People in this thread mistake that I believe in draconian security. I don't. I do, however, have the facts that systems security is taking a beating like no other time in history, and the assets at stake are now huge. To blow off security as an afterthought of some sort of da Vinci-worthy code still strikes me as the height of arrogance. It doesn't speak to the real pain that occurs.
Never said IT was a monolith. I fully appreciate the many responsibilities, many are now heavily distracted by the fireman's drill of dealing with security issues.
Security is indeed a process, but insufficiently applied as a discipline across IT-- including coders, viz the incredible breaches across industries, governments, and personal equipment. It's now slowing down, it's become vastly more damaging.
Underscoring your reply was a theme of trade-offs. Some people want to live a life with minimal patches, because the code was right to begin with, and withstood barrages of overflow/etc attempts because the code was well-designed, and used as one of the pragmas for its underlying theme: security.
Coders aren't getting the message that security comes first. Sure, take an idea and make it into code. And if you're going to distribute that code, prevent others from coming to harm. This is the theme, this is the culture that's missing in Torvalds' quote.
I'm fully aware of kernel functionality. "Imaginary" security problems become discovered often. Linux is not just the kernel, it's also all of the apps depending on kernel functionality. Yes, it's FOSS and the kernel is freaking huge, a life's work of astounding achievement.
Your pragmatist's instructions are great. This said, allowing a carefully crafted packet to push a process into an overflow that permits privileged code execution is a hideous failure. Suddenly, a machine is cracked like an egg, and rife for code injection that renders whatever real assets in use for ripoff.
Yes, things get fixed. Fewer things get fixed when code is well thought-through as a matter of innate discipline as a function of a culture of being inherently security-mindful. Such statements by Torvalds say: loose and fast is ok. We're engineers and have more meaningful things to do as our goals. Therein lies my problem with it.
If you're a real hacker, you should be immune to this kind of binary thinking. People hack stuff, and look at the damage now done given criminal motives. Nothing is foolproof, but security is a culture, a mindset. It's nice to make something nice and artistic, but if it melts like an ice sculpture, what's left?
It's not about Microsoft. It's about Lucky Linus not getting the message, being arrogant, and permeating a culture where loose-and-fast is better than thinking of security risks.
I believe you're putting words in his mouth. Sleazing on security to get as you put it "stuff DONE" is what got us here. The ends don't justify the means.
And look at the means! Systems security has become battle #1 for many, many IT people.
Were this true, a culture of security would have indeed stanched many of the problems found. Certainly the Linux kernels have been well-thought through. They are not immune.
It's not that black and white at all. The OSHA-like examples of stupidity in motion don't apply here. What is present is an enormous crime effort to make money from others' computing misery. Look at what's happened, in terms of breaches, thefts, extortion, and just plain misery.
The problem starts with every coder everywhere, every sysadmin, network engineer, and web designer. The culture of security starts at the top, and here, at the Top of Linux, Linus brushes it off. These aren't nutters or nutjobs, these are the wounded, the broke/bankrupt, and those rapidly looking at systems infrastructure as if it's a joke.
No.
It's the very height of arrogance to not consider safety. Security isn't about paranoia, it's about bad guys, and there are a huge number of them, using coder stupidity and this sort of arrogance to rob people of real money, or ransom systems.
It's an enormous failure of engineers that don't put safety first while trying to be faster, cooler, or wittier than the next engineer. You can call it artistic creation, egalitarianism, but without the concern for the safety of others, it's boorish, arrogant, and rife for misdeed.
Correctly installed, the net senses this. I want to see a good-for-four-miles radar with a goo bazooka. Plop that sucker with peanut butter. Imagine the squirrels.
Yeah, RF jammers will be frowned on-- especially because there's no guarantee that any specific frequency or mode is being used. Non-visual lasers, have a possibility, as do bald eagles.
The Net-Over-Everything has potential, too. The best idea? $10,000 bounty for the carcass.
Get the patents, too, because you'll sell a bunch to many people, ranging from the GetOffMyLawn-types, It'sMyAirSpace peeps, to those that simply ITCH to have a reason to shoot something with a large caliber.
I favor the lock-and-load general purpose laser, myself. Fry 'em, especially when they try to catch my neighbor sunning herself. Or perhaps the OCR version, which checks to see if it's from Amazon, FedEx, Walmart, or a three letter agency.
This should all go totally out of control very shortly as capitalism once again rubs up against perceived civil liberties.
You're right. I sit corrected.
Apple's QA erodes further. They didn't pay bug bounties because they had the churl to believe in their own invincibility... and like so many others, will meet their matches in new and interesting ways.
There might be a mutual auth like RFID tags, or even Hall sensors. Where there's a will, there's a hacker way, although I like the idea of field charging from a logistics perspective. I wonder what snow and rain and road grime might do to it...
And for more fun, I see a bunch of coils on the bottom of my hybrid in my near future.
Yes. But this is NUMA with more randomization across memory boundaries, and the 32 cores that are in each socket. Depending on how an app is threaded, the number of stack overflow jumps that are possible become factorial, not just multiplicative.
Not 100% safe, but attempts to push the stack through overflow, prediction, or deception, become much easier to both detect, and also to shutdown. It's pretty novel, and more novel than a superficial examination might bear. This said, it's going to be an uphill battle to fight Hurd's ex employer and Intel sycophants HP, along with Dell, and other commodity server makers.
It's a big thing indeed. The Eucalyptus buy was supposed to be a big thing, but if they're going to sell servers to other cloud companies and compete with them, too, they're screwed. What made more revenue? Servers. Easy choice.
There's a really bad not-invented-here culture that permeates much of what they do. A text book of how to screw up acquisitions ranging from Compaq to Palm ought to be taught in every B-school and engineering school on the planet.
And amazingly, I have respect for some of their stuff. They try really hard. Makes Michael Dell's acquisition of EMC/VMware seem, can I say it: sane.
Just having an .xyz TLD would be enough for me to bounce it. Without a single regret, I've bounced most of the new TLDs and for good reason: not a single message wasn't spam.
Can't count the number of .eu messages that are caught up in this, as well as anything from .cn-- as we have zero business coming from China, ever. Same goes for a lot of other country TLDs... the ISPs serving them up don't care if I send an abuse complaint, in fact, most bounce an abuse complaint.
A heavyweight board represents market diffusion. Think of what this might mean for military field operations, battlefield hospitals, trauma units, insurance companies and co-insurers, the financial people behind all of these.
Should the device actually work as described, and become evolved, and its patent lives can be extended, it's both a diagnostic miracle, and a forensic examiner's best friend.
So, like many other ostensible miracles-in-the-making, a heavyweight board gets to snack on the profits. And maybe purchasers get the rapid diagnostics they need for accurate care plans. Maybe. Maybe. That the process is opaque means that there is much patent and IP law to be considered, too.
Hams fall into many camps, but some are genuine engineers, techs, hackers, and belong in the maker communities. There's a lot of spectrum dedicated to licensed amateurs, and for the most part, the rules are respected.
There are exceptions, and the FCC doesn't have time/isn't interested/isn't funded/doesn't care to go after the rest unless they're really disruptive. Some of the rule offenders are comparatively benign. Some of them are indeed pernicious and do cause harm. Fortunately, the ham community is, to an extent, self-policing. It's not difficult for the FCC to find real offenders as radio signal sources are comparatively easily found, and therefore, offenders-- should their transmissions really foul the airwaves in some dangerous way.
Very few, as a percentage, are programmers, and fewer still, radio systems programmers, but the number is increasing. The ham bands overlap with one of the WiFi bands, specifically channel 1 in the 802.11b/g/n 2.4 GHz region. Unlicensed use of these bands makes it somewhat difficult to do long-distance communications, but it's certainly not unheard of in that region of the amateur bands.
Hams put together their own rigs, but more often, buy setups so that they don't have to do the work. It's my guess that fewer than twenty hams in 100 actually use a soldering iron to put something together, but remember, there are over 700,000 licensed hams in the USA, and many more in the rest of the world, especially Canada, Japan, and increasingly, China and India (not to mention Europe and the UK).
I hold both licenses as well, and although very competent in programming, and RF theory, I don't believe that the criteria set by having these two licenses should be tacit endorsement or permission to modify AP object code.
Why? Easy: I consider myself to be a responsible and competent operator and hacker. The delta of hardware underneath an AP is only discernible by actual specialists in AP design.
Putting in an altered conf file with a single mistake could render the AP a big problem. I instead suggest that a class of APs whose SDR components are bolted down to the 2.4 and 5 GHz channels is the only way to deal with the problem. Add all the features desired, but keep the radios and their modulation schemes at frequency, and with a ceiling of available power.
Yes, I understand that with antennas one can get great gain; the current crop of APs can be really badly designed. Hack away, but there need to be bounds on frequency channels, and signal amplitude at the outputs, as well as modulation types. Otherwise, undesired results will happen as they're happening now. OSS/FOSS developers can be very responsible, and still, there exists a sufficient number who are not, even with a license.
Turning a profit is a legal corporate responsibility. They have to do this. That said, some are able to champion ideals that even add to their cachet and longevity as money-making machines. Others have sufficient amounts of momentum to ignore any semblance of morality.
Jailbreaks come from many places, but this is certainly one more motivator. Sad to see. Doing the right thing extends as far as quarterly profit statements.