Epitonic is a great place to listen to some tracks from independent bands and even has links to promote buying CDs from the bands -- after all, if everyone's griping about the artist not getting the funds, then when you do find music you like, you should support the artist. RIAA Radar is a good way to check whether the label is a member of the RIAA or not; if not, go buy a CD! If so, just check the used record stores and the RIAA doesn't get your money. Buying the independent music is a better move overall, though. And a recent comment on my weblog pointed out some other places to get music. (Gmail invites available there for additional suggestions, too.)
I would love for someone to explain to me how this isn't a violation of the Wiretap Act. Unless all the customers have given consent in the T&Cs, there would be a good case for investigating this further. The exemptions for protecting the "rights or property" of the network provider don't really apply here, as courts have typically required a substantial nexus between the monitoring and the rights or property (think IDS on the DMZ). This sort of research project doesn't seem to fill that requirement, either.
There are actually a lot of good starts on that. tcpdump and tcpreplay, combined with etherape, are a good start to the old SilentRunner Collector. The Analyzer could be replicated with something based on graphviz. Some work has been done in this area. Granted, more is left (SilentRunner had an infrastructure to move packet data around from collectors to analyzers and such), and n-gram analysis would be useful (I just found a project, Text::Ngrams, that does it in Perl), but we're not actually that far away. SilentRunner might have been uber-cool before, but now it's actually well within the reach of the free software community. I've been thinking about this a lot for almost a year; if anyone's interested in working on this, let me know (my email address is on my website), this would be a great project (so would several of these listed, actually).
Stocks are "worth" what anybody is willing to pay for them -- a stock quote is just the going market rate at that point in time. Companies that give shares of stock as options are simply agreeing to sell the shares at a pre-determined price, either absolute or as a percentage of the market rate (depending on how it works at the company in question or in the contract).
Imagine I have 3 million widgets for which other people are willing to pay me $50. But I like you, so I say, "benzapp, you're doing a good job. I'll give you a widget for just $2 instead of the $50 that other people would pay for it." Now you can buy it from me and turn around and sell it to some sucker for $50. That's where the $48 magically appears -- it's not "gone" anywhere, it came out of someone else's pocket.
Yes, and OpenBSD routers run a large portion of the backbone, too.
Or not...
Does it really matter if OpenBSD routers aren't vulnerable if they aren't used in most of the backbone because, well, they don't exactly have the capacity needed? It's great that OpenBSD doesn't have the underlying vulnerability as it could lead to other problems, not just BGP, but for crying out loud, this is about as useless as it gets.
My understanding of RHEL is that it can be installed on as many systems as you like -- after all, it's (almost) all GPL software. (That might not apply to any non-GPL bits.) But you're purchasing per-CPU support. If you've got servers that you don't need so much support for, at least from the vendor, then do what you like.
That said, I wish Red Hat would bring out their mid-level offering between Fedora and RHEL and quit the coy smiles. It's giving me fits for planning our deployments this year, since Fedora works great for some things and not others, but I really need a middle tier (lower than RHEL WS).
Now, when Red Hat starts exclusionary license agreements, killing competing products with vaporware announcements, and changing APIs without telling anybody, then they'd be "Microsoft-esque". But being that they're distributing Free Software, that would be really hard to do. This is more FUD from Forbes, a magazine noted in the past for its difficulty understanding Free Software.
Not that it'll convince any industry titans, but this is due to the fact that we've (mistakenly IMHO) focused as a community on the business and engineering benefits of open source software rather than the precepts behind free software. Maybe open sourcing Java won't accomplish anything -- but freeing it will.
Other than looking for non-RIAA music CDs, there are sites with legally downloadable music. It's not the pop hits of the day, but sites like Epitonic.com have great music that you can download in MP3 form legally. Google can help you find lots more sites if that's not to your liking; these are just the ones I have bookmarked.
Being held liable for how secure your software is would ruin everybody.
Well, all the developers, anyway. Users would benefit from such a regulation, and if handled properly, this could work. Whether it's a "cap" or just related to disclaimers about intended uses of products, limits could be placed on the liability. There are problems to be solved (how do you handle the case of an individual developer vs. someone like Computer Associates?), but claiming that requiring developers to be liable for damages caused by flaws in their products would ruin everybody is the same sort of protectionism we decry in large corporations in other industries. No one seriously suggests that automobile manufacturers shouldn't be liable for certain flaws in their products; it may cost them a bundle, but the result is safer cars.
That said, a source code disclosure requirement is not that distant from current copyright regulation. Currently, rights holders are legally required to deposit two copies with the Library of Congress. Note that this is not a requirement to have a copyright on your works in general; there are just penalties associated. Interpreting or amending the law to include source code is not that far of a reach.
New Scientist is just carrying their little summary; one of the authors has the paper available on his site in HTML, PDF, and PostScript forms. It's to be presented at NSDI '04.
You've got a highly wired place with people using them for all sorts of things, and comparatively little training on what and what not to do. Plus you've got younger users, many of whom aren't old enough yet to not know everything, and feel free to ignore the warnings and admonishments...
That sounds like a pretty common representation of the average user to me. Although many users outside of education may not be "younger", many of the characteristics hold. In fact, I would say such a user might even be more common than locked-down corporate environments. And if a major ISP ever were able to do such a scan on their customers' hosts, it wouldn't be much different.
Is that a "biased" sample? Depends on what population you're comparing against. If you're extrapolating to corporate environments, then systematic differences from the true mean may very well exist. But if you're comparing against the population of all Internet users -- a potentially far more interesting and useful population to study, though more difficult as well -- then the bias is more difficult to measure.
It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.
I don't have a lot of suggestions for you (maybe K5 and Ars Technica), but finding sites similar to those in your "net-sphere" is easy. Do a Google query for them, using a form like "related:slashdot.org" (replacing with your favorite site names). Some of the results may be what you're looking for, some may not, but they'll get you started, at least.
The problem is not that process audits aren't done -- they are. Both private and personal organizations have regular audits performed and reports like this generated. The real problem is that, in many cases, those with the power to make substantive changes (management) simply don't want to do so because it's too expensive, whether in terms of time, money, or other resources, and it requires some disaster to really motivate them.
So what you get are organizations that are always fixing the previous generation of problems. Challenges morph over time, and if you're fixing the problems you should have fixed ten years ago, and as cheaply as possible, then you're probably not fixing the problems you need to fix now, looking ahead to the challenges you'll be facing over the next few years.
I do some forensics for a large company, though not as much as I'd like. There are a couple of ways to get into it:
Be a cop. Yeah, it sucks for a few years, but it seems like former law enforcement keeps the fraternity going and it's a lot harder for the rest of us.
Go to a training course and network (see recent /. poll). I took an Encase course last year; if I had been looking for a job, there were probably several ways I could have gotten one just in the one class.
Know something that the forensics guys in your company typically don't and offer to help out, if you already have some contact with them. Most of them are fairly lost in Unix or Macintosh environments and could use some assistance from time to time.
I don't know how useful a graduate degree specifically in forensics might be; know what you're doing and have a cert or two and you'll be on your way. Then drop out and hang out your own shingle, but that's for another post...
This is what's changing the world. Everyone remembers those old IBM ads about global e-business or some other buzzword. Now we're seeing the reality: a relatively small business can greatly increase the scope of its market and compete with big boys. The trick has always been to overcome the power law effect and move up the curve. Google is a phenomenal equalizer in this respect: write a good ad, put a good site online, and (most importantly) have a well-run business that does its job well, and you can go somewhere because, externally, you can give the same or better impression to customers as your larger, less-savvy competitor. The .com boom and bust didn't disprove this plan, it only made it more clear that at the root of the business there has to actually be a business.
It's like the Cluetrain Manifesto is proving itself out after all.
I used to get a lot of goofy questions from friends and family: "I can't find that letter I wrote last week, where is it?" "Double-click on My Documents..." and worse. So I finally hit upon a solution that works:
"You know, I don't really use Windows, most of my work is with a different operating system, UNIX. You know, you've heard people talk about Linux? Well, that's what I do. And anyway, now I do security so I'm not really the most qualified person to ask. But ask Robert, he seems to really like computers and he'd probably be happy to lend you a hand!"
The side benefit here is that some of the more clueful have started to convert to Linux (three new Fedora users in the last month!) and now I get questions about chkconfig, fstab, and other stuff. The questions are harder but now he's moving in the right direction.
We're seeing the new space race, and it's going to be something. Competition for the "high ground" between Europe, China, and the US is really getting started. If the US continues to become more insular, this will just be one more way that Americans feel the need to prove superiority. But it's also a way for Europe to assert its own primacy, and China's motive to be seen as the next superpower is clear, as well.
Whether any of it happens is almost immaterial: the perception will drive the funding, and scientists on all sides will take the money and attention happily. Let's hope that the end result really is "for all mankind".
Given OSNews' recent penchant for poorly-done benchmarks (e.g. 1, 2), I'm glad to see them run an article about someone else's (hopefully well-done) testing. By having expert teams who know what they're doing tweak the configurations, this should be a much more representative result. Hopefully OSNews will learn some methodology from these guys...
Scramjets combust the air at supersonic velocities rather than diffusing it prior to combustion the way most other engines in supersonic vehicles do. There's a lot of promise here. But in a society that can't make the Concorde profitable, will it be worth it in the end? I'd love to be able to fly to the other side of the world in something less than 24 hours. The economics of the situation seem to be against us, though.
Sardonix got me interested in source code auditing, but I didn't like the reputation model. It's been more interesting to just do it; while so far I haven't found anything in the packages I've audited (and haven't bothered to report), it's taught me a lot about auditing in general and so I've found multiple vulnerabilities in various web packages I use both personally and professionally.
If you want to encourage source code auditing, then the current system needs to be mended just a bit: as long as researchers are disdained by vendors who don't want to give credit for the problem or even prosecute folks who were kind enough to let them know about the vulnerability of their software, then there's going to be a chilling effect. That's what leads to the disclosure impasse that many find themselves in: disclose to the vendor first and not get credit, or disclose to the public first and get criticized?
One year ago tomorrow, I posted in my weblog:
I hope to God that we don't go through another day like this. We will, though, and just like we did 17 years ago -- and 19 years before that -- we'll come out on the other side, a little saddened, but ready to take the next step and move ahead, never forgetting the memory of those who have preceded us in time but do not join us on the road ahead.
I still believe that. Bush's Mars program may or may not be the best way to go, and NASA may still need to figure out what it's really going to do about the Hubble, but the public is still talking about space exploration, the latest batch of Mars probes are capturing the imagination of the entire world, the X-Prize is still going strong, and we're making progress. The naming of the landing sites and nearby hills after those who gave their lives in this endeavor was a wonderful touch. We're ready to move forward.
I have a set of tabs that I load every morning precisely for this; some of them are:
ISC is definitely the main one to get, but these are useful. I didn't list virus sites, but those may be useful as well depending on your environment.
What do partial differential equations have to do with the Linux desktop? :)
An email to info@ebgames.com (or submitting one through their website) also lets them know. Just sent mine.