Slashdot Mirror


User: Bostik

Bostik's activity in the archive.

Stories: 0
Comments: 114

Comments · 114

  1. Re:PC only on Fan-Made Space Quest Prequel Released · · Score: 4, Informative

    I just experimented with NAGI out of mere curiosity. Unpacked the zip of SQ0 to a separate directory and ran NAGI there. *poof* Instant jump to opening screen and on with the game. From the short experience it seems to be very true to the originals.

    As if I didn't have problems with my personal scheduling already. Damn.

  2. Analysis of a possible copycat trojan on What's Behind The Odd Data? · · Score: 4, Informative

    Intrusec posted an analysis of a single trojan they had dissected. It was posted both on BugTraq and Incidents, but the former had better formatting. Read the lengthy description here.

    It seems ISS pulled their information from Intrusec's report. As to the copycat nature of this trojan, Intrusec researchers believe this piece of code is not the real trojan but simply a good imitation, built on the information already discovered of the '55808' trojan and designed to match the known behaviour.

    Disclaimer: I just read the mailing-lists. This particular analysis was remarkably well-written, informative and therefore an enlightening read. Compared to the less informative reports seen about weekly, it was a real delight.

  3. An analogy of a farce? on My Visit to SCO · · Score: 1

    [...]to copy any features from AIX to Linux, even those features developed fully under the payroll of IBM, is copyright infringement.

    I may have figured out a good enough analogy for this. So far no such thing has come across my view, and I've been reading the story of this farce since the beginning.

    Suppose SCO was a building contractor. They build several houses and apartments, which they sell on. They are entitled to keep their original blueprints, in case they needed to build a set of similar houses in the near future. Families buy the houses and apartments and start to live in them. Over the years, they each find out that certain things need improvements - that could be the plumbing, or they could find out that certain cupboards are better off removed. They also go on to change the new and better windowing.

    Some 8-10 years later the contractor appears once again and announces they have absolute rights to all of the buildings and apartments. Hence, they also claim that all the modifications the tenants have made during the years are their property. Thus, the contractor requires all of the tenants to pay the contractor a set amount of cash for their right to still live in their homes and use all the modifications they have paid themselves for.

    If I were one of the tenants and even not the original buyer of the apartment in question, I for one would be infinitely pissed. The claims would be both unbelievably stupid and something that several laws would protect me against. I suspect there is something fundamentally awry in my analogy, so please enlighten me what I have missed.

  4. Re:Free Karma for reading the article. on Senator Pushes Bill To Limit Anti-Copying Schemes · · Score: 1

    For the short term, that is indeed a major thing. But there is a much bigger bomb clearly put forth. The first bullet-point, about half the way in to the article:

    [Bill] prohibits the Federal Communications Commission from forcing companies that make or sell PCs or digital video products to include specific copy-protection technology in them.

    Read that again. It is a clear "NO" to a common DRM stranglehold. When you can't mandate by legislation a certain scheme to be used, it really is up to the buyers. This forces variety, and by snowball effect, either the need to add support for dozens of different schemes (expensive as hell), or use none at all.

    Can you say "Palladium-free hardware"?

  5. Re:Some name suggestions.. on Microsoft to Clean Up Code · · Score: 1

    Upon seeing the article, I got an instant mental image. The group is supposed to oversee, in one form or other, the development and design of a secure platform.

    Security Oversight Strategy, or S.O.S. for short?

  6. Of visual fireworks on Game Originality: Any Left? · · Score: 3, Insightful

    Even at the cost of being a bit off-topic, I found one exceptionally insightful part in that editorial.

    [John Carmack] believes it won't always be necessary for programmers to pump out new engines for each successive generation of releases. This could mean that it might not be long until technical innovation is no longer a driving force in interactive entertainment - at least provisionally.

    I am personally eagerly waiting for this to happen in games. It has already happened in the niche area of computer demos. Just marching eye-candy and stunning visual effects on screen no longer gets the group anything more than a few yawns. The real works of art with concept and possibly even *gasp* plot get all the appraising - and for a reason. There was a time when computer demos pushed the limits and showed what quite rudimentary setups were capable of. I really, really wish the trend saw a comeback.

    Originality is, however, dangerous. It takes a certain kind of genius to design and devise a game with new ideas and a working plot. They are far and wide apart, which means that 99% of all the games will, for the foreseeable future, remain sequels of sequels and rehashes of the lowest common denominator.

  7. Re:Just wondering... on RIAA Plans Cyberwar Effort · · Score: 1

    And what's preventing my band from recording a new album, mixing it down, then encoding it out to mp3 to distribute on the internet...only to have RIAA BuzzKill(TM) delete them first?

    Ever considered that this collateral damage is what they might be really after? It has been speculated on several occasions that RIAA and their members are not afraid of Internet and P2P networks because of pirating, but because these media provide a means of content distribution that is NOT in their control.

    Remember, even outright cynicism is just another way of expressing optimism.

  8. Re:Sad State of Affairs on More on OpenBSD Funding Saga · · Score: 1

    Why should DARPA fund someone who proclaims that his goals are contrary to its Congressionally mandated goals?

    Because they care more for the results than brief flashes of fame, and doing otherwise would imply that they are buying the person's or group's silence. Freedom of opinion is no different here. A situation to the contrary sounds an awful lot like tyranny.

    Also, I re-read the article that stated Theo's opinion and quote. Let me extract the relevant piece here:

    Mr. de Raadt is no fan of the U.S. military at the moment. He calls the war in Iraq an oil grab. "It just sickens me."

    That is nothing more than a voiced opinion, and not even targeted at any single government-funded instance. As I understand that quote, it was directed towards the entire US Military, which only does what their elected leaders directly or indirectly tell them to. You are allowed to criticize your employer, who pays your wage; you are free to criticize your parents who happen to support you for most of your youth. You are also free to criticize the politicians you YOURSELF have voted for. If we are denied the right to voice criticism the minute we are getting paid or show support, there is no real freedom of opinion.

    It would be interesting to see what nations have tried to pull such a stunt off and what we remember of them from history.

  9. Re:A bit of infantilism in Forbes on Acadia Streaming Patent Contested · · Score: 2, Funny

    Actually, I found the ending quote of the article quite hilarious. A company that both provides and distributes porn flicks, saying "We don't need a partner for years and years."

    That must be just too accurate a description of their clientele.

  10. Re:M.U.L.E. had the best music ever on Salon on M.U.L.E Creator Dani Bunten · · Score: 1

    If you loved the original, you should enjoy the jungle aerobics remix as well. RKO has a huge selection of different remixes of nostalgic tunes. I just had to put the aforementioned remix on...

    For those in a hurry: this is the page you want to see. Get the remix from the page - I'm not going to put a direct link to the MP3 file on /.

  11. Re:.cab extractor for linux on Neverwinter Nights Update · · Score: 5, Informative

    Unfortunately the normal cab extractor does not work. That is meant for "regular" windows .cabs and it seems that Epic have their own .cab format. For reference, go read Happypenguin's current NWN comments.

  12. Re:What a joke on Linux Is Cheaper · · Score: 3, Interesting

    Whereas you indeed made several good points, there are some in which certain amendments might be in place.

    Remote Administration. Linux? X11 or VNC.

    Who in their right minds would ever do *nix remote administration on a graphic UI? In an environment like this, you have a separate test box with which you figure out and test all the things that need to be done. (Nobody rolls, neither in nor out, any modifications without first testing them.) Then you write a shell-script to accomplish this and put it up on a network-shared resource. As an admin, you have access to a uid(0) account (possibly other than root) on every box. In a simple command, you cycle through all *nix boxes and set the box to execute the shellscript at a given time. You only give the authentication passphrase to your admin key once, and ssh-agent authenticates you to every box without further intervention. All *nix boxes upgrade to new, tested setups automatically at the specified time. How do you accomplish this in a w32 network? And who would even need movies and/or multimedia for remote administration duties?

    Automatic Updates & Patching.

    I know personally people who maintain large corporate and university networks. They have a "local master" server that they use to mirror the updates. Once the updated packages are set on this box, all the client boxes are, again with short shellscripts or with automatic and timed events, set to fetch these packages and update to proper versions. Again, in an environment like you describe, no sane admin would ever allow machines to upgrade to untested versions. Automatic updates, directly from vendor's site would be a Really Bad Idea.

    And by the way, the only linux distribution that requires constant recompiling, is gentoo. But that is not meant for enterprise desktops but for individual power users' home boxes. There really are things like dependency-tracking and binary packages for linux. (Debian and apt-get spring first to mind...) I would suggest you do your homework a little better.

    The primary goal is not to individually administer all of the boxes, but set up batch jobs that do all the magic. Remote GUI may be nice when playing helpdesk but for real large-scale administration one should not even think about doing repetitive tasks over a remote display.

    For the record, I find the study hazy and preposterous as well. It provides no solid figures, only some executive summary numbers. However, I hereby tip my hat to you. You made a worthy post with several VERY good points and aspects people either overlook or forget.

  13. Re:Why FTP? on Web Enabled Spacecraft · · Score: 3, Interesting

    one would think that being able to SSH to it and having a command prompt

    Did you give that thought any consideration whatsoever? SSH2, while a secure and neat protocol, is not the leanest you could do. Try to think about it. We're talking about a control channel to a moving, non-terrestrial body with probably not too many CPU cycles to spare.

    To establish an SSH connection, both the client and server need to exchange public keys. After that, they need to negotiate the session key(s) over public-key cryptography. This alone is slow. Then, to have any kind of real control, the latency between SSH endpoints needs to be rather small. The symmetric encryption wouldn't take that many cycles, so I'm leaving that out of the equation.

    So while FTP sounds like a really weird and unorthodox solution, it is after all a trivial protocol to transfer sets of batch commands.

    USER control
    PASS *********
    PUT batch
    QUIT

    Just a thought...

  14. Re:Looking a Gift Horse in the Mouth on RealNetworks Releases Helix DNA Producer Source · · Score: 3, Interesting

    I really don't understand why a large number of the comments here are negative. Simply stated, Real has released a significant piece of software under what appears to be a free/open source license (The RPSL has been submitted to the OSI for certification).

    I have to agree with you. I'm just reading RPSL and it's not a bad license. Okay, it's not a license to grant complete freedom, but it is certainly a good way there. Basically, Real wants to make sure they have control over the Helix engine, and in response grant any and all OSS developers access to the source. To retain control, they require changes incorporated to the engine made public under the same license.

    The best catch, I think, is the requirement to release the software that uses Helix engine under a compatible license. In effect, the RPSL license says two things:

    1. If you change the engine, you must submit the changes back BOTH to the community and Real.
    2. If you use Helix in a product, you must release that product under a compatible open-source license. That license does not need to be RPSL. (I suspect they are mostly thinking about GPL and other licenses that are close to its nature.)

    And for commercial developers there is the RPCL that requires only the modifications to the engine released. If the Helix engine is good enough, it will be used. Real will stay in the game, with their streams usable by OSS folks and, hopefully, in return getting both increased use and improvement modifications to Helix.

    Better coverage => more users => more sales of Real's streaming technology to companies providing streamed content => more incentive for end-users to use this technology. I may have missed something, but what is it that makes all of this so wrong? Heck, with this license there is nothing that prevents the OSS developers from making a capable player that has *no* spyware or other annoyances usually associated with Real's end-user products.

  15. Re:Machinae Supremacy on Amiga/C64 Retro Radio Station · · Score: 2

    Yep, their playing and sounds really appeal to retroists :) I even made an audio CD out of the vorbises, so I would have something different to listen to while driving. Evidently, my girlfriend's little brother fell in love with the music when she was visiting her family back home - and asked if he could keep the CD. Well, I can always burn a new one. At the same time, I might have given the band some new listeners. Her brother will, undoubtedly, play that cd to his friends...

    Their appearance on this year's Assembly was one of the reasons I organized myself a ticket there. Sure, when live, they play louder and much more aggressively than on those downloadable versions but it was a nice gig no matter what. Too bad their vocalist put too much force in his performance after the (second of third) encore that he snapped a string from his electric guitar. I never got to hear Anthem Apocalyptica live :(

  16. Re:C64 audio on Amiga/C64 Retro Radio Station · · Score: 2

    Phew, thank $deity that this news item didn't appear too much sooner. Just last weekend I ordered three records from Chris's site. Lucky me, I have all the chances of actually getting what I wanted. I quite expect his stock to drop to zero after you mentioned c64audio.com in here.

    The shopping cart system c64audio.com runs uses some nasty IE-specific javascript tricks. It won't display correctly (or virtually at all) on Mozilla or Opera. Being a linux user, this was somewhat problematic. When I mailed about this, Chris was very responsive and helpful. He told me to disable javascript entirely and go directly to this page in order to see what his shop has to offer. After a little education about PGP and link-hunting, I was also able to send him my credit-card details and my order encrypted. Yes, GPG is all fine and good (I use it), but it still lacks a solid, out-of-the-box integration to w32 mail clients. As I understand it, Chris is a computer-literate person but not a techie.

    Incidentally, if anyone happens to know a nice free software shopping-cart system that runs on IIS and can access and use Worldpay's brokerage system, Chris would love to know about it. I tried to find one, but it seems very few shopping cart packages actually interface with Worldpay. It would be so good to get c64audio.com usable and accessible to all users. As the situation stands at the moment, that functionality bug may cost Chris quite a many customers. Given the selection of retro spirited records there is rather impressive, it's a shame.

  17. Re:not exactly e-mail forwarding... on E-Mail Forwarding Patented, PTO Sued · · Score: 2

    ...rather, this looks like some sort of (centralized) email-address registry which can be accessed by e-mail clients/servers to look for a more recent version of an out-of-date e-mail address.

    Say hello to Mr. Spammer.

    After this "innovation", the spammers can look forward to having much better delivery rates. No need to buy the up-to-date addresses from harvesters, they can just have one collection of addresses and rely on this kind of service to deliver their load.

    Not only does this sound like a no-innovation, it smells like a big no-no in practise too. Those who want to mail me, should have my current mail address anyhow.

  18. 'Zilla this, 'zilla that on Godzilla Getting Ready to Stomp Mozilla? · · Score: 2

    As others have pointed out, the suffix 'zilla' has entered common speech. Kleenex, Xerox, Hoover, ... - Well, it's not the first one.

    Didn't Maxtor just name their gigantic hard drive Drivezilla?

  19. Re:Since its only a build issue... on OpenSSH Package Trojaned · · Score: 2

    Yes, you are right. However, this assumes that the GPG signature has been made on some other box than the one which hosts the tarball and .sig. In order to modify those files, the attacker has naturally gained root. And as we all know, there's pretty much nothing that a user with root can't do.

    Root account does not yield magical powers to crack the encryption protecting the private key. Nonetheless, if those signatures are generated "locally" on the hosting box, there is a small probability of a very nasty surprise. Can you say keylogger?

    Sure, I'm paranoid. But am I paranoid enough?

  20. Re:203.62.158.32 on OpenSSH Package Trojaned · · Score: 3, Informative

    But in this circumstance, I don't believe it is the case. The trojan connects to port 6667, which is usually ircd. Outgoing connections to irc servers are not exactly uncommon in those boxes that run any kind of flavour of *nix. Hence, it's not a connection that really attracts attention by itself. It looks like a connection to a stand-alone ircd in netstat reading. Also, because irc is such a common service to use, the firewall setups are likely to allow this through.

    The other end of that connection, however, was more than likely running something totally unrelated to irc. After all, the connection itself is somewhat like a backward rsh. (I believe it actually bears the name "bindshell"...) This was a very basic case of trojan: install a backdoor that calls home and allows to execute commands remotely.

  21. Re:Since its only a build issue... on OpenSSH Package Trojaned · · Score: 3, Informative

    This was just one type of trojan. Some others could go dormant for several hours before contacting the world outside. Simply "building the binaries with plug off the wall" is not a solution. It's a knee-jerk reaction and still at fault. The correct way is to check the package against an MD5sum or (preferably) GPG signature - and if possible, these should be at a different machine on a different network from the tarballs.

    On the other hand, just looking at the trojan source quickly, it looks very much like a slightly evolved version of those found in irssi, BitchX, dsniff and fragroute configure scripts. This has already been noted by some other individual here as well. See his post for links.

  22. Re:So Pleased on Debian GNU/Linux 3.0 Released · · Score: 4, Interesting

    Yes, I have been following Gentoo a bit as well. A friend uses it, and has fallen in love with the idea of having hugely optimized linux binaries. I gave it a thought - having something like ports/portage for Debian packages would indeed sound good.

    Then I came across this: apt-src is in the making. Imagine Debian's package and dependency system combined with ports. Instead of doing a dist-upgrade for binary packages, you would have the choice of doing the same thing, but automatically from source debs. This is already possible for individual programs:

    apt-get -b source $package
    does just that but doesn't do recursive builds. It only builds that particular package. Having all the build-dep packages built as well, that would indeed make a difference. Over time, it would allow to incrementally optimize all of the packages.

    Personally, I'm thrilled.

  23. Re:Some security! on AT&T Concerned About H2K2 · · Score: 2

    They have to take special precautions since there's some conference? What about the rest of the year?

    My thoughts exactly. This gives me the bad feeling they are enforcing their security policies only because having yet another "breach" would be really bad PR. But why aren't they enforced all the time as rigorously? Costs. It costs both time and money to go through the entire protocol, not to mention the additional cost of properly training the employees to follow these rules.

    I'm actually willing to bet some beancounter added 2 and 2 and came to the conclusion that having that much bad PR would cost the company more than enforcing the security policy strictly for a few days. Anyone care to guess how many days it takes for the situation to return to "normal?"

  24. Re:I remember... on POV-Ray 3.5 Rendered · · Score: 2

    Yes, I remember when I found out about Pov-Ray. It was version 3.0 something, fitted on a single floppy disk mounted on the cover of PC-Format. The cover art was Mike Meyer's awesome render of a malicious jack-in-the-box riding a roller coaster.

    At that time I was using a sluggish 386SX-16. I still got hooked to ray-tracing, even if it took ages to get even a low-quality sample render done. Nowadays, with GHz processors, the best renders still take days to finish. Only the amount of detail and polish has risen to obscene heights.

    When it comes to Moore's Law, I remember seeing a nice comment about CPU speeds and Pov-Ray: Personal computers are fast enough when one of them is enough to render a complete movie in real-time, using POV. Considering that animation studios use huge render farms and more optimized renderers, we still have a long way to go :)

  25. Re:Back-Handed Compliment on Linux To Run Sherwin-Williams Cash Registers · · Score: 3, Insightful

    I noticed the same quote, but consider the wording used...

    [...] nice, low-cost platform for doing kind of everyday computing.

    So in effect they are saying that they consider Linux ready to be used wherever you need a good, stable and reliable platform to run their applications. Now, isn't this kind of everyday computing just the thing that most users do at home?

    I think that quote is indeed very nicely put. It may even prove valuable.