I did not lie, previously WinAmp was shareware, then it became free.
Now there is a premium product which you must pay for.
I don't have a problem with that at all .. I'm merely showing one example of a popular piece of software which used to be free becoming a paid product - sure it's still free, but the super-sexy-version is now paid only.
Kinda highlighting the original point of the "article".
.. shall I suggest that anti-GNU people are zealous now? *shrugs*
As a reminder of how to develop under MFC a couple of days ago I wrote a toy program for monitoring machines.
Kinda like Nagios does (formerly netsaint) but in a single application instead of a web-based system.
I sent a copy to a colleague who appreciated it, and one of his first comments was sell it for $29!
I am a Debian guy, I write free software for Linux/Unix and I could do for Windows - but to be honest I have no qualms about charging for Windows.
Why? None of the software I've produced has been by any means essential, it's just handy stuff for the sysadmin type who has to look after a lot of Windows desktops.
If people use it, fine; if they send me money, fine; if not I really don't mind.
Under Linux or Unix I'd honestly not consider it. I might get paid to update some software, or write something specifically for you (that happens every few months, usually for peanuts; but sometimes for surprisingly large amounts of cash) - but I'll not write something random then expect people to pay for it. It's a completely different market and mindset.
People under Windows may hate it, but they have been conditioned to expect to pay for software which is any good. Winamp is even going back to a premium paid product, after previously being shareware then going free!
Re:Can't build security on a weak foundation (on Exploiting Software, Score: 1)
There is far more to security than having to deal with buffer overflow attacks.
Sure Java tends to be more secure, but part of the reason for that is the lack of usage in places where normal C would be - for example I've never seen a setuid(0) Java executable.
For network servers I agree buffer overflows are pretty much prevented by the use of Java. However there are still flaws there to be exploited due to programmer error - such as writing an HTTP server and not filtering out "..".
This kind of problem is independent of the language, a real human error.
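A worked version of the ".." point above, added here and not taken from the post: rather than scanning the request string for "..", the check canonicalises the path and tests where it actually lands under the document root. The document root, the file in it and the request paths are constructed for the demo.

```python
"""Keep file serving inside a document root (added example, not from the post)."""
import os
import tempfile
from urllib.parse import unquote


class PathOutsideRoot(Exception):
    """Raised when a request path would resolve outside the document root."""


def resolve_request_path(docroot: str, request_path: str) -> str:
    """Map a URL path onto a filesystem path under docroot, or raise.

    Rather than scanning the string for "..", decode it, join it to the root,
    canonicalise the result (realpath collapses "." and ".." and follows
    symlinks) and check that the canonical path still lies under the canonical
    root. The check is on where the path lands, not on how it was spelled.
    """
    root = os.path.realpath(docroot)
    # Decode first: the filesystem sees the decoded name, so the check must too.
    decoded = unquote(request_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Compare with a trailing separator so "/srv/www2" is not taken to be under "/srv/www".
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathOutsideRoot(request_path)
    return candidate


def classify(docroot: str, paths) -> dict:
    """Return {request_path: "served" | "rejected"} for each request path."""
    verdicts = {}
    for path in paths:
        try:
            resolve_request_path(docroot, path)
            verdicts[path] = "served"
        except PathOutsideRoot:
            verdicts[path] = "rejected"
    return verdicts


def demo() -> dict:
    """Run the check against a constructed document root holding docs/index.html."""
    with tempfile.TemporaryDirectory() as docroot:
        os.mkdir(os.path.join(docroot, "docs"))
        open(os.path.join(docroot, "docs", "index.html"), "w").close()
        return classify(docroot, [
            "/docs/index.html",           # ordinary request
            "/docs/../docs/index.html",   # ".." that stays inside the root is fine
            "/../outside.txt",            # leaves the root: rejected
            "/%2e%2e/outside.txt",        # same path percent-encoded: a literal ".." filter would miss it
        ])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```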
But there are already bandwidth limiting modules for Apache, I know I wrote one!
The problem is that few people use them, the only time I've really ever seen them is on the free sites like geocities where you are often greeted with an error.
"This site has used up its available bandwidth, please return in an hour".
Of course I usually don't bother returning, and rely on a google cache if it's available.
Posting regularly in USENET from 1994-2001, and having email addresses online seems to have done the trick for me.
I average a few hundred viral emails a month from infected machines with my details on them, and maybe 300 spams a day.
Most of them I don't see but that is irrelevant. People who say that spam isn't an issue are missing the point.
My colocated box costs me money for a month's bandwidth, simply accepting the mail on my server eats into my total bandwidth allowance and that is directly costing me money.
(I'm in the UK, and the majority of my mail is focussed on American products containing American phone numbers - maybe not sent from inside the USA but definitely on behalf of American companies).
Even upgrading in the same distro is generally not a good idea
I guess it depends on the Distro, the BSDs and source based Linux systems should be OK for that, as it's just a matter of updating lots of packages.
Ditto for Debian - All my old machines running Debian were upgraded in place, sometimes even remotely, without any major problems.
Personally I've got a lot of Kernel modules I'm waiting on being updated before I can try 2.6.0 on my home/toy machines.
The other sticking point was waiting for a new Nvidia driver for 2.6, but I understand that's now been released officially. (I do remember seeing an unofficial one a while back, but I figured the machine is fast and stable enough for me to not worry about upgrading "just because").
You seem to have the delusion that all security holes are as a result of buffer overflows.
Whilst these are the most commonly known they are by no means the only form of security problem.
More difficult to detect are such things as integer overflows, format string attacks - and even trivial problems like failing to drop privileges before using "popen".
I've been using them for my domain for a few months now and it's been very impressive.
Sometimes support requests have lagged a little, but they are competent and reliable - and getting a discount for doing free software was a nice bonus.
On the down side this is a duplicate article, on the plus side this version has a link to the Google partner version of the article. (So no login required).
I guess this means that I can't gain karma by posting a mirror. Do you think I'm in with a chance of anything else? ;)
For my sins I am BOFH at a small shop which has installations of both SCO openserver and UUCP.
The combination of tracking down problems in UUCP and having to admit to my friends that I run Debian and SCO side by side is enough to make me a target of abuse!
There are probably a ton of sites sharing dialup across a company of five or ten staff using UUCP to receive files from their partners, etc.
Hell, if they'd pay my flights I'd go onsite with a cable modem and set up a Linux box running SSH - never gonna happen though :(
This can sometimes be a problem - when I started my job there were a few machines which hadn't been rebooted in a year or two.
During that time extra services like SSH, rsync, etc, had been installed and they'd been started manually.
When it finally came to the time for the machines to be brought down and restarted then lots of services which had been running for the past few months would be mysteriously missing.
Several times I tracked this down to missing init scripts - and shortly afterwards I made a plan of bringing down each of our machines at least once every six months to make sure that all the startup systems work correctly.
Sure, no more uptime pissing contests, but I do know that if there is a power outage and the machines go down they will come back up (barring frying!).
I've been running a small audit for the past few months, mostly looking at low hanging fruit - but still in that time I've managed to have 17 advisories published.
Yet I've only recently come across your site and see there several audits which appear to show vulnerabilities but not any links to real advisories.
I think it's a worthwhile thing to do and spend several hours a week looking over code; but I've never found any volunteers either - it just isn't sexy enough for people I guess. (Apart from people who are being paid to do it, security companies and the like).
I wrote an apache module which I call mod_curb (for Apache 1.3)
This doesn't do exactly what you want, but I'm sure if you were to ask me or somebody else we could code something for you.
The basic idea I have for your problem is to have a database of currently active clients, be it MySQL/flat files, then you can keep track of all data transferred by that address.
Once a threshold has been reached you can either stop everything, or start throttling.
However throttling alone won't help you out; they'll still mirror you, just slowly.
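The accounting sketched above, written out as an added example (not mod_curb's own code): a per-address ledger of bytes sent within a rolling window, with a soft threshold that throttles and a hard one that refuses, since throttling on its own only slows a mirror down. The addresses, response sizes, window and thresholds are constructed.

```python
"""Per-client transfer accounting with throttle and block thresholds (added example)."""
import time
from collections import defaultdict

ALLOW, THROTTLE, BLOCK = "allow", "throttle", "block"


class TransferLedger:
    """Bytes sent to each client address within a rolling window.

    Below `soft` bytes a client's requests go through; from `soft` up to
    `hard` they are throttled; at `hard` they are refused outright, since a
    throttled mirror still completes, just slowly.
    """

    def __init__(self, soft: int, hard: int, window: float, clock=time.monotonic):
        self.soft, self.hard, self.window, self.clock = soft, hard, window, clock
        self._log = defaultdict(list)  # addr -> [(timestamp, nbytes), ...]

    def usage(self, addr: str) -> int:
        """Bytes sent to addr inside the window, dropping entries that have aged out."""
        cutoff = self.clock() - self.window
        self._log[addr] = [(t, n) for t, n in self._log[addr] if t >= cutoff]
        return sum(n for _, n in self._log[addr])

    def record(self, addr: str, nbytes: int) -> None:
        """Account for a response of nbytes that was actually sent to addr."""
        self._log[addr].append((self.clock(), nbytes))

    def decide(self, addr: str) -> str:
        """Decision for the next request from addr."""
        used = self.usage(addr)
        if used >= self.hard:
            return BLOCK
        if used >= self.soft:
            return THROTTLE
        return ALLOW


def demo() -> list:
    """Replay a constructed burst of 500 KB responses to one client and return the decisions."""
    now = [0.0]  # fake clock so the run is deterministic
    ledger = TransferLedger(soft=1_000_000, hard=3_000_000, window=3600, clock=lambda: now[0])
    decisions = []
    for _ in range(8):
        verdict = ledger.decide("192.0.2.10")
        decisions.append(verdict)
        if verdict != BLOCK:             # a refused request transfers nothing
            ledger.record("192.0.2.10", 500_000)
        now[0] += 60
    now[0] += 3600                       # an hour later the window has rolled past the burst
    decisions.append(ledger.decide("192.0.2.10"))
    decisions.append(ledger.decide("192.0.2.11"))  # another client is unaffected throughout
    return decisions


if __name__ == "__main__":
    print(demo())
```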
Don't forget the often overlooked "use diagnostics;" either!
And if you're writing CGIs then for testing purposes something like "use CGI::Carp 'fatalsToBrowser';" can be a lifesaver too - but remember to set up something different when your code is in production use.
You can replace the shell on windows - A long time ago I used Litestep as an alternative GUI for windows.
Essentially you create a replacement process for 'explorer.exe' then you tell the system to use it; the trick is that you have to handle the same command line interface as the original explorer, and you have to do the lookups for the control panel, etc. to make it usable.
There's an index of replacement UI's and wrappers at Shellcity.net.
Isn't that a false economy though?
I'd imagine if we're really caring about the energy usage, etc., it's better to scrap the old machine and get a new one with lower power consumption and a better energy-saving mode.
I found the same thing.
My solution was to switch over to doing system administration.
I still get to automate stuff and write code, and I get to "test" out all the sexy kit the company buys before it hits the shop floor.
On the downside although our servers are Unix I now have to support lots of Windows workstations where I get confused often.
Yes it does.
If you install gcc v2.9x and gcc v3.x you end up with something like this
/usr/bin/gcc is symlinked to /usr/bin/gcc-3.3 and there is still a /usr/bin/gcc-2.95.
That way you have a default which is gcc, and the option of being explicit about the version if you really care which compiler you use.
I think that meets the requirements of having two side-by-side compilers.
Ummmm they do.
For example I have the following two feeds in my snownews aggregator:
That stuff is scary.
I've only ever called the Emergency services for real once in my life, I gave out some details to the person I spoke to.
Before I'd even given out my address I could hear sirens in the distance.
I thought it was a coincidence - but it wasn't.
Two fire engines turned up at my house literally seconds after I'd given my address.
(For reference I'm in Edinburgh Scotland, although I was calling from a land-line not a mobile)
Except, noone wants to audit code.
Some people still want to audit code.
Although it has to be said it's not something many people have the time or patience for.
Thirded!
SSP is good, but not commonly available in distributions.
I've made packages for Debian stable/unstable which are available from my security pages.
More feedback is always appreciated - as it stands I use them, but I've no idea about others!
See my other comment about mod_curb which comes close to doing the right thing.
You could hack it, or find somebody else to do so for you.
I'm top for myself but that's a good thing.
It'll put anybody not observant enough to notice my tattoo, piercings, and skinhead appearance off if that's not what they want.
Yes I agree, I've not used friendster because I didn't really think it was too useful.
But then I discovered Lighter Thief - a simple site designed to track cigarette lighters around the world.
You sign up and create an ID for your lighter then tape it to the side. Give it to a friend and the URL can be used by them to input its current location and how they got it.
I have seen lighters that I "liberated" in Edinburgh end up in Paris, Amsterdam (I wonder why ;) and Sweden.
Fun stuff .. I wish that had been my idea!