I welcome the day when we no longer have security bugs.
Look how this group defines a security vulnerability. According to this one, there are no security vulnerabilities.
For the purposes of this process, a security vulnerability is a flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy.
There are a few publicly available systems with documented design and security policies, but it's explicitly stated that the security assumptions only hold when the system has cooperative users and is connect to a trusted network (better yet, no network at all).
Exim has the same bad monolithic setuid-root style design as sendmail and even more useless (for the majority of people) features. It is a big messy pile of bloat code.
The code is very well-written and and properly commented. Something you can't say about qmail. It's extremely suprising that DJB's software has so few bugs, given that it's basically unmaintainable.
Monolithic MTAs have one advantage which is extremely important for most users: much, much better debugging facilities to test configurations. For example, it's possible to run relay checks against a new Exim configuration without actually activating it.
qmail is used by more people than exim, yet fewer bugs (and in particular security problems) have been found in it.
qmail is unmaintained software, and it isn't totally bug-free (in particular the documentation that ships with the sources omits a few critical details). But given the source code quality, I wouldn't want to touch it ever again if I were the author.
If you don't want to use Exim because of your religious beliefs, you should use Postfix, not qmail. You can live with qmail if you invest plenty of time and are an experience C programmer. Using qmail certainly contributes to your job security. But this makes qmail an extremely poor choice for small shops.
(And don't forget that qmail lacks so many features that you have to use helper programs such as procmail, with quite a questionable security record!)
The Fact is that a properly configured PC router is going to be faster than a special purpose cisco box simply beause you can throw more hardware at the problem for less money.
Given that there a Cisco boxes that can switch IP traffic at line rates that exceed the PCI bus bandwidth, I seriously doubt that PCs win at this end of the spectrum.
However, PCs typically have significantly more CPU power than low-end Cisco routers (which haven't got ASICs and other stuff to speed up routing decisions, either).
I doubt that they will recover. According to their current behavior, they are dying pretty fast: They spammed the local LUG, using key phrases such as "We invite you to explore this opportunity to grow your business." Yes, according to the headers, the message has been submitted from their own address space.
You can already buy Microsoft SFU (formerly called Interix), together with large parts of the GNU system. (Microsoft does obey the GPL and distributes the source code of those GNU programs.)
Diversity would mean that there is a healthy mix of signifigantly different sytems.
If this "healthy mix" included a vulnerable MS SQL server, you lost when Slammer hit.
The problem with diversity is that considerably increases maintainance costs and requires admins with multi-platform skills. In my experience, most admins have problems staying up-to-date with respect to their primary platform and learn all this new security stuff. What will happen if they have to follow, developments for, say, three platforms, Linux, Windows and Solaris?
Diversity is a very effective defense, of course, but it comes rather late in the list of things you should do to increase security. Diversity will not help you if you can't keep up patching your machines, for example. It will make things worse in this case because diversity increases the workload and leads to less patching.
Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL host, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).
Maybe Symantec employs a few smart people, but the company as a whole acts if it were a bunch of incompetent, parasitic morons. Symantec's predictions related network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
Let me repeat: Diversity of Windows installations caused so much pain in the case of Slammer. If all your machines are uniform, they are much easier to maintain.
And what is a heterogeneous network? One that uses IP, DECnet and IPX?
SCO published a nice timeline. The few arrows connecting Linux and their own intellectual property go into the wrong direction. If I were them, I wouldn't present this document in court. The dotted heritage line isn't very convincing, either.
But if it is, and you intend to assign all rights to the public, you had better make sure you get the patent in the first place, because whomever does get it, controls those rights.
Yes, of course, but in the case of patents, this costs quite a bit of money. As a result, hardly anybody will do this.
Look at the current case: There is no indication whatsoever that the company filing this "preemptyive patent" intends to donate the patent to the public, for example by issuing royalty-free licenses to everyone. They even talk about making money based on this patent.
This patent is meant to make sure the ideas remain in the public domain,
A patented idea is no longer in the public domain. Once patented, some party has a limited-time monopoly to comercially expoloit the idea.
and was only applied for so some money-grubbing pharmaceutical company doesn't do it and then turn around and demand money for the implementation of the ideas.
How can you infer this from the article? In the present case, the patent holding company seems to be quite intersted in the money-grabbing part, too.
Patents alone don't stifle innovation. They simply make sure nobody else is allowed to take credit for things.
Woah. Are you sure you know what a patent is? If you don't want that someone else takes credit for an idea, publish it, preferably in a well-known medical journal. No need to involve the patent system at all.
What's preemptive about this application? Any patent application is preemptive and tends to stifle research of others. If I read the article correctly, the patent holder doesn't even consider royalty-free licensing. So what's the big deal? Just another patent in the pharmaceutical sector which could ensure that developing countries won't have access to affordable SARS medicine in the future, should it become a widespread disease.
Contributors could just as easily state that they are willing to allow their work to be distributed under the GPL. This would not require copyright assignment.
In this case it would be up to the contributors to enforce the license. Few would have the time, money, and energy to do so.
To contribute to GCC, in fact, it is not enough that you GPL your code and give a license to the GNU Project. No, you have to ASSIGN COPYRIGHT of the code to GNU
This is a very good thing. It keeps the GCC license status simple and clear. Compare this situation to the Linux kernel where some parts are licensed under a self-contradicting license.
Furthermore, under the assignment contracts, the FSF is obliged to distribute GCC under a free software license. This provides some protection, should the FSF go crazy some day.
Yes, because we all know that nobody would ever leak classified research to a foreign government.
Actually, in the past, this was sometimes a good thing. It helped to keep things in balance and avoided the kind of unilateralism we see right now. Mutually assured destruction of two superpowers is indeed frightening, but it naturally restricts what one side can do to piss off the other.
In addition, we shouldn't dismiss the possibility that classified research is disclosed to allied foreign scientists on purpose. After some turns in history, your allies are your enimies, and suddenyl, you face a lot of trouble. This doesn't apply to foreign scientists only, even citizens can become crazy. What happens if some really, really rich person decides that if he or she cannot have immortality, mankind has no right to continue to exist either?
Sure you can. But you also have to remember that most backbone providers will not accept BGP advertisements smaller than/19 (32 Class Bs).
A/19 is a lot smaller than a former Class B subnet, and obviously, you can't filter everything longer than/19. For example, you simply can't do this in the former Class C swamp space.
Of course, in reality, the backbone providers are those who contribute most to the unnecessary growth of the routing table because they do not properly aggregate announcements.
Really? Why? With the method I propose, if you want to send email, it means you either have to control your own domain or use your ISP's mail relay. With what AOL is doing, you're forced to use your ISP's mail relay and don't have any other options.
It's reasonable to have a single mail relay (consisting of multiple systems, of course) to handle all incoming mail, and not to expose all internal mail servers on the Internet. (This is a very effective measure to prevent traditional open relays from popping up now and then.) To reduce load on the relay, you could instruct your internal servers to send mail directly to the listed MX records (not using the relay as a smarthost). In this situation, the internal MTAs cannot send mail to your deliberately misconfigured systems.
Such setups are quite common, especially among large networks whose operators do care about not providing unauthenticated mail relaying service. You're punishing the wrong people.
In addition, using multiple email addresses suddenly requires source routing if your proposal is universally applied.
Slashdot Mirror
Undoubtedly if the claim was that MS had included GNU code in their apps, people would automatically presume guilt
Incidentally, Microsoft obeys in such cases (Microsoft Services For UNIX contained GPLed technology at some point).
Does this mean that all undocumented behavior is considered a security flaw?
Quite the contrary. According to the definition, undocumented behavior is perfectly acceptable, even if it has obviously unwanted consequences.
I welcome the day when we no longer have security bugs.
Look how this group defines a security vulnerability. According to this one, there are no security vulnerabilities.
For the purposes of this process, a security vulnerability is a flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy.
There are a few publicly available systems with documented design and security policies, but it's explicitly stated that the security assumptions only hold when the system has cooperative users and is connect to a trusted network (better yet, no network at all).
Exim has the same bad monolithic setuid-root style design as sendmail and even more useless (for the majority of people) features. It is a big messy pile of bloat code.
The code is very well-written and and properly commented. Something you can't say about qmail. It's extremely suprising that DJB's software has so few bugs, given that it's basically unmaintainable.
Monolithic MTAs have one advantage which is extremely important for most users: much, much better debugging facilities to test configurations. For example, it's possible to run relay checks against a new Exim configuration without actually activating it.
qmail is used by more people than exim, yet fewer bugs (and in particular security problems) have been found in it.
qmail is unmaintained software, and it isn't totally bug-free (in particular the documentation that ships with the sources omits a few critical details). But given the source code quality, I wouldn't want to touch it ever again if I were the author.
If you don't want to use Exim because of your religious beliefs, you should use Postfix, not qmail. You can live with qmail if you invest plenty of time and are an experience C programmer. Using qmail certainly contributes to your job security. But this makes qmail an extremely poor choice for small shops.
(And don't forget that qmail lacks so many features that you have to use helper programs such as procmail, with quite a questionable security record!)
The Fact is that a properly configured PC router is going to be faster than a special purpose cisco box simply beause you can throw more hardware at the problem for less money.
Given that there a Cisco boxes that can switch IP traffic at line rates that exceed the PCI bus bandwidth, I seriously doubt that PCs win at this end of the spectrum.
However, PCs typically have significantly more CPU power than low-end Cisco routers (which haven't got ASICs and other stuff to speed up routing decisions, either).
I doubt that they will recover. According to their current behavior, they are dying pretty fast: They spammed the local LUG, using key phrases such as "We invite you to explore this opportunity to grow your business." Yes, according to the headers, the message has been submitted from their own address space.
Has anyone else seen this?
You can already buy Microsoft SFU (formerly called Interix), together with large parts of the GNU system. (Microsoft does obey the GPL and distributes the source code of those GNU programs.)
Any UBE supression scheme which generates more mail messages is a perverse idea. After all, we all want receive less irrelevant mail, not more.
Diversity would mean that there is a healthy mix of signifigantly different sytems.
If this "healthy mix" included a vulnerable MS SQL server, you lost when Slammer hit.
The problem with diversity is that considerably increases maintainance costs and requires admins with multi-platform skills. In my experience, most admins have problems staying up-to-date with respect to their primary platform and learn all this new security stuff. What will happen if they have to follow, developments for, say, three platforms, Linux, Windows and Solaris?
Diversity is a very effective defense, of course, but it comes rather late in the list of things you should do to increase security. Diversity will not help you if you can't keep up patching your machines, for example. It will make things worse in this case because diversity increases the workload and leads to less patching.
Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL host, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).
Maybe Symantec employs a few smart people, but the company as a whole acts if it were a bunch of incompetent, parasitic morons. Symantec's predictions related network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
Diversity is the only way out of this, long term.
Let me repeat: Diversity of Windows installations caused so much pain in the case of Slammer. If all your machines are uniform, they are much easier to maintain.
And what is a heterogeneous network? One that uses IP, DECnet and IPX?
SCO published a nice timeline. The few arrows connecting Linux and their own intellectual property go into the wrong direction. If I were them, I wouldn't present this document in court. The dotted heritage line isn't very convincing, either.
But if it is, and you intend to assign all rights to the public, you had better make sure you get the patent in the first place, because whomever does get it, controls those rights.
Yes, of course, but in the case of patents, this costs quite a bit of money. As a result, hardly anybody will do this.
Look at the current case: There is no indication whatsoever that the company filing this "preemptyive patent" intends to donate the patent to the public, for example by issuing royalty-free licenses to everyone. They even talk about making money based on this patent.
This patent is meant to make sure the ideas remain in the public domain,
A patented idea is no longer in the public domain. Once patented, some party has a limited-time monopoly to comercially expoloit the idea.
and was only applied for so some money-grubbing pharmaceutical company doesn't do it and then turn around and demand money for the implementation of the ideas.
How can you infer this from the article? In the present case, the patent holding company seems to be quite intersted in the money-grabbing part, too.
Patents alone don't stifle innovation. They simply make sure nobody else is allowed to take credit for things.
Woah. Are you sure you know what a patent is? If you don't want that someone else takes credit for an idea, publish it, preferably in a well-known medical journal. No need to involve the patent system at all.
What's preemptive about this application? Any patent application is preemptive and tends to stifle research of others. If I read the article correctly, the patent holder doesn't even consider royalty-free licensing. So what's the big deal? Just another patent in the pharmaceutical sector which could ensure that developing countries won't have access to affordable SARS medicine in the future, should it become a widespread disease.
QoS is the key. You can make voice work in a very congested link if you turn the right knobs.
This is usually much more complicated than just increasing the bandwidth. 8-(
yeah, my friend has one of those. Runs Linux on it and everything.
Is the Linux power management able to guarantee extended battery life?
I'm still looking for something which can run Linux, has mass storage, can run Emacs confortably, and can run without reload for 5 hours or more.
So NIE....(in German, pronounced nee, and means nothing, literally. It is the German word for "nothing".)....sounds like a great name!
Actually, it's a word for "never". This gives quite a new meaning to all your release schedules, doesn't it?
Of course, I'd prefer something like MINIE Is Not Internet Explorer.
Ever hear of a VPN?
Creating a VPN for the purpose of a single phone call is not practical at the moment. Not even close.
If you encrypt everything yourself, there's not much they can do about it, now is there?
Cisco doesn't sell IPsec-enabled IP phones, as far as I know.
Contributors could just as easily state that they are willing to allow their work to be distributed under the GPL. This would not require copyright assignment.
In this case it would be up to the contributors to enforce the license. Few would have the time, money, and energy to do so.
To contribute to GCC, in fact, it is not enough that you GPL your code and give a license to the GNU Project. No, you have to ASSIGN COPYRIGHT of the code to GNU
This is a very good thing. It keeps the GCC license status simple and clear. Compare this situation to the Linux kernel where some parts are licensed under a self-contradicting license.
Furthermore, under the assignment contracts, the FSF is obliged to distribute GCC under a free software license. This provides some protection, should the FSF go crazy some day.
Yes, because we all know that nobody would ever leak classified research to a foreign government.
Actually, in the past, this was sometimes a good thing. It helped to keep things in balance and avoided the kind of unilateralism we see right now. Mutually assured destruction of two superpowers is indeed frightening, but it naturally restricts what one side can do to piss off the other.
In addition, we shouldn't dismiss the possibility that classified research is disclosed to allied foreign scientists on purpose. After some turns in history, your allies are your enimies, and suddenyl, you face a lot of trouble. This doesn't apply to foreign scientists only, even citizens can become crazy. What happens if some really, really rich person decides that if he or she cannot have immortality, mankind has no right to continue to exist either?
Sure you can. But you also have to remember that most backbone providers will not accept BGP advertisements smaller than /19 (32 Class Bs).
/19 is a lot smaller than a former Class B subnet, and obviously, you can't filter everything longer than /19. For example, you simply can't do this in the former Class C swamp space.
A
Of course, in reality, the backbone providers are those who contribute most to the unnecessary growth of the routing table because they do not properly aggregate announcements.
Really? Why? With the method I propose, if you want to send email, it means you either have to control your own domain or use your ISP's mail relay. With what AOL is doing, you're forced to use your ISP's mail relay and don't have any other options.
It's reasonable to have a single mail relay (consisting of multiple systems, of course) to handle all incoming mail, and not to expose all internal mail servers on the Internet. (This is a very effective measure to prevent traditional open relays from popping up now and then.) To reduce load on the relay, you could instruct your internal servers to send mail directly to the listed MX records (not using the relay as a smarthost). In this situation, the internal MTAs cannot send mail to your deliberately misconfigured systems.
Such setups are quite common, especially among large networks whose operators do care about not providing unauthenticated mail relaying service. You're punishing the wrong people.
In addition, using multiple email addresses suddenly requires source routing if your proposal is universally applied.