Apple didn't develop the patch on one day. @stake and Eeye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.
Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.
Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.
Longhorn and future OSes are moving towards a two-tier OS model, where a small C++ based kernel, driver, and .Net CLR form the basis for the rest of the OS, which will be implemented in C#/.Net.
>Even if you write with a language that supposedly does not have Buffer Overflows, you still rely on other modules that were written in a language that does allow them to happen.
You are technically right (on x86) for heap overflows, but you miss the point. There is no reason that the whole OS should be implemented in a dangerous language that uses dangerous functions by default. If 90% of the OS is implemented in a "safe" language, like Java or C#, then you get two benefits:
1) Basic programming snafus like overflows are limited to a smaller amount of code, that is more likely to be written by security aware developers and is easier to audit.
2) You have a security model that can be applied to 3rd party components in an understandable manner.
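The "dangerous functions by default" point above, illustrated with an added C example (not code from the commenter or from any OS mentioned): a fixed-size name field written once with `strcpy`, which never consults the destination size, and once with a length check that rejects oversized input. `NAME_LEN`, the function names and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size field, as found in a great deal of C code. */
#define NAME_LEN 16

/* Dangerous-by-default style: strcpy copies until the NUL terminator and
   never looks at the destination size. It is only safe when every caller
   has already guaranteed strlen(src) < NAME_LEN, which is exactly the kind
   of invariant that gets lost across a large C code base. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Checked version: refuses input that does not fit and leaves dst a valid
   empty string. Returns 0 on success, -1 if the input was rejected. */
int copy_name_checked(char dst[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {        /* no room for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* copies the terminator as well */
    return 0;
}

/* Convenience wrapper: attempt a checked copy into a local field and
   report only the result code. */
int try_copy(const char *src) {
    char field[NAME_LEN];
    return copy_name_checked(field, src);
}

int main(void) {
    char field[NAME_LEN];
    const char *short_in = "alice";                                   /* constructed: fits */
    const char *long_in  = "this-name-is-far-too-long-for-the-field"; /* constructed: 39 chars */

    /* The unchecked copy is only ever called here with input known to fit. */
    copy_name_unchecked(field, short_in);
    printf("unchecked copy of short input: %s\n", field);

    printf("checked copy of short input: rc=%d\n", copy_name_checked(field, short_in));
    printf("checked copy of long input:  rc=%d (field=\"%s\")\n",
           copy_name_checked(field, long_in), field);
    return 0;
}
```

The checked variant is what a "safe" language gives you for free on every string operation; in C it has to be written and audited at each call site, which is the argument for keeping the amount of such code small.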
The demise of the XCF has been highly exaggerated. Here at Berkeley we have a number of computer clubs that serve an approximate purpose, like the CSUA and Eta Kappa Nu, the honor society.
So they haven't had a world-famous project since the GIMP: So What? How many Universities have an organization as productive as them? Maybe MIT? They are still working on individual projects, they're just not quite as ambitious as they once were, and the CS department is very supportive of them now.
Remember, these people are undergrads in one of the hardest CS programs in the country (trust me, we're all getting our asses kicked), and everything the XCF does is in proxy of a social life. I contemplated joining once, but I realized that I wouldn't be able to give the time commitment necessary. I'm not surprised that they don't have people beating down their door.
Also don't listen to anything Daniel Silverstein has to say. The guy's a bit of a prick.
Hey Stanford people: You may still have the axe, but you don't have anything like the XCF :)
Strangely enough, I think FreeBSD has always been a more ripe opportunity for companies to provide support for, since such companies won't have to deal with the forking of user space administration code found in Linux distributions. How does Linuxcare do it? (Or do they not do it correctly?) I've learned and used Red Hat for a couple of years, and I have a lot of difficulty fixing the systems of friends running SuSE. Does LinuxCare have a department for every major distribution? Of course, it seems most BSD users have used UNIX/Linux for several years, and probably won't need the support options. Does anybody know how big of a deal this is to corporate IT managers?
That's not really true. The head effects team for The Matrix was Manex (www.mnfx.com). I know this because the head visual effects supervisor, the head CG supervisor, etc. spoke on campus (UC Berkeley) two weeks ago. They handled all of the difficult work, such as the "bullet time" shots and the animation of things like the human farms. They are based in Alameda, CA, which is in the East Bay across from San Francisco, near Berkeley and Oakland. The Australian effects houses were used for less difficult shots like the "bug" and the zooming through the phone effects. They did this work as subcontractors under the supervision of Manex.
Sad
enter
Is
enter
This
enter
+ + +
Sorry. Old News. Go Bears! Beat Fresno State!
I've never heard this name. I think proper names for Berkeley are:
:)
University of California, Berkeley
University of California at Berkeley
Berkeley
UC Berkeley
UC
(these ones are almost exclusively used for sports)
(the) University of California (Golden Bears)
California
Cal
Stanfurd students call us Kal. I think they envy the fact that we can actually receive C's and D's in classes.