Good instincts.
The wasted motion is bad. Not so much because of increased size and runtime, as it is distracting to understand the purpose and function of the code. What is this $var thing? Why is it called var and not something else? Whatever purpose var serves would be better served in a comment, methinks.
The main advantage is that for the places where speed does matter, it's much easier to see what is going on without extraneous stuff. About 10 percent of the code actually matters. It doesn't take much garbage added for the noise to swamp the signal.
I'm still a newbie, but I don't think the stunt is restricted to kernel only. Just shut down everything that is no longer necessary to keep running.
Instead of Microsoft Windows' install or change something and reboot, you have to reboot to install or change anything. You just shut down and turn off all the nice unixy tools for yourself and any potential attacker.
Yeah, you're right. Linux is not superior in every way to Windows.
Linux has inferior worms.
Try WWW.TrustworthyComputing.com
Considering Microsoft's track record, I think Bill Joy is actually being kind to Microsoft.
What about AOLinux?
I think the killer app for Linux on the desktop may be the ability to run the latest worm/virus/whatever with impunity on an unpatched system.
closed source software is more secure because it is closed and the bugs can't easily be found?
Closed source is more secure until somebody wants in. Producing an exploit requires a reasonable competence with machine language. Source is almost a liability. Fixing the vulnerability requires the source.
Opening the source compromises your security about like lighting your perimeter helps burglars see what they are doing. You lose a little short term, and that's mostly a false sense of security, but gain enormously in the long term. If security is to become a high priority, the drill is to first publish the exploit. Then later publish the fix. Other than that, you've just got a bunch of people fooling themselves.
Actually, I think the comparison is fair. This is a count of vulnerabilities fixed or patched. Consider the depth of the fixes. Do they address the root causes or just thwart a particular exploit? How often do the fixes backfire? How easy will it be to find the next exploit? Are you really that much safer with a currently patched system?
How long did it take Microsoft to make a search of Code Red return results? It was stale on /. before Microsoft seems to have heard of it. Several days may be damn fast for you, but not for me.
Nice post.
How many fishes in the sea?
Maybe the best measure is how hard it is to catch one. To mix metaphors, seems like the low-hanging fruit has been pretty well fished out for Linux and especially the BSDs.
With open source there is a tendency to catch as many from the same pool as possible.
With closed source, the tendency is to catch one and leave the others still in the pool.
couple of good counterexamples (qmail and djbdns)
I think those are done to prove that code can be secure, not that code is by nature secure. Code makes assumptions about the context in which it is run. When those assumptions are wrong, the code tends to do bad things. Minimizing those assumptions and the damage done on failure might be natural to some mathematicians, but not to any normal humans. I think Microsoft's problem is that they have no idea as to what it takes to produce secure code. Or if they know, they have decided that it is far too much work.
There is another factor involved. When bridges do fall down, the debris is analyzed. The mistakes are found and analyzed, usually somewhat publicly. That's why full and open disclosure is pretty well necessary to even stand a chance of eliminating the worst of the bugs and security holes.
Just wait until programming is nothing more than dragging pictures around and connecting them and you never see a line of code.
When the hackers/crackers get hold of the results... Or is that what we're seeing with the Microsoft wormage?
The end-user is not an idiot, so let's booby-trap everything to prove how smart we all are. NOT.
There's a big difference between "shouldn't" and "never will". There's a big difference between "should never happen" and "can never happen". Even the things that "can never happen" sometimes happen.
I get the feeling that a lot of code is "pretty good" assuming that everybody else is perfect. When everybody is doing that, seems like you've got a recipe for instant disaster.
A program should work correctly for correct input.
A program should never go berserk on any incorrect input.
Multi-volume set, sent a volume at a time.
Multi-chapter book, sent a chapter at a time.
Newspaper serials, sent a column at a time.
I'm sure somebody has sent a longer missive, written on the back of postcards.
Microsoft: "Mine is wormier than yours"
Still there.
http://mcwhortle.com/investnow.htm
"Bidding is now accepted for Stage 2 of the McWhortle Enterprises Pre-IPO offering. Estimated share value is approximately $10, which will, upon conclusion of the IPO offering in three (3) months, be worth more than 400 times the initial investment. To bid on these shares, you must quickly e-mail us the number of shares you wish to purchase, together with your major credit card number and social security number (for identification) so we can reserve your slot."
Do people actually fall for these things?
You don't say 1.024k bytes, you say 1k bytes and expect the listener to know that about 1000 is exactly 1024 due to the context. If 1k bytes were always 1024 bytes, how would you interpret 14.112k bytes?
3/4" pipe is 1.050" Outside Diameter.
The 3/4" refers to an Inside Diameter of a pipe with a particular wall thickness (which may or may not still be made). Regardless of how thick the walls are, and consequently what the Inside Diameter really is, 3/4" pipe is 1.050".
IIRC there is something about a US bushel being a different volume depending on what is being measured.
The plural of virus is Microsoft.
Most trials are, by default, closed.
What?
Seems like most anybody can wander into a courtroom of choice and watch whatever is going on there. Seating space may be limited for the more popular events.
How did the feds get uninvolved in this?
They closed the doors. It's all the damned windows they left open.
Remember how DOS deleted a file?
The first character of the directory entry was overwritten by a special character and the associated clusters added to the freelist (bitmap in FAT). That's what Microsoft calls *delete*. In fact it shouldn't be that difficult to gather info specifically from *deleted* accounts.
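The mechanism described in the comment above, as an added example that is not part of the original thread: a toy FAT-style volume in Python (the cluster size, cluster count and directory size are constructed for the demo, not real FAT12 geometry) showing that a DOS delete only overwrites the first byte of the 32-byte 8.3 directory entry with 0xE5 and zeroes the cluster chain in the FAT. The name tail, start cluster, size and the data bytes themselves are untouched, so an undelete that assumes contiguous allocation gets the file back, and even after the entry and the first clusters are reused the tail of the old data still sits in the data area. The `ToyFat` class and the sample "secret" file contents are assumptions of this example.

```python
import struct

CLUSTER_SIZE = 16        # constructed toy geometry, not a real FAT cluster size
FAT_END = 0xFFF          # FAT12 end-of-chain marker
DELETED = 0xE5           # byte DOS writes over the first name character on delete
# 32-byte 8.3 entry: name, ext, attr, ntres, ctime_tenth, ctime, cdate, adate,
# first-cluster-high (FAT32 only), wtime, wdate, first-cluster-low, size
ENTRY_FMT = "<8s3sBBB" + "H" * 7 + "I"


def pack_entry(name, ext, start, size, attr=0x20):
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, 0, 0, 0, 0, 0, 0, 0, 0, start, size)


def unpack_entry(raw):
    f = struct.unpack(ENTRY_FMT, raw)
    return {"name": f[0], "ext": f[1], "attr": f[2], "start": f[11], "size": f[12]}


class ToyFat:
    """Minimal FAT-like volume: a FAT array, a data area and one directory."""

    def __init__(self, clusters=32, dir_entries=8):
        self.fat = [0] * clusters                 # 0 = free, else next cluster / FAT_END
        self.fat[0] = self.fat[1] = FAT_END       # clusters 0 and 1 are reserved, as in real FAT
        self.data = bytearray(clusters * CLUSTER_SIZE)
        self.directory = bytearray(dir_entries * 32)  # 0x00 first byte = never used

    def write_file(self, name, ext, content):
        needed = max(1, -(-len(content) // CLUSTER_SIZE))
        free = [c for c, v in enumerate(self.fat) if v == 0][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for i, c in enumerate(free):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.fat[c] = free[i + 1] if i + 1 < needed else FAT_END
        # DOS reuses the first never-used OR deleted slot, so deleted entries get clobbered
        slot = next(i for i in range(0, len(self.directory), 32)
                    if self.directory[i] in (0x00, DELETED))
        self.directory[slot:slot + 32] = pack_entry(name, ext, free[0], len(content))
        return slot // 32

    def read_file(self, idx):
        e = unpack_entry(self.directory[idx * 32:(idx + 1) * 32])
        out, c = bytearray(), e["start"]
        while c != FAT_END:
            out += self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
            c = self.fat[c]
        return bytes(out[:e["size"]])

    def dos_delete(self, idx):
        """What DEL does: free the chain in the FAT, mark the entry. Data bytes untouched."""
        c = unpack_entry(self.directory[idx * 32:(idx + 1) * 32])["start"]
        while c != FAT_END:
            nxt, self.fat[c] = self.fat[c], 0
            c = nxt
        self.directory[idx * 32] = DELETED

    def list_entries(self):
        """Walk the directory, reporting deleted entries too (what a recovery tool sees)."""
        out = []
        for i in range(0, len(self.directory), 32):
            raw = self.directory[i:i + 32]
            if raw[0] == 0x00:
                break                              # end of used entries
            e = unpack_entry(raw)
            deleted = raw[0] == DELETED
            name = (b"?" + e["name"][1:]) if deleted else e["name"]
            fname = name.decode("latin-1").rstrip() + "." + e["ext"].decode().rstrip()
            out.append(("deleted" if deleted else "live", fname, e["start"], e["size"]))
        return out

    def undelete(self, idx, first_char):
        """Restore the first name byte and rebuild the chain assuming contiguous clusters."""
        raw = self.directory[idx * 32:(idx + 1) * 32]
        if raw[0] != DELETED:
            raise ValueError("not a deleted entry (slot reused or still live)")
        e = unpack_entry(raw)
        needed = max(1, -(-e["size"] // CLUSTER_SIZE))
        chain = list(range(e["start"], e["start"] + needed))
        if any(self.fat[c] != 0 for c in chain):
            raise ValueError("clusters reallocated; data overwritten")
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < needed else FAT_END
        self.directory[idx * 32] = ord(first_char)
        return self.read_file(idx)


if __name__ == "__main__":
    disk = ToyFat()
    secret = b"credit card 4111-1111-1111-1111; ssn 123-45-6789"  # constructed sample
    idx = disk.write_file("SECRET", "TXT", secret)
    disk.dos_delete(idx)
    print(disk.list_entries())                      # ('deleted', '?ECRET.TXT', 2, 48)
    print(disk.undelete(idx, "S") == secret)        # True: nothing was actually erased
```

The undelete guesses the lost first character and assumes the file was contiguous, which is the same bet the DOS UNDELETE utility made; it refuses if any of the clusters it would claim have already been reallocated. Overwriting is the only thing that removes the data, and as the test below shows, a smaller file written afterwards leaves the tail of the old one in place.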
you can't hijack someone else's account unless you also have access to their email account.
The access to the email account that is required is the name of the account. Semi-public info, actually.
This is preemptively hijacking the victim's passport account knowing only the victim's email address.
Your opinions posted on /. are opinions you chose to make public. Even opinion is a bit strong for terminology. It's a public post to make a point. The point made is not necessarily the view of the poster or of his organization. IP logs could probably be used to identify someone, but that takes a lot of work for little gain.
If an "evil hacker" took over my /. account, I wouldn't be very happy, but he would be extremely limited in what he could do with it. Passport and .NET have the potential to do a lot more damage. To a lot more people.
Do they keep backups?
Expunging all traces of information is extremely difficult at best. Your "deleted" information will probably wind up somewhere in the used disk/tape market at bargain prices.