Towards the top it defined the release phase:
"The vendor or other parties may then release the information - possibly with additional details - to the security community."
The idea of this is not to stop public disclosure, but rather to stop irresponsible public disclosure. There is nothing wrong with letting a vendor know about the hole, giving him some time to fix it, and then he fixes it. If there is no easy fix, a public disclosure will only allow others who do not do security research (i.e. script kiddies, not true exploit finders) to exploit the vulnerability for malicious reasons.
Since the other parts of the document designate the security community, and mention specifically two public mailing lists, that counts as public as far as I am concerned.
The goal of this process is not to regulate errors in code or deliberate exploits. It's to provide a mechanism by which the security community can interact with members of that community who are selling software ( you pretty much become a member when you publish code or a program ). What it offers is a formalized protocol for releasing exploit details that will fairly allow a vendor to release a fix, yet allow for a minimum time that the customers as a whole are vulnerable.
I have heard of the frustration on both sides with regards to this. Some vendors don't have the resources to fix a bug within 7 or 14 days. Some security consultants have reported flaws and have not received any word for months.
The idea is for the security community to realize that vendors are people too, and for vendors to realize that security people aren't all h4X0rZ.
Apparently you did not read the draft (which I just did).
(from the draft)
3.6.2 Reporter Responsibilities
1) The Reporter SHOULD recognize that it may be difficult for a Vendor to resolve a vulnerability within 30 days if (1) the problem is related to insecure design, (2) the Vendor has a diverse set of hardware, operating systems, and/or product versions to support, or (3) the Vendor is not skilled in security.
2) The Reporter SHOULD grant time extensions to the Vendor if the Vendor is acting in good faith to resolve the vulnerability.
3) If the Vendor is unresponsive or uncooperative, or a dispute arises, then the Reporter SHOULD work with a Coordinator to identify the best available resolution for the vulnerability.
and
3.7.1 Vendor Responsibilities
1) The Vendor SHOULD work with the Reporter and involved Coordinators to arrange a date after which the vulnerability information may be released.
2) The Vendor MAY ask the Reporter and Coordinator to allow a "Grace Period" up to 30 days, during which the Reporter and Coordinator do not release details of the vulnerability that could make it easier for hackers to create exploit programs.
So, I'm pretty sure this is the right approach for my site as well, as it will allow a lot of cross-platform-ability.
The stick in the mud here seems to be IRIX along with AFS...we can do integrated logins on Linux and Sun, due to PAM, but IRIX has no PAM.
Anyone found a solution here?
Re:Moore's Law, software bloat, and the market (on "Linux on Older Hardware") - Score: 3, Informative
You might give a try to Gentoo Linux. Part of the install/compile is that you put some parameters in a system-wide file. Things like "krb5" or "kde" or "ldap". When you build your software, the build system looks in this file and configures options based on the entries here. Running on a non-krb5 network? Remove that entry. Running only kde? Leave out gnome.
It's pretty spiffy.
Take my advice Rob, go simple. Kathleen, really, you do not want a big wedding.
I've heard people say, "The wedding is for the family, the honeymoon is for the couple." I say screw that. Have the wedding you want. All the headaches of a wedding are really not worth it.
For instance, my wife and I got to 2 notebook pages of people, and started cutting. We ended up having a lot of fun with a small number of people, and it was still almost too many people.
He closed off the mailing list and bulletin board.
Ok...that's not a great sign..
He complained to me repeatedly about the GPL
There are other licenses out there. Prof. Barak himself I suppose would have to answer what his issues with the GPL are. I wrote to him a while back and got the impression that he was not interested in the GPL.
that Linus is a fool
If that's a quote, I've really lost respect for him. Linus is certainly not a fool.
On the Mosix website they speak about going to user-space, which is probably being done to avoid the GPL.
While this is a possible outcome, this is a bit of fear-mongering...
Just ask yourself, if they had Mosix for 2.4.17 (they released it soon after my openMosix, so it must have been there all along) ready, why didn't Prof. Barak give it to the user-community?
Actually, my first thought was that whoever hadn't gotten it to work with the new VM code, not that he was withholding it.
I guess my thought is...He has the right to, I suppose. I'm glad that someone is taking it and keeping it not proprietary. It has the potential in some areas that I work with.
Why the fork... (on "OpenMosix") - Score: 4, Interesting
I guess I wanna know why there was a fork. I respect both the big Prof and Moshe from what I have read of theirs. Moshe says that Mosix is going in other directions, which sounds kinda...vague ;)
You looked at krb and ldap and you didn't see enterprise level authentication? Krb is what Windows is using here shortly. LDAP alongside it. Novell is LDAP. Um, MIT invented krb, it can't suck ;)
Perhaps you are looking for something other than authentication?
As several people pointed out, there are dual motherboards out there. The only difference between a P4 and a Xeon ( new one) is that the Xeon is rated by Intel for doing MP.
In any event, the point still stands. They are cheaper, and for a good many applications (including scientific ones) they are faster.
I think that it will be increasingly difficult to find applications where the SGI is faster. Yes, it's not all about MHz, but the i386 arch has made many bus speed improvements lately.
I will not let SGI sit on their laurels. They will have to prove to me that it is worth 4x money for the applications that my clients and I run.
I have one scientist I support. I told him that the P4 was some hot computing (in more ways than one). He put his app on it. His $5k Linux machine (dual P4) outran his dual R10k (might have been 12k, can't remember) by 4x. Some might say "Well, ya...that's such an old box". I'll say that it has to last longer because it cost $60k! Not to mention the memory upgrade prices.
There comes a point with the hardware where it is cheaper to get a programmer to optimize your app for a Linux machine, or to buy a compiler that can fake out your 32 bit box into doing 64 bit-ish instructions.
Actually, if you have information on Bill Gates' selling his wife's vibrator, I'm sure Slashdot and several other newspapers would love to know about it.
Inquiring minds want to know, after all;)
Who wants to talk to new people? (on "Browsing Alone") - Score: 2
Have you ever sat in a public chat room? I did, yesterday. The conversation consisted of one guy posting ASCII art, line by line, of a hand flipping you off, and of a butt with a steaming pile of feces underneath.
Gee, wonder why I don't want to talk to just random anyone.
If there is one thing that cheap and easy computers have done, it has given the immature and the ignorant a way to express themselves.
Not that I'm saying I disapprove of the ASCII art, but there is a time and a place for everything...with your friends, cool; with random people online, probably not.
It's hardly any more than an iPAQ (different processor) with a HUD. Heck, I think I'd rather have a new iPAQ.
I don't want to be down on Xybernaut, because it's a tough market, but what needs to go into a wearable seems pretty obvious.
Integrate one of the following:
1) 2 CompactFlash slots
2) a microdrive
3) 802.11b ethernet.
The point is that you virtually need a network with something like this to make it any more than a PDA that you don't need hands for.
And for the love of all that is holy, why WinCE? At least put Win95 on it or something. You pretty much doomed it to be a PDA, and that's it.
It's pretty straightforward to me. Wireless ethernet, a modest amount of storage ( 1gig>storage>256 megs ), audio pumped through the headset, and voice possibilities (not necessarily voice recognition).
I'd even be happy with one of the new iPAQs with an SD card, CF 802.11b card, HUD, and pointing device.
Oh geez...why. I cannot figure it out...there isn't even a sound business reason.
Note to whoever: Release it region 1 in a timely fashion (i.e. like how about at the same time) and I would buy this. Release it late, it will get ripped and distributed all over the net, and I won't feel particularly guilty about copying it. You will never be able to prove that you lost money from me, because you will have to prove that I would have bought a region 2 DVD player and your flick.
You know what? Pretty much goes the same for overseas. I don't think that other countries should be deprived of our cinema just because you are staging releases all over.
I think he's right though. I'm not sure why they would just buy the company, but I did something tonight that I don't normally do..I watched TechTV. And lo and behold, I saw an MSN commercial. And they said that they were an alternative to AOL.
AOL does not like alternatives :)
I wonder why IBM and AOL don't team up and crush MS off the map.
Anywho, the net appliance thing seems the most likely. There was some talk about them doing that with Sun, but it has apparently fallen apart.
This sounds like it's gonna be one hell of a battle
The ramifications of this are potentially mind boggling.
Despite how much you may hate AOL, the fact of the matter is that they have the hearts and computers of an incredible buttload of users, including someone in your family. It's just mind boggling.
If they decided to have an AOL operating environment (UFS mount partition or something), we could see an incredible growth in Linux.
What does it really mean? Goddamn, they would do it because it would advance their business interests. How....
Do they get actual search warrants? Can you, say, deny them access to your computers? I don't think that Federal Marshals will bash in a door based on the word of a report via a web form from the BSA...
You know, it's funny, but there does not seem to be an expansion of wearables. Lots of personal assistant things, but all that require you to pull it out and look at it and control with a dull plastic implement. Do people feel they need to get even smaller?
You know, there seems to be an increasingly strong contingent of people of the "Let's think rationally. Windows is probably the best choice here" people. Perhaps there is some bitterness amongst the faithful?
Why not Linux? The average home user who doesn't know crap about a computer is going to have just as hard a time with WinXP as with Mandrake setup for the home user (i.e. 1 desktop environment, 1 mailer, 1 browser, etc). Heck, maybe some of the new iMacs. What I am saying is that the average user does not need Office, they need a small word processor. They do not need Exchange, they need a mail client that can do POP and receive attachments.
I say go for it. I suggest Mandrake because it's from that continent. Suse might be good as well, but I've had more experience with Mandrake.
Can you point to a URL where he refused to document the security sections? I had not heard this and am interested in reading more.
forgot to say thanks for replying ;)
Mandrake is big enough, and has a good enough distro to stand on their own. Most of their RPMs are not the same anymore.
I actually ordered one after you posted this and had no problem getting one. Earlier tonight I checked and they still had 40 and 60 gig models.
apt has been ported to RPM. This was not a valid comparison then (a package format vs an installation system), and it still is not.