Slashdot Mirror


User: void*

void*'s activity in the archive.

Stories: 0 · Comments: 246

Comments · 246

  1. Re:full C compatability? on C, Objective-C, C++... D! Future Or failure? · · Score: 3, Insightful

    (From which many sensible people conclude that it's bad practice to write in C.)

    Your 'many sensible people' would be ignoring that 'libraries allocate their own memory' and 'libraries that have fixed size return data' are not the only options.

    Sure, you can do bad things in C. You can do "bad things" in pretty much any language - I just ran into an issue where a third party Java library closed a stream I passed to it. It didn't create the stream, why should it assume I want it closed? It's a bogus design decision that limits the library's usefulness - if I want a chunk of data processed by that library wrapped by other data that I write before and after the processing, I can't just write the data that goes first, pass my output stream to this lib, and then pass the data that I want after, I have to write the middle data out to a file somewhere and then reread and rewrite it. Should I now conclude that it's 'bad practice to write in Java' because a third party came up with a poopy implementation of a util library?

    I recognize that C allows worse things (buffer overflows, etc.) to happen when such design errors are made. However, I think that anyone writing code in C should be aware of that - the code doesn't write itself, and the root of the problem is a given programmer following bad practices. You may blame the language for allowing it, but you can't blame the language for the presence of the given overflow ... the language spec didn't write the code. With power should come responsibility.

  2. Re:Before attempting to remove... on Automobile Black Box Sends Driver to Jail · · Score: 1

    To me, the issue isn't the privacy concern. An accident investigator would be able to tell the approximate speed of impact, anyway. I think there's danger here of using the 'black box' as a crutch - not verifying that the speed given by the box is reasonable according to the physical evidence, and going by the recorded data only. The more interesting issue is where such things are likely to be misinterpreted, as they are by the sister of the deceased driver.

    Quoting from the Toronto Star article:

    "If we didn't know about the data in the black box, we would have always thought my brother was driving fast and that he went through a red light," Belinda Matthey, the sister of Zinet, told reporters yesterday. "Without the black box we wouldn't know the truth."

    Now, the black box may say that the car was doing 93mph. It may say he didn't hit the brake. There is nothing there, however, that says whether or not the deceased driver was speeding, or running a red light. Perhaps they obtained speed data from the deceased driver's vehicle as well. Neither would say whether or not the victim here ran a red light. Did the judge use anything other than the speed data to determine fault, or the required severity of the punishment? What if the driver who was sentenced didn't hit the brake because the light in his direction was indeed green, and the deceased driver did indeed run a red light, leaving no reaction time for him to hit the brakes?

    Driving three times the speed limit ... if the crash forensics reasonably match the black box data, the sentenced driver was imho driving with reckless disregard for the safety of others. However, if the deceased driver did indeed run a red, can it be said that the accident is entirely the sentenced driver's fault?

    I don't think so. Of course, there's not enough data here to draw solid conclusions either way, but I find it interesting that the sister is using this speed data as support for statements like "we would have always thought my brother was driving fast and that he went through a red light".

  3. Re:Temple of Elemental Evil is SO BAD on The Trouble With Using D&D Rules In Videogames? · · Score: 2, Interesting

    You're pretty much right on. A good example of this is his complaining about 'Melding to Stone' ... that's a game AI issue, not a rules issue.

    Of course a human DM is not going to allow that to happen, and the AI developers shouldn't have allowed that to happen. But this bit belongs not in a 'PNPRPG vs. CRPG' discussion. A problem like this can affect any game.

    Wolfenstein 3D, for example. On the last level, if you ran into the side room just right, the guy you were fighting would chase you in ... and get stuck, even though graphically there was plenty of room for him to move. This allowed you to whale on him from behind without any danger of being damaged. The first time I beat that game, I accidentally caused this to happen. More playtesting helps, but you can't expect an AI to be equivalent to a real intelligence.

  4. Re:It's not that surprising . . . on Netsky Worm Variant Attacks P2P Services · · Score: 1

    Some email viruses are true viruses. Email viruses that depend on a user click and just email raw or slightly modified copies of themselves are not viruses ... they are trojans that self-propagate. They do not "infect" anything, they do not place themselves in an otherwise useful and desirable program, which is the core of what a virus is, and is why they are called viruses. A piece of malicious code that infects other non-malicious code and propagated via email would be a virus by my definitions. A piece of malicious code that pretends to be a .jpg but is hiding its real extension (.jpg.exe, or whatever) that happens to send out copies of itself is not a virus. There is no *infection*. It's merely self-propagating, and it depends on the user to think it's non-malicious. The lack of infection and the dependence on the user thinking it's non-malicious is what makes it a trojan.

    Viruses infect other programs, and when those programs are executed, the virus code executes. The virus code looks for other programs to write itself into and, when found, writes itself into them ... this is what I mean by 'self install'. You are running something you would normally run, say, IE ... and if it is infected, the virus code runs with it, and installs itself into another uninfected program, after which that program is infected. The self-propagation and the fact that infection of a non-malicious program occurs is the mark of a virus.

    Both viruses and trojans depend on user actions to get executed. The difference is, the trojan depends entirely on trickery to get the user to execute what is in effect entirely a malicious program, whereas a virus writes itself into a non-malicious program that a user might execute whether it were infected or not. (Like a binary executable, or a Word template, etc). Prior to a viral infection, the programs are useful and used.

    I got all definitions right. Trojans pretend to be something non-malicious but are actually malicious - "Hey, I'm a mail attachment that you want to look at, click on me!" - when it's really an executable program. Viruses -infect- other non-malicious programs, and infect more programs when those non-malicious programs are then executed during the course of normal operation by the user.

    As you agree with, worms actively break in and cause themselves to execute on the new machine.

    Take a step back and look at the distinctions I'm making. They depend on what the malicious code does, not what it could potentially do. If 'they could tapdance on the boot sector if they wanted to' is what defines a 'virus' then every program on your machine is a virus, whether it has malicious code or not.

  5. Re:It's not that surprising . . . on Netsky Worm Variant Attacks P2P Services · · Score: 5, Informative

    Actually, viruses do install themselves.

    These 'email viruses' that require a user to click on them aren't really viruses, they're trojans. They don't have a means to copy themselves into another program, they just send off a bunch of mails and hope somebody activates them. They have a propagation mechanism that depends on human stupidity. I would call them 'self replicating' but they have a rather uninteresting replication mechanism.

    A real virus ... you run an infected program (note: not the virus itself, an otherwise useful program that happens to be infected) and it installs itself in other programs, or you boot off an infected floppy, it infects your hard disk boot sector, and then starts infecting more floppies. These actions (running a program, or booting your machine) are entirely normal things to do, you do them because you can't get anything done with a computer without doing them.

    Which brings us to worms, which are self replicating, but actively break into other machines and directly cause copies of themselves to start executing.

    As far as viruses go, people install and run infected programs because they want the functionality of an uninfected program and do not know the infection (the 'undesired behavior') is there. Hence the need to scan for viruses before you install any program.

  6. Re:It's about time on Are You Reporting Your Internet Purchases? · · Score: 1

    Playing field leveled? B.S. People wanting to shave pennies off, and being able to, is what defines a free market. Honestly, I see your post as a bunch of 'I can't compete' whining.

    You want people to use your store instead of going online? Provide better service, or otherwise make it worth it to pay the few extra bucks to buy at a brick & mortar rather than online. I buy things locally all the time, even though they're slightly more expensive, at places that make the extra cash worth it.

    Those cheapskates are your potential customers, and with the attitude you're displaying I'm not surprised they don't patronize your store. It's a free country, nobody has to shop at your store, they can even, if they'd like, buy at a place more expensive than your store is, to not have to deal with you. Your support for this is nothing more than a tacit admission that you'd like people to be forced to shop with you, and that's not freedom.

  7. Fool you by not fooling you ... on Homeless to be Implanted with Subdermal RFID Tags · · Score: 1

    You know, if they were really going to do this, what better strategy is there than to announce it on April 1st? Everyone thinks it's a joke and forgets about it, until a year from now when a bunch of people have RFID tags under their skin.

    From a totalitarian government's point of view, that would be the best April Fools' joke ever played.

  8. Re:Interesting conclusion on Analysis of the Witty Worm · · Score: 1

    You own a car made by FribbleFitz Motors, a 2003 Frobber 2000. FribbleFitz Motors issues a recall on Tuesday, indicating that radio transmissions with a frequency of 42 megahertz will cause the gas tank to explode on Frobber 2000s made from 1999 to 2004.

    Before you even know about the recall notice, before you have a reasonable chance to find out about the defect, a madman who has been watching FribbleFitz's recall releases for just such an opportunity builds a transmitter to send a signal at 42 megahertz, and runs around town blowing up cars and laughing at the carnage. Your car happens to be one of them.

    Now, are you responsible for the death of the little old lady who happened to be standing next to your Frobber 2000 when it exploded?

    Because this, sir, is a far more applicable analogy than 'not replacing the brakes for 45k miles'. A patch is a defect fix not unlike a recall, it is not 'routine maintenance', your bits didn't wear out. The fact that such defects occur more often than in the automotive industry should not transfer the responsibility onto the end user, not everyone has the technical knowledge or the time to keep up with the patches and vulnerability notices for every single piece of software on their machine. Should your grandmother lose her house because she doesn't know what a patch is?

  9. Re:NO silver bullet! on Extreme Programming Refactored, Take 2 · · Score: 1

    Well, there's only one correct meta-methodology - the meta-meta-methodology that allows you to select the best meta-methodology for selecting the best methodology for a given situation ...

  10. Why would anyone adopt it? on Gates on Spam · · Score: 1

    How do they expect to get anyone to adopt this when we've got a perfectly good, freely usable SMTP standard to send mail with?

    Sure, it's got its problems (spam, etc.), but I can't see why anyone would go 'hey, I'd like to have to give away processor time so I can send mail, instead of just using the firmly entrenched SMTP standard that doesn't cost anything above my connection fees'.

    It doesn't make sense. How are they planning to get people to adopt this?

  11. Re:Freeware document metadata remover on MS Word File Reveals Changes to SCO's Plans · · Score: 2, Informative

    PostScript is actually an interpreted programming language, oriented for display, and it is powerful enough that it is entirely possible to write viruses for PostScript documents.

    Do a Google search and check out the rationale for Ghostscript's -dSAFER option, etc.

    For example, we have here the following:

    Even in PostScript files there may be problems similar to those encountered with macro viruses. In PostScript display programs there are interpreters which process the PostScript language. Above level 2.0 of the PostScript specification there are also PostScript commands for writing files. As a result it is possible to generate PostScript files which, during processing by an interpreter, can modify, delete or rename other files as soon as they are displayed on the screen.

    Specific problems exist in the ghostscript (gs) program. In the Unix versions it is possible to switch off the write facilities on files with the -dSAFER option. However this is not the pre-set option. This option is similarly named in versions for other operating systems.

  12. Re:halloween documents part 1-6 on Leaked Memo Says Microsoft Raised $86 million for SCO · · Score: 1

    With ten memos over five years the average time between memos is approximately 26 weeks. Hardly 'seemingly weekly installments' - at best you've got 'seemingly quarterly installments'.

  13. Re:This customer: Taking it in stride on SCO Identifies EV1Servers as Linux Licensee · · Score: 1

    Think about it for a minute. What is SCO's intent to have a service provider publicly say there is an agreement? To make it look like they have a leg to stand on.

    They sound like they have a good hosting setup and disaster plans - but do you really want your hosting company supporting SCO? This sounds to me like a management decision, where the incident you point out is more of a 'do we get the job done' variety. Whoever gave the OK for this had to know it would make people unhappy. They probably balanced it as a risk when they made the decision - and they should get to deal with the consequences :) Picking a company to host you is more than just the technical side of things. I would not want my money going to a company that supports SCO, even if they have handled problems such as this. Your opinion may differ, I respect that, but I don't see this as overriding blatant managerial stupidity.

    The people who host at EV1 right now have the opportunity to send a message, that message being that it is a bad business move to support SCO. Take that opportunity or leave it, that's your call, based on your criteria (as it should be).

  14. Re:Users definetly upset. on SCO Identifies EV1Servers as Linux Licensee · · Score: 2, Insightful

    It doesn't matter what the arrangement is.

    What matters is that this hosting company is publicly saying that they have some arrangement with SCO, which will lend credence to SCO's claims in the minds of some.

    They should be made to feel the pain - if their current customers say 'hey, I'm switching away from you because I don't want to give my money to a company that will support SCO's bull in any way, shape, or form' they will get the point.

  15. Re:Users definetly upset. on SCO Identifies EV1Servers as Linux Licensee · · Score: 5, Insightful

    You tell EV1 that you're taking your business elsewhere, you take your business elsewhere, and you tell your friends to stay the hell away from EV1 as a hosting company.

  16. Re:virtually unstoppable? on Remember The Heathkit HERO? Check Out '912' · · Score: 1

    Yah - and have it misidentify you as an intruder.

    Much fun. :D

    If I were seriously going to build a security robot, I'd arm it with a taser. Writing a targeting system would be fun.

  17. Re:Fun and games with statistics on The World's Safest Operating System · · Score: 1

    Absolutely. Security is the whole spectrum, and people are the weakest link.

  18. Re:Slashdotters react predictably on The World's Safest Operating System · · Score: 1

    Okay, this is the SECOND study posted to Slashdot that has shown that Linux is the most breached operating system on the Internet ... How many studies have to come out before Slashdotters stop proclaiming Linux as the magic security solution?

    Where did I proclaim Linux was a magic security solution? I did nothing other than point out that this study is basically bunk. Where did I proclaim that it's the end-all solution? I did not.

    There is no magic security solution, and I fail to see where you got the idea that I'd said that. Vendors want you to believe that, because if you do then you might buy their magic security solution - and so they pay for studies that purport to show that this is more secure than that - but security is not magic, it's work. It's properly designed networks, it's keeping up with the exploits that will be found lurking in the bits without regard to which operating system you're running, it's understanding that there is no way to make the problem go away, that you cannot do something now and not have to ever think about it again. Pick an OS and a set of apps, there will be vulnerabilities. *Real* security lies in how you deal with that. Relying on a study, no matter what the results, will give you a feel-good-i-must-be-secure-cause-the-study-says-so vibe right up until you find out you're owned.

    Slashdotters react predictably? You're right - in that, predictably, some slashdotters, such as yourself, look at a post and read meaning into it that's not there ;)

  19. Re:True to an extent on The World's Safest Operating System · · Score: 1

    True, but what makes an architect? Formal education may do it, but how did architects become architects before there was a formal education path to becoming an architect?

    There's more than one path - I think proven experience and ability is more important than how that experience and ability was obtained.

  20. Re:Fun and games with statistics on The World's Safest Operating System · · Score: 2, Informative

    As far as I can tell, they are not discriminating to that level.

    They're just throwing out *all* worms that hit MS operating systems, regardless. That doesn't make for a valid study, and it does not support your statement that it's 'More like "Let's discount all the stuff that rely on TOTAL DIPSHITS to execute on their own computer."'. Sure, those get thrown out - but so do attacks that should not be thrown out. Are they similarly throwing out automated attack scripts that break into a box, install a root kit, then start up a scanner to break into other machines? There's not enough info there to tell, but the info that is there points to the conclusion that they are not.

  21. Re:Overexaggerated on The World's Safest Operating System · · Score: 1

    I'd say only 1 in 10 of admins I've worked with actually have any formal training or a college education.

    I don't think that matters much - what matters is the level of experience the person has - i.e., do they have a clue.

    I don't have any college or formal education, I'm entirely self taught - and the people who I've worked for seem to consider me 'good', and I've never had a box I administered breached to my knowledge.

    On the other hand, I've personally met a guy with a Bachelor's and MSCE who didn't understand why his boot disks weren't working (he was just copying the sys files over and not replacing the boot sector) - he had a limited understanding of how the machine worked and got bitten by it. (I explained things to him and he made his disks.)

    There are really good and really horrible people at all levels of 'formal education', I don't think this is a generalizable statement.

  22. Re:What if Windows were found most vulnerable? on The World's Safest Operating System · · Score: 1

    It doesn't matter what the intent of the breach is, if you're discussing whether a system is secure.

    A breach is a breach, period, end of story - whether the attacker sends you a polite note saying 'here's how to fix your problem' or rapes your CC# list, your system allowed a breach.

  23. Re:Fun and games with statistics on The World's Safest Operating System · · Score: 5, Insightful

    More like "Let's discount all the stuff that rely on TOTAL DIPSHITS to execute on their own computer."

    So every one of those worms required a stupid user to execute it?

    Bullshit.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    "W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135"

    That is not anything near 'rely on TOTAL DIPSHITS'.

    This particular worm actively broke into the machine remotely. Discounting it for a study like this is nothing but 'let's throw away data until we've proven what we want', as other posters have noted.

  24. Re:GAH! on Security Experts Doubt SCO's Claims of DoS · · Score: 1

    Whenever anyone gets a huge synflood taking down a network, do you know what a good network engineer does? They attempt to block the traffic as close to the attack as possible.

    Absolutely true, but besides the point.

    If you'll note, I didn't even critique the fourth paragraph of your original post.

    What I critiqued was your statement that "first of all, a classic synflood is something that you and me can do from our home computers to some shitty webservers", when SCO was the one who said it was DDOS, and you yourself admitted it would have to be in the second portion of that paragraph - you note this, yet act like the bandwidth required by that would absolutely not affect an adjacent IP because of your silly contention that "secondly, just because an ip is next to another ip doesn't mean they're connected to the same switch/hub", when it's quite easily shown that traffic to those two IPs is going through the same router, which absolutely means that if left unchecked both hosts should be affected by the lack of bandwidth.

    You had one possibly valid objection - which no one but the ISP can confirm - and a few quite invalid ones ... yet when called on the invalid ones, you point to the valid one, which wasn't questioned.

    Gah yourself, man ;)

  25. Re:Let's do a Slashdot insta-poll on Security Experts Doubt SCO's Claims of DoS · · Score: 1

    Oh, I agree.

    My point wasn't to say SCO's claim was correct - just that if you're going to say 'RTFA', you might as well get your facts straight, and given that SCO originally claimed DDOS I don't think it much matters whether the summary or groklaw drops the first 'D'.