Not sabotage, security. In case you don't know: itojun is the guy behind all the BSDs' IPv6 support, and has been very active in the standardisation process.
Using an unstable development version and then complaining about instability, peppering the results with emotive commentary and clueless rhetoric. (btw the 1024-cylinder boot restriction he complains so much about has been fixed for a while) Especially funny was this idiotic statement:
OpenBSD also caused a lot of grief on the IPv6 front. The OpenBSD guys intentionally broke their IPv6 stack to not allow IPv4 connections to and from IPv6 sockets using the IPv4 mapped addresses that the IPv6 standard defines for this purpose. I find this behaviour of pissing on internet standards despicable and unworthy of free operating systems.
Someone should hit him with a cluestick on this issue. Yeah, like itojun is despicable and unworthy...
OTOH, the results are of concern and should be verified by someone less obviously biased. I haven't noticed them in practice on moderately loaded servers though (but I'm biased in the opposite direction).
This article does belong in slashdot, but not the front page.
Wow. I was overjoyed that SlashDot had finally posted something of technical interest and not another junk piece about how the RIAA are coming to get the freedom loving song-swappers.
Don't worry, the drivel that you are used to will be back sooner than you can blink.
OpenSSH isn't remotely vulnerable to these attacks. Recent versions don't use the OpenSSL ASN.1 parsing code for signature validation (e.g. signatures coming from the network). The OpenSSL ASN.1 code is only used for parsing private keys.
This was done a little while ago, as Markus (wisely) decided that we didn't need a whole ASN.1 parser just to verify signatures.
Don't let that slow you down patching the issue - Apache and other SSL/TLS apps (OpenLDAP, the various imapd's, etc.) may be vulnerable.
Michael Robertson, in his usual marketing speak, compares this to adding "Fluoride in the water"
This is very funny. There is a long history of wackos equating fluoridation of drinking water with government mind control. Here is an example, which is very tame by the standards of the alternate-science crowd.
Gotta go, my alien gray masters are calling me by mind control satellite to their sub-antarctic base again!
The "Someone gets it" and "They never quite grasped" attitude may get you in trouble. Being proactive and explaining and educating instead will likely be more effective.
If you deliberately bait spam, your research will only be about spam as it affects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
The relevance of a baited address depends on how one does the baiting. I'd say that a handful of usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc. would be very representative of common patterns of address disclosure.
The enemy of your enemy is not necessarily your friend. Domain and typosquatters are near the bottom of the barrel, just a rung above spammers. Just because they are attacking another bottom-feeder does not make them heroes.
Re:Warding off the inevitable "switch to Java" com on Secure Programming · Score: 3, Insightful
Tune in to Bugtraq some time to see a never-ending stream of web-app vulnerabilities. Most of these applications are not written in C.
Moral of the story: stupid programmers will be stupid in whatever language you give them.
Re:We already HAVE the different language. on Secure Programming · Score: 5, Insightful
It's called LISP.
(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)
Yes, very true. "Several" is an excellent estimate of the number of LISP machines sold.
Your readme demonstrates none of the ambiguity that you have just expressed. Also what you describe as "deliberate obfuscation" (re-indenting or variable renaming) occurs as a matter of course when software is appropriated (legally or otherwise).
So, you've downloaded Comparator, and run tests, then.
I didn't need to, the following is in the readme:
comparator does not attempt to do semantic analysis and catch relatively trivial changes like renaming of variables, etc. This is because comparator is designed not as a tool to detect plagiarism of ideas (the subject of patent law), but as a tool to detect copying of the expression of ideas (the subject of copyright law).
He's wrong BTW (and he is smart enough to know it, which makes this a deliberate deception). A work is no less subject to copyright if someone does a global search and replace on a variable name.
While the concept sounds nice, any line by line comparison could easily be fooled. A run through indent, a comment change or a common search & replace on a variable will change the MD5 sum. A (rather more difficult) enhancement would be to compare code at the semantic level (perhaps using gcc's intermediate RTL or TenDRA's ANDF).
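An added example (not part of the comment above, and not Comparator's own code) that demonstrates the weakness the comment describes. It hashes each raw line, which a re-indent, a comment change and a variable rename all defeat, and beside it hashes windows of normalized tokens, where comments and whitespace are dropped and identifiers are replaced by placeholders numbered by first appearance. The C snippets and the simplified tokenizer are constructed here; the placeholder renaming is only a crude stand-in for the semantic comparison the comment suggests.

```python
import hashlib
import re

# Constructed sample: one C function, then the same function after a re-indent,
# a changed comment and a variable rename (the edits the comment says defeat a
# line-by-line hash).
ORIGINAL = """\
int sum_list(int *items, int n) {
    int total = 0;  /* running sum */
    for (int i = 0; i < n; i++) {
        total += items[i];
    }
    return total;
}
"""

REWORKED = """\
int sum_list(int *items, int n)
{
\tint acc = 0;  // accumulator
\tfor (int k = 0; k < n; k++)
\t{
\t\tacc += items[k];
\t}
\treturn acc;
}
"""

# Deliberately tiny keyword set and tokenizer; a real tool needs a proper lexer.
C_KEYWORDS = {"int", "char", "for", "while", "if", "else", "return", "void"}
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|\S")


def raw_line_hashes(src):
    """The scheme the comment describes: one MD5 per source line, taken verbatim."""
    return {hashlib.md5(ln.encode()).hexdigest()
            for ln in src.splitlines() if ln.strip()}


def normalize(src):
    """Drop comments and whitespace, keep keywords and punctuation, and replace
    every other identifier with a placeholder numbered by first appearance.
    Snippets differing only in layout, comments or names give the same list."""
    names = {}
    out = []
    for tok in TOKEN_RE.findall(COMMENT_RE.sub(" ", src)):
        if (tok[0].isalpha() or tok[0] == "_") and tok not in C_KEYWORDS:
            out.append(names.setdefault(tok, "ID%d" % len(names)))
        else:
            out.append(tok)
    return out


def shingle_hashes(tokens, k=5):
    """MD5 over each window of k normalized tokens, so matches survive local edits."""
    return {hashlib.md5(" ".join(tokens[i:i + k]).encode()).hexdigest()
            for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means the two fingerprint sets are identical."""
    return len(a & b) / len(a | b) if a | b else 0.0


def compare(src_a, src_b):
    """Similarity of the same pair of inputs under both schemes."""
    return {
        "raw_lines": jaccard(raw_line_hashes(src_a), raw_line_hashes(src_b)),
        "normalized": jaccard(shingle_hashes(normalize(src_a)),
                              shingle_hashes(normalize(src_b))),
    }


if __name__ == "__main__":
    for scheme, score in compare(ORIGINAL, REWORKED).items():
        print("%-10s similarity: %.2f" % (scheme, score))
```

Run it and the raw-line scheme scores the pair as almost unrelated (only the final `}` line survives the edits), while the normalized scheme scores them identical. The choice of MD5 is irrelevant to the point; what matters is what gets hashed.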
So-called "quantum encryption" may be unbreakable, but it is ignorant to portray it as a competitor to something like RSA. Quantum encryption is a link-layer technique - something one would use to prevent eavesdropping on a single fibre hop (which is hardly a problem anyway).
Worse, it is hardly practical for real networks anyway - with routers, repeaters, EBFAs or Raman amps everywhere. If it ever makes it out of the lab, it may be useful for military systems (where money is no object), but it won't help you pirate music anonymously.
the license betrayed everyone else's freedom by allowing the spinoff to be closed
Rubbish. You are ignoring the bit where the original poster reminded you that the unclosed source would still be there. But then, the people who whine loudest in support of the GPL have almost never released a line of free code.
There is a research proposal on this and other interesting things. While I abhor the military focus, there may be useful scientific or civilian uses of this technology (e.g. energy storage for space propulsion systems).
Most of the problems with bind have been with versions 4 and 8. bind 9 was a complete redesign and has proved itself to be much more secure.
VeriSlime's sitefinder is innovation in much the same way that the SARS virus is evolution.
The sounds that one hears when having an MRI can best be likened to being inside a giant floppy drive.
OpenSSH isn't vulnerable to this problem. We don't use OpenSSL's ASN.1 routines for network-supplied data.
Please send patches if you are willing to do more than troll.
asexual? Then why did he have an unending stream of cute, scantily-clad sidekicks?
Not on Slashdot, alas.
And another and yet another. (yes, this is self-promotion)
In that spirit, my favourite was:
while ((var = malloc(sizeof(*var))) == NULL);
What are you talking about? That has nothing to do with this discussion.
Exactly, patents have nothing to do with this discussion. They are a separate issue.
[...]Group A can probably take control of that patent as a derivative work of their copyrighted material.
Not a chance. Copyright law and patent law are separate legal domains, coming from completely separate sources of authority.