You wouldn't believe the amount of crap that HP install by default.
HP. Or most anybody else for that matter.
This does two things.
First, it gives the malware writers essentially a how-to guide.
Second, it conditions the computer user to believe that such garbage is good.
Third, it makes it almost impossible to tell what belongs and what doesn't.
Ok, I can't count, but with that kind of stuff driving it, things will get a lot worse before they get better.
It will eventually become so difficult to write an exploit for a Windows box that, even though Linux has a smaller market share, exploit writers will get more bang for their buck in targeting Linux.
Considering that the malware writers don't even bother to play with the modification date, yet, it doesn't look to me like they're even trying hard, yet.
Any operating system will have exploits. Operating systems are simply too complex not to have them. Any sufficiently complex system is going to have unintended outputs for highly unusual inputs.
True, but there are degrees, an enormous variation in degrees. The system in which the pieces tend to assume that everything else is perfect will continue to astound with its unintended outputs for highly unusual inputs.
Is there any reason why Linux distros in general don't default to having Apache (and other servers, for that matter) run in a chroot jail?
All the parts and pieces of the system that are required during operation must be in or be duplicated in the jail.
The first priority is to do something useful. If it is useless, being secure is pretty much irrelevant. Apache's strength is that it is highly (extremely?) configurable and should in theory be able to do essentially everything the user that apache runs as could do, and with a few sudo stunts, everything almost anybody else could do. Apache's strength is that it can run leaky and buggy modules and survive. Compared to IIS, Apache ought to be a security nightmare. It isn't.
There are two aspects to security. First, that you don't lose your stuff. Second, that unauthorized whatever doesn't get access to your stuff. Companies have ceased to exist due to errors in the first. I haven't heard of any not surviving errors in the second.
Security exploits are demonstrations of bugs. Generally they try to be spectacular but not really damaging. The same bugs are damaging when they are encountered in the normal course of business and mess up stuff they should not. Almost like the exploits are really doing us a favor.
Yes, that's bloat compared to what I can do, but I don't really care.
I beg to differ. That is not bloat.
Trading 5% slower for something that is clear and straightforward is a good trade-off. This is from someone who likes bare assembly (ix86 excluded) and appreciates things with no wasted motion.
When (not if) the requirements change, you'll get the 5% back with interest.
Bloat is taking several minutes to show a large subdirectory just so it can paint some icons.
Bloat is making sure that the primary purpose never gets in the way of the special effects.
Bloat is having the gizmos crowd the basic simple stuff into strange corners.
Bloat is anything that takes up too much of a valuable resource, primarily because there's just too much of it. From the standpoint of maintenance, which does have to be done, your 15% faster really is bloated because it will take too long to decipher when you have to change something.
Efficiency is really a matter of wasting cheap resources to preserve expensive resources. It's all a matter of context, but it wasn't worthwhile sacrificing clarity for minor gains in execution speed on second generation mainframes. That has to hold even more so now. Looking back, seems like the major advantage of being efficient is that even though you will change stuff for something as trivial as spacing in comments that isn't quite right, you do not even consider sacrificing clarity for minor gains.
It is *not* novel or non-obvious.
Although using the number 30 is maybe novel and non-obvious. More likely just dumb.
I realize that the state of US education is pretty low, but seriously!
Converting numbers from one base to another is what, grade school level?
Handling a pair of things of the same length by concatenating them seems rather obvious.
without all of the silliness of "trusted" computing.
You trust things that are simple, transparent, obvious. That is, to the extent you need to trust them.
You do not trust things that are complicated, opaque, non-obvious.
What is the bulk price of "owned" computers? Now? A few years ago?
If it's as low as I think I remember seeing something about, there is something fundamentally wrong about the approach that is being taken.
But anyway, Google needs to drop its elitist attitude about advertising if they want to succeed.
I would disagree. That "elitist attitude" is why I prefer and tend to trust Google. That extends somewhat to those who use Google for advertising. Annoying in-my-face stuff I can do very well without, and unless Google were markedly inferior (rather unlikely!), I would stick with Google just to avoid the annoyances. Seems like it's a bit like the difference between New Luxury car salesmen and low-end used car salesmen.
Furthermore, making Windows secure is a lot like integrating Sendmail 3.0 into the Linux kernel and then trying to make it secure two years later.
Thanks. Best laugh I've had in a long while.
Red Hat are responsible for the Linux kernels that they distribute and no others.
Kinda, sorta. At least to the point where Microsoft can take responsibility.
However, if (i.e. when) there is a problem with Red Hat, it is not just Red Hat who is in a position to do something about it. Mandrake can and does fix Red Hat problems. Within Mandrake (and vice-versa, of course). And all the others.
'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?'
Microsoft is right in that there isn't one.
They fail to mention that there isn't just one.
For defense, you really want multiple layers that the opponent must crack.
Just like you never put general headquarters right on the front lines.
What I've seen in terms of response, with Linux, etc., third-stringers do a substantial amount to stem the tide whereas with Microsoft you have to wait for the first-stringers. The Linux first-stringers have an unfair advantage. They can use hindsight on the efforts of the second stringers, etc. etc.
Good point.
;)
There is a distinction between what something does and how it does what it does.
As long as it is doing what it should be doing, I should not have to look into how it is doing it. Only if it fails to do what it should, then it gets unwrapped and becomes much much longer.
Try writing explicable regular expressions
Tended to be FORTRAN for scientific computing and COBOL for business computing, with the two groups never communicating with each other.
Then there was PL/I which allows writing FORTRAN and/or COBOL within an ALGOL structure.
In addition to the punch-cards, remember that second generation mainframes were the equivalent of 64k bytes. Cramped, very cramped. The 7070 was 10,000 10-digit words (decimal) with three signs, which comes out in the same neighborhood.
Google is all about gathering personal information now.
The question is whether this personal information is a cheap resource or a valuable resource.
I think my main objection to spam is that it places far too low a valuation on my eyeballs. Insulting, actually.
i = 2; a[i++] = ++i;
I'm not sure, but that looks like a one-line justification for Ada.
I may be an old coward, but that looks dangerous. Someone or something will surely misinterpret it.
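Added example, not code from the thread: the two readings a person (or a compiler that happens to pick an order) could give that line, each rewritten in C with explicit sequencing. The original form is kept in a comment only, because as written it is undefined behaviour.

```c
#include <stdio.h>

/* The line under discussion:
 *
 *     i = 2; a[i++] = ++i;
 *
 * modifies i twice between sequence points (C99 6.5p2; "unsequenced" in
 * C11 6.5p2), so it is undefined behaviour: the standard permits any index,
 * any stored value, or anything else. gcc -Wall (-Wsequence-point) and
 * clang (-Wunsequenced) both diagnose it. It stays in a comment so this
 * file itself remains well defined. Below are two readings it could be
 * given, each spelled out so there is exactly one meaning. */

typedef struct {
    int index;   /* which element of a[] gets written */
    int value;   /* what gets stored there */
    int final_i; /* value of i afterwards */
} store_t;

/* Reading 1: evaluate the right-hand side first, then the subscript. */
store_t reading_rhs_first(void)
{
    int i = 2;
    int value = ++i;   /* i is now 3, value is 3 */
    int index = i++;   /* index is 3, i is now 4 */
    store_t s = { index, value, i };
    return s;
}

/* Reading 2: evaluate the subscript first, then the right-hand side. */
store_t reading_index_first(void)
{
    int i = 2;
    int index = i++;   /* index is 2, i is now 3 */
    int value = ++i;   /* i is now 4, value is 4 */
    store_t s = { index, value, i };
    return s;
}

/* Do the two legitimate-looking readings disagree on where or what is
 * stored? Returns 1 if they do, which is the whole reason the one-liner
 * is a trap: neither reading is "the" meaning, and the compiler owes you
 * neither of them. */
int readings_disagree(void)
{
    store_t a = reading_rhs_first(), b = reading_index_first();
    return a.index != b.index || a.value != b.value;
}

int main(void)
{
    store_t a = reading_rhs_first(), b = reading_index_first();
    printf("rhs first:   a[%d] = %d, i = %d\n", a.index, a.value, a.final_i);
    printf("index first: a[%d] = %d, i = %d\n", b.index, b.value, b.final_i);
    printf("readings disagree: %s\n", readings_disagree() ? "yes" : "no");
    return 0;
}
```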
Self-fulfilling prophecy.
There's also the fact that people will put out a bit of extra effort in order to stay up with where they think they should be.
Math is really a game. The object is to do as much as possible based on as little as possible. To create everything out of nothing, but it doesn't stretch that far. There is also the bit about knowing with as much certainty as possible.
One cheap trick. (they all are, really)
Instead of learning the teacher's multiplication table, let her build her own.
X   1  2  3  4
1   1  2  3  4
2   2  4  6  8
3   3  6  9 12
etc.
So ... uh... blah. ... jargon is useful.
Agreed.
Until the terms are overused and misused so much they become without meaning.
One of my "favorites" is supported. I've seen something claimed to be supported where the "support" was to turn the feature off.
I suspect that "blog" does have a specific meaning, somewhat similar to jog, actually. A blog is part of a fad whereas the other terms will retain their meanings after the fad has passed into oblivion.
But ask for a single benchmark and you're a troll.
Benchmarks are somewhere around 50 percentile.
I'd guess that FreeBSD is interested in 99th percentile (or some higher number of nines), which would be compromised by striving for higher benchmark scores.
This is going to be comical.
Reminds me of one of the fun things back in the days of boot sector viruses.
Do a virus scan of a floppy with a known boot virus.
If the virus scan detects the virus, you do not have the virus.
If the virus scan does not detect the virus, you know you do have the virus.
As for spyware (or viruses or other malware) getting through, consider that whoever is doing the stuff will surely have access to the latest anti-whatever and by stumbling around and blind luck will certainly be able to find a way to be undetected.
there is no way you can hit an airplane a "few miles away" with anything a consumer can touch.
Seems like people have been signalling airplanes and ships with small hand-held mirrors for a long time. Just a brief flash of light is all that's required.
Ironically, MS doesn't want your private info, the data miners Google sells data to do.
If MS doesn't want your private info, then why does it have access to it?
If MS doesn't want your private info, then why would they take any precautions to protect the integrity of whatever private info that gets dumped in their lap?
I would expect Google to fully understand the implications of the form and contents of the data it sells to data miners.
In short I'd expect Google to treat my private info as a valuable resource not to be sold out cheaply.
Reading this makes me want to download every piece of code I can from DJB's site, find a hole, write an exploit, and post the most arrogant, obnoxious message I can to BUGTRAQ.
Assuming that security is a desirable goal (personally I think it's more trouble than it's worth), DJB is using a rather effective tactic. You're hardly alone and if you could you would. If you do manage to find a hole, I don't think it will be very big or last very long.
I agree with your sentiments completely, but the nature of open source tends to demolish the distinctions between the standard browser and a standard browser. It's much the same as the "World domination" from a few years ago. It's not really a case of being benign. The sense of excluding all others fizzles out. Firefox as the standard browser tends to imply that a bunch of others are at least almost as good, and we finally get to the point where choice of browser can be legitimately based on the whim of the moment. Whenever Firefox becomes the standard browser, it will be one of many standard browsers.
Target names should only exist within the namespace of the site that created them.
Dead on.
That's also how you get security and utility without going to too much effort.
The ability to mess with things you shouldn't even be able to see is no help to anyone but the makers of malware.
Oh, most people are different and unique. And they do have original thoughts, just not precisely your "original" thoughts.
Care to explain what makes you so different and sets apart from the masses? Mr. Elitist.
He's a different and unique individual, just like you and me and everybody else.
Some people like to watch the grass grow and converse about same. Some don't. No big deal.
Some consider themselves as more or less representative of the nature of the masses. Some don't. No big deal.
You're allowed to be yourself so long as that does not impinge on others' right to be themselves.
You're not allowed to insist that others must help you be yourself.
Humor can help. You can laugh or you can cry. Laughing's better.
The elitist here is me. I like myself and enjoy myself. With that I do not particularly care what anyone else thinks of me, which does not preclude me from having pointed opinions of other people.
In what world is entering incorrect data an acceptable solution?
To some degree or another, essentially everything. Are you aware of any systems which have absolutely no errors, including errors of omission?
An incorrect value being sneaked into a large database is far, far harder to detect and correct than your query coming back with an error.
True. If you attempt to put a gallon of worms into a half-pint container, you should expect troubles. Assuming that the table has any variable-length column, there is no advantage in defining cramped and limited columns. The stuff that might exist but doesn't does not occupy disk space. There is no reason for a price column to be defined as DECIMAL(2) as in the example you state. DECIMAL(18,2) would be more realistic. In terms of sneaking incorrect values into a large database, what is the value of $1234.56 discounted at 4.5%? Where does the half-cent rounding error go?
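Added example, mine rather than the poster's: integer-cent money arithmetic in C that checks whether $1234.56 survives a DECIMAL(2) versus a DECIMAL(18,2) column, and shows exactly where the sub-cent residue of a 4.5% discount goes under each rounding rule. The $1.00 case is a constructed exact-half tie.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* Money is held as integer cents in a 64-bit int, never as a double, so
 * arithmetic is exact and the only rounding is the one we choose. */
typedef int64_t cents_t;

typedef enum { ROUND_DOWN, ROUND_HALF_UP, ROUND_HALF_EVEN } rounding_t;

static int64_t pow10i(int n) { int64_t r = 1; while (n-- > 0) r *= 10; return r; }

/* Would this cent amount survive storage in SQL DECIMAL(precision, scale)?
 * DECIMAL(p,s) keeps p digits total, s after the point, so the integer part
 * has at most p-s digits. A scale below 2 would silently drop cents, so that
 * counts as not fitting. DECIMAL(2) means DECIMAL(2,0): -99..99 whole units. */
bool fits_decimal(cents_t value_cents, int precision, int scale)
{
    if (scale < 2 || precision <= scale || precision - scale > 16) return false;
    int64_t limit = pow10i(precision - scale) * 100; /* exclusive bound, cents */
    return value_cents > -limit && value_cents < limit;
}

/* num/den (den > 0, num >= 0) rounded to an integer by the chosen rule. */
static int64_t round_div(int64_t num, int64_t den, rounding_t mode)
{
    int64_t q = num / den, r = num % den, twice = 2 * r;
    switch (mode) {
    case ROUND_DOWN:      return q;
    case ROUND_HALF_UP:   return twice >= den ? q + 1 : q;
    case ROUND_HALF_EVEN: if (twice != den) return twice > den ? q + 1 : q;
                          return (q % 2 == 0) ? q : q + 1;  /* tie: to even */
    }
    return q;
}

/* Discount in cents for a rate in basis points (4.5% = 450 bp). price * bp
 * is exact in units of 1/10000 cent; rounding happens exactly once. */
cents_t discount_cents(cents_t price, int rate_bp, rounding_t mode)
{
    return round_div(price * rate_bp, 10000, mode);
}

/* Net is price minus the *rounded* discount, so price == net + discount
 * holds exactly and the ledger reconciles; the fraction of a cent is
 * confined to the discount line instead of vanishing between two roundings. */
cents_t net_cents(cents_t price, int rate_bp, rounding_t mode)
{
    return price - discount_cents(price, rate_bp, mode);
}

/* Where the fraction of a cent went: rounded minus exact, in 1/10000 cent. */
int64_t residue_ten_thousandths(cents_t price, int rate_bp, rounding_t mode)
{
    return discount_cents(price, rate_bp, mode) * 10000 - price * rate_bp;
}

int main(void)
{
    cents_t price = 123456;              /* $1234.56 from the thread */
    printf("fits DECIMAL(2):    %d\n", fits_decimal(price, 2, 0));
    printf("fits DECIMAL(18,2): %d\n", fits_decimal(price, 18, 2));
    for (int m = ROUND_DOWN; m <= ROUND_HALF_EVEN; m++) {
        rounding_t mode = (rounding_t)m;
        printf("mode %d: discount %" PRId64 " net %" PRId64 " residue %" PRId64 "/10000 cent\n",
               m, discount_cents(price, 450, mode), net_cents(price, 450, mode),
               residue_ten_thousandths(price, 450, mode));
    }
    /* Constructed tie: $1.00 at 4.5% is exactly 4.5 cents. */
    printf("tie: half-up %" PRId64 ", half-even %" PRId64 "\n",
           discount_cents(100, 450, ROUND_HALF_UP),
           discount_cents(100, 450, ROUND_HALF_EVEN));
    return 0;
}
```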
MySQL is not anything like an Oracle-lite. They use an entirely different focus and division of labor. It is designed for processing large volumes of information under time constraints and with limited resources. The design tradeoffs are not the same as for say Oracle. Having had to remove foot and inch marks from descriptions for some dBASE records to be acceptable to an Oracle system, I'm inclined to believe that Oracle is the toy system, and a rich man's toy.