How did you test? nginx does honor Range requests. The Apache killer will report that nginx is not vulnerable, so what, it misreports PHP-based Apache installations too. However, this attack can be performed in more than one way. Maybe you should know that nginx maintainers have released a patch today. I wonder why.
I have read that IIS is vulnerable to this too, not sure if this is true, I have no IIS installations that I can check.
I'm not sure what Cherokee does so I can't comment here.
It's a protocol bug. Any server that implements the protocol to the letter is vulnerable. And it's not just about overlapping ranges. If the server can send a ten megabyte file, an attacker can ask it for ten million one-byte ranges. The processing overhead will bring most servers to their knees. If the server can compress the output, an attacker can ask for ten million compressed one-byte ranges. An attempt to execute such a request will kill just about anything. The protocol should have limited the number of ranges per request to, say, 10.
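The per-request cap proposed in the comment above, as an added example that is not part of the original thread or of any server's code: a byte-range parser that refuses a Range header by counting its separators before it does any per-range work, and then rejects overlapping ranges after parsing. The function names (parse_byte_ranges, response_status), the exception classes and the MAX_RANGES value of 10 are my own choices; the syntax follows the byte-ranges grammar of RFC 7233, and the sample headers are constructed.

```python
import re

# Policy value from the comment above: at most ten ranges per request (my choice of default).
MAX_RANGES = 10

# byte-range-spec / suffix-byte-range-spec: "first-last", "first-" or "-suffix"
_BYTE_RANGE_SPEC = re.compile(r'^(\d*)-(\d*)$')


class BadRange(ValueError):
    """Malformed or egregious Range header: ignore it and serve the full body."""


class Unsatisfiable(ValueError):
    """No requested range lies inside the resource: answer 416."""


def parse_byte_ranges(header, resource_size, max_ranges=MAX_RANGES):
    """Parse a Range header value into a sorted list of (first, last) byte offsets.

    Returns [] when there is no Range header or its unit is not bytes.
    Raises BadRange for syntax errors, more than max_ranges ranges or
    overlapping ranges; raises Unsatisfiable when nothing can be served.
    """
    if not header or not header.startswith('bytes='):
        return []
    if resource_size <= 0:
        raise Unsatisfiable('empty resource')
    specs = header[len('bytes='):]

    # Refuse before doing any per-range work: counting separators is O(len),
    # so a header carrying millions of one-byte ranges is thrown away without
    # the server allocating, seeking or compressing anything for them.
    if specs.count(',') + 1 > max_ranges:
        raise BadRange('more than %d ranges' % max_ranges)

    ranges = []
    for spec in specs.split(','):
        m = _BYTE_RANGE_SPEC.match(spec.strip())
        if m is None:
            raise BadRange('malformed byte-range-spec %r' % spec)
        first, last = m.groups()
        if first == '' and last == '':
            raise BadRange('empty byte-range-spec')
        if first == '':
            # suffix-byte-range-spec: the final N bytes of the resource
            n = int(last)
            if n == 0:
                raise BadRange('zero-length suffix range')
            ranges.append((max(0, resource_size - n), resource_size - 1))
            continue
        first = int(first)
        if last == '':
            last = resource_size - 1
        else:
            last = int(last)
            if last < first:
                raise BadRange('last-byte-pos before first-byte-pos')
            last = min(last, resource_size - 1)
        if first >= resource_size:
            continue  # outside the resource; 416 if every range is like this
        ranges.append((first, last))

    if not ranges:
        raise Unsatisfiable('no satisfiable range')

    # Overlap check on the sorted list: each range must start after the previous one ends.
    ranges.sort()
    for (_, prev_last), (cur_first, _) in zip(ranges, ranges[1:]):
        if cur_first <= prev_last:
            raise BadRange('overlapping ranges')
    return ranges


def response_status(header, resource_size):
    """Status the server should use: 200 (full body), 206 (partial content) or 416."""
    try:
        ranges = parse_byte_ranges(header, resource_size)
    except BadRange:
        return 200   # egregious request: ignore the header, which RFC 7233 section 6.1 allows
    except Unsatisfiable:
        return 416
    return 206 if ranges else 200


if __name__ == '__main__':
    # Constructed sample headers against a 1000-byte resource
    samples = [
        'bytes=0-99,200-299',
        'bytes=-100',
        'bytes=' + ','.join('%d-%d' % (i, i) for i in range(20)),  # many tiny ranges
        'bytes=0-50,25-75',                                        # overlap
        'bytes=5000-',                                             # past the end
    ]
    for h in samples:
        print('%-40s -> %d' % (h[:40], response_status(h, 1000)))
```

Ignoring the header and answering 200 with the whole body costs the server exactly one ordinary response, which is the point: the check has to be cheaper than the work it refuses.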
I wonder what happens if I swap an Ubuntu kernel for my own kernel, configured and compiled by myself. Do I still have a licensed Ubuntu system? Even if the kernel is from vanilla sources? What if I replace their libc? How about GNU userland, I hear there are alternatives? Do I have to use Canonical's repositories for my updates? Maybe I can switch to an rpm or even portage-based package manager, do I still have an Ubuntu? It should be feasible to port Debian/FreeBSD to the Canonical platform, is it OK to use an Ubuntu/FreeBSD system? In short, how much of Ubuntu can I leave in the system to still be considered a licensee?
I also wonder whether smart lawyers at MPEG LA have answers to these questions. Or maybe they have no idea of what Linux is about.
These sites are in effect off-limits to you anyway. Not because you can't type an address (you can), but because you can't bloody read the friggin' content! Insightful my ass.
Laugh all you want, but Adobe DOES make a version of Photoshop for Android. I have it on my phone. It's even free! The functionality is rather limited though.
Installing software on random shit is a right specifically asserted in the US copyright law. Read it. By "it" I mean "it", not "random slashdotter's rant about it".
Besides, OS X being sold as an upgrade for anything is a myth.
Unicode does not necessarily mean any of this crap. International domain names don't use UTF-8 or UCS2 or anything like that, they are represented with a scheme called Punycode. Being a software developer, you may want to know a bit more about it. Just stop by any information kiosk marked with big rainbow-coloured GOOGLE sign and ask the friendly staff. Don't hesitate to ask about the difference between Unicode and the UTFs too, while you're at it.
The C programming language and sizeof(wchar_t) have absolutely nothing to do with this discussion. Internet standards are not defined in terms of C and its data types.
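To make the point of the two comments above concrete (the wire form of an internationalised domain name is plain ASCII produced by Punycode, and has nothing to do with UTF-8, UCS-2 or the size of a C wchar_t), here is an added example that is not part of the original thread: a straight transcription of the RFC 3492 encoder and decoder, plus the xn-- label wrapping. The function names are my own; the only assumption is that labels are already lower-cased and normalised, since the full IDNA mapping step is not implemented here.

```python
# RFC 3492 bootstring parameters for Punycode
BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128
_DIGITS = 'abcdefghijklmnopqrstuvwxyz0123456789'


def _adapt(delta, numpoints, firsttime):
    """Bias adaptation from RFC 3492 section 6.1."""
    delta = delta // DAMP if firsttime else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + ((BASE - TMIN + 1) * delta) // (delta + SKEW)


def _threshold(k, bias):
    """Digit threshold t(k) used by the variable-length integer coding."""
    if k <= bias:
        return TMIN
    if k >= bias + TMAX:
        return TMAX
    return k - bias


def punycode_encode(label):
    """Encode one Unicode label to Punycode (without the xn-- prefix); section 6.3."""
    output = [c for c in label if ord(c) < 128]   # basic code points are copied verbatim
    b = h = len(output)
    if b:
        output.append('-')                        # delimiter between basic part and deltas
    n, delta, bias = INITIAL_N, 0, INITIAL_BIAS
    while h < len(label):
        m = min(ord(c) for c in label if ord(c) >= n)   # next code point to insert
        delta += (m - n) * (h + 1)
        n = m
        for c in label:
            cp = ord(c)
            if cp < n:
                delta += 1
            elif cp == n:
                q = delta
                k = BASE
                while True:                       # generalised variable-length integer
                    t = _threshold(k, bias)
                    if q < t:
                        break
                    output.append(_DIGITS[t + (q - t) % (BASE - t)])
                    q = (q - t) // (BASE - t)
                    k += BASE
                output.append(_DIGITS[q])
                bias = _adapt(delta, h + 1, h == b)
                delta = 0
                h += 1
        delta += 1
        n += 1
    return ''.join(output)


def punycode_decode(text):
    """Decode a Punycode label (without the xn-- prefix) back to Unicode; section 6.2."""
    pos = text.rfind('-')
    output = list(text[:pos]) if pos >= 0 else []
    tail = text[pos + 1:] if pos >= 0 else text
    n, i, bias = INITIAL_N, 0, INITIAL_BIAS
    idx = 0
    while idx < len(tail):
        oldi, w, k = i, 1, BASE
        while True:
            digit = _DIGITS.index(tail[idx].lower())
            idx += 1
            i += digit * w
            t = _threshold(k, bias)
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - oldi, len(output) + 1, oldi == 0)
        n += i // (len(output) + 1)
        i %= len(output) + 1
        output.insert(i, chr(n))
        i += 1
    return ''.join(output)


def domain_to_ascii(domain):
    """DNS wire form: every non-ASCII label becomes 'xn--' + its Punycode."""
    return '.'.join(l if l.isascii() else 'xn--' + punycode_encode(l)
                    for l in domain.split('.'))


def domain_to_unicode(domain):
    """Inverse of domain_to_ascii, for display."""
    return '.'.join(punycode_decode(l[4:]) if l.lower().startswith('xn--') else l
                    for l in domain.split('.'))


if __name__ == '__main__':
    name = 'bücher.example'   # constructed sample name
    print(domain_to_ascii(name), '<->', domain_to_unicode(domain_to_ascii(name)))
```

The ASCII form is what resolvers send and what certificates carry; the Unicode form only exists in the user interface, which is why display code has to decode deliberately rather than trusting whatever bytes came off the wire.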
Well, it's always a good idea to have a lawyer nearby whenever you're getting paid to open your mouth in public. No, wait, scratch the bit about getting paid. Having said that, I think it's fairly safe to praise Apple without mentioning that you've got a free promotional copy of Windows ME sometime in the last century. If OTOH you want to know how to bash Apple safely, then you will have to get your own copy of the guidelines. It's free!
Oh my. 1. If you endorse someone's product and you've got stuff from them at some point in the past, check. It doesn't actually have to be in exchange for anything, that was a case of sloppy editing on my part, for which I apologize. 2. You don't have to do anything if you get stuff after the fact. 3. If you want to comment /after that/, see 1. If you still think it's complicated, then I'm sorry to say I can't help. Go back to pre-school or something.
It's OK, nobody uses JPEG 2000 anyway.
Billions and billions of stars!
Apache has its share of its own unique bugs, that's true.
An attacker doesn't need to sniff anything. Why bother? Just fire up your own hotspot, name it "Courtyard Marriott" or "Starbucks", and trawl away.
Think about it every time you connect to a free public hotspot.
Maybe using that credit card number as a Twitter password wasn't such a good idea after all.
"doc" and "pro" and "ad" and "gym" are not contractions, they are clipped forms. No apostrophe in those.
"or too" --> "or two". I need some sleep...
The "study" in question was performed in an extremely amateurish, non-scientific way.
http://2jk.org/english/?p=153
Read it for a good laugh or too, but don't give it any weight because it deserves none.
The president of China, that's who.
Thank you, my collection of backgrounds has just become one step closer to ultimate perfection.
Hm. Indeed. OK. Anyway, I'm not in the US and we don't have DMCA here yet.
When I decide to start distributing their OS, I sure as hell will study their license.
Could be sold as frisbees for all I care. Nobody has any right to prevent me from feeding their DVD to my pet lizard.
As MacOS is not copy protected, there's nothing to circumvent there, DMCA-wise.
*You* have restrictions on how many pictures *you* can upload on Flickr. *I* don't, because I pay for the service.
Big surprise here! Cell phones and consoles sold in foreign lands have ways to enter their respective foreign characters. Who'd think.