(Microsoft has acknowledged the bug, so the first half of your question is complete.)
I was curious just how long the ICMP attack took to fix, so here is my 5 minute investigation; it's taken longer to write this than research it. Kudos to the folks at Progressive Computer Concepts for their excellent mail list archives (www.progressive-comp.com). I assume the date/times listed are in their local time.
Bug Notice: Posted to Bugtraq by Piotr Wilkin 1 June 1999 15:43:17.
Solution: Posted to Linux Kernel by Alan Cox, 1 June 1999 22:23:04. Also Posted to Bugtraq by Alan Cox, 1 June 1999 22:30:33.
So, 6 hours, 39 minutes, 47 seconds from the time it was made public to solution (7.5 minutes more if you only monitored Bugtraq).
And then this IIS bug, reported to Microsoft 8 June 1999, made public on Bugtraq at 12:18:16 today (15 June 1999). A week lead time, and no fix in sight.
Security is the heart of any business that relies on its web page for income (order taking, etc). Now that it's been made public, I'm sure all the skript kiddies will be wreaking havoc this evening on as many servers as they can hit. Although, for completeness, I'd be interested in noting any servers that do get hit. The Wired article specifically mentions Nasdaq, Disney, and Compaq as running "large ecommerce operations" on IIS. I can't imagine how a large company could stick with it with such pathetic service from MS.
Oh wait. I went to the security web site listed in the article, and MS has posted a workaround, basically remove the .HTR extension from IIS (the post on Bugtraq lists .ASP and .IDC as being affected as well). The funny thing is their terminology and timeline. At the top it says, "Originally Posted: May 27, 1999." So they knew about it a whole 11 days before eEye told them about it. Posted where, you might ask? Who knows. But at the bottom of the page it says, "June 15, 1999: Bulletin Created." I presume that "bulletin created" means they put it on their web site. Even still, not only with a week's notice, but 18 days notice the bug is not fixed.
Other inconsistencies in the notice, in the "What Microsoft is Doing" section, "Microsoft has released patches that fix the problem identified" (my bold). Oh, it's been fixed by golly. Then you go down to the "What Customers Should Do" section (be it 4 lines down, web design cracks aside) like they say next, what does it say? "A patch will be available shortly..." So it's fixed, but you cannot have it. This just makes my point even better. Why rely your business on them with this double-talk and no real solutions??
ZMailer (zmailer.org) is very easy to set up and stable. It has built in things for mail list management, the RBL, etc. After QMail refused to take any more mail, I had ZMailer up and running in a few minutes after download/compilation.
The lack of an Expires: tag in the HTTP response can do that. Take Slashdot for instance, every time I hit forward/back while logged on reloads the entire page. I've sent Rob my thoughts on it, but the messages probably got smothered by the thousands of "You suck" letters he gets. :)
Or it could have to deal with the banner ads being run through a CGI (to capture your IP and all). Since they don't have a real filename, perhaps Netscape isn't able to check anything in its cache and so re-downloads it.
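As an added example (not code from the thread above), here is the freshness rule a cache applies, written out in Python after RFC 2616 section 13.2: a `Cache-Control: max-age` wins, otherwise `Expires` minus `Date` is used, and a response carrying neither has no freshness lifetime at all, so the browser has to go back to the server on every back/forward. The response headers below are constructed for the example, not captured from Slashdot or any other server.

```python
"""Decide whether a cached HTTP response is still fresh.

Added example, not code from the original thread. Implements the
freshness calculation of RFC 2616 section 13.2: Cache-Control max-age
takes precedence, otherwise Expires minus Date is the lifetime, and a
response with neither is treated as stale. All sample headers here are
constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_http_date(value):
    """RFC 1123 date string -> timezone-aware datetime (UTC if unlabelled)."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def max_age(headers):
    """Return the max-age directive in seconds, or None if absent."""
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def freshness_lifetime(headers):
    """Seconds the response may be served from cache, or None when the
    response carries no freshness information (no max-age, no Expires)."""
    ma = max_age(headers)
    if ma is not None:
        return ma
    if "Expires" in headers and "Date" in headers:
        delta = parse_http_date(headers["Expires"]) - parse_http_date(headers["Date"])
        return max(0, int(delta.total_seconds()))
    return None


def is_fresh(headers, now):
    """True if the cached copy can be reused without contacting the origin."""
    lifetime = freshness_lifetime(headers)
    if lifetime is None or "Date" not in headers:
        return False          # nothing to go on: refetch every time
    age = (now - parse_http_date(headers["Date"])).total_seconds()
    return age < lifetime


# Constructed sample responses (not real server output).
NOW = datetime(1999, 6, 15, 12, 30, tzinfo=timezone.utc)
NO_EXPIRES = {"Date": "Tue, 15 Jun 1999 12:00:00 GMT",
              "Content-Type": "text/html"}
WITH_EXPIRES = {"Date": "Tue, 15 Jun 1999 12:00:00 GMT",
                "Expires": "Tue, 15 Jun 1999 13:00:00 GMT"}
WITH_MAX_AGE = {"Date": "Tue, 15 Jun 1999 12:00:00 GMT",
                "Cache-Control": "private, max-age=600"}

if __name__ == "__main__":
    for label, hdrs in (("no Expires", NO_EXPIRES),
                        ("Expires +1h", WITH_EXPIRES),
                        ("max-age=600", WITH_MAX_AGE)):
        print("%-12s fresh after 30 min: %s" % (label, is_fresh(hdrs, NOW)))
```

Run it and the page with no Expires header is reported stale (refetched), the one with an Expires an hour out is still fresh after thirty minutes, and the max-age=600 one has already expired. Whether a given 1999 browser also skipped caching for CGI URLs with query strings is a separate heuristic not modelled here.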
Actually, I think if the make modules fail, then a modules_install will first try recompiling the modules and fail again. So you'll still get the error message and nothing installed.
Case 1: The ancient Novell 4 server is dying! Our 20-workstation system is in danger! Panic! Panic! Buy $Oz20,000 worth of NT server gear (multiple Xeons, bucketsful of RAM, hot swappable drives, the whole box 'n' dice) to replace it with! Well, almost... Settled for $Oz2400 worth of Linux gear and get brilliant response time now that the IPX protocol's been axed (MARS ain't so efficient). RAID-1 with caddies plus automated CD burning and checking for backup included.
I work at a fairly large company. They have 12 outlying offices around the US and Canada with 5-20 employees in each. Lord knows why, but they decided to hook each of them up with 56k dedicated lines. To salvage it, and let there be file sharing with the HQ here, I put together a plan to use spare P133s lying in the back, Linux, Samba, Perl, etc to mirror a lan drive every night to each office for a couple hundred dollars. What do they say? "We can't do that, we'll need a 'server' (that is, a machine that IBM has labeled as 'server' in the marketing brochure, at least $15k for each office), and it must be NT Server (several more hundred dollars). We can't use anything else." And they wonder why the two NT print servers lock up and need rebooting about once a week (I won't start on the file servers). Sheesh.
Some companies, especially really large ones, latch onto a name and won't let go until the ship is 3/4 sunk. It's unfortunate, but that's the way suits can be sometimes.
As good as Unix is, I REALLY wish MS would use NT for hotmail. Only then could their spam service be slowed down enough to be merely annoying rather than damned annoying. Really, how many of their users are using it for normal email, 5%?
Re:What hardware/software does it use? (on Digital VCRs, Score: 1)
What I haven't found for Linux in my searches are MPEG editing utilities, or anything to reformat MPEG1 files into the VideoCD format. I'd love to dump Windows for this stuff, but currently need it to do the AVI->MPEG encoding, strip off a few seconds from the start/end and merge a couple MPEGs, and finally burn the VideoCD.
STING RAID: If you remove a system board from a running domain without enough swap space, Solaris will hang. The administrative tools do not warn you if you do not have enough swap space available.
This is pretty low. Yeah, it can happen - what else is an OS supposed to do when it has more processes than now remains as memory?
Come on now, NT's "You are running low on virtual memory" error message is one of the most beautiful parts of the OS. It is perhaps the single most profound statement bestowed upon us. If Solaris (or Linux, what the hey) cannot provide the most highly trained administrators (I'm talkin top notch MCSErs here) with this sort of insight, well you get what you deserve then.
Re:Some real-world benchmarks (on K7 Benchmarking, Score: 1)
Do Intel (or even Alpha) CPUs encode mpeg video in realtime? On my K6-2/400, Windows takes like 7 minutes to cram a 2 gig AVI file into a 50mb MPEG1. It's not an incredibly long time or anything.
Are there signal transmitters available to send a box's output to a TV elsewhere in the house? Got any particular sites for em? This apartment I'm currently in has only one cable outlet, so I had to run a huge cable all along the wall to the bedroom. Sure I could move, but I'm lazy. :)
Re:This is what compatibility standards are for. (on On Red Hat Bashing..., Score: 1)
Back at Comdex (April 20something) Dan Quinlan and Maddog Hall said roughly in six months the first release of the LSB standards would be laid out. Then I'd expect about the beginning of 2000 for the different distributions to put the final tweaks to their dist to make them compliant with the standards.
Still, they aren't touching desktop environments at this time. So I doubt there'd be any mention of needing Qt/GTK libraries. Personally, I'd be thrilled if a second or third standards draft required both sets of libraries. Choice is the key thing I enjoy most in Linux.
Just please don't anyone use the recently reviewed book on RTS game programming (and many, many windows programming books) style of berating the user with what programming is, how to make a while statement, etc.
One of the main KDE developers has written an O'Reilly book on programming Qt. I'm not sure if he talks about KDE much in it, but that's certainly enough to get one going. All of the API has good documentation (could still use a bit of help); any moderate programmer who knows C++ can just take that and go.
Still, I would have to agree that a full O'Reilly book on KDE programming would be nice. On the other hand, considering KDE 2.0 may be out at the end of this year or so, perhaps waiting until then to make a book would be more appropriate.
I just find it interesting that the average time a Slashdotter takes to chew through a block is 17.5 hours, and for Microsoft's team it's just shy of 29. That's gotta hurt them. :)
I'd just like to say that this sort of review is very appreciated. Too many of the past reviews on Slashdot have been basically typing what's on the back of the book and table of contents with little review (of the sort, "This book has X, Y, Z" instead of an analysis of how well they describe X, Y, or Z).
ClanLib is one gaming API. I haven't gotten too deep into it, but it looks promising. As with many OpenSource projects, the documentation on their web page is a bit lacking. They have the functions, but usually no description or only a few words on it; a tutorial or two using the functions would be handy.
I start a week of vacation this week, I may just have to help them out with that.
The title of this book would catch my attention while browsing down the aisles at Barnes & Noble. But alas, experience tells me you'll never find a good game programming book at bookstores, until a real programmer puts something together and it's published by O'Reilly.
Why would anyone want/need a book like this? Well first off, to save research time. If I had a reasonable book with at least abstract concepts of different pathfinding algorithms, details on their pros/cons, networking issues detailing pros/cons of how often to transmit a unit's current position, etc, I'd be a happy camper.
I played with a DirectX wrapper in Delphi once. I put together a terribly simple engine. You could click on a unit, move it around, but that was about it before I got busy doing other things. Sure Delphi isn't the mecca for gaming programming, but it taught me about the hassles with finding these sort of topics. After hours of perusing web pages, newsgroups, trying to remember/find notes from college classes that lightly touched these areas, I found the need for such a book is strong. It would be most preferable if someone with a good bit of experience making a full game authored it as well.
Something like the reviewer mentions, a sort of college textbook on RTS game programming would be perfect. Present the material in a straightforward way, talking to intermediate/advanced programmers, delve into the beauty of a good algorithm and less into how-to-use-Visual-C++-for-dummies (redundant?) and it will sell 100 times what this book will ever sell.
I wasn't directing that post to you, but to ill who said how people hate RedHat because it is commercial, and only tends to the people that pay for it. I've heard some RH folks talk at conferences, briefly talked with them myself, and I don't see them as he paints them, only out for a quick buck, or that their sole motivation is what will bring in the most money.
And seeing what ill wrote just before your response, it proves my point. Too many of these people just paint these evil scenarios in their minds and then come here to spread their FUD and state their hallucinations as fact. This is what is hurting the Linux and Open Source communities more than MS or any team they form.
Many non-Linux people I've talked to see so many of these fanatics when they look into what Linux is in newsgroups, here on Slashdot, etc. I have to do more work convincing them that there is good in this community and Linux is not just about these wackos, than what it took for one of these people to type their FUD in their post.
We're killing ourselves here folks, wake up and spread the good word.
How about trying the link Justin provided in this posting to find a few things different from stock RedHat or just changed from Mandrake 5.3? Compare lists of rpms (rpm -qa > file on a Mandrake 6 and RedHat 6). I haven't yet downloaded everything to install Mandrake 6, but I see several things that weren't in RH6 just by perusing their web site. It really wasn't that difficult to find the information; it just took a little effort.
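The `rpm -qa` comparison suggested above, carried a step further as an added example (not code from the post): each line of `rpm -qa` is NAME-VERSION-RELEASE, and since package names can themselves contain dashes (XFree86-libs, for instance), the line has to be split at the last two dashes rather than the first. The script below parses two listings and reports packages present on only one side plus packages present on both at different versions. The two listings are constructed for the example; they are not real Red Hat 6 or Mandrake 6 output.

```python
"""Compare two `rpm -qa` listings by package name.

Added example, not from the original post. Each line is
NAME-VERSION-RELEASE; NAME may contain dashes, so split from the right.
The listings RH6 and MDK6 below are constructed samples.
"""


def split_nvr(line):
    """'XFree86-libs-3.3.3.1-49' -> ('XFree86-libs', '3.3.3.1', '49')."""
    line = line.strip()
    try:
        name_ver, release = line.rsplit("-", 1)
        name, version = name_ver.rsplit("-", 1)
    except ValueError:
        raise ValueError("not NAME-VERSION-RELEASE: %r" % line)
    return name, version, release


def load_listing(text):
    """Map package name -> (version, release); blank lines are ignored."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, ver, rel = split_nvr(line)
            pkgs[name] = (ver, rel)
    return pkgs


def compare(a_text, b_text):
    """Packages only in A, only in B, and in both at different versions."""
    a, b = load_listing(a_text), load_listing(b_text)
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted((n, a[n], b[n]) for n in common if a[n] != b[n]),
    }


# Constructed sample listings (hypothetical, not actual distribution contents).
RH6 = """\
bash-1.14.7-16
rpm-3.0-1
XFree86-libs-3.3.3.1-49
"""
MDK6 = """\
bash-1.14.7-16
rpm-3.0.2-5
XFree86-libs-3.3.3.1-49
sample-extra-1.0-1mdk
"""

if __name__ == "__main__":
    # Real use: compare(open("rh6.txt").read(), open("mdk6.txt").read())
    # where each file was produced by `rpm -qa > file` on its box.
    for key, val in compare(RH6, MDK6).items():
        print(key, val)
```

In practice you would save `rpm -qa > file` on each machine and feed the two files to `compare()`; the "changed" list is often the more interesting output, since it shows where one distribution has rebuilt or upgraded a package the other also ships.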
Or are you the plant? Or am I? Or is my dog?
We shall never really know, eh? (raising one eyebrow, head slightly tilted)
it's June already, and I don't have a K7 under my desk. I ask you AMD, why?!
Ah well, it's not like these K6's will break down anytime soon.
:)
According to here, it's finished and available to read. It doesn't look like it's all that long, but still cute.
You are very welcome. :)
Thank you.
... nothing of use to you. So does that make it useless for everyone? Everything has its niche, and no one's requiring everyone to run everything.
And you base this on, what? Have you talked with Bob Young or any official RedHat representative? Or was it just your own speculation?