Primarily contacted by voluntary behavior that almost everyone in the entire world has been told to avoid.
malaria,
Previously controlled by DDT, before it was removed from the market by (later disproven) fear.
hunger, lack of fresh water and overall stupidity of the general population
Assuming you meant "ignorance" instead of "stupidity", all three of those are political issues. Feel free to suggest solutions that will satisfy all affected groups.
Bird flu, on the other hand, has the potential to tear through high functioning societies. No amount of education, pesticide, food, or water can stop it. There's a reason people are afraid of the word "pandemic".
The company has resisted formally open-sourcing all of the Java software, but it has dramatically changed the development process around Java and changed licenses to make it easier to see Java source code.
Who cares? I can see the Windows source code if I sign the right NDAs. That's doesn't mean that I can actually do anything with it, though.
First, awesome comment. Really. That was excellent.
Second, does your daughter blog about your sex life on MySpace?
Third, should it come up, let her know that most rational males still consider her a virgin. You have to actually participate in something to unset that bit, and it sounds like she was probably an unwitting bystander to the act.
You're not SERIOUSLY saying that hitting the delete key, or any amount of bandwidth, is actually equal in value to a person's life, are you?
I'm certainly not. I want to see them in PMITA prison and destitute, but not dead.
However. According to a report from 2004, spammers sent about 12.4 billion messages per day. If it takes one second per email to delete, then that consumes 393 person-years to remove from our collective inboxes. Assuming an average lifespan of 75, that means spammers use the entire lives of over five people each and every day.
Put in the context that they're effectively killing 1900 unwilling people per year, that proposal doesn't seem quite as unthinkable.
Again, I don't encourage violence against spammers. Still, I can see the point of people who do, even though I don't reach the same conclusion.
They didn't seem concerned at all, it was like I was "bothering them" to ask them to stop that machine from spamming. I bet it was sending 150,000 messages between the ones I received.
And you didn't redirect the flood to their personal accounts why? Nothing seems to get a problem fixed quite as quickly as putting it back on the people causing it.
Let me get this straight: there will have been three Debian releases between major desktop Windows releases? That right there is enough to have the release management dragged out and shot. I mean, you know there's going to be a new version of OpenBSD every six months, so that's no big deal. But when Debian is out-releasing you, it's clear that your house is Not In Order.
Congratulations, folks, seriously. I'll be looking forward to that big apt-get!
is completely useless as a way of exchanging information between vendors. Yes, the framework may resemble other popular standards, but the actual contents can be arbitrary blobs of opaque badness. That solves nothing.
I looked round to see some guy making offensive gestures and very clearly mouthing "BUM" at me.
As others have mentioned, we don't honk at bums. Given that many of them are crazy, we tend to go out of our way to avoid them (who wants to risk him catching up to you while you're stopped at a traffic light?).
More likely is that whether you realized it or not, you were doing something you weren't supposed to. "Bum" can also have the connotation of "jerk" or "idiot", as in "get out of the street, ya moron!"
Never mind that the bad code is valid C, it's insane that it didn't generate a warning.
Which warning would you like it to throw? "warn: Add more parens at random places!"
Code that's conditional on "whether I'm root" is a hole waiting to open. Must better to have a separate wrapper that is setuid and accepts a constricted set of options, then calls the real program (which is not setuid).
But the setuid wrapper will still have to test for its rootness at times, and I'm not sure that moving that line of code from one program to another would make much of a difference.
The Gartner group are just a tad (to say the least) biased against Micro$oft.
They weren't when they published Microsoft's anti-Linux FUD. Maybe they've burned that bridge in the mean time. I don't know; I've tuned them out since then.
The 360 still has the best games sold/console ratio in the history of games.
Bull. I'm pretty sure I own more games for my PS2 than there are games available for 360.
Re:Source updates on a minimal system?
on
OpenBSD 3.9 Released
·
· Score: 2, Interesting
It's absolutely ridiculous to assume an intruder NEEDS you to install GCC for him. He can quite easily install OpenBSD on his own hardware and compile the code there, transfering the binary to your box. Or he can install whatever dev tools he wants, once he has root on your box.
I'm first going on the assumption that the attacker only has regular user access. If he has root, then all is lost (well, not completely, but still...). Regular users, though, might find it a bit annoying to not have any includes available when trying to compile 1337_rootkit.c. They'd have to install their own tarball, link against those headers, etc.
Would that stop a determined cracker? No! But it's an extra layer of hassle that you're making them jump through, and if it takes them an extra five minutes to figure out, then maybe that's enough. Again, it's not a solution, but a layer. It's like filtering MAC addresses: you don't use that as your sole line of defense, but it's a nice idea in addition to your other methods.
And philosophically, an ideal system is one that does not one whit more than it was designed to do. You could install X and ircd on a firewall, too, but if those don't help it fulfill its deployment goals then why do it?
Ive got a number of systems with just 6gb or less of hdd space, and I have plenty of room to build the tree. You only need around 1500Mb spare on/usr.
So you missed the entire point of my post, that I don't want GCC on my firewall, and that I don't want to maintain a build machine for the sole purpose of keeping that firewall server up to date? Re-read what I said.
What if you installed a binary with malicious code?
Given that none of the install packages on the main or mirror sites are signed, there's no more exposure from downloading a (possibly hacked) binary patch than from downloading a (possible hacked) installer. And if they adopted the practice of signing the installer, then they could also sign the patches.
I don't buy the idea that it's harder to securely distribute patches than it is the base system. Furthermore, I don't recall ever hearing any of the OpenBSD guys make that claim.
Rackmount firewall hardware recommendations?
on
OpenBSD 3.9 Released
·
· Score: 1
This article (and release) are excellent timing for me. My latest project is building a firewall to replace our SonicWALL with an OpenBSD system. I need to make a hardware recommendation for something that can:
Support at least four NICs (WAN, LAN, DMZ, wireless), with gig-eth between the LAN and DMZ.
Terminate three or four OpenVPN tunnels over a 3 Mbit connection.
Run Snort (not strictly necessary, but would be a nice bonus).
Ideally fit in 1U of rack.
I'm having a hard time with this. This will be my first rack-mount server, and I really don't know much about what's available in this space. I've seen threads from a couple of years ago about this exact subject, but hardware recommendations from '04 aren't very helpful today.
Cost is a factor to some extent, but extreme reliability isn't a strong requirement (since we can always throw in a big-box temporary replacement on short notice). In other words, we're not looking for something that fell off the truck, but quad-redundant power supplies aren't a selling point for us.
How 'bout it, Slashdotters? Seen any sweet packet-pushing hardware that a small office can afford?
Source updates on a minimal system?
on
OpenBSD 3.9 Released
·
· Score: 5, Interesting
Frankly, this is crap. 10GB drive and you can't maintain a source tree???
I could maintain a lot of stuff in 10GB, but given the sensitive nature of most OpenBSD installations (such as firewalls, etc.), GCC is not among the things I want to have around.
According to the FAQ, three file sets are required for installation:
bsd
baseXX.tgz
etcXX.tgz
Although that gets you a complete running system, it doesn't leave you with one that can self-host source updates. Given that I run exactly one OpenBSD machine at the office, I don't want to have a separate build server sitting around just to keep it updated. So, even though I have the hardware to support the process, and the technical skills to do so, it's still a major pain in the neck.
Oh, and to those saying I should just install snapshots, the FAQ says:
Between formal releases of OpenBSD, snapshots are made available through the FTP sites. As the name implies, these are builds of whatever code is in the tree at the instant the builder grabbed a copy of the code for that particular platform. Remember, on some platforms, it may be DAYS before the snapshot build is completed and put out for distribution. There is no promise that the snapshots are completely functional, or even install.
/pub/OpenBSD/snapshots/ For our major architectures, we tend to build mini releases of unknown stability and quality about every month or so. This is where we place those test releases.
Ain't no way I'm going to tell my boss that my security update process involves "mini releases of unknown stability and quality". That is why I'd like to see "baseXX-r1.tgz" at ftp.openbsd.bsd (and it's mirrors) that holds nothing but the 3 or 4 binaries I'd need to upgrade on a stock system to bring it up to date. I'm not stupid or broke - just very time-challenged. I'd be happy to pay for a subscription to such a service were one available.
Gotcha. I was hoping you'd say something like "using case-sensitive comparisons makes it less painfully slow" or something along those lines. I love our little LCD iMac, but backups border on painful ("the thing is still in the estimate phase?!?").
Indeed. I would be absolutely amazed to find that there are more Solaris installations (which I've never actually seen in the wild) than FreeBSD (which I've seen at almost every Unix-based shop I've dealt with).
I don't have any hard numbers to back that up, but experience makes me pretty skeptical of that claim.
I think the major advantage is the fast snapshotting and cloning.
FreeBSD's UFS supports snapshotting, but Apple didn't port that feature over. I'm not sure why they'd fully support ZFS when they're not fully supporting the other filesystem they already have.
I've made a few "what about UFS?" comments in this story, but I hope I don't come across as some weird filesystem fanboy. It's just that I can't figure out why this announcement is so exciting. ZFS is cool, sure, but I see it as an incremental improvement to widely used Unix filesystems rather than a quantum leap.
Doesn't OS X already have UFS? ZFS is nicely buzzword compliant, but Mac users can migrate to a standard Unix filesystem today if they want to.
However, I've never bothered to research it and this seems like an appropriate place to discuss it: what's keeping people on HFS+? Is it the case-sensitive thing, and if so, wouldn't that be an issue with switch to ZFS, too?
Primarily contacted by voluntary behavior that almost everyone in the entire world has been told to avoid.
malaria,
Previously controlled by DDT, before it was removed from the market by (later disproven) fear.
hunger, lack of fresh water and overall stupidity of the general population
Assuming you meant "ignorance" instead of "stupidity", all three of those are political issues. Feel free to suggest solutions that will satisfy all affected groups.
Bird flu, on the other hand, has the potential to tear through high functioning societies. No amount of education, pesticide, food, or water can stop it. There's a reason people are afraid of the word "pandemic".
Who cares? I can see the Windows source code if I sign the right NDAs. That's doesn't mean that I can actually do anything with it, though.
Second, does your daughter blog about your sex life on MySpace?
Third, should it come up, let her know that most rational males still consider her a virgin. You have to actually participate in something to unset that bit, and it sounds like she was probably an unwitting bystander to the act.
No, not the accounts of the alleged senders, but the accounts of the mailadmins that refuse to fix their systems. Something along the lines of
in the mail filtering language of your choice.I'm certainly not. I want to see them in PMITA prison and destitute, but not dead.
However. According to a report from 2004, spammers sent about 12.4 billion messages per day. If it takes one second per email to delete, then that consumes 393 person-years to remove from our collective inboxes. Assuming an average lifespan of 75, that means spammers use the entire lives of over five people each and every day.
Put in the context that they're effectively killing 1900 unwilling people per year, that proposal doesn't seem quite as unthinkable.
Again, I don't encourage violence against spammers. Still, I can see the point of people who do, even though I don't reach the same conclusion.
And you didn't redirect the flood to their personal accounts why? Nothing seems to get a problem fixed quite as quickly as putting it back on the people causing it.
Congratulations, folks, seriously. I'll be looking forward to that big apt-get!
The fact that
is completely useless as a way of exchanging information between vendors. Yes, the framework may resemble other popular standards, but the actual contents can be arbitrary blobs of opaque badness. That solves nothing.As others have mentioned, we don't honk at bums. Given that many of them are crazy, we tend to go out of our way to avoid them (who wants to risk him catching up to you while you're stopped at a traffic light?).
More likely is that whether you realized it or not, you were doing something you weren't supposed to. "Bum" can also have the connotation of "jerk" or "idiot", as in "get out of the street, ya moron!"
It's not because RTF isn't up to the job. If it was, that's what everyone would be using.
Which warning would you like it to throw? "warn: Add more parens at random places!"
Code that's conditional on "whether I'm root" is a hole waiting to open. Must better to have a separate wrapper that is setuid and accepts a constricted set of options, then calls the real program (which is not setuid).
But the setuid wrapper will still have to test for its rootness at times, and I'm not sure that moving that line of code from one program to another would make much of a difference.
Yes.
They weren't when they published Microsoft's anti-Linux FUD. Maybe they've burned that bridge in the mean time. I don't know; I've tuned them out since then.
Bull. I'm pretty sure I own more games for my PS2 than there are games available for 360.
I'm first going on the assumption that the attacker only has regular user access. If he has root, then all is lost (well, not completely, but still...). Regular users, though, might find it a bit annoying to not have any includes available when trying to compile 1337_rootkit.c. They'd have to install their own tarball, link against those headers, etc.
Would that stop a determined cracker? No! But it's an extra layer of hassle that you're making them jump through, and if it takes them an extra five minutes to figure out, then maybe that's enough. Again, it's not a solution, but a layer. It's like filtering MAC addresses: you don't use that as your sole line of defense, but it's a nice idea in addition to your other methods.
And philosophically, an ideal system is one that does not one whit more than it was designed to do. You could install X and ircd on a firewall, too, but if those don't help it fulfill its deployment goals then why do it?
So you missed the entire point of my post, that I don't want GCC on my firewall, and that I don't want to maintain a build machine for the sole purpose of keeping that firewall server up to date? Re-read what I said.
I guess it worked.
Given that none of the install packages on the main or mirror sites are signed, there's no more exposure from downloading a (possibly hacked) binary patch than from downloading a (possible hacked) installer. And if they adopted the practice of signing the installer, then they could also sign the patches.
I don't buy the idea that it's harder to securely distribute patches than it is the base system. Furthermore, I don't recall ever hearing any of the OpenBSD guys make that claim.
I'm having a hard time with this. This will be my first rack-mount server, and I really don't know much about what's available in this space. I've seen threads from a couple of years ago about this exact subject, but hardware recommendations from '04 aren't very helpful today.
Cost is a factor to some extent, but extreme reliability isn't a strong requirement (since we can always throw in a big-box temporary replacement on short notice). In other words, we're not looking for something that fell off the truck, but quad-redundant power supplies aren't a selling point for us.
How 'bout it, Slashdotters? Seen any sweet packet-pushing hardware that a small office can afford?
I could maintain a lot of stuff in 10GB, but given the sensitive nature of most OpenBSD installations (such as firewalls, etc.), GCC is not among the things I want to have around.
According to the FAQ, three file sets are required for installation:
Although that gets you a complete running system, it doesn't leave you with one that can self-host source updates. Given that I run exactly one OpenBSD machine at the office, I don't want to have a separate build server sitting around just to keep it updated. So, even though I have the hardware to support the process, and the technical skills to do so, it's still a major pain in the neck.
Oh, and to those saying I should just install snapshots, the FAQ says:
Elsewhere on the site are other discouraging words:For our major architectures, we tend to build mini releases of unknown stability and quality about every month or so. This is where we place those test releases.
Ain't no way I'm going to tell my boss that my security update process involves "mini releases of unknown stability and quality". That is why I'd like to see "baseXX-r1.tgz" at ftp.openbsd.bsd (and it's mirrors) that holds nothing but the 3 or 4 binaries I'd need to upgrade on a stock system to bring it up to date. I'm not stupid or broke - just very time-challenged. I'd be happy to pay for a subscription to such a service were one available.
Gotcha. I was hoping you'd say something like "using case-sensitive comparisons makes it less painfully slow" or something along those lines. I love our little LCD iMac, but backups border on painful ("the thing is still in the estimate phase?!?").
Indeed. I would be absolutely amazed to find that there are more Solaris installations (which I've never actually seen in the wild) than FreeBSD (which I've seen at almost every Unix-based shop I've dealt with).
I don't have any hard numbers to back that up, but experience makes me pretty skeptical of that claim.
FreeBSD's UFS supports snapshotting, but Apple didn't port that feature over. I'm not sure why they'd fully support ZFS when they're not fully supporting the other filesystem they already have.
I've made a few "what about UFS?" comments in this story, but I hope I don't come across as some weird filesystem fanboy. It's just that I can't figure out why this announcement is so exciting. ZFS is cool, sure, but I see it as an incremental improvement to widely used Unix filesystems rather than a quantum leap.
It never occurred to me to use a case-sensitive HFS+. What's the advantage of that?
However, I've never bothered to research it and this seems like an appropriate place to discuss it: what's keeping people on HFS+? Is it the case-sensitive thing, and if so, wouldn't that be an issue with switch to ZFS, too?