Please create an account to participate in the Slashdot moderation system


Forgot your password?

Slashback: Shelter, Panic, Intrusion 110

Welcome to Slashback for the evening: Yes, another big security problem with the world's second-most popular web server, a slight revision of the plight of Silicon Valley's homeless, and good news from the Indymedia front.

Remember, Free Software Sinks Ships curtS was one of the many to point out that "MSNBC has an article about a security hole you could throw a cat through." This might be more exciting if it was the first time, but jamie posted about a very similar-sounding flaw a few months ago.

Calling off the dogs of war. An anonymous reader writes: "Slashdot reported that Indymedia had received a court order to hand over the logs and other records pertaining to the IMC's coverage of anti-globalization protests in Quebec City. Now FBI has dropped the case. Here is the press release."

phunhippy points to coverage at Wired as well.

This Old House - gr8dane writes "I was just checking out the Sunday posting on /. about .commers in homeless shelters and Salon is running an update to the same story. The previous post prompted quite a bit of feedback on /. and this update article seems to support those who felt the Sunday article wasn't indicative of the industry as a whole. 'John Sacrosante says he went from six figures to a shelter. His friends say there's something fishy in San Jose.' Quite interesting ... "

DoctorZ writes: "In response to reading the recent article about Zero-Knowledge's withdrawal from Linux development for Freedom. I emailed them discussing my concerns along with everyone else's. Here was their response:


We know....

We understand your disappointment. It is not a easy decision. We are not giving up on Linux. Our entire Freedom Network is Linux based!This decision was taken in response to the number of people purchasing the Linux version as compared to the number purchasing the Windows version. While many of us at Zero-Knowledge are Linux enthusiasts, the number of interested Linux users downloading Freedom simply didn't warrant continued development efforts, and we have chosen instead to apply our development resources in a way that will maximize value to our customers.

Once again, thank you for expressing your concerns.



This discussion has been archived. No new comments can be posted.


Comments Filter:
  • by Anonymous Coward
    If it's all a "myth", how do you explain the other 29 former tech workers in the homeless shelter?
  • by Anonymous Coward

    Figments of an overactive imagination.

    Masquerading crack addicts.

    Federal Reserve agents attempting to slow the economy by giving the illusion of mass layoffs.
  • by Anonymous Coward
  • by Anonymous Coward
    Tsk, you're not supposed to ask such questions.

    Salon might have to give the bribe back to the San Jose Chamber of Commerce, and you know how badly they need the money.

  • by Anonymous Coward
    You need to have to burn a lot of bridges to actually end up in the street. You have to lose your income, your savings, your friends (or the goodwill of your friends) and what might be called Social Capital.

    Unfortunately, all those things are related. Once you lose one, you are much more likely to start losing the others.

    You lose your income, your savings start to dwindle while you look for another job. Furthermore, you're less employable; when you apply for a job, the interviewer asks you why you aren't working now (I assume this is approximately what you mean by your "Social Capital"). As for your friends ... well, the term "fair-weather" was invented for a reason ...

  • In order to have a social network that's worth a damn, you have to not be overly selfish.


    Which explains a lot about the new breed of essentially Randite dotcommers... and what happened to them when Darwin turned out to be real, and not everybody could win.

    Which is not to say all those merrily heartless libertarian extremists turned out to be hypocrites- I am sure there are a lot of them sleeping in their cars because by God they're not taking charity! Better to die alone than to bow to others!

    It's just that... well, they can be sincere about that as much as they want, but I still can't help but think that SOCIAL NETWORKS ARE GOOD. They are how civilization has got along for centuries, for thousands of years. Scorning that seems like a singularly stupid and unhealthy attitude.

    So, if the dotcommer Randites are determined to die in the back seat of their cars from starvation rather than concede the inadequacy of selfishness as a social mechanism- maybe that's a good thing. You could almost call it Darwinian...

  • No, that is not what is meant by Social Capital. "Social Capital" is a capitalistic way of describing why it's good to have friends and family and to be good to them. "Spending" of yourself, mostly in the form of time and attention, on your friends and family is putting social "currency" in the "bank." Later, when your life goes to hell to a greater or lesser extent, you make "withdrawls" from this social bank in the form of them spending time and attention on you but also in more concrete forms like a place to sleep, a good interview suit or even a cash loan. It can go beyond friends and family to more casual relationships such as being friendly with a neighbor or a guy at the mini-mart.

    Part of me believes this is a crass and depressing way to look at it but another part appreciates how sensible and pragmatic it makes having friends sound. Maybe I should get me some.
  • I have reason to suspect that Microsoft is toning down a bit. They've gone from describing Free Software as a cancer to being "pac-man-like". []

  • Bear in mind that I.M, and the people they support, thrive on provoking confrontation with authority, for publicity. Given this, it could be argued that the FBI dropping the case actually deprives them of a source of PR.

    To be honest, my impression of IndyMedia is that they are just as biased, if not more so, than the mainstream media they want to subvert.


  • I don't think they've ever claimed a lack of bias... They just claim that their bias is better. Generally, I tend to agree.

    But frankly, indymedia's bias is why I read it (though not as regularly as I used to). You're unlikely to find truly neutral journalism anywhere, so why not at least find a couple of sources whose viewpoints are clear (and preferably at odds)?

  • Those ship-based NT systems that are less reliable will drown while those that work will survive to breed with other ships thus improving the species....

    Ships are all "she"s.

  • Which is not to say all those merrily heartless libertarian extremists turned out to be hypocrites- I am sure there are a lot of them sleeping in their cars because by God they're not taking charity! Better to die alone than to bow to others!

    FYI it isn't against libertarian beliefs to give or receive (or ask for) charity. It is against libertarian beliefs to force someone to give "charity" (quoted here because it isn't really charity if it is taken by force). So giving $5 to a homeless guy on the street is fine. Running a soup kitchen is fine. Going to one is fine. Taking 26% of someone's wages and using it to fund all manner of things including aid to the homeless is not so fine. Not because of the things funded by that money, but because it is taken, not offered up freely.

    Likewise asking someone for $5 so you can eat is OK. Telling someone to give you $5 so you can eat, or you will stab them in the eye is not OK.

  • If you do you are a major hypocrite, like most of the Libertarians I know...

    One is a hypocrite for wanting to change from a involuntary system to a voluntary one? As far as I know most libertarians (they prefer little l) don't claim to currently be living the live they want too (i.e. are not a person who puts on a false appearance of virtue or religion). They would like to privately fund schools, highways, and most want to fund national defense with excise taxes (I think). They aren't going and claiming that they are doing it, or otherwise falsely asserting that they are currently are not benefiting from the taxes of others.

    It would be rather hard to not do so since there is no alternate method set up to account for everyone's use of government services and pay for them.

    I don't think the often quoted libertarian idea of almost no government is attainable. But I do want one radically smaller then the existing one. At least on the federal level. At the state level my feeling are much more mixed. I know that would increase the local state taxes quite a bit because a lot of the funding for state works comes from the feds, but it would also increase the likelihood of being able to find a state that offers roughly the services you want for roughly the taxes you are willing to pay. Currently it is all but impossible because so many services are actually payed out of your federal taxes...

  • Check out Crowds [] from AT&T's research arm... the same people who did VNC. It's not encrypted, but it has the same pooling affect.
  • Or if not overconfidence, at least a captain far too easily influenced by the media and the fleet owner: IIRC, the Titanic was also touted as being really fast, and thus the pressure was on to prove that she could cross the Atlantic in record speed.

    IOW, egos did 'er in.

  • I'm terribly sorry to have to disagree with you there, but most buffer overflows (at least in widely deployed internet server software) do not result in remote system-level access that's not even logged (IIS crashes, restarts, and baam! your cracked - tell me how you're going to tell that crash apart from the forty other IIS crashes that happened this week).

    Try telling several million semi-clueless IIS admins on pissant corporate web sites all over the world who will be cracked over the next year or so that outrage over IIS's inexcusably woeful code is Hype Hype Hype.
  • Right now I'm keeping my fingers crossed that no security holes of similar magnitude in Open Source software are discovered for at least the next few weeks.

    Let's face it, every major operating system has security flaws, either in the past or just waiting to be discovered. The benefit of Open Source is not only that it makes it easier for everyone to see its flaws, but it makes it easier for anyone to fix them.

    Right now we have Craig Mundie preparing to argue the merits of commercial licenses over Open Source, and having a hole of this magnitude (read the article for details) showing up in closed-source software so close to this debate only serves to make our case look better.

    There are times when a closed-source license scheme will work out better for a particular company, and there are times when an open-source one will be better (and I'm only talking in regards to the company, not the rest of society). This security hole will hopefully reduce the FUD level against Open Source software, particularly from a security point of view.

    I can't wait to hear the Mundie debate [] next week.


  • Alot of times when working with a pre-existing codebase buffer overflows and problems pop up when you add new code to older code or go back and try to fuck with older code. Big software projects can get really complex which means for every so many lines you write you've fucked up so many times. Plus with writing code on a schedule you often times have to have a product ready by a certain date, not when it's finished so you don't have time to do a whole bunch of testing. Personally if I were managing something like IIS I'd give the dev guys plenty of time to work on testing and evaluation but thats just me.
  • Same applies here in Toronto.
    Ontario Power Generation wanted senior developers, and I thought that it'd be cool to write S/W for nuke plants. I was shocked to hear that they wanted M$ VB programmers :-(
  • We don't need better programming languages, we need better programmers. Those who try to code too quickly and fail to think about what they are doing are the ones that bring us buffer overflows. And now you want to encourage these same people to code with a language they are told will speed up their programming? They better not be coding anything for medical instruments, airplane controls and navigation, nor any military systems ... even if they are using Java.

    Since when was a language able to make up for neglect?

  • Followed closely by: 'But it doesn't have Rover(tm), the cute, MS-BOB-based, animated pooch that will help you figure out how to type words into the "Look For File Named"(tm) field in the "Search"(tm) Window(tm).'

  • no more unlimited futures

    Isn't that a contradiction in terms? I guess in "unlimited futures" savings accounts and wads of cash stuffed into mattresses are "off limits."

  • NT applications...provide damage control

    At my $ORK_PLACE, it's usually the other way around.

  • Maybe, but Leonardo DiCraplio sinks films.

  • You left out, "Oh, she's unsinkable, so the lifeboats are for show, and can only accomodate a fraction of the passengers."

  • You just don't understand "Microsoft Time", man. In Microsoft Time, there was never a printing of "The Road Ahead" that dismissed the importance of the Internet. Microsoft Time is completely and totally subjective, governed by the whimsies of Bill Gates, his wife, his daughter, that nice man on the corner that calls him "Mistuh Gates, Suh," and the value of the sum of the build numbers of the Release to Manufacturing of all versions of Windows 9x running on the DOS code-base that was officially declared dead with the release of the Windows OS that "Makes a Grown Man Cry" multiplied by the pequininos lucky number and divided by PI then raised to Avogadro's number.

    So you see, Microsoft is right in what they claim the date is, and it's a user error that occured during the installation of MS Office Professional that makes it appear incorrect.

  • by sharkey ( 16670 ) on Tuesday June 19, 2001 @08:35PM (#139195)
    Oh, man. I'll forgo my raise next year if only they would offically declare me the Chief Hacking Officer. (It's almost as influential as Senior Shouting Officer amongst the Vogons, you know.)

    If I were a Chief Hacking Officer, I could make broad assumptions like declaring that each domain that uses IIS only has one computer serving pages for it. I could be in article posted to Slashdot! What more could any sane geek want?

  • I hate Microsoft as much as any other red-blooded American, but there's no story here except Brock Meeks' shameful hyperbole. It's a standard buffer-overflow problem, plain and simple. It's happened a million times before and will happen a million times again.


  • ?...Working with Windows 2000 and its successor operating systems ?should reduce lifecycle crewing and maintenance costs, as well as procurement costs,? he said. ?They will be running Windows or ?Son of Windows? by the time this ship deploys.?
    • This article about the advantages of MS software was obviously written on MS software, as it has been damaged by MS proprietary characters [].
    • One of the "advantages" is a reduction in maintenance costs, but they're proud of the need to use a newer version of Windows and the expense of upgrading?
  • Also, the steel plates used to build the hull had very high sulfer content and were quite brittle, even by the standards of the day.
  • I think financial wisdom must follow a different thought pattern.

    It does. Most people call the thought pattern "blind luck". Most technical people call investing a SWAG (scientific wild ass guess). Face it, investing is no more scientific than betting on sports contest. There are some pretty good indicators that some companies are going to win, but everyone is looking at the same indicators which drives the price of that companies stock higher. Betting (investing) on a 'long shot' will provide better payoffs if that company/team wins, but there's a reason that it's called a long shot.

    The best thing I've found to do with my money is to spend it. My kids won't have a big inheritance, and both of us will have to work our asses off to get them through college (why do kids today think they shouldn't have to work while in college is beyond me). But when I'm gone they'll have a lot of fond memories of all the fun we had spending money in the good times, and I won't have to worry about anyone trying to come get their stuff during the bad times ('cause it won't be there). Reckless? Yes, but I've dug ditches before and I can do it again.

  • Taking 26% of someone's wages and using it to fund all manner of things including aid to the homeless is not so fine. Not because of the things funded by that money, but because it is taken, not offered up freely.
    Some of us (liberals) willingly pay taxes in return for services like national defense, interstate highways, public schools, etc...

    Of course you never went to a public school, don't use any interstate highways, or depend on the U.S. military to keep you safe.

    If you do you are a major hypocrite [], like most of the Libertarians I know...
    You think being a MIB is all voodoo mind control? You should see the paperwork!
  • All the recent news stories around the rise and fall of the dot coms are starting to resemble the urban myths that make up 83.2% of all corporate e-mail traffic. The truth is far more complicated and far less interesting to the average reader.

    I'm sure there's plenty of human interest stories in other boom-to-bust industries, but they lack the "magical" elements (massive wealth at a young age, mysterious computer skills) that lend the Dot Com stories their fairytale qualities.

    I personally can't wait until these stories join the Chupacabra and Monkeyman in the footnote department.
  • Yes, another big security problem with the world's second-most popular web server

    For a second I thought ./ had been compromised again.

    I guess that nobody explained to you that used to be a Microsoft website. Microsoft has simply been too embarassed about having their web sit so throroughly owned that they've never taken it back.

    (There is no truth to the rumor that, once Linux was remotely installed on their IIS box, they were not able to bring the system down.)


  • True Microsoft has its share of bugs but considering sheer number of installation running their software ( not to mention incredible amounts of extremely varied input their software is subjected too)

    Letting your paying customers find the bugs (and, in some cases, then denying the existence of bugs reported by multiple users), is not what I'd call 'testing'.. I'm not interested in paying big money to be part of an unofficial 'public beta' that never seems to end.

  • Weapons Control Specialist: Sir! Sir! The enemy has taken control of our guns!

    Captain: Frigin Script kiddies....

    Weapons Control Specialist: I think they used a Microsoft back door to..

    B O O M ! !

  • Hey, C'mon! Most large open source projects would probably take the better part of a day -- maybe even two -- to prepare and test a fix to a buffer overflow problem (mostly hunting down similare F*CK ups....

    Oh - MS was informed severeal weeks ago???

  • They're not interested in provoking confrontation. They're interested in getting out news that is being self-censored by the media. If they were interested in provoking confrontation, they would have probably done something like post the court order before the gag was lifted.

    Then again, spending the better part of a day removing posts about the (non)'raid' was a surprisingly effective way of igniting interest about the story while keeping with the spirit of the order.

    In any event. The FBI probably dropped the case because they were almost sure to lose it on appeal. The sweeping nature of the court order was bound to be seriously questioned by any upper court, and given that the original order was for a non-existant IP address, they would need to ask for a material change to the order to be able to wrest any data from I.M..

    On the other hand, if the intent of the order was to provoke disorder and chaos at I.M. in the middle of the summit, it has achieved it's purpose and outlived it's usefulness. Keeping it alive would cost the FBI lots (both money and PR), while gaining them little beyond the damage already done.

    It really seems to me like the last was the real intent of the order. Consider that it was dumped on them in the middle of the Quebec conference, referenced an unused IP address, a foreign crime and non-existant posts, while demanding that a site dedicated to getting news out to the public to not tell anybody that everything that they had done for the last 48 hours might be handed over to an organization famous for previous anti-activist activity.

    When I think about it, it's actually possible that the FBI was really probing the organization, and hoping that they would breach the gag order. If they had, then the FBI would have had an excuse to shut down the whole operation even though they had done nothing else illegal. This is not too far from a tactic often used in Canada (esp. BC).

  • by Devil Ducky ( 48672 ) <> on Tuesday June 19, 2001 @04:28PM (#139207) Homepage
    when are companies going to start coming out with really refined and good code

    Microsoft has been releasing software with good, refined code ever since they used BSD code in Windows.

    Devil Ducky
  • It refers to the World War II army saying, "Lose lips sink ships". More information Here [].
  • by Velox_SwiftFox ( 57902 ) on Tuesday June 19, 2001 @07:32PM (#139209)
    Samuel Clemens (Mark Twain) managed to blow $300,000 (19th century $) of his savings investing it in development of an automatic typesetting machine; Sir issac Newton lost his fortune in the South Sea Trading Company bubble way back in 1720; plenty of otherwise thought-to-be-intelligent people bit it investing in RCA in the 1920's, Polaroid in the 1960s, etc... I wouldn't try to judge people's intelligence based on their financial success. Human nature applies to the temptations of all, no matter how otherwise intelligent they might be. I think financial wisdom must follow a different thought pattern.
  • So... can someone in software development explain to me how it is that buffer overflow vulnerabilities are still being found? I know dick about coding, obviously, and that's why I'm asking: wouldn't it be a standard operating procedure by this point in time to make sure that buffer overflows are handled properly? What's the deal?
  • Sorry but I have to agree. It was May 18th. I was assigned the task of fixing this (yesterday) and when I first pulled up the page at MS that described the problem it said May 18th. I wondered how this could have been posted for so long without anyone knowing about it until yesterday. But when I returned to the site later, (not much later) it was corrected...unless they are trying to gaslight us.
  • I'm not so sure. Back in the mid '90's I used to subscribe to a new letter published by Ed Yourdon called the "Guerrilla Programmer." He ran a number of articles covering software developemnt practices at MS devoted to the topic of "Good enough software." The point was that given all of the function points of the typical application, only so much testing was warranted. Shipping software with bugs was better than not getting to market quick as long as users could live (and work around) the bugs. Of course the up-side is that you get to sell the fixes back as upgrades. Wish I'd thought of it.
  • Ever had a look at Indymedia? The wire's full of Marxist bleatings, bleeding-heart whining about the costs of convenience, and crackheaded posts from kooks. It's a complete waste of time.

    And I suppose news from agencies which filter out the important parts are better than Indymedia. Take a look at Jim Bell, the judge scared the media, and the media shoved their tails up their asses and stood silently as Bell was shafted.

    Take a look at the McVeigh trial, where did the media go when John Doe news was brought about from the beginning? What about CNN's actions during the Gulf War... Sure allow the military into the company to monitor what gets reported.

    Sorry sir I would rather have all forms of news to look at instead of believing what I'm fed, especially from normal news agencies which break under pressure by Big Brother's bully tactics.

    I don't see why the FBI backed off. Secret documents were stolen, and it's important to find out where they came from, lest the next stolen documents result in murders and chaos.

    It's likely they backed off because they didn't have a case to begin with jackass.

    Indymedia supports violent actions. Witness how they moan and cry about police trying to maintain order in Gothenburg, Sweden last weekend, ignoring the 50 injured officers and 5 dead horses that
    resulted from anarchist riots in the downtown core. The "collective" doesn't seem to give a shit about the one officer that got nailed in the head by a rock, knocking him unconscious, but you'll hear no end to the bitching about the attacker who got shot by fellow officers in self-defence.

    Hypocrites and suburbanite bleeding-hearts, the lot of them. They don't deserve sympathy, and they
    don't deserve pity.

    Your post means absolutely little. I read IndyMedia, and feel no need to go out and hurt anyone asshole.

    New World Disorder? []
  • C++ has a non-fixed-length "string" data type which doesn't suffer from overflows. You just need a programmer who's going to use it.

    Incidently, you could also code a variable length string type in C, and provide functions to access it, like vstrcat, vstrlen...
  • One problem I can see with your solution is how you would make the system trustworthy. As you yourself state, under ZKS's system, ZKS can figure out what you're doing. Similarly, under a collective system it seems that a node (or a sufficiently large group of nodes) could similarly gain information about any individual user's traffic. This isn't a problem for ZKS, since they control all the machines, and hence if you trust ZKS, you can trust the whole network. Under a collective system, wouldn't you have to assume that all the nodes are hostile? It seems that this would make the system virtually impossible to implement, right?

    I'm not just asking to be annoying, I'm actually curious if there's a way to do this.
  • ... that it's just another buffer overflow.

    Not to say buffer overflows aren't major, but it's not like one is typically any bigger than another. Whether you can throw a cat through or a mouse, is all up to the media and (l)user hype.

    Sorry. Just another one of those rants I guess about making mountains out of molehills.

  • John Sacrosante says he went from six figures to a shelter. His friends say there's something fishy in San Jose.

    I wonder when the privatized prisons will get around to selling the labor of programmers who have been incarcerated for violation of /PL\d+-\d+/ and then having Salon "journalists" writing about how this is simply "rehab" for young men who needed guidance anyway? It would certainly appear to be a great boost to the economy to be able to compensate young programmers with rooms in the portions of the "facility" not populated by gang-rapists. That way you don't have to give them actual Federal Reserve Notes -- greedy neurotic little bastards that they are.

    ... but then there really isn't that much of a difference between Federal Reserve Notes and a pass, signed by the Warden, to a "rape-free" portion of the prison, now is there? []

  • If MS is smart, they've got a couple of holes in GPL'd software in their back pocket. They will leak them in a way that can't be traced back to them, and voila!, proof that GPL is bah,baah,baaad just in time to make the headlines.

    Or proof that I'm a paranoid conspiracy theorist.
  • by StefanJ ( 88986 ) on Tuesday June 19, 2001 @05:26PM (#139219) Homepage Journal
    There's an old truism that advocates of the homeless are fond of: "We're all one paycheck away from sleeping in the streets!"

    My response: "What do you mean WE?"

    You need to have to burn a lot of bridges to actually end up in the street. You have to lose your income, your savings, your friends (or the goodwill of your friends) and what might be called Social Capital.

    The trick is to have a lot of bridges to begin with, and to keep them from catching on fire.

    Most of this will sound utterly obvious to nearly all of you, but you've got to reserve money (for upcoming bills and insurance payments), save money (for no particular purpose . . . a rainy day fund), be absolutely fanatical about paying off your debts, and stay in good with friends and family.

    Short of a natural disaster or major crash, someone who does this won't end up on the street or "car camping."

    And if there is a major crash, think of the great blues songs you can write! "Once I built a network, made it run, . . ."


  • Ever met a poor person that make better choices then your own? Maybe that is way they are poor and you're not.

    Thomas Jefferson died broke and deeply in debt. I guess he made some really poor choices, didn't he?

  • (Score: -1, Troll)

    Analysts are also jumping into the fray, warning consumers and businesses that Microsoft's latest round of products has problems.

    "latest round"?


  • Next up: "Like some sort of teddy bear--cute but not Enterprise Class [tm]."


  • From what I understand, they did much of the sinking scenes in the movie under Linux. So free software did sink the Titanic. :P


  • It's a nice idea, but I suspect it wouldn't work. It's like free coooperative DNS - too tempting for abusers. I suspect that if Freedom takes off, Abuse will be their biggest cost center. The service is a natural haven for crackers and spammers. Hobbyists might enjoy setting up the FreeFreedom servers, but I doubt they'd enjoy chasing down and disconnecting abusers. Besides, in a free anonymous system there is really no such thing as disconnection.
    In fact, netblocks housing such servers would very likely end up on the RBL, never to be removed (until our ISP's TOS us).
  • Why do you say that the laid-off dot commers are Randites? Certainly many techies are Libertarians and many dot commers are techies, but that doesn't seem a strong enough linkage.
    Sacrosante aside, since he turns out to be non-representative, there seems to be a misperception about the dot-com boom/bust. The dot-coms were not generally full of techies. The most extravagantly doomed dot-coms gorged themselves on marketing and sales folk. They were not likely to be Randites - more likely fuzzy liberals in typical San Francisco style.
    Not that I'm claiming a belief in Ayn Rand saved anyone from the axe - on the contrary, when a company sank everyone was laid off. If I really thought any talented techie was homeless out of sheer pride and refusal to accept aid, I'd have great respect for his choice and confidence in his future success. However, it all sounds very much like an urban legend.
  • Think of Moore's Law - 18 month doubling times.

    If Java puts a 100% overhead on execution times (an excessive estimate), then it's the performance equivalent of shipping your product 18 months later. If your schedule speeds up (because Java codes faster than C++) and the debug time decreases (because Java source is less buggy, and debugs much faster than C++) then you may find that the overall saving approaches a useful fraction of the 18 months, or at least enough of it to have your users live with the slowdown.

    C++ can rot in hell (or Redmond, which is plug-compatible), as far as I'm concerned. If I can code it in a loosely typed scripting language like J[ava]script or Python I'll do that, and if I can't then I'll do it in Java.

    I also work heavily with XML and RDF. You just don't want to think about doing that in C++ !

  • We don't need better programming languages, we need better programmers.

    I consider myself a "good programmer". I still code buffer-overflow bugs, but I just mark them with comments as "Fix this later". I'm good because I know what I'm doing wrong, when I do it. I'm bad, because I still don't have the project timescale to code it all "properly" on any project I've worked on over the last 10 years.

    If you want reliable bounds checking, then you have to have it supplied automatically (i.e. Java). There's no time in project schedules for coding it by hand.

  • ...until C goes the way of the dodo. Let's face it, buffer overflows are pretty darned specific to C/C++ coding styles.

    Languages which make it easier to use variable-sized buffers are a lot less subject to this problem, and Java (for example) is quite literally immune to buffer overflow exploits. C# will also be immune to such problems short of using the unsafe keyword.

    (Naturally, when I say "immune" I'm referring to the facts that A) no real programmers use fixed-size buffers in these languages, and B) even if they did they would be unable to write past the end of the array)
  • Witness how they moan and cry about police trying to maintain order in Gothenburg, Sweden last weekend, ignoring the 50 injured officers and 5 dead horses that resulted from anarchist riots in the downtown core.

    Not true. 20 police officers were injured, no dead horses, three civilians (protestors) shot and citically injured. And they were not riots per se, they were protests which got out of hand. Now do you see how important it is with multiple news sources?

  • Too late, one of California's Nuclear reactors already is running on a 40 Million dollar multiply-redundant Windows NT network. I know of a contractor in San Diego who was trying to get 6 million to redo the whole thing using FreeBSD when he heard that they were having problems even with the multiple backup systems.

  • Running everything in a sandbox could accomplish the same thing, and you wouldn't have to re-write all your code. There's nothing about the Java language itself that prevents overruns. How many times has your VM thrown a pointer exception? The important thing is that the exception is caught and handled. Of course, if they did start writing system code in Java they would want to compile it to the native machine, and then the security is still only as good as the quality of the code generated by the compiler. There is no magic bullet.

  • It seems to me that it is entirely possible to write C code without buffer overflows, just look at OpenBSD, and the alternative is certainly no better! Could you imagine trying to run an entire operating system written in JAVA?? Turn on the computer, come back in a week when it's done booting! Aside from the speed, there are things which simply can't be done in other languages, C/C++ is just more powerful. C won't die, though it may evolve.
  • Yeah, the same way Bill Gates "forgot" his own e-mails during testimony to the U.S. Department of Justice.

    Oh, give me a break. Do you remember, off the top of your head, the content of every e-mail message you sent over a year ago? (going by the date of the linked article, 2 Nov 1998, versus the date of the mentioned message, 8 Aug 1997). I'm talking about people leaving out details of an article they just saw and could refer back to when they made the submission. I highly doubt Bill had access to his sent-items archive during the deposition.

  • by Kevinb ( 138146 ) on Tuesday June 19, 2001 @04:56PM (#139234) Homepage
    curtS was one of the many to point out that "MSNBC has an article about a security hole you could throw a cat through."

    I wonder how many of those other submitters also conveniently "forgot" to point out that the article [] specifically mentions that a patch [] was released yesterday.

  • Riiiggghhhttt...we all know how much the popular "DotSlash" website gets hacked.

  • What I want to know is when are companies going to start coming out with really refined and good code. Doesn't it seem like companies are just trying to come out with the most features the quickest in order to try and make more money, while concepts like security and reliability hit the back burners. Maybe its time we stop immediately upgrading to the latest OS or server software and start purchasing software that has been tested and thoroughly coded.

    I posted this [] Yahoo! article describing the flaw, but it was first posted at []. Really does it suprise anyone? Now what about the poor network admin who isn't keeping updated with latest bug news, and still has the old version a month from now?

  • by J.C.B. ( 141141 ) on Tuesday June 19, 2001 @04:04PM (#139237) Homepage
    Yes, another big security problem with the world's second-most popular web server

    For a second I thought ./ had been compromised again.

  • From the article:

    Using Windows NT [...] on a warship is similar to hoping that luck will be in our favor.

    Listen to the man, he's obviously an expert :)

  • You're right, lunix is bad. Never seen lunix before, but I'm sure it's bad :)
  • ... during the aforementioned FTAA protests []
  • At the time I write this (11:12 am Australian Eastern Standard), Microsoft's announcement [] of this vulnerability at was dated May 18, not June 18.


  • No, What he meant is that the Windows NT will reduce personnel by sinking ships and thus "reducing" personnel. And this "lets just hope NT gets better..." Great they control Nuclear missles and their betting Microsoft will *improve* software (I'm so so scared... hold me) I waited for microsofts OS to get better since 95 and there has been a steady decline in stability (with the exception of 98SE)... this to the point where running me is like being a crash test dummy (Beta. Relase. Whats the difference?). Well now that I have insulted the Government and Microsloth I have fufilled my duties as a /.er return to useful postings.

  • Most people don't get that's very rare to buy a computer without the latest flavor of Windows OS and a selection of MS software installed.
  • Don't blame the poor iceberg. Running into one was a forseeable contingency. What really sank the Titanic was a combination of two human factors.

    The first factor was a design flaw. She was designed to float with any two compartments totally flooded. They could have done better by extending the bulkhead walls higher, but nobody could conceive of a collision that would flood more than two compartments. But if you head straight at an iceberg and then try to turn at the the very last minute...

    The second factor was overconfidence. "Oh, the people who built this ship have thought everything through! There's no reason we can't go at flank speed through an iceberg field!"

    Fallible engineers and blind faith in technology. Not a problem any more, right?


  • Have you ever seen a Lisp machine? They boot fast, especially considering the lousy CPU (r3000@25Mhz I think).

    I't the only other serious "system language" I can think of...

    Of course, nobody codes in Lisp except academics, but thats another enterily different matter.

  • "Microsoft worked for the past two weeks with eEye Digital to develop a patch that the company made publicly available for download Monday. But that patch does no good unless system administrators actually install it. It is that human element that security experts say is often the biggest problem involving computer security."

    Translation: "Don't blame us for bad security out-of-the-box, we can't do anything about it," or, "it's the fault of sysadmins who use IIS".

    (Also, note that "Microsoft worked for the past two weeks with eEye Digital to develop a patch," whereas Apache, the world's most popular web server, for good reason, is community-supported and -developed.)
  • by Alien54 ( 180860 ) on Tuesday June 19, 2001 @04:41PM (#139247) Journal
    NetSlaves [] has an interesting take on the San Jose news story, called The Fear Has Arrived []

    In part (it is a long and thoughtful read):

    In the story, a couple of consultants/network guys wound up in a shelter because they lost their jobs and couldn't pay their bills. One had a 100K a year job, the other a steady 60K consulting gig. These men caught the fear and it has swept them into the gutter. Is the idea of being young and homeless scary? Sure. But here are some factors people have to consider before embracing the fear. Why? Because the fear is a powerful thing. Once it has a hold of you, it owns you. You can't think, can't do anything but absorb the fear and let it control you. Why is the fear spreading so fast, based on ONE article? Because it could be anyone. It was as if everyone now had permission to be scared about their future and all of a sudden, all that liberterian thought they had sucked down was not working. The possibility of poverty, or a quick trip back to 1992 was not what they expected after the boom. And the fact that it's here scares people to the core. There's no work, there doesn't look like there's going to be any work, and people don't see a market for their skills. No more trips to Europe, no more unlimited futures, no more foosball in the office. No more office. But let's look at the circumstances of that article more closely: "

    And it goes on.

    a pretty good look at the psychology behind why the story struck a raw nerve in folks

    Check out the Vinny the Vampire [] comic strip

  • No, what actually sank the Titanic was a noticeable amount of carbon in the metal bolts. That, plus the unusually cold temperatures for that spring, lead to weakened bolts in the plates attached to the hull. When the brushed the iceberg, the bolts sheared and the metal plates fell away, thus causing the gaping hole. At no time did the iceberg ever puncture, tear a gash in, whichever, the Titanic.
  • Blockquoth the AC:

    um - no. Go read what Freedom REALLY is. The main feature is that nobody can connect your nym to you - NOT EVEN ZKS. Thats the whole point. Even they can't track you.

    And who's to say that the same level of anonymity couldn't be implemented without ZKS? It's not like they're the only ones with skills in the field of cryptography.


  • The basic idea behind Zero Knowledge's Freedom project is that your traffic gets pooled (in a cryptographically secure manner) with that of the rest of their customers in such a way that all anybody (but ZKS) can discover is that one of their customers is doing something.

    It would seem to me that a cooperative group of people could accomplish much the same without too much trouble: set up an IPSEC WAN and a bunch of proxy servers that only speak to clients on the private side of the network. Use DNS load balancing, and all you know is that a request is coming from a participant of the WAN.

    ZKS also offers psuedononymous email, web server profiles, newsgroups posting, etc--all very good. But there's no reason the cooperative couldn't provide similar functions.

    ZKS runs the servers that do all the heavy lifting. In the cooperative, all the members would provide a piece of the heavy lifting.

    Yes, I'm painting with a broad brush here, and even I could start to pick holes in the way I phrased some of all this. But, I think the basic idea is sound: rather than rely on a company like ZKS to do everything, have everybody chip in, even if it's just to share some bandwidth and CPU cycles. Surely if we can all cooperate sufficiently to create a number of operating systems--even if the form of cooperation is nothing more than using them--we can also cooperate to protect our privacy?


  • On one hand you have a company talking about leaving the linux market because people aren't buying the stuff, and on the other hand you have the world's most profitible closed source developer being exposed for another huge hole that likely would have been caught sooner under an OSS model.

    How much longer will it be till free market conditions start to force MS to shift its balance from flexibily/interoperability towards security?
  • The IIs article says Micro$oft will notify all it's newsletter subscribers. But the patch was made available this Monday. But it only works if you use it. Is microsoft saying you must check the patch pages everyday now. I'd better stop before i GO INTO M$ rant mode.

  • Of course, what you want sounds like freenet :)
    If you just reroute some of the tsaks you get to some random hosts, your adding a layer of anonymity, but the network traffic is incrased by this.
    You have to assume every single node as hostile but it's pretty safe to assume that they are not all from the same party.
  • by unformed ( 225214 ) on Tuesday June 19, 2001 @04:04PM (#139254)
    ummm...I'm pretty sure it was an ICEBERG and not Free Software that sank the Titanic.

    actually, now that I think about it, i'm pretty sure there wasn't much in the way of software back then either....

    And you guys talk about Slashdot stories not getting researched enough!
  • WIRED: EEye alerted Microsoft's security team immediately upon discovery of the vulnerability several weeks ago and has worked closely with Microsoft on the development of a patch and the expeditious alerting of system administrators worldwide.

    ZDNN: On that basis, Microsoft scores highly for its response, said International Security Systems' Rouland.

    "If you compare the speed at which Microsoft responds to these vulnerabilities, it's incredible," he said. "They get through with the information and the fix much quicker than you'd see with open-source software."

    (emphasis mine...)

    Fair to say that M. Rouland just scored a huge A+ in my "troll of the year" quest...

    But does someone knows what the hell is International Security Systems, except a lame sounding name?

    The closest I could find is a Christopher J. Rouland working for X-Force @ Internet Security Systems ( [])...

  • When are companies going to start coming out with really refined and good code?

    When customers stop paying for bad code. You said it yourself: companies are just trying to come out with the most features the quickest in order to try and make more money. And they'll keep doing that until people stop paying for it. Why should MS stop if its customers are happy, or at least happy enough to keep buying their software. Definitely by this point companies should be asking, "Why are we putting up with all this security crap from MS? We like the OS, but IIS has had too many security holes." And they should look elsewhere for internet server software.

    But MS customers are not. Their sales go up while their number of flaws go up. And until people stop paying them for bad code, MS won't beef up the quality of their software.

  • And, of course, when you apply the patch, you get a dialog box with an "OK" button that will restart the whole server, not just the service it is fixing. No "Would you like to restart now?" dialog, just "Press OK to restart." I should have expected that.
  • That reminds me of last time I've a drink with my friend who just finished his overnight work on setting up an IIS 5.0 webserver.

    Then I said "Can you tell me the address? I'd like to test a remote adminstration program called jill.c that could bring up a C:\WINNT\SYSTEM32\ prompt on my xterm."

    He told me this was impossible to hack his server as he has already applied the lastest services patch. Nevertheless, he excused himself and ran back to his office after seeing me grined evilly.

    The lastest services patch is not good enough, but I wonder there aren't too many admins there keeping up with the latest hotfix.
    /. / &nbsp&nbsp |\/| |\/| |\/| / Run, Bill!
  • Sacrosancte sounds like a mentally disturbed individual. While not quite in desperate need of institutionization, he would do good to have a psychiatrist take a look at him.

    Dancin Santa
  • Oh my god... One of the voices has escaped and posted on /.

    Dancin Santa
  • THE SECURITY HOLE exists in nearly every Web server running a default component of Internet Information Server 5.0 (IIS) on Windows 2000, Windows NT or beta versions of Windows XP, according to eEye Digital Security, the firm that discovered the vulnerability.

    I think it's saying Windows 2000, Windows NT or beta versions of Windows XP are default components of IIS and have bad bugs.

    Suprised? not really.

    The security flaw is the second in as many months for Microsoft.

    I'm noticing a trend with what MS produces.

    Analysts are also jumping into the fray, warning consumers and businesses that Microsoft's latest round of products has problems.

    Which round of products didn't have problems?


  • From my point of view, it could only be interpreted as a victory. They gain two things by this: 1) If they get treated as journalists, commesurate with implied protections, they won't have to worry about directly or indirectly revealing their sources

    But now that the FBI has withdrawn their probe, they revert legally back to the status they held previously. They aren't being treated as journalists, whatever they'd like to think. The only way they would have gained that is by winning the court battle for which they were gearing up. Someone at the FBI must have read 'The Art of War"... the feds just deprived IndyMedia of perhaps their most valuable weapon by avoiding conflict with them.

    Another thing... from reading the press reports sent out by them (I'll freely admit I don't frequent their site[s]), it seems an extreme stretch to call everyone who posts a story a 'journalist'. You could make the same case for /. posters. I think the bar ought to be a bit higher than they set it at IndyMedia.

  • by N Monkey ( 313423 ) on Wednesday June 20, 2001 @12:24AM (#139264)

    Although Unix is more reliable, Redman said, NT may become more reliable with time.

    Clearly this is a perfect strategy: Those ship-based NT systems that are less reliable will drown while those that work will survive to breed with other ships thus improving the species....

  • I'd love to write more than a me-too comment but you've pretty much nailed the issue down in 2 posts.

  • Yeah, the same way Bill Gates "forgot []" his own e-mails during testimony to the U.S. Department of Justice.
    Gates bickered with government antitrust prosecutors who grilled the Microsoft chairman over his own e-mail correspondence. Gates, co-founder of the world's largest software company, frequently forgot or disavowed meetings and correspondence to his top executives.

    "I don't remember sending it," Gates said after handed a piece of his own correspondence. He added, "It appears to be an e-mail I sent."

  • by blang ( 450736 ) on Tuesday June 19, 2001 @06:39PM (#139272)
    Yes it should be standard procedure especially for a resourceful company as Microsoft. There are a few ways to discover buffer overflows. HP has a compiler (I think the name is insure) that can discover many memory-related problems at compile time. Then there are tools that can discover memory leaks and buffer overflows at runtime (for example purify from Rational).

    Then there's proper unit testing, which should include full coverage testing. Unit test should be written so that they provide all sorts of legal and illegal input. Most software shops do not have the resources to do this properly within their deadlines. They might fore up the tools if they see som insane memory leaks or if the program crashes.

    But again, I'd think Microsoft has all the resources they need. Judging on the poor quality of their software they probably have figured that the (lack of) quality of their software has no detrimental effect on their sales, so they probably leave the testing to GUI monkeys, and hope for the best. Even a 0.5 trillion $ company can make a few bucks extra by spending a few pennies less.

  • by return 42 ( 459012 ) on Tuesday June 19, 2001 @11:23PM (#139277)
    Let's face it. If Microsoft ever made quality job one, they would very quickly catch up to free software in terms of quality. They have an insane amount of money to burn, they can hire better coders and managers and testers than they have now, they can create five departments to do it five different ways and keep the best results. I doubt their people would be as good as, say, Linus or Alan or RMS, but there would be a lot of them and they would be working on it full time, which most free software developers can't do.

    Now, I don't think they will, because it would cost a lot of money and not make them much. They know their priorities - make money and dominate the market - and they know how to achieve them. They won't work hard on quality until we really start cutting into the desktop market. And at that point it will probably be too late.

    My point is, quality is not now and never has been the point of free software. It is an important point for open source, which is basically about getting business to try free software, even if it's not all that free. If you're trying to convince executives who don't give a rat's ass about freedom, you have to put it in terms they can understand. The open source movement has gotten a lot of people to open up their code and use other people's free software, who otherwise would still be dismissing GNU as a bunch of left-wing wackos not living in the real world. Which they decidely are not, but sometimes you have to take a lateral approach to make people see that.

    Free software is, and always has been, about freedom. The fact that it tends to result in better quality code is a fortuitous side effect. It's not the reason it exists, and it's not why I use it.

Testing can show the presense of bugs, but not their absence. -- Dijkstra