I'd agree with you when talking about smaller releases but with big album releases from big artists, the reviewers are generally pretty desperate to make sure that they get a review copy. This is especially true if there has been a lot of hype surrounding an impending release and the reviewers know that the public is hungry for information about the release.
The record company most probably demands that the players are returned to them intact after the review period. If one has been tampered with, broken or had the earphones cut off, they will know never to send a review copy to that reviewer again.
Surely it is newsworthy when a vulnerability is actually exploited 'in the wild' like this, even if only to remind people about the importance of patching.
Are you suggesting that Code Red should not have been reported on Slashdot, as the patch was out a month before the infections took place? Or is it only Linux exploits that should be blacked out once a patch is available?
I don't think anyone is blaming the programmers - the story seemed pretty clear that it is admins that fail to patch that are at fault here.
I seem to remember code red running around for a good 2 weeks after I heard about it before anything was able to be done about it.
I think you must remember wrongly.
The CERT advisory for the exploit that let Code Red in was published in June. It references the update that will fix the vulnerability, also published in June.
The Code Red advisory didn't come out until a month later, in July.
Unless CERT were unusually slow in publishing their advisory on Code Red, your version of events seems strange. I can also remember IIS admins that had installed the patch having little sympathy for admins hit by Code Red.
Criticise MS where they get things wrong by all means, but please make sure the facts are right or posts like yours are just as much FUD as Bill saying that the GPL is viral.
The advisory mentions that the worm compiles code on the infected machine. Since the executable will need to be a Linux one, I would guess that the worm can only infect linux machines.
Some suggestions for related 'works of art' (on Crushing Experience, Score: 1)
* A set of web servers, running different operating systems, each in a crusher. The crusher of each machine is controlled by a client that will activate it when it gets a 404 from the server. If the OS crashes, the server gets crushed. The last OS standing gets to survive.
* The artist places themselves in a crusher that is linked to a web server. The server will activate the crusher if it does not get a hit for a defined period of time. When the public are no longer interested the artist gets crushed. (The grant application for this would be based on it being some sort of reflection on internet fame and those who seek it)
Alternatively, we could dispense with all this pointless crushing and do something more useful with these machines...
Re:Moderation of hits? (on Mr Anti-Google, Score: 2, Interesting)
If letting Google rank the pages is undemocratic, what about a system in which, when you go to a page from a Google search, Google adds a frame at the top of your page that lets you vote on how useful this page was on a scale of 1-10?
Are you serious?
Do you think someone might think to abuse this system? Automated form filling, anyone? Even if that were prevented, it wouldn't be too hard or expensive to hire hundreds of low paid data entry people to vote a site up.
The Google algorithm can be manipulated to some extent but it has stood up pretty well so far. A voting system could be manipulated much more easily.
I guess a lot of people weren't aware of the meetup. I think if there were perhaps a reminder of some kind for upcoming meets on the main page the turnout would have been a lot bigger.
Some good points there (someone should mod the parent up - it would be a shame for all that effort to go to waste)
The problem with enforcing copyright laws that were formed in the paper content world is that they do not apply all that well to electronic content.
What would the implications be for libraries of online content? Would they have to ensure that only one person is reading each piece of electronic content at any one time? If so, how would they do this? How would they tell that someone is reading the content? Would there have to be a check out/in system?
Without a check out/in system, the only time that the library would know there is someone accessing the content is when they are actually downloading it. This being the case, could services such as google claim that they are only sharing the content with one person at a time, as only one person is downloading it at any one time?
There are lots of difficulties here - traditional copyright simply does not work very well when we try to apply it to electronic content.
We need to get back to what the actual purpose of copyright is (hint - it's not to help people make money - see this article) and work out some laws, guidelines and etiquette that are appropriate to electronic content. Simply trying to apply existing laws to it does not seem like the best way forward to me.
That stops it being cached in the first place but will only affect people who visit the page when the no-cache is in place.
What I was talking about was the idea of NYT asserting their 'control' of their content by sending you an email saying - "remove all cached content from your browser now as it is infringing our copyright"
My view is that if they posted the content on their site and allowed me to access it, they have no right to, at a later date, ask me to remove a cached copy. I think that this is similar to the NYT sending me a letter asking me to destroy the printed newspaper because they want to retract something or a publisher demanding that copies of a book they published are removed from libraries.
(All this is a little bit irrelevant - as pointed out on another thread, Google does remove content from their cache when requested)
But Google isn't a library, and there isn't a law that requires web sites to send their material to Google.
But what about the libraries that don't have laws to force publishers to submit content? Are they stealing the publishers right to control their content by allowing the public to read books, even those that have been withdrawn by the publisher?
Should publishers have the right to have their books removed from all libraries whenever they like?
Perhaps a law requiring publishers of online content to submit it to online archives might not be a bad thing...
Publishing something on an internet site doesn't necessarily mean that you put the information into the public domain, just as you don't give the New York Post the right to publish an article just because your article has been published in the New York Times the day before.
Okay, bad choice of words with 'public domain' but I still think that someone who publishes information publicly should not have the right to recall that content whenever they please. Stealing content is wrong but caching content is not the same thing (Should the NYT have the right to force you to empty your browser cache of NYT sourced content at any time? Should they be able to demand that proxy servers empty their cache at any time?)
Google doesn't republish the material in the way that you are implying (i.e. by claiming it as their own) - they provide access to a cache of the content, labelling its origin clearly and providing a link to the original content. In my mind, this is more analogous to the activities of a public library than it is to one newspaper stealing content from another.
Libraries store newspapers on microfilm for research purposes. Why should this not extend to electronic content?
Electronic content introduces many complications to this sort of issue. Libraries traditionally have provided a way for everyone to get access to content. How can this ability be protected when we are talking about electronic content?
The Google cache is causing publishers to lose control over their material.
In Britain, publishers are required by law to send a copy of everything they publish to the British Library in London. I'm not sure if the USA has anything similar but libraries exist pretty much everywhere.
Does having these copies available to the public at the British Library cause the publishers to 'lose control over their material'?
Does someone who puts information out into the public domain have the right to withdraw that information whenever they like? I don't think so.
Actually, I'm willing to bet they release it for FreeBSD as well as Windows. The MS source for the CLI, CLR (can't remember what the acronyms mean) and other bits can compile itself for FreeBSD already...
The FreeBSD port does not include very much of the.NET class library.
Significantly, it does not include the ASP.NET classes - so a lot of work would be required before there would be any point linking it to a web server.
There is an Apache fix that will patch the older versions of Apache. That is what I did on my webserver.
You might want to check out the advisory.
Apache don't seem to think that the patch is really enough (emphasis mine):
"Note that early patches for this issue released by ISS and others do not address its full scope."
"The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue, and all users are urged to upgrade immediately."
The Apache http server page also adds:
"If, for any reason, you are unable to upgrade at this time, as a minimum, this patch for httpd 1.2.0-1.3.22 should be applied to the source code."
Apache webmasters beware: Don't fall into the trap that IIS webmasters fell into. If you fail to address security issues like this fully, you could end up making your webserver of choice look bad.
Linux is a safe haven.
Just a side note, if anyone ever came up with a virus that was as devastating to Apache as Code Red was to IIS, I think Linux would be doomed.
We're damn lucky that there hasn't been a similar worm that exploits Apache servers with the vulnerability that was found a few weeks ago.
If Microsoft were really evil, they'd have some people creating just such a worm right now...
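A check that follows from the advisory text quoted above, added here as an example and not taken from the page or from Apache: it pulls a version out of a Server banner or the output of httpd -v and compares it with the fixed releases the advisory names (1.3.26 on the 1.3 branch, 2.0.39 on the 2.0 branch). The branch table, the sample banners and the rule that an unknown or unparseable version counts as needing attention are my assumptions.

```python
"""Compare an httpd version string against the minimum fixed releases named
in the Apache advisory. Added example; not Apache's own code."""
import re

# Minimum fixed release per branch, taken from the advisory text above.
# Assumption: anything not on one of these branches is treated as unsafe.
FIXED = {"1.3": (1, 3, 26), "2.0": (2, 0, 39)}

# Constructed sample inputs: two Server banners and one 'httpd -v' line.
SAMPLE_BANNERS = [
    "Server: Apache/1.3.22 (Unix)",            # below the fixed release
    "Server: Apache",                          # ServerTokens Prod hides it
    "Server version: Apache/2.0.39 (Unix)",    # output of 'httpd -v'
]


def parse_version(text):
    """Return (major, minor, patch) from text such as 'Apache/1.3.22 (Unix)'
    or the first line of 'httpd -v'; None when no version is present."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def needs_upgrade(text):
    """True when the version is missing, on a branch the advisory does not
    cover, or below that branch's fixed release."""
    v = parse_version(text)
    if v is None:
        return True
    branch = "%d.%d" % (v[0], v[1])
    if branch not in FIXED:
        return True
    return v < FIXED[branch]


def audit(banners):
    """Map each banner to its verdict; handy for running over a host list."""
    return {b: needs_upgrade(b) for b in banners}


if __name__ == "__main__":
    for banner, flagged in audit(SAMPLE_BANNERS).items():
        print("%-40s %s" % (banner, "UPGRADE" if flagged else "ok"))
```

Run it against httpd -v on the host rather than trusting the banner: ServerTokens Prod reduces the banner to "Apache" with no version, which the check deliberately reports as needing attention, and a build that has had the source patch applied will still report its old version number, so the version string alone cannot tell you that the patch from the advisory is in place.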
What about the Apache vulnerability that was discovered a couple of weeks ago? I would think there are still loads of people who haven't patched their servers (and even the patch does not give full protection. See the advisory).
Microsoft are addressing the issue of applying patches to products such as IIS with features that remind system administrators about new patches and automate the process of applying them.
I really think that open source systems such as Apache will need to have features like these if they are to compete strongly.
If Code Red taught us one thing, it was that the application of patches is as important as the patches themselves (MS released a patch that prevented Code Red infection months before the outbreak)
You want it, they offer it, you gotta pay what they ask, or tell 'em to stick it.
I think the problem that a lot of people have with this move is that they signed up for mac.com email addresses on the basis that they would be free for life and then, just as they started to rely on those addresses, Apple announced that they will have to start paying.
I'm not sure of exactly what the original deal was with mac.com email addresses but some people certainly seem to think there is a bait and switch going on here.
Offering a service for a fee is fine. Promising a service for free and then announcing a fee at a later date is somewhat underhand.
Re:Er... This doesn't sound right... (on The Chronoliths, Score: 1)
So, teenagers are winning the wars fought in the future?
Maybe he means that the person involved exists today but is not currently a leader.
e.g. I am 23 right now but in 19 years I become a great leader and change my name to 'Zardan the Indestructible'. A year after that I win a great victory and the memorial says "Zardan the Indestructible won a great victory". The leader who wins the victory (me) is in his 40's and the name is not that of someone who exists as a leader today.
It's confusing wording but perhaps that is what he means.
That's not the source of the web.config.
They have ASP.NET (for that is what is running on the server) set up not to show server errors to remote clients (very sensible) but do not have a friendly error message set up.
The code that the poster quoted is from the error message that is displayed, where it tells you what you need to change in the web.config to either allow full error messages to be displayed or show a friendly error message.
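Since the comment turns on which web.config setting is in play, here is an added example (my code, not from the page, the poster or Microsoft) that parses a web.config and flags the leaky setting: customErrors mode="Off" returns the full error page, stack trace included, to every client, while mode="RemoteOnly" with a defaultRedirect keeps that detail on the local console and gives remote clients a friendly page. Both sample configs are constructed and the redirect file names are placeholders.

```python
"""Audit the <customErrors> setting in an ASP.NET web.config.
Added example; not from the page. Sample configs are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the leaky setting. mode="Off" sends the detailed
# error page (stack trace, source lines, file paths) to every client.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample: the hardened setting. RemoteOnly keeps the detail for
# requests from localhost; defaultRedirect gives everyone else a friendly
# page. The file names are placeholders.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.htm">
      <error statusCode="404" redirect="~/notfound.htm" />
    </customErrors>
  </system.web>
</configuration>
"""


def audit_custom_errors(config_xml):
    """Return a list of findings; an empty list means the config is acceptable."""
    findings = []
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    node = system_web.find("customErrors") if system_web is not None else None
    if node is None:
        # With the element absent ASP.NET falls back to the machine-level
        # default (RemoteOnly), but remote clients still get the generic
        # runtime error page rather than one you control.
        findings.append("customErrors element missing; add one with "
                        "mode=RemoteOnly and a defaultRedirect")
        return findings
    mode = node.get("mode", "RemoteOnly")
    if mode.lower() == "off":
        findings.append("customErrors mode=Off leaks stack traces and "
                        "source to remote clients")
    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect set; remote clients see the "
                        "raw ASP.NET error page")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_custom_errors(cfg) or ["ok"])
```

Point it at the real file (the root web.config of the application, since a child directory can override the setting) and treat any finding as something to fix before the site is reachable from outside.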
Re:Editors: Anonymize the Amazon Links (on General IT Books?, Score: 2)
"Could the editors please either remove the referrer-id from the Amazon links..."
Have a look at the URLs - they have different sets of numbers in them. That's because these numbers are not referral IDs that the poster has added - they are numbers that Amazon uses to track users through their site. Try going to Amazon and clicking through a few pages - you will see numbers just like those in the article.
No conspiracy here - just a poster that couldn't be bothered to trim their amazon links. (You can get rid of everything after the "ASIN/[number]" part)
Good idea about adding a referrer ID for a good cause though - since there is no referrer ID there right now it would be good for someone to get the 15%
Until they actually do it I don't think anyone should even care
How will you know when someone builds this machine and starts actually cracking the encryption? Do you really think 'they' will advertise the fact that they can factor keys in minutes? I find it more likely that 'they' will just quietly read the encrypted messages they want to read - from their point of view the longer people stick with key lengths they can crack, the better.
The general point is - the safest thing to assume is that once something is theoretically breakable in a practical timeframe, it is broken. Assuming that we will find out when a practical implementation is available seems a little naive.
Dan.
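The practical consequence of that assumption is an inventory check: know the modulus size of every RSA key you rely on, and retire the ones at the edge of what is feasible before anyone tells you they are broken. The following is an added example, not code from the post: a small DER parser that reads the modulus size out of an RSA public key, either a bare PKCS#1 RSAPublicKey or the SubjectPublicKeyInfo wrapper that openssl rsa -pubout -outform DER produces, and compares it with a minimum. The 2048-bit floor is my assumption, and the sample moduli are stand-in constants of the right size, not real keys.

```python
"""Read the modulus size out of an RSA public key in DER form and apply a
minimum-size policy. Added example; the sample keys are constructed."""

MINIMUM_BITS = 2048  # assumed policy floor
RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # 1.2.840.113549.1.1.1


def der_len(n):
    """DER length octets for a content length of n bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    """DER INTEGER for a non-negative int (leading 0x00 if the top bit is set)."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def encode_spki(n, e):
    """SubjectPublicKeyInfo wrapping an RSAPublicKey (what -pubout emits)."""
    alg = b"\x30" + der_len(len(RSA_OID) + 2) + RSA_OID + b"\x05\x00"
    pub = encode_rsa_public_key(n, e)
    bits = b"\x03" + der_len(len(pub) + 1) + b"\x00" + pub  # 0 unused bits
    body = alg + bits
    return b"\x30" + der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der):
    """Return (modulus, exponent) from RSAPublicKey or SubjectPublicKeyInfo DER."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag, first, pos = _read_tlv(seq, 0)
    if tag == 0x30:  # AlgorithmIdentifier: this is the SPKI wrapper
        if not first.startswith(RSA_OID):
            raise ValueError("not an rsaEncryption key")
        tag, bits, pos = _read_tlv(seq, pos)
        if tag != 0x03 or bits[:1] != b"\x00" or pos != len(seq):
            raise ValueError("malformed subjectPublicKey BIT STRING")
        return parse_rsa_public_key(bits[1:])
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tag, e_bytes, pos = _read_tlv(seq, pos)
    if tag != 0x02 or pos != len(seq):
        raise ValueError("exponent is not an INTEGER or trailing data present")
    return int.from_bytes(first, "big"), int.from_bytes(e_bytes, "big")


def modulus_bits(der):
    return parse_rsa_public_key(der)[0].bit_length()


def key_acceptable(der, minimum_bits=MINIMUM_BITS):
    """Policy check: True only if the modulus meets the floor."""
    return modulus_bits(der) >= minimum_bits


if __name__ == "__main__":
    # Stand-in moduli: the right size for the parser, not real keys.
    for bits in (512, 1024, 2048):
        der = encode_spki((1 << (bits - 1)) | 1, 65537)
        print(bits, "bits:", "ok" if key_acceptable(der) else "RETIRE")
```

For a real key, feed it the bytes of openssl rsa -pubout -outform DER (or openssl rsa -RSAPublicKey_out -outform DER); the parser rejects anything that is not an rsaEncryption key rather than guessing, and the floor is a single constant so it can be raised as the feasible attack size grows.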
I used a 'smartboard' when I was helping out with some extra IT teaching at a school (Birmingham, UK). They are really nice to use - you can do all sorts of things with them that would be impossible with pens-and-whiteboard.
They do take a bit of getting used to - if you think of them as (a) a big computer screen or (b) an electronic whiteboard, you don't get the full benefits from them. The big leap is to start using both aspects - running computer software and then drawing on it with the pens (when you pick up one of the special pens, the software knows which one you have and your scribbles are coloured appropriately)
A friend of mine is training to be a maths teacher and he is using smart boards on a day-to-day basis - apparently they are being brought in all over schools. He says they lend a new dimension to maths teaching - allowing software to bring concepts to life. One example he mentioned was transformations. He can get kids to draw shapes on the screen, guess how they would look when rotated, translated or scaled and then have the software animate the transformation to compare the result to their predictions.
Maybe the FUD came from somewhere else but passing on facts that you don't know to be true contributes to the FUD problem.
It doesn't take much effort to have a glance at the CERT advisories and verify the sequence of events surrounding Code Red.
The reason FUD spreads so easily at the moment is because people don't check facts before passing them on.
I agree with your last sentiment completely though - greed is the cause of most of the world's problems.
Ahh - my apologies. Being at the centre of the chronological world (GMT), I have an annoying tendency not to take timezones into account.
Even a google search couldn't help me.
Does the rest of the world know something that I should?