Slashdot Mirror


User: russotto

russotto's activity in the archive.

Stories
0
Comments
9,376
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 9,376

  1. Exercise in futility on Students, ISP Sue Diebold · · Score: 2, Insightful

    Remember the DirecTV extortion case? The people complaining about the extortion not only got slapped down by the court, the court made them pay DirecTVs legal costs to the tune of $100,000. Same thing will happen here.

    The courts hate people challenging copyright.

  2. Re:Have you looked at the details of the bugs? on Apple Forcing Panther Upgrade for Security Patch · · Score: 2, Interesting

    There's no remote root exploit, I'm fairly sure. @stake assumed there was a buffer overflow in the kernel causing the system to crash when a long command line was entered. I don't think there is. Instead, there's an infinite loop:

    from xnu/bsd/kern/kern_exec.c:
    do {
    error = copyoutstr(cp, (caddr_t)ucp,
    (unsigned)cc, &len);
    ucp += len;
    cp += len;
    nc += len;
    cc -= len;
    } while (error == ENAMETOOLONG);

    Note that if the data being copied out is too big, copyoutstr returns ENAMETOOLONG with len == cc. When called with a max length of 0 (which happens next iteration), copyoutstring returns ENAMETOOLONG immediately. So it's an infinite loop. It only happens if the argument list is less than ARG_MAX, but the argument list plus the envp list is greater than ARG_MAX.

    If the argument list is greater than ARG_MAX, a similar loop correctly returns E2BIG when trying to copy data in. Copy-and-paste error anyone?

    There _might_ be a remote exploit, if some service allows you to pass arbitrarily long command lines to applications. But even if so, it's a denial of service exploit, not an arbitrary execution of commands exploit (as root or anyone else)

    The other two are both strictly local, and one isn't exploitable in the default configuration (i.e. cores disabled)

  3. @Stake's kernel buffer overflow on Panther Problem Roundup · · Score: 1

    I don't think it's a buffer overflow. I believe this is the offending code:

    xnu/bsd/kern/kern_exec.c: ...
    do {
    error = copyoutstr(cp, (caddr_t)ucp,
    (unsigned)cc, &len);
    ucp += len;
    cp += len;
    nc += len;
    cc -= len;
    } while (error == ENAMETOOLONG); ...

    This code will cause the kernel go into an infinite loop if the command line is not too long but the command line plus the environment is too long. It's a cut-and-paste error, clearly (elsewhere in the code is a copyin loop which also changes error to E2BIG if ENAMETOOLONG appears).

  4. Sales tax ban NOT expiring! on Ban On Internet Sales Tax Ends Saturday · · Score: 3, Informative

    If only there was a "WRONG" moderation and it applied to the blurbs!

    The fact that Internet and catalog retailers don't have to collect sales tax for states they don't have a business presence in is a result of a Supreme Court decision and the Interstate Commerce Clause of the US Constitution (which reserves regulation of interstate commerce to the federal government). That doesn't expire. The states have been trying, since before the Internet was a big thing, to get Congress to change that. So far they've failed, but they are still trying.

    What does expire is a moratorium on a tax on Internet services themselves -- e.g. a tax on your ISP's services.

  5. Re:So... on For Americans, Imported Textbooks Can Be Cheaper · · Score: 1

    The University of Maryland College Park didn't contract out their dining holes, and they WERE out to rape you. If they didn't give you food poisoning first, anyway.

  6. Re:BIAA - Re:Trumping Capitalism?? on For Americans, Imported Textbooks Can Be Cheaper · · Score: 2, Informative

    You think this is funny, but this sort of case has actually already been litigated, and some courts HAVE found that importing legitimate copyrighted material for resale IS a violation of copyright. The US Supreme Court disagrees, and as a result the US is in violation of some international agreement or another. Naturally the govt (legislature and executive) is working on ways to bring the US into compliance.

  7. Re:These people really don't get it. on FCC Considers Mandating HDTV Copy Protection · · Score: 1

    Rather the other way around. The trade imbalance means we're importing more than we export. When we import, we hand out dollars (of no intrinsic worth, just like those glass beads) and get valuable items in return.

  8. Score one for the government on Bernstein Cryptography Case Dismissed · · Score: 1

    This is just a way the government evades constitutional scrutiny. Drop cases they think they'll lose, without conceding the principle. And pursuing those they think they'll win. So their wins count and their losses do not. When the legal climate changes (e.g. a judge is replaced, another terrorist attack occurs), they go ahead and try again on those cases they thought they'd lose before.

  9. Re:Compatibility Issues? on PC World: Apple G5 Gets Trounced By Athlon 64 · · Score: 1

    Err, Jaguar (10.2) isn't a 64-bit OS, and it can't address more than 4 gigabytes of RAM. Panther (10.3) IS a 64-bit OS, can address more than 4GB of RAM, and can provide the other benefits of 64-bit operations as well.

  10. Now who's wearing the tinfoil hats? on The FSF, Linux's Hit Men · · Score: 1

    From the article: 'Or maybe, as some suggest, the foundation wants GPL-covered code to creep into commercial products so it can use GPL to force open those products. Kuhn says that's nuts--"pure propaganda rhetoric."'

    Uh, yeah. One of the requirements of the GPL is that you clearly label the code as covered by the GPL, and include a copy of the GPL with it. It's not going to "creep" anywhere by accident. Certainly Linux is a bit big to be "creeping"; it's more than a stretch to believe a company would use Linux as their operating system without being aware that it's covered under the GPL and have some idea of what the GPL entails.

    I had a commercial company ask me about a driver I had ported that they were interested in. I told them it was under the GPL, they said "No, thank you", and all was well. That's all LinkSys had to do with Linux; there's no shortage of proprietary redistributable (for a fee) operating systems for such devices.

  11. Re:SunnComm in the wrong on SunnComm Says Pointing to Shift Key 'Possible Felony' · · Score: 1

    No, the DMCA does not say anything about substantial noninfringing uses. That phrase is from Sony v. Universal, and is about regular copyright law, not the DMCA.

    SunnComm does have a leg to stand on. It's a weak and spindly one, but that it exists at all points out how nasty the DMCA is.

  12. Good place for a honeypot on Spammers Using Hacked Machines as Decoys · · Score: 4, Insightful

    If what they're doing is redirecting to random compromised machines which in turn go to the real site, one method for combatting them is to set up a honeypot of easily-compromised machines and wait for one or more of them to get infected by these loser's trojans. Then firewall logs (or analysis of the trojan) will reveal the real addresses being relayed.

  13. Re:Out there, but rare... on Have You Personally Used an Honest Head Hunter? · · Score: 1

    A single copyright violation is worth $150,000, thanks to the RIAA. So, new business plan 1) Register resume with copyright office 2) Put resume on website 3) PROFIT!

  14. Re:Inevitable on States Push for Net Sales Taxes · · Score: 1

    Phone orders are not currently taxed, if you phone the order in to a company which does not have a business nexus in the state. Mail-order, phone-order, and Internet-order are all the same for the purposes of sales tax.

  15. Re:Speaking of versions on Nmap Gets Version Detection · · Score: 1

    Assuming fatal() is what it says, it must be a race condition -- buffer->alloc is increased before the actual size of the buffer is increased. It must be possible to access the buffer from another thread while this is the case.

  16. Re:Verisign Slashdotted on Resolving Everything: VeriSign Adds Wildcards · · Score: 1

    Worked just now for me. If they are prepared to catch every single mistyped web and mail address (inlcluding all the broken automatic ones and the spammers sending out garbage), I doubt a little slashdotting would harm them one bit.

  17. Re:I'm sorry but totally avoid TCPA on Dartmouth Project Combines Linux With TCPA · · Score: 2, Informative

    Sorry, but TCPA pretty much can only be used for evil. The "killer app" for TCPA is DRM. The way TCPA enables -enforceable- DRM have been posted and written-about ad nauseum.

    TCPA probably wasn't devised with DRM in mind; it resembles the old "compartmented workstation" idea, and I imagine that's where its roots lie. But DRM is certainly the blazingly obvious use for it, and unlike other DRM schemes, TCPA-based schemes can actually work on general-purpose hardware.

  18. Reasonably secure -- but watch out for UPNP on Are Consumer Firewall/NAT Boxes Really Secure? · · Score: 2, Informative

    The NAT boxes will stop your garden-variety worm searching for vulnerable services on a default-configured Windows box, provided you don't open those ports.

    But a lot of them support "UPNP", which allows programs on the to automatically open up ports they need. This is a great convenience, but you're now giving the keys to your network to any random Windows program. Now any trojans don't need to actively call out -- they can just open up your firewall FOR you and wait for connections. This strikes me as definitely not a good idea.

  19. Priorities... on RIAA Sues 12-Year Old Girl · · Score: 1

    She lives in a Housing Authority project in New York and she's worried about the RIAA suing her? I'd think she'd have bigger things to worry about!

  20. Code generation a necessity on Code Generation in Action · · Score: 3, Insightful

    I work on a large Java project where we use entity EJBs. Code generation isn't an _option_ here, it's a necessity. We have hundreds of tables (over 500) and each of them has an EJB. Writing out the infrastructure for each and every one by hand would be a huge and boring waste of time. I think the necessity for code generation actually points to a problem with design of EJB itself, but that we're pretty much stuck with.

  21. Re:READ THE FRIGGEN LAW on Microsoft Prepares Office Lock-in · · Score: 1

    Only program to program interoperability. Program to data interoperability is not protected. No, this doesn't make sense; it was the excuse come up with by a court to keep DeCSS illegal.

  22. Halleluja, finally the Labyrinth game on Gyroscope Gives CellPhones 'Tilt Control' · · Score: 1

    Finally, I can get that 'Labyrinth' game on my cell phone. It's just what I've been waiting for all these years, a computerized version of 'Labyrinth'. My journey is now complete.

  23. Re:Regulation is not the answer on Increased Software Vulnerability, Gov't Regulation · · Score: 1
    Yes. What makes you so special?

    Nothing. That's just the point; I don't need to be special to practice my profession. Nor do I want to be.

    Anyone who can acquire the skills can write software. That makes software special. "Professional" licensing would throw that away.

  24. Re:Regulation is not the answer on Increased Software Vulnerability, Gov't Regulation · · Score: 1
    Having never worked in the industry, I do not know, but I can imagine that the standards required for medical equipment software (pacemakers et al) and things like nuclear power stations are much higher.
    I _have_ worked in medical equipment software; not implantable devices but other life-critical stuff. Let's just say that neither the FDA nor any other regulatory organization looked at a single line of code; there were documents they did look at, but not code. Nor was any certification required to work on this stuff.
  25. Re:Regulation is not the answer on Increased Software Vulnerability, Gov't Regulation · · Score: 1

    You want me to get a fucking license to program and toady up to a bunch of self-important people on the "Board of Professional Programmers" in order to practice my profession? That's regulation by another name, just by a different body. No thanks; leave the strangling over-regulation and "professionalism" to fields which are pretty much mature, static, and stagnant... though perhaps that's the _reason_ they're stagnant.