De-compilation is at best a violation of your license to use the library, forfeiting your ability to use it, and at worst could be a violation of the anti-circumvention clause of the DMCA, which could land you in court or in jail.
And here's (http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf) a paper demonstrating a technique for finding MD5 collisions quickly: eight hours on 1.6 GHz computer.
From the article: "MD5 hash values are a cornerstone of computer forensics and fully accepted as evidence that two files are identical copies of each other. You could claim that you didn’t download the song from the file sharing network because you were the one who uploaded it, but I doubt that will help your legal predicament."
The MD5 hash has been known insecure since at least 2005. See: http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html. I seriously doubt any computer forensics expert in 2011 would use MD5 hashes as evidence that two files are identical.
Re:Sendmail? In a secure system
on
Hardening Linux
·
· Score: 1
Yes, in a secure system!
Sendmail has as much place on a secure system as Postfix or Qmail. If either of those MTAs had been around as long as sendmail (22+ years) they would probably have as sordid a security history. The thing to remember is that those holes have been patched, some as much as ten years, or more, ago. No software is going to be bug or security hole free. (OpenBSD doesn't even have a pristine security history for all of its code audits.) Like any MTA software, sendmail can be configured to be secure, or it can be configured to be insecure. Just keep it up to date and configure it sanely.
Also, for the record, just throwing out Google results is meaningless. Here are some more for you. Results 1 - 10 of about 48,100 for Postfix "security hole". Results 1 - 10 of about 1,910,000 for Postfix bug.
Results 1 - 10 of about 44,400 for Qmail "security hole". Results 1 - 10 of about 1,660,000 for Qmail bug.
Using your logic, Qmail and Postfix must really suck too.
Instead of throwing out Google results as proof of sendmail's suckage, why not show a few examples (that are less than four years old, please) that show sendmail currently having glaring insecurity. I will be surprised if you come up with many. The fact is that sendmail has had problems in the past. No one will deny that. Those problems spring from it being basically the first SMTP server ever. However, its security history is just that, history. I am tired of people beating the dead horse of sendmail insecurity and using data from fifteen years, or dubious Google results, ago as proof. Give some real, current evidence please. Otherwise it will continue to stand to reason that sendmail has just as much place in a secure system today as Qmail.
You should look at functional languages like LISP and Scheme for good examples of this. LISP is a simple languages that is used to create small languages to solve specific problems. The programmer uses LISP as a meta-language.
These guys are quite a bit smarter than me, however. BitC looks cool. It looks like (again) a step in the right direction.
I am beginning to think, though, that mathematical proof and the low-level memory access required to implement operating systems are to some extent mutually exclusive.
The language is still based on C and allows, through the "unboxed" types, direct pointer access. (Unless I am misreading the BitC doc.) Allowing any sort of direct pointer manipulation foils any attempt at mathematical proof.
Capabilities and verifiable code are a good start. Now it just needs a systems programming language that allows for proof (mathematical proofs that is) of correctness. Basically, get something better than C and some of the problems inherant in UNIX will disappear.
There is nothing to say that SystemServices can't be used on a headless server. That does not mean that it is good software, a good idea, or a good thing to run in a server environment.
On my servers I need all the RAM I can spare. That means there is no place for D-Bus. It is just one added piece of complex software to break my servers, consume valuable system resources, and cause security problems.
Init is simple, robust, stable, lightweight and stays out of my way. It works and works well. The wheel is not broken. There is no need to fix it. Init fits with the UNIX philosophy, SystemServices does not.
I have to agree with many of the posters here and on OSnews.com. This project appears to be born of a very poor understanding of the existing init setup and a dislike of shell scripts. Runlevels are not a difficult concept to grasp and init already can support all the features that he is looking to add.
Also in college I double majored in English and Computer Science. I like being able to write in the margins of a book with a pen. I did that quite often in my English classes. I can then add my thoughts to the author's thoughts and thereby increase the value of the book, and the thoughts it contains.
I personally have never liked reading online content. I prefer printed materials for several reasons. (Yes, this includes computer related books.) I print out man pages when I am going to be reading them at length. I print out software manuals. Hell, I even print out web pages sometimes. I give you a few good reasons for this behavior.
1) Eye strain. I get eye strain easily from monitors, but not from printed pages.
2) I like to be able to read while laying in bed. It is kinda hard to do that with my desktop computer. No, I am not going to buy a laptop or PDA with ebook software just so that I can use technology in bed.
3) I don't have to worry about a hard drive crash destroying my library.
4) I like being able to put my finger between two pages to hold my place and filp around through other parts of the book.
5) No batteries required!
6) I can actually exercise ownership and fair use rights.
7) I like going to Barnes and Noble, grabbing a few books and sitting in their comfy chairs to read a little before making my purchasing decision.
Let's face it, the PUI (Printed User Interface) is simply more elegant, useful, and comfortable.
I own hundreds of books, perhaps over a thosand by now. I love the paper smell. I like fliping pages. I love going to the bookstore and being surrounded by millions of words and ideas. Ebooks will never have a place with me because they can not provide the same experience.
This is very true. My point is that he and LT aren't claiming that they have done nothing wrong. I don't think that they have much integrity, but it does take a little to publicly admit wrong doing and to face the inevitable tidal wave of flames and rages to follow.
This is just a start. There may be more to come. I personally want to see all of the allegations answered for.
Just because I think that the guy is starting to do the right thing doesn't mean that I forgive him, or don't think that he is a sleaze.
My thought is that we should pat him on the back for comming out into the open, encourage him and any others involoved to make amends, and then encouragage Internet.Com to fire the bastards.
I don't think that I am being unreasonable of wishy-washy here. I am just not getting angry about it.
I would like to thank Kevin Reichard for finally swallowing his pride and admitting to wrong doing. I agree that his excuses do seem a little weak, but at least he is not acting like the second comming of Richard Nixon ("I am not a crook!").
However, there are still many concerns which were brought up by Paul Ferris in his Linux Journal article that need to be addressed. The most important of these being LT's stance on linking to external content. Like I have said before, LT is a news portal therefore most of the relevant content that they should be printing is going to be found on external sites. As a journalist and editor Reichard should be more worried about boosting readership through quality of content, rather than keeping people "in the channel" to boost ad dollars.
It sounds to me like LT and Internet.Com have greater problems than a little bit of astroturfing. At least they still have enough integrity to own-up to the responsibility they have to their readers.
/. and LT have been two of my favorite sites since I started reading them in '97. I have never really put much stock in the talkbacks. They are sometimes fun to read, but more often they are just frustrating. It doesn't really surprise me that something like this would happen. I would expect more integrity from people like Reichard, though. I find this behavior to be extremely childish and sad. But I don't read the site for talkbacks.
The things that really burn my buttons are his insitence that there is no Linux community and his stance on linking "external content".
First, I give proof that there is a Linux community. My proof is the kernel source. Every one of the kernel developers runs some version of Linux. They are provably part of the Linux community by their use and development of Linux. Then there are the users and the distributon makers. Not so provable, but they obviously exist. If Reichard believes that there is no Linux Community, then he should just shutdown LT right now, since the site obviously caters to non-existant readers.
Second, LT is a portal. It is all about external content. I understand wanting to keep people on their sites, but don't take it too far. They should worry about providing worthwhile news stories, not their distribution channel. If they provide quality news, they will boost readership. If there are more readers, there will be more talkbacks. Obviously, if there are more talkbacks there must be more people in the "channel". LT can not be incestuous and just link to content on sister sites and still expcet to be a vital news source and keep their readership. Reichard is being a dink with this attitude.
I wonder at their silence. Do they just not care what their readers think? Do they think that we who read and support the site are just a bunch of mindless cattle to be shuffled here and there at their whim? That we will just take what they give us slurp it up and ask for more? Do they actually think that they are better than their readership? That they can throw integrity out the window and not have to own up to it?
Do they not realize that it is the readers that make them who they are, and that by hurting their readers they are hurting themselves.
It really saddens me that someone in our community would stoop as low as they have in mindless worship to the gods Page View and Almighty Buck.
Is there anyone left in this failing democracy called the United States that isn't compltetly self-serving?
One:
Why is it that everyone is supposed to have a "profit motive" in the USA for everything that they do? I am an American citizen, and I wonder just where the ideas of public service and other such non-profit motivation has disappeared to in the last few years. Since when is the "almighty buck" the most important thing in life?
Two:
Doesn't anyone in business or government realize that the Internet does NOT belong to any one country. Government and industry needs to stop trying to influence something that they can never own.
Three:
Let them fork the Internet. We can just take our Open Source/Free Software and rebuild the public Internet. We can make our own routers. We can build our own backbone. Hell, there are some of us who would go back to using UUCP or FidoNET to keep the public Internet public. We have the specs and we have the technology. They can play on their little CorpNet, and those of us that like this mangled thing that is the Net will just give them the finger and go on with our lives.
doesn't Ximian do something a little more needed, like make a replacement for M$ Exchange?
.NET sounds cool, but it is still vaporware. There is no real need for it yet in the OSS/FS community. There is, IMHO, a definite need for an Exchange Server replacement, however.
With C++ you don't need to reinvent the wheel. It already supports similar features through the use of templates and RTTI (Run-Time Type Identification). Granted the features are not quite the same, I still don't see how you can say that C++ is a primitive tool.
There is one thing that bothers me about this whole mess. (Yes, I have read the flamewar. I am on the gnome-components-list where it started. After being assaulted by almost 100 emails of ever increasing rage on Saturday, I feel qualified to call this a royal mess.) That thing is the fact that GNOME 2 is already about a year overdue. The original release date was supposed to be sometime near the release of KDE 2. GNOME has been delayed several times. Implementing a new process and starting up commitee meetings to discuss features will only slow the project more. For example, there is supposed to be an API freeze soon. This is what Martin B. was working so hard to meet.
I am just wondering how much this meltdown is going to set the project back.
It is not people flaming each other that will kill GNOME. It is the constant setbacks. I am an avid user of GNOME. I still have GNOME 1.2.x on my SuSE 7.1 box though. Looking at the progress of KDE development it is easy to see myself switching to it. Hell, the progress of GNUstep is happening at a faster rate than GNOME right now. There are too many other desktop projects out there for GNOME to survive many setbacks of this nature. There are KDE, GNUstep, XFCE (used by Alan Cox), FoxDesktop, and ROX Desktop just to name a few. I have a feeling that due to issuses like this GNOME is going to start loosing its userbase.
Falling into obscurity I think would be worse for them than a few developers quitting because of holes in their flame-retardant underwear.
A big part of the problem is that systems like Gnome are written on such a primitive foundation (C/C++)
Just curious. What sort of higher-level tools do you suggest that they use. If you are going to call these two languages primitive you might as well call all other Procedural and Object Oriented languages primitive as well, since they all share certain common features.
Oh, I know we can implement the entire system in Perl or Python. Right. These languages are good for writing applications in, but I would not suggest writing your entire desktop environment in them. You could use Common Lisp or Scheme. Those, however, are basically dead languages in the Software Industry. Perhaps Java would be a good choice. Wait, I am wrong, it shares too much syntactically with C/C++ to be much of an improvement.
You have to face facts. C and C++ are induatry standard languages. They are two of the best that we have, as evidenced by their continued popularity. Currently this is the best that we can do. If you ask me we aren't doing that badly.
You should read Bjarne Stroustrup's paper Learning C++ As A New Language. It shows how C++ can be written in a style such that it looks very much like Perl or Python. It can be as high-level as you need it to be.
Slashdot Mirror
De-compilation is at best a violation of your license to use the library, forfeiting your ability to use it, and at worst could be a violation of the anti-circumvention clause of the DMCA, which could land you in court or in jail.
And here's (http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf) a paper demonstrating a technique for finding MD5 collisions quickly: eight hours on 1.6 GHz computer.
There are collisions. It is possible with MD5 to create a hash for two completely different files. Read Schneier's blog.
Incorrect. Read Schneier's blog, which I included in my post. It is broken for file hashing.
From the article:
"MD5 hash values are a cornerstone of computer forensics and fully accepted as evidence that two files are identical copies of each other. You could claim that you didn’t download the song from the file sharing network because you were the one who uploaded it, but I doubt that will help your legal predicament."
The MD5 hash has been known insecure since at least 2005. See: http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html. I seriously doubt any computer forensics expert in 2011 would use MD5 hashes as evidence that two files are identical.
Yes, in a secure system!
Sendmail has as much place on a secure system as Postfix or Qmail. If either of those MTAs had been around as long as sendmail (22+ years) they would probably have as sordid a security history. The thing to remember is that those holes have been patched, some as much as ten years, or more, ago. No software is going to be bug or security hole free. (OpenBSD doesn't even have a pristine security history for all of its code audits.) Like any MTA software, sendmail can be configured to be secure, or it can be configured to be insecure. Just keep it up to date and configure it sanely.
Also, for the record, just throwing out Google results is meaningless. Here are some more for you.
Results 1 - 10 of about 48,100 for Postfix "security hole".
Results 1 - 10 of about 1,910,000 for Postfix bug.
Results 1 - 10 of about 44,400 for Qmail "security hole".
Results 1 - 10 of about 1,660,000 for Qmail bug.
Using your logic, Qmail and Postfix must really suck too.
Instead of throwing out Google results as proof of sendmail's suckage, why not show a few examples (that are less than four years old, please) that show sendmail currently having glaring insecurity. I will be surprised if you come up with many. The fact is that sendmail has had problems in the past. No one will deny that. Those problems spring from it being basically the first SMTP server ever. However, its security history is just that, history. I am tired of people beating the dead horse of sendmail insecurity and using data from fifteen years, or dubious Google results, ago as proof. Give some real, current evidence please. Otherwise it will continue to stand to reason that sendmail has just as much place in a secure system today as Qmail.
You should look at functional languages like LISP and Scheme for good examples of this. LISP is a simple languages that is used to create small languages to solve specific problems. The programmer uses LISP as a meta-language.
Now they just need an app named "Bases" to replace Access.
These guys are quite a bit smarter than me, however.
BitC looks cool. It looks like (again) a step in the right direction.
I am beginning to think, though, that mathematical proof and the low-level memory access required to implement operating systems are to some extent mutually exclusive.
The language is still based on C and allows, through the "unboxed" types, direct pointer access. (Unless I am misreading the BitC doc.) Allowing any sort of direct pointer manipulation foils any attempt at mathematical proof.
Therefore I think that my comment stands.
Capabilities and verifiable code are a good start. Now it just needs a systems programming language that allows for proof (mathematical proofs that is) of correctness. Basically, get something better than C and some of the problems inherant in UNIX will disappear.
Some people here need to read the KDE Licensing Policy at: http://developer.kde.org/policies/licensepolicy.ht ml.
;-)
It states that source files which are included in the kdelibs module must use either the LGPL, BSD, or X11 license.
So, KDE can be used to develop commercial apps as long as the developer has a valid QT license.
It is amazing what five minutes of research on the Net will get you.
There is nothing to say that SystemServices can't be used on a headless server. That does not mean that it is good software, a good idea, or a good thing to run in a server environment.
On my servers I need all the RAM I can spare. That means there is no place for D-Bus. It is just one added piece of complex software to break my servers, consume valuable system resources, and cause security problems.
Init is simple, robust, stable, lightweight and stays out of my way. It works and works well. The wheel is not broken. There is no need to fix it. Init fits with the UNIX philosophy, SystemServices does not.
I have to agree with many of the posters here and on OSnews.com. This project appears to be born of a very poor understanding of the existing init setup and a dislike of shell scripts. Runlevels are not a difficult concept to grasp and init already can support all the features that he is looking to add.
Slack does have some decent, IMHO, package tools. Look here. :-)
One word. Ghostscript
-LN
Also in college I double majored in English and Computer Science. I like being able to write in the margins of a book with a pen. I did that quite often in my English classes. I can then add my thoughts to the author's thoughts and thereby increase the value of the book, and the thoughts it contains.
How do you annotate an ebook?
I personally have never liked reading online content. I prefer printed materials for several reasons. (Yes, this includes computer related books.) I print out man pages when I am going to be reading them at length. I print out software manuals. Hell, I even print out web pages sometimes. I give you a few good reasons for this behavior.
1) Eye strain. I get eye strain easily from monitors, but not from printed pages.
2) I like to be able to read while laying in bed. It is kinda hard to do that with my desktop computer. No, I am not going to buy a laptop or PDA with ebook software just so that I can use technology in bed.
3) I don't have to worry about a hard drive crash destroying my library.
4) I like being able to put my finger between two pages to hold my place and filp around through other parts of the book.
5) No batteries required!
6) I can actually exercise ownership and fair use rights.
7) I like going to Barnes and Noble, grabbing a few books and sitting in their comfy chairs to read a little before making my purchasing decision.
Let's face it, the PUI (Printed User Interface) is simply more elegant, useful, and comfortable.
I own hundreds of books, perhaps over a thosand by now. I love the paper smell. I like fliping pages. I love going to the bookstore and being surrounded by millions of words and ideas. Ebooks will never have a place with me because they can not provide the same experience.
-LN
This is very true. My point is that he and LT aren't claiming that they have done nothing wrong. I don't think that they have much integrity, but it does take a little to publicly admit wrong doing and to face the inevitable tidal wave of flames and rages to follow.
This is just a start. There may be more to come. I personally want to see all of the allegations answered for.
Just because I think that the guy is starting to do the right thing doesn't mean that I forgive him, or don't think that he is a sleaze.
My thought is that we should pat him on the back for comming out into the open, encourage him and any others involoved to make amends, and then encouragage Internet.Com to fire the bastards.
I don't think that I am being unreasonable of wishy-washy here. I am just not getting angry about it.
-LN
I would like to thank Kevin Reichard for finally swallowing his pride and admitting to wrong doing. I agree that his excuses do seem a little weak, but at least he is not acting like the second comming of Richard Nixon ("I am not a crook!").
However, there are still many concerns which were brought up by Paul Ferris in his Linux Journal article that need to be addressed. The most important of these being LT's stance on linking to external content. Like I have said before, LT is a news portal therefore most of the relevant content that they should be printing is going to be found on external sites. As a journalist and editor Reichard should be more worried about boosting readership through quality of content, rather than keeping people "in the channel" to boost ad dollars.
It sounds to me like LT and Internet.Com have greater problems than a little bit of astroturfing. At least they still have enough integrity to own-up to the responsibility they have to their readers.
-LN
/. and LT have been two of my favorite sites since I started reading them in '97. I have never really put much stock in the talkbacks. They are sometimes fun to read, but more often they are just frustrating. It doesn't really surprise me that something like this would happen. I would expect more integrity from people like Reichard, though. I find this behavior to be extremely childish and sad. But I don't read the site for talkbacks.
The things that really burn my buttons are his insitence that there is no Linux community and his stance on linking "external content".
First, I give proof that there is a Linux community. My proof is the kernel source. Every one of the kernel developers runs some version of Linux. They are provably part of the Linux community by their use and development of Linux. Then there are the users and the distributon makers. Not so provable, but they obviously exist. If Reichard believes that there is no Linux Community, then he should just shutdown LT right now, since the site obviously caters to non-existant readers.
Second, LT is a portal. It is all about external content. I understand wanting to keep people on their sites, but don't take it too far. They should worry about providing worthwhile news stories, not their distribution channel. If they provide quality news, they will boost readership. If there are more readers, there will be more talkbacks. Obviously, if there are more talkbacks there must be more people in the "channel". LT can not be incestuous and just link to content on sister sites and still expcet to be a vital news source and keep their readership. Reichard is being a dink with this attitude.
I wonder at their silence. Do they just not care what their readers think? Do they think that we who read and support the site are just a bunch of mindless cattle to be shuffled here and there at their whim? That we will just take what they give us slurp it up and ask for more? Do they actually think that they are better than their readership? That they can throw integrity out the window and not have to own up to it?
Do they not realize that it is the readers that make them who they are, and that by hurting their readers they are hurting themselves.
It really saddens me that someone in our community would stoop as low as they have in mindless worship to the gods Page View and Almighty Buck.
Is there anyone left in this failing democracy called the United States that isn't compltetly self-serving?
(setq rant-mode 1)
One:
Why is it that everyone is supposed to have a "profit motive" in the USA for everything that they do? I am an American citizen, and I wonder just where the ideas of public service and other such non-profit motivation has disappeared to in the last few years. Since when is the "almighty buck" the most important thing in life?
Two:
Doesn't anyone in business or government realize that the Internet does NOT belong to any one country. Government and industry needs to stop trying to influence something that they can never own.
Three:
Let them fork the Internet. We can just take our Open Source/Free Software and rebuild the public Internet. We can make our own routers. We can build our own backbone. Hell, there are some of us who would go back to using UUCP or FidoNET to keep the public Internet public. We have the specs and we have the technology. They can play on their little CorpNet, and those of us that like this mangled thing that is the Net will just give them the finger and go on with our lives.
I am getting tired of hearing about this shit.
(setq rant-mode nil)
I feel better now, really...
--
doesn't Ximian do something a little more needed, like make a replacement for M$ Exchange?
.NET sounds cool, but it is still vaporware. There is no real need for it yet in the OSS/FS community. There is, IMHO, a definite need for an Exchange Server replacement, however.
Just a thought.
--
With C++ you don't need to reinvent the wheel. It already supports similar features through the use of templates and RTTI (Run-Time Type Identification). Granted the features are not quite the same, I still don't see how you can say that C++ is a primitive tool.
There is one thing that bothers me about this whole mess. (Yes, I have read the flamewar. I am on the gnome-components-list where it started. After being assaulted by almost 100 emails of ever increasing rage on Saturday, I feel qualified to call this a royal mess.) That thing is the fact that GNOME 2 is already about a year overdue. The original release date was supposed to be sometime near the release of KDE 2. GNOME has been delayed several times. Implementing a new process and starting up commitee meetings to discuss features will only slow the project more. For example, there is supposed to be an API freeze soon. This is what Martin B. was working so hard to meet.
I am just wondering how much this meltdown is going to set the project back.
It is not people flaming each other that will kill GNOME. It is the constant setbacks. I am an avid user of GNOME. I still have GNOME 1.2.x on my SuSE 7.1 box though. Looking at the progress of KDE development it is easy to see myself switching to it. Hell, the progress of GNUstep is happening at a faster rate than GNOME right now. There are too many other desktop projects out there for GNOME to survive many setbacks of this nature. There are KDE, GNUstep, XFCE (used by Alan Cox), FoxDesktop, and ROX Desktop just to name a few. I have a feeling that due to issuses like this GNOME is going to start loosing its userbase.
Falling into obscurity I think would be worse for them than a few developers quitting because of holes in their flame-retardant underwear.
A big part of the problem is that systems like Gnome are written on such a primitive foundation (C/C++)
Just curious. What sort of higher-level tools do you suggest that they use. If you are going to call these two languages primitive you might as well call all other Procedural and Object Oriented languages primitive as well, since they all share certain common features.
Oh, I know we can implement the entire system in Perl or Python. Right. These languages are good for writing applications in, but I would not suggest writing your entire desktop environment in them. You could use Common Lisp or Scheme. Those, however, are basically dead languages in the Software Industry. Perhaps Java would be a good choice. Wait, I am wrong, it shares too much syntactically with C/C++ to be much of an improvement.
You have to face facts. C and C++ are induatry standard languages. They are two of the best that we have, as evidenced by their continued popularity. Currently this is the best that we can do. If you ask me we aren't doing that badly.
You should read Bjarne Stroustrup's paper Learning C++ As A New Language. It shows how C++ can be written in a style such that it looks very much like Perl or Python. It can be as high-level as you need it to be.