So in answer: it has *always* mattered what source information; the ends never justify the means.
Hmmm. Good point.
Do I think the person who exposed the vulnerability acted ethically, as I would expect a legitimate security researcher to act? N
Hmm. Not as clear. Commercial gain is not as bad a reason, especially since the problem has been known to HP for a long time. Plus the gain is very indirect: building reputation, rather than direct payment.
Is Tru64 really that insecure compared with Solaris/HP-UX?
[...]
Do you have anything else to base your opinion on? I'm not flaming, I'm actually after a serious answer.
I don't know if Tru64 is any more insecure than Solaris or Linux. However, the point is that if security experts who look for holes stop analyzing Tru64 as part of their work, Tru64 will become less secure. You know, fewer eyeballs find fewer bugs.
Since HP wants to sue programmers who, without pay, find bugs in their code, why should the programmers be helping HP? Let HP suffer the consequences.
Imagine if some car company XYZZY produced a car and they threatened to sue "Consumer Reports", if "Consumer Reports" released test results on this car. All "Consumer Reports" would have to say to avoid a suit is "we did not test this car from XYZZY, because they did not want us to". What would you think?
As a community, we do ourselves an incredible injustice by lining up to defend everyone who posts an exploit as if they were an associate professor at MIT. And that's exactly the perception that the initial commentary and posting to Slashdot of this article tried to imply.
So free speech is good for academics, but not for random hacker?
What difference does it make who finds and reports a bug? The cool thing about the Internet is that you don't have to be a professor at MIT to publish security exploits. The publication speaks for itself.
And if I'm running affected software, I don't care who reports the problem - as long as I find out and get a fix.
Would you still feel the same if your bank kept your accounts on Tru64 HP machines?
Frankly, I think that all the security experts should stop looking at Tru64 and just publicize the fact that they don't recommend it for uses where security is required.
Some people might argue that by publicizing a security hole, more people will try to take advantage of that hole, and will compromise security for anyone using the product.
So, to carry the Ford Explorer analogy, they should've stayed quiet until the manufacturer recalled all the tires?
HP had a year to deal with this! Why don't they hire some programmers, instead of lawyers?
As a generally law abiding citizen, you have the responsibility to exhaust all available LEGAL methods of protest, before resorting to the often misunderstood and misused concept of civil disobedience.
Frankly, as a human being sometimes you may be forced to break the law to do the morally correct thing. For example, just before the Civil War there was a federal law called the "fugitive slave law". It said that an escaped slave was to be returned to its owner.
However, many people in the North disregarded this law and did the morally correct thing of helping runaway slaves (this was not without risk - you could wind up in jail).
The current situation may not be as clear cut as slavery. But you can argue that we are protecting our individual freedom of expression and normal methods (i.e. letter writing etc.) are not working, so extraordinary measures are needed.
If it is illegal to pick locks to enter houses, then what are the locks for in the first place? To prevent accidental lock picking?
Actually, picking locks is legal. Entering someone's house without permission is not (I guess that's breaking and entering, if you have to pick a lock).
DMCA makes it illegal to pick locks, without the entering part. So, if I get locked out of my house I'll get arrested for picking the lock to get back in.
Or just look at modern China, Russia, etc. I think the main thing the U.S. has going for us is that corruption is at a low enough level that it's worth it for us to support the system.
The US is the worst country to live in, except for all the others... :-)
This is really getting old. Every few weeks something appears about Senator so and so passing some legislation to essentially suck off of the media giants just to make some quick money.
If you study a bit of history you'll find that this is nothing new. Read about the financial dealings and political corruption that occurred during the "railroad bubble" of the 1840s.
Why do you think Lincoln was referred to as "Honest Abe"? He was running as an outsider, not corrupted (or corruptible) like other present-day politicians.
Read about the backstabbing that took place during the post Pearl Harbor hearings in 1942. Jeez! And you think politics today is bad?
The political process that we have is all that we have. Just work it. If enough people speak up, the world can be changed and it has been getting better, just slowly...
The days of "Cowboy Content Creation" are over. Creation of web content will have to be via XML with precise industry standard DTDs.
Hey, Cowboy!
You mean that "content" visible on the web will have to follow standards? Standards that no one owns? You mean that any page will be viewable with Mozilla, not just IE? If, so then let's bring it on.
Otherwise you just get lost in the noise.
Ah, but what a wonderful noise it is.
The Internet makes it possible for people to communicate with other people (like I'm doing right now). This is what the big media is missing. The Internet is not a broadcast medium, so big media is not necessary.
I agree about pair programming. In fact, *YOU* as the lead should pair with the other developers, so that you can guide them and maybe find out what the problems are. Spend a day or two with each guy/gal.
The other thing is to make everyone write unit tests, and if possible set up a continuous build that compiles everything and runs tests every time someone checks code in (you are using source control, right?). There are many OSS tools that do this and send email when things break (compile or tests).
Then everyone will get a feel for how the project is going.
Don't hog the good work for yourself, just because you think you're much better. Somebody else should know the code too, or else you'll never get any vacation.
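A minimal version of the "continuous build" step the comment above describes, written here as an added example (it is not code from the original post or from any particular OSS tool): compile, then run the tests, and write a short report that a check-in hook can hand to `mail` when either step breaks. The build and test commands, the revision label and the report path are all assumptions passed in as arguments, so the function can be tried with any commands before wiring it to a real repository.

```shell
#!/bin/sh
# Added example: one continuous-build check, run once per check-in.
# Arguments: <revision-label> <build-cmd> <test-cmd> [report-file]
# Returns 0 when build and tests pass, 1 when the build fails,
# 2 when the build passes but the tests fail. The first line of the
# report is a one-line status; the rest is the captured build/test output.
ci_check() {
    rev=$1
    build_cmd=$2
    test_cmd=$3
    report=${4:-ci-report.txt}
    log=$(mktemp)

    # Step 1: compile everything. Capture output so it can be mailed on failure.
    if ! sh -c "$build_cmd" >"$log" 2>&1; then
        printf 'FAILED build %s\n' "$rev" >"$report"
        cat "$log" >>"$report"
        rm -f "$log"
        return 1
    fi

    # Step 2: run the unit tests; only meaningful once the build succeeded.
    if ! sh -c "$test_cmd" >>"$log" 2>&1; then
        printf 'FAILED tests %s\n' "$rev" >"$report"
        cat "$log" >>"$report"
        rm -f "$log"
        return 2
    fi

    printf 'OK %s\n' "$rev" >"$report"
    rm -f "$log"
    return 0
}

# Hypothetical hook body (assumed commands and address, not part of the original
# post): run on every check-in and mail the report only when something broke.
# rev=$(git rev-parse --short HEAD)
# ci_check "$rev" "make" "make test" ci-report.txt \
#     || mail -s "build broken at $rev" dev-team@example.com < ci-report.txt
```

The exit code distinguishes "does not compile" from "compiles but tests fail", which is the distinction the notification mail should make so people know whether to look at the code or at the tests.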
The government has one purpose, and that's to serve the people it represents. If it allows companies to hire foreign workers at the expense of American citizens, that's a problem.
But if by allowing foreign workers we get cheaper goods and services that more citizens can afford, then the government is doing its job helping more citizens.
Look what's happening with the steel industry. By protecting the jobs of tens of thousands of workers, millions of people will be paying more for things that need steel (e.g. cars). The protectionism also helps to prop up old technology by subsidizing it, and discourages innovation.
If you are really, really lucky you may have some of the problems you describe. Most likely no one will submit any patches to your project, so your "vision" will be safe. Most likely, no one will use your program either.
Actually, what you should do when someone requests a change or submits a patch is accept it and be grateful that someone spent time trying to improve your code.
One of the purposes of open source development is to encourage participation so that many different ideas can be tried.
Remember, Linux started as a terminal emulation program...
Maybe when they were just circles I could believe some of those dumb looking guys did it, but now they are getting more complicated in shape; some of them would be damn hard to draw on paper, you'd need precise measurements just to draw it on paper, so whoever is doing them now is putting a great deal of effort into them.
So.... Just because it would be hard for you, doesn't mean no one else can do it.
I think one of the reasons that movie theaters are not eager to convert to digital format, is that this will give the movie companies additional control over what and how things are shown in theatres.
DRM can give the movie companies almost total control over how and when movies are shown in all theaters. Which is something theater owners would prefer to control themselves - as you can respond better to your local audience.
So, if "MIB-II" is tanking in Notown, USA, start showing "Minority Report" on an extra screen to bring more people in instead.
The beauty of the now (excuse the MR pun) is that I can create content and set it free, and If you don't like mine, then find someone whose agenda you do like.
That's true for now. But as the technology for playback gets locked down, you'll find that to release content for free you have to pay licensing fees to get your content playable as an e-book, e-movie etc.
This has happened before. Look how tightly printing presses or copy machines were controlled in Communist countries.
Look what happened to "micro-radio" stations. You can provide your own content, but just try and broadcast it.
Look at the service agreements with your Cable/DSL service providers. No servers allowed!
For example, take an HTML form. Let's say you had a few hundred choices for one of the textboxes on that form. It would be incredibly useful to be able to type in the first few letters of the text and press a button to search for all matches and display them in a selection box next to it.
What's the big deal? You can do this with a browser based interface by going to the server to do the query and then displaying the result (I built several things like that with Java/JSP stuff).
Of course, you'll argue that the extra server interaction is slower, which is true. But in the real world many such applications run on corporate Intranets (100mb Ethernet) or over T1 lines, so the speed is sufficient for practical purposes.
There are other gains to be had by deploying web based apps.
Let's give them what they want. Everyone should remove links to the complaining web site, and let them drop off Google (which rates pages on how many links point to them).
Is this a serious enough answer?
Let the crackers have it.
Depends where I am. I never lock my car when it's parked outside my house (in the suburbs), but I do when I park it in New York.
Some people just don't get it. you didn't read the book. Did you?
I guess there are more lawyers than competent web masters.
It's easy to be for free speech if you like what someone else is saying. It requires some courage to support free speech that you disagree with.