"Irrelevant. One of the often cited benefits of Linux is that the source code is easily accessible thus leading to secure code."
Bad reading comprehension. This is not irrelevant. My point was addressing the comparison between Windows and Linux "being the same" with regard to "serious bugs", which they most certainly are not. Your claim about the "shallow bugs" argument going out the window is also bunk, see my point about exploit complexity.
---
"There's no difference between the two. Exploits on Windows have had carefully crafted buffer overflows."
This is merely a matter of paying attention. Certainly both operating systems have had very intricate security holes, but Linux bugs tend to be, as a matter of history, more complex when compared to those on Windows. As an example comparison to see what I'm getting at:
IIS vulnerability from GET request buffer overflow and Synopsis: Linux kernel do_mremap local privilege escalation vulnerability.
---
"I would have to say that Microsoft does a fairly good job [alerting everyone when a bug is found]."
This is naive at best, flat out ignorant on the other end. Security companies from all over have submitted bug report following bug report to Microsoft which go without acknowledgement. Undisclosed bug fixes are quietly rolled into patches designed to fix something else entirely. Many fixes in Service Packs either haven't been announced before or are thrown in the SP without mention.
I won't bother going into any more detail. At best, you need to do your homework, at worst, you need to stop trolling.
Cheers
True, and although you see lots of features in a Linux box by default, by default you'll often find that they aren't turned on. And for those that are on by default, default firewall settings often help.
What you said still holds water, I'm not calling you a liar. I just don't think it's as serious as some folks might read.
Anyway, this whole thing is what makes Windows really dangerous. Not only do they throw everything in the pot, everything is turned on and most users have no clue how to disable it.
Cheers
"Wasn't the Linux kernel just patched for a number of serious bugs that existed since 2.2? Seems to me Linux is no different than Windows in this respect"
An honest concern -- we were all pretty shaken up with the rash of security patches to Linux software a couple months back. However, the good majority of these were local exploits, e.g. preventing one user from taking over the entire system. Windows hardly has a concept of local security; almost all of the problems you hear about for Windows are remote exploits, the really dangerous ones.
Secondly, taking a look at the exploits for Linux, most are much more involved than Windows. Often a Windows system can be cracked with an easy ordering of instructions or a basic buffer overflow. On the other hand, Linux security holes often involve very carefully crafted buffer overflows that go through more than one round of manipulation and usage before the crack happens.
Thirdly, when Linux folks know of a Linux bug, everyone tends to hear about it immediately. Microsoft has been known to sit on issues for months (or years!).
There are exceptions to every rule, and generally security depends on the Admin -- but with Windows, there is a limit to how secure you can make your box.
Cheers
That sounds pretty bad.
:)
The company I work for has some legacy code still in use... written in Fortran and originally developed on some old unix system. The compiler limited variables, function names, program names, etc. to 5 characters.
5 characters.
Combine that with the lovely syntax of Fortran 77, tons of gotos, pages of variable declarations, sparse comments, NO whitespace whatsoever, and then picture yourself debugging that for a living.
And if that weren't enough, our sourcebase was purchased from a German company. Up until a few years ago, German comments could still be found.
Yes. Laugh it up.
I agree.
I'm a firm believer that all CS curricula should have two classes for the sophomore year entitled "Real World Programming Part 1 & 2". Part 1 consists of an entire semester writing a user application to meet a loose set of design specifications.
In part 2, the students drop their own code and inherit another student's codebase from part 1. Part 2 will consist of dropping 30% of the functionality, altering another 40% of it and then adding in another set of features about half the size of the original design specification.
And in both parts the students will be under the gun to meet due dates.
Why? Because this is how it happens in the real world. Working on other programmers' bad code, bad specifications, impossible due dates, management which doesn't understand application development, etc.
The problem with all these damn college graduates is that they have no clue what it is like to maintain software. Hence, they get out of school and take about 3-5 years to pick up any kind of clue about good code. Their code is thrown together, barely tested, wasn't developed with a user in mind and doesn't catch more than 20% of possible errors.
What does all of this add up to? A bunch of n00b programmers writing crufty, unmaintainable code, ignoring existing libraries and refusing to write new ones. After years you end up with a product which has outgrown its original design and doubled in size and complexity and is impossible to maintain without hacks or rewrites.
How would I know? I got to spend almost two years taking problem reports and debugging my company's software.
Colleges who teach how to maintain but don't teach why turn out, all in all, nearly worthless programmers who make the long-haul very difficult.
Sorry for the rant.
Cheers
I've been running Linux on an ASUS A7N8X with an MSI GeForce 4 Ti4400 for a very long time now. I can't remember the last time my system hard-locked up. I absolutely love my rig.
Perhaps you have some bad hardware or a bad config?
Cheers
Speaking of file recovery, I've found testdisk to be a godsend. It'll run in Linux/DOS and can locate filesystem headers on a disk. It'll even let you browse certain filesystems without mounting them.
I've found 6+ month old partitions on my disk (complete with a few directory listings) with this thing.
http://www.cgsecurity.org/index.html?testdisk.htm
Three million lines of source code leaked...
:) This should be a fun show!
It only takes a few to create a buffer overflow.
Hehe
I think you'll find that the more 'serious' crackers who aren't interested in harvesting boxes for DDoS purposes will be going after servers. And looking at how many servers run *NIX, Linux is going to be a very popular target, especially since many services are shared.
With high quality crackers going after Linux boxes, I think either A) somehow nobody outside of the cracker community hears about exploits and companies are keeping quiet when they get hit, or B) OSS really does have an edge.
I'm more inclined to believe the latter.
Cheers
You really are going to try and blame this guy for "possibly [exposing] thousands of users to a root exploit"?
There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.
Cheers
"If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve."
But the biological and evolutionary nature of fork, patch, merge and the fact that some developers just don't want to reuse someone else's inferior code makes some of this a moot point. :)
I think taking the fact that with MS, 100% of the software is the same, whereas in OSS, there are standard components but enough difference in forks and alternate solutions that we won't see near as much of a problem.
Cheers
IANAL, but as far as I know, a EULA cannot circumvent law. A EULA is considered a contract and I don't believe a contract can take away a right that the government has written in law.
:)
However, the fact that the DMCA was passed after the digital extension to the Fair Use Act might be troubling. Since it came afterwards, I've heard the argument that it overrides Fair Use.
Any lawyers around?
Personally, for me, it's control.
I'm running Gentoo Linux and there is nothing, not a single package, not a single service installed on my system that I didn't instruct my system to install or was required to boot the machine to a stripped command line.
Each distro is a bit different, but that choice does wonders for the computing experience. For me, my setup fits my computing style like a glove.
Cheers
"Hey, there are plenty of great games for the Mac! Breakout, superbreakout.... photoshop."
Word Munchers!.
Anyone else find the spiral to their low light basement dwelling lifestyle rooting back to this dreadful classic?
"Come on, Timmy, it's time to do geography. Now, Timmy."
> "the leaked source files ... do not compile into a usable form of Windows."
;)
"I don't think any code can claim this, no matter M$ says"
Maybe they really do have a non-buggy OS.
This is what you get when people will vote for anyone who will agree to give them something.
Everyone has this idea that the government is there to make the country great. Wrong. The government is there to protect you so you can live your life to your own choosing.
The day has come where YOU are no longer expected to make your country great, you just tell your government to do it for you. Charity, morals, economic power regulation, all of these things have been passed to your lawmakers. Do you think you have more control over these powers in your lawmakers' hands than in your own?
Government is a tool to control power, but the individual action, the individual decision, the individual debate, the individual dollar, the individual volunteer hour... all of these things are tools more powerful than those proxied off to a self-interested, self-perpetuating government.
The problem with government is, it's all or nothing. We either outlaw X or allow X, we take money from group A and give to group B, there are few gray areas.
Government is a sledgehammer and should be used as such and only as such. It might be a good idea to consider making your country great on your own.
At the risk of sounding resoundingly cheesy, I'll end this with a quote:
"The government consists of a gang of men exactly like you and me. They have, taking one with another, no special talent for the business of government; they have only a talent for getting and holding office. Their principal device to that end is to search out groups who pant and pine for something they can't get and to promise to give it to them. Nine times out of ten that promise is worth nothing. The tenth time is made good by looting A to satisfy B. In other words, government is a broker in pillage, and every election is sort of an advance auction sale of stolen goods."
-- H. L. Mencken
The underlying problem of our growth of government is that people relate "good idea" with "law".
Want to stop drug use? Want to help the poor? Want to prevent companies from becoming too powerful? Want to prevent domestic industries from bombing out?
I personally think all of these are good ideas. However, government is not the only avenue you may pursue these on and anyone stuck in this delusion is adding to the problem this thread is talking about.
Cheers
How many stories have we heard about Microsoft sitting on their hands when someone asks them to fix something?
Do recent /. articles come to mind?
While you are correct in what companies want, claiming that corporations are more reliable and cheaper than an internally hired programmer or contracted project maintainer is pretty silly.
No, just amusing, being that it's anti-American and all...
"or any other form in which a work may be recast, transformed, or adapted."
That's what I don't get. Copyright covers physical materials, so applying those words by their definition, if you take a source file and recast it, you're taking a file and making changes to that file.
Looking at a file, taking the idea of the implementation -- as opposed to the line by line method -- with you in your head to code it later does not add up to altering an existing work.
Now sure, if you broke things down into the same functions and used the same conventions, options, error handling, etc., I can see where the case might stand that you "carried a copy inside your head", but that seems like it would be awfully difficult to prove.
All that said, this whole post is completely ignoring the reality of courtrooms. A reality in which a court says, "Well, we can't prove that you copied it so we'll settle with a good guess"[1] strikes me as absurd, but that's the world we live in.
[1]: quoting one of your posts: "because the act of copying is incredibly hard to prove unless you are dealing with a complete moron, it is not necessary under the law today for a copyright plaintiff to actually prove the act of 'copying.'"
"Copying of nonliteral elements is actionable infringement."
Not confusing copyright with patents and trade secrets, are you sure? From what text I've seen on copyright law (forget the courts for a moment), it's very clear that *ideas* are not copyrightable, that you must have a complete work. It even goes so far as to specify what types of works, e.g. written words, music, etc.
Can you correct me on this one?
Cheers
"DevX.com has reported a recent drop off in website hits and has implemented a ... project entitled "Flaming Troll". ... So far the project seems to be a success ..."
So much of a success that their lovable closed source webserver (IIS) got trampled by the onslaught of traffic from Slashdot (Apache).
Sometimes the jokes write themselves.
Bravo, a nice and tidy slaughter of the entire "article"!
I hope you let them know, you'd have to be pretty dense not to understand that he titled the article wrong.
"Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."
Cheers
I'm truly sorry for the off-topic post:
:)
The next great MMORPG [darkfallonline.com].
sperling, a couple questions I didn't catch answers for on your website (I'm assuming you're related to the project):
1) When's the projected beta start date? Up until December I earned a living debugging software and would enjoy participating.
2) Linux support?
My obscured email is in my profile if you would rather not reply here.
Cheers
Not only that, many clans get server access through personal contacts who work for ISPs, etc. Often the only available servers are running Linux, which means it's a smart idea to go after Linux support on the server side.
Cheers