The main issue I have with MAPS is that they make no distinction between companies/sites that produce software used for mass-emailing (which could be spamming, but could also be used to send out messages to an opt-in list), companies/sites that sell lists of email addresses, and actual SPAM sources. Instead, they use a broad brush and declare "These are all spammers". If they offered different classifications (and it wouldn't be hard - different IP addresses for different categories of offense), and allowed individual server administrators to choose how large a brush they wanted to use against spam, then I'd have less of a problem with them tracking also companies that produce bulk email software, since those companies would be blocked only by the system administrators that explicitly wished those sources to be blocked.
The whole MAPS vs ORBS thing has also made me conclude that both sides in that debate are not worthy of my support.
The copyright clause is not the same as the advertisement clause in the original BSD license which causes the incompatibility. The copyright need only be in the source code; the advertisement clause means (among other things) that if you buy a boxed version, it has to be on the outside of the box.
The license in question here is the modified BSD license. (same page, earlier on)
The requirement that a copyright clause remain intact is NOT the same as the dreaded "BSD advertising clause".
In fact, the current BSD license is completely compatible with the GPL (Just remember that the commingled result must be GPLed). See the FSF list of GPL-Compatible licenses.
Java is NOT open source, and any familiarity with the open source definition would tell you so.
Yes, open source has a definition, and Java doesn't fit it, any more than PGP or qmail fit it.
Think that it's "practically open source"? Tell you what - why don't you create an installation of java for some linux distribution your company has just created, and then try to convince your company's lawyers that you can distribute the binaries made by your automatic nightly compilation scripts. The Sun license forbids that. (One of the reasons java2 hasn't made it into Debian)
Yes, you can (if you sign or click yes on the appropriate license) see the source, and yes that has its distinct advantages, and yes, the advantages of "visible source" (can we agree on that name for things like java, PGP, qmail and pine?) are some of the same ones touted by loud open source advocates, but it's still not open source. For example, you cannot even distribute the jdk to people not in your own organization; only the jre can be redistributed, and that only if you include enough of it.
Note that I am grateful to Sun for being as open as they have been, and often look at the source myself when the javadoc api fails to answer a question about how a given class really behaves. However, it's not open source and we shouldn't pollute the definition by saying that it is. It's not the traditional "you'll see our source code over our dead bodies" attitude either, but something in-between.
Well, it's just above your stated price range, but the net4501 from Soekris Engineering might also be worth considering (http://www.soekris.com/net4501.htm) - it's $230 plus whatever you want to pay for what you put in the CompactFlash slot. It's based around an AMD 486 clone, comes with 64 MB SDRAM and three ethernet ports, and has stated power consumption of 10 Watts. They did begin shipping earlier this year, but supplies are a bit low at the moment - the websites says they were expecting another production run at the end of September.
Google has for a while had on their website javascript code that could be put into a button to do just that in Netscape browsers, and if you download the google toolbar extension for ie, highlighting text and then doing a right-click brings up a "Google Search" option.
The default assumption of overwhelming cultural relativity ("who the fuck are you to decide what is backwards and what is not") is the same philosophy that would allow, for example, the government of China to say "Human rights are a western concept - in China there is no need for freedom of speech". While it would be unreasonable to expect another culture to be identical to that of the US, expecting all aspects of non-American cultures to be beyond reproach is silly. (After all, there are so many things screwed up with American culture that I can't imagine that other cultures could be perfect)
It is true that ignorant cross-cultural comparisons often lead to prejudicial stereotypes; I, for example, would be unsuited to make general statements about Japanese culture, in the business place or elsewhere. However, I see no evidence that this poster is speaking from a position of ignorance or shows a marked lack of experience with the Japanese workplace.
Perhaps you know something which would contradict their observations. If so, please share that - calling all Americans cultural bigots is like shooting fish in a barrel, only without the tasty fish afterwards.
Well, at least someone is doing their job properly
Yes, but someone else clearly wasn't. What on earth was anyone doing running OpenSSH 2.2 in the middle of May? Were they doing something else so as to eliminate the known remote root exploit prior to OpenSSH 2.3.0? (said exploit having been discovered in February) If not, then they were almost asking for trouble.
This is the part that puzzles me. I'm having trouble reconciling the use of such good security practices (nightly audits that are more than just window dressing) with making the almost newbie mistake of not updating known vulnerable software. What happened here?
One thing that really annoys me is that from the title of the law, you really have no idea what the law is about. Go ahead, ask anyone what "Children's online protection act" means. Likely as not, they'll think that it has something to do with:
Preventing the marketing or display of child pornography, or
Additional criminal penalties for people who lure children out with chat-room come-ons, or
Restricting the marketing of personal information about children and their browsing habits
Note that none of these have anything to do with preventing children from seeing/accessing pornography.
Now, I realize that there is almost no way to restrict what cutesy title a lawmaker will place on his own bill; any scheme I can think of has great peripheral damage almost instantly. However, it may be that with a good enough name the media can be convinced to call this law by a different name.
Obviously, flame names like "Unconstitutional act number 23 of 1998" aren't going to work. So we need something "Online Age verification act of 1998", or "Children's Internet Access Restriction Act". We need a name that makes it obvious to parents that with this law in place the government decides what is appropriate for children to view, and that the law is about restricting access by children to certain sets of images or text.
So in the interest of coming up with a catchy yet accurate name, what are the aspects of this law besides penalizing people who put up porn (as defined by some prosecutor seeking re-election) and don't cover it with a veneer of age verification? Does the law allow parents to override this consideration? (That is, could I allow my child to see certain sites, or would any provider with such a allow-parental-override system also face prosecution?) Does this law have other effects that aren't at issue with this constitutional challenge?
... then it's something that's on the books but not enforced unless you have a parent push or have a couple of teachers push the district (as happened in my school district when I was in 10th grade - some teachers managed to set up a gifted program in the high school that some people found worthwhile).
Usually, in the absence of a real concerted program, what happens in high schools is that IEP's are filled out by using a form letter with some suitably generic text that basically just says "we gave the kid a chance to take honors classes"; these forms are then filed away somewhere in case the state wants to check the district's paperwork. It may even be that no one in the district is aware of this requirement except the one secretary who files the form letters each year.
However, if you can write a decent proposal (won't help your particular situation much, but maybe some high school junior is reading this), you can usually mention this requirement to enough people to let you do an independent study instead of a regular class. (I was able to bargain out one period a day, a promotional copy of an AP physics text they had lying around, and access to a storage closet with a desk and lamp in it - it sure beat out the "honors" 12th grade physics that just barely got to angular momentum by the end of the year)
Don't kid yourself, though - it's not as though the school actually tries to meet the needs of the bottom 2% either. My district ran a program for the mentally retarded students from several local districts, and they basically just warehoused them.
It's not just who hold the pursestrings that matters - what matters is what the University considers important. If it's money, and if enough money comes from the students, then the University might hold off for monetary reasons. However, money isn't always top on the minds of University administrators - often it's the University's image.
As an example, I was a math grad. student at Johns Hopkins. One of the things that had come down from the University administration a few years before I got there was that we were to hold the line against grade inflation. The University as a whole has made this a priority (i.e. that Hopkins grades mean something significant), and one of the consequences is that we never had to worry about a lack of administration support when it came to punishing cheaters. The image of Hopkins had been tied by the administration to the idea that grades received at Hopkins represent what they ought to.
Not that this was a completely effective deterrent. It always boggled my mind when grading tests the number of people who would cheat off their friends when their friends also had no clue what they were doing. (We usually graded tests by giving each TA one or two problems, and that TA would then grade those problems across all sections - with fewer than 200 students per class, it's pretty easy to pick up on something you've seen before) I mean, if you're going to cheat, wouldn't you at least pick someone who knew their stuff to cheat from? I'll wager that upwards of 70% of the time the cheater was cheating off someone else who had no clue. I will admit that the standard punishment was usually simply giving the student a 0 on the test, which almost inevitably led to an F in the course. I don't think we ever found sufficiently flagrant violations to warrant referring the matter upstream. (Pretty obvious acts of desperation, mostly) I also don't remember ever catching anyone who wasn't a freshman.
Compare this to the conventional wisdom about a certain other institution that apparently values above all its reputation of having the best of the best as its student body, and is seriously hostile to anything that might make a student look bad. (This is mostly mere grapevine gossip, but backed up with horror stories from someone who TAed there, and some anecdotal evidence from people who've been undergrads there) Presumably an institution with less cultural capital would want to prevent its grades from becoming meaningless, but that place has a different set of priorities.
But you had to get the right cartridge - that "speech editor" cartridge that came with the Speech Synthesizer module only had a limited vocabulary.
What you really needed was the cartridge "Terminal Emulator II"; then it was possible to write programs in TI basic that just fed the speech synthesizer bits of phonetics out of which you got speech. Actually, the phonetics were fed to the TE2 cartridge, which handed you back a huge list of numbers to feed to the synthesizer, and then your program had to feed the result to the synthesizer. I suppose that it would be possible to take the list of numbers, save them off somewhere, and then have basic programs that could swear even without the TE2 cartridge, but that never came up. Really, getting the TI to say "you asshole" once was enough.
The cover of the TE2 book even showed a little caption balloon next to the computer that read "I can say anything". And it could, sort of, in that stilted way that it had.
The vast majority of security vulnerabilities are buffer overflows.
I don't have numbers (probably only large espionage organizations do), but
I'm willing to bet that's not true.
Indeed - if we are to believe tallying the number of entries in each category given on the security focus page you mention, it would seem that "input validation" is the most common type of security error.
Looking at those vulnerabilities though leads me to conclude that "input validation" is too broad a category - unfortunately, I'm not sure how to divide it up.
If you don't mind throwing compatibility with pre-6 netscape browsers and pre-5 ie browsers out the window, it's quite possible.
Okay, I know I'm plugging my own resume, but I found that I could do CSS tricks with http://www.math.jhu.edu/~martind/resume.html
to make certain that my resume printed just the way I wanted it to from ie 5.x browsers (which were the most common in the HR departments I was targeting). Remember that a resume's purpose is to get you past the HR drones; they will either print it out and hand (or fax) it to the person you would actually be working for, or ignore it entirely. In a few very rare cases, I've seen HR departments clued enough to send resumes as email attachments, but not before first converting them to Word and trashing all the formatting anyway. Therefore, ie5-specific CSS in a resume isn't that big a deal.
Not only that, but it wasn't hard to include the necessary extra xml-foo so that office 2000 would load the html as a word doc. with all the borders, etc. set correctly. This made keeping the html, pdf, plain text, and doc formats of my resume in sync quite easy - I'd update the html from anywhere, and use lynx -dump to give me the plain text. I'd then walk over to a windows machine that had the full office 2000 suite on it, and load that page up in ie5. Print to file from ie5 to generate postscript, and also load up http://math.jhu.edu/~martind/resume2k.doc in Word (that file's just a symbolic link to the html). Save the Word doc. in office 95 format and ftp/scp the postscript and '95 doc format back to the server. Then use ps2pdf on the server to turn the postscript version into pdf.
It got a bit more complicated than that for a while - inserting pdfmark stuff into the postscript so that hyperlinks worked in the pdf file - but basically, that's it. (Maintenance of the multiple separate versions has lagged since I landed a job back in August - I only generated the most recent files a few months ago to get recruiters off my back)
Re: What I don't get about the Monty Hall Problem (on The Three Hat Problem)
> What am I missing here people?
The basic idea you're missing is that when you made your initial pick you chose from a different set of doors than you're presented with when you get to do your switch-or-stay choice.
First of all, clear your mind of the notion that simply because there are two options, both of them must be equally likely to lead to reward. The real world rarely works like that, and in fact you should never assume that even theoretical problems work that way unless it's so stated. As a trivial example, suppose that we play a game in which we walk up to a random person on the street and ask them for their signature. Would you like to win when they sign with their right hand or with their left?
So what is stated: the prize is behind a randomly chosen door, and before the game is equally likely to be behind any one of the three. The host chooses randomly when he can. You are in control of your own strategy.
Now, let's take a diversion and play a game similar to Monty Hall, but with one important difference: the host chooses one of the two doors regardless of what may be behind it and just places a big X on the door marking it off-limits. You can then switch or not. Now, then, the universes play out this way:
case A: (1/3 chance) You choose initially the correct door: no matter which door the host Xes out, you lose if you switch and win if you stay.
case B: (1/3 chance) You initially choose incorrectly and the host Xes out the door with the prize. No matter what you do, you lose. Sometimes life is like that.
case C: (1/3 chance) You initially choose incorrectly and the host Xes out the other empty door. You win if you switch, but lose if you stay.
It is important to note that the probabilities for the different cases are NOT computed by simply using 1/3 since we have three cases, but rather from the statement of the problem: we _know_ that the location of the prize is distributed uniformly, and therefore have a 1/3 chance of guessing correctly initially (case A). In the 2/3 of the time that we guess incorrectly initially, half of the time the host will X out the prize door (so 2/3 * 1/2 == 1/3 chance for case B) and half the time the host will X out another empty door (2/3 * 1/2 == 1/3 chance for case C).
So we see that the strategy analysis works out like this: if you switch, you win 1/3 of the time and lose 2/3 of the time. If you stay, same odds. Therefore, there's no advantage to either strategy.
Now, how does this differ from the regular Monty Hall game? The difference is that the host doesn't choose randomly, and only Xes out a door without the prize. This then redistributes the probabilities between cases B and C. Specifically, case B never happens, so we have case A when we guess correctly initially (1/3 chance), and case C when we guess incorrectly initially.
It is important to note that the reason changing the rules and eliminating case B doesn't cause the probability of case A to go up is that the probability of case A doesn't depend at all on the host's action.
For example, let's go back to the evil game above and assume that our host doesn't like us much at all and therefore if the host can X out the door with the prize on it, he will do so 2/3 of the time. Then, the distributions become:
case A: (1/3 chance) win on stay.
case B: (2/3 * 2/3 == 4/9 chance) always lose.
case C: (2/3 * 1/3 == 1/9 chance) win on switch.
Then, we have that if we stay we will win 1/3 of the time, whereas if we switch we will win only 1/9 of the time.
It is useful to work with other Monty Hall variants (for example, if the host prefers to open the left-most door you didn't choose when given a choice, or a game where the host may choose to open the door which you initially chose, bumping your choice to the next door) and to then check one's reasoning with a math prof. or computer simulation. Going through exercises like this can really help one appreciate some of probability's finer points.
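An exact enumeration of the variants worked through above (added example code, not part of the post; the door indices and the host-policy function names are my own). It also covers the left-most-door host suggested as an exercise; note that for the evil host the enumeration gives 2/3 × 1/3 = 2/9 for the switch strategy.

```python
from fractions import Fraction

DOORS = (0, 1, 2)


def host_random(prize, pick):
    """Diversion game from the post: the host X-es out one of the two
    unpicked doors at random, regardless of what is behind it."""
    others = [d for d in DOORS if d != pick]
    return [(d, Fraction(1, 2)) for d in others]


def host_monty(prize, pick):
    """Regular Monty Hall: the host only ever X-es out an empty door,
    choosing at random when both unpicked doors are empty."""
    empties = [d for d in DOORS if d != pick and d != prize]
    return [(d, Fraction(1, len(empties))) for d in empties]


def host_leftmost(prize, pick):
    """Variant suggested in the post: an honest host who, when he has a
    choice of two empty doors, always opens the left-most one."""
    empties = [d for d in DOORS if d != pick and d != prize]
    return [(min(empties), Fraction(1))]


def host_evil(prize, pick):
    """The 'evil' host: when the prize is behind an unpicked door he
    X-es it out 2/3 of the time; otherwise he chooses at random."""
    others = [d for d in DOORS if d != pick]
    if prize in others:
        empty = next(d for d in others if d != prize)
        return [(prize, Fraction(2, 3)), (empty, Fraction(1, 3))]
    return [(d, Fraction(1, 2)) for d in others]


def win_probabilities(host):
    """Exact P(win | stay), P(win | switch) for a given host policy.

    Every (prize door, initial pick, host action) triple is enumerated
    with its probability instead of being sampled, so the result is exact
    and the post's cases A/B/C can be read off directly.
    """
    stay = switch = Fraction(0)
    for prize in DOORS:                   # prize uniformly distributed
        for pick in DOORS:                # first pick, also uniform
            for marked, p_mark in host(prize, pick):
                weight = Fraction(1, 9) * p_mark
                if marked == prize:       # case B: prize X-ed out, lose either way
                    continue
                remaining = next(d for d in DOORS if d not in (pick, marked))
                if pick == prize:         # case A: staying wins
                    stay += weight
                elif remaining == prize:  # case C: switching wins
                    switch += weight
    return stay, switch


if __name__ == "__main__":
    for name, host in [("random host", host_random), ("Monty Hall", host_monty),
                       ("left-most host", host_leftmost), ("evil host", host_evil)]:
        s, w = win_probabilities(host)
        print(f"{name:15s} stay={s}  switch={w}")
```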
Or am I missing something? I seem to have a strategy that will work for all odd-numbers-of-players games, with a failure only when all the hats are the same color. I assume that when the article talked about the optimal strategy being unknown it was referring to the case of an even number of players.
The strategy is as follows:
Look at the other hats, and see whether there's one color that's a minority (if you see a tie, keep your mouth shut; i.e. always pass). Then, if you see m hats showing the minority, pass until round m+1 at which point you guess that your hat has the minority color.
An example with nine players. Say players p1 through p6 have R hats, and p7, p8 and p9 have B hats:
Walking in, players p1 through p6 each see five R hats and three B hats, and so decide that if the game lasts to round four, they will guess "B".
Players p7, p8, and p9 each see six R hats and two B hats, and so decide to guess "B" in round three, if the game gets that far.
Then, everyone passes for rounds one and two. In round three, the three players with B hats all guess "B", and the game is over (with the team having won).
This strategy of course results in losing the game if all the hats are the same color, or if there are an even number of players and the number of R hats equals the number of B hats.
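The strategy above run on the nine-player example, as added code (not from the post). The round-ending rules it assumes are stated in the comments, since the post does not spell them out; it also checks every assignment that uses both colours for 3 to 9 players.

```python
from itertools import product


def plan(hats, me):
    """The post's strategy for player `me`: look at the other hats; on a
    tie always pass (None); otherwise, with m hats of the minority colour
    in view, plan to guess that colour in round m + 1."""
    seen = [h for i, h in enumerate(hats) if i != me]
    r, b = seen.count("R"), seen.count("B")
    if r == b:
        return None
    minority, m = ("R", r) if r < b else ("B", b)
    return m + 1, minority


def play(hats):
    """Run the round-based game. Assumed rules (not spelled out in the
    post): the game ends in the first round in which anyone speaks, and
    the team wins iff every guess made in that round is correct.
    Returns (won, round); round is None if nobody ever speaks."""
    plans = [plan(hats, i) for i in range(len(hats))]
    for rnd in range(1, len(hats) + 1):
        speakers = [i for i, p in enumerate(plans) if p and p[0] == rnd]
        if speakers:
            return all(plans[i][1] == hats[i] for i in speakers), rnd
    return False, None


def wins_all_mixed(n):
    """True if the strategy wins every n-player assignment using both colours."""
    return all(play(h)[0] for h in product("RB", repeat=n) if len(set(h)) > 1)


if __name__ == "__main__":
    print(play("RRRRRRBBB"))                       # the post's nine-player example
    print(play("RRRRRRRRR"))                       # all hats the same colour
    print([wins_all_mixed(n) for n in (3, 5, 7, 9)])
```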
Though I suppose the immediate parent of this post is more wrong, in a sense.
You don't need to own the binary to have a claim to the source - you need to own a copy of a written offer to give you the source.
The person selling the binaries either has to give you such an offer (which you may then give to as many people as you wish), or has to give you the source.
In the hypothetical case imagined above, ddstreet would have to either: 1) buy a binary and source bundle, or 2) buy a binary, with which the distributor would have to include an offer to give the source at cost, or 3) ask someone else who bought from the producer for either their copy of the source or a copy of the written offer for the source.
Just because I have the binaries, though, doesn't give me a right to demand the source at cost - say that Geeko, Inc. made a customized version of Gnome and sold it on CD sets which always included both a binary CD and a source CD. (which they sold for, say, $100) Now, suppose that they offer a replacement source CD for $99. This is perfectly legal - because they always distribute the source with the binary, they are under no obligation to replace the source CDs of those customers who lose/misplace them.
Now what Geeko can't do is stop some other company from copying the CDs and selling them at $10/set, pocketing all the money themselves. This is one reason we don't usually see boxed linux distros selling for the same price as, say, Win2000 server. However, if Geeko could convince people to buy their CDs at the high price they were charging, that would be perfectly legal.
I am pretty sure that the GPL gives the owner the freedom to do whatever they want with the binary and the source, except use a different license (or deny the source to someone else who has the binary)
Actually, it lets you do more than that. Unless and until you actually distribute something, you have no obligations whatsoever under the GPL. I have no obligation to share with you the source of dpkg simply because I have a copy of the source and you have a copy of the binary - I don't distribute the binary myself; even if I were to distribute it, by giving away my Debian CD, I wouldn't be doing so at a profit and would be passing along the written offer from LSL (where I ordered my CDs - LSL prints the offer in small type on the front of the CD).
The only time you are prohibited from copying and distributing a binary produced from GPLed code is when all of the following are true:
You are not distributing the source (with GPL licensing) at the same time, and
You do not include a binding offer to give anyone who asks the source (and to give it to the asker under the GPL) for only a nominal fee, and
You are distributing the binary at profit or you fail to pass along someone else's offer to make the source available.
Anything else - distributing with an offer to send the source, distributing not for profit with somebody else's offer attached, or distributing with the source code itself - is perfectly legal. Even this pricing scheme is perfectly legal, so long as either they don't charge more than bandwidth costs for the source code of the GPLed portions of their distro, or include the source code when you download the binary CD images.
I should note that this is only a summary, and you really should go read the GPL yourself. Note especially the clause that defines what source code is, and the clause about aggregation on the same piece of media.
If by "debian maintainers" mailing list you mean debian-devel, remember that that's a very high-traffic list and that you're likely to get both yes and no to just about any question, with consensus emerging only after many posts on all sides.
For what it's worth, the installation scripts for the apt-move package were written in a strictly posix-compliant sh and wouldn't (due to a minor deficiency in bash's interpretation of the posix spec) install if your /bin/sh was bash. Only recently (probably after getting sick of the weekly bug report + patch telling him how to "fix" his script) did the author make it possible for apt-move to be installed on the vast majority of Debian machines.
Incidentally, bashisms are allowed if and only if the script starts with #!/bin/bash - though maintainer scripts are free to assume that bash is always installed on a debian system, they are not free to assume that /bin/sh is /bin/bash, so if you still have those old bashism bugs, submit them.
Using that key sequence to bring up a login dialog effectively prevents the "false login screen" style of password sniffers. If one of those were running, you'd press C-A-D to login, and get the wrong screen, so immediately you'd know something was wrong.
I feel that I should say something strongly worded and possibly obscene, but I really bear you personally no ill will; this misunderstanding is easy enough to make (once).
The fact is, though, that this is simply and utterly as untrue as saying that rot13 is encryption. For the actual MS documentation on how to write a logon replacement window, see the msdn site. For some preliminary information on a windows NT rootkit observed in the wild which intercepts the login screen, see the archives of the incidents mailing list. (Some of the followup posts are very helpful; use the thread index)
One thing I do hope is that Microsoft can be forced to admit that the little helpful info tip they give on Win2k logon screens about keeping your password secure with Ctrl-Alt-Del is about as close to a total lie as is possible.
Well, someone already beat me to it in pointing out that the patent was filed in 1997 (A suggestion to rob et al: on future stupid-patent stories, please give the filing date of the patent - it's not as if delphion makes it hard to look up.)
it's just more of the "if we don't talk about it, it'll go away" mentality to which our nation's school children are subjected everyday
Right sentiment, but wrong source. While I agree that in many ways America's schoolchildren are treated with this as an implicit assumption, this project would have caused a similar response (either being pulled or with people asking that it be pulled) regardless of forum. Americans cannot talk about race relations, anywhere; we don't want to admit that there is any current racial prejudice and some of us would like to conclude that America has never had serious racial inequities. (Ever hear the phrase "past injustices" used to explain away current disparities and why nothing should be done about them? It's part of the same cop-out.)
I sometimes wonder if America couldn't use a "truth commission" à la South Africa, not that it necessarily has been a great boon to interracial relations there either.
While I'll admit that the objectivity of the editors at slashdot is often disappointing, you're confusing two issues here.
There is nothing in the article (nor even the slashdot summary) to suggest that this site was shut down because the owners of that address were engaged in IP sharing on that address. Rather, the site was apparently shut down because the owners were running a website that had a petition opposing this policy. (Ok, so the official reason from the telco is that the contents of the site were slanderous to said telco and its employees, and that the site in question had "deviated from its original purpose")
It's rather similar to the difference between the police raiding a marijuana grower and shutting down a website advocating legalizing marijuana.
We should compare notes. I've been getting loads of just the probes you mention (and a few others: port 1243 (SubSeven again), udp port 22 (pcAnywhere), and I'm reasonably certain my logs point to at least one person running queso on me).
We should compare notes at some point. (or I could just go set up a web page listing what people are running against me and have people comment on that)
I found this device, by the way, by searching the search engine at LinuxDevices.com for "firewall".
Google has for a while had on their website javascript code that could be put into a button to do just that in Netscape browsers, and if you download the google toolbar extension for ie, highlighting text and then doing a right-click brings up a "Google Search" option.
The default assumption of overwhelming cultural relativity ("who the fuck are you to decide what is backwards and what is not") is the same philosophy that would allow, for example, the government of China to say "Human rights are a western concept - in China there is no need for freedom of speech". While it would be unreasonable to expect another culture to be identical to that of the US, expecting all aspects of non-American cultures to be beyond reproach is silly. (After all, there are so many things screwed up with American culture that I can't imagine that other cultures could be perfect)
It is true that ignorant cross-cultural comparisons often lead to prejudicial stereotypes; I, for example, would be unsuited to make general statements about Japanese culture, in the business place or elsewhere. However, I see no evidence that this poster is speaking from a position of ignorance or shows a marked lack of experience with the Japanese workplace.
Perhaps you know something which would contradict their observations. If so, please share that - calling all Americans cultural bigots is like shooting fish in a barrel, only without the tasty fish afterwards.
Well, at least someone is doing their job properly
Yes, but someone else clearly wasn't. What on earth was anyone doing running OpenSSH 2.2 in the middle of May? Were they doing something else so as to eliminate the known remote root exploit prior to OpenSSH 2.3.0? (said exploit having been discovered in February) If not, then they were almost asking for trouble.
This is the part that puzzles me. I'm having trouble reconciling the use of such good security practices (nightly audits that are more than just window dressing) with making the almost newbie mistake of not updating known vulnerable software. What happened here?
One thing that really annoys me is that from the title of the law, you really have no idea what the law is about. Go ahead, ask anyone what "Children's online protection act" means. Likely as not, they'll think that it has something to do with:
Note that none of these have anything to do with preventing children from seeing/accessing pornography.
Now, I realize that there is almost no way to restrict what cutesy title a lawmaker will place on his own bill; any scheme I can think of has great peripheral damage almost instantly. However, it may be that with a good enough name the media can be convinced to call this law by a different name.
Obviously, flame names like "Unconstitutional act number 23 of 1998" aren't going to work. So we need something like "Online Age Verification Act of 1998", or "Children's Internet Access Restriction Act". We need a name that makes it obvious to parents that with this law in place the government decides what is appropriate for children to view, and that the law is about restricting access by children to certain sets of images or text.
So in the interest of coming up with a catchy yet accurate name, what are the aspects of this law besides penalizing people who put up porn (as defined by some prosecutor seeking re-election) and don't cover it with a veneer of age verification? Does the law allow parents to override this consideration? (That is, could I allow my child to see certain sites, or would any provider with such an allow-parental-override system also face prosecution?) Does this law have other effects that aren't at issue with this constitutional challenge?
... then it's something that's on the books but not enforced unless you have a parent push or have a couple of teachers push the district (as happened in my school district when I was in 10th grade - some teachers managed to set up a gifted program in the high school that some people found worthwhile).
Usually, in the absence of a real concerted program, what happens in high schools is that IEPs are filled out by using a form letter with some suitably generic text that basically just says "we gave the kid a chance to take honors classes"; these forms are then filed away somewhere in case the state wants to check the district's paperwork. It may even be that no one in the district is aware of this requirement except the one secretary who files the form letters each year.
However, if you can write a decent proposal (won't help your particular situation much, but maybe some high school junior is reading this), you can usually mention this requirement to enough people to let you do an independent study instead of a regular class. (I was able to bargain out one period a day, a promotional copy of an AP physics text they had lying around, and access to a storage closet with a desk and lamp in it - it sure beat out the "honors" 12th grade physics that just barely got to angular momentum by the end of the year)
Don't kid yourself, though - it's not as though the school actually tries to meet the needs of the bottom 2% either. My district ran a program for the mentally retarded students from several local districts, and they basically just warehoused them.
It's not just who holds the purse strings that matters - what matters is what the University considers important. If it's money, and if enough money comes from the students, then the University might hold off for monetary reasons. However, money isn't always top on the minds of University administrators - often it's the University's image.
As an example, I was a math grad. student at Johns Hopkins. One of the things that had come down from the University administration a few years before I got there was that we were to hold the line against grade inflation. The University as a whole has made this a priority (i.e. that Hopkins grades mean something significant), and one of the consequences is that we never had to worry about a lack of administration support when it came to punishing cheaters. The image of Hopkins had been tied by the administration to the idea that grades received at Hopkins represent what they ought to.
Not that this was a completely effective deterrent. It always boggled my mind, when grading tests, how many people would cheat off their friends when their friends also had no clue what they were doing. (We usually graded tests by giving each TA one or two problems, and that TA would then grade those problems across all sections - with fewer than 200 students per class, it's pretty easy to pick up on something you've seen before) I mean, if you're going to cheat, wouldn't you at least pick someone who knew their stuff to cheat from? I'll wager that upwards of 70% of the time the cheater was cheating off someone else who had no clue. I will admit that the standard punishment was usually simply giving the student a 0 on the test, which almost inevitably led to an F in the course. I don't think we ever found sufficiently flagrant violations to warrant referring the matter upstream. (Pretty obvious acts of desperation, mostly) I also don't remember ever catching anyone who wasn't a freshman.
Compare this to the conventional wisdom about a certain other institution that apparently values above all its reputation of having the best of the best as its student body, and is seriously hostile to anything that might make a student look bad. (This is mostly mere grapevine gossip, but backed up with horror stories from someone who TAed there, and some anecdotal evidence from people who've been undergrads there) Presumably an institution with less cultural capital would want to prevent its grades from becoming meaningless, but that place has a different set of priorities.
But you had to get the right cartridge - that "speech editor" cartridge that came with the Speech Synthesizer module only had a limited vocabulary.
What you really needed was the cartridge "Terminal Emulator II"; then it was possible to write programs in TI BASIC that just fed the speech synthesizer bits of phonetics out of which you got speech. Actually, the phonetics were fed to the TE2 cartridge, which handed you back a huge list of numbers to feed to the synthesizer, and then your program had to feed the result to the synthesizer. I suppose that it would be possible to take the list of numbers, save them off somewhere, and then have BASIC programs that could swear even without the TE2 cartridge, but that never came up. Really, getting the TI to say "you asshole" once was enough.
The cover of the TE2 book even showed a little caption balloon next to the computer that read "I can say anything". And it could, sort of, in that stilted way that it had.
Indeed - if we are to believe a tally of the number of entries in each category given on the security focus page you mention, it would seem that "input validation" is the most common type of security error.
Looking at those vulnerabilities though leads me to conclude that "input validation" is too broad a category - unfortunately, I'm not sure how to divide it up.
If you don't mind throwing compatibility with pre-6 netscape browsers and pre-5 ie browsers out the window, it's quite possible.
Okay, I know I'm plugging my own resume, but I found that I could do CSS tricks with http://www.math.jhu.edu/~martind/resume.html to make certain that my resume printed just the way I wanted it to from ie 5.x browsers (which were the most common in the HR departments I was targeting). Remember that a resume's purpose is to get you past the HR drones; they will either print it out and hand (or fax) it to the person you would actually be working for, or ignore it entirely. In a few very rare cases, I've seen HR departments clued enough to send resumes as email attachments, but not before first converting them to Word and trashing all the formatting anyway. Therefore, ie5-specific CSS in a resume isn't that big a deal.
Not only that, but it wasn't hard to include the necessary extra xml-foo so that office 2000 would load the html as a word doc. with all the borders, etc. set correctly. This made keeping the html, pdf, plain text, and doc formats of my resume in sync quite easy - I'd update the html from anywhere, and use lynx -dump to give me the plain text. I'd then walk over to a windows machine that had the full office 2000 suite on it, and load that page up in ie5. Print to file from ie5 to generate postscript, and also load up http://math.jhu.edu/~martind/resume2k.doc in Word (that file's just a symbolic link to the html). Save the Word doc. in office 95 format and ftp/scp the postscript and '95 doc format back to the server. Then use ps2pdf on the server to turn the postscript version into pdf.
It got a bit more complicated than that for a while - inserting pdfmark stuff into the postscript so that hyperlinks worked in the pdf file - but basically, that's it. (Maintenance of the multiple separate versions has lagged since I landed a job back in August - I only generated the most recent files a few months ago to get recruiters off my back)
> What am I missing here people?
The basic idea you're missing is that when you made your initial pick you chose from a different set of doors than you're presented with when you get to do your switch-or-stay choice.
First of all, clear your mind of the notion that simply because there are two options, both of them must be equally likely to lead to reward. The real world rarely works like that, and in fact you should never assume that even theoretical problems work that way unless it's so stated. As a trivial example, suppose that we play a game in which we walk up to a random person on the street and ask them for their signature. Would you like to win when they sign with their right hand or with their left?
So what is stated: the prize is behind a randomly chosen door, and before the game is equally likely to be behind any one of the three. The host chooses randomly when he can. You are in control of your own strategy.
Now, let's take a diversion and play a game similar to Monty Hall, but with one important difference: the host chooses one of the two doors regardless of what may be behind it and just places a big X on the door marking it off-limits. You can then switch or not. Now, then, the universes play out this way:
case A: (1/3 chance) You choose initially the correct door: no matter which door the host Xes out, you lose if you switch and win if you stay.
case B: (1/3 chance) You initially choose incorrectly and the host Xes out the door with the prize. No matter what you do, you lose. Sometimes life is like that.
case C: (1/3 chance) You initially choose incorrectly and the host Xes out the other empty door. You win if you switch, but lose if you stay.
It is important to note that the probabilities for the different cases are NOT computed by simply using 1/3 since we have three cases, but rather from the statement of the problem: we _know_ that the location of the prize is distributed uniformly, and therefore have a 1/3 chance of guessing correctly initially (case A). In the 2/3 of the time that we guess incorrectly initially, half of the time the host will X out the prize door (so 2/3 * 1/2 == 1/3 chance for case B) and half the time the host will X out another empty door (2/3 * 1/2 == 1/3 chance for case C)
So we see that the strategy analysis works out like this: if you switch, you win 1/3 of the time and lose 2/3 of the time. If you stay, same odds. Therefore, there's no advantage to either strategy.
Now, how does this differ from the regular Monty Hall game? The difference is that the host doesn't choose randomly, and only Xes out a door without the prize. This then redistributes the probabilities between cases B and C. Specifically, case B never happens, so we have case A when we guess correctly initially (1/3 chance), and case C when we guess incorrectly initially.
It is important to note that the reason changing the rules and eliminating case B doesn't cause the probability of case A to go up is that the probability of case A doesn't depend at all on the host's action.
For example, let's go back to the evil game above and assume that our host doesn't like us much at all and therefore if the host can X out the door with the prize on it, he will do so 2/3 of the time. Then, the distributions become:
case A: (1/3 chance) win on stay.
case B: (2/3 * 2/3 == 4/9 chance) always lose.
case C: (2/3 * 1/3 == 1/9 chance) win on switch.
Then, we have that if we stay we will win 1/3 of the time, whereas if we switch we will win only 1/9 of the time.
It is useful to work with other Monty Hall variants (for example, if the host prefers to open the left-most door you didn't choose when given a choice, or a game where the host may choose to open the door which you initially chose, bumping your choice to the next door) and to then check one's reasoning with a math prof. or computer simulation. Going through exercises like this can really help one appreciate some of probability's finer points.
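The three variants walked through above (standard Monty Hall, the host who X-es out a door at random, and the host who X-es out the prize 2/3 of the time when he can), as an added example that is not part of the original post. The door numbering, the fixed initial pick at door 0 and the `host_opens_prize` parameter are the example's own conventions; everything else follows the case analysis given in the post. The tree is weighted with exact fractions rather than simulated, so it also doubles as the "check with a computer" step suggested above.

```python
"""Exact win probabilities for the Monty Hall variants discussed above.

Added example, not code from the original post. Doors are numbered 0, 1, 2
and, by symmetry, the player's initial pick is fixed at door 0. The one
knob is how the host behaves when he *can* reveal the prize, i.e. when the
initial pick was wrong (`host_opens_prize` is that probability):

    0     standard Monty Hall (the host never reveals the prize)
    1/2   the "X out a door at random" game
    2/3   the "evil host" game

When the initial pick is right the host is assumed to pick uniformly between
the two empty doors. Every branch of the game tree is weighted with a
Fraction, so the answers are exact rather than simulated.
"""
from fractions import Fraction

DOORS = (0, 1, 2)


def remaining_door(pick, opened):
    """The single door that is neither the player's pick nor the opened one."""
    return next(d for d in DOORS if d not in (pick, opened))


def outcomes(host_opens_prize):
    """Yield (weight, stay_wins, switch_wins) for each branch of the game tree."""
    p = Fraction(host_opens_prize)
    pick = 0
    for prize in DOORS:
        weight = Fraction(1, 3)  # prize placed uniformly, as the problem states
        others = [d for d in DOORS if d != pick]
        if prize == pick:
            # Case A: either empty door may be X-ed out; staying always wins.
            for opened in others:
                yield weight / 2, True, remaining_door(pick, opened) == prize
        else:
            empty = next(d for d in others if d != prize)
            # Case B: the host X-es out the prize door; both strategies lose.
            yield weight * p, False, remaining_door(pick, prize) == prize
            # Case C: the host X-es out the other empty door; switching wins.
            yield weight * (1 - p), False, remaining_door(pick, empty) == prize


def win_probabilities(host_opens_prize):
    """Return (P(win | stay), P(win | switch)) as exact Fractions."""
    stay = switch = Fraction(0)
    for weight, stay_wins, switch_wins in outcomes(host_opens_prize):
        if stay_wins:
            stay += weight
        if switch_wins:
            switch += weight
    return stay, switch


if __name__ == "__main__":
    for label, p in (("standard", 0), ("random host", "1/2"), ("evil host", "2/3")):
        stay, switch = win_probabilities(p)
        print(f"{label:12s} stay: {stay}  switch: {switch}")
```

Running it gives stay 1/3, switch 2/3 for the standard game and 1/3, 1/3 for the random host. For the evil host the exact figures are stay 1/3 and switch 2/9 (case B carries 2/3 * 2/3 = 4/9, case C the remaining 2/3 * 1/3 = 2/9, and the three cases sum to 1). Note that P(win | stay) is the same 1/3 in every variant, which is the point made above: the host's policy only moves probability between cases B and C.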
Or am I missing something? I seem to have a strategy that will work for all odd-numbers-of-players games, with a failure only when all the hats are the same color. I assume that when the article talked about the optimal strategy being unknown it was referring to the case of an even number of players.
The strategy is as follows:
Look at the other hats, and see whether there's one color that's a minority (if you see a tie, keep your mouth shut; i.e. always pass). Then, if you see m hats showing the minority, pass until round m+1 at which point you guess that your hat has the minority color.
An example with nine players. Say players p1 through p6 have R hats, and p7, p8 and p9 have B hats:
Walking in, players p1 through p6 each see five R hats and three B hats, and so decide that if the game lasts to round four, they will guess "B".
Players p7, p8, and p9 each see six R hats and two B hats, and so decide to guess "B" in round three, if the game gets that far.
Then, everyone passes for rounds one and two. In round three, the three players with B hats all guess "B", and the game is over (with the team having won).
This strategy of course results in losing the game if all the hats are the same color, or if there are an even number of players and the number of R hats equals the number of B hats.
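A brute-force check of the strategy above, as an added example that is not part of the original post. The rules of the round-based game are assumed here (the article's wording is not quoted on this page): every player sees all hats but their own, in each round every player simultaneously passes or guesses their own colour, the game ends in the first round in which anyone guesses, and the team wins if and only if every guess made in that round is correct. The function and variable names are the example's own.

```python
"""Brute-force check of the hat strategy above for an odd number of players.

Added example, not from the original post. Assumed rules (the article's
exact wording is not on this page): every player sees all hats but their
own; play proceeds in numbered rounds; in each round every player
simultaneously either passes or guesses their own colour; the game ends in
the first round in which anyone guesses, and the team wins iff every guess
made in that round is correct. The strategy is the one described above:
count the other hats; if one colour is in the minority, guess that colour in
round m+1, where m is the number of minority hats you see; if you see a tie,
pass forever.
"""
from itertools import product

COLOURS = "RB"


def plan(seen):
    """Strategy for one player: (round_to_guess, colour), or None to always pass."""
    r, b = seen.count("R"), seen.count("B")
    if r == b:
        return None
    minority, m = ("R", r) if r < b else ("B", b)
    return m + 1, minority


def play(hats):
    """Play one game; hats is a string such as "RRRRRRBBB".

    Returns (team_won, round_in_which_the_game_ended); the round is None if
    nobody ever guesses."""
    plans = [plan(hats[:i] + hats[i + 1:]) for i in range(len(hats))]
    speaking_rounds = [p[0] for p in plans if p is not None]
    if not speaking_rounds:
        return False, None  # everyone passes forever
    ending_round = min(speaking_rounds)
    guesses = [(hats[i], p[1]) for i, p in enumerate(plans)
               if p is not None and p[0] == ending_round]
    return all(actual == guessed for actual, guessed in guesses), ending_round


def count_wins(n):
    """Number of the 2**n hat assignments that the strategy wins for n players."""
    return sum(play("".join(h))[0] for h in product(COLOURS, repeat=n))


if __name__ == "__main__":
    print(play("RRRRRRBBB"))  # the nine-player example from the post
    for n in (3, 5, 7, 9):
        print(n, "players:", count_wins(n), "of", 2 ** n, "assignments won")
```

For the nine-player example the game ends in round three with the three B-hat players guessing correctly, as described. Across all 2^n assignments with n odd, the only losses are the two all-one-colour cases (everyone sees zero of the "minority" colour and guesses it in round one), so `count_wins(n)` returns 2^n - 2. The R-hat players never get to speak: they see one more minority hat than the B-hat players do, so their planned round is always one later, or they see a tie and pass.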
Though I suppose the immediate parent of this post is more wrong, in a sense.
You don't need to own the binary to have a claim to the source - you need to own a copy of a written offer to give you the source.
The person selling the binaries either has to give you such an offer (which you may then give to as many people as you wish), or has to give you the source.
In the hypothetical case imagined above, ddstreet would have to either: 1) buy a binary and source bundle, or 2) buy a binary, with which the distributor would have to include an offer to give the source at cost, or 3) ask someone else who bought from the producer for either their copy of the source or a copy of the written offer for the source.
Just because I have the binaries, though, doesn't give me a right to demand the source at cost - say that Geeko, Inc. made a customized version of Gnome and sold it on CD sets which always included both a binary CD and a source CD. (which they sold for, say, $100) Now, suppose that they offer a replacement source CD for $99. This is perfectly legal - because they always distribute the source with the binary, they are under no obligation to replace the source CDs of those customers who lose/misplace them.
Now what Geeko can't do is stop some other company from copying the CDs and selling them at $10/set, pocketing all the money themselves. This is one reason we don't usually see boxed linux distros selling for the same price as, say, Win2000 server. However, if Geeko could convince people to buy their CDs at the high price they were charging, that would be perfectly legal.
Actually, it lets you do more than that. Unless and until you actually distribute something, you have no obligations whatsoever under the GPL. I have no obligation to share with you the source of dpkg simply because I have a copy of the source and you have a copy of the binary - I don't distribute the binary myself; even if I were to distribute it, by giving away my Debian CD, I wouldn't be doing so at a profit and would be passing along the written offer from LSL (where I ordered my CDs - LSL prints the offer in small type on the front of the CD).
The only time you are prohibited from copying and distributing a binary produced from GPLed code is when all of the following are true:
Anything else - distributing with an offer to send the source, distributing not for profit with somebody else's offer attached, or distributing with the source code itself - is perfectly legal. Even this pricing scheme is perfectly legal, so long as either they don't charge more than bandwidth costs for the source code of the GPLed portions of their distro, or include the source code when you download the binary CD images.
I should note that this is only a summary, and you really should go read the GPL yourself. Note especially the clause that defines what source code is, and the clause about aggregation on the same piece of media.
If by "debian maintainers" mailing list you mean debian-devel, remember that that's a very high-traffic list and that you're likely to get both yes and no to just about any question, with consensus emerging only after many posts on all sides.
/bin/sh was bash. Only recently (probably after getting sick of the weekly bug report + patch telling him how to "fix" his script) did the author make it possible for apt-move to be installed on the vast majority of Debian machines.
/bin/sh is /bin/bash, so if you still have those old bashism bugs, submit them.
For what it's worth, the installation scripts for the apt-move package were written in a strictly posix-compliant sh and wouldn't (due to a minor deficiency in bash's interpretation of the posix spec) install if your
Incidentally, bashisms are allowed if and only if the script starts with #!/bin/bash - though maintainer scripts are free to assume that bash is always installed on a debian system, they are not free to assume that
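The "bashisms only under #!/bin/bash" rule stated above, turned into a small shebang-gated lint, as an added example that is not part of the original posts and not Debian's own tooling (Debian's real check is `checkbashisms` from devscripts, whose pattern list is much larger and which handles quoting properly). The pattern list, the `check_script` function and the sample postinst fragments are all constructed for this example.

```python
"""Toy shebang-gated bashism check for Debian-style maintainer scripts.

Added example, not Debian's own tooling: the real check is `checkbashisms`
from devscripts, whose pattern list is far larger and smarter about quoting.
Policy encoded here, as stated above: a script may use bash-only constructs
only if its first line is "#!/bin/bash"; a "#!/bin/sh" script must stay
POSIX. The patterns are a small, well-known subset of bash-only syntax and
the sample scripts are constructed for the example.
"""
import re

# (pattern, description); each pattern is applied to one line at a time.
BASHISMS = [
    (re.compile(r"\[\["), "[[ ... ]] test syntax"),
    (re.compile(r"^\s*function\s+\w+"), "'function' keyword"),
    (re.compile(r"^\s*source\s"), "'source' instead of '.'"),
    (re.compile(r"^\s*(declare|typeset)\s"), "declare/typeset"),
    (re.compile(r"\$'"), "$'...' quoting"),
    (re.compile(r"\becho\s+-e\b"), "echo -e"),
    (re.compile(r"\{\w+\.\.\w+\}"), "brace range expansion"),
    (re.compile(r"^\s*\w+=\("), "array assignment"),
]


def check_script(text):
    """Return [(line_number, description), ...] for a script's text.

    Bashisms are reported only when the shebang is not #!/bin/bash; full-line
    comments are skipped. Returns [] for a script that is fine under the
    policy, including an empty one.
    """
    lines = text.splitlines()
    shebang = lines[0] if lines else ""
    if re.match(r"#!\s*/bin/bash\b", shebang):
        return []  # bashisms are permitted here
    hits = []
    for number, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        for pattern, description in BASHISMS:
            if pattern.search(line):
                hits.append((number, description))
    return hits


# Constructed sample postinst fragments.
SH_WITH_BASHISMS = """#!/bin/sh
set -e
if [[ "$1" == configure ]]; then
    echo -e "configured"
fi
"""
BASH_WITH_BASHISMS = "#!/bin/bash" + SH_WITH_BASHISMS[len("#!/bin/sh"):]
POSIX_SH = """#!/bin/sh
set -e
if [ "$1" = configure ]; then
    echo configured
fi
"""

if __name__ == "__main__":
    for name, script in (("sh+bashisms", SH_WITH_BASHISMS),
                         ("bash+bashisms", BASH_WITH_BASHISMS),
                         ("posix sh", POSIX_SH)):
        print(name, check_script(script))
```

The first sample is the usual bug report described above: a `#!/bin/sh` script that only works when /bin/sh happens to be bash. The same body under `#!/bin/bash` passes, because the policy is about the interpreter the script declares, not about what constructs it uses. A real checker also has to cope with heredocs, strings and `$(...)` nesting; this one deliberately does not.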
It was written:
I feel that I should say something strongly worded and possibly obscene, but I really bear you personally no ill will; this misunderstanding is easy enough to make (once).
The fact is, though, that this is simply and utterly as untrue as saying that rot13 is encryption. For the actual MS documentation on how to write a logon replacement window, see the msdn site. For some preliminary information on a windows NT rootkit observed in the wild which intercepts the login screen, see the archives of the incidents mailing list. (Some of the followup posts are very helpful; use the thread index)
One thing I do hope is that Microsoft can be forced to admit that the little helpful info tip they give on Win2k logon screens about keeping your password secure with Ctrl-Alt-Del is about as close to a total lie as is possible.
Well, someone already beat me to it in pointing out that the patent was filed in 1997 (A suggestion to rob et al: on future stupid-patent stories, please give the filing date of the patent - it's not as if delphion makes it hard to look up.)
Oh, and here's the blatant karma whoring: the patent (all seven claims) at delphion.
it's just more of the "if we don't talk about it, it'll go away" mentality to which our nation's school children are subjected every day
Right sentiment, but wrong source. While I agree that in many ways America's schoolchildren are treated with this as an implicit assumption, this project would have caused a similar response (either being pulled or with people asking that it be pulled) regardless of forum. Americans cannot talk about race relations, anywhere; we don't want to admit that there is any current racial prejudice and some of us would like to conclude that America has never had serious racial inequities. (Ever hear the phrase "past injustices" used to explain away current disparities and why nothing should be done about them? It's part of the same cop-out.)
I sometimes wonder if America couldn't use a "truth commission" à la South Africa, not that it necessarily has been a great boon to interracial relations there either.
While I'll admit that the objectivity of the editors at slashdot is often disappointing, you're confusing two issues here.
There is nothing in the article (nor even the slashdot summary) to suggest that this site was shut down because the owners of that address were engaged in IP sharing on that address. Rather, the site was apparently shut down because the owners were running a website that had a petition opposing this policy. (Ok, so the official reason from the telco is that the contents of the site were slanderous to said telco and its employees, and that the site in question had "deviated from its original purpose")
It's rather similar to the difference between the police raiding a marijuana grower and shutting down a website advocating legalizing marijuana.
This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.
It's basically a bunch of existing tools snapped together by some brute-force driver scripts.
My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt. Fifteen minutes of fame, here I come!
We should compare notes. I've been getting loads of just the probes you mention (and a few others: port 1243 (SubSeven again), udp port 22 (pcAnywhere), and I'm reasonably certain my logs point to at least one person running queso on me).
We should compare notes at some point. (or I could just go set up a web page listing what people are running against me and have people comment on that)