I'm an American living in Germany, which gives me a somewhat unique perspective I think. The German people generally have a, shall we say, critical view of our current administration. The cynical obsession with the Bush administration's dangerousness occasionally goes off the deep end, such as a common view that Fahrenheit 911 is unbiased and to be taken at face value, and occasionally even a belief that 9/11 was self-inflicted. Whether you consider it a more balanced view or not, the media here tends to show a more depressing view of the Iraq war than the US media does. Like anywhere else in the world, what the media shows is determined by what they perceive the population wants, and vice-versa. For what it's worth, the US soldiers serving in Iraq seem to have a more optimistic view of their progress in the general case.
Despite having a strong Christian heritage and traditions, Germans today are a rather secular sort that view organized religion with suspicion and occasional disdain. This also makes Bush suspicious in the eyes of Germans.
Thankfully, the German people are good at separating their hatred of the American administration from their views of American individuals. I've found the hospitality to be quite warm. I just wish that Americans were the same, but the shameful way that we Americans have treated the French has proven otherwise. However, I'm not confident that Germans will continue to be as forgiving if Bush is re-elected. That action would make it appear that we Americans actually prefer Bush's policies and approve of his decisions. I suspect that I might start to get nasty looks if that happens, but I hope otherwise.
Whether you are for Bush or not, Bush's poor respect in the world is an unconquerable distraction that prevents any potential progress. That reason alone was enough to prevent my voting for Bush. However, that doesn't help me to decide who to vote for.
I'm personally stuck, and no party or candidate represents me. While social welfare programs and strong regulation are attractive from a certain perspective, I look at the unemployment and stagnancy within Germany and just don't see that as effective. In other words, I'm fiscally conservative. In the past, that made the Republican party a more natural match for me. However, these neo-cons these days have completely alienated me. The usual complaints against the Democrats apply: there's a heckuva lot of pork in our budget, our foreign policy is in shambles, our military is abused, our personal lives are overly interfered with.
The libertarian party is a bit too radical for me. There is plenty of truth to the statements that the UN is corrupt, populated with dictatorships, undemocratic, wasteful, and totally ineffectual. I couldn't possibly support the banishment of the UN that Badnarik proposes. While I don't like regulation or socialism in general, the nearly complete elimination of them isn't on the menu for me. So, Badnarik is out. The other parties and candidates are far too left-wing for me.
So, a few days ago I mailed in my ballot, my decision more a process of elimination than anything else. Yes, I'm voting for the flake (Kerry) and his partner, the ambulance chaser (Edwards). I have every bit of faith that Kerry will be just as ineffectual in the White House as he has been these many years in the Senate, and that Edwards will usher in a new age of hyperlitigation. And believe me, I'll be voting them back out of office in 2008 with even more enthusiasm than I voted them in.
If/when a $100 PC hits the market, customers will see that they can buy a tangible working PC for dirt cheap. Oh, but then they'll need software for it. At that point, they'll really start questioning why their OS and office suite each cost as much or more than the hardware. The software is easily replaceable by either illicit copies or legitimate copies of Linux and OpenOffice. It's far easier for a customer to see the value in tangible hardware (that they can resell if they want) than the value of intangible components like software (which according to their EULA they can't resell). I simply do not see how a drastic reduction in PC hardware prices benefits Microsoft. Microsoft software is taking up an increasing percentage of the cost of a PC, and in the end this could kill them. Remember, their OS and office suites are their only consistent profit makers.
I believe there's a legal concept in the US where one company cannot actively interfere in the business of another legal business, even when that business is perhaps unsavory. Where do you draw the line between legal and illegal spyware? When you have a company that provides some sort of product or "service," which includes a license agreement that states in the fine print that data collection is included, are the anti-virus vendors likely to target that? If they did, would they be likely to hit with a restraint of trade lawsuit?
I'm betting one week before the first restraint of trade lawsuit from a spyware vendor. Gator/Claria has already made threats of lawsuits in the past just for calling it spyware, and I believe that spammers have slapped various blackhole lists with such lawsuits in the past. It's only a matter of time.
Correct me if I'm wrong here, but databases that are worth a damn (e.g., Oracle) will cache optimized query plans for a helluva lot more than just stored procedures. Having dabbled more than a little in database design, administration, and programming, I know that Oracle will happily optimize a query and keep that cached in the shared pool when you do something like DBI's prepare statement in Perl. Later, you can use substitution to change values in your WHERE clauses (and other clauses) and make similar but subtly different queries while still taking advantage of the shared pool. I believe that MySQL 4.x has similar prepared query capabilities. Repeat after me: Bind variables are a good thing.
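An added example, not the commenter's code, using Python's sqlite3 module in place of Perl DBI to show the two points above: the bound-variable version sends the same SQL text no matter what value is supplied, which is what gives a plan cache something to reuse, and the value is never parsed as part of the statement. The table and its rows are constructed for the demo.

```python
import sqlite3


def build_db():
    """Create an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_user_interpolated(conn, name):
    """The shape the comment argues against: the value is pasted into the SQL
    text, so every distinct value yields a distinct statement (nothing for a
    plan cache to reuse) and the value is parsed as part of the query.
    Returns (sql_text, rows)."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return sql, list(conn.execute(sql))


def find_user_bound(conn, name):
    """Bind variable (sqlite3's '?' placeholder, the equivalent of DBI's
    prepare/execute): the SQL text is constant, the engine parses it once, and
    the value travels separately at execute time. Returns (sql_text, rows)."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return sql, list(conn.execute(sql, (name,)))


def interpolation_fails(conn, name):
    """True if pasting the value into the statement makes the engine reject
    it; a name with an apostrophe is enough to end the string literal early."""
    try:
        find_user_interpolated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    for lookup in ("alice", "bob"):
        print(find_user_interpolated(db, lookup)[0])  # two different statements
        print(find_user_bound(db, lookup)[0])         # the same statement twice
    print(find_user_bound(db, "O'Brien")[1])          # data is only data here
    print(interpolation_fails(db, "O'Brien"))         # the pasted quote breaks the SQL
```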
SPs and triggers have their uses, but in general the language for them is far too weak to be very useful. I think this is true even though Oracle has thrown Java into the system. Oracle made a marketing decision to choose the Java language, which simply isn't a very good complement to SQL, instead of other languages better suited to data parsing and processing like Perl. I suppose stored procedures look really attractive when you're using another language even more poorly suited for data processing for your application, like C or Java, but given Perl or PHP, I only see limited use for SPs.
The root of the problem seems to be using commodity Ethernet networking as a message passing interconnect. It's both slow and somewhat complex to program for. How about this crazy idea for a "fix"? Develop a simple, mass-producible device that plugs into each node's AGP port. If I recall correctly, AGP 8x has a max theoretical bandwidth of about 2 GB/s, coupled with direct access to RAM. Combine this with some virtual memory hacks to keep nodes from tripping over each other or reaching across nodes unnecessarily, and you could theoretically have a cheap interconnect that would replace the ugly hack of using Ethernet as an interconnect. I'd have to think that it would blow existing clustering interconnects out of the water, and probably give I/O performance approaching supercomputers. Any computer engineers out there who can tell me how crazy I am?
This ruling is just plain wrong. Here's text directly from the Electronic Communications Privacy Act. Straight from the definitions:
(1) "wire communication" means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications for communications affecting interstate or foreign commerce and such term includes any electronic storage of such communication;
and then later...
(17) "electronic storage" means--
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
So, it pretty clearly states that wire communications includes storage incidental to the communication, such as the email temporarily existing in RAM on a system before being sent. Given that RAM is typically volatile, I don't see how you could NOT call it temporary, intermediate storage.
There are no exemptions that I can find in the ECPA that might give this scumbag a way out of this. Either the judges are smoking crack, or the prosecutors failed to use the ECPA properly. I suspect it's more of the latter, as even the dissenting judge said that "the law has failed to adapt to the realities of Internet communications." This simply isn't true, because it's quite well defined in the law. The law HAS adapted to the realities of the Internet, and the ECPA is mostly quite adequate.
Here's a mirror of the full ECPA text for those curious:
It seems like most of the conclusions regarding this ruling, including that from Groklaw, are that this is good news for RedHat. I simply can't understand that. Sure, the judge ruled against SCO's motion to dismiss, but on the other hand, the judge ruled that no further action can be taken until the IBM case is resolved. That's not going to happen for months or years.
Most of the point of the RedHat vs SCO lawsuit is to eliminate the FUD surrounding Linux. This would allow RedHat to continue to market its products without its prospective customers shying away due to potential legal issues. When the judge ruled that the case is effectively on hold until the IBM case is decided, the judge effectively denied RedHat its best legal opportunity to end the SCO FUD machine in any useful timeframe. As the old saying goes, "justice delayed is justice denied."
Here's a blurb from the sister license granting use of their software patents related to the XML formats:
By including the above notice in a Licensed Implementation, you will be deemed to have accepted the terms and conditions of this license. You are not licensed to distribute a Licensed Implementation under license terms and conditions that prohibit the terms and conditions of this license.
A bit close to the GPL in some respects, hmm?
I wonder, could these licenses get the OSI good housekeeping seal of approval?
Since it is becoming more and more clear that Canopy is pulling the strings behind the SCO lawsuit, is it time, as a community, to put the heat on Canopy as a whole? Some of the other Canopy holdings are a bit of a surprise, given the direction SCO is going. Canopy happens to be big investors in Trolltech, the makers of QT. There's also some company named Linux Networx, a builder of Linux-based clusters. There are many other companies listed right on Canopy's web page. Perhaps some polite but strongly worded emails from Linux community members with relationships to these companies (e.g., KDE developers, etc.) might convince Canopy that their current direction will be detrimental to their larger business interests. Maybe it's even time to talk about a boycott of these companies' products. It's not like SCO and Canopy are playing clean here, after all. Thoughts?
Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publicly disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.
They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.
A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.
Luckily, most OS vendors are getting there. Major Linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
licenses not important unless you are copying (on Shrinkwrapped Books)
You do NOT need a license to use or read a physical book. Copyright law does NOT restrict the use or reading of copyright material. Copyright only restricts your ability to copy and redistribute a copyrighted work.
The issue of licensing only becomes important with PC software because as a part of its use copying is usually inherently required (i.e., the installation process onto the hard drive).
Unless you are planning to make copies of the book and redistribute it, you can throw that license in the trash where it belongs.
There's always the smaller, less formal things put together by folks like securitygeeks. They often have big names speaking at them, and they usually discuss some pretty cool topics. I really need to get out to the DC area securitygeeks meetings myself one of these days. You may also want to look up your local 2600 meetings.
I cannot speak to the whole industry, but I can speak about my own observations here.
Gov't contractors have a bad reputation for being incredibly anal about the workplace. I worked a couple of internships for Electronic Data Systems a while back, and just a couple of years ago they circulated a memo that was viewed as revolutionary: ladies' pantsuits were now allowed. On the other hand, at my current workplace, at another gov't contractor, I dress business casual (Dockers and polo or button-down shirt) most days, and occasionally wear t-shirt and jeans when I feel like it.
While some gov't contractors may be viewed as anal, large portions of the gov't itself have really loosened up. I went up to a gov't site one time to give a class. Wanting to make a good impression, I wore a suit and tie. I actually got laughed at by the gov't workers, who largely wore t-shirt and jeans. Back in the dot-com boom, many gov't workplaces loosened their workplace standards in order to compete with the dot-com world.
I can definitely confirm the article submitter's statement that clearances are generally more important than an adequate skillset. I was a bit of an exception to the rule, but there are a lot of coworkers around me who were hired for a clearance first and skillset second, and they end up coming to me quite a lot for help with various things. Right now, gov't contracting is a very closed group as a result of clearances; you cannot get a job easily without a clearance, and cleared employees tend to be passed around between gov't and the various contractors. If there is one single thing that could open up this closed little world, it would be a complete review and replacement of the various background investigation and clearance processing bodies, but I'm not holding my breath. Waiting multiple years for a clearance that will only last five years before it must be renewed again is STUPID. The result is having a bunch of cleared but unqualified people, which is simply ineffective.
Speaking of the clearance process, I should mention that smoking dope definitely leaves you much less hirable. You're just going to have to decide which you'd rather sacrifice: employment potential or drug use.
The actual work itself really depends. Some projects are disgustingly bad and boring. Some are incredibly exciting, trying to solve problems that no one has ever solved before. There is usually less freedom in things. The individual tools and components for a job are almost never decided upon by the people who have to implement the solutions. The work of engineering involves dealing with constraints. However, it's definitely frustrating when most of those constraints are contrived and arbitrary.
It requires a certain tolerance for bullshit, but it is often rewarding work. The gov't does some very important, often very dangerous things, and it is nice to have some involvement there. If you've got a good manager who can shield you from most of the bullshit (thank God I do), it can be pretty rewarding.
As a security researcher, I can say that this is a difficult issue. I certainly benefit from having access to exploit information in my research and testing, but just as certainly the public release of exploit code is a sword that cuts both ways. At issue in many current IT-related court cases is free speech with regard to software and source code. Examples here are cryptography export regulations court cases and DMCA-related court cases. The free speech argument here (and in my mind the most correct argument) is that, just as sheet music is the only practical and unambiguous method of communication for musicians, source code is the only practical and unambiguous method of conveying ideas about computer-related subjects. In computer security, a related argument can be made that the only practical and unambiguous method of communicating ideas about security vulnerabilities is through exploit code and programs.
The security community is so large and diverse that effective controls on exploit code and detailed vulnerability information is impossible. Who would determine who gets access? Microsoft? The US Government? The only practical method is the public one.
The enemy is not Microsoft's unwillingness to produce patches for their security vulnerabilities. They have actually proven to be one of the more cooperative vendors for recognizing flaws and producing and releasing patches, at least in recent times.
The enemy is not the public release of explicit vulnerability information, which is necessary for security research.
The enemy is also not the 13-year-old that breaks into computers. Fighting a war against 13-year-olds is a dumb war.
The enemy is the fact that software vendors like Microsoft have consistently chosen to place their customers at a ridiculous amount of risk through default configurations of their software, and the fact that a 13-year-old can break into thousands of computers with little effort or skill.
Why is it that default configurations of all major OSes (note that I'm not singling out Windows here, I'm saying all OSes) come with an absurd number of default services open? If the vast majority of customers do not need a service running, then it should not be running. How many Nimda infections were from people who had no idea they were running a web server in the first place?
Why is it that most prominent workstation and network client software has poor default configurations, security-wise? Do most users out there really need ActiveX or JavaScript in their email client? Not only no, but hell no.
Yes, vulnerabilities do occur in all software. I don't think that anyone out there has any expectation for Microsoft or any other vendor to achieve perfection here. However, the issue here is that the default posture leaves users prone not just to known vulnerabilities, but to ones that have yet to be discovered.
All software vendors (including but not limited to Microsoft) need to better examine the features of their products to discover potential points of attack. If the majority of users have no need for a particular feature that might be dangerous at some later point in time (e.g., mobile code capabilities, network services, modules to network services like IIS index server, etc.), then they should be disabled by default. Go ahead and make an easy-to-use checkbox for turning that kind of stuff on individually, but don't have it on by default.
Microsoft has recently stated that it is beginning a new initiative to ship their products in secure configurations. I believe that they probably will succeed somewhat here, but we've been hearing similar lines of bull for so long that they have no credibility here until they actually prove it.
Microsoft and other vendors should stop whining about the messengers, and should start shipping products with default configurations and initial postures that are likely to withstand existing and future attacks. Default configurations are enemy number one, not public vulnerability research. Let's see some proactive work being done instead of only reactive work. Microsoft has plenty of problems to fix in their own development processes before they worry about fixing the "problems" they feel the security community has.
If they don't comply with redbook standards, and the IEC does not either explicitly grant them a license or prosecute them, then the IEC will lose trademark protections for the relevant logos. This is perhaps one of the few examples these days of a good reason for stringent trademark protection. The IEC logos and the implied consumer protection they symbolize will otherwise be rendered completely useless.
All this so that the bad guys can still be bad (it only takes a handful of people successfully converting the stuff to MP3s and uploading them), and the good guys can be stripped of their fair use rights (e.g., conversion to MP3 format for use on their personal MP3 players).
Instead of trying to solicit companies that chose against you in the past, concentrate upon future potential customers. When you negotiate with your potential customers, advise them to think about their security requirements and to ask tough questions of you and of your competition. Advise them to lay out those security requirements in writing, in the contract. They are responsible for their own security and their own decision making, not you.
We use VMware all over the place here at my workplace, where we have a large number of Unix geeks who need to be able to use Word and Excel and such (and where Star Office sometimes doesn't get the job done, unfortunately). Inside VMware, you're running a real, honest-to-goodness Windows box. You can even have it set up to do networking (I set up my Linux workstation to do IP Masquerading for it). It's a heckuva lot more painless than dual booting, and you still get to run your favorite OS.
You could also try Wine perhaps, which I hear supports running Office 2000 applications now.
For those of you not familiar with stateful firewalling, it is an incredibly good thing. I've gone from using ipfwadm to using ipchains to finally using ipfilter on BSD. Because of ipf's support of stateful filtering, my firewall rulesets were *much* simpler. Given that many (most?) of the problems associated with firewalls stem from the complexity of the configuration, this is a Very Good Thing(tm). After migrating from Linux/ipchains to BSD/ipf, I was able to add serious protection for my network, including my high ports (which often run the most vulnerable services, namely RPC services). I haven't used netfilter/iptables, but it looks to be a *huge* step forward for Linux.
All that being said, I have a major problem with this article. It seems to suggest to users that FTP monitoring to handle active FTP clients is a good idea. In fact, this is a *terrible* idea. I got to watch Dug Song et al at BlackHat walk right through a CheckPoint FW1 system like it wasn't even there by exploiting some assumptions that FW1 made when monitoring FTP for the PORT commands. It sounds to me like the netfilter/iptables support for FTP functions in a very similar manner as FW1. If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.
Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.
Also, please remember that a firewall only serves as a method of blocking traffic between network segments. It does not magically secure network traffic from viewing, spoofing, manipulating, or hijacking (you need to use protocols that support strong authentication and strong cryptography to achieve this). It does not secure the applications or systems which you allow traffic to touch (you need to use secure OSes under secure configurations to accomplish this). It does not magically protect your systems against insider threats (you need to have good people working for you, restrictions on outside connectivity, and thorough physical security to accomplish this). Remember, crunchy on the outside and soft and gooey on the inside is great for candy, bad for networks.
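An added example, not from the comment's author, that models the two points above in Python: a stateless filter can only admit replies to outbound connections by admitting inbound ACK packets to the high ports wholesale (which also admits unsolicited packets to whatever RPC service listens there), whereas a stateful filter admits only packets of connections it saw leave. The same model shows why passive FTP needs no application helper while active FTP does. Hosts, ports and the "keep state" rules are constructed for the demo and are not any real ruleset.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatelessFilter:
    """ipfwadm/ipchains style: no memory of connections. To let replies back
    in, the ruleset has to admit inbound ACK packets to high ports wholesale."""

    def allow_outbound(self, p: Packet) -> bool:
        return True

    def allow_inbound(self, p: Packet) -> bool:
        return p.ack and not p.syn and p.dport >= 1024


class StatefulFilter:
    """ipf 'keep state' style: an outbound SYN records the connection, and only
    inbound packets that belong to a recorded connection are admitted. No
    blanket high-port rule exists, so an inside RPC port stays covered."""

    def __init__(self):
        self.states = set()

    def allow_outbound(self, p: Packet) -> bool:
        if p.syn and not p.ack:
            self.states.add((p.src, p.sport, p.dst, p.dport))
        return True  # the model permits all outbound traffic

    def allow_inbound(self, p: Packet) -> bool:
        # reverse the tuple: an inbound packet matches if we saw the connection leave
        return (p.dst, p.dport, p.src, p.sport) in self.states


# Constructed addresses: an inside client and an outside FTP server.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"


def unsolicited_ack_to_high_port(fw) -> bool:
    """An outside host sends a bare ACK to an inside high port (say, a
    listening RPC service). Nobody inside asked for it."""
    return fw.allow_inbound(Packet("198.51.100.9", 4444, CLIENT, 32771, ack=True))


def passive_ftp_allowed(fw) -> bool:
    """Passive mode: the client opens both the control connection and the data
    connection, so the data channel is just another tracked outbound flow."""
    fw.allow_outbound(Packet(CLIENT, 40001, SERVER, 21, syn=True))
    fw.allow_outbound(Packet(CLIENT, 40002, SERVER, 50000, syn=True))
    return fw.allow_inbound(Packet(SERVER, 50000, CLIENT, 40002, syn=True, ack=True))


def active_ftp_allowed(fw) -> bool:
    """Active mode: after the PORT command the server connects back from port
    20 to a client-chosen port. Without a helper that parses PORT and punches
    a hole, the stateful filter has no state for this SYN and drops it."""
    fw.allow_outbound(Packet(CLIENT, 40001, SERVER, 21, syn=True))
    return fw.allow_inbound(Packet(SERVER, 20, CLIENT, 40003, syn=True))


if __name__ == "__main__":
    print("stateless admits unsolicited ACK to RPC port:", unsolicited_ack_to_high_port(StatelessFilter()))
    print("stateful admits unsolicited ACK to RPC port: ", unsolicited_ack_to_high_port(StatefulFilter()))
    print("stateful, passive FTP data channel:", passive_ftp_allowed(StatefulFilter()))
    print("stateful, active FTP data channel: ", active_ftp_allowed(StatefulFilter()))
```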
This article probably doesn't interest most slashdotters, because the OSes that we use aren't designed to protect against these kinds of things. This, of course, stems from the fact that the situations in which we use our systems do not require us to segment our users and prevent them from communicating.
In the DoD, for instance, there are situations where you would want to do this. You don't want to allow someone viewing Top Secret data to have their information leaked to someone who isn't cleared for it.
This is why Mandatory Access Controls were invented. A lot of slashdotters have probably heard of the Orange Book, in which the DoD laid out a method of classifying the security model of computer systems. Unix variants are roughly C-1'ish, which DoD doesn't even certify anymore. OSes with ACLs and such (like NT) are roughly C-2'ish (now whether NT actually gets the job done or not is up for debate). Once you get to the B and A levels, you have Mandatory Access Controls. They are designed to prevent one user from leaking classified data to another person. In a MAC system, you should not be able to "chmod" or "chown" a file to allow someone else to view it.
It goes a little bit deeper, though. You also need to protect against more subtle methods of communication, called covert channels. In a covert storage channel, a user would fill up a disk and another user would be able to tell, or one would write to a file that another had access to read, or one would twiddle a file lock. In a covert timing channel, one user would perform a CPU intensive process and the other user would be able to tell that the responsiveness of the system changed, or the user would perform an I/O intensive application and the other user would be able to tell that his own disk accesses were more or less responsive. In this way, users can communicate via manipulating shared resources.
It's not very sexy, but it is something that DoD and the intelligence community in particular care very much about. As you can guess, these aren't easy problems to solve (if they are solvable at all).
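An added example, not the commenter's code, that models the mandatory access control described above in Python: a Bell-LaPadula style check with "no read up" and "no write down" sits in front of the discretionary chmod-style bit, so an owner flipping a file world-readable still cannot let a less cleared user see it. Labels, users and documents are constructed; the model does not attempt the covert channel problem, which is a separate matter.

```python
from dataclasses import dataclass, field

# Ordered sensitivity labels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


class AccessDenied(Exception):
    pass


@dataclass
class Subject:
    name: str
    clearance: str  # the highest label this subject may read


@dataclass
class Document:
    name: str
    level: str  # mandatory label, fixed when the object is created
    owner: str
    world_readable: bool = False  # the discretionary (chmod-style) bit
    contents: list = field(default_factory=list)


def dominates(a: str, b: str) -> bool:
    return LEVELS.index(a) >= LEVELS.index(b)


def read(subject: Subject, doc: Document) -> list:
    """Simple security property ('no read up'): the subject's clearance must
    dominate the object's label. Only then does the discretionary bit matter."""
    if not dominates(subject.clearance, doc.level):
        raise AccessDenied(f"MAC: {subject.name} ({subject.clearance}) "
                           f"may not read {doc.name} ({doc.level})")
    if doc.owner != subject.name and not doc.world_readable:
        raise AccessDenied(f"DAC: {doc.name} is not readable by {subject.name}")
    return list(doc.contents)


def write(subject: Subject, doc: Document, data: str) -> None:
    """*-property ('no write down'): a subject may write only to objects whose
    label dominates its clearance, so Top Secret knowledge cannot flow into an
    Unclassified file, not even one the subject owns."""
    if not dominates(doc.level, subject.clearance):
        raise AccessDenied(f"MAC: {subject.name} ({subject.clearance}) "
                           f"may not write down to {doc.name} ({doc.level})")
    if doc.owner != subject.name:
        raise AccessDenied(f"DAC: {doc.name} is not writable by {subject.name}")
    doc.contents.append(data)


def chmod_world_readable(subject: Subject, doc: Document) -> None:
    """The owner may flip the discretionary bit, but that says nothing about
    the mandatory label, which no ordinary user can alter in this model."""
    if doc.owner != subject.name:
        raise AccessDenied(f"DAC: only the owner may change {doc.name}")
    doc.world_readable = True


def denied(action, *args) -> bool:
    """True if the action is refused; used to show each property in effect."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    alice = Subject("alice", "TOP SECRET")
    bob = Subject("bob", "SECRET")
    plans = Document("plans", "TOP SECRET", "alice", contents=["launch window"])
    chmod_world_readable(alice, plans)   # the chmod the comment talks about
    print("bob reads world-readable TS file:", not denied(read, bob, plans))
    memo = Document("memo", "UNCLASSIFIED", "alice")
    print("alice copies TS data into her own memo:", not denied(write, alice, memo, "launch window"))
```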
A friend of mine was in a similar position, and he decided to donate a fair chunk of change to our university's unix users group. Our treasury was then just about nil, and he just couldn't see us competing very effectively with the sororities in revenue from car washes.
If you think that they are a club that actually DOES stuff, then you might want to consider donating a little bit to them. It doesn't have to be a lot, they'll probably be thankful and find a use for anything you can give them, so there should be plenty leftover for other, larger donations.
It looks like it has been stricken from the docket of the Virginia House of Delegates. I'm not incredibly familiar with legislative rules, but I *think* that this means that it can't pass in VA without being re-introduced to the VA House. If someone can clarify this, please post it. You can find out more here.
Actually, because good string-searching algorithms are sub-linear in efficiency, providing gobbledygook from ciphertext would do no good whatsoever. Any decent algo would recognize it as worthless to it very quickly and then move on. It is extremely unlikely that echelon keeps ciphertext for cracking except for perhaps some individual targets.
It would be better to either provide strings that will probably match their rules, or ones that will come close to matching. For instance, "xerrorist xomb xartel xuclear xspionage" would probably put a strain on a Boyer-Moore string-searching algorithm (and without actually flagging your communications, so you'd still stay clean!). Unfortunately, I would rather doubt that we could so much as put a dent into an echelon-like system without MASSIVE participation. In any case, do we really WANT to try to subvert the folks who play a large role in protecting us from legitimate threats? This problem needs to be addressed with legislation, not with self-destructive subversive acts.
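An added example, not from either commenter, that measures the cost argument in the two comments above with the Horspool simplification of Boyer-Moore in Python: the search counts its character comparisons, so one can see that ciphertext-like text is dismissed in roughly one comparison per pattern-length window, while text that is one letter off from the keyword costs about one comparison per character. The keyword "terrorist" is assumed from the comment's "xerrorist", and the ciphertext stand-in is a constructed chain of SHA-256 hex digests, not real ciphertext.

```python
import hashlib


def horspool_search(pattern: str, text: str):
    """Boyer-Moore-Horspool. Returns (index of first match or -1, number of
    character comparisons made) so that the cost of a search can be inspected."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return -1, 0
    # Shift table: how far the window slides when the text character under the
    # pattern's last position is c. Characters absent from the pattern allow a
    # full shift of m, which is what makes the search sub-linear on junk.
    shift = {c: m - 1 - i for i, c in enumerate(pattern[:-1])}
    comparisons = 0
    end = m - 1  # text index aligned with the pattern's last character
    while end < n:
        i = 0
        while i < m:  # compare right to left
            comparisons += 1
            if text[end - i] != pattern[m - 1 - i]:
                break
            i += 1
        if i == m:
            return end - m + 1, comparisons
        end += shift.get(text[end], m)
    return -1, comparisons


def ciphertext_stand_in(length: int) -> str:
    """Constructed stand-in for ciphertext: a deterministic chain of SHA-256
    hex digests, which like real ciphertext shares little with any keyword."""
    out, block = "", b"constructed seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block.hex()
    return out[:length]


def near_miss_text(length: int) -> str:
    """The comment's trick: a word one letter off from the keyword, repeated."""
    unit = "xerrorist "
    return (unit * (length // len(unit) + 1))[:length]


def comparisons_per_char(pattern: str, text: str) -> float:
    """Search cost normalised by text length; sub-linear searches score well below 1."""
    _, comparisons = horspool_search(pattern, text)
    return comparisons / len(text)


if __name__ == "__main__":
    keyword, size = "terrorist", 2000
    print("junk    :", comparisons_per_char(keyword, ciphertext_stand_in(size)))
    print("near-miss:", comparisons_per_char(keyword, near_miss_text(size)))
    print(horspool_search(keyword, "xerrorist xomb xartel xuclear xspionage"))
```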
Don't forget that neat puzzle game with the apple logo. I beat it already, but it's still fun.
I'm an American living in Germany, which gives me a somewhat unique perspective I think. The German people generally has a, shall we say, critical view of our current administration. The cynical obsession with the Bush administration's dangerousness occasionally goes off the deep end, such as a common view that Fahrenheit 911 is unbiased and to be taken at face value, and occasionally even a belief that 9/11 was self-inflicted. Whether you consider it a more balanced view or not, the media here tends to show a more depressing view of the Iraq war than the US media does. Like anywhere else in the world, what the media shows is determined by what they perceive the population wants, and vice-versa. For what it's worth, the US soldiers serving in Iraq seem to have a more optimistic view of their progress in the general case.
Despite having a strong Christian heritage and traditions, Germans today are a rather secular sort that view organized religion with suspicion and occasional disdain. This also makes Bush suspicious in the eyes of Germans.
Thankfully, the German people are good at separating their hatred of the American administration from their views of American individuals. I've found the hospitality to be quite warm. I just wish that Americans were the same, but the shameful way that we Americans have treated the French has proven otherwise. However, I'm not confident that Germans will continue to be as forgiving if Bush is re-elected. That action would make it appear that we Americans actually prefer Bush's policies and approve of his decisions. I suspect that I might start to get nasty looks if that happens, but I hope otherwise.
Whether you are for Bush or not, Bush's poor respect in the world is an unconquerable distraction that prevents any potential progress. That reason alone was enough to prevent my voting for Bush. However, that doesn't help me to decide who to vote for.
I'm personally stuck, and no party or candidate represents me. While social welfare programs and strong regulation are attractive from a certain perspective, I look at the unemployment and stagnancy within Germany and just don't see that as effective. In other words, I'm fiscally conservative. In the past, that made the Republican party a more natural match for me. However, these neo-cons these days have completely alienated me. Usually complaints against the democrats, there's a heckuva lot of pork in our budget, our foreign policy is in shambles, our military is abused, our personal lives are overly interferred with.
The Libertarian Party is a bit too radical for me. There is plenty of truth to the statements that the UN is corrupt, populated with dictatorships, undemocratic, wasteful, and totally ineffectual. I couldn't possibly support the banishment of the UN that Badnarik proposes. While I don't like regulation or socialism in general, the nearly complete elimination of them isn't on the menu for me. So, Badnarik is out. The other parties and candidates are far too left-wing for me.
So, a few days ago I mailed my ballot in, my decision more a process of elimination than anything else. Yes, I'm voting for the flake (Kerry) and his partner, the ambulance chaser (Edwards). I have every bit of faith that Kerry will be just as ineffectual in the White House as he has been these many years in the Senate, and that Edwards will usher in a new age of hyperlitigation. And believe me, I'll be voting them back out of office in 2008 with even more enthusiasm than I voted them in.
If/when a $100 PC hits the market, customers will see that they can buy a tangible working PC for dirt cheap. Oh, but then they'll need software for it. At that point, they'll really start questioning why their OS and office suite each cost as much or more than the hardware. The software is easily replaceable by either illicit copies or legitimate copies of linux and openoffice. It's far easier for a customer to see the value in tangible hardware (that they can resell if they want) than the value of intangible components like software (which according to their EULA they can't resell). I simply do not see how a drastic reduction in PC hardware prices benefits Microsoft. Microsoft software is taking up an increasing percentage of the cost of a PC, and in the end this could kill them. Remember, their OS and office suites are their only consistent profit makers.
I'm betting one week before the first restraint of trade lawsuit from a spyware vendor. Gator/Claria has already made threats of lawsuits in the past just for calling it spyware, and I believe that spammers have slapped various blackhole lists with such lawsuits in the past. It's only a matter of time.
Correct me if I'm wrong here, but databases that are worth a damn (e.g., Oracle) will cache optimized query plans for a helluva lot more than just stored procedures. Having dabbled more than a little in database design, administration, and programming, I know that Oracle will happily optimize a query and keep that cached in the shared pool when you do something like DBI's prepare statement in Perl. Later, you can use substitution to change values in your WHERE clauses (and other clauses) and make similar but subtly different queries while still taking advantage of the shared pool. I believe that MySQL 4.x has similar prepared query capabilities. Repeat after me: Bind variables are a good thing.
SPs and triggers have their uses, but in general the language for them is far too weak to be very useful. I think this is true even though Oracle has thrown Java into the system. Oracle made a marketing decision to choose the Java language, which simply isn't a very good complement to SQL, instead of other languages better suited to data parsing and processing like Perl. I suppose stored procedures look really attractive when you're using another language even more poorly suited for data processing for your application, like C or Java, but given Perl or PHP, I only see limited use for SPs.
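The bind-variable point above, as an added example that is not the poster's code: it uses Python's sqlite3 module in place of Perl DBI against Oracle, and a constructed three-row table. The "concat" form splices the value into the SQL text, so every distinct value is a new statement for the planner and a quote character inside the value rewrites the query; the "bound" form keeps one statement text, which the connection's statement cache reuses, and the value is only ever compared as data.

```python
import sqlite3

# Constructed sample table; not data from the original post.
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "user"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Splice the value into the SQL text.

    Every distinct value yields a different statement, so nothing is reused,
    and a quote inside the value changes the meaning of the query.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, name):
    """Keep one statement text and pass the value as a bind variable.

    The text never changes, so the compiled statement is cached and reused
    (Python's sqlite3 keeps a per-connection statement cache), and the value
    can only ever be compared as data, never parsed as SQL.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both forms on a normal value and on a constructed hostile value."""
    conn = make_db()
    hostile = "nobody' OR '1'='1"
    return {
        "concat_normal": find_by_name_concat(conn, "bob"),
        "concat_hostile": find_by_name_concat(conn, hostile),
        "bound_normal": find_by_name_bound(conn, "bob"),
        "bound_hostile": find_by_name_bound(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Running `demo()` shows the two forms agreeing on the ordinary lookup and disagreeing on the hostile one: the concatenated query returns the whole table, the bound query returns nothing, because no row has that literal name.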
The root of the problem seems to be using commodity Ethernet networking as a message passing interconnect. It's both slow and somewhat complex to program for. How about this crazy idea for a "fix"? Develop a simple, mass-producible device that plugs into each node's AGP port. If I recall correctly, AGP 8x has a max theoretical bandwidth of about 2 GB/s, coupled with direct access to RAM. Combine this with some virtual memory hacks to keep nodes from tripping over each other or reaching across nodes unnecessarily, and you could theoretically have a cheap interconnect that would replace the ugly hack of using ethernet as an interconnect. I'd have to think that it would blow existing clustering interconnects out of the water, and probably give I/O performance approaching supercomputers. Any computer engineers out there who can tell me how crazy I am?
Damn. I think you're right on this one.
This ruling is just plain wrong. Here's text directly from the Electronic Communications Privacy Act. Straight from the definitions:
(1) "wire communication" means any aural transfer made in
whole or in part through the use of facilities for the
transmission of communications by the aid of wire, cable, or
other like connection between the point of origin and the point
of reception (including the use of such connection in a switching
station) furnished or operated by any person engaged in providing
or operating such facilities for the transmission of interstate
or foreign communications for communications affecting interstate
or foreign commerce and such term includes any electronic storage
of such communication;
and then later...
(17) "electronic storage" means--
(A) any temporary, intermediate storage of a wire or
electronic communication incidental to the electronic
transmission thereof; and
So, it pretty clearly states that wire communications include storage incidental to the communication, such as the email temporarily existing in RAM on a system before being sent. Given that RAM is typically volatile, I don't see how you could NOT call it temporary, intermediate storage.
There are no exemptions that I can find in the ECPA that might give this scumbag a way out of this. Either the judges are smoking crack, or the prosecutors failed to use the ECPA properly. I suspect it's more of the latter, as even the dissenting judge said that "the law has failed to adapt to the realities of Internet communications." This simply isn't true, because it's quite well defined in the law. The law HAS adapted to the realities of the Internet, and the ECPA is mostly quite adequate.
Here's a mirror of the full ECPA text for those curious:
ECPA text
It seems like most of the conclusions regarding this ruling, including that from Groklaw, are that this is good news for RedHat. I simply can't understand that. Sure, the judge ruled against SCO's motion to dismiss, but on the other hand, the judge ruled that no further action can be taken until the IBM case is resolved. That's not going to happen for months or years.
Most of the point of the RedHat vs SCO lawsuit is to eliminate the FUD surrounding Linux. This would allow RedHat to continue to market its products without its prospective customers shying away due to potential legal issues. When the judge ruled that the case is effectively on hold until the IBM case is decided, the judge effectively denied RedHat its best legal opportunity to end the SCO FUD machine in any useful timeframe. As the old saying goes, "justice delayed is justice denied."
Here's a blurb from the sister license granting use of their software patents related to the XML formats:
By including the above notice in a Licensed Implementation, you will be deemed to have accepted the terms and conditions of this license. You are not licensed to distribute a Licensed Implementation under license terms and conditions that prohibit the terms and conditions of this license.
A bit close to the GPL in some respects, hmm?
I wonder, could these licenses get the OSI good housekeeping seal of approval?
Since it is becoming more and more clear that Canopy is pulling the strings behind the SCO lawsuit, is it time, as a community, to put the heat on Canopy as a whole? Some of the other Canopy holdings are a bit of a surprise, given the direction SCO is going. Canopy happens to be a big investor in Trolltech, the makers of Qt. There's also some company named Linux Networx, a builder of Linux-based clusters. There are many other companies listed right on Canopy's web page. Perhaps some polite but strongly worded emails from Linux community members with relationships to these companies (e.g., KDE developers, etc.) might convince Canopy that their current direction will be detrimental to their larger business interests. Maybe it's even time to talk about a boycott of these companies' products. It's not like SCO and Canopy are playing clean here, after all. Thoughts?
Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publicly disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.
They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.
A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.
Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
You do NOT need a license to use or read a physical book. Copyright law does NOT restrict the use or reading of copyright material. Copyright only restricts your ability to copy and redistribute a copyrighted work.
The issue of licensing only becomes important with PC software because as a part of its use copying is usually inherently required (i.e., the installation process onto the harddrive).
Unless you are planning to make copies of the book and redistributing it, you can throw that license in the trash where it belongs.
There's always the smaller, less formal things put together by folks like securitygeeks. They often have big names speaking at them, and they usually discuss some pretty cool topics. I really need to get out to the DC area securitygeeks meetings myself one of these days. You may also want to look up your local 2600 meetings.
I cannot speak to the whole industry, but I can speak about my own observations here.
Gov't contractors have a bad reputation for being incredibly anal about the workplace. I worked a couple of internships for Electronic Data Systems a while back, and just a couple of years ago they circulated a memo that was viewed as revolutionary: ladies' pantsuits were now allowed. On the other hand, at my current workplace, at another gov't contractor, I dress business casual (dockers and polo or button down shirt) most days, and occasionally wear t-shirt and jeans when I feel like it.
While some gov't contractors may be viewed as anal, large portions of the gov't itself have really loosened up. I went up to a gov't site one time to give a class. Wanting to make a good impression, I wore a suit and tie. I actually got laughed at by the gov't workers, who largely wore t-shirt and jeans. Back in the dot-com boom, many gov't workplaces loosened their workplace standards in order to compete with the dot-com world.
I can definitely confirm the article submitter's statement that clearances are generally more important than an adequate skillset. I was a bit of an exception to the rule, but there are a lot of coworkers around me who were hired for a clearance first and skillset second, and they end up coming to me quite a lot for help with various things. Right now, gov't contracting is a very closed group as a result of clearances; you cannot get a job easily without a clearance, and cleared employees tend to be passed around between gov't and the various contractors. If there is one single thing that could open up this closed little world, it would be a complete review and replacement of the various background investigation and clearance processing bodies, but I'm not holding my breath. Waiting multiple years for a clearance that will only last five years before it must be renewed again is STUPID. The result is having a bunch of cleared but unqualified people, which is simply ineffective.
Speaking of the clearance process, I should mention that smoking dope definitely leaves you much less hirable. You're just going to have to decide which you'd rather sacrifice: employment potential or drug use.
The actual work itself really depends. Some projects are disgustingly bad and boring. Some are incredibly exciting, trying to solve problems that no one has ever solved before. There is usually less freedom in things. The individual tools and components for a job are almost never decided upon by the people who have to implement the solutions. The work of engineering involves dealing with constraints. However, it's definitely frustrating when most of those constraints are contrived and arbitrary.
It requires a certain tolerance for bullshit, but it is often rewarding work. The gov't does some very important, often very dangerous things, and it is nice to have some involvement there. If you've got a good manager who can shield you from most of the bullshit (thank God I do), it can be pretty rewarding.
The security community is so large and diverse that effective controls on exploit code and detailed vulnerability information is impossible. Who would determine who gets access? Microsoft? The US Government? The only practical method is the public one.
The enemy is not Microsoft's unwillingness to produce patches for their security vulnerabilities. They have actually proven to be one of the more cooperative vendors for recognizing flaws and producing and releasing patches, at least in recent times.
The enemy is not the public release of explicit vulnerability information, which is necessary for security research.
The enemy is also not the 13-year-old that breaks into computers. Fighting a war against 13-year-olds is a dumb war.
The enemy is the fact that software vendors like Microsoft have consistently chosen to place their customers at a ridiculous amount of risk through default configurations of their software, and the fact that a 13-year-old can break into thousands of computers with little effort or skill.
Why is it that default configurations of all major OSes (note that I'm not singling out Windows here, I'm saying all OSes) come with an absurd amount of default services open? If the vast majority of customers do not need a service running, then it should not be running. How many Nimda infections were from people who had no idea they were running a web server in the first place?
Why is it that default configurations of most prominent workstation and network client software has poor default configurations, security-wise? Do most users out there really need ActiveX or Javascript in their email client? Not only no, but hell no.
Yes, vulnerabilities do occur in all software. I don't think that anyone out there has any expectation for Microsoft or any other vendor to achieve perfection here. However, the issue here is that the default posture leaves users prone not just to known vulnerabilities, but to ones that have yet to be discovered.
All software vendors (including but not limited to Microsoft) need to better examine the features of their products to discover potential points of attack. If the majority of users have no need for a particular feature that might be dangerous at some later point in time (e.g., mobile code capabilities, network services, modules to network services like IIS index server, etc.), then they should be disabled by default. Go ahead and make an easy-to-use checkbox for turning that kind of stuff on individually, but don't have it on by default.
Microsoft has recently stated that it is beginning a new initiative to ship their products in secure configurations. I believe that they probably will succeed somewhat here, but we've been hearing similar lines of bull for so long that they have no credibility here until they actually prove it.
Microsoft and other vendors should stop whining about the messengers, and should start shipping products with default configurations and initial postures that are likely to withstand existing and future attacks. Default configurations are enemy number one, not public vulnerability research. Let's see some proactive work being done instead of only reactive work. Microsoft has plenty of problems to fix in their own development processes before they worry about fixing the "problems" they feel the security community has.
If they don't comply with Red Book standards, and the IEC does not either explicitly grant them a license or prosecute them, then the IEC will lose trademark protections for the relevant logos. This is perhaps one of the few examples these days of a good reason for stringent trademark protection. The IEC logos and the implied consumer protection they symbolize will otherwise be rendered completely useless.
All this so that the bad guys can still be bad (it only takes a handful of people successfully converting the stuff to MP3s and uploading them), and the good guys can be stripped of their fair use rights (e.g., conversion to MP3 format for use on their personal MP3 players).
So where is Kevin Bacon's key in this set?
Instead of trying to solicit companies that chose against you in the past, concentrate upon future potential customers. When you negotiate with your potential customers, advise them to think about their security requirements and to ask tough questions of you and of your competition. Advise them to lay out those security requirements in writing, in the contract. They are responsible for their own security and their own decision making, not you.
We use VMware all over the place here at my workplace, where we have a large number of Unix geeks who need to be able to use Word and Excel and such (and where Star Office sometimes doesn't get the job done, unfortunately). Inside VMware, you're running a real, honest-to-goodness Windows box. You can even have it set up to do networking (I set up my linux workstation to do IP Masquerading for it). It's a heckuva lot more painless than dual booting, and you still get to run your favorite OS.
You could also try Wine perhaps, which I hear supports running Office 2000 applications now.
For those of you not familiar with stateful firewalling, it is an incredibly good thing. I've gone from using ipfwadm to using ipchains to finally using ipfilter on BSD. Because of ipf's support of stateful filtering, my firewall rulesets were *much* simpler. Given that many (most?) problems associated with firewalls are the complexity of the configuration, this is a Very Good Thing(tm). After migrating from linux/ipchains to BSD/ipf, I was able to add serious protection for my network, including my high ports (which often run the most vulnerable services, namely RPC services). I haven't used netfilter/iptables, but it looks to be a *huge* step forward for Linux.
All that being said, I have a major problem with this article. It seems to suggest to users that FTP monitoring to handle active FTP clients is a good idea. In fact, this is a *terrible* idea. I got to watch Dug Song et al at BlackHat walk right through a CheckPoint FW1 system like it wasn't even there by exploiting some assumptions that FW1 made when monitoring FTP for the PORT commands. It sounds to me like the netfilter/iptables support for FTP functions in a very similar manner as FW1. If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.
Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.
Also, please remember that a firewall only serves as a method of blocking traffic between network segments. It does not magically secure network traffic from viewing, spoofing, manipulating, or hijacking (you need to use protocols that support strong authentication and strong cryptography to achieve this). It does not secure the applications or systems which you allow traffic to touch (you need to use secure OSes under secure configurations to accomplish this). It does not magically protect your systems against insider threats (you need to have good people working for you, restrictions on outside connectivity, and thorough physical security to accomplish this). Remember, crunchy on the outside and soft and gooey on the inside is great for candy, bad for networks.
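An added example illustrating the stateful-versus-stateless point made in the posts above; it is not the poster's ruleset or any real firewall's code. It models both policies in Python over a constructed packet trace (addresses from the documentation ranges, a made-up high-port RPC service on 32771). The stateless rules are the classic ipchains shape: to let web and DNS replies back in, you must accept anything that merely looks like a reply, and that is exactly the hole that reaches a service listening on a high port. The stateful version expresses the same policy as two rules and a connection table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the LAN, "in" = arriving from the Internet
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


def stateless_decide(p):
    """ipfwadm/ipchains-style rules that know nothing about past packets.

    To let replies to web and DNS traffic back in, the ruleset must accept any
    inbound packet that merely looks like a reply: source port 80 or 53, high
    destination port.  That is the hole that exposes high-port services.
    """
    if p.direction == "out":
        return "ACCEPT"
    if p.proto == "tcp" and p.sport == 80 and p.dport > 1023 and not p.syn:
        return "ACCEPT"
    if p.proto == "udp" and p.sport == 53 and p.dport > 1023:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Toy connection tracker: the same policy expressed as two rules."""

    def __init__(self):
        # Flows opened from inside: (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.flows = set()

    def decide(self, p):
        if p.direction == "out":
            # Rule 1: the LAN may open connections; remember each one.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Rule 2: inbound traffic is accepted only as part of a tracked flow.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows and not p.syn:
            return "ACCEPT"
        return "DROP"


# Constructed packet trace (addresses from documentation ranges).
TRACE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),
    Packet("out", "udp", "10.0.0.5", 40001, "203.0.113.53", 53),
    Packet("in",  "udp", "203.0.113.53", 53, "10.0.0.5", 40001),
    # Unsolicited datagram aimed at an RPC service listening on a high port.
    Packet("in",  "udp", "198.51.100.7", 53, "10.0.0.5", 32771),
    # Unsolicited connection attempt to a low port.
    Packet("in",  "tcp", "198.51.100.7", 4444, "10.0.0.5", 22, syn=True),
]


def run_trace(trace=TRACE):
    """Return (stateless, stateful) verdicts for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_decide(p), sf.decide(p)) for p in trace]


if __name__ == "__main__":
    for p, (a, b) in zip(TRACE, run_trace()):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  stateless={a} stateful={b}")
```

The two filters agree on every packet except the fifth: the stateless rules wave the unsolicited datagram through to port 32771 because its source port is 53, while the stateful filter drops it because no inside host ever opened that flow. That is the "serious protection for my high ports" the post describes, obtained by removing rules rather than adding them.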
This article probably doesn't interest most slashdotters, because the OSes that we use aren't designed to protect against these kinds of things. This, of course, stems from the fact that the situations in which we use our systems do not require us to segment our users and prevent them from communicating.
In the DoD, for instance, there are situations where you would want to do this. You don't want to allow someone viewing Top Secret data to have their information leaked to someone who isn't cleared for it.
This is why Mandatory Access Controls were invented. A lot of slashdotters have probably heard of the Orange Book, in which the DoD laid out a method of classifying the security model of computer systems. Unix variants are roughly C-1'ish, which DoD doesn't even certify anymore. OSes with ACLs and such (like NT) are roughly C-2'ish (now whether NT actually gets the job done or not is up for debate). Once you get to the B and A levels, you have Mandatory Access Controls. They are designed to prevent one user from leaking classified data to another person. In a MAC system, you should not be able to "chmod" or "chown" a file to allow someone else to view it.
It goes a little bit deeper, though. You also need to protect against more subtle methods of communication, called covert channels. In a covert storage channel, a user would fill up a disk and another user would be able to tell, or one would write to a file that another had access to read, or one would twiddle a file lock. In a covert timing channel, one user would perform a CPU intensive process and the other user would be able to tell that the responsiveness of the system changed, or the user would perform an I/O intensive application and the other user would be able to tell that his own disk accesses were more or less responsive. In this way, users can communicate via manipulating shared resources.
It's not very sexy, but it is something that DoD and the intelligence community in particular care very much about. As you can guess, these aren't easy problems to solve (if they are solvable at all).
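The MAC point in the posts above (that an owner cannot "chmod" classified data into someone else's reach), as an added example that is not the poster's code and not any real B-level system: a Bell-LaPadula style label check in Python, layered beside a Unix-style discretionary check, on a constructed scenario with two users and two files. Level names follow the usual hierarchy; the "NOFORN" compartment and the file names are made up for the illustration.

```python
from dataclasses import dataclass

# Hierarchical levels; compartments (here a constructed "NOFORN") add a lattice on top.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high and covers all of other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Object:
    name: str
    owner: str
    label: Label                   # assigned by the system, never by the owner
    world_readable: bool = False   # discretionary bits the owner controls
    world_writable: bool = False


def dac_permits(subj, obj, op):
    """Unix-style discretionary check: the owner may do anything, others need the mode bit."""
    if subj.name == obj.owner:
        return True
    return obj.world_readable if op == "read" else obj.world_writable


def mac_permits(subj, obj, op):
    """Bell-LaPadula: no read up (simple security property), no write down (*-property)."""
    if op == "read":
        return subj.clearance.dominates(obj.label)
    if op == "write":
        return obj.label.dominates(subj.clearance)
    raise ValueError(f"unknown operation {op!r}")


def access(subj, obj, op):
    """Both checks must pass, so a chmod by the owner cannot override the label."""
    return dac_permits(subj, obj, op) and mac_permits(subj, obj, op)


def chmod_world_readable(subj, obj):
    """Owner-only discretionary operation; it changes a mode bit, not the label."""
    if subj.name != obj.owner:
        return False
    obj.world_readable = True
    return True


def demo():
    """Constructed scenario: a TOP SECRET owner tries to share with a SECRET user."""
    ts_noforn = Label("TOP SECRET", frozenset({"NOFORN"}))
    alice = Subject("alice", ts_noforn)
    bob = Subject("bob", Label("SECRET"))
    plan = Object("plan.txt", owner="alice", label=ts_noforn)
    memo = Object("memo.txt", owner="alice", label=Label("UNCLASSIFIED"),
                  world_readable=True)
    return {
        "bob_reads_plan_before_chmod": access(bob, plan, "read"),
        "alice_chmod_plan": chmod_world_readable(alice, plan),
        "bob_reads_plan_after_chmod": access(bob, plan, "read"),
        "alice_writes_plan": access(alice, plan, "write"),
        "alice_reads_memo": access(alice, memo, "read"),
        "alice_writes_memo": access(alice, memo, "write"),
        "bob_reads_memo": access(bob, memo, "read"),
    }
```

The chmod succeeds as a discretionary operation, yet bob still cannot read the file afterwards because his SECRET clearance does not dominate the TOP SECRET/NOFORN label. The *-property cuts the other way too: alice owns memo.txt but may not write to it, since anything she writes could carry TOP SECRET content into an UNCLASSIFIED file. Reading down (alice reading the memo) remains allowed.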
A friend of mine was in a similar position, and he decided to donate a fair chunk of change to our university's unix users group. Our treasury was then just about nil, and he just couldn't see us competing very effectively with the sororities in revenue from car washes.
If you think that they are a club that actually DOES stuff, then you might want to consider donating a little bit to them. It doesn't have to be a lot, they'll probably be thankful and find a use for anything you can give them, so there should be plenty leftover for other, larger donations.
Just something to think about.
It looks like it has been stricken from the docket of the Virginia House of Delegates. I'm not incredibly familiar with legislative rules, but I *think* that this means that it can't pass in VA without being re-introduced to the VA House. If someone can clarify this, please post it. You can find out more here.
Actually, because good string-searching algorithms are sub-linear in efficiency, providing gobbledygook from ciphertext would do no good whatsoever. Any decent algo would recognize it as worthless to it very quickly and then move on. It is extremely unlikely that echelon keeps ciphertext for cracking except for perhaps some individual targets.
It would be better to either provide strings that will probably match their rules, or ones that will come close to matching. For instance, "xerrorist xomb xartel xuclear xspionage" would probably put a strain on a Boyer-Moore string-searching algorithm (and without actually flagging your communications, so you'd still stay clean!).
Unfortunately, I would rather doubt that we could so much as put a dent into an echelon-like system without MASSIVE participation. In any case, do we really WANT to try to subvert the folks who play a large role in protecting us from legitimate threats? This problem needs to be addressed with legislation, not with self-destructive subversive acts.
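The algorithmic claim in the posts above (random ciphertext is skipped almost for free by a sub-linear matcher, while near-misses cost more comparisons) can be checked directly. The following is an added example, not the poster's code: a Boyer-Moore-Horspool search in Python that counts character comparisons, run over a constructed base64-like random text and over the post's own near-miss phrase repeated. The per-character cost is what a keyword scanner pays; the search itself is the standard textbook algorithm.

```python
import random
import string


def horspool_search(text, pattern):
    """Boyer-Moore-Horspool search.

    Returns (match_positions, character_comparisons).  The comparison count is
    the cost we are interested in: how much work the scanner does per byte.
    """
    m, n = len(pattern), len(text)
    if m == 0 or n < m:
        return [], 0
    # Bad-character shift table: how far to slide when the window's last
    # character is c.  Characters absent from pattern[:-1] allow a full shift.
    shift = {c: m - 1 - i for i, c in enumerate(pattern[:-1])}
    matches, comparisons, i = [], 0, 0
    while i <= n - m:
        j = m - 1
        # Compare right to left; stop at the first mismatch.
        while j >= 0:
            comparisons += 1
            if text[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            matches.append(i)
        i += shift.get(text[i + m - 1], m)
    return matches, comparisons


def ciphertext_like(length, seed=1):
    """Constructed stand-in for base64 ciphertext: uniform random over 64 symbols."""
    alphabet = string.ascii_letters + string.digits + "+/"
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def near_miss(length):
    """The post's example phrase repeated: almost matches, never matches."""
    phrase = "xerrorist xomb xartel xuclear xspionage "
    return (phrase * (length // len(phrase) + 1))[:length]


def compare_costs(pattern="terrorist", length=4000):
    """(match count, comparisons per input character) for each kind of text."""
    costs = {}
    for name, text in (("ciphertext", ciphertext_like(length)),
                       ("near_miss", near_miss(length))):
        matches, comps = horspool_search(text, pattern)
        costs[name] = (len(matches), comps / length)
    return costs


if __name__ == "__main__":
    for name, (hits, per_char) in compare_costs().items():
        print(f"{name:10} matches={hits} comparisons/char={per_char:.3f}")
```

On the random text the window's last character almost never matches, so each window costs one comparison and then slides nearly the full pattern length; on the repeated near-miss phrase the matcher walks eight characters back before failing on the leading "x" and then takes shorter slides, so the cost per character is roughly three times higher while still producing no hit.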