Right.
It wasn't programmed exactly that way, I just typed something out, and forgot what the inequality I actually used was. In practice I used (something like)
The idea behind copying the arguement to a local variable was to increment the pointer with no risk of loosing the original string...of course that was silly now that I think about it. Like you said, having a const arguement would solve that little problem.
Anyways, I've made enough of a fool of myself for today already.
Dave Jones, a RedHat/Fedora kernel developer, has some interesting comments on Ubuntu and how people insist in their bug reports that "it works in Ubuntu." This blog post is certainly worth reading.
Sony?! I'd have never expected them to be happy to help OSS. I've never spoken to someone about putting Linux on a Sony computer, and I realise their hardware is nice and all, but Sony hardware is known for being engineered to work only with other Sony hardware. This means that if the power supply in your Sony PC goes out you may have to get a new one from Sony and nowhere else. Proprietary hardware is bad for other hareware companies, and Sony is the worst for this kind of vendor lock-in. You'll understand my surprise that Sony would be willing to participate in a patent-sharing organization.
"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?
Actually, this isn't something you can control in Apache. PHP's ability to send system commands can be turned on and off in the php.ini file. Although anyone running an Apache webserver with PHP has that file, they may or may not have editted it.
The php.ini file actually gives system administrators much greater control of what users can do with their PHP websites than they ever could have in Perl through a CGI, since a simplistic explaination of how CGI works is that it executes the file your browser requests with whatever arguements you send it. Furthermore, many Perl modules are nothing more than wrappers over shell commands. If someone were to, say, compile Perl without the system() command, you'd have so many broken modules it wouldn't be useful.
The point is, someone installed AWStats two years ago and never updated it or their webserver could be wide open to this thing. That's why we blame the admin:)
You know, I'm still very interested to read exactly how the government intends to perform the actual conversion. There have to be so many documents, no doubt they intend to have someone script something together that will read each.DOC and.PDF and convert that into an OpenDocument format, but who reliable will that be? We all know saving.DOC's in OpenOffice can (occasionally) be precarious, sometimes even exporting a file to a non-standard format in MS Office leads to unexpected results. What they will have to do is run their scripts and then have a team look at each document side-by-side to ensure the conversion was successful, but even if 99% of all conversions do work according to plan, you're still looking at an enourmous task.
But, of course, we're well aware of the long-term benefits, so I suppose a three-month project of doing the actual conversion will ultimately help our grandchildren when they have to convert that into their preferred format of the day.
On one hand, writing a worm to target GAIM would be really easy, as it's open source. Replace GAIM's main executable with a new one containing whatever worm you want directly compiled into the source code would be short work for these guys.
I do not believe GAIM contains any form of failsafe...I suppose I should contribute to the community by writing a checksum of some form or another to check GAIM installations for rootkits (of course, as an open source application, such mechanisms are trivial to work around...this may require some real engineering). What I describe is the possible nightmare anti-OSS persons propose. Anyone remember IMBlaze, a GAIM ripoff?
However, from what I have seen, there are a lot more Trillian users than GAIM users. As an aside, I would probably use Trillian if there were a Linux build, but there's not, and GAIM fullfils my needs. However, Trillian does not account for nearly the audience AOL Instant Messenger has. I am continually surprised at the number of persons who insist upon using AIM rather than the superior clients that are freely available.
For this reason, I do not predict worm writers to stop hacking at AIM in favor of other instant messenging clients. If they do, the community will engineer a means to stop them before they get started.
Open Clippy: "It looks like you're writing an open source application. If you want help..." This system is shutting down. You will not be permitted to damage commercial software any longer. This shutdown was initiated by NTAUTHORITY\SYSTEM Time to shutdown: 00:00:05 Message Don't write OSS in MS Office.
The thing that's so special about Windows NT is that it originally had a completely modular microkernel (well, still not UNIX...) that provided enhanced security/stability, but at the cost of performance (in comparision to the monolithic MS-DOS/Windows 9x kernels). To quote Silberschatz, Galvin, and Gagne,
"...Unfortunately, microkernels can suffer from performance decreases due to increased system function overhead. Consider the history of Widnows NT. The first release had a layered microkernel organization. However, this version delivered low performance compared with that of Windows 95. Windows NT 4.0 partially redressed the performance problem by moving layers from user space to kernel space and more closely integrating them. By the time Windows XP was designed, its architecture was more monolithic than microkernel. (82)
I completely agree, multimedia is a serious problem in modern binary Linux distributions. Multimedia is the reason that I choose to use Gentoo Linux on my desktop/server. I want MP3 support. I want to watch encrypted DVDs. I want to watch Real videos without that confounded RealPlayer 10. It's all completely possible and completely legal if you're using Gentoo or any other source based distribution. Furthermore, it's legal to install such programs onto any Linux distribution provided you build the source yourself and do not install a binary.
After using Ubuntu on my laptop for some time I decided I needed to watch a movie on my laptop. Of course, Debian's apt system is completely foreign to me and I wasn't about to learn a new package manager after becomming used to Gentoo's portage system.
So I decided to install MPlayer and Xine-Lib from source, among other utilities. I believe this is the howto I used: http://www.oldskoolphreak.com/tfiles/hack/ubuntu.t xt So it's got me thinking I should write some scripts to perform this installation automagically. I'd really like to get some kind of project running to collaborate with others.
Do you guys think such a project would be successful? Scripting up an installer for all these programs would be really easy if I had a howto to go by, so do you all think people would be OK with such an installer? Would you find such an installer acceptable for your own personal use?
I'll probably go ahead and write some scripts and tell my fellow Gentoo users what I've done, but I'd appreciate any experiences or thoughts fellow Slashdotters have.
If someone is ready to cut your finger off to get at your data, do you really think fingerprint authentication is any more or less safe than password-based authentication? Seriously, if someone is cuts your finger off and tells you they're taking another if you don't tell them your root password, you'll probably give it to them.
IBM is no longer in the PC business and its mainframe business is all but dead. They are now a consulting company that makes a few unix boxes.
Actually, most of the servers IBM sells don't have an operating system on there at all. It's easier to sell a machine with nothing on it than try to work with a clients' Unix licenses.
That said, format your hard drive and install Linux.
If you won't do that, install a basic firewall/antivirus software such as Norton Internet Security, run through all of it's shit, and then scan your own box with nmap or nessus. Look for pretty much anything you can't explain.
Well we don't actually have a CAT scanner here, but we do have things like electron microscopes and 3D printers that aren't stable on a rough campus network.
1. The person who connected the CAT scanner to the Internet (or any untrusted network) should be sacked. It wasn't a problem a few years ago, when all viruses propogated themselves through floppy disks, pubs, and emails. Most of the people who had port scanning software knew what to and not to use it on.
But in the present we've been putting them on their own routers using NAT to keep them isolated from the rest of the network.
2. The vendor of the CAT scanner should provide a software update that stops such a critical piece of equipment from being so fragile and/or be sued for not fixing defective equipment. I wish they would, but more often than not you're looking at a poorly designed embedded system.
I don't know how some people live with themselves...but we see a lot of really, supremely shitty code in devices that try to write everything from scratch. I'm sure this trend is on its way out or already gone as Linux has shown its worth in embedded devices.
At the ISP where I work we've got an approach something like this. We've got scripts running that analyze network usage, watch for port scanning, and regulate email.
- Network usage is the easiest to monitor since it's little more than a script pointing out that a host is attacking other machines over port 445 or connected to port 6667. Just being on IRC or sharing your printer won't set off the scripts since they not only monitor raw traffic but also watch how quickly new connections are being made and such. I should mention that we allow anyone to run anything on this network with no maximum bandwidth usage, provided it's all legal (so an open Gnutella port means nothing, lots of traffic over DC++ is fine, downloading tens of Gigabytes over BitTorrent is fine - we don't care until the copyright violation letters roll in).
- Back on topic, our firewalls monitor evidence of port scanning. This is something you'd better not get caught doing since they're so destructive to the network (I.E. something like a network-aware electron microscope or CAT scanner will often crash if you send fragmented SYN packets at it, so don't).
- And best of all we not only implement PureMessage and antivirus filters on our IMAP and POP3 servers, we have two SMTP servers (one for residents, one for everything else) and all outgoing SMTP must go through those (and IIRC you must authenticate to the SMTP server as well). We realised we had no choice but to implement a very strict system like this when AOL blocked @ncsu.edu!
When we detect a machine that's been compromised it gets blocked automatically. It's nice that in the case of a resident getting blocked we send emails to both that student and their roommate as we (currently) have no way of knowing whose machine we've blocked. If they need help we've got great support.
Why don't all ISPs have strict policies like this? AOL was shown in an earlier article to be home to more compromised hosts than any other. Maybe they should start blocking MACs of known compromised hosts and better integrate antivirus software into the Win32 software. Best yet would be to automate a phone call to the household that has been blocked as soon as it happens to alert the customer that and why they've been temporarily blocked.
How hard could it really be to include Stinger on those AOL CDs?:)
Maybe the sensor should automatically call 911. Not for the police, but for the hospital when someone with a BAC of 0.50% steps into the car (lethal BAC is usually 0.44%, although people have survived greater). They're not much of a threat these people, unless they manage to knock the parking brake, dead.
Slashdot Mirror
It wasn't programmed exactly that way, I just typed something out, and forgot what the inequality I actually used was. In practice I used (something like)
The idea behind copying the arguement to a local variable was to increment the pointer with no risk of loosing the original string...of course that was silly now that I think about it. Like you said, having a const arguement would solve that little problem.
Anyways, I've made enough of a fool of myself for today already.
I can stop playing Quake anytime I want. In fact, I do, every three minutes, to refresh Slashdot.org ;)
This is something I used to drop into every C project I wrote.
Dave Jones, a RedHat/Fedora kernel developer, has some interesting comments on Ubuntu and how people insist in their bug reports that "it works in Ubuntu." This blog post is certainly worth reading.
Sony?! I'd have never expected them to be happy to help OSS. I've never spoken to someone about putting Linux on a Sony computer, and I realise their hardware is nice and all, but Sony hardware is known for being engineered to work only with other Sony hardware. This means that if the power supply in your Sony PC goes out you may have to get a new one from Sony and nowhere else. Proprietary hardware is bad for other hareware companies, and Sony is the worst for this kind of vendor lock-in. You'll understand my surprise that Sony would be willing to participate in a patent-sharing organization.
"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?
Actually, this isn't something you can control in Apache. PHP's ability to send system commands can be turned on and off in the php.ini file. Although anyone running an Apache webserver with PHP has that file, they may or may not have editted it.
The php.ini file actually gives system administrators much greater control of what users can do with their PHP websites than they ever could have in Perl through a CGI, since a simplistic explaination of how CGI works is that it executes the file your browser requests with whatever arguements you send it. Furthermore, many Perl modules are nothing more than wrappers over shell commands. If someone were to, say, compile Perl without the system() command, you'd have so many broken modules it wouldn't be useful.
The point is, someone installed AWStats two years ago and never updated it or their webserver could be wide open to this thing. That's why we blame the admin :)
Just as the rape victim shouldn't've worn a short skirt, the employer should've had a faster mailserver damnit!
I wasn't aware that OOo had such capabilities, thanks for your comments!
You know, I'm still very interested to read exactly how the government intends to perform the actual conversion. There have to be so many documents, no doubt they intend to have someone script something together that will read each .DOC and .PDF and convert that into an OpenDocument format, but who reliable will that be? We all know saving .DOC's in OpenOffice can (occasionally) be precarious, sometimes even exporting a file to a non-standard format in MS Office leads to unexpected results. What they will have to do is run their scripts and then have a team look at each document side-by-side to ensure the conversion was successful, but even if 99% of all conversions do work according to plan, you're still looking at an enourmous task.
But, of course, we're well aware of the long-term benefits, so I suppose a three-month project of doing the actual conversion will ultimately help our grandchildren when they have to convert that into their preferred format of the day.
On one hand, writing a worm to target GAIM would be really easy, as it's open source. Replace GAIM's main executable with a new one containing whatever worm you want directly compiled into the source code would be short work for these guys.
I do not believe GAIM contains any form of failsafe...I suppose I should contribute to the community by writing a checksum of some form or another to check GAIM installations for rootkits (of course, as an open source application, such mechanisms are trivial to work around...this may require some real engineering). What I describe is the possible nightmare anti-OSS persons propose. Anyone remember IMBlaze, a GAIM ripoff?
However, from what I have seen, there are a lot more Trillian users than GAIM users. As an aside, I would probably use Trillian if there were a Linux build, but there's not, and GAIM fullfils my needs. However, Trillian does not account for nearly the audience AOL Instant Messenger has. I am continually surprised at the number of persons who insist upon using AIM rather than the superior clients that are freely available.
For this reason, I do not predict worm writers to stop hacking at AIM in favor of other instant messenging clients. If they do, the community will engineer a means to stop them before they get started.
Open Clippy: "It looks like you're writing an open source application. If you want help..."
This system is shutting down. You will not be permitted to damage commercial software any longer. This shutdown was initiated by NTAUTHORITY\SYSTEM
Time to shutdown: 00:00:05
Message
Don't write OSS in MS Office.
Well, we can arrange that for you...but only if you really, really want us to ;)
You're thinking CFLAGS. See http://forums.gentoo.org/viewtopic-t-309752.html
I completely agree, multimedia is a serious problem in modern binary Linux distributions. Multimedia is the reason that I choose to use Gentoo Linux on my desktop/server. I want MP3 support. I want to watch encrypted DVDs. I want to watch Real videos without that confounded RealPlayer 10. It's all completely possible and completely legal if you're using Gentoo or any other source based distribution. Furthermore, it's legal to install such programs onto any Linux distribution provided you build the source yourself and do not install a binary.t xt
After using Ubuntu on my laptop for some time I decided I needed to watch a movie on my laptop. Of course, Debian's apt system is completely foreign to me and I wasn't about to learn a new package manager after becomming used to Gentoo's portage system.
So I decided to install MPlayer and Xine-Lib from source, among other utilities. I believe this is the howto I used: http://www.oldskoolphreak.com/tfiles/hack/ubuntu.
So it's got me thinking I should write some scripts to perform this installation automagically. I'd really like to get some kind of project running to collaborate with others.
Do you guys think such a project would be successful? Scripting up an installer for all these programs would be really easy if I had a howto to go by, so do you all think people would be OK with such an installer? Would you find such an installer acceptable for your own personal use?
I'll probably go ahead and write some scripts and tell my fellow Gentoo users what I've done, but I'd appreciate any experiences or thoughts fellow Slashdotters have.
AOL Dialer by Linspire.
Source code.
Spread the word :)
Here's one: compare Gaim to this pathetic Gaim ripoff named IMBlaze (heh heh search for Gaim rip off).
If someone is ready to cut your finger off to get at your data, do you really think fingerprint authentication is any more or less safe than password-based authentication? Seriously, if someone is cuts your finger off and tells you they're taking another if you don't tell them your root password, you'll probably give it to them.
IBM is no longer in the PC business and its mainframe business is all but dead. They are now a consulting company that makes a few unix boxes. Actually, most of the servers IBM sells don't have an operating system on there at all. It's easier to sell a machine with nothing on it than try to work with a clients' Unix licenses.
The mouse is the reason I do not play games on a console. If she thinks a mouse is imprecise, she should try an Xbox controller. :yuck:
Even though the CD won't boot, you could upgrade a Windows 2000 or earlier installation using one of these CDs.
Non-techies do not belong at Slashdot.
That said, format your hard drive and install Linux.
If you won't do that, install a basic firewall/antivirus software such as Norton Internet Security, run through all of it's shit, and then scan your own box with nmap or nessus. Look for pretty much anything you can't explain.
Well we don't actually have a CAT scanner here, but we do have things like electron microscopes and 3D printers that aren't stable on a rough campus network.
1. The person who connected the CAT scanner to the Internet (or any untrusted network) should be sacked.
It wasn't a problem a few years ago, when all viruses propogated themselves through floppy disks, pubs, and emails. Most of the people who had port scanning software knew what to and not to use it on.
But in the present we've been putting them on their own routers using NAT to keep them isolated from the rest of the network.
2. The vendor of the CAT scanner should provide a software update that stops such a critical piece of equipment from being so fragile and/or be sued for not fixing defective equipment.
I wish they would, but more often than not you're looking at a poorly designed embedded system.
I don't know how some people live with themselves...but we see a lot of really, supremely shitty code in devices that try to write everything from scratch. I'm sure this trend is on its way out or already gone as Linux has shown its worth in embedded devices.
At the ISP where I work we've got an approach something like this. We've got scripts running that analyze network usage, watch for port scanning, and regulate email. :)
- Network usage is the easiest to monitor since it's little more than a script pointing out that a host is attacking other machines over port 445 or connected to port 6667. Just being on IRC or sharing your printer won't set off the scripts since they not only monitor raw traffic but also watch how quickly new connections are being made and such. I should mention that we allow anyone to run anything on this network with no maximum bandwidth usage, provided it's all legal (so an open Gnutella port means nothing, lots of traffic over DC++ is fine, downloading tens of Gigabytes over BitTorrent is fine - we don't care until the copyright violation letters roll in).
- Back on topic, our firewalls monitor evidence of port scanning. This is something you'd better not get caught doing since they're so destructive to the network (I.E. something like a network-aware electron microscope or CAT scanner will often crash if you send fragmented SYN packets at it, so don't).
- And best of all we not only implement PureMessage and antivirus filters on our IMAP and POP3 servers, we have two SMTP servers (one for residents, one for everything else) and all outgoing SMTP must go through those (and IIRC you must authenticate to the SMTP server as well). We realised we had no choice but to implement a very strict system like this when AOL blocked @ncsu.edu!
When we detect a machine that's been compromised it gets blocked automatically. It's nice that in the case of a resident getting blocked we send emails to both that student and their roommate as we (currently) have no way of knowing whose machine we've blocked. If they need help we've got great support.
Why don't all ISPs have strict policies like this? AOL was shown in an earlier article to be home to more compromised hosts than any other. Maybe they should start blocking MACs of known compromised hosts and better integrate antivirus software into the Win32 software. Best yet would be to automate a phone call to the household that has been blocked as soon as it happens to alert the customer that and why they've been temporarily blocked.
How hard could it really be to include Stinger on those AOL CDs?
Maybe the sensor should automatically call 911. Not for the police, but for the hospital when someone with a BAC of 0.50% steps into the car (lethal BAC is usually 0.44%, although people have survived greater). They're not much of a threat these people, unless they manage to knock the parking brake, dead.