One question I've not seen answered yet is: had the student in question (falsely...) reported the laptop as stolen? i.e. the school was using the facility as it had planned, and then happened to catch said act?
I've certainly seen speculation that this might be what happened.
Obviously it's possible to make an AI, if only by figuring out how the known biological brains work and mimicking it.
But there is a question as to if such an AI could even be as 'powerful' as a human brain, let alone exceed it. The one advantage it might have is easy integration with raw computing power.
On the other hand maybe the same result can be achieved with computer/brain interfaces and effectively allowing us to be cyborgs.
That's been all over the tech. news, yes. To be fair to Spamassassin, at least it uses a score, not purely 'flag' system. None of my personal email was affected as my threshold is above that of the "too far in the future" rule.
I do wonder why patches didn't get pushed out sooner, apparently it was fixed in the SA CVS system months ago.
Furthermore I wonder if anyone's tried to come up with a rule that is "today's year plus X" rather than matching a fixed range of years (it was 2010-2019, now it's 2020-2029), as things now are we'll hit the same problem again in 10 years' time if no-one remembers to bump things before that rollover.
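As an added illustration of the rollover problem (this is not code from the comment above or from SpamAssassin), here is a fixed-range year rule beside a relative one, in C. The 20[1-9][0-9] pattern is an assumed stand-in for whatever the real rule's regex was; the year extraction, the injected "current year" and the three-year allowance are likewise choices made for the example, not anything the comment specifies.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

/* Fixed-range rule, the brittle shape: fires if the Date header contains a
 * year matching 20[1-9][0-9] (assumed pattern). It was written when 2010 was
 * "far in the future", and started firing on every mail on 1 Jan 2010. */
int fixed_range_rule_fires(const char *date_hdr)
{
    regex_t re;
    int rc;
    if (regcomp(&re, "20[1-9][0-9]", REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, date_hdr, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Pull the first stand-alone four-digit year out of an RFC 5322 Date header
 * such as "Fri, 01 Jan 2010 00:00:01 +0000". Returns -1 if none is found. */
int date_header_year(const char *date_hdr)
{
    const char *p;
    for (p = date_hdr; *p; p++) {
        if (isdigit((unsigned char)p[0]) && isdigit((unsigned char)p[1]) &&
            isdigit((unsigned char)p[2]) && isdigit((unsigned char)p[3]) &&
            !isdigit((unsigned char)p[4]) &&
            (p == date_hdr || !isdigit((unsigned char)p[-1]))) {
            int y = (int)strtol(p, NULL, 10);
            if (y >= 1900)          /* skip things like the "+0000" zone */
                return y;
        }
    }
    return -1;
}

/* Relative rule: fire only when the header year is more than max_years_ahead
 * beyond the year the check runs in. The current year is passed in rather
 * than read from the clock so the rule is testable; there is no range to bump. */
int relative_rule_fires(const char *date_hdr, int current_year, int max_years_ahead)
{
    int y = date_header_year(date_hdr);
    if (y < 0)
        return 0;                   /* unparseable date: leave it to other rules */
    return y > current_year + max_years_ahead;
}

int main(void)
{
    /* Constructed sample header, not a real message. */
    const char *hdr = "Fri, 01 Jan 2010 00:00:01 +0000";
    printf("fixed-range rule on a 2010 mail: %d\n", fixed_range_rule_fires(hdr));
    printf("relative rule, checked in 2006:  %d\n", relative_rule_fires(hdr, 2006, 3));
    printf("relative rule, checked in 2010:  %d\n", relative_rule_fires(hdr, 2010, 3));
    return 0;
}
```

Run in 2006 both rules agree that a 2010 date is suspicious; run in 2010 only the fixed-range rule still fires, which is exactly the false positive the comment is about.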
Agreed, mod the 'three' guy up, it's the biggest laugh I've had out of this comment thread so far (and that IS saying something given all the other giggling, chuckling, guffawing and other outbursts I've uttered whilst reading it).
From a long experience with various SSRIs, an nSRI, an anti-psychotic and a beta blocker (and now an anti-convulsant with alleged action against anxiety, but it's too soon to draw conclusions on that one yet) I can tell you that the coin can also land on its edge, i.e. the medication does sweet fuck all other than a few side effects at the start and possible withdrawal symptoms if you come off it too quickly (thanks Venlafaxine for that lovely 'rollercoaster' effect).
And there's also another thing that confused me. There I was, following your advice, and looking at the sections I could tweak in this way... and wondering WTF the 'Contact Info' one was. It took me 5 minutes to notice the additional 'tab' near the top of the screen. Bad UI design.
But, still, even if you lock down every section to 'only some friends' using groups and/or specific friend names, all it takes is *ONE* person you've decided is trustworthy to have a moment of insanity and run an app that trawls all possible info it has access to. That or their offspring, significant other, pet, random friend visiting etc. decides to fill in some quiz a (non-trusted for this purpose) friend had done, visible in your feed, and it's all blown out of the water again.
What is needed is a Facebook option to say "Even if I've given access to some of my profile information to someone, when they use a Facebook Application the most that Application knows about me is that a) I AM their friend, b) plus any information I have explicitly already allowed that Application to access, or c) Anything I've made available to Everyone on Facebook".
In essence it seems that Applications get sudo rights to the person using them.
Just having mmap_min_addr and setting it to a page or more above 0 isn't good enough. It also depends very much on the exact kernel version you're running. 2.6.30.2 had a problem with both SELinux and personalities making it possible to get around this. 2.6.30.3 fixed both I believe.
See http://lwn.net/Articles/342420/ for more about which versions are vulnerable and why (and, yes, I'm the same Athanasius linked to in the "This change is not enough for some users, who have requested the ability to turn off the personality feature altogether. " bit, if I could get my arse more in gear I'd have coded up a sysctl/personality patch by now).
Back in the very early days of Battlefield 1942's PC release myself and friends would waste hours doing silly things like climbing a hill, setting up explosives, and seeing who could get themselves closest to a point below.
That and landing a plane on the back of a destroyer: http://www.miggy.org/games/bf1942/pics/utini-plane-dd-back.jpg
Or on a landing craft: http://www.miggy.org/games/bf1942/pics/utini-landed-on-landing-craft-2.jpg
Or a hut: http://www.miggy.org/games/bf1942/pics/utini-plane-on-hut-2.jpg
And then there was wing walking: http://www.miggy.org/games/bf1942/pics/athan-pilot-cptdoom-wing-bridge-1.jpg (there's a sequence up to -10 there)
And of course there was a whole community focused on making videos of stunts in the game.
Indeed, my reading of the whole thing was that the Linus/Alan problem can be summed up by:
1) Linus being concerned only with fixing the reported regression even though this still left other nasty bugs in the code.
2) Alan trying to fix those other things as well.
So when Linus took Alan to task for trying to fix other things as well Alan took it as criticism of the whole patch and it took a while for them both to realise where the other was coming from (Linus has since said he'll accept patches for the other changes in post-2.6.31 release time, not now we're in the 2.6.31-rc4 phase).
This ought to be crashing at the sk = tun->sk line, because the structure is smaller than a page, and page 0 is mapped no-access (I assume Linux does this; it's been standard practice in most operating systems for a couple of decades to protect against NULL-pointer dereferencing).
If you actually read the exploit code (see: http://grsecurity.net/~spender/cheddar_bay.tgz) the thing that really enables this exploit is one of two ways to map page zero. One of these seems to be a flaw with SELinux (either with the default settings and/or how the default config commonly ships) or using personality(2) to select a personality that explicitly allows this.
From the exploit for the personality case:
#include <stdio.h>
#include <sys/personality.h>
#include <sys/stat.h>

int main(void) {
    int ret;
    struct stat fstat;   /* used further on in the exploit; unused in this excerpt */

    /* PER_SVR4 includes MMAP_PAGE_ZERO, the flag that asks for page zero to be mapped */
    ret = personality(PER_SVR4);
    if (ret == -1) {
        fprintf(stderr, "Unable to set personality!\n");
        return 0;
    }
    /* ... remainder of the exploit not quoted here ... */
    return 0;
}
Note you do need some setuid root program even with this (from my reading of the exploit code).
In the SELinux case "it just works" without needing the setuid program it seems.
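An added check, not part of either comment above nor of the cheddar_bay exploit: a C probe that reads vm.mmap_min_addr, judges it against the one-page floor the earlier comment demands, and then tries a MAP_FIXED mmap of page zero from the current process. It only exercises the plain mmap path; the SELinux route and the personality(2)-then-exec route discussed above are not exercised, and a process holding CAP_SYS_RAWIO (or an SELinux domain allowed mmap_zero) may be permitted the mapping regardless of the sysctl, so read "ALLOWED" as "this process can", not as a verdict on the kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the text of /proc/sys/vm/mmap_min_addr (e.g. "65536\n").
 * Returns the value, or -1 if the text is not a non-negative integer. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    return *end == '\0' ? v : -1;
}

/* The bar set in the comment: the floor must be at least one page above 0,
 * otherwise a kernel NULL-pointer dereference can land in user-controlled memory. */
int min_addr_is_adequate(long min_addr, long page_size)
{
    return min_addr >= page_size;
}

/* Try to place one anonymous page at address 0 with MAP_FIXED.
 * Returns 1 if the kernel allowed it (page zero is mappable by this process),
 * 0 if it refused (EPERM on a kernel enforcing mmap_min_addr). */
int try_map_page_zero(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, (size_t)page);
    return 1;
}

int main(void)
{
    char buf[64] = {0};
    long page = sysconf(_SC_PAGESIZE);
    long min_addr = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f) {
        if (fgets(buf, sizeof buf, f))
            min_addr = parse_mmap_min_addr(buf);
        fclose(f);
    }
    printf("vm.mmap_min_addr = %ld (%s)\n", min_addr,
           min_addr_is_adequate(min_addr, page) ? "at least one page above 0"
                                                : "INADEQUATE or unreadable");
    printf("mmap of page 0 from this process: %s (errno %d)\n",
           try_map_page_zero() ? "ALLOWED" : "refused", errno);
    return 0;
}
```

A refused mapping with an adequate sysctl is the expected result on a hardened box; an ALLOWED mapping from an unprivileged process is what you want to chase down before worrying about any particular kernel bug.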
I think I'm correct in stating that such systems will pre-emptively *copy* some things out to swap so that if it seems some extra RAM for disk cache is a good idea then it's a near-zero cycles operation to repurpose the RAM. They're still there in RAM in the meantime if the program needs that particular page of memory. This of course would be done whilst the system was otherwise quiescent.
Why? Give another group of users access to create new folders in c:\Program Files (or equivalent), put the necessary users in that group and *NO* game should need Administrator privs to install. Yes, I know anti-cheat things like PunkBuster 'need' it else the cheats could hide behind Admin privs, but I've come to detest that.
And whilst we're moaning at the game industry for 'requiring Administrator privs to install or patch a game' let's also berate them for STILL not storing settings/save games etc under a user's My Games. There's NO reason to require someone *only* playing a game to have write access to the installation area of the game. Patching will of course require it.
Make your normal user a Limited one, not an Administrator. Try the initial install of any software as that user. Certainly playing a CD isn't going to be able to install anything rootkit-like as a Limited user. Oh, and disable Autoplay on all removable media devices.
Yes, some programs still require Administrator access to install, although in some cases you just need to give the Limited account access to write in the global Startup menu folder or something similar, so this isn't a 100% cure-all.
I haven't even touched Vista with a bargepole myself yet, but it does occur to me that if you're using mobile devices their hardware varies a *lot* less than a random desktop machine, so I'd not be surprised by a very hardware/drivers-sensitive thing like hibernation working better on them.
Careful, the DST zealots will see this as an argument to stay on DST year-round.
For myself I'd prefer the whole stupid DST thing be dropped. As others have said, if you need to get up earlier/later so as to have the daylight when you most find it useful then do just that, i.e. get up at 06:00 instead of 07:00, or at 08:00 if you want to shift things the other way.
Pragmatically I realise that it is actually easier to shift to a different offset from UTC, as expecting everyone to change their habits, including every workplace offering flexi-time along with service industries having longer opening hours, isn't very realistic. *sigh*
Give it 10 years and I'd not be surprised to see the UK shift to using Central European Time, and the whole of the EU stay on CEST instead of CET. There's been a debate about this already due to the BST -> GMT change last Sunday bringing out the "let's stay on DST year-round, it gives more daylight" idiots crawling out once more.
I've pondered over SPF myself, but I'm not really enamoured of it after reading all the pros and cons. I do publish a TXT record with SPF data for miggy.org, but only to say "these are the hosts/IPs that are DEFINITELY ok to receive email from claiming to be from miggy.org, but don't go dropping things on the floor just because I don't list another host here". i.e. people can use that record to whitelist (or upscore) the genuine miggy.org email, but won't use it to definitely blacklist miggy.org email from other hosts, although I guess they can downscore such if they like.
I don't use SPF at all at the MTA level, although I do allow Spamassassin's SPF rules to add to its scoring.
My main problem with SPF is the maillist one, and of course at least one solution to that, VERP, then interacts badly with greylisting. And of course that objection applies to the variations on SPF as well, to the best of my knowledge.
Actually the way I'm using SPF sums up my approach to spam counter-measures; try to use anything only as an advisory about the likelihood of the email being spam. My one exception to this is the use of Spamhaus' RBL as past experience has shown it to work near enough to 100% accurately to not be a problem (I've never had a user report a problem sending or receiving email with the culprit turning out to be an SBL-XBL false positive).
Seconded. Use of greylisting and the sbl-xbl from spamhaus easily drop the vast majority of attempted spam aimed at the mail server I admin. I back that up with spamassassin AND bogofilter because both of them still manage to catch enough spam that the other doesn't. For the month of October and only for my own email:
Both        334 (31%)
Bogo Only   256 (24%)
SA Only     140 (13%)
Neither     330 (31%)
Total      1060
And as you can see, due to the use of greylist+spamhaus RBL I actually end up receiving a high percentage of spam that neither spamassassin nor bogofilter catch. Before I used greylisting and fixed the RBL usage that uncaught percentage was much lower, i.e. greylisting gets rid of a hell of a lot of spam. And, yes, I do train both SA and bogofilter on every spam that neither catch. The biggest culprits for getting through are those emails with random main body text plus an attached gif with the actual spam in it.
Actually it's the spamhaus RBL catching most of it, 4843 items yesterday were permanently rejected via it. That's versus 1156 temporary greylisting rejections, some of which would have made it through subsequently. Note these stats are for the whole server, not just my own email.
Yes, I'd have hated it if spamhaus.org had been closed down :/.
As someone else already quoted:
Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability
You can already go and download that 3.6.2 beta if you want, I did.
The 'planning' is about the date of 3.6.2's release, not whether or not it will have this fix included.
Real Stock Exchange:
As best as I understand it that is pretty close to how real stock exchanges work. You don't necessarily sell shares just by saying you want to, someone else has to be prepared to buy them at the price you're asking. Nor can you buy them without someone offering to sell. The stock exchange keeps track of these offers and provides a mechanism to resolve them (OK, so there are stock brokers involved too, but this basic concept is how it works).
Botnet/Compromised Host Stock Exchange:
The botnet owner has 'bought' stock in the target machines by compromising them. He can offer to sell for at least a minimum price. The other party to the transaction offers to 'buy' a share of this stock at up to a given price. The 'stock market' resolves these offers by putting the two parties in touch where the buy maximum is at least the sell minimum price.
And the hack doesn't even have to rely on the bad guys running a server. Just include it with the 'local' hack and run it on localhost.
Perhaps the 'Purple Wage' ?
See http://www.youtube.com/watch?v=VxGBu1v6SiU for what TCP/UDP ports were involved.
A look at what exactly the 'na' (cited to probably be ICMP) stuff was would be useful.
"...is like saying avoiding antibacterial soap will cause untold misery and disease."
Well, actually, it has some potential to be a problem, if not used correctly:
http://news.bbc.co.uk/1/hi/health/8427399.stm
Oh rly?
Some of us don't care about the editor, originator, department or icon and thus don't pay attention to them.
I for one only ever read the title of a /. story and then the body, plus comments now and then.
So, where's my option to have "stupid post about a made up story that is someone's idea of funny, but actually isn't news" stories not shown to me?
"Slashdot: News for nerds, stuff that matters" my arse.