> One of the applications I have envisioned for this project is a cheap and easy genuine random > number generator. True random numbers in computing are nearly impossible, and successful > solutions are very expensive systems based on radioactive decay or atmospheric measurements, for example.
In newer VIA CPUs there are instructions for pretty good randomness, but neither AMD nor Intel seems to be willing to make similar instructions available.
> While there are many "techie" people like greatcelerystalk who know what they want, we have to keep in mind that Amazon is selling to the entire spectrum.
The "entire spectrum" compromises anyone that can pay, including human right abusers.
> Frivoulous and harassing law suits, > combined with limits upon damages awarded, along with loosers pays all expenses > sure curbs much of those abuses.
Shit should learn to read before presing the submit button: Of course, "Frivoulous and harassing law suits" are frowned upon in EU.
> You sure must be assuming I'm not from the European Union.
Most Europeans, unless they watch too many US movies and television series, would not use the phrase "So sue me!". Frivoulous and harassing law suits, combined with limits upon damages awarded, along with loosers pays all expenses sure curbs much of those abuses.
> Will you now please answer the question, oh Clever One?
I will not deprive you of understanding something by searching for it yourself. There is Wikipedia and Google for your perusals. While you are at it, look for progroms and Holocaust as to why registration (and asking) for religious affiliation is so sensitive.
> In EU, a private company can not ask which religion a person has.
>> Bullshit. Kindly produce evidence and point at the law preventing me or any other private party from asking you what your >> religion is. >> BTW: What religion are you? Now go sue me!
You sure must be an American exposed to some quality Kansas public education.
I wrote "In EU", and far as I know EU is not part of USA.
on privacy in order to make as much money as possible.
In EU, a private company can not ask which religion a person has. It is illegal and most Europeans consider it a serious breach of privacy open to abuse.
As a matter of fact, in several EU states you are may deduct from the tax money paid to a church. But many Jews does not do this because of Europe and the rest of the world's long history of pogroms and persecutions[1]: similar registers was used to round up Jews to murder. Europeans are aware of this, but Americans seems not.
[1] This, of course, does not excuse Israelswar crimes and human right violations.
> Finding all POSSIBLE bugs in a software program means traversing all possible paths in the code with all possible inputs. That's a HUGE problem.
That is provable impossible for applications in general using the software tools as of today (in general). So tools concentrate on common problems, or low-hanging-fruits, so to speak.
> You can "model" the code using Logic Equations and that helps some but any errors in the conversion from code to logic equations invalidate results.
There are several logic models where everything expressed in those model is provable true or false. But using these models demands a higher level of mathematics and tolerance to "slow" progress that just about any business or open source project will tolerate. Of course, you need a programming language where this is practical, and C/C++ does not cut it.
> I'd love to see a decent open source tool to run as a first pass before applying the other tools.
OpenBSD has recently put quite a bit effort into making the in-tree lint much more useful.
> I hope these Coverity guys aren't pompous enough to think that their tool can find ALL bugs in a program with... magic...
I am sure that they know their tools limitations, but I am pretty sure that others will interpret no outstanding bugs as if the application is secure or bugfree. Ethereal (now known as wireshark) has a very low bug count, but I will not use it due to numerous past remote exploits coupled with little interest in fixing bugs contra adding new features.
> Hmm, they should run their tool on its own source code, that would be fun.
> Obviously if "security software" can bypass the restrictions, then so can malicious programs.
Indeed, that is the case, but there is a big industry making money on the numerous exploitable bugs in Windows. So when Microsoft tries to close some of the holes, there are many complaints. My heart bleeds like an overflowing river for Symantec et al.
Yes, yes, Microsoft is probably up to its very old behavior again of vendor-lock-in, but there is improvement in security.
it's written, but if you even a little bit of the linked-to article, you will see that this is for x64, but no mention about i386 bits i.e. the great majority of PC. My guess is that this will be similar for i386 as well, though.
> Presumably that was meant more or less sarcastically.
Yes, it meant that way;-) USA produce so much wonderful technology, but only to have it abused so much.
> The question I'd ask is whether you can figure out a way of providing only technology that > can't be abused in such ways (and yes, IMO, the great firewall of China is an outright abuse > of the technology).
Most technologies, as you know, can be used for evil, but that does not mean that the technology in itself is evil. However, some technologies are so dangerous or easy to abuse that they are a real concern. A well known example is usage of nuclear power.
What is objectionable is corporations like Cisco that actively facilitate human right abuses in the name of profit and "free markets". Too bad that it's not presently possible to prosecute the repsonsible Cisco executives, and others of the same ilk.
While it's applied to a much larger number of computers and a much wider variety of subject matter, I don't see a lot of difference in the basic technology or know-how involved in the great firewall of China than in quite a few perfectly legitimate corporate firewalls and such
> Fortunately the US is not installing the great firewall.
Well, in many places in USA, schools and libraries are required to use filters to remove "bad" WWW sites. Btw, the list of "bad" sites are secret, or you may use reverse engineering. Oh wait, I forgot about DMCA.
> Sadly, other countries like China are.
US companies are providing the technology and know-how, but hey, "let the market decide".
> Course, you know what this means now. All the people who'd previously spent all their time on > Slashdot opinionating that Microsoft should adopt the Linux security model will now spend all > their time on Slashdot opinionating that Microsoft stole the Linux security model:-/
And at the same time complain that the latest binary-only driver from NVidia is not supported by their Linux distribution of choice... Of course, they don't know that much of the basic security in Linux predates Linux.
> The "administrator" account that Vista creates by default is actually a standard user that > can temporarily elevate to admin privelages on a task-by-task basis -- that's what UAC is about.
Of course it's not possible to fix all bugs, but that is not an excuse to deliver software filled with bugs. It is possible to have reasonable secure (i.e. not bug-ridden) applications, but then developers have to focus less on "new features" (businesses generally only care about "features") and start looking over their code.
Sure, this is not that exiting to do, but is needed at times.
> Why not get a fundamental understanding of computer software. There is no such beast as a safe configuration. Software running on the most "secure" configurations can still be designed to do harm. Short of crippling the OS, you will never, ever, get a 100% safe configuration.
Ooooohhhh, "Short of crippling the OS, you will never, ever, get a 100% safe configuration." Are you a Microsoft Windows user, by any chance, because that sure sounds like Microsoft excuses for their security holes ridden software.
Of course there are configurations/software that can be consider safe for most usages, but hey, so many users demand bloatware.....
> Yes, Fedora is considered Beta. However, it's Beta in the same way that Google is Beta. I've been using Fedora since Core 1, and it has been deployed in many many production environments that I have worked in/around. Never had a problem.
Does your employer know that you are using Beta software? Or a better question: What do you mean by "production environment"?
> Yeah, I got screwed by the RH FC split too, but you know what? business is business. I adjusted, I use RH when certain apps my business needs require it, and FC when not.
So, a business let you hang and dry, and you still use their products? Really, what do you mean by "production environments"? Your Moms basement?
their WWW browser and/or OS is unsafe in various ways. We know that IE and Windows is not the safest combination, but looking at the recent string of security holes in Firefox/Thunderbird shows that this is not particulary safe either.
Why not fix the software and/or its default configuration so that it is safe to use?
> I mostly work with installer and kernel issues. FC5 was pretty buggy. I already had one customer ask me why FC5 hangs during > install. I told him that if he was using the text mode install that sometimes hangs so he should use the graphical install. > Otherwise he should just use FC4 or Centos.
FC is beta quality and testing ground for RHEL, so if your custumer wants something better he could pay for RHEL or use anoter distro/*BSD.
> It's like every 6 months a new installer is released and you hope all the bugs from the last one are fixed. Sometimes they are > but now a whole new lot of bugs are introduced and you have to wait 6 months only to be disappointed again.
Again, FC is beta quality.
> Could I get a bug fix for this crap or do I have to wait for the FC6 release?
> Do you see Fedora Core as targeted at a particular type of Linux user (developers, server admins, desktop users, multimedia, etc) or are you > trying to be all things to all people?
Fedora is beta testing of software that may/will end up in RHEL, so there is an implicit targetting in that. Essensially a Fedora user == beta tester.
> The way I see it, each party is as bad as the other. One's just better at it than the other one. Both try to exploit human characteristics > in order to gain and hold power.
But the Republicans specialise in using fear to manipulate. Remember all those terrorist alerts (i.e. "Threat Levels") that used to be issued by the Bush Administration? In particular when Bush has political problems or when there is an upcomming election?
Slashdot Mirror
> One of the applications I have envisioned for this project is a cheap and easy genuine random
> number generator. True random numbers in computing are nearly impossible, and successful
> solutions are very expensive systems based on radioactive decay or atmospheric measurements, for example.
In newer VIA CPUs there are instructions for pretty good randomness, but neither AMD nor
Intel seems to be willing to make similar instructions available.
but still accepts cookies from Google, even if it just for the session.
Besides, not one word about JavaScript......
> While there are many "techie" people like greatcelerystalk who know what they want, we have to keep in mind that Amazon is selling to the entire spectrum.
The "entire spectrum" compromises anyone that can pay, including human right abusers.
> Frivoulous and harassing law suits,
> combined with limits upon damages awarded, along with loosers pays all expenses
> sure curbs much of those abuses.
Shit should learn to read before presing the submit button: Of course,
"Frivoulous and harassing law suits" are frowned upon in EU.
> You sure must be assuming I'm not from the European Union.
Most Europeans, unless they watch too many US movies and television series,
would not use the phrase "So sue me!". Frivoulous and harassing law suits,
combined with limits upon damages awarded, along with loosers pays all expenses
sure curbs much of those abuses.
> Will you now please answer the question, oh Clever One?
I will not deprive you of understanding something by searching for it
yourself. There is Wikipedia and Google for your perusals. While you
are at it, look for progroms and Holocaust as to why registration (and
asking) for religious affiliation is so sensitive.
> In EU, a private company can not ask which religion a person has.
>> Bullshit. Kindly produce evidence and point at the law preventing me or any other private party from asking you what your
>> religion is.
>> BTW: What religion are you? Now go sue me!
You sure must be an American exposed to some quality Kansas public education.
I wrote "In EU", and far as I know EU is not part of USA.
on privacy in order to make as much money as possible.
In EU, a private company can not ask which religion a person has. It is illegal and
most Europeans consider it a serious breach of privacy open to abuse.
As a matter of fact, in several EU states you are may deduct from the tax money paid to
a church. But many Jews does not do this because of Europe and the rest of the world's
long history of pogroms and persecutions[1]: similar registers was used to round up Jews
to murder. Europeans are aware of this, but Americans seems not.
[1] This, of course, does not excuse Israelswar crimes and human right violations.
> Finding all POSSIBLE bugs in a software program means traversing all possible paths in the code with all possible inputs. That's a HUGE problem.
That is provable impossible for applications in general using the software tools as of today (in general).
So tools concentrate on common problems, or low-hanging-fruits, so to speak.
> You can "model" the code using Logic Equations and that helps some but any errors in the conversion from code to logic equations invalidate results.
There are several logic models where everything expressed in those model is provable true or false. But
using these models demands a higher level of mathematics and tolerance to "slow" progress that just about
any business or open source project will tolerate. Of course, you need a programming language where this
is practical, and C/C++ does not cut it.
> I'd love to see a decent open source tool to run as a first pass before applying the other tools.
OpenBSD has recently put quite a bit effort into making the in-tree lint much more useful.
> I hope these Coverity guys aren't pompous enough to think that their tool can find ALL bugs in a program with... magic...
I am sure that they know their tools limitations, but I am pretty sure that others will interpret
no outstanding bugs as if the application is secure or bugfree. Ethereal (now known as wireshark) has
a very low bug count, but I will not use it due to numerous past remote exploits coupled with
little interest in fixing bugs contra adding new features.
> Hmm, they should run their tool on its own source code, that would be fun.
I would be very surprised if they did not.
> Obviously if "security software" can bypass the restrictions, then so can malicious programs.
Indeed, that is the case, but there is a big industry making money on the numerous exploitable bugs
in Windows. So when Microsoft tries to close some of the holes, there are many complaints. My heart
bleeds like an overflowing river for Symantec et al.
Yes, yes, Microsoft is probably up to its very old behavior again of vendor-lock-in, but there is improvement
in security.
it's written, but if you even a little bit of the linked-to article, you will see that
this is for x64, but no mention about i386 bits i.e. the great majority of PC. My guess is
that this will be similar for i386 as well, though.
> Presumably that was meant more or less sarcastically.
;-) USA produce so much wonderful technology, but only to have
Yes, it meant that way
it abused so much.
> The question I'd ask is whether you can figure out a way of providing only technology that
> can't be abused in such ways (and yes, IMO, the great firewall of China is an outright abuse
> of the technology).
Most technologies, as you know, can be used for evil, but that does not mean that the technology
in itself is evil. However, some technologies are so dangerous or easy to abuse that they are
a real concern. A well known example is usage of nuclear power.
What is objectionable is corporations like Cisco that actively facilitate human right abuses
in the name of profit and "free markets". Too bad that it's not presently possible to
prosecute the repsonsible Cisco executives, and others of the same ilk.
While it's applied to a much larger number of computers and a much wider variety of subject matter, I don't see a lot of difference in the basic technology or know-how involved in the great firewall of China than in quite a few perfectly legitimate corporate firewalls and such
> Fortunately the US is not installing the great firewall.
Well, in many places in USA, schools and libraries are required to use filters
to remove "bad" WWW sites. Btw, the list of "bad" sites are secret, or you may use
reverse engineering. Oh wait, I forgot about DMCA.
> Sadly, other countries like China are.
US companies are providing the technology and know-how, but hey, "let the market decide".
> It sounds like he was forcefully ejected from his own board, but the story leads me to believe that this is what he wanted-
"forcefully ejected"? He was not re-elected.
> On a more serious note though..
;-)
> I always thought it was easier to just torture somebody for the password?
Where you by any chance stationed in Iraq
> Course, you know what this means now. All the people who'd previously spent all their time on :-/
> Slashdot opinionating that Microsoft should adopt the Linux security model will now spend all
> their time on Slashdot opinionating that Microsoft stole the Linux security model
And at the same time complain that the latest binary-only driver from NVidia is not supported
by their Linux distribution of choice... Of course, they don't know that much of the basic
security in Linux predates Linux.
> The "administrator" account that Vista creates by default is actually a standard user that
;-)
> can temporarily elevate to admin privelages on a task-by-task basis -- that's what UAC is about.
Did Microsoft put a GUI on http://www.courtesan.com/sudo/
Of course it's not possible to fix all bugs, but that is not an excuse
to deliver software filled with bugs. It is possible to have reasonable
secure (i.e. not bug-ridden) applications, but then developers have to
focus less on "new features" (businesses generally only care about
"features") and start looking over their code.
Sure, this is not that exiting to do, but is needed at times.
> Why not get a fundamental understanding of computer software. There is no such beast as a safe configuration. Software running on the most "secure" configurations can still be designed to do harm. Short of crippling the OS, you will never, ever, get a 100% safe configuration.
Ooooohhhh, "Short of crippling the OS, you will never, ever, get a 100% safe configuration."
Are you a Microsoft Windows user, by any chance, because that sure sounds like Microsoft excuses for
their security holes ridden software.
Of course there are configurations/software that can be consider safe for most usages, but hey,
so many users demand bloatware.....
> Yes, Fedora is considered Beta. However, it's Beta in the same way that Google is Beta. I've been using Fedora since Core 1, and it has been deployed in many many production environments that I have worked in/around. Never had a problem.
Does your employer know that you are using Beta software? Or a better question: What do you mean by "production environment"?
> Yeah, I got screwed by the RH FC split too, but you know what? business is business. I adjusted, I use RH when certain apps my business needs require it, and FC when not.
So, a business let you hang and dry, and you still use their products? Really, what do you mean by "production environments"? Your
Moms basement?
their WWW browser and/or OS is unsafe in various ways. We know that IE and Windows is not the safest combination,
but looking at the recent string of security holes in Firefox/Thunderbird shows that this is not particulary
safe either.
Why not fix the software and/or its default configuration so that it is safe to use?
> I mostly work with installer and kernel issues. FC5 was pretty buggy. I already had one customer ask me why FC5 hangs during
> install. I told him that if he was using the text mode install that sometimes hangs so he should use the graphical install.
> Otherwise he should just use FC4 or Centos.
FC is beta quality and testing ground for RHEL, so if your custumer wants something better he could pay for RHEL or use anoter distro/*BSD.
> It's like every 6 months a new installer is released and you hope all the bugs from the last one are fixed. Sometimes they are
> but now a whole new lot of bugs are introduced and you have to wait 6 months only to be disappointed again.
Again, FC is beta quality.
> Could I get a bug fix for this crap or do I have to wait for the FC6 release?
Use something else.
> Do you see Fedora Core as targeted at a particular type of Linux user (developers, server admins, desktop users, multimedia, etc) or are you
> trying to be all things to all people?
Fedora is beta testing of software that may/will end up in RHEL, so there is an implicit targetting in that.
Essensially a Fedora user == beta tester.
> The way I see it, each party is as bad as the other. One's just better at it than the other one. Both try to exploit human characteristics
> in order to gain and hold power.
But the Republicans specialise in using fear to manipulate. Remember all those terrorist alerts (i.e. "Threat Levels") that used to
be issued by the Bush Administration? In particular when Bush has political problems or when there is an upcomming election?
there is surplus electricity available from Guantánamo Bay in Cuba.