Slashdot Mirror


User: Tony-A

Tony-A's activity in the archive.

Stories: 0
Comments: 3,584

Comments · 3,584

  1. Re: Whatever SCO on More on SCO vs. IBM Lawsuit · · Score: 1

    SCO may well be that stupid.
    Is SCO the only distributor to not have a patch for the sendmail thingee?
    SCO Security
    "We are aware of the CERT CA-2003-07 sendmail issue, and are currently working on fixes for our supported distributions. We will announce the fixes via our normal channels:"

  2. Re:Hey SCO! Fix the sendmail exploit! on More on SCO vs. IBM Lawsuit · · Score: 1

    We are aware of the CERT CA-2003-07 sendmail issue, and are currently working on fixes for our supported distributions. We will announce the fixes via our normal channels:

    What!!!??? Incredible. I didn't believe you, so I checked and there it is.
    SCO Security

    I thought that thingee was coordinated so everybody could release the patches all at the same time, with nobody even breaking a sweat. (instead of the usual melee;)
    Either SCO has no one semi-competent left, or they are already "out of the loop". (for a definition where OpenBSD and RedHat are in the same loop;). Incredible!

  3. Re:why? on More on SCO vs. IBM Lawsuit · · Score: 4, Interesting

    The future will require a large degree of interoperability. IBM customers do not want AIX or Linux. They want AIX and Linux. This is going in the direction where I should be able to depend on IBM big iron working productively with Sun big iron. (Which has nothing to do with IBM and Sun liking each other;) There is enough force behind Linux that whatever IP SCO had, there's always another way to do things, and SCO gets cut off and isolated. It's like owning a lot of land where the railroad decided not to go.

  4. Re:Again? on Microsoft to End DLL Confusion · · Score: 1

    and again and again.
    Let's say there's an app written and tested for Red Hat 6.2.
    This can mean Red Hat 6.2 and all later versions. (And mostly works on RH 5.x)
    This can mean unpatched RH 6.2 only.
    It most likely means something in between, with nobody completely sure exactly what.
    Despite the best of intentions, it is impossible to know beforehand. (And not easy afterwards). Some "stable" versions aren't. Some "unstable" versions are very stable. IIRC, Apache 1.13 is the "unstable" branch and 1.12 is the "production" branch. Apache 2.0 is "stable", but a bunch of us are waiting for mod_php and mod_perl to achieve real stability.
    Methinks the problem is actually unsolvable, but there's most likely a lot of help to be had from nutcases who insist on running three incompatible versions of the same app at the same time. Another is the type of stunt box that allows FreeBSD and friends to run Linux binaries. Microsoft is about to make yet another one foot jump across a one meter chasm.

  5. Re:Lemon and sugar on Pancake Physics to Cut Batter Splatter · · Score: 1

    What is "confectionary sugar"?
    Powdered sugar as opposed to granulated sugar.
    About the consistency of flour as opposed to table salt.
    Used to make icings and such.

  6. Re:I work for the government. on Sendmail Bug Tests US Dept Homeland Security · · Score: 1

    Quoting the FreeBSD Advisory: (with a bit of emphasis added)
    A remote attacker could create a specially crafted message that may
    cause sendmail to execute arbitrary code with the privileges of the
    user running sendmail, typically root. The malicious message might be
    handled (and therefore the vulnerability triggered) by the initial
    sendmail MTA, any relaying sendmail MTA, or by the delivering sendmail
    process. Exploiting this defect is particularly difficult, but is
    believed to be possible.


    So, the short answer is yes, it's exploitable. Whether anyone would take what appears to be considerable trouble to exploit it is a different matter. Since it's Open Source, you can be reasonably sure that the flaw was real and is now actually fixed.

  7. Re:Bittersweet news on U.S. Army's Future Combat System Will Run Linux · · Score: 1

    The copyright holder is the party of the first part.
    "you" (Boeing) is the party of the second part.
    The US Army is the (singular) third party.
    If nobody else is invited to the party, they are not included in any third party. (It did not say "any other party";)

    If the US Army distributes binaries, then the US Army (as the second party above) must make the source available to any third party (ie any of the third parties that the US Army distributed the binaries to).

  8. Re:Bittersweet news on U.S. Army's Future Combat System Will Run Linux · · Score: 1

    And ... they get to keep reinventing the fork.

    The DOD fork of Linux won't ever make it back onto the main 'branch'
    Quite possible. Too little, too late. Or Linus, on a whim of his choosing, decides he doesn't like it. While the DOD can very easily make their own dead-end fork, it's probably not in their best interests to do so.

  9. Re:Near Ground Ozone _IS_ an environmental problem on Ozone As Pesticide · · Score: 3, Insightful

    Seems like grain silos and smog tend to be in different areas. I think smog comes from reacting ozone with unburned hydrocarbons.

  10. Re:corrections! on Venezuela Falling Behind · · Score: 1

    Once in the circuit, they will be phase-locked to each other. Switching them in to the circuit needs to be done pretty much in phase or there is an extreme amount of torque to get them in phase, fast.

  11. Re:Microsoft version: on Anticipatory Scheduler in Kernel 2.5+ Benchmarked · · Score: 1

    Is this a new virus or clever marketing scheme?

    Is there a difference?

    Yeah, viruses are kinder.
    (You're right about the double-barreled shotgun;)

  12. Re:One of the best ways to herd cats on Trustworthy Computing At One Year · · Score: 1

    Hmmmm, that explains a few things. Not exactly what you want guarding your back.

  13. Re:I've tried it and it rocks on Anticipatory Scheduler in Kernel 2.5+ Benchmarked · · Score: 1

    replace it with one that supports full co-routines. [emphasis added]
    Ok, you got my attention. I've done co-routines in Basic Assembly and seem to recall some in PL/I (PL/I-F with the PL/I runtime "owned" by some BAL code). Seems like most "modern" languages have zilch support (except for local static variables). Oh can they simplify some very messy logical abilities.

  14. Re:trustworthiness through obscurity on Trustworthy Computing At One Year · · Score: 1

    Hehe. Security through obscurity does work! Only problem is that it is the vulnerabilities that are secure!

  15. Re:Quote from article. on Trustworthy Computing At One Year · · Score: 1

    How can "Trustworthy Computing" ever be achieved?
    Not by being opaque and complicated. Not when the creator of the opaque and complicated computing device might have a hidden agenda.

    Ironically, the more that some people trust their computers, the more others will distrust them.
    Survival instinct as a species. The crack in OpenBSD with a patching strategy that would leave no window of exploitability. Debian dug in their heels and wouldn't buy into it. If you can get all of the population to blindly accept anything that looks like a security patch, there doesn't have to be a hole. You can make a hole.

    If no human can break into your computer and steal your data, and some little thing goes wrong in a sensitive area, you've just lost all your data. It's fairly easy to make a lock that will stop the owner but only slow down a determined burglar.

  16. Re:No, the problem is Microsoft on SecurityFocus On MS Security "Hole" · · Score: 1

    They've created an atmosphere where the logical, understandable response is to mistrust them and an issue that sounds reasonable enough to grab media attention. That's their doing, and they're the ones to fix it (if at all possible).
    I don't think Microsoft can "fix it". The flaw isn't in the "exploit", but in the assumptions and hype about Microsoft that leads to it being perceived as an exploit. What's significant is the gradual shift from "Always trust Microsoft" to "Always blame Microsoft". The last year or so has been rather amusing to watch. The handling of issues by Open Source can be rather rag-tag, but even if you took out the first and second line of defenders, somebody somehow is gonna stop the attack. The exploits never seem to amount to much. Microsoft is maybe better prepared, but the response is slow and very brittle. Imagine Slapper if Microsoft did not already have the patch available.

  17. Re:I hate to say it.. on SecurityFocus On MS Security "Hole" · · Score: 1

    Physical access means that you have the ability to install a new OS on the machine, usually without having to lose all your data on the system. (The recovery CDs that come with new laptops seem to be an exception)
    There are two parts to security. First that you do not lose your data. Second that "aliens" do not swipe your data. Companies have gone out of business because they lost their data. I haven't heard of any that went under because of outside security breaches.
    Their changing the root password is not that ridiculous. Now they know what it is and you do not. You could repeat the performance, but that would change the root password that only they know. Part of effective security is the ability to know that it has been breached. One advantage of long up-times ;)

  18. Re:I hate to say it.. on SecurityFocus On MS Security "Hole" · · Score: 1

    What's remote about walking up to a machine?

  19. Re:Second best quote from the article on SecurityFocus On MS Security "Hole" · · Score: 1

    Since when has accuracy been a concern to the editors at Slashdot?
    Well, why should it be?
    You get any accuracy from a few readers who know what's going on and are provoked into responding and trying to put some sense into the thing.

  20. Re:/Tin Foil Hat Off on Examining Microsoft Update · · Score: 1

    Microsoft Update breaks third-party software.
    Now who you gonna blame?
    Always blame Microsoft.
    Works surprisingly well and is often enough right to be justified.

    Now the FUD. What will Microsoft do to your system today?

  21. Re:/Tin Foil Hat Off on Examining Microsoft Update · · Score: 1

    but MS is claiming jurisdiction over all PCs with MS software
    Now you know the referent of My in My Computer.
    If I stick the label "My Stuff" on something, it is mine.
    If you stick the label "My Stuff" on something, it is yours.
    If I stumble over something with the label "My Stuff", the only thing I'm sure of is that it is not mine.

  22. Re:never work on Verbing Weirds Google · · Score: 1

    googler.microsoft.com
    Interesting.
    Nah, being Microsoft it still wouldn't work very well.

    Seems I always get better responses when I Google for information about Microsoft software than when I Microsoft for it. ;-)

  23. Re:Offtopic (was: Re:Trespassing) on Los Alamos Security Infiltrated By Reporter · · Score: 1

    quite willfully ignorant and indifferent
    Does a New Yorker really care about what people in Nebraska are thinking?
    Or a Parisian about the provincials?
    You're very right not to trust any particular information source exclusively. Even with the best of intentions, any one source will have a lot of blind spots.

  24. Re:No Criminal Intent on Los Alamos Security Infiltrated By Reporter · · Score: 1

    "Per se" is what you want, methinks, meaning something like by itself or on its own merits. "Per say" I'll leave to your imagination.

  25. Re:Open Source on Root-server switches from BIND to NSD · · Score: 1

    I 'spect that they're trying to insure that any bugs in the alpha version do not get a chance to live on in stale copies or in somebody else's code. Makes sense that they would want as few bugs as possible with their name on them.