I just find it odd. It's not like she's the only one of her species, is she? If I got filmed for an ad and looked like a fool in it I could understand if people laughed a bit, but this is just excessive. Can't people find something better to do? If I was in her place I think by now I'd be wishing to hide somewhere until people forgot about it.
1. IE is just a browser, and even if it's not open source workarounds are easy to make. For example you could take an open source proxy and patch it to detect and remove the exploits from websites. Or you could disable the vulnerable part if possible. Or be careful and only go to trusted sites until it's patched.
2. The probability of me taking an action doesn't matter. I don't spend time patching bugs in OSS programs very often, but sometimes I *do* patch them. If I knew one program I really need had a bug I can fix I'd patch it. If you hide this information from me I can't patch it.
Your philosophy, BTW, is completely wrong. By following your logic we should deny all knowledge that could be used for something evil to everybody who can't prove s/he needs it. Books about networking should be only given to network administrators, the composition of gun powder should be removed from public information sources and chemistry books be banned.
Oh, great. So tell me, who are those people who need the access? Vendors? Then they could sit and ignore this stuff for months. Certified system administrators or some crap like that? Then all the people like me who run servers at home would miss it.
If you do something like that you'll create an elite who is more informed than everybody else. This will have two effects: First, everybody who really wants the information will get it, I'm pretty sure somebody will repost information from the list openly sooner or later. Second, you will make it harder for people to keep their machines safe, which will result in more exploited computers.
This is how things would work:
1. Somebody finds an exploit, posts it to this secret list
2. The vendor takes it easy and adds the fix to the next service pack to be released next month
3. One sysadmin on the list decides that it's really cool that there are millions of vulnerable machines out there.
4. You get a mess that's even worse than Code Red.
So how do I know if some of my software is how you call it, "old crap"? Can I chroot it, strace or ltrace it, look in /proc to see what files it has open?
I do have backups, but restoring data that doesn't change often is much faster and easier than spending a whole day on installing Win2K, then applying all the patches and rebooting 8 times at least, and then reinstalling everything else because every program wants its settings to be in the registry.
I guess I may have been a power user, definitely not administrator, although I don't know because obviously I had to reinstall it, but I don't remember seeing Win2K warn about power users. I think it said they can install programs, but I never saw a detailed explanation of what security settings are used for them.
Anyway, it's quite odd. Somehow Linux lets me install programs in my own folder without any problems, and Win2K with all the money MS has still can't handle it properly.
No, I imported it accidentally. Clicked the wrong .reg in the folder.
The "last known good configuration" didn't help, apparently because I had rebooted several times, because I didn't realize at first what had happened.
Users? You need no users for that.
This means that any program can screw my registry enough to leave the system unbootable. What's the point in running as normal user, then? Just try to rm -rf /etc on Linux. I'm pretty sure that unless you're root it'll still work fine afterwards. And that's how it should be.
On Linux, if I want to try a suspicious program I can create a new user account and try it there. If I want to be more paranoid I can chroot it and use strace to find what exactly it's doing.
Now, if in Win2K it's possible to break the whole system as a normal user, where's all that security it's supposed to have?
Also, what registry tree? I've seen no detailed help files explaining every key of the Windows registry, what it's used for, and what would happen if it had too restrictive permissions. If those permissions are so badly set from the beginning it makes me think the reason is that many programs will break when they're unable to write to some places. If changing those ACLs would give me better security at the cost of breaking half of my programs, thanks, I don't want it. Linux works much better.
It is *very* flawed. This is how you can destroy a Win2K system as a normal user:
1. Boot Windows 98
2. Export HKEY_LOCAL_MACHINE to a .reg file
3. Boot Win2K
4. Log in as a normal user
5. Import the .reg file
6. Reboot
I did that, and Win2K was never able to finish booting. It got stuck at the blue desktop background and complained about missing entry points in DLLs. If that's not a structural flaw I don't know what it is.
I get paid for maintaining a VB app. But I still spend most of the time in Linux. I just bought an 80GB disk, installed VMware and now I'm like in paradise. I do almost everything with Linux, but also keep 6 VMs for development and testing purposes.
I'm hoping to learn .NET and maybe migrate the app to it, so when Mono starts working well I can try to switch to Linux completely :-) Or at least for development.
Excuse me if I sound disrespectful, but that makes me really doubt your skills. MD4? First, usually what's used is MD5, second it's just a hash and doesn't ensure the file hasn't been tampered with. All you need is to run md5sum on the patched file.
Now, good GPG signatures would have helped.
From what I've read, compression helps, but not much because most compression algorithms generate some very predictable data. For example, ZIP files begin with "PK". That alone could be enough to help decryption.
Heh, it's really funny you call that "free access". You paid for it. It doesn't really matter if that payment is included in the price of Maya. It could have been also a bit cheaper and require you to pay for the tutorials. It's definitely not free.
Nothing, you moron.
I just like using a decent system, and by my standards, "decent" is almost never something Microsoft makes. I'm typing this from Konqueror, BTW. I read my mail from KMail without worrying about stupid viruses. I see Slashdot news in the news ticker. I write my source code with Kate and Vim. I go to IRC servers with KVIrc, and chat with people with Jabber. When I do need Windows for my work I start VMware.
Again, I'm not trying to prove anything. It just works the way I like it.
You know, that sounds like a great idea. Are there any fighting games with real physics like this? One in which you could break the opponent's arm, for example, make him/her fall differently depending on where you hit, and things like that?
Wouldn't light speed be an issue too? I did an estimation a while ago, and at 4 GHz a clock cycle should be lost while waiting for the signal to travel over the wire. Sure it's not a huge difference if you add it to the 45 cycles above, but as CPUs get faster it'll grow.
Because every bit doubles the time needed to brute force it, so it takes 2^54 = 18014398509481984 times longer.
What can you download with Kazaa has absolutely no place in its EULA. EULAs are supposed to be used to impose some conditions on the user (reverse engineering) that somehow affect the creators of the tool. What files you download with it shouldn't matter. Downloading copyrighted material you don't have rights to is already illegal, EULA or no EULA.
It's like having an EULA for a car that says you agree not to use it for kidnapping. Since that's already illegal it makes no sense to put it there.
Hopefully that means that Guybrush (RMS? Alan Cox? Bruce Perens?) will get a voodoo doll and kick his ass!
In that case the ISP should provide some kind of notification to the person that sent the message, like "Your message has been received, however, this account is temporarily suspended and the recipient won't be able to read it." If this was what had happened there would be no problem at all.
I think what the parent means is that you shouldn't keep checksums in the kernel but a public key. It's simple. You put a public key into the kernel and have the private one on a secure computer without network access.
Say you want to update your server. You put those binaries on a floppy or whatever, take them to the signing computer and sign them. Then you copy those binaries to the server with the signature.
Since you can't fake a signature the kernel can verify that the binary has been signed by you. If you used the checksums idea you'd have to keep a checksum per file, which probably would require a recompilation and a reboot every time you wanted to update something.
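The scheme in the comment above, together with the earlier remark that a hash published next to a file proves nothing, as an added example that is not part of the original posts. It uses the openssl CLI (RSA with SHA-256) as a user-space stand-in for a kernel-side check; every path, file name and file content is constructed.

```shell
#!/bin/sh
# Constructed demo: every path, key and file content here is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/signer" "$WORK/server"

# Offline signing host: the private key stays in signer/.
openssl genrsa -out "$WORK/signer/private.pem" 2048 2>/dev/null
# The server holds only the public half (stand-in for a key built into the kernel).
openssl rsa -in "$WORK/signer/private.pem" -pubout \
    -out "$WORK/server/trusted.pub" 2>/dev/null

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# publish CONTENT: build and sign on the signing host, then copy the file,
# its signature and a plain checksum to the server.
publish() {
    printf '%s\n' "$1" > "$WORK/signer/daemon"
    openssl dgst -sha256 -sign "$WORK/signer/private.pem" \
        -out "$WORK/signer/daemon.sig" "$WORK/signer/daemon"
    cp "$WORK/signer/daemon" "$WORK/signer/daemon.sig" "$WORK/server/"
    sha256_of "$WORK/server/daemon" > "$WORK/server/daemon.sha256"
}

# pin: record the installed file's digest inside the verifier itself
# (the "checksums in the kernel" variant).
pin() { sha256_of "$WORK/server/daemon" > "$WORK/server/pinned.sha256"; }

verify_pinned() {
    [ "$(sha256_of "$WORK/server/daemon")" = "$(cat "$WORK/server/pinned.sha256")" ]
}
verify_shipped() {
    [ "$(sha256_of "$WORK/server/daemon")" = "$(cat "$WORK/server/daemon.sha256")" ]
}
verify_signature() {
    openssl dgst -sha256 -verify "$WORK/server/trusted.pub" \
        -signature "$WORK/server/daemon.sig" "$WORK/server/daemon" >/dev/null 2>&1
}

check() { if "$@"; then echo accept; else echo reject; fi; }
report() {
    echo "pinned=$(check verify_pinned) shipped=$(check verify_shipped) signature=$(check verify_signature)"
}

# Fresh install: all three checks agree.
scenario_install() { publish 'daemon build 1'; pin; report; }

# Legitimate update signed offline: the pinned digest is stale until the
# verifier is rebuilt, while the same public key accepts the new build.
scenario_update() { publish 'daemon build 1'; pin; publish 'daemon build 2'; report; }

# File changed on the server without the private key; the checksum file that
# sits beside it is regenerated, so only the pinned digest and the signature notice.
scenario_tamper() {
    publish 'daemon build 1'; pin
    printf 'daemon build 1, modified on the server\n' > "$WORK/server/daemon"
    sha256_of "$WORK/server/daemon" > "$WORK/server/daemon.sha256"
    report
}

echo "install: $(scenario_install)"
echo "update:  $(scenario_update)"
echo "tamper:  $(scenario_tamper)"
```
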
I work on a program with a quite denormalized database. The thing is simple. To retrieve some kinds of data you need to do some fairly long SELECTs, so that data is duplicated. This is things like the last vendor who shipped a product, and the last date of shipment, for example. Individually this isn't that slow, of course, but we need to generate this information for every product sometimes. All this data can be easily recalculated, and I have a program exactly for that. So really there's no consistency issue unless there's a bug, and a bug fix and a pass of the program should take care of that.
The exception thing is left to whoever implements the function. And with the Carp module you can make it look like it bombed in the function call and not inside the function.
What it does is read and remove data from a hash. If after all the known arguments have been removed something remains it can produce an error. But that's left to the function's programmer to decide.
Making it mandatory everywhere in Perl is completely impossible. Due to how arguments are passed it'd make some things really icky. For example you'd be forced to use always references. Maybe it's not perfect, but I got used to it, and anyway in any project of a respectable size you have to establish rules and conventions, so this issue can be easily avoided.
It can die, or it can not depending on how it's used. It allows mixing too if done at the beginning:
function('foo', 'bar', an_arg=>'baz', anoter=>4); # works
function('foo', an_arg=>'baz', 'bar', anoter=>4); # doesn't work
It works only with a fixed number of unnamed arguments. I normally use an unnamed argument for the main parameter, and the rest as named ones. For example:
open_file('foo.html', mode=>'read');
When well planned this lets me extend the function without having to replace every call to it in the source.
Named arguments can be done in Perl, as well as checking their amount and correctness. In fact, I've got a little module just for that. You call the function like this:
function(foo=>'value', bar=>1);
it dies if a required parameter is missing, or has a wrong value.
I tried having a node on my server, but it couldn't be. It's just too big for my Cyrix 233/64MB. It's written in Java. First, it was complicated to chroot. And then it was a pain to keep running. It can't be that complicated. I'm sure that a decent C implementation could use a reasonable amount of RAM. The Java one used 32MB on average and quite often got killed by the kernel.
I've got a question too, why does Freenet have to use threads? I honestly don't understand why they are needed. Couldn't it just switch between connections like an IRC server? Maybe it'd be a bit smaller that way.
None of those things are stupid, IMO, on the contrary, they're very smart.
1) If you could control your data store, the government could just determine you're running a Freenet client and decide to send a policeman to your house. Then they could check if you have some child porn there. After all, if you can control it it's your responsibility to keep it legal, right? And they could bet most of the people wouldn't bother filtering much. In any case it's impossible to filter everything unwanted.
By encrypting the data store and keeping it obscure Freenet tries to protect you from liability. It's an attempt of making you become just a carrier, who transfers data but is not liable for it, like phone companies aren't liable for murders planned over the telephone.
2) That's just how the network works. If your files are thrown out that just means nobody wanted them. If nobody wanted them, why waste resources on keeping them? That space can be used for things people are more interested in. If you indeed think your data is valuable you could announce them in boards.