You can do far worse than pointing people at The Linux Cookbook.
This is something that is task orientated which seems to make lots of newcomers to Linux (but not computers)
Funny how it used to have one them ..
see here, I also think there was a flaw which was corrected separately to do with loading and interpreting .exrc from the current directory, etc, /tmp, which was fixed as well.
No program is too trivial to have flaws.
I audit code and have found lots of problems in games.
Whilst they might seem trivial there are good reasons for patching them.
Consider a game which is exploitable to gain gid(games) and can modify the highscore file, then wonder if the proven buggy game doesn't check the scores properly - I could be in a position to run code whenever you run the code to show the high scores.
This takes the exploit from boring gid(games) to more interesting "become anybody who runs the game".... and sets up the route to a local root!
Other times it's more simple, some binaries are installed writeable by GID(games) so subversion is trivial ..
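As an added example (not the commenter's code), this is the kind of bounded parser a game would need for a high-score file that anyone with gid(games) could have rewritten; the "score, tab, name" format and the length and score limits are assumptions made for illustration.

```c
/* Added example, not from the original comments. A high-score file that is
 * writable by gid(games) is untrusted input, so every field is bounded and
 * validated before it is stored or shown. Format and limits are assumed. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 15        /* assumed: classic 15-character arcade name */
#define SCORE_MAX    1000000L  /* assumed: highest score the game can award */

struct hs_entry {
    long score;
    char name[NAME_MAX_LEN + 1];
};

/* Returns 0 and fills *out on success, -1 on any malformed line.
 * The classic defect is sscanf(line, "%ld %s", &score, name): %s has no
 * bound, so an over-long name in the file overruns name[] when the
 * scores are displayed. This parser never copies more than it checked. */
int parse_highscore_line(const char *line, struct hs_entry *out)
{
    char *end;
    const char *p;
    size_t n;

    if (line == NULL || out == NULL)
        return -1;

    errno = 0;
    long score = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || score < 0 || score > SCORE_MAX)
        return -1;               /* not a number, or outside the game's range */
    if (*end != '\t')
        return -1;               /* exactly one tab separates the fields */
    p = end + 1;

    n = strcspn(p, "\n");        /* name runs to end of line */
    if (n == 0 || n > NAME_MAX_LEN)
        return -1;               /* empty or too long */
    if (p[n] == '\n' && p[n + 1] != '\0')
        return -1;               /* trailing garbage after the newline */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isprint(c) || c == '\t')
            return -1;           /* no control or escape bytes reach the terminal */
    }

    out->score = score;
    memcpy(out->name, p, n);
    out->name[n] = '\0';
    return 0;
}
```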
The problem with many studies on security is that they are not comparing like with like.
For example a Microsoft person should be looking at a bare install with XP, IE 6, and all service packs. Nothing else.
To contrast that with a Linux system you'd install RedHat / Debian and tons of extra software, basically whatever comes as part of the "default" installation - however this clearly has a lot more software included, Emacs, Vi, etc.
On the Linux side trivial security problems with games, or whatever would be counted - artificially inflating the security exploits on the Linux side.
True there have been several kernel security problems over the past few months, but they should be pretty much all that is compared against Kernel flaws in Windows + Internet Explorer bugs.
And this deluge of mostly identical bugs is what has led to the more widespread adoption of technologies such as SSP (stack protection for GCC), and SELinux.
SSP is used in Adamantix, I want it in Debian proper (packages here).
Fedora uses SELinux, and more will probably do so given time.
All of these are steps which are gradually raising the bar and increasing security - and nobody would bother if it weren't shown how many vulnerable programs exist.
This is why documents such as The Secure Programming for Linux and Unix should be compulsory reading for developers.
Time after time we see the same flaws being found, sometimes by me, sometimes by more focussed groups.
I seriously believe half the problem is the number of young developers who read manuals/textbooks/online guides which have a paragraph at the introduction saying something like "To keep the code concise we've omitted all error checking in our examples". With nary a mention of security throughout the rest of the piece.
Half joking - half serious.
Finding problems which can be disclosed at the same time as a patch is very good.
All the major Linux distributors will release updates in a timely manner, and enable people to install them with minimum effort - much like Microsoft does. The only difference with Microsoft's patches is they can, rarely, break things. I've never seen this happen with a Linux update.
Personally I've never heard anybody say anything bad about the pro-active way which the OpenBSD team audit their codebase and this is one of the reasons why I started the Debian Security Audit.
Having a dedicated team of people auditing code, combined with the ability to release updates in a timely manner is definitely a good thing.
(The results of my work show that even with only a small amount of effort security can be increased)
Did I mention that I'm available for hiring? ;)
It will certainly be interesting to see how many of these patches now get in.
The Debian X Strike Force produce a packaged version of X which runs on more platforms than the native version, seeing those patches folded in would be wonderful news.
There was a story about defeating this system on /. a while back.
Rather than using OCR or anything people would merely harvest a load of images from a signup site - possible when there are only a given number of finite images, or when there is a consistent naming policy.
Then once the images were collected they would merely setup an online porn site, asking people to join for free proving they were human by decoding the very images they had downloaded.
Human lust for porn meant that they could decode a large number of these images in a very short space of time, then return and mount a dictionary attack...
Quite clever really, sidestepping all the tricky obfuscation/OCR problems by tricking humans into doing their work for them ..
And that's exactly what scripts such as GNU Stow do.
The 'foo' application is installed in '/usr/local/foo-v1.x', and symlinks are placed into /usr/local/bin so that it can be run.
This makes installation and removing applications simple - and you can share your applications across NFS if you're so inclined.
Whilst this has been answered in terms of the GPL already it's worth remembering that as the author of some software you're entirely free to dual license it.
So people may have the GPL version for free, and customers can be given an enhanced version which is non-GPLd, either in source form or just installed as binaries.
I worked for a company that successfully managed to sell contracts of a "supported" and enhanced piece of GPL'd software they wrote.
I have a Prince Albert piercing, and any women who want to use it are welcome ..
I can't believe nobody has mentioned this yet, but this document has a trivial typo "matter" is spelt "mater".
Now remind me how much lawyers get paid by the hour?
Frankly I'm appalled .. I know that my spelling sucks, but I don't get most of my incoming from being able to read and write threatening letters.
If I did .. I'd do it correctly.
Bayesian filtering is a great solution at stopping you from seeing spam, but it does nothing to actually make it go away.
My big problem is that I have a colocated box which gets 600-900 spam mails a day, they're filtered so I don't see them - but each incoming message still counts towards my monthly bandwidth allowance.
So .. filtering alone is not a solution.
(Sure I could filter at SMTP time, but that's a bit of a hassle to setup and wouldn't allow me to check that I've not missed something important).
I don't know about programmers, but I've been Auditing Debian Packages for security holes for a good few months now.
You are correct, it's tedious, dull, and repetitive - but it's nice when you get a good result.
The simple choice seem to be "read a range of 0-50k" to see if the data is at the start of the file. If it is then you get lucky and win!
If it isn't then you assume it's at the end, and then ideally you just want to just say "give me the last 50k".
Unfortunately you can't do that as there isn't a notion of negative offsets from the end of a file in HTTP. So in the general case you cannot do better than read the whole thing.
I guess if you have a directory index you can parse the filesize from that and then use that in your range'd request, but that's sucky too.
Just wait until the film of "Enders Game" comes out, likely they'll be a game of the Battle Room shortly afterwards.
... lets just hope it doesn't suck!
Tricking without using 'm'ake .. I guess you have to install a prebuilt binary 'm' and then bootstrap it up from there ..
GNUMP3d is now part of the GNU project, and isn't located on sourceforge any longer.
Instead find it at the GNU site, or via gnump3d.org.
The right way is to promote your project on a big site like /.
Then subtly include wishlist links, and maybe pointers to other software you wrote.
Maybe you'll get lucky and somebody will buy you a thing or two ...
Because it's a simple way of locking out other people of their accounts.
I could go over to a colleagues PC and deliberately enter the wrong password five times when she's away to lunch.
When she comes back she finds her account has been disabled, and she's locked out until the sysadmin resets it.
At home this might not be a problem, but allowing people to lockout a remote worker from their VPN connection when they're working on something important isn't a good idea.
I log failed passwords on our machines sure, but disabling them automatically is too much for me.
Novatech rock - both the machines in front of me came from them.
I was just a little sad that when I put in a bid for 20 workstations for my company they were more expensive than Mesh - who ended up shipping us twenty machines for around 320 each. (From memory for a similar spec the Novatech boxes were around 379 - although they did include stuff like the onboard modems which we didn't need)
The novatech boxes I've bought in the past (maybe 8 for work and 2 for home use) have been great value - I've never had any complaints so I've no idea how good their customer support is, but I'd happily recommend them to anybody.
I moved kicking and screaming from NT4 over to 2000 solely so that I could get decent USB support.
That was always the thing holding back my use of NT, much more so than the games - after all Quake III Arena ran just fine on NT ;)
There have been some interesting developments though over the past few months.
I keep a livejournal which I post to, but to be honest that's mostly to organize social stuff - as a lot of people in the same area to me have accounts and we can use it for all kinds of things that you could use email/phones for.
Sure sometimes I post code snippets and things, but 95% of the readership are people in the same city as me, who aren't computery types at all.
One of the more interesting developments recently has been the creation of "Planets", aggregated blogs from multiple people all involved in one thing.
So, for example, I find Debian Planet very useful - as it allows me to learn about the real lives of Debian developers in a way that you just don't see from reading mailing list posts.
Debian unstable comes with 'unrar', which I've used in the past.
Whilst it's not free it doesn't require any strange libraries:
skx@undecided:~$ apt-cache show unrar
Package: unrar
Priority: optional
Section: non-free/utils