies? · · Score: 1
    Definitely a stupid word. weblog sounds far more natural and actually gives you a clue what it is too...

    I think the real problem, though, is how can you be taught to write a weblog? The whole point is that they are pretty much as unstructured as you like. When you start adding rules and trying to make every one look the same, then they will just be crap journalism. Until then, some actually are interesting glimpses into the lives of real people.

  6. Re:Just Obscurity, not Security on Security Through Obsolescence · · Score: 1
    Wow, how nice would it be if M$ followed this model?

    Latest IE Hole Lets Gopher Root You "All versions of IE are affected" - a case in point?

  7. Re:Just Obscurity, not Security on Security Through Obsolescence · · Score: 1
    Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.

    Added to that as packages mature, more of the bugs are removed. In my experience, between releases you add small bits of functionality and fix bugs, so chances are a bug found in a module of the newest release will be in all previous releases that contained the module.

    Personally, to get a secure system, I'd use the most recent release that has appeared to be stable for some time and limit what each machine does. e.g. a web server should only allow http and ssh to the outside world. Possibly it would have its own database running, but this should be invisible outside the box. It shouldn't trust the firewall, in case an internal machine is compromised, but do port filtering itself. &c...

  8. Re:Open Source PVR on An Offer Tivo Owners Can't Refuse · · Score: 1


    Hey, I just bought a 10 gig drive, but when I formatted it there was only 9 gig available. That Linus stole my disk space, and he's a thief. I want that space back, damnit!
    </taking-the-piss>

  9. Re:Newsflash! on KaZaA Collapses · · Score: 4, Insightful
    So, since I live in China, I'm immune to any kiddie porn laws.. neyya neyya.

    Absolutely. I don't condone any kind of porn, that said, I think people in China should be immune to US laws.

    For instance, should a Dutch citizen be prosecuted in the US for smoking drugs, even though his country has de-criminalized it? No?

    Should he be prosecuted for smoking drugs in the US? Yes?

    Now, perhaps more interesting... Should a US citizen be prosecuted in the US if he smokes drugs whilst on holiday in Amsterdam? This is the grey area, as things like espionage, treason, murder all probably would cause him to be prosecuted by the US.

    Now, back to this Chinese guy with his kiddie porn... If he physically sends mail to the US, he clearly has intent to break US obscenity laws. If US people take things without his knowledge from his server (which remember, it is legal for him to have running), how has he broken any US laws? For a start, there is absolutely no intent.

    If the US has problems with this, the correct approach is for the US to impose sanctions, e.g. creating laws requiring the firewalling of offending machines out of existence. Something hard to achieve? Not really - if it starts being hard to maintain, it's easy to employ a draconian firewall everything. If this upsets China's economy at all, then it'll in turn start having a good reason to implement obscenity laws of its own. Welcome to the world of trade sanctions.

    A final note. Given that China is fairly keen to stop pretty much all internet traffic to and from China anyway, I don't think this is a great example.

    And there goes my karma for replying to my own posts...

  10. Re:Newsflash! on KaZaA Collapses · · Score: 2, Insightful
    But whose copyright laws do you have to obey?

    This new idea of being able to choose where to sue for copyright infringement seems very wrong to me. Surely the idea is that every citizen in any country should be responsible to keep to the laws in their country, and suffer the penalties imposed by their country when they break them.

    Ralf.

  11. Re:Overload whitespace to something meaningful! on What is Well-Commented Code? · · Score: 1
    After the ridiculous interview a few years ago where Stroustrup claimed that C++ was a practical joke designed to keep software engineers, he really has made things a bit too obviously stupid with this one. Having an important block of code reduced to two characters that you can't even type (without using a tool to insert special characters) seems frankly ridiculous.

    The double backslash - everything before this is a comment - is particularly amusing.

    In fact, I even started looking for a date of April 1 whilst reading this document.

  12. Re:Describe before you apply on What is Well-Commented Code? · · Score: 2, Interesting
    The problem with this is that
    while (1) {...}
    or more commonly
    for (;;) {...}
    is a well known construct for infinite loop. If you turn such a simple construct into six lines of source, then I dread to think how much commenting you'll use when you actually get down to solving the problem in hand.

    for (;;) { // infinite loop
    is far better - it reminds people what you're doing and if someone sees your code and doesn't understand that construct then they know what it does from the comment and they can go and find out how it works and learn it for next time.

    While you're at it, you should probably think about hiring real programmers who know basic constructs in their chosen language...

  13. Re:Ad - Counter Ad on Microsoft To Start Running Anti-Unix Ads · · Score: 1
    Heck I right now freely give Sun the permission to use this idea. No Cost. No such permission is granted to anyone promoting Microsoft.

    Shame you wouldn't be able to charge for your ideas anyway, unless you hold a patent on it.

  14. Re:Focus on making money on Beginning Project Documentation? · · Score: 1

    If I was hit by a truck, I don't think I'd really give a damn about the next release of the product...

  15. Re:Coyote Linux on Captain Crunch's New Boxes, Part II · · Score: 1
    Yup. I second this...

    I was given an old 486 motherboard with not a lot else, so decided to make a floppy-based firewall so that we'd have something quiet that can stay on all the time.

    I got bored of hacking my own floppy-based system, so I thought I'd try coyotelinux. It really is fantastically easy to use, and is a great way to trick Windows users into trying Linux and then realising it only has to be complicated if you want it to be.

    A few things could be better documented; for instance my network cards (NetGear FA331's didn't have drivers, so I had to compile my own - fine but the docs don't say what kernel version it uses, so you have to boot up again to find out!)

    But basically you can have a working Linux firewall set up in about 6 mouse clicks. And that includes DHCP client to obtain the cable IP address and server for the local net. Nice.

    The server is pretty secure - the only visible service running is telnet (and that's optional), and coupled with the fact you can write-protect your floppy means it can't be tampered with.

    The only downside is that it uses some sucky editor (ae) and the termcap isn't set up right... I will install vi when I have a chance :-p

    Give it a go!

    The LEAF stuff also looks good, but personally I'd rather lose a floppy drive than a CD drive...

    Ralf.

  16. Magnetic Termite Mounds on Theory Tells How Egyptians Aligned Pyramids To True North · · Score: 5
    Travelling around Australia, you see lots of termite mounds in various places. In some parts, they are called "magnetic termite mounds", because they are tall, long, narrow things. And the length of the mound runs north-south (to within about 5 degrees).

    Apparently this is so the termites always have a warm side of the mound to rest in (the side will always be east or west of the mound, so it will always be heating up one of the long, tall sides, so there's always a lot of surface area).

    One thing puzzles me - how do these termites "know" how to do this?

    There are other pretty amazing things about these mounds too. They're made up entirely of waste grass, the termites eating grass and excreting this dry grass stuff, they're absolutely massive. Inside, there's a huge network of tunnels, and if you break a bit of the mound off so it's exposed, an army of termites will come out and start repairing it. Awesome!

    Apparently, you can also make a drink with water and crushed termite mound, which has some medicinal value, but I've forgotten what now.

    Go and visit Australia - there's so much there that's different from the rest of the world. I was gobsmacked!

  17. Re:Begging for Linux support on PCI Card Lets You Watch HDTV (And Save To Disk) · · Score: 1
    A defect in the Z80 produced random results on an undocumented command... Z80 random number generator..

    Urm, not that I recall. There was a way to get a kind of random seed, using the R register. This wasn't random, though, it was incremented by one every clock cycle and used for the DRAM refresh cycles. But if you checked it at the start of execution, it could act as a random seed for your real random number generator.

    Then there were the undocumented shift instructions. Basically, there was a batch of instructions that fitted into the scheme at a point that would logically be shift right, add carry, but for one opcode operating on (HL), it failed; always adding one, not the carry. But, this bug was repeatable, and so people used the instructions anyway. They just weren't documented because they didn't fit perfectly into the logical scheme.

    Chances are REALLY good [...] won't have a Linux driver.. that wouldn't be a big deal if they'd just release the technical specs..

    Yes, but with most things these days, it's hard to stay competitive if you publicly disclose all your tricks of the trade. Particularly with hardware, if someone pinches your design, it's pretty hard to tell except by the interface it exposes to the outside world. In the old days, anyone releasing a clone of a Vic-20 would have it spotted as such (remember there were few custom logic chips), these days how would you prove that part of the internals of a graphics chip is a direct copy of part of your own? You can't short of probing it with an electron microscope or looking at the external interface to see how closely it matches your own. And lots of chip designers have deliberately undocumented stuff so that they can identify their own designs.

  18. Indrema on Hacking Oracle's $199 Net Appliance · · Score: 1

    This box looks fairly stylish, but I can't wait to get hold of an Indrema and hack that into a general purpose DVD/DivX/E-mail box by the TV...

  19. Re:But copyrights will never expire again! on On The Preservation Of Endangered Web Resources ... · · Score: 1
    Tell me, when will Mickey Mouse pass into the public domain. It just passed 80 years old not too long ago...

    Face it, nothing will have its copyright ever expire again.

    That's a rather simplistic view, though. Remember that the copyright expires 80 years after the death of the copyright owner, not 80 years after it was created. And if you explicitly sign away copyright to someone else (e.g. your estate), the copyright will last much longer. And, of course, if you sign the copyright to a company, it's a certain period after that company ceases trading (I'm pretty certain it's a shorter time, though).

    But, you're probably right. Most stuff that's copyrighted now is owned by huge companies, and so for all intents and purposes, the copyright won't expire.

    I personally think a far fairer system would be based on earning from a copyrighted work. Perhaps a company should have automatic copyright for ten years, and then have to prove that the work is still making them an arbitrary amount (say $10,000 p.a.) to have extended copyrights on. This would allow people to copy software that is no longer supported by the manufacturer, books that are out of print, music only available on old scratchy 33's, etc...

    But I don't suppose for one minute that it's going to happen. The major companies concerned have far too much influence over government practices (witness the MP3 / DeCSS revolution that's getting them all really scared).

  20. New Jerusalem on The Net as the New Jerusalem · · Score: 3
    Fairly fundamental to the New Jerusalem, as a concept, is the idea that it is the ultimate perfect environment in which we, as people, can relate to our creator. I really don't see how this can be applied to the Net. Sure, it has many good points, but it's nothing like something we should be spiritually hoping for.

    The Net gives us another community to exist in, but far too commonly at the expense of that which we already have. Whilst it can help build relationships with other people, even people we're never likely to even meet in real life, if we fail to build relationships with people in our own physical community then this is hardly improving our lives or society as a whole.

    Despite the idea of a global village sounding appealing to many, in many ways the Net is causing us to become more insular.

  21. Re:Maybe they need a change of name on Slackware For Sparc · · Score: 1
    On the other hand you've got a distribution named "Slackware", hardly the name your tech-savvy CTO wants...

    If they were really tech-savvy, then they'd realise that Slackware have been in the game far longer than most distros. I remember the day when I upgraded my prehistoric Slackware with v3.0 on CD. I was so chuffed that I didn't have to deal with 50 floppies again.

    I'd still bet that most people who've used Linux for more than a year or so will recognise Slackware as a good distro, with users who know what they're doing rather than just letting the installer do everything for them short of choosing an IP address.

  22. Re:SPARC on Slackware For Sparc · · Score: 1
    I personally wouldn't run anything other than Solaris on one of these boxes.

    I find Solaris 2.6 running on my old Sparc 2's to be a completely soporific experience... I'll probably have a go at this distro to see if it's a vaguely useful speed. Either that, or my 2's will get relegated to just doing DNS...

    But I wonder if these things will network boot properly. It always used to annoy me that the old Solaris netboot image relied on packet ordering from Sun's NFS server which meant that whilst they'd TFTP the boot image they'd never get further than that unless you were using a Sun machine as the boot server. Once they were up, they would be quite happy doing NFS to a Linux box.

  23. This is a good idea on Bootable Game CDROMs Using Linux · · Score: 1
    If you read the article, you'll see that the game they chose to use was written using SDL. This means it can be ported to Linux, Win32, BeOS, MacOS with very little effort.

    Now, imagine you were writing a game with SDL. You compile up the common versions, so it can be run directly from any of the OS'es you support. If newer hardware and/or drivers have come out, then it'll just use the drivers people already have, as it's running as a regular app under their OS of choice.

    But, quite often I find myself booting my machine just to have a quick round of Counter-Strike. If the dist. CD booted straight into an OS and ran the game, that would be sweet. No more faffing around, logging in, doing a clean shutdown, being tempted to check my mail, read slashdot, etc... Just shove the CD in the drive and power-on.

    Yes, drivers may be updated in the mean-time, but there's no reason why a bootable CD can't scan for partitions on a hard-disk, mount FAT or ext2 ones, and check for a /bootableDrivers directory and use those drivers to replace what's already on the CD, say. And if enough people were using a common method of creating the CDs, you'd only need this once. These files could be put there by whatever OS you want to use. If you never want to boot from CD, you don't need to worry about the fact that it's a bootable CD.

    Nobody loses, so I don't see how it can be considered a bad idea.

  24. Re:ACM on Illusionary LED clock · · Score: 1

    You should add a nop into the middle to see how many people then say: "You can save another instruction here, you know..."

  25. Re:Why so long? on First Digital Computer Dates back To 1944 · · Score: 1

    Because British stuff is only automatically de-classified 50 years after initially being classified. Sometimes it's de-classified sooner, but if it's considered too sensitive they don't until after 50 years when it has to be revealed by law.