Why would this be the case? Installing a piece of software that a company owns the copyright to, that happens to be GPLed, on all the machines owned by the company, is not distribution. The users do NOT own the copies, and thus, have not been granted the rights of the GPL. Nor has the GPL been violated; no distribution has taken place. The copyright holder is the only person with a copy.
The current XenoXP port is built on top of XP Embedded, which does not require product activation; activation is done at the time you assemble the disk image just by providing an Embedded licence key (no phoning home). Actual licensing terms for XenoXP will be decided by MS (under the terms of the Shared Source agreement, we may not distribute XenoXP to anyone other than other Shared Source licencees) as and when they decide to; this will not be soon as right now, the port is not complete enough =)
Also, you don't really have virtual hardware in Xen, not the same way VMWare does; we don't emulate hardware. A virtual network interface is nothing more than a ring buffer, likewise for disks.
Actually, the hardware drivers are not very special; the device core is taken from Linux as much as possible (gotta love the GPL) so the drivers for SCSI/IDE/ethernet are slightly modified Linux drivers, nothing more. One of my colleagues ported ten or so network drivers from Linux to Xen in a day. =)
True. Ultimately the goal is to have a server edition of Windows running on Xen; XP is by way of being a feasibility study. At that point, I'm sure MS will look at distribution terms.
Right now, XP does not get far enough for anyone without the source code to even test in a way that makes any sense, as its progress is measured by many tens of thousands of lines of debugging output, much of it meaningless without reference to the source, so talking about distribution now is somewhat pointless. It certainly can't bring up an actual display =)
We did benchmark against VMWare 4 (and ESX), but those versions have a clause in their licence agreements forbidding publishing of benchmarking results without VMWare's permission. They refused us permission, from which you can deduce who is faster. =)
You need a lot more than a replacement HAL unfortunately. Under Linux the changes are relatively minor as the x86-specific stuff is confined to the x86 arch tree, and very little of the non-arch code needs modification to run under Xen. Windows, however, assumes x86 all over the place, and we've had to modify the HAL, kernel, and a few system libraries so far.
Yes, this is exactly the case, except ESX emulates a full x86, whereas Xen exposes our ring-1 architecture, xeno-x86, and thus guest OSes have to be ported. Xen is much faster than ESX as there is no need to emulate privileged accesses.
No, we aren't. I'm one of the students who has been working on the XenoXP port, and the source licence agreement I have signed does not forbid me from doing related work. I can't copy bits of the Windows code into other projects (or disclose said code) but there's no problem with me contributing my own work to Linux at a later date.
A lot of people signing up for do-not-call lists do so because they DO buy things from telemarketers; they are taken in by the sales pitches, or they feel sorry for the poor soul on the other end of the phone who's going to lose his job if he doesn't make his quota, or they have trouble talking on the phone for whatever reason and thus inadvertantly agree to things.
It's these people that telemarketers really, really wants to be able to call, and it's these people who really, really want the do-not-call lists because it takes the pressure off them.
You can digitally sign something without giving up anonymity; just use a key that doesn't have a name associated with it. If a million anonymous messages are all signed with the same key, then they are all the same person (barring compromise of the key), whether you know who that person is or not.
All you need to do is decide which keys (and by extension, people) you trust. Spammers could start their own anonymous, distributed blacklists that strategically didn't list certain hosts they were using, and nobody would know that the list was maintained by a spammer; but, well, that's the same situation as you have with DNS blacklists. There's no way to PROVE that a given DNSBL run by Joe Nobodysheardofme is actually useful other than to look at it and see what it blocks. =)
I don't spend any of my time downloading; the computer does it. =) And since when has studying been a big part of student interests? *chuckle*
Video is a recreation thing, but I listen to radio streams pretty much all my waking hours except in lectures; even over the holiday I have been streaming all day at work. I like to listen to new music, and the best way to do that is to use many, many streams, especially when there are live sets to be had. Studying and listening to Blank&Jones are not mutually exclusive; in fact, I can hardly keep my train of thought on the rails for ten-minute periods without music (normally the thumping electronic kind, though my tastes are pretty varied).
I download nightly builds of programs, often huge things like Eclipse, which is thirty-odd MB a pop, because I want to contribute to projects by testing their code under normal use. So while individual downloads might not be that big, it's conceivably desireable to repeat them every single day to keep up with the latest issues in the bug trackers.
I download Debian packages a lot as well; my laptop runs unstable which sometimes has a few dozen megabytes of updated packages a day (just in the packages I have installed), and I'm testing debian-installer by installing the testing distribution at least once or twice a week on several machines.
Sometimes, heaven forbid, I have to grab random bits of software so that I can *gasp* study. I like to follow up on things mentioned in lectures; rather than hearing a bit about Smalltalk and forgetting it, I grabbed several versions and played with them.
It all adds up; when you have 'net access at a speed where waiting for downloads ceases to take any measureable time, you discover that there are all manner of things just a click away; isn't that the whole point of the Internet? =)
On the other hand, I've stopped using P2P apps totally due to lack of interest in the files that are typically available. People keep saying "oh, there's lots of free music on P2P", but I still find that the easiest way to hear good, new music that's not from major record labels is to listen to streams and, when you hear something you like, follow links to the artist's website; I've bought more than a few CDs that way. I don't download movies either; most movies I'm interested in seeing I've either already downloaded (*grin*), would rather see in the cinema, or even buy on DVD. Few new movies interest me, so I don't need to keep downloading now that I've got copies of the movies I've always thought "Oh, I should see that.." about. Eventually I'll buy them on DVD, well, the ones that actually were worth it, simply so that I can watch them 'the way the director intended', but right now I'm too much of a poor student who doesn't own a TV or DVD player to bother. =)
Having just looked myself up on the traffic chart, I used, between my three machines, 67GB of downstream bandwidth and 11GB of upstream bandwidth last month (August). As far as I remember, that was almost entirely legal files, not unlawfully duplicated copywrited material. So, well, I think that level of use is entirely justified. You'd probably have to triple or more those figures if you were grabbing the things I download and additionally using P2P. =)
I listen to radio online at about that level (15GB/mo), I stream videos of live sets a few times a week (add about 5GB/mo), random downloaded files (not p2p, just web downloads) is another 10-20GB/mo, my net backup system can use anything up to 10GB/mo.. ooh, I'm on 50GB already and that doesn't count any P2P file transfers yet =)
Fortunately, I'm on an academic connection, so not only is my usage a drop in the bucket (the top users on our net use at least several hundred gigs a month), but I get 10.5MB/s throughput as well. No caps =)
Under IPv6, ISPs are expected to give customers (normal dialup users, cable, business, home, absolutely anything) a/64 to themselves. That's 2^64 addresses.
IPv6 is specifically designed such that every single user on every single network in the world can have 64 bits of address space to themselves. So, from your cable modem, you can give an IP address to every atom in your house. =)
I have no idea whether this is actually going to be mandated by a standard; this is just how it is *supposed* to work.
If ISPs don't do it, it would be pretty useless for them to only give you one address: IPv6 will not be able to allocate any block smaller than a/64 to any organisation, which will give any ISP enough addresses in a single allocation to provide a/31 to every single human being on Earth. In order for a single ISP to provide every human with a/64, they would only need a/33 prefix... (though there are only 131072/33 prefixes, because 16 bits are used for a type indicator)
So, it would seem pretty, well, pointless for ISPs *not* to comply =)
Well done. What do you use to catch scans? An IDS? I'd be interested to see your configuration (email me, perhaps). I could have a botnet, if I really bothered, I guess.. I have enough shells around the world, I've just never needed to use them non-interactively.
Thanks Russ, applied. Would you consider implementing something similar to the delegation-only system described in this article for djbdns? It seems to me that it would be both more likely to continue to work (no dependence on fixed IPs), and more flexible in that it would block other types of DNS abuses by the registries which may be committed in the future.
Oh, yes, it would be nice if someone would implement the delegation-only mode of filtering for djbdns, however, ignoring the IP works for now and is the easiest thing to implement reliably and securely.
I quite agree. I use Windows and Linux more or less equally on a day-to-day basis for both work and home, and I run no virus scanners or firewalls. I've been running machines like this for years and have never been infected with a virus, trojan, worm.. I've never even been the victim of the most trivial of adware programs.
I don't use IE or OE. I don't have NetBIOS active on external interfaces unless the LAN I am connected to filters NetBIOS traffic at its edge. I update from Windows Update when I remember. =)
Not running code I don't want to run seems to be quit effective.
Probably not; all xbox multiplayer games use Live as far as I'm aware (the Cube has the nifty auto-discovery on local lan, tho *grin*). You'd have to plug and unplug your ethernet cable depending on whether you were playing games, or running mediacenter/linux/whatever.. bit of a pita, but managable. More worrying would be the fact that there's nothing stopping MS from updating your dashboard through a new game; games already autoupdate the dash if they have a newer version.
So you just scan reeeealllly slowly. nmap has options to do this. I spent a while tuning nmap's parameters until it no longer alerts my university's administrators when I port scan.
Google does use robots.txt. It also uses META tags, in case you are not able to set up a robots.txt file (for example, if you do not own the root of your web server). I have a robots.txt which excludes Googlebot just fine. You may be thinking of some other search engine - 'Scooter' is AltaVista's bot, IIRC.
Re:We really need a different language
on
Secure Programming
·
· Score: 1
You can write an OS in Java, if you want, with almost no assembly. Just get yourself a chip like the Jazelle ARM cores which can execute Java bytecodes in its native instruction pipeline. You now need only your very early startup code to be in assembler, as you can bring up the majority of the environment from bytecode. There are people around at the lab where I work who are building this kind of thing, and are seeing it run comparably to an ordinary embedded OS.
Slashdot Mirror
Actually, AWE still limits you to 4GB banks; you can just use more than one of them in the same process.
Why would this be the case? Installing a piece of software that a company owns the copyright to, that happens to be GPLed, on all the machines owned by the company, is not distribution. The users do NOT own the copies, and thus, have not been granted the rights of the GPL. Nor has the GPL been violated; no distribution has taken place. The copyright holder is the only person with a copy.
Oh, and hi tepples. =)
The current XenoXP port is built on top of XP Embedded, which does not require product activation; activation is done at the time you assemble the disk image just by providing an Embedded licence key (no phoning home). Actual licensing terms for XenoXP will be decided by MS (under the terms of the Shared Source agreement, we may not distribute XenoXP to anyone other than other Shared Source licencees) as and when they decide to; this will not be soon as right now, the port is not complete enough =)
Also, you don't really have virtual hardware in Xen, not the same way VMWare does; we don't emulate hardware. A virtual network interface is nothing more than a ring buffer, likewise for disks.
Torne
XenoXP porter
Actually, the hardware drivers are not very special; the device core is taken from Linux as much as possible (gotta love the GPL) so the drivers for SCSI/IDE/ethernet are slightly modified Linux drivers, nothing more. One of my colleagues ported ten or so network drivers from Linux to Xen in a day. =)
Torne
(XenoXP porter)
True. Ultimately the goal is to have a server edition of Windows running on Xen; XP is by way of being a feasibility study. At that point, I'm sure MS will look at distribution terms.
Right now, XP does not get far enough for anyone without the source code to even test in a way that makes any sense, as its progress is measured by many tens of thousands of lines of debugging output, much of it meaningless without reference to the source, so talking about distribution now is somewhat pointless. It certainly can't bring up an actual display =)
Torne
(XenoXP porter)
We did benchmark against VMWare 4 (and ESX), but those versions have a clause in their licence agreements forbidding publishing of benchmarking results without VMWare's permission. They refused us permission, from which you can deduce who is faster. =)
Torne
(XenoXP porter)
You need a lot more than a replacement HAL unfortunately. Under Linux the changes are relatively minor as the x86-specific stuff is confined to the x86 arch tree, and very little of the non-arch code needs modification to run under Xen. Windows, however, assumes x86 all over the place, and we've had to modify the HAL, kernel, and a few system libraries so far.
Torne
(XenoXP porter)
Yes, this is exactly the case, except ESX emulates a full x86, whereas Xen exposes our ring-1 architecture, xeno-x86, and thus guest OSes have to be ported. Xen is much faster than ESX as there is no need to emulate privileged accesses.
Torne
(XenoXP porter)
No, we aren't. I'm one of the students who has been working on the XenoXP port, and the source licence agreement I have signed does not forbid me from doing related work. I can't copy bits of the Windows code into other projects (or disclose said code) but there's no problem with me contributing my own work to Linux at a later date.
A lot of people signing up for do-not-call lists do so because they DO buy things from telemarketers; they are taken in by the sales pitches, or they feel sorry for the poor soul on the other end of the phone who's going to lose his job if he doesn't make his quota, or they have trouble talking on the phone for whatever reason and thus inadvertantly agree to things.
It's these people that telemarketers really, really wants to be able to call, and it's these people who really, really want the do-not-call lists because it takes the pressure off them.
You can digitally sign something without giving up anonymity; just use a key that doesn't have a name associated with it. If a million anonymous messages are all signed with the same key, then they are all the same person (barring compromise of the key), whether you know who that person is or not.
All you need to do is decide which keys (and by extension, people) you trust. Spammers could start their own anonymous, distributed blacklists that strategically didn't list certain hosts they were using, and nobody would know that the list was maintained by a spammer; but, well, that's the same situation as you have with DNS blacklists. There's no way to PROVE that a given DNSBL run by Joe Nobodysheardofme is actually useful other than to look at it and see what it blocks. =)
I don't spend any of my time downloading; the computer does it. =) And since when has studying been a big part of student interests? *chuckle*
Video is a recreation thing, but I listen to radio streams pretty much all my waking hours except in lectures; even over the holiday I have been streaming all day at work. I like to listen to new music, and the best way to do that is to use many, many streams, especially when there are live sets to be had. Studying and listening to Blank&Jones are not mutually exclusive; in fact, I can hardly keep my train of thought on the rails for ten-minute periods without music (normally the thumping electronic kind, though my tastes are pretty varied).
I download nightly builds of programs, often huge things like Eclipse, which is thirty-odd MB a pop, because I want to contribute to projects by testing their code under normal use. So while individual downloads might not be that big, it's conceivably desireable to repeat them every single day to keep up with the latest issues in the bug trackers.
I download Debian packages a lot as well; my laptop runs unstable which sometimes has a few dozen megabytes of updated packages a day (just in the packages I have installed), and I'm testing debian-installer by installing the testing distribution at least once or twice a week on several machines.
Sometimes, heaven forbid, I have to grab random bits of software so that I can *gasp* study. I like to follow up on things mentioned in lectures; rather than hearing a bit about Smalltalk and forgetting it, I grabbed several versions and played with them.
It all adds up; when you have 'net access at a speed where waiting for downloads ceases to take any measureable time, you discover that there are all manner of things just a click away; isn't that the whole point of the Internet? =)
On the other hand, I've stopped using P2P apps totally due to lack of interest in the files that are typically available. People keep saying "oh, there's lots of free music on P2P", but I still find that the easiest way to hear good, new music that's not from major record labels is to listen to streams and, when you hear something you like, follow links to the artist's website; I've bought more than a few CDs that way. I don't download movies either; most movies I'm interested in seeing I've either already downloaded (*grin*), would rather see in the cinema, or even buy on DVD. Few new movies interest me, so I don't need to keep downloading now that I've got copies of the movies I've always thought "Oh, I should see that.." about. Eventually I'll buy them on DVD, well, the ones that actually were worth it, simply so that I can watch them 'the way the director intended', but right now I'm too much of a poor student who doesn't own a TV or DVD player to bother. =)
Having just looked myself up on the traffic chart, I used, between my three machines, 67GB of downstream bandwidth and 11GB of upstream bandwidth last month (August). As far as I remember, that was almost entirely legal files, not unlawfully duplicated copywrited material. So, well, I think that level of use is entirely justified. You'd probably have to triple or more those figures if you were grabbing the things I download and additionally using P2P. =)
I listen to radio online at about that level (15GB/mo), I stream videos of live sets a few times a week (add about 5GB/mo), random downloaded files (not p2p, just web downloads) is another 10-20GB/mo, my net backup system can use anything up to 10GB/mo.. ooh, I'm on 50GB already and that doesn't count any P2P file transfers yet =)
Fortunately, I'm on an academic connection, so not only is my usage a drop in the bucket (the top users on our net use at least several hundred gigs a month), but I get 10.5MB/s throughput as well. No caps =)
Under IPv6, ISPs are expected to give customers (normal dialup users, cable, business, home, absolutely anything) a /64 to themselves. That's 2^64 addresses.
/64 to any organisation, which will give any ISP enough addresses in a single allocation to provide a /31 to every single human being on Earth. In order for a single ISP to provide every human with a /64, they would only need a /33 prefix... (though there are only 131072 /33 prefixes, because 16 bits are used for a type indicator)
IPv6 is specifically designed such that every single user on every single network in the world can have 64 bits of address space to themselves. So, from your cable modem, you can give an IP address to every atom in your house. =)
I have no idea whether this is actually going to be mandated by a standard; this is just how it is *supposed* to work.
If ISPs don't do it, it would be pretty useless for them to only give you one address: IPv6 will not be able to allocate any block smaller than a
So, it would seem pretty, well, pointless for ISPs *not* to comply =)
Well done. What do you use to catch scans? An IDS? I'd be interested to see your configuration (email me, perhaps). I could have a botnet, if I really bothered, I guess.. I have enough shells around the world, I've just never needed to use them non-interactively.
Thanks Russ, applied. Would you consider implementing something similar to the delegation-only system described in this article for djbdns? It seems to me that it would be both more likely to continue to work (no dependence on fixed IPs), and more flexible in that it would block other types of DNS abuses by the registries which may be committed in the future.
Oh, yes, it would be nice if someone would implement the delegation-only mode of filtering for djbdns, however, ignoring the IP works for now and is the easiest thing to implement reliably and securely.
Yep, the patch for dnscache by veteran Russ Nelson is here:
tinydns.org/djbdns-1.05-ignoreip.patch
I quite agree. I use Windows and Linux more or less equally on a day-to-day basis for both work and home, and I run no virus scanners or firewalls. I've been running machines like this for years and have never been infected with a virus, trojan, worm.. I've never even been the victim of the most trivial of adware programs.
I don't use IE or OE. I don't have NetBIOS active on external interfaces unless the LAN I am connected to filters NetBIOS traffic at its edge. I update from Windows Update when I remember. =)
Not running code I don't want to run seems to be quit effective.
Probably not; all xbox multiplayer games use Live as far as I'm aware (the Cube has the nifty auto-discovery on local lan, tho *grin*). You'd have to plug and unplug your ethernet cable depending on whether you were playing games, or running mediacenter/linux/whatever.. bit of a pita, but managable. More worrying would be the fact that there's nothing stopping MS from updating your dashboard through a new game; games already autoupdate the dash if they have a newer version.
Charming.
So you just scan reeeealllly slowly. nmap has options to do this. I spent a while tuning nmap's parameters until it no longer alerts my university's administrators when I port scan.
Wrong. You do not need to be a Live subscriber to get the updates. RTFA. =)
Google does use robots.txt. It also uses META tags, in case you are not able to set up a robots.txt file (for example, if you do not own the root of your web server). I have a robots.txt which excludes Googlebot just fine. You may be thinking of some other search engine - 'Scooter' is AltaVista's bot, IIRC.
You can write an OS in Java, if you want, with almost no assembly. Just get yourself a chip like the Jazelle ARM cores which can execute Java bytecodes in its native instruction pipeline. You now need only your very early startup code to be in assembler, as you can bring up the majority of the environment from bytecode. There are people around at the lab where I work who are building this kind of thing, and are seeing it run comparably to an ordinary embedded OS.