How the hell did this get modded "Informative" anyway?
:P
Slashdot sense-o-humor meter:
E[\..........]F
Oracle Calendar really is a nice application, both the server side and client side components. They bought it from Steltor a few years back and have put a lot of effort behind it.
I'm now very interested to see what they're going to come out with. This could make huge inroads in the small business community, where sadly Exchange (thanks to Windows Small Business Server 2003) has been gaining ground.
In Soviet Russia, MPAA strengthens you!
:D
Oh wait, that might be cool.. uh.. maybe not.
I'm both drunk *and* stoned.
Should be a lot of moddin' fun today, lemme tell ya..
Really. Of course he's going to trumpet about Windows Mobile.
Bill Gates was also the guy that sounded off about how the Tablet PC was going to take off, powered by Windows XP Tablet edition, of course.
Just because Bill Gates says it, doesn't mean it'll happen. Fortunately.
"Sinistar" is still one of the best games out there. Hard as hell, action packed, and a great way to eat through quarters. heh.
:)
Actually, "Gauntlet" was the best way to eat through quarters - until you realize that the levels start to repeat themselves.
How many Pac-Man levels were there, anyway?
Pffft. They're assuming that any of us were productive to begin with. Judging by the sheer volume of posts on Slashdot these days, productivity is a pipe dream.
I think that firewalling Slashdot would wipe out any financial losses caused by geeks taking time off to see Episode III.
Then again, we're taking a work sponsored outing to see the movie. heh.
This reminds me of the movie "Screamers" and the evil self replicating robots.
;)
(actually, not a bad movie.)
Or.. how long before Skynet decides we're all rubbish and tries to obliterate us?
You haven't been to California recently, have you? :-(
(yet)
Please, let's all just wait and see what happens instead of the typical pre-WWDC/MWSF speculation about whatever ThinkSecret claims to have learned.
As the article states, Apple has patents on stuff that it may never make. Might as well grab the patent while it's available, though.
Uh, and I answered the original question. Pulling data off of machines that are in a colo. You said something stupid about getting a T1 and that if I can afford a colo, then I can afford a T1 or a tape drive.
I answered your question, plain and simple. if that's too difficult to understand, perhaps you should avoid asking difficult questions in the future.
Come back when you have a clue.
I only looked at the Limewire bounty list, but the max they were offering is $500 for the hard projects.
There's probably a few things on there that someone could bang out in a weekend. The cash might be the needed incentive.
Although I wonder how long the project list has sat open. Maybe none of the projects were getting finished because of the lack of incentive.
Personal experience you're speaking of? ;)
;)
"And, yes, many of them are Asian transsexuals - and believe me, most of those you cannot tell the difference - especially in the dark."
And you have exactly how much knowledge about what I'm doing?
Oh, that's right...you have none at all.
Buhbye, troll.
Says who?
T1 = $550/mo
Cable modem = $45
Big difference, and I get over 2x the incoming bandwidth.
I have boxes in a colo in San Francisco, and I live in the south Bay Area. My cable modem hits 4 Mbit. I have a Linux box at home with ample storage that I use to run rsync backups of data that's in the colo.
Over a monthly period, that'll easily hit 30 GB.
I used to have one of those. I put 130,000 miles on it in 4 years and the only problem I had with it was a failed fuel pump.
;)
Otherwise, the thing ran great, and I beat the hell out of cars.
Another post mentions that someone is claiming an 0-day exploit in the wild for these issues.
:)
From BT:
Firefox Remote Compromise Technical Details
Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waste of time.
There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de/) helped me with the research.
To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.
However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldn't, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with details of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system.
Whew, that was quite a mouthful.
I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.
Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.
If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm
Paul
Greyhats Security
http://greyhatsecurity.org/
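The chain quoted above hinges on two checks in the extension-install path: whether the calling page is an allowed installer origin, and what the install dialog is willing to load as the addon icon while it runs in chrome (privileged) context. The origin check alone did not help, because the XSS step got script running from within an allowed origin; what made it a full compromise was the dialog rendering an icon from a javascript: URL. The following is an added example, not Mozilla's code and not part of the original post, of the two checks an install handler would apply before rendering anything privileged. The origin list (written here as https), the function names, and the sample requests are assumptions constructed for the example.

```javascript
// Added example (not Mozilla's code): validate an extension-install
// request before the privileged dialog renders anything from it.
// Two checks: (1) the calling page's origin is on the installer allowlist,
// (2) the icon URL uses a network scheme, so a javascript: (or data:,
// chrome:, file:) icon can never be loaded in chrome context.
// The origin list and names below are assumptions for this example.

const ALLOWED_INSTALL_ORIGINS = new Set([
  "https://update.mozilla.org",
  "https://addons.mozilla.org",
]);

// Only schemes that are fetched and decoded as an image may be displayed.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Parse with the WHATWG URL parser instead of matching a regex on the raw
// string: the parser strips leading/trailing whitespace, removes embedded
// tab and newline characters, and lower-cases the scheme, so an input like
// "  JaVa\tScript:..." still yields protocol "javascript:" and is rejected,
// whereas /^javascript:/i on the raw string would let it through.
function parseUrl(raw) {
  try {
    return new URL(raw);
  } catch {
    return null; // unparsable (or relative with no base): reject
  }
}

function isAllowedInstallOrigin(pageUrl) {
  const u = parseUrl(pageUrl);
  // Compare the full origin (scheme + host + port), not a substring of the
  // hostname, so "addons.mozilla.org.attacker.example" does not match.
  return u !== null && ALLOWED_INSTALL_ORIGINS.has(u.origin);
}

function isSafeIconUrl(iconUrl) {
  const u = parseUrl(iconUrl);
  return u !== null && ALLOWED_ICON_SCHEMES.has(u.protocol);
}

// Returns { ok: true } or { ok: false, reason } for one install request.
// A request without an icon is allowed; a request with a bad icon is not.
function validateInstallRequest(req) {
  if (!isAllowedInstallOrigin(req.pageUrl)) {
    return { ok: false, reason: "caller origin not allowed to install" };
  }
  if (req.iconURL !== undefined && !isSafeIconUrl(req.iconURL)) {
    return { ok: false, reason: "icon URL scheme not allowed" };
  }
  return { ok: true };
}

// Constructed sample requests (not real traffic). Only the first is valid.
const SAMPLES = [
  { pageUrl: "https://addons.mozilla.org/extensions/foo", iconURL: "https://addons.mozilla.org/icon.png" },
  { pageUrl: "https://attacker.example/", iconURL: "https://addons.mozilla.org/icon.png" },
  { pageUrl: "https://addons.mozilla.org/extensions/foo", iconURL: "javascript:alert(1)" },
  { pageUrl: "https://addons.mozilla.org/extensions/foo", iconURL: "  JaVa\tScript:alert(1)" },
  { pageUrl: "https://addons.mozilla.org/extensions/foo", iconURL: "data:image/svg+xml,<svg/>" },
];

// Returns the ok flag for each sample, in order: [true, false, false, false, false]
function runSamples() {
  return SAMPLES.map((r) => validateInstallRequest(r).ok);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of SAMPLES) {
    console.log(JSON.stringify(r), "->", JSON.stringify(validateInstallRequest(r)));
  }
}
```

The shape to take away is parse-then-allowlist: decide what a field may be (an image fetched over http/https, a caller from a fixed set of origins) and reject everything else, rather than trying to enumerate dangerous spellings of javascript:. The fourth sample is the one that defeats a raw-string check; the second and third show why both checks are needed, since in the chain above the attacker already had the origin and only needed the icon.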
Just because Google doesn't have it doesn't mean it doesn't exist. :)
There are a few posts at Red Hat's bugzilla noting it.
I'm not a developer. I have no idea what the proper protocol is, nor do I have the time and/or resources to test it. I suppose that I could sign up for the kernel mailing list and pose the question, though.
It's been in "beta" for *years* now. In the meantime, they've allegedly forked off some project called "Lightning."
Now, nearly 6 months later, there haven't been any updates. No beta releases, no nightly builds, just "first general user release in the middle of 2005."
Meanwhile, Exchange is growing. And Sunbird can't do squat in a client-server situation (a la Exchange).
Maybe we'll get lucky and the code for Netscape Calendaring Server will fall from the sky and some Mozilla Org developer will snap it up.
...when someone claims that users shouldn't have Macs or "non-Windows" because of the cross-platform issues?
Macs & Linux boxes are *excellent* cross-platform machines, but all it takes is one little "tweak" from Microsoft to really screw everything up.
"Furthermore, Linux doesn't have the same diverse hardware issues when dealing with images that windows does. Think Knoppix as an example of how this works."
I used to think this was true until I found out that a $499 RAID controller that's only a couple years old was a *bitch* to get working under Linux. (MegaRAID Enterprise 1500, Series 467)
Seems that support for "older" megaraid cards was silently dropped, screwing over lots of people with older (and not even *that* old) Dell, IBM, and HP hardware that came with these cards.
Google around, there's a few bugs about it on Red Hat's bugzilla. It really boned quite a few people.
So now, when I have a hodgepodge of parts, I take the time to make sure that they're supported by the Linux distro that I'm using. I no longer have to check the Microsoft HCL - the stuff Just Works under Windows, but that isn't really true of Linux anymore.
FWIW, I couldn't get the card to work at all with a new Knoppix CD, but an older Knoppix 3.6 CD (with the 2.4 kernel) had the module for the MegaRAID card. I loaded it, was able to partition the drives, and did an alternate install of Gentoo 2005.0. The correct module exists in the 2.4 kernel, and the box has been working great. Only 3 days of Googling, forums, IRC, and mailing lists wasted.
Fedora Core 3 won't see the card either. Fedora Core 2 *does*.
Anyway, I think that yes, Linux does have hardware issues in many places that Windows does not.
A "Gmail appliance" wouldn't be any threat at all to Exchange unless it included the calendaring features.
:)
This is where the OSS community really has been a dismal failure - calendaring. Sorry, Sunbird does not cut it. Can you designate rights to other users? Schedule resources? Schedule groups? Either no, or nowhere near the level that Exchange/Outlook provides.
Like another poster said, there's more than just the web and email.
Last job I worked for, I lost all of my vacation time that I had accrued after the company decided "We're getting rid of our official vacation policy." (Translation: We're going to fire some people and we don't want to pay vacation.)
I mentioned this to my spammer boss, and he basically said that he'd falsify paperwork saying that I had already used my vacation time.
I agree with that. I happen to enjoy taking old hard drives out to the forest and shooting them up, but I don't shoot stuff that is obviously serving some scientific purpose.
Back when I worked for a weather forecasting company in Chico, CA, one of the remote weather stations was reporting back really odd data. It decided that it was 613°F outside and the winds were blowing at 1,247 mph. Really bizarre stuff like that. A couple of the techs went out and got the unit, and it was still working, but riddled with bullet holes. Some idiots ignored the "please don't disturb this box" stickers and shot the thing full of holes.
Blowing up your own stuff is entertaining, but blowing up other people's stuff is just vandalism.