I wouldn't donate to this fund. He crossed the line - I have no sympathy for him. He deserves punishment - he went from merely revealing security weaknesses to actually trespassing and meddling (modifying, running up bills) someone's service.
If he did that to one of my servers, I wouldn't get the law involved, I'd go over there with the wire brush of enlightenment and give him a LARTing he wouldn't forget. If he merely told me about a vulnerability without going in and meddling with things, I would view it differently though. But he didn't - and that's the difference.
The only thing I hope he avoids is prison rape because that is truly disproportionate to his non-violent crime (and barbaric to boot, rape should never be part of prison).
AOL (and Hotmail, and other large ISPs) are frequently joe-jobbed - it's therefore worth it for them. If I can tell SpamAssassin to score anything above the threshold that purports to come from AOL, but not from their SPF IP allocation, it helps. Better still, now I can tell for certain that @aol.com mail really DID come from AOL, I can assign a negative score to AOL addresses since I know it's likely to be ham.
Re:So .... what's their plan of action?
on
ISS May Have A Leak
·
· Score: 2, Informative
It wouldn't be good to subject someone to 0.5atm on regular air (20% O2) as their brain won't be functioning right even if they are still alive.
At 10,000 feet MSL, atmospheric pressure is around 19in Hg (IIRC). At sea level, standard pressure is 29.92in Hg. Most people are starting to be affected in some way by hypoxia when in an unpressurized plane at 10,000 feet MSL - they may feel perfectly alright, but they are mentally nowhere near as sharp as they would be at sea level. Not really a good thing in the ISS.
0.5atm is the equivalent of being at around 15,000 ft MSL without supplimental oxygen. The FAA requires pilots be using oxygen at this altitude in unpressurized aircraft. Most people are showing quite obvious hypoxia at this altitude without supplimental oxygen.
But will it filter the town name Scunthorpe as being offensive? AOL had this problem where people living in Scunthorpe suddenly found they could no longer use their town name.
Well, I'd disagree that it's not useful for production use - I use it in production and find it much more useful than the old 'shove all the services on one box' approach. Ideally, I'd like one physical server for each of the things I use a UML for, but that's highly wasteful of physical resources (not to mention expensive to keep at the co-lo) - I can put up with a bit of memory wastage with UML (since the box has plenty of memory).
The main thing is that each UML (with the host built with skas) is just two processes on the host. It makes a Slashdotting much more bearable than the standard 'bung all the services on one box'. Since every single process in the FreeBSD jail shows up in the "host's" process table, the FreeBSD jail doesn't give you that. It's a case of making choices - some need to be economical with memory so a FreeBSD jail is best, others (like me) get a monthly Slashdotting [0] and would like the rest of the daemons on the server to keep serving when a single website is receiving the Slashdotting.
[0] Not from Slashdot, but the term is getting to be generic like 'googling'.
It's a little more than a FreeBSD jail, which looks like an almost-VM-but-not-quite. The UML is a complete VM that runs its own kernel (which can be different to the host, so it's good for experimenting), has its own memory allocation, own swap space etc. My physical server is split up into several UML instances - a little tiny one as a DNS server, a big one as a web server, a small one as a barebones webserver for static sites, another big one as a shell machine etc.
It does require more resources than just shoving everything on one physical box, but the advantages outweigh that. At kernel upgrade time, it's a lot less stressful rebooting a UML rather than the entire box since you can fix it if it goes wrong a lot easier (since I don't have physical access to the machine). It also allows me to allocate different amounts of resources to different web servers. Also, when the main web server UML gets Slashdotted, the shell system and other UMLs don't get completely starved of resources, since the host's run queue is only half a dozen processes long. In a traditional do-everything server, if you get Slashdotted, you can't even log in at all to check why your system has become unresponsive, because there's 200 cgi-scripts in the run queue, plus god knows how many Apache and MySQL instances all trying to run meaning your shell gets a miniscule timeslice. (It also means I can just block port 80 on the host to the UML being Slashdotted if I want to stop the Slashdotting - something you can't do if there's so little CPU left that SSH times out before you can log in).
I use User-Mode-Linux for my web/email/DNS servers. The co-lo that rents servers only rents RedHat servers. The 'host' still runs RedHat, but really very little of it - I have my own custom kernel (with skas patch, very useful if you are running UML virtual machines) on the RedHat host, plus iptables to act as a firewall. The RedHat host conceptually just runs as a network router.
The real servers are all UML instances, all running Debian. The UML page on Sourceforge has a minimal Debian root disk image. I based my root images from these (created a new filesystem on the RedHat system of the appropriate size, mounted both, and cp -a from the minimal Debian install to the root filesystem file I was going to use, edited/mnt/etc/network/interface etc. to set the right IP addresses etc.) then booted. After that, it's just a case of using apt-get to get the packages you want to run.
The nice thing about separating all your services on different VMs within one host is you can apply decent firewall rules for each VM. If, say, your DNS UML got rooted because of an unpatched BIND (unlikely with Debian, since you can just apt-get update && apt-get upgrade to keep up to date) the skript kiddie - instead of having the run of your whole server and being able to deface your website (or worse) is locked into your DNS UML. Add proper egress firewall rules with iptables on the host, and you can prevent most skript kiddie attacks from being able to work.
Although I like the BSDs (I like all UNIX style OS, well, except a certain company whose name need not be mentioned), they can't yet (natively) do the equivalent of user mode Linux which is something I find incredibly useful. Hopefully they will in the future.
Sticking a few machines in your apartment and calling it a server is one thing, but needing a real (read fast and reliable) server is not something you do with consumer grade PCs. Also bear in mind physical space may be a real constraint. Co-los tend to charge quite a bit for each U in rack space, so sticking a white box mini tower is not an option. A consumer-grade box quickly gets swamped by dynamic traffic too - your typical cheap 5600 RPM ATAPI drive is just no match for an array of 15K RPM Ultra320 SCSI disks.
Try pricing up a fast AND reliable server on say, the HP site. You'll find to get the performance and reliability that Wiki needs to keep running with their level of traffic is NOT cheap.
Just a couple of days ago, I was with my Dad. We picked up our baggage from the airline baggage carousel, and we were the first to walk to the exit. Trouble is, in our absentmindedness, we both set out for the door marked 'Fire Escape' instead of the proper (well-marked) exit. At least a dozen people blindly followed us, by which point we realised our mistake and turned around...
You'll see sheeple-like behaviour all around you every day - it's almost unavoidable. I think humans have a herding instinct.
Re:source code escrow not very useful
on
Source Code Escrow
·
· Score: 1
Many escrow firms do a "Full Verification" escrow process, where the customer can go and have a look at some of the source code, and a build is demonstrated in front of the customer. That code is then immediately burned onto CD/DVD to go into escrow. Whilst you might get unlucky and only pick the really nice code examples to inspect, it's unlikely.
Re:Specific case where it hasn't worked well
on
Source Code Escrow
·
· Score: 2, Informative
Our escrow agreement with the NCC (the escrowers) wasn't like that - one of the triggering events *is* the takeover of the software vendor, or support going away.
First loves and first Unixes
on
First Computers
·
· Score: 1
My first computer was a Sinclair ZX-81 with 1K of RAM. Got it in 1982 IIRC. Then I had the Spectrum +, and then bought a second-hand Sinclair QL. Yes, I had a 32-bit machine in 1988:-)
My first PC was an Amstrad "portable" (full AT-sized keyboard, with a small 8 in or so supertwist monochrome display, and was capable of running on Duracells too). Then in 1990, I got a 386 for much less money than the dude in the article paid for his 286! About the same time I had my first experience of UNIX (an IBM PC/RT running AIX) and from then on I was hooked...I needed Unix of some sort for my 386. That dream was finally realised in early 1992 with Linux 0.12 (or was it 0.14?). In fact, one of my first USENET posts was asking about a kernel panic I was getting on the machine.
I learned C on that machine, running Linux 0.95. I even managed to get X to come up (I only had 2.5MB of RAM so it swapped a lot and wasn't really worthwhile). Upgrading to a 486 with 16MB of RAM in 1993 was luxury! And a sound card! And Ethernet! I had something like 50MB of disk space for Linux on that 486, and squeezed on gcc, X11 with the Open Look Virtual Window Manager and a few other things, and continued exploring C programming and writing small X11 apps. I only had about 2MB free. It worked with no swap space. I even built new kernels on it.
Now my machine menagerie consists of a P-II/266 used as an ADSL router running Linux, a Sun Ultra 5 (333MHz, 512MB RAM) running Solaris 8, and a P4-2GHz with 512MB of RAM running Linux.
Much of the problem with the Windows VMM is that it *doesn't* want to swap to disk when it should be pushing unused pages out to disk. The working set trimmer *only looks at pages that are in the CPU TLB* to work out whether it should be pushing pages out to swap (definitely the case with NT, almost certainly still with 2K and XP). The upshot of this is that if you have a large process that touches just a few of its memory pages many times, but most of the process's pages are going unused, the unused pages will remain in physical RAM meaning another process which really does need all those pages in physical RAM will end up thrashing the swap space because the big, mostly quiet process isn't getting swapped out.
Write a program that mallocs a very large lump of memory, and then just touches 64 pages per second, and watch its physical RAM usage in the task manager, and start up a new large process that actually has a need for pages in RAM and you'll see exactly what I mean.
Re:Why not interpreted C++, instead?
on
Perl is Sweet Sixteen
·
· Score: 4, Insightful
Because it's pointless?
Perl is a different tool to C and C++ not because it's interpreted, but because of its language features. It's also (IMHO) a much more expressive language than C or C++, and has quite a few features that these languages lack (for instance, to have dynamic binding for new() in C++ requires a very ugly hack - see James O. Coplien's 'advanced C++ programming idioms' book for details), where Perl does this sort of thing with ease.
As others have said, you should have no problem with the Quake series.
However, also consider: (and you'll have to Google, don't have links to hand)
* Old favorites - open source too: XPilot - highly addictive 'Thrust' style battle game with a half-decent physics model. XTank - Multi user tank battle game.
These games have been out a while and will play on very modest hardware. We used to have all weekend LAN parties at university with xtank and xpilot on the Sun Sparcstations...in 1992, before the Microsoft world knew what Ethernet was!
* Newer games Return to Castle Wolfenstein: Enemy Territory - will run fine on a 1.7GHz system.
OK, so I live in the Isle of Man, not the UK, but our economy mostly reflects the UK.
Firstly, the original poster compared the UK economy with the German one. All the economic indicators show that the British economy is doing significantly better than the German economy. The original poster was inferring that the German economy was doing so much better than the British one when it's clearly not. There is less unemployment in Britain than Germany. Government borrowing requirement is lower in Britain.
Even in the economic "great times" there is some unemployment. Also, some sectors can do worse than others. Although the British economy is doing generally well compared to most other western economies, there are some sectors that are in recession. The tech sector is generally slow.
I'm neither a criminal nor a lottery winner, yet I managed to afford a 4-bedroom house which I bought last year. I work for $WE_MOVE_PARCELS in a decidedly middle-class position for pay that's par for the course for a sysadmin. House prices here are similar to Worcester in England.
Taxes are shooting up because of your government's open wallet policies, not the prevailing economic conditions.
As a GA pilot, I'm always very interested in the weather. One of my favorite sites for weather in my area is westwind.ch which has a lot of good stuff, and of course the good ol' Met Office aviation weather service. When in the United States, I tend to use the NOAA's ADDS service.
You can do quite well in a portable keyboard (for only liftable by a weightlifter values of portable) like my Roland A90. It's got a remarkably good 'hammer action' feel, complete with that little bit of rebound you feel on a real piano when the hammer mechanism falls back after striking the string. The reason why the keyboard is so heavy is the components that make up this hammer action.
It makes the keyboard MUCH nicer to play than your 'piece of plastic and hinge' style keyboards.
Local holes must be considered almost as bad as remote: I almost got rooted earlier this year because the cracker got user 'nobody' access via a buggy PHP script, then used the buggy PHP script to launch a local root exploit. Fortunately, I'd implemented a workaround against the local root exploit.
I wouldn't donate to this fund. He crossed the line - I have no sympathy for him. He deserves punishment - he went from merely revealing security weaknesses to actually trespassing and meddling (modifying, running up bills) someone's service.
If he did that to one of my servers, I wouldn't get the law involved, I'd go over there with the wire brush of enlightenment and give him a LARTing he wouldn't forget. If he merely told me about a vulnerability without going in and meddling with things, I would view it differently though. But he didn't - and that's the difference.
The only thing I hope he avoids is prison rape because that is truly disproportionate to his non-violent crime (and barbaric to boot, rape should never be part of prison).
AOL (and Hotmail, and other large ISPs) are frequently joe-jobbed - it's therefore worth it for them. If I can tell SpamAssassin to score anything above the threshold that purports to come from AOL, but not from their SPF IP allocation, it helps. Better still, now I can tell for certain that @aol.com mail really DID come from AOL, I can assign a negative score to AOL addresses since I know it's likely to be ham.
It wouldn't be good to subject someone to 0.5atm on regular air (20% O2) as their brain won't be functioning right even if they are still alive.
At 10,000 feet MSL, atmospheric pressure is around 19in Hg (IIRC). At sea level, standard pressure is 29.92in Hg. Most people are starting to be affected in some way by hypoxia when in an unpressurized plane at 10,000 feet MSL - they may feel perfectly alright, but they are mentally nowhere near as sharp as they would be at sea level. Not really a good thing in the ISS.
0.5atm is the equivalent of being at around 15,000 ft MSL without supplimental oxygen. The FAA requires pilots be using oxygen at this altitude in unpressurized aircraft. Most people are showing quite obvious hypoxia at this altitude without supplimental oxygen.
But will it filter the town name Scunthorpe as being offensive? AOL had this problem where people living in Scunthorpe suddenly found they could no longer use their town name.
You can look at http://user-mode-linux.sourceforge.net for more info.
Don't worry, they'll probably post it as a dupe in half an hour's time :-)
Well, I'd disagree that it's not useful for production use - I use it in production and find it much more useful than the old 'shove all the services on one box' approach. Ideally, I'd like one physical server for each of the things I use a UML for, but that's highly wasteful of physical resources (not to mention expensive to keep at the co-lo) - I can put up with a bit of memory wastage with UML (since the box has plenty of memory).
The main thing is that each UML (with the host built with skas) is just two processes on the host. It makes a Slashdotting much more bearable than the standard 'bung all the services on one box'. Since every single process in the FreeBSD jail shows up in the "host's" process table, the FreeBSD jail doesn't give you that. It's a case of making choices - some need to be economical with memory so a FreeBSD jail is best, others (like me) get a monthly Slashdotting [0] and would like the rest of the daemons on the server to keep serving when a single website is receiving the Slashdotting.
[0] Not from Slashdot, but the term is getting to be generic like 'googling'.
It's a little more than a FreeBSD jail, which looks like an almost-VM-but-not-quite. The UML is a complete VM that runs its own kernel (which can be different to the host, so it's good for experimenting), has its own memory allocation, own swap space etc. My physical server is split up into several UML instances - a little tiny one as a DNS server, a big one as a web server, a small one as a barebones webserver for static sites, another big one as a shell machine etc.
It does require more resources than just shoving everything on one physical box, but the advantages outweigh that. At kernel upgrade time, it's a lot less stressful rebooting a UML rather than the entire box since you can fix it if it goes wrong a lot easier (since I don't have physical access to the machine). It also allows me to allocate different amounts of resources to different web servers. Also, when the main web server UML gets Slashdotted, the shell system and other UMLs don't get completely starved of resources, since the host's run queue is only half a dozen processes long. In a traditional do-everything server, if you get Slashdotted, you can't even log in at all to check why your system has become unresponsive, because there's 200 cgi-scripts in the run queue, plus god knows how many Apache and MySQL instances all trying to run meaning your shell gets a miniscule timeslice. (It also means I can just block port 80 on the host to the UML being Slashdotted if I want to stop the Slashdotting - something you can't do if there's so little CPU left that SSH times out before you can log in).
I use User-Mode-Linux for my web/email/DNS servers. The co-lo that rents servers only rents RedHat servers. The 'host' still runs RedHat, but really very little of it - I have my own custom kernel (with skas patch, very useful if you are running UML virtual machines) on the RedHat host, plus iptables to act as a firewall. The RedHat host conceptually just runs as a network router.
/mnt/etc/network/interface etc. to set the right IP addresses etc.) then booted. After that, it's just a case of using apt-get to get the packages you want to run.
The real servers are all UML instances, all running Debian. The UML page on Sourceforge has a minimal Debian root disk image. I based my root images from these (created a new filesystem on the RedHat system of the appropriate size, mounted both, and cp -a from the minimal Debian install to the root filesystem file I was going to use, edited
The nice thing about separating all your services on different VMs within one host is you can apply decent firewall rules for each VM. If, say, your DNS UML got rooted because of an unpatched BIND (unlikely with Debian, since you can just apt-get update && apt-get upgrade to keep up to date) the skript kiddie - instead of having the run of your whole server and being able to deface your website (or worse) is locked into your DNS UML. Add proper egress firewall rules with iptables on the host, and you can prevent most skript kiddie attacks from being able to work.
Although I like the BSDs (I like all UNIX style OS, well, except a certain company whose name need not be mentioned), they can't yet (natively) do the equivalent of user mode Linux which is something I find incredibly useful. Hopefully they will in the future.
Sticking a few machines in your apartment and calling it a server is one thing, but needing a real (read fast and reliable) server is not something you do with consumer grade PCs. Also bear in mind physical space may be a real constraint. Co-los tend to charge quite a bit for each U in rack space, so sticking a white box mini tower is not an option. A consumer-grade box quickly gets swamped by dynamic traffic too - your typical cheap 5600 RPM ATAPI drive is just no match for an array of 15K RPM Ultra320 SCSI disks.
Try pricing up a fast AND reliable server on say, the HP site. You'll find to get the performance and reliability that Wiki needs to keep running with their level of traffic is NOT cheap.
But people DO behave sheeplike - i.e. sheeple.
Just a couple of days ago, I was with my Dad. We picked up our baggage from the airline baggage carousel, and we were the first to walk to the exit.
Trouble is, in our absentmindedness, we both set out for the door marked 'Fire Escape' instead of the proper (well-marked) exit. At least a dozen people blindly followed us, by which point we realised our mistake and turned around...
You'll see sheeple-like behaviour all around you every day - it's almost unavoidable. I think humans have a herding instinct.
Many escrow firms do a "Full Verification" escrow process, where the customer can go and have a look at some of the source code, and a build is demonstrated in front of the customer. That code is then immediately burned onto CD/DVD to go into escrow. Whilst you might get unlucky and only pick the really nice code examples to inspect, it's unlikely.
Our escrow agreement with the NCC (the escrowers) wasn't like that - one of the triggering events *is* the takeover of the software vendor, or support going away.
My first computer was a Sinclair ZX-81 with 1K of RAM. Got it in 1982 IIRC. Then I had the Spectrum +, and then bought a second-hand Sinclair QL. Yes, I had a 32-bit machine in 1988 :-)
My first PC was an Amstrad "portable" (full AT-sized keyboard, with a small 8 in or so supertwist monochrome display, and was capable of running on Duracells too). Then in 1990, I got a 386 for much less money than the dude in the article paid for his 286! About the same time I had my first experience of UNIX (an IBM PC/RT running AIX) and from then on I was hooked...I needed Unix of some sort for my 386. That dream was finally realised in early 1992 with Linux 0.12 (or was it 0.14?). In fact, one of my first USENET posts was asking about a kernel panic I was getting on the machine.
I learned C on that machine, running Linux 0.95. I even managed to get X to come up (I only had 2.5MB of RAM so it swapped a lot and wasn't really worthwhile). Upgrading to a 486 with 16MB of RAM in 1993 was luxury! And a sound card! And Ethernet! I had something like 50MB of disk space for Linux on that 486, and squeezed on gcc, X11 with the Open Look Virtual Window Manager and a few other things, and continued exploring C programming and writing small X11 apps. I only had about 2MB free. It worked with no swap space. I even built new kernels on it.
Now my machine menagerie consists of a P-II/266 used as an ADSL router running Linux, a Sun Ultra 5 (333MHz, 512MB RAM) running Solaris 8, and a P4-2GHz with 512MB of RAM running Linux.
This is Tranquility Base...the Beagle has landed!
Ah, but in hexdecimal, he's in his early 20s!
Much of the problem with the Windows VMM is that it *doesn't* want to swap to disk when it should be pushing unused pages out to disk. The working set trimmer *only looks at pages that are in the CPU TLB* to work out whether it should be pushing pages out to swap (definitely the case with NT, almost certainly still with 2K and XP). The upshot of this is that if you have a large process that touches just a few of its memory pages many times, but most of the process's pages are going unused, the unused pages will remain in physical RAM meaning another process which really does need all those pages in physical RAM will end up thrashing the swap space because the big, mostly quiet process isn't getting swapped out.
Write a program that mallocs a very large lump of memory, and then just touches 64 pages per second, and watch its physical RAM usage in the task manager, and start up a new large process that actually has a need for pages in RAM and you'll see exactly what I mean.
Because it's pointless?
Perl is a different tool to C and C++ not because it's interpreted, but because of its language features. It's also (IMHO) a much more expressive language than C or C++, and has quite a few features that these languages lack (for instance, to have dynamic binding for new() in C++ requires a very ugly hack - see James O. Coplien's 'advanced C++ programming idioms' book for details), where Perl does this sort of thing with ease.
As others have said, you should have no problem with the Quake series.
However, also consider: (and you'll have to Google, don't have links to hand)
* Old favorites - open source too:
XPilot - highly addictive 'Thrust' style battle game with a half-decent physics model.
XTank - Multi user tank battle game.
These games have been out a while and will play on very modest hardware. We used to have all weekend LAN parties at university with xtank and xpilot on the Sun Sparcstations...in 1992, before the Microsoft world knew what Ethernet was!
* Newer games
Return to Castle Wolfenstein: Enemy Territory - will run fine on a 1.7GHz system.
OK, so I live in the Isle of Man, not the UK, but our economy mostly reflects the UK.
Firstly, the original poster compared the UK economy with the German one. All the economic indicators show that the British economy is doing significantly better than the German economy. The original poster was inferring that the German economy was doing so much better than the British one when it's clearly not. There is less unemployment in Britain than Germany. Government borrowing requirement is lower in Britain.
Even in the economic "great times" there is some unemployment. Also, some sectors can do worse than others. Although the British economy is doing generally well compared to most other western economies, there are some sectors that are in recession. The tech sector is generally slow.
I'm neither a criminal nor a lottery winner, yet I managed to afford a 4-bedroom house which I bought last year. I work for $WE_MOVE_PARCELS in a decidedly middle-class position for pay that's par for the course for a sysadmin. House prices here are similar to Worcester in England.
Taxes are shooting up because of your government's open wallet policies, not the prevailing economic conditions.
As a GA pilot, I'm always very interested in the weather. One of my favorite sites for weather in my area is westwind.ch which has a lot of good stuff, and of course the good ol' Met Office aviation weather service. When in the United States, I tend to use the NOAA's ADDS service.
You can do quite well in a portable keyboard (for only liftable by a weightlifter values of portable) like my Roland A90. It's got a remarkably good 'hammer action' feel, complete with that little bit of rebound you feel on a real piano when the hammer mechanism falls back after striking the string. The reason why the keyboard is so heavy is the components that make up this hammer action.
It makes the keyboard MUCH nicer to play than your 'piece of plastic and hinge' style keyboards.
Local holes must be considered almost as bad as remote: I almost got rooted earlier this year because the cracker got user 'nobody' access via a buggy PHP script, then used the buggy PHP script to launch a local root exploit. Fortunately, I'd implemented a workaround against the local root exploit.
I don't think anything could be worse than being stuck in "It's a small world after all". Urgh.
Slashdot is NOT supposed to be unbiased. It's called /. for heaven's sake - if it was a Microsoft oriented site it would be \. (backslashdot.org)