This is easy to do: check the MXes for the domain listed in the SMTP "MAIL FROM" command (not to be confused with the "From:" header in the email message itself) and reject the connection if the IP address of the connection doesn't match one of the listed MXes for the domain.
This is complete bullshit and far worse than what AOL is doing now.
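The MX check described in the first comment above, as an added example that is not code from either poster. The DNS data is constructed so it runs offline; the third case shows the usual objection to the scheme, a domain's legitimate outbound relay being rejected because it is not an MX.

```python
import ipaddress

# Constructed DNS data standing in for a live resolver (assumption: runs offline).
# MX records name the hosts that RECEIVE mail for a domain; the check below
# uses them as a list of hosts allowed to SEND mail for it.
MX_RECORDS = {
    "example.org": ["mx1.example.org", "mx2.example.org"],
}
A_RECORDS = {
    "mx1.example.org": ["192.0.2.10"],
    "mx2.example.org": ["192.0.2.11"],
    # A legitimate outbound relay for example.org that is not listed as an MX.
    "outbound.example.org": ["192.0.2.50"],
}


def mx_addresses(domain, mx_lookup=MX_RECORDS.get, a_lookup=A_RECORDS.get):
    """Return the set of IP addresses of the MX hosts for `domain`."""
    addrs = set()
    for host in mx_lookup(domain, []):
        for addr in a_lookup(host, []):
            addrs.add(ipaddress.ip_address(addr))
    return addrs


def mail_from_domain(mail_from):
    """Extract the domain from an SMTP 'MAIL FROM:<user@domain>' argument."""
    path = mail_from.strip()
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    if "@" not in path:
        return None  # null reverse path "<>" (bounces) or malformed
    return path.rsplit("@", 1)[1].lower()


def accept_connection(client_ip, mail_from, **lookups):
    """Apply the proposed rule: the client IP must be one of the MXes of the
    MAIL FROM domain. Bounces carry no domain, so they cannot be checked."""
    domain = mail_from_domain(mail_from)
    if domain is None:
        return True
    return ipaddress.ip_address(client_ip) in mx_addresses(domain, **lookups)


# Expected behaviour on the constructed data:
#   192.0.2.10   sends as @example.org -> accepted (it is mx1)
#   198.51.100.7 sends as @example.org -> rejected (forged domain)
#   192.0.2.50   sends as @example.org -> rejected, although it is the domain's
#                real outbound relay: MX records do not describe senders.
```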
Quote from the first article:
But if it is altered to work particularly in one device, with "value-added engineering," the modifier retains ownership of the changed portions, although it must sublicense a copy to Microsoft.
Hey, that's as viral as the GPL! We're almost winning!
.... it will be a while before the software catches up....
For the "interesting" software, it's just a recompile away. 64 bit computing is already the norm in high-performance computing. The huge address space is one of the strongest selling points of the RISC vendors. Mere performance isn't any longer.
The cultural changes of 64 bit computing (e.g. you can memory-map any file for reading it, and many of them) will take ages to materialize ubiquitously, however.
Having served on a committee that heard some of these cases come up, the RIAA generally asks that the school shut down the site, cut off network access, and turn over the student's name.
Fortunately, this is illegal in most countries. Why is a university permitted to share the identity of students with the RIAA in the U.S., by the way? (I doubt it would matter in this case, however. Most likely, these students were tipped off by an insider.)
Sharing with your friends doesn't pay. -- Your RIAA.
OpenBSD, which does not develop as many products as Microsoft, says only one vulnerability or hole has been found in its software in the past seven years.
Sarcasm aside, I believe the government is the only party (apart from Microsoft with its cash reserves) which can invest in secure software development at the moment, so this is a step in the right direction.
I'm sure the students are breathing a sigh of relief that it's only $97.8 billion...
Yeah, indeed. I think the RIAA approach is quite reasonable in this case (going after actual offenders, not pointing at ISPs, universities or CD-R owners), but they lost me when they mentioned the $150,000 figure. Maybe they can actually get that much damages under US law, but if they fight this through, they've created four martyrs, and that's not the signal they want to send (which should be something like "sharing with your friends doesn't pay off").
in the long run you can only counter terrorism by effectively countering it in the short run, regularly.
Na, reflection requires policy changes, and this is something you can do at once, even as a president.
In addition, I don't think reflection helps that much. Nothing will prevent bored, spoiled sons of rich Saudis from killing innocent people. Reflection might help if you suffer from terrorist acts committed by people you actually harm. I'd agree with you if the US faced car bombings by Palestinians or Burmese, but this is apparently not the case.
I have never seen evidence that giving up privacy actually worked effectively against terrorism. Giving up privacy provides IMHO a false sense of security.
In the short run, you can only counter terrorism by providing some sense of security, be it false or not. Terrorism is not just about killing people, but also about spreading fear. In the strictest sense of the word, anyone who questions the effectiveness of security measures fosters terrorism.
DRM in the free software spirit (on "Open Source DRM")
Both Linux (proprietary modules tainting the kernel) and GCC (the GNAT frontend can check for source code license violations) already include DRM. But these DRM systems are advisory, and not compulsory.
I think an advisory DRM system, combined with micropayment would be a nice thing, especially for free software. For example, your mail user agent could ask, "You are about to send this song to a friend. The artists suggest you donate them $0.50. Do you agree?". Too far-fetched? Maybe. But it's much more realistic than all the other DRM proposals I've seen so far.
Koetzle also said that IT professionals should work more closely with Microsoft and companies that write software for Windows to make sure computer systems are more secure, instead of blaming Microsoft for security breaches.
The funny thing is that when I offered cooperation, in particular in the resolution process of a new vulnerability (which requires a certain amount of information sharing and therefore trust, admittedly), Microsoft engineers were just too eager to point out that this kind of cooperation was not acceptable according to their company policy.
I don't work at a billion dollar company, so this shouldn't surprise me, but I'm told that this doesn't make much of a difference at all. As most companies nowadays do, Microsoft probably talks to company representatives about security issues, but only at a level in the hierarchy at which it's unlikely that the really pressing questions are asked (e.g. "how can I detect attacks on my infrastructure, exploiting that recent bug?").
The client from Debian/unstable seems to require quite a lot of CPU (40% of an Athlon XP at 1.2 GHz, downloading around 5 Mbit/s and uploading 14 Mbit/s).
Python is probably the bottleneck. What's your experience with other clients?
I get the package sigs verification, but do you really need to download your *software packages* from a secure server?
You mean using HTTPS? I see this mainly as a cheap option to get secure access to a central, trusted package repository. It's not as good as a whole package-signing infrastructure, but it's easier to implement.
What, are you kidding me??? All Debian .debs are signed and checked.
Only the initial upload by the Debian developer is checked. Subsequent downloads from the mirror cascade by the users are not checked, and users have to trust the integrity of the cascade (and DNS, and their network connection, and so on).
They claim to use APT. APT (as used in Debian) does not offer any security (neither package signatures are verified, nor can you use HTTPS for download).
Does anybody know if Progeny has resolved this problem, or just doesn't care?
Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?
If I were Microsoft, I'd simply offer free licenses for Windows 2000 to please these customers. Most of them will be thankful for this noble generosity, and won't notice that they have to buy Windows 2003 licences (or what's its name?) when they finally switch from NT.
I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee.
There is already a growing economy for trading vulnerabilities and exploits, both in the open and on the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.
But these companies are part of the problem, and not a final answer. For example, one company notifies their paying customers on the same day as they contact the vendor, and another one has published a self-contradicting policy and it's not clear what they are really doing. I don't think that's responsible (on the other hand, it's not responsible to publish most of the software that is used on the Internet).
Unfortunately, the reason the information was leaked is because CERT charges people to get early access to security problems like this...
Note that this isn't one of Slashdot's conspiracy theories. If you report something to CERT/CC for free, they sell it to their subscribers.
Unfortunately, this process is not defined in a way that is transparent for those who contact CERT/CC. I've seen conflicting reports regarding the question whether this sharing is mandatory or optional, implicit or explicit. Not surprisingly, the CERT/CC website is not very helpful:
We also send vulnerability information to others who can contribute to the solution and with whom we have a trusted relationship. In addition to vendors, this may include experts in the community, CERT/CC sponsors, and members of the Internet Security Alliance (including private sector organizations). We also send vulnerability information to sites that are part of critical infrastructures that we believe are at risk.
(From the CERT/CC FAQ.)
I've never liked the fact that CERT was more or less an exclusive security club.
CERT/CC is not an exclusive club. You can join via the Internet Security Alliance and get early access to vulnerability information (at least that is what the press reported when ISA was announced). As a result, quite a few people refuse to cooperate with CERT/CC these days.
Steyn Laubscher, Microsoft account director at Lowe Bull Advertising agency, says Microsoft is in the process of having Windows XP Professional and Windows.Net server 2003 evaluated by independent experts against the common criteria.
The result of this evaluation is that both products are not safe to use on the Internet and as a public terminal:
Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. [...]
Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment.
(Read it yourself.)
I think you just mean the uninteresting commodity software that can be shoved together using abstracted languages like C.
Actually, I was talking about high-performance computing. Many of these programs already need the 64 bit address space.
It's good to see that OpenBSD's magnificent PR campaign finally pays off.
Checking the integrity of the distribution by using the signatures on the Release file is being taken care of (from IRC):
Great news. This solves the "have to trust IP/DNS/mirror cascade" problem. Thanks.
(Meaningful package signatures are a tough problem because of autobuilders.)
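The Release-file scheme discussed above, as an added example that is neither from the thread nor APT's own code: it follows the hash chain from a signed Release file through the Packages index to the .deb, which is what lets an untrusted mirror cascade serve files the user can still verify. The repository data is constructed, the OpenPGP signature on Release is assumed to have been checked already (e.g. with gpg), and the SHA256 stanza layout is an assumption for this sample.

```python
import hashlib

# Constructed sample repository metadata (not real Debian data). Only the
# Release file needs to be signed; everything below it is bound by hashes, so
# a tampered mirror, DNS hijack or altered download fails the chain.

DEB_BYTES = b"!<arch>\nconstructed fake .deb payload\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


PACKAGES = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
).encode()

RELEASE = (
    "Origin: Constructed\n"
    "Suite: unstable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-i386/Packages\n"
)


def release_digests(release_text):
    """Map index path -> (sha256, size) from the SHA256 stanza of Release."""
    digests, in_stanza = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_stanza = line.strip() == "SHA256:"
            continue
        if in_stanza:
            digest, size, path = line.split()
            digests[path] = (digest, int(size))
    return digests


def verify_blob(data, expected):
    """Check both size and digest, as the index records both."""
    digest, size = expected
    return len(data) == size and sha256_hex(data) == digest


def packages_entry(packages_bytes, name):
    """Return the field dict of the stanza for package `name`, or None."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == name:
            return fields
    return None


def verify_download(release_text, packages_bytes, index_path, name, deb_bytes):
    """True only if Packages matches Release and the .deb matches Packages."""
    expected_index = release_digests(release_text).get(index_path)
    if expected_index is None or not verify_blob(packages_bytes, expected_index):
        return False
    entry = packages_entry(packages_bytes, name)
    if entry is None:
        return False
    return verify_blob(deb_bytes, (entry["SHA256"], int(entry["Size"])))
```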
Warning: Too many connections in /usr/local/psa/home/vhosts/madpenguin.org/httpdocs/mainfile.php on line 28
And it's the site of the submitter. His hoster will probably have a word with him. Ruin your day. Submit a story to Slashdot.
... Bach's polyphonic works for inspiration when I design programs.
My colleagues are horrified. Have you ever tried to change a couple of notes in a Bach fugue, and preserve the integrity of the whole work?
10Gbps Ethernet already exists.
Yes, but it's a pure marketing term. I haven't looked at the standard, but it's clear that it won't use CSMA/CD, so it can't be like Ethernet, really.
So Windows is indeed certified to be hacker-proof, unless you connect it to the Internet, or the hacker is unwilling to cooperate.
Overclocking is probably already illegal under the DMCA.