It seems completely outrageous from my child-of-the-seventies perspective that there was a time when the government would have considered someone who wanted women to have the right to vote to be a terrorist. And yet this really happened, not only in Britain but here in the United States.
This is why organizations like the ACLU that fight for the civil rights of anybody whose civil rights have been trampled are so important - who knows when the next Susan B. Anthony, Martin Luther King, or, heaven forfend, Richard Stallman, will rely on the precedents established by the ACLU to allow them to continue to try to make the world a better place, despite the resistance of the powers that be.
The Internet is a great place for finding certain kinds of information. If you want something up-to-the-minute, you're obviously not going to find it as ink on paper.
But if you want to research a topic in depth, and the topic is not something bleeding edge, the library is a great place to be. You can go grab reference books off the shelves, pile them around you, and really dig in. For example, if you want to know about the Pullman strike, you will find a lot of very nice one-page summaries on the Internet, but if you want to study it in depth, you have to go to the library.
At the Library, you don't get the quick link traversal of the Internet, and you have to know how to find stuff (the card catalog is the library's equivalent of Google, and it takes some work to learn how to operate it effectively).
I think that right now, probably the best way to do research is in a library with your laptop and an internet connection, so that you can use the Internet to kickstart your search, and the card catalog to fill in the blanks. Unfortunately, very little of what is in the library is yet available in digital form, so if you just use the Internet for research, you're really handicapping yourself, although I think if you eliminate the Internet you're doing the same thing.
This new design has pretty good features both for rollover protection and for protecting passengers in other cars on the road. You do know that most SUV deaths are passengers of SUVs, not the people they hit. SUVs are unfortunately quite dangerous vehicles to drive.
Some of the major improvements - unibody design, with crumple zones. Lower bumper, which makes rollovers less likely since it will hit the bumper of the other car, not go over the other car. Better roll cage, so when it does roll the passengers are protected. Better seat belts. Lots of good stuff. You should really read the article before commenting on it...
Re:DNSSEC needn't be a panacea to be useful. on DNSSEC: Good Enough? · Score: 1
I have a lot of IE4 users. My users aren't people who have a lot of money to buy new Microsoft licenses, and because they follow the Buddhist code of ethics, they also don't steal copies of Microsoft software. So they're mostly running Win95. :'}
Re:DNSSEC needn't be a panacea to be useful. on DNSSEC: Good Enough? · Score: 1
DNSSEC provides a layer of security; a countermeasure. It absolutely does need to be a panacea - as close to it as we, as fallible humans, are capable of designing. Have we learned nothing from the weaknesses of TCP/IP, SMTP, and the like?
Hm, what I've learned is that they work. Yes, they have security problems, and yes, we need to fix them. But if we have something that's a significant incremental improvement, and don't have the complete panacea, is it a mistake to use what we have? It sounds like you're saying it is. That's not a very good attitude for an engineer to have - you never get anything done with that attitude.
Keeping this in mind, is it obtuse of me to discard, nay, to vehemently reject and persecute 'good enough' solutions as building blocks for the future?
I think it is, yes! :')
OT: BIND has a proven past and present of not doing a whole helluva lot very well.
It's unfortunate that BIND 8 and BIND 9 are always discussed by DJB and his acolytes as if they are the same product, when in fact they are two completely separate code bases, one of which was in fact engineered to specifically avoid the failings of the other. It would be much more fun to debate these points if we were actually talking about the merits of each software package, rather than tarring one with the same brush as the other.
Also OT: Your employer, whether they call themselves Nominum or the Internet Software Consortium or whatever mask they choose to wear,
The ISC and Nominum are both going concerns, with a completely unrelated set of employees - that is, nobody who works for Nominum also works for ISC, or vice versa. So to speak of them as if they are the same entity is incorrect.
writes/has written/continues to write both the perpetually buggy BIND software, and writes and sells the 'nicer' commercial software, correct? What justification, other than the desire to make more money for themselves, do they give for selling (supposedly) high-quality software and offering provably low-quality software (that runs the root nameservers, no less) to the community?
I use BIND 9 as the name server for my domain, and I'm very happy with it. I think it's very high quality software. The value added in Nominum's product has more to do with enterprise-level and telco-level support infrastructure than it does with differing levels of code quality. I am sure Nominum would love to sell our DNS products to more providers of root name service - to the extent that this hasn't happened (and I have no idea who our DNS customers are, TBH, so I don't know that it hasn't happened), I suspect it's because BIND does a good enough job for that particular application, and there's no motivation to upgrade.
DNSSEC is a half-assed attempt at getting things done the quick and dirty way. Mockapetris wants his name in a few more RFCs; the BIND/ISC/Nominum people need another impressive but misleading tagline to further their marketing efforts.
You make a lot of assertions. If assertions were valid arguments, you would have just whupped my ass here. :'}
Re:DNSSEC needn't be a panacea to be useful. on DNSSEC: Good Enough? · Score: 1
The instantssl key isn't recognized by most browsers, unfortunately. They claim something like 95% coverage, if I remember correctly, but when I tried one of their keys in a real deployment, my users got a _lot_ of certificate errors. So it's a nice idea in theory, but if you really care about people being able to use your key, it's not good enough. Nice price, though. :'(
I don't understand the security issues here? I tried reading the FAQ but I'm a mumbling nincompoop. Can someone explain in a bit better detail about why we need security for DNS? Are there any actual recorded instances of people breaking into the DNS database? Is this the website hacking I've heard about?
DNS is mostly a UDP-based protocol, and it's pretty easy to spoof. When you type "www.ibm.com" in your browser, a UDP packet goes from your computer to a caching name server at your ISP (I'm oversimplifying here, BTW, but if you aren't a DNS geek this is most likely exactly what happens). The resolving name server sends another UDP packet out to the root name server to find out who to ask about "ibm.com". Then the root name server says "go talk to ibmns1.ibm.com at 10.1.17.2". Then the caching name server talks to 10.1.17.2 and asks it to resolve "www.ibm.com". Then it sends a UDP packet back to your computer telling it the IP address for www.ibm.com.
Notice that all of these UDP packets went over the network in the clear, and you can see that there were quite a number of opportunities to spoof you. If I can do a root hack on the machine that's running your ISP's caching name server, for example, I can give you a bogus IP address for www.ibm.com, and then steal your credit card info when you try to buy something there. If I can watch your packets and respond faster than the caching name server does, I can also convince you to go to the wrong place. So it's not an insignificant vulnerability.
With HTTP, if you are smart, you check to make sure that your web browser is doing a secure transaction, but frankly, most people just ignore this issue, or don't even know what it means.
With DNSSEC, your resolver on your computer knows the public half of the root DNSSEC key. So it can verify the answer it gets, all the way from the top down to the bottom. If someone spoofs the response, the resolver ignores the spoofed packet, and you get the real one. If your ISP's caching name server is compromised, you can't look up www.ibm.com, and eventually you call your ISP and complain. They fix their nameserver, and you go back to your business, unspoofed.
As I said in a previous comment, DNSSEC is also a handy place to stash keys, precisely because you can validate them as I've described.
And, BTW, I glossed over a lot of details here. If you really want to know how this stuff works, you should probably read the RFCs... :'}
DNSSEC needn't be a panacea to be useful. on DNSSEC: Good Enough? · Score: 3, Interesting
DNSSEC provides a secure key distribution mechanism. Right now, the only secure key distribution mechanism on the Internet is the SSL key mechanism, whereby a cartel of ~5 companies with keys that got into the original Netscape release essentially rule the roost, because Joe Average has no idea how to install a new root key in his browser. The cheapest key of this type will cost you ~$150 per year, and you can't use it to make more keys.
DNSSEC does require a top-level root key, but once you have registered your domain securely, you can generate keys whose public halves are *in the DNS* where anybody can get at them. That is, you can use your key to make more keys. Also, if you don't want to do business with one registrar, you can go to another, and as you are no doubt aware, the DNS registration market is quite competitive. So in fact DNSSEC is very democratic compared to its only current alternative.
Unfortunately, this is not a glitzy thing. This is nuts and bolts, wire dragged through conduits. DNSSEC is a really nice platform for building a more secure internet, but it doesn't solve the problem on its own - you have to build on it - e.g., using it to make SMTP more verifiable.
DJB says that BIND doesn't do DNSSEC very well. It's true that BIND 8 doesn't do as well as BIND 9. If you want to spend some money, my employer will sell you something even nicer. But the fact is that there are several free, working implementations of DNSSEC out there right now.
BTW, in the interests of full disclosure, I should say that I work for the same company as Paul Mockapetris (Nominum), and have in the past worked for the company that DJB styles "the BIND company," although I know much more about DHCP than about DNS.
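Added example (not part of the original comments, and not code from BIND, Nominum or any DNSSEC implementation): a sketch of the top-down validation and the "use your key to make more keys" delegation described in the two DNSSEC comments above. It swaps in toy textbook RSA over small fixed primes for the real DNSSEC algorithms, and the record layout, function names and the 192.0.2.x / 203.0.113.x addresses are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below


def make_key(p, q):
    """Toy textbook-RSA key from two fixed primes. NOT secure, demo only."""
    return {"pub": p * q, "priv": pow(E, -1, (p - 1) * (q - 1))}


def _digest(data, modulus):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % modulus


def sign(key, data):
    return pow(_digest(data, key["pub"]), key["priv"], key["pub"])


def verify(pub, data, sig):
    return pow(sig, E, pub) == _digest(data, pub)


def delegation(parent_key, zone, child_pub):
    """The parent vouches for the child zone's public key (the DS role)."""
    return {"zone": zone, "pub": child_pub,
            "sig": sign(parent_key, f"{zone}|{child_pub}")}


def signed_answer(zone_key, name, addr):
    """An address record plus the zone's signature over it (the RRSIG role)."""
    return {"name": name, "addr": addr,
            "sig": sign(zone_key, f"{name}|A|{addr}")}


def _within(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def validate(trust_anchor, chain, answer):
    """Walk from the root key down to the answer; raise ValueError on any break."""
    trusted, zone = trust_anchor, "."
    for link in chain:
        if not _within(link["zone"], zone):
            raise ValueError(f"{link['zone']} is not below {zone}")
        if not verify(trusted, f"{link['zone']}|{link['pub']}", link["sig"]):
            raise ValueError(f"delegation to {link['zone']} not signed by {zone}")
        trusted, zone = link["pub"], link["zone"]
    if not _within(answer["name"], zone):
        raise ValueError(f"{answer['name']} is not in zone {zone}")
    record = f"{answer['name']}|A|{answer['addr']}"
    if not verify(trusted, record, answer["sig"]):
        raise ValueError(f"answer for {answer['name']} not signed by {zone}")
    return answer["addr"]


def mersenne(k):
    return 2 ** k - 1  # prime for k = 61, 89, 107, 127


# Constructed keys: the resolver is configured with ROOT["pub"] only.
ROOT = make_key(mersenne(61), mersenne(89))
COM = make_key(mersenne(89), mersenne(107))
IBM = make_key(mersenne(107), mersenne(127))
ATTACKER = make_key(mersenne(61), mersenne(127))

# Root signs com's key, com signs ibm.com's key: keys making more keys.
CHAIN = [delegation(ROOT, "com.", COM["pub"]),
         delegation(COM, "ibm.com.", IBM["pub"])]

GENUINE = signed_answer(IBM, "www.ibm.com.", "192.0.2.10")
# Constructed spoofed responses a validating resolver must discard:
TAMPERED = dict(GENUINE, addr="203.0.113.66")            # address swapped
RESIGNED = signed_answer(ATTACKER, "www.ibm.com.", "203.0.113.66")
FORGED_CHAIN = [CHAIN[0], delegation(ATTACKER, "ibm.com.", ATTACKER["pub"])]


def resolve(chain, answer):
    """Return the validated address, or None if the response is discarded."""
    try:
        return validate(ROOT["pub"], chain, answer)
    except ValueError:
        return None


if __name__ == "__main__":
    cases = [("genuine", CHAIN, GENUINE), ("tampered", CHAIN, TAMPERED),
             ("re-signed", CHAIN, RESIGNED), ("forged chain", FORGED_CHAIN, RESIGNED)]
    for label, chain, answer in cases:
        print(f"{label:13} -> {resolve(chain, answer)}")
```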
One of the puzzles about this article is that this biomass generator doesn't use one of the most significant sources of biomass in a typical household. I know it's icky, but there's energy in it. Plus, if you live in a place with a serious septic problem, extracting gases and composting what's left would be big win.
Bird strikes are a serious problem with big windmills. I'm a bit skeptical about another person's claim in a nearby reply that wind generators would have a serious effect on the weather, but they do kill a lot of birds. On the other hand, so do cell phone transmitters, so I suppose this is already a problem. Sigh.
Re:The ACLU is about mechanism, not policy. on Joining the ACLU? · Score: 1
This is a joke, right? I don't know about you, but when I was 15, the last people to whom I wanted to talk about sex issues were my parents! Of course, because I was a classic geek, it didn't make any practical difference at the time... :'}
The ACLU is about mechanism, not policy. on Joining the ACLU? · Score: 4, Insightful
The government frequently passes laws to stop the bad guys from doing things, but these laws frequently can be used against regular joes as well. So when the ACLU sees a prosecution that's been done in a way that would work on a regular joe as well as a bad guy, it often goes to bat for the bad guy. The point isn't to defend what the bad guy is doing. It's to make the government use a method of stopping the bad guy that is discriminatory - that only works on bad guys, and not on regular joes.
Consider RICO. Its intent was to stop organized crime. Apparently it works pretty well at that. Unfortunately, it also works for corrupt police departments who just want to acquire stuff or fluff their budget. They go after someone who has something that they want, and looks dirty, but that they don't really know is dirty. They use a court order to confiscate things under the RICO statute. The person whose stuff has been confiscated has to sue to get it back, has to prove that they are not guilty. The cops don't have to prove anything.
Consider the Communications Decency Act and the Child Online Protection Act. CDA sounds like a great idea - protect kids from online porn. Unfortunately, it doesn't work - there's plenty of online porn that kids can access. Worse, it actually protects kids from information that they might need - if you're 15, and wondering if having sex with your boyfriend can get you pregnant the first time, now you can't get information about it. If you want to know what the risks are from AIDS and how to fight them, that information is not available to you. COPA has actually succeeded in bowdlerizing the internet as seen from public libraries (google "Thomas Bowdler" to find out where that word came from). Although this was supposedly intended to protect children, the result is that it's also "protecting" adults who access the Internet from public libraries.
So I'm a card-carrying member of the ACLU. Hm, actually, I think I let it lapse. Hm. :'} Point is, they're good folks. Their methods are a bit difficult to fathom if all you read about them is what CNN says, but there's truly a method to their madness, and they do good work.
I have had incredibly bad luck with it, particularly with the Edirol UA-3 and UA-3D. I do some semi-professional audio mastering for a Dharma group, and I have _never_ gotten a clean recording. Usually I get little glitches every five or ten minutes. I wound up having to buy a PCI card to do the digitization. Of course, I'm doing S/PDIF digital audio, so I don't have to worry about noise from the power supply.
I have had pretty good luck with the pair of SoundSticks that I got for Christmas last year, which are USB *output* devices. They occasionally glitch out when the screen saver goes off (this is on MacOS X), but the audio quality is great otherwise - I've never heard a glitch on output other than with the screen saver.
At least, that's the theory. After doing a fair amount of mainframe work, mostly with VM/CMS, I got to the point where the extreme weirdness of the environment was kind of cool in a retro sort of way, and I began to get a sense of how it all fit together. But this is not something you're going to pick up from a tutorial on the Internet.
Basically, if you want to do mainframe stuff, you should find someone to hire you who needs some work done and doesn't mind paying you to learn, and then *don't assume you know what you're doing*. Even the way terminals and serial ports work is different. Many of the basic assumptions about how operating environments work are different on mainframes. CPU time is not free - if you accidentally run a spin loop, it can cost thousands of dollars very quickly.
It's a very weird environment...
It wouldn't surprise me if there were a 370 emulator out there, but where are you going to get the software to run on it? :'}
Ironically, the first thing I did when I installed KDE for the first time was to go looking for how to disable the virtual desktops because I wanted that real estate on the task bar. I really don't understand the value of virtual desktops - I just want to be able to switch between applications using the keyboard, so I care that meta-tab works, and that's about it.
I'm probably a bit of a freak in the geek category because I never adopted virtual desktops - I was using uwm until about five years ago, and then twm until I switched to MacOS X. Now I'm using gnome, because it's prettier than KDE. Usability is about the same - not very consistent. Some things work, some don't.
You have to bear in mind that what they mean when they talk about usability is usability for the average person, not usability for the power user. So what matters most is consistency and simplicity and, believe it or don't, easiness on the eyes. They want to see anti-aliased fonts and rounded edges and shadows. The average person doesn't want fancy stuff like virtual desktops. They want it that when they have something highlighted and then they hit 'delete', the thing they've highlighted gets deleted.
They want it that if dragging a highlighted thing works in one place, it works in other places too. They want it that the preferences dialog is always in the same menu in every application, and that to save a file you type Ctrl-S or CMD-S, depending on whether they're Windows people or Mac people. They also want it that what they expect to happen when they do a new action is what actually happens.
Really, more importantly, though, they want it to be the case that things *work*. They want the network wizard to succeed in setting up the network. They want the modem to work. They want to be able to double-click on the RPM file to install it - they do not want to have to go to a shell prompt. They don't want to know about the DHCP client - they just want their network to work.
Unfortunately, KDE and Gnome, although they have improved *tremendously* over their predecessors and even their early versions, just aren't there yet. Don't lose hope. I think they're gaining ground.
It's a very nice deal. They have fantastic service. I've purchased AppleCare on all the Apples I've bought (two), and while I've only needed the repair service on the iBook, because the power connector failed (which was probably my fault, but it's a weakness in the design, and they didn't balk at all about repairing it).
On my G4, when I couldn't figure out how to get it back to life after a power glitch, I called AppleCare, someone answered within about a minute, and they were able to get me back up and running in another minute by telling me how to open it up and what little button to press on the motherboard.
I am not exactly a beginner, so the fact that I've been able to benefit from their phone support is pretty impressive. I really can't recommend them enough - they really do a nice job, and I feel like it's a bargain at $299.
When you drink alcohol, it tweaks your liver's ability to metabolize the calories. So you wind up depositing more fat. It also damages your liver, so that you deposit more fat even when you don't have any alcohol in your system.
Beer and wine are yummy, but there's a reason why they call a potbelly a "beer belly." If you want the potbelly to go away, you can't drink "a lot" of beer. Exercising will help, but if you already have the potbelly, and you want it to go away, just ditch the beer.
You might also ask yourself why you're working ten hours a day. Trust me, on your deathbed you're not going to look back and ask yourself, "darn, why couldn't I have worked *just a few more hours*?!?"
Maybe they're bored out of their little skulls? on Psychotic Lab Mice · Score: 4, Insightful
Gnawing on the top of the cage is a lot more fun than gnawing on the sides. Mice have to gnaw on something hard to cut their teeth - otherwise they get too big - rodent teeth grow continuously. As for backflips, well, if you could do backflips all afternoon, and you had nothing better to do, would you or would you not do backflips?
These mice aren't crazy. They just need some entertainment!
Um, hello? I run a server that serves several web sites. I'm not paid for this. If someone hacks my server, it's going to cost me a tremendous amount of effort to recover. It won't cost me any money, probably, but that's cold comfort. I doubt that I'm alone in being in this situation.
I just read the press release and the MII web site, and there's no mention of him there. I actually worked for Vixie Enterprises back when the WGI (Web Gateway Interceptor) was put together, and wrote the hacks to the NetBSD kernel to do the interception (it's not as easy as you think, BTW, and I doubt Linux 2.0 could have done it without similar hacks).
I don't recognize these other names, though. I notice that MII is located in Woburn, Massachusetts, which is a long way from Redwood City, CA, where Paul's offices are. I suspect that there's more to this story than we've heard so far - I don't remember Paul applying for a patent on the WGI.
It'll be interesting to hear the rest of this story...
If you went to buy a *new* house that hadn't been built yet, and the builder insisted on installing and charging you for wall-to-wall carpet over the hardwood floor you'd specified, and then charged you extra to take it out and fill the holes he'd nailed in the floor, you probably wouldn't be so philosophical about it... :'/
In one sense, Linux and Apple are both the same product - Unix, with a GUI. In another sense, though, they are different - Linux' strength is that it's open source, and Linux' two most Apple-like GUIs are both strongly slanted toward being a replacement for Windows.
Having recently switched from OS X to Linux, I can tell you that the switch would be maddening for the average Apple user. Nothing is where you expect it to be. You have to hit the control key to get stuff that ought to be on the command key, and there's no option key. Preferences are in the wrong place. The dock doesn't work. These aren't intended as criticisms - I'm just trying to show you how an Apple->Linux switcher would see things.
KDE has an "apple mode", but its resemblance to the Apple UI is very limited. Basically, they add a menu bar, which is clever, but just swap control and meta, which is not. It was easier for me to use the default KDE setup than the "apple-like" setup, even though I'd been using OS X for a year and a half prior to switching to Linux. I wound up switching to Gnome anyway, because it's prettier, and after a year and a half with Apple, I'm used to pretty and it's hard on my eyes when something isn't.
However, having just set up a couple of WinXP computers for some friends who weren't quite ready for Linux yet (they *were* interested, but it just isn't time for them yet), I can attest that the WinXP UI and the Linux UI are much more compatible - I can easily imagine someone switching from Windows to Linux. I think at this point they'd still be a little frustrated, but it's *very* close now. If you're a Windows user who's not a geek, but you have a friend who's a wizard to set up your Linux system, I think you can really use it at this point. I wouldn't have said that last year.
So I think that realistically, Linux is going to do two things: get new people who can't afford an expensive computer with 'doze and 'office, but can afford a cheap computer with Linux and OpenOffice. And it's going to cannibalize 'doze sales where people are just tired of paying all the stupid license fees and agreeing to all the stupid licenses. As the Linux GUIs get better and better, it's going to become a realistic platform for more and more non-geeks.
Having said that, I miss my Mac, and I don't think I'll hold out using Gnome much longer. GNOME and KDE both have a long way to go before they approach the ease-of-use of the Mac, even though they are both really very good.
Back in the day, a lot of the Linux networking utilities were based on BSD networking utilities that were released as part of the 4.4BSD release after the USL settlement. I really don't know how many Linux utilities are descended from utilities in the 4.4BSD distribution, but it could be a substantial amount of code.
What led to the settlement between Berkeley and USL (in Berkeley's favor) was that USL had been taking BSD code for years, removing the BSD copyright and license (the first act is forbidden by law, the second by the license), slapping an AT&T proprietary notice on it, and committing it to their repository.
When this was discovered, Berkeley was in the position of being able to say to AT&T "there's no way you can make up for this. You just have to stop selling System V entirely." So they were basically forced to settle.
However, SCO had been receiving SysV tapes from USL for a long time before this settlement occurred. It's quite possible that what they have in their source code repository is a bunch of BSD code with AT&T proprietary notices on it.
Without opening up the legal records from the USL lawsuit and getting testimony from the people who worked on BSD and on System 5 way back when, it would be impossible for them to tell the difference.
To a person who wasn't aware of all this history, they would see a substantial similarity between a lot of "AT&T" code and a lot of Linux code. Not knowing that the "AT&T" code was actually Linux code, they might readily conclude that the code was stolen.
So my point is that it's actually possible that SCO honestly believes they are in the right, because they don't realize that a lot of the code that they think is theirs is actually code that came from BSD.
And, BTW, I glossed over a lot of details here. If you really want to know how this stuff works, you should probably read the RFCs...
DNSSEC provides a secure key distribution mechanism. Right now, the only secure key distribution mechanism on the Internet is the SSL key mechanism, whereby a cartel of ~5 companies with keys that got into the original Netscape release essentially rule the roost, because Joe Average has no idea how to install a new root key in his browser. The cheapest key of this type will cost you ~$150 per year, and you can't use it to make more keys.
DNSSEC does require a top-level root key, but once you have registered your domain securely, you can generate keys whose public halves are *in the DNS* where anybody can get at them. That is, you can use your key to make more keys. Also, if you don't want to do business with one registrar, you can go to another, and as you are no doubt aware, the DNS registration market is quite competitive. So in fact DNSSEC is very democratic compared to its only current alternative.
Unfortunately, this is not a glitzy thing. This is nuts and bolts, wire dragged through conduits. DNSSEC is a really nice platform for building a more secure internet, but it doesn't solve the problem on its own - you have to build on it - e.g., using it to make SMTP more verifiable.
DJB says that BIND doesn't do DNSSEC very well. It's true that BIND 8 doesn't do as well as BIND 9. If you want to spend some money, my employer will sell you something even nicer. But the fact is that there are several free, working implementations of DNSSEC out there right now.
BTW, in the interests of full disclosure, I should say that I work for the same company as Paul Mockapetris (Nominum), and have in the past worked for the company that DJB styles "the BIND company," although I know much more about DHCP than about DNS.
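The chain of trust described in the DNSSEC comments above (a resolver holding the root key validates "from the top down", and a zone's key vouches for further keys published in the DNS), as an added example that is not part of the original comments: it checks each zone's DNSKEY against the DS digest its parent publishes, following RFC 4034. The keys are constructed placeholder bytes and the helper names are hypothetical; RRSIG signature verification, which a real validator also performs on every record set including the DS, is left out.

```python
import hashlib
import hmac
import struct

def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS content a parent publishes for a child key (SHA-256 digest)."""
    return key_tag(rdata), hashlib.sha256(name_to_wire(owner) + rdata).digest()

def ds_matches(owner, rdata, ds):
    tag, digest = ds
    return tag == key_tag(rdata) and hmac.compare_digest(
        digest, make_ds(owner, rdata)[1])

def first_broken_link(trust_anchor, chain):
    """chain: [(zone, dnskey_rdata_received, ds_for_next_zone_or_None)], root first.
    Returns the first zone whose key fails its DS check, or None if all match."""
    expected = trust_anchor
    for zone, rdata, child_ds in chain:
        if not ds_matches(zone, rdata, expected):
            return zone
        expected = child_ds
    return None

def constructed_key(label):
    # Constructed stand-in for key material (flags 257 = KSK, algorithm 8).
    seed = hashlib.sha256(b"constructed key " + label.encode()).digest()
    return dnskey_rdata(257, 8, seed)

def build_chain(zones, spoof=None):
    """Build the anchor and per-zone data; `spoof` names a zone whose key is forged."""
    keys = {z: constructed_key(z) for z in zones}
    chain = []
    for i, zone in enumerate(zones):
        child = zones[i + 1] if i + 1 < len(zones) else None
        child_ds = make_ds(child, keys[child]) if child else None
        served = constructed_key("attacker") if zone == spoof else keys[zone]
        chain.append((zone, served, child_ds))
    return make_ds(zones[0], keys[zones[0]]), chain

ZONES = [".", "com.", "ibm.com."]

if __name__ == "__main__":
    print("genuine chain:", first_broken_link(*build_chain(ZONES)))
    print("forged ibm.com. key:", first_broken_link(*build_chain(ZONES, "ibm.com.")))
```
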
One of the puzzles about this article is that this biomass generator doesn't use one of the most significant sources of biomass in a typical household. I know it's icky, but there's energy in it. Plus, if you live in a place with a serious septic problem, extracting gases and composting what's left would be big win.
Bird strikes are a serious problem with big windmills. I'm a bit skeptical about another person's claim in a nearby reply that wind generators would have a serious effect on the weather, but they do kill a lot of birds. On the other hand, so do cell phone transmitters, so I suppose this is already a problem. Sigh.
This is a joke, right? I don't know about you, but when I was 15, the last people to whom I wanted to talk about sex issues were my parents! Of course, because I was a classic geek, it didn't make any practical difference at the time... :'}
The government frequently passes laws to stop the bad guys from doing things, but these laws frequently can be used against regular joes as well. So when the ACLU sees a prosecution that's been done in a way that would work on a regular joe as well as a bad guy, it often goes to bat for the bad guy. The point isn't to defend what the bad guy is doing. It's to make the government use a method of stopping the bad guy that is discriminatory - that only works on bad guys, and not on regular joes.
:'} Point is, they're good folks. Their methods are a bit difficult to fathom if all you read about them is what CNN says, but there's truly a method to their madness, and they do good work.
Consider RICO. Its intent was to stop organized crime. Apparently it works pretty well at that. Unfortunately, it also works for corrupt police departments who just want to acquire stuff or fluff their budget. They go after someone who has something that they want, and looks dirty, but that they don't really know is dirty. They use a court order to confiscate things under the RICO statute. The person whose stuff has been confiscated has to sue to get it back, has to prove that they are not guilty. The cops don't have to prove anything.
Consider the Communications Decency Act and the Child Online Protection Act. CDA sounds like a great idea - protect kids from online porn. Unfortunately, it doesn't work - there's plenty of online porn that kids can access. Worse, it actually protects kids from information that they might need - if you're 15, and wondering if having sex with your boyfriend can get you pregnant the first time, now you can't get information about it. If you want to know what the risks are from AIDS and how to fight them, that information is not available to you. COPA has actually succeeded in bowdlerizing the internet as seen from public libraries (google "Thomas Bowdler" to find out where that word came from). Although this was supposedly intended to protect children, the result is that it's also "protecting" adults who access the Internet from public libraries.
So I'm a card-carrying member of the ACLU. Hm, actually, I think I let it lapse. Hm.
I have had incredibly bad luck with it, particularly with the Edirol UA-3 and UA-3D. I do some semi-professional audio mastering for a Dharma group, and I have _never_ gotten a clean recording. Usually I get little glitches every five or ten minutes. I wound up having to buy a PCI card to do the digitization. Of course, I'm doing S/PDIF digital audio, so I don't have to worry about noise from the power supply.
I have had pretty good luck with the pair of SoundSticks that I got for Christmas last year, which are USB *output* devices. They occasionally glitch out when the screen saver goes off (this is on MacOS X), but the audio quality is great otherwise - I've never heard a glitch on output other than with the screen saver.
At least, that's the theory. After doing a fair amount of mainframe work, mostly with VM/CMS, I got to the point where the extreme weirdness of the environment was kind of cool in a retro sort of way, and I began to get a sense of how it all fit together. But this is not something you're going to pick up from a tutorial on the Internet.
:'}
Basically, if you want to do mainframe stuff, you should find someone to hire you who needs some work done and doesn't mind paying you to learn, and then *don't assume you know what you're doing*. Even the way terminals and serial ports work is different. Many of the basic assumptions about how operating environments work are different on mainframes. CPU time is not free - if you accidentally run a spin loop, it can cost thousands of dollars very quickly.
It's a very weird environment...
It wouldn't surprise me if there were a 370 emulator out there, but where are you going to get the software to run on it?
Ironically, the first thing I did when I installed KDE for the first time was to go looking for how to disable the virtual desktops because I wanted that real estate on the task bar. I really don't understand the value of virtual desktops - I just want to be able to switch between applications using the keyboard, so I care that meta-tab works, and that's about it.
I'm probably a bit of a freak in the geek category because I never adopted virtual desktops - I was using uwm until about five years ago, and then twm until I switched to MacOS X. Now I'm using gnome, because it's prettier than KDE. Usability is about the same - not very consistent. Some things work, some don't.
You have to bear in mind that what they mean when they talk about usability is usability for the average person, not usability for the power user. So what matters most is consistency and simplicity and, believe it or don't, easiness on the eyes. They want to see anti-aliased fonts and rounded edges and shadows. The average person doesn't want fancy stuff like virtual desktops. They want it that when they have something highlighted and then they hit 'delete', the thing they've highlighted gets deleted.
They want it that if dragging a highlighted thing works in one place, it works in other places too. They want it that the preferences dialog is always in the same menu in every application, and that to save a file you type Ctrl-S or CMD-S, depending on whether they're Windows people or Mac people. They also want it that what they expect to happen when they do a new action is what actually happens.
Really, more importantly, though, they want it to be the case that things *work*. They want the network wizard to succeed in setting up the network. They want the modem to work. They want to be able to double-click on the RPM file to install it - they do not want to have to go to a shell prompt. They don't want to know about the DHCP client - they just want their network to work.
Unfortunately, KDE and Gnome, although they have improved *tremendously* over their predecessors and even their early versions, just aren't there yet. Don't lose hope. I think they're gaining ground.
It's a very nice deal. They have fantastic service. I've purchased AppleCare on all the Apples I've bought (two), and I've only needed the repair service on the iBook, because the power connector failed (which was probably my fault, but it's a weakness in the design, and they didn't balk at all about repairing it).
On my G4, when I couldn't figure out how to get it back to life after a power glitch, I called AppleCare, someone answered within about a minute, and they were able to get me back up and running in another minute by telling me how to open it up and what little button to press on the motherboard.
I am not exactly a beginner, so the fact that I've been able to benefit from their phone support is pretty impressive. I really can't recommend them enough - they really do a nice job, and I feel like it's a bargain at $299.
When you drink alcohol, it tweaks your liver's ability to metabolize the calories. So you wind up depositing more fat. It also damages your liver, so that you deposit more fat even when you don't have any alcohol in your system.
Beer and wine are yummy, but there's a reason why they call a potbelly a "beer belly." If you want the potbelly to go away, you can't drink "a lot" of beer. Exercising will help, but if you already have the potbelly, and you want it to go away, just ditch the beer.
You might also ask yourself why you're working ten hours a day. Trust me, on your deathbed you're not going to look back and ask yourself, "darn, why couldn't I have worked *just a few more hours*?!?"
Gnawing on the top of the cage is a lot more fun than gnawing on the sides. Mice have to gnaw on something hard to cut their teeth - otherwise they get too big - rodent teeth grow continuously. As for backflips, well, if you could do backflips all afternoon, and you had nothing better to do, would you or would you not do backflips?
These mice aren't crazy. They just need some entertainment!
Um, hello? I run a server that serves several web sites. I'm not paid for this. If someone hacks my server, it's going to cost me a tremendous amount of effort to recover. It won't cost me any money, probably, but that's cold comfort. I doubt that I'm alone in being in this situation.
I just read the press release and the MII web site, and there's no mention of him there. I actually worked for Vixie Enterprises back when the WGI (Web Gateway Interceptor) was put together, and wrote the hacks to the NetBSD kernel to do the interception (it's not as easy as you think, BTW, and I doubt Linux 2.0 could have done it without similar hacks).
I don't recognize these other names, though. I notice that MII is located in Woburn, Massachusetts, which is a long way from Redwood City, CA, where Paul's offices are. I suspect that there's more to this story than we've heard so far - I don't remember Paul applying for a patent on the WGI.
It'll be interesting to hear the rest of this story...
RMS's insistence on the "GNU/Linux" terminology is starting to look very prescient - it makes SCO's claims look exceedingly foolish and vague.
If you went to buy a *new* house that hadn't been built yet, and the builder insisted on installing and charging you for wall-to-wall carpet over the hardwood floor you'd specified, and then charged you extra to take it out and fill the holes he'd nailed in the floor, you probably wouldn't be so philosophical about it... :'/
In one sense, Linux and Apple are both the same product - Unix, with a GUI. In another sense, though, they are different - Linux' strength is that it's open source, and Linux' two most Apple-like GUIs are both strongly slanted toward being a replacement for Windows.
Having recently switched from OS X to Linux, I can tell you that the switch would be maddening for the average Apple user. Nothing is where you expect it to be. You have to hit the control key to get stuff that ought to be on the command key, and there's no option key. Preferences are in the wrong place. The dock doesn't work. These aren't intended as criticisms - I'm just trying to show you how an Apple->Linux switcher would see things.
KDE has an "apple mode", but its resemblance to the Apple UI is very limited. Basically, they add a menu bar, which is clever, but just swap control and meta, which is not. It was easier for me to use the default KDE setup than the "apple-like" setup, even though I'd been using OS X for a year and a half prior to switching to Linux. I wound up switching to Gnome anyway, because it's prettier, and after a year and a half with Apple, I'm used to pretty and it's hard on my eyes when something isn't.
However, having just set up a couple of WinXP computers for some friends who weren't quite ready for Linux yet (they *were* interested, but it just isn't time for them yet), I can attest that the WinXP UI and the Linux UI are much more compatible - I can easily imagine someone switching from Windows to Linux. I think at this point they'd still be a little frustrated, but it's *very* close now. If you're a Windows user who's not a geek, but you have a friend who's a wizard to set up your Linux system, I think you can really use it at this point. I wouldn't have said that last year.
So I think that realistically, Linux is going to do two things: get new people who can't afford an expensive computer with 'doze and 'office, but can afford a cheap computer with Linux and OpenOffice. And it's going to cannibalize 'doze sales where people are just tired of paying all the stupid license fees and agreeing to all the stupid licenses. As the Linux GUIs get better and better, it's going to become a realistic platform for more and more non-geeks.
Having said that, I miss my Mac, and I don't think I'll hold out using Gnome much longer. GNOME and KDE both have a long way to go before they approach the ease-of-use of the Mac, even though they are both really very good.
Sigh.
Back in the day, a lot of the Linux networking utilities were based on BSD networking utilities that were released as part of the 4.4BSD release after the USL settlement. I really don't know how many Linux utilities are descended from utilities in the 4.4BSD distribution, but it could be a substantial amount of code.
What led to the settlement between Berkeley and USL (in Berkeley's favor) was that USL had been taking BSD code for years, removing the BSD copyright and license (the first act is forbidden by law, the second by the license), slapping an AT&T proprietary notice on it, and committing it to their repository.
When this was discovered, Berkeley was in the position of being able to say to AT&T "there's no way you can make up for this. You just have to stop selling System V entirely." So they were basically forced to settle.
However, SCO had been receiving SysV tapes from USL for a long time before this settlement occurred. It's quite possible that what they have in their source code repository is a bunch of BSD code with AT&T proprietary notices on it.
Without opening up the legal records from the USL lawsuit and getting testimony from the people who worked on BSD and on System 5 way back when, it would be impossible for them to tell the difference.
To a person who wasn't aware of all this history, they would see a substantial similarity between a lot of "AT&T" code and a lot of Linux code. Not knowing that the "AT&T" code was actually Linux code, they might readily conclude that the code was stolen.
So my point is that it's actually possible that SCO honestly believes they are in the right, because they don't realize that a lot of the code that they think is theirs is actually code that came from BSD.
Oops, I meant "If you are using ssh or end-to-end IPsec..."