Forcing governments to use open source is a Bad Thing.
I believe that the mark "Bad Thing" (tm) can only be legally applied to things which are undesirable.
Governments using open source falls (if I'm not mistaken) squarely under the label of Good Thing. Not only are the standards available for public scrutany, but so are the innards. That could very well fall under "freedom of information".
Open source is certainly no less secure than proprietary under any account. Security by Obscurity only delays the problems until they get out of hand. Msft has testified under oath that windows is so insecure that making the source public would be a threat to national security.
What our country needs more than anything is more of that! </sarcasm>
Honestly, it sounds like an undeseriable medical condition. The last thing you want your proctologist to tell you is that you have a messy case "O. Vorbis" in your lower intestines.
Compare that with the nice clean sound of DivX or MP3, and PNG. Convincing the Moronic Masses to change is all about marketing. Immagine Sony's big relase of their new "VorbisMan". Yeah. They need a new name if they want it to become popular.
it's the only key sequence that can't be trojaned away.
Well, can't is a strong word. It's harder, yeah, but it can be done; you just have to trap it at a lower level. It can be done with the NT core at least (2K, XP, etc.) if your trojan intercepts the keystrokes more or less the same way a device driver would. It's a bit more complicated than it sounds, but totally possible.
After working on computers for 8hrs+ a day I don't feel the desire to go home and code some more.
There's a fine line between doing what you like and liking what you do.
How many professional sports players do you think don't enjoy playing a friendly game at the park with their friends when they're not "at work"? Some people love the game, some people just play the game. The same principle applies just about everywhere.
To a real hacker, programming isn't about writing code, it's about solving problems. And when solving problems is your passion, chances are you probably do it at home too.
When my day's work is done, I work on my car, I build R/C airplanes, I tweak my wirless networks I solder things on to my computer, and yes, I write programs. And somewhere in there I have an exciting social life too.
I like building things, and I love learning. Writing code, reading manuals; It's all a means to an end.
If you come across someone who enjoys writing code when he's not getting paid for it, chances are you're dealing with more than just a technician. This is the stuff that hackers are made of.
Now the question is, do you want a hacker working for you? Hackers can be tough to work with if you don't provide challenging projects, and absolutely impossible if you give them secretary-style assignments. But if you have difficult problems to solve, they can be invaluable.
He's right, you know, about the virtue of having a community of lawyers. It makes all the difference.
When you're doing anything big, there are basically two types of participants: those who are lawyers and those pay lawyers. If you can fight a legal battle for free while your opponent is fighting at $500/hour, you'll generally last longer than him.
There was a story run on eWeek many moons ago which compared the more popular DB engines in real-world applications. MySQL performed incredibly well, holding its own against Oracle, and soundly trouncing the likes of DB2 and SQL Server. MySQL proudly touted this independant study as indisputable proof that they ruled the RDBMS world.
But when it comes right down to it, MySQL is a niche player. It's niche, luckily, is the average consumer. It's a very well designed DB, but it was built for speed, not combat.
Don't pretend that it's something it isn't. Don't bash it for not being something it wasn't ever designed to be. Don't try and convince me that it's no good because it doesn't yet have features I don't need.
Oracle is a tank, MySQL is a sedan. I don't drive a tank. I don't need to. You may work where you need to drive a tank, but that doesn't make it any more appropriate for what I do. If you need that added benefits that only a tank can provide... well then I hope you can afford one. They cost a lot of money to own and to operate. MySQL is free, it works very well, it's surprisingly reliable, and it does what almost everybody needs.
Instead of asking, "How long did it take for it to get fixed", we should be asking, "How long until it is widely enough deployed such that exploit writing becomes unprofitable?"
Not so. I honestly don't care whether or not you get cracked. Whether or not your system is patched has no bearing on how useful the OS/application is to me.
While "How long did it take for it to be fixed" is a rather useless figure, It's still quite closely tied to the only important question: "How long did it take before I could patch my system(s)?"
As another observant reader pointed out, writing an expoit will always be profitable. Worms like Nimbda have been around for a year, and the funny part is they use exploits that have been "fixed" even longer. There are still quite a few computers out there that haven't patched the IIS unicode exploit.
Alerting the world of an earth-shattering discovery while at the same time systematically withholding proof that what you're saying is correct simply can't work.
Let's say I could build a practical quantum computer and wanted to alert the industry in time to allow them to launch a multi-trillion dollar campaign to revamp the world's encryption system before I unleash my discovery upon it. What kind of evidence do you think I would have to provide in order to convince the world to take me seriously?
How many people have announced to the world that they've discovered a mechanism for cold fusion? And how many of those have you actually heard about? In order to get the world's attention, you need something solid--something like a working prototype or a verifiable algorithm. You need to provide enough information to convince a very large number of people that you actually have something--enough information to allow them to reproduce your result.
The question of how to hide the information is quite pointless. The information should either remain perfectly hidden (i.e. say nothing to anybody) or be released all at once. Telling the world about the discovery while at the same time keeping the discovery itself hidden gains you nothing and can cost you a lot if the wrong people start taking you seriously.
Remember, it costs Microsoft $300 to make an XBox, but they sell it for $200. That's why:
The hardware is so good considering the price
They're losing so much money on it
They don't like the idea of people hacking the OS in any way
Keeping the system totally proprietary is more important to them than even the survival of project
They intend to make money on the games, not on the box itself. They're paying for 1/3 of the box, so they want to keep tight control over what you can do with it.
For reference for those who question the numbers, I got them from a MS programmer: Their employee purchase plan allows them to buy software at a Huge Discount. Their is no discount on the XBox; though they jokingly say you can buy it at cost if you really want to.
The question is, is the government really enforcing these regulations? Since they're not written anywhere, they would have a hard time bringing up a case against an airline which refused to comply.
I think that requiring airline passengers to identify themselves is a good thing, and I'd think that airlines have the right to refuse to serve customers who won't supply identification.
Is there anything wrong with the government suggesting that airlines require identification, and then the airlines incorporating that suggestion into their policy?
The bottom line, I think, is that if it's an unwritten regulation, it's not really a regulation. Word-of-mouth policy doesn't hold up in the courts.
Furthermore, the airlines are not really preventing you from travelling without identification; they're preventing you from using their vehicles without identification. I've flown with a dangerous weapon (a 4-inch knife) before, but I flew in a private aircraft. It was cheper and faster than going through a public airline. Didn't even have to go through a metal detector.
There's a fine distinction between not letting you fly with a major airline and not letting you travel cross-country. Comparing the airlines' policies regarding their own vehicles to the nazi-style "papers please!" checkpoints is really not fair.
While I think Mr. Gillmore has a good point, I don't think he's going to win this one. As long as the government has no official written policy on the matter (which apparently it doesn't), it's really a fight between the passenger and the airline, rather than the passenger and the government. And the airline's probably going to win.
> Netscape 4 users can go fuck themselves, though.
Thanks for your gentle advice, how thoughtful of you. The arrogance of the Web designers never ceases to amaze me.
It's a frustration that every web developer understands. I can design a web site using galeon, making sure to follow w3c standards; and when I'm done, it will display perfectly in konquerer, mozilla, ie and even lynx. But it will not display correctly using ns4. The reason being: Netscape 4 is broken! Some pages will have cosmetic problems, others will be completely unreadable. In order to fix it for ns4, I often have to mangle the code to the point that it no longer displays correctly under any other browsers.
Pretend for a moment that I decided to come out with a new x86 processor, but screwed up the interpretation of about 5% of the op codes. Still, I sold it really cheap and got it into, say, 2 or 3 OEM's computers. It might be popular and people may depend on it (and with the right assembler, you may even get it to work right) but developers would HATE it because it was broken.
Sure, a developer could skirt the problem by avoiding certain instructions, making his program "compatible," but limiting your program's functionality to support a broken system sucks. The correct response is to say (loudly), screw the people with the broken systems, we're following the spec whether it works on your box or not.
That is, in fact, the position I've taken toward ns4, and I'm not going to change my mind just because your browser's broken.
For every 3 bits of FUD you post about Microsoft, you must either... [-- irrational demands edited --]
I am a strong believer that nothing good ever comes from FUD. FUD consists almost exclusively of lies designed to mask the usefulness of a product; usually so that it can be replaced with an inferior one. Any product should survive on its merits alone: survival of the fittest should exist on the product level, rather than the producer.
So if you see any inaccurate comments regarding a Microsoft product, the appropriate response would be to correct them. But accusing others of using FUD tactics when you have no real evidence of such is, in fact, a FUD tactic in itself.
My own understanding of Palladium is limited: I've read the reports, and I have a friend who's a programmer for Msft working on the project. He seemed very excited about the project, saying that it was designed to revolutionize the server industry: for the first time Microsoft would have an implementation that could back up their security model (which is not that bad, mind you). He was certain that it would replace all other OSes on its merits alone.
What I've heard since, though, (from both sides of the fence) doesn't impress me. I can't find anything it gives me that I would want. Furthermore, I see many of its "features" as obstacles that would decrease my computer's usefulness.
If you have any evidence at all that could give me any hope for the new OS, I'd love to hear it. I don't want to be tricked into thinking a useful product is worthless, but at the same time, I don't want to be tricked into thinking that a worthless product has some value.
did you perhaps go through the tutorial? the blender interface is amazing for its job
Even vi's interface is easy once you've learned how it works. It took me three days to figure out how to select an object in Blender. Compare that to the mere 2 hours it took me to figure out how to select text in vi.
Anyone can make a functional interface, but a good interface is one that is easy to both learn and use.
I don't think that blender's interface is deficient as far as features are concerned, but I do think it could be greatly improved. The tutorial only does so much.
It's exactly the same as if I had a magazine delivered to my house, and hired someone to cut out all the ads and replace them with other ads. It's none of the magazine's business if I do that, and it's none of anyone else's business if I choose to use Gator.
I don't agree: Gator modifies the site before the customer gets to view it, and generally without the customer's permission or even knowledge. It's more like someone going to the newsstand and pasting their own customers' ads over the ads in the local newspaper before the customer buys it.
But it does bring up an interesting point:
If what Gator is doing is legal, would it still be legal for them to pay your ISP to replace all the ads that travel down your pipe with their own? Even if they did provide a way to "opt out" and see the original ads? I don't think there's a real difference between such a scheme and what they're doing right now.
Obviously, it would be illegal to break into a company's server, replacing their adds with your own. Likewise, hijacking all outboud connections from a server for the same purpose would not be legal either.
On the other hand, there's nothing wrong with telling Galeon to not load content from doubleclick.net. I don't even see anything wrong with firewalling ad companies out of my network completely. I think doing so is no different that the way I throw away the classifieds before even opening the newspaper.
I think the real difference lies in selling ad space on someone else's page.
Windows printf of death
on
Pet Bugs?
·
· Score: 4, Interesting
Here's a simple program with some unexpected consequences. It works only on windows NT-based systems, including XP.
To get the full effect you have to run it by double-clicking on the icon, rather than from a DOS prompt. If you want one you can run from a command prompt, replace the printf above with:
while (1) printf(" \b\b");
An infinte loop isn't quite as elegant as a single statement that wreaks havoc on your system, but it's still simple enough. In order to generate the "desired" result, you have to backspace beyond the first character of the terminal window, then output a printing character to the left of the beginning of the buffer. Apparently cmd.exe doesn't check for this condition, and triggers an error in a system-critical process.
I remember Microsoft bragging about how DOS programs run in their own virtual machine, so a mis-behaved DOS app can't crash your computer. I think this example here is proof-positive to the contrary.
If anybody has any more technical information about the cause (and possibly history) if this bug, I'd love to hear it.
What's it do? Oh, yeah, it reboots your computer. No shutdown, no warning. Just like hitting the power switch.
And aren't you glad you paid over $1000 for MS server software that can be rebooted by any user who executes a 4-character printf?
There may be solutions that you just don't know about.
When I was working at IBM research, we always used a customized in-house distro whenever we installed Linux on one of our machines. It was just a modified RedHat, but it was indeed modified.
The reasons why we did so were (a) it installed automagically over the network--no CDs required, (b) it installed all the stuff that we used internally, like Tivoli for backups, and (c) it installed settings and patches customized specifically for the model of IBM computer you were using.
They've put a lot of effort in making Linux work on their computers, but since you're dealing with such a huge, loosely connected corporation, it's quite possible that many of the patches and fixes haven't made it out of the company. I think this is particularly true with older models or with patches which they may consider too unstable for public consumption.
A noticable portion of the in-house distro we were using was untested and sometimes contained more bugs than most IBM customers would tolerate. I think they like to keep these things within the company until they know it works.
"'We'd be happy to teach Microsoft how to remove Windows Media Player from Windows if they need to,' Sheeran said."
My mind exactly.
And another gem:
"But he [Madnick] guessed that the change could make Windows '100 to 1,000 times more bloated.'"
I can't imagine how taking out IE and WMP would make the core Windows 2004 components take a whole Terabyte! No one but Microsoft could actually make good on that sort of dismal prognosis.
Slashdot Mirror
I believe that the mark "Bad Thing" (tm) can only be legally applied to things which are undesirable.
Governments using open source falls (if I'm not mistaken) squarely under the label of Good Thing. Not only are the standards available for public scrutany, but so are the innards. That could very well fall under "freedom of information".
Open source is certainly no less secure than proprietary under any account. Security by Obscurity only delays the problems until they get out of hand. Msft has testified under oath that windows is so insecure that making the source public would be a threat to national security.
What our country needs more than anything is more of that! </sarcasm>
Honestly, it sounds like an undeseriable medical condition. The last thing you want your proctologist to tell you is that you have a messy case "O. Vorbis" in your lower intestines.
Compare that with the nice clean sound of DivX or MP3, and PNG. Convincing the Moronic Masses to change is all about marketing. Immagine Sony's big relase of their new "VorbisMan". Yeah. They need a new name if they want it to become popular.
Well, can't is a strong word. It's harder, yeah, but it can be done; you just have to trap it at a lower level. It can be done with the NT core at least (2K, XP, etc.) if your trojan intercepts the keystrokes more or less the same way a device driver would. It's a bit more complicated than it sounds, but totally possible.
There's a fine line between doing what you like and liking what you do.
How many professional sports players do you think don't enjoy playing a friendly game at the park with their friends when they're not "at work"? Some people love the game, some people just play the game. The same principle applies just about everywhere.
To a real hacker, programming isn't about writing code, it's about solving problems. And when solving problems is your passion, chances are you probably do it at home too.
When my day's work is done, I work on my car, I build R/C airplanes, I tweak my wirless networks I solder things on to my computer, and yes, I write programs. And somewhere in there I have an exciting social life too.
I like building things, and I love learning. Writing code, reading manuals; It's all a means to an end.
If you come across someone who enjoys writing code when he's not getting paid for it, chances are you're dealing with more than just a technician. This is the stuff that hackers are made of.
Now the question is, do you want a hacker working for you? Hackers can be tough to work with if you don't provide challenging projects, and absolutely impossible if you give them secretary-style assignments. But if you have difficult problems to solve, they can be invaluable.
When you're doing anything big, there are basically two types of participants: those who are lawyers and those pay lawyers. If you can fight a legal battle for free while your opponent is fighting at $500/hour, you'll generally last longer than him.
But when it comes right down to it, MySQL is a niche player. It's niche, luckily, is the average consumer. It's a very well designed DB, but it was built for speed, not combat.
Don't pretend that it's something it isn't. Don't bash it for not being something it wasn't ever designed to be. Don't try and convince me that it's no good because it doesn't yet have features I don't need.
Oracle is a tank, MySQL is a sedan. I don't drive a tank. I don't need to. You may work where you need to drive a tank, but that doesn't make it any more appropriate for what I do. If you need that added benefits that only a tank can provide... well then I hope you can afford one. They cost a lot of money to own and to operate. MySQL is free, it works very well, it's surprisingly reliable, and it does what almost everybody needs.
Not so. I honestly don't care whether or not you get cracked. Whether or not your system is patched has no bearing on how useful the OS/application is to me.
While "How long did it take for it to be fixed" is a rather useless figure, It's still quite closely tied to the only important question: "How long did it take before I could patch my system(s)?"
As another observant reader pointed out, writing an expoit will always be profitable. Worms like Nimbda have been around for a year, and the funny part is they use exploits that have been "fixed" even longer. There are still quite a few computers out there that haven't patched the IIS unicode exploit.
Let's say I could build a practical quantum computer and wanted to alert the industry in time to allow them to launch a multi-trillion dollar campaign to revamp the world's encryption system before I unleash my discovery upon it. What kind of evidence do you think I would have to provide in order to convince the world to take me seriously?
How many people have announced to the world that they've discovered a mechanism for cold fusion? And how many of those have you actually heard about? In order to get the world's attention, you need something solid--something like a working prototype or a verifiable algorithm. You need to provide enough information to convince a very large number of people that you actually have something--enough information to allow them to reproduce your result.
The question of how to hide the information is quite pointless. The information should either remain perfectly hidden (i.e. say nothing to anybody) or be released all at once. Telling the world about the discovery while at the same time keeping the discovery itself hidden gains you nothing and can cost you a lot if the wrong people start taking you seriously.
Remember, it costs Microsoft $300 to make an XBox, but they sell it for $200. That's why:
- The hardware is so good considering the price
- They're losing so much money on it
- They don't like the idea of people hacking the OS in any way
- Keeping the system totally proprietary is more important to them than even the survival of project
They intend to make money on the games, not on the box itself. They're paying for 1/3 of the box, so they want to keep tight control over what you can do with it.For reference for those who question the numbers, I got them from a MS programmer: Their employee purchase plan allows them to buy software at a Huge Discount. Their is no discount on the XBox; though they jokingly say you can buy it at cost if you really want to.
I think that requiring airline passengers to identify themselves is a good thing, and I'd think that airlines have the right to refuse to serve customers who won't supply identification.
Is there anything wrong with the government suggesting that airlines require identification, and then the airlines incorporating that suggestion into their policy?
The bottom line, I think, is that if it's an unwritten regulation, it's not really a regulation. Word-of-mouth policy doesn't hold up in the courts.
Furthermore, the airlines are not really preventing you from travelling without identification; they're preventing you from using their vehicles without identification. I've flown with a dangerous weapon (a 4-inch knife) before, but I flew in a private aircraft. It was cheper and faster than going through a public airline. Didn't even have to go through a metal detector.
There's a fine distinction between not letting you fly with a major airline and not letting you travel cross-country. Comparing the airlines' policies regarding their own vehicles to the nazi-style "papers please!" checkpoints is really not fair.
While I think Mr. Gillmore has a good point, I don't think he's going to win this one. As long as the government has no official written policy on the matter (which apparently it doesn't), it's really a fight between the passenger and the airline, rather than the passenger and the government. And the airline's probably going to win.
Thanks for your gentle advice, how thoughtful of you. The arrogance of the Web designers never ceases to amaze me.
It's a frustration that every web developer understands. I can design a web site using galeon, making sure to follow w3c standards; and when I'm done, it will display perfectly in konquerer, mozilla, ie and even lynx. But it will not display correctly using ns4. The reason being: Netscape 4 is broken! Some pages will have cosmetic problems, others will be completely unreadable. In order to fix it for ns4, I often have to mangle the code to the point that it no longer displays correctly under any other browsers.
Pretend for a moment that I decided to come out with a new x86 processor, but screwed up the interpretation of about 5% of the op codes. Still, I sold it really cheap and got it into, say, 2 or 3 OEM's computers. It might be popular and people may depend on it (and with the right assembler, you may even get it to work right) but developers would HATE it because it was broken.
Sure, a developer could skirt the problem by avoiding certain instructions, making his program "compatible," but limiting your program's functionality to support a broken system sucks. The correct response is to say (loudly), screw the people with the broken systems, we're following the spec whether it works on your box or not.
That is, in fact, the position I've taken toward ns4, and I'm not going to change my mind just because your browser's broken.
[-- irrational demands edited --]
I am a strong believer that nothing good ever comes from FUD. FUD consists almost exclusively of lies designed to mask the usefulness of a product; usually so that it can be replaced with an inferior one. Any product should survive on its merits alone: survival of the fittest should exist on the product level, rather than the producer.
So if you see any inaccurate comments regarding a Microsoft product, the appropriate response would be to correct them. But accusing others of using FUD tactics when you have no real evidence of such is, in fact, a FUD tactic in itself.
My own understanding of Palladium is limited: I've read the reports, and I have a friend who's a programmer for Msft working on the project. He seemed very excited about the project, saying that it was designed to revolutionize the server industry: for the first time Microsoft would have an implementation that could back up their security model (which is not that bad, mind you). He was certain that it would replace all other OSes on its merits alone.
What I've heard since, though, (from both sides of the fence) doesn't impress me. I can't find anything it gives me that I would want. Furthermore, I see many of its "features" as obstacles that would decrease my computer's usefulness.
If you have any evidence at all that could give me any hope for the new OS, I'd love to hear it. I don't want to be tricked into thinking a useful product is worthless, but at the same time, I don't want to be tricked into thinking that a worthless product has some value.
Even vi's interface is easy once you've learned how it works. It took me three days to figure out how to select an object in Blender. Compare that to the mere 2 hours it took me to figure out how to select text in vi.
Anyone can make a functional interface, but a good interface is one that is easy to both learn and use.
I don't think that blender's interface is deficient as far as features are concerned, but I do think it could be greatly improved. The tutorial only does so much.
I don't agree: Gator modifies the site before the customer gets to view it, and generally without the customer's permission or even knowledge. It's more like someone going to the newsstand and pasting their own customers' ads over the ads in the local newspaper before the customer buys it.
But it does bring up an interesting point:
If what Gator is doing is legal, would it still be legal for them to pay your ISP to replace all the ads that travel down your pipe with their own? Even if they did provide a way to "opt out" and see the original ads? I don't think there's a real difference between such a scheme and what they're doing right now.
Obviously, it would be illegal to break into a company's server, replacing their adds with your own. Likewise, hijacking all outboud connections from a server for the same purpose would not be legal either.
On the other hand, there's nothing wrong with telling Galeon to not load content from doubleclick.net. I don't even see anything wrong with firewalling ad companies out of my network completely. I think doing so is no different that the way I throw away the classifieds before even opening the newspaper.
I think the real difference lies in selling ad space on someone else's page.
An infinte loop isn't quite as elegant as a single statement that wreaks havoc on your system, but it's still simple enough. In order to generate the "desired" result, you have to backspace beyond the first character of the terminal window, then output a printing character to the left of the beginning of the buffer. Apparently cmd.exe doesn't check for this condition, and triggers an error in a system-critical process.
I remember Microsoft bragging about how DOS programs run in their own virtual machine, so a mis-behaved DOS app can't crash your computer. I think this example here is proof-positive to the contrary.
If anybody has any more technical information about the cause (and possibly history) if this bug, I'd love to hear it.
What's it do? Oh, yeah, it reboots your computer. No shutdown, no warning. Just like hitting the power switch.
And aren't you glad you paid over $1000 for MS server software that can be rebooted by any user who executes a 4-character printf?
That's assuming that people are travelling in. :)
When I was working at IBM research, we always used a customized in-house distro whenever we installed Linux on one of our machines. It was just a modified RedHat, but it was indeed modified.
The reasons why we did so were (a) it installed automagically over the network--no CDs required, (b) it installed all the stuff that we used internally, like Tivoli for backups, and (c) it installed settings and patches customized specifically for the model of IBM computer you were using.
They've put a lot of effort in making Linux work on their computers, but since you're dealing with such a huge, loosely connected corporation, it's quite possible that many of the patches and fixes haven't made it out of the company. I think this is particularly true with older models or with patches which they may consider too unstable for public consumption.
A noticable portion of the in-house distro we were using was untested and sometimes contained more bugs than most IBM customers would tolerate. I think they like to keep these things within the company until they know it works.
My mind exactly.
And another gem:
"But he [Madnick] guessed that the change could make Windows '100 to 1,000 times more bloated.'"
I can't imagine how taking out IE and WMP would make the core Windows 2004 components take a whole Terabyte! No one but Microsoft could actually make good on that sort of dismal prognosis.