How hopeful are you that Microsoft can be coaxed into making IE standards compliant? What exactly do you think Microsoft's motive was in not supporting HTML 4.0 completely?
Shareholders are very reluctant to initiate actions against management even if they are doing very badly: nothing like angry shareholder action to make the price of shares bottom out. The threats to badly performing management tend to come from hostile bids for the company, which aren't often made against monopolies.
On the copyright law: not necessarily, as the recent Linux Journal article argued. US law allows that free speech can override copyright. In the words of that article:
In U.S. law, it is a well-established tradition that the rights of copyright holders are not absolute, and that occasionally they must take a back seat to broader considerations of public welfare. This is precisely the line of thinking that holds the publishers of the Pentagon Papers, secret U.S. Defense Department papers regarding the Vietnam conflict, immune to prosecution under U.S. copyright law. Had the publication of the Pentagon Papers been suppressed, the U.S. presence in Vietnam may have been prolonged, and thousands more would have died in a war that, the Papers conceded, could not possibly be won.
Did anyone else find this claim of Tim's surreal? Microsoft *broke* so many existing, widely adopted industry standards (like TCP!) when they suddenly decided they needed to get in on the internet game.
Konstant, thanks for taking part in the discussion. I have a few questions that you might be able to answer about the Kerberos extension.
Did folk at Microsoft talk about how they thought the Kerberos extensions would be received in either the security/academic community, or in the developer community? One of Bruce Schneier's points about the Kerberos extensions is that a changed security protocol simply doesn't inherit the trust of its parent. Trying to keep the protocol secret had the predictable-from-the-outside consequence of losing the already thin trust of the security community. Did anyone talk about this in Microsoft?
What you say about the internal culture at Microsoft strikes me as fair and true. I have several colleagues who work at various MS research labs, and all of them have been very flattering about the high quality of staff at MS. However a darker side emerges about the arrogance of the MS world: the long list of protocols broken by MS owes more to developers within MS simply not being interested in finding out how things were done by developers outside MS than to deliberate attempts to undermine standards (though that too has indubitably happened). Is this unfair? If it is, I think it is quite appalling.
Rob's post I would say is motivated by the desire not to establish a precedent of pulling posts. Once he has done that, then slashdot can be said to exert editorial control over the contents of posts on slashdot, which exposes it to libel/slander lawsuits, etc. Bad place to be.
1. RFC 2309 describes the need for some kind of proactive congestion control to deal with protocols that do not implement any kind of backoff. This proposal spawned a whole lot of research into testing for fairness. Sally Floyd, one of the authors of the RFC, has the slides (PS) for a talk which gives a good basic overview of the issues.
2. A standard for congestion control is proposed in RFC 2481. It is easy to spot abuse by end users who claim to comply with this proposal.
I'll ask about the blacklisting and post here when I have some references.
The method described to me was based on timing the period between outgoing packets: it did not depend upon seeing the ack packets. This kind of traffic analysis was made necessary by the MBONE multicast protocol, which was built on top of UDP (which does not do the same kind of binary backoff that TCP does): if there are widely deployed protocols that do not respect binary backoff, then the network really would grind to a halt, and so some external method of `niceness checking' is required.
Cisco make routers that do the necessary tests to spot abuse. It's worth noting that the consequence of being blacklisted is not having your service blocked altogether, only that intermediate routers will have to route around the routers that drop your packets: it will spoil your performance but not interrupt it. Remember that IP makes no assumptions about packets actually arriving. Yes it can be abused: but we knew that anyway, and it's much harder to do that than the DDoS attacks.
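As an added illustration (not from the post, and not any router vendor's algorithm), a toy version of the check described above: it judges a flow only from the timestamps of its outgoing packets and the times the router dropped one of them, never from ACKs, and flags a sender whose packet spacing does not grow after a loss. The window size and growth factor are assumed parameters, and the flows are constructed sample data.

```python
"""Simplified router-side 'niceness check' (constructed illustration).

A cooperating sender reacts to a dropped packet by backing off: its
sending rate falls, so the spacing between its outgoing packets grows.
A sender that ignores loss keeps the same spacing. This checker works
only from a flow's outgoing timestamps and the router's own drop times.
"""
from statistics import mean


def mean_gap(times):
    """Mean spacing between consecutive timestamps (None if fewer than 2)."""
    if len(times) < 2:
        return None
    return mean(b - a for a, b in zip(times, times[1:]))


def backs_off(send_times, drop_times, window=5, factor=1.8):
    """True if, after every drop, the flow's inter-packet gap grows by at
    least `factor` relative to the gap just before the drop (assumed
    thresholds). Drops without enough surrounding packets are skipped."""
    for d in drop_times:
        before = [t for t in send_times if t < d][-window:]
        after = [t for t in send_times if t > d][:window]
        g0, g1 = mean_gap(before), mean_gap(after)
        if g0 is None or g1 is None:
            continue  # not enough data around this drop to judge
        if g1 < factor * g0:
            return False  # rate did not fall after a loss
    return True


def simulate_sender(n, gap, drops, respects_backoff):
    """Generate send timestamps for `n` packets. After each drop the
    cooperating sender doubles its spacing (binary backoff); the greedy
    sender keeps the original rate regardless of loss."""
    times, t, pending = [], 0.0, sorted(drops)
    for _ in range(n):
        while pending and t > pending[0]:
            pending.pop(0)
            if respects_backoff:
                gap *= 2
        times.append(t)
        t += gap
    return times


def classify(send_times, drop_times):
    return "cooperative" if backs_off(send_times, drop_times) else "flag: no backoff"


# Constructed flows: the router drops one packet at t=10 and one at t=30.
DROPS = [10.0, 30.0]
TCP_LIKE = simulate_sender(40, 1.0, DROPS, respects_backoff=True)
GREEDY = simulate_sender(40, 1.0, DROPS, respects_backoff=False)

if __name__ == "__main__":
    print("tcp-like:", classify(TCP_LIKE, DROPS))
    print("greedy  :", classify(GREEDY, DROPS))
```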
Proof? You could ask Cisco I suppose. If you're willing to put up with less than proof look at all the IETF discussions about the MBONE protocol. I'll have a look around and see if I find any online articles about testing for backoff.
Jannotti says that there is nothing to stop a user ignoring the `niceness' constraints in TCP: actually the strategy suggested will get you blacklisted on quite a few routers, which means it will simply drop all packets originating from your IP address. The routers use standard traffic profiling tools to spot just the kind of tricks Jannotti describes.
To plug some work done in my department, Azer Bestavros has done some nice work on network profiling: the idea I liked most was a way to make the TCP binary backoff work better by grouping together similar packets: this can be done entirely end-to-end, and really gets big improvements in overall performance. See in particular the paper `QoS Controllers for the Internet'.
How do the links work? I am familiar with http links in PDF, what other kinds are there? It seems to me that PDF can't assume much about the environment in which it is running: if PDF could be made to run a shell under UNIX I'd be interested to know the details.
Yes, it's a programming language but it has very limited I/O or system call facilities. It would be an impressive coding-with-limited-resources feat to write a virus in it. Has anyone ever thought about how you would do it?
The only Turing complete languages I ever run directly as an attachment from mutt are Postscript and PDF. Would it be *possible* to write an email virus in either of these? Sounds like a challenge to me...
I don't know NT, but aren't there administrators able to change people's levels of security, add users, delete users, etc.? Once you have such administrator powers then effectively you have root exploits. If not, then how are user permissions handled?
To be quite extreme, opening specs to obsolete hardware is illegal.
That's too extreme: company officers are given pretty much complete freedom to decide how to pursue shareholders' interest: if they think that the goodwill created by opening specs is a good investment, that's their call. Also, in the UK at least, it isn't illegal not to pursue shareholder profit. Instead shareholders have the right to kick out executives they don't think are doing well.
A good point, but it only applies to attracting new customers. Existing customers aren't going to change to Linux just because it is free: what might make them switch is if SCO stopped developing their own brand UNIX. I'm sure that thought must have entered their heads when they were thinking out their new strategy...
Re: Experience with MySQL with Critical Role (on Why Not MySQL?)
One might mistakenly get the impression that there is some information in the above post. Let's have a look.
A UK ISP has used MySQL in a mission critical application - but you can't say which one.
There's lots wrong with the article - but you can't be bothered to explain.
There's lots right with MySQL: in fact a whole list of uncontentious points.
Why did you spend 32 lines of typing-effort on your post?
Try this: if you are running a large database with lots of updates to information, where the content of those updates can depend upon the results of previous queries, and where you care about the meaningfulness of the data, then MySQL isn't even an option.
And, arguably, for very good reason. Not that I think that particular argument is correct, but it is a compelling argument, and many will think that. It's hard enough to make sure that security is air-tight for the areas where it's required without trying to make sure it is air-tight ONLY where it matters.
Got to disagree: I think you can't get security right unless you make distinctions between levels of security. If you try to make everything an organisation does operate at the highest level of security, then people's day to day antipathy for the tiresome bureaucracy involved will make them conspire against the security measures: as is happening with this Ask Slashdot.
On the other hand, they have asserted copyright on the contents of the document, and have taken `effective measures' (in the language of the DMCA) to restrict access to it. So isn't the kind of measure you propose infringement of the DMCA?
Charles
Re: Applications being rejected (on Who Owns Dmoz?)
Tough though it sounds, I think it is right that 90% of eager volunteers are told: `go away, we don't want your sort here'. Eager volunteers who can't spell, don't see why pr0n sites shouldn't go in Reference/Education/K_through_12, and delete any and all sites that annoy them, well, they are worse than useless.
The real difficulties aren't to do with open access, they are to do with transparency of decision making and the possibility of abuse from on high.
Still, I've got to say your case is a bit surprising. How many of the sites you submitted were competitors' sites?
As I said in my above post, the ODP can be forked...sort of. The data is free, but the source code for the server is very much behind closed doors.
There is code for ODP like servers out there: POD comes to mind, amongst other tools that can easily be found.
But recreating a new system to allow editors to work on the directory is much harder, and I would be somewhat happier if that kind of forking was made easier. More in line with what ESR said about making forking easier being the best insurance against proprietary abuse. So: liberate the server source!
Good point. IANAL and I don't think the LinuxJournal author is either...
BTW, wasn't it Rob Malda, not Roblimo?
Oh really? What makes you say that, I wonder?
I don't get this criticism. Isn't security innately an `all or nothing' affair?
this one at all:
A modular IP4 stack. Linux -should- be capable of running as an IPv6-only system.
Why?
so that you could be `right' about something? Try looking up dada, Lettrism, Situationism, Pop art, `The Plagiarist Manifesto' in an art encyclopaedia...
Charles (editor cas)