Slashdot Mirror


User: Xugumad

Xugumad's activity in the archive.

Stories: 0
Comments: 1,307
Comments · 1,307

  1. Re:Yes, I'm a lawyer . . . on Can You Sue Over Loss of Personal Information? · · Score: 1

    What particularly occurs to me is that the person fishing the application out may have scribbled some signature on it themselves. In which case, and IANAL, it's forgery, or similar. Right?

  2. Re:Write Secure Code: a summary on Secure Programming Cookbook for C and C++ · · Score: 2, Interesting

    Other things, just what I can remember at the moment, anyone want to remind me of what I've missed:

    • Program defensively. Don't just perform the bare minimum of checks required to make your system work, perform double, triple or even more checks where feasible.
    • Remember to encode all text correctly. This is particularly important in cases such as shell commands or SQL statements. Be careful of odd examples where multi-layered encoding is required (Javascript in HTML being a good example).
    • Never use data from the user without sanity checking it. Feel free to strip characters that aren't there ("../" in a file's name, rather than path, for example).
    • When calling external programs, use their full path. Nothing's quite as annoying as some smart ass placing an identically named file higher up the search path, that executes "rm -rf /".
    • Do not assume that because you can't figure out how to crack a cryptographic method, it's secure. Get a mathematician, or even better a cryptanalyst, to check it for you.
    • Security through obscurity gets a bad rep. It's a hell of a lot better than nothing, but never rely on it except where necessary (passwords are a good example of where it's necessary).
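A Python sketch of three items on the list above: the sanity checking of user-supplied file names, the multi-layered encoding (JavaScript inside an HTML attribute) and the SQL encoding. This is an added example, not Xugumad's code; the /srv/uploads directory and the users table are assumptions.

```python
"""Added example for the checklist above: validate input, encode per layer, parameterise SQL."""
import html
import json
import re
import sqlite3
from pathlib import Path

UPLOAD_ROOT = Path("/srv/uploads")  # hypothetical upload directory
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # bare name: no slashes, no leading dot


def safe_upload_path(user_name: str) -> Path:
    """Two independent checks (the 'double, triple checks' point): an allowlist on
    the bare name, then a containment check on the resolved path. Stripping "../"
    once would not do: "....//" collapses back to "../" after a single pass."""
    if not NAME_RE.fullmatch(user_name):
        raise ValueError(f"rejected file name: {user_name!r}")
    root = UPLOAD_ROOT.resolve()
    candidate = (root / user_name).resolve()
    candidate.relative_to(root)  # raises ValueError if it escaped the root
    return candidate


def js_string_in_attribute(value: str) -> str:
    """Multi-layer encoding for a value inside an inline handler such as
    onclick="show(...)": encode for JavaScript first (JSON string literal), then
    for the HTML attribute around it. Inner layer first, outer layer last."""
    return html.escape(json.dumps(value), quote=True)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for find_user_ids below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_ids(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver encodes the value, so quotes in `name`
    are compared as data instead of being spliced into the statement."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(safe_upload_path("report.txt"))
    print(js_string_in_attribute("O'Brien</script>"))
    conn = demo_db()
    print(find_user_ids(conn, "alice"), find_user_ids(conn, "' OR '1'='1"))  # [1] []
```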

  3. Re:Anti-Intellectual Environment on Schools to Avoid: University of Florida · · Score: 1

    I don't know about other universities, but here the policy has always been clear. The residential network is basically there for accessing external information that you need for academic reasons. Network based research can be done from the computer science systems, where special arrangements are in place already. Okay, maybe it would be nice if non-comp sci students could do network research, but I don't see it as a critical thing that they can't!

  4. Re:Thank You on Phillip Greenspun: Java == SUV · · Score: 1

    Which is fine in small scale projects. On the other hand, we re-wrote an application from Tcl/Tk to Java and about halved the code size (it was technically less than half, but bits got cut out in the rewrite, so I'm calling it not quite half). This was because we could write a lot of reusable code, especially as our data model fitted objects quite well.

    Also, being able to catch exceptions is really useful. If a servlet in the system I work with throws an exception, it's caught, the input to the servlet analysed, and the result along with a stack trace e-mailed to the developers.

    Although waking up to 20 "Internal error" e-mails is always a nuisance...

  5. Re:Finally on Phillip Greenspun: Java == SUV · · Score: 1

    One of my colleagues read an article that said JSP was much better than servlets, and no-one should use servlets. The result was 1,200 lines of unseparated code, which no-one including the code's writer could make sense of.

    If I ever find the author of that article... (yeah, I know it's not his fault I'm working with idiots, that's not the point)

  6. Re:Finally on Phillip Greenspun: Java == SUV · · Score: 1

    Can you add some context to this? What sort of application are you writing? Roughly how many pages does it contain, and how many lines of code are we talking about?

    I joined the team working on an educational web-based application in 2001. At the time, the system was written in Tcl/Tk. It rolls in at around 60,000 lines of code, across approx. 240 pages. The original development took 3 developers about 3 years.

    It was decided that due to speed problems with Tcl/Tk, and the growing system complexity, we would rewrite the system from scratch.

    From start 2002 to now (we've been in beta for about a year, and should have our first proper release within days), an average of myself and one other developer (we've had between 1 and 3 developers at a time, but on average) managed to not only do a complete backwards compatible rewrite, but also a new, separate system. Sure, it helped that we had an existing design to work from, but I still reckon the Java version was a lot lot easier to write.

    Java isn't for everything, but if you're writing large-scale web applications, scripting languages are really unlikely to be the answer either.

  7. Re:Telephone Sanitizers are what we need... on Cell Phones May Spread Infections · · Score: 0

    Wow, I live in the UK, and I've never seen them. I vaguely remember hearing of them, but certainly never seen them.

  8. Re:Someone has set us up the lawsuit! on Take-Two Interactive and Sony Sued Over GTA · · Score: 1

    What really gets to me, is that if you shoot cars in the game, people in the game die. So, logically, in recreating scenes from GTA, they must have been looking for the same consequences - dead people.

    Which tells me something's a lot more wrong with these two than any game. What did they think would happen next, little flashing stars would appear in mid-air until they got a pay&spray?

  9. Re:hm on When Does Website Monitoring Go Too Far? · · Score: 1

    I like the AUP changes, but not quite this way. Something more vague about reserving the right to limit bandwidth/disk usage in order to preserve system stability.

    Then have logs auto-trimmed and firewall the stupid company until they stop requesting every minute. For the good of system stability.

    I actually admin a couple of systems at work. Was upgrading from one RedHat version to the next late one night, and the system was down for a while. Got an e-mail from some random company the next day telling me the server had been down and could they interest me in their monitoring packages. I'd never even noticed them in the logs, which kinda impressed me.

    The fact of the matter is that I generally know when the server goes down (it's either my fault, or it's the LAN and it's interfering with my ability to work), and uptime isn't critical on any of the systems I admin, so the services didn't interest me. The point is, that's how it should work. Wish I could remember the name of the company.

    Much more useful than the spam "I've noticed that is not on all the search engines". Well, yes, that's the site for an internal-use only application, and everyone that needs the URL is given it on a piece of paper, you crummy spammer.

  10. Better idea... on Russ Cooper's Internet Penalties Plan · · Score: 1

    Forget this "You must stay up to date or be fined" lark. If we could just have a reasonable way of getting it back to a user that their system is compromised, that would be great! Systems I administrate get hundreds (literally) of attacks per month against them, almost all of them from Windows boxes infected with some worm.

    If there was somewhere I could put in the IP addresses, and if there were enough complaints against a specific IP, they would investigate, that would be great. Give the organisation some actual power to disconnect users that are shown to be causing problems, until they get themselves patched, and we're sorted!

    Thoughts anyone?

  11. Re:RPMs for anyone in .ac.uk domain on New ssh Exploit in the Wild · · Score: 1

    It wasn't a mirror, I made the RPMs myself. Actually, if I'd known RedHat would get around to it so quickly, I'd never have bothered.

  12. Re:RPMs for anyone in .ac.uk domain on New ssh Exploit in the Wild · · Score: 1

    Just put an update online now, and expanded the availability to include the entire .uk domain.

  13. RPMs for anyone in .ac.uk domain on New ssh Exploit in the Wild · · Score: 1

    http://bowmore.dcs.st-andrews.ac.uk/rpms/ contains source and binary RPMs. The directory should not be accessible outside the .ac.uk domain, as I don't have the bandwidth to take a /.ing. Even if I've messed up the configuration, please do not try to download the RPMs. PLEASE

    Also please note, these are barely tested. I patched, compiled, installed and ran the server/client, but haven't had time to do much more. People may want to wait until the official RedHat RPMs.

    If someone wants to set up a mirror, post under here and I'll work something out.

  14. Re:Hi. on UK RIP Bill Reintroduced · · Score: 1

    There's a group of us that's eyeing Canada optimistically... Thoughts anyone?

  15. Re:Just Hold Responsible on License to Surf, Take Two · · Score: 1

    Just thought I'd add, the university I work at is following a similar policy. Not actually fining, but you'll be disconnected. I believe you also risk disconnection if they discover you're not running a virus checker, irrespective of whether you've been infected...

  16. What is it with extremes? on Phone Plus Sensory Deprivation Equals... · · Score: 1

    First of all we have The Tyranny of E-mail, which complained about how it broke your concentration. Now it's a good thing that your communication method forces you to forget absolutely everything else?

    More seriously, if people were that worried about the call, they could find a way to focus. If you're outside, find somewhere out of the way, or a phonebooth, either works. If you're inside, why are distractions a problem? If I'm not completely focused on a call, it's because something in real life is more important/interesting!

  17. Re:Would everyone who wants to claim responsibilit on Mystery Tiles From Around the World · · Score: 1

    ...form a nice orderly queue, even. I want an edit button (and yes, I previewed).

  18. Would everyone who wants to claim responsibility.. on Mystery Tiles From Around the World · · Score: 5, Funny

    ...for a nice, orderly queue under this posting, so we can avoid cluttering the main topic.

  19. Re:RTFP on Myst Online Trailer · · Score: 1

    Blame the Slashdot editors for this, the link wasn't there when this was first put up.

  20. Re:Umm not just Mac and PC on Myst Online Trailer · · Score: 1

    Jaguar? What about the Amiga version! Although don't ask me where it is, I've got a copy somewhere.

  21. Just delete the files... on RIAA Offers Amnesty to File Sharers · · Score: 1

    So, you've been busy downloading half the Internet, and are now feeling a little guilty about it, or just worried about the RIAA. Forget this Amnesty lark, just delete the files. Do make sure you get all of them, though, it's important. Oh, and I'd delete that copy of Kazaa while you're at it.

    Thing is, their evidence is probably going to boil down to computer-based logs. Which is a good start, but if you find an even half-good lawyer, they'll point out that such things can readily be faked, and without any real evidence (like MP3s of copyrighted songs), their case is going to be pretty weak.

  22. Re:What the hell do you do with 1100 mice? on Virginia Tech Announces Supercomputer Plans · · Score: 2, Funny

    Feed an army of robotic cats?

  23. Re:Hmmm, is it that complicated on Recommend Apple, Lose Your Job? · · Score: 1

    Well, I buy the RAM from Crucial, and generally don't want a bigger HD than standard anyway. It just bugs me, y'know.

  24. Re:Hmmm, is it that complicated on Recommend Apple, Lose Your Job? · · Score: 1

    Hang on a minute. I have a PC at home, for games. It's a 2400+ Athlon, 512mb RAM, 80gb HD and Radeon 9700 Pro. I paid about 670UKP for it, inc. VAT and P&P. Yesterday, I pre-ordered a G5, for work purposes. At 1.6Ghz, 256mb RAM, 80gb HD and a Radeon 9600 Pro, it cost almost 1300UKP (at educational discount prices), inc VAT and P&P. That's almost twice what I'm paying for the PC, for about the same spec, at what I'd certainly consider mid-range.

    Sure, if I needed a whole pile of raw processor power, the 2Ghz G5 would probably be good value. Except, even the servers at work don't need anything like that much processor power. Of the G5s it's the only one with that sort of value - the single 1.6Ghz and single 1.8Ghz systems are both significantly more expensive than equivalent PCs. The cost of memory/HD upgrades (at build time) is also staggering - HD space is merely significantly more expensive, memory is about four times as expensive as buying direct from Crucial (100UKP for 256mb, compared to 25UKP)!

  25. Re:A matter of comfort on Recommend Apple, Lose Your Job? · · Score: 1

    For the record, I'm not comfortable in Windows. This is in no small part because I started with Amigas, and moved to Linux, then started playing with Windows. However, I do a lot of development, and having learnt to do it with command line interfaces, fancy looking IDEs just scare me.

    This is not to say that they're not great, they're just not for me.