Slashdot Mirror


User: Florian+Weimer

Florian+Weimer's activity in the archive.

Stories: 0 · Comments: 999

Comments · 999

  1. Re:Also used by 'hackers' on CNN Says Chat Rooms Are a Haven for Hackers · · Score: 2

    The difference is that since IRC channels are basically public, monitoring them is both easier and no violation of civil rights.

    IRC channels are public, but you can only monitor a channel if its messages are routed through your server. The only reliable way to ensure this is to join it, and law enforcement people do not want to do this because it would announce their presence in the whole IRC network.

    Server access is another problem. Most servers are collectively administrated. Who shall be notified of the wiretapping effort?

  2. Not an OS/390 emulator on The Computer History Simulation Project · · Score: 4, Informative

    Hercules is an S/370 etc. emulator, it does not emulate OS itself. It's complicated to run recent OS versions on Hercules for legal reasons, the operating system is usually licensed to particular machines.

  3. 224 GB is nothing on Cray's New Solid State Storage · · Score: 2

    It's only a fraction of the RAM size of an average supercomputer. No wonder Cray isn't at the top of supercomputing anymore, it's basically a reseller nowadays.

  4. Re:2004 War Against Technologists on Life on The Net in 2004 · · Score: 3

    This is not funny. Not at all. The copyright industry is already indoctrinating children with its views regarding legal and illegal copying.

  5. Re:Proof on The Poincaré Conjecture has Been Proved · · Score: 2

    Gödel's Incompleteness Theorem does not apply to any set of axioms; the set of axioms has to be consistent and you must be able to express certain properties of the integers.

  6. Re:NAS Vendors Effected on Microsoft Tech Specs Prohibit GPL Implementations · · Score: 2

    I don't think this is targeted primarily at GPLed operating systems or the GPL in general. The prime target is Samba (the natural candidate for CIFS implementation). Obviously, Microsoft wants to enforce a license change to be able to use the Samba code in future versions of Windows.

  7. Re:Not just GPL on Microsoft Tech Specs Prohibit GPL Implementations · · Score: 2

    Microsoft seems to have just banned any open source or even free (as in beer) CIFS implementations.

    No, they just disallow strong copyleft. Licenses such as the zlib license which permit software hoarding are acceptable to Microsoft. Guess why...

  8. Are two different depths really enough? on 3-D Monitors From Actual Depth · · Score: 3, Interesting

    I doubt that you can achieve the same amount of 3-dimensional impression using such a simple approach as, say, a CAVE with motion tracking. For example, how do they display objects with surfaces orthogonal to the two LCD screens?

  9. Re:and how exacly would OS save them from this?... on Distributed Computing Program Hidden in Kazaa · · Score: 2

    how by being open source going to save millions of non technical user privacy?

    User agreements for Free Software do not include provisions which allow software manufacturers to spy on the users or misuse their computing equipment, otherwise it wouldn't be Free Software.

  10. This is a DoS attack on 1024-bit RSA keys In Danger Of Compromise? · · Score: 2

    This is an attack on the web of trust. The author is spreading FUD to fool people into revoking their keys. If everybody follows his advice, the web of trust is gone, and it will take quite some time to reconstruct it. In the end, revoking keys based on such unsubstantiated threats will water the meaning of key revocation as a whole.

  11. It's not just proprietary software on Ximian Connector 1.0 Available · · Score: 4, Interesting

    It's proprietary software with an extremely obnoxious license. Quote:

    4. Security: CUSTOMER understands and agrees that the Software contains trade secrets belonging to XIMIAN, and will take all reasonable steps to protect its confidentiality. CUSTOMER acknowledges that the Software is the property of XIMIAN and contains confidential information. CUSTOMER agrees that, other than to its employees, it will not provide a copy of the Software nor divulge any details of it to any person without the prior consent in writing of XIMIAN.

    This means that you must not talk about security problems in Connector with your hired security consultant. You can't even share information with other Ximian customers.

  12. Re:CD burning for Audiophiles on Most Outrageous Vendor Lie Ever Told? · · Score: 2

    Until a few months ago, audio CDs featured error correction codes which permitted reconstructing the original data stream even in the case of a few errors. The error correction information is not as verbose as on data CDs, but it is there, and if a CD is not mutilated, it suffices to reconstruct the correct data.

    However, some recording companies have started to deliberately place wrong error correction codes on the discs, to make copying harder.

  13. Isn't it the magnetic south pole? on North Pole is Leaving Canada · · Score: 3, Interesting

    The compass needle points with its north pole end to the geographic north pole. IIRC, you call this end of the needle its "north pole" and mark it with an "N". Therefore, the magnetic pole in the northern hemisphere has to be a south pole, magnetically speaking.

  14. Re:Um, no.... on theKompany's Shawn Gordon On The GPL · · Score: 2

    You mean it's not suitable for commercial off-the-shelf software, don't you?

  15. Re:Did you know who wrote OS/2??? on The Sad Parable of OS/2 · · Score: 2

    In addition, before the big IBM/Microsoft quarrel, the system now known as Windows NT was expected to be released as OS/2 3.0---with about the same architecture as NT, but of course featuring a Presentation Manager GUI and an OS/2 subsystem.

    Until NT 4.0, Microsoft still could switch to a PM GUI rather easily (and there was even a PM 1.x subsystem, complementing the OS/2 1.x subsystem).

  16. Re:Make sure you have the right FS on Hiding and Recovering Data on Linux · · Score: 2

    Older versions of ReiserFS didn't zero out the slack and nevertheless exposed it to non-privileged processes. Using ReiserFS for security in this context is a really strange thing to do.

  17. Re:"no reports of any exploitations" on Microsoft, zlib, and Security Flaws · · Score: 2

    I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.

    If you look at the zlib versions some vendors are shipping and compare it with the zlib ChangeLog, you'll discover that there is far more than just a potential risk ("fix array overlay in deflate.c which sometimes caused bad compressed data" and so on). Maybe these problems are finally addressed now, though (or the vendors have silently fixed these bugs themselves over the years).

  18. Re:Scan MS stuff for GPLed code on Microsoft, zlib, and Security Flaws · · Score: 2

    You can just look for data tables contained in the source code. These tables are rather invariant under compiler transformation, otherwise find-zlib wouldn't work. (Most vendors didn't bother to strip the copyright string, so this isn't really important in this case.)

  19. Re:hrm... on Microsoft, zlib, and Security Flaws · · Score: 2

    Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

    Not quite correct. Most vendors had several weeks to work on a fix. As usual, they were notified in advance, because of the potential seriousness of this problem (if it were actually exploitable).

  20. Re:notification issue on Microsoft, zlib, and Security Flaws · · Score: 2

    It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this.

    I don't believe this is true. Look at this list. Many vendors were contacted in advance, vendors of proprietary and free software. However, CERT/CC probably assumed that this is a pure UNIX vulnerability, and did not contact all vendors. (In fact, they should have contacted Microsoft nevertheless, because of Interix.)

    However, we can clearly see one thing (if you look at the find-zlib output): Most proprietary vendors do not update their copies of zlib at all. Previous versions of zlib had their problems, too, and yet the vendors didn't care, even though the software was still maintained. Probably they had already forgotten that the code came from an external source. Free Software projects are different here, I guess: New upstream sources are merged in a rather timely fashion.

  21. Re:notification issue on Microsoft, zlib, and Security Flaws · · Score: 2

    Some distributors have patched XFree86 to link dynamically against the system zlib.

  22. The draft is quite dead on Cure For Bad Software? Legal Liability · · Score: 2

    The authors assume that there is consensus regarding dealing with disclosure of vulnerabilities, at least in the industry, i.e. some limited information is published.

    However, this assumption is false. Have you ever read about a security hole in z/OS? Or SAP? Do you think these products are completely error-free?

  23. Does anybody remember Cairo? on Next Windows to Have New Filesystem · · Score: 2

    Cairo (NT's successor) was once announced to have this feature, with automatic indexing in the file system and so on. I don't remember the time it was supposed to be released. Was it 1997?

  24. Re:Didn't you ever see Dr. Strangelove? on U.S. Works Up Plans for Using Nuclear Arms · · Score: 2

    IIRC, NATO estimated that the Soviet Union would throw about one hundred nukes on Western Germany if a nuclear war started. The NATO plan for Soviet invasion of Western Germany suggested to throw about 110 nukes on the country. The difference isn't very important, though.

  25. Re:Full disclosure = annoying. on OpenSSH Local Root Hole · · Score: 2

    This is not full disclosure. Details on how to exploit this vulnerability have not been released yet. In fact, I wouldn't have thought that this off-by-one error is exploitable.

    Of course, this makes it more complicated to determine whether only authenticated users can exploit it. (I think so, because channel message processing starts only after authentication.)