Did you read the article? They cut off Advanced Server after three years, and that costs at least $800 per server to license it. (They don't give binaries out for free for that, yes, I guess someone could sit there and compile every package manually from the source...)
Business doesn't like this type of instability. Trust me, this won't do good for Linux in the enterprise...
I have some redhat boxes hooked up to an EMC SAN. They only certify their drivers for certain releases, and it takes them about a year to certify. Currently, the latest RH certified is 7.2 for example.
Redhat 6.2 is currently supported. That's been out for quite a few years... But yeah, certainly no one is expecting 8 years, but just one year is way too short.
2600 would be all into finding out how to do it and telling the world about it, but not going ahead and actually doing it. I've never seen them advocate breaking into systems, just how it can be done. If you read the letters to the editor in the mag and their responses to people who want to do malicious cracking, you'll see they stomp em pretty hard for being stupid.
Besides that, the military might have an incompetent admin that exposes something stupid like that, but I for one wouldn't want to try my luck at exploiting it. I think you'd face better odds for survival as a black man spitting on an LAPD officer in a remote area away from public view.
Duuuuude, who'd think I would get some really useful info on slashdot without even asking for it!
Thanks. :-)
btw, I swear I look in the security bulletins to see if a patch supersedes an earlier one and I don't believe I saw that that java fix did. Musta missed it. Thanks!
Oh, and welcome to my friends list! :)
p.s. That command line for msjavawu is a sin against humanity. :-(
Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."
How about easier ways to apply hotfixes remotely to desktop computers? (There are ways apparently, but requires installing IIS and SQL ironically, to run something called SUS.) I'd prefer the hotfix to simply have an option like '-m\\machine' to apply to domain machines in a domain admin context so I can script the installs to my tastes and needs. No need to get overly complex. Besides, I'd rather not have an IIS server at my site if I can help it. Apache runs everything. Just another damn thing to learn for something that should be simple.
Also, the hotfixes themselves only have about 10 different ways of applying at the command line unattended. How about standardizing the hotfix installers too...
Example, this is what is run after an XP desktop install with SP1 at our location...
It doesn't include latest javavm fix, which for some reason won't install right during the guirunonce part of an install, so I have to script to reboot the machine TWICE before running...
start /wait msjavwu.exe /q /r:n
Think that's bad? Here's some pre sp1 hotfix command lines from an earlier script..
And the syntax to install unattended is never easy to find on their site. I usually have to use google to search microsoft.com to find what I need, their search engine really sucks. Others must feel the same way since there is a dedicated google page for this at http://www.google.com/microsoft
A post to bugtraq by George William Herbert notes that the floods caused by this worm are causing many Cisco routers to shut down, which helps contain the damage ironically enough. I've seen this happen at one of my work sites that is admined by someone else. The infected box, according to MRTG, was nailing its closest router at 100 megabits/sec for about an hour, then the router itself went down. Sweet...
"...the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
Looks like this post to bugtraq explains why that router at my college died from this:
"Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
I don't think so, those MS certifiable guys don't have access to the routers at my college, so they couldn't do that. I haven't been able to get hold of the personnel in charge of the routers (it IS the weekend and they don't pay people to be on standby here). One theory is that our upstream provider noticed the problem and did something. Packets going in from outside hit a routing loop at that point. The gated on my internal hosts at another location have turned off all routes to that other campus, indicating they got that route delete info from our campus's router, which chatters to the others.
At this point, I dunno, just glad it's nuked off the net for now. It was saturating our 10 megabit line to our provider for a while there...
I pity the poor saps who have hosts at colo facilities that charge for bandwidth. It's fitting if an unpatched victim pays extra, not the innocent victims who get to deal with all the useless traffic from this...
A server at one of our campuses (a college, campuses all over the state) got infected around 0900 UT and started hammering the hell out of our WAN and their local LAN, sending 10.4MB/sec through the router and then 1.2MB/sec out our internet line (bytes not bits). It stopped about an hour later. Turns out it flooded the router so hard it looks like that router has shut down. I can't ping a darn thing inside that campus now.... Fitting justice.
Re:It's lucky that the worm writer (on Cross-Site-TRACE, Score: 1)
I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...
I dread the day when someone writes a worm exploiting unpatched windows desktops. So far, code red and this one (code blue?! -- would be fitting) have infected only unpatched windows servers. Keeping desktops patched and up-to-date is far more difficult and if a worm hit them, there'd be an insane amount of infected boxes causing havoc on the net.
/. runs a story on main page about huge security hole in all web servers that will bring the net to its knees, but it really only affects IE clients. They don't run a story about what may end up the biggest net story of the year, ala code red, the MS SQL worm running wild on the net now and shutting down entire sites and playing havoc with the backbone.
/. posters work around the damage in the story and start posting comments en masse about the SQL attack -- the real story this day -- leaving people who lack reading comprehension to confuse the two issues, therefore causing a DDOS on their brain.
If you are talking about the UK (the only place I know of that calls it VAT), you are wrong
Sigh, thanks for the correction. I believe I heard that described in a seminar I went on how to tax internet sales about two or three years ago (and basis for my parent post about the clearing house). It was explained that way with respect to how the U.S. could do a federal goods tax. Leave it to the U.S. to take a simple tax idea and complicate the hell out of it. (ps, this was just some flunkies talking out their bums, I hope. I haven't ever read any serious consideration for a national VAT here...)
VAT is paid by everyone along the supply chain. Manufacturer buys raw materials, supplier pays VAT. Then when they resell the goods, they deduct the VAT that they paid for the raw materials, and pay VAT on the goods sold to the distributor. The distributor then deducts the VAT paid, adds their markup, and sells it to the retail place, the retail place pays the VAT for the retail price after deducting what they paid for the goods. At least that's what I know about it. So VAT is normally built into the selling price.
Sales tax, on the other hand, just happens when the end-consumer purchases the product. So the product on the shelf for 99 cents ends up costing like $1.07 when you checkout.
Sales taxes vary by state too. Like, Pennsylvania doesn't tax clothing, but some other places do. Delaware charges NO sales tax. Arizona charges a sales tax, but some cities tack on a percent or two so you have differing sales taxes just by driving around in one metro area like Phoenix.
It's a complicated mess, so the real problem is, how does a net business know what tax to charge each user. It's not just a simple case of doing a table lookup of 50 elements and multiplying the sale value by it. There are thousands of different rates, and just as many rules about certain products which are exempt. Then you have the hassle of knowing what locality to remit the revenue to. Whereas a physical store just has one sales tax rate to worry about and one place to submit their receipts.
The answer being floated about is to have online tax clearing houses for the states so when you make an e-commerce purchase, the site connects to the tax site, gets the amount to charge, then submits that value to the tax site. That site (a private company) would keep a portion, and remit the rest each month to all appropriate localities.
A complicated mess, and some companies have noticed the huge potential to score a percent or two off of every net sale, and are eager to provide the service. The states and localities will accept a lower rate after fees because it's better than nothing.
Meanwhile, ailing dot-com online companies will suffer even more. You already have to pay shipping (usually). If you tack on sales tax and the hassle of waiting for the goods to arrive, most people will just as soon run down the street to buy the stuff where it will end up cheaper.
And that is why bricks-and-mortar stores are all for this idea...
I said on my web page comments linked from parent that I agree that ditching 6.2 and 7.0 is certainly reasonable, especially since 7.0 is based on kernel 2.2.
They should maintain the current release and one major release before it, or at least the last point release of the last one. For example, support for 7.1 and 7.2 could roll off fast, but give 7.3 longer support. When 9.0 comes out, ditch the last 7.x support and move to supporting the last 8.x and 9.0 series.
The way it stands now, at the end of this year, the only thing supported will be 8.1 and whatever is after that...
They usually make big jumps between major release numbers which tends to break stuff, like kernel, or libraries, etc. It just takes some time to migrate everything up....
Hate to say this, but most users will do whatever you tell them to. You start off with a normal http page and then say something like "After you click, you'll be asked to accept a certificate, click yes to continue" and they will.
Hell, even Microsoft says that on their windows update site for the active X download it throws onto your computer during your first visit!
Someone should do a study on this, sounds like a great high school science fair project! I can see the display in the gym now, pasted on the cardboard display case "Are people idiots?" and have nice pie charts and tabular data from your research. It beats boiling something in a test tube to see how long it takes at different temperatures or testing the growth rates of different molds...
It's not that easy. Drivers for my EMC SAN aren't out for 8.0 yet. Doing this to dozens of servers takes time. Testing dozens of web sites to see if anything breaks between apache 1.3 to 2.0 takes time. I still have one server running 6.2 because of some crap software on it that won't run under lk 2.4 or the new glibc or whatever (but that does need to be attended to, I admit...). 6.2 is ancient now, but kill 7.3 and 8.0 at the end of the year???
Redhat recently changed their support policy. They now will only support releases for one year with errata. Are you nervous about switching to a .0 redhat release? Well now you have little choice.
Actually, you have a choice, you can switch to their advanced server line for at least $800 per server. They will support each rev of that product with errata for up to three years. As for desktops installs...
Imagine if Microsoft only supported an OS for one year from release...
The more threatened Microsoft feels, the better their software will become. If they lock everyone in, watch the innovation grind to a halt. With the subscription model for software, they now have even less need to improve the products (since the upgrade income is no longer an issue, it's now guaranteed).
Just look at IE. It's been almost two years since IE 6 came out, and that was just a minor upgrade over 5.0 and 5.5. When Netscape ruled the browser kingdom, IE was progressing at a rapid pace. Now if Mozilla, Safari, Opera, etc, make serious dents in market share, watch IE development take off again...
Can't change %appdata%, %appdata% is just an export of the value within the OS so shell scripts can use it. It's part of the roaming profile and is all configured at the initial point in the logon and before any other scripts run. Only way to change it is through a group policy and that has to be a UNC which makes mozilla barf.
It won't work the way you envision. While the profile can be moved anywhere, the registry.dat file must be located inside %appdata%\mozilla. If %appdata% itself is moved via a GPO to a network share, then mozilla can't find registry.dat. Mapping drives does not help because the redirect for %appdata% is applied before the logon script is run and before saved drive mappings are applied. You also can't put a drive letter in the appdata redirection in the GPO inside active directory.
Note, this redirection of appdata policy doesn't apply to non-active-directory sites unless they employ some hack to scribble the appdata redirection policy into the windows registry for each user.
I have no idea, none whatsoever, how to move the location of registry.dat outside of %appdata% short of changing the source. I've looked, and bitched on bugzilla, and no one has told me it's possible there either. If you know a way, I'll gladly submit to the Stark Fist of Removal!
apparently, as far as we could see, it would only happen on Win2k, on NTFS partitions. Win2k + FAT32 was ok. So, what we did was create a small D: partition as FAT32, and configured Windows to store the cached user profile on that partition.
Interesting, but unfortunately that would mean users could poke around each other's roaming profile since fat32 doesn't have object security. Since my joint is a college with a large roamer population, that'd be bad news.
Just use locked settings in the mozilla.cfg file.
Sweet. Great page too. I believe I'll incorporate a lot of this info into my stuff. I still like the repair feature of our vbscript; it also works on mail settings and pre-configures mail profiles with the user's correct information.
That works for the home directory, but not for redirecting %appdata% to a home directory, because windows applies the GPO for %appdata% before any drives are mapped, including the home directory.
GPO (Group Policy Objects) is an Active Directory thing. I don't believe Samba supports that (yet) so it's probably n/a in your case.
A lot of installations try to redirect everything they can out of the roaming profile because roaming profiles are the most evil and most horribly implemented thing that Microsoft has ever hoisted upon IT departments.
No one pays? My employer shells out a few grand a year for enterprise RHN...
Terrorism? Bill Gates better be detained indefinitely as an enemy combatant then. Finally, some good may come out of this terrorism paranoia!
(And after this comment, I expect the number of real life killers showing up on my doorstep to increase dramatically too... tehehehe)
I am not happy at all
Competition is a wonderful thing.