So rather than the chronic complaints from school boards of not enough money for textbooks for every student, are we going to hear complaints of not enough money to keep the computers up-to-date with software updates, security fixes, current eBook readers, and current editions of various eBooks?
Let alone the burden of replacement cost for a below poverty line family when a child has his/her laptop stolen.
So, it's simply another type of denial of service. A TCP Reset packet can be faked, which will result in a legitimate open TCP connection being closed by a third party.
No, the ability to forge a TCP RST (reset) has been known since 1989 when Steve Bellovin published his article on insecurities in TCP/IP.
The novelty is that this is a much easier way of spoofing an RST that the TCP stack accepts.
Funny, but it seems that ephemeral source ports for a TCP connection may be more secure in this case, since it increases the space that the attacker has to guess within.
Of course it is a pure "D'oh" that large TCP windows increase exposure to the older known weakness of TCP RST attacks (Steve Bellovin wrote a paper on it in 1989).
http://www.osvdb.org/displayvuln.php?osvdb_id=4030
...
TCP Reset Spoofing
OSVDB ID: 4030
Rating: TBD
Disclosure Date: Apr 20, 2004
Description:
The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services.
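The arithmetic behind the comment above (larger windows make a blind RST cheaper, an unknown ephemeral source port makes it dearer), worked through as an added example. This is not code from the comment or from the OSVDB entry; the window sizes, the 28,233-port ephemeral range and the `rcv_nxt` values are constructed for illustration, and the "strict" branch models the exact-match check that RFC 5961 later standardised rather than anything the 2004 advisory describes.

```python
"""Blind TCP RST attack cost: how window size and source-port uncertainty
change the number of spoofed packets an attacker must send.

Added example with constructed numbers; not from the advisory or the comment.
"""
import random

SEQ_SPACE = 2 ** 32          # 32-bit TCP sequence number space


def rst_accepted(rcv_nxt, rcv_wnd, rst_seq, strict=False):
    """Decide whether a receiving TCP stack accepts an incoming RST.

    Classic behaviour (what the 2004 advisory concerns): the RST is accepted
    if its sequence number lands anywhere inside the receive window
    [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2**32.

    Strict behaviour (later standardised in RFC 5961, assumed here as the
    hardened variant): accept only an exact match on rcv_nxt; an in-window but
    inexact RST is answered with a challenge ACK instead of a teardown.
    """
    if strict:
        return rst_seq == rcv_nxt
    return (rst_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rsts_per_connection(rcv_wnd, strict=False):
    """Worst-case spoofed RSTs to cover the sequence space for one known 4-tuple."""
    step = 1 if strict else rcv_wnd          # classic stacks let one packet cover a whole window
    return -(-SEQ_SPACE // step)             # ceiling division


def blind_rst_cost(rcv_wnd, port_candidates, strict=False):
    """Worst-case spoofed RSTs when the client port is only known to lie among
    port_candidates possible values (e.g. an ephemeral port range)."""
    return port_candidates * rsts_per_connection(rcv_wnd, strict)


def simulate_sweep(rcv_nxt, rcv_wnd):
    """Attacker sweeps sequence numbers in window-sized steps against a classic
    stack. Returns how many RSTs were sent before one was accepted."""
    sent = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if rst_accepted(rcv_nxt, rcv_wnd, seq):
            return sent
    return None   # unreachable: a step equal to the window guarantees coverage


if __name__ == "__main__":
    # Constructed scenario: a long-lived session whose server port is known.
    rcv_nxt = random.randrange(SEQ_SPACE)
    for wnd in (16384, 65535, 2 ** 20):
        print(f"window {wnd:>8}: {rsts_per_connection(wnd):>12} RSTs worst case, "
              f"{simulate_sweep(rcv_nxt, wnd):>8} sent in this sweep")
    # Fixed, known client port versus an assumed 32768-61000 ephemeral range.
    print("known client port:      ", blind_rst_cost(65535, 1))
    print("unknown ephemeral port: ", blind_rst_cost(65535, 61000 - 32768 + 1))
    print("strict exact-match check:", rsts_per_connection(65535, strict=True))
```

The sweep shows the point of the original advisory directly: with a 64 KiB window a classic stack falls to roughly 65k spoofed RSTs per connection, and a 1 MiB scaled window drops that to about 4k; not knowing the client port multiplies the cost by the size of the ephemeral range, while an exact-match check pushes it back to the full 2^32.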
How do you feel about the ease and simplicity of installing and maintaining packaged programs versus the optimization and control that can be achieved by building from source? What are your experiences?
Humans do not scale well, they have very low bandwidth of information sharing, and have high latency (i.e. you can't get ahold of them). Humans are also expensive, wander off into different jobs, graduate or drop out of college, etc. So I tend to prefer reducing the human cost of system administration complexity as a default position.
So my gut feeling is that unless there is a major time or dollar savings in the optimization by building from source (i.e. avoiding buying 10+ new CPUs for the systems, or computation runs taking a day less), go with reducing administration complexity by using a package management system so that you can concentrate on your actual goals (research, profit, or whatever).
Bob Colwell's column, At Random, in the IEEE Computer Society's magazine, Computer, is always an interesting if at times odd read. Computer, for those not familiar with it, is a fairly decent yet accessible magazine for IT/EE professionals.
I am too lazy to look through the archives but I felt that I read the basic gist of this article by Bob before. I know he has mentioned over-clockers before, but maybe this is the first time he focused solely on it for the entire column.
His stories from the trenches are always worth reading, and they are one of the first columns I read each month when Computer shows up in the mailbox.
For a slightly doom-spelling (unfortunately Ross tends to be right far too often) view, check Cambridge University professor Ross Anderson's Trusted Computing FAQ. There is also his Cryptography and Competition Policy - Issues with `Trusted Computing' paper as well.
You can also look at documents at the Trusted Computing Platform Alliance, and I recommend reading The TCPA; What's wrong; What's right and what to do about by William A. Arbaugh.
It sounds like what I thought I was getting when I bought Hacking: The Art of Exploitation by Jon Erickson, which is at a fairly basic and easy-to-read level, although some of the writing is not as polished as it could be. It did get through the basic concepts explained in various classic Phrack articles but without the 'leet speak which drives me crazy.
It sounds like this is a more serious and rigorous book, and those who were turned off by Jon Erickson's Hacking might prefer it. I think I will take a look at it.
I think new programmers are likely better served reading something like Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World by Michael Howard and David LeBlanc or Building Secure Software by John Viega than getting bogged down in the details of this book.
..is there one for the delta between 4.4rc2 and 4.4.0?
Don't know off-hand.
IIRC at least the VIA, SiS, nv drivers, FreeType2 and Mesa stuff can't fall under the new licence
The drivers were not explicitly excluded by the license change (like the xlib was). FreeType2 and Mesa have their own license(s) - FreeType2 is dual licensed. The driver licenses depend on who contributed the code. Numerous developers (namely most not on the XFree86 Board) have indicated they don't want the XFree86 1.1 license used on their code. The bulk of the code affected by the 1.1 license is the X Server code. Not the hardware drivers, and not the xlibs.
I just want a gui that works nice. What features are in the new X?
X is a low-level windowing system, not a desktop environment like CDE, KDE, GNOME (or twm :).
Its new features are support for newer video cards, bug fixes and workarounds for broken video cards (and Dell laptop BIOSes with regards to VESA modes and 845 chipsets), IPv6 support, a new version of Mesa (OpenGL 3D support), and FreeType (font library).
Can we get rid of a system that resolves all dependencies internally?
What, do you mean get rid of all the library files?
(would like to finish a compile this year)
Complex software is complex. Get a faster machine.
Can we get rid of the X11R6 subdir? (once again, stop thinking X is a world to itself)?
The X11R6 name is derived from the old MIT X Windows Version 11 releases. It is not an XFree86-ism.
* Several stability issues with the support for the Intel 830M, 845G, 852G, 855M and 865G integrated graphics chipsets have been fixed. Some limitations related to the driver's use of the video BIOS remain, especially for some laptops.
...
* The nv driver for NVIDIA cards has been updated as follows:
* Support added to the nv driver for the GeForce FX 5700, which didn't work with XFree86 4.3.
* The driver now does a much better job of auto-detecting which connector of dual output cards the monitor is attached to, and this should reduce or eliminate the need for manual XF86Config overrides.
* The 2D acceleration for TNT and GeForce has been completely rewritten and its performance should be substantially improved.
* TNT and GeForce cards have a new XvPutImage adapter which does scaled YUV bit blits.
The SiS driver has seen major updates, including:
* Support for 661/741/760 and support for 330 (Xabre).
* Merged Framebuffer mode.
* Support for DVI, and much more.
* DRI for 300 series (300/305, 540, 630, 730) is supported again.
A new driver for several VIA integrated graphics chipsets has been added.
* The mouse driver has some support on Linux and FreeBSD for auto-detecting the device to use. This makes it unnecessary to supply this information in the XF86Config file in most cases.
* XFree86 4.4 supports IPv6, based on the code contributed by Sun Microsystems, Inc. to X.Org.
* The Mesa version used for OpenGL(R) 1.3 and DRI driver support has been updated to 5.0.2.
* FreeType 2 updated to version 2.1.4.
BTW since Microsoft used the BSD-licensed IP stack, doesn't that make their EULA just as viral by this logic?
Yes, you cannot take any Microsoft changes to the BSD TCP/IP stack and re-introduce them back into BSD code bases, since the EULA prevents that.
It prevents you including GPL-licensed code in an X server derived from XFree86; that is enough reason for Debian to avoid the new release, it seems.
Huh? It is well known that you cannot freely mix BSD (old 4 clause or new 3 clause) licensed code with GPL code in the same code base. You would have to make it entirely GPL, which is the 'viral' nature of GPL that BSD fans complain about.
What other alternatives are there to Xfree?
There are no suitable alternatives for end-users on Linux and BSD on recent hardware. freedesktop.org is an experimental play-area for developers where exciting new features are currently being developed, not mundane things like updated drivers for newer video cards (Radeon 9600, 3rd party 9200LE, newer Intel 845 series, etc.), and not robust "production quality" software for end-users; Xouvert doesn't actually have any unique code of their own the last time I looked, and the Y Window System is more an idea and a work in progress.
I have no experience or contact with oscilloscopes, so would someone please inform me why they cost so damned much, even used (and up to friggin $20K, new!).
Target market: High-end 'scopes like digital storage oscilloscopes are made for a target market of an electronic engineering company, or electronic test centres, not your local (radio) ham or TV repair person. So does a company worry about spending $20K for a piece of equipment to sit on the desk of a $75-150K EE who is designing something expected to make millions of dollars profit? No.
Oscilloscopes are built to last, the 100MHz analog one I own is older than I am I think.
Tektronix and HP/Agilent build them to not be obsolete, and the replacement cycle is likely about 5 years or longer depending on what electronics market segment you're in.
Anyhow, don't tell me SELinux is better because.. it would cause a flame-thread only...
So are you trying to claim Rule-set Based Access Control (RSBAC) is better? Have anything to back up that assertion?
Considering there are still too many junior and not so junior system administrators that fail to use standard Unix access controls correctly or to their full potential, I do not expect to see advanced fine-grain access controls like RSBAC, MAC, etc. to gain mainstream usage any time soon. The issue is that fine-grain access control does not tend to scale well in complex and dynamic environments like those found in the typical IT department of a commercial enterprise, or an academic computer centre, or the typical under (IQ) staffed government IT/IS department.
Can we expect that NSA will also do EAL5 for Linux for free?
No, because that is not a project goal. It (Security Enhanced Linux) is not designed with the goal of getting Common Criteria approval (by an independent government-approved lab).
SELinux's beginnings have more to do with extending an experimental Role Based Access Control (RBAC) than trying to deliver a production quality "secure OS".
With no reported vulnerabilities according to mi2g, these OSes are far more secure than that run-of-the-mill *BSD stuff.
..that you can't add additional restrictions to it?
Only the restrictions RMS endorses. </flamebait>
Seriously, the issue is with linking GPL applications with X11 libraries (-L/usr/X11R6/lib -lX11)
David Dawes and others do want to resolve this issue, and have expressed this to RMS and others...
The goal was to clarify:
"You can do what you like with the code except claim you wrote it".
Because as a BSD-like license, it allows binary-only distribution, which is very desirable for embedded developers, and it may not be obvious to the end-user / customer that the embedded product contains XFree86 code. I believe that is where they wanted to clarify ownership of XFree86, not create some sort of advertising burden on Linux distributions or GPL applications.
Sidenote: freedesktop.org's work is not ready for production usage, it's a developer's play area, although a very cool play area, and Xouvert seems to be more talk than actual work AFAIK.
The really interesting bit is that there is a lot of GPL-ed code in XFree.
I take it you mean FreeType which is included under a dual-license of GPL and BSD-like.
Chunks have been copied from the linux kernel, and people like Alan Cox submitted patches
Alan Cox's submitted patches are not under the GPL, but he wished to remain compatible with GPL applications (by using the old XFree86 license). The transfer actually has been from XFree86 to the kernel (fbdev).
Does anyone really think that if Red Hat and Mandrake didn't put the notice in their documentation, anyone would think that they had written the code?
Actually XFree86 is increasingly being used in embedded systems, where it may not be obvious that it is running XFree86 on an ARM processor or whatever.
They lived without them before 4.4. What's so special about these features?
The biggest loss would be support for new video cards, such as some 3rd-party Radeon 9200, and various Radeon 9600 cards. There are some big fixes in the i8xx driver, and the SiS drivers.
I am not sure how pointing out previous Slashdot articles about Pulver's Free World Dialup (FWD) is off-topic.
Or how pointing out an Interesting People message about the FCC ruling that "pure" VoIP like FWD is not a phone service is off-topic or overrated.
Of Rewriting Rules on Delivery of the Internet and Free World Dialup Under The Gun Again and in FCC: 'Pure' VoIP not a phone service and Mr. Pulver to D.C. (David Farber's Interesting People).