Just imagine how much in royalties this guy could have made if he had developed that nowadays with our patent frenzy attitude!
Err, Apple had the prior art. If you look at any Apple ][ of the original series you will almost always find that there has been an after-market add-on to cover up the reset key, which was placed in a ludicrously easy-to-hit-by-mistake location.
The only thing novel about ctrl-alt-del was that it was in the original hardware rather than an after-market kludge. There were similar hacks on the PET, only there you could switch the reset off as it was a maskable interrupt.
The later use came about because it is the only sequence that cannot be hijacked.
The problem here is who you trust. If the hardware and software are made by the same entity there's nothing to prevent corruption during counting.
Exactly, with Palladium any conspiracy would have to include Microsoft, the hardware manufacturers, the CA and the people administering the ballots.
It is one thing to have open source code review. That is great but actually irrelevant since my main concern is not that the source code offered for review would have a backdoor. My concern is that the code running on the machine might not be the code given for review.
With Palladium it is possible for an external process to determine that a specific version of a software code is running on a particular machine. That is exactly what I want in designing an internet supported voting scheme.
Incidentally I find it really interesting that everyone seems to assume from the start that any ballot tampering would be directed by the GOP.
Does SERVE use Microsoft's Palladium software architecture?
No, the Palladium software is not sufficiently ubiquitous at this time for use in SERVE.
Put aside your RIAA-induced prejudices, just for a second. Exactly why would you not want to use trusted hardware for secure voting?
Palladium would be an ideal base to use. You might well want to go to the trouble of creating and signing your own version of the nexus under a different hardware key. But if the technology was available today I would be using it, absolutely.
They've counted, counted, re-counted, and counted again and they still can't get the answer they want.
Actually if you count the votes on any basis other than the one that Gore's campaign asked for Gore would have won. But that is not the point.
The point is that the rules required a recount at the request of either candidate if the vote was narrow. The Republicans ignored that requirement and under the direction of the governor and the returning officer prevented the recount.
The fact is that it was the Republican party who went to the court to stop the votes being counted in accordance with the election law.
It is the act of stopping the democratic election that makes Bush permanently and indelibly illegitimate, it does not matter what the votes would have shown, Bush is illegitimate because he went to court to have them voided.
I would actually say that Israel is the closest ally of the USA.
Sharon's support has to be bought. Sharon is no friend of the US, he merely milks the US for foreign aid.
Sharon is turning Israel into an apartheid state on the model of the US South during segregation. He is an ally that the US would be much better off without.
How is a socialist government different from a communist one except by degree? For that matter, how is the current US government different?
You might as well ask how is Capitalism different from Fascism? The difference is that they are completely different. The difference is between democratic government and totalitarian government.
At this point the US has one true ally left in the whole world, Tony Blair's socialist government in the UK. I define a true ally as being one whose support does not have to be bought with foreign aid.
The one thing that totalitarian governments do have in common is that the guiding ideology turns out to be almost irrelevant.
Socialism is not a totalitarian ideology, nor is capitalism, environmentalism or libertarianism. But you can get people who will turn any ideology into the basis for a totalitarian movement. We have already seen eco-terrorism, and until 9-11 the single biggest terrorist attack in the US by far was Timothy McVeigh's bombing in Oklahoma, motivated by some right-wing militia whacko ideology.
If like McVeigh you can't tell the difference between the US government and communism or Fascism then the most likely explanation is that you are the problem.
Of course, with Ashcroft and Bush in power there could be an alternative explanation.
What he's saying is "Don't ignore Server 2003 simply because you hate Microsoft." And, he's right. In the end, they're tools that do a job. Pick the one that's best for you instead of picking the one that makes you cool on Slashdot.
From a security standpoint Windows 2003 does a lot right. When you bring up the machine for the first time it has nothing loaded by default. You bring up only the services you are going to actually use.
Now if I could only find a way to compile ASP pages in an offline mode so that the scripting environment could be disabled on the production system it would be a pretty solid platform.
The question is not whether this was company sponsored (which it wasn't) but whether he did it on company time and with company resources, which is unclear in this article.
The problem is that Geer was a company spokesperson and CCIA is a propaganda outfit whose sole purpose is to bash Microsoft.
The report does not even pretend to be objective. The only platform that they consider is Microsoft.
With the exception of Bruce none of the people in the report are the type of people who are well known to the intended audience of the report. I know Dan and several other authors of the report but I don't think it very likely that anyone reading the report would dissociate Dan from his employer.
Quite a few folk on slashdot know who I am, but I don't post under my own name because people might associate my opinions with my employer. I find it amazing that Dan would not understand that people would make the connection.
I don't understand your characterization of Bill O'Reilly as far-right. Rush Limbaugh is far-right. Michael Savage is possibly psychotic. But O'Reilly is a registered Independent.
Actually Al Franken established that Bill O'Really actually registered as a Republican. His book has a photocopy of his voter registration and it really does say Republican.
You have been taken in by yet another Bill O'Really lie. He really likes playing populist man of the people on his $20 mil a year from Murdoch.
I guess it's just that some people can't stand the fact that Fox News exists and is so popular.
It is popular with a C-D demographic of angry white males with no money to buy anything. Lou Dobbs gets less than a quarter the audience and pulls in twice the revenues.
People don't like Fox news because it tells deliberate, calculated lies.
There are small lies like Bill O'Really claiming to come from Levittown and to have won Peabody awards, and there are the big lies like the incessantly repeated claims that liberals hate America.
But I hate liars, I particularly hate Australian liars like Rupert Murdoch giving Americans lessons in patriotism.
The latter sentence contradicts the first, so the point is lost, and instead supports what the @stake authors are saying, that, like 'mono' agriculture, when there is an environment in which one company has a monopoly, it makes it very easy for a virus to cause a lot of damage.
I am pointing out that a variegated environment has little or no effect on security because the virus writers take it into account. The fact that Morris wrote a worm that attacked multiple UNIX variants shows that the virus writers can adapt to such environments.
>NT - journeyman OS since C based? (Score:1)
by kupci (642531) on 23:54 Thursday 25 September 2003 (#7060922)
The result is that simple hybridity does very little for security. There are already examples of viruses that have been designed to exploit multiple vulnerabilities on different platforms - the Morris worm itself was intended to exploit multiple vulnerabilities on the same platform.
The latter sentence contradicts the first, so the point is lost, and instead supports what the @stake authors are saying, that, like 'mono' agriculture, when there is an environment in which one company has a monopoly, it makes it very easy for a virus to cause a lot of damage.
If you think that Unix is such a great security architecture take a look at the C language.
Certainly OSs could be written in other languages, but C is the language of choice for many reasons. Perhaps Java? VB? Ever wonder what NT is written in? Yep - a few versions of DOS were in assembler, then they went to C.
Actually Windows NT has no connection to the DOS code and is entirely written in C++. If you look at the Windows internals calls they are all written to DEC VMS coding standards and have bounds checks and internal validity checks. It is the application-level code that is a disaster.
The point is that those who live in glass houses...
Perhaps to the untrained eye, but not to any CS student taking an operating system class, since it would probably cover the details of the Unix security system.
Well I had Tony Hoare as my college adviser, you might have heard of him, invented quicksort, the if then else statement, formal methods and so on.
CS classes teach stuff for a variety of reasons. I certainly would not consider teaching UNIX as an example of good O/S design, I might teach it as a niche skill that could get you a job.
The Unix security system is actually quite sophisticated, and probably has its roots in Multics (since the authors also worked on Multics), which goes even farther back.
UNIX has almost but not quite reached the level that VMS was at in 1980. It still has no security architecture guide.
For a security professional security is not merely a set of features added into an O/S, it is an integral part of the architecture and a commitment to detail. I see absolutely no evidence of that in the UNIX code or APIs.
Uuuhh...C has been around for years longer than BASIC. Yes, BASIC supports bounds checking, but the BASIC interpreter is written in C.
Can't say that I know when Fortran and Algol were invented, but they'd have to be pretty old to predate C.
C is a relative newcomer. FORTRAN was the first ever high-level language, before COBOL even. BASIC is a stripped version of FORTRAN that was developed in 1964. Algol 60 was standardized in 1960.
C did not arrive until 1971 and was not used to rewrite UNIX until 1973.
The concept of array bound checking had already been established in 1960 with Algol. C is a distant descendant of Algol, through CPL, BCPL and arriving at C.
C was successful because the compiler was free and the alternatives were worse. Pascal was broken as designed: ANSI Pascal claims that int [3] and int [4] are entirely irreconcilable types. Ada was too big, FORTRAN too clumsy. It is no accident that Basic and C are the two survivors, although Basic is doomed in the short run since it is clear that Basic and C# will merge very soon; they are both merely syntactic glosses over the same base.
The idea that free speech gives a punk the right to have an automated telephone dialer call me and try to sell me a fraudulent prize is completely bogus.
The idea that anyone can call me up on my telephone line to annoy me with a sales pitch when I have asked them not to is equally bogus.
I don't care how many loathsome creeps lose their jobs as a result.
Umm, if you actually read the article, you'd see that there were seven authors of this "gates-bashing" report. Two of which stand out: Dan Geer and Bruce Schneier. Dan Geer being the chief technology officer of @Stake, a security consulting firm.
Yeah, yeah, and look at what the panel actually said rather than the slashdot headline interpreting it. The effect is kind of like Fox News commenting on Wes Clark running for president, headlined 'Hillary to run in 2004?'; by the end of the piece they were discussing the fact that Chelsea is not allowed to run until 2016 at the earliest.
Bruce says a lot that makes sense. He also unfortunately says quite a lot that really needs a bit more thought, like the time he went after the design of IPSEC with a report that identified a bunch of security 'holes' that were actually well known, fully discussed and irrelevant.
The flaw in the biological analogy that he uses is that biological viruses evolve through Darwinian processes, survival of the fittest. Viruses evolve through a Lamarckian process: their creators do analyse the environmental challenges they face and adapt in direct and planned responses to those changes.
The result is that simple hybridity does very little for security. There are already examples of viruses that have been designed to exploit multiple vulnerabilities on different platforms - the Morris worm itself was intended to exploit multiple vulnerabilities on the same platform.
If you think that Unix is such a great security architecture take a look at the C language and the APIs in the standard C runtime. The buffer overrun problem was almost non-existent before C. Fortran, Algol and even Basic always supported array bounds checking (OK, some Fortrans made you turn it on). Then along came C with the loosey-goosey null-terminated strings and array pointers without bounds specifiers.
The APIs of the standard C runtime are not much better; look at the way that functions like atoi signal that the user gave invalid input (they don't). I just spent an hour chasing down a bug in some code I wrote that turned out to be due to a math overflow when multiplying two integers. Fortunately I caught the problem because I had some assertions set up to check for weird results. But every other language would have signalled a math overflow.
And so it goes on. UNIX is a journeyman operating system. The architecture looks good to the untrained eye, but when you look real close you start to realise that the fancy raised panel doors with brass knobs are an after-market 'refacing job' and behind them the cabinet frames are made out of chipboard and really don't give enough support for the heavy granite counter top that has been added.
I don't see much evidence of defensive programming or security engineering methodology when looking at UNIX code.
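The two C runtime complaints in the post above, atoi() giving no signal on bad input and integer multiplication wrapping silently, side by side with the checks a defensive implementation adds. This is an added example, not code from the post; the function names, the enum and the sample strings are constructed for illustration, and it assumes long long is wider than int.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a strict integer parse; atoi() reports none of these. */
typedef enum { PARSE_OK, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE } parse_status;

/* Parse a decimal int and refuse what atoi() would silently accept:
 * no digits at all, trailing junk after the number, or a value outside
 * the range of int. Leading whitespace is still skipped, as strtol() does. */
static parse_status parse_int_strict(const char *s, int *out)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s)
        return PARSE_EMPTY;          /* "", "abc": no conversion performed */
    if (*end != '\0')
        return PARSE_TRAILING;       /* "12abc": a number followed by junk */
    if (errno == ERANGE || v > INT_MAX || v < INT_MIN)
        return PARSE_RANGE;          /* does not fit in an int */
    *out = (int)v;
    return PARSE_OK;
}

/* Multiply two ints and report overflow instead of wrapping.
 * Assumption: long long is wider than int (true on mainstream ABIs). */
static int checked_mul_int(int a, int b, int *out)
{
    long long p = (long long)a * (long long)b;
    if (p > INT_MAX || p < INT_MIN)
        return 0;                    /* overflow: *out is left untouched */
    *out = (int)p;
    return 1;
}

/* Constructed sample inputs; all are in range so atoi() is well defined. */
static const char *const SAMPLES[] = { "42", "12abc", "abc" };

int main(void)
{
    size_t i;
    int v = 0, prod = 0;

    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        /* atoi() returns 12 for "12abc" and 0 for "abc", the same 0 it
         * returns for a genuine "0"; the strict parser tells them apart. */
        printf("%-8s atoi=%-4d strict=%d\n", SAMPLES[i], atoi(SAMPLES[i]),
               parse_int_strict(SAMPLES[i], &v));
    }
    /* Out-of-range input: atoi() is undefined here, strtol() sets ERANGE. */
    printf("99999999999 strict=%d\n", parse_int_strict("99999999999", &v));
    /* 46341 * 46341 exceeds INT_MAX; plain int arithmetic would wrap. */
    printf("46341*46341 overflow detected: %s\n",
           checked_mul_int(46341, 46341, &prod) ? "no" : "yes");
    return 0;
}
```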
China doesn't seem to be falling for this. They're probably the closest thing to an enemy I can think of that can actually afford enough computers to make it worth hacking into them.
Great, lets promote an open operating system by relying on the brute power of totalitarian governments to persecute anyone who uses a rival system.
Fortunately not even the Chinese comrades are that totalitarian, although they are still running a pretty nasty regime and did kill a few hundred democracy protesters back in 1989 in Tiananmen Square. Fortunately China can sort its own political future out for itself; the great firewall of China is doomed to failure because the harshest critics of the regime will always be the ones inside the fence.
But even so, not a great example.
How many computers was Iraq's government relying on? (that's a serious question, I really don't know)
I was asked to attend a workshop on possible use of infrastructure warfare in Iraq. The only problem was that it turned out that there wasn't any infrastructure there to attack.
"...the way that Fox news is Fair and Balanced"
Yes it is. It presents both sides, and is centrist. Those who believe that the news should be left-wing only are rather outraged, and clamor for the censorship of it.
People will think that I am paying you to make these softballs.
The only censorship that has been going on is Bill O'Reilly going to court to suppress Al Franken's book about him, appropriately titled Lies and the Lying Liars Who Tell Them. Bill O'Reilly really does not want people to know that he lied about having a Peabody award and then lied about having lied.
But then again if you work for Fox news you must get so used to telling lies that telling the truth would become difficult.
Oh look, Al Franken is still outselling O'Reilly on Amazon despite all those books he must have sold already, having been number one for so many weeks. Looks like Murdoch hasn't been placing enough bulk orders.
The left-wingers are, of course, to blame. The recession started during the Clinton administration, and left-wingers like Tom Daschle in Congress have successfully reduced Bush's fair across-the-board tax cuts so they have little impact.
Hey bud, what happened to your 'responsibility' campaign pledge? I have yet to see one thing that has gone wrong that you Fox news clones have not blamed Clinton for. If Clinton is to blame for today's economy then how come he gets absolutely no credit for 1992-2000? Yeah, and Bush's tax cuts for the richest of the rich are fair and across the board the way that Fox news is Fair and Balanced.
When a war starts taxes go up sooner or later. That is why starting wars is a really bad move if you want to keep taxes low. As Sun Tzu said feeding an army of a hundred thousand men will cost a thousand gold pieces every day.
Tax cuts that are aimed primarily at the richest of the rich do not have a stimulative effect on the economy. The bulk of the tax package that Bush asked for and got kicks in in future years. Yep, the deficit is half a trillion and set to grow.
Only the deficit ain't going to grow, because the failure in the White House has screwed up both the war and the economy and will shortly be sent back to Texas with his 'hooked on phonics' package. Taxes will then rise back to what they were before, plus some extra to make up for the trillion dollars of waste created by Bush.
You don't. Like I, and the dude or dudette to whom I responded, said, you just alphabetize the books and use keywords in a database (and/or card catalog) for lookup when the name of the author is not known.
NO! Books should be organized chromatically by the color of the spine, with hue going from left to right and saturation going vertically.
Incidentally the Dewey Decimal Classification is not the Dewey Decimal System. You and I know the Dewey Decimal System as simply 'decimals'. Dewey was the guy who worked out you could represent fractions by using a decimal point and working to the right... The book catalog was the only part of his scheme to be widely used in his lifetime.
Incidentally, Dewey has been dead long enough for the copyright on the original catalog scheme to have long expired. You cannot trademark catalog values. This is yet another case of a lawsuit that really should result in sanctions against the plaintiff and plaintiff counsel.
I don't think that it is likely OCLC have trademarked the term Dewey in connection with the Hotel trade. Nor is their trademark likely to be very strong since the trademark strength comes from the name Dewey rather than the value that OCLC have added to the brand.
At DNS level also. Wildcard records are part of the master record format. Verisign's servers are using a more complex decision than "anything not registered" which is detailed in the IAB report.
The IAB letter is dated January and refers to the original international domain version of sitefinder. The more recent version of sitefinder is simply a standard DNS wildcard.
There are no protocol deviations in either case. The argument that synthesized domain responses are somehow illegal is completely bogus. But in any case the original objection was made to the system that only wildcarded the I18N domain codes rather than the whole zone.
There is no requirement to support domain transfers, the dotcom and dotnet servers have not supported external domain transfers for many, many years. So why being unable to support that format is an issue is a mystery.
I don't doubt that the IAB and IESG would like to discuss sitefinder. They have been discussing improvements to the DNS like I18N and DNSSEC for over ten years now with negligible result. They have an I18N spec that is in limbo for reasons no DNS registrar can fathom. Meanwhile the DNSSEC spec was deliberately sabotaged to make deployment in dotcom and dotnet as hard as possible.
This is politics, don't assume that the one side story you are getting from slashdot is the whole story. There are a lot of people who are really fed up with the IETF because it takes a minimum of five years to get anything done and often more like ten years.
The IETF pretends to be open, but when you get down to it, it is really run by a small and very exclusive clique. If they don't want to take any notice of my needs I don't see why I should hold their opinions in any special regard.
With the exception of Cisco it is very hard to find a major vendor that is at all happy with the IETF. Sun, Microsoft and IBM have been pushing the majority of their standards work out into OASIS for a long time now. Things are not that much better in open source land, there are lots of IETFers who use open source but it is getting harder to find open source developers who want to take a project there.
Unfortunately, I doubt that Atlas is going to shrug any time soon, and the "good people" are going to be stuck with the "horribly stupid people" until we all blow ourselves up and the cats take over the planet.
For Atlas to shrug the creative people have to be people as greedy and self centered as Ayn Rand was.
There are a few libertarians who are involved in the forefront of Internet and Web research but not very many and I doubt that their contribution is irreplaceable.
The Web is really a piece of performance art, it kind of looses its point if nobody experiences it.
In the UK our bills have a short title, which is what they'll be known as if passed, and a long title which sets out what the law is for. The bill may not contain anything that is not consistent with the long title.
That is not the reason for the difference. In the UK the government controls time in both houses of parliament and introduces almost every bill (except for private members' bills and 5 minute rule bills). The government has such a tight control on the legislature that there is nothing to be gained by adding an amendment to an unrelated bill. If the government does not like the amendment they can either strip it out in the Lords or gut it on the floor of the House.
There are cases of amendments of this particular type making it into law, but they would have to be attached to a relevant bill; in this case it would probably be a transport bill. What you do not get is amendments to bills that direct money to particular interests such as a tax break for Halliburton or (Bob Dole's favorite) Archer Daniels Midland.
In effect the situation is much closer to what you would have in the US if there was a line item veto provision.
It is also possible for a private bill to get passed. This is a major undertaking but occasionally happens, usually for something like the channel tunnel, building of a railway line or such.
The idiot judge was in the wrong because Pei Wei published his browser over a year before Doyle purports to have invented the same idea.
Furthermore Pei Wei was not subject to any duty of assignability simply by virtue of the fact he was a student. Nor was he the only person who came up with the same invention.
The idea was not merely obvious, it was and is trivial.
Anyways, the IEEE has a track record of working on security-related standards, including the popular P1363 (Standard Specifications for Public Key Cryptography) standard. P1363 defines standard implementations of public key crypto ciphers based on Integer Factorization, Discrete Log, Elliptic Curve, and Lattice algorithms.
And who uses them?
Very few RSA implementations are P1363 compliant. Almost everyone uses the RSA labs PKCS#1 signature format. That is what is used in S/MIME, PKIX, SSL, all the IETF standards. There is even more reason to do this now that we have the OAEP plaintext aware signature modes which P1363 does not support.
The question I would want to know the answer to is who is supporting this standards effort? There are standards that exist on paper and there are standards that get used. Unless the group has the participation and support of some major O/S vendors it is an irrelevance. And I don't mean that the vendors just send someone so they have a warm body in the room.
For this to be significant I would want to see Sun, IBM and Microsoft in the room as a minimum. It would be nice if there was Linux or BSD participation.
Let's kill all these plugins, and have support for open standards within the browser
There are big problems here. First, the Eolas patent covers technologies such as PostScript. This despite the fact that the git who filed the thing was told about abundant prior art before the patent was issued. I know he was told because I was one of the people doing the telling.
The real scandal here is that the idiot judge would not allow Microsoft to argue that there was prior art. The jury was instructed to disregard the evidence of Pei Wei that he invented plug ins three years earlier.
I also happen to think that plugins suck. I hate what Javascript has done to a lot of previously usable sites. Why did the idiots at Netscape invent functions that allow the sender of the content to control my browser? Well yes, they were in the pocket of the content providers and they saw their market niche as being able to add corporate-friendly features to the web.
It is a great pity that so few Web companies learned the lesson of Google. In the end it's the users that matter.
Err Apple had the prior art. If you look at any Apple ][ of the original series you will almost always find that there has been an after market add on to cover up the reset key which was placed in a ludicrously easy to hit by mistake location.
The only thing novel about ctrl-alt-del was that it was in the original hardware rather than an after market kludge. There were similar hacks on the PET, only there you could switch the reset off as it was a maskable interupt.
The later use came about because it is the only sequence that cannot be hijacked.
Exactly, with Palladium any conspiracy would have to include Microsoft, the hardware manufacturers, the CA and the people administering the ballots.
It is one thing to have open source code review. That is great but actually irrelevant since my main concern is not that the source code offered for review would have a backdoor. My concern is that the code running on the machine might not be the code given for review.
With Palladium it is possible for an external process to determine that a specific version of a software code is running on a particular machine. That is exactly what I want in designing an internet supported voting scheme.
Incidentally I find it really interesting that everyone seems to assume from the start that any ballot tampering would be directed by the GOP.
No, the Palladium software is not sufficiently ubiquitous at this time for use in SERVE.
Put asside your RIAA induced predjudices, just for a second. Exactly why would you not want to use trusted hardware for secure voting?
Palladium would be an ideal base to use. You might well want to go to the trouble of creating and signing your own version of the nexus under a different hardware key. But if the technology was available today I would be using it, absolutely.
Actually if you count the votes on any basis other than the one that Gore's campaign asked for Gore would have won. But that is not the point.
The point is that the rules required a recount at the request of either candidate if the vote was narrow. The Republicans ignored that requirement and under the direction of the governor and the returning officer prevented the recount.
The fact is that it was the Republican party who went to the court to stop the votes being counted in accordance with the election law.
It is the act of stopping the democratic election that makes Bush permanently and indelibly illegitimate, it does not matter what the votes would have shown, Bush is illegitimate because he went to court to have them voided.
Sharon's support has to be bought. Sharon is no friend of the US, he merely milks the US for foreign aid.
Sharon is turning Israel into an apartheid state on the model of the US south during segregation. He is an aly that the US would be much better off without.
You might as well ask how is Capitalism different from Fascism? The difference is that they are completely different. The difference is between democratic government and totalitarian government.
At this point the US has one true aly left in the whole world, Tony Blair's socialist government in the UK. I define a true aly as being one whose support does not have to be bought with foreign aid.
The one thing that totalitarian governments do have in common is that the guiding ideology turns out to be almost irrelevant.
Socialism is not a totalitarian ideology, nor is capitalism, environmentalism or libertarianism. But you can get people who will turn any ideology into the basis for a totalitarian movement. We have already seen eco-terrorism and until 9-11 the single biggest terrorist attack in the US by far was Timothy McVeigh's bombing in Oaklahoma motivated by some right wing militia whacko ideology.
If like McVeigh you can't tell the difference between the US government and communism or Fascism then the most likely explanation is that you are the problem.
Of course, with Ascroft and Bush in power there could be an alternative explanation.
From a security standpoint Windows 2003 does a lot right. When you bring up the machine for the first time it has nothing loaded by default. You bring up only the services you are going to actually use.
Now if I could only find a way to compile ASP pages in an offline mode so that the scripting environment could be disabled on the production system it would be a pretty solid platform.
The problem is that Geer was a company spokesperson and CCIA is a propaganda outfit whose sole purpose is to bash Microsoft.
The report does not even pretend to be objective. The only platform that they consider is Microsoft.
With the exception of Bruce none of the people in the report are the type of people who are well known to the intended audience of the report. I know Dan and several other authors of the report but I don't think it very likely that anyone reading the report would dissociate Dan from his employer.
Quite a few folk on slashdot know who I am, but I don't post under my own name because people might associate my opinions with my employer. I find it amazing that Dan would not understand that people would make the connection.
Actually Al Franken established that Bill O'Really actually registered as a Republican. His book has a photocopy of his voter registration and it really does say Republican.
You have been taken in by yet another Bill o'Really lie. He really likes playing populist man of the people on his $20 mil a year from Murdoch.
It is popular with a C-D demographic of angry white males with no money to buy anything. Lou Dobbs gets less than a quarter the audience and pulls in twice the revenues.
People don't like Fox news because it tells deliberate, calculated lies.
There are small lies like Bill O'Really claiming to come from Levittstown and to have won Peabody awards and there are the big lies like the incessantly repeated claims that liberals hate america.
But I hate liars, I particularly hate Australian liars like Rupert Murdoch giving Americans lessons in patriotism.
I am pointing out that a variagated environment has little no no effect on security because the virus writers take account. The fact that Moriss wrote a worm that attacked multiple UNIX variants shows that the virus writers can adapt to such environments.
>NT - journeyman OS since C based? (Score:1) by kupci (642531) on 23:54 Thursday 25 September 2003 (#7060922) The result is that simple hybridity does very little for security.There are already examples of viruses that have been designed to exploit multiple vulnerabilities on different platforms - the Moriss worm itself was intended to exploit multiple vulnerabilities on the same platform. The latter sentence contradicts the first, so the point is lost, and instead supports what the @stake authors are saying, that, like 'mono' agriculture, when there is an environment in which one company has a monopoly, it makes it very easy for a virus to cause alot of damage. If you think that Unix is such a great security architecture take a look at the C language
Certainly OSs could be written in other languages, but C is the language of choice for many reasons. Perhaps Java? VB? Ever wonder what NT is written in? Yep - a few versions of DOS were in assembler, then they went to C.
Actually Windows NT has no connection to the DOS code and is entirely written in C++. If you look at the Windows internals calls they are all written to DEC VMS coding standards and have bounds checks and internal validity checks. It is the application level code that is a disaster.
The point is that those who live in glass houses...
Perhaps to the untrained eye, but not to any CS student taking an operating system class, since it would probably cover the details of the Unix security system.
Well I had Tony Hoare as my college adviser, you might have heard of him, invented quicksort, the if then else statement, formal methods and so on.
CS classes teach stuff for a variety of reasons. I certainly would not consider teaching UNIX as an example of good O/S design, I might teach it as a niche skill that could get you a job.
The Unix security system is actually quite sophisticated, and probably has its roots in Multics (since the authors also worked on Multics), which goes even farther back.
UNIX has almost but not quite reached the level that VMS was at in 1980. It still has no security architecture guide.
For a security professional security is not merely a set of features added into an O/S, it is an integral part of the architecture and a commitment to detail. I see absolutely no evidence of that in the UNIX code or APIs.
C is a relative newcomer. FORTRAN was the first ever high level language, before COBOL even. BASIC is a stripped version of FORTRAN that was developed in 1964. Algol 60 was standardized in 1960.
C did not arrive until 1971 and was not used to rewrite UNIX until 1973.
The concept of array bound checking had already been established in 1960 with Algol. C is a distant descendant of Algol, through CPL, BCPL and arriving at C.
C was successful because the compiler was free and the alternatives were worse. Pascal was broken as designed, ANSI Pascal claims that int [3] and int [4] are entirely irreconcilable types. Ada was too big, FORTRAN too clumsy. It is no accident that Basic and C are the two survivors, although Basic is doomed in the short run since it is clear that Basic and C# will merge very soon, they are both merely syntactic glosses over the same base.
I wonder what his home phone number would be?
The idea that anyone can call me up on my telephone line to annoy me with a sales pitch when I have asked them not to is equally bogus.
I don't care how many loathsome creeps lose their jobs as a result.
Yeah, yeah, and look at what the panel actually said rather than the slashdot headline interpreting it. The effect is kind of like Fox News commenting on Wes Clark running for president, headlined 'Hillary to run in 2004?', by the end of the piece they were discussing the fact that Chelsea is not allowed to run until 2016 at the earliest.
Bruce says a lot that makes sense. He also unfortunately says quite a lot that really needs a bit more thought, like the time he went after the design of IPSEC with a report that identified a bunch of security 'holes' that were actually well known, fully discussed and irrelevant.
The flaw in the biological analogy that he uses is that biological viruses evolve through Darwinian processes, survival of the fittest. Viruses evolve through a Lamarckian process, their creators do analyse the environmental challenges they face and adapt in direct and planned responses to those changes.
The result is that simple hybridity does very little for security. There are already examples of viruses that have been designed to exploit multiple vulnerabilities on different platforms - the Morris worm itself was intended to exploit multiple vulnerabilities on the same platform.
If you think that Unix is such a great security architecture take a look at the C language and the APIs in the standard C runtime. The buffer overrun problem was almost non-existent before C. Fortran, Algol and even Basic always supported array bounds checking (OK some Fortrans made you turn it on). Then along came C with the loosey goosey null terminated strings and array pointers without bounds specifiers.
The APIs of the standard C runtime are not much better, look at the way that functions like atoi signal that the user gave invalid input (they don't). I just spent an hour chasing down a bug in some code I wrote that turned out to be due to a math overflow when multiplying two integers. Fortunately I caught the problem because I had some assertions set up to check for weird results. But every other language would have signalled a math overflow.
And so it goes on. UNIX is a journeyman operating system. The architecture looks good to the untrained eye but when you look real close you start to realise that the fancy raised panel doors with brass knobs are an after market 'refacing job' and behind them the cabinet frames are made out of chipboard and really don't give enough support for the heavy granite counter top that has been added.
I don't see much evidence of defensive programming or security engineering methodology when looking at UNIX code.
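The two runtime complaints in the comment above (atoi giving no error indication, and integer multiplication overflowing silently) shown side by side with checked alternatives, as an added C example that is not code from the original post. The helper names parse_int_checked and mul_checked and the sample input strings are constructed for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* atoi() cannot distinguish "0" from "abc": both return 0 with no error
   indication. parse_int_checked() (a hypothetical helper for this example)
   uses strtol() with errno and end-pointer checks so that garbage, trailing
   junk and out-of-range values are all reported instead of swallowed. */
bool parse_int_checked(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')        /* no digits, or junk after them */
        return false;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX) /* does not fit an int */
        return false;
    *out = (int)v;
    return true;
}

/* Signed int overflow in C is undefined behaviour and in practice wraps
   silently. mul_checked() computes the product in a wider type and reports
   overflow the way the languages mentioned above would signal it. */
bool mul_checked(int a, int b, int *out)
{
    long long p = (long long)a * (long long)b; /* holds any int*int product */
    if (p > INT_MAX || p < INT_MIN)
        return false;
    *out = (int)p;
    return true;
}

int main(void)
{
    /* Constructed sample inputs: atoi() returns 0 for both "0" and "abc". */
    printf("atoi(\"0\")=%d atoi(\"abc\")=%d\n", atoi("0"), atoi("abc"));
    const char *inputs[] = { "42", "0", "abc", "42abc", "99999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v;
        printf("%-12s -> %s\n", inputs[i],
               parse_int_checked(inputs[i], &v) ? "ok" : "rejected");
    }
    int r;
    printf("46341*46341 -> %s\n",
           mul_checked(46341, 46341, &r) ? "ok" : "overflow");
    return 0;
}
```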
Great, let's promote an open operating system by relying on the brute power of totalitarian governments to persecute anyone who uses a rival system.
Fortunately not even the Chinese comrades are that totalitarian, although they are still running a pretty nasty regime and did kill a few hundred democracy protesters back in 1989 in Tiananmen Square. Fortunately China can sort its own political future out for itself, the Great Firewall of China is doomed to failure because the harshest critics of the regime will always be the ones inside the fence.
But even so, not a great example.
How many computers was Iraq's government relying on? (that's a serious question, I really don't know)
I was asked to attend a workshop on possible use of infrastructure warfare in Iraq. The only problem was that it turned out that there wasn't any infrastructure there to attack.
Yes it is. It presents both sides, and is centrist. Those who believe that the news should be left-wing only are rather outraged, and clamor for the censorship of it.
People will think that I am paying you to make these softballs.
The only censorship that has been going on is Bill O'Reilly going to court to suppress Al Franken's book about him, appropriately titled Lies and the Lying Liars Who Tell Them. Bill O'Reilly really does not want people to know that he lied about having a Peabody award and then lied about having lied.
But then again if you work for Fox news you must get so used to telling lies that telling the truth would become difficult.
Oh look, Al Franken still outselling O'Reilly on Amazon despite all those books he must have sold already having been number one for so many weeks. Looks like Murdoch hasn't been placing enough bulk orders.
Hey bud, what happened to your 'responsibility' campaign pledge? I have yet to see one thing that has gone wrong that you Fox news clones have not blamed Clinton for. If Clinton is to blame for today's economy then how come he gets absolutely no credit for 1992-2000? Yeah and Bush's tax cuts for the richest of the rich are fair and across the board the way that Fox news is Fair and Balanced.
When a war starts taxes go up sooner or later. That is why starting wars is a really bad move if you want to keep taxes low. As Sun Tzu said feeding an army of a hundred thousand men will cost a thousand gold pieces every day.
Tax cuts that are aimed primarily at the richest of the rich do not have a stimulative effect on the economy. The bulk of the tax package that Bush asked for and got kicks in in future years. Yep, the deficit is half a trillion and set to grow.
Only the deficit ain't going to grow because the failure in the White House has screwed up both the war and the economy and will shortly be sent back to Texas with his 'hooked on phonics' package. Taxes will then rise back to what they were before, plus some extra to make up for the trillion dollars of waste created by Bush.
NO! Books should be organized chromatically by the color of the spine with hue going from left to right and saturation going vertically.
Incidentally the Dewey Decimal Classification is not the Dewey Decimal System. You and I know the Dewey Decimal System as simply 'decimals'. Dewey was the guy who worked out you could represent fractions by using a decimal point and working to the right... The book catalog was the only part of his scheme to be widely used in his lifetime.
Incidentally, Dewey has been dead long enough for the copyright on the original catalog scheme to have long expired. You cannot trademark catalog values. This is yet another case of a lawsuit that really should result in sanctions against the plaintiff and plaintiff counsel.
I don't think that it is likely OCLC have trademarked the term Dewey in connection with the hotel trade. Nor is their trademark likely to be very strong since the trademark strength comes from the name Dewey rather than the value that OCLC have added to the brand.
The IAB letter is dated January and refers to the original international domain version of sitefinder. The more recent version of sitefinder is simply a standard DNS wildcard.
There are no protocol deviations in either case. The argument that synthesized domain responses are somehow illegal is completely bogus. But in any case the original objection was made to the system that only wildcarded the I18N domain codes rather than the whole zone.
There is no requirement to support domain transfers, the dotcom and dotnet servers have not supported external domain transfers for many, many years. So why being unable to support that format is an issue is a mystery.
I don't doubt that the IAB and IESG would like to discuss sitefinder. They have been discussing improvements to the DNS like I18N and DNSSEC for over ten years now with negligible result. They have an I18N spec that is in limbo for reasons no DNS registrar can fathom. Meanwhile the DNSSEC spec was deliberately sabotaged to make deployment in dotcom and dotnet as hard as possible.
This is politics, don't assume that the one-sided story you are getting from slashdot is the whole story. There are a lot of people who are really fed up with the IETF because it takes a minimum of five years to get anything done and often more like ten years.
The IETF pretends to be open, but when you get down to it, it is really run by a small and very exclusive clique. If they don't want to take any notice of my needs I don't see why I should hold their opinions in any special regard.
With the exception of Cisco it is very hard to find a major vendor that is at all happy with the IETF. Sun, Microsoft and IBM have been pushing the majority of their standards work out into OASIS for a long time now. Things are not that much better in open source land, there are lots of IETFers who use open source but it is getting harder to find open source developers who want to take a project there.
For Atlas to shrug the creative people have to be people as greedy and self centered as Ayn Rand was.
There are a few libertarians who are involved in the forefront of Internet and Web research but not very many and I doubt that their contribution is irreplaceable.
The Web is really a piece of performance art, it kind of loses its point if nobody experiences it.
That is not the reason for the difference. In the UK the government controls time in both houses of parliament and introduces almost every bill (except for private members' bills and 5 minute rule bills). The government has such a tight control on the legislature that there is nothing to be gained by adding an amendment to an unrelated bill. If the government does not like the amendment they can either strip it out in the Lords or gut it on the floor of the House.
There are cases of amendments of this particular type making it into law but they would have to be attached to a relevant bill, in this case it would probably be a transport bill. What you do not get is amendments to bills that direct money to particular interests such as a tax break for Halliburton or (Bob Dole's favorite) Archer Daniels Midland.
In effect the situation is much closer to what you would have in the US if there was a line item veto provision.
It is also possible for a private bill to get passed. This is a major undertaking but occasionally happens, usually for something like the Channel Tunnel, building of a railway line or such.
Furthermore Pei Wei was not subject to any duty of assignability simply by virtue of the fact he was a student. Nor was he the only person who came up with the same invention.
The idea was not merely obvious, it was and is trivial.
And who uses them?
Very few RSA implementations are P1363 compliant. Almost everyone uses the RSA labs PKCS#1 signature format. That is what is used in S/MIME, PKIX, SSL, all the IETF standards. There is even more reason to do this now that we have the OAEP plaintext aware signature modes which P1363 does not support.
The question I would want to know the answer to is who is supporting this standards effort? There are standards that exist on paper and there are standards that get used. Unless the group has the participation and support of some major O/S vendors it is an irrelevance. And I don't mean that the vendors just send someone so they have a warm body in the room.
For this to be significant I would want to see Sun, IBM and Microsoft in the room as a minimum. It would be nice if there was Linux or BSD participation.
There are big problems here. First the Eolas patent covers technologies such as PostScript. This despite the fact that the git who filed the thing was told about abundant prior art before the patent was issued. I know he was told because I was one of the people doing the telling.
The real scandal here is that the idiot judge would not allow Microsoft to argue that there was prior art. The jury was instructed to disregard the evidence of Pei Wei that he invented plug ins three years earlier.
I also happen to think that plugins suck. I hate what Javascript has done to a lot of previously usable sites. Why did the idiots at Netscape invent functions that allow the sender of the content to control my browser? Well yes, they were in the pocket of the content providers and they saw their market niche as being able to add corporate friendly features to the web.
It is a great pity that so few Web companies learned the lesson of Google. In the end it's the users that matter.