The Android user-space isn't GPL licensed but mostly licensed under ASL2.0. They don't have to make the source available on request. But people are allowed to distribute the binaries and to distribute the source if they have it. The Android Linux kernel is GPLv2 licensed and the source, including Honeycomb, is available at http://android.git.kernel.org/.
Didn't you read about the recent DNS rebinding attack on wireless routers? It works on routers with remote access disabled but with the default administration password. The attack basically tricks the user's browser into attacking the local administration interface.
Except they don't have access to the router. The attack is tricking the user's browser into attacking their router. The router can be completely locked down on the WAN side. The router is vulnerable on the LAN side because of an insecure password or some other attack. But that normally only works when you are inside someone's house. This is tricking the browser into performing the attack. The browser isn't compromised; it is just accessing a site normally and running some JavaScript.
This is tricking the little kid inside the car to unlock it for you.
DNSSEC requires EDNS. EDNS allows for UDP packets larger than the original 512-byte limit of DNS over UDP. There could be problems with fragmented packets which are larger than the MTU. Some experiments show that responses with DNSSEC and IPv6 are larger than 512 bytes but smaller than the typical MTU of 1500 bytes.
There is some old firewall equipment that mistakenly prohibits DNS packets longer than 512 bytes over UDP, but those have caused problems for a while.
DNS uses UDP by default. If the response is too big for UDP, then it switches to TCP. The limit for UDP packets used to be 512 bytes but extensions allow the size to be much larger. Old firewalls think that 512 bytes is the limit of DNS over UDP and block any longer packets.
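The size negotiation described in the comments above, as an added example that is not part of the original posts: it builds a query with and without an EDNS OPT record, reads back the advertised UDP size, and models what happens to a large answer on a clean path and behind a firewall that enforces the old limit. The 1200-byte answer size, the query name and the `trace` outcome strings are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # pre-EDNS maximum DNS message size over UDP
TYPE_OPT = 41             # EDNS pseudo-record type
FLAG_TC = 0x0200          # header flag: response was truncated

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, txid, edns_size=None, dnssec_ok=False):
    """Build a one-question query; with edns_size, append an OPT record."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + encode_name(name) + struct.pack("!2H", qtype, 1)
    if edns_size:
        # OPT: root name, TYPE=41, CLASS holds the UDP size, TTL holds flags
        ttl = 0x8000 if dnssec_ok else 0      # 0x8000 is the DO (DNSSEC OK) bit
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, ttl, 0)
    return msg

def advertised_udp_size(query):
    """Largest UDP response the sender of this query says it accepts."""
    arcount = struct.unpack_from("!H", query, 10)[0]
    pos = 12
    while query[pos]:                 # skip the labels of the question name
        pos += 1 + query[pos]
    pos += 1 + 4                      # terminating zero, QTYPE, QCLASS
    if arcount and query[pos] == 0:   # first additional record, root owner name
        rtype, size = struct.unpack_from("!HH", query, pos + 1)
        if rtype == TYPE_OPT:
            return max(size, CLASSIC_UDP_LIMIT)   # values below 512 count as 512
    return CLASSIC_UDP_LIMIT

def is_truncated(response):
    """True when the TC flag tells the client to retry over TCP."""
    return bool(struct.unpack_from("!H", response, 2)[0] & FLAG_TC)

def trace(query, answer_len, legacy_firewall=False):
    """Model the fate of an answer of answer_len bytes for this query."""
    if answer_len > advertised_udp_size(query):
        return "truncated: client retries over TCP"
    if legacy_firewall and answer_len > CLASSIC_UDP_LIMIT:
        return "dropped: client sees a timeout"
    return "delivered over UDP"

if __name__ == "__main__":
    plain = build_query("example.com", 48, 0x1234)           # 48 = DNSKEY
    edns = build_query("example.com", 48, 0x1234, 4096, True)
    for label, q in (("no EDNS", plain), ("EDNS 4096", edns)):
        for fw in (False, True):
            print(label, "legacy firewall" if fw else "clean path",
                  "->", trace(q, 1200, fw))
```

The dropped case is the one that is hard to diagnose in practice: the server never sets the TC flag, so the client gets no signal to fall back to TCP and only sees a timeout.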
POSIX support is easy if you use the new generic getaddrinfo and getnameinfo. Code needs to be ported from the old way which hardcoded IPv4 addresses (AF_INET). A properly written program will support both IPv4 and IPv6 and will use the right one based on network interfaces and DNS.
In practice, IPv6 is no different than IPv4 with NAT for tracking people. With IPv4, your machine address is hidden by NAT behind your public IP address. They can track it to your house but not your computer.
By default IPv6 uses the MAC address in composing the IPv6 address which ties it to the machine. But this is recognized as a problem and there are ways of creating unique random addresses. Also, there is enough address space that you can change your address frequently. Every day or even every destination. They can still track the prefix to your house.
If they had just hashed the MAC address, it would be harder to predict and not obvious it came from the MAC address. Hashing it with a secret key (but shared key) would probably have been enough security. They would have a problem if the key was compromised but it could be model or firmware version specific.
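The difference between the MAC-derived address and the keyed-hash idea in the comments above, as an added example that is not part of the original posts. The MAC address, key and prefixes are constructed sample values; mixing the network prefix into the hash goes beyond what the comment proposes and is the approach RFC 7217 takes, so the identifier also changes from network to network.

```python
import hashlib
import hmac
import ipaddress

def parse_mac(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw

def eui64_iid(mac):
    """Modified EUI-64: flip the universal/local bit and insert ff:fe."""
    raw = parse_mac(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def mac_from_iid(iid):
    """Undo eui64_iid(); returns None when the ff:fe marker is absent."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def keyed_iid(mac, key, prefix=None):
    """HMAC-SHA256 over the MAC (and optionally the prefix), cut to 64 bits."""
    data = parse_mac(mac)
    if prefix is not None:
        data = ipaddress.IPv6Network(prefix).network_address.packed[:8] + data
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def make_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers need a /64 prefix")
    return net[int.from_bytes(iid, "big")]

def iid_of(addr):
    """Lower 64 bits of an address, as seen by any remote observer."""
    return ipaddress.IPv6Address(addr).packed[8:]

if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                 # constructed sample MAC
    key = b"constructed-demo-key"             # constructed sample key
    home, cafe = "2001:db8:1:2::/64", "2001:db8:aaaa:bbbb::/64"
    for prefix in (home, cafe):
        naive = make_address(prefix, eui64_iid(mac))
        keyed = make_address(prefix, keyed_iid(mac, key))
        per_net = make_address(prefix, keyed_iid(mac, key, prefix))
        print(prefix)
        print("  EUI-64     ", naive, "-> MAC", mac_from_iid(iid_of(naive)))
        print("  keyed      ", keyed, "-> MAC", mac_from_iid(iid_of(keyed)))
        print("  keyed+prefix", per_net)
```

Hashing only the MAC hides the hardware address but still gives the same lower 64 bits on every network, so the machine can be followed across prefixes; adding the prefix to the hash removes that link.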
Break out the Fair Debt Collection Practices Act and get them to stop. Answer the phone and get their name and address and all the info about the debt. Mail them a written request for verification of the debt. After that, all contact needs to be by mail. They are already doing things they shouldn't like calling late at night. They are supposed to have mailed you a description of the debt. Keep a log of all of the calls and violations. Send them to the FTC if they don't stop. You can even sue them and get $1000 in damages for violations.
This update seems to have made things worse on my MacBook Pro. I swapped the hard drive for a larger one which supports SATA 3 Gbps. Now, I am getting random freezes which look like they are caused by errors in talking to the drive. It sounds like the problems with SATA 3 Gbps which caused them to originally disable it are really there. Multiple people on the Apple forum have a similar problem.
Unfortunately, there is no way to revert to the old firmware. Or set the controller to the slower speed. And setting the speed on the drive requires Windows.
They did write a new OS with the technology from BeOS. Palm OS 6, aka Cobalt, was a failure when released five years ago. No devices were ever released that used it.
Part of the problem was the split between Palm and PalmSource. Palm went with Palm OS 5.4 for the Treo 650. And started using Windows Mobile about the same time. There were rumors that it was hard to write drivers for Cobalt.
You can have a LAN with public addresses. The only difference is that instead of having a NAT box that translates between your local private addresses to public addresses, you just have a router that routes. NAT is required with IPv4 because most ISPs only hand out single public IP addresses. To have a local network, you need to use NAT.
With IPv6, the standard assignment is a /64 subnet. That means you can have effectively unlimited public addresses on the local network.
It is because there are bugs in OSes and applications that will use the IPv6 address even when there isn't a good IPv6 connection. One cause is OSes automatically giving interfaces link-local addresses without wider IPv6 connectivity. This either leads to no connectivity when using IPv6 or a long delay until it falls back to the IPv4 address.
I would not be surprised if the breach was caused by the Debian OpenSSL fiasco. A user account with a weak key could have been compromised and escalated from there.
IPv6 could make the recent spoofing attack against DNS much harder. Instead of randomizing source ports, it would be possible to randomize source addresses. Each request could have a random address. There is enough space in the 64-bit local address part to make spoofing attacks infeasible. Unfortunately, rapidly changing IP addresses is not something operating systems and network infrastructure cope with.
Actually, IPv6 can be better than IPv4 in terms of privacy. The naive implementation uses the MAC address in constructing the IPv6 address which makes it stable and leaks private information. Newer specs talk about using random bit strings for addresses. And varying addresses over time. It is even possible to use different addresses for different destinations.
The GPLv3 states that you have to be able to use modified versions of the GPLv3 code. It doesn't say that the proprietary code has to work with modified versions of the GPLv3 program. Think of a Tivo which has an open-source kernel, userspace, and proprietary video program. If the video program refuses to work with anything other than a Tivo-provided kernel, then you may be able to upgrade the kernel but it won't be a Tivo, just a hackable DVR.
This can't be achieved when the kernel is running on the bare metal. Any trusted code in the kernel (which must have source code) can be hacked. But the hypervisor can be proprietary and provide trusted verification to the proprietary code. This is the Trusted Computing model. The GPLv3 requires that the GPLv3 code be able to work so there is no locking down the system to only run signed binaries. But it doesn't, and can't, require that other proprietary code work.
It is quite likely that the patent holders won't license open source codecs even if people are paying money for them. Or they may restrict how the licensed versions can be distributed even if the source is available. The Fluendo MP3 plugin is only patent licensed for the binary version. The source is available under an MIT license but people building it from the source themselves aren't licensed under the patent. They must get the blessed version from Fluendo. These new plugins are binary-only which suggests that the patent holders would not allow the source to be available.
It would be much nicer if we could buy patent licenses for the codecs and then use them for any open-source implementation. But the patent holders don't seem to like that.
It is not a buffer overrun. It is somebody noticing that binfmt handlers are inserted at the beginning of the handler list. Well, if somebody can add a kernel module, they can do much worse than add a binfmt handler. They have complete control of the kernel.
What printing system do you think Mac OS X uses? CUPS. Just like Linux. Apple has provided some things that Linux is still working towards like a common print dialog and simple configuration tools. But the underlying drivers are the same. In fact, recent Linux distributions tend to have newer versions of the gimp-print/gutenprint drivers.
Except that VMI is not a closed-source interface. The VMI interface is an ABI specification that any hypervisor can use. It basically replaces the privileged instructions with calls to a memory block that the hypervisor sets up. The hypervisor can make them calls to the hypervisor. On a virtualized processor, it could leave them alone. Or if there is no hypervisor, the kernel can run natively. There are already open source hypervisors that use VMI. L4 is being used as a hypervisor using VMI. They also have a technique called pre-virtualization which replaces the privileged instructions in a binary OS (i.e. Windows) with the VMI calls to allow them to be virtualized without patching the source like Xen (and normal VMI) requires.
Greg was talking about the modules that VMware distributes for the host-side device drivers. They are distributed as proprietary source which need to be compiled for the local kernel.
All three of them use the goffice libraries. They have a lot of interface similarities because they are Gnome applications. They are pretty much independent projects.
One big difference is that the special X11 directory, /usr/X11R6, is going away. X programs now install into /usr/bin like everything else, X libraries go in /usr/lib, X data is in /usr/libX11 and /usr/share/X11.
This can produce incompatibilities since some existing programs are hardcoded to look in /usr/X11R6. They would have broken if they went to /usr/X11R7.
The one place I can see gTLDs being useful is for companies that host content sites on subdomains. For example, tumblr.com or wordpress.com. Using http://foo.tumblr/ or http://bar.wordpress/ is a little nicer than http://foo.tumblr.com/ or http://bar.wordpress.com/.
Check again. Ogedei Khan, Genghis's son, conquered all of China.