In Soviet Russia, the mother board you!
Wait... I think I screwed it up...
I think the most important matter would be discussing what the GPL is actually compatible with. There have been so many accusations lately of incompatibility (some of which conflict with what the GPL actually states) it's getting a bit out of hand.
I had to take a required business computing class in college (1101 type course) and in it, the author has his real resume (except the address I would guess) as an example. The sad fact is, I'm more qualified to write that book than he was. He basically had a bunch of MS Office certs and could program in Visual Basic...
Not surprisingly the book was terrible.
Furthermore, the book was the equivalent of telling someone how to eat a bowl of cereal. Confusing to those not familiar with computers, and laughable to those who are.
No, you've got the wrong thinking. It's ok to do this to Microsoft because they beat kittens. Sometimes you just have to... rework things a little to stop the kitten beating.
But I'm willing to bet your dad didn't laugh too hard at all the aggravation it caused him.
This is a good point. What we hear about and what actually goes on are two different things. There are thousands of cases we never hear about. We hear about the anecdotal ones that make the press. We don't hear about the 700 failed filings, or the failed coffee cases. Two examples could be countered with millions of examples where the consumer got screwed out of a few hundred dollars and couldn't afford the money to even take it to small claims court.
People forget the legal system is expensive. Even if they could get everything done for free, most people would have to take a few hours off from work which isn't an option for some.
In America, big business always wins in the court. As much as it sucks, even if the consumer is 100% right, it's rare a consumer can afford to even take a case to court, let alone pay for a lawyer good enough to win. Sure, we hear about a few cases, but there are thousands we don't hear about.
More effective is a boycott. If EB is going to treat their customers like shit, then we can treat EB like shit. If corporate HQ knows about it and the police have been involved and can verify it's her goods, then a boycott is in place. If it were just the one store acting on its own idiocy that would be bad enough, but HQ made the final decision not to pay her back. That is definitely grounds for a nationwide EB boycott.
This is so stupid. They are not the same kind of holes. People who write things like this don't understand the severity of exploits. This is LOCAL, not remote. In fact, I am hard pressed to think of any remotely exploitable problems in the linux kernel in the last 3 years. A local root isn't a problem for 98% of linux systems. As long as any daemons listening for network connections are up to date, you really don't have anything to worry about. One could run 2.4.0 with no patches without worry as long as all network daemons are up to date.
In fact, I know of a red hat 6.2 box just running apache and ipchains on a 100mhz box that has been running for at least 4 years without a single security problem. It probably has at least 20 local roots, but it doesn't matter because apache has had a good security history.
The point is, we almost NEVER see the equivalent of local roots on windows boxen. Everything we see is remotely exploitable. It's rare that Linux sees anything remotely exploitable (in popular software...Joe's cgi script doesn't count). And when we do, the "fragmentation" of distributions that everyone bitches about helps immensely. Because most packages are compiled differently, the memory addresses to exploit are different. So it's difficult to exploit a box and usually you have to brute force it. As we see more things like non-executable stack patches and random memory patches these problems will be extremely difficult to exploit.
The proof is in the pudding... when's the last time we saw anything in linux so widely exploitable that 90% of affected machines are infected within 10 minutes of the release of a worm? We should have seen hundreds of apache worms by now since there are at least as many apache installations as IIS. MySQL? MySQL has gained huge popularity and is on almost as many boxen as SQL server. Why haven't we seen a single MySQL worm?
Not that I condone the GNAA... why don't you at least change the gay pic to Rob Enderle.
This story is old.
Version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
2.6.3 and 2.4.25 have been out a while. This is _not_ a new vuln. All this will accomplish is a bunch of idiots saying "see, linux is insecure".
It's the fact they are RPMs. Who the fuck uses an RPM based distribution anymore? So then you have to convert it to a cpio archive and then fool with trying to get the damn thing to work with your kernel. NO THANKS. I'd rather deal with nvidia and their little wrap around script to compile a kernel module. Have fun with your unresolved symbols...
No it can't. It will make them really weird and widen the gap between them and reality.
Doesn't anyone remember those kids who walked around high school speaking Klingon?!? Can't we learn from history?
I'm a programmer. My friend works in IT at a local USDA lab. One of the scientists there told my friend they needed to automate some of their "blasting". They needed to take DNA they found in plants and compare it to a bunch of national databases and depending on the results take it to other national databases, etc. etc (these national databases were all websites so it was A LOT of text processing). The final results needed to be put into an excel spreadsheet. I worked for a couple of months and had about 4 complete rewrites. It worked fine at my house, but it did not work at their labs.
What happened was, they had many many computers being natted with one ip address. These websites would see one ip address flooding their servers and cut them off or give one of MANY random errors. It was almost impossible to reproduce anywhere else. I got almost no co-operation on their part to get more ip addresses for the boxes doing the dna blasting. All they would say is "It doesn't work right". That was the extent of my bug reporting. "It doesn't work right".
It was basically impossible to get meetings with them and the project lasted about 5 months with only 5 meetings (each lasting less than a half hour). After not seeing one penny of payment and MANY thousands of lines of code later, I told them I'm not going to work on it anymore until I get some payment. That's about when I couldn't get a hold of them anymore.
That was my first and last time working on code without a contract beforehand. I did not receive a single penny for my months of work. They acted like they were in it to help out a young programmer. The USDA was in it to help the USDA. About the end of it all they hired a "programmer". One of these people who had many degrees and could "program" in many languages, but couldn't write a simple program on the spot. From what I understand they tried to get him to write it because he was supposed to be this experienced programmer with many degrees. It made me feel good that after 6 months they still don't have anything from him.
They were greedy. They taught me a lesson. Don't work for ANYONE without a contract beforehand. No matter how much they pretend they are looking out for your interests, THEY'RE NOT.
I don't use Solaris or really care for it, but...
It's just a local root vuln. That's not really a huge deal. I venture to say that at least 95% of *nix systems have a local root vuln and their admins don't know about it. Not that they don't matter, it's just they aren't the end of the world. The only situations that this would be exploited is if it's being used as some sort of shell server, or if someone exploits a remote vuln and gets regular user access, and uses this to get root.
But! Most *nix systems already have a billion other local root exploits because they happen all the time. The last few 2.4 series kernel updates were because of local roots. Anything that runs suid is a potential local root.
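The defender's side of that last sentence, as an added example (mine, not the commenter's): a local-root surface you can actually reduce is the set of setuid/setgid executables, so the first step is to enumerate them and flag any that are not on a known baseline. The allow-list and the sample directory tree here are constructed for the demo; a real baseline would come from the distribution's package manifests.

```python
import os
import stat
import tempfile

# Constructed allow-list of set-id basenames an admin expects on a box.
# A real baseline comes from the distribution's package manifests, not here.
EXPECTED_SETID = {"passwd", "su", "sudo", "ping", "wall"}


def find_setid_files(root):
    """Walk `root` and return sorted (path, mode) pairs for regular files
    with the setuid or setgid bit set.  Symlinks are not followed, and
    unreadable entries are skipped rather than aborting the audit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def unexpected_setid(found, baseline=EXPECTED_SETID):
    """Paths from `found` whose basename is not on the allow-list; each one
    is either a packaging surprise or a candidate for removal or for having
    its set-id bit cleared."""
    return [path for path, _mode in found if os.path.basename(path) not in baseline]


def build_sample_tree(base):
    """Create a constructed sample 'bin' directory: two expected set-id
    helpers, one rogue setuid binary and one ordinary executable."""
    bindir = os.path.join(base, "bin")
    os.makedirs(bindir)
    layout = {
        "passwd": 0o4755,  # expected setuid helper
        "wall": 0o2755,    # expected setgid helper
        "helper": 0o4755,  # rogue setuid binary (constructed for the demo)
        "ls": 0o755,       # ordinary executable, must not be reported
    }
    for name, mode in layout.items():
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return bindir


def audit_sample():
    """Run the audit over the constructed tree and return
    (all set-id basenames, unexpected set-id basenames)."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = build_sample_tree(tmp)
        found = find_setid_files(bindir)
        names = [os.path.basename(p) for p, _ in found]
        rogue = [os.path.basename(p) for p in unexpected_setid(found)]
        return names, rogue


if __name__ == "__main__":
    names, rogue = audit_sample()
    print("set-id files:", names)
    print("unexpected  :", rogue)
```

Run against `/` instead of the sample tree, the same `find_setid_files` call gives the list worth diffing against a known-good snapshot after every package update; a new entry that nobody installed on purpose is exactly the kind of thing the comment's "admins don't know about it" refers to.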
> If this is real.....some heads will roll
You'd think, but what in Microsoft/SCO's shady unethical borderline illegal histories would make you think they will be adversely affected by it? None of this stuff ever makes the mainstream press, so most will never see it. MS has the government so pussy whipped it isn't even funny, and this Bush administration is even more pussy whipped. Let's face it, big business can get away with whatever they want these days. Who's going to stop them? Government officials certainly have no interest in losing millions of dollars in campaign funds to oust them. Mainstream press just pretends like it's not going on.
Don't get me wrong, I read the letter. It's probably true and if this isn't an anti-competitive monopoly I don't know what is. But America has become a shitty country to live in. If you don't pull in 500k a year, good luck having your minority rights enforced. Just look at the Enron case. How many people have actually been convicted so far?
What would you do if you had a million dollars?
Besides 2 chicks at the same time?
Well yeah
I'd do absolutly nothing...
=)
I think this shows SCO's future intentions of not having a company. Suing your own damn customers? What kind of bullshit is that. Even if by some miracle they win, no one is going to buy SCO licenses. They'd sooner migrate to bsd or even windows than buy licenses from a company that punishes its customers. I wouldn't be surprised if EV1 bought the licenses because SCO was going to sue them and they decided they didn't want to be involved in a long drawn out suit.
Just because people don't care doesn't mean it doesn't matter. People will start caring real soon when their credit card number is sniffed.
This gives me a chance to have an OT rant about SSL. SSL is not the one stop security shop people think it is. You talk to an admin about doing a secure site and the very first thing they will talk about is getting an SSL cert. What people don't understand is encrypting the data is like number 59 on the list of things for a secure site. I can't tell you how many sites I've seen with weak authentication systems, sql injection vulns, XSS, hidden values holding sub totals, input validation using only javascript...
People like to think SSL sites are safe because SSL sites are very easy to set up and very official (with your official thawte cert.). Proper programming and thinking of crazy theoretical situations takes MUCH longer to do. How many sites check cookies for meta characters...
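Two of the items on that list in code, as an added example that is not part of the original comment: a checkout that trusts a hidden `subtotal` field next to one that recomputes the total from server-side prices and validated quantities, plus a cookie check that only admits a plain token. TLS changes nothing in either case, because the flaw is believing what the client sent. The catalogue, the form and the cookie values are constructed for the demo.

```python
import re
from decimal import Decimal

# Constructed catalogue and request; a real shop reads prices from its
# database and the form fields from the HTTP request body.
CATALOGUE = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}
SAMPLE_FORM = {"qty_sku-100": "2", "qty_sku-200": "1", "subtotal": "0.01"}

QTY_RE = re.compile(r"[1-9][0-9]{0,2}")          # 1..999, digits only
SESSION_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")  # bare token alphabet, no metacharacters


def checkout_trusting_form(form):
    """The weak pattern from the comment: the subtotal arrives in a hidden
    form field, so the server charges whatever the client chose to send."""
    return Decimal(form["subtotal"])


def parse_items(form):
    """Turn qty_<sku> fields into (sku, qty) pairs, rejecting unknown SKUs
    and anything that is not a small positive integer.  This runs on the
    server no matter what JavaScript did (or did not do) in the browser."""
    items = []
    for key, value in form.items():
        if not key.startswith("qty_"):
            continue
        sku = key[len("qty_"):]
        if sku not in CATALOGUE:
            raise ValueError("unknown item %r" % sku)
        if not QTY_RE.fullmatch(value):
            raise ValueError("bad quantity %r for %r" % (value, sku))
        items.append((sku, int(value)))
    return items


def checkout_recomputed(form):
    """Hardened version: ignore any client-supplied total and rebuild it
    from the server-side catalogue and validated quantities."""
    return sum((CATALOGUE[sku] * qty for sku, qty in parse_items(form)), Decimal("0"))


def order_accepted(form):
    """True when the order parses cleanly; a ValueError from validation
    means the request is rejected before any price is computed."""
    try:
        parse_items(form)
        return True
    except ValueError:
        return False


def valid_session_cookie(value):
    """Accept only a bare token: separators, quotes, angle brackets and
    control characters never reach whatever the cookie is later used in."""
    return SESSION_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("trusting hidden field:", checkout_trusting_form(SAMPLE_FORM))
    print("recomputed on server :", checkout_recomputed(SAMPLE_FORM))
    print("cookie ok?", valid_session_cookie("Zk3m8Qw2Tn5vLp9xRs1aB"))
```

The same shape applies to every client-supplied value the comment lists: decide on the server what the value is allowed to be, derive anything money-related from server-side data, and treat the browser-side check as a convenience for the user rather than a control.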
I've used FreeS/WAN... it wasn't a bad project or bad software, but was just too much 99% of the time. I usually only need to encrypt data between under 5 ports. I can set up an ssh tunnel almost instantly which does the job just as well. If ssh is already set up (which it usually is more often than not these days) you can have an ssh tunnel going in a few seconds. FreeS/WAN needed kernel patches and took much longer to set up and besides that, the development didn't seem very fast.
if by Asia they mean Ice Cream trucks
If by terrorism they mean bologna deoderant.
What would have been great is if they had a big stamp that said "pwnd" and as they raided they stamped it all over MS's offices.
Our cable service here is awful. The channels are fuzzy, it's expensive, it takes 2 weeks for anyone to come out here to look at any problems. I would get rid of the cable TV service in a heartbeat if the tv and internet service could be separate. btw, the internet service is awful too, but it's better than dial up.
Adelphia knows they have a shitty cable service and most would gladly switch to satellite if they didn't need their internet service.
I would like to see some sort of regulation of this. This is not fair to the consumer. It's like how PC OEMs won't usually sell a PC without an OS. Did I mention I hate Adelphia?
This is a GREAT point. I am setting up a linux iscsi target for someone. I had never set one up and needed some documentation on it. I hit google "linux iscsi" and found three projects. Each one of those projects has a "docs" directory explaining how to set it up, performance tuning, etc. etc. I picked one, read all the documentation, and shortly had one set up.
OTOH, I also set up a target for windows (because I wanted to test different targets and initiators with each other). Let me tell you, the official documentation was about zero. Basically, all I got was an executable and nothing else.
This isn't the best example in the world because iscsi isn't exactly difficult to set up and tune, but the point is there. Most of the time, I've got at the very least a README giving me some time saving information and documentation on what standards it follows and where it might differ. As opposed to MS products, where I get a wizard, an icon, and that's about it.
Good old fuzzy math. It _can_ cost more under certain conditions. Basically buying a HUGE support contract, using expensive commercial development IDEs, and basically being reckless with your money. I read an article awhile back somewhere discussing why some companies end up spending more with linux. The basic conclusion was (which I agree with) those implementations that end up costing more are usually done by MCSEs who treat linux like Windows. Paying many thousands of dollars for licenses, support, etc. etc.
A good Linux admin does not need support contracts, does not need to pay consultants, does not need "server versions" of linux distros, _can_ program himself, and does not call a piece of software a solution!!!! (ok, that last one I threw in cause it annoys me).
You are paid to be a network administrator. Maybe instead of pumping your money into easy to use software and support contracts you can just learn how to do your job.