...his website is hosted on the same IP address as a spammer (textileshop.com) was on yesterday
I'd say this neatly demonstrates the problem with blacklists. I agree that the style is marred by the emotional state of the author, but then it's an essay on the guy's personal page.
If you want some analysis, start with a personal example of mine: an ISP in Israel my parents used to use would occasionally get blacklisted. Since I'm behind company-level spam filtering there was nothing I could do about it (no personal whitelists).
What went wrong? The problem is exactly that not all mail from a domain/IP address is spam, and yet MAPS/SBL only give you 1 bit of information: in the list or not in the list. This bit can be very useful as an ingredient of a Bayesian filter (certainly mail coming from that ISP is more likely to be spam than mail coming from whitehouse.gov). However, letting that bit dictate the classification of messages by itself is probably not a good approximation to the true correlation between the two events "mail was sent from domain in the SBL list" and "mail is spam".
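Added example (not part of the original comment): a small naive Bayes filter in which the blacklist hit is one feature weighed against the message tokens, next to a blacklist-only rule that rejects everything from a listed address. The training messages and the "listed" flags on them are constructed for illustration, not real mail; the legitimate message from a listed ISP is the case the comment describes.

```python
"""Blacklist bit as one feature of a naive Bayes filter (added example; the
training corpus and the "listed" flags below are constructed, not real mail)."""
import math
from collections import Counter

# Constructed corpus: (sender IP on the blacklist?, message text, label).
# The third line stands for legitimate mail from an ISP that is listed.
TRAINING = [
    (True,  "buy cheap pills now discount offer", "spam"),
    (True,  "cheap mortgage offer click now", "spam"),
    (True,  "hi mom landing tomorrow see you at dinner", "ham"),
    (False, "free pills offer click", "spam"),
    (False, "meeting notes attached see you tomorrow", "ham"),
    (False, "dinner at grandma tomorrow", "ham"),
    (False, "project report attached thanks", "ham"),
]


def blacklist_only(listed):
    """The one-bit policy: listed means rejected, nothing else is consulted."""
    return "spam" if listed else "ham"


def train(corpus):
    """Count documents, blacklist hits and tokens per class."""
    docs = Counter(label for _, _, label in corpus)
    listed = Counter(label for hit, _, label in corpus if hit)
    tokens = {"spam": Counter(), "ham": Counter()}
    for _, text, label in corpus:
        tokens[label].update(text.split())
    vocab = {w for counts in tokens.values() for w in counts}
    return {"docs": docs, "listed": listed, "tokens": tokens,
            "vocab": len(vocab), "n": sum(docs.values())}


def log_score(model, label, listed, text):
    """log P(label) + log P(listed | label) + sum of log P(token | label),
    all Laplace-smoothed so an unseen token or flag never zeroes a class."""
    docs = model["docs"][label]
    score = math.log(docs / model["n"])
    p_listed = (model["listed"][label] + 1) / (docs + 2)
    score += math.log(p_listed if listed else 1 - p_listed)
    counts = model["tokens"][label]
    total = sum(counts.values())
    for word in text.split():
        score += math.log((counts[word] + 1) / (total + model["vocab"]))
    return score


def classify(model, listed, text):
    """Compare the two class scores; the blacklist hit shifts the odds, but
    a message full of ham tokens can still outweigh it."""
    spam = log_score(model, "spam", listed, text)
    ham = log_score(model, "ham", listed, text)
    return "spam" if spam > ham else "ham"


MODEL = train(TRAINING)

if __name__ == "__main__":
    for listed, text in [(True, "see you at dinner tomorrow mom"),
                         (True, "cheap pills offer"),
                         (False, "free pills click now")]:
        print(listed, repr(text),
              "blacklist-only:", blacklist_only(listed),
              "bayes:", classify(MODEL, listed, text))
```

With this corpus the listed-but-legitimate message is classified ham by the combined filter and rejected by the blacklist-only rule, while a spam message from an unlisted address is caught by the filter and missed by the rule.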
Question of Compatibility vs. Reliability (on HTTP Request Smuggling; Score: 4, Insightful)
This exploit is interesting, and is related to a cultural issue: how do you handle malformed input?
There are two basic approaches to this: either you reject it (the sound, security-conscious way), or you attempt to make sense of it (the compatible way). The second solution allows your software to interface with badly-written external code, at the cost of interfacing with intentionally malformed requests like the exploit they describe.
The reason the exploit works is that different people have different methods for determining what the sender of the malformed packet really meant, and if two different interpretations are applied to the same packet you can use the resulting "confusion" to your advantage. Different recount results which depend on guessing "voter intent" from malformed ballots in Florida come to mind.
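Added example (not part of the original comment or the article it discusses): two toy HTTP/1.1 parsers fed the same byte stream, one trusting Content-Length and the other Transfer-Encoding: chunked, so the stream splits into different requests depending on who parses it; a strict mode takes the "reject it" route and refuses the ambiguous message instead. The request bytes, host name and paths are constructed for illustration.

```python
"""Two framings of one HTTP/1.1 byte stream (added example; the request
bytes, host and paths below are constructed for illustration)."""


def _read_head(stream, pos):
    """Parse one request line and its headers; return (line, headers, body_pos)."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode(), headers, end + 4


def _read_chunked(stream, pos):
    """Consume a chunked body up to and including the terminating empty line."""
    body = b""
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            while True:  # skip any trailer lines until the empty terminator
                eol = stream.index(b"\r\n", pos)
                line, pos = stream[pos:eol], eol + 2
                if not line:
                    return body, pos
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def parse_requests(stream, strategy, strict=False):
    """Split a stream into (request_line, body) pairs.

    strategy "cl" frames by Content-Length, "te" by Transfer-Encoding: chunked,
    when both headers are present; strict=True refuses such a message outright.
    """
    out, pos = [], 0
    while pos < len(stream):
        line, headers, pos = _read_head(stream, pos)
        has_cl = b"content-length" in headers
        has_te = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        if strict and has_cl and has_te:
            raise ValueError("ambiguous framing: Content-Length and Transfer-Encoding")
        if has_te and (strategy == "te" or not has_cl):
            body, pos = _read_chunked(stream, pos)
        elif has_cl:
            n = int(headers[b"content-length"].decode())
            body, pos = stream[pos:pos + n], pos + n
        else:
            body = b""
        out.append((line, body))
    return out


def is_ambiguous(stream):
    """True if a strict parser would reject the stream."""
    try:
        parse_requests(stream, "cl", strict=True)
    except ValueError:
        return True
    return False


# Constructed attack: the chunked body ends immediately, leaving a partial
# request that the Content-Length view treats as ordinary body bytes.
SMUGGLED = b"GET /admin HTTP/1.1\r\nFoo: "
ATTACK = (b"POST / HTTP/1.1\r\nHost: example\r\n"
          + b"Content-Length: " + str(5 + len(SMUGGLED)).encode() + b"\r\n"
          + b"Transfer-Encoding: chunked\r\n\r\n"
          + b"0\r\n\r\n" + SMUGGLED)
VICTIM = b"GET /home HTTP/1.1\r\nHost: example\r\n\r\n"  # the next user's request
STREAM = ATTACK + VICTIM

if __name__ == "__main__":
    for strategy in ("cl", "te"):
        print(strategy, [line for line, _ in parse_requests(STREAM, strategy)])
    print("strict parser rejects it:", is_ambiguous(STREAM))
```

The Content-Length parser sees POST / followed by GET /home; the chunked parser sees POST / with an empty body followed by GET /admin, with the victim's own request line swallowed into a Foo header. Neither parser is buggy on its own; the disagreement is the exploit.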
Here Bush goes breaking international laws again...
This is not to say I support Mr. Bush, but as parent clearly indicates in the rest of his post, the 1967 treaty concerns WMD -- not all weapons. Quoth TFA: "no treaty or law bans Washington from putting weapons in space, barring weapons of mass destruction."
Moreover, the Pentagon isn't stupid. Using (or threatening to use) nuclear weapons is not a central aspect of US security at the moment. The main threats come either from dictatorships (think N. Korea) or terrorism. Neither kind of enemy can be deterred with nuclear weapons. They are probably trying to revive SDI (i.e. place energy/kinetic antimissile weapons in space), but they may have plans for space-to-ground weapons that are not WMD.
"Of course, the thing might be struck down as unconstitutional depending on the breadth of definitions it starts with and the zeal of the ever-loathed ACLU in promoting the letter of the First Amendment to the detriment of the spirit of it."
Actually, there's a good argument why this may be unconstitutional: this is regulation of conduct that is happening (at least in part) outside the State of Washington. There's a reason that wire-fraud laws are federal, and this shouldn't be any different -- I'd expect this law to only reach malware vendors with Washington presence.
Couldn't agree more. The Linux market offers little opportunities for complete domination. Moreover, could you really imagine Microsoft distributing software governed by the GPL after all the "viral code" FUD?
On the news in England: a man afflicted with a degenerative brain condition has won a court ruling last year that will force doctors to give him water and food even if he cannot ask for it, possibly a reaction to the then-ongoing Schiavo case in the US. Doctors are protesting that this "fundamentally altered the nature of doctor / patient relationships and was not in the best interests of the patient."
I have not read the ruling, but I think it should be self-evident that if this guy wants to be sustained even when he can't ask for it, this should be done.
Doctors claim the ruling means they "would have to provide treatment which they knew would be of no benefit or could even be harmful", which is why I am making the post here. Indeed patients should not be able to force any particular doctor to give them treatment that, in his judgement, is medically unnecessary. Of course, they should be free to find a doctor who agrees with their choice of treatment. Of course, this can be bad for them, as the heading story points out, but it is their problem.
That said, I fail to see how giving someone food and water can be "harmful". It may be "of no benefit" only to the extent that the person's life is of no benefit, which is not for the doctor to judge, especially when the patient has spoken on the matter.
Almost the whole point of the GPL is that you can do exactly this: you should be able to change the behavior of GPL'ed software components and replace the existing versions of it.
But they are giving you exactly this ability; they are simply advising you against doing it in practice, because they won't offer you any support if you muck things up. The GPL says you have a right to hack this code, not that you have a right for technical support while doing that.
I suspect future versions of the GPL are going to try to limit these kinds of abuses: if you distribute systems containing GPL-derived binaries, you must ensure that people can reasonably replace your GPL'ed software components with components they recompiled.
Most likely, there is no abuse here -- you can replace components of the Linux installation in any way you want. They are simply not guaranteeing that this will still work with their proprietary DVR code. Note that since GPL'd code comes with no warranty, I'm not sure what you mean by abusing warranties related to it. Certainly they cannot warrant that their proprietary code will work with whatever modified kernel you choose to put in there!
There may be a GPL violation here, actually. They say:
You cannot create a working DISH 921 DVR software build without the additional proprietary code.
There are two ways to interpret this statement; I think they are honest and mean the first, but someone (not me) might want to verify that:
1. The OS for the device derives from GNU/Linux/etc and is covered by the GPL; they run their written-from-scratch DVR software on top. The code they released will compile and run, but will not give you a DVR by itself.
2. In order to get the OS to run on the hardware, or perhaps even to compile it, you need to add in the proprietary elements they are not releasing. This would violate the terms set in the last two paragraphs of Clause 3 of the GPL.
I am still baffled at how and why SPAM still works?!?! Everyone I know complains about spam, even the most non-technical people... Yet, apparently, some of them still go and buy stuff...
Since sending spam is so cheap, spamming can be profitable even if a tiny percentage of recipients responds. People have been falling for quack doctors for centuries, and modernization hasn't made us any smarter. As long as the recipients keep paying for getting the spam, it will be around. This leads me to believe that filtering, while it makes many of us happier, will not solve the problem. A sender-pays system is much better. Think what life would be like if credit-card companies could make the USPS and you bear the costs of shipping their offers?
I'd be very curious to see some figures on how much money was spent on spam-started purchases last year....
That would be good to know:-) even an estimate of the percentage of people who respond might be sociologically interesting.
My question is "what's their interest?" ... Are we approaching a tipping point in the perception of FOSS?
First and foremost, they get access to free software! (it wouldn't exist without this pro-bono work). Kudos to them!
\begin{rant}
Regarding your other point, I think we are reaching a tipping point in the software industry, actually. Over the last 4-5 years, this industry has been overrun by litigation to the extent that it can get very dangerous to write a major piece of code without a lawyer on your side. Gone are the days when the main problem with your software succeeding was convincing people your software was better than the competition. Your main problem now is warding off legal threats from the competition. And Prof. Moeglen is seeing that the F/OSS community can survive in this new marketplace.
\end{rant}
Actually, the way to "rescind" an established law is to make a new law stating that the old one "is hereby repealed" (Acts of Congress are rife with this expression -- searching on THOMAS gave 50 hits from the current session alone). A simple majority suffices to enact the new law, just like it did the original one.
Even without super-majority requirements, enacting laws is still a non-trivial task. Formally Congress is always free to repeal old laws, of course. However, in practice a law with a sunset provision is much more limited than one without. The point is that they must debate the usefulness of the law come the sunset point if they want to keep it in the books.
... the normal process you expect in open source: You start with someone else's code, hack on it until you really understand what you wanted to do with it, and in that process replace all the original code to make your own product.
Indeed. Perhaps the author can point us to the original "pre-hack" code for Emacs, LaTeX or LyX?
I'm not trying to be snide, but your quote can be re-written as:
In other words, Microsoft Inc. spent money and did research to determine what features were needed (in MS Office). Now OpenOffice will simply implement those features.
You captured my point exactly. All I was trying to say was that everyone using the best ideas of everyone else leads to a smaller return on the investment of writing the software. In return, we the end-users will (almost always) get better software. But this is a trade-off that does not always lead to optimal results.
I stick to Unix machines (mostly GNU/Linux), and use programs such as TeX, LaTeX and LyX, all of which are original free software, as well as programs like GNU vi & ls, free software written to duplicate the functionality of previously existing programs. Whenever available, I prefer free software, and will sometimes assist in its development. However, I know that this preference of mine means that some software will not be available on my platform of choice. Software makers will not release a Linux version of their program since this is more likely to generate a community effort to write a "free replacement".
No market system is perfect. We have to live with the inefficiencies of ours.
Fortunately, not everyone in Linux development considered a non-free program acceptable, and there was continuing pressure for a free alternative. Finally Andrew Tridgell developed an interoperating free program, so Linux developers would no longer need to use a non-free program.
In other words, BitMover Inc. spent money and did research to determine what features were needed. Now Andrew Tridgell will simply implement those features.
Now, equivalent free software is better than non-free software (you get the source code, and many more rights), but we have to accept that this kind of incident reduces the motivation of software firms to write software in the GNU niche of the market (unless they can figure out a way to make money which does not involve selling the software; see SuSE or Red Hat). If I discovered that people running GNU/Linux needed some kind of software, and tried to write it and make money by selling the software itself, RMS (or someone else) would instantly sponsor a "free software alternative". Thus I'd have two options: make the software free from the start (donating the programming effort with no gain) or not write it at all.
In the GNU world, both alternatives are good. The ecology of this market drifts towards all-free software, the holy grail of the FSF. For myself, since this kind of ecology does not always guarantee the software I want being available, I'd love to buy proprietary software when the alternative is no software at all.
"Finding out whether a file is infected by a virus is a case of looking at the file and seeing if that virus signature is present in the file. This is likely to be done by a program as it's easier. These chunks of virus code will live in different places dependent on the type of file being affected. This is all obvious. Surely this patent isn't worth a damn as it can be challenged as such."
Not quite. They are not patenting the idea of the anti-virus. They are patenting the idea of an anti-virus written in an interpreted language. From the patent: "The [interpreter] provides a Turing-equivalent programmable system which has all of the power of a program written in a more familiar language..."
However, that is perfectly obvious too. I'd even go further to say there is no "invention" in this patent at all.
Very good article. However, one of the author's ideas for improving security doesn't actually hold water. The problem is to verify the identity of people being assigned dynamic IP addresses on a wireless network. He proposes
"... to force accountability,... by recording MAC addresses (which are unique and hard-coded to a physical piece of hardware)"
Actually, most network cards allow you to set the MAC address by software if the factory one isn't good for you. For example, this is needed for drop-in replacement functionality.
By the way, instructions on how to change your MAC address on various operating systems may be found in Wikipedia.
"But this situation is not covered by a contract, it's covered by a license"
If I understand things correctly, this is a contract question. You see, the software as installed on your computer will not cease to function. It will continue working fine. What will change is software on Intuit's servers that offers additional features ("Online Services"). You'll have a hard time claiming Intuit promised to make these additional features backwards-compatible in perpetuity. There's another rub to this:
They never promised to keep providing updates to the software you bought in 2000, say, to reflect changes made to the tax law in 2005. Your software will keep working as it did in 2000, and if you want the new version you have to pay for it. It's the same with anti-virus software.
However, they do seem to have promised updates for a limited time. If you read their sunset policy, before buying the software you will know exactly how many years of updates you are paying for and can decide whether it's worth the money.
Parent makes a good point.
Absolute security is impossible. Not even NASA of the 60s and 70s has been able to write large pieces of bug-free software, and they had one of the best QA systems ever. Moreover, the costs were incredible (you wouldn't really want to pay for the development costs of bug-free Windows, would you?). However, the kind of absolute reliability NASA was aiming for is only relevant for software that will be used for a limited time, in a controlled environment. For modern-day web browsers that are supposed to be in continuous use (and when you can't delay the mission to rewrite the code), the important question is how long vulnerabilities last -- not just how many there are. Now this is based on anecdotal evidence, but I strongly believe that Mozilla/Firefox has a better record of quick bug-fixes than Microsoft/Internet Explorer.
This is really happening:
Shaul Mofaz, Israel's Defense Minister, visited the US in 2002, shortly after 9/11. The border officials in JFK airport in NYC didn't let him in, because he was born in Iran in 1948. It took high-level diplomatic intervention to allow him to continue instead of being turned back to Israel. Apparently being a former Chief of Staff of the IDF (Israeli Army) doesn't mean you might not be an Iranian terrorist.
In March 2003, the Israeli singer Rita had to cancel a tour of the US. She applied for her visa too late, given the 3-month-long FBI security check required for Iranian-born visitors.
Indeed, MSR and Google Labs are starting a great rivalry. It will be fun to sit back and enjoy the results! (or at least eat some popcorn).
As far as I recall, BRM was selling anti-virus software around '85, and Symantec entered that market soon thereafter.
"... big banks ... [are] not in the software business. They want a vendor to ... fix an application when it stops working."
Now I think there are three kinds of software a bank uses, and they should be treated differently:
- Desktop office/business software (Word processing)
- Large Business Software (HR, Customer service)
- Line-of-business software (managing ATMs)
We are only considering the first here. Here, nearly everyone uses off-the-shelf software. Does your bank have a vendor who maintains/modifies MS-Word, who provides bugfixes when it breaks? I'd love to hear who they are!

Items 2 and 3 are different. They are heavily customized (or written from scratch) and you need a software vendor. But in these cases the direct cost of the OS is a minor component. Now the choice of OS affects the stability of the system, but that's a different question.
I wrote: there are two possibilities:
I guess this exemplifies the old ditty about the mathematician who couldn't count ...