I think it's pretty obvious that if the vendor of the OS you're running releases an advisory describing an exploitable hole in the OS and you fail to follow their instructions to patch it, the blame for getting owned via that hole is yours and yours alone. the vendor followed up on their responsibility to notify you of a defect and you failed to take the suggested steps to repair the problem.
if I buy a car and it has a faulty ABS computer and chevy issues a product recall, I cant blame them for my brakes failing if I haven't brought my car in for the recall.
(well, knowing our legal system, I could probably sue, but logically, its my problem, not theirs.)
15 years ago IBM had a monopoly. cheaper and better options to IBM machines came along. IBM watched its monopoly crumble. IBM used its vast resources to become a competitive company in spite of losing their monopolistic advantage and today, they do a lot of Cool Stuff.
is linux a better option to MicroSoft's products? you bet. is MicroSoft resourceful enough to survive losing monopolistic status, were that to occur, and produce Cool Things? I honestly hope so. I'd certainly like to see a world where a company full of money and talent contributed as much as possible. I'd much rather force MicroSoft to use their resources for the common good of the industry than see them go out of business.
eBay seems to be getting all uptight about information that they put on the web and made publicly available being used by another company.
are they upset because the other company is making money? or because they are losing consumer traffic, and therefore advertising dollars? if their business model was "we sell the service of putting your lot in front of many many people and you pay us for it" or "we provide you with many many lots which you can bid on, and you pay us for it", then they wouldnt care how many search engines distilled their content, because they'd still be making money.
unfortunately, their business model seems to be something like "we make money because lots of people come to our site and see the ads we run", and this is why they are throwing a hissy fit.
advertising on web sites isn't a good idea. there are too many ways to break the advertising-on-webpage model and there aren't any ways to fix it except by suing people who break the model. why should a company like the auction search engine company be penalized because eBay can't figure out a good way to make money?
the Web has quickly become a networked system of banner ads and popup windows, and it sucks. if businesses tried to provide services to consumers in return for payment, things would work a lot better.
there's going to come a time when the Linux community is going to have to make some architectural descisions like "We're goign to support database format X for storing configuration information." if we're not willing to have these standards, theres no way to add functionality in any major way outsie of the kernel and lots of independantly developed applications.
same with filesystems, desktop managers, etc. develop some options; pick the strongest and most flexible.
you just dont get the same functionality out of a flat text file. why not write a tool that packaged up all the relevant database entries and shipped them off to your tech support provider? wouldnt such a tool be part of any complete implementation of the configuration database?
I agree that the KISS philosophy is valid, but I think it's meant to avoid _unneccessary_ complexity. if you want to extend functionality like a configuration database would, you're bound to have to accept _some_ simplicity hit.
I've been thinking about this for a while. different users want to configure their machines via different types of mechanisms: windows lusers like their gui tools, old school unix crustys like to use vi and remember cryptic syntax in a million different formats, sysadmins would like somethign that can be managed locally and rolled out across the network easily...
would it be a Good Idea to make something akin to the Pluggable Authentication Module? people could adapt existing applications to use a Pluggable Configuration Module of their choice; the PCM lib would then translate whatever configuration type of configuration information that existed into a generalized format and then feed it to the application. the app would only have to be rewritten enough to translate the generic generalized command format into the information that it needed, and then any type of configuration format is just a module away.
IRC is a very specialized application that you dont see much of in the real world?
tons of data being transmitted to thousands of participants whose lightweight clients connect to large, high traffic servers which provide a network on top of the Internet.
how is this not a real-world system? isnt this a pretty common paradigm on the Internet?
I'm not sure why anyone even considers any of this a big deal. if Sun wants to try and bring us into a server-centric future, if they think that they can deliver more utility and ease-of-use by selling users thinclients and server-based software on a dependable network, let them.
people keep yelling nonsensically that the mainframe paradigm has already been proven wrong and useless; I would suggest that maybe they might want to compare the performance of a mainframe in 1975 on the other end of a hacked together network connected to a vt100 to that of a Sun e450 connected to your full color thin client (with smartcard slot for authentication) via adsl or cable modem or soemthing of that nature.
I say ignore Sun until they produce something; then judge it on its merits, not the MAINFRAMES R DED hype youve been hearing for years.
one of the biggest problems I have with this whole database-as-protected-intellectual-property situation is that in the case of some databases, for instance, lexis-nexis, parts of the information in the database belong to you and I. these database companies compile information from publicly available sources and then want the information as a whole protected by law.
why should my civil court records become lexis-nexis's profitable proprietary information? I certainly didn't authorize anyone to sell my property or tax records. these databases that are huge collections of public data can't logically be made private.
it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
you'll all have to excuse me, but it's been 7 or 8 years since I read 2010...
remember when the rescue crew (were they russians?) heading for the Discovery ended up on Europa? didn't they discover that Europa's icy surface covered a liquid ocean? and didn't somethign come out of the ocean and eat their spaceship or something? (told you it's been a while.)
sort of interesting that Clarke forshadowed this so accurately, if I'm remembering right. If memory serves me, there's also a big white area with a black dot in the millde on the moon where dave bowman found the third monolith. (I believe I read that in some interview with Clarke or something.)
If you're too facinated with what's on your computer screen to look at what's going on in the real world, you deserve to be taken advantage of. At the very least, by failing to care about the realities of life outside your computer, you give up the right to complain about the people who are movers and shakers taking advantage of you.
People with technical skills are blessed with an opportunity to do something exciting and be very successful doing it. Shame on you if you're too captivated with your work to make anythign of yourself.
Re:What are you so damn afraid of?
on
CALEA update
·
· Score: 3
a lot of people respond to threats against privacy with this "if you're afraid of this, you must have something to hide" claim. it's a garbage argument, though. maybe today the feds don't have the technology or the will to listen to every fone conversation and prosecute every crime for which they gather evidence in this way, but if you look 10 or 20 years into the future, who's to say what the government will be capable of doing? why is it so unlikely that voice recognition and transcribing software and computer power won't have progressed to a point where "listening" to every call is possible? why are you assuming that after 20 more years of eroding our freedom and privacy, the government won't think this is a good idea?
in new york city, they arrest people for jaywalking because the mayor says it improves the "quality of life". lots of people agree with him. what if citizens in the future feel that complete monitoring of their lives increases their safety? what if the government just decides it's in our best interests to be monitored?
any legislation or policy which makes it easier for the government to invade the lives of the public is BAD. b-a-d bad.
I have a great idea - how about a ban on Amiga "news" articles until they do something newsworthy? In the past weeks we've seen them tout products that don't exist, cancel programs that were never started, revamp their leadership, and now, they are alerting the world that they aren't doing anything yet.
jesus, when does it end? enough with the Amiga trash already. we don't care, and we won't until they actually do something.
I haven't read the book being reviewed here, but if anyone is interested in a very exhaustive introductory algorithms book, I'd recommend Introduction to Algorithms from the MIT Electrical Engineering and Computer Science series. very very intelligent treatment of any algorithm-related subject you would want to read about.
back when this whole mircosoft-in-court fiasco started, I was really excited about the prospect of finally seeing a possibility that perhaps microsoft would someday have real competition in the computer marketplace, and that other operating systems and productivity suites might start gaining the market share that microsoft's unfair business tactics were keeping from better software.
now that the trial is over, the entire climate seems to have changed. no longer is NT the only option for people who wear ties to work; more and more frequently, these people are doing research and finding that maybe the microsoft solution wont work as well as other possible solutions. apple isnt currently taking on intel head-to-head in any meaningful way, but they're making some new machines, and with IBM's release of their PPC motherboard specs, it looks like intel might not be the only real game in town for very long.
in short, I dont really even care what the outcome of this trial is. the trial sparked a lot of negative press for microsoft, and I'm glad that happened, because years down the road, that might be the only real consequence of this trial. dont look for the government to break up microsoft, because the legal system is too slow and too full of loopholes for that to happen.
and dont gloat prematurely about the breakup/fall of microsoft. instead be happy that we have made great strides since the start of the trial and hope for more progress in the future.
that is, if you rely on the intruders' ignorance as your primary line of defense, you are completely screwed the moment you encounter an intruder whose knowledge includes information about the holes in your system.
much better to have a system whose exploitabilities are known and repairable than to have a system whose holes are unknown and unrepairable.
I can guarantee that at least one reporter at cnn.com is reading slashdot. click on this and scroll down to the bottom of the story to see cnn.com quote an anonymous coward regarding the recent Hotmail debacle.
ok. so youre working on a medium-large software project. you've got over 100 source files, some of which you wrote, some of which you didn't.
where is foo() defined? where is it declared? where's the next place it's used? what are the different signatures of functions named foo()?
you can answer these questions from your shell, yeah. but it takes some knowledge and application of regexps and grep and it takes some time to write these little "queries" and sift thru their results.
don't get me wrong, I'm not dissing the "vi-as-ide" method of programming. I've done a lot of it. but an IDE often gets you some of these features for free.
additionally, in good ide's you get an integrated debugger as well, and probably an improved compilation system that saves you from kludging up a whole bunch of ugly makefiles.
not to be an ass, but maybe if you'd read the article...
there's a link in there to a page that contains info on the applicable patents. in fact, the interviewer asks pretty much the question that youre asking.
Slashdot Mirror
I think it's pretty obvious that if the vendor of the OS you're running releases an advisory describing an exploitable hole in the OS and you fail to follow their instructions to patch it, the blame for getting owned via that hole is yours and yours alone. the vendor followed up on their responsibility to notify you of a defect and you failed to take the suggested steps to repair the problem.
if I buy a car and it has a faulty ABS computer and chevy issues a product recall, I cant blame them for my brakes failing if I haven't brought my car in for the recall.
(well, knowing our legal system, I could probably sue, but logically, its my problem, not theirs.)
15 years ago IBM had a monopoly.
cheaper and better options to IBM machines came along.
IBM watched its monopoly crumble.
IBM used its vast resources to become a competitive company in spite of losing their monopolistic advantage and today, they do a lot of Cool Stuff.
is linux a better option to MicroSoft's products? you bet. is MicroSoft resourceful enough to survive losing monopolistic status, were that to occur, and produce Cool Things? I honestly hope so. I'd certainly like to see a world where a company full of money and talent contributed as much as possible. I'd much rather force MicroSoft to use their resources for the common good of the industry than see them go out of business.
eBay seems to be getting all uptight about information that they put on the web and made publicly available being used by another company.
are they upset because the other company is making money? or because they are losing consumer traffic, and therefore advertising dollars? if their business model was "we sell the service of putting your lot in front of many many people and you pay us for it" or "we provide you with many many lots which you can bid on, and you pay us for it", then they wouldnt care how many search engines distilled their content, because they'd still be making money.
unfortunately, their business model seems to be something like "we make money because lots of people come to our site and see the ads we run", and this is why they are throwing a hissy fit.
advertising on web sites isn't a good idea. there are too many ways to break the advertising-on-webpage model and there aren't any ways to fix it except by suing people who break the model. why should a company like the auction search engine company be penalized because eBay can't figure out a good way to make money?
the Web has quickly become a networked system of banner ads and popup windows, and it sucks. if businesses tried to provide services to consumers in return for payment, things would work a lot better.
there's going to come a time when the Linux community is going to have to make some architectural descisions like "We're goign to support database format X for storing configuration information." if we're not willing to have these standards, theres no way to add functionality in any major way outsie of the kernel and lots of independantly developed applications.
same with filesystems, desktop managers, etc. develop some options; pick the strongest and most flexible.
functionality > simplicity
you just dont get the same functionality out of a flat text file. why not write a tool that packaged up all the relevant database entries and shipped them off to your tech support provider? wouldnt such a tool be part of any complete implementation of the configuration database?
I agree that the KISS philosophy is valid, but I think it's meant to avoid _unneccessary_ complexity. if you want to extend functionality like a configuration database would, you're bound to have to accept _some_ simplicity hit.
what are you going to do if there's a corrupt database entry?
well, presumably, this system would be open source, and so you'd find the bug that caused the corruption and fix it.
just because MicroSfot's implementation of something sucks doesn't mean we can't embrace and extend it.
I've been thinking about this for a while. different users want to configure their machines via different types of mechanisms: windows lusers like their gui tools, old school unix crustys like to use vi and remember cryptic syntax in a million different formats, sysadmins would like somethign that can be managed locally and rolled out across the network easily...
would it be a Good Idea to make something akin to the Pluggable Authentication Module? people could adapt existing applications to use a Pluggable Configuration Module of their choice; the PCM lib would then translate whatever configuration type of configuration information that existed into a generalized format and then feed it to the application. the app would only have to be rewritten enough to translate the generic generalized command format into the information that it needed, and then any type of configuration format is just a module away.
IRC is a very specialized application that you dont see much of in the real world?
tons of data being transmitted to thousands of participants whose lightweight clients connect to large, high traffic servers which provide a network on top of the Internet.
how is this not a real-world system? isnt this a pretty common paradigm on the Internet?
in 1975, servers and networks were s-l-o-o-o-w.
therefore mainframe-client computing was not as good as desktop computing.
in 2005, servers will be even faster than they are today and networks will be too. I would venture that that's a pretty substantial change.
I'm not sure why anyone even considers any of this a big deal. if Sun wants to try and bring us into a server-centric future, if they think that they can deliver more utility and ease-of-use by selling users thinclients and server-based software on a dependable network, let them.
people keep yelling nonsensically that the mainframe paradigm has already been proven wrong and useless; I would suggest that maybe they might want to compare the performance of a mainframe in 1975 on the other end of a hacked together network connected to a vt100 to that of a Sun e450 connected to your full color thin client (with smartcard slot for authentication) via adsl or cable modem or soemthing of that nature.
I say ignore Sun until they produce something; then judge it on its merits, not the MAINFRAMES R DED hype youve been hearing for years.
one of the biggest problems I have with this whole database-as-protected-intellectual-property situation is that in the case of some databases, for instance, lexis-nexis, parts of the information in the database belong to you and I. these database companies compile information from publicly available sources and then want the information as a whole protected by law.
why should my civil court records become lexis-nexis's profitable proprietary information? I certainly didn't authorize anyone to sell my property or tax records. these databases that are huge collections of public data can't logically be made private.
it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.
if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
you'll all have to excuse me, but it's been 7 or 8 years since I read 2010...
remember when the rescue crew (were they russians?) heading for the Discovery ended up on Europa? didn't they discover that Europa's icy surface covered a liquid ocean? and didn't somethign come out of the ocean and eat their spaceship or something? (told you it's been a while.)
sort of interesting that Clarke forshadowed this so accurately, if I'm remembering right. If memory serves me, there's also a big white area with a black dot in the millde on the moon where dave bowman found the third monolith. (I believe I read that in some interview with Clarke or something.)
anyway, all very interesting.
If you're snorting crack, you've got a serious drug problem. Crack is meant to be smoked.
If you're too facinated with what's on your computer screen to look at what's going on in the real world, you deserve to be taken advantage of. At the very least, by failing to care about the realities of life outside your computer, you give up the right to complain about the people who are movers and shakers taking advantage of you.
People with technical skills are blessed with an opportunity to do something exciting and be very successful doing it. Shame on you if you're too captivated with your work to make anythign of yourself.
a lot of people respond to threats against privacy with this "if you're afraid of this, you must have something to hide" claim. it's a garbage argument, though. maybe today the feds don't have the technology or the will to listen to every fone conversation and prosecute every crime for which they gather evidence in this way, but if you look 10 or 20 years into the future, who's to say what the government will be capable of doing? why is it so unlikely that voice recognition and transcribing software and computer power won't have progressed to a point where "listening" to every call is possible? why are you assuming that after 20 more years of eroding our freedom and privacy, the government won't think this is a good idea?
in new york city, they arrest people for jaywalking because the mayor says it improves the "quality of life". lots of people agree with him. what if citizens in the future feel that complete monitoring of their lives increases their safety? what if the government just decides it's in our best interests to be monitored?
any legislation or policy which makes it easier for the government to invade the lives of the public is BAD. b-a-d bad.
dude, IP stands for Intellectual Property, not Internet Protocol.
I have a great idea - how about a ban on Amiga "news" articles until they do something newsworthy? In the past weeks we've seen them tout products that don't exist, cancel programs that were never started, revamp their leadership, and now, they are alerting the world that they aren't doing anything yet.
jesus, when does it end? enough with the Amiga trash already. we don't care, and we won't until they actually do something.
I haven't read the book being reviewed here, but if anyone is interested in a very exhaustive introductory algorithms book, I'd recommend Introduction to Algorithms from the MIT Electrical Engineering and Computer Science series. very very intelligent treatment of any algorithm-related subject you would want to read about.
here it is at Amazon
back when this whole mircosoft-in-court fiasco started, I was really excited about the prospect of finally seeing a possibility that perhaps microsoft would someday have real competition in the computer marketplace, and that other operating systems and productivity suites might start gaining the market share that microsoft's unfair business tactics were keeping from better software.
now that the trial is over, the entire climate seems to have changed. no longer is NT the only option for people who wear ties to work; more and more frequently, these people are doing research and finding that maybe the microsoft solution wont work as well as other possible solutions. apple isnt currently taking on intel head-to-head in any meaningful way, but they're making some new machines, and with IBM's release of their PPC motherboard specs, it looks like intel might not be the only real game in town for very long.
in short, I dont really even care what the outcome of this trial is. the trial sparked a lot of negative press for microsoft, and I'm glad that happened, because years down the road, that might be the only real consequence of this trial. dont look for the government to break up microsoft, because the legal system is too slow and too full of loopholes for that to happen.
and dont gloat prematurely about the breakup/fall of microsoft. instead be happy that we have made great strides since the start of the trial and hope for more progress in the future.
security through obscurity == no security
that is, if you rely on the intruders' ignorance as your primary line of defense, you are completely screwed the moment you encounter an intruder whose knowledge includes information about the holes in your system.
much better to have a system whose exploitabilities are known and repairable than to have a system whose holes are unknown and unrepairable.
I can guarantee that at least one reporter at cnn.com is reading slashdot. click on this and scroll down to the bottom of the story to see cnn.com quote an anonymous coward regarding the recent Hotmail debacle.
ok. so youre working on a medium-large software project. you've got over 100 source files, some of which you wrote, some of which you didn't.
where is foo() defined? where is it declared? where's the next place it's used? what are the different signatures of functions named foo()?
you can answer these questions from your shell, yeah. but it takes some knowledge and application of regexps and grep and it takes some time to write these little "queries" and sift thru their results.
don't get me wrong, I'm not dissing the "vi-as-ide" method of programming. I've done a lot of it. but an IDE often gets you some of these features for free.
additionally, in good ide's you get an integrated debugger as well, and probably an improved compilation system that saves you from kludging up a whole bunch of ugly makefiles.
not to be an ass, but maybe if you'd read the article...
there's a link in there to a page that contains info on the applicable patents. in fact, the interviewer asks pretty much the question that youre asking.