Slashdot Mirror


User: _Sprocket_

_Sprocket_'s activity in the archive.

Stories
0
Comments
5,182
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,182

  1. Numbers and Issues - Linux vs Windows on Linux Worm Creating "Attack Network" · · Score: 2


    Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?


    If the issue were as simple as counting vulnerabilities and counting exploits and comparing numbers... then it might be easy to say "yes". Or "no". Whatever the numbers end up being. And, in fact, that seems to be the entire argument some like to make when comparing the "security" of two different platforms. But the issue is not that simple. It is not about numbers.

    This is not the first time Linux vulnerabilities and worms have been the subject on Slashdot, as well as featured stories in the press. While it is a humbling reminder that no OS is invulnerable, it is also often used as a kind of red herring to deflect criticisms of Microsoft and its own offerings.

    Microsoft does not have a very positive history when it comes to security of their products. Although it would be wrong to ignore that they have made steps to improve - faster releases of patches and security tools have helped improve a dismal repuatation. However, Microsoft still continues to ignore some vulnerabilities, attempt to cover up issues, and otherwise imply that it is those who discover and publish flaws that are to blame for vulnerability - not their own products. But (bad) attitude is not everything. It is the Microsoft product itself that is at the heart of the issue.

    Sure - one can administer a fairly secure Windows environment. But it is no easy task.

    Patches (or service packs) have had a history of being dangerous - which leads to a standard policy of waiting before deploying what could be critical security fixes. Furthermore, it is now an apparent policy of Microsoft to change the legal framework of their license through the use of security patches / service packs. Installing a patch is not a simple matter for the smart Windows admin.

    Deciding to install a service pack is only the first step. Once the admin has accomblished this, they must then audit their configuration to ensure that the service pack has not replaced insecure services or configurations that the admin has removed with security in mind. Service packs tend to do this - especially if the admin has gone through the process of hardening their Windows server.

    Hardening is not a simple process either. Unix/Linux systems are very modular and allow for the removal of almost any component. Not so with Windows. Removal of unused components tends to not be suported by Microsoft and often involves following a checklist created by someone else who has already discovered what can or can not be safely removed (the dependancies of various components are not always logical). Once again, this entire process must be repeated after installation of any new system components or service packs.

    While Linux does share the dubious honor with Windows of having both vulnerabilities and worms designed to take advantage of those vulnerabilities... it does not share all the same issues. And that keeps the line between the two fairly distinct.
  2. Re:OH FOR GODS SAKE ! on Linux Worm Creating "Attack Network" · · Score: 2


    The kinda people who create virii/worms/trojans whatever are always going for the widest possible target market.


    Linux has been fairly well deployed as a server for years. Of course, various Unix flavors such as Solaris are even better represented. Yet when worms hit these platforms (and they do hit - and have hit numerous times before) they fail to generate the kinds of numbers Windows worm varients generate... nor do they stick around.

    This worm is likely to go the same direction as its predecessors. It will be "news" if it doesn't. And then we'll be back to debating over what these numbers really mean.

    If anything.
  3. No New Lesson on Linux Worm Creating "Attack Network" · · Score: 2

    There are no new lessons here. This is not the first worm for Linux. It is not the first DDoS architecture for Linux. Nor does CNET's estimation of 3,500 infected machines match its Code Red estimations that have floated from "...more than 15,000..." to "...more than 350,000...".

    It would seem anybody who is finding something insightful in this story are either a Linux or Windows zealot, brand new to the argument, or very poor students of recent history. Granted - "recent" becomes is somewhat subjective. So let's take a brief look at past DDoS applications and Linux worms.

    Distributed Denial of Service (DDoS) architectures began hitting the Industry consciousness late 1999. At that time it was trin00 and TFN. Shortly afterward, new versions showed up in the wild including TFN2K and Stacheldraht. All can be run on Linux. Although they are not, themselves, worms.

    Linux worms are not new... nor are they ancient history. There are some excellent examples from a little over a year ago. One of the first worms from 2001 was the Ramen Worm and was reported by CNET January 17, 2001. Of course, CNET's article didn't have impressive numbers to report but it did liken it to the infamous 1998 Morris Worm. The Ramen Worm was followed by a less-famous variation called Adore and it also garnered CNET coverage April 4, 2001. But it wasn't too interesting a worm. It had been overshadowed by a worm reported the previous month dubed Lion. The Lion worm also got its own CNET coverage.

    In each case, the worm in question used well-known security flaws with existing patches.

    If one wants to point out that any OS is vulnerable if it is not properly maintained, then this latest worm is simply one of a series of worms that have proved this point. And worms have made object lessons of Linux, Windows, and other popular OS variants such as Solaris (sadmind/IIS being my favorite as it propagates on Solaris machines and then attacks and defaces IIS web sites).

  4. Points, Pedestals, and Appeal on Slashback: Segwait, Farscape, Leg-pulling · · Score: 5, Insightful

    The problem with discussions like this is the potential to sink to a simple flame-fest. This discussion is especially prone to such degradation when one favorite is attacked ("I was rather happy when I heard of [Farscape's] demise in the first place") and another is placed upon a pedestal ("And Star Trek is simply way out of Farscape's league"). Further idolization with such pretentious statements such as "Star Trek has its entire universe devoted to exploring humanity itself" sets one favorite on such a high pedestal that it makes a really tempting target. But I'll avoid the temptation.

    On the other hand, I do agree with some of the observations on what makes some of the mentioned SciFi shows interesting. It might be worth noting that none of these shows are without criticism. But each show does have some appeal - whether it appeals to you personally or not is a matter of personal taste.

    So the question was asked: what is appealing about Farscape?

    Star Wars has lost its impact between the older and newer movies even as it has held on to its theme of "good vs. evil". What it didn't hold on to was its core heros. The first trilogy was not about individual characters, but rather a group thrown together by chance. Each character contributes to the bigger-than-oneself events around them and, ultimately, challenge an Empire.

    Farscape also has a core group of disparate characters thrown together by fate. And this group also challenges greater powers than themselves. Though in this case, our central core of heroes aren't always agreeable witch each other. And while it is sometimes a frustrating plot device - it also has a ring of truth for all but the most structured group environments.

    I also find the human character Crichton interesting. The character goes from being one of the top in his field (scientist and astronaut) to fish-out-of-water baggage. He then adapts to the oddity around him. Eventually, he gains the respect of his fellow fugitives and begins to thrive in his new surroundings. In effect, Crichton adapts to and overcomes the insane situation he is thrust in to... with a bit of irreverent insanity of his own.

    It might be worth noting that the Farscape world itself has some appeal. There is a different look to the show. Often animatronics and puppets are used to give the Farscape world a more alien feel. Subtle oddities such as biological ships and the human-like Sebatian race's deadly susceptibility to heat add to a fantastic, unique world.

    That's not to say Farscape is beyond criticism. Overall, I really enjoy the writing behind the series. Occasionally, there is an episode that seems to... slip. And unfortunately, the latest season seems to be slipping more often than not. I hope Farscape picks the pace back up. Or is mercilessly put out of its misery.

    I can understand why there is some shock at Farscape's popularity. It took me awhile to become a fan of the show. But once I started watching, I found more than enough to appeal to me.

  5. Re:One and the same on Physical and Network Security Merging? · · Score: 2


    Data is an asset that needs to be protected both in the physical world where it is stored and, and in the virtual world where it is acessed. The goal in each arena is the same, ignoring either is irresponsible. Thus the inevitability of these two departments combining.


    Inevitability of physical and information security combinging? Just because one involves the other does not mean they become the same activity.

    Infosec involves purchasing hardware, software, licesnse, etc... does that mean Infosec and the Purchasing department should combine? Information security involves liability and privacy issues... do we combine Infosec with Legal? A compromised system can lead to a serious public relations issue... is Infosec now under the guise of the PR department?

    No.

    Each department has its own expertise and focus. Issues that one department focuses on can certainly affect other departments. And because of that... those departments should have the ability to coordinate and communicate... and draw on each other's strengths when they hit an issue that another specializes in. But they don't become the same activity.
  6. Re:ISC^2 already defines this on Physical and Network Security Merging? · · Score: 2


    To me, the bigger relevation to "geeks" here should be that information security is about a lot more than OS vulnerabilities and firewalls.


    To anybody involved in information security, this is probably not a revelation. But just because this is an aspect of infosec, does not mean it naturally falls in to the physical security realm.

    To put another way... because infosec includes physical security, it does not mean a manager with physical security background is a good choice to lead an infosec activity.


    The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.

    Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.


    One of these domains includes Law, Investigation, and ethics. And just like physical security, inclusion of legal considerations does not mean infosec should be ran by your corporate Legal office.

    Infosec personnel should be aware of legal and physical security aspects that affect their environment. Certainly. And when they need experts in those areas, they should contact their physical security activity or legal.
  7. Re:Bad idea on Physical and Network Security Merging? · · Score: 2

    Sure - physical security is a part of information security. After all, a screwdriver and wire cutters can be just as damaging to a network as a remote command line and appropriate privilidges. But that does not mean information security becomes physical security or visa versa.

    But there is still a rather wide gulf between the concepts and techniques used within information and physical security realms. To the uninitiated, they may seem to be very simular. They are not. I've seen infosec activities ran by those who have a physical security background... and they end up focusing entirely on the wrong areas.

    Information security needs to be aware of physical security. And physical security needs to have an increasing knowledge of IT. But that does not mean one activity should be ran by another.

    Just because the CISSP includes Law and Investigation, it does not mean infosec becomes a wing of the Legal department nor does infosec become a police force.

  8. Re:For those that enjoy it... on Farscape Frelling Cancelled · · Score: 3, Insightful
    To each their own...


    I'll take Enterprise any day.


    I could never get in to Enterprise.


    The story line is inspirational. The recurring characters are admirable.


    I found the storyline, while appealing to my like for "history" (even if it is fictional), doesn't really seem to go anywhere. And the characters fail to interest me.


    The production values are top-notch. The special effects are beyond reproach.


    Sure. Decent production. And they seem to do a somewhat admirable job of trying to balance between a "future" defined by our real-life past views of technology during the 60s and the current sense of ethetics that lead to the look of the "modern" Star Trek.


    And each episode stands on its own and does not require that you watch the show serially from the pilot up to the current episode to understand what is going on -- though, taken together, it tells a larger story.


    I don't find that a big selling point. Of course, I also enjoyed shows that really required a sequential following (like B5 or Twin Peaks). Having said that - I don't feel that Farscape suffers so much from this. And even if it does... that this is really a such bad thing. Unless, of course, you're a studio manager more concerned with filling in time slots than what your programming actually is.

    Farscape and Enterprise are entirely different shows and, honestly, I feel that its rather unfair to try and compare them. The only likeness between the two is that they both have a space sci-fi (sci-fantasy to the purist) background.

    And I must admit, it took me a bit to get interested in Farscape. But after watching a handfull of episodes (a couple of different times), I got hooked. Mainly because Farscape is very different. Its chaotic. Its full of very odd concepts and designs - from hardware, to aliens (and I've come to appreciate the occasional anamatronic alien puppet instead of another makeup-and-prostetic alien). And there is a certain degree of desperation that pops up occasionally that I find refreshing (as an example, running out of food and facing starvation pops up from time to time).

    Will Farscape be everyone's cup of tea? Hardly.
  9. Re:Pitfall! ][ on Interview With Pitfall! Creator, David Crane · · Score: 2
    From the article:

    MT> As well as software, you have contributed to many hardware breakthroughs including the designs of two integrated circuits used in video games. Please tell us about the Display Processor Chip (DPC) and your innovative method of bank selecting. What was your involvement with the Atari 800 computer's operating system?

    DC> My background is in hardware design. I found hardware work to be a welcome change from thousands of hours of programming and that led to the designs you mentioned. I would have to go into a highly technical explanation to delve into those two chip designs, but their intention was to try to extend the life of the 2600 even further. The hope was that the machine's capabilities could be expanded by putting extra hardware into the cartridge. The DPC chip added more graphic capability as well as 3 channel music (plus drum), and made Pitfall II possible. Unfortunately, the 2600 business died before any other games could take advantage of that technology.

    So yea... Pitfall II actually had some rather interesting additional technology hidden away in that cartridge.

    Oh. And the answer to this question continues... including the reference to Bill Gates.
  10. Re:not the reason?? on Java Media Framework Drops MP3 · · Score: 2


    The real reason they removed that exemption is so that players such as Winamp, which are commercial but distributed free of charge, have to pay a license fee.


    Is that so? Then where is the exeption in their license for non-commercial use? There is no such thing. The license applies to everyone.


    So, Thomson now is saying that the fees still apply to everyone, although Thomson is not enforcing them for what they consider free decoders. If you show me one free project that has gotten a cease-and-desist letter from Thomson, then I'll believe you. As it is, it does look like a Vorbis publicity stunt.


    The place for Thomson to make these assurances is in their license. Anywhere else is just words. If Thomson were to take you to court over this issue, their case would certainly revolve around their license. You better have a better defense than a printout of an article from The Register.

    Is it a Vorbis publicity stunt? Hardly. Thomson changed their license on their own accord - and despite their spin, the change was considerable. It is only natural for the Ogg Vorbis group to point this out as the reason they exist is to protect developers from just this kind of license issue.

    Everything else is noise. It doesn't matter what Thomson's history is, nor their current policy (policy can change on a whim, with a new CEO, after a particularly convincing PowerPoint presentation from a new marketing hot-shot, etc). It doesn't matter what supposed business case against legal action you can come up with (who says you know all the facts? Can somebody come up with a counter-case?). What matters is the words within the license.

    To put bluntly:

    Its the license, stupid.
  11. Re:Read the Article - Follow the Link! on Java Media Framework Drops MP3 · · Score: 2

    Yea. I thought this too... but when I poked around, it looked like one needed to download the plugin. My mistake. I should have tested it myself. :)

  12. Re:Read the Article - Follow the Link! on Java Media Framework Drops MP3 · · Score: 2

    I think one of your best bets for good testing information would be the BBC's experiment. Slashdot had posted about it, and then posted again to note that the experiment had been extended. I would expect it generated a pretty decent amount of traffic for BBC's servers.

    There were a few positive comments from ex-pats who were enjoying the streams. And I believe a comment from the sysadmin running the test with an overall positive remark and invitation to hit the streams hard.

    It'd be nice to see their data on how well it ended up doing.

  13. Re:Read the Article - Follow the Link! on Java Media Framework Drops MP3 · · Score: 2
    Fair enough. But a couple points...


    Just cause something "disappeared" doesn't mean it doesn't still work that way. But making licensors look bad is one of the goals around here, so I'm not surprised that it was posed under false pretenses.


    First, the Thomson rep had a great chance to point out that it was all a misunderstanding. That the removal of the exlusion was an oversight. He didn't. The rep talked about their "policy" and not their "license" - two very, very different things.

    Secondly, when it comes to licenses... the devil is very much in the details. What is or is not specifically spelled out is very important. One would expect a company such as Thomson Multimedia, who's very business is licensing technology, would understand this. If they took something out that had previously been promptly displayed... its a safe bet that it was not a mistake.

    Finally, Slashdot has an axe to grind with licensing. That's pretty clear. But then, anybody who has payed attention to technology over the past couple decades has seen the industry develop a standard mode of operation which uses licensing to remove as many consumer rights as possible. It is little wonder Slashdot reflects a seige mentality that a large number of its readership feels. Myself included.

    If Slashdot has managed to make a licensor look bad, it is very likely their own doing. And in Thomson's case... red herrings such as Ogg Vorbis aside... it is very much their own actions that has brought this attention. All Slashdot had to do was point to the links.
  14. Re:Read the Article - Follow the Link! on Java Media Framework Drops MP3 · · Score: 2


    Also of note, this is why I am leaning towards Windows Media for streaming...


    Yea. And Microsoft has a sterling reputation when it comes to licensing. Good choice. ;)

    I'm curious as to how difficult it would be to stream OGG. The BBC ran some pretty successful tests, it seemed. And there are others that are doing it. Getting users "there" would be (more or less) as easy as pointing a link to the OGG plugin for Winamp as well as other popular Windows music players that support OGG natively (such as Sonique).
  15. Re:Read the Article - Follow the Link! on Java Media Framework Drops MP3 · · Score: 2


    Only for commercial software, however. Since everything in and around Slashdot is all about "Free Software" -- there isn't a problem. Read the Register article.


    Yes. I've read the Register article. And I've read the license. And I missed the part in the license page that says these rates apply to only commercial software. In fact... if you follow the OTHER link provided by the Register article, you'll see that the exclusion to non-commercial/free software has been removed. And THAT is what created all the attention. Not some PR plot from the Ogg Vorbis group.
  16. Re:not the reason?? on Java Media Framework Drops MP3 · · Score: 3, Insightful


    The page you linked to states explicitly that MP3 decoders are not necessarily subject to per-unit royalties: either pay a per-unit fee ($0.75) or a one-time royalty of $50 000. Pay the latter, and you're covered for any number of decoders shipped.


    That's all nice and fine. However, it misses the point.

    The attention came from a change to the license; specifically the removal of an exemption for software players/decoders distributed free of charge. And I believe THAT exclusion came about in responce to some concern over the license several years ago - although I might be remembering that wrong.

    If Thompson's agent was saying something along the lines of "we changed our license - its our technology and we can do that. Pay up or stop using our stuff" then fine. Or even if the rep had claimed it was all a mistake... a simple oversight... and the license was modified to include the origional exclusion, then even better. But that's not what is going on here.

    The license has changed. It is a very distinct and important change to the development community. And it is the very kind of change that a project like Ogg Vorbis has been created to handle.

    Meanwhile, there is a PR representative demanding that everybody ignore that license behind the curtain. And, of course, he also insists that any attention on this matter is not a responce to their own actions (changing their license) but a devious mud-slinging campaign by the Ogg Vorbis group.

    And an anonymous poster/shrill attempting to further Thomson's story while ignoring the contrary evidence included in the very article he/she mentions.
  17. Read the Article - Follow the Link! on Java Media Framework Drops MP3 · · Score: 3, Informative


    The licensing fee DOES NOT apply to software decoders, only hardware decoders.


    Really now? You might want to take a look at the link provided in that very same article you lifted the "publicity" quote. The licensing specifically lists prices for "PC Software Applications" as well as "Hardware Products".
  18. Re:Not to justify it or anything... on MIT Steals Comic Book Character · · Score: 2


    Except that if you had read the article, you would know that Radix is no longer being produced, ever since they found out about MIT's blantant rip and lodged a lawsuit.


    I'm curious about that point. Is there a valid legal reason to do this? Or is it just an attempt to inflate "damages" claimed?
  19. Re:Heh on Hotmail: Not Safe For Work? · · Score: 2

    Sure. Its funny unless you work for Jim Beam.

  20. Re:(resume) Re:To be honest on Hotmail: Not Safe For Work? · · Score: 2


    And when you've had the "screw it" attitude for the past 3 years, and either quit jobs or just generally been an ass, then how do you find another job when you have no good resume references from former employers.
    ...

    I prefer to do a good job, enjoy my work and take pride in what I do.


    Who says you have to cop an attitude, be an ass, and not take any pride/enjoyment in your work? The idea is simply being aware of the reality of today's corporate employment environment.

    I can't remember who stated it (it may have been a Slashdot post) but I read an interesting piece of advice once. The company owns your job... you own your career. Don't confuse the two.

    I am a hired technical gun. I have no personal loyalty towards any employer (and that's hard to maintain sometimes, I admit). But I am a professional. I expect to be compensated for personal sacrifices just as my employer expects to be compensated for allwowances made to personal matters. I produce the best work I am paid for. I do not betray the trust that is a very large part of my job. And I have always maintained a civil, if not friendly, attitude with coworkers and business contacts. Consquently, I have a rather large pool of former colleagues that have, and continue, to give me glowing references.

  21. Re:SPAM? on Is Win2k + SP3 HIPAA Compliant? · · Score: 1

    Sure... whats it going to hurt my mailbox by being mailed by another clueless moron thinking they can make any money off me by buying harvesting software and a "targeted" email address list.

  22. Tools vs Art on A New Model for Software Innovation · · Score: 2


    One striking example is that the GPLed games for Linux always tend to variations of Tetris, Boulder Dash, Missile Command, etc. You would expect the innovative games to be coming out for Linux: no pressure from marketing, free development tools, big community. But the games with spark, like The Sims and Grand Theft Auto 3 are coming from elsewhere.


    As others have pointed out, modern games are becoming more and more a blend of technical and multimedia artistry. Part of this may simply be exposure and time will bring more artists in to the Open Source community. But some of it is also the culture and nature of artistic work.

    On the technical side, we already have some great coders working on Open Source tools. Part of this may be that coders are the first to benefit from other Open Source projects and feel compelled to "give back" to the community. But also part of this is definitely the positive return from finding others to collaborate on your project. Development of tools benefit from multiple developers. It might be worth noting that there are some very interesting Open Source projects involving toolsets and engines for games.

    The artistic side comes from a different world. First, most of their tools are proprietary... although with tools like the GIMP and Blender (knock on wood), this may change. Secondly, art tends to have a limited collaborative nature. And finally, art does not need an equivalent of source code to improve from one example to another. In fact, artistic influence is largely unaffected by IP laws. For example, while reading many of the better fantasy novels available today... one will often see the influence of J.R.R. Tolkein - despite a rather aggressive protection of copyright by the Tolkein estate (just ask TSR/WotC or whatever they're called now). This artistic influence is felt within other aspects of artistic endeavor also. Simply put, artists do not have as much a need for Open Source ideals as coders do (although "look and feel" and other issues are very similar technical examples of influence).

    But that doesn't mean artists will never find themselves in the Open Source fold. As more and more interesting tools begin to appear, Open Source may begin providing an environment that is attractive to artists' desire to experiment. And this experimentation is often produces some of the most compelling content.

    It may simply be a mater of time.
  23. Re:Innovation on A New Model for Software Innovation · · Score: 2

    It might be worth noting that its not just being born with natural talent. Its dedication to maintaining a certain physical appearance coupled with a limited time period in which that is possible. Maintaining this image for as long as possible requires a lifestyle of strict eating behavior and a constant exercise regime. In short, an image worth $50K is not simple to maintain... a point increasing age and a penchant for fully-sugared Coke has driven home to me personally. :)

  24. Re:No, he's saying it's a LEGAL Question, and this on Is Win2k + SP3 HIPAA Compliant? · · Score: 2

    This isn't a legal advice forum, no. But discussion on this subject helps develop the issues that need to be addressed. And it alerts Slashdot readers (many who are IT professionals - and all the ones who aren't) that the issue exists and may need to be addressed in their evironment too.

    The smart reader will take the issues discussed here to their own legal councel and seek definitive answers.

  25. Re:SIM Solution for HIPPA compliance on Is Win2k + SP3 HIPAA Compliant? · · Score: 1

    ...is this spam?