Slashdot Mirror


User: Florian+Weimer

Florian+Weimer's activity in the archive.

Stories: 0
Comments: 999

Comments · 999

  1. Not a new search engine on China Launches New Search Engine · · Score: 1

    The results are provided by Overture. Just look at the links and compare a few queries.

  2. Re:Uh... on Will Open Source Solaris Kill Linux? · · Score: 2, Informative

    sh and ksh are separate for a reason. Solaris sh (more so than other sh's) is *very* stripped down -- no tab completion, no command history, etc. -- so that there are no side effects.

    Side effects aren't the reason. The explanation is backwards compatibility. Any change to /bin/sh might break countless customer shell scripts, so you'd better not mess with it.

  3. Re:What happened to Darwinism? on Using Layered Defenses to Stop Internet Worms · · Score: 2, Interesting

    I wish they could just come out and clearly advocate diversity among OSes. The biggest threat IMO is the ubiquity of holes, not severity.

    Following the diversity mantra would require me to install Windows on some servers and run IIS. I doubt that this increases security of my systems, especially because I don't know much about Windows server administration.

  4. Re:Intelligent design? on The Eye: Evolution versus Creationism · · Score: 1

    I mean, if you believe in creation, that's fine. If you believe in evolution, that's also fine. What does this hybrid belief offer other than a weak compatibility between religion and science?

    It's completely irrational. In school, we are typically told three radically different myths of creation: two from the bible, and the evolution of species. The two myths from the bible are so far apart that it's usually not a problem for someone who presses both into a remotely consistent belief system to incorporate just another one.

    If you don't acknowledge that the bible needs interpretation and sometimes has to be read with the historical context in mind, you are a fundamentalist who cannot participate in modern Western society anyway. Those people flatly refuse to take part in any intellectual discourse, and there is no way to please them, short of being intellectually dishonest.

    Of course, there are fundamentalists in science, too. Science can never deliver the same absolute truth which religion promises, and some scientists fail to acknowledge that.

  5. Re:IP Spoof Filtering... on DDoS Extortion Attempts On the Rise · · Score: 1

    So... can you split up IP addresses into multiple paths to go through multiple filters?

    You need additional devices for this because large routers cannot efficiently base forwarding decisions on source addresses. There are load balancers which can do this, but you are probably better off if you directly install a working (!) anti-DoS device instead.

    Another option is MPLS-based traffic shunting, but it only works in MPLS networks. You still need at least one specialized anti-DoS device, but you don't have to install one of them close to each of your border routers.

  6. Re:IP Spoof Filtering... on DDoS Extortion Attempts On the Rise · · Score: 1

    I agree - Null Routes aren't the answer here. But something that ISPs *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

    A lot of attacks come from completely legitimate sources. Some malware reads the local subnet address and subnet mask and spoofs from that range, revealing the origin of the packets. Other attacks are higher up in the protocol stack and require (among other things) a complete TCP handshake, so spoofing is no longer possible.

    Nowadays, attackers have so many machines that they just don't care about revealing their real addresses anymore. You can't block tens of thousands of IP addresses efficiently, either.

    In some cases, anti-spoofing filters do help, but I doubt that they would make a huge difference on the current network, even if they were universally deployed.

    There's no magic solution for the DoS problem. Even plugging a Cisco Guard blade into every other Cisco router won't solve the problem (short-term mitigation is certainly possible, though).

  7. Re:Is Firefox ready? on Firefox Seeks Full Page Ad in New York Times · · Score: 2, Insightful

    How is this a problem? All of that works in Firefox on Windows and on Linux. In Linux you have to have the mplayer plugin for Windows Media.

    It's of questionable legality. If it isn't right now, it will be made illegal in the future, because it undermines the industry's DRM efforts.

    We need open content in open formats. Content that you can legally view on your computer, no matter what software the computer is running. We don't need content that can be viewed only because law enforcement, copyright holders, and patent owners seem to look the other way.

  8. Re:Is Firefox ready? on Firefox Seeks Full Page Ad in New York Times · · Score: 1

    Firefox will only get a single shot with most users. If they download Firefox and have any problems with it at all they will go back to IE and never consider Firefox again.

    Not if IE is constantly touted as insecure in the media. Quite a few people begin to understand that security is a tradeoff, some feel that they need a different tradeoff than the one which IE represents.

    However, this climate might change soon because people might no longer buy into that "we need a secure browser" hype. So pushing Firefox at this point is not necessarily a bad strategy.

    And who needs widespread Firefox adoption, anyway? Are there many sites that are IE-only on the public Internet? It's the proprietary add-ons (like Flash, Real Media, Windows Media etc.) that concern me the most, and Firefox doesn't make a difference in this area.

  9. Re:The Blackberry is not a Linux device on Microsoft Advised To Learn To Love Linux · · Score: 1

    But Research In Motion's Blackberry is not any kind of free-software platform. It runs yet another proprietary operating system, requiring (at the moment) proprietary development tools. It has nothing to offer over Windows CE (except possibly quality of implementation).

    What's worse, it's extremely unlikely that everyday word processing and spreadsheet calculations move to small devices such as the Blackberry. For writing letters, you really want to have a decent keyboard, and for spreadsheets, something that is larger than a 5" screen is probably a very good idea as well.

  10. Re:Nothing to do with incrimination on New Fee For Internet-Capable PCs In Germany · · Score: 1

    While the part you quote is quite insightful, saying it's per device is still incorrect or at the very least extremely easy to misunderstand.

    The fee actually is per device, but there are many exceptions. I think you have to register all devices nevertheless.

  11. Re:Nothing to do with incrimination on New Fee For Internet-Capable PCs In Germany · · Score: 1

    This is only correct if you have no income of your own. The fee is not per household (or per Internet connection), but per device.

    Any source for that information? AFAIK, it *is* per household.

    Read the Rundfunkgebührenstaatsvertrag:

    An obligation to pay the broadcasting fee under sentence 1 also does not exist for additional broadcast reception devices that are kept ready for reception by persons who live in a shared household with the broadcast subscriber and whose income does not exceed the basic standard rate of social assistance.

    So it's the same household and no substantial own income. But you still have to notify the broadcasting corporation that you own a reception device.

  12. Re:preemptive incrimination... on New Fee For Internet-Capable PCs In Germany · · Score: 2, Informative

    if the government does not interfere with broadcasting at all, you get a media environment like the US, with lots of channels competing for consumers' and sponsors' attention. The result? Ads targeted at kids, news coverage that imposes the sponsors' opinion upon everyone. Thanks a lot! As an American, this is what you should be upset about.

    But the German system has also failed in this area, at least in part. Especially ZDF has been very keen on entering cooperations with the private sector. Just think of Buhl Data GmbH, or the partnership with MSN and T-Online. Nowadays, you can't watch a game of football without being presented a short commercial for some alcoholic beverage (even though advertising is forbidden at that time).

    Both ARD and ZDF are guilty of some rather worthless programming, too.

  13. Re:Nothing to do with incrimination on New Fee For Internet-Capable PCs In Germany · · Score: 1

    The only people affected will be those who have a computer, but who don't have a TV. They aren't that many. I don't have a TV, for example, but my flatmate has one, and therefore I don't have to pay extra.

    This is only correct if you have no income of your own. The fee is not per household (or per Internet connection), but per device.

  14. Re:Why use a sattelite? on Movie Distribution Via Satellite · · Score: 3, Informative

    If the movie is stored on a hard disk, why send it via satellite? Just place it on an FTP server and be done with it.

    I think the basic idea is that the film is never stored completely inside the theatre, on any medium. If there's nothing to make a copy from, you can't copy it.

    General-purpose Internet is a bit too unreliable to work with just-in-time streaming, and extra-reliable Internet with guaranteed bandwidth isn't exactly cheap.

  15. Re:JPEG-2000? on Adobe Releasing New Photo Format · · Score: 3, Informative

    What about using the new version of JPEG, for 'digital negatives'?

    There are no royalties, no licencing, it has 2x to 5x the compression efficiency, and it's inherently multiresolutional.


    Actually, Adobe did a very similar thing: they took the TIF format (the industry standard for storing images with lossless compression) and added a few special fields, using the extension mechanism already provided by TIFF. As far as I can see, Adobe doesn't intend to charge royalties for DNG. It looks quite open -- even the DNG guide for manufacturers doesn't mention any licensing requirements.

    (Adobe's DNG web site is already online.)

  16. Re:Maybe on You Don't Know Jack about VoIP · · Score: 2, Informative

    Unless you're one of the unlucky who has to use a DSL provider which requires you to pay for a landline to get said DSL service. Then you're stuck in a bit of a pickle. Hopefully that will change, I seem to remember hearing about laws regarding that problem.

    In Germany, you can get a DSL line from the big telco ex-monopoly, and quality Internet service from a local provider. It's a bit like B-ISDN, as it was originally proposed (but, of course, without any bandwidth and latency guarantees), only with IP signalling (mostly PPP, and L2TP for inter-ISP links) instead of ITU protocols. The only downside is that you can't get that DSL line without a PSTN line. There are other DSL offers, but those are tied to specific ISPs.

  17. Re:Open Source on Arrest in Cisco Code Theft · · Score: 2, Insightful

    Also, even if Cisco did release the code for its routers, its architecture is so specialized that you need quite expensive machinery to even get it compiled, so it wouldn't enjoy the massive development base that Linux has.

    This only applies to actual packet forwarding. Other interesting IOS parts are routing protocol implementations (particularly EIGRP, but another industry-strength BGP implementation won't hurt, either), scalable tunneling support (in particular mass-termination of PPP and L2TP links), and fast forwarding decisions in software (mostly CEF).

    Even Cisco can't afford to build everything from scratch. Some software routing architectures are pretty standard designs with a PCI bus and a regular MIPS CPU (maybe a bit underclocked, but nothing really special). No, I'm not talking about Linksys. 8-)

  18. Re:not that complicated on Google's Math Puzzle · · Score: 1

    I'm not familiar with dnslog, and searches in google, apt-cache, and sourceforge all came up empty. It looks like a cool tool. Mind telling me where to find it?

    Currently, it's unreleased software, but you can find a draft technical report describing it (and some of its applications) on the site of my passive DNS replication project.

  19. Re:"marketingspeak" doesn't determine decisions on Is "Marketingspeak" Killing Technology? · · Score: 1

    Nobody buys products based on that. Any company looking at Sun will look past the "marketingspeak" and look at the product.

    Uh-oh, do you mean that Sun doesn't invite potential customer executives to expensive dinners, or arrange helicopter transfers to important sporting events?

    That indeed explains why they are failing in this market. The assumption that customers actually look at the product before they buy it is just so wrong.

  20. Re:That's completely untrue. on Open Source Security: Still A Myth · · Score: 2, Interesting

    Nearly every major security problem is fixed the day it hits the media.

    There are two ways to achieve that: control the media, or fix bugs quickly. 8-)

    Someone who discovers a bug in free software usually delays disclosure until the fix is ready. This creates the illusion of quick fixes, even though it usually takes two weeks or more to create a fix. (It's quite instructive to look at the time stamps contained in patches released by GNU/Linux distributors.)

  21. Re:Two things... on ZFS, the Last Word in File Systems? · · Score: 1

    1) Even Sun has succumbed to recursive acronyms, now.

    Maybe the specification was written in Z notation? This could explain the "provable data integrity" part, but more likely, that's just marketing hype.

    2) Is it just me, or is the post surprisingly bereft of unique details?

    According to the article, it's a log-structured file system. It's quite an interesting approach to file system design, but it usually results in poorer read performance than other file systems (write performance tends to be higher, though). However, it's excellent PR. From the article:

    "The cost of doing something like a checksum is no longer prohibitive. Burning a small percentage of the CPU to know that data is intact is a price that administrators would gladly pay," says Moore.

    Read: "Your new ZFS file system is a bit slow? -- It's part of its reliability, stupid!" (Moore is probably right about the checksumming because hard disk MTBF hasn't grown as fast as hard disk capacity.)

  22. Re:not that complicated on Google's Math Puzzle · · Score: 2, Informative

    Nice idea, except if you've only seen the billboard, how do you know it has anything to do with Google?

    Good point, but the Google hint just makes it possible to use a more selective index. It's not required, strictly speaking.

    If you haven't got this piece of information, you run into another problem: false solutions. It turns out that there is more than one ten-digit domain.

    For example, how would you know that this site is the wrong one?

  23. Re:not that complicated on Google's Math Puzzle · · Score: 1

    Interestingly, that's not cheating.

    I'm afraid it is. The data was collected from DNS packets flowing through various networks. If there's a match, it means that someone else has already solved the puzzle and queried for the domain name.

    Of course, you could get a domain list for .COM by other means (VeriSign's TLD sharing program comes to my mind). IMHO, this wouldn't qualify as cheating (or at least, not as much).

  24. Re:not that complicated on Google's Math Puzzle · · Score: 5, Interesting

    About 20 mins' worth of programming, and I'm not that smart. It ends up taking you to this page.

    This one is actually quite easy. We look for a particular host name in Google's address space. So let's try:

    $ host www.google.com
    www.google.com is an alias for www.google.akadns.net.
    www.google.akadns.net has address 216.239.59.147
    www.google.akadns.net has address 216.239.59.99
    www.google.akadns.net has address 216.239.59.104
    $ dnslog 216.239.59.0/24 | grep '^[1-9][0-9]*\.com.A'
    $

    Hmm, no luck. What about the /16?

    $ dnslog 216.239.0.0/16 | grep '^[1-9][0-9]*\.com.A'
    466453.com A 216.239.37.99
    466453.com A 216.239.39.99
    7427466391.com A 216.239.53.184
    466453.com A 216.239.57.99
    $

    Well, we have a candidate, and it is indeed the correct one.

    Once you have that domain name, you can search for more information.
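
The lookup in comment 24, as an added example that is not part of the original comment and does not reproduce dnslog (which the author describes as unreleased): a filter over passive DNS records that keeps all-numeric .com names whose A record falls inside a given prefix. The record layout `name type rdata`, the function name and the sample records other than the four shown in the comment are assumptions; the optional `digits` argument covers the ten-digit case mentioned in comment 22.

```python
import ipaddress
import re

# Constructed passive DNS sample ("name type rdata"). The numeric names in
# 216.239.0.0/16 are the ones shown in the comment; the rest are made up.
SAMPLE_RECORDS = """\
www.google.akadns.net A 216.239.59.147
www.google.akadns.net A 216.239.59.99
466453.com A 216.239.37.99
466453.com A 216.239.39.99
7427466391.com A 216.239.53.184
466453.com A 216.239.57.99
0123456789.com A 216.239.53.10
1234567890.com A 192.0.2.10
mail.example.com A 216.239.53.25
broken line
"""

# Same name pattern as the grep in the comment: digits only, no leading zero.
NUMERIC_COM = re.compile(r"([1-9][0-9]*)\.com")


def numeric_com_in_prefix(records, prefix, digits=None):
    """Return (name, address) pairs for numeric .com A records inside prefix."""
    net = ipaddress.ip_network(prefix)
    hits = []
    for line in records.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != "A":
            continue  # skip malformed lines and other record types
        name, _, rdata = fields
        match = NUMERIC_COM.fullmatch(name.lower().rstrip("."))
        if match is None:
            continue
        if digits is not None and len(match.group(1)) != digits:
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # rdata is not an IP address
        if addr in net:
            hits.append((name, rdata))
    return hits


if __name__ == "__main__":
    for prefix in ("216.239.59.0/24", "216.239.0.0/16"):
        print(prefix, numeric_com_in_prefix(SAMPLE_RECORDS, prefix))
```
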

  25. Re:QC is not an encryption tech on A Working, Quantum-Encrypted Intranet · · Score: 2, Insightful

    It's only safe against some physical attacks. Man-in-the-middle attacks are still possible because the quantum key distribution protocols offer only very weak authentication of the communication partners. When telling secrets, you want to ensure that there are no eavesdroppers AND that you are talking to the right person.

    The trouble with quantum crypto networks right now is that you either need a fully meshed network (unrealistic for most applications), or the encryption can't be end-to-end (and your favorite three letter agency can eavesdrop at the relay stations). Quantum cryptography is a poor choice compared to proven cryptosystems if you are after actual security (and not some PR or research funding).