Slashdot Mirror


User: Tony-A

Tony-A's activity in the archive.

Stories: 0 · Comments: 3,584

Comments · 3,584

  1. Re:Digital Signing of Packages? on Debian Project Servers Compromised · · Score: 1

    I do have to smile about any distribution where the md5 sums are sitting side by side with the source distribution...

    trojan-0.9.3.tar.gz
    trojan-0.9.3.tar.gz.md5

    Yep, looks like everything's in order here!


    That provides security against the downloaded file being mangled in transmission. The real security comes from paranoids examining the differences from trojan-0.9.2.tar.gz and by comparing the trojan-0.9.3.tar.gz.md5 at the various mirrors including assorted stale copies.

  2. Re:Digital Signing of Packages? on Debian Project Servers Compromised · · Score: 1

    Now what's that they say about chains and the weakest link?

    There are two chains here.
    First, the "good-guy's" chain so that everything that goes in is legit.
    Second, the "bad-guy's" chain so that an exploit goes in successfully.

    With closed-source, you have a hard outer shell and a soft, creamy filling. Crack the shell and you're in.
    With open-source, the outer shell might be a bit easier to crack, but there is a tangled mess to navigate once you're inside. Once you're inside, if you move you're dead.

    Methinks the security of open-source is much stronger. The alarm system is much more effective for one thing.

  3. Re:He skipped the Edu questions... on Red Hat CEO Matthew Szulik Responds · · Score: 1

    Honestly it seems like RH is shooting themselves in the foot with Fedora.
    Not at all.

    It's a strange ecology. To stereotype and oversimplify, it is composed of big business aka the enterprise and the hackers. Again oversimplifying, they do not understand, appreciate, or have any use for each other.

    Again oversimplifying, there is no money to be made from hackers. (Despite the media's inability to understand it, "hackers" is the correct terminology.) Hackers are accustomed to making do with what they have and not getting tripped up by minor obstacles, all without "adequate" training or education.

    The money comes from enterprise users who want to pay for support that they will never need, but is there if they ever do need it. It is to the enterprise's advantage to somehow pay so that they do not need to use the support they have paid for. (Tortuous syntax, but so is the idea of the enterprise subsidizing hackers;) From the enterprise's viewpoint, they get a horde of alpha and beta testers to weed out the worst of the bugs. From the hacker's viewpoint they get to play with and use the latest cutting/bleeding edge technology. If it isn't bungled badly, both sides pretty much get something for nothing.

    One thing worth understanding is that Linux is not a cheap OS. It can be had and run as cheaply as you want, but it's Microsoft Windows that is cheap, not Linux.

  4. Re:Would Microsoft announce that it was compromise on Debian Project Servers Compromised · · Score: 1

    Microsoft spends HUNDREDS OF MILLIONS OF DOLLARS on Software Development.
    And they get worms.

    There is no economic impetus within the "Open Source" community, so any perceived "worth of work" is imaginary at best and hallucinatory at worst
    Same could be said of the America's Cup, Grand Prix, etc. Some people just like good code.

    Apparently, no one ever remembers code compromises like those of the OpenSSH backdoor
    I would far more trust the "trojaned" OpenSSH than the "untrojaned" Passport.

    where any yutz who wanted to pass themselves off as a "c0d3r" could contribute code to such an important project than one where Interviews, background checks (including Law Enforcement) and security checks can identify potential troublemakers.
    You seem to have an idea that it's easy to get code accepted into anything that matters. It's not.

  5. Re: parent (MODS Read please) on Does IT Matter? · · Score: 1

    Depends on what the definition of "matters" is.
    Information Technology is becoming part of the infrastructure that we all should be able to depend on without thinking much about it or spending a lot to use it.
    Methinks that, using the definition of "matters" in "Steve Ballmer says it matters", IT DOES NOT MATTER. Consider Wal-Mart. It's a combination of IT and Management Culture that takes advantage of IT. Take away the Management Culture, and the system will start to fall apart. Take away the IT and they will regrow the IT, probably cheaper and better.

  6. Re:Two edged sword... on Does IT Matter? · · Score: 1

    Firefighting is the most non-productive thing an IT department can do,

    Firefighting is turning large disasters into smaller disasters. If the choice is between fighting the fire and not fighting the fire, firefighting is the most productive thing an IT department can do. The primary reason you have IT departments and support contracts, etc. is so you can fight the fires.

    That said, if there is a lot of firefighting going on, things are not going to be very productive. The choice is to rig things so you don't need to do so much firefighting.

  7. Re:Just do it . . . on Does IT Matter? · · Score: 1

    Clay tablets might work just as well for some applications.
    I have seen cases where, if the clay tablets would present themselves in the right order, everything would be faster, easier and better. And that's for data entry!

  8. Re:Someone needs to host a "shitlist" on Attacking the Spammer Business Model · · Score: 1

    Sounds like you are on the right track.

    A few observations.
    You don't want one big site doing this. Too much concentration of power and too attractive a target.
    You want many small sites doing this, probably with several people members of several groups. Several approaches and several skill levels.
    You want spotlights on the stuff that the spammers want hidden. You want that stuff published and corroborated independently. Your resources are the many recipient copies and the headers. Since the spam is mass mailings of unwanted stuff ("Unsolicited Commercial Email" doesn't really capture the essence), it has to be automated, and being automated it has flaws which can be exploited. The problem is to aim the attacks upstream without unduly messing with innocent bystanders or (relative) innocents in the middle of the stream. What you want is to get the spammers messing with each other. (Of course the spammers want to get the anti-spammers messing with the other anti-spammers, so what works today may be counter-productive tomorrow.)

  9. Re:Linux or Java? on Sun Announces Linux Deal With Chinese Government · · Score: 1

    the best support would be for the IT people to find a HOWTO on the 'net or ask on a mailing list rather than calling up SUN.

    That is the best support, yes. You cannot buy support that good.

    But.
    That support is dependent on having "interesting" problems. (Oversimplification, but it makes the point.)
    For the dull, drab uninteresting problems, you have to pay to get a much poorer level of support. However, if the first-stringers have done their job right, it takes little support and it doesn't even have to be very good. If it isn't botched, this looks like a win-win-win-win situation.

  10. Re:Stupid anti-trust lawsuits on Microsoft Defies EU Commission · · Score: 3, Informative

    They are not a legal monopoly.

    Correct. They are an illegal monopoly.
    The nature of legal monopolies is that they are extremely regulated by government bodies. This is required because there are not the market forces in play to ensure fair play by the monopolies.

  11. Re:What if... on IE To Block Pop-Ups · · Score: 1

    Careful, you're exposing Microsoft's strategy.

    Consider the control over your computer that Microsoft has slowly and steadily been building up over the years. To what purpose? What does Microsoft expect to gain from it?

  12. Re:Democratic intersections? on Traffic Light Switcher Makes Critics See Red · · Score: 1

    But, ...
    Look at the traffic after the traffic jam.
    It moves well, with lots of space between vehicles.

    If cars are entering the jam faster than they are leaving the jam, the jam will lengthen. If cars are entering the jam slower than they are leaving, the jam will shorten until it disappears. If the traffic behind the jam can manage to slow itself down enough to enter the point of the jam after the last car in the jam has left the jam, the jam will no longer be there.

  13. Re:+5 Insightful? Try -1 blatantly wrong! on Microsoft Offers A Bounty On Virus Writers · · Score: 1

    Windows Media Player, Internet Explorer, and Outlook do NOT run in kernel mode whatsoever. They may talk to kernel-mode drivers like 95% of all user-mode software does (read from a file, talk to the network), but they absolutely do not run in kernel-mode!

    Security is a perimeter-like thingee. A security fence that is mostly intact is really a very poor security fence, particularly if it leads to a false sense of security. If there is anything in kernel-space that has been rigged for the benefit of Microsoft applications, the parent's statement is effectively true. Considering that NT Server will stay up for many months as long as IE, Office, etc. are totally avoided, it's almost certain that somewhere, somehow, there is kernel-level stuff that exists solely for the benefit of Microsoft applications. With various cracks about uptimes, it's extremely likely that that stuff is buggy and has a lot of not-yet-publicized holes.

  14. Re:Observations on Longhorn Developers @ MSDN · · Score: 1

    because all the Linux people have a field day bashing and bashing and bashing.
    Don't forget us Microsoft people. Just because we use it does not mean that we like it.

    so what happened that changed Slashdot into a Microsoft news site?
    Dunno, but it seems like Slashdot is the place to keep up with the Microsoft wormage that matters.

  15. Re:hmm mostly good... but on Sun Gets Open Source Into NSW Government · · Score: 2, Insightful

    "Umm... collaborate with our competition to create a new solution that we will give away when ours works fine for the most part?"
    Sounds counterproductive, but that is the strategy for survival. There is competition within a species and competition between species. While it is desirable to be the best within your species, the strategy loses if your species loses to other species.

  16. Re:FUD. on Microsoft Raises Security Game, Notes Shortcomings Elsewhere · · Score: 1

    Man talk about FUD. Last time I checked, almost every single hole in windows was patched before an exploit was available.

    Right.
    We have these patched holes in windows that take down the internet after the exploit is available.
    For FUD value, (Fear, Uncertainty, Doubt), consider what the unpatched holes in windows will do when the exploits become available. There seems to be some sort of progression starting with Melissa. With Microsoft's efforts to patch and have systems patched, each round seems more and more effective. I don't think we're anywhere near the end yet.

    If most MS patches don't break anything, why doesn't Microsoft apply them all to its own systems?

    I'd say the BIND patch demonstrates the value of OSS. The responses (plural) are fast and effective, and if there are any problems they get the full glare of publicity and will not last very long.

  17. The BIG LIE! on Bill Gates: Windows Patched Faster than Linux · · Score: 1

    Particularly effective if it leaves your opponent speechless.

    The ultimate answer lies in how quickly Microsoft contains the damage from the next Microsoft worm. And the next. And the next.

  18. Re:Reasons why booting hurts... on The Cost of Distributed Client Computing? · · Score: 1

    I would add that just because it's running it does not mean that it will ever boot again. The probability is high enough that, if you have anything that's been running a long long time, it's a good idea to back up anything important to elsewhere before shutting down.

  19. Re:Taking bids on when worm comes... on Yet Another Critical Windows Flaw · · Score: 1

    Nov 13th 0230 EST.
    I'm an optimist.

  20. Kill the Messenger on Yet Another Critical Windows Flaw · · Score: 1

    Not being a Windows expert either, but our standard setup has been to disable the messenger service to kill annoying messages from print servers that were so proud of actually printing a job that they just had to tell somebody (everybody?) about it. I think Windows Messenger and net send can be used to annoy people. If for some reason you depend on these annoyances, you probably need it.

  21. Re:Doh! on BIND Patches Make Bad Situation Worse · · Score: 1

    Since .NET is involved, it must be Microsoft's fault.
    Good one, that.

  22. Re:BIND crap on BIND Patches Make Bad Situation Worse · · Score: 1

    The fact that you can post at all is due to that "poorly designed and coded product".

  23. Return to the Dark Ages on Trusted Computing · · Score: 1

    I knew there was something about the idea of "trusted computing" that I didn't like, but this scares me. It's like 1984, but turn the quality of life back a millennium.

  24. Re:Fairness is a weak ideal... on The FSF, Linux's Hit Men · · Score: 1

    bemoaning how much the "onerous" GPL is oppressing the helpless corporations.

    On this side we have spare-time, hacker, hobbyist code.
    On this side we have MegaCorp with its highly paid Research and Development.
    Poor, poor MegaCorp.

  25. Re:A friend of mine works at Forbes. on The FSF, Linux's Hit Men · · Score: 1

    About a year ago, the writers were told that if they can make a story mention "Linux" in any way, they should.

    You can't buy that kind of advertising.