"...most of these bug postings are *theoretical* security flaws."
L0pht Heavy Industries: "Making the theoretical practical since 1992."
The fact is, a theoretical flaw is still a flaw, and it's still relevant to my original question.
"Many of these don't even have an exploit coupled with them..."
...yet.
"I guess the difference is that in a lot of these FS/OSS projects the potential problems are announced and stomped out quicker than they can become actual exploited vulnerabilities."
This is something that's been bugging me as well. It seems that more security bugs are kept quiet until a fix is prepared. Personally, I'd much rather know ASAP, so I can at least disable or filter the vulnerable service. I think that as soon as a vuln. is discovered & discussed on any public list, the more likely it will be that there is an exploit available. In some cases (WU-FTPd globbing bug comes to mind), the vuln. was known about for some time before the fix was available. In this case, there was even an exploit available. The bug was discovered in July, a security advisory was being drafted as early as September, and the fix didn't get released until December.
"I don't follow you. Because someone found a bug that means there aren't enough eyes to find the bugs? Most of the eyes aren't involved with the project, they're "out there" in the rest of the community."
I've been using FS/OSS since '94-5. It seems to me that there are many more security problems being discovered now then there were back then, and they affect some of the basic building blocks of the FS/OSS world.
What I was asking is if FS/OSS is getting more eyes on the code (e.g. more people spotting bugs) due to it's wider support & deployment now versus then.
Is it just me, or have there been a really huge amount of security issues with Free/Open Source software this year?
It just seems like there's a new hole (or two) every week. Let's see, we've had openssh, zlib, php, mod_ssl, cvs, cups, rsync, exim, ncurses, glibc and more, just since January. We've still got two-thirds of the year to go. Anyone want to make bets on what other projects will get hit? I think we're going to see problems with XFree86, samba, and apache.
So, my question is this: Do you think that this is simply a bad time for FS/OSS security? Are we at the threshold where there are enough eyes on the code to locate these kinds of bugs? Or is the quality of FS/OSS declining?
the theatrical release was 131 minutes long, the criterion edition is sometimes referred to as the "final final cut" (142 minutes), and it also has the 93-minute "love conquers all" version - the one that was hacked to bits by the studio for TV.
the normal 131-minute cut is available on dvd as well as the criterion edition.
Re:Corrections, pointers, and cautions
on
Understanding NFS
·
· Score: 2
Quick pointers to NFS U/GID space solutions:
* rpc.ugidd - easy, but insecure. can leak u/gid info to untrusted parties. only works with userspace nfs server in linux - don't know about other opsystems. * use the same u/gids on every server - almost certainly not an option. * use a shared PAM back-end, such as LDAP (what I use), MySQL, or PostgreSQL
Yes, I was also stymied by the way ALSA presents the SBLive! mixer. Having a second-hand card without any documentation doesn't help me at all. Can anyone explain why the headphone right/left mute buttons are labeled 'Headphone LFE1' (for the Right channel) and 'Headphone Center 1' (for Left)? Why can't I record from my LiveDrive! Line in? What crack-smoker coded this shit?
Don't know about other versions, but 0.9.0beta9 & beta10 are both like this.
"This leaves out the few million people who watch movies on their standalone DVD players."
there's always VCD.
"Incidentally, one other barrier to bit-for-bit ripping is that on DVD-Rs, the area normally reserved for the decryption key is zeroed out during manufacturing."
yes, but it is possible to create unencrypted DVDs. this is what the macs with superdrives do.
"I don't think DivX supports Dolby Digital 5.1 sound yet, either, although I understand that's in the works."
divx will pass the AC3 audio encodedon the DVD through today. DD & DTS should both work. obviously, this won't work if you're ripping to VCD.
let's say, for the sake of an argument, that msft really is putting all this effort into fixing bugs for a month. let's say that at the end of the month, they say that it was a huge success, fixing X thousand bugs.
how do we know that they aren't making it up?
it's not like they will release one patch for each issue; if they provide the patches for free, it will mose likely come as one big patch, which could just as easily contain an update to the NSAKEY subsystem rather than actual bugfixes. without source, there is no proof that they are doing what they say.
it sounds to me like "trusted computing" means "trust microsoft more". no thanks - i'll stick to operating systems with freely available source.
"You can't release software unless you're sure it cannot, in any way, be used to hurt AOL/TW or the rest of the content mafia."
wrong. i can't release software designed to hurt aol/tw. now, that doesn't prevent yoyodyne multinational media conglomerate from suing me if i release a tool that can destroy their empire as a side effect.
"You cannot use napster to trade mp3s of independant bands who would like you to hear their music for free."
but i can visit their website, or use gnutella, or freenet, or one of many, many other file-sharing options. i can even get their music in ogg vorbis format instead of the patent-encumbered mp3 format.
"You can always decline a EULA."
that doesn't mean i can get my money back, for example with bundled software.
"AOL is worse. It enlists the government's help in becomming more powerful. The justice department can't sue for anti-competitive practices when those practices were enacted into law by the congress."
microsoft has done more than their part to protect their interests via political manipulation. for example, their astroturf campaigns.
i'd also like to point out that any law which is passed may be removed. even changes to the constitution may be made and repealed. stating that the dmca cannot be repealed because money paid for it is daft at best.
"When I was growing up there was tons of 'peer pressure' to do all sorts of things. Drugs and other things I find to be stupid and pointless (don't bother ranting on that).
People act like peer pressure is something you have to abide by, and thats rubbish.
The choices are out there. Take them or leave them, and don't whine either way about choices you yourself made."
sure - but, the instances of peer pressure i see you referring to seem to be for one's own entertainment.
the kind of pressure i'm talking about is more along the lines of "sure, we'll hire you, send us your resume in word format."
see the difference?
you are also forgetting that most of the unwashed masses are going to take the path of least resistance. when it comes to using computers, that path leads straight to redmond. this is not the case when it comes to cable, or an isp, or a news channel. it's not like choosing to watch local news, or use a cable provider different from what joe down the street has can compare to the hassle of trying to import a word or excel document on a system without ms office.
by the way, don't you think it's awfully presumptuous to assume that i've made those choices? i'm just aware that with microsoft controllong upwards of 90% of the entire computer market, there are a lot of bodies choosing microsoft, for one reason or another.
"Small nit about your post. In contrast to your well-informed knowledge about media providers and equipment, you failed to take into consideration the fact that nowdays one can build his own x86 box. I did, and put linux on it.
Otherwise, I think the rest of your post is dead on."
thanks for the criticism. i'm aware than i can build my own systems, and every computer i own (barring laptops) are bought part-by-part and assembled by myself.
the point i was making was that for the average consumer, it's only possible to buy an x86 computer with windows. sure, you can go with a mac, but you can bet that the people who do will get locked in the microsoft monopoly just as surely as the windows users, thanks to internet explorer, windows media player, outlook and office for the mac.
on the other hand, anybody that can phone up time-warner for cable can phone up their competition just as readily.
yeah, but i can get a cableproviderother than time-warner, i can use an isp other than aol, and i can watch news on a channel that isn't cnn.
if i buy a (x86) computer, there is a 98% chance that it will come with windows, and there is a lot of pressure to use windows on that computer in the first place; pressure from friends & co-workers who use it, pressure from employers who use it, pressure from the salespeople selling me the computer. pressure from people on the 'net, who use windows media to give away audio & video clips, or word to present documentation. i don't think that kind of pressure to use aol/tw/cnn exists, at least not yet.
while i agree that aol/tw/cnn/netscape/sun/whatever has the potential to become a much larger, more powerful, and more evil empire than msft, the fact of the matter is that msft has an illegal monopoly, which they extend every day. if aol/tw/cnn/sun/netscape/whatever want to combat that, fine. frankly, the u.s. government seems incapable of bringing msft down, so if it has to come to corporate warfare- so be it. i want to go to a store and buy a pc that runs linux, or freebsd, or openbsd. or whatever other os i want.
"At least it keeps the gay porn [goatse.cx] out 95% of the time."
it doesn't keep it out - it keeps it hidden, for the people who choose to hide it. kinda like how filters & blacklists work for usenet readers.
besides, usenet supports moderation, it just doesn't encourage - or allow - the people who abuse the service to do it.
"And restrict your audience (although this may not be entirely a bad thing). Many users don't know how to switch their NNTP server. Others use newsreaders that support only one NNTP server per installation. Some users can't switch it at all (such as users of America Online)."
news://nntp.slashdot.org/msft.general.bitching would work on 99% of the browsers out there - the slashdot.org webpage could be replaced with a page that has that link.
besides, isn't this site supposed to be news for nerds? how many nerds out there do you know who use aol, or don't know how to configure a newsreader?
"Client-side searching requires the user to have downloaded multigigabytes of Slashdot's previous stories. Not all users who want to search Slashdot have the T1 to download the whole site."
unless, of course, they search through the headers. or, have older articles moved into yearly-monthly groups, e.g. discussion in msft.general.bitching from january 1999 gets moved into 1999.jan.msft.general.bitching via a modified article expiry. then, if you had some idea when the article/comment you were searching for was posted you could search within that timeframe.
"Another place for complaining about Slashcode bugs: Slashcode Bug Tracker"
"NNTP doesn't support mass moderation or metamoderation." ...which are completely broken and cause more problems than they solve.
"NNTP doesn't readily support banner advertisements that keep the server free." i'll grant you this, but it wouldn't be too difficult to hack an article-ad-interruptor, where the first (or middle, or a random) bit of the article has a textual ad (with http link) inserted.
"NNTP servers often don't have very long retention of old discussion." ...which isn't a problem if you run your own.
"NNTP doesn't have server-side search." yes, it has working client-side searching, rather than broken/incomplete server-side searching.
seriously, have you ever tried to find something you saw on slashdot, say, two months ago? what if it was a comment, not a story? it's virtually impossible. you can't even query for all the posts that user xyz has posted. i wanted to find an old (~1 year) post of mine - couldn't. if i search for "phexro" in "stories", i get some stories i submitted. if i search in "comments" i get nothing. if i search in "users", i get me, and the last 24 posts i made. if i search for some key words in my post, i get page after page after page of incorrect results. if i search for a specific phrase, i get the same thing.
i've been meaning to bitch about this... thanks for the chance to let me do it on-topic.:)
well, according to the review at dvd.ign.com, the original dvd release sucked. non-anamorphic transfer, compression artifacts in the video, and barely any special features.
a friend of mine bought it and was very disappointed. if it wasn't for the many poor reviews of the original, i'd own it already.
this is also why i didn't buy the original monty python and the holy grail dvd, and why i'm not buying the clockwork orange dvd until it gets a better release.
does anyone else find it funny that amazon has a "used price" for this movie directly above the paragraph explaining that the movie isn't even released yet?
maybe it's just their patented one-click time-travel system.
Or in a barber shop. Ye gods, have you seen the beard on that man?
Does anyone else see an uncanny resemblance?
"...most of these bug postings are *theoretical* security flaws."
L0pht Heavy Industries: "Making the theoretical practical since 1992."
The fact is, a theoretical flaw is still a flaw, and it's still relevant to my original question.
"Many of these don't even have an exploit coupled with them..."
...yet.
"I guess the difference is that in a lot of these FS/OSS projects the potential problems are announced and stomped out quicker than they can become actual exploited vulnerabilities."
This is something that's been bugging me as well. It seems that more security bugs are kept quiet until a fix is prepared. Personally, I'd much rather know ASAP, so I can at least disable or filter the vulnerable service. I think that as soon as a vuln. is discovered & discussed on any public list, the more likely it will be that there is an exploit available. In some cases (WU-FTPd globbing bug comes to mind), the vuln. was known about for some time before the fix was available. In this case, there was even an exploit available. The bug was discovered in July, a security advisory was being drafted as early as September, and the fix didn't get released until December.
"I don't follow you. Because someone found a bug that means there aren't enough eyes to find the bugs? Most of the eyes aren't involved with the project, they're "out there" in the rest of the community."
I've been using FS/OSS since '94-5. It seems to me that there are many more security problems being discovered now than there were back then, and they affect some of the basic building blocks of the FS/OSS world.
What I was asking is if FS/OSS is getting more eyes on the code (e.g. more people spotting bugs) due to its wider support & deployment now versus then.
Is it just me, or have there been a really huge amount of security issues with Free/Open Source software this year?
It just seems like there's a new hole (or two) every week. Let's see, we've had openssh, zlib, php, mod_ssl, cvs, cups, rsync, exim, ncurses, glibc and more, just since January. We've still got two-thirds of the year to go. Anyone want to make bets on what other projects will get hit? I think we're going to see problems with XFree86, samba, and apache.
So, my question is this: Do you think that this is simply a bad time for FS/OSS security? Are we at the threshold where there are enough eyes on the code to locate these kinds of bugs? Or is the quality of FS/OSS declining?
that with the .dll codecs themselves, you can play .wmv & .asf in xine.
actually, you're both wrong. :)
the theatrical release was 131 minutes long, the criterion edition is sometimes referred to as the "final final cut" (142 minutes), and it also has the 93-minute "love conquers all" version - the one that was hacked to bits by the studio for TV.
the normal 131-minute cut is available on dvd as well as the criterion edition.
Quick pointers to NFS U/GID space solutions:
* rpc.ugidd - easy, but insecure. can leak u/gid info to untrusted parties. only works with the userspace nfs server in linux - don't know about other operating systems.
* use the same u/gids on every server - almost certainly not an option.
* use a shared PAM back-end, such as LDAP (what I use), MySQL, or PostgreSQL
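As an added illustration of why the u/gid space has to agree across hosts (this is example code, not part of the post above): with AUTH_SYS, NFS carries only numeric ids on the wire, so a client resolves the server's uid 1001 against its own passwd file. The script below parses passwd-format text from several hosts, reports uids that map to different names, names that map to different uids, and accounts missing from a host, and shows what owner a client would display for a given server uid. The hostnames and passwd entries are constructed for the example.

```python
"""Audit uid/gid consistency across hosts sharing NFS exports.

Added example, not code from the original post. The passwd snippets
below are constructed; point parse_passwd() at real /etc/passwd
contents (or getent output) gathered from each host to use it for real.
"""
from collections import defaultdict

# Constructed sample data: three hosts with drifting local accounts.
CONSTRUCTED_PASSWD = {
    "nfs-server": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "alice:x:1001:1001::/home/alice:/bin/sh\n"
        "bob:x:1002:1002::/home/bob:/bin/sh\n"
    ),
    "ws1": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "bob:x:1001:1001::/home/bob:/bin/sh\n"
        "alice:x:1002:1002::/home/alice:/bin/sh\n"
    ),
    "ws2": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "alice:x:1001:1001::/home/alice:/bin/sh\n"
    ),
}


def parse_passwd(text):
    """Return {username: uid} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError("malformed passwd line: %r" % line)
        users[fields[0]] = int(fields[2])
    return users


def find_conflicts(hosts):
    """hosts: {hostname: {username: uid}}.

    Returns (uid_collisions, name_mismatches, missing):
      uid_collisions  {uid: {name: [hosts]}}  one uid, several names
      name_mismatches {name: {uid: [hosts]}}  one name, several uids
      missing         {name: [hosts lacking that account]}
    Any entry in the first two means files will show the wrong owner
    on some client; the third means they show as a bare number.
    """
    by_uid = defaultdict(lambda: defaultdict(list))
    by_name = defaultdict(lambda: defaultdict(list))
    for host, users in hosts.items():
        for name, uid in users.items():
            by_uid[uid][name].append(host)
            by_name[name][uid].append(host)
    uid_collisions = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    name_mismatches = {n: dict(u) for n, u in by_name.items() if len(u) > 1}
    missing = {}
    for name in sorted(by_name):
        lacking = sorted(h for h, users in hosts.items() if name not in users)
        if lacking:
            missing[name] = lacking
    return uid_collisions, name_mismatches, missing


def owner_as_seen_by(uid, client_users):
    """Name that `ls -l` on the client shows for a file owned by uid.

    Mirrors the client's reverse lookup: the numeric id is printed when
    no local account has that uid.
    """
    for name, client_uid in client_users.items():
        if client_uid == uid:
            return name
    return str(uid)


if __name__ == "__main__":
    hosts = {h: parse_passwd(t) for h, t in CONSTRUCTED_PASSWD.items()}
    collisions, mismatches, missing = find_conflicts(hosts)
    for uid, names in sorted(collisions.items()):
        print("uid %d is %s" % (uid, ", ".join(
            "%s on %s" % (n, "/".join(hs)) for n, hs in names.items())))
    for name, uids in sorted(mismatches.items()):
        print("%s is uid %s" % (name, ", ".join(
            "%d on %s" % (u, "/".join(hs)) for u, hs in uids.items())))
    for name, hs in missing.items():
        print("%s missing on %s" % (name, ", ".join(hs)))
    # A file alice writes on nfs-server (uid 1001) looks like bob's on ws1.
    print("server uid 1001 seen on ws1 as", owner_as_seen_by(1001, hosts["ws1"]))
```

With the constructed data it reports that uid 1001 is alice on the server and ws2 but bob on ws1, and that bob has no account on ws2; that is exactly the state a shared back-end such as LDAP removes, because every host then resolves names through the same table.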
"We'll soon get GNU/KDE and KGNOME?"
never! how would application writers decide what the first letter of their program will be? it would be chaos!
no, if you want to do 5.1 or dts, you should be using the s/pdif output with an external decoder.
Yes, I was also stymied by the way ALSA presents the SBLive! mixer. Having a second-hand card without any documentation doesn't help me at all. Can anyone explain why the headphone right/left mute buttons are labeled 'Headphone LFE1' (for the Right channel) and 'Headphone Center 1' (for Left)? Why can't I record from my LiveDrive! Line in? What crack-smoker coded this shit?
Don't know about other versions, but 0.9.0beta9 & beta10 are both like this.
"This leaves out the few million people who watch movies on their standalone DVD players."
there's always VCD.
"Incidentally, one other barrier to bit-for-bit ripping is that on DVD-Rs, the area normally reserved for the decryption key is zeroed out during manufacturing."
yes, but it is possible to create unencrypted DVDs. this is what the macs with superdrives do.
"I don't think DivX supports Dolby Digital 5.1 sound yet, either, although I understand that's in the works."
divx will pass the AC3 audio encoded on the DVD through today. DD & DTS should both work. obviously, this won't work if you're ripping to VCD.
i'd be perfectly happy with 'hacking ruby for midgets'.
let's say, for the sake of an argument, that msft really is putting all this effort into fixing bugs for a month. let's say that at the end of the month, they say that it was a huge success, fixing X thousand bugs.
how do we know that they aren't making it up?
it's not like they will release one patch for each issue; if they provide the patches for free, it will most likely come as one big patch, which could just as easily contain an update to the NSAKEY subsystem rather than actual bugfixes. without source, there is no proof that they are doing what they say.
it sounds to me like "trusted computing" means "trust microsoft more". no thanks - i'll stick to operating systems with freely available source.
this will apply all the patches in
looks like the links on that page are broken, and it seems that 4.5-release hasn't made its way out to all the ftp sites yet.
in the mean time, here are the relnotes for 4.5-rc3 i386 alpha
"You can't release software unless you're sure it cannot, in any way, be used to hurt AOL/TW or the rest of the content mafia."
wrong. i can't release software designed to hurt aol/tw. now, that doesn't prevent yoyodyne multinational media conglomerate from suing me if i release a tool that can destroy their empire as a side effect.
"You cannot use napster to trade mp3s of independant bands who would like you to hear their music for free."
but i can visit their website, or use gnutella, or freenet, or one of many, many other file-sharing options. i can even get their music in ogg vorbis format instead of the patent-encumbered mp3 format.
"You can always decline a EULA."
that doesn't mean i can get my money back, for example with bundled software.
"AOL is worse. It enlists the government's help in becomming more powerful. The justice department can't sue for anti-competitive practices when those practices were enacted into law by the congress."
microsoft has done more than their part to protect their interests via political manipulation. for example, their astroturf campaigns.
i'd also like to point out that any law which is passed may be removed. even changes to the constitution may be made and repealed. stating that the dmca cannot be repealed because money paid for it is daft at best.
"When I was growing up there was tons of 'peer pressure' to do all sorts of things. Drugs and other things I find to be stupid and pointless (don't bother ranting on that).
People act like peer pressure is something you have to abide by, and thats rubbish.
The choices are out there. Take them or leave them, and don't whine either way about choices you yourself made."
sure - but, the instances of peer pressure i see you referring to seem to be for one's own entertainment.
the kind of pressure i'm talking about is more along the lines of "sure, we'll hire you, send us your resume in word format."
see the difference?
you are also forgetting that most of the unwashed masses are going to take the path of least resistance. when it comes to using computers, that path leads straight to redmond. this is not the case when it comes to cable, or an isp, or a news channel. it's not like choosing to watch local news, or use a cable provider different from what joe down the street has can compare to the hassle of trying to import a word or excel document on a system without ms office.
by the way, don't you think it's awfully presumptuous to assume that i've made those choices? i'm just aware that with microsoft controlling upwards of 90% of the entire computer market, there are a lot of bodies choosing microsoft, for one reason or another.
"Small nit about your post. In contrast to your well-informed knowledge about media providers and equipment, you failed to take into consideration the fact that nowdays one can build his own x86 box. I did, and put linux on it.
Otherwise, I think the rest of your post is dead on."
thanks for the criticism. i'm aware that i can build my own systems, and every computer i own (barring laptops) was bought part-by-part and assembled by myself.
the point i was making was that for the average consumer, it's only possible to buy an x86 computer with windows. sure, you can go with a mac, but you can bet that the people who do will get locked in the microsoft monopoly just as surely as the windows users, thanks to internet explorer, windows media player, outlook and office for the mac.
on the other hand, anybody that can phone up time-warner for cable can phone up their competition just as readily.
yeah, but i can get a cable provider other than time-warner, i can use an isp other than aol, and i can watch news on a channel that isn't cnn.
if i buy a (x86) computer, there is a 98% chance that it will come with windows, and there is a lot of pressure to use windows on that computer in the first place; pressure from friends & co-workers who use it, pressure from employers who use it, pressure from the salespeople selling me the computer. pressure from people on the 'net, who use windows media to give away audio & video clips, or word to present documentation. i don't think that kind of pressure to use aol/tw/cnn exists, at least not yet.
while i agree that aol/tw/cnn/netscape/sun/whatever has the potential to become a much larger, more powerful, and more evil empire than msft, the fact of the matter is that msft has an illegal monopoly, which they extend every day. if aol/tw/cnn/sun/netscape/whatever want to combat that, fine. frankly, the u.s. government seems incapable of bringing msft down, so if it has to come to corporate warfare- so be it. i want to go to a store and buy a pc that runs linux, or freebsd, or openbsd. or whatever other os i want.
you can buy the radio shows on cd from the online BBC shop, where they have an entire hhgttg department.
Earth: Mostly harmless.
you must have the new edition.
"At least it keeps the gay porn [goatse.cx] out 95% of the time."
it doesn't keep it out - it keeps it hidden, for the people who choose to hide it. kinda like how filters & blacklists work for usenet readers.
besides, usenet supports moderation, it just doesn't encourage - or allow - the people who abuse the service to do it.
"And restrict your audience (although this may not be entirely a bad thing). Many users don't know how to switch their NNTP server. Others use newsreaders that support only one NNTP server per installation. Some users can't switch it at all (such as users of America Online)."
news://nntp.slashdot.org/msft.general.bitching would work on 99% of the browsers out there - the slashdot.org webpage could be replaced with a page that has that link.
besides, isn't this site supposed to be news for nerds? how many nerds out there do you know who use aol, or don't know how to configure a newsreader?
"Client-side searching requires the user to have downloaded multigigabytes of Slashdot's previous stories. Not all users who want to search Slashdot have the T1 to download the whole site."
unless, of course, they search through the headers. or, have older articles moved into yearly-monthly groups, e.g. discussion in msft.general.bitching from january 1999 gets moved into 1999.jan.msft.general.bitching via a modified article expiry. then, if you had some idea when the article/comment you were searching for was posted you could search within that timeframe.
"Another place for complaining about Slashcode bugs: Slashcode Bug Tracker"
thanks, i'll take my bitching there. :)
"NNTP doesn't support mass moderation or metamoderation."
...which are completely broken and cause more problems than they solve.
"NNTP doesn't readily support banner advertisements that keep the server free."
i'll grant you this, but it wouldn't be too difficult to hack an article-ad-interruptor, where the first (or middle, or a random) bit of the article has a textual ad (with http link) inserted.
"NNTP servers often don't have very long retention of old discussion."
...which isn't a problem if you run your own.
"NNTP doesn't have server-side search."
yes, it has working client-side searching, rather than broken/incomplete server-side searching.
seriously, have you ever tried to find something you saw on slashdot, say, two months ago? what if it was a comment, not a story? it's virtually impossible. you can't even query for all the posts that user xyz has posted. i wanted to find an old (~1 year) post of mine - couldn't. if i search for "phexro" in "stories", i get some stories i submitted. if i search in "comments" i get nothing. if i search in "users", i get me, and the last 24 posts i made. if i search for some key words in my post, i get page after page after page of incorrect results. if i search for a specific phrase, i get the same thing.
i've been meaning to bitch about this... thanks for the chance to let me do it on-topic.
well, according to the review at dvd.ign.com, the original dvd release sucked. non-anamorphic transfer, compression artifacts in the video, and barely any special features.
a friend of mine bought it and was very disappointed. if it wasn't for the many poor reviews of the original, i'd own it already.
this is also why i didn't buy the original monty python and the holy grail dvd, and why i'm not buying the clockwork orange dvd until it gets a better release.
does anyone else find it funny that amazon has a "used price" for this movie directly above the paragraph explaining that the movie isn't even released yet?
maybe it's just their patented one-click time-travel system.