Regarding Windows, are you sure you can easily determine which patches need to be applied once you've got them onto CD? A friend was trying to do this for Windows XP but couldn't find out which patches they needed. How do you do this?
In answer to your general question about applying patches to RHEL, I believe up2date uses yum, which uses rpm. I'd guess you could use yum or rpm (depending on the exact function you want).
I don't use RHEL, but I believe that up2date is based on yum, which is similar in purpose to apt.
apt has function to build a mirror of a repository.
I suspect yum has similar functionality, so I would try
mirroring the repository onto another RHEL box connected to the Internet
burning this to CD/DVD
mounting the CD/DVD on your target RHEL machine
modifying yum's configuration files to look at the mirror on the CD/DVD first
retrying up2date.
Note that the repository might be larger than a CD or DVD, in which case you may need to use some other form of storage (e.g. a large USB drive).
As an aside, how does this work with Windows? If you have a box with no Internet connection, how do you find which patches you need to apply, and how do you obtain those patches?
When you say "Brits", where exactly in Britain do you think people speak like this?
I live just north of London and have travelled around England quite a lot but have never noticed anyone pronouncing these words like this.
I can believe that some people don't differentiate, but I would imagine that they're the definite minority. Where did you get the impression that "Brits" in general pronounce the words the same?
The benefit of a DDoS attack is that you can easily overload a powerful machine with a fast internet connection (your victim) by getting lots of less powerful machines with slow internet connections to send data to it simultaeneously.
However, in this case, IBM's anti-spam servers only send emails in response to emails from the victim's network, i.e. all traffic is initiated by the victim. Since, as I pointed out before, IBM's anti-spam servers only send a single email in response to each email from the victim, the bottleneck will almost certainly be the internet connection outward from the victim, not the responses going back to it. With the attack you propose, the victim will DoS itself simply by trying to send too much traffic.
In other words, you could achieve the same effect simply by sending lots of email from the victim to null email addresses. You do not need an IBM anti-spam server to target.
Also, you still haven't responded to my question about why you would want to attack in this way anyway.
As before, if you have access to a competitor's internal network, I can't see why what you're proposing is any worse/anywhere near as bad as other things you could do.
Also, let's be clear. This is not a DDos (Distributed Denial of Service) attack. This is just plain old DoS (Denial of Service). There is no distributed element of it.
The whole point of the smurf attack was that you, as an attacker, send a single ICMP packet out to a broadcast address and everyone on the broadcast address replies. In other words, you send one packet, your victim receives lots.
In this situation, every time you send an email out (from your victim's network), your victim only receives a single email back. From IBM's description of the service, it appears that it will only send a single response back even if the To: header contains lots of email addresses (this is inferred from their described network architecture).
I do, finally, understand what you are saying, although it seems somewhat different from your original point.
Anyway, your suggestion seems kind of pointless. If you hack a machine on a competitor's internal network, there are a number of highly destructive things you could do. Triggering a naive denial of service attack on machines that are already exposed to the Internet would be among the least of these.
Technically, FairUCE tries to find a relationship between the envelope sender's domain and the IP address of the client delivering the mail, using a series of cached DNS look-ups. For the vast majority of legitimate mail, from AOL to mailing lists to vanity domains, this is a snap. If such a relationship cannot be found, FairUCE attempts to find one by sending a user-customizable challenge/response.
I interpreted this to mean that it would send the challenge/response to the client delivering the mail (as it does distinguish between this and the "envelope sender's domain"), but on re-reading, it's not clear where it sends the challenge.
If, as you suggest, it is sent back to the sender, there is indeed a problem with this.
4) IBM gets put on every RBL list because it actually is sending spam, think about it
I am thinking about it, but I can't see how what IBM is sending is spam. I understand spam to be unsolicited email. Surely IBM's response is solicited as it is in response to an email it received?
SMTP runs over TCP. Establishment of a TCP connection involves a three-way handshake, i.e. A sends a message to B, B sends a message back to A, A sends a third message to B. Each message includes information from the previous one.
If C tries to spoof a TCP connection to B as though it came from A, B will send the second message in the handshake to A, not C. As a result, unless C is capable of snooping A's traffic, C will not be able to send the third message in the handshake as it will not have sufficient information.
As a result, it will not be possible for spammers to spoof their IP addresses and cause DoS attacks to non-spammers.
The smurf attack works because ICMP is a simpler protocol that does not involve connection establishment.
Incidentally, there are techniques by which TCP connections can be spoofed, but they generally rely on guessing the information in lost packets based on known flaws in TCP implementations. I believe most current implementations have fixed these bugs.
I think your ordering of stable, testing and unstable is wrong. Stable is more stable than testing, which is more stable than unstable as this page describes.
If you've run unstable for a year with no problems, that's pretty good!
I used to run testing/unstable but switched to FC3 a few months ago (just for a change). I don't find one much better than the other, though.
Frauenhofer is not required to accept royalties in return for patent licensing. The damages would be decided by a judge. Furthermore, I understand that, since Red Hat is clearly aware that MP3 violates Frauenhofer's patents, the damages are tripled.
A normal or finished user-based distro (e.g. SUSE, FC3, Mandrake..)
I wouldn't include any FC release in a list of "finished" distributions. As I understand it, the main point of FC is that you get a nice, free, pretty cutting-edge distribution and Red Hat get a lot of free testing. If you want something to work out of the box on a wide range of hardware, you are a lot safer with something like SUSE or Mandrake.
Having said that, I use FC (3, at the moment, but will probably upgrade to 4 at some stage) and have installed it on a number of machines with no problems.
You wrote "software patents usually don't come with a useful description of how to actually do stuff, which is sad, since software can be documented by the sourcecode and printed."
I'd suggest that patent descriptions might deliberately be vague and unclear. After all, if the patent office isn't going to care, why go to the bother of describing something clearly?
With regards to your second point, I don't know if you've seen the The International Obfuscated C Code Contest or any Perl code, but it's (relatively) easy to write sourcecode that isn't easy to understand, which means that even requireing source code for software patent registrations might not be much use.
Please could you back up that statement. I have seen no evidence either way as to how significant a player Microsoft is in the "Fortune 500 server market".
You say "regardless of the context". My point was that you can't just disregard the context. ESR was talking about a very specific market segment and Microsoft's profit figures do not (as far as I've looked) demonstrate that they are a big player in this market.
Matt
To put this into context, the preceding sentence was "But Raymond is positive that open source, in the form of Linux, is about to take the battle deep into Fortune 500 server market."
I've got no idea if the profit figures give any information on how much Microsoft made from the "Fortune 500 server market".
It would be useful to know what your graphics card is if you expect to get any response on this.
It would also be useful to know what you mean by "not recognise". Do you mean that it said "Generic SVGA" or similar? Do you mean that it said "Generic ATI" (bearing in mind that often a single driver works for several types of cards)? Did your display actually work?
There's a similar "feature" that you can change the appearance of explosions (so that you no longer get the large billboarded explosions). This improves visibility when there are lots of explosions, e.g. during an artillery strike.
Try checking out some window managers other than KDE and Gnome. I recently installed a very old laptop (P133 with 48MB RAM) with IceWM (http://www.icewm.org/) and it runs fine.
The reason you need a license for the software is because that software is copyrighted and in order to use or display copyrighted material you need to have a license for it.
This isn't true.
Copyright only prevents you from copying something. If the software publisher makes the copy and gives it to you, you can read that copy (e.g. play music from a CD) without requiring any other licence from them.
Computer software is in the interesting situation of requiring making a copy before use. As a previous poster pointed out, there is an additional section of copyright law to try to get round this.
Slashdot Mirror
Regarding Windows, are you sure you can easily determine which patches need to be applied once you've got them onto CD? A friend was trying to do this for Windows XP but couldn't find out which patches they needed. How do you do this?
In answer to your general question about applying patches to RHEL, I believe up2date uses yum, which uses rpm. I'd guess you could use yum or rpm (depending on the exact function you want).
Matt
I don't use RHEL, but I believe that up2date is based on yum, which is similar in purpose to apt.
apt has function to build a mirror of a repository.
I suspect yum has similar functionality, so I would try
Note that the repository might be larger than a CD or DVD, in which case you may need to use some other form of storage (e.g. a large USB drive).
As an aside, how does this work with Windows? If you have a box with no Internet connection, how do you find which patches you need to apply, and how do you obtain those patches?
Matt
When you say "Brits", where exactly in Britain do you think people speak like this?
I live just north of London and have travelled around England quite a lot but have never noticed anyone pronouncing these words like this.
I can believe that some people don't differentiate, but I would imagine that they're the definite minority. Where did you get the impression that "Brits" in general pronounce the words the same?
Matt
The benefit of a DDoS attack is that you can easily overload a powerful machine with a fast internet connection (your victim) by getting lots of less powerful machines with slow internet connections to send data to it simultaeneously.
However, in this case, IBM's anti-spam servers only send emails in response to emails from the victim's network, i.e. all traffic is initiated by the victim. Since, as I pointed out before, IBM's anti-spam servers only send a single email in response to each email from the victim, the bottleneck will almost certainly be the internet connection outward from the victim, not the responses going back to it. With the attack you propose, the victim will DoS itself simply by trying to send too much traffic.
In other words, you could achieve the same effect simply by sending lots of email from the victim to null email addresses. You do not need an IBM anti-spam server to target.
Also, you still haven't responded to my question about why you would want to attack in this way anyway.
Matt
As before, if you have access to a competitor's internal network, I can't see why what you're proposing is any worse/anywhere near as bad as other things you could do.
Also, let's be clear. This is not a DDos (Distributed Denial of Service) attack. This is just plain old DoS (Denial of Service). There is no distributed element of it.
The whole point of the smurf attack was that you, as an attacker, send a single ICMP packet out to a broadcast address and everyone on the broadcast address replies. In other words, you send one packet, your victim receives lots.
In this situation, every time you send an email out (from your victim's network), your victim only receives a single email back. From IBM's description of the service, it appears that it will only send a single response back even if the To: header contains lots of email addresses (this is inferred from their described network architecture).
Matt
I do, finally, understand what you are saying, although it seems somewhat different from your original point.
Anyway, your suggestion seems kind of pointless. If you hack a machine on a competitor's internal network, there are a number of highly destructive things you could do. Triggering a naive denial of service attack on machines that are already exposed to the Internet would be among the least of these.
Matt
From TFA:
Technically, FairUCE tries to find a relationship between the envelope sender's domain and the IP address of the client delivering the mail, using a series of cached DNS look-ups. For the vast majority of legitimate mail, from AOL to mailing lists to vanity domains, this is a snap. If such a relationship cannot be found, FairUCE attempts to find one by sending a user-customizable challenge/response.
I interpreted this to mean that it would send the challenge/response to the client delivering the mail (as it does distinguish between this and the "envelope sender's domain"), but on re-reading, it's not clear where it sends the challenge.
If, as you suggest, it is sent back to the sender, there is indeed a problem with this.
Matt
From your original post:
What's to stop haxx0rs exploiting this to cause a DDoS of non-spammers?
If the hacker has compromised a machine and is causing it to send spam, then the machine is not a "non-spammer".
Please can you explain what you mean?
Matt
4) IBM gets put on every RBL list because it actually is sending spam, think about it
I am thinking about it, but I can't see how what IBM is sending is spam. I understand spam to be unsolicited email. Surely IBM's response is solicited as it is in response to an email it received?
Matt
SMTP runs over TCP. Establishment of a TCP connection involves a three-way handshake, i.e. A sends a message to B, B sends a message back to A, A sends a third message to B. Each message includes information from the previous one.
If C tries to spoof a TCP connection to B as though it came from A, B will send the second message in the handshake to A, not C. As a result, unless C is capable of snooping A's traffic, C will not be able to send the third message in the handshake as it will not have sufficient information.
As a result, it will not be possible for spammers to spoof their IP addresses and cause DoS attacks to non-spammers.
The smurf attack works because ICMP is a simpler protocol that does not involve connection establishment.
Incidentally, there are techniques by which TCP connections can be spoofed, but they generally rely on guessing the information in lost packets based on known flaws in TCP implementations. I believe most current implementations have fixed these bugs.
Matt
I think your ordering of stable, testing and unstable is wrong. Stable is more stable than testing, which is more stable than unstable as this page describes.
If you've run unstable for a year with no problems, that's pretty good!
I used to run testing/unstable but switched to FC3 a few months ago (just for a change). I don't find one much better than the other, though.
Matt
IANAL but...
Frauenhofer is not required to accept royalties in return for patent licensing. The damages would be decided by a judge. Furthermore, I understand that, since Red Hat is clearly aware that MP3 violates Frauenhofer's patents, the damages are tripled.
Matt
A normal or finished user-based distro (e.g. SUSE, FC3, Mandrake..)
I wouldn't include any FC release in a list of "finished" distributions. As I understand it, the main point of FC is that you get a nice, free, pretty cutting-edge distribution and Red Hat get a lot of free testing. If you want something to work out of the box on a wide range of hardware, you are a lot safer with something like SUSE or Mandrake.
Having said that, I use FC (3, at the moment, but will probably upgrade to 4 at some stage) and have installed it on a number of machines with no problems.
Matt
The EUCD is the European Union Copyright Directive. Very roughly, it's the European equivalent of the DMCA.
Matt
You wrote "software patents usually don't come with a useful description of how to actually do stuff, which is sad, since software can be documented by the sourcecode and printed."
I'd suggest that patent descriptions might deliberately be vague and unclear. After all, if the patent office isn't going to care, why go to the bother of describing something clearly?
With regards to your second point, I don't know if you've seen the The International Obfuscated C Code Contest or any Perl code, but it's (relatively) easy to write sourcecode that isn't easy to understand, which means that even requireing source code for software patent registrations might not be much use.
Matt
Please could you back up that statement. I have seen no evidence either way as to how significant a player Microsoft is in the "Fortune 500 server market". You say "regardless of the context". My point was that you can't just disregard the context. ESR was talking about a very specific market segment and Microsoft's profit figures do not (as far as I've looked) demonstrate that they are a big player in this market. Matt
To put this into context, the preceding sentence was "But Raymond is positive that open source, in the form of Linux, is about to take the battle deep into Fortune 500 server market."
I've got no idea if the profit figures give any information on how much Microsoft made from the "Fortune 500 server market".
Matt
It would be useful to know what your graphics card is if you expect to get any response on this.
It would also be useful to know what you mean by "not recognise". Do you mean that it said "Generic SVGA" or similar? Do you mean that it said "Generic ATI" (bearing in mind that often a single driver works for several types of cards)? Did your display actually work?
Matt
As others have pointed out, you're probably going to have a hard time filling all your requirements on a really low-end box.
However, I recently installed VectorLinux on an old, mid-90s laptop (Toshiba 220CS) and it runs pretty well.
The main requirements for the laptop were word processing (Abiword) and music (XMMS).
Performance isn't stunning, but it's pretty usable.
I believe Microsoft will indemnify as long as you don't use any non-Microsoft software at all on your system.
See this article on Groklaw for a description of some of the other possible loopholes.
Matt
"Copyright is not perpetual anywhere..."
The cynical among us would point out that copyright is perpetual as long as it's possible for corporations to bribe politicians into extending copyright terms.
I think you might want to look up the definition of "marginal cost".
From here,
"Marginal costs are the costs a company incurs in producing one additional unit of a good."
In other words, the orginal poster was right (ignoring the box and the shrinkwrap) in saying that software has zero marginal cost.
There's a similar "feature" that you can change the appearance of explosions (so that you no longer get the large billboarded explosions). This improves visibility when there are lots of explosions, e.g. during an artillery strike.
Try checking out some window managers other than KDE and Gnome. I recently installed a very old laptop (P133 with 48MB RAM) with IceWM (http://www.icewm.org/) and it runs fine.
The reason you need a license for the software is because that software is copyrighted and in order to use or display copyrighted material you need to have a license for it.
This isn't true.
Copyright only prevents you from copying something. If the software publisher makes the copy and gives it to you, you can read that copy (e.g. play music from a CD) without requiring any other licence from them.
Computer software is in the interesting situation of requiring making a copy before use. As a previous poster pointed out, there is an additional section of copyright law to try to get round this.