Slashdot Mirror


User: fizbin

fizbin's activity in the archive.

Stories
0
Comments
488

Comments · 488

  1. Re:Scientology? on The Life of a Spammer · · Score: 1

    Would it be possible to hire a spammer to offer xenu pamphlets (or other stuff from www.xenu.net) for sale?

    The only real problem I see with this is that the xenu.net people would acquire a reputation as spammers, which would be most unfortunate. (well, ok, so that's not the *only* downside, but it is a major one)

  2. Why this faith in magnet schools? on We Are All Nerds Now · · Score: 1
    That is one reason I intend to leave before my kids become school age and move to a state that actually understand what a magnet school is, and what it is for.
    Why? Why depend on the state, and specifically on state employees that are notoriously low-paid and given generally inadequate resources, to do for your children what parents have been doing for their own children for centuries?

    Do you really think they're going to learn something important in that mandatory middle school Home Ec. course that will both be useful later on in life and that would go unlearned were it not for that hour in the room with 30 dangerously half-broken sewing machines?

    Home schooling is an option in every state (though some states make it more difficult to do than others - have you considered New Jersey?), and, contrary to popular mythology, is not generally a right-wing-fundamentalist-in-a-bunker option. It's not even necessarily that hard or expensive - you're already homeschooling your kids for the first five or so years of their life anyway. Free your children from the vicious cliques that develop at almost any school (yes, even magnet schools) and at the same time give them a better education than they're likely to get otherwise.

    As a starting point, try googling on "unschooling". If you're looking for a dead tree starting point, track down a copy of "The Teenage Liberation Handbook".

    Note: I don't want to imply here that I think that public school teachers don't do the best possible job with the situation handed them (though obviously some don't); rather, I think that public school teachers are in a situation where it is almost impossible to do a good job. (Reference here almost anything written by John Taylor Gatto) I'm not blaming the teachers for the poor job done by the public schools. At the same time, I don't see why the extreme difficulties of being a public school teacher should cause me to subject my children to the difficulties of being public school students.
  3. Yeah, growing large early helped on We Are All Nerds Now · · Score: 1

    I too was sufficiently large in middle and high school to avoid the worst of it. Joining the wrestling team (which, oddly enough, seemed to have very few B or C students on it - just people at the head of the class and those constantly on academic probation) helped too, though screwing up my shoulder was probably not the best long term health move.

    I sometimes wonder what it would have been like had I not had physical size on my side, and it's not pretty.

  4. Sounds like a business opportunity on Low Powered Mini-Server for the Masses · · Score: 1

    IT outsourcing for small mom & pop businesses. Then, in a case like this, the downtime is how long it takes for the IT doctor-on-call to get to your place of business.

    Actually, I think I've seen people advertising this service locally.

  5. Re:Toy Story names on UserLinux Proposal (And Analysis) Now Available · · Score: 1
    For Disney to pursue a trademark case against Debian they would have to demonstrate that someone might reasonably purchase a Sarge installer CD and think that they were getting a green plastic toy soldier. Either that or they'd have to prove that their Toy Story character trademarks are "famous", which only applies to a very small set of trademarks, like "Coca Cola".

    Or they'd have to think that perhaps they were getting a Toy Story-based computer game. Given that Disney licenses out everything (you can get Disney-branded DVD players these days), this is not actually as much of a leap as it might seem.

    Too bad there just never seems to be much desire on the debian lists to move to another internal naming scheme. (inertia, and the fact that no one can really think of a pressing reason why scheme X should be preferred over scheme Y)
  6. Re:How about a logging trail on Gentoo rsync Server Compromised [updated] · · Score: 1
    Nope, I'm not saying it won't work, but I'm saying that it displays a fundamental ignorance of the language which was the reason the old code had a bug in the first place. i.e. the guy who did the patch is nearly as thick as the guy who coded the bug in the first place.

    And you're a pompous blowhard. The behavior of integer overflow operations on unsigned values (which is what addr and len are in this function) is in fact perfectly strictly defined in the C standard. Your "language ignorance" comment rings hollow - either that, or more charitably you assumed that one or more of these variables were signed, which means you go spouting off about code which you haven't read even though it's perfectly available.

    Now, that said, as a purely stylistic matter I would rewrite the above if statement as:
    if ((len > TASK_SIZE) || (addr > TASK_SIZE - len))

    This is basically because this form matches the bounds checking code elsewhere in that same file, and it's easy to see that no overflows are happening anywhere. However, your implication that the previous code just happens to work because of quirky behavior on the part of the compilers involved is out of line.
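    The three bounds-check forms under discussion, as an added example that is not part of the original comment or of the kernel source it refers to. TASK_SIZE is set to an assumed value (the classic 3 GiB split on 32-bit x86) purely for the demonstration; the kernel defines it per architecture. range_ok_naive is the failure mode (a sum that can wrap past ULONG_MAX), range_ok_wrapcheck relies on the standard-defined modulo behaviour of unsigned addition, and range_ok_subtract is the subtraction form given above, which never performs an addition at all.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed value for this example only: the classic 3 GiB user/kernel split
 * on 32-bit x86. The real kernel defines TASK_SIZE per architecture. */
#define TASK_SIZE 0xC0000000UL

/* Failure mode, shown for contrast: addr + len is computed modulo 2^N on
 * unsigned long, so a huge len makes the sum small and the range is
 * wrongly accepted. Do not use this form. */
int range_ok_naive(unsigned long addr, unsigned long len)
{
    return addr + len <= TASK_SIZE;
}

/* Wraparound-aware form. Unsigned overflow is well defined in C (the result
 * is reduced modulo 2^N), so "end < addr" reliably detects that the
 * addition wrapped, and the check is correct on every conforming compiler. */
int range_ok_wrapcheck(unsigned long addr, unsigned long len)
{
    unsigned long end = addr + len;
    if (end < addr)              /* the addition wrapped past ULONG_MAX */
        return 0;
    return end <= TASK_SIZE;
}

/* Subtraction form from the comment above: rejects when
 * (len > TASK_SIZE) || (addr > TASK_SIZE - len). No addition is performed,
 * and TASK_SIZE - len is only evaluated once len <= TASK_SIZE is known, so
 * nothing can wrap in either direction. */
int range_ok_subtract(unsigned long addr, unsigned long len)
{
    if (len > TASK_SIZE)
        return 0;
    return addr <= TASK_SIZE - len;
}

/* Runs all three checks on one (addr, len) pair and prints the verdicts. */
static void show(unsigned long addr, unsigned long len)
{
    printf("addr=%#lx len=%#lx  naive=%d wrapcheck=%d subtract=%d\n",
           addr, len,
           range_ok_naive(addr, len),
           range_ok_wrapcheck(addr, len),
           range_ok_subtract(addr, len));
}

int main(void)
{
    show(0x1000UL, 0x1000UL);              /* ordinary range: all accept */
    show(TASK_SIZE, 1UL);                  /* starts at the limit: all reject */
    show(0UL, TASK_SIZE);                  /* exactly fills user space: accept */
    show(1UL, TASK_SIZE);                  /* one byte too far: reject */
    show(TASK_SIZE - 16, ULONG_MAX - 10);  /* wrapping len: only naive accepts */
    return 0;
}
```

    The last case is the one that matters: with addr just under TASK_SIZE and len close to ULONG_MAX the sum wraps to a value below TASK_SIZE, so the naive form accepts a range that in fact spans the entire address space, while both of the other forms reject it.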
  7. There is another way out on In Search of Stupidity · · Score: 1

    If you assume that everyone who comes up with a sufficiently large number looks at it and immediately says "that can't be right" and revises it downward - that is, if there is some sort of universal human mental block to knowing the truth.

    Of course, that can be disproved by finding someone who earnestly believes that the entire human race is stupid. Good luck; such people tend to have a very high opinion of themselves...

    I prefer the Dilbert Principle: Everyone is an idiot about something.

  8. Why it's this way in debian on Debian Project Servers Compromised · · Score: 1

    Note, of course, what signed binary packages protect you against: a root compromise of the central servers, or of the local ftp archive that you pull from. What they do not protect you against is a compromise of j. random developer's personal machine.

    Now, if you were hired to do evil, which job would you consider the easier one? Break into the highly monitored central server and stay undetected long enough to infect people who download rpms from that server, or break into some developer machine somewhere (many of which are not monitored nearly as carefully as the central servers) and remain undetected long enough for the next minor update of gnome-red-widget-factory to be built and uploaded? Remember, either way you only have to get into one machine, and with one of those methods you have many more targets to choose from...

    Whenever signed binary packages (or the less strong version, automatically signed Packages files) are brought up on debian-devel, the desire to implement something ends up stalling with arguments similar to the above. People see little point in putting extra steel-reinforcing on the front door when the back door's still just barely locked.

  9. I think you've misread how to abuse the system on Slashback: Princeton, Terror, Farscape · · Score: 1
    The standard argument against the market goes like this:
    See, I'm not worried about the person who collected some money because their bet against me or my family happened to pay off. I'm worried about the person who just "lost" the $10,000 that they had put up to back the bet.

    Think about it: suppose I don't like, say, the King of Jordan. Suppose I make it very profitable for someone if he should die before the end of the year. Essentially, I've managed to hire an assassin, without having to deal with all that messy money laundering stuff
    Except, of course, that this won't quite work because if I began to sell suspiciously low-priced options against his majesty's continued longevity, the options would quickly be bought by a large number of speculators with the effect of distributing the payout far and wide. It would be easy in a system like this to guarantee that if I wanted a certain leader to die, in the event of an assassination, I would lose a large amount of money. It would be very hard, however, to concentrate the money gained so that an assassin could be paid for out of my monetary loss. (This is the effect of open trades combined with standardized and small contract sizes)

    I happen to think that a better argument against the market is that it wouldn't actually produce any useful information (magical belief in "the power of markets" notwithstanding, markets can't aggregate information that isn't there) and would antagonize foreign leaders to the detriment of the US's diplomatic interests.
  10. Is there a -1, Misinformative mod available? on Debian Project Servers Compromised · · Score: 1

    Sorry, but .deb packages are not signed - that is, they contain nothing inside the .deb package which can be used to check a package's integrity.

    What is signed are the .changes and .dsc files which are used when the file is uploaded. The only way to verify binary deb packages at the moment is to have an archive of the debian-changes and debian-devel-changes mailing lists to use as a basis for comparison.

  11. Not really, unfortunately on Debian Project Servers Compromised · · Score: 1

    .deb files are not signed directly; the only signing that happens is the .changes and .dsc files involved in an upload. (These are the messages you see if you monitor the lists debian-changes or debian-devel-changes) (*)

    What apt-get does check files against is the md5 sums in the Packages file. The packages file, however, is only signed at each release. Not helpful in the case of a theoretical archive compromise.

    To verify .deb files with a signature chain going back to private keys on individual developer machines, you'd need a debian-changes or debian-devel-changes archive which you then matched against the md5 listed in the Packages file (and complain like hell if there's a discrepancy). There is to my knowledge no automated tool to do this. (Then there's the issue that even if there were such tool, you'd likely be completely screwed if you're running one of the architectures served by an automated build daemon and someone cracked the buildd)

    (*) Then there's also security announcements, which are signed and also include package md5sums, but to my knowledge there's no tool for checking them automatically either.

  12. Re:If they weren't children... on The Rise of Cyber Bullying · · Score: 1
    Children are

    * Legally required to be in school
    Unless, of course, the parents of said children decide to take the responsibility of educating their own children away from the state and pull them out of the hostile environment. Every state in the US legally allows homeschooling. Starting homeschooling with middle- or high-school aged children may be significantly more difficult than starting with 5 yr. olds, but it can be (and has been) done.

    Take away the legal requirement to be in school, the forced confrontations, and this issue almost completely evaporates.
  13. Re:Learning how to teach on Great Computer Science Papers? · · Score: 1
    All I need now is to learn how to teach.

    Is there something out there that would help me ?
    Practice.

    Especially, practice on a willing audience. (Trying to teach people who do not want to be taught is an exercise in futility; it's better if the audience is genuinely interested in the subject, but it's adequate if they're your friends voluntarily being a guinea pig audience) Do not make the mistake so often made in elementary and secondary teacher training and practice on people who would be happiest if you dropped dead and class were cancelled. Not only will you fail to get anything across in that situation, but your failure will not be the kind you can learn from. It's better to practice in front of a video camera and then review the tape than to practice on people who don't want to be there.

    Seriously, good practice is way more important than a hundred seminars on learning styles or classes on educational theory. Though, if you wanted to, I suppose that reading some of Dewey's work - "Democracy and Education" for example - could help.

    I'd include a plug for reading stuff by John Holt too, (such as "Learning all the Time") just because some Holt should be read as a cautionary tale before diving too deeply into modern educational theory, but it's in many ways tangential to what you want. (although "How Children Fail" has some anecdotes that are relevant to what I often saw my professors doing, especially in graduate school)

    But just like getting to Carnegie Hall, the real key is practice, practice, practice.
  14. Re:hmm on Why Personal Websites Matter · · Score: 1
    I know it's PC to have a specialized label for every fricking thing under the sun, but...
    a Blog IS a personal website.
    Amen. I cannot understand this desire to break down and categorize things into hierarchies. For instance, take the supermarket: they have a section labeled "fruit" and they still insist on labeling the individual shelves with words like "banana" and "apple". They're just fruit; why does a fruit need a special different name just because it's curvy and yellow?

    For the sarcasm-impaired, while most (and perhaps all) blogs may be personal websites, not all personal websites are blogs.
  15. Yeah, yeah, "don't feed the troll" on 20th Anniversary Of Computer Viruses Commemorated · · Score: 1
    it did NOT fit inside a udp packet, the command to retrieve the virus fit in the udp packet..

    try learning about what you talk about....

    if a virus is not written in assembler, it's from a poser wannabe.


    Um, no. Wired has a surprisingly detailed article about slammer. If you're too lazy to read it, the poster you were disparaging was in fact completely correct.

    Perhaps you're thinking of LoveSan, aka msblast?

    As for the "assembly is the only real language, everyone else is a poser wannabe" comment, I do have to say that the first MSWord .doc-file viruses were a cool hack, even if they were written in a dumbed-down version of visual basic.
  16. Re:Curses! Foiled again! on Quantum Cryptography Systems Commercially Launched · · Score: 1

    The problem is that slashdot's moderation system encourages a result that looks like "the moderators as a whole thought that this was /really/ funny" when the cause is just "five different people saw this and gave it a funny moderation".

    Thus the key to high karma: post replies that are likely to get some positive moderation (any at all) to articles that are posted early. Getting modded up rarely has anything to do with quality - it's all about getting in front of the moderators, which is all about appearing near the top of the comments page when the comments are viewed threaded, highest scores first. (Since almost no moderators follow the advice to read slashdot nested, newest first)

  17. Okay, so here's a hypothetical on Microsoft Offers A Bounty On Virus Writers · · Score: 1

    Lately (after reading a paper referenced in a slashdot post that presented the results of some worm propagation simulations), I've been thinking about a project that would build a worm to test some of the assumptions in that paper. After all, I want to know if it's reasonable to assume that a worm with all the intelligence described in the paper could infect and transfer itself in X seconds, because that impacts the threat we might face.

    So I imagine creating a program called the "known buffer overflow service", (basically, just a gets() call after accepting a connection) that exists simply as a target for these sample worms, and then developing the worms and watching them spread on a private test network of 20 or so machines.

    Now at this point there's really no chance of the sample worms as I would write them of getting out and infecting hosts on the wider network, unless people deliberately install my "come exploit me" service. However, were I to publish my worm source code you would then have a ready-to-go, tuned-for-fast-propagation worm, possibly with some kind of DDOS payload, which just needs to be customized for the exploit of the week. (and the DDOS target adjusted to whatever you want to take out today)

    So then someone in India plugs the latest bugtraq post and this worm together, and thirty minutes later half the windows machines on the internet are attacking mcdonalds.com...

    Now - this is where we suddenly start throwing around analogies to the difference between publishing bomb-making instructions and making bombs, and then try to argue what the result should be by analogy. Unfortunately, the analogies crumble because the worm source code is both the instructions and at the same time an almost complete worm-making kit. (just add water!)

    So in this scenario would I have gone "beyond writing an exploit"? (the test used for "guilty" in the parent post)

  18. pnmtools on New X Proposal on Freedesktop.org · · Score: 1

    Have you looked at pnmtools?

    They do what you want for certain limited image types: no alpha, rectangular images. (and some companion tools are able to extend things to add an alpha channel) The only problem is that last time I looked a few of them don't read/write to stdout.

    Also, as the most common image processing I find I have to do is rotate pictures from my digital camera through 90 degrees, I find that the command line tools that come with libjpeg (often packaged as "jpegtools") are quite useful.

  19. Re:They voted in a change that lets them change? on Debian Can Now Amend Social Contract, DFSG · · Score: 1
    If any sane business had an arduous process like this to decide to change something in order to allow an arduous process to allow them to change something, they'd be out of business.
    You've never worked in a business of more than 20 people, have you?
  20. Re:old style whooping on Spammer DDoS-By-Virus On spamhaus.org · · Score: 1

    Being able to spell "priest" might also be useful.

  21. Re:Why this is a bad idea for Symantic on Symantec Says No To Pro-Gun Sites · · Score: 1

    If the head of the NRA wouldn't send out fundraising letters referring to law enforcement officers as "jack booted thugs", then maybe the public's image of the NRA wouldn't be of a bunch of rifle-toting rednecks who like shooting random things for kicks.

  22. Re:ACLU to help out? on Symantec Says No To Pro-Gun Sites · · Score: 1

    You have made the mistake of assuming that the Republican party and "the right" are the same thing.

    Parties' positions in the political landscape of the country shift around. Strom Thurmond started his political career as a Democrat.

  23. The problem with one-way authentication on Spammer DDoS-By-Virus On spamhaus.org · · Score: 1
    What are the last four digits of your SSN going to give me?
    Well, they're going to let you agree to stuff in my name with those companies that rely on the last four digits of the SSN as an authentication measure. Not a major risk with companies that call with offers (unless you've also tapped my phone), but there are many places that use the last four digits of the SSN as a private PIN - for example, one of the billing agencies my local hospital uses relies on the last four digits of a patient's SSN to determine with whom they can discuss a case.
  24. Re:Fair... but then why don't they claim that? on Diebold Chases Links To Leaked Memos · · Score: 1

    IANAL, and I don't even play one that well. However:

    You can invoke the takedown portions of the DMCA without having first registered the copyright. Registering the copyright only becomes relevant when you want to pursue a civil claim of monetary damages for infringement. (It reduces the amount of money you can collect to, effectively, 0) However, the registration doesn't have to occur until just prior to when you file suit (the potential monetary award is smaller if you register the copyright after the infringement occurred, but it's still there).

  25. Actually, this does slightly modify your results on Using Honeypots to Fight Worms · · Score: 1

    In section 5.1.1 you use your theoretical limit, but you forget that you started with 10 infected hosts. This leads to a theoretical best time-to-saturation of 29.499 seconds, not 36.506 seconds.

    I will concede that this point isn't crucial, however. It still makes a worm that hits saturation in under a minute very close to ideal.