Security through obscurity does work though, so long as it's not the only layer.
An example would be: let's say you're making your own home-made cluster remote administration tool for administering all of your servers from one console. What would be more secure:
A: Greeting the user upon connection with a description of the service, full protocol docs, source code, etc.
B: Sitting, waiting 5 seconds for the first command before dropping the connection. If the client sends one wrong byte, instantly drop the connection and firewall their IP so that they can't get a single packet through.
Obscurity isn't security in itself; however, it does make a nice addition to an already secure setup.
And if you think full disclosure means instant security, take a look at that open-source database that's had a serious bug in it for 8 years that was only found recently. I can't think of the name off hand; I believe it started with 'Inno'. Even though "thousands of eyes scoured the source code" it still didn't get noticed for eight years -- that is, noticed by anyone that went public with it.
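The fail-closed front door described in option B above (no greeting, a short deadline for the first command, drop on the first wrong byte, block the source address), as an added Python sketch; this is not code from the post or from any real administration tool. The preamble bytes, the timeout default and the in-memory block set standing in for a firewall rule are all assumptions, and this is only the outer layer: a real tool would still authenticate every command behind it.

```python
import socket

# Constructed preamble a legitimate client must send first (assumption).
MAGIC = b"CLUSTERADM/1\n"


class SilentFrontDoor:
    """Fail-closed acceptor: never greets, waits briefly, drops on the first bad byte."""

    def __init__(self, magic=MAGIC, first_byte_timeout=5.0):
        self.magic = magic
        self.timeout = first_byte_timeout
        # Stand-in for a firewall rule; a real server would add an nftables/iptables
        # rule here instead of keeping the address in a set.
        self.blocked = set()

    def classify(self, ip, received):
        """Decide what to do with the bytes received so far from ip."""
        if ip in self.blocked:
            return "blocked"
        if not self.magic.startswith(received):
            # One wrong byte is enough: block the source and say nothing.
            self.blocked.add(ip)
            return "drop"
        if received == self.magic:
            return "accept"
        return "more"

    def serve(self, conn, ip):
        """Handle one accepted connection; returns the outcome for logging."""
        if ip in self.blocked:
            conn.close()
            return "blocked"
        conn.settimeout(self.timeout)
        received = b""
        try:
            while True:
                chunk = conn.recv(1)  # byte at a time so the first wrong byte ends it
                if not chunk:
                    conn.close()
                    return "closed"
                received += chunk
                verdict = self.classify(ip, received)
                if verdict == "accept":
                    conn.sendall(b"OK\n")  # the server speaks only after a valid preamble
                    return "accept"
                if verdict == "drop":
                    conn.close()
                    return "drop"
        except socket.timeout:
            conn.close()
            return "timeout"


def simulate(door, ip, client_bytes):
    """Drive one connection through a local socketpair; returns (outcome, reply)."""
    server_side, client_side = socket.socketpair()
    if client_bytes:
        client_side.sendall(client_bytes)
    outcome = door.serve(server_side, ip)
    reply = client_side.recv(16) if outcome == "accept" else b""
    server_side.close()
    client_side.close()
    return outcome, reply


def listen_forever(host="127.0.0.1", port=4422):
    """Accept loop for running the sketch by hand."""
    door = SilentFrontDoor()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (ip, _port) = srv.accept()
            with conn:
                print(ip, door.serve(conn, ip))
```

Two design points worth noting: a timeout alone does not block the address (a slow or curious scanner learns nothing and costs nothing), while a single wrong byte does, so the block list must be reviewable and expirable, because an admin who fat-fingers the preamble, or a whole office behind one NAT address, is locked out just as silently as a scanner.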
The point would be to eliminate silent changes. Things like changing the old "informative: 3 funny: 2 offtopic: 1" to the new percentages, adding a limit of 10 posts a day per AC, and all kinds of other important changes just happen with no notice. It would also allow a place for us to comment on the changes without getting mod-bombed with Offtopic, or resorting to unpopular user journals that have to be spammed in .sig's.
I'm sure I'll end up sleeping through it (sleep schedule is a bit off currently), but I'd love to know why they never publicly announce when/what they change. Many users would love it if there were a slash.slashdot.org or something to just post stories whenever slashdot.org syncs with the newest slashcode, what's changed, etc.
"It's illegal to be 'evil'"
So just set the evil bit to 0 and they'll never suspect a thing >:-]
I agree, and think that's one of the things GAIM did correctly. From their FAQ:
Does AOL's attempts at blocking Trillian affect Gaim?
No.
Is Gaim affected by the vulnerability found in Windows AIM or Yahoo Instant Messenger clients?
No.
Can I IM you guys?
Sure! Look at the Contact Information page!
Can I give you money/hardware/other expensive things that can be hocked for cash what with you all being students/full-time-workers and helping to produce this wonderful software instead of studying/sleeping?
No. We're completely fool-hardy and won't accept any gratuities with no strings attached for just being good guys. That and we'd have to share with everyone who has submitted patches. ;-)
And as some other project (can't think of the name off hand) put it: if you'd like to help out, submit patches/artwork/docs/translations/etc.
Warez (at least, the proper form of warez -- the one that uses RARs the most) is 650 megs of multipart RARs, with just two files in them (bin/cue, or occasionally just an MPEG if it's porn). The compression is a waste of time, but the multipart files and CRC checksumming are very useful. One bad RAR and you redownload 20 megs instead of 650. It also lets other warezmonkeys 'race' uploads (definition: everyone does a server-to-server (FXP/FTP bounce) upload from one site to another, all trying to upload the same release at once. Whoever uploads the highest percentage of RAR files 'wins'. I've never seen actual rewards for the races; it's just bragging rights. And of course the ratio credits.) /nick Anonymous_Warezmonkey
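The multipart-plus-checksum point from the post above, as an added Python example that is not code from the post or from RAR: a manifest of per-part checksums lets a receiver find the one bad part and refetch only that part instead of the whole payload. The 650-byte stand-in payload, the 20-byte parts and the SHA-256 carried alongside the CRC32 are assumptions.

```python
import hashlib
import zlib

# Constructed stand-in for a 650 MB release: 650 bytes cut into 20-byte "volumes".
ORIGINAL = bytes((i * 37) % 256 for i in range(650))
PART_SIZE = 20


def split_with_manifest(data, part_size=PART_SIZE):
    """Cut data into parts; the manifest holds a CRC32 per part (what RAR volumes
    carry) plus a SHA-256, because a CRC only catches accidental damage."""
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    manifest = [(zlib.crc32(p) & 0xFFFFFFFF, hashlib.sha256(p).hexdigest()) for p in parts]
    return parts, manifest


def bad_parts(parts, manifest):
    """Indexes of parts whose CRC32 or SHA-256 no longer matches the manifest."""
    bad = []
    for i, (part, (crc, digest)) in enumerate(zip(parts, manifest)):
        if (zlib.crc32(part) & 0xFFFFFFFF) != crc or hashlib.sha256(part).hexdigest() != digest:
            bad.append(i)
    return bad


def repair(parts, manifest, fetch_part):
    """Refetch only the damaged parts, re-verify, and reassemble."""
    refetched = 0
    for i in bad_parts(parts, manifest):
        parts[i] = fetch_part(i)
        refetched += 1
    still_bad = bad_parts(parts, manifest)
    if still_bad:
        raise ValueError(f"parts still corrupt after refetch: {still_bad}")
    return b"".join(parts), refetched


def demo():
    """Damage one received part, repair it from the 'server', report what it cost."""
    good_parts, manifest = split_with_manifest(ORIGINAL)
    received = list(good_parts)
    # Simulate one bad download: flip the first byte of part 7.
    received[7] = bytes([received[7][0] ^ 0xFF]) + received[7][1:]
    damaged = bad_parts(received, manifest)
    restored, refetched = repair(received, manifest, lambda i: good_parts[i])
    return {
        "parts": len(good_parts),
        "damaged": damaged,
        "refetched_bytes": refetched * PART_SIZE,
        "restored": restored == ORIGINAL,
    }


if __name__ == "__main__":
    print(demo())
```

The CRC32 is what makes the "redownload 20 megs instead of 650" economy work against line noise and truncated transfers; it does nothing against someone who deliberately substitutes a part, since a CRC is trivial to match. For that case only the cryptographic digest helps, and the manifest itself then needs to come from a trusted source or carry a signature.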
Foreword: It's 6am and I can't sleep, so I picked a post at random to rant under. You should probably skip reading this unless you want to enter my world of boredom/late-night-insanity-induced writing. That said, now for something completely different.
It depends on your definition of 'large ones'. Let's say you're uploading an uncompressed TIFF image from ${insert_good_source_here} to your poor little webserver. Now on paper, '10 megs' and '13 megs' really don't sound like much, especially considering how many people have broadband... Until you get slashdotted, and instantly have 10,000 (low estimate, considering fark/kuro5hin/etc. will all run similar stories) hits. 10,000 * 3 megs (difference) = 30 gigs transfer = a lot more expensive than the time you have to wait for bzip2's slower compression.
What it really boils down to is the right tool for the job. When compressing things, you have to consider the following:
1) Does timing matter? (e.g., is this something you'll have to recompress every few minutes, say in rotating files where you'll have to lock your program as it compresses the old file [bad example, but it's 6am and I haven't slept])
2) How widely will it be distributed? - If you're just making backups you can use whatever odd compression you want, but if you're going for mass distribution you really need to stick to something generic that most people have. In contrast, if you're just compressing some Half-Life demos for a friend, you can go ahead and just use the best of what you both have.
3) How important is file size? - Again, related to distribution. If I'm sending a screenshot to a friend I'll rarely take the time to compress it, as by the time I get something open to compress it, I could have already sent it uncompressed. Or in the above situation, if it's going to be hosted somewhere where you pay bandwidth fees, every byte counts.
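The three questions above (time, reach, size) as an added Python benchmark; this is not code from the post. It times gzip, bzip2 and xz from the standard library on a constructed log-like sample, verifies each round trip, and picks the smallest output that fits a time budget; the sample text, the compression levels and the selection rule are assumptions, and the bandwidth arithmetic mirrors the 10,000-hit example from the post.

```python
import bz2
import gzip
import lzma
import time


def make_sample(n_lines=5000):
    """Constructed log-like input; real files differ, so measure on your own data."""
    lines = []
    for i in range(n_lines):
        lines.append(
            f"2003-02-12 06:{i % 60:02d}:{(i * 7) % 60:02d} host{i % 13} "
            f"httpd[{1000 + i % 97}]: GET /images/photo{i % 41}.tiff 200 "
            f"{(i * 9973) % 13000000} 10.0.{i % 254}.{(i * 3) % 251}\n"
        )
    return "".join(lines).encode()


# Codecs most receivers already have (question 2); the levels are assumptions.
CODECS = {
    "gzip": (lambda d: gzip.compress(d, compresslevel=9), gzip.decompress),
    "bzip2": (lambda d: bz2.compress(d, compresslevel=9), bz2.decompress),
    "xz": (lambda d: lzma.compress(d, preset=6), lzma.decompress),
}


def benchmark(data, codecs=CODECS):
    """Compress with each codec, verify the round trip, report size and wall time."""
    results = {}
    for name, (compress, decompress) in codecs.items():
        start = time.perf_counter()
        blob = compress(data)
        elapsed = time.perf_counter() - start
        if decompress(blob) != data:
            raise RuntimeError(f"{name} did not round-trip")
        results[name] = {
            "bytes": len(blob),
            "ratio": len(blob) / len(data),
            "seconds": elapsed,
        }
    return results


def pick_codec(results, time_budget=None):
    """Smallest output among codecs that finish within the budget (question 1 vs 3)."""
    candidates = {
        name: r for name, r in results.items()
        if time_budget is None or r["seconds"] <= time_budget
    }
    if not candidates:
        return None
    return min(candidates, key=lambda name: candidates[name]["bytes"])


def extra_transfer(hits, raw_bytes, compressed_bytes):
    """Bytes you pay for by serving the raw file instead of the compressed one."""
    return hits * (raw_bytes - compressed_bytes)


if __name__ == "__main__":
    sample = make_sample()
    res = benchmark(sample)
    for name, r in res.items():
        print(f"{name:6} {r['bytes']:9d} bytes  ratio {r['ratio']:.3f}  {r['seconds'] * 1000:7.1f} ms")
    print("pick with no time budget:", pick_codec(res))
    print("extra bytes for 10,000 hits at 13 vs 10 MB:", extra_transfer(10_000, 13_000_000, 10_000_000))
```

The timing numbers are only meaningful relative to each other on the same machine; the point of the script is that the answer to "which codec" flips depending on whether the budget is seconds of CPU on a rotating log or gigabytes of metered transfer.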
Under your pants, or occasionaly on your head for variety.
Only if you enjoy giving up mobility. I used to play single-player Quake one-handed when bored, but if it's at all multiplayer you really need strafe and jump or you're just waiting to get picked off.
But what about hyping up your game right before other companies release theirs? Customers will think "Why buy $game_x when $game_y looks so much better and is coming out 'real soon now'?". Then again, that's a really bad precedent. What id Software did (giving away RTCW:ET) could be seen in the same light.
While I agree with you, some minor nitpicking:
Section 9 of the GPL states
"Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation."
So eliminating those loopholes is impossible. (Though IANAL)
It would be near impossible to get everyone that ever wrote a line of code in the kernel source tree to agree to relicense their code under a 'new GPL', and somehow revoke all previous licenses (should be impossible, but Nullsoft/AOL kind of pulled it off).
"You're captured on film at least a dozen times a day. At least I am (and other people who go outside)."
aha!
Agoraphobics: 1 General population: 0
Take that!
"Yup. Amazing, corporations want to keep you from copying the stuff they sell and giving it away to all your friends. Go figure."
But they do it at the cost of your freedom. They could keep us from copying their stuff by making it explode upon purchase, too, but at what point do you say it's just not worth it?
Disclaimer: I did read your second paragraph, and I agree with you fully. I'm just replying because I know you're not the only one that feels that way.
"I don't think formatting actually deletes the files either... I think it just tells the file system that all the space is available for writing. (I may be wrong, but I don't think I am.)"
You're correct. Under most circumstances, formatting just writes a new filesystem onto the hard drive. All you're really doing is changing the filesystem type and storing whatever special info the FS needs, not writing every inode it creates. To test this, cat the partition you just wrote a filesystem to and look at how much stuff is still there.
There's something like that for Shoutcast internet radio streams. I can't think of the name off hand, but it starts recording to a file based on the ID3 info; when the ID3 changes it starts a new file.
Especially evil since Shoutcast is just MPEG over HTTP; if the bitrate is high enough there really isn't any additional quality loss.
Dropping the suit implies it, though I doubt it was ever said for legal reasons.
Think Dmitry Sklyarov. Adobe dropped the case quickly; the FBI didn't.
98 here, also doesn't work. I think you nailed it.
Heh, yeah. But I do like how the agreement on the installer is conveniently not displayed in WineX ;)
"At least nobody's forcing you to actually watch Joe Millionaire."
They are, in a way. When they cancel our favorite shows (e.g., Dark Angel) and replace them with mindless filth (e.g., anything being promoted heavily on network TV currently) they aren't exactly leaving us with much choice.
Of course, you can still opt out of it all like most of us do.
" rainforest puppy yes, but gobbles hasn't quite proven top ten worthiness (yet) imo"
Everyone's entitled to their own opinion, but I think gobbles' ability to stand up to the egotistical OpenBSD/SSH developers' 'our shit doesn't stink' attitude earns him a good spot on the list.
And he knows how to speak, which is a plus. Search around for the video of him at Defcon; it's really funny.
" AOL will also be licensing Windows Media 9, which could affect WinAmp."
Yes please.
IMO WinAmp went downhill when AOL got in on it. The only upside was Justin got some well-deserved pay and WinAmp got some unneeded publicity. As far as the actual product goes, I think it would have been better off untouched.
"I smell armageddon."
Whoever smelt it dealt it.
"If I like the music, generally I want the artist to produce more of it."
That's why I stopped paying for music.
I'd say about 90% of signed artists that make a second CD only have 1 or 2 songs on the second CD worth listening to, if that. The second CD is almost always noticeably worse, as can easily be demonstrated.
I blame it on the RIAA forcing artists to water down their music to the lowest common denominator to meet expectations on sales, so by not paying for any music maybe they'll stop expecting such high sales and let artists actually create art.
/not sure if I'm sarcastic or not.
Step 1) Distribute DoS zombiebot to everyone you can
Step 2) ??? (Take out someone with metered bandwidth)
Step 3) Profit... or lack thereof.
Of course, I'm just generalizing all the bad stuff you really don't want to pay for: spam, broken downloads, DoS, etc.