Slashdot Mirror


User: __past__

__past__'s activity in the archive.

Stories: 0
Comments: 1,024

Comments · 1,024

  1. Re:Am I wrong on Sebek2 - A Kernel-based Data Capture Tool · · Score: 1

    Attackers aren't necessarily stupid. They are likely to bring their own shell, and have the same ways to check file integrity of their executables as the whitehats have. (In fact, one can generally assume that they have more and better tools - they can use all publicly available ones as well as their own they didn't tell anyone about.) So it would be hard to modify their shell without them noticing. You would notice a trojaned /bin/sh on your systems too, wouldn't you?

  2. Re:Does the state dept. read /. ??? NO on Virus Knocks Out U.S. Visa Approval System · · Score: 2, Insightful
    You test it before you roll it out, like most larger sites have a policy of doing. It's not as if the vulnerability, and the patch, are brand-new, after all, it's just that nobody can afford testing something for months any more (or rather, having too much to do for months before having time to properly patch it), not when various exploits are out in the wild, taking sites down left and right. You better be damn fast at it. If their change plan takes that long, it's broken, and most likely they will just have to pay more testers, so that it becomes faster.

    Of course, the money required to pay those testers/admins is not something you'll read about in most TCO studies, nor are the costs of having your network hosed because you didn't pay it. Because, you know, being hit by a worm/virus is just bad luck, and has nothing to do with the rest of your IT strategy.

  3. Re:FreeBSD vs Linux performance on Installing A Secure FreeBSD Box · · Score: 1

    Heh. Just as we are talking, a new FreeBSD advisory - ARP-related remote DOS - hits my inbox, requiring me to patch my kernels and reboot... Oh the irony.

  4. Re:FreeBSD vs Linux performance on Installing A Secure FreeBSD Box · · Score: 1
    That's uh, not rebooting your server, not-not updating.
    Updating your kernel is pretty tricky to do without rebooting. Given that a kernel that old won't work with any userland for which the FreeBSD team would provide patches any more, I'd also guess that the userland is similarly old, or they are basically maintaining their own forked version. Same for Apache, you won't get many patches for 1.2.4 any more.
    Get a clue.
    Get an account.

  5. Re:FreeBSD vs Linux performance on Installing A Secure FreeBSD Box · · Score: 1

    The only useful conclusion you can get from that data is that FreeBSD and BSD/OS (still two different OSes, by the way) are popular with lousy admins. Not updating your server for years isn't something to be proud of. I'll take the timely and easy to deploy patches of FreeBSD over its ability to wait for script kiddies to own my mighty Apache 1.2.4 any day.

  6. Multiuser? on Prevayler Quietly Reaches 2.0 Alpha, Bye RDBMS? · · Score: 1
    How does that work when you have multiple processes, potentially implemented in various different programming languages with different object models, that need to access this data concurrently? Will my "database" still work after I modify my persistent classes, or do I have to convert it somehow? What about access control that is guaranteed to be shared by all database-accessing apps?

    This might be nice for a certain class of applications, but unless that all (and more) works - and I can't see how it could - I wouldn't be too frightened if I were Larry Ellison.

  7. Re:Typical /. Hipocrisy on Sony, Intel To Push Content Protection · · Score: 4, Insightful
    Not necessarily. I do respect copyright, don't run unlicensed software, don't download mp3s or videos from p2p networks etc, yet I do think this will be cracked. And honestly, I will have a good laugh at their expense when it will be.

    The problem is that copy protection has failed every time. From the first attempts from 8bit game producers over hardware dongles and broken audio-"CD"s, nothing has ever really prevented illegal distribution of media and software. But each new attempt has made life worse for the honest paying customer. Currently, I can't play a lot of my "CD"s in my computer or car stereo, because the music industry is deliberately breaking standards - I could still grab it from Kazaa, of course, and use it without any hassle. What will those DRM-style things bring - will I be able to make a backup of my legally purchased files if I get a new computer or hard drive? Will I be able to use them if I choose to use an operating system the DRM software providers might never have heard of, or simply don't consider big enough a market?

    I still think that in the long run it's a better idea to offer your customers good products at a fair price rather than treating them as a bunch of worthless criminals.

  8. Re:Someone give me the actual argument on Torvalds And Cox Write EU Parliament On Patents · · Score: 1

    Have a look at the software patent site of the FFII (Foundation for a Free Information Infrastructure), especially their FAQ and the article Why are Software Patents so Trivial?.

  9. Re:Get used to it ... on Microsoft Offers A DRM Patch · · Score: 1
    1) this component will never run on Linux or OS/X desktops (let alone other desktops).
    http://www.theinquirer.net/?article=8820
    Did you read the article you linked? Or did you miss the two occurrences of the word "desktop" in your parent post?

    "It looks like the software will only be available for consumer electronics devices. Reading between the lines, it looks like the software will only be available to manufacturers for inclusion in media devices based on Linux. There is certainly no sign of a free download for PCs."

  10. Re:It's not about consumers on Microsoft Offers A DRM Patch · · Score: 1
    What I find most troublesome is that Microsoft seems to be taking the lead in providing a means of control that goes beyond the ACL approach that has been traditional until now. It's an astute move for M$. If the rest of the world doesn't come up with an alternative, it will become all that much harder to dislodge Windows from the corporate desktop.
    An alternative like Mandatory Access Control, where a systems administrator can set policies describing not only which users are allowed to view/do something, but also with which applications they can, and making it impossible for them to remove these restrictions to circumvent the policy, and more? As implemented in Trusted Solaris, FreeBSD, Linux, and other OSes?

    It tends to be complex to implement due to a lot of flexibility, and definitely has different goals (securing your systems, as opposed to securing profit of others), but it isn't as if Microsoft would be the only one to improve their security model.

  11. Re:I have to laugh on Remote Root Exploit In lsh · · Score: 1
    Of course LSH team found their bug purely by random
    Sort of, actually. The first thing that led to the discovery of this bug was someone being annoyed because of switching to lsh being cited as a solution for the OpenSSH bugs without much thought, and tried to pipe lots of random noise to it, only to see it crash (while OpenSSH simply reported protocol violations). So yes, in a way they found it by random, /dev/random in particular.

  12. Re:Who will be ccontracted for the 9 cities ? on More Linux Activity in German Government · · Score: 3, Informative

    While SuSE is certainly the most important distro in Germany (and, for example, was behind the Munich deal), I think it's quite interesting that the police desktops and servers will run Red Hat. You normally can see new SuSE releases prominently advertised in every bigger bookstore here; for a lot of people SuSE is Linux, they think they are running Linux 8.2 Professional. Finding an up-to-date Red Hat box can require some searching, sometimes you'll see Mandrake, but everything else is completely geek-only.

  13. Re:Telnet on Remote Root Exploit In lsh · · Score: 1
    number of security flaws that have been discovered in qmail (for those sleeping at the back of the class: zero)
    Number of security flaws acknowledged by DJB, you mean? It might hurt your religious feelings, but even the holy qmail is not perfect.

  14. Re:Ill-Informed Juvenile Political Ranting on W3C Objects To Royalties On ISO Country Codes · · Score: 1
    Absent IP rights, open source would not be possible.
    Nor would it be necessary.

  15. Re:...Not a Good Idea (R) on Microsoft "Swen" Worm Squiggles Into Sight · · Score: 1
    Applications can not be run without permissions being set,
    Only means that the action people have to take when they read "please execute this random attachment" is a little more inconvenient. The Linux equivalent of Swen would be a mail supposedly from RedHat Security asking you to install the attached RPM that contains, say, a fix for the recent OpenSSH bug. Social engineering is a very portable concept.

    untrusted scripts or applications can not run as root,
    They can not? I don't trust sendmail, yet it seems to run as root quite fine on a lot of systems.

    and random applications can't grab system-wide resources (like the WSH and Outlook) and start sending out emails.
    They can not? The only thing that would stop anyone from writing a trojan that reads my Evolution addressbook and sends mail to everyone in there is that bonobo is painful to work with. Writing a program that sends mail is trivial, witness the insane number of mailers on sourceforge.

    The Unix world is less attractive for trojan writers because it is smaller, the average clue-factor of its users tends to be higher (fewer casual users, more admin-types), and it's more fragmented, so that a Debian user is less likely to install the pseudo-RedHat-patch. Other than that, there are few real technical reasons.

  16. Re:Huh? on Microsoft "Swen" Worm Squiggles Into Sight · · Score: 1
    Maybe that is one reason why people say this a lot, so that Joe User hears it a lot and knows better next time? Mentioning that MS has never, and will never, send patches via e-mail has become a kind of reflex for me since the (originally badly done) "Important security update" mails started, just like repeating "don't open any attachments you didn't expect getting".

    On the other hand, some people really are stupid. Some guys I know that got infected run pirated copies of some Windows OS. How likely is it that Microsoft sends patches to people that they don't have a contract with, that they don't even know about? And how likely is it that they'll send 30 mails with varying senders and subjects? (I had about 700 Swen mails when I first saw them, from about one day. I really think it's unlikely that anybody only has gotten one, although it could of course happen.)

  17. Re:BSD is a Linux. Sort of. on Lobbying For Linux · · Score: 1
    I know, some BSD fans may dislike it. But in many cases it's really easier to approve "Linux in general" and later specify that sometime it can be BSD :)
    Indeed. I'm a BSD lover, user, and contributor, and yet I will support each and any initiative that is pro-Linux, even if I do not see any reason to use Linux myself, personally.

    Most facilities won't ever consider using BSD. Get over it. All that would have to be sold on open standards and stability versus vendor-lock-in first, so people who won't accept Linux will most likely never even consider upgrading to BSD. Once you have educated your customer enough that they value stability, conformance to open standards, and real-world performance more than marketing hype, they are ready for a BSD solution, but most aren't, so Linux is the lesser of evils.

  18. Re:Lobbying w/out FFS europe? on Lobbying For Linux · · Score: 1

    Looks reasonable. I guess I will. Thanks.

  19. Re:Lobbying w/out FFS europe? on Lobbying For Linux · · Score: 1
    Why you have to follow entire "fsf mantra" to fight software patents? If you see that software patents are dangerous and to be opposed, then cooperate with EVERYONE who share that view.
    I do. I support the FSF Europe where I can and where I think that it makes sense. I signed the online petition against software patents, and have been present at the demo in Brussels. However, if I have learned one thing about politics, it's that you'd better have a huge organization behind you if you want to make a point, and frankly, the FSF is not my organization, even if our views overlap to a degree that makes collaboration sensible in a lot of cases. I just wonder if there is another organization that would suit me better.

  20. Lobbying w/out FFS europe? on Lobbying For Linux · · Score: 2, Interesting

    Being unemployed (hence having lots of free time), living in western Germany (hence being able to travel to Brussels easily) and being a free software supporter, even with some experience in political work (from being a students representative of various kinds back when life rocked), I'd like to contribute to effective lobbying in the EU. However, the only really serious EU-wide organization seems to be the FSF Europe, and I happen to disagree with the FSF on some major points. (And there's Attac, which I happen to disagree on more points with.) There doesn't seem to be any organized forums for European FLOSS supporters outside the FSF Europe right now, or is there? Maybe something more "Open Source"-related? Is there a way for someone whose experience ranges from writing code over writing press releases to organizing demonstrations and legal help for demonstrators to throwing yoghurt at malevolent policemen to effectively contribute, without having to adopt the FFS mantra?

  21. Random Trivia on eBay Exec. Boasts About Lack Of Users' Privacy · · Score: 4, Informative
    According to German police, about 50% of internet-related crimes in Germany are related to eBay or other online auctions; mostly vendors that take your money but never ever send you anything for it. They also mentioned that the rate of reported incidents that are being successfully brought to court is about 100%, but that a lot of people just won't report it to local police because they think that it's not worth the hassle, thereby letting the criminals get away with it.

    If you grok German, read the related item on heise news.

  22. Not True on Groklaw Sends A Dear Darl Letter · · Score: 1, Interesting
    Proprietary software companies regularly file lawsuits against each other for copyright infringement, patent and trademark violations. Microsoft has been found guilty recently in several cases, but despite the fact that the GNU Project was begun in 1984 and Linus Torvalds began the Linux kernel in 1991, there has never been a claim of copyright infringement that we know of in all those years, let alone a finding of guilt.

    There was a case where some RedHat employee submitted BSD licensed code to the Linux kernel without following the license, i.e. he claimed to have written it himself instead of including the original copyright notice as demanded by the BSD license. Here is the corresponding Slashdot story.

    While this was pretty ugly, it has been resolved quickly. So, while it is incorrect to say that there "has never been a claim of copyright infringement", you cannot blame anyone for not dealing with it properly. SCO could have had the same proper treatment, if they only had told people what code exactly would be the problem, but until now, they refused to.

  23. Re:Overrated in a way on Plasma Comes Alive · · Score: 1

    This "point in time" would only be meaningful if you would find a definition of life that anybody would agree on. You probably won't. There isn't even consensus on what exactly the beginning and end of the life of a person means. Just think about viruses (the ones you don't read about on bugtraq), they do have DNA, but no real metabolism - are they life forms?

  24. Re:Stop worshipping Sun already on Java Desktop System Rivals XP, OSX in Usability · · Score: 2, Insightful
    Sun takes open source software they haven't programmed
    Hm, let's see. There's StarOffice, which they have not programmed, but simply bought, and then released to the Open Source world as OpenOffice. Then there is Gnome, which they also haven't written themselves, only most of atk, some contributions to various libs all over the place from Pango to Gnome-UI, a lot of documentation and testing came from them. And there are things like NFS/NIS/PAM, which aren't directly relevant for the desktop, and the Linux versions tend to be rewrites based on their open specs, so that only their research and design directly helped the Linux world. So yes, I guess you are technically correct.

  25. Re:This is only for Java apps? on Java Desktop System Rivals XP, OSX in Usability · · Score: 3, Interesting

    Sun recently started to use "Java" the way MS used to use ".NET", i.e. as a marketing term for anything new they released, whether it has anything to do with Java/.NET or not, technically.