The apache vulnerability was known 6/17 (aka 11 days ago). The exploits were circulating by 6/20 (aka 8 days ago).
The openssh vulnerability is more recent, so I won't hassle with that, but not producing an update until a week after exploits are already circulating is dangerous at the very least. Yes, they produced an update. No, it wasn't fast enough.
The apache updates should have been days (if not a week) ago. The openssh update is recent, but there was such a fuss over the method chosen to announce it that most people updated already anyway.
Regardless, I can now confirm that there are exploits circulating in the wild for both of these vulnerabilities. I have, in my inbox, a copy of an apache worm that specifically targets FreeBSD 4.5 releases running apache 1.3.20, 1.3.22, and 1.3.24. Also, one of the IDS systems caught a version of the openssh 3.3 exploit Wednesday morning.
Apple is quick, but still too slow, as many of these systems could have already been compromised.
But of course, the cable providers don't support this and send out their cease and desist letters if you do it!
The "cease and desist" letter above was to a person sharing his cable access with anonymous users via amplified wireless antennas; this is certainly NOT the same as using a router to provide access to three machines in the same house.
There is no way that the terms-of-service allow this sort of practice, nor should they. This introduces a number of security risks onto the network, with no accountability. It costs money in bandwidth and lowers the quality of service for many paying customers on the same end of the cable line. Indeed, the person was breaking the TOS, and should have been cut off immediately rather than warned.
Same thing with the Wireless really - just means it's not tied to where a wire runs. I guess their worry there is that my neighbor might get free service off me with a wireless card (can't even get a signal in the neighbor's yard!)
Because there is always a certain percentage of the users/population who take advantage of it. In this case, someone is giving away bandwidth that they are not using (via broadcasting with an amplified antenna and posting the location on the internet). You may say: fine, it's his bandwidth, he can use it as he wants. Unfortunately, the billing rates and infrastructure logically assume that people will not use all of their bandwidth 24 hours a day, but will only use a percentage at any one time. Individuals who resell (giving away bandwidth is still reselling it, under most legal definitions) their bandwidth increase the load on the infrastructure, and cost the company money.
It's a problem, and it's against their TOS. The person knows that, and will get disconnected for it. There is no way around the problem in which neither side is adversely affected. Such is life. If he really feels like being a nice person and setting up a free access point, he should look into starting a non-profit organization, funded by donations, and lease real bandwidth, rather than a residential line.
There was an issue a while back where someone hacked a source distribution server, and replaced the configure script in the tarball with a compiled backdoor, that also worked as a configure script. End result? A lot of people installed/ran a back door as whichever user they ran configure with, just by unpacking a source file and running configure.
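The incident described in that comment is a source-tarball supply-chain compromise: the payload ran the moment someone typed `./configure`. The following is an added example (not code from the thread or from any project it mentions) of two checks a defender can run before executing anything from an unpacked tarball: compare the archive against a SHA-256 digest obtained out-of-band (from the project's signed announcement or a mirror you trust), and confirm that the file named `configure` is a shell script rather than a compiled binary. File names, the package name `pkg-1.0` and the digest are constructed for the example; the script assumes `tar`, `od` and either `sha256sum` or `shasum` are available.

```shell
#!/bin/sh
# Added example: integrity checks to run before executing ./configure from
# a freshly unpacked source tarball. Not taken from the thread; paths and
# package names used by callers are assumptions.

# Print the SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the tarball's digest matches the one obtained out-of-band.
verify_tarball() {
    tarball=$1
    expected=$2
    [ "$(sha256_of "$tarball")" = "$expected" ]
}

# Return 0 if the file looks like a shell script (shebang present, not an
# ELF image). A compiled binary renamed to "configure" fails this check.
is_shell_script() {
    f=$1
    [ -f "$f" ] || return 1
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) return 1 ;;   # "\x7fELF": compiled executable
    esac
    [ "$(head -c 2 "$f")" = "#!" ]
}

# Verify the archive, unpack it into $dest, and inspect every top-level
# configure file found. Returns 0 only if all checks pass and at least one
# configure script was present.
check_unpacked_configure() {
    tarball=$1
    expected=$2
    dest=$3
    if ! verify_tarball "$tarball" "$expected"; then
        echo "checksum mismatch: $tarball" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar -C "$dest" -xzf "$tarball" || return 1
    found=0
    for c in "$dest"/*/configure "$dest"/configure; do
        [ -e "$c" ] || continue
        found=1
        if ! is_shell_script "$c"; then
            echo "$c is not a shell script; refusing to run it" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ]
}
```

The digest must come from somewhere other than the server that served the tarball; if both are fetched from the same compromised host, the attacker can rewrite both. The ELF check catches only the specific trick the comment describes (a binary standing in for the script); a malicious but genuine shell script passes it, which is why the checksum comparison is the primary control and the file-type check is a cheap secondary one.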
Of course, I'm practically certain a large portion of that 45% is open source.
While I agree with you that the portion of the 45 percent that is open source has increased in the last year, I disagree that this portion is "large".
A lot of people download freeware and shareware, and never buy it. Try going to a site offering free downloads, and check for a "most popular" section. Last week alone, 229,000 people downloaded a program to stop pop-ups. There are a lot of people who download software; assuming open source is a large percentage is flawed.
[ This is not a troll, nor flame, just opinion ]