Not bad considering this is easily the toughest and most dangerous job in the world.
Well, no disrespect to anymone working in space programs, but there are a lot more dangerous jobs in the world. Just making the news now are the apparently attrocious conditions in China's mines: "More than 5,000 people were killed in coal mine accidents last year, according to the government."
Exactly. You can license your code any way you wish.
However, the combined work has to be licensed under the GPL.
You (supposedly) read source code carefully; read Ebden's language carefully as well. He writes in a very clear, consise and exact way.
Now, there is an interpretation that if your code is not functional without the GPLed other software, then it might not be considered a work in it self, but only a derivative of the GPLed work. If that interpretation is correct, then distributing your own work falls under the GPL, and you can only license it under the GPL.
I tend to think that if you are distributing your own work as source code, then you are in the clear: the code doesn't have to compile into a functioning binary as such to be useful. However, distributing binaries linked statically against GPLed code is clearly a derivative work, and you must make your source code available under the GPL.
There is some contention about dynamically-linked executables; many GPL proponents make the case that it's essentially the same as with statically linked binaries. However, in theory, anybody could implement a compatible library that has the same ABI, and so would allow running the non-GPL binary without using any GPLed code.
I personally would draw the line between "ubiqutous" APIs (libc, etc.) that are designed to be a framework, and code that has been ripped from an existing project and just compiled into a dynamic library just to avoid the "GPL hassle". Obviously, there are quite a few murky cases in between...
Lex Barebone has fan-less 533 MHz Mini-IXT boards, including one with three Realtek 10/100 chips, or two Intel 10/100 and one Intel GigE.
There's also a Atmel-based 802.11b controller you can add as an option. Can't seem to find it on their site, but I've seen it at some European resellers.
Not too expesive either: with the wireless option and the Intel chips, it runs at around 400 EUR (plus memory and storage).
How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch?
Actually, yes. This is called regression testing, and it's pretty common in the software industry.
Good point, but the parent was talking about the responsibilites of the end-user admin, not the software vendor.
Now, if I cannot trust my software vendor to properly regression-test any new release, but I have to do it myself, this leaves me as the admin in a pretty dire situation.
Usually, the documentation available about a product, and any documentation about a patch is not sufficient for me to build a complete test set around. I might be barely able to construct a test set for my custom application, but performing low-level testing on the components is next to impossible (irrespective of resources). Furthermore, any work done in this direction cannot be shared with anyone else, thanks to the great licenses imposed by the vendors.
Having a compentent admin as a pre-requisite has been mentioned in other posts. Assuming that there is a competent admin, I would rather use products where I can investigate the code and interfaces, and can share my knowledge with others then be locked in with a vendor who's only concern is to look good to upper management.
However, if you pay for your bandwidth, this could be quite expensive. As a sysadmin for a small company in Europe, with two offices, we have about 500 GB online that need backup. Let's assume a daily change rate of about 50 MB, one full backup per week, and the necessity to have at least two backups (in case one of the peers go down), we're looking at something like 4 TB volume a month. This is assuming a "classic" backup schedule, and would not only require above-average Internet connectivity, but also a lot of money.
Alternatively, let's assume the system allows us to eliminate the need for a recurring full backup, by being able to store all files individually in this distributed system, so we only need to update the backup for files that have changed. Thas still leaves us with at least 2 GB per month (50 MB * 20 days * 2 destinations); we pay 20 EUR per gig, and we only have a 2Mbit/s line.
40 EUR per month is not that expensive, but if there are massive changes (we add a new system), the volume increases steeply.
Also, one very important feature is not available: easy archive copies. For various reasons, we need to archive old projects, email, and financial data. With a tape backup, you just retire a tape set offsite.
This probably is new for sea-going ships, but for ferry-like ships and boats, where the stay will be only a few minutes, magnetic systems have been in use for quite some time.
Although I can't find any technical details from Google, the Alsterdampfer in Hamburg, Germany, have been using a magnetic system for at least 30 years (no snide comments about my age, please). In this image, you can see the magnets as the black-faced buckles on the side, just above the waterline.
For this to work, the side of the jetty is plated with steel plates for the magnets to hold on to; depending on the skill (or inclination;-) of the captain, the boat can be tucked towards the jetty quite violently...
Reminds me of that 80s music video where the gal walks into the mirror, and everything's all "pencilly-looking" but in real-time... now what was that damn song?
Sorry, my bad. And the "sheesh" bit was meant to be funny.
Anyway, after reading the bulletin again more carfully, I make the following of the situation:
Installing MDAC 2.7 will make your server invulnerable;
Installing the patch will make your server invulnerable;
Installing the patch will make your client secure as long as you don't visit a malicious site or read a malicious email, which could restore the vulnerable version of the ActiveX control.
I can't find information in the bulletin about the chances of having a malicious page load a vulnerable version of the ActiveX control on a system with MDAC 2.7 installed. The bulletin only states that Windows XP (due to it having 2.7) is not vulnerable.
So I assumed that it's still possible. Is my assumption wrong? Quite possibly. I'm sure quite a number of people will check this;-)
However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.
Sheesh, now/.er don't even read the blurb anymore?
It's worthwile mentioning that this class of exploits has many instances, and that apparently, the security model of IE is designed in a way that makes it very hard to fix them.
What I don't understand in this whole mess: when I hear "execute arbitrary code", I know something's horribly broken. Why is it worse if someone exemplifies "arbitray code" with "format a:/autotest" (in the ZDnet forum, reposted to BugTraq here) instead of
"winmine" (as in Sandblad's original advisory)? The important bit is "arbitrary code", no?
When a friend of mine quit his last job, the reason he gave in his notice was "because Dilbert isn't funny anymore." In his exit interview, he was asked what he meant by that.
The EU regulation requires the seller (i.e. the store) to repair or replace, at their choice, for free a product that breaks within 24 months of purchase, excluding wear and tear, etc. The period was recently extended from 6 months.
Manufactures may offer additional warranties under their own terms, irrespective of the dealer's obligations.
Thanks for pointing this out. But Nokia is more entrenched than you think.
Nokia is trying to market a solution that allows network operators to unify billing between WLAN hot-spots and their 2/2.5/3G networks; eventually allowing seamless roaming between high-speed, local hot-spots, and lower-speed, large area coverage by GPRS or UMTS.
So, for Nokia, free WLANs are an obvious threat to their products viability.
form teh article: You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
Well, setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectivly have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses MX hosts in the hope that the MTA do this foolish kind of access check.
This has been discussed since at least five years, and has been a point in the many faqs and howtos on how to lock down your MTA for a long, long time.
If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.
Why do ISPs have the right to refuse handing over the information when they can be considered criminals?
Because they are alleged criminals. Read your constitution (or the Declaration of Human Rights). It's for a court to decide whether someone is acting illegally or not. It's not the ISP or anyone else's task.
You need legal access to a swath of land between both locations that has no point where you do not have the ability to dig a trench. There are only 3 groups that have this. Governments, Railroads and power companies.
Gas and water/sewer utilities being two more that should have the legal ability to run cable.
COLT Telecom, when building their MANs in a couple of European cities, was quite smart in a few cases. For example, in Hamburg they managed to buy old gas pipes from the local utility to shoot fibre through and save the huge expense of digging up the roads.
A very large percentage of their customers are Mac enthusiasts.
This seems ridiculously high to me. No explanation is given of what constitutes "enthusiast." Does it mean that they would rate a crapped out hard drive "almost usable"?
Furthermore, Apple is a terrible company to include in this kind of survey. A very large percentage of their customers have called tech support. Not that there is anything wrong with that, it's just that comparing an Apple customer's perception of Apple support with a Dell customer's perception of Dell support is hardly an accurate picture - the Dell customer has no particular love for tech support.
(OK, I've stolen that from (IIRC) Ken Thomson's (or someone else at AT&T labs) description of the history of the trademark and/or the evolution of Bell Labs through time, but I can't find it...)
The concern (I'm not sure it really is FUD) that some product you're using might be encumbered by patents, and the patent holder might force you to stop using the encumbered product is certainly not limited to Linux; in fact it probably does apply to any product.
However, and I this is the question I think Lisa was trying to get at: what will happen to you as a user and a customer of some software producer (be it Red Hat, SuSE, MSFT, or whatever) when a court finds some part of the product to be infringing?
What assurances, or at least, what reasonable assumptions can you make about the outcome of such a situation? I'm not saying you're going to be worse off with Linux (or any other Free/open software). WIth a big-ass software vendor, you might get screwed a little ("oh, so sorry, but just buy this upgrade, and you'll be fine"), but most likely, you will be able to continue mostly unharmed. Worst case: you'll have to pay money to continue to operate, but you won't necessarily have to change your systems.
On the other hand, it might be quite clear to the readership of this site that any substantial patent claim, if granted, will be worked around quite quickly. So by the time things get pushy, more likely than not you will have a patch available to work around the contested code.
However, in the business mindset, this is not obvious, not quantifiable (in terms of $$$), and thereby, at risk a lot harder to judge. At least business types feel it is.
And getting deeper into the matter: what is going to happen in this case? Red Hat could claim it's not theirs; so it's either up to the original authors or copyright holders, or up to each individual user to deal with the situation. Again, not necessarily a risk you want to take when you bet your business on this product.
Don't get me wrong: this applies to commercial, propritary software just the same. It's just that managers trust managers more that geeks, and this one of the concerns that come through in the article.
Slashdot Mirror
Well, no disrespect to anymone working in space programs, but there are a lot more dangerous jobs in the world. Just making the news now are the apparently attrocious conditions in China's mines: "More than 5,000 people were killed in coal mine accidents last year, according to the government."
The want you to request the actual paper by filling in a form. This is the URL they sent me http://www.reasoning.com/downloads/Open_Source_Whi te_Paper_v1.1.pdf.
However, the combined work has to be licensed under the GPL.
You (supposedly) read source code carefully; read Ebden's language carefully as well. He writes in a very clear, consise and exact way.
Now, there is an interpretation that if your code is not functional without the GPLed other software, then it might not be considered a work in it self, but only a derivative of the GPLed work. If that interpretation is correct, then distributing your own work falls under the GPL, and you can only license it under the GPL.
I tend to think that if you are distributing your own work as source code, then you are in the clear: the code doesn't have to compile into a functioning binary as such to be useful. However, distributing binaries linked statically against GPLed code is clearly a derivative work, and you must make your source code available under the GPL.
There is some contention about dynamically-linked executables; many GPL proponents make the case that it's essentially the same as with statically linked binaries. However, in theory, anybody could implement a compatible library that has the same ABI, and so would allow running the non-GPL binary without using any GPLed code.
I personally would draw the line between "ubiqutous" APIs (libc, etc.) that are designed to be a framework, and code that has been ripped from an existing project and just compiled into a dynamic library just to avoid the "GPL hassle". Obviously, there are quite a few murky cases in between...
There's also a Atmel-based 802.11b controller you can add as an option. Can't seem to find it on their site, but I've seen it at some European resellers.
Not too expesive either: with the wireless option and the Intel chips, it runs at around 400 EUR (plus memory and storage).
Good point, but the parent was talking about the responsibilites of the end-user admin, not the software vendor.
Now, if I cannot trust my software vendor to properly regression-test any new release, but I have to do it myself, this leaves me as the admin in a pretty dire situation.
Usually, the documentation available about a product, and any documentation about a patch is not sufficient for me to build a complete test set around. I might be barely able to construct a test set for my custom application, but performing low-level testing on the components is next to impossible (irrespective of resources). Furthermore, any work done in this direction cannot be shared with anyone else, thanks to the great licenses imposed by the vendors.
Having a compentent admin as a pre-requisite has been mentioned in other posts. Assuming that there is a competent admin, I would rather use products where I can investigate the code and interfaces, and can share my knowledge with others then be locked in with a vendor who's only concern is to look good to upper management.
However, if you pay for your bandwidth, this could be quite expensive. As a sysadmin for a small company in Europe, with two offices, we have about 500 GB online that need backup. Let's assume a daily change rate of about 50 MB, one full backup per week, and the necessity to have at least two backups (in case one of the peers go down), we're looking at something like 4 TB volume a month. This is assuming a "classic" backup schedule, and would not only require above-average Internet connectivity, but also a lot of money.
Alternatively, let's assume the system allows us to eliminate the need for a recurring full backup, by being able to store all files individually in this distributed system, so we only need to update the backup for files that have changed. Thas still leaves us with at least 2 GB per month (50 MB * 20 days * 2 destinations); we pay 20 EUR per gig, and we only have a 2Mbit/s line.
40 EUR per month is not that expensive, but if there are massive changes (we add a new system), the volume increases steeply.
Also, one very important feature is not available: easy archive copies. For various reasons, we need to archive old projects, email, and financial data. With a tape backup, you just retire a tape set offsite.
I have this neato mouse that has 101 buttons.
Oh, you new Americans. We old Europeans have 102 buttons on our mice, obviously...
Although I can't find any technical details from Google, the Alsterdampfer in Hamburg, Germany, have been using a magnetic system for at least 30 years (no snide comments about my age, please). In this image, you can see the magnets as the black-faced buckles on the side, just above the waterline.
For this to work, the side of the jetty is plated with steel plates for the magnets to hold on to; depending on the skill (or inclination ;-) of the captain, the boat can be tucked towards the jetty quite violently...
It's been a year since I last bought a Mac, but I got Apple stickers with mine, not Windows.
A-ha's Take on Me (MTV Real clip).
Anyway, after reading the bulletin again more carfully, I make the following of the situation:
I can't find information in the bulletin about the chances of having a malicious page load a vulnerable version of the ActiveX control on a system with MDAC 2.7 installed. The bulletin only states that Windows XP (due to it having 2.7) is not vulnerable.
So I assumed that it's still possible. Is my assumption wrong? Quite possibly. I'm sure quite a number of people will check this ;-)
However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.
Sheesh, now /.er don't even read the blurb anymore?
Here's yet another one published, and here's David Ahmad's response in light of these recenty discussions.
What I don't understand in this whole mess: when I hear "execute arbitrary code", I know something's horribly broken. Why is it worse if someone exemplifies "arbitray code" with "format a: /autotest" (in the ZDnet forum, reposted to BugTraq here) instead of
"winmine" (as in Sandblad's original advisory)? The important bit is "arbitrary code", no?
When a friend of mine quit his last job, the reason he gave in his notice was "because Dilbert isn't funny anymore." In his exit interview, he was asked what he meant by that.
Manufactures may offer additional warranties under their own terms, irrespective of the dealer's obligations.
Nokia is trying to market a solution that allows network operators to unify billing between WLAN hot-spots and their 2/2.5/3G networks; eventually allowing seamless roaming between high-speed, local hot-spots, and lower-speed, large area coverage by GPRS or UMTS.
So, for Nokia, free WLANs are an obvious threat to their products viability.
They already did!
Well, setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectivly have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses MX hosts in the hope that the MTA do this foolish kind of access check.
This has been discussed since at least five years, and has been a point in the many faqs and howtos on how to lock down your MTA for a long, long time.
If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.
Because they are alleged criminals. Read your constitution (or the Declaration of Human Rights). It's for a court to decide whether someone is acting illegally or not. It's not the ISP or anyone else's task.
Gas and water/sewer utilities being two more that should have the legal ability to run cable.
COLT Telecom, when building their MANs in a couple of European cities, was quite smart in a few cases. For example, in Hamburg they managed to buy old gas pipes from the local utility to shoot fibre through and save the huge expense of digging up the roads.
This sums it up pretty nicely, I think.
This seems ridiculously high to me. No explanation is given of what constitutes "enthusiast." Does it mean that they would rate a crapped out hard drive "almost usable"?
Furthermore, Apple is a terrible company to include in this kind of survey. A very large percentage of their customers have called tech support. Not that there is anything wrong with that, it's just that comparing an Apple customer's perception of Apple support with a Dell customer's perception of Dell support is hardly an accurate picture - the Dell customer has no particular love for tech support.
No, AT&T is a modem test command.
(OK, I've stolen that from (IIRC) Ken Thomson's (or someone else at AT&T labs) description of the history of the trademark and/or the evolution of Bell Labs through time, but I can't find it...)
Now, is this entire thing just a joke?
However, and I this is the question I think Lisa was trying to get at: what will happen to you as a user and a customer of some software producer (be it Red Hat, SuSE, MSFT, or whatever) when a court finds some part of the product to be infringing?
What assurances, or at least, what reasonable assumptions can you make about the outcome of such a situation? I'm not saying you're going to be worse off with Linux (or any other Free/open software). WIth a big-ass software vendor, you might get screwed a little ("oh, so sorry, but just buy this upgrade, and you'll be fine"), but most likely, you will be able to continue mostly unharmed. Worst case: you'll have to pay money to continue to operate, but you won't necessarily have to change your systems.
On the other hand, it might be quite clear to the readership of this site that any substantial patent claim, if granted, will be worked around quite quickly. So by the time things get pushy, more likely than not you will have a patch available to work around the contested code.
However, in the business mindset, this is not obvious, not quantifiable (in terms of $$$), and thereby, at risk a lot harder to judge. At least business types feel it is.
And getting deeper into the matter: what is going to happen in this case? Red Hat could claim it's not theirs; so it's either up to the original authors or copyright holders, or up to each individual user to deal with the situation. Again, not necessarily a risk you want to take when you bet your business on this product.
Don't get me wrong: this applies to commercial, propritary software just the same. It's just that managers trust managers more that geeks, and this one of the concerns that come through in the article.