Anyway, comparing it to Perl-written Kwiki is nonsense IMHO.
Not at all. And to all of the people who have said something along the lines of, "why can't we praise them for this release," questioning the quality of one piece of softwre vs. another is a tradition on Slashdot and has nothing to do with Microsoft (other than that they happen to be the author of one of those pieces of software in this case).
If this were a post about MySQL's latest release, you'd expect questions of how it stacks up to PostgreSQL. Same goes for Gnome/KDE or Evolution/Thunderbird, etc.
It's not that we're slapping MS down for doing this, it's fine if they release open source software, but we're not going to take it easy on them either.
Slashdot's approach to releases can be summed up thusly:
Nice software... good release...
*slap* what have you done for me lately?!
You are an "end user", my friend. This means that you should be letting others do the integration work (as others have replied).
That said, if you want to play around with it, I would suggest that you download garnome. That will build all of the current Gnome pieces on which Evolution relies and give you a starting point WITHOUT destroying your existing installation. It takes a LONG time, because it does this from source (ala BSD ports tree), but by default it installs the result in a user area. Once you do that, simply re-download evolution and build/install it under the garnome tree.
If you're rushing out the door and grabbing x.org 6.8.0, gnome 2.8.0 and evolution 2.0.0 in order to get all the nifty new features, and you don't expect there to be problems, you're being VERY unrealistic.
The goal of the "release early, release often" mentality is to get the community involved in finding and solving problems.
If you can't tollerate a few bugs, that's fine. People like that make up most of the world after all. We call that an "end user" and end-users can wait for distributions to finish kicking the tires and doing the integration work.
Myself, I'd rather have 2.0.0 out in a feature-complete state so that I can get bugs in early (and maybe even a fix or two) ahead of my favorite distro releasing it in the state that I'll have to end up using at work.
Folks, can we please not post a direct link without the disclaimer? It seems to me to be a bit beyond rude.
For the record, here's the disclaimer (which I find silly, but that's not the point, I didn't decide to take on the exposure of hosting this thing for the researchers who will need access):
I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.
I don't think the poster was saying "these programs are vulnerable to this virus", but rather, "these programs seem to be vulnerable to a similar class of exploit"
Certainly Gimp's segfault points to some sort of bounds-checking problem, and is likely exploitable. NO application should load this image for display. Bounds checking during load should throw an exception (or the equivalent error status for C) for the image and the application should report that the image is corrupt. Under no circumstances should a low-level library be handing this image data further up the chain.
I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.
Simple answer: no, and that's why buffer overflow attacks work.
Yeah, I've been waiting for years to hear about the first image-based attacks for Linux. I was kind of surprised that the first exploits arrived for Windows instead of Linux, just because we've known about several holes in Linux over the years (look at the changelog for any image processing library). The down-side is that you can't always "root the box" based on an image attack because a user will be running the browser, but I would think that access to the machine is enough for most zombification and you can always go after local exploits to get root at that point.
Linux needs a good suite of exploitive data (that doesn't do anything) for projects to test against. Perhaps I'll work on that in my spare time (every format and protocol has many spots where it would be easy for a lazy programmer to do static allocation and then fail to bounds-checks, so you just write code/generate data that exploits each one of these places. I've done this for specific proprietary applications before.
And therein lies the rub. For the people that write these things, it's reaching the point of diminishing returns in terms of getting the tools installed that they need in order to efficiently, remotely manage these boxes. It was all fun and games when you just wanted 10,000 boxes to send out ping-of-deaths or SYN floods, but now you have to manage a farm of zombies and get real work out of them. The competition is fierce and the other guy is trying just as hard as you are to get large-scale admin working, and of course, like all large-scale Windows installations, they're finding that this sucks.
Several things would help:
* A virtual OS layer is needed so that the user can have Windows for their games, but the crackers can do their admin from a maintainable OS. Heck, even DOS would be more managable.
* Users should make themselves available to the crackers for physical admin needs like reboots.
* Microsoft needs to stop pushing these auto-updates. It's not as if the crackers can't find new holes faster than MS can push the updates, but the rapid change to an installed base is just too difficult to remotely manage. Bill: you're killing profits here!
Overall, we just need to start making doing business on the Internet more friendly. I don't understand why people can't understand this!
Sorry, I wasn't aware about "the point to the example" when I was fixing it. I suppose the point was also to use 250 times more disk space than necessary
As I've pointed out in another thread, I don't have time to trade sarcasm on Slashdot. If you understand the code (and it seems you have a fairly decent grasp), you know how to use it. If you understand it deeply enough, you'll probably be able to figure out that it's far, far too over-specialized (as is your response).
I don't have time to trade sarcasm on Slashdot. If you understood my code, you understand how to use it correctly. If you don't it might run/usr/games/nethack or some other such silliness. YMMV.
I am a hacker. I work in a company full of hackers. While I'm working in this company that bothers to make and understand the distinction, someone else is taking a job at a crappy company I don't want to work for.
Excuse me, how does it use 750MB of RAM? Please, explain. I ran it on my machine before posting it, and it used a negigable amount.
Were you, perhaps suggesting that *IF* you happened to place a 750MB file in "template.avi" that would be the result? I fail to see the problem with my example. Folks who place a 750MB file in "hello.c" before using K&R's compiler will also have some rather shocking results.
Few things. First off, your example is going to create some interesting files... You probably wanted to escape those HTML-escapes (as my "overly verbose" program did).
Symlinks are fine as far as they go, but the point to the example was not to provide the world's most generic tool (there are many optimizations for this), but to give people an example of the sort of code they could start with.
If I really wanted to do this, I'd probably fetch a unique mp3 and/or avi from Gnutella or BT for each file, thus confounding simple hashing tests for duplicate files.
Again, you're trying to respond to an example that I wrote in 2 minutes and posted to Slashdot as if it were a project on sourceforge. For shame.
Your modifications are mostly problematic. In future, feel free to email me any suggestions rather than posting a replacement that is less functional.
1. Don't put known text in these files. Too easy to ID. Maybe they don't look now, but in two weeks, they'd be looking for "This is not an MP3", for sure.
2. No, you don't have to escape that semi-colon. The code works just fine if you don't. You assumed I hadn't tested it?
3. No, `` isn't "bad", any more so than putting "/usr/bin/perl" at the start of the program is "bad" (someone could install a fake perl). That said, it was a short-hand, and a reasonable one at that (which I followed up with a suggestion to anyone who wanted to take the code a step further with File::Copy). Your suggestion of using fixed strings, I addressed in #1.
4. Check out the page in question before you assume a full-spectrum HTML-decoder-ring is required to parse the movie names. Sure, they could stick Javascript in the middle of any one of those names tomorrow, but you're over-generalizing, which isn't required in such a short-hand posting that was meant only to demonstrate the means of accomplishing such a task.
5. Adding a pile of painfully verbose comments to the code does not serve to enlighten the average user, and greatly complicates cut-and-paste tranferance for those with a less-than-development-friendly browser. Keep the example code simple. Write the document for it in a seperate post if you like.
it sounds more like your story (or Stephenson's idealized story) than that of anybody living in the historical period being described.
Well, I for one couldn't put a pipe organ together to save my life, and I'm not sure, but I'm guessing Stephenson couldn't either.
Stephenson's books are about the wonder that those who "need to understand" find in every-day tasks and ground-breaking discoveries alike. That's not "joe average", so sure, it's not everyone's story. It is, however, quite certainly the story of people like Newton and Turing.
Stephenson's books these days look like the phone book and tell you just about as much about the names in them
Ok, here you've gone off the rails. Are you seriously telling me that by the end of Cryptonomicon you feel you don't know the Waterhouses any better than when you started (other than having learned their names and addresses)? If so, I'm very sorry for you. I learned about a passion for math, a drive to build something new (be it modern-day business or the first computer) and a drive to impress those around him, as a way to beat back his own insecurities.
Reading about Newton's inability to cope with his homosexuality while tackling the hardest math and physics of the day was an enlightening contrast. The back-story for him and the way he was shaped by the generation of alchemists who raised him was a facinating illumination.
If you'd rather have a well-crafted ending than these characters, fine, but Cryptonomicon is, simply put, a techno-thriller, and there are two authors I know of: Clancy and Stephenson who can produce such a book without losing site of the fact that the technology that they are writing about is the life's work of some engineer somewhere. For the same reasons that the aerospace engineers were pleased with Clarke in the 50s, I'm pleased with Stephenson.
You don't have to like his works, that's fine, but don't confuse your likes and dislikes with an actual assessment of the quality of his work.
You're mis-quoting me. When I said that he loses focus, I'm talking about the END of the story. The bulk of his writing (and the bulk of these books in question), is well worth the effort.
"I suggest you need to read more historical fiction to see what a cliche his recent books have been"
I suggest you need to read Stephenson without pre-conceptions. I've read a great deal of historical fiction, and I find the vast majority of it dry and uninteresting because it fails to explore the elements that *I* find make history interesting (granted, they're not the elements that everyone finds interesting, but I thin Stephenson and I (and a great many "geeks") share this sense). Stephenson's 4-page tangent on the building of pipe-organs is seen as fluff that needs to be edited out to many in Cryptonomicon. Me? I find that to be the part of the story that's most engaging. He's telling the story of geeks from days-gone-past, and that's MY story. That's what I want to read about. I don't care if they were building organs, designing the first computers or re-defining mathematics and physics, I want to read about it, and a good story to go along with it is an added bonus!
I don't begrudge people the War and Peace style of historical story-telling, I just don't want to read it. I don't see why people should be demanding that Stephenson be edited down so that the parts that they don't enjoy are removed from their sight any more than I should ask the same of War and Peace.
PS: If you decide you want to use a 700MB avi file for input, you probably want to re-write the above using File::Copy, but then again, perhaps you don't care and swapping isn't an issue (or you have lots of RAM).
Speaking as an editor myself, "wordiness" all too often obscures the point, leads the reader astray with needless details, bogs down narrative pacing, and generally distracts from the point of the book.
You have some serious professional jading there.... Stephenson is wordy, not because he is trying to fill a book, but because he is exploring ideas. Reading cryptonomicon was a wonderful tour of a huge number of topics technical and non-technical alike. It's not that it was a bad story, but some of us aren't sitting down just to read a story (there are plenty of authors that offer me that, and I'm not reading their books, I'm reading Stephenson).
Same goes for Quicksilver, and when I get a chance to read them I'm sure it's also true for the other two books. People say that he doesn't know how to end a book, but I'm not so sure that's the case. I think there's a very clear point in time where he starts researching his next book, and THAT is when he needs some editorial whip-cracking. He loses focus because of that intensity he brings to his research (of which writing seems to merely be a by-product).
But warts-and-all, I'll take a Stephenson tour of natural philosophy or organ-making over a by-the-numbers plodding story any day.
Even more so, during my lifetime (69-now) several democratic candidates lost in primaries before ever getting to a general election on the "unilateral disarmament" platform, and AFAIK, republicans consistently ran on a "we can't afford to lose the arms race" platform (as culminated in the policies of Ronald Reagan).
Carter was an interesting candidate. He was actually very moderate for a democrat on nuclear weapons, but he won the primary because he came across as the most trustworthy candidate, and post-Nixon, that was more important.
In the end, had we wanted to vote nuclear weapons "out of office", we could have, but out of fear of the "Ruskies", we accepted them as a neccessary evil.
That looks like an interesting flick. I'm trying to find a version I can watch. Doesn't look like it's out in the US yet, and downloadables are all really crappy quality. I'll wait for an english-subtitled DVD release, but thanks for the pointer!
It's much easier to just add whitespace at the ends of lines. There's software out there that hides text in source code by doing this. Bottom line: if you get source from MS, don't give it to anyone else unless you're unafraid of being fingered as the one who did it. There are DOZENS of ways to embed IDs in code (changing variable names, subtle differences in whitespace, bury an ID in an include file somewhere, encode it in filenames, switch which files constants are defined in, etc, etc.) If they're smart (and while MS may be large and unscrupulous, we should give them credit for being smart), they'll use several of these techniques at once.
Slashdot Mirror
Not at all. And to all of the people who have said something along the lines of, "why can't we praise them for this release," questioning the quality of one piece of softwre vs. another is a tradition on Slashdot and has nothing to do with Microsoft (other than that they happen to be the author of one of those pieces of software in this case).
If this were a post about MySQL's latest release, you'd expect questions of how it stacks up to PostgreSQL. Same goes for Gnome/KDE or Evolution/Thunderbird, etc.
It's not that we're slapping MS down for doing this, it's fine if they release open source software, but we're not going to take it easy on them either.
Slashdot's approach to releases can be summed up thusly:Fair or unfair, it's not because it's MS.
You are an "end user", my friend. This means that you should be letting others do the integration work (as others have replied).
That said, if you want to play around with it, I would suggest that you download garnome. That will build all of the current Gnome pieces on which Evolution relies and give you a starting point WITHOUT destroying your existing installation. It takes a LONG time, because it does this from source (ala BSD ports tree), but by default it installs the result in a user area. Once you do that, simply re-download evolution and build/install it under the garnome tree.
If you're rushing out the door and grabbing x.org 6.8.0, gnome 2.8.0 and evolution 2.0.0 in order to get all the nifty new features, and you don't expect there to be problems, you're being VERY unrealistic.
The goal of the "release early, release often" mentality is to get the community involved in finding and solving problems.
If you can't tollerate a few bugs, that's fine. People like that make up most of the world after all. We call that an "end user" and end-users can wait for distributions to finish kicking the tires and doing the integration work.
Myself, I'd rather have 2.0.0 out in a feature-complete state so that I can get bugs in early (and maybe even a fix or two) ahead of my favorite distro releasing it in the state that I'll have to end up using at work.
And for those of you scratching your heads, yes I mis-pasted. Heh. Here's the disclaimer
The isolated file is here (BE CAREFUL - DON'T SUE ME FOR DAMAGE, I'LL COUNTER-SUE!):
Sorry about that!
Folks, can we please not post a direct link without the disclaimer? It seems to me to be a bit beyond rude.
For the record, here's the disclaimer (which I find silly, but that's not the point, I didn't decide to take on the exposure of hosting this thing for the researchers who will need access):
I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.
I don't think the poster was saying "these programs are vulnerable to this virus", but rather, "these programs seem to be vulnerable to a similar class of exploit"
Certainly Gimp's segfault points to some sort of bounds-checking problem, and is likely exploitable. NO application should load this image for display. Bounds checking during load should throw an exception (or the equivalent error status for C) for the image and the application should report that the image is corrupt. Under no circumstances should a low-level library be handing this image data further up the chain.
I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.
Simple answer: no, and that's why buffer overflow attacks work.
Yeah, I've been waiting for years to hear about the first image-based attacks for Linux. I was kind of surprised that the first exploits arrived for Windows instead of Linux, just because we've known about several holes in Linux over the years (look at the changelog for any image processing library). The down-side is that you can't always "root the box" based on an image attack because a user will be running the browser, but I would think that access to the machine is enough for most zombification and you can always go after local exploits to get root at that point.
Linux needs a good suite of exploitive data (that doesn't do anything) for projects to test against. Perhaps I'll work on that in my spare time (every format and protocol has many spots where it would be easy for a lazy programmer to do static allocation and then fail to bounds-checks, so you just write code/generate data that exploits each one of these places. I've done this for specific proprietary applications before.
Not too long until we see a remote shell.
;-)
And therein lies the rub. For the people that write these things, it's reaching the point of diminishing returns in terms of getting the tools installed that they need in order to efficiently, remotely manage these boxes. It was all fun and games when you just wanted 10,000 boxes to send out ping-of-deaths or SYN floods, but now you have to manage a farm of zombies and get real work out of them. The competition is fierce and the other guy is trying just as hard as you are to get large-scale admin working, and of course, like all large-scale Windows installations, they're finding that this sucks.
Several things would help:
* A virtual OS layer is needed so that the user can have Windows for their games, but the crackers can do their admin from a maintainable OS. Heck, even DOS would be more managable.
* Users should make themselves available to the crackers for physical admin needs like reboots.
* Microsoft needs to stop pushing these auto-updates. It's not as if the crackers can't find new holes faster than MS can push the updates, but the rapid change to an installed base is just too difficult to remotely manage. Bill: you're killing profits here!
Overall, we just need to start making doing business on the Internet more friendly. I don't understand why people can't understand this!
PS:
Sorry, I wasn't aware about "the point to the example" when I was fixing it. I suppose the point was also to use 250 times more disk space than necessary
As I've pointed out in another thread, I don't have time to trade sarcasm on Slashdot. If you understand the code (and it seems you have a fairly decent grasp), you know how to use it. If you understand it deeply enough, you'll probably be able to figure out that it's far, far too over-specialized (as is your response).
YMMV.
Yes, genius.
/usr/games/nethack or some other such silliness. YMMV.
I don't have time to trade sarcasm on Slashdot. If you understood my code, you understand how to use it correctly. If you don't it might run
I am a hacker. I work in a company full of hackers. While I'm working in this company that bothers to make and understand the distinction, someone else is taking a job at a crappy company I don't want to work for.
Works for me. YMMV.
Excuse me, how does it use 750MB of RAM? Please, explain. I ran it on my machine before posting it, and it used a negigable amount.
Were you, perhaps suggesting that *IF* you happened to place a 750MB file in "template.avi" that would be the result? I fail to see the problem with my example. Folks who place a 750MB file in "hello.c" before using K&R's compiler will also have some rather shocking results.
Kids these days, I ask you.
Few things. First off, your example is going to create some interesting files... You probably wanted to escape those HTML-escapes (as my "overly verbose" program did).
Symlinks are fine as far as they go, but the point to the example was not to provide the world's most generic tool (there are many optimizations for this), but to give people an example of the sort of code they could start with.
If I really wanted to do this, I'd probably fetch a unique mp3 and/or avi from Gnutella or BT for each file, thus confounding simple hashing tests for duplicate files.
Again, you're trying to respond to an example that I wrote in 2 minutes and posted to Slashdot as if it were a project on sourceforge. For shame.
Your modifications are mostly problematic. In future, feel free to email me any suggestions rather than posting a replacement that is less functional.
1. Don't put known text in these files. Too easy to ID. Maybe they don't look now, but in two weeks, they'd be looking for "This is not an MP3", for sure.
2. No, you don't have to escape that semi-colon. The code works just fine if you don't. You assumed I hadn't tested it?
3. No, `` isn't "bad", any more so than putting "/usr/bin/perl" at the start of the program is "bad" (someone could install a fake perl). That said, it was a short-hand, and a reasonable one at that (which I followed up with a suggestion to anyone who wanted to take the code a step further with File::Copy). Your suggestion of using fixed strings, I addressed in #1.
4. Check out the page in question before you assume a full-spectrum HTML-decoder-ring is required to parse the movie names. Sure, they could stick Javascript in the middle of any one of those names tomorrow, but you're over-generalizing, which isn't required in such a short-hand posting that was meant only to demonstrate the means of accomplishing such a task.
5. Adding a pile of painfully verbose comments to the code does not serve to enlighten the average user, and greatly complicates cut-and-paste tranferance for those with a less-than-development-friendly browser. Keep the example code simple. Write the document for it in a seperate post if you like.
it sounds more like your story (or Stephenson's idealized story) than that of anybody living in the historical period being described.
Well, I for one couldn't put a pipe organ together to save my life, and I'm not sure, but I'm guessing Stephenson couldn't either.
Stephenson's books are about the wonder that those who "need to understand" find in every-day tasks and ground-breaking discoveries alike. That's not "joe average", so sure, it's not everyone's story. It is, however, quite certainly the story of people like Newton and Turing.
Stephenson's books these days look like the phone book and tell you just about as much about the names in them
Ok, here you've gone off the rails. Are you seriously telling me that by the end of Cryptonomicon you feel you don't know the Waterhouses any better than when you started (other than having learned their names and addresses)? If so, I'm very sorry for you. I learned about a passion for math, a drive to build something new (be it modern-day business or the first computer) and a drive to impress those around him, as a way to beat back his own insecurities.
Reading about Newton's inability to cope with his homosexuality while tackling the hardest math and physics of the day was an enlightening contrast. The back-story for him and the way he was shaped by the generation of alchemists who raised him was a facinating illumination.
If you'd rather have a well-crafted ending than these characters, fine, but Cryptonomicon is, simply put, a techno-thriller, and there are two authors I know of: Clancy and Stephenson who can produce such a book without losing site of the fact that the technology that they are writing about is the life's work of some engineer somewhere. For the same reasons that the aerospace engineers were pleased with Clarke in the 50s, I'm pleased with Stephenson.
You don't have to like his works, that's fine, but don't confuse your likes and dislikes with an actual assessment of the quality of his work.
You're mis-quoting me. When I said that he loses focus, I'm talking about the END of the story. The bulk of his writing (and the bulk of these books in question), is well worth the effort.
"I suggest you need to read more historical fiction to see what a cliche his recent books have been"
I suggest you need to read Stephenson without pre-conceptions. I've read a great deal of historical fiction, and I find the vast majority of it dry and uninteresting because it fails to explore the elements that *I* find make history interesting (granted, they're not the elements that everyone finds interesting, but I thin Stephenson and I (and a great many "geeks") share this sense). Stephenson's 4-page tangent on the building of pipe-organs is seen as fluff that needs to be edited out to many in Cryptonomicon. Me? I find that to be the part of the story that's most engaging. He's telling the story of geeks from days-gone-past, and that's MY story. That's what I want to read about. I don't care if they were building organs, designing the first computers or re-defining mathematics and physics, I want to read about it, and a good story to go along with it is an added bonus!
I don't begrudge people the War and Peace style of historical story-telling, I just don't want to read it. I don't see why people should be demanding that Stephenson be edited down so that the parts that they don't enjoy are removed from their sight any more than I should ask the same of War and Peace.
PS: If you decide you want to use a 700MB avi file for input, you probably want to re-write the above using File::Copy, but then again, perhaps you don't care and swapping isn't an issue (or you have lots of RAM).
Speaking as an editor myself, "wordiness" all too often obscures the point, leads the reader astray with needless details, bogs down narrative pacing, and generally distracts from the point of the book.
You have some serious professional jading there.... Stephenson is wordy, not because he is trying to fill a book, but because he is exploring ideas. Reading cryptonomicon was a wonderful tour of a huge number of topics technical and non-technical alike. It's not that it was a bad story, but some of us aren't sitting down just to read a story (there are plenty of authors that offer me that, and I'm not reading their books, I'm reading Stephenson).
Same goes for Quicksilver, and when I get a chance to read them I'm sure it's also true for the other two books. People say that he doesn't know how to end a book, but I'm not so sure that's the case. I think there's a very clear point in time where he starts researching his next book, and THAT is when he needs some editorial whip-cracking. He loses focus because of that intensity he brings to his research (of which writing seems to merely be a by-product).
But warts-and-all, I'll take a Stephenson tour of natural philosophy or organ-making over a by-the-numbers plodding story any day.
"No doubt ,this is a excellent idem within our collections.If you enter this page ,I must say you are a professional antique collector."
Ah... they're joking right? This has got to be the single most suspicious auction I've ever seen, and I've seen some doozies.
I was re-writing the gp's for loop, not golfing their code.
Even more so, during my lifetime (69-now) several democratic candidates lost in primaries before ever getting to a general election on the "unilateral disarmament" platform, and AFAIK, republicans consistently ran on a "we can't afford to lose the arms race" platform (as culminated in the policies of Ronald Reagan).
Carter was an interesting candidate. He was actually very moderate for a democrat on nuclear weapons, but he won the primary because he came across as the most trustworthy candidate, and post-Nixon, that was more important.
In the end, had we wanted to vote nuclear weapons "out of office", we could have, but out of fear of the "Ruskies", we accepted them as a neccessary evil.
That looks like an interesting flick. I'm trying to find a version I can watch. Doesn't look like it's out in the US yet, and downloadables are all really crappy quality. I'll wait for an english-subtitled DVD release, but thanks for the pointer!
It's much easier to just add whitespace at the ends of lines. There's software out there that hides text in source code by doing this. Bottom line: if you get source from MS, don't give it to anyone else unless you're unafraid of being fingered as the one who did it. There are DOZENS of ways to embed IDs in code (changing variable names, subtle differences in whitespace, bury an ID in an include file somewhere, encode it in filenames, switch which files constants are defined in, etc, etc.) If they're smart (and while MS may be large and unscrupulous, we should give them credit for being smart), they'll use several of these techniques at once.