A good number of tips are provided to help you immediately incorporate better security into your app whether it's a real concern (for now) or not
unless IBM's high paying customers are paying Debian developers to fix it (which I don't think happens, yet).
Funnily enough I used to like the FCBS when I started writing in assembly under DOS 3.3.
They allowed you to do globbing via FindfirstFile, and FindNextFile, (or whatever they were called!).
This was much simpler than using other functions - because the space inside the PSP was already setup for them.
Explain the situation to the FSF and somebody would probably approach them.
If the code is similar chances are symbol table information / exports in DLLs etc would allow binary comparisons to be used to establish a connection.
That way source wouldn't need to be visible and you'd be clean.
Failing that, tip off the author - if you don't work there anymore and you feel bad, why keep quiet, and then tell the world anonymously?
The first thing I thought when I read the original /. story was that it sounded like Project David all over again.
Project David was allegedly an entirely new way of running Windows applications on Linux, covered on slashdot here which was suspiciously similar to the Wine project...
Sounds simple enough - you could write a proxy server that binds to a port upon the machine then passes on the incoming requests to the loopback interface, where the google search could use them.
Might be an interesting thing to do .. although I'd worry about the privacy implications.
If I ran the indexer on a server with all the companies' home areas then a search could find results in people's personal documents - things like salaries etc.
You'd want to be very careful you excluded these items - which might spoil the usefulness of it.
I tested this as soon as I noticed. Seems to bind itself to 127.0.0.1 only.
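The check in the reply above (is the search service bound to 127.0.0.1 only?) can be done on Linux by reading /proc/net/tcp. This is an added example, not code from the thread; the table lines are constructed samples in the real /proc/net/tcp format, and the port numbers are assumed for illustration.

```python
"""List TCP listeners and flag any that are not bound to loopback.

/proc/net/tcp prints the local address as HEXIP:HEXPORT, with the IPv4
address in host byte order, so on a little-endian host (assumed here)
127.0.0.1 appears as 0100007F.  State 0A means LISTEN.
"""

# Constructed sample: a loopback-only listener on 4664, a listener on
# 0.0.0.0:8080 (e.g. a forwarding proxy), a loopback SMTP listener and
# one established connection that is not a listener at all.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1238 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1
   3: 0A00000A:C3A8 0A00010A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1
"""

LISTEN = "0A"


def hex_to_ip(hex_ip):
    """Convert the host-order hex address from /proc/net/tcp to dotted quad."""
    raw = int(hex_ip, 16).to_bytes(4, "little")
    return ".".join(str(b) for b in raw)


def parse_proc_net_tcp(text):
    """Return (ip, port, state) for every socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        hex_ip, hex_port = fields[1].split(":")
        rows.append((hex_to_ip(hex_ip), int(hex_port, 16), fields[3]))
    return rows


def listeners(text):
    return [(ip, port) for ip, port, st in parse_proc_net_tcp(text) if st == LISTEN]


def exposed_listeners(text):
    """Listeners reachable from the network, i.e. not bound to 127.0.0.0/8."""
    return [(ip, port) for ip, port in listeners(text) if not ip.startswith("127.")]


def loopback_only(text, port):
    """True when every listener on `port` is bound to a loopback address."""
    bound = [ip for ip, p in listeners(text) if p == port]
    return bool(bound) and all(ip.startswith("127.") for ip in bound)


if __name__ == "__main__":
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener: {ip}:{port}")
```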
Thanks for the clarification .. that seems so alien to me.
Over here in the UK we have some stores where there will be people packing goods into bags for you, and if you're a pensioner you might find an assistant walking around who'll help you carry stuff to your car - but that's about it.
Could you educate a simple Scotsman: what is a greeter?
I have a mad vision of somebody stood just inside the store saying "Hello, enjoy your shopping" as you walk in.
But I'm sure that's just me being too literal. Especially if they don't help you, or give you directions to stuff you want.
Security should always be important whether you're providing a network server, a setuid application, or neither of these things.
In many cases security issues arise from malicious input causing an exploit; even in non-security-sensitive applications, if you're not careful, unexpected input can cause a crash which might be just as painful from a user's point of view.
Too many people forget that security is a process, and not an add-on.
Many good tips on secure programming can be found in David Wheeler's Secure Programming for Linux and Unix HOWTO.
Read it, even if you don't think security is important for you yet. It's only a matter of time until it will be.
I was hoping for something more automatic than testing for trolls based on their words, then manually approving posts.
I wonder how well some kind of Bayesian auto-classification of comments would work in practice?
I guess the majority of comments would be very small so there may not be enough to work with, but if these systems are mailing comments to the administrator already it would be fun to set up a troll/non-troll classification, and see how well it could learn.
Just like spam/non-spam handling there would likely be false positives initially, but if it worked out well you could set up some code to approve comments which scored non-troll and delete comments scored troll.
Does something like this exist already? Seems simple enough to knock up if not.
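The classifier the comment above sketches, as an added example that is not part of the thread: a small multinomial naive Bayes model in the style of Bayesian spam filtering, with a middle band that is held for manual approval because of the false positives the comment anticipates. The training comments and thresholds are constructed for illustration.

```python
"""Bayesian troll / non-troll classifier for short blog comments."""
import math
import re
from collections import Counter

# Constructed training data: a handful of labelled comments.
TRAINING = [
    ("you are an idiot, first post, this site sucks", "troll"),
    ("lol, the moderators are idiots", "troll"),
    ("first post! your site sucks", "troll"),
    ("interesting article, thanks for the link", "ok"),
    ("I think the kernel patch fixes the bug", "ok"),
    ("thanks, that article was useful", "ok"),
]


def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    def __init__(self):
        self.words = {"troll": Counter(), "ok": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def train(self, text, label):
        toks = tokenize(text)
        self.words[label].update(toks)
        self.docs[label] += 1
        self.vocab.update(toks)

    def p_troll(self, text):
        """Posterior P(troll | text) with Laplace (add-one) smoothing."""
        logp = {}
        for label, wc in self.words.items():
            total = sum(wc.values()) + len(self.vocab)
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            lp += sum(math.log((wc[w] + 1) / total) for w in tokenize(text))
            logp[label] = lp
        # Work in log space so many tiny word probabilities cannot underflow.
        return 1.0 / (1.0 + math.exp(logp["ok"] - logp["troll"]))


def train_model():
    model = NaiveBayes()
    for text, label in TRAINING:
        model.train(text, label)
    return model


def decide(prob, approve_below=0.2, delete_above=0.9):
    """Auto-approve clear non-trolls, delete clear trolls, hold the rest."""
    if prob < approve_below:
        return "approve"
    return "delete" if prob > delete_above else "hold"
```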
I have a couple of mice around with the Microsoft brand, but I'd change them to something else without any problem.
It's the Microsoft Natural keyboards I can't live without - I have three of those and the only way you'd take them from me is if you pried them from my cold dead hands.
I've seen the newer ones which are very big and have lots of 'multimedia' buttons, but I'm lucky enough to have bought a stack of the older, plainer, heavier, and much less flimsy looking models.
I'm fairly sure they're just rebranded keyboards made by other people but I'm very pleased with my Microsoft keyboard!
It may be obscure to some, but I remember it very well.
This was the first film I ever saw in a cinema, and it was a day that I can't ever forget.
Sure in retrospect it wasn't that great a movie, but it's a name that I'll always remember.
Right now I'm wondering if I wish to spoil the memory by watching it again on DVD or if I should just let it go.
I audit code for fun, write exploits to see if things are practical.
I'm also hirable - reckon my chances will go up if I write a mass mailer? ;)
Me too, but now I see that I'm in the top ten for image searches on my name too - which is a little bit creepy!
Whilst it's possible using the excellent Securing Debian manual, it's best for all users if the distro is set up with sane defaults.
Debian by default does not ship with an SSP-enabled GCC.
I've made packages available, and others have too - but by default the patch isn't applied to Debian's compiler.
Please see bugs 233208 and 213994 for details.
The SSP packages for Debian I've put together are available online here - and can be installed easily.
I'd love to see a project like this for Debian but I'm loath to splinter off another group as Adamantix did. (They can no longer call themselves 'trusted Debian' for naming reasons).
To be effective it has to be a real part of Debian, and it's not clear at all that these people are.
This is what I don't understand about Gentoo (I'm a Debian user unlikely to change any time soon).
If most of the setup is automated, to the extent that compiling and installing a package is just 'emerge foo' - how do you learn so much more about the system?
Is it the installation that allows you to learn that? My understanding was that this was also scripted? And not so manual.
Linux-From-Scratch seems to be the most low-level of the distros out there, but I've never tried either that or Gentoo; I'd love a comparison from somebody who has installed/maintained/used both for a significant amount of time.
There are several companies who have paid Debian Developers on staff, so it's not too bad an idea.
In our company I changed a lot of servers from ancient versions of RedHat and SuSE over to Debian - the fact that I'm a Developer probably helped sell it, but in practice I know the distro and I know my packages, but I don't have any magic inside knowledge for fixing things.
I was lucky to make the change on the grounds that Debian with APT is simple to keep up to date, and the security team is very responsive. The fact that the machines I inherited hadn't been updated for years for fear of breaking things ..
A third reason that Macs have fewer attacks is that fewer of the l33t kiddies actually own them.
There's no way I could write code that attacked a Mac without having one to play with - and I don't.
I've got a collection of PCs and a collection of Sun boxes, but no Macs.
That's not entirely true, there are many tutorials on discovering and exploiting security holes on Linux / Unix platforms.
Everything from the classic Smashing The Stack For Fun And Profit paper to more recent ones.
Bugtraq delivers daily reports of exploitable flaws in software, lots of it for Unix systems - granted that few people use most of the toy packages which people post bugs for, but they still exist and it's still mostly trivial to discover them.
I audit code and it's depressingly easy to find flaws in Unix software.
Failing that:
fucking google it!
That and The Fifth Element are my two comparable films in terms of special effects.
I'm waiting for it to hit v2.71828183..
This is part of the problem of discussing Java.
Which Java?
Java the language? Java the runtime? Java the virtual machine? Java the class libraries?
It seems like Sun haven't made this any easier for us to understand, in much the same way that Microsoft was rebranding everything as 'dotNet' a couple of years ago.
Java the language I like, although I think it's only become something I'd like to use in the most recent releases.
Java the runtime class libraries are very very very comprehensive, and usable in a verbose manner - but the write-once-run-anywhere? I'm less and less convinced of this as time goes on.
Our company uses an internal Jabber server, and all the Windows desktops have the Exodus client installed upon them.
It's great for chatting to people in other offices, makes people feel a lot more in contact, and it's a lot more immediate than using email.
I've known a lot of local companies using Jabber too - even though I'm sure sometimes the PHBs don't realise it's free software, snuck under the radar..