Does no one realize that this ammount of retail cost to Microsoft is pennies in production cost? They're losing virtually nothing in this and it is a complete failure of the political system to prosecute them.
That doesn't mean that they don't lose money. If a business or individual that was actually going to pay for the software gets it for free, then Microsoft loses money. (Contrary to, say, an individual who steals it that was never going to purchase it in the first place.)
I agree. Bugzilla is overkill for most people. More features doesn't mean better product.
I tried out a lot of bug trackers, and I like Mantis the best. It is simple, yet has the features needed to get the job done. It doesn't take hours to setup like Bugzilla. The user interface is much simpler, so filing bugs and using the system isn't a huge chore.
However, in New Jersey (and possibly other states?), if you own a vehicle seen passing a stopped school bus, the bus driver can write down your license plate. The police then will send a ticket via mail to the owner of the vehicle.
There is a big difference between loaning some your cell phone and loaning someone your car.
That's in.Net Server 2003. The purpose is really to support newer blade servers. But it requires hardware support. The reason Windows never supported this in the past is because the x86 design didn't. Try to get your POST info off the serial port with Linux on an x86 machine.
Spews put FOUR CLASS A's on their list. That's right -- a quarter-million IP numbers were blocked because they didn't like the policies at four IP numbers.
Perhaps you meant class B's? Four class A's would have been 67 million. I doubt even SPEWS is that stupid. Wait, this is SPEWS we're talking about.
Actually, you can reduce the DNS query rate by continuously setting the TTL to about half the time until the switchover. For instance, 24 hours before the switchover, set it to 12 hours. Then keep decreasing the TTL until it's down to about five minutes. This way, you won't get a continuous flood of DNS requests during the day before the switchover.
Or you could use tinydns, which handles this automatically:
You may include a timestamp on each line. If ttl is nonzero (or omitted), the timestamp is a starting time for the information in the line; the line will be ignored before that time. If ttl is zero, the timestamp is an ending time (``time to die'') for the information in the line; tinydns dynamically adjusts ttl so that the line's DNS records are not cached for more than a few seconds past the ending time. A timestamp is an external TAI64 timestamp, printed as 16 lowercase hexadecimal characters. For example, the lines
specify that www.heaven.af.mil will have address 1.2.3.4 until time 4000000038af1379 (2000-02-19 22:04:31 UTC) and will then switch to IP address 1.2.3.7.
I did almost exactly this approach. It worked well for me until I discovered I wasn't allowed to use a mail server! The two broadband providers I have available are Charter Pipeline and SBC-Yahoo DSL, and they both ban mail servers in their AUP. So now I'm scrambling to migrate my mail off of my dyndns.org address.
So upgrade to their static IP service. Then you can run a mail server.
I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:
Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.
Actually one might need to install ucspi in some configs, just to get tcpserver.
Yeah, it is necessary to use axfrdns, for example. But for just running dnscache or tinydns, it is not required. The poster was complaining that a lot of extra software was required, when it is not. (Gee, complaining that programs actually follow the UNIX tradition.)
How about Microsoft's "Hack our IIS Server" contest running on Windows 2000 Beta? Lots of people dislike Microsoft and would love to dicredit them. Nobody hacked the server and claimed the prize. Therefore IIS is secure (snicker).
Except for one little difference: no one attempting to hack it had the source code.
FWIW, I tried djbdns (via Debian's.deb wrapper that goes and gets it off cr.yp.to) at home. Then I reinstalled BIND. I didn't like installing all his other software to support djbdns and I didn't feel up to maintaining mods to change it--mods that would be violating the spirit of the license. I neither pirate commercial software nor rip off GPL'ed software: since I cannot use djbdns in the spirit of Bernstein's license, I will not use it.
Stop trolling. ``all his other software to support djbdns'' consists of one package: daemontools. And if you felt like setting up djbdns by hand, it would even work without that. Though, I don't see any reason why you wouldn't want daemontools installed. Unless, of course, you don't care if your services stay up without you constantly watching them. daemontools is useful for many things, not just djbdns.
The rest of your post is complete FUD. You are completely allowed to modify djbdns however you see fit. Patches are allowed and encourged. Although, there is no reason you should have to patch it, as the software works fine. The only thing you can't do is distribute modified versions of the software. Distributing patches is just fine.
You are being very naive. Please read this comment of mine, I don't want to repeat myself. The point is, that basically a "security guarantee backed by a cash reward" doesn't mean anything. I'm really surprised that people, sometimes even educated people, are still trusting in such poor marketing tools as "cracking contests."
You shouldn't trust the software because of the cash guarantee. You should trust it because it is secure.
Some people will audit the software in hopes of claiming the reward, either for the monetary or ego value. It also means that the author has faith in his software. How many other people will put a cash guarantee behind their code? Dan doesn't have any commercial reasons to offer this guarantee. He does it because he knows his code is secure. Why won't the BIND authors guarantee their code? Because they know that they can't.
Look at it from another perspective. How many people here dislike Dan for one reason or another? How many of those people would love to find a hole in his software to discredit him? How many of those people have found one?
djbdns is secure in the same way that qmail is secure. Read the code for yourself. You will see how different it is from other software. It is quite easy to see how Dan can guarantee that it is secure.
Though, do you like to use a not-maintained package? When was the last date it was updated? How are you going to stay in touch with current technologies if the package is not being maintained ?
djbdns is maintained. Dan Bernstein revamped the djbdns web page this month, making it even easier for people to understand and install the software. He is also active on the mailing list. There hasn't been a new release of djbdns in over a year because the software does not need to be updated. It is complete. Why update software that works?
Tell the whole truth, please: A BIND9 version was subject to one type of DoS attack. Sending a specific DNS packet to the daemon triggered that instance going into some sort of test mode where it performed an internal consistency check, effectively shutting it down.
Simply calling that a ``DoS attach'' is stretching the truth. Being able to shut down the entire DNS server by sending a single anonymous DNS packet is a much larger problem than typical DoS attacks. Network services are inherently vulnerable to DoS attacks. This is much more. I consider that a security problem.
True; however, can you now re-distribute (in a magazine, say) that doctored picture of Dubya? Not necessarily. This is where the "fair use" doctrine applies; satire (like a moustache on Dubya) is covered. A source patch to djbdns -- unclear.
You can distribute instructions on how to draw the moustache. That is the same thing as source patches. Patches are covered under software law.
In the couple of years the bind 9 code has been out there, the only vulnerabilities it's had caused the server to shut itself down immediately, as it realised something was wrong with its input. That's likely to be it's only failure mode in the future - stick a wrapper around it that restarts it when it dies, and you'll be right as rain.
You like to run software that anyone can take down anonymously? Correct, secure software like djbdns does not have these kinds of problems.
Has Bernstein put permission to redistribute any patches against djbdns in writing? If so, then the license becomes roughly equivalent to the Trolltech QPL.
He doesn't need to. djbdns doesn't have a license and doesn't need one:
What about for porting the program to operating systems that don't fit Bernstein's idea of how the directory structure should be laid out, such as Windows 2000 Server or Windows.NET Enterprise Server?
djbdns is UNIX software. If you really want to run it on Windows, then fix Cygwin so that it works under that. But if you really want to port djbdns to Windows and distribute the patches, then that is fine. You simply can't distribute a compiled version.
Buggy? At least the vulnerability mentioned in the article does not affect most recent version of BIND 9.x.
BIND 9 has had security holes. djbdns never has and never will.
May I suggest Dnsmasq [freshmeat.net], which is described by its creators as a "lightweight, easy to configure DNS forwarder designed to provide DNS (domain name) services to a small network where using BIND would be overkill".
Don't run that. Run dnscache, which is part of the djbdns package. djbdns will out perform everything else and has security guarantee backed by a cash reward for security holes. djbdns has never had a security hole and never will. Why run anything else?
And on an unrelated note, 10.3 REALLY should include a graphical DNS admin. It's really jarring to have all these great, simple controls for the whole server experience, except DNS. Webmin works, but still, that's hardly the MacOS X vision!
If you want a good, easy to use DNS server, try MyDNS. It includes a nice PHP based web interface.
I used qmail for four or five years. [snip] With qmail, I always have to read a bunch of different man pages, tracking down the particular program that happens to handle whatever I need to change. Then I echo some value into some magically named file. Then I have to read the man pages again to figure out exactly which signal I send to which program and/or programs.
You claim four or five years of qmail experience and still don't understand how qmail works? Wow. If you changed something related to delivery, then you restart qmail-send. If you changed something for qmail-smtpd, then you restart it. I don't see how that is complicated.
Maybe I just don't have enough practice adminstering Unix boxes; I've only been doing it for 15 years or so.
If this is anything like your four to five years of qmail administration, then I wouldn't count it for much.
Go browse the qmail web site. Note the dozens and dozens of links to patches, add-on programs, and other cruft.
Yes. Different people have different needs. Should the program be bloated with every possible feature that someone might want? I guess the Postfix author thinks so. But you didn't answer my question. Which of those features do _you_ need? For at least 95% of the people installing qmail, the stock distribution works just fine.
Personally, I wanted db-backed virtual domains, and pretty complex spam rules with exceptions for certain senders, certain recipients, and certain mail servers. For qmail, I just never bothered because it was too much of a pain.
Pure FUD. db-backed virtual domains? Use vpopmail or vmailmgr. Filtering? Use your favorite delivery agent, such as procmail or maildrop, as the default delivery method. Override this for specific recipients in their.qmail files. Other exceptions are handled by the delivery agent.
qmail follows the UNIX tradition: do one thing and do it well. That is why qmail is so extensible. You can easily add programs into any part of the mail process to do things how you want. You can also replace diffent components if you like. This is why qmail is so powerful.
But unlike qmail, you don't have to apply patches to get needed features.
What features do you need that are not available in stock qmail?
And the configuration files are actually readable and helpful to admins.
How are qmail control files not readable? Files are named according to their function and only contain the necessary values that you place into them. They are fully documented in the man pages. The values of all the control files can be shown easily by running qmail-showctl. How is this difficult?
That refrence you give talks about licenses with regards to restricting rights of a consumer - basically, shrink wrap licenses that limit (perhaps illegally) my ability to resell a product or modify it for my means.
Yes, which is precisely the issue being discussed here. Are you trying to distribute a modified version of qmail? No? Then why does it concern you? If you want to modify your own version of qmail, then you are perfectly free to do so. If you want other people to use your modified version, then either install it for them or give them patches.
Not being able to distribute modified binaries is a Good Thing. Read the qmail or vchkpw mailing list for a while. Users are stupid. Very stupid in many cases. It is amazing how badly people can screw things up when installing from the original, unaltered source. Now you want to let just anyone distribute screwed up binaries? Think of the support issues involved with that. If people want to install modified versions, they can patch the source themselves.
``Why can't we rename your files? Compatibility is essential. Files must be accessible by the same names on all systems.''
However, even though I may have the right to resell my copy of Windows XP Retail, I don't have the right to make 100 copies and sell them.
Yes, but because of copyright law, not because of the license. You can buy a book and resell it. You can't make copies and sell them. The same goes for software. You can buy a copy at Best Buy and then sell it. You can't make copies and sell them.
Slashdot Mirror
Does no one realize that this ammount of retail cost to Microsoft is pennies in production cost? They're losing virtually nothing in this and it is a complete failure of the political system to prosecute them.
That doesn't mean that they don't lose money. If a business or individual that was actually going to pay for the software gets it for free, then Microsoft loses money. (Contrary to, say, an individual who steals it that was never going to purchase it in the first place.)
John Carmack started the genre of 3D games on the PC. When it comes to games, who else do you think of?
I agree. Bugzilla is overkill for most people. More features doesn't mean better product.
I tried out a lot of bug trackers, and I like Mantis the best. It is simple, yet has the features needed to get the job done. It doesn't take hours to setup like Bugzilla. The user interface is much simpler, so filing bugs and using the system isn't a huge chore.
However, in New Jersey (and possibly other states?), if you own a vehicle seen passing a stopped school bus, the bus driver can write down your license plate. The police then will send a ticket via mail to the owner of the vehicle.
There is a big difference between loaning some your cell phone and loaning someone your car.
- a serial console capability
.Net Server 2003. The purpose is really to support newer blade servers. But it requires hardware support. The reason Windows never supported this in the past is because the x86 design didn't. Try to get your POST info off the serial port with Linux on an x86 machine.
That's in
You can with a PC Weasel.
Spews put FOUR CLASS A's on their list. That's right -- a quarter-million IP numbers were blocked because they didn't like the policies at four IP numbers.
Perhaps you meant class B's? Four class A's would have been 67 million. I doubt even SPEWS is that stupid. Wait, this is SPEWS we're talking about.
Or you could use tinydns, which handles this automatically:
http://cr.yp.to/djbdns/tinydns-data.html
I did almost exactly this approach. It worked well for me until I discovered I wasn't allowed to use a mail server! The two broadband providers I have available are Charter Pipeline and SBC-Yahoo DSL, and they both ban mail servers in their AUP. So now I'm scrambling to migrate my mail off of my dyndns.org address.
So upgrade to their static IP service. Then you can run a mail server.
A new (secure) protocol?
http://cr.yp.to/im2000.html
I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:
http://cr.yp.to/syncookies.html
Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.
Actually one might need to install ucspi in some configs, just to get tcpserver.
Yeah, it is necessary to use axfrdns, for example. But for just running dnscache or tinydns, it is not required. The poster was complaining that a lot of extra software was required, when it is not. (Gee, complaining that programs actually follow the UNIX tradition.)
How about Microsoft's "Hack our IIS Server" contest running on Windows 2000 Beta? Lots of people dislike Microsoft and would love to dicredit them. Nobody hacked the server and claimed the prize. Therefore IIS is secure (snicker).
Except for one little difference: no one attempting to hack it had the source code.
FWIW, I tried djbdns (via Debian's .deb wrapper that goes and gets it off cr.yp.to) at home. Then I reinstalled BIND. I didn't like installing all his other software to support djbdns and I didn't feel up to maintaining mods to change it--mods that would be violating the spirit of the license. I neither pirate commercial software nor rip off GPL'ed software: since I cannot use djbdns in the spirit of Bernstein's license, I will not use it.
Stop trolling. ``all his other software to support djbdns'' consists of one package: daemontools. And if you felt like setting up djbdns by hand, it would even work without that. Though, I don't see any reason why you wouldn't want daemontools installed. Unless, of course, you don't care if your services stay up without you constantly watching them. daemontools is useful for many things, not just djbdns.
The rest of your post is complete FUD. You are completely allowed to modify djbdns however you see fit. Patches are allowed and encourged. Although, there is no reason you should have to patch it, as the software works fine. The only thing you can't do is distribute modified versions of the software. Distributing patches is just fine.
You are being very naive. Please read this comment of mine, I don't want to repeat myself. The point is, that basically a "security guarantee backed by a cash reward" doesn't mean anything. I'm really surprised that people, sometimes even educated people, are still trusting in such poor marketing tools as "cracking contests."
You shouldn't trust the software because of the cash guarantee. You should trust it because it is secure.
Some people will audit the software in hopes of claiming the reward, either for the monetary or ego value. It also means that the author has faith in his software. How many other people will put a cash guarantee behind their code? Dan doesn't have any commercial reasons to offer this guarantee. He does it because he knows his code is secure. Why won't the BIND authors guarantee their code? Because they know that they can't.
Look at it from another perspective. How many people here dislike Dan for one reason or another? How many of those people would love to find a hole in his software to discredit him? How many of those people have found one?
djbdns is secure in the same way that qmail is secure. Read the code for yourself. You will see how different it is from other software. It is quite easy to see how Dan can guarantee that it is secure.
Though, do you like to use a not-maintained package? When was the last date it was updated? How are you going to stay in touch with current technologies if the package is not being maintained ?
djbdns is maintained. Dan Bernstein revamped the djbdns web page this month, making it even easier for people to understand and install the software. He is also active on the mailing list. There hasn't been a new release of djbdns in over a year because the software does not need to be updated. It is complete. Why update software that works?
Tell the whole truth, please: A BIND9 version was subject to one type of DoS attack. Sending a specific DNS packet to the daemon triggered that instance going into some sort of test mode where it performed an internal consistency check, effectively shutting it down.
Simply calling that a ``DoS attach'' is stretching the truth. Being able to shut down the entire DNS server by sending a single anonymous DNS packet is a much larger problem than typical DoS attacks. Network services are inherently vulnerable to DoS attacks. This is much more. I consider that a security problem.
True; however, can you now re-distribute (in a magazine, say) that doctored picture of Dubya? Not necessarily. This is where the "fair use" doctrine applies; satire (like a moustache on Dubya) is covered. A source patch to djbdns -- unclear.
You can distribute instructions on how to draw the moustache. That is the same thing as source patches. Patches are covered under software law.
Since the standards aren't even close to being implemented, saying "it's complete" is just stupid in this case.
Oh? What ``standards'' are missing? Which of these causes interoperability problems and why?
In the couple of years the bind 9 code has been out there, the only vulnerabilities it's had caused the server to shut itself down immediately, as it realised something was wrong with its input. That's likely to be it's only failure mode in the future - stick a wrapper around it that restarts it when it dies, and you'll be right as rain.
You like to run software that anyone can take down anonymously? Correct, secure software like djbdns does not have these kinds of problems.
Has Bernstein put permission to redistribute any patches against djbdns in writing? If so, then the license becomes roughly equivalent to the Trolltech QPL.
.NET Enterprise Server?
He doesn't need to. djbdns doesn't have a license and doesn't need one:
http://cr.yp.to/softwarelaw.html
What about for porting the program to operating systems that don't fit Bernstein's idea of how the directory structure should be laid out, such as Windows 2000 Server or Windows
djbdns is UNIX software. If you really want to run it on Windows, then fix Cygwin so that it works under that. But if you really want to port djbdns to Windows and distribute the patches, then that is fine. You simply can't distribute a compiled version.
Buggy? At least the vulnerability mentioned in the article does not affect most recent version of BIND 9.x.
BIND 9 has had security holes. djbdns never has and never will.
May I suggest Dnsmasq [freshmeat.net], which is described by its creators as a "lightweight, easy to configure DNS forwarder designed to provide DNS (domain name) services to a small network where using BIND would be overkill".
Don't run that. Run dnscache, which is part of the djbdns package. djbdns will out perform everything else and has security guarantee backed by a cash reward for security holes. djbdns has never had a security hole and never will. Why run anything else?
And on an unrelated note, 10.3 REALLY should include a graphical DNS admin. It's really jarring to have all these great, simple controls for the whole server experience, except DNS. Webmin works, but still, that's hardly the MacOS X vision!
If you want a good, easy to use DNS server, try MyDNS. It includes a nice PHP based web interface.
I used qmail for four or five years. [snip] With qmail, I always have to read a bunch of different man pages, tracking down the particular program that happens to handle whatever I need to change. Then I echo some value into some magically named file. Then I have to read the man pages again to figure out exactly which signal I send to which program and/or programs.
.qmail files. Other exceptions are handled by the delivery agent.
You claim four or five years of qmail experience and still don't understand how qmail works? Wow. If you changed something related to delivery, then you restart qmail-send. If you changed something for qmail-smtpd, then you restart it. I don't see how that is complicated.
Maybe I just don't have enough practice adminstering Unix boxes; I've only been doing it for 15 years or so.
If this is anything like your four to five years of qmail administration, then I wouldn't count it for much.
Go browse the qmail web site. Note the dozens and dozens of links to patches, add-on programs, and other cruft.
Yes. Different people have different needs. Should the program be bloated with every possible feature that someone might want? I guess the Postfix author thinks so. But you didn't answer my question. Which of those features do _you_ need? For at least 95% of the people installing qmail, the stock distribution works just fine.
Personally, I wanted db-backed virtual domains, and pretty complex spam rules with exceptions for certain senders, certain recipients, and certain mail servers. For qmail, I just never bothered because it was too much of a pain.
Pure FUD. db-backed virtual domains? Use vpopmail or vmailmgr. Filtering? Use your favorite delivery agent, such as procmail or maildrop, as the default delivery method. Override this for specific recipients in their
qmail follows the UNIX tradition: do one thing and do it well. That is why qmail is so extensible. You can easily add programs into any part of the mail process to do things how you want. You can also replace diffent components if you like. This is why qmail is so powerful.
But unlike qmail, you don't have to apply patches to get needed features.
What features do you need that are not available in stock qmail?
And the configuration files are actually readable and helpful to admins.
How are qmail control files not readable? Files are named according to their function and only contain the necessary values that you place into them. They are fully documented in the man pages. The values of all the control files can be shown easily by running qmail-showctl. How is this difficult?
That refrence you give talks about licenses with regards to restricting rights of a consumer - basically, shrink wrap licenses that limit (perhaps illegally) my ability to resell a product or modify it for my means.
Yes, which is precisely the issue being discussed here. Are you trying to distribute a modified version of qmail? No? Then why does it concern you? If you want to modify your own version of qmail, then you are perfectly free to do so. If you want other people to use your modified version, then either install it for them or give them patches.
Not being able to distribute modified binaries is a Good Thing. Read the qmail or vchkpw mailing list for a while. Users are stupid. Very stupid in many cases. It is amazing how badly people can screw things up when installing from the original, unaltered source. Now you want to let just anyone distribute screwed up binaries? Think of the support issues involved with that. If people want to install modified versions, they can patch the source themselves.
``Why can't we rename your files? Compatibility is essential. Files must be accessible by the same names on all systems.''
However, even though I may have the right to resell my copy of Windows XP Retail, I don't have the right to make 100 copies and sell them.
Yes, but because of copyright law, not because of the license. You can buy a book and resell it. You can't make copies and sell them. The same goes for software. You can buy a copy at Best Buy and then sell it. You can't make copies and sell them.