Well, you see, here's the problem with your arguments. I did thumb through Phrack, and I also browsed through their web site, before posting my messages.
Also, I never said I believe in security through obscurity. I do like to hear about vulnerabilities. However, my focus is not on how to exploit them, but rather how to protect against them. Often you need to know one to know about the other, but also quite often (i.e. when a patch has been issued), you don't.
Okay, so they don't issue .c files for you to compile and use. But a lot of the articles seem to focus on how you might code a .c file instead of how to protect against attacks.
As an example, if CERT were to send out an advisory, they would tell you there is a buffer overrun, but not where in the code or how to exploit it. A great majority of the time, they also tell you how to fix it.
Phrack, on the other hand, in their latest issue, had an article on "The Frame Pointer Overwrite" which explained how to exploit a buffer overrun, and even had an example of C code. Or how to build a "*REAL* NT Rootkit". Or how to exploit Win32 Buffer Overflows. Shall I go on?
That was hardly a troll. A troll is a post intended to elicit negative responses. I was only providing my opinion on Phrack and its place (or rather how I don't think it should have a place) on Slashdot. Maybe I didn't specify why I think the way I do and that's what makes you believe my post was a troll. So here I will expand on my opinion.
I question the ethics of the makers and writers of Phrack, and as a result I refuse to support them and fail to see why any respectable person in the computer industry would. Clearly most of those involved in the creation of Phrack come from the ranks of current and past crackers and phreakers, which both happen to be illegal activities in most countries. Phrack is not a respectable security information source like CERT or CIAC or BUGTRAQ. They don't just give information on vulnerabilities, but also information on how crackers and script kiddies can exploit those vulnerabilities. They've even provided examples.
The makers of Phrack certainly don't have any interest in advancing security, but rather their interest lies in cracking, phreaking, "warez", and other clearly illegal and unethical activities.
Normally, I respect Slashdot as a respectable source of information for technology news. Phrack is not respectable, and therefore Slashdot should not pay them any attention.
Here are some of the differences between a contractor and an employee. I know because I've done both.
1. Contractors don't expect you to give any commitment whatsoever to them. And you shouldn't expect a commitment past the term of their contract from them either. When I was a contractor, I never counted on anyone giving me an extension. When it was offered I often had to turn it down because I had already found other work.
2. Contractors are good for work that does not relate specifically to customer or internal requirements. If you're building a project from scratch, they're worthless. They won't help with requirements and development building (even though they/you might try), because they don't and won't try to understand your company or your customers. They are, in general, however, very good at implementing things that just need to be done (and quickly) and don't require an understanding of your company or customers.
3. Contractors don't have any stake in your company. Employees do. They have their livelihoods at stake. And, often they have stock options at stake. So they will actually care about your company. Contractors usually couldn't care less.
4. In team environments, employees usually work best. I've been at companies where nobody worked well in teams, but usually if they do, if there's a sense of belonging and family, they're employees.
In short, don't expect anything from contractors other than quick work when you need it. Employees are best when it comes to the long-term.
Here's an example:
Your company, a large telecommunications company that starts with the letters "Luc" and ends with the letters "nt", needs to develop a new switching system from scratch, including hardware, firmware, and software.
Employees would be best in general. Perhaps you want to use contractors to do specific tasks like create the Visual C++ based monitoring and administration GUI, write specific modules, etc.
It's essential that you don't use contractors for key positions like project and product management, programming the firmware, hardware work, or writing critical backend modules.
That's the law, and the law is a bastard. I don't ask others to write software for me; I ask them not to tell me what to do on my computer in the privacy of my home, regardless of whether I make use of software they wrote.
Listen, they wrote the software. Without them, there would be no software. So just be glad it exists and stop whining about "well, they don't let me do blah blah blah blah blah". It's their software! They have the right to do anything they want with it!
Yeah. That's a good thing. Punitive damages have to be the dumbest invention in the history of the world. "okay, so it cost me $5 to dry-clean that shirt you spilled Pepsi all over, but you also gave me severe pain and suffering, so please hand over $10 million."
Interesting. The QPL is rather weird (this is the first time I've read it). According to one term of the license, you must distribute your modifications "in a form separate from the Software, such as patches".
But the next term of the license says you can distribute your executable forms of the modifications+original, provided you also distribute the source to the modifications+original.
So, which one is it? Can you distribute the source with your modifications already patched in, or do you have to distribute your modifications as patches?
Well, we were mostly immune to really stupid lawsuits (as far as I know, no one in Canada has sued McDonald's because their coffee was too hot!), but I guess everything is going to hell now thanks to you Americans!
Why would you have to re-write the code? Let's say I write the program "Widgets Inventory Program", and release it under the GPL. Under the GPL, I still maintain the copyright to all of the code I wrote for Widgets Inventory Program, right? So I can do whatever I want with it, including re-licensing it. On the other hand, taking other people's contributions to my code and changing them wouldn't be proper, since they hold the copyrights to their code, right?
So, essentially, I can change the license of the original code that I wrote, but I can't change the license of the contributions from others if they submitted it under the GPL (which they're required to do under a GPL license), or change the license of the combined/merged code written by myself and other developers.
Now, of course, if I did make any changes to the license, they would not be retroactive since a license is essentially a contract and you agreed to that contract before (but that doesn't mean you need to agree to it in the future!).
This is my understanding of copyright law. As long as you wrote the code, you own it, you own the copyright, and you have the right to do anything you wish to it as long as you don't break any contracts/licenses already entered into.
I am extremely pleased with Slashdot recently, as the staff appears to be doing a lot more background work on the news items they post. It's a nice thing to see Slashdot every now and then as the source of the news item rather than referring it somewhere else. I was also pleased when Roblimo did the investigative work on the Unisys/GIF thread insanity that was going on. I am also very pleased to see that Hemos got the official info from RedHat on this matter.
I too am pleased there's more follow-up being done. The only thing is, I wish that Slashdot would do the entire follow-up BEFORE posting a story. The recent Unisys and RedHat follow-up stories were nice to see, but I would have preferred to see the follow-ups with the original posts, even if it means I have to wait a few days for the story.
Real journalists have standards, and sometimes they embargo a story for weeks until everything can be confirmed. It seems that Slashdot, because they don't follow these standards, often find themselves retracting or clarifying things.
No, it's definitely not still RedHat. It might have the contents of RedHat, but it's not a RedHat product. It doesn't come with the documentation and support that the real RedHat Linux comes with.
"I won't run any software unless it's completely GPL'ed software, even if it's based on an incredibly-extremely-so-very-close-to-being-free license. I also want to move to Cuba and become a socialist. I also consider BSD-style licensed software not to be free, even though it lets you do way more with the code than the GPL license and is practically public domain. I also think we would have more rights by removing some guarantees of rights from the constitutions and laws of countries and international law. By the way, my name is Richard Stallman."
Wow, that was a complete flame and troll and will undoubtedly be moderated out, but I have to admit it was fun to write. By the way, if you have the urge to flame me back, get a sense of humour.
I'm not dumb here. Having put together Windows NT networks, I know that WINS resolves NetBIOS names to IP addresses. If you bothered to read the rest of the post, and the reply thereafter, you'd see that the MS DNS server can query the WINS server, so that DNS and WINS names of a machine are identical.
I'm just shaking in my boots. It's so frightening to me that a cracker with a cluster of 30 computers to spare for a period of 7 months can get all of my secret credit card information. It's much more frightening than that scary person at the gas station who processes my credit card every time I fill up with gas.
Face it, there is no such thing as privacy, even with encryption. It's all just an *illusion* of privacy. I wouldn't be surprised if the NSA already knew how to crack 1024-bit RSA keys. Encryption, like any form of computer security, is not the process of making you invincible, it's just making it more difficult for someone to crack your information/system/network/whatever.
I'm just shaking in my boots. It's so frightening to me that a cracker with a cluster of 30 computers to spare for a period of 7 months can get all of my secret credit card information. I
Okay, I'm both a Unix/Linux sysadmin and a Windows NT sysadmin, and I can tell you this. Win NT 4.0 already does this in an ad-hoc sort of way. The Win NT DHCP server can "bind" to the MS WINS server so that when leases renew/expire, the WINS server will be properly updated to reflect changes. And, you can also "bind" the MS DNS server to the WINS server. So, in essence, you have a workaround way of getting dynamic DNS.
So, this is nothing new really. In fact, most corporations that I know of (including the one I work at), already use Win NT-based DNS servers on the LAN so that it can be "linked" into DHCP. This is essentially a requirement already, unless you want non-NETBIOS (normal old socket-based) TCP/IP to not work at all for your clients.
Essentially, MS is already forcing you into using their DNS server on your LAN if you're using DHCP. The other option, is to use static IP addresses, have no WINS server, and use DNS for NETBIOS lookups. I suspect, however, that that is changing as an option in Win2k.
This doesn't mean that BIND is going to lose any market share. As far as I know, most corps use Win NT DNS internally and BIND externally on the Internet. That's what we do at my work. And it's what we did at the place I worked at before, and the one before that too. No one in their right mind would use the Windows NT DNS server on the Internet, although some people probably do.
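The two posts above (the one on MS DNS querying WINS, and this one on chaining DHCP to WINS to DNS) describe the NT 4.0 name-resolution chain in prose only. The following is an added example, not code from either post, that shows the WINS leg of that chain on the wire: it builds the NetBIOS Name Service query that a WINS-aware resolver sends to the WINS server on UDP 137 (RFC 1001/1002 format), parses the positive name-query response, and mimics the NT DNS "WINS lookup" fallback, which asks WINS for the leftmost label only, since NetBIOS names are flat 15-character names plus a one-byte suffix. The host name WORKSTN, the address 192.0.2.10 and the transaction id are constructed for the example; nothing is sent on the network, the transport is passed in as a callable.

```python
import socket
import struct

NB_TYPE = 0x0020    # QTYPE/RTYPE "NB" (RFC 1002)
IN_CLASS = 0x0001

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-char name (space padded) + suffix byte,
    each nibble mapped to 'A'..'P'. Always 32 bytes."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)

def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_name_query(name: str, txid: int, suffix: int = 0x00,
                     broadcast: bool = False) -> bytes:
    # Header is the DNS layout: ID, flags, QD, AN, NS, AR.
    # 0x0100 = opcode QUERY + RD; the B bit (0x0010) marks a LAN broadcast,
    # which a unicast query to a WINS server leaves clear.
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack("!HH", NB_TYPE, IN_CLASS)

def build_name_response(txid: int, name: str, ips, suffix: int = 0x00,
                        ttl: int = 300) -> bytes:
    """Constructed positive name-query response, as a WINS server would send
    it, so the parser below can be exercised offline."""
    flags = 0x8500  # QR=1 (response), AA=1, RD=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    # Each RDATA entry: NB_FLAGS (G=0 unique name, ONT=01 P-node) + IPv4.
    rdata = b"".join(struct.pack("!H", 0x2000) + socket.inet_aton(ip) for ip in ips)
    return header + rr_name + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata

def parse_name_response(pkt: bytes, expected_txid: int):
    """Return the IPv4 addresses carried in NB answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("NBNS error, rcode %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):                      # echoed questions, normally none
        length = pkt[pos]
        pos += 1 + length + 1 + 4
    addrs = []
    for _ in range(an):
        length = pkt[pos]
        pos += 1 + length + 1                # name label + terminator
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        rdata = pkt[pos:pos + rdlen]
        pos += rdlen
        if rtype != NB_TYPE:
            continue
        for off in range(0, rdlen, 6):
            addrs.append(socket.inet_ntoa(rdata[off + 2:off + 6]))
    return addrs

def resolve_with_wins_fallback(fqdn: str, dns_lookup, wins_send, txid: int = 0x1234):
    """Mimic the NT DNS 'WINS lookup' behaviour: answer from the zone if the
    name is there, otherwise ask WINS for the leftmost label. dns_lookup and
    wins_send are injected so the function runs without a network."""
    found = dns_lookup(fqdn)
    if found:
        return found
    host = fqdn.split(".", 1)[0]
    if len(host) > 15:
        return []                            # cannot be a NetBIOS name
    reply = wins_send(build_name_query(host, txid))
    return parse_name_response(reply, txid)
```

The point worth keeping in mind when DNS is chained to WINS this way is visible in the packet: the query carries a 16-bit transaction id and nothing else that ties the answer to the server, so anything on the path that replies first with a matching id is believed. The parser checks the id and the response bit, which is all the protocol offers.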
Re:That picture gives the wrong impression (on "911 Calls Linux", Score: 1)
Yeah, the only difference is that when you get a segmentation fault in *nix, all that happens is that the app terminates. In Windows, you sometimes get the blue screen of death, which almost always means you need to reboot the system.
There's nothing wrong with CNet. At least they don't support cracking/phreaking magazines.
I'm surprised George Lucas didn't have computers write the dialogue for TPM.
Maybe for the next prequel he can put his cluster of high powered computers to a better use than doing cheesy animations that look like video games.
Nice! Anyone want to build a RedHat or Mandrake distribution that uses Lizard as the installer? I volunteer! That would be swwwweeeeet.
Actually, Corel bought the Paradox product long ago, and it's now included as a part of Corel Wordperfect Office 2000 Professional.
Very nice, insightful post. I agree completely! Slashdot needs to make itself more reputable.
I work for Corel now, and I would just love it if RedHat bought us out. But there's not much chance of that happening.
Note: I speak only for myself. This is only my opinion and not Corel's.
Sarcasm. You need to take a lesson in it.
If Microsoft uses Solaris on their main web site (http://www.microsoft.com), then how come I constantly get ASP/VBScript errors on the site?
Perhaps you are referring to Hotmail, which runs on Solaris servers and is supposed to take 4 years to migrate to NT?
Three words: Amiga is dead.
Amiga is about as useful now as the Commodore 64.