Slashdot Mirror


User: DaveTerrell

DaveTerrell's activity in the archive.

Stories: 0
Comments: 57

Comments · 57

  1. Re:Not just Metallica happened... on Metallica Remains Silent · Score: 2

    Microsoft, on the other hand, got a lot of bad press, when Bill Gates commented that they would NOT give ANY money to any charities any time soon.

    What are you talking about? Microsoft gives huge amounts of money to charity. www.microsoft.com/giving/

  2. Re:A few thoughts... on Postscript: Who Owns The Hellmouth Posts? · Score: 1

    However, if it was just assumed that they wanted their stories told, that's treading on some very thin ice. Legally, it's probably OK, but I think that people are right in pointing out the serious ethical issues this raises. If someone were to tell me anonymously that they were sexually molested by their parents, do I have a right to put that in a book and publish it? Sure, there's probably no chance that anyone would be able to trace it back to that particular person, but would that person ever trust me with confidential information ever again? Probably not.

    Nice strawman, but I don't think telling you something confidential falls into the same boat as "posting to slashdot." Slashdot is an open community, and expecting words you post here to vanish never to be seen again is not reasonable.

  3. Re:Good first step on UPDATED: SGI B1 Linux Patches · Score: 1

    True, Linux can never be B1 (or any level) certified itself (neither can NT be C2 certified, contrary to Microsoft's marketing). It can, however be B1 ready, with all the features needed to produce a B1-rated system. Then, VA Linux Systems or Penguin Computing can produce and sell a truly B1 (or C1, for that matter) certified system. That would be a very nice thing to happen.

    As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.

    Orange Book criteria are completely obsolete. Read up on Common Criteria

  4. Re:Diversity will reduce the problem on Garfinkel Warns Of Linux Virus "Epidemic" · Score: 1

    Are we likely to see another "RTM worm" incident in the next year or two? Probably. Now that broadband 7/24 connections are on the rise due to DSL and cable modems, the percentage of unsecured hosts will rise. And with the increase in opportunity will come an increase in exploits. However, as the RTM worm incident showed, writing a good, well-behaved worm isn't as easy as it sounds.

    Haven't we already seen things like this? Remember the DDOS attacks on yahoo and friends? Those were mostly automated attacks, scanning for multiple vulnerabilities and attaching payloads.

    They aren't quite as automated because it's hard to write a fully self-distributing worm, compared to a simple boot sector virus. But with buffer overflows in almost everything shipped on linux these days (Have you upgraded your FTPD lately? Did your distribution turn on IMAPd again?) it's real easy to hit machines remotely and pop in an egg of almost arbitrary size. And if you're smart, you can use them for anything from pingflooding yahoo to voting for your entry in a $500 prize from x10.

    Of course, you could run audited code...

  5. Re:I don't get this, at all. on Jeff Bezos' Open Letter On Patents · Score: 2

    What you don't realize is that Amazon's one chance at profitability is to stay ahead of the people with a lot more money and a lot less innovation and geek-friendliness. Fast patents are a way to do this.

    Remember, so far they've filed one suit, against Barnes and Noble. Is that the company whose side you want to take? Try emailing the president of Barnes and Noble about their business practices, and see what kind of response you get.

    I think a lot of people are throwing the baby out with the bathwater. Jeff Bezos has shown he's willing to at least talk, and that's a heck of a lot more than anybody else. Let's see what comes out of this.

  6. Patent-free audio codec on Analysis: The Digital Millennium Copyright Act · Score: 2

    If you want to see a patent-free audio codec that should end up getting twice the compression of MPEG 1-2.5 Layer 3, check out the OGG Vorbis codec at http://www.xiph.org.

  7. Re:No rights? on Open Sourcing Windows Based Project · Score: 1

    blah blah blah.

    The GPL is all about users' rights. Users can copy software, users get source to software, users can redistribute software.

    Normal software is all about original developer rights. They can license it, they can declaim warranty, and they can charge you for upgrades.

    Other licenses vary (Sun's license is closer to the latter). BSD is all about all developers' rights. You can redistribute, you can extend in proprietary or nonproprietary fashion. You just have to give credit where credit is due (original developers). This last clause has been relaxed (not revoked) recently.

  8. License is irrelevant. on Open Sourcing Windows Based Project · Score: 1

    To a certain extent.

    Part of a distributed development process is distributed designing and distributed control. The more control you give up to the other developers you're courting, the more likely you are to gain more developers. Visibility is also important, of course, but people want to work on a project where they know they aren't just doing some corporation's work for free. So opensourcing the project means gaining momentum, notoriety, and more features in exchange for less control and giving up some intellectual property.

    The more free your code is, the more free other people will be with their code in response.

  9. Re:There IS a danger to the UDP on @Home Responds to the UDP Notice · Score: 2

    Consider a group basically everyone despises: white supremacists. If an ISP were to rise up, comprised entirely of Aryan Nation skinheads, and if their thousands of clients were to post every day their noxious personal opinions all over the web, there is a small but real possibility that some news admins would call for a UDP against the service. There is also the possibility that this UDP would go into effect, although no actual crime or harm had been committed, and the silenced participants were exercising their constitutional rights to free speech.

    There has never been a UDP invoked against any ISP for any action except abusive amounts of unsolicited commercial postings. Never. Nor will there ever be. If you think that could happen, you really don't understand the people who run Usenet at all.

  10. Re:Rules would allow BSD-licensed source, but not on More New Crypto Rules (UPDATED) · Score: 2

    Under this rule, code released under the BSD or MIT X license would clearly be OK. But what if the code is licensed under the GPL? Because the GPL sets forth a specific quid pro quo for developers who wish to use the code (to wit: the developer must reveal his own source code and give away his work), it would not be exportable under this rule. This would actually be a good thing, since it would discourage the use of the GPL -- a license whose express purpose is to hurt commercial developers. But some of the GPL "faithful" would doubtless not like it.

    Not true. The clause you cite CLEARLY states only "payment of a licensing fee... royalty...commercial production or sale". The GPL's restrictions would not trigger this clause.

  11. Re:Cool on More New Crypto Rules (UPDATED) · Score: 2

    It looks like someone in Washington is starting to realize the value of an open-sourced crypto. I wonder what made them think to include special considerations for OSS.

    Considering all the recent press being accorded to Linux and friends (there's been some trial in which it's been mentioned as competition to the largest company ever, as I recall, not real firm on the details...) I'm not surprised at all. Not EVERYONE in Washington is clueless.

    It's also worth noting that these rules are only in effect for 120 days, and will probably be at least slightly revised at that time. If anybody reading this has any say in the matter, perhaps addressing the issue of derivative open source works -- at least in the associated documentation -- would be nice. i.e., what do I have to do if I want to contribute crypto code to my favorite os (OpenBSD, that is...).

    All in all, a very positive step. Yay.

  12. Re:Chill out everyone... on GNU/Hurd Web Server Online · Score: 1

    Everyone seems to be ticked that this server is going slow... I think that's fair. It's still in beta (I'm pretty sure), and even if it weren't, it would be a very low version, somewhere around 1.0. Show me a box running linux kernel 1.0 that can withstand the slashdot effect. Hmpf.

    I know plenty of people who ran Linux pre-1 kernels on high traffic machines without losing them every time a couple thousand web hits clicked over.

    Of course, the HURD is apparently nowhere near even pre-1, so I guess that doesn't really apply...

  13. Re:Shouldn't be computer illiterate, though on Uncle Robin's Advice for Lovelorn Geeks · Score: 1

    I applaud this article, however, there is a danger in having a girlfriend who knows next to nothing about computers: they don't understand why you need to spend so much time behind the monitor. They feel a little alienated and somehow as if the computer deserves more attention than them. The author says that you should look for a woman that is willing to accept that you spend these long periods of time, but I can tell you that those are far and few in between.

    Enh. I disagree. My current girlfriend is a philosophy major currently working on her masters on her way to a PhD, and she knows next to nothing about computers. Her only email address is @hotmail.com, for chrissakes. :) But she does understand that I do things like read slashdot and news, IRC, and write code on a pretty regular basis, and she has no problem just walking up behind me and saying "okay, now pay attention to me." in exactly those words.

    The important thing here is to take that seriously.... :)

  14. Re:Intelligent... on Moderation Ideas · Score: 1

    Ugh. And let me say that I'd love the ability to fix that angle-P tag that got broken somehow. -dbt

  15. Re:Intelligent... on Moderation Ideas · Score: 1

    And what of the lurkers? Just because a person doesn't post doesn't mean they wouldn't make a good moderator.

    Actually Rob, how many users are there who haven't posted, but still read regularly?

    Well, I've made a grand total of about 8 posts in the last year, and I've gotten moderator status twice. (Karma is 6, I guess only making useful posts helps).

    Well, as long as I'm posting, I might as well make my own observations.

    • Metamoderation is good. Slashdot does have a bias towards linux and open source stories (and a bizarre fascination with that dead company Gateway bought out, but maybe Rob'll quit posting that... :). The moderation does need some sort of feedback mechanism. Though anyone who puts in too much negative feedback should be crosschecked, perhaps. As always, it comes down to a matter of trust.
    • I'd like to see some sort of personal scoring. I know it adds a whole new level of complexity to the database (Hey Rob, you do back this sucker up, right?) and it'll probably hammer the new machines right back into the performance pit they were in. Oh well. That's what you get for centralizing all the logic on one side. An NNTP interface would fix that, of course, but that would be a bear in and of itself. Perhaps I should dig my way into the slashdot code and do something about it myself. You know, submit some patches.... Though a posting mechanism would be harder. NNTP supports USERINFO AUTH though... but I digress.
    • Hmm. I had another point to make. What was it... Oh yeah. I'd like to see the unlimited moderation stuff. I think on the whole that would push positive comments up more, but more evenly. Some of us do silly things like advocate BeOS and OpenBSD, and being in the minority means we have fewer opportunities to moderate posts that make good points about our platforms that aren't otherwise moderated up. Yes, there's potential for abuse. Perhaps high-karma zero-complaint moderators (K1/K2?) could be handed this on an experimental basis....

    Just a few thoughts. Maybe we should hand out positive karma points for well formatted HTML (Check out my

    s!).

    -Dave, going back to sleep

  16. Re:And are the DOJ security experts? on OpenBSD, Security, and Theo de Raadt · Score: 1

    And, of course, it can be misleading to speak of a "secure operating system" - security is a property of the system as a whole. A Windows NT mail hub can store and forward a PGP-encrypted message without the contents of the message being any more readable, and an OpenBSD machine can be configured with open "telnet" ports and guessable passwords.

    And if the telnet ports are open, so what? Maybe a user account is compromised, but that attacker still isn't going to gain root. Compare that to Redhat Linux, shipping a remote root vulnerable imapd until the release of 6.0!

    No one involved with the OpenBSD project claims that it can be used by clueless people. In fact, quite the contrary. They encourage people to discover facts for themselves, educate themselves thoroughly, rather than providing simple cookbook instructions without understanding. Rather, the emphasis is on providing an operating system that is complete, secure, stable, and instantly usable for the educated user.

  17. Re:Security... on OpenBSD, Security, and Theo de Raadt · Score: 3

    I assume if OpenBSD puts such an emphasis on security, shadowed passwords would be a default setting which would have stopped the method you've outlined here. I'm amazed that the disgruntled system admin didn't use them, but that may go some way to explain why he was let go.

    This is not true. You can't directly get to a root shell like you can with single user mode (or, if single user prompts for a password, try lilo: linux rw init=/bin/sh --don't forget to umount /, then just reboot the machine, shutdown won't work) on linux. You can just pop in an install floppy and mount your / filesystem and edit the passwd file though. Physical access = root access. Shadowing the passwords doesn't change that, you can still edit /etc/shadow.

  18. Re:Put "10.1.1.1 adfu.blockstackers.com"in /etc/ho on Load Test the New Slashdot Setup · Score: 1

    Depending on your router tables, this may be a bad idea. If you use a default route and are on a ppp link (or forward it to another machine that does the same thing), it'll forward your query to 10.1.1.1 to your ISP, which may bounce all the way out to a major backbone before getting icmp unreach'd. In which case, it will spend another 4-5 hops getting back to you.. for a round trip of around 300ms.

    The correct solution would be to set it to 127.0.0.*, which is guaranteed to have a fast turnaround. Depending on your setup, you can spit back a conn refused right away, or 404 when it accesses your local webserver.

    Or perhaps you could investigate the 'reject' option to route? That's the "proper" way of doing it.

  19. AIM vs. Mozilla on AOL Jilts Open Source · Score: 1

    Could they do the same to Mozilla? A scary thought...

    The two really have very little to do with each other. TIK/TOK is a published spec to a private system operated by AOL. Mozilla, for all intents and purposes, is an independent opensource project that AOL happens to pay a lot of developers to work on. They can't simply announce that they're no longer going to support HTTP :)

  20. Re:This could be good for consumers... on Iridium Files for Bankruptcy · Score: 1

    If they end up going into bankruptcy somebody will get those satellites for a song. It might be possible for some company to offer the service at a reasonable price if they don't have that huge debt to pay off.

    The reason they're filing for bankruptcy is because they've gotten less than 10% of their planned number of subscribers. The reasons for this are varied, but they include greater competition from PCS and cellular phones, and the fact that the phones haven't been working well indoors.

  21. Stolen Humor on Feature: Good vs. Evil on the World Wide Web · Score: 1

    Wouldn't it be common slashdot etiquette to at least provide some sort of link to the people you're ripping off? I opened up slashdot this morning and felt like I'd just gotten another email forward from my aunt....

  22. Re:stereo tuners on Ask Slashdot: Affordable, Functional Audio Mixers? · Score: 1

    Now a question - why is it that everybody's been recommending mixers? What's the advantage of a mixer over a setup like mine (a component-based stereo system with some AUX inputs for the computer).

    The main feature is being able to play multiple audio sources at once and mix them (hence the name 'mixer').... Your stereo only lets you select inputs, not blend them.

  23. Re:Conjecture, etc. on Ask Slashdot: Cyber Patrol Censorship? · Score: 1

    There is no solution that will work for everyone. Not laws, not software, not rating systems.

    Yes, rating systems are voluntary, and they're imprecise. But they're a hell of a lot better than blocking software, if people would simply use them...

    Dave, off to look for that perfect world...

  24. too bad... on Government Wants to do Massive Internet Monitoring · Score: 1

    They could have called it the Federal Intrusion Detection and Operations Network, but nooooo....

  25. Re:Conjecture, etc. on Ask Slashdot: Cyber Patrol Censorship? · Score: 2

    There's a standard to do exactly that, it's called PICS. You describe the content in your page (nudity, violence, etc), and then the web browser can be configured with various filters.

    If you want to describe the content on your site easily, you can rate with RSAC, which gives you a standard baseline and spews out the appropriate PICS metadata for your web page, and you copy and paste it into your HTML document. Easy. And any loser on the internet can configure their IE or netscape browser (or anything else that's PICS compliant) to not let a user view content above certain levels without a password. Self-governance on both sides is the only way we're ever going to get anything reasonable around here, the filters have already proven to be extremely politically biased (some of them block the National Organization for Women, for christ's sake).