Your example is bad for this purpose, because a real, honest-to-goodness crime is being committed; your company never considered merely unmasking the suspect and internally disciplining them. But there are other cases that have occurred. Suppose someone was merely badmouthing the company, in such a way that they clearly worked inside the company. Companies have been bringing frivolous slander lawsuits against "John Doe"s, finding out who "John Doe" is, then dropping the suit and pursuing internal discipline against the now-unmasked employee. These disciplines are often on the wrong side of legal.
I agree with you 100%. All I'm saying is that in our zeal to prevent wrong applications of the law, let's not also prevent appropriate applications of the law. If, for example, the /. community is able to create a law that makes it illegal for anyone, under any circumstances, to unmask identities on the web, that would create a lot of freedom, but it would also create problems. For example, I could legally threaten to kill you, and you would be unable to investigate whether or not that threat is realistic or false bravado.
Freedom of speech is not unlimited. The unchecked pursuit of it can be exploited, and abused into just as devilish of things as the unchecked pursuit of censorship. Yelling "Fire" in a crowded theatre is illegal because people were hurt by it.
The point? That there has to be a reasonable middle ground. Because the extremes are awful.
if the statements ticking off the company aren't truly illegal, then they have no particular right to unmask these people, and it is this anonymous speech we support: legal anonymous speech.
So do I. Just be careful not to take it too far and legalise things that currently are, and ought to remain, crimes.
I fully expect to get moderated into oblivion for this post, but....
An interesting thing happened at a former job. I used to work for a company that provided capital markets trading services. Someone found a post on a very popular web forum which included information that was *clearly* insider trading information. This is information that could only have come from *inside* the company, and released like this put the entire company in jeopardy with the OCC (Office of the Comptroller of the Currency) and the SEC (Securities and Exchange Commission).
We were under SEC & OCC requirements to track down who posted this thing, or potentially shut down all of our operations. But that wasn't the only pressure. We had an ethical obligation to track this down. A crime was being committed. The ability of this person to continue to post to this forum enabled them to perpetrate a fraud and steal money from our investors. At the time there was not a single reason that I could think of not to try and get this person's identity, and I can't think of a reason now, either. Failure to do so meant that someone (potentially lots of people) lost money (potentially *LOTS* of money).
So, we checked our firewall logs, and found a couple of *possible* leads, but nothing conclusive.
After checking as many internal logs as we could find, we came to the conclusion that we had to get the web forums to give us the email address of the person who registered the account. We called the web site, explained that a crime was being committed and politely asked them to provide the identity of the person who posted the comment. They declined, citing their privacy policy.
This is the point where I no longer have first-hand experience with what happened. But as I understand it, our attorneys drafted a letter to the web site stating that this information was absolutely required. Eventually, the web site backed down and provided the information. The person who allegedly posted the information was arrested.
I post this here because there seems to be a huge number of folks who seem to think that under every circumstance internet anonymity should be retained... and most of the time I agree. But sometimes it can enable crimes and I think we have to be careful about how far we take the demands for internet privacy.
$.02.
Please, commence with the karma draining moderation.
if you are a competent windows system administrator
I am not a competent windows system admin. My users run on samba (thank you very much). I know that samba supports group policies, but I didn't know that I could do this with it.
I know that this is an ignorant question, but I thought I'd ask it anyway. It may have been asked before in other /. articles. If so, my apologies.
In any case, is it true that MySQL AB doesn't ever integrate patches that they receive into their code? If this is true, then I can't help but worry that they're eventually going to try and establish themselves as a free software company, and then, since they are the original (and only) copyright holder, that they will suddenly decide to re-license MySQL under a non-free license.
MySQL was only recently re-licensed under the GPL, so it's not like this company hasn't ever had desires to control this code.
Help me out. Is this an irrational fear? If not, then I find myself glad that NuSphere has forked a copy, and abided by the GPL. I know that it was kinda in doubt as to whether or not NuSphere was going to do this, but isn't this a good thing if only to protect against MySQL AB deciding to relicense to a non-free license?
<disclaimer>
I am not employed by, nor related to, NuSphere or MySQL AB in any way. I'm just a curious user with a stupid question.
</disclaimer>
Personally I'd mod your post up, but I can't so...
In any case, I think you did miss the point that I was trying to make. The point is that forcing the user to download data (either large or small) without respect to whether or not they're going to use it seems prone to create the problems that you are able to fix. That makes your fixes just band-aids. The real problem is a poorly designed architecture that requires you to download everything, even if you aren't going to use it.
And that's not really a function of the file sharing mechanism. That's a function of the way that the underlying operating system provides information to user programs. The windows way is brain-dead. The unix way scales much better.
That only happens if you are an idiot and store everything on your desktop instead of an appropriate place.
True but misleading. The default place that office 2k takes you when you want to save your files? My Documents. Since this is a folder that's on the desktop, it gets stored in your roaming profile. Every user that I have, and I mean every single one of them, stores their files in "My Documents", and I can see why. Not only is it easy when saving, it's also easy when loading. Guess where office 2k takes you when you choose "File->Open".
How is an nfs mounted home directory any different from a windows share that gets mounted when the user logs in?
The difference between roaming profiles and NFS shares is significant. Specifically, an NFS share only requires the user to send data over the network that they are actually going to use. Everything else just sits on the network server until it's needed. But with a roaming profile, the entire profile, whether it will be used or not, gets downloaded every time you log into a computer you haven't used yet. Of course, it gets cached there so that you don't have to do it again the next time. But then when you logout, if you made a change to any part of your profile, the entire profile gets uploaded to the server. Combine this with the fact that Microsoft does darn near everything they can to encourage users to store stuff in their profile, and you end up with roaming profiles being a *huge* drain on the system.
Linux isn't hard to use... it isn't hard for most users. They just need Email, a Word processor and solitaire.
I get a lot of crap from friends when I tell them that my home is Microsoft free. They immediately ask things like, "You do this at home, too? Why?" There are two underlying assumptions in this:
That it's easier to use Windows so when it isn't for work, you'd choose the easier one.
That it'd be easier to get away with not being forced to use Linux at home, where you have a choice.
What I find entertaining about the whole thing is that if you swap all instances of "Linux" and "Windows" you'd get the actual set of assumptions that I have.
Anyway, I can't agree more that Linux is plenty easy to use. Case in point: my wife is a linux user. This might not sound that surprising except that my wife could be the poster child for computer illiteracy. For all of her wonderful attributes, she lacks a basic understanding of how to do anything on a computer that hasn't been shown to her by someone (usually me). But she's a linux user. How can this be? Because I manage the environment for her. I put up an icon that looks like a mailbox, when she clicks on it she gets her email (mozilla mail). I also put up an icon that looks like a world. When she clicks on it, she gets to a web browser (mozilla). She has access to any program that she'd like but I put up the ones she uses most of the time for her, and it all just works.
If my wife can get by this easily, then an office full of workers, who are paid to know how to use a computer, can certainly manage.
I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.
You might be interested in this article titled, "Securing an unpatchable webserver"
I agree that a 15 year old breaking into a world once exclusively held by someone much older, who pursued much more education, is an exception, rather than the rule. But doesn't the fact that this is possible indicate a significant change?
Think about 20 years ago. No one, and I mean no one, would have based their business on the college project of some computer programmer in Finland. But today, Linux is a hopeful toppler of a monopoly!
The point, I think, is that the Internet, by promoting anonymity and encouraging communication, allows anyone who has a good idea, or a persuasive idea, or a popular idea to rise to the top, regardless of their financial backing, geographical location, age, or whatever. The quality of their ideas is what brings them success, not any of these other superficial issues.
While I think that much of the 15 year old stock trader stuff is overblown, the fact that it exists at all can't be reduced to nothing. It is a significant change in the way the world works.
Wow, that's excellent. Can you put up a pointer to your netcat config? I have one machine that is a webserver and it's pretty easy to track CR with it. But I'd like to be able to track on some of my other machines, and I see no reason for adding apache just to track this thing.
I route all traffic coming in on port 80 to/dev/null just so snort can keep an eye on the attacks as they're coming in.
I could be wrong, but I don't think you need to do this. Snort will track this independent of what your firewall is set up to do. Snort operates independent of the IP stack. It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.
So I don't know for sure, but I don't think you need to route your port 80 packets anywhere. I think it'll track it just as long as it gets to your interface.
You might want to consider submitting your apache logs to dshield. This will help keep track of the extent of this problem as well as help to analyze where it may have originated. If the dshield folks can correlate the earliest attacks of the latest variant, they have a chance at finding where this thing originated.
But this does nothing to prevent a user from sending 10^6 SYN packets each of size 10k to TCP port 80. Or 10^6 ACK packets of the same size to the same port. Raw sockets allow that, and more importantly make it difficult to filter a widely distributed attack.
I don't really understand Gibson's jihad on raw sockets, and in general I agree that the risk is overblown, but it's not zero. Even if we do get all the ISPs to do proper route filtering.
The deal with raw sockets seems to be more complex than any of the posts that I've read here.
The deal is that without raw sockets, in order to send large amounts of data, you have to send UDP packets with the data. When creating a datagram socket (i.e. for sending UDP packets), you don't have to get a successful return from connect() prior to sending data. Thus you can just start sending huge packets.
But with a stream socket (i.e. for sending TCP packets), you have to get a successful return from connect() before you can start sending data. Which means that before you can send any data to a server, you have to send a SYN packet, get a SYN-ACK packet back, and then send an ACK packet. Only then will connect() return with a success, and then you can start bombing away at the server with huge packets. But even then if you don't send them in a form that is recognizable by the application, the server will just issue a RST and close down the connection. For example, if your stream doesn't include HELO foobar when you connect to an email server, the server will just disconnect.
Non-raw sockets make it easier to filter out attacks at the upstream provider because they are usually UDP packets which your web application does *not* need. So you just filter them and then you're done with it.
With raw sockets, it becomes *much* harder to filter upstream. With a raw socket, you can create a SYN packet from a random IP address to a web server on port 80. That SYN packet can be 9k long if you want it to be. And it will be to a port that you can't easily filter out. Basically, it makes the DDoS attack much easier and harder to prevent. The attack could come from any IP address, and it will be destined for your web server, which (presumably) you want to keep running. How do you filter out a packet destined to port 80 from possibly anywhere without also filtering out the legitimate connections?
Of course, even without raw sockets, you can still initiate a DDoS attack against a TCP port. If there were fewer script kiddies and more programmers, it would not be that difficult to write a simple program that uses a stream socket, and DDoSes with a well-formed HTTP POST that posts 18MB of data. If the DDoS kiddies were able to program, then that's what they'd do, and they wouldn't need raw sockets to accomplish it.
So while I agree that the addition of raw sockets really isn't that big of a deal, it seems to me that it's a little bit more complex than what I've seen so far.
2. Older content that was not licensed under the newer contracts must be renegotiated for electronic format with the artist. That just means that older content is not likely to make it into newer distribution channels if the artist doesn't agree or can't be found.
What? According to the article, in Tasini, the supreme court specifically addressed removing the content. They seemed to have some amount of concern that "holes" would be created in the historical archive of information, so they required that compulsory licenses be negotiated.
A compulsory license limits the rights of the copyright holder, and prevents them from holding content hostage by refusing to license it at any reasonable fee. What happens is that the copyright holder and the licensee will go into arbitration, which will determine a "reasonable" compensation for the copyright holder.
So the point of the article is that if compulsory licenses are applied to RIAA and napster, then the RIAA loses some of its grip over their copyrights of the songs. Napster users will still have to pay (because compulsory licenses do not alleviate the copyright holder's right to compensation); however, it would prevent the RIAA from holding songs hostage in order to be able to set prices and force out competition.
Putting further restrictions on content flow is not a good thing, even if it is limiting the RIAA.
This doesn't put restrictions on content flow. It specifically puts restrictions on copyright abuse, which frees content flow. This is a good thing, and I hope it works.
Violate the law. Openly. Loudly. Celebrate people who do it and get caught. Maximize the effort required to enforce the law - minimize the impact of getting caught. If you haven't noticed, there are many people doing this.
This is called civil disobedience, and it's a common way to raise the awareness of unjust laws. I agree and applaud this.
BUT... remember, just because you proclaim a law unjust, and violate it in an effort to publicize its injustice, does NOT relieve you of the consequences of violating the law.
So, go ahead and stage your civil disobedience, but be prepared to be arrested, charged, prosecuted, and convicted of a crime.
All of that being said, I applaud anyone who is actually willing to do this for this clearly unjust law. As the sole breadwinner for my family, I cannot afford the risk. The most that I can afford is to contribute to the EFF, and ask my elected representatives for an accounting of how this law can remain on the books.
Weird you say? There's even a precedent for my idea. When you move your eyes, images sweep across them at hundreds of degrees per second - but the world doesn't look like it's moving to you. But if you look at a screen, hold your eyes still, and sweep images at those rates everything looks like it's moving. Why? Because when you move your eye, your brain takes a copy of the eye-motion commands and subtracts that motion from what the eye really sees, resulting in a perception that the world didn't move.
Another example of the feedback loop that you're talking about is this: Take your finger, and keeping your head still, wave it back and forth in front of your face with a frequency of about 2/second. Try and keep focus on your finger. It is difficult.
Now, take your finger and keep it still in front of your face, but turn your head from left to right at about the same frequency as before. You will be better able to keep your finger focused.
Why? Because your brain takes signals from your inner ears saying that your head is moving, and uses this information to help focus your eyes on your finger. But when you just move your finger alone, there's no additional information that you're able to make use of.
"Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music."
Forgive me for being over 30. But doesn't this describe a rave? Big dark room, repetitive electronic music, everyone taking ecstasy?
Careful with that FUD you're slinging around there... Sure Cable has a higher peak bandwidth potential but neither you nor anyone else will ever actualize that potential...
Now wait a minute here, you're slinging some FUD, too.
Cable bandwidth is a shared resource, meaning that 10Mb/s is the most that can be flowing into or out of your neighborhood/apartment at one time. Furthermore, the bandwidth your modem can theoretically support is never the bandwidth your ISP will allocate to your area - typical individual cable connections are capped at around 500kb/s down and many are capped ridiculously low (in the order of 50kb/s) on the up side.
Yes, cable is shared bandwidth between the end user and the cable company's equipment. And yes, DSL is dedicated between the end user and the CO. But all internet services make use of shared bandwidth. So if your DSL provider does not have enough bandwidth from its provider, it will have exactly the same problems that you proclaim only cable modems are susceptible to.
Now, I can't speak for every cable modem implementation. But I can speak about the implementation that I use. They have a total of 30Mb/s bandwidth dedicated to each hub, and a maximum of 500 houses per hub. If they achieve 25% sales of internet access, that's 125 houses sharing 30Mb/s of bandwidth. This is beyond the dreams of the cable company.
I have been monitoring my cable company's connection for over 3 years now by doing a download provided by the cable company every 30 minutes. Between me and the cable company I have never seen any slowdown of bandwidth at any time of the day at all. Now, I have seen slowdowns when connecting to the Internet, but never over the cable infrastructure.
DSL bandwidths, although theoretically lower, are dedicated in the same way as T1 bandwidths are - you well never share that lower bandwidth potential with your neighbor the porn freak, or his friend the MP3 fanatic.
This is just plain false. EVERYONE on the internet shares bandwidth. That's how it's built. You may not share the bandwidth with that person between you and the CO, but beyond the CO it's shared bandwidth. The only interesting question is whether or not there's enough bandwidth available for those who are sharing it.
I can prove, with data, that between my cable company and me, there's plenty of bandwidth. I can't prove, but it seems pretty obvious that the bandwidth that my cable company has purchased to get to the Internet is not enough. But switching to DSL does not necessarily fix that problem. In fact, it could make it worse.
My point: don't buy the hype that the telcos are putting out about cable infrastructure. If you want a great review of the basic differences check out this salon review. It's very good. And it supports the conclusion that the cable infrastructure is, generally speaking, better and faster than the DSL infrastructure.
With cable modems, however, the medium is shared. The best (albeit an inadequate one) analogy is that every cable modem is a workstation on an old thinnet (10Base5) ethernet network, with IP information assigned via bootp.
Actually, this is a better analogy than you think. Most early cable modem technologies were just that: ethernet implemented over 75ohm coaxial cable. Thinnet is ethernet implemented over 50ohm coax. There are a lot of changes now, though with DOCSIS, although the underlying infrastructure is still very similar to ethernet over 75ohm coax.
it's far harder to differentiate one ISP from another.
This is not entirely accurate. The cable companies are quite capable of providing layer 2 differentiation. The way that cable modems implement their signal is to allocate channels from the underlying infrastructure. Yes, the same thing that normally a TV signal would ride over. So downstream data gets sent over one channel, and upstream over a different channel. Thus it takes 2 channels (plus a lot of underlying infrastructure to be able to send the reverse path cable signal) to implement a layer 2 data network in a cable infrastructure. Well, if you want another layer 2 data network that is completely separate from the first, you simply allocate 2 different channels for the up/downstream data flow, and give those channels to the new ISP. Poof! The first ISP's users don't see/know/interfere with the second ISP's users. It's as if they're using completely separate physical networks. Ain't broadband grand?
This is not just theory, it's practice. Where I live, prior to the cable company implementing DOCSIS, they used a proprietary system made by Motorola. Well, in order to migrate to DOCSIS for new customers, and not disrupt old customers, they simply implemented a new layer 2 network on different channels for DOCSIS, and kept the old layer 2 network for the proprietary modems.
If AOLTW is going to provide service for Earthlink, Juno, et al, they'll simply supply two additional channels for each of their "competitors" and let them take care of the rest of it.
This of course puts a limiting factor on the number of different ISP's that can service the cable infrastructure. There is a limited number of channels available on the cable infrastructure, and by far most of them are taken up by standard TV channels, and digital TV channels.
There's a BIG difference between cable and DSL access speeds!
Hmm... my cable modem is capped at 2.0MB/s download. DSL is available at 1.5MB/s download. I would agree with you, if the difference were what it used to be (prior to the cap). It used to be closer to 6-7MB/s download. Since the cap, though, the difference seems pretty small to me.
With that small difference in speed, and due to restrictive appropriate use policies on the cable modem (i.e. no web/email servers allowed), I've been considering switching to DSL. I realize that it'll be slower, but not that much slower, and for the ability to legally run servers, it's something that makes me pause and consider.
The fact that I can make this switch, relatively easily, and say to the cable company that I don't appreciate their appropriate use policy, suggests to me at least that TW doesn't have a monopoly in broadband services in my area. Am I wrong? Should I be concerned?
I read a lot about the M$ trial. I read the findings of fact, the conclusions of law, and the decision on the appeal. Every page. One of the things that I learned is that in order for it to be a monopoly, a relevant market has to be defined. Also, in order to have a monopoly, there must be no easy way for a customer to switch from the monopolist's products or service.
Isn't it reasonable to define the relevant market for AOL Time Warner's cable stuff as the broadband market? If true, then why aren't all the DSL providers already competitors? I currently have a Time Warner cable modem in my house, but I qualify for and can easily switch to DSL.
If this is true, is it really fair to say that AOLTW has a monopoly in broadband services?
There are also bugs associated with straight DNS queries. Go, now, and shut down BIND.
You've never been responsible for administering a secure system, have you? If you have, then you're miserable at it. Read some. I'd recommend "Firewalls & Internet Security" by Cheswick & Bellovin. Or "Building Internet Firewalls" by Chapman & Zwicky. Both of these books describe one of the primary security principles: "least privilege". In short it says, don't allow anything that you don't have to.
If you have to allow DNS queries, then you have to. But just because you have to allow those queries doesn't mean you should also allow zone xfer. It's quite simple arithmetic: the number of security holes in DNS queries is less than the number of security holes in DNS queries + the number of security holes in DNS zone transfers.
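An added illustration of that least-privilege split for BIND 9 (example configuration, not from the original post or any product documentation): queries are answered, zone transfers are refused to everyone except a named secondary. The zone name, zone file path and secondary address are placeholders.

```conf
// Added example: BIND 9 named.conf fragments (placeholder zone and addresses).
//
// Permissive variant: answers queries AND hands the whole zone to anyone
// who asks for it, which is exactly the extra exposure the post describes.
//
// options {
//     allow-query    { any; };
//     allow-transfer { any; };   // one AXFR returns every record in the zone
// };

// Least-privilege variant: answer the queries you must, refuse everything else.
options {
    allow-query     { any; };
    allow-transfer  { none; };   // applies to every zone unless a zone overrides it
    recursion no;                // authoritative-only server: no recursion for the world
};

// Only this zone's own secondary may pull a transfer; notify it on changes.
acl secondaries { 192.0.2.53; };          // placeholder secondary nameserver address

zone "example.com" IN {
    type master;
    file "/etc/bind/zones/db.example.com";   // placeholder zone file path
    allow-transfer { secondaries; };
    also-notify    { 192.0.2.53; };
};
```

To confirm the split on your own server, an AXFR request from the secondary should return the zone, while the same request from any other host should be refused, and a normal query should still be answered from both.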
This is like a store with a "closed, come back later" sign vs. an "open" sign. Are people made criminals for looking at a closed store in your world?
No, but when people come poking at my alarm system to see what happens, especially when they have no reason for doing it, I can't help but assume that they're trying to figure out my weaknesses for some other reason.
Your analogy is colossally bad. It assumes that you can look at my computer without it impacting my computer. In the store analogy, you are of course correct: simply looking at the store to see if it's closed is not criminal. But looking at my computer requires that you actively use bandwidth that I PAID FOR, and make use of computing equipment that I PAID FOR. You are already impacting my expenses. You should have *no* expectation that I'm providing DNS zone transfers, therefore you should not go looking. You should also not probe my syslog ports, nor my printer ports, nor my RPC ports.
Looking to see if the store is closed is one thing. Peeking through the window to see where the safe is kept is another thing altogether.
The average Internet user has no idea that you are offended when they connect to port 31337 because they were trying to get to some high-port FTP site, but they can infer from the connection refusal that there is nothing there for them.
You are an id10t. 31337 is the TCP connect port for Back Orifice. 27374 is the TCP connect port for SubSeven. These are remote controllable trojan horses that have been widely spread through email virii. Anyone connecting on those ports should by default be seen as hostile.
If security for you includes worrying about incoming TCP SYN packets, fine. But don't make trouble for users because they had the nerve to use the Internet as it was intended, because I'm sure you use the Internet too.
The original intention of the Internet also included the idea that no for-profit organizations should be on the internet. The original intention of the internet included bugs. So, according to you, we should simply drop all prudence because someone 30 years ago couldn't foresee everything that would be happening today?
No. I think the deal here is that you want to continue running your port scans and justify it under the heading of "well it's just the way the Internet is sposed to work". Maybe. But do that to my machines and I will make trouble for you. Don't like it? I don't care.
I wrote this on the linuxtoday talkbacks:
Ok. I think that ESR is a very good writer, and I enjoy what he wrote... BUT I want to argue the other side of the coin just to see where it leads. Forgive me, if my arguments are not entirely clear. I'm not sure I agree with them yet. Just trying them on to see if they make sense.
Ok. So ESR says that what we ought to be talking about here is flerbage. Tim's premise is that a developer ought to be able to license his/her code under any license they choose. And that if you take away that basic right, then the flerbage of developers decreases. I think that's the only possible conclusion.
But by enabling that sort of thing, you also enable a monopolistic developer to basically control your life. Which means that the flerbage of users decreases. Let's suppose that I release a piece of code and I say, "If you want to use it, you have to let me have sex with your wife." It's a relatively simple thing for you to say, "No thanks, I don't need your code." But say Microsoft does something like this? In some cases, there is simply no way that some organizations or individuals can say no. (If there were a case where every organization could simply say "no" to Microsoft, then Microsoft would *not* be a monopoly.) Well the answer is, of course, that there is legal precedent (sp?) that prevents unreasonable contract terms. A contract that requires you to become a slave in order to fulfill your part of the contract is null and void on its face.
Soooo.. Tim's freedom zero already does not exist. Developers can *not* currently release their software under any license they choose. The license has to pass some level of "reasonability". The only question now becomes what is reasonable? What limits should licensors be under when licensing their code? And where should those limits stop?
I think that RSR & FSF are trying to set a different standard for where those limits should stop. They think that it should be unreasonable to license software that doesn't include the licensee's right to modify or fix the software, and then to release those changes and fixes. Do I agree with the FSF's position? I dunno.
The point? There already are limits on how developers can license their software, and those limits are good. Reasonable people may disagree on how far those limits should go. But to say that there should be no limits is short-sighted (IMHO). And I think that Tim's "freedom zero" basically says that there should be no limits. That may not be what he intends to say. I certainly hope not. But it's not impossible to see how RSR & the FSF might interpret Tim's statement as unlimited power for software developers... especially those with a monopoly.
I agree with you 100%. All I'm saying is that in our zeal to prevent wrong applications of the law, let's not also prevent appropriate applications of the law. If, for example, the /. community is able to create a law that makes it illegal for anyone, under any circumstances, to unmask identities on the web, that would create a lot of freedom, but it would also create problems. For example, I could legally threaten to kill you, and you would be unable to investigate whether or not that threat is realistic or false bravado.
Freedom of speech is not unlimited. The unchecked pursuit of it can be exploited, and abused into just as devilish of things as the unchecked pursuit of censorship. Yelling "Fire" in a crowded theatre is illegal because people were hurt by it.
The point? That there has to be a reasonable middle ground. Because the extremes are awful.
So do I. Just be careful not to take it too far and legalise things that currently are, and ought to remain, crimes.
An interesting thing happened at a former job. I used to work for a company that provided capital markets trading services. Someone found a post on a very popular web forum which included information that was *clearly* insider trading information. This is information that could only have come from *inside* the company, and released like this put the entire company in jeopardy with the OCC (Office of the Comptroller of the Currency) and the SEC (Securities & Exchange Commission).
We were under SEC & OCC requirements to track down who posted this thing, or potentially shut down all of our operations. But that wasn't the only pressure. We had an ethical obligation to track this down. A crime was being committed. The ability of this person to continue to post to this forum enabled them to perpetrate a fraud and steal money from our investors. At the time there was not a single reason that I could think of not to try and get this person's identity, and I can't think of a reason now, either. Failure to do so meant that someone (potentially lots of people) lost money (potentially *LOTS* of money).
So, we checked our firewall logs, and found a couple of *possible* leads, but nothing conclusive. After checking as many internal logs as we could find, we came to the conclusion that we had to get the web forums to give us the email address of the person who registered the account. We called the web site, explained that a crime was being committed and politely asked them to provide the identity of the person who posted the comment. They declined, citing their privacy policy.
This is the point where I no longer have first-hand experience with what happened. But as I understand it, our attorneys drafted a letter to the web site stating that this information was absolutely required. Eventually, the web site backed down and provided the information. The person who allegedly posted the information was arrested.
I post this here because there seems to be a huge number of folks who seem to think that under every circumstance internet anonymity should be retained... and most of the time I agree. But sometimes it can enable crimes and I think we have to be careful about how far we take the demands for internet privacy.
$.02.
Please, commence with the karma draining moderation.
I am not a competent windows system admin. My users run on samba (thank you very much). I know that samba supports group policies, but I didn't know that I could do this with it.
Thanks for the tip.
In any case, is it true that MYSQL AB doesn't ever integrate patches that they receive into their code? If this is true, then I can't help but worry that they're eventually going to try and establish themselves as a free software company, and then, since they are the original (and only) copyright holder, that they will suddenly decide to re-license mySQL under a non-free license.
mySQL was only recently re-licensed under the GPL, so it's not like this company hasn't ever had desires to control this code.
Help me out. Is this an irrational fear? If not, then I find myself glad that Nusphere has forked a copy, and abided by the GPL. I know that it was kinda in doubt as to whether or not Nusphere was going to do this, but isn't this a good thing if only to protect against MySQL AB deciding to relicense to a non-free license?
<disclaimer>
I am not employed by, nor related to Nusphere or MYSQL AB in any way. I'm just a curious user with a stupid question.
</disclaimer>
Personally I'd mod your post up, but I can't so ...
In any case, I think you did miss the point that I was trying to make. The point is that forcing the user to download data (either large or small) without respect to whether or not they're going to use it seems prone to create the problems that you are able to fix. That makes your fixes just band-aids. The real problem is a poorly designed architecture that requires you to download everything, even if you aren't going to use it.
And that's not really a function of the file sharing mechanism. That's a function of the way that the underlying operating system provides information to user programs. The windows way is braindead. The unix way scales much better.
True but misleading. The default place that office 2k takes you when you want to save your files? My Documents. Since this is a folder that's on the desktop, it gets stored in your roaming profile. Every user that I have, and I mean every single one of them, stores their files in "My Documents", and I can see why. Not only is it easy when saving, it's also easy when loading. Guess where office 2k takes you when you choose "File->Open".
The difference between roaming profiles and NFS shares is significant. Specifically, an NFS share only requires the user to send data over the network that they are actually going to use. Everything else just sits on the network server until it's needed. But with a roaming profile, the entire profile, whether it will be used or not, gets downloaded every time you log into a computer you haven't used yet. Of course, it gets cached there so that you don't have to do it again the next time. But then when you log out, if you made a change to any part of your profile, the entire profile gets uploaded to the server. Combine this with the fact that Microsoft does darn near everything they can to encourage users to store stuff in their profile, and you end up with roaming profiles being a *huge* drain on the system.
I get a lot of crap from friends when I tell them that my home is Microsoft free. They immediately ask things like, "You do this at home, too? Why?" There are two underlying assumptions in this:
What I find entertaining about the whole thing is that if you swap all instances of "Linux" and "Windows" you'd get the actual set of assumptions that I have.
Anyway, I can't agree more that Linux is plenty easy to use. Case in point: my wife is a linux user. This might not sound that surprising except that my wife could be the poster child for computer illiteracy. For all of her wonderful attributes, she lacks a basic understanding of how to do anything on a computer that hasn't been shown to her by someone (usually me). But she's a linux user. How can this be? Because I manage the environment for her. I put up an icon that looks like a mailbox, when she clicks on it she gets her email (mozilla mail). I also put up an icon that looks like a world. When she clicks on it, she gets to a web browser (mozilla). She has access to any program that she'd like but I put up the ones she uses most of the time for her, and it all just works.
If my wife can get by this easily, then an office full of workers, who are paid to know how to use a computer, can certainly manage.
You might be interested in this article titled, "Securing an unpatchable webserver"
Think about 20 years ago. No one, and I mean no one, would have based their business on the college project of some computer programmer in Finland. But today, Linux is a hopeful toppler of a monopoly!
The point, I think, is that the Internet, by promoting anonymity and encouraging communication, allows anyone who has a good idea, or a persuasive idea, or a popular idea to rise to the top, regardless of their financial backing, geographical location, age, or whatever. The quality of their ideas is what brings them success, not any of these other superficial issues.
While I think that much of the 15 year old stock trader stuff is overblown, the fact that it exists at all can't be reduced to nothing. It is a significant change in the way the world works.
Wow, that's excellent. Can you put up a pointer to your netcat config? I have one machine that is a webserver and it's pretty easy to track CR with it. But I'd like to be able to track on some of my other machines, and I see no reason for adding apache just to track this thing.
TIA.
Of course this assumes that snort is running on your firewall! If it isn't well then of course this won't work.
I could be wrong, but I don't think you need to do this. Snort will track this independent of what your firewall is set up to do. Snort operates independent of the IP stack. It uses libpcap to sniff all packets that the interface receives. And if you configure snort to use promiscuous mode, then it'll even track attacks that aren't directed towards your machine.
So I don't know for sure, but I don't think you need to route your port 80 packets anywhere. I think it'll track it just as long as it gets to your interface.
Submissions can be made by following these instructions.
This is true, of course. This is even trivial to accomplish in Linux:
But this does nothing to prevent a user from sending 10^6 SYN packets each of size 10k to TCP port 80. Or 10^6 ACK packets of the same size to the same port. Raw sockets allow that, and more importantly make it difficult to filter a widely distributed attack.
I don't really understand Gibson's jihad on raw sockets, and in general I agree that the risk is overblown, but it's not zero. Even if we do get all the ISPs to do proper route filtering.
The deal is that w/out raw sockets, in order to send large amounts of data, you have to send UDP packets with the data. When creating a datagram socket (i.e. for sending UDP packets), you don't have to get a successful return from connect() prior to sending data. Thus you can just start sending huge packets.
But with a stream socket (i.e. for sending TCP packets), you have to get a successful return from connect() before you can start sending data. Which means that before you can send any data to a server, you have to send a SYN packet, get a SYN-ACK packet back, and then send an ACK packet. Only then will connect() return with a success, and then you can start bombing away at the server with huge packets. But even then, if you don't send them in a form that is recognizable by the application, the server will just issue a RST and close down the connection. For example, if your stream doesn't include HELO foobar when you connect to an email server, the server will just disconnect.
Non-raw sockets make it easier to filter out attacks at the upstream provider because they are usually UDP packets which your web application does *not* need. So you just filter them and then you're done with it.
With raw sockets, it becomes *much* harder to filter upstream. With a raw socket, you can create a SYN packet from a random IP address to a web server on PORT 80. That SYN packet can be 9k long if you want it to be. And it will be to a port that you can't easily filter out. Basically, it makes the DDoS attack much easier and harder to prevent. The attack could come from any IP address, and it will be destined for your web server, which (presumably) you want to keep running. How do you filter out a packet destined to port 80 from possibly anywhere without also filtering out the legitimate connections?
Of course, even without raw sockets, you can still initiate a DDoS attack against a TCP port. If there were fewer script kiddies and more programmers, it would not be that difficult to write a simple program that uses a stream socket, and DDoS's with a well-formed HTTP POST that posts 18MB of data. If the DDoS kiddies were able to program, then that's what they'd do, and they wouldn't need raw sockets to accomplish it.
So while I agree that the addition of raw sockets really isn't that big of a deal, it seems to me that it's a little bit more complex than what I've seen so far.
$.02
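The handshake argument above (a real client must answer the SYN-ACK before it can send data, a forged SYN from a spoofed address never will) is what a defender can actually measure. Below is an added example, not code from the original post or from any tool mentioned in it: a small triage routine over constructed packet records that counts, per destination port, SYNs that were later acknowledged by the same source versus SYNs that were never completed, and flags ports where the half-open share is high. The record layout and threshold names are this example's own assumptions.

```python
"""Added example: separate completed handshakes from never-completed SYNs.

Each record is a constructed (src_ip, dst_port, tcp_flags) tuple in a
simplified form; the field names are this example's own, not any tool's.
"""
from collections import defaultdict

# Constructed sample traffic toward a web server.
SAMPLE_PACKETS = [
    # Legitimate client 10.0.0.5 completes the handshake on port 80 and
    # then sends data (PSH+ACK).
    ("10.0.0.5", 80, "S"),
    ("10.0.0.5", 80, "A"),
    ("10.0.0.5", 80, "PA"),
    # Another legitimate client, this time on 443.
    ("10.0.0.9", 443, "S"),
    ("10.0.0.9", 443, "A"),
    # Forged SYNs toward port 80 from many different addresses. The spoofed
    # senders never see the SYN-ACK, so no ACK ever follows from them.
    ("198.51.100.1", 80, "S"),
    ("198.51.100.2", 80, "S"),
    ("198.51.100.3", 80, "S"),
    ("198.51.100.4", 80, "S"),
    ("198.51.100.5", 80, "S"),
]


def classify_syns(packets):
    """Return {dst_port: {"completed": n, "half_open": m}}.

    A source's SYN counts as "completed" once that same source sends any
    packet carrying the ACK flag to the same port (handshake finished);
    otherwise it stays "half_open". Only bare "S" is treated as a client
    SYN, so a server's "SA" reply is never miscounted as a new attempt.
    """
    syn_seen = defaultdict(set)   # dst_port -> sources that sent a SYN
    acked = defaultdict(set)      # dst_port -> sources that later ACKed
    for src, port, flags in packets:
        if flags == "S":
            syn_seen[port].add(src)
        elif "A" in flags and src in syn_seen[port]:
            acked[port].add(src)
    result = {}
    for port, sources in syn_seen.items():
        done = len(sources & acked[port])
        result[port] = {"completed": done, "half_open": len(sources) - done}
    return result


def suspicious_ports(packets, min_half_open=3, ratio=0.5):
    """Ports with at least `min_half_open` never-completed SYNs that also
    make up more than `ratio` of all SYNs seen on that port. Thresholds are
    illustrative assumptions, not tuned values."""
    flagged = []
    for port, counts in classify_syns(packets).items():
        total = counts["completed"] + counts["half_open"]
        if counts["half_open"] >= min_half_open and counts["half_open"] / total > ratio:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    print(classify_syns(SAMPLE_PACKETS))
    print("suspicious ports:", suspicious_ports(SAMPLE_PACKETS))
```

On the sample data port 80 shows one completed handshake against five half-open SYNs and is flagged, while port 443 is clean; a source-based block list would not help here, which is exactly the filtering problem the comment describes.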
What? According to the article, in Tasini, the supreme court specifically addressed removing the content. They seemed to have some amount of concern that "holes" would be created in the historical archive of information, so they required that compulsory licenses be negotiated.
A compulsory license limits the rights of the copyright holder, and prevents them from holding content hostage by refusing to license it at any reasonable fee. What happens is that the copyright holder and the licensee will go into arbitration, which will determine a "reasonable" compensation for the copyright holder.
So the point of the article is that if compulsory licenses are applied to RIAA and napster, then the RIAA loses some of its grip over their copyrights of the songs. Napster users will still have to pay (because compulsory licenses do not alleviate the copyright holder's right to compensation); however, it would prevent the RIAA from holding songs hostage in order to be able to set prices and force out competition.
This doesn't put restrictions on content flow. It specifically puts restrictions on copyright abuse, which frees content flow. This is a good thing, and I hope it works.
$.02
This is called civil disobedience, and it's a common way to raise the awareness of unjust laws. I agree and applaud this.
BUT... remember, just because you proclaim a law unjust, and violate it in an effort to publicize its injustice, does NOT relieve you of the consequences of violating the law.
So, go ahead and stage your civil disobedience, but be prepared to be arrested, charged, prosecuted, and convicted of a crime.
All of that being said, I applaud anyone who is actually willing to do this for this clearly unjust law. As the sole breadwinner for my family, I cannot afford the risk. The most that I can afford is to contribute to the EFF, and ask my elected representatives for an accounting of how this law can remain on the books.
Another example of the feedback loop that you're talking about is this: Take your finger, and keeping your head still, wave it back and forth in front of your face with a frequency of about 2/second. Try to keep focus on your finger. It is difficult.
Now, take your finger and keep it still in front of your face, but turn your head from left to right at about the same frequency as before. You will be better able to keep your finger focused.
Why? Because your brain takes signals from your inner ears saying that your head is moving, and uses this information to help focus your eyes on your finger. But when you just move your finger alone, there's no additional information that you're able to make use of.
$.02
Forgive me for being over 30. But doesn't this describe a rave? Big dark room, repetitive electronic music, everyone taking ecstasy?
Now wait a minute here, you're slinging some FUD, too.
Yes, cable is shared bandwidth between the end user and the cable company's equipment. And yes, DSL is dedicated between the end user and the CO. But all internet services make use of shared bandwidth. So if your DSL provider does not have enough bandwidth from its provider, it will have exactly the same problems that you proclaim only cable modems are susceptible to.
Now, I can't speak for every cable modem implementation. But I can speak about the implementation that I use. They have a total of 30Mb/s bandwidth dedicated to each hub, and a maximum of 500 houses per hub. If they achieve 25% sales of internet access, that's 125 houses sharing 30Mb/s of bandwidth. This is beyond the dreams of the cable company.
I have been monitoring my cable company's connection for over 3 years now by doing a download provided by the cable company every 30 minutes. Between me and the cable company I have never seen any slowdown of bandwidth at any time of the day at all. Now, I have seen slowdowns when connecting to the Internet, but never over the cable infrastructure.
This is just plain false. EVERYONE on the internet shares bandwidth. That's how it's built. You may not share the bandwidth with that person between you and the CO, but beyond the CO it's shared bandwidth. The only interesting question is whether or not there's enough bandwidth available for those who are sharing it.
I can prove, with data, that between my cable company and me, there's plenty of bandwidth. I can't prove, but it seems pretty obvious that the bandwidth that my cable company has purchased to get to the Internet is not enough. But switching to DSL does not necessarily fix that problem. In fact, it could make it worse.
My point: don't buy the hype that the telcos are putting out about cable infrastructure. If you want a great review of the basic differences, check out this salon review. It's very good. And it supports the conclusion that the cable infrastructure is, generally speaking, better and faster than the DSL infrastructure.
Actually, this is a better analogy than you think. Most early cable modem technologies were just that: ethernet implemented over 75-ohm coaxial cable. Thinnet is ethernet implemented over 50-ohm coax. There are a lot of changes now with DOCSIS, although the underlying infrastructure is still very similar to ethernet over 75-ohm coax.
This is not entirely accurate. The cable companies are quite capable of providing layer 2 differentiation. The way that cable modems implement their signal is to allocate channels from the underlying infrastructure. Yes, the same thing that normally a TV signal would ride over. So downstream data gets sent over one channel, and upstream over a different channel. Thus it takes 2 channels (plus a lot of underlying infrastructure to be able to send the reverse path cable signal) to implement a layer 2 data network in a cable infrastructure. Well, if you want another layer 2 data network that is completely separate from the first, you simply allocate 2 different channels for the up/downstream data flow, and give those channels to the new ISP. Poof! The first ISP's users don't see/know/interfere with the second ISP's users. It's as if they're using completely separate physical networks. Ain't broadband grand?
This is not just theory, it's practice. Where I live, prior to the cable company implementing DOCSIS, they used a proprietary system made by motorola. Well, in order to migrate to DOCSIS for new customers, and not disrupt old customers, they simply implemented a new layer 2 network on different channels for DOCSIS, and kept the old layer 2 network for the proprietary modems.
If AOLTW is going to provide service for Earthlink, Juno, et al, they'll simply supply two additional channels for each of their "competitors" and let them take care of the rest of it.
This of course puts a limiting factor on the number of different ISPs that can service the cable infrastructure. There is a limited number of channels available on the cable infrastructure, and by far most of them are taken up by standard TV channels and digital TV channels.
Hope this clears some things up.
Hmm... my cable modem is capped at 2.0MB/s download. DSL is available at 1.5MB/s download. I would agree with you, if the difference were what it used to be (prior to the cap). It used to be closer to 6-7MB/s download. Since the cap, though, the difference seems pretty small to me.
With that small difference in speed, and due to restrictive appropriate use policies on the cable modem (i.e. no web/email servers allowed), I've been considering switching to DSL. I realize that it'll be slower, but not that much slower, and for the ability to legally run servers, it's something that makes me pause and consider.
The fact that I can make this switch relatively easily, and say to the cable company that I don't appreciate their appropriate use policy, suggests to me at least that TW doesn't have a monopoly in broadband services in my area. Am I wrong? Should I be concerned?
I read a lot about the M$ trial. I read the findings of fact, the conclusions of law, and the decision on the appeal. Every page. One of the things that I learned is that in order for it to be a monopoly, a relevant market has to be defined. Also, in order to have a monopoly, there must be no easy way for a customer to switch from the monopolist's products or service.
Isn't it reasonable to define the relevant market for AOL Time Warner's cable stuff as the broadband market? If true, then why aren't all the DSL providers already competitors? I currently have a Time Warner cable modem in my house, but I qualify for and can easily switch to DSL.
If this is true, is it really fair to say that AOLTW has a monopoly in broadband services?
You've never been responsible for administering a secure system, have you? If you have, then you're miserable at it. Read some. I'd recommend "Firewalls & Internet Security" by Cheswick & Bellovin. Or "Building Internet Firewalls" by Chapman & Zwicky. Both of these books describe one of the primary security principles: "least privilege". In short it says, don't allow anything that you don't have to.
If you have to allow DNS queries, then you have to. But just because you have to allow those queries doesn't mean you should also allow zone xfer. It's quite simple arithmetic: the number of security holes in DNS queries is less than the number of security holes in DNS queries + the number of security holes in DNS zone transfers.
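The "queries yes, zone transfers no" split above is a one-line policy decision in BIND. The following named.conf fragments are an added illustration, not configuration from the original comment or from any site it describes; the zone name, file name and secondary address are placeholders.

```conf
// Added example: the same zone declared twice, weak form first.
// Zone name, file name and the secondary's address are placeholders.

// Weak: queries are answered for anyone, and because no allow-transfer is
// given, the transfer policy falls back to the server default, which in
// classic BIND 9 was to permit AXFR to all hosts.
zone "example.test" {
    type master;
    file "example.test.zone";
};

// Least privilege: queries stay open, but zone transfers are limited to the
// single secondary that actually needs them. Everyone else never reaches
// the AXFR code path at all, which is the "fewer holes" arithmetic above.
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-query    { any; };
    allow-transfer { 192.0.2.53; };   // placeholder: the authorised secondary
};

// A server with no secondaries can shut the door entirely, either per zone
// or once for every zone via the options block.
options {
    allow-transfer { none; };
};
```

A per-zone allow-transfer overrides the global one, so the options default can be "none" while the one zone that has a secondary lists its address explicitly.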
No, but when people come poking at my alarm system to see what happens, especially when they have no reason for doing it, I can't help but assume that they're trying to figure out my weaknesses for some other reason.