Sorry if I'm missing the point, but the whole thing seems kind of insecure to me without a method to dynamically change the knocking sequence (as you mentioned). It should be as easy to get knocking sequences as sniffing plaintext passwords with any network sniffer (like ethereal for example).
Consider the developement in 2.5, many major parts were redesigned so bugs that might still be in 2.4 or have been fixed there do not have to be in the 2.6 code (anymore) and so don't need to be fixed. I don't know if there were many fixed that got portet to 2.5, but the focus has definetly shifted towards 2.6, so you shouldn't worry about this too much.
Even though T-Online does not have the best image ever (due to the bad image of the german Telekom which was property of the country and thus a big, slow giant), but technically they are way above the market standards in germany.
Also, they made DSL available to almost everybody in germany for a price of 40 Euro (~40 Dollars) mothly inkluding a 128/768 kbit flatrate shortly after analog/ISDN flatrates massively failed here.
This was a huge step forward in my opinion and deserves some credit. Also, the service is imho a lot better (= faster) than that of the competitors (1&1 for example). Most cheap flatrates cost about 5-10 Euro less that 40 Euro, but I don't switch because of the line and ping quaility.
Some competitors even limit your edonkey-usage to a certain bandwith, do not allow you to set up a lan, do not support fastpath etc. etc.
Next point: There is a client like AOL has got one, but you are *not* forced to use it.
Even though everybody (inkluding myself) here in germany likes telekom/t-online bashing they are really not that bad, especially for a market leader.
You can minimize your risk when staying up-to-date with patches and can block incoming traffic on dangerous ports, for example, but you'll never be totally secure this way. This is why it helps so much running *ix or *bsd , because you can chroot, jail, run apache as wwwrun and so on. Windows gives you full access once exploited, as you all know.
Imagine: Somebody attacks you with a working exploit before you've got the patch installed even if you update every day - unlikely, but possible.
Or imagine: You block all incoming traffic on 135/139 with your firewall and consider yourself immune to the blaster type of windows attacks. Take a person connecting via a vpn (for example) to your network which has an infected machine at home and think of the consequences once he is connected. Effeciency of firewall -> zero (in most cases).
JFtp http://j-ftp.sourceforge.net is a GPL network browser, same as its ftp API (written by me). I can't live from the earnigs of selling licenses, but it is real money. I strongly suggest everybody who writes an GPL-api to dual license it at the beginning if you want to make money out of it (which is imho fair if a company doesn't want to be its work GPL) - if it's LGPL you can safely forget about this.
I have a medium sized (GPLed) open source project, too, for which i've created an advanced java FTP API. Both the client and the API are GPL, so i get mails for use of the API in closed source commercial applications from time to time.
Depending on what the company wants to do with it i can decide to grant them a free license or maybe make some changes they need and offer support. If they want to fork a commercial branch, ok, but that will be expensive. If they put all changes back in the main tree, ok, then it'll quite cheap.
This way has lead to some API improvement sponsored by a swedisch company so far, mostly stuff like improved javadoc and a cleaner API design (yes, i know i should have made that *before*)
You can take a look at the announcement at http://j-ftp.sourceforge.net
However, i don't expect much money out of selling API licenses, but i don't think the GPL makes it impossible to earn money as some companys do either. Also, there is *no* commercial branch with improvements not found in the open source tree!
One concern: Of course you have to trust people. Nobody gives you a warranty people do not not use your GPLed stuff in closed source apps without contacting you. BUT: If they need support, they probably will contact you, and if they "steal" your source they probably wouldn't have bought it if it was closed source either...
>>> This is known as a covert channel. Depending on what is going on this is useful or a security risk.
The german ct magazine had a working hack about a year ago which allowed network io over dsn query headers and could circumvent firewalls. Sounds like this might be pretty much the same problem, and i consider it a rather serious one because io based on such techniques may be slow because the is much more overhead than data per packet, but it *is* working and i don't know of any firewall which could prevent this. please correct me if i'm wrong in this point, of course;)
My view of the original german text...
on
Settling SCOres
·
· Score: 2, Interesting
I've read the original german text, what he sais is:
- SCO's lawyers forgot to force a person to sign a NDA, that's the reason those details came out
- 46 pages of code were compared, linux on the one side, probably (not sure because they didn't tell it) SysV-code on the other side
- most code was simliar and had some excat matching comments, but the implementation also differed in many points
- 60 lines of scheduler code were a almost exact match (!)
- all dates were cut out so nobody can tell (yet) for sure who used the code first (but SCO would not start this case if they hadn't evidence imho)
- if the GPL proofs valid, SCO can only attack parts that they have not distributed so far, and those code was only in modifications by others, *not* in the unpatched kernel source tree!
L) Set up a small web- and fileserver with the lastest patches
M) Maybe provide a small support forum where the users can post there problems to from the table of their neighbour or something. Then others can read what problem have happened so far...
i just want to make clear that this anonymous coward was not me. i really understand that was a joke and found it very funny, *but* there *might* be people who like some informations, too...
>>> I have to say I'm psyched! And I just can't wait for 2005 to come around, when I can pull them out of debian stable.;)
what about pulling it right now?
just use unstable as i do... if you want debian as a desktop unstable is a very good choice, don't think this unstable would actually mean unstable in the commen sense.
in fact, it is even considered to be more stable that testing by many people (not all people, no flaimbait please):)
while the big screen version forces the hacker to change the system's root password -- in this case to "Z1ON0101." (Note the numeral in the place of the 'I' -- more hax0r style.)
Ok, it's time to update my l33t hacking wordlist and begin scanning random ips for root telnet/ssh logins.;)
Got Debian unstable running kernel 2.5.65, latest MPlayer, MozillaFirebird, Unreal Tournament 2003 and many other things on my home workstation - and it was really easy to set up, using the old Debian potato install CDs!
Dselect is hard, and the apt-get dist-upgrade was a little bit tricky, but nothing an average linux user couldn't handle!
Note that i had only 2 problems (while upgrading almost every day) with unstable (!) packages installed via apt in the last few years and had of course never to reinstall in.
The workstation runs as a server for my home LAN/WLAN, a video player connected to the tv, too and ist of course my favourite java developement platform.
The only thing that annoys me is that i want to switch to tv mode without restarting X, but i have not figured out that yet.
I wrote a ftp API an a network client located on http://j-ftp.sourceforge.net
It is GPL, but it is stable and even javaworld has an interesting html table comparasion (link on the homepage) which shows that it is superiour to most apis out there in many cases, because no api implements *all* standards.
It is that good because it was designed completyle following the rfc and is imho fully rfc 959 compatible. That took its time, almost 3 years now, but i don't think the api could not be used in a productive environment.
Most of these problems are important, like XFree and NFS, but they are problems in software *on_top* of a unix system. don't compare apples to oranges, e.g. system design to application suite quality...
we don't need to ged rid of unix-compatibility to get a fast window system for example...
Same for me. I'm developing JFtp, a graphical java ftp/sftp/smb client which can be launched via java web start / downloaded / used in 3rdparty-products.
I have about 500 downloads during 2 weeks if i announce a release, webstart users not counted (which should be the majority of users), but there are only few incoming emails and they are often in phases of the project when no work is done for at least a week.
Most mails are about others who want to embed the ftp api, almost no bug reports even when there have been very obsolete bugs in some releases...
This is a huge disadvante to commercial product where customers tell you thousands of duplicate bugs even if there is an ovious workaround.
Slashdot Mirror
Sorry if I'm missing the point, but the whole thing seems kind of insecure to me without a method to dynamically change the knocking sequence (as you mentioned). It should be as easy to get knocking sequences as sniffing plaintext passwords with any network sniffer (like ethereal for example).
Mod parent +5 funny ;)
In soviet russia, weed uses musicians to sell itself to YOU!
Consider the developement in 2.5, many major parts were redesigned so bugs that might still be in 2.4 or have been fixed there do not have to be in the 2.6 code (anymore) and so don't need to be fixed. I don't know if there were many fixed that got portet to 2.5, but the focus has definetly shifted towards 2.6, so you shouldn't worry about this too much.
I have to disagree.
Even though T-Online does not have the best image ever (due to the bad image of the german Telekom which was property of the country and thus a big, slow giant), but technically they are way above the market standards in germany.
Also, they made DSL available to almost everybody in germany for a price of 40 Euro (~40 Dollars) mothly inkluding a 128/768 kbit flatrate shortly after analog/ISDN flatrates massively failed here.
This was a huge step forward in my opinion and deserves some credit. Also, the service is imho a lot better (= faster) than that of the competitors (1&1 for example). Most cheap flatrates cost about
5-10 Euro less that 40 Euro, but I don't switch because of the line and ping quaility.
Some competitors even limit your edonkey-usage to a certain bandwith, do not allow you to set up a lan, do not support fastpath etc. etc.
Next point: There is a client like AOL has got one, but you are *not* forced to use it.
Even though everybody (inkluding myself) here in germany likes telekom/t-online bashing they are really not that bad, especially for a market leader.
You can minimize your risk when staying up-to-date with patches and can block incoming traffic on dangerous ports, for example, but you'll never be totally secure this way. This is why it helps so much running *ix or *bsd , because you can chroot, jail, run apache as wwwrun and so on. Windows gives you full access once exploited, as you all know.
Imagine: Somebody attacks you with a working exploit before you've got the patch installed even if you update every day - unlikely, but possible.
Or imagine: You block all incoming traffic on 135/139 with your firewall and consider yourself immune to the blaster type of windows attacks.
Take a person connecting via a vpn (for example) to your network which has an infected machine at home and think of the consequences once he is connected. Effeciency of firewall -> zero (in most cases).
JFtp http://j-ftp.sourceforge.net is a GPL network browser, same as its ftp API (written by me). I can't live from the earnigs of selling licenses, but it is real money. I strongly suggest everybody who writes an GPL-api to dual license it at the beginning if you want to make money out of it (which is imho fair if a company doesn't want to be its work GPL) - if it's LGPL you can safely forget about this.
And what have having sex on a boat and american beer in common?
;)
They're both fucking close to water...
Click on the link folks - there is a whole subsection on the frontpage explaining how it is pronounced:
Zoo-vaire.
I consider mixed licensing a very good thing!
I have a medium sized (GPLed) open source project, too, for which i've created an advanced java FTP API. Both the client and the API are GPL, so i get mails for use of the API in closed source commercial applications from time to time.
Depending on what the company wants to do with it i can decide to grant them a free license or maybe make some changes they need and offer support.
If they want to fork a commercial branch, ok, but that will be expensive. If they put all changes back in the main tree, ok, then it'll quite cheap.
This way has lead to some API improvement sponsored by a swedisch company so far, mostly stuff like improved javadoc and a cleaner API design (yes, i know i should have made that *before*)
You can take a look at the announcement at http://j-ftp.sourceforge.net
However, i don't expect much money out of selling API licenses, but i don't think the GPL makes it impossible to earn money as some companys do either. Also, there is *no* commercial branch with improvements not found in the open source tree!
One concern: Of course you have to trust people. Nobody gives you a warranty people do not not use your GPLed stuff in closed source apps without contacting you. BUT: If they need support, they probably will contact you, and if they "steal" your source they probably wouldn't have bought it if it was closed source either...
>>> This is known as a covert channel. Depending on what is going on this is useful or a security risk.
;)
The german ct magazine had a working hack about a year ago which allowed network io over dsn query headers and could circumvent firewalls. Sounds like this might be pretty much the same problem, and i consider it a rather serious one because io based on such techniques may be slow because the is much more overhead than data per packet, but it *is* working and i don't know of any firewall which could prevent this. please correct me if i'm wrong in this point, of course
I've read the original german text, what he sais is:
- SCO's lawyers forgot to force a person to sign a NDA, that's the reason those details came out
- 46 pages of code were compared, linux on the one side, probably (not sure because they didn't tell it) SysV-code on the other side
- most code was simliar and had some excat matching comments, but the implementation also differed in many points
- 60 lines of scheduler code were a almost exact match (!)
- all dates were cut out so nobody can tell (yet)
for sure who used the code first (but SCO would not start this case if they hadn't evidence imho)
- if the GPL proofs valid, SCO can only attack parts that they have not distributed so far, and those code was only in modifications by others, *not* in the unpatched kernel source tree!
L) Set up a small web- and fileserver with the lastest patches
M) Maybe provide a small support forum where the users can post there problems to from the table of their neighbour or something. Then others can read what problem have happened so far...
i just want to make clear that this anonymous coward was not me. i really understand that was a joke and found it very funny, *but* there *might* be people who like some informations, too...
so i don't see a problem posting this.
>>> I have to say I'm psyched! And I just can't wait for 2005 to come around, when I can pull them out of debian stable. ;)
:)
what about pulling it right now?
just use unstable as i do... if you want debian as a desktop unstable is a very good choice, don't think this unstable would actually mean unstable in the commen sense.
in fact, it is even considered to be more stable that testing by many people (not all people, no flaimbait please)
while the big screen version forces the hacker to change the system's root password -- in this case to "Z1ON0101." (Note the numeral in the place of the 'I' -- more hax0r style.)
;)
Ok, it's time to update my l33t hacking wordlist and begin scanning random ips for root telnet/ssh logins.
Got Debian unstable running kernel 2.5.65, latest MPlayer, MozillaFirebird, Unreal Tournament 2003 and many other things on my home workstation - and it was really easy to set up, using the old Debian potato install CDs!
Dselect is hard, and the apt-get dist-upgrade was a little bit tricky, but nothing an average linux user couldn't handle!
Note that i had only 2 problems (while upgrading almost every day) with unstable (!) packages installed via apt in the last few years and had of course never to reinstall in.
The workstation runs as a server for my home LAN/WLAN, a video player connected to the tv, too and ist of course my favourite java developement platform.
The only thing that annoys me is that i want to switch to tv mode without restarting X, but i have not figured out that yet.
I'm trying it already and it's really a *lot* better than mozilla 1.3.1 i used before...
modify your /etc/apt/sources.list
and do a
apt-get dist-upgrade
I wrote a ftp API an a network client located on http://j-ftp.sourceforge.net
;)
It is GPL, but it is stable and even javaworld has an interesting html table comparasion (link on the homepage) which shows that it is superiour to most apis out there in many cases, because no api implements *all* standards.
It is that good because it was designed completyle following the rfc and is imho fully rfc 959 compatible. That took its time, almost 3 years now, but i don't think the api could not be used in a productive environment.
just my 0,019725 euro
That depends on who buys Sun... if it is IBM, maybe they'll push Java against MS, or even open the source under a BSD-style license or similar.
Let's fork XFree, merge it magically with DireectFB and produce a lightweight X-windows brother...
:)
Then, let us call it DirectX.
Most of these problems are important, like XFree and NFS, but they are problems in software *on_top* of a unix system. don't compare apples to oranges, e.g. system design to application suite quality...
we don't need to ged rid of unix-compatibility to get a fast window system for example...
Same for me. I'm developing JFtp, a graphical java ftp/sftp/smb client which can be launched via java web start / downloaded / used in 3rdparty-products.
I have about 500 downloads during 2 weeks if i announce a release, webstart users not counted (which should be the majority of users), but there are only few incoming emails and they are often in phases of the project when no work is done for at least a week.
Most mails are about others who want to embed the ftp api, almost no bug reports even when there have been very obsolete bugs in some releases...
This is a huge disadvante to commercial product where customers tell you thousands of duplicate bugs even if there is an ovious workaround.
but i do not lo-res rendering preview *after* recording to be a impressive feature, that's what i meant :)