It's better to use Slackware's kernel-source-2.4.20-noarch-5.tgz package, since it already contains patches for some ext3 bugs as well as the recent ptrace exploit.
If you do use the original 2.4.20 tarball in the source/k directory, you will need to apply the linux-2.4.20.ptrace.diff.gz that you'll find in the same directory, and if you use ext3, you'll also want to apply the patches from the ext3-patches directory.
Don't you think that it is already possible to be a Doctor of Computer Science? What do you think happens when you get your PhD in computer science? Does anyone confuse Doctors of Literatures with MDs?
Unfortunately, there is such a thing as a REAL computer engineering degree from a real engineering school, and this inappropriate use of the term engineer undermines the value of a title people are supposed to have to work hard to achive. Your example actually illustrates this to a certain point -- I'm sure there are people with various liberal arts degrees passing themselves off as "doctors" (on radio talk shows, for instance) knowing full well that most people will assume they hold some kind of medical degree. Similarly, if someone calls themselves a "Foo Certified Software Engineer", I'd venture they realize most people will think that have an actual engineering degree and are more than willing to accept the respect that goes along with that without putting in the hard work.
By the way, I changed my degree program from Computer Engineering to Computer Science, so I'm fully aware of just how much harder an engineering degree is.:) I think that's what makes it especially distasteful to see the "engineer" title being used by people who don't even hold a real CS degree at all.
Er, example number one (with 'cat') does not work after all (thought it would, but it doesn't). The second example does work. Just check your/proc/sys/kernel/modprobe afterwards and make sure it's been changed.
If you can't patch this right away, you can easily work around the hole. In order to be vulnerable, you need to have kmod enabled in the kernel, and/proc/sys/kernel/modprobe must contain the name of ANY VALID EXECUTABLE. It doesn't have to be/sbin/modprobe. Even/bin/false is vulnerable on this one.
To prevent the exploit, give the kernel a bogus filename to use as modprobe, like this:
The fork of makepkg used in checkinstall produces broken packages, because it uses the wrong version of tar. This packs files differently, and it DOES make a difference.
As soon as checkinstall uses Slackware's native makepkg by default on Slackware I'll be inclined to recommend it. Still, it's misleading to users of other versions of Linux who might think they are building correct Slackware packages and aren't. I did commit one patch to installpkg to detect and correct for the most common problem with non-standard packages, but can't correct for them all.
Because checkinstall uses tar+gz instead of Slackware's package building tool (makepkg), it produces broken Slackware packages. It should be fixed to use makepkg -- then I'd actually recommend it.
Slackware packages are not simply tar+gz. It's important that the files are stored into the tar archive in a certain way, the correct version of tar is used, and the symbolic links are moved into the installation script properly, otherwise the package can't be effectively managed. You wouldn't try to make an rpm or deb with tar/cpio/bzip2/gzip/etc, so why people think they can tar up some files and call it a Slackware package is beyond me.
We thought about those kinds of solutions, but unfortunately nobody involved with Slackware had the time or interest to maintain a site like that, and volunteers weren't exactly lining up (well, completely unqualified ones were;-). It's generally best to concentrate your efforts where it does the most good (notice there's no Slashdot Linux distribution either). Anyway, I wish this experiment well, but IMO the folks at linuxquestions.org probably have a better chance of providing a troll-free forum. They seem to have a good moderation infrastructure in place already, a lot of members, and a very active community.
Cheers!
Wait a minute, aren't ALL software patents wrong?
on
Lucky Green vs. Palladium
·
· Score: 1, Insightful
I mean, really? Are we all going to give props to this guy for going out and patenting an algorithm? C'mon, this is slashdot people! Let's get those torches lit!
We all laughed when Bender refueled himself by slamming an "Olde Fortran" ale, but now it looks like alcohol _is_ going to be computer fuel soon! Who knew?
Cool. Then the SPDIF coaxial digital signal goes from my CD player into the coaxial digtal input on my sound card, and is saved to my hard drive as a file.
My Konqueror is reporting itself as IE/W98 because otherwise a lot of (stupid) sites won't work correctly. So I guess that's where I count on the Google graph... darn.
Slackware is not affected by this security problem. You need BSD_AUTH, S/KEY, or PAM to have a potential problem (PAM is still not verified), and we've never compiled in any of those options, nor are they options in a default build. So, you could just keep using a version with working compression, just don't include those options.
More simple is usually more secure.
Re:This is what the Radlight guy says...
on
Spyware Fights Back
·
· Score: 1
The difference is that AdAware is a program for removing spyware. It does what it says it does.
If RadLight were a program whose primary stated purpose was removing AdAware, I don't think you'd be encountering this kind of resistance. Furthermore, I believe you'd have been far better off just crawling back under your rock than coming here and trying (poorly) to justify your deceit.
Ah yes, the latest spin term of a diseased industry. These cheap hacks to the CD-DA standards do not protect copyrights, nor can they. Copyright protection is provided by the copyright law, and by the courts, not by some ill-conceived anti-duplication technology.
A more accurate term would be "Backup Prevention".
Re:Hold the bashing! What about Busybox?
on
Lineo near Death
·
· Score: 1
This is true -- busybox is an amazingly useful tool for any kind of small Linux system. It's a crucial part of the Slackware installer. It even includes the ash shell now, enhanced to provide readline-like tab completion and command-line editing. I just grabbed the latest stable and unstable CVS sources, because you just never know.
Another cool thing about Lineo -- they gave away free hackysacks at LinuxWorld. Gotta like that.
Slashdot Mirror
It's better to use Slackware's kernel-source-2.4.20-noarch-5.tgz package, since it already contains patches for some ext3 bugs as well as the recent ptrace exploit.
If you do use the original 2.4.20 tarball in the source/k directory, you will need to apply the linux-2.4.20.ptrace.diff.gz that you'll find in the same directory, and if you use ext3, you'll also want to apply the patches from the ext3-patches directory.
Don't you think that it is already possible to be a Doctor of Computer Science? What do you think happens when you get your PhD in computer science? Does anyone confuse Doctors of Literatures with MDs?
:) I think that's what makes it especially distasteful to see the "engineer" title being used by people who don't even hold a real CS degree at all.
Unfortunately, there is such a thing as a REAL computer engineering degree from a real engineering school, and this inappropriate use of the term engineer undermines the value of a title people are supposed to have to work hard to achive. Your example actually illustrates this to a certain point -- I'm sure there are people with various liberal arts degrees passing themselves off as "doctors" (on radio talk shows, for instance) knowing full well that most people will assume they hold some kind of medical degree. Similarly, if someone calls themselves a "Foo Certified Software Engineer", I'd venture they realize most people will think that have an actual engineering degree and are more than willing to accept the respect that goes along with that without putting in the hard work.
By the way, I changed my degree program from Computer Engineering to Computer Science, so I'm fully aware of just how much harder an engineering degree is.
I'm sorry, but this is a case where the state has every right to set some standards. Otherwise, what's next? Doctor of IIS Surgery?
Hey, do I get fp? :-)
That's right. It disables kmod.
Er, example number one (with 'cat') does not work after all (thought it would, but it doesn't). The second example does work. Just check your /proc/sys/kernel/modprobe afterwards and make sure it's been changed.
cat /this/file/aint/there > /proc/sys/kernel/modprobe
/proc/sys/kernel/modprobe
Oops... While the above also happens to work, what I meant was more like this:
echo "/this/file/aint/there" >
Pat
If you can't patch this right away, you can easily work around the hole. In order to be vulnerable, you need to have kmod enabled in the kernel, and /proc/sys/kernel/modprobe must contain the name of ANY VALID EXECUTABLE. It doesn't have to be /sbin/modprobe. Even /bin/false is vulnerable on this one.
/this/file/aint/there > /proc/sys/kernel/modprobe
To prevent the exploit, give the kernel a bogus filename to use as modprobe, like this:
cat
If you only use kmod to load modules at boot time, you might consider having this run after all your other init scripts, say in rc.local.
Pat
The fork of makepkg used in checkinstall produces broken packages, because it uses the wrong version of tar. This packs files differently, and it DOES make a difference.
As soon as checkinstall uses Slackware's native makepkg by default on Slackware I'll be inclined to recommend it. Still, it's misleading to users of other versions of Linux who might think they are building correct Slackware packages and aren't. I did commit one patch to installpkg to detect and correct for the most common problem with non-standard packages, but can't correct for them all.
Pat
Because checkinstall uses tar+gz instead of Slackware's package building tool (makepkg), it produces broken Slackware packages. It should be fixed to use makepkg -- then I'd actually recommend it.
Slackware packages are not simply tar+gz. It's important that the files are stored into the tar archive in a certain way, the correct version of tar is used, and the symbolic links are moved into the installation script properly, otherwise the package can't be effectively managed. You wouldn't try to make an rpm or deb with tar/cpio/bzip2/gzip/etc, so why people think they can tar up some files and call it a Slackware package is beyond me.
And that's the policy for nearly all of the other included packages as well.
http://www.sco.com/company/feedback/index.html
Slackware (and a lot of other distributions) got our first notice this morning on BuqTraq. Thanks, ISS.
We thought about those kinds of solutions, but unfortunately nobody involved with Slackware had the time or interest to maintain a site like that, and volunteers weren't exactly lining up (well, completely unqualified ones were ;-). It's generally best to concentrate your efforts where it does the most good (notice there's no Slashdot Linux distribution either). Anyway, I wish this experiment well, but IMO the folks at linuxquestions.org probably have a better chance of providing a troll-free forum. They seem to have a good moderation infrastructure in place already, a lot of members, and a very active community.
Cheers!
I mean, really? Are we all going to give props to this guy for going out and patenting an algorithm? C'mon, this is slashdot people! Let's get those torches lit!
We all laughed when Bender refueled himself by slamming an "Olde Fortran" ale, but now it looks like alcohol _is_ going to be computer fuel soon! Who knew?
& what's with ! using &?
Supermount has been around for a long time, but Linus has never accepted it into the kernel.
Why is that?
Is it insecure? Does it break other things? Inquiring minds want to know.
I'm sure if support for it were to show up in the standard kernel then EVERYONE would include it (hint hint). So, why isn't it?
Cool. Then the SPDIF coaxial digital signal goes from my CD player into the coaxial digtal input on my sound card, and is saved to my hard drive as a file.
Then what?
My Konqueror is reporting itself as IE/W98 because otherwise a lot of (stupid) sites won't work correctly. So I guess that's where I count on the Google graph... darn.
A lot of them compile in PAM, though. The bug involves keyboard-interactive mode plus one of the following: BSD_AUTH, S/KEY, or PAM.
More simple is usually more secure.
The difference is that AdAware is a program for removing spyware. It does what it says it does.
If RadLight were a program whose primary stated purpose was removing AdAware, I don't think you'd be encountering this kind of resistance. Furthermore, I believe you'd have been far better off just crawling back under your rock than coming here and trying (poorly) to justify your deceit.
Ah yes, the latest spin term of a diseased industry. These cheap hacks to the CD-DA standards do not protect copyrights, nor can they. Copyright protection is provided by the copyright law, and by the courts, not by some ill-conceived anti-duplication technology.
A more accurate term would be "Backup Prevention".
This is true -- busybox is an amazingly useful tool for any kind of small Linux system. It's a crucial part of the Slackware installer. It even includes the ash shell now, enhanced to provide readline-like tab completion and command-line editing. I just grabbed the latest stable and unstable CVS sources, because you just never know.
Another cool thing about Lineo -- they gave away free hackysacks at LinuxWorld. Gotta like that.