Slashdot Mirror


User: WNight

WNight's activity in the archive.

Stories: 0
Comments: 6,024
Profile: (view on slashdot.org)

Comments · 6,024

  1. Re:Patches on the game! on Xbox Auto-Update Blocks Linux Usage · Score: 1

    People do bitch when Tivo patches away a feature they wanted.

  2. Re:Business Opportunity on Canada Immune From RIAA? · Score: 2, Interesting

    If the filesharing in the US was a crime, the US government could crack down on US residents. But what they'd see is people connecting via some encrypted protocol to a Canadian P2P network and, if it was set up to be anonymous, all file transfers would go through this proxy. You wouldn't know if the person who hosted the file you were downloading was in the US or anywhere else in the world.

    The US wouldn't be able to get the Canadian provider to provide information on who was downloading copyrighted music and who was only downloading Linux ISOs, because the music downloading doesn't appear to be a violation in Canada.

    That means they'd have to either firewall away access to this whole service, hard to justify if it has legal use, or try to snoop on the network traffic. Hard to justify as well as being quite hard to do.

    As you said, far more expensive either way.

  3. Re:Business Opportunity on Canada Immune From RIAA? · Score: 1

    And how would they be caught? They'd be connecting via (I assume) encrypted connections into Canada. The US authorities would assume they're up to no good, but without the cooperation of the Canadians they wouldn't be able to prove anything.

    The Canadian company wouldn't actually provide any content, just the bandwidth. They'd get paid even if you swapped Linux ISOs so they'd have a defense in that way. (If they charged for the right to copy music they'd be violating copyright and would be in trouble. As long as they simply provide the wires, they're fine.)

  4. Re:Worrysome? on Nmap Gets Version Detection · Score: 1

    Telnet the protocol, sure. But there's also a standard telnet server port. This is how you login remotely and where the problems are.

    Too bad SSH wasn't invented sooner, everything would be using it instead of Telnet.

  5. Re:what? on Xbox Auto-Update Blocks Linux Usage · Score: 1

    They'll install that new speed-limiter too, while they're there. And of course, disable the air conditioner because it uses freon. But that's okay, you can always leave your CC in the glove-box and they'll put one of the new ones in next time they drop by. It won't be as efficient or anything, but they really think it's time for you to switch.

  6. Re:what? on Xbox Auto-Update Blocks Linux Usage · Score: 1

    Just as a counterpoint to the AC, I want to say that it's people like you who keep this world from sucking. If everyone bent over for EULAs just because of a page of tiny print, we'd quickly be paying every time we looked at someone wearing copyrighted clothes and signing away our right to comment on a book or movie by buying it, yet we'd still be forced to sit through a long FBI warning and tossed in jail for trying to bypass the coming attractions.

  7. Re:Uhm... on Does C# Measure Up? · Score: 1

    Have some experts pointed out WMDs in Iraq? If so, it is correct to say so. If some experts have suggested that there are WMDs in Iraq it's a totally different story. One is factual, the other hearsay. Either can be weaseled.

  8. Re:Again, you are speaking... on Does C# Measure Up? · Score: 1

    Obviously, if you wanted to be able to load strcat separately from strtok, they'd need to be written to be separated. If they both rely on the same globals it won't work. This would require a rewrite of the standard libraries, but probably not a painful one as old monolithic libraries would suffice and as new modular libraries replaced them statically linked code would just get smaller.

    As for performance, this shouldn't matter. Of course, if you hit the disk to load each function as you got to it, you'd have trouble. There's no reason to do this though. If you're statically linking you simply only include the code asked for, if you're dynamically linking you prepare a list of the needed libraries and the OS can load them all at once at the start of executing. (This is actually how it's done, but with whole libraries at a time instead of tiny little single-function libraries.)

    As for the compiler complexity, I think it's a nonexistent issue. Compilers already recursively evaluate include statements. Instead of specifically using #include you'd be including a namespace, so the compiler knew which strcat to include, but at this point it simply links the code. A hundred external functions is a hundred external functions, regardless of being in one file or fifty. There's a slight increase in disk IO but fairly slight.

  9. Re:And this is this news to who? on Most Movies On P2P From Insiders? · Score: 2, Insightful

    For people who scoff at conspiracy theories, remember that it only takes one boss to "joke" about such an idea, one employee to do it on his own time, and year-end bonuses to reward the employee without actually establishing a link between the illegal action and the boss or the company.

    The boss has plausible deniability. Even if the conversation was recorded he only said "Damn Company X and their fleet of trucks", he didn't tell the employee to pour sugar in their tanks. It was all a terrible misunderstanding, that terrible lawbreaking employee did it of their own initiative.

    Maybe some RIAA mid-manager in charge of P2P stuff commented on how much easier it would be to shut down KaZaa if it started to deliver kiddy porn when you searched for a song...

  10. Re:When will they give up? on HP Introduces Transmeta Thin Clients · Score: 1

    I think it has to do with CPU speeds vs wire speeds.

    LAN networking stayed fairly steady at 1-10mbps shared until 100mbps Ethernet took off a few years ago. Easily fast enough to update text screens and to do simple GUIs. And back then it was cheaper to buy a big CPU instead of a desktop big enough to do the heavy duty stuff you have to allow for but which isn't the norm.

    But then wire speed stayed at 10mbps for a while and CPUs got cheaper while GUIs which needed this power got more common. Now it's harder to run thin clients because they demand much larger updates and these new 386 and 486 CPUs aren't really that expensive, and they're 50(!) times faster than computers from a few years ago. Not to mention, hard drives made local storage a reasonable alternative.

    But now you've got 100mbps and 1000mbps switched ethernet, delivering ten or one hundred times the speed and it becomes practical to start sending a desktop over the net again, or 100MB boot images and programs.

    The equation has also changed, now 2.5GHz Athlon CPUs are 80USD, they give them away in crackerjack boxes. While there is never 'fast enough', there is 'fast enough for business apps' and hardware is ahead of the curve. Networking is fast, cheap, and getting faster and cheaper every year. The cost is now people. Administration, the workplace, etc. Keeping you at your desk and letting you maintain apps that everyone uses instead of travelling to maintain an app only one person uses saves the company enough money to probably buy a thin client every week.

  11. Re:Maybe Dave Barry could start a ternd. on Dave Barry Strikes Back Against Telemarketers · Score: 1

    A very good comparison I think. By their very nature, guerilla (and terrorist) groups are distributed in nature. They share goals, but only loosely.

  12. Re:C'mon Now on More on SCO Code Snippets · Score: 1

    Why shouldn't his family suffer? That's like saying his car shouldn't be repossessed because his wife, who doesn't follow what SCO does, drives it too.

    He's perfectly willing to ruin my family's life if he thinks suing me will help.

    He should suffer exactly the same fate he's dishing out. This namby-pamby, "we're the good guys, we suffer in silence" attitude is why this shit happens. If Enron execs actually had their ill-gotten money taken away and were tossed into prison as long as you'd be if you embezzled from your job, we might see less of their fraud and lies. If their families could be hurt (lose their houses and cars that dad's money paid for) they might encourage him to a more law-abiding lifestyle.

  13. Re:Do not call lists will lower sales on Dave Barry Strikes Back Against Telemarketers · Score: 1

    Heard of the soup kitchen?

    Hey, I'm broke and I really want to keep cable TV and net access, so because I can't find work I really want I'm going to come steal your stuff. But, I've got no choice you see... It's actually immoral of you to complain. In fact, to save time and make it easier for me in this tough world, could I ask that you have your stuff packed in the original shipping materials and sitting on the porch around 10pm, or would 11:30 work better for you? I can stop by either on my way to or from the video rental store.

    You're the one who's never been down and out. When you stop worrying about keeping your car and the TV, let alone cable TV, there's someone there to keep you from hitting rock bottom. They may drone on about god while you eat but at least they'll give you food. Starvation *does not happen* in North America, unless you choose it. We are so far from truly down and out that it's not even funny.

  14. Re:Maybe Dave Barry could start a ternd. on Dave Barry Strikes Back Against Telemarketers · Score: 1

    The value of this posting is that it illustrates how little technical knowledge is really needed for a DoS attack and how widespread anti-SCO sentiment is. They paint it as if ESR must have been in contact with an uber-hacker, someone who takes out Gibsons for fun while skateboarding around school, when the reality is that a thousand people pissed off with SCO's lies are all independently taking their revenge, everything from a simple wget bomb to more advanced attacks.

    This isn't some huge coordinated effort that requires one of our "leaders" to perform, it's a trivial hack that anyone pissed off at McBride's latest lies can implement in a minute or two.

  15. Re:BSD and the screws: A hopeful view on Microsoft Plans IE Changes Due to Plugin Patent · Score: 1

    How can you "invent" a plugin where content is displayed inline?

    That's the most fucking basic idea. We display GIFs inline, why is it hard to imagine displaying QuickTime inline? And if we can imagine doing it, what does it matter if it's part of the browser (simple picture formats) or a stand-alone program? That's what OLE is/was, object-linking-and-embedding, the idea of putting a picture into a word document, yet having that be a live link to the latest copy of the picture.

    Patents these days are for shit. The stupidity of the US patent office has essentially ruined things for valid patents. Patenting "business models" and other end-results instead of patenting the specific functionality behind a new solution, goes against everything patents stand for.

    Really, the only thing to do in this case is treat this guy like a spammer, or Rambus, or SCO. He's a vandal seeking to profit off the work of others. He obviously doesn't care if he ruins legitimate inventors on the way. Scum. Hopefully someone shoots him.

  16. Re:Childish screening procedures. on Linus to SCO: 'Please Grow Up' · Score: 1

    The AC makes a good point and perhaps I can raise it high enough so that people who don't read AC posts can see it.

    Discrimination isn't illegal. It's not even bad.

    Discriminating taste is what enables you to decide what movies to see, or what games to play, etc. (For example, my taste in movies lets me discriminate between SW:Ep3 and LotR:RotK.)

    To go further, prejudice isn't necessarily bad.

    I'm prejudiced against Star Wars movies now because the last two have been bad. I'm not going to go see the next unless I hear enough good things about it. Had it not been for the last two movies I'd have said "A StarWars movie? WOW!", as I did about Episode 1.

    Prejudice is only a problem when you base it on stereotypes and are unwilling to change your opinions based on experience. (For example, seeing Ep3 and deciding it's a good movie after all.)

  17. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    The thing is that reinstalling doesn't cost $25k, reinstalling costs a few hundred maybe. Assuming you've got procedures to deal with non-hacker downtime, like spilled coffee, or a dead motherboard, you've got procedures to rebuild a server from data (not program) backups in a short time. Ideally, you've also got a few old machines in the closet ready to be drop-in replacements for your critical machines after getting a copy of the latest data. So you pull out a spare and rebuild your server.

    The rest of that $25k, the other 24, is the sign that the NYT didn't have these procedures. They panicked and called emergency meetings, they had downtime, etc. They then tried to charge this to the hacker, even though this was all stuff they should have done before.

    What would they have done if someone had merely said "The NYT's http headers say they're using Version X, and it's got this nasty bug?" Why does the same work (ignoring the remaking of that server) get billed to the hacker, but not to the guy who announces the flaw? (Not that I'm advocating limits on announcing flaws, even ones discovered by legal snooping.)

  18. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    What can be done? Tons. Intrusion detection, robust firewalling, compartmentalization, easy backup and restore procedures. Try your best to limit everything incoming to just what you use. If you've got an internal and external NIC in the webserver, don't have anything but httpd listen to the external one, and don't have anything else but sshd running at all. Use keys and passwords. Run scripts which dump real-time logs onto a hardened machine (potentially even straight to a line printer). Run other scripts (logging to these logs) which check for any outgoing connections or open ports. Run another hidden script that watches for the death of the first one. Leave honeypot files around, like a fake SUID binary, and watch for them to be accessed. Don't just run in a chroot jail, lock the whole machine down... never need to ssh out from there? Remove ssh. Better yet, trojan it to alert you and fail with a cryptic error message. Remove everything that your webserver doesn't require to run, then run it in a chroot'ed jail. The list is endless.

    The general idea is, be prepared to respond to a break-in, and set up the system so that if they get access to one thing they can't get access to anything else. Set it up so that they don't get anything of value if they do break in.

    I don't remember the specifics of Code Red, but a friend's company runs IIS servers and they didn't get hit by Code Red. They had a Linux box in front of the servers blocking everything they didn't want to receive and it kept them safe, even before the details of Code Red were released. It even blocked it for multiple reasons, like having ".exe" in the request, the request being too long to anything other than the one upload URL, etc. That's how they remained safe when faced with a virus exploiting a hole they didn't know about.

    And, no, you can't sue the burglar for the cost of replacing the lock if he didn't damage it. It's still just as (in)effective as it was before he came through, it's your fault it's a crappy lock. If anything, sue the company that made it.
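An added example for the "scripts which check for any outgoing connections or open ports" item in the comment above (editor-added code, not the commenter's): it reads a table in /proc/net/tcp format, decodes the hex addresses and reports listeners missing from an allowlist and any session the host dialed out itself. The NIC addresses, the allowlist and the sample table are constructed assumptions.

```python
"""Audit a kernel TCP table against an allowlist of expected listeners.

Hypothetical checker for the 'scripts which check for outgoing connections or
open ports' idea in the comment above. It parses text in /proc/net/tcp format
(a constructed sample is embedded below), decodes the hex addresses and reports
what a locked-down DMZ web server should never show: a listener that is not on
the allowlist, and an outbound connection the box opened itself.
"""
import socket
import struct

LISTEN, ESTABLISHED = 0x0A, 0x01

# Assumed layout from the comment: httpd on the external NIC only, sshd on the
# internal NIC only. Anything else listening is a finding.
ALLOWED_LISTENERS = {("203.0.113.10", 80), ("10.0.0.5", 22)}
# Outbound connections into these prefixes (log host, backup server) are expected.
INTERNAL_NETS = ("10.",)

# Constructed sample in /proc/net/tcp format: little-endian hex IPv4, hex port,
# hex state. Rows: httpd listener, sshd listener, a stray listener on 8080,
# an inbound web client, an outbound session to port 6667, syslog to 10.0.0.9.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A7100CB:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1
   1: 0500000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1
   3: 0A7100CB:0050 1A2B3C4D:C1F4 01 00000000:00000000 00:00000000 00000000     0        0 10004 1
   4: 0A7100CB:D431 076433C6:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 10005 1
   5: 0500000A:C1A2 0900000A:0202 01 00000000:00000000 00:00000000 00000000     0        0 10006 1
"""


def decode_addr(addr):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4 as a
    host-order u32, so this assumes the table came from a little-endian host."""
    ip_hex, port_hex = addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local, remote, state) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            rows.append((decode_addr(fields[1]), decode_addr(fields[2]), int(fields[3], 16)))
    return rows


def audit(text, allowed=ALLOWED_LISTENERS, internal=INTERNAL_NETS):
    """Return (kind, detail) findings for unexpected listeners and outbound sessions."""
    rows = parse_proc_net_tcp(text)
    listeners = {local for local, _remote, state in rows if state == LISTEN}
    findings = []
    for ip, port in sorted(listeners):
        if (ip, port) not in allowed:
            findings.append(("unexpected_listener", f"{ip}:{port}"))
    for (lip, lport), (rip, rport), state in rows:
        if state != ESTABLISHED:
            continue
        # A session whose local socket is one of our listeners was accepted, not dialed.
        if (lip, lport) in listeners or ("0.0.0.0", lport) in listeners:
            continue
        if rip.startswith(internal):
            continue
        findings.append(("outbound_connection", f"{lip}:{lport} -> {rip}:{rport}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PROC_NET_TCP):
        print(f"{kind}: {detail}")
```

On a real host, feed it the contents of /proc/net/tcp (and /proc/net/tcp6 with an IPv6-aware decoder) from a cron job that writes its findings to the remote log host the comment describes.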

  19. Re:Certificates... on Products Seek Antiterrorism Certification · Score: 1

    Wow, so there's a case where shooting a terrorist before he pushes a button won't help! We'd better never shoot a terrorist then because it might not work, we should all sit around uselessly and let him press the button, thus killing us anyway.

    This isn't a problem. If shooting a terrorist makes him blow up, then not shooting him also lets him blow up, as does tackling him or tasering him, etc. In other words, you're fucked anyways. All you've done is blow him up now as opposed to when he really wants to blow up, which if you follow this whole terrorism thing, is probably when it'll kill even more people. Also, deadman switches aren't as easy or reliable as people seem to think. The tech to wire them to heart-beat or something pretty much isn't there, so they'd end up being hand-held which might not work (some gunshot deaths don't cause spasms, some do) and would get in the terrorist's way and be more visible.

  20. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    If I port-scanned the NYT, a legal activity, and found that they were using insecure programs I could embarrass them just as much by simply revealing that they were insecure, as if I broke in. Should I be liable for their loss of credibility because I simply used my technical skills to examine their product and proclaimed it wanting? I think not.

    If so it'd be illegal to publish a negative review of a product. Or at least, if it involved opening the hood or unscrewing the case. That's a pretty fucked up kind of world.

    It's not reasonable for the NYT to blame him for their loss of face caused by their technical incompetence.

  21. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    They don't have to audit anything. They could stick their heads in the sand and reimplement exactly the same security they had before the hack. The only thing they must do, to carry on business as usual before the attack, is fix the hacked server.

    They won't. They'll implement new procedures, and try to avoid future attacks, but they should have been doing this before.

    For instance, if my company is hacked because I simply missed a new exploit on Bugtraq and they managed to find a way through our firewall with a 0-day exploit we wouldn't change anything except patch and repair. We've already got a good system and we've simply allowed for the fact that unless we read bugtraq 24/7, a hacker who reads it will have a head start. For everything else we've got a policy that I think is sound and we are working to minimize risk. We'll evaluate the attack and see if we were as protected as we could be, but we'd do that if it was the company down the street that was hacked. This planning is simply the cost of doing business.

    The NYT will of course choose to implement better security, as you would if you were burgled, but this is merely what they should have done earlier if they really wanted to be secure, not just to feel secure through ignorance of the risk.

    As such, they should claim the time spent fixing and reinstalling the compromised machines, at emergency overtime rate, but they shouldn't claim all the planning sessions and panicked changes. To use your analogy, you could claim the costs of having the locksmith come at 3am and fix the lock, you could claim the expenses for cleaners, etc. You couldn't claim the expense of an alarm system or a stronger lock.

  22. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    You can't claim the meetings to discuss the problem as damages from the hack. If you were on the ball you'd be having those meetings anyways. You can *ONLY* claim the actual time spent fixing the damages (or yes, suspected damages).

    What I see as the usual stupidity in these threads is some clueless admin saying "They broke in, I now have to assume that everything is trojaned and reinstall everything from the ground up!".

    Bullshit. You analyze the attack and you see what they could have done. If they penetrated a web server in your DMZ it's not inside the firewall and you have no reason to assume they got farther in because an attack from your webserver should be blocked by the firewall the same as an attack from an unknown host on the internet, it's the whole purpose of putting some machines outside the firewall.

    Also, if you can't tell if anything has been tampered with, and if you have no additional reason to expect that it was, you can't justify reinstalling it just to be sure. If you secured that machine to the best of your ability, reinstalling and resecuring to the same level, is useless. It's superstitious. You might as well wipe and reinstall the whole thing right now(!) because someone might have hacked you while you were reading this!!!!

    In short, if you have a clue of what you're doing, you've already spent time in meetings. You've already got intrusion detection systems in place, and you've got procedures around for recreating all of your machines. Not just for hack attempts, but for fires or tornadoes. This hack just means you need to implement these plans, not that you run around like a chicken with its head cut off, implementing a bunch of panicked and useless policies that don't help.

  23. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    The problem is that people seem to think that anything you do which costs a company money is illegal. Companies certainly seem to like it when people think this.

    For instance, tell people that there's a flaw in a company's product, or in the security they use, making them implement costly repairs, and they want to bill you for their expense. This is a common theme these days.

    In this case, this is coupled with illegal access, but you still can't claim that the hacker cost you $100k if that was $99k in updating infrastructure to avoid future attacks and $1k of cleanup after the intrusion. To be secure you'd have had to pay the $99k anyway. There's no way that this hack cost the company $325k, not unless the hacker figured out how to remotely destruct hardware. Claiming that much for damages makes their claim seem ridiculous.

  24. Re:Reasonable damage figures on Adrian Lamo Surrenders · Score: 1

    People always talk about this, but really, one of the things a sysadmin should do is perform backups. Not just drive images on a fall-over server, but copies of the data, that stuff you can't execute or stick a back-door in, and instructions for how to make it into a working website with a few install disks.

    I end up building machines often enough at work, a third of which are different enough, or the requirements have slightly changed, that drive images don't work, so I've gotten to the point where I can rebuild, with redhat download disks, a backup CD of data, and a sheet of instructions, our production build server in ninety minutes, most of which is spent swapping disks. (I really have to host the disks on a local ftp site and do a net install, it couldn't help but be faster... Or, burn all of the files onto a DVD so I at least don't have to swap disks.)

    If I suspect hacker intrusion I'd unplug the machine's net connection. (It hosts our source files, our only real product.) Then I'd write (or activate) very strict firewall rules, letting nothing except known safe machines connect, and plug the connection back in, filtering as much as possible, perhaps even making the website static and filtering incoming http form responses (to perhaps trojaned CGI scripts.) Then I'd grab a spare machine and rebuild the server, copying the data from the active server, and either do a fall-over if possible, or simply switch cables quickly. Time elapsed, two hours. If I know what the exploit or hole was, I'd either patch the server or firewall out that service or those packet contents. If I didn't, it'd take longer because I'd examine the old machine, looking for the hole.

    Yes, this does take away from time I'd spend doing other things, but $100 worth, not $25k. It's like people look at the cost of the hardware and software on a compromised machine, as if it's a total write-off, or something. Or, that they bill all their (obviously failed) security attempts and bugtraq reading to this one intrusion. Or, perhaps, they know that vandalism causing less than $1k of damage won't get the book thrown at a hacker the way inflated numbers will.

  25. Re:Slim to None on ESR to Shred SCO Claims? · Score: 1

    This is where you'd want to be careful in accusing someone of copying. If the function they "copied" is a string copy, or a string length, chances are that you both used the simplest C idiom for it. If it's something more complex, but still only six lines, you probably just reinvented the wheel. If it's sixty lines, or ten different functions in the same functional area of code, that might indicate copying.

    Actually, for a baseline, before scanning System V Unix against Linux 2.6, scan SysV against the largest non-unix codebase you can. Against Quake2 source for example. Then discount that level of matching when comparing SysV to Linux. You'd get more, because OSes do OS-ish type things, but it'd give you an idea of how many lines of completely unrelated things would match.

    Or, if you're SCO, sue id Software. They obviously copied your string handling code!
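An added example (editor's code, not the commenter's and not any real SCO or Linux comparison) of the baseline idea in the comment above: normalized line matching that only counts runs of several consecutive identical lines, with the claimed source first matched against an unrelated codebase to measure how much idiom-level matching happens by chance. The three "codebases" are constructed strings, as are the function names in them.

```python
"""Baseline-adjusted matching of two code trees: short identical runs are
idiom noise, long runs are the signal, and matching the claimed source against
unrelated code first shows how much noise to expect. Constructed samples only.
"""
import re
from difflib import SequenceMatcher


def normalize(source):
    """Drop comments, blank lines, brace-only lines and whitespace differences."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    lines = []
    for raw in source.splitlines():
        line = re.sub(r"\s+", " ", re.sub(r"//.*", "", raw)).strip()
        line = re.sub(r"\s*\{$", "", line)  # K&R vs Allman brace placement
        if line and line != "}":
            lines.append(line)
    return lines


def matching_runs(a, b, min_run=3):
    """Runs of at least min_run consecutive identical normalized lines."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return [(m.a, m.b, m.size) for m in sm.get_matching_blocks() if m.size >= min_run]


def matched_lines(src_a, src_b, min_run=3):
    return sum(r[2] for r in matching_runs(normalize(src_a), normalize(src_b), min_run))


def excess_over_baseline(claimed, suspect, unrelated, min_run=3):
    """(lines shared with suspect, lines shared with unrelated code, excess)."""
    hits = matched_lines(claimed, suspect, min_run)
    baseline = matched_lines(claimed, unrelated, min_run)
    return hits, baseline, max(0, hits - baseline)


# All three share the textbook string-copy idiom; only SUSPECT also shares a
# whole function body (renamed, reformatted and commented to look different).
CLAIMED = r"""
void str_copy(char *d, const char *s)
{
    while ((*d++ = *s++) != '\0')
        ;
}
int list_insert(struct node **head, struct node *n)
{
    if (head == NULL || n == NULL)
        return -1;
    n->next = *head;
    *head = n;
    return 0;
}
"""
SUSPECT = r"""
/* string helper */
void str_copy(char *d, const char *s) {
  while ((*d++ = *s++) != '\0')
    ;
}
int node_push(struct node **head, struct node *n) {
  // defensive checks
  if (head == NULL || n == NULL)
    return -1;
  n->next = *head;
  *head = n;
  return 0;
}
"""
UNRELATED = r"""
void str_copy(char *d, const char *s)
{
    while ((*d++ = *s++) != '\0')
        ;
}
void vec_scale(float *v, float k) {
    v[0] *= k; v[1] *= k; v[2] *= k;
}
"""
if __name__ == "__main__":
    print("shared, baseline, excess:", excess_over_baseline(CLAIMED, SUSPECT, UNRELATED))
```

The string-copy idiom shows up in the baseline and is discounted; the renamed list function is what survives as excess.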