The commercials on pause was an original feature of Replay. It was 'upgraded' out months ago. You no longer get commercials when paused. They even took out the Replay Zones that were basically commercials for one network's programming. Perhaps the original Replay units are getting different upgrades, but my Panasonic doesn't have these issues.
You haven't explained why you need unique version numbers. I can think of several downsides to this, and no pluses. For one, packages that check version numbers for compatibility reasons would possibly fail. If you want to know if a package has been changed, check 3 things: errata.html, plus.html and the cvs comments. If you can't bear to do this in a web browser, subscribe to the cvs changes list and write a procmail filter. I'm not sure why it's Theo's or anyone else's responsibility to help you avoid using the provided resources for these types of issues.
I don't need anyone to write more documentation. I find the included documentation just fine. If you don't, write your own; I'm sure developers would be happy to answer your questions if they knew it was going into some documentation for others to use. Developing documentation for something is a great way to learn. That's why they make you do all that writing stuff in college. What do you think physics students write about?
So, what you're saying is you'd like one of two things:
1) don't patch bugs they know about in other folks' code that is incorporated into the OS
2) don't incorporate anyone else's code in the OS
I vote for you reading errata.html. If it's so hard for you to actually go to a web page, join the cvs changes list and filter for the errata.html page; it's in CVS just like everything else.
Is it really too hard to read the pages at http://www.openbsd.org/errata.html and http://www.openbsd.org/plus.html? And if you want even more detail, subscribe to the source-changes mailing list.
> But that Perl ain't 5.6.0 unless it was built from
> the 5.6.0 tree.
It was built from the 5.6.0 tree with (as far as I can see) one local patch to fix some problems with suidperl.
If you look at the version output from:
dcfe-fw# uname -a
OpenBSD dcfe-fw 2.8 HSAGEN#2 i386
dcfe-fw# perl -v
This is perl, v5.6.0 built for i386-openbsd
(with 1 registered patch, see perl -V for more detail)
perl -V provides you with this info:
Characteristics of this binary (from libperl):
Compile-time options: USE_LARGE_FILES
Locally applied patches:
SUIDMAIL - fixes for suidperl security
Looks like it's pretty clearly identified to me.
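The post above settles the "is it really 5.6.0" question by reading the "Locally applied patches" section of `perl -V` by eye. As an added example (not part of the post, and not a tool from OpenBSD or the Perl project), the script below does the same check in a form that can run across a fleet: it pulls the patch names out of `perl -V` text and reports which of a required set are missing. The sample output, its layout (two-space section headings, tab-indented patch lines) and the required-patch list are constructed for this example; only the patch name SUIDMAIL comes from the post.

```shell
#!/bin/sh
# Added example: audit the "Locally applied patches" section of `perl -V`
# and compare it with the patches a host is required to carry.

# Constructed sample of `perl -V` output, modelled on the post above.
TAB=$(printf '\t')
PERL_V_SAMPLE="Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
Characteristics of this binary (from libperl):
  Compile-time options: USE_LARGE_FILES
  Locally applied patches:
${TAB}SUIDMAIL - fixes for suidperl security
  Built under openbsd"

# local_patches: read `perl -V` text on stdin, print one patch name per line.
# Patch entries are the tab-indented lines that follow the heading; the next
# two-space-indented heading ends the block (layout assumed, see above).
local_patches() {
  awk '
    /^[ \t]*Locally applied patches:/ { inblk = 1; next }
    inblk && /^\t/                    { print $1; next }
    inblk                             { inblk = 0 }
  '
}

# missing_patches REQUIRED...: read `perl -V` text on stdin and print each
# required patch name the binary does not list. Exit 0 when nothing is missing.
missing_patches() {
  have=$(local_patches)
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$have" | grep -qx "$want"; then
      echo "$want"
      rc=1
    fi
  done
  return $rc
}

# Wrappers that run the checks over the constructed sample.
sample_patches() { printf '%s\n' "$PERL_V_SAMPLE" | local_patches; }
sample_missing() { printf '%s\n' "$PERL_V_SAMPLE" | missing_patches "$@"; }

# Against a live host, feed the real output instead of the sample:
#   perl -V | missing_patches SUIDMAIL || echo "perl lacks a required local patch"
```

The point of the required-patch list is the one the post makes: the version string alone ("v5.6.0") says nothing about a locally applied security fix, so an inventory check has to read the patch section rather than the version.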
A few points:
1) OpenBSD's documentation is probably the best there is on a UNIX derivative OS. I've never seen another that could hold a candle to OpenBSD's man pages.
2) Who says OpenBSD is interested in a huge market share? Microsoft has a huge market share, and their products blow goats. I've been using OpenBSD since their first CD was released, and I think I have a fairly good idea of the mindset behind the developers (or at least Theo). They want to produce the best piece of software they possibly can. Forget all the rest. Everything else is secondary to that goal. OpenBSD's code is probably the cleanest and most correct of any operating system on the planet, and every minute they spend away from keeping it that way is a minute wasted (at least in my mind).
3) Anyone who picks an operating system based on how nicely the developers treat you isn't an engineer, they're a mindless sheep. If you chose Linux over OpenBSD because, for example, you need SMP, that is an engineering decision. If you chose Linux over OpenBSD because Theo was mean to you, that's a mindless sheep decision.
4) If you don't like it, don't use it. Better yet, if you don't like it, fix it! There's nothing stopping you from writing better documentation if you find it lacking. I, as a long time OpenBSD user, would prefer the OpenBSD community stay filled with folks who are willing to use their minds (and the excellent documentation and source code) to solve problems, rather than complaining on mailing lists where the question's been answered 300 times this month already.
5) Theo has a right to be elitist...he's earned it.
And what difference does it make if the data contained in a certain band contains the word fuck? Who knows, but the FCC has decided you can't do it.
As for what the FCC is about, here's a quote from their web page:
"The FCC was established by the Communications Act of 1934 as an independent United States government agency directly responsible to Congress. The Act, which has been amended over the years, charges the Commission with establishing policies to govern interstate and international communications by television, radio, wire, satellite and cable. In February 1996, the Telecommunications Act of 1996 was signed into law, representing the first major overhaul of our nation's telecommunications policies in over 60 years."
Any electronic communications fall under their jurisdiction, and they are directly responsible to Congress, which is directly responsible to you. If enough Americans feel that such regulation of what we can do with others' content is a bad idea, they have the option of making their voices heard with a vote. Those that don't vote can't complain. The government was not created to read your minds, it was created to do what the majority ask it to do.
The FCC has to satisfy ALL Americans, including those that own stock, or just plain own companies that provide the content that goes over those airwaves. The government doesn't just represent YOU, it represents you and 275 million other Americans. Yes, even the people that run those big evil corporations and the dreaded RIAA and MPAA are Americans, just as American as you or I, maybe more so, because I'll bet they vote and make themselves a part of the political process (ethically or not) ;) They are part of the public, so there IS public protection involved.
No one's saying you can't make copies, you just can't make copies of something you didn't buy, and you can't give those copies away. Note, they aren't anti-copying devices, they're anti-PIRACY devices.
You're not allowed to receive ANY radio wave transmission on non-FCC (or FCC-proxy) approved equipment. This is nothing new. The reason for this is that equipment that receives radio waves also gives off radio waves, and the FCC needs to ensure that all such equipment doesn't interfere with higher priority equipment. For example, scanners which receive cell phone frequencies are illegal, and the FCC will not approve a scanner that can receive them, or can be easily modified to receive them, except for government use.
Keep in mind, OpenBSD's ports are not audited. They are just as likely to have security holes as FreeBSD's ports are. From http://www.openbsd.org/ports.html:
The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.
Telenet Systems, which was just bought out by BSDi, makes fairly nice systems. We use them for firewalls and intrusion detection systems. They even have a quad Xeon system now which I'm evaluating for some database work. Check them out at www.tesys.com and hardware.bsdi.com
This is all dealt with in RFC 2267: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
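The RFC 2267 recommendation referenced above is simple to state: an ISP edge router should only forward packets arriving on a customer-facing interface whose source address falls inside the prefix assigned to that customer, since anything else is a forged source. As an added example (not part of the post or of the RFC), the script below implements that decision over a constructed packet log and prints the equivalent ipf rule pair. The interface name xl1, the customer prefix 10.1.0.0/16 and the log lines are all assumptions made up for this example.

```shell
#!/bin/sh
# Added example: RFC 2267 ingress filtering decision plus matching ipf rules.
# Interface name, customer prefix and packet log are constructed for the demo.

# ip_to_int DOTTED_QUAD: print the address as a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/BITS: exit 0 when ADDR lies inside NET/BITS.
in_prefix() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# customer_prefix IFACE: prefix assigned to the customer behind IFACE
# (constructed policy table; a real router would hold one entry per customer).
customer_prefix() {
  case "$1" in
    xl1) echo 10.1.0.0/16 ;;
    *)   return 1 ;;
  esac
}

# classify IFACE SRC: the RFC 2267 ingress rule. A packet entering on a
# customer interface is forwarded only when its source belongs to that
# customer's prefix; any other source is treated as spoofed and dropped.
classify() {
  prefix=$(customer_prefix "$1") || { echo "unknown-interface"; return 2; }
  if in_prefix "$2" "$prefix"; then echo pass; else echo drop; fi
}

# Constructed packet log: "<ingress interface> <source address>".
PACKET_LOG='xl1 10.1.1.5
xl1 192.0.2.9
xl1 10.2.0.1
xl1 10.1.255.254'

# count_spoofed: number of log entries the ingress filter would drop.
count_spoofed() {
  n=0
  while read -r ifc src; do
    if [ "$(classify "$ifc" "$src")" = drop ]; then n=$((n + 1)); fi
  done <<EOF
$PACKET_LOG
EOF
  echo "$n"
}

# ipf_rules IFACE: the same policy as an ipf rule pair. Order matters:
# `quick` stops evaluation at the first matching rule, so the pass rule for
# the customer's own prefix must precede the catch-all block.
ipf_rules() {
  prefix=$(customer_prefix "$1") || return 1
  printf 'pass in quick on %s from %s to any\n' "$1" "$prefix"
  printf 'block in log quick on %s all\n' "$1"
}
```

The `log` keyword on the block rule is what makes the filter useful for detection as well as prevention: a burst of dropped packets with sources outside the customer prefix is a direct sign that a host behind that interface is being used to launch spoofed-source traffic.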
FWIW, there's been much discussion on this the past week or so on the OpenBSD mailing list. Myself and several others already have stripped down firewalls running on OpenBSD and booting off CDROMs; the plan seems to be to merge all of our efforts in order to come up with a distribution. Can't beat OpenBSD for secure code, so it makes an ideal base for a firewall. Check out the mailing lists for more info.
I hadn't even seen this before I posted....
http://www.cert.org/incident_notes/IN-2000-08.html
Chat Clients and Network Security
Date: Wednesday, June 21, 2000
ICQ *is* a security risk. Anyone who's trying to run a secure network is well served in not allowing ICQ through, as it's a big old avenue for someone to waltz into your network. There've already been buffer overflows found, and there's lots of folks looking for other problems with it. So, good for them, sounds like they know what they are doing. Banning telnet and ftp sounds great to me. No one should be using telnet anymore. SSH can serve all your needs; if your vendor doesn't support an SSH daemon, get another vendor that does. FTP was obsolete years ago, and for some reason it still hangs around despite plenty of better alternatives to it. I say ban 'em, and let 'em rot.
Why exactly do any of you care what Excite does with their backbone? They paid for it, it's not government funded, your taxpayers' dollars didn't go towards it. It's their bandwidth, they can do whatever the hell they want with it and no one has a reasonable right to second guess them. If you don't like it, don't buy services from them. And the folks that are implying that it's somehow a crime if Excite decides to devote more bandwidth to one customer over another, I'd like some of what you're smoking.
I was one of the original senior System Admins at USA.NET (before they were even USA.NET), and a 3 year resident of Colorado Springs (up in Denver now). They aren't at all a BSDI house. They were, for a long time, one of Sun's biggest customers. I think they may be moving towards HP now for some stuff, but it's most definitely not a BSDI shop. Also, they aren't in the same building as USA.NET. USA.NET is on Kelly Johnson Blvd, and BSDI is over on 30th St (next door to another former employer of mine).
There's an interesting discussion going on one of the OpenBSD mailing lists about this article. It basically boils down to the fact that being able to easily upgrade to the latest version of IPF is not a security feature; in fact, it's more likely an IN-security feature. The latest batch of IPF releases have suffered from some problems, and until they are all resolved, the OpenBSD folks didn't want to merge it into the tree. Basically, it boils down to newer does NOT equal better, and OpenBSD is going to be sure the software they put in their tree is as secure as it can possibly be.
Which, btw, you can buy here ;)
Glad my home theater's fully equipped
> The GPL prevents any such situation from
> recurring- it bars nobody from participating
> (despite many attempts to add 'except Microsoft
> can't use my code!' clauses) and the single
> condition it imposes is that the code licensed
> under the GPL remains forever open for
> discussion and exchange.
If you think that's the single condition it imposes, I suggest you read it again. You forgot about the part where it infects every piece of code that comes near it with the same properties. What you're actually describing is the BSD license...a truly free license.
I had the privilege of working at SARA while building an ISP for the Dutch phone company back in '95 (great bunch of folks there, hi harold!) and got to play in the CAVE for a little while. It was a most enjoyable experience. They use the first SGI Onyx2 Reality Monster ever made! It was amazing stuff, back in '95. Of course, why this is news now, I have no idea. The coolest part of SARA though is the old Cray that's been converted to a couch in the lobby, since it's too expensive to operate.
While I understand your point about the different viewpoints, full disclosure is better for security in general. This is a proven fact: before full disclosure came in vogue, vendor security problems dragged on forever.
The theory of full disclosure works like this.
I discover a bug. I do one of two things:
1) Full Disclosure
I send the bug to bugtraq, along with whatever info I've been able to glean about it. This way, a huge community can first, verify that the bug exists, second, figure out an effective workaround, third, produce a patch, or make a stink about the vendor until they produce a patch.
2) Partial disclosure
I send a scary letter to bugtraq saying there's a bug, but I don't want to release the details, and this is how I think you should fix it. Assuming my 'fix' is fine, everything works great, but if my 'fix' has a problem with it, no one can verify the problem since they don't know the nature of the bug. Responsible vendors start looking over their code trying to find the bug, or if the finder has notified them will release a patch, eventually. There aren't many vendors with quick security turnaround, so you have no alternative but to sit around and wait and hope the fix is the correct one. In the meantime, the blackhats, who are a lot smarter and quicker about finding bugs than vendors, figure out the problem, and start exploiting the bug.
I'd much rather go for #1.
> I don't know if that's Russ Cooper's policy --
> I think he leaves it up to the person posting
> the security hole.
Of course it's his policy, it's his mailing list, he's the moderator. You have to send posts through him before they hit the list. He has in the past held onto a bug while waiting for a vendor to make a patch.
> Whether or not it's a good thing is debatable.
> It does allow security people to threaten the
> vendor with disclosure without having to post
> the full exploit details
Full disclosure is a good thing. It has been proven over the last 7 years of Bugtraq's existence. If vendors don't fix their bugs before they get out the door, the proven best method for getting things fixed is to force them through full disclosure.
> For example, someone can post "I discovered a
> serious problem with MS XYZ, disable PDQ until
> MS produces a fix. If they don't have a fix out
> in 60 days, I'm going public." Now of course,
> the person could be lying -- perhaps there
> isn't really an exploit in MS XYZ PDQ, but
> that's up to the reader to judge.
First off, this type of thing doesn't happen with a full disclosure list, because when others try and reproduce the results (one of the benefits of full disclosure) they see there isn't a problem. With 'partial' disclosure the scenario you lay out above COULD happen, since no one but the discoverer of the bug, the vendor, and perhaps the moderator of the list are involved.
While yer listing stuff....
Just browsing SecurityFocus can be immensely educational, especially some of the guest features. I've told them before, but if any of the securityfocus folks are reading this, Thank you for a great tool!