Looking through my Snort and Apache logs, I see about 5-10 CodeRed attacks *daily*. This is something that was fixed over a year ago, and it still fills my logs. About that 'chunked' Apache vulnerability? Twice. I have seen it 2 whole times within the weeks it's been out. Let's not forget about this CodeRed bug, because it surely is an attack (a full "root" attack) and I have *never* been attacked with anything else so often. I doubt any study that doesn't take this into account.
So, anything out there besides Snort? I just installed 1.8.7 on my Linux machine and was (un)pleasantly surprised to find that my (un)favorite Snort feature was brought back: random mysterious death of the snort daemon...
I will have to say I have Snort running on a Linux 2.4 host with full event logging and have yet to see it crash a single time.
UnitedLinux is clearly an attempt to raise the commercial value of compatible and LSB-compliant linux distributions.
Please keep in mind that UnitedLinux isn't the LSB. I fully agree with your later assertion of the goodness of the LSB, but if you're looking for LSB, UnitedLinux isn't the way to go. It's an entirely different goal.
...less-competent users could set up servers with such wild security idiocies..
How is this any different from the CodeRed/Nimda attacks that countless Win32 installations saw? Many affected by it didn't even realize they were running web servers.
One of the things I really like about Linux is packaging formats like RPM and DPKG. The approach is that your system is to be built from modular pieces that can be tracked, updated, queried, and removed.
Now the problem, and source of frustration for some users of RPM, is that these management systems do not respond well to circumvention. I.e., compiling an application outside of /usr/local or using an installer that doesn't let the package management system know it exists. Case in point: Perform a server-class Redhat installation. Install XFree86 from XFree86-distributed binaries, then try to use something like an official xterm RPM and your system will say you need to install X11.
An interesting approach to this is that of Debian's, in that you will have an official package available for just about anything you could want. Browse debian.org's unstable software archive to see. Conversely, apt will handle dependencies of packages for you; as a result, DPKG/Apt is *more* temperamental about being circumvented.
Though I wish people would respect the original ideas of RPM and DPKG, I think the concept is great, and avoids the tomfoolery of mucking with nasty 3rd-party installers if done correctly. When you can't or don't want to use a package, go with /usr/local. Things like new.net installers don't cut it over here.
...because that's exactly what I do. I have a 'media server' that basically acts as: a DVD/Divx ;) player, MP3 server/streamer (for playing the same thing in multiple places in my apartment. I don't need a separate device for that), MAME console, and cool distraction. I use the computer to watch TV (via a TV-out vid card) and use a wireless keyboard as a glorified remote control.
To avoid ugly cat5, I have a DWL-650 wireless card/bridge setup in it and connect it to a Linksys WAP. It's not a bad idea for an old AMD K6III-450.
Pipe (fast is preferable) If it's broke, go fix it. Don't bother me with anything else. I don't want your news feeds, I don't want your portal site, I don't want your e-mail offers, I don't want your e-mail server.
Does having more competition or less competition help you get what you want? If you have only one seller, is that seller more or less likely to care about your needs?
Cable companies have enjoyed government protection for years. They are at a level they would not be at had the government not interfered. Funny though, it's OK to take a government handout, but not OK to accept that there may be consequences to that handout?
4. Anyone who wants to see open standards. It was only the existence of free-for-any-use code which led to the global use of TCP/IP -- back when every company had their own proprietary network protocols, the only reason they added TCP/IP support in was because they could do so (almost) for free.
It is most definitely a valid point that the TCP/IP stack was BSD and as a result it is more than ubiquitous. IPX, offerings from DEC, and other attempts all pretty much pale beside IP. However, there was not a GPL-ed TCP/IP implementation to compete with, so saying the BSD *won* is not entirely fair. You are implying a comparison that did not exist.
3. Those who would like to use code, are entirely willing to give credit where credit is due, but haven't decided yet if they want to (or, legally, are allowed to) release their own code.
I would never wish to live in a society where the wishes of people who take my code are more important than mine.
5. Anyone who wants commercial software companies to release their source code. Companies which operate by selling software are never going to GPL their code; they might, on the other hand, release it under a less restrictive license which would allow them to incorporate improvements back into their own codebase.
Well, two issues. Companies already release code under the GPL, even existing companies like IBM and Sun, let alone Red Hat and VA. Saying that an owner of work would not release under the GPL because it "would not allow them to incorporate improvements" is not accurate. There is *nothing* stopping them from doing so.
The misinformation that companies can't use GPL'ed code when they have been doing so for years needs to stop.
The most important thing to realize is that when a machine is compromised, it cannot be trusted. You may think that you were running only OpenSSH, but you may have been running other services started a long time ago. I would be curious to know what kind of logs you had to go by to see what this attacker did. Slightly-smart ones clear every trace.
Also of note is that this particular advisory is known only to affect local users. I don't think this particular bug is the cause. It may have just been a friend shoulder-surfing.
If you want to do analysis on a cracked machine, you should place the hard disk into a different machine and examine the contents.
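The comment above gives the rule (pull the disk, examine it from a clean machine) without showing what "examine the contents" looks like in practice. The following is an added example, not the poster's code: it hashes every file on an evidence tree from the analysis host and diffs the result against a manifest taken before the incident, so the verdict never depends on binaries or logs from the compromised system. The directory layout, file names, file contents and the mount command mentioned in the docstring are all constructed or assumed for the demonstration.

```python
"""Offline integrity comparison of a suspect filesystem against a known-good
manifest.  Added example for the comment above; it is not the poster's code.
Principle: never ask the compromised host about itself.  Hash the evidence
disk from a clean machine (mounted read-only, e.g. an assumed
`mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence`) and compare against
hashes recorded before the incident.  Everything below is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256.
    Symlinks are skipped: on an evidence disk they may point outside the
    mount, and following them would let the suspect disk steer the analysis."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[str(full.relative_to(root))] = sha256_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences from the defender's point of view."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Build a constructed evidence tree, record a baseline, simulate tampering,
    and return what the offline comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/true\n")  # constructed
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed
        baseline = hash_tree(root)

        # Simulated post-incident state: one binary altered, one file planted, one removed.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/true # altered\n")
        (root / "bin" / ".helper").write_bytes(b"constructed unexpected file\n")
        (root / "etc" / "passwd").unlink()

        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest has to come from somewhere the attacker could not reach (package metadata, a pre-incident backup, or a copy kept off the host); a manifest read from the evidence disk itself proves nothing, for the same reason the comment gives for not trusting the machine's own logs.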
FWIW: The BSD advertising clause would require at least one comment remain in the code, the original author's name. That would at least give someone a hint as to where the code came from when trying to interpret the "garbage" source.
If they used the BSD license, they wouldn't release the source. The point of this company's actions is to hide their changes, so why release anything if they don't have to?
What I haven't yet seen discussed is that since they are going to release something, customers would certainly be suspicious of a product licensed under the GPL with source that looks like it was written by a drunk pigeon. If it were something like a C/C++ compiler that behaves awfully similar to, let's say... GCC, I am sure we all would notice and give them some bad press.
The one thing I do feel good about in this situation is that the company is releasing the changes back. For every one company that we hear of messing with the GPL, I am sure there exist 30 more we will never even know about.
Michael Jeffrey: Neither OS is Open-Source. However, we think that the licensing and pricing is attractive to individuals and corporate users alike.
Because you can look at the code does not mean it passes the criteria of the OSD or the FSF's guidelines. Put some Plan9 code in your 'Hello World' app and I'm sure you will be hearing from someone...
One little nit-pick is that the article mentions both Plan9 and Inferno are not Open Source. Also, it's important not to look at the significance of these operating systems as in current market saturation, but what new and exciting features they can bring.
Regarding the 'killer platform', I'm not sure that Holy Grail exists. However, the world proves daily that implementation is more important than design, so just pick what works best for you.
It's a shame people don't have the time or money to care until it actually happens.
Not to excuse procrastination, but we couldn't afford to act on every single injustice that takes place with regard to law. Eventually, we have to rely on our elected leaders to do what we elected them for.
Why did America keep bringing up communism in the 50's?
Sorry, comparing political philosophy to software licenses isn't really fair or quantifiable. Microsoft can't do much other than get businesses more concerned with IP than community. Unfortunately they are really the only company making money from operating systems, but they want to convince that their model works for everyone. If the latter were to catch, companies would do less open development.
I worked for a company called Thruport and one of our products was a spam^H^H banner-serving program. The long and short of it is that I came out with the realization that Internet advertising is deceptive, futile, and a dead-end.
In such a business, everyone is trying to screw over everyone else. I.e., inflate your impressions and click-throughs, track down the geography of users, and place as many banners on a page as humanly possible. I would get calls from irate porn-peddlers and weird clip-art pushers. The second they lost an impression, you would get a call holding whoever was in the room responsible. Never mind that our sales team sold all sorts of unrealistic promises.
There is wonderful content on the web that simply could not survive without ad revenue. I would love to just use Junkbuster or block images with Mozilla, but I do want my measly page-view to give some $0.000000002 to the kids that make Slashdot possible. I wish Slashdot luck. It's certainly an issue I have no idea how to solve.
Oh that is so true...
You can't even breathe in that place without getting sold a warranty or some sort of extended plan. The reason for this is that margins are so slim on large purchases (like computers and DVD players) that retailers either break even or *lose* money on them. Cables and accessories are marked up to try to make up the loss.
I do hate that. I have argued with a CompUSA employee who insisted my mother *had* to have a $30 printer cable or her printer "would print on different pages and stuff". I wonder how long CompUSA and Best Buy can last?
I am wondering if the distributors themselves don't have too much interest in offering patches upstream, not only with the kernel. Commercial distros have a chance to become "pseudo-proprietary" this way.
I think this is a rather childish behavior and use Debian [debian.org] instead.
It is extremely difficult to be proprietary when you are bound by the GPL. If you're referring to Red Hat's using Rick's VM, there would be no stopping you from nabbing a .srpm and making a diff.
I also use Debian and must tell you that they make changes to the kernel. That is good, however. It just isn't practical for a distro to try and update to the latest kernel. Plus, if you're like me, the first thing you do on any distro is nab a tarball from ftp.kernel.org.
I would have to agree with Bero in that the article is a tad misled. If you listen to the mainstream Linux media as of late, you would likely believe that there is a huge wealth of wonderful patches that are being dropped by Linus. This just simply isn't how kernel development works.
From Kerneltrap's wonderful interview with Andrew Morton:
there has been quite a lot of talk lately about kernel development processes, patches getting dropped, etc. I think it's all terribly overblown. The people who aren't being heard (and who aren't even bothering to comment) are the _users_ of that system - the developers. We're all just rolling our eyes and waiting for it to stop. The current system could be more efficient, but it mostly works OK; it is very unlikely to change and anything like a kernel fork is hugely improbable, even if Linus gets bored of it all and decides to do something else.
The above article should be required reading for those following/concerned about kernel development.
What you like about Linux isn't the kernel, but rather the userspace apps and utilities.
Well you see, not really. Though the userspace apps are nice, so is the kernel. The Linux kernel runs on a large amount of architectures, including the SPARCs. Also, Linux is Free in all senses of the word.
Not that Solaris isn't nice, but why run a single OS for a single arch? If Solaris can do almost everything Linux can do, why not just run Linux?
Linux isn't designed at all, which is good. That's why it's so flexible. There was already that debate a while back.
Applications that run on Linux for Intel need to be recompiled and recertified for each new platform; thus the application portfolio to run Linux on a mainframe is small(9).
Oh please. Like you're going to have an easier time compiling non-Linux software? Still think so given how open and portable most Linux software is? Is mainframe software as portable? Is there lots of free mainframe software to port? That's almost as irrational as Microsoft's "Linux isn't free" TCO argument. Per that can-of-worms, because both systems have TCOs means NT itself *is* free?
Articles like this are interesting because Sun definitely has a conflict of interest with Linux. They need to appear as if they support it so new blood will buy SPARC hardware with Solaris, but they also don't want people 'liking' Linux over Solaris/SPARC.
Personally, I love Linux on SPARC. I would prefer Sun making Linux more 'Enterprise'-like instead of hawking Solaris as a big-brother. However, I understand that Solaris is a huge investment and one they probably will think is superior for years to come.
For their sake, I hope the Penguins don't squish them. But if they don't look both ways before crossing the street...
It's unfortunate for the article that no quantifiable evidence is offered. For all we know the numbers were pulled from somebody's imagination.
My ex-girlfriend hooked up with more girls than I did after we split. Kinda cuts the self-esteem in half.
UNIX and Linux instructions:
p
http://www.new.net/download/instructions_unix.t
Wild.
I have indeed compiled GCC on Redhat. It was actually quite simple.
# rpm --rebuild gcc*.src.rpm
So you not only make your own distribution, but you make your own userland tools? Unless yes to the above, you're trusting someone.