But isnt the slashdot crowd always for the release of exploits?
Yes, indeed. However this isn't a release of an exploit, it is somebody saying "bring your machine, and I'll exploit it for you."
What this means, effectively, is that anyone who is prepared to go to the effort of sniffing packets can easily figure out what's going on, but the rest of us are still in the dark. I can't use this to test the machines on my internal network because there's no way I'm going to open the VNC ports on my firewall. He may be wrong when he says on the previous article that (e.g.) TightVNC isn't vulnerable, it may be vulnerable to a slight variation of the attack that could easy be found by somebody who knew how it worked, but because he's released no details to anyone who doesn't make a large effort to understand the problem we can't know that. But be sure that there are some blackhats out there who have already tested this and understand why it works who have tried to figure out if they can make it work on another version.
This behaviour is wrong in every way possible. Disclosure should be complete or not exist at all, IMO. Anything between is dangerous.
MS did *not* beat academia to this idea. See research performed in the late 90's, e.g. here (postscript document -- google cached html version here).
What they may have done is get the first working implementation, although I did first hear of people implementing this kind of system several years ago, I just can't find them now. There was a/. article about one, IIRC.
What happens in Alpha Centauri is that as you pump up the AI's cheat factor, the only practical difference is that it affects the odds of AI stomping on me in the first hundred turns or not. Once I get established, the AI loses almost no matter what.
I strongly suspect that this is a general pattern; as you throw resources at a bad AI, it gets linearly stronger, but at least in a Civ game, the human is getting geometrically stronger as the game progresses.
I used to see that a lot in the original Civ games, but I think in Civ3 they largely solved it by the introduction of new game rules that make it increasingly harder to grow a civilization beyond a certain size (the farther cities are from your capital, the higher the percentage of production and income is lost to 'corruption') -- this has the effect of pushing the growth of your power back towards linear. And I hate the rule, I think it's one of the worst aspects of Civ3.
The cost of additional complexity in a kernel is a couple orders of magnitude higher than your run of the mill php app.
That's just not true in most realistic situations. When my PC is working flat out on a hard problem, it typically runs with ~2% CPU time in the kernel and about 98% in userspace. Even IO bound operations tend to only use about 4% kernel CPU time. Even if the kernel took twice as long to perform each operation I'd only lose another 4/96 = less than 5% performance overall. Whereas if I double the amount of processor time it takes php to run that PHP script (lets say I'm talking about MediaWiki, which can easily reach 100% CPU usage without needing very many users to hit it on my feeble server), then I see a noticeable degradation in performance, probably more like 30-40%.
So you see putting the same efficiency loss in the kernel results in substantially less overall system performance loss, because the average computer spends much less time executing kernel code than user code. Obviously this isn't true for every system, and systems that are doing very kernel-usage-intensive operations (particularly memory thrashing during a process that forks many subprocesses, e.g. a memory intensive shell script, or passing large volumes of data through a non-shared-memory IPC mechanism) will be affected much more than user-mode-intensive operations (e.g. number crunching or data processing written in an interpreted programming language).
1. Form limited-liability company
2. Create shady online file-sharing service.
3. Attract attention to your company by any means possible EXCEPT by becoming popular amongst users.
4. Pay yourself an attractive salary out of venture capital and advertiser's money
5. Pay 30M $ of you company's money and agree to stop your company's illegal activities in order to ensure you are not personally prosecuted
6. You: Profit.
7. Your company (and any shareholders who didn't work directly for it): Loss.
If they don't open their implementation GCJ will catch in a year or so and it will quickly become the reference implementation that everyone will track in server environments.
I doubt it. Classpath is a *long* way behind the current J2SE APIs. From the site: "GNU Classpath 1.0 will be fully compatible with the 1.1 and largely compliant with the 1.2 API specification and will have a stable API for interacting with virtual machines." That version hasn't been released yet. Admittedly, some work has already been done on the 1.3 and 1.4 APIs, although these are nowhere near complete. In the meantime, Sun is preparing to release 1.6. Classpath might catch up to where Sun is now in about 2 years' time. But Sun will have moved on again, and Classpath will be struggling again.
If you have a hundred threads waiting on an object, but need to be able to notify a specific one, you have a design error. Have the threads waiting on different objects depending on which condition should wake them, then just use notify() if any one thread can procede (e.g. you've added an item to a queue to be processed by a worker thread) or notifyAll() if all can (e.g. a result that they are waiting for has been calculated).
The only downside to this is that you can't wait on multiple objects, but the need to do that is usually indicative of a design flaw, too.
The only *free* and open alternative in these terms is python, which somewhat provides the same capalibilites but is somewhat limited on other features (network class loading as one example).
I wouldn't recommend Python for work on multi-cpu systems. It has a global lock that means that only one thread may be executing python code at a time. Python only scales in a cluster-like fashion, not with big & fast systems.
From the `popular` languages, php seems to be only one who is totally ignoring threading and just focuses on having a single process for it all.
Yeah, well, you only have to look at what the language was designed for to realise that multithreading in that environment just isn't particularly useful. Not to mention that they still have problems with dependencies on non-threadsafe libraries.
Oh, come on, name me one major hollywood movie with more realistic IT in it. This is mass-market fiction, if it was authentic then it would not be as successful.
The problem is not that it is unrealistic. The problem is that the books are marketed as well-researched and authentic, and people actually believe this. From the first quoted review on Brown's web site:
MIDWEST BOOK REVIEW "Digital Fortress is the best and most realistic techno-thriller to reach the market in years.
Other reviews aren't quite so blatant, but all of them suggest that the book is in some way authentic. This is why so many people object to Brown's books when others are allowed to pass with science and technology that is at best dodgy... Brown is just as bad, but is marketed as "realistic".
Yahoo! News is reporting on the launch of the Software Freedom Conservancy
No it isn't, the link goes to a PR Newswire page, which is an automatic feed that is carried by Yahoo!. In this case, all we can say is that Yahoo is redistributing an article that was written, published and paid for by the Software Freedom Conservancy on the their own launch.
In case you don't understand the significance of this, the way it was originally written implies that Yahoo! believes this to be significant enough to report on it. They made no such assessment.
Also, why was this article submitted (and published) with a mailto link to 'nobody@example.com'? That's hardly a useful address.
You can use Diffie-Hellman or a similar mechanism to exchange keys securely, but you still can't be sure that you are communicating with the right person
Bear in mind that Diffie Hellman et al are less secure than OTP encryption; it might be impractical to do so, but it is theoretically possible to reverse the process and determine the keys involved. OTP is theoretically unbreakable.
The point is how do you get those parameters to the other party secretly? This is the same problem as giving them a one-time pad generated any random way.
Not really: those parameters are smaller than the amount of random data they generate. You end each message with 'sample the next key from quaser #332527 on frequency #3321 at 13:27:03.52 GMT tomorrow afternoon and generate a 10 meg key; I'm gonna send you a large file' or the like.
Basically, it's a compression scheme for random data. Of course, there really is no such thing and because of this the data lacks randomness, making the key potentially insecure... but it would be very difficult for a potential cracker to exploit this particular lack of randomness.
A fresh installation of my nLited XP is just over 1 GB of HDD space (whereas the typical XP installation can top 3 GB).
Err... no. I recently installed XP with default options on a 2.1GB drive, and that worked just fine. OK, it wouldn't install SP2 due to not having enough disk space to uncompress it, but then SP2 includes a copy of almost every file that's shipped with windows anyway, so what this means is that there wasn't space for two copies of WinXP on the disk.
If you have a 3GB default XP install, you've probably installed both SP1 and SP2 and not deleted the backups. Just go into %windir% and delete the uninstall directories.
Apparently each 300GB disk is about the size of a DVD (but thicker due to it having it's own little shell, like a floppy/zip/mini disk).
A DVD has a usable data area of about (6cm * 6cm - 2cm * 2cm)*PI =~ 100cm^2, or about 15.5 sq in. Allow a little for lead in and lead out, and this gives you about 20GB per square inch, not the 515 described in the article. 515 would give you a DVD sized disc that stored over 8 terabytes, i.e. substantially more than they're talking about. Anyone know what gives?
Tabs aren't MDI - MDI sucked, which is why you don't see it much any more
No, the reason you don't see MDI any more is that microsoft declared that it confused users (because they couldn't find their documents) and migrated all their apps away from it, prefering instead the I.E.-like model of using a window per document. When users complained that the number of windows was hard to manage on the desktop, they added task bar button grouping to Windows. Other developers, seeing what MS had done, decided to follow suit.
In the meantime, a number of application developers had discovered the way of solving this problem without throwing out the baby (i.e., single window/multiple documents) with the bathwater: present a list of available documents in some obvious way to the user. The earliest app I know of that did this was a text editor called EditPlus, which had a Windows-taskbar style arrangement along the bottom of its window to show what was available. I believe Opera was also an early adopter. Then Mozilla borrowed Opera's concept, and the era of the tabbed user interface was upon us. They started showing up everywhere. But, basically, they _are_ MDI -- a way of showing multiple documents in a single window. Many of them even work with the same MDI implementation that has always existed in Windows. I believe, for instance, this is how Visual Studio works these days: MDI + tabs. I'm not certain, though, I only have version 6 here. Certainly the.NET dev tools I have here (SharpCode, Microsoft WebMatrix) both use this model.
Unfortunately, OpenOffice hasn't switched to it. I really wish they would.
IE does not have popup blocking, XP does. IE on W2K doesn't block shite.
It is actually IE that does the blocking. It's just that there's a version of IE that'll only run on XP SP2 (and is only distributed with that service pack/OS).
If you don't believe me, tell me what version of IE you have on W2K. I have version "6.0.2900.2180.xpsp_sp2_gdr.050301-1519". Bet your version is a different one.
The fact that GPL requires a lawyer to describe what you can and can not do with software is scary enough for businesses. "If we compile our proprietary software with gcc, do we now have to distribute the source?"
You should check that with other compilers, too. The last commercial compiler I bought (a version of Borland C++) came with a list of exclusions to the license that meant any given project may or may not be legal to distribute in binary form if compiled by it, depending on what kind of software it was. I forget the details, but I recall that "operating environments" (which could have described what I was developing at the time) were not permitted, and I think anything that competed with a Borland product may have been excluded.
GCC's fairly simple: all you need to do is read the licences in question (there are two, the one for GCC itself, which is traditional GPL, and one for 'glibc', which is GPL plus an exception to the requirement to license any product linked with it under the GPL) to realise that the answer to your question is no. Anyone reasonably well educated can do it. Certainly any experienced and competent IT manager ought to be able to.
"If we include the GPL'd drivers for the left-handed USB Framis, are we compelled to release our source, or just the driver's source code?"
A slightly more complex question, but it's still reasonably simple to answer. Read the license. It outlines cases where this is necessary in very clear (although admittedly technical) terms. Also note, most businesses would probably ask a lawyer to check the license terms on any product that they purchased the right to use like this anyway.
Businesses do not like confusion. The government gives us all that we can stand, so adding in an obscure, vision-inspired license doesn't make us comfortable.
I think the only way you can describe the GPL as obscure is if you haven't read it. The GPL v2 is very easy to read, and the GPL v3 draft is even easier.
MPEG-1 doesn't get the nice compression that a.wmv with an mpeg-4 codec will. Stand-alone (.mp4) MPEG4 decoders aren't widespread yet, and h.264 even less so. Then again, the target audience can get themselves an h.264 decoder without much trouble.
No, but MPEG4 in AVI is much more widely supported.
Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
I believe you are mistaken. Not only would it violate the principle that once you have paid for a license it is yours to dispose of as you wish (doctrine of first sale), Microsoft specifically grants downgrade rights in many of their licenses anyway -- e.g., if you want a second license for Office 97 you can buy a recent version of Office and install from your old Office 97 disk if you want.
I mean, this is OpenOffice.org 2.0, what did Microsoft Office 2.0 look like?
Bad analogy. It might be OO.o 2, but it's also StarOffice 7. Winword is also on its 7th version, IIRC (they were numbered 1, 2, 6, 95, 97, 2000, 2003).
Mods, the parent post is *not* offtopic. It's an important question, the answer to which is "no, it isn't.".
But isnt the slashdot crowd always for the release of exploits?
Yes, indeed. However this isn't a release of an exploit, it is somebody saying "bring your machine, and I'll exploit it for you."
What this means, effectively, is that anyone who is prepared to go to the effort of sniffing packets can easily figure out what's going on, but the rest of us are still in the dark. I can't use this to test the machines on my internal network because there's no way I'm going to open the VNC ports on my firewall. He may be wrong when he says on the previous article that (e.g.) TightVNC isn't vulnerable, it may be vulnerable to a slight variation of the attack that could easy be found by somebody who knew how it worked, but because he's released no details to anyone who doesn't make a large effort to understand the problem we can't know that. But be sure that there are some blackhats out there who have already tested this and understand why it works who have tried to figure out if they can make it work on another version.
This behaviour is wrong in every way possible. Disclosure should be complete or not exist at all, IMO. Anything between is dangerous.
MS did *not* beat academia to this idea. See research performed in the late 90's, e.g. here (postscript document -- google cached html version here).
/. article about one, IIRC.
What they may have done is get the first working implementation, although I did first hear of people implementing this kind of system several years ago, I just can't find them now. There was a
What happens in Alpha Centauri is that as you pump up the AI's cheat factor, the only practical difference is that it affects the odds of AI stomping on me in the first hundred turns or not. Once I get established, the AI loses almost no matter what.
I strongly suspect that this is a general pattern; as you throw resources at a bad AI, it gets linearly stronger, but at least in a Civ game, the human is getting geometrically stronger as the game progresses.
I used to see that a lot in the original Civ games, but I think in Civ3 they largely solved it by the introduction of new game rules that make it increasingly harder to grow a civilization beyond a certain size (the farther cities are from your capital, the higher the percentage of production and income is lost to 'corruption') -- this has the effect of pushing the growth of your power back towards linear. And I hate the rule, I think it's one of the worst aspects of Civ3.
The cost of additional complexity in a kernel is a couple orders of magnitude higher than your run of the mill php app.
That's just not true in most realistic situations. When my PC is working flat out on a hard problem, it typically runs with ~2% CPU time in the kernel and about 98% in userspace. Even IO bound operations tend to only use about 4% kernel CPU time. Even if the kernel took twice as long to perform each operation I'd only lose another 4/96 = less than 5% performance overall. Whereas if I double the amount of processor time it takes php to run that PHP script (lets say I'm talking about MediaWiki, which can easily reach 100% CPU usage without needing very many users to hit it on my feeble server), then I see a noticeable degradation in performance, probably more like 30-40%.
So you see putting the same efficiency loss in the kernel results in substantially less overall system performance loss, because the average computer spends much less time executing kernel code than user code. Obviously this isn't true for every system, and systems that are doing very kernel-usage-intensive operations (particularly memory thrashing during a process that forks many subprocesses, e.g. a memory intensive shell script, or passing large volumes of data through a non-shared-memory IPC mechanism) will be affected much more than user-mode-intensive operations (e.g. number crunching or data processing written in an interpreted programming language).
This plan still isn't entirely accurate:
1. Form limited-liability company
2. Create shady online file-sharing service.
3. Attract attention to your company by any means possible EXCEPT by becoming popular amongst users.
4. Pay yourself an attractive salary out of venture capital and advertiser's money
5. Pay 30M $ of you company's money and agree to stop your company's illegal activities in order to ensure you are not personally prosecuted
6. You: Profit.
7. Your company (and any shareholders who didn't work directly for it): Loss.
Ned Ludd called. He wants his philosophy back.
If they don't open their implementation GCJ will catch in a year or so and it will quickly become the reference implementation that everyone will track in server environments.
I doubt it. Classpath is a *long* way behind the current J2SE APIs. From the site: "GNU Classpath 1.0 will be fully compatible with the 1.1 and largely compliant with the 1.2 API specification and will have a stable API for interacting with virtual machines." That version hasn't been released yet. Admittedly, some work has already been done on the 1.3 and 1.4 APIs, although these are nowhere near complete. In the meantime, Sun is preparing to release 1.6. Classpath might catch up to where Sun is now in about 2 years' time. But Sun will have moved on again, and Classpath will be struggling again.
If you have a hundred threads waiting on an object, but need to be able to notify a specific one, you have a design error. Have the threads waiting on different objects depending on which condition should wake them, then just use notify() if any one thread can procede (e.g. you've added an item to a queue to be processed by a worker thread) or notifyAll() if all can (e.g. a result that they are waiting for has been calculated).
The only downside to this is that you can't wait on multiple objects, but the need to do that is usually indicative of a design flaw, too.
The only *free* and open alternative in these terms is python, which somewhat provides the same capalibilites but is somewhat limited on other features (network class loading as one example).
I wouldn't recommend Python for work on multi-cpu systems. It has a global lock that means that only one thread may be executing python code at a time. Python only scales in a cluster-like fashion, not with big & fast systems.
From the `popular` languages, php seems to be only one who is totally ignoring threading and just focuses on having a single process for it all.
Yeah, well, you only have to look at what the language was designed for to realise that multithreading in that environment just isn't particularly useful. Not to mention that they still have problems with dependencies on non-threadsafe libraries.
The problem is not that it is unrealistic. The problem is that the books are marketed as well-researched and authentic, and people actually believe this. From the first quoted review on Brown's web site:
Other reviews aren't quite so blatant, but all of them suggest that the book is in some way authentic. This is why so many people object to Brown's books when others are allowed to pass with science and technology that is at best dodgy... Brown is just as bad, but is marketed as "realistic".
Yahoo! News is reporting on the launch of the Software Freedom Conservancy
No it isn't, the link goes to a PR Newswire page, which is an automatic feed that is carried by Yahoo!. In this case, all we can say is that Yahoo is redistributing an article that was written, published and paid for by the Software Freedom Conservancy on the their own launch.
In case you don't understand the significance of this, the way it was originally written implies that Yahoo! believes this to be significant enough to report on it. They made no such assessment.
Also, why was this article submitted (and published) with a mailto link to 'nobody@example.com'? That's hardly a useful address.
You can use Diffie-Hellman or a similar mechanism to exchange keys securely, but you still can't be sure that you are communicating with the right person
Bear in mind that Diffie Hellman et al are less secure than OTP encryption; it might be impractical to do so, but it is theoretically possible to reverse the process and determine the keys involved. OTP is theoretically unbreakable.
The point is how do you get those parameters to the other party secretly? This is the same problem as giving them a one-time pad generated any random way.
Not really: those parameters are smaller than the amount of random data they generate. You end each message with 'sample the next key from quaser #332527 on frequency #3321 at 13:27:03.52 GMT tomorrow afternoon and generate a 10 meg key; I'm gonna send you a large file' or the like.
Basically, it's a compression scheme for random data. Of course, there really is no such thing and because of this the data lacks randomness, making the key potentially insecure... but it would be very difficult for a potential cracker to exploit this particular lack of randomness.
A fresh installation of my nLited XP is just over 1 GB of HDD space (whereas the typical XP installation can top 3 GB).
Err... no. I recently installed XP with default options on a 2.1GB drive, and that worked just fine. OK, it wouldn't install SP2 due to not having enough disk space to uncompress it, but then SP2 includes a copy of almost every file that's shipped with windows anyway, so what this means is that there wasn't space for two copies of WinXP on the disk.
If you have a 3GB default XP install, you've probably installed both SP1 and SP2 and not deleted the backups. Just go into %windir% and delete the uninstall directories.
Apparently each 300GB disk is about the size of a DVD (but thicker due to it having it's own little shell, like a floppy/zip/mini disk).
A DVD has a usable data area of about (6cm * 6cm - 2cm * 2cm)*PI =~ 100cm^2, or about 15.5 sq in. Allow a little for lead in and lead out, and this gives you about 20GB per square inch, not the 515 described in the article. 515 would give you a DVD sized disc that stored over 8 terabytes, i.e. substantially more than they're talking about. Anyone know what gives?
Lem predicted Wikipedia (an encyclopedia so up-to-date, it can predict the future):
Wikipedia is not a crystal ball.
Tabs aren't MDI - MDI sucked, which is why you don't see it much any more
.NET dev tools I have here (SharpCode, Microsoft WebMatrix) both use this model.
No, the reason you don't see MDI any more is that microsoft declared that it confused users (because they couldn't find their documents) and migrated all their apps away from it, prefering instead the I.E.-like model of using a window per document. When users complained that the number of windows was hard to manage on the desktop, they added task bar button grouping to Windows. Other developers, seeing what MS had done, decided to follow suit.
In the meantime, a number of application developers had discovered the way of solving this problem without throwing out the baby (i.e., single window/multiple documents) with the bathwater: present a list of available documents in some obvious way to the user. The earliest app I know of that did this was a text editor called EditPlus, which had a Windows-taskbar style arrangement along the bottom of its window to show what was available. I believe Opera was also an early adopter. Then Mozilla borrowed Opera's concept, and the era of the tabbed user interface was upon us. They started showing up everywhere. But, basically, they _are_ MDI -- a way of showing multiple documents in a single window. Many of them even work with the same MDI implementation that has always existed in Windows. I believe, for instance, this is how Visual Studio works these days: MDI + tabs. I'm not certain, though, I only have version 6 here. Certainly the
Unfortunately, OpenOffice hasn't switched to it. I really wish they would.
It's great for Windows users also since it can show Linux-browsers like Konqueror etc also.
You can run Konq on Windows using the cygwin port of KDE. Works just fine for me.
IE does not have popup blocking, XP does. IE on W2K doesn't block shite.
It is actually IE that does the blocking. It's just that there's a version of IE that'll only run on XP SP2 (and is only distributed with that service pack/OS).
If you don't believe me, tell me what version of IE you have on W2K. I have version "6.0.2900.2180.xpsp_sp2_gdr.050301-1519". Bet your version is a different one.
The fact that GPL requires a lawyer to describe what you can and can not do with software is scary enough for businesses. "If we compile our proprietary software with gcc, do we now have to distribute the source?"
.NET framework EULA, or the even harder to understand Intel Performance Primitives Library EULA.
You should check that with other compilers, too. The last commercial compiler I bought (a version of Borland C++) came with a list of exclusions to the license that meant any given project may or may not be legal to distribute in binary form if compiled by it, depending on what kind of software it was. I forget the details, but I recall that "operating environments" (which could have described what I was developing at the time) were not permitted, and I think anything that competed with a Borland product may have been excluded.
GCC's fairly simple: all you need to do is read the licences in question (there are two, the one for GCC itself, which is traditional GPL, and one for 'glibc', which is GPL plus an exception to the requirement to license any product linked with it under the GPL) to realise that the answer to your question is no. Anyone reasonably well educated can do it. Certainly any experienced and competent IT manager ought to be able to.
"If we include the GPL'd drivers for the left-handed USB Framis, are we compelled to release our source, or just the driver's source code?"
A slightly more complex question, but it's still reasonably simple to answer. Read the license. It outlines cases where this is necessary in very clear (although admittedly technical) terms. Also note, most businesses would probably ask a lawyer to check the license terms on any product that they purchased the right to use like this anyway.
Businesses do not like confusion. The government gives us all that we can stand, so adding in an obscure, vision-inspired license doesn't make us comfortable.
I think the only way you can describe the GPL as obscure is if you haven't read it. The GPL v2 is very easy to read, and the GPL v3 draft is even easier.
Compare it with other organisations redistribution licenses, e.g. the Microsoft
As long as you went expecting a Will Smith action flick, not an Asimov big screen adaptation, it wasn't too bad.
MPEG-1 doesn't get the nice compression that a .wmv with an mpeg-4 codec will. Stand-alone (.mp4) MPEG4 decoders aren't widespread yet, and h.264 even less so. Then again, the target audience can get themselves an h.264 decoder without much trouble.
No, but MPEG4 in AVI is much more widely supported.
Under the MS EULA, once you upgrade your software, you have no rights to use the older version(s). This means that if the 'upgrade' breaks your mission-critical software you are so toast.
I believe you are mistaken. Not only would it violate the principle that once you have paid for a license it is yours to dispose of as you wish (doctrine of first sale), Microsoft specifically grants downgrade rights in many of their licenses anyway -- e.g., if you want a second license for Office 97 you can buy a recent version of Office and install from your old Office 97 disk if you want.
I mean, this is OpenOffice.org 2.0, what did Microsoft Office 2.0 look like?
Bad analogy. It might be OO.o 2, but it's also StarOffice 7. Winword is also on its 7th version, IIRC (they were numbered 1, 2, 6, 95, 97, 2000, 2003).