Not to burst your bubble or anything, but I'm willing to bet the time differential between when the Copyright owner of the code knows about the problem, and when the patch is released, is much larger with Microsoft than with Open Source. There are several well documented cases where Microsoft sat on their hands rather than fix a known bug, so people finally started going public with them. That's when Microsoft started fixing them. They now attempt to have people keep quiet about them until after they release a patch. That's a whole different thing than when the holes are announced to the public.
On the last OpenBSD issue, I think the total time between the issue being told to the guys at OpenSSH, and the fix coming out, was measured in a single digit number of hours. I can be reasonably sure that doesn't happen at Microsoft.
Finally, in my experience, on a RedHat Linux machine, there is almost nothing I've upgraded in the last 3 years that was a security fix. Never, not a single one, in applying every update that RedHat has put out for 3 years for 6.2, 7.0, 7.1, 7.2, 7.3, 8.0, 9.0. I can't recall the number of people I knew who didn't apply Security Packs for NT 4.0 because they fundamentally broke other critical pieces of software (anything past NT 4.0 SP1 broke the version of Netscape Server a former employer used, so they never did upgrade any of the fixes past SP1 for the longest time). That's because security fixes only fix the security problem. A lot of MS patches fix a dozen security problems, and then add a lot of functionality. That's really nice to make the compact and all. I wasn't ever a big user of individual hot fixes, which might have gotten me to work around this issue.
Now upgrading to get new functionality has screwed up a couple of machines. However, assuming you can reboot the machine, there is almost nothing that has given me problems when upgrading a RedHat machine. I know that I had trouble with a couple of PAM modules not getting reset, but that was because I wasn't trying hard enough to restart the services (they held onto the shared libraries that were insecure, and I didn't restart them all). It's not that they didn't work, they just were not secure until I rebooted the machine.
Most of the truly horrific dependencies I've heard of out of UNIX upgrades come from SUN; most of those, it's my understanding, are essentially upgraded in place, while running. That's not something a sane person tries to do. However, SUN hardware and software is special. They do a pretty good job, but the dependencies are tricky (even more so when there are patches that, once installed, can never be uninstalled).
The vulnerability going public, and the worms that exploit them months after the patches, are a reflection of the users and admins of the machines, not of the software writers themselves. You can find numskulls who run RedHat or Windows with ease. My guess is that as a percentage more numskulls run Windows than RedHat, but I think that's because Windows users/admins are a significantly larger group. Running RedHat isn't done by the average home user. If RedHat shipped by default on as many machines, that statement would flip flop, and RedHat would have a higher percentage of clueless users.
Yeah, and Tripwire will tell me every time you twiddle my bits, but you might also have an exploit that doesn't allow you root access, at which point you can twiddle my bits, but not bits in /usr/bin. I've never actually forced my users to have their .bash_profiles in my tripwire db before; that's a little anal even for me. It won't tell me that you have nefariously changed my environment unless I track down every file that gets sourced during the login process (I could by keeping track of the appropriate files in /etc/ and ~/.bash_*, but it'd be a real pain unless I had a backup from the last tripwire run to compare the changes).
I'm not surprised they don't need to override malloc, but you can override a lot of stuff besides just malloc (I'm not familiar enough with GPG; I just know that in C++ code, the only guy who should get to override the new allocator is the guy who wrote int main(). I've had to skip using a lot of great libraries because they felt that the best way to do something was overriding the default allocator, which is why I picked malloc as my example). Hence, signal handlers, the implementation of coring (I'd really like to get my cores while debugging a problem, thanks). I've found/diagnosed a number of bugs from the cores of Mozilla via gdb and reported them; I'd be plenty pissed if it had a copy of my private GPG key when I shipped it off to the public bugzilla database. I don't use their mailer anymore, but I previously used it with the GPG plugin. It's not terribly hard to ensure that you clear the memory buffer, or write it directly to the tty to ensure your key isn't there (read it one char at a time in raw mode, only displaying the stars, never actually having a buffer with the entire string in it). I'm mildly less paranoid about that, assuming the backtrace doesn't show me being in the password reading routine in the stack trace.
I suppose I should keep track of my environment, otherwise they can use my attack on your installation to create your attack (i.e., fiddle with my environment to the point that exec("/usr/bin/gpg", ...) gets remapped to exec("/tmp/.hacker_files/gpg", ...) via an LD_PRELOAD); that still requires a lot of access (ability to create new files, and modify existing files as a local user). At that point, neither way is more secure than the other from the perspective I've been attacking it. However, I still feel more secure about getting my cores and knowing that I can safely send them off to Mozilla.org and they don't have my key in them when I push them out to a public mailing list. I trust them to keep my password reasonably safe. Either via never keeping the entire password in memory (the best idea, but also the least flexible), or clearing it immediately after checking it (common practice). Then I only have to worry about cores during the actual password reading process.
No, it can't enforce the environment variables. Using, say, LD_PRELOAD would mean that I could load my GPG.so from /tmp/hackersTools/GPG.so, or by altering LD_LIBRARY_PATH. Can't stop that if you are not the person doing the compiling and linking.
There are things in UNIX that if you do them in a library, no one will use your library. Setting signal handlers, setting your umask, setting up third party libraries, overriding malloc, fooling with the environment, having limitations on how the thing is linked and compiled, a handful of other things; essentially, tweaking any settings that are process wide is something libGPG.so can't do. I'm betting some of them they want to do in the name of security. I'm reasonably sure that GPG has to do some of them as a measure of security (writing handlers to ensure that close down is clean), and a library that does those is useless. Flat out, I'd refuse to use it if it was doing any of those, and I'll bet it does (now I'm going to have to strace the damn thing). It's a library that restricts what I can do, and I wouldn't use it. I'd much rather fork and exec to deal with it.
I've never compiled GPG from source, so I'm not sure if they do anything special in their build process. It's very easy to know you are running the right GPG: it's the one you get either from the hardcoded path in the config, or it's the one that is in your path. Ensuring it's the real "GPG" is pretty easy. Ensuring that everyone who uses libGPG.so is using the right one is tricky, because you never know what sneaky things someone did to get you to load a different library (it doesn't have to be named libGPG.so, the soname just has to be correct). Now if you modified ld.so to only load libraries signed with a private key, now you're talking (of course that is easy to subvert if you can overwrite ld.so, but at that point, you are screwed anyways).
How you get your password to your GPG is tricky. You are right, they could capture it there. It might be a bit trickier to do that way securely.
Yeah, and it's so trivial to upgrade those statically linked binaries every time there is a security problem. Shared libraries are very tricky to do absolutely securely. I'd much prefer running the GPG binary directly as a matter of security. Then as long as it is sane in what it statically links in, and what it dynamically links in, and is pretty anal about what environmental hacks it enables/disables (think LD_PRELOAD, or linking with -rpath/-r), or refuses to load.
Besides, forcing you to lock in memory, and doing other various tricky bits, might be difficult to accomplish in multi-threaded/multi-process. Just the concept of having to hook the cleanup into my cleanup doesn't make me feel warm and fuzzy in the case where a signal gets sent. Making it threadsafe, and removing the races. Doing fun stuff like changing your default umask for when it wants to save a key to your key ring. All kinds of nasties get done. It has special requirements; leave it as an external problem. fork() and exec() are good for you. It keeps you at arm's length. Besides, a buffer overrun, or another flaw in your program, could then enable the attacker to read your private key because it's decoded in your memory space now, not in the separate GPG space. That's not a huge win, but it's a win.
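An added example, mine rather than anything from the thread, of the fork-and-exec approach argued for in the posts above: scrub the loader variables (LD_PRELOAD, LD_LIBRARY_PATH and friends) out of the environment, sanity-check the gpg binary, then exec it by absolute path so the key material stays in its own address space. The path /usr/bin/gpg and the ownership/permission rules are my assumptions, not the thread's.

```python
"""Added example: fork/exec gpg with a scrubbed environment and a sanity check on the binary."""
import os
import stat
import subprocess

# Assumed location of the real binary; hardcoded rather than searched for in PATH.
GPG_PATH = "/usr/bin/gpg"

# Dynamic-loader variables: a local user who can set these can redirect which shared
# objects a child process loads without touching anything under /usr/bin.
LOADER_PREFIXES = ("LD_", "DYLD_")


def scrubbed_env(env=None):
    """Return a copy of env with loader variables removed and PATH pinned.

    Dropping LD_PRELOAD, LD_LIBRARY_PATH (and anything else LD_*) means the child
    gpg links against the system libraries, not ones planted under /tmp.
    """
    source = os.environ if env is None else env
    clean = {k: v for k, v in source.items() if not k.startswith(LOADER_PREFIXES)}
    clean["PATH"] = "/usr/bin:/bin"  # fixed, so anything gpg itself spawns is found there
    return clean


def binary_problems(path):
    """List reasons not to trust the executable at path; an empty list means it passed.

    Assumed policy: regular file, owned by root, not writable by group or others,
    and not sitting in a world-writable directory.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH:
        problems.append("directory world writable")
    return problems


def run_gpg(args, stdin_bytes=None, env=None, gpg_path=GPG_PATH):
    """Fork and exec gpg by absolute path, in its own process, with a clean environment.

    Raises RuntimeError if the binary fails binary_problems(); otherwise returns the
    subprocess.CompletedProcess so the caller can inspect stdout/stderr/returncode.
    """
    problems = binary_problems(gpg_path)
    if problems:
        raise RuntimeError("refusing to exec %s: %s" % (gpg_path, ", ".join(problems)))
    return subprocess.run(
        [gpg_path, "--batch", *args],
        input=stdin_bytes,
        env=scrubbed_env(env),
        capture_output=True,
        check=False,
    )


if __name__ == "__main__":
    print(scrubbed_env({"LD_PRELOAD": "/tmp/evil.so", "HOME": "/home/me"}))
    print(binary_problems(GPG_PATH))
```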
Uhhh, hate to point out the obvious, but I'm going to anyways....
Would that be after you formatted the drive with NTFS, or FAT32?
Would that be with ext2 or ext3?
When formatted with ext2 or ext3, what's the block size? How many inodes? How many duplicate super blocks? In the case of ext3, how large is the journal?
How many files will be stored on it? What will the average file size be? In the case of reiserfs, do you use tail packing?
How did you partition the drive? Which style of partitioning did you use?
Is it part of a RAID array? Is it part of an LVM volume group?
There are a lot of factors that affect the size of the available space on a hard drive. The only thing they can control is the size of the raw filesystem.
No, I wouldn't download the binaries from some third party who compiled them. No, I wouldn't run them. No, I wouldn't download them. However, if they claimed that the RPM was from the original party, and they had the MD5SUMs, or it had the signature from someone I trust. Say by using:
rpm --import "/path/to/ascii/armored/PGP/key"
I'm not sure how long --import has been around. I believe it's relatively new. Prior to that the key had to be in your PGP keyring.
Then do this:
rpm --checksig "/path/to/untrusted/rpm"
That will tell you if the files match the MD5SUM, and if it is signed by someone you trust.
Now, you are either not reading what I'm saying, or you are not understanding it. You are dogmatically saying there is no such thing as a trusted MD5SUM. Okay, I'll repeat that back to you, so you can be sure I understand it:
It is a fact that an MD5SUM only says that the file has not been tampered with since whoever put the file and MD5SUM file there. It does *NOT* authenticate who put the MD5SUM there, or the original file.
See that? It is a list of MD5SUMs. It has something called a PGP signature. First, I have to check the authenticity of that file by using PGP or GPG. You can get the public key either by requesting it from the pgp.mit.edu server, by downloading it from RedHat and checking the fingerprint of it off the website, which is SSL encrypted, or finally, you can look for it in /usr/share/rhn/RPM-GPG-KEY. If you have older media from RedHat that you trust, it is also in the root directory of every CD they have made since at least 7.0. Then I can download the ISO image from any server on the planet, including the one run by some crazy hacker with elite skills. I can run MD5SUM, and verify that the ISO image is the one that RedHat verified.
I can download the patch from anywhere I want, as long as I have a signed MD5SUM file. I can verify its authenticity. I can be absolutely sure, no matter where I download it from, that it is with very high certainty the file that RedHat released.
I haven't actually looked at the original OpenSSH patch, so there might not be an MD5SUM I trust out there. However, lots of places include signatures; for example, see this:
It is a signature of the tarball for the 2.6.0-test1 kernel. I can download the tarball from absolutely anywhere, and be sure I have the right one by checking the signature. Most people don't sign tarballs, because it is computationally expensive, so instead they sign MD5SUMs, which is relatively cheap, computationally speaking.
Okay, fine, I'll go hunt down the original MD5SUM from the OpenSSH site. Oops, turns out it is at the OpenBSD site.
There is a URL for the MD5SUM. Given where it is, and the nature of the fix, I'd probably trust that the MD5SUM is authentic (I can read the fix and see what it is doing, given the public explanation of the exploit). I don't have to get the MD5SUM and the actual data from the same location. In the case of a kernel download, or especially a RedHat download, I only get the MD5SUM from RedHat (it's only a couple of K at most); I get the actual ISOs from someplace else that is faster.
I'm beginning to suspect you are either very dense, or you are just trolling me now. It's been fun; I'll explain it in excruciating detail to you if you really need me to. Hopefully this is enough detail for you to see that you can download the bits for the patch from anywhere; you only have to get the MD5SUM file from a place you trust to be authentic, or have it signed in such a way that you trust its authenticity.
Uhhh, check the MD5SUM off the original site (downloading the MD5SUM off the original site is less load off the mirror, if they have it)? Off the BugTraq list? Off any number of sites. You check that the signature of the MD5SUM is from someone you *TRUST*, like the original author, like a security expert on a mailing list, like your distributor. Maybe possibly that's who you would check the signature from? If you go to the trouble of mirroring the original patch, you should grab the *signed* copy of the MD5SUM from the original author (lots of authors sign their MD5SUMs; the tarballs and patches all have a signature file on kernel.org, for instance). That's how I check all of my ISOs I download, even when it is from the original site. RedHat publicly lists them; I just grab the MD5SUM list from them, and I check the signature of the MD5SUM file.
You should do that no matter who you download it from, even from the original site; not that long ago the OpenBSD sites, and the GNU sites, were compromised. So just assuming they had good source wasn't safe. Then at least you know that whoever wrote the patch also has the private key of whoever signed it (which hopefully is the person whom you trust). If you are a good little author, you sign with a private key on a machine that you sneakernet the source code to, sign there, then sneakernet it back to the public network (or you just drag the MD5SUM there, instead of the original source). At no point would you ever put the private key on a machine that has ever been connected to the internet (then you just have to physically secure the machine). It's much, much safer that way. Then nobody can get your key except by cryptanalysis, which needs the force of a major gov't behind it to break 4096 PGP encryption, last time I checked.
Uhhh, MD5SUMs posted in a public place, and checking the signature on the MD5SUM file, or I can check the signature of the downloaded file. If you are paranoid, those are the things I'd start with.
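An added example of the procedure described in the rpm --checksig post and the MD5SUM posts above (my code, not from the thread or any of the projects named): parse a clearsigned MD5SUM list, let gpg vouch for the list, then check the files fetched from whatever mirror against it. The file names, the keyring handling and the tampered mirror in demo() are constructed for illustration.

```python
"""Added example: verify downloads against a signed MD5SUM list from a trusted source."""
import hashlib
import os
import subprocess
import tempfile

HEX = set("0123456789abcdef")


def parse_md5sum_list(text):
    """Parse md5sum(1)-style lines ('<32 hex>  <name>') into {name: digest}.

    Lines not in that shape (clearsign headers, PGP signature armour, blank lines)
    are skipped, so a clearsigned MD5SUM file can be fed in whole.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 32 or not set(digest) <= HEX:
            continue
        expected[name.lstrip("*")] = digest  # '*' marks binary-mode entries
    return expected


def md5_of_file(path):
    """Stream the file through md5 so large ISOs do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def signature_is_good(signed_list_path, keyring=None):
    """Ask gpg whether the signature on the MD5SUM list verifies.

    This step supplies the trust: the list may come from anywhere as long as it is
    signed by a key you already hold (e.g. one imported from distribution media).
    Assumes gpg is installed; the offline demo below does not call it.
    """
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd.append(signed_list_path)
    return subprocess.run(cmd, capture_output=True).returncode == 0


def check_downloads(expected, directory):
    """Compare each listed file in directory with its digest: {name: 'ok'|'MISMATCH'|'missing'}."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: the signed list names two files; the mirror altered one."""
    with tempfile.TemporaryDirectory() as mirror:
        released = {
            "openssh-fix.patch": b"--- constructed patch body ---\n",
            "linux-2.6.0-test1.tar": b"constructed tarball bytes\n",
        }
        # The list the trusted party published: digests of the genuine bytes.
        lines = ["%s  %s" % (hashlib.md5(data).hexdigest(), name)
                 for name, data in released.items()]
        signed_list = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
                       + "\n".join(lines)
                       + "\n-----BEGIN PGP SIGNATURE-----\n(armour omitted)\n"
                       "-----END PGP SIGNATURE-----\n")
        # What the mirror actually serves: the tarball has been tampered with.
        for name, data in released.items():
            with open(os.path.join(mirror, name), "wb") as f:
                f.write(data)
        with open(os.path.join(mirror, "linux-2.6.0-test1.tar"), "ab") as f:
            f.write(b"+ extra bytes inserted on the mirror\n")
        return check_downloads(parse_md5sum_list(signed_list), mirror)


if __name__ == "__main__":
    print(demo())  # {'openssh-fix.patch': 'ok', 'linux-2.6.0-test1.tar': 'MISMATCH'}
```

In real use, signature_is_good() runs first and the list is only parsed if gpg accepts it; sha256sum lists use the same line format, so only the digest length check changes.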
Hmmm, that's debatable. I think that paper books will stay around, and I think that print on demand will revolutionize the book business. That's just me however. It solves a lot of inventory and sales prediction problems which should increase profits greatly. I think that might solve a lot of the "middle man" problem in the book business. The author of the book hires an editor and somebody to electronically typeset the book. They then request Amazon, B&N to list it, and possibly online themselves on a contingency basis. It costs Amazon virtually $0 to have the book, and they don't have to worry about printings or availability. You can print your copy on demand at the local store, or Amazon can print it for you at their closest warehouse and ship it to you. It'd be pretty cool.
I think there are too many people who like the utility of paper bound books. It'll take a long, long time to get an application tuned to the point that it is easy to use, and as useful to me as a paper bound book. The only things that I find enticing are backup copies, being able to lug my entire book collection with me, and the ability to electronically search every book I have for a set of keywords. Even then, whenever I buy an electronic copy of a book, I always end up buying the paper copy anyways.
Put your money where your mouth is.... If the economics are there, then do it. Economics is like evolution, it works really, really hard at killing off the weak and inefficient. If you are correct, the economics of publishing are inefficient, and turning it on its head will do a favor for the world. My guess is that, once the playing field is leveled in music, and in publishing, the number of people who make a living wage relative to the number of people who get wildly rich will be in line with janitors, teachers, car mechanics, programmers, grocery store workers, real estate agents. Yes, some of them will make it big. Some of them will make a decent living. Some of them will barely scrape by. It'll be the end of the multimillion dollar advances to Hillary Clinton, Stephen King, and Anne Rice. It'll just be a hum-drum job. Which isn't such a bad deal.
Remember, it was authors who signed up for the deal, so they signed up to get screwed. If they could get a better deal any way, they would have. Publishing is currently as efficient as anybody has managed to make it. Music might be a cartel, but publishing I'm betting isn't.
Try being an author then... Seems like you picked the wrong line of work if you wanted recurring revenue for the hours you work. Actually, if you were clever, you could sell the same 8 hours over, and over again. If you, say, worked on something and sold the results of your work.
If you did a lot of research into, let's say, software engineering, and sold the results of that research, you could sell that lots of times. You only did the research once. However, you could sell them repeatedly. My sister does consulting as a Web consultant. She worked really hard to write a content engine. She fills the engine, and then bills people at 75% of the rate a custom built site would cost. 10% of the work, 75% of the money.... You probably think that's unfair too. It's entirely possible however that she would have never made a dime off the engine.
It's how the economics of Card's job is structured. Tell you what, why don't you start a publishing company, then tell the authors they have to show up to your cubicle farm for 8 hours a day and write their books there. You pay them an hourly wage, so they get paid once and only once. Then you come back in a couple of years and tell me how it turns out (I'll bet nobody wants to work for you, or at least no author worth publishing; if they do, they'll quit immediately after earning a reputation).
The economics of being an author is very different than the economics of working as a programmer, or as a janitor, or whatever it is you do for an hourly rate. Shocking, shocking I tell you. It's entirely possible Card could work for a year on a book, and never see a dime (okay, maybe that's only true for a new author). Being an author is very risky. Your hourly job is less risky. You show up, you do whatever it is you do, and you get paid. Next you'll be telling me it's not fair that somebody makes more money than you do, because you work just as hard as they do. You earn what you negotiate to earn. You don't like your deal, re-negotiate.
Actually, several of my close friends do or have done drugs in the past... I'm not being a bigot, honest. Several of them are wonderful people, who just pass the time while high. Some of them went and broke into cars and did stupid stuff while drunk or high. I don't associate with them any more. They are bad people.
What I was saying was the opposite of racism. I have no problems with white people who are law abiding, responsible citizens. I have no problems with black people who are law abiding, responsible citizens. I have no problems with men, women, or neo-nazis who are law abiding and responsible citizens (I have no problems with anybody of any profile, assuming they are law abiding and responsible). I'm specifically judging those people by their actions and how they affect me. I'm not one of those people who says, well, he's a pot head, therefore he'll eventually be a crackhead, therefore he'll corrupt our youth, and start committing crimes to pay for his habit. Therefore, we should throw their ass in jail. As nearly as I can tell, that's what we are doing to pot heads now. Of all the pot heads I've ever met, most of them are very nice, calm, polite people. They generally don't cause any problems while high to society as a whole. Why are we protecting ourselves from them again?
I think the laws are stereotypical, and the justification for them isn't just, or fair.
Comparing the choice of doing drugs to the race of a person as a basis for rating people is again intellectually dishonest. One is a property of the person, one is a behavior of that person. I choose not to hang around child molesters. Does that make me a bad person, or a bigot? I believe those people should be locked up. I've only got something bad to say about people who use their freedoms to unfairly limit the rights and freedoms of others (eventually they will try and limit mine, so I look out for everybody else to protect mine).
People are people. I judge them based on what they do that affects me. Oh, and by the way, there's absolutely nothing wrong with having an innate, and irrational hatred of people of any racial or ethnic descent. As long as you keep it to yourself, and you don't treat those people badly directly or indirectly. What business is it of mine that you hate them or me or everybody, as long as you are law abiding and responsible? You've got the intellectual freedom in this country to do that. You don't have the freedom to limit other people's freedoms.
I understood how the law was applied. I understood why it was applied. I just think it's foolish. Presuming that law was meant to be applied to terrorists, then applying it to meth peddlers or cigarette makers is contrary to the intent of the law. There is virtually nothing in the known universe that isn't "capable of causing death or serious injury", and contains toxic chemicals.
Any building has "toxic chemicals" in it. Just crack out a geiger counter. If you eat enough bananas, it will kill you, and 1 out of every 1 million potassium atoms is radioactive.
Depending on the legal definition of "toxic", pure oxygen might qualify. I know breathing pure oxygen will do really bad stuff to you, if not kill you outright.
Lots of medicines are capable of causing death, and contain toxic chemicals.
That's beside the point. My primary issue was with the statement "cigarettes are designed to kill people". That's patently false. During the time most cigarettes were designed, most of the people working at RJR and co. did in fact smoke. They might have known it was dangerous long before they let on to the general public, but it wasn't a conspiracy to kill people.
I'm an American. Go to an emergency room, you'll find socialized care there. If you are sick enough they will treat you without insurance.
Why do you think it costs $500 to get some aspirin in a hospital? Probably to amortize the costs of the incredibly expensive surgery and care that really sick people, like say lung cancer patients, get. Those costs show up in the cost of my insurance. I'd be much happier if I could get insurance from the "we don't sell to smokers" insurance company. I'd be willing to bet money it'd be a lot cheaper. Going to the hospital that doesn't care for people who smoke.
Who do you think coughs up the tax dollars to run public drug abuse/reform programs? Who do you think pays for the anti drug messages on TV?
Of course most reasonable healthy people don't want the tall overweight lazy bastard (that's a rough description of me) in their medical care group either.... :-)
What's meth got to do with it? I don't believe that meth is a weapon of destruction by the terrorists. I think applying a law meant for terrorists to cigarettes is just as silly as doing it to someone who peddles meth. Now somebody who has diesel fuel and fertilizer in the back of a truck and has plans to detonate it. Yep, terrorist, yep, throw the book at them. Invoke your special laws.
I think it's equally intellectually dishonest to equate meth or cigarettes to acts of terrorism. Now if they just wanted to up the penalty for killing people, why not just make the sentence on murder/manslaughter tougher?
If the drugs were legal, I'd have no problem with them being legal. That sentence was meant to imply that if the illegal drugs were hypothetically legal.
People who rob other people to pay for drugs (those people will be non-law abiding) aren't law abiding citizens. People who get drunk and cause public disturbances aren't responsible. People who get mentally incapacitated and then drive aren't law abiding or responsible.
I didn't mean to imply that doing illegal drugs is "legal". I meant to imply that if the drugs were made legal, I'd have no problems with those people assuming the drugs didn't lead them to be non-law abiding or responsible.
I'm a non-drinker, non-smoker. Never had any, never wanted any. I've seen what genetically close members of my family do. They aren't law abiding or responsible (even with just alcohol), so I stay away from it all.
Okay, cigarettes are *NOT* designed to kill people. They are an age old tradition that dates back at least to the 1500-1600's in this country. I'm not sure how long it's been in European countries. It just so happens that cigarettes slowly create health problems that eventually you die of. Christ, turkey has trace amounts of some nasty stuff in it.
Cigarettes are designed to be addictive. If tobacco companies could find a way to make them addictive and healthy, they'd do it so fast it'd take your breath away (pun intended).
Oh, I'm not a smoker. Never even tried one. My father died of lung cancer when I was 20. He smoked 4 packs a day of Pall Mall unfiltered for 40 years. I'll never smoke; I generally remind people that they shouldn't smoke, and that it's unhealthy.
However, to say that "smoking is designed to kill people", in a discussion about a law that is the result of an idiot attempt to stop terrorists, is just intellectually dishonest. Smoking isn't designed to be harmful, like flying planes into buildings is harmful, or like blowing up a Ryder truck full of diesel fuel and fertilizer is harmful, or going to holy sites in Israel and blowing up buses full of people. It's designed to optimize the amount of money tobacco companies make. If they could make you live longer while you did it, I'm sure they'd be up for it; it is an increased revenue stream if you lived longer... *grin*
Personally, I have no problem with people who choose to smoke. I have no problem with people who choose to drink alcohol. I have no problem with people who want to use illegal drugs assuming they are law abiding and responsible. I don't want to pay to rehabilitate them, and I don't want to pay their medical expenses. If they do those things, I've got little to no issue with people who pick that as their form of enjoyment or relaxation hobby/habit.
Actually, according to his theory, it's better to pay it all off in cash today if you can. (It costs you $0 month to month). There is a theory, that cash flow is the most important. If you can arrange to have your bills lower month to month you are better off, if that costs you extra in the long run, or it saves you money (it doesn't matter, it's your monthly income). If you can arrange to have your monthly bills lower, you are better off. In some sense he is correct, you have more flexibility about what jobs you can take, and what you have for disposable income. Assuming you don't line up debt past the time you plan on retiring, it is not such a bad theory.
The reasoning goes that, if you can live off 75% of your wages, you are saving 25%. You then have 25% disposable income. Now if you save $5K today (in cost, not in cash), but it raises your monthly cost of living, that's bad. You have less disposable income, and now have to earn more money.
If you can take your money and pay off a loan today, and that lowers your monthly cost of living, you should do it. Yes, there is a limit to this. Taking a 1 year loan and spreading it out over 20 years is financially stupid. However, given the option where it is a wash long term on the money, you always want to lower your monthly payments. There should be a strong bias towards lowering your monthly living expenses. The moment you aren't cash flow positive on monthly expenses, you start to run through your credit rating, which will eventually lead you to bankruptcy. That should be avoided at all costs.
Unless she actually completes the coursework, that's fraud (you can't just sign up and drop to avoid payment). If you don't start making the payments at some point, you'll be paying the interest forever. The amount of money you'll end up spending doing that will astound you (go add it all up sometime). You really should pay off as much of the principal as you can if she is legitimately taking classes. If she's not legitimately taking classes, it's merely a matter of time until they catch on. Try going and renegotiating with the bank your loan is from. They can do a lot of interesting things to get you to pay. You paying the principal off, and not paying any interest, is better for them than you defaulting. The way student loans work out for the banks and Universities involved amounts to it being in their own best interest to get you to pay it off, otherwise the gov't won't give them student loans in the future (which is very bad for them).
In theory, complaining to the FTC about deceptive trade practices, and reporting them to the appropriate state authorities, should create problems for them.
With the FTC, you can file complaints on the web, I believe. I'm not sure what state offices you should report them to (especially since I don't know the state you live in).
What they are doing should be illegal. Essentially, since you called them, they don't have to identify themselves. However, if you got a live human on the phone who made the original call, it would be illegal for them not to tell you who they are so you can request to be taken off their call list. IMHO, this is just a scam to get around the no call list.
Uhhh, do you know anything about the guts of DOS? DOS really doesn't do anything. DOS isn't an OS in the technical sense. It's a boot loader, and lets you provide access to BIOS routines. It wasn't DOS that was slow. It was the BIOS routines.
That's why Windows 3.11 could run on it. It's why DOS Extenders ran on it. DOS didn't *DO* anything other than command.com really, and a little bit of filesystem stuff. Once you started running DOS you pretty much had complete control of the hardware. The BIOS did most of the heavy lifting on serial I/O, writing to the screen, reading or writing from the floppy or hard drive. That's why the BIOS had to be reverse engineered before you could make another PC run DOS. The BIOS did all the work. It's also why DOS ran a load more hardware than Linux did (at the time).
You go get a copy of DOS, go get a copy of an old Linux 0.2 kernel. Fire up program that calculates primes. Neither one of them is particularly faster or slower then the other, assuming you used similar compilers. Do that again with Windows, and you'll probably find that Windows runs about 2-5% slower (last time I checked), due to context switching speed and generic overhead of the (GUI updates, and other subsystems you don't have to have on a Linux machine).
Uhhh, you better hope a NeXT head never, ever reads that... They make Apple geeks seem like fair weather faithful. :-)
I was not much of a NeXT user (only used it a handful of times). However, their development kit, especially their AppBuilder stuff was incredible (I used that on other platforms). I've heard that the feature set the OS had in 1991 was pretty impressive. I used to work in a room full of people who talked about the wonders that NeXT was at the time. NeXT was an incredible OS from everyone I've heard from (I know at least 3 independent sources of people I trust who say that). Its two largest failings were interrelated. It was too expensive, and nobody made third party applications for it. It was right there with Amiga and OS/2 in terms of wonderful OS that nobody used.
Possibly they could spell better than I can. That has little to do with the discussion at hand. I also misused the first "That" at the beginning too. Hell I wouldn't fit in on Slashdot if I could spell and use proper grammar. As soon as they make a language that compiles as a form of communication, I promise, I'll run all my slashdot posts thru it.
Sorry, I generally don't proofread replies while at work.
The problem at that point was that the people who were writing the code you ran under DOS were stupid. The OS got out of your way. Other than the possibility that the filesystem was slower, DOS should have run faster. Possibly only mildly faster, but faster.
Linux could multi-task, which means there is a scheduler. The scheduler is pure overhead in terms of speed. So now you are down to comparing apps to apps. Maybe a little bit of filesystem thrown in for giggles. I suppose DOS could have had a crappy timer interrupt or something, or crappy serial I/O interrupts. However, as I recall, most of the actual O/S of DOS was really in the BIOS, so blame the MoBo maker. The BIOS implemented all of the functionality to talk with hardware so DOS didn't have to write any real drivers.
As far as Linus not being a C programmer, go read his biographies and the early days of Linux. Go read interviews with his old roommate. He wasn't a C programmer. He originally started doing it in assembly. In fact the whole project was to learn more about x86 assembly, it started as a terminal emulator.
He didn't know how sprintf worked. His roommate Lars implemented the original sprintf for the kernel for him.
Uhhh, there's a lot more than 4 years in Mac OS X. I was reading Mac OS X runtime docs 4 years ago (they were the best docs for the OpenStep runtime I was using at a job, I quit 3.5 years ago, and I worked there 1.5 years, so I am pretty sure it's got at least 5 years in it at Apple that they've had public documentation). They have a lot of pre-existing software from FreeBSD, and Mach. They also have all of the code and coders that came from NeXT. It's still no small feat by Apple, but how long was BeOS around? They had pretty good stuff from what I hear, and I'm not sure how long they have been around. QNX 4 was put together pretty quickly. It was a complete re-write of QNX. So was Neutrino.
Second, Linux could have been written in a lot less time if it had been designed from the beginning to end up what it is (it might not be as good, but it could have been pretty good a lot sooner than it was). The concept that SMP existed. Having somebody who knew what the hell they were doing at the beginning of it. Linus is a damned genius now, but when he started it, he wasn't a C programmer at all. Which leads me to guess, he wasn't much of a UNIX programmer at the time (let alone an experienced kernel programmer). It wasn't like he designed around the concept of having SMP, or even optimized disk accesses. Scalability wasn't a big deal. Running with more than 8MB of RAM was impossible (he only had 8, so if you had more and wanted to use it, you had to fix it yourself). Second, it's a whole heck of a lot easier to write an OS when the platform is relatively fixed (yeah it needs to work under x86, but if it doesn't, that's not Apple's problem).
Most of the truly horrific dependencies I've heard of out of UNIX upgrades come from SUN; most of those, it's my understanding, are essentially upgraded in place, while running. That's not something a sane person tries to do. However, SUN hardware and software is special. They do a pretty good job, but the dependencies are tricky (even more so when there are patches that once installed, can never be uninstalled).
The vulnerability going public, and the worms that exploit them months after the patches are a reflection of the users and admins of the machines, not of the software writers themselves. You can find numskulls who run RedHat or Windows with ease. My guess is that as a percentage more numskulls run Windows than RedHat, but I think that's because Windows users/admins are a significantly larger group. Running RedHat isn't done by the average home user. If RedHat shipped by default on as many machines, that statement would flip flop, and RedHat would have a higher percentage of clueless users.
Kirby
I'm not surprised they don't need to override malloc, but you can override a lot of stuff besides just malloc (I'm not familiar enough with GPG, I just know that in C++ code, the only guy who should get to override the new allocator is the guy who wrote int main(), I've had to skip using a lot of great libraries, because they felt that the best way to do something was overriding the default allocator, which is why I picked malloc as my example). Hence, signal handlers, the implementation of coring (I'd really like to get my cores while debugging a problem thanks). I've found/diagnosed a number of bugs from the cores of Mozilla via gdb and reported them, I'd be plenty pissed if it had a copy of my private GPG key when I shipped it off to the public bugzilla database. I don't use their mailer anymore, but I previously used it with the GPG plugin. It's not terribly hard to ensure that you clear the memory buffer, or write it directly to the tty to ensure your key isn't there (read it one char at a time in raw mode only displaying the stars, never actually having a buffer with the entire string in it). I'm mildly less paranoid about that, assuming the backtrace doesn't show me being in the password reading routine in the stack trace.
I suppose I should keep track of my environment, otherwise they can use my attack on your installation, to create your attack (ie, fiddle with my environment to the point that exec( "/usr/bin/gpg", ...) gets remapped to exec( "/tmp/.hacker_files/gpg", ... ) via an LD_PRELOAD), that still requires a lot of access (ability to create new files, and modify existing files as a local user). At that point, neither way is more secure than the other from the perspective I've been attacking it. However, I still feel more secure about getting my cores and knowing that I can safely send them off to Mozilla.org and they don't have my key in them when I push them out to a public mailing list. I trust them to keep my password reasonably safe. Either via never keeping the entire password in memory (the best idea, but also the least flexible), or clearing it immediately after checking it (common practice). Then I only have to worry about cores during the actual password reading process.
Kirby
There are things in UNIX that if you do them in a library, no one will use your library. Setting signal handlers, setting your umask, setting up third party libraries, overriding malloc, fooling with the environment, having limitations on how the thing is linked and compiled, a handful of other things, essentially tweaking any settings that are process wide libGPG.so can't do. I'm betting some of them they want to do in the name of security. I'm reasonably sure that GPG has to do some of them as a measure of security (writing handlers to ensure that close down is clean), and a library that does those is useless. Flat out, I'd refuse to use it if it was doing any of those, and I'll bet it does (now I'm going to have to strace the damn thing). It's a library that restricts what I can do, and I wouldn't use it. I'd much rather fork and exec to deal with it.
I've never compiled GPG from source, so I'm not sure if they do anything special in their build process. It's very easy to know you are running the right GPG, it's the one you get either from the hardcoded path in the config, or it's the one that is in your path. Ensuring it's the real "GPG" is pretty easy. Ensuring that everyone who uses libGPG.so is using the right one is tricky, because you never know what sneaky things someone did to get you to load a different library (it doesn't have to be named libGPG.so, the soname just has to be correct). Now if you modified ld.so to only load libraries signed with a private key, now you're talking (of course that is easy to subvert if you can overwrite ld.so, but at that point, you are screwed anyways).
How you get your password to your GPG is tricky. You are right they could capture it there. It might be a bit trickier to do that way securely.
Kirby
Besides, forcing you to lock in memory, and doing other various tricky bits, might be difficult to accomplish in multi-threaded/multi-process. Just the concept of having to hook the cleanup into my cleanup doesn't make me feel warm and fuzzy in the case where a signal gets sent. Making it threadsafe, and removing the races. Doing fun stuff like changing your default umask for when it wants to save a key to your key ring. All kinds of nasties get done. It has special requirements, leave it as an external problem. fork() and exec() are good for you. It keeps you at arm's length. Besides, a buffer overrun, or another flaw in your program could then enable the attacker to read your private key because it's decoded in your memory space now, not in the separate GPG space. That's not a huge win, but it's a win.
Kirby
Would that be after you formatted the drive with NTFS, FAT32?
Would that be with ext2 or ext3?
When formatted with ext2 or ext3, what's the block size? How many inodes? How many duplicate super blocks? In the case of ext3, how large is the journal?
How many files will be stored on it? What will the average file size be? In the case of reiserfs do you use tail packing?
How did you partition the drive? Which style of partitioning did you use?
Is it part of a RAID array? Is it part of an LVM volume group?
There are a lot of factors that affect the amount of available space on a hard drive. The only thing they can control is the size of the raw filesystem.
Kirby
rpm --import "/path/to/ascii/armored/PGP/key"
I'm not sure how long the --import has been around. I believe it's relatively new. Prior to that the key had to be in your PGP keyring.
Then do this: rpm --checksig "/path/to/untrusted/rpm"
That will tell you if the files match the MD5SUM, and if it is signed by someone you trust.
Now, you are either not reading what I'm saying, or you are not understanding it. You are dogmatically saying, there is no such thing as a trusted MD5SUM. Okay, I'll repeat that back to you, so you can be sure I understand it:
It is a fact that an MD5SUM only says that the file has not been tampered with since whoever put the file and MD5SUM file there. It does *NOT* authenticate who put the MD5SUM, or the original file, there.
However, please examine this file.
http://ftp.redhat.com/pub/redhat/linux/9/en/iso/i386/MD5SUM
See that, it is a list of MD5SUM's. It has something called a PGP signature. First, I have to check the authenticity of that file by using PGP or GPG. You can get the public key, either by requesting it from the pgp.mit.edu server, by downloading it from RedHat and checking the fingerprint of it off the website which is SSL encrypted, or finally, you can look for it in /usr/share/rhn/RPM-GPG-KEY. If you have older media from RedHat that you trust, it is also in the root directory of every CD they have made since at least 7.0. Then I can download the ISO image from any server on the planet. Including the one run by some crazy hacker with elite skills. I can run MD5SUM, and verify that the ISO image is the one that RedHat verified.
I can download the patch from anywhere I want, as long as I have a signed MD5SUM file. I can verify its authenticity. I can be absolutely sure no matter where I download it from, that it is with very high certainty the file that RedHat released.
I haven't actually looked at the original OpenSSH patch, so there might not be an MD5SUM I trust out there. However, lots of places include signatures for example see this:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.0-test1.tar.sign
It is a signature of the tar ball for the 2.6.0-test1 kernel. I can download the tarball from absolutely anywhere, and be sure I have the right one by checking the signature. Most people don't sign tarballs, because it is computationally expensive, so instead they sign MD5SUM's which is relatively cheap computationally speaking.
Okay, fine, I'll go hunt down the original MD5SUM from the openssh site, oops, turns out it is at the OpenBSD site.
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.7.1.tgz.md5
There is the URL for the MD5SUM. Given where it is at, and the nature of the fix, I'd probably trust that the MD5SUM is authentic (I can read the fix and see what it is doing given the public explanation of the exploit). I don't have to get the MD5SUM and the actual data from the same location. In the case of a kernel download, or especially a RedHat download, I only get the MD5SUM from RedHat (it's only a couple of K at most), I get the actual ISO's from someplace else that is faster.
I'm beginning to suspect you are either very dense, or you are just trolling me now. It's been fun, I'll explain it in excruciating detail to you if you really need me to. Hopefully this is enough detail for you to see that, you can download the bits for the patch from anywhere, you only have to get the MD5SUM file from a place you trust to be authentic, or have it signed in such a way that you trust its authenticity.
I still say I'm not as stupid as you think I am.
Kirby
You should do that no matter who you download it from, even from the original site, not that long ago the OpenBSD sites, and the GNU sites were compromised. So just assuming they had good source, wasn't safe. Then at least you know that whoever wrote the patch, also has the private key of whoever signed it (which hopefully is the person whom you trust). If you are a good little author, you sign with a private key on a machine that you sneaker net the source code to, sign there, then sneaker net it back to the public network (or you just drag the MD5SUM there, instead of the original source). At no point, would you ever put the private key on a machine that has ever been connected to the internet (then you just have to physically secure the machine). It's much, much safer that way. Then nobody can get your key except by cryptanalysis, which needs the force of a major gov't behind it to break 4096 PGP encryption last time I checked.
Honest, I'm not as stupid as you think I am.
Kirby
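The check the two posts above describe (get the bits from any mirror, get the signed MD5SUM from somewhere you trust, verify the signature, then verify the hash), with gpg fork/exec'ed in its own scrubbed process as the earlier GPG-library post argues for, as an added example that is not code from this thread or from RedHat/GnuPG. GPG_PATH, the file names and the sample list are assumptions or constructed; a real gpg binary and the signer's public key are needed for the signature step to succeed.

```python
"""Added example (not from the thread): verify a download against a PGP-signed checksum list, running gpg as an isolated child."""
import hashlib, os, re, resource, subprocess, tempfile
from pathlib import Path

# Assumption: gpg lives here. An absolute path keeps a poisoned $PATH from
# substituting another binary for the one that does the verifying.
GPG_PATH = "/usr/bin/gpg"
# Variables a local attacker could use to redirect the child: loader overrides
# (LD_PRELOAD, LD_LIBRARY_PATH, ...), gpg's home/agent knobs, and PATH itself.
_BLOCKED_ENV = re.compile(r"^(LD_.*|GNUPGHOME|GPG_AGENT_INFO|PATH)$")
CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# One md5sum/sha256sum-style line: <hex digest> <spaces> [*]<file name>
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+\*?(\S.*)$")

def scrub_env(env):
    """Copy of env without loader/gpg redirect variables, PATH pinned."""
    clean = {k: v for k, v in env.items() if not _BLOCKED_ENV.match(k)}
    clean["PATH"] = "/usr/bin:/bin"
    return clean

def _no_core_dumps():
    # Runs in the child between fork() and exec(): if gpg crashes, nothing it
    # held (passphrase, decrypted key) can land in a core file.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

def run_gpg(args, env=None):
    """fork/exec gpg in a scrubbed environment; returns (rc, [GNUPG:] status lines)."""
    cmd = [GPG_PATH, "--batch", "--no-tty", "--status-fd", "1", *args]
    try:
        proc = subprocess.run(cmd, env=scrub_env(os.environ if env is None else env),
                              capture_output=True, text=True, timeout=60,
                              preexec_fn=_no_core_dumps)
    except (OSError, subprocess.TimeoutExpired):   # no usable gpg: nothing was verified
        return 127, []
    return proc.returncode, [ln for ln in proc.stdout.splitlines() if ln.startswith("[GNUPG:]")]

def signature_is_good(status_lines):
    """Exit code 0 alone is not enough; insist on GOODSIG and VALIDSIG tokens."""
    tags = {ln.split()[1] for ln in status_lines if len(ln.split()) > 1}
    return {"GOODSIG", "VALIDSIG"} <= tags

def verify_checksum_list(path):
    rc, status = run_gpg(["--verify", str(path)])
    return rc == 0 and signature_is_good(status)

def signed_body(text):
    """Message part of a clearsigned file; unsigned text is returned unchanged."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != CLEARSIGN_BEGIN:
        return text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip 'Hash:' armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:                   # lines[i] is the blank separator
        if line.strip() == SIGNATURE_BEGIN:
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)

def parse_checksums(text):
    """Map file name -> lower-case hex digest from the (signed) list."""
    expected = {}
    for line in signed_body(text).splitlines():
        m = _SUM_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected

def file_matches(path, expected_hex):
    """Stream the file through MD5 or SHA-256 (picked by digest length)."""
    h = hashlib.new({32: "md5", 64: "sha256"}[len(expected_hex)])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()

def verify_download(download, checksum_list, require_signature=True):
    """Mirror-independent check: good signature on the list, then the hash under this name."""
    if require_signature and not verify_checksum_list(checksum_list):
        return False
    expected = parse_checksums(Path(checksum_list).read_text()).get(Path(download).name)
    return expected is not None and file_matches(download, expected)

# Constructed sample (not a real RedHat file): one entry, md5("abc").
SAMPLE_MD5SUM = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

900150983cd24fb0d6963f7d28e17f72  example-disc1.iso
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

def write_sample(dirpath=None):
    """Write the sample list plus a matching and a tampered 'ISO'; return their paths."""
    d = Path(dirpath or tempfile.mkdtemp())
    (d / "MD5SUM").write_text(SAMPLE_MD5SUM)
    (d / "example-disc1.iso").write_bytes(b"abc")
    (d / "tampered.iso").write_bytes(b"abd")
    return d / "MD5SUM", d / "example-disc1.iso", d / "tampered.iso"
```

With the constructed sample the signature step fails closed (the signature block is a placeholder), so only `require_signature=False` lets the hash comparison run; against a real signed MD5SUM and an imported RedHat key, `verify_download` performs the whole check.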
I think there are too many people who like the utility of paper bound books. It'll take a long, long time to get an application tuned to the point that it is easy to use, and as useful to me as a paper bound book. The only things that I find enticing are, backup copies, being able to lug my entire book collection with me, and the ability to electronically search every book I have for a set of keywords. Even then, whenever I buy an electronic copy of a book, I always end up buying the paper copy anyways.
Kirby
Remember, it was authors who signed up for the deal, so they signed up to get screwed. If they could get a better deal any way, they would have. Publishing is currently as efficient as anybody has managed to make it. Music might be a cartel, but publishing I'm betting isn't.
Kirby
If you did a lot of research into let's say, software engineering, and sold the results of that research, you could sell that lots of times. You only did the research once. However, you could sell them repeatedly. My sister does consulting as a Web consultant. She worked really hard to write a content engine. She fills the engine, and then bills people at 75% of the rate a custom built site would cost. 10% of the work, 75% of the money.... You probably think that's unfair too. It's entirely possible however that she would have never made a dime off the engine.
It's how the economics of Card's job is structured. Tell you what, why don't you start a publishing company, then tell the authors they have to show up to your cubicle farm for 8 hours a day and write their books there. You pay them an hourly wage, so they get paid, once and only once. Then you come back in a couple of years and tell me how it turns out (I'll bet nobody wants to work for you, or at least no author worth publishing, if they do, they'll quit immediately after earning a reputation).
The economics of being an author is very different than the economics of working as a programmer, or as a janitor, or whatever it is you do for an hourly rate. Shocking, shocking I tell you. It's entirely possible Card could work for a year on a book, and never see a dime (okay, maybe that's only true for a new author). Being an author is very risky. Your hourly job is less risky. You show up, you do whatever it is you do, and you get paid. Next you'll be telling me it's not fair that somebody makes more money than you do, because you work just as hard as they do. You earn what you negotiate to earn. You don't like your deal, re-negotiate.
Kirby
What I was saying was the opposite of racism. I have no problems with white people who are law abiding, responsible citizens. I have no problems with black people who are law abiding responsible citizens. I have no problems with men, women, or neo-nazis who are law abiding and responsible citizens (I have no problems with anybody of any profile, assuming they are law abiding and responsible). I'm specifically judging those people by their actions and how they affect me. I'm not one of those people who says, well he's a pot head, therefore, he'll eventually be a crackhead, therefore he'll corrupt our youth, and start committing crimes to pay for his habit. Therefore, we should throw their ass in jail. As nearly as I can tell, that's what we are doing to pot heads now. Of all the pot heads I've ever met, most of them are very nice, calm, polite people. They generally don't cause any problems while high to society as a whole. Why are we protecting ourselves from them again?
I think the laws are stereotypical, and the justification for them isn't just, or fair.
Comparing the choice of doing drugs, to the race of a person as a basis for rating people, is again intellectually dishonest. One is a property of the person, one is a behavior of that person. I choose not to hang around child molesters. Does that make me a bad person, or a bigot? I believe those people should be locked up. I've only got something bad to say about people who use their freedoms to unfairly limit the rights and freedoms of others (eventually they will try and limit mine, so I look out for everybody else to protect mine).
People are people. I judge them based on what they do that affects me. Oh, and by the way, there's absolutely nothing wrong with having an innate, and irrational hatred of people of any racial or ethnic descent. As long as you keep it to yourself, and you don't treat those people badly directly or indirectly. What business is it of mine that you hate them or me or everybody, as long as you are law abiding and responsible? You've got the intellectual freedom in this country to do that. You don't have the freedom to limit other people's freedoms.
Kirby
Any building has "toxic chemicals" in it. Just crack out a geiger counter. If you eat enough bananas, it will kill you, and 1 out of every 1 million potassium atoms is radioactive.
Depending on the legal definition of "toxic", pure oxygen might qualify. I know breathing pure oxygen will do really bad stuff to you, if not kill you outright.
Lots of medicines are capable of causing death, and contain toxic chemicals.
That's beside the point. My primary issue was with the statement "cigarettes are designed to kill people". That's patently false. During the time most cigarettes were designed, most of the people working at RJR and co, did in fact smoke. They might have known it was dangerous long before they let on to the general public, but it wasn't a conspiracy to kill people.
Kirby
Why do you think it costs $500 to get some aspirin in a hospital? Probably to amortize the costs of the incredibly expensive surgery and care that really sick people, like say lung cancer patients get. Those costs show up in the cost of my insurance. I'd be much happier if I could get insurance from the "we don't sell to smokers" insurance company. I'd be willing to bet money, it'd be a lot cheaper. Going to the hospital that doesn't care for people who smoke.
Who do you think coughs up the tax dollars to run public drug abuse/reform programs? Who do you think pays for the anti drug messages on TV?
Of course most reasonable healthy people don't want the tall overweight lazy bastard (that's a rough description of me) in their medical care group either.... :-)
Kirby
I think it's equally intellectually dishonest to equate meth or cigarettes to acts of terrorism. Now if they just wanted to up the penalty for killing people, why not just make the sentence on murder/manslaughter tougher?
Kirby
People who rob other people to pay for drugs (those people will be non-law abiding), aren't law abiding citizens. People who get drunk and cause public disturbances aren't responsible. People who get mentally incapacitated and then drive aren't law abiding or responsible.
I didn't mean to imply that doing illegal drugs is "legal". I meant to imply that if the drugs were made legal, I'd have no problems with those people assuming the drugs didn't lead them to be non-law abiding or responsible.
I'm a non-drinker, non-smoker. Never had any, never wanted any. I've seen what genetically close members of my family do. They aren't law abiding or responsible (even with just alcohol), so I stay away from it all.
Kirby
Cigarettes are designed to be addictive. If tobacco companies could find a way to make them addictive and healthy, they'd do it so fast it'd take your breath away (pun intended).
Oh, I'm not a smoker. Never even tried one. My father died of lung cancer when I was 20. He smoked 4 packs a day of Pall Mall unfiltered for 40 years. I'll never smoke, I generally remind people that they shouldn't smoke, and that it's unhealthy.
However, to say that "smoking is designed to kill people", in a discussion about a law that is the result of an idiot attempt to stop terrorists is just intellectually dishonest. Smoking isn't designed to be harmful, like flying planes into buildings is harmful, or like blowing up a Ryder truck full of Diesel fuel and fertilizer is harmful, or going to holy sites in Israel and blowing up buses full of people. It's designed to optimize the amount of money tobacco companies make. If they could make you live longer while you did it, I'm sure they'd be up for it, it is an increased revenue stream if you lived longer... *grin*
Personally, I have no problem with people who choose to smoke. I have no problem with people who choose to drink alcohol. I have no problem with people who want to use illegal drugs assuming they are law abiding and responsible. I don't want to pay to rehabilitate them, and I don't want to pay their medical expenses. If they do those things, I've got little to no issue with people who pick that as their form of enjoyment or relaxation hobby/habit.
Kirby
The reasoning goes that, if you can live off 75% of your wages, you are saving 25%. You then have 25% disposable income. Now if you save $5K today (in cost, not in cash), but it raises your monthly cost of living, that's bad. You have less disposable income, and now have to earn more money.
If you can take your money and pay off a loan today, and that lowers your monthly cost of living you should do it. Yes there is a limit to this. Taking a 1 year loan, and spreading it out over 20 years is financially stupid. However, given the option where it is a wash long term on the money, you always want to lower your monthly payments. There should be a strong bias towards lowering your monthly living expenses. The moment you aren't cash flow positive on monthly expenses, you start to run thru your credit rating, which will eventually lead you to bankruptcy. That should be avoided at all costs.
Kirby