All I see here is it's different. In a production environment (one in which you may have different versions of the same OS), there is a certain benefit to having the utility work the same way. In one environment I was in as an admin, we had: SunOS 4.x, Solaris 5-8, HP-UX, DEC Unix, DEC Ultrix etc. By having the "same old grep" across the Solaris boxen, we only had to script for Solaris. Granted, it would be nice to have updated (and consistent) utilities across all platforms, but this is not always possible.
Example: DSS (US Defense Security Service) requirements as documented in the NISPOM MANDATE that each individual system be approved for the version of the hardware, software and operating system which is installed. This is done by the serial number of the machine (even down to the mouse). As a result, upgrading to the "latest and greatest" is not only a tedious task but is contra-indicated unless there is a tangible benefit. To expect a production commercial grade operating system to use something other than what is proven to work is to expect to break systems. It is not all that big a deal to default to currently used utilities, while providing a backward path (/usr/ccs in Solaris), the current path (/usr) and optional (/opt and /usr/local) paths to utilities in order to accomplish a goal.
As a result, lots of applications got written that implicitly required admin rights, accidentally or because it was the path of least resistance for the developer. As a result of that, people got used to work as administrators all the time on the newer systems (Win NT and later) too. As a result of that, there was less pressure to clean up the applications
The problem was not that:
people got used to work as administrators all the time on the newer systems
The problem was that, absent extra work, people had to run as administrators all the time. When I got my new laptop (WinMCE), I tried to set my user id as a local user. The system said "There must be at least one administrator". When I logged in as Administrator (the dual sequence) and tried to lower my user id to a local user, the system still said "There must be at least one administrator" (note that I was logged in as Administrator at that time). The only work around was to create yet another user. This meant that there were two (not one) administrative users defined (the first one with no password out of the box). A security conscious operating system, IMNSHO opinion, should not make this the default case. This not only encourages, but almost demands that the user default environment is to run with all available rather than only necessary permissions.
What do you think threatens the media industries' bottom lines more; fair use or unauthorized duplication and distribution?
The issue, as I see it, is not fair use. Rather, it is the attempt by the media industry to circumvent the "law of supply and demand". Perhaps it has changed, but the whole issue of swapping music was a response to the insane prices of media without the accompanying quality ($15-20 for a CD with perhaps 2 decent songs), coupled with the availability of technology to correct same.
If the media industry concentrated more on quality and fair price instead of targeting their customers (remember that someone had to buy the CD/DVD in the first place), then both profits and satisfaction would be there. Instead, you have a model where customers (not consumers) are expected to buy the same product multiple times in a situation where utilizing the product (in each format) simultaneously is impossible. The file sharing/swapping phenomenom(sic) is simply an offshoot.
And while we're on one-time pads (not technically ONE time), why don't any wireless encryption algorithms do this? When a device connects with the correct encryption key, exchange a 256-bit pad and communicate through that.
802.1x (WPA-Enterprise):
Provides for keys to be negotiated based on an exchange of PKI information (AH-ESP).
TKIP CKMP (WPA-Personal):
Provides for keys to be negotiated (and rotated) based on a pre-shared key.
Done.
No, I think you mean somebody running a page about the part of your life that you have made very public, with your name as part of the URL.
No, I think you mean "with your name as the PRIMARY part of the URL".
Any reasonable person would infer that this page was an official page of the candidate's campaign. By asking what is in effect a full year's salary in return for what he said was a volunteer effort, he indicated that his primary goal was not to elect Mr. Obama but to be a "paid" volunteer (non sequitur, anyone?)
Having taught many courses (including Solaris administration), might I also suggest that you get involved with your local LUG? By helping new users (and making notes of what they ask), you will get a feel for those things which are *obvious* to you (now..) but not to someone new to the *nix way (ie: the temporary files usually are stored in tmp not temp).
So how did you get technically proficient if you weren't a blithering idiot (but willing to learn) at some point?
Later on, you say:
"Idiot" is an unfair characterization. I'd say "blundering novice".
Trust me, there are some "blundering novices" in every organization. They tend to either learn from having their feet put to the fire, or they get out. That said, based on 30 years in the business, there are very definitely enough "blithering idiots" in the organization to make your life either interesting (best case) or damned miserable (normal case).
Because of the nature of my specific duties, I cannot simply hand off localized email filtering duties to "the email guys", hand off local IOS patching and vigilance to "the network guys", the Oracle and MySQL patches to "the DB guys", and etc
Hear, Hear!! When I worked as a sysadm in classified labs, it was my job to keep the network and its attached systems secure. While the company I worked for had a network group, they were only allowed to make changes that my team approved. This meant that we (I) had to keep up with what was going on. You slip up in these situations and, worst case, you jeopardize your security clearance.
It then gets boiled down to a pass-the-blame game consisting of: "the email filters should've been updated", "No, the firewall should've stopped it outbound", "No - the workstations should've been patched!"... Typical corporate culture prevents anyone from daring to say "I fucked up..."
Wouldn't it be nice to see that statement (or PC variants) come out on a more or less regular basis? The current "In retrospect, we may have made a mistake..." kind of leaves a strange taste in one's mouth:)
Some insight on Amateur Radio from a 20-year licensee. Ham operators tend to specialize (mine is disaster management). While it is nice to wish for a cell tower wherever it is needed in an emergency, it is extremely impractical. By contrast, I and my other Emergency Coordinators can set up a world wide radio net with batteries (or solar).
Google for "ARRL" and "Field Day" - we do this at least once a year, every year.
Google for "NDMS" (National Disaster Medical System) - we are intimately involved in each biannual drill.
Ask many of the national charities who sponsor walks, bike rides etc. - we provide radio communications for each.
Note that all of the operators are not paid for their time or expertise - we do this in payment for the spectrum we have been provided under FCC rules, intended for experimentation and furtherance of the art.
We, however, do not function as a kind of "chat room" - we in ARES and RACES (more google fodder) see what we do as a serious undertaking, one in which we spend thousands of $(your currency here) as a hobby.
When the tsunami hit in the Philippines, the first communications out was a team of ham operators who happened to be there testing long range communications. They stayed until relieved, relying on the equipment they had brought to tell the world what was happening (and pass on as many messages as they could). This was not a government (or NGO) funded operation, nor was it done with the availability of outside power. It was right place-right time. How can any government or company hope to be there with power and radio if the event is a surprise?
Cell towers already have battery backup, and some have generator backup.
This is true, but if the cell tower has no connection to the outside world, what good does this do?
IIRC, phone companies also have mobile power units as well as mobile cell towers with generators.
Again true, but they have to be able to connect to the PSTN in order for the CoW (Cell on Wheels) to function
The Federal Circuit has for a long time rejected the argument that it would have been "obvious to try," instead saying that it needs to be "obvious to do". (For example, it may be obvious to try to build a time machine, but that doesn't mean the invention of a time machine would be obvious.)
To be just a little more accurate, it would have been "obvious to try" this particular method in order to achieve the desired result.
The ruling in KSR seems to say that, building on prior art, it would not be particularly innovative to achieve the desired result (prevention of chafing wires) by substituting a fixed pivot point for a floating one. While there are any number of ways to avoid moving a wire (or bundle of wires) along an abrasive surface, that number is finite and each one would be obvious to one "skilled in the art" (as opposed to someone with no mechanical aptitude or common sense).
The bottom line in this ruling (and correct me if I am wrong) is that, for someone who designs any movable object with materials that need to be protected from normal wear and tear, there was no "AHA!!!" moment here.
6359880 - Does this look like a cellular network circa 1990?
We were doing this with Ham Radio (autopatches and APRS) in the '80s
The other two - "Enhanced" DNS? These (the second is a continuation of the first) simply describe how a particular address is resolved ie: data.vonage.com vs. voice.vonage.com.
If I am mistaken, feel free to flame me:)
If you and the vendor agreed on downtime before it actually occurring, it is no longer counted against system availability numbers.
From the vendor perspective (on-site maintenance manager for a multi-national bank), we insisted that certain downtime be scheduled (IBM 3800's are *very* picky about when they are fed parts). As a result, during the 18 months I was in charge of one of the 3 data centers, we only dropped below 7/9's one week. Neither the vendor (if ethical) nor the customer wants to see any less. We also insisted that if a scheduled down time period was delayed or cancelled, this would not count against the reports (thankfully, the DC management was clueful enough that they never asked).
If KP did not pay enough attention to the criticality of their environment, that signals a major problem at all levels of IT management.
In another case (small hospital chain), we had an ongoing problem with the UPS/Generator equipment (switch to backup w/o problem, switch back to mains - down). The DP Manager and I (as the tech specialist assigned to maintain the equipment) spent an entire week onsite just in case - no emergency callouts, no searching to find who to call. Why KP had no clue as to how this is done is troubling.
That's Lexmark's particular problem. If true, it shows how short-sighted they are. Even if you don't like Vista, you have customers who will use it, and if you choose not to support your printers on Vista, you'll see those users go to someone else who will. Not good business strategy.
HP found this out the hard way. Back when the original OfficeJet came out, my two operating platforms were OS/2 and Solaris. When the original died, I bought the upgraded OfficeJet+ (it cost just a little more than the repairs to the original). This was a WinPrinter (the *copy* function would not even work without Windows). It went back and I never bought HP again.
Now, if you inquire about Linux support, they point you at Sourceforge and *surprise* the driver for *almost* all HP printers has been released by Hewlett Packard Research and Development Labs (I disremember whether it is GPL or not).
But when you're trying to write documentation to hand stuff off to the next person, it is so much easier if what you have left behind is all similar to other stuff. It's just so much more maintainable, and easier to train the new guy in.
(emphasis mine)
Choice is great if you are a rogue cowboy developer.
Frankly, if you were not documenting the necessary items (you know, the stuff *you* forgot about why this path or that path) sometime close to when you were writing the application(s) you *are* a "rogue cowboy developer". When I left a job (I was the only OS/2 developer, creating applications which communicated with an IBM mainframe, a VAX and problem management systems located in customer locations), my (distributed/duplicated in 5 dispatch centers) took all of 5 days to completely cross over to the new programmer.
Let me take a stab at this (having been through it before). The current (and past) method of handling patents in the USA has been that methods and means as well as prior art are required to be disclosed fully when filing the patent application. This is why you see the words "Patent Pending". The basis for this is to prevent someone (in the USA) from inadvertently violating your patent while going through the process. Once a patent is granted, there is a rush to get international patents (except in those countries with reciprocal patent agreements).
"Prior Art" is specifically meant to disclose what previous patents were used in the development of your invention. This is due to a recognition that, in most cases, your idea was a (non obvious) extension of someone else's work (possibly in an entirely unrelated field).
In other words, as soon as the patent is published (again according to rules in the USA - not all countries), the full nature (with the exception of "Trade Secrets" - think Coca-Cola) is made available to prevent someone else from copying your idea. The purpose is not to prevent someone from inventing a "better mousetrap", it is to prevent them from inventing the same mousetrap.
That said, the current case is a perversion of the process, since the companies who are suing did not even try to invent and/or sell a mousetrap in the first place.
So as soon as they refuse something I insist on being escalated, either to the next level of support up or to their supervisor/manager. I'm not rude about it, but I am persistent. I also make sure that I have the person's name at the start of the conversation (full name, and if they won't give it I make a note of that), and inform them if they don't escalate me I will be mentioning that when I do get through to higher up.
When I have to go through first-level hell, I usually simply say my policy is to keep going up the line until someone says "why is this on my desk".
I also make sure that I have adequately done my job (ping the local router, ping the gateway, ping the provider's DNS servers, nslookup on the provider's DNS servers, nslookup on OpenDNS) and notify the first-level (located who knows where) that this is not something they can fix - it needs to go to network support. I also make sure to note that I have been on the front line and in regional and national support for 20+ years, and that I will work with them to solve the problem.
The major issue is that most help desk personnel have a checklist (reboot the modem, reboot the router, reboot the PC. Problem fixed? If no, escalate the problem).
When I have had to go this route, I have been known to tell first level "Okay, just answer yes to all the questions so that I can get to someone who will work with me to fix the problem".
Not to nit-pick (but damn, I enjoy nit-picking...)
Basically, the default behavior on any exception is to crash, and roll back any open transactions.
I certainly hope that this is not a CAD (Computer Aided Dispatch) - not CAD (Computer Aided Design) - system. Otherwise, the 10 year old reporting their mother's heart attack just got ignored.
There's just no way to recover from something unexpected, and still be able to guarantee that the next commit to the DB isn't going to fuck something up.
If you assume that each event is a transaction (event meaning a discrete communication), the rollback is appropriate. If in the real world you (correctly?) assume that each communication (Janie calls 911/911 op calls FD/911 op dispatches ambulance) is a separate transaction, a rollback does not result in a significant compromise of service. Therefore, a crash restart (if the restart is restricted to the thread handling this transaction) is not a bad thing.
If said crash restart not only rolls back the FD call, but also rolls back the initial call for the heart attack victim at the shopping center that was received at the same time, this could easily be a Bad Thing(tm).
If the current MSW2007 bug *only* affects the current document (~.7 out of 3 in the referenced report) that is one thing. If it affects the entire space (as opposed to the individual instance - I have had more than 5 documents open at one time to do cut and paste), this is more than a fail-safe.
I have described this behaviour as intentional, and have played it off as a feature
The way you phrased this says (at least to me) that upstream validation of incoming data from a (possibly) random source is *not* your problem. If the data fits in the field it goes. From where I sit, (Incident Response|Emergency Response|Disaster Management) systems must not drop any information which did not contribute to the failure of the system.
If the system chokes on data from *one* transaction (Bobby called to say he is on the sidewalk watching for the responders), the system must be designed to treat that as a single transaction, rather than rolling back any and all transactions/events that occurred within an arbitrary timeframe.
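The per-transaction isolation argued for above, as an added example that is not code from this thread or from any real dispatch system. It stages each constructed event (names, fields and the `process`/`run_sample` functions are my own) into a fixed-width record, rejects data that does not fit or fails validation, and shows the difference between treating each event as its own unit of work and rolling back the whole batch on one bad event.

```c
#include <stdio.h>
#include <string.h>

#define CALLER_MAX 16   /* fixed-width field, like a database column */
#define LOG_MAX    8

/* One incoming communication. Constructed sample data only. */
struct event {
    const char *caller;
    int priority;       /* 1 (highest) .. 5 */
};

/* The committed store. */
struct record { char caller[CALLER_MAX]; int priority; };
struct store  { struct record rows[LOG_MAX]; size_t count; };

/* Validate one event and stage it into a record. Returns 0, or -1 if the
   event is malformed. Data that does not fit the field is rejected rather
   than silently truncated. */
static int stage(const struct event *ev, struct record *out)
{
    if (ev->caller == NULL || ev->caller[0] == '\0') return -1;
    if (ev->priority < 1 || ev->priority > 5)         return -1;
    int n = snprintf(out->caller, sizeof out->caller, "%s", ev->caller);
    if (n < 0 || (size_t)n >= sizeof out->caller)      return -1;
    out->priority = ev->priority;
    return 0;
}

/* Process a batch of events.
   per_event != 0: each event is its own transaction; a bad one is dropped
                   and the rest commit.
   per_event == 0: all-or-nothing; one bad event rolls the batch back to
                   the savepoint taken on entry.
   Returns the number of rows committed by this call; *rejected receives
   the number of events that failed validation. */
size_t process(struct store *st, const struct event *evs, size_t n,
               int per_event, size_t *rejected)
{
    size_t savepoint = st->count;
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        struct record tmp;
        int ok = (st->count < LOG_MAX) && stage(&evs[i], &tmp) == 0;
        if (!ok) {
            (*rejected)++;
            if (!per_event) {           /* batch mode: undo everything */
                st->count = savepoint;
                return 0;
            }
            continue;                   /* per-event mode: drop only this one */
        }
        st->rows[st->count++] = tmp;    /* commit this event */
    }
    return st->count - savepoint;
}

/* Constructed sample: Janie's call, a malformed call from Bobby (priority
   out of range), and the fire department callback. */
size_t run_sample(int per_event, size_t *rejected)
{
    static const struct event sample[] = {
        {"Janie", 1}, {"Bobby", 0}, {"FD dispatcher", 1}
    };
    struct store st;
    memset(&st, 0, sizeof st);
    return process(&st, sample, 3, per_event, rejected);
}

int main(void)
{
    size_t rej;
    size_t c1 = run_sample(1, &rej);
    printf("per-event:  committed %zu, rejected %zu\n", c1, rej);
    size_t c0 = run_sample(0, &rej);
    printf("batch mode: committed %zu, rejected %zu\n", c0, rej);
    return 0;
}
```

In per-event mode the two good calls survive and only Bobby's is dropped; in batch mode the same malformed call throws away Janie's heart-attack report as well, which is the failure the comment warns about.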
I wasn't making an argument, I was giving a rationale. Schools simply do not have the money to retrain every single teacher who isn't really interested in learning in the first place. (emphasis mine)
Then the two questions that should be asked are: 1) why are they teaching; 2) why should my child be in their class in the first place?
I hate working for a public agency personally.
Then why do you not find another job? You do not help by being part of the problem. Run for whatever board controls your agency. Run for public office (if you can stand the stench). Write articles to your news outlets. Write letters to your representatives at all levels (with copies to your news outlets).
If the best you can do is explain the status quo, you are defending the status quo. Otherwise, work to change it.
The Apple (and presumably) BSD version of snprintf() always zeros the last byte. But even zeroing the end of the string doesn't avoid problems, because information has been dropped - unless the caller checks for it they will carry on, not knowing that half their string has just been discarded. It may be robust against buffer overflows, but it has a data corruption bug that can take a while to surface. And there is nothing like a large database with invalid data to cause nightmares.
I agree with you about the possible data corruption (there is nothing better than checking the input for validity before processing). I was just sending an off the cuff (smartass - me not you) comment about sloppy coding becoming endemic to the world of "point and click" programming, where the IDE takes the place of actually knowing why you are writing the program in the first place (hint: if you cannot define input (A), output (C) and the steps (B) to get from one to the other you are in the wrong place...trust me on this).
If programming was still taught as a science (when I started in HS 40+ years ago), rather than an art (if it looks right on the page it's good to go), we would not be seeing the vast number of exploits which depend on the user realizing that they have to look both ways before crossing the street.
As long as we expect computers to be used by people who can not be bothered to learn the dangers while refusing to take even the minimal necessary (IMNSHO) steps to protect them from said dangers we will continue to provide the opportunity for those who would take advantage to do so.
As long as we (as customers) permit software and hardware vendors to define what the acceptable level of quality is in products we pay for we will see more of the same, rather than the [increased productivity|decreased cost|security] (pick one or more) that we believe we can (and should) be seeing.
As long as we (as "subject matter experts") do not tell people loudly and clearly that EULA's that say "gee, we sold you an accounting package that is incapable of adding 1+1, but we told you there was no implied or explicit warranty that it would help you do accounting for your business or that it would follow basic accounting principles", we are PART OF THE PROBLEM.
[/rant]
Code that just does snprintf() and doesn't check the results is not vulnerable to buffer overflow attacks, but you can damage a string which can be used in other functions, so lead to trailing damage.
In the 'stricter' languages: Java, C#, Python, Lisp, you don't have buffers, you don't have buffer or array overflow. Life is simpler.
What happened to "Clear target, copy to size of target -1, set end of target to 0"? Even in the stricter languages there is no excuse for not doing your level best to prevent "out of bounds" events from happening in the first place. If things like that had been taught from the start, "buffer overflow" would not be a well known phrase.
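As an added example (my own code, not from the thread), the two sides of this exchange in C: `copy_checked` uses the return value of snprintf(), which reports the length the full output would have had, to tell the caller that data was dropped instead of silently keeping a prefix; `copy_bounded` is the "copy to size of target - 1, set end of target to 0" pattern written by hand, which never overflows but only reveals the loss if the caller compares the returned source length against the buffer. Function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity dst_size) via snprintf and report truncation.
   Returns 0 on success, -1 if src did not fit; on -1 dst still holds a
   NUL-terminated prefix, so the caller decides whether that is acceptable. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    /* snprintf returns the number of characters the complete output would
       have needed, not the number written: that is the truncation signal. */
    int needed = snprintf(dst, dst_size, "%s", src);
    if (needed < 0)
        return -1;                      /* output error */
    if ((size_t)needed >= dst_size)
        return -1;                      /* output was cut short */
    return 0;
}

/* The manual bounded copy: at most dst_size-1 bytes, always terminated.
   Returns strlen(src) so the caller can detect loss by comparing it with
   dst_size; without that comparison the truncation is invisible. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return n;
    size_t to_copy = n < dst_size - 1 ? n : dst_size - 1;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return n;
}

int main(void)
{
    char buf[8];                                   /* 7 characters + NUL */
    const char *name = "Rumpelstiltskin";          /* constructed input */

    if (copy_checked(buf, sizeof buf, name) != 0)
        printf("rejected: '%s' does not fit, prefix was '%s'\n", name, buf);

    size_t len = copy_bounded(buf, sizeof buf, name);
    if (len >= sizeof buf)
        printf("bounded copy kept '%s', lost %zu bytes\n", buf, len - (sizeof buf - 1));
    return 0;
}
```

The point for a reviewer is that the bounded copy is the same as the snprintf case: both are overflow-safe, and both corrupt data unless the return value is checked at the call site.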
BSD is the thief and the thief does NOT get to complain about how the victim responds. If you break into my house I am not obliged to send you a polite letter first to ask you to please return my stuff, I send for the police, I do that publicly and if they wake up everyone in your street and haul you out in front of your neighbours in your Steve Jobs underwear while they go about reclaiming my possessions then all the better.
Let me make this a little bit clearer:
If you break into my house (and I am in a *good* mood), I will call the paramedics.
If you break into my house (and I am in a BAD mood), I will call the coroner.
In either case, you will probably make the morning paper if not the TV news.
The moral is:
Do NOT break into my house
I seriously cannot believe this. Why should the discussion focus on shooting the messenger? A developer was caught with his pants down infringing on copyrights.
And the code in question was committed to a public CVS repository.
Transparency on copyright issues is just as important as transparency on security.
And it serves notice on all who may decide to check the code out that there is a serious issue regarding licensing, so that they know to steer clear until the details are worked out.
The first mail was clear, diplomatic, complete, and explicitly offers to work out a deal.
Even though the spanking was done publicly, it was none the less deserved. Both communities have lost by the unwanted attention this flame war generated.
Not sure if it was patented, but in the 70's when I worked for IBM, all office extensions worldwide went through the "tie-line". This was a linkup that used the massive IBM internal global network to make calls, i.e. I call Tokyo from LA and the call never touches the PSTN apparatus. Indeed, it never left the building on anything other than data lines. The phones at the desks were plain old analog WE2500 sets.
Is this flaw in madwifi or madwifi-ng? If it is in madwifi-ng, which release(s) is/are vulnerable?