BIOS entry for Quantex CPU?

2002-03-05 Thread Rodent of Unusual Size

One of my relatives has a friend (yeay, yeah, you've heard this
before.. :-) who has a Quantex CPU.  She now needs to get into
the BIOS to change a setting, but a) the manual doesn't indicate
the BIOS entry key sequence, b) Quantex is gone, and c) the
[very quick] black startup screen doesn't seem to say 'press foo
for system setup.'  She's reluctant to press random/common keys,
and I can't say I blame her.

Does anyone here have any ideas?
-- 
#kenP-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist  http://Apache-Server.Com/

Millennium hand and shrimp!

*
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*



Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Jerry Feldman

Most of the BIOS's either use the del or one of the F keys (such as F10).
I suggest she first try pressing del. If that does not work, reboot and try 
f10.
Then possibly the esc key.

Rodent of Unusual Size wrote:
 One of my relatives has a friend (yeay, yeah, you've heard this
 before.. :-) who has a Quantex CPU.  She now needs to get into
 the BIOS to change a setting, but a) the manual doesn't indicate
 the BIOS entry key sequence, b) Quantex is gone, and c) the
 [very quick] black startup screen doesn't seem to say 'press foo
 for system setup.'  She's reluctant to press random/common keys,
 and I can't say I blame her.
 
 Does anyone here have any ideas?
 -- 
 #ken  P-)}
 
 Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
 Author, developer, opinionist  http://Apache-Server.Com/
 
 Millennium hand and shrimp!
 

-- 
Jerry Feldman [EMAIL PROTECTED]
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9






linux article

2002-03-05 Thread plussier


I love it when this type of thing shows up on MSnbc :)

http://www.msnbc.com/news/718622.asp
-- 

Seeya,
Paul






Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Rich C

EVERY BIOS I've ever encountered has used either the Del or F2 keys to
access the BIOS.

I would try one of these...after all HOW MUCH DAMAGE can you do to a machine
even before the BIOS is fully loaded and the hard drives are accessed?

Rich Cloutier
President, C*O
SYSTEM SUPPORT SERVICES
www.sysupport.com


- Original Message -
From: Rodent of Unusual Size [EMAIL PROTECTED]
To: Triangle Linux Users Group [EMAIL PROTECTED]; Greater New Hampshire
Linux Users [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 6:42 AM
Subject: BIOS entry for Quantex CPU?


 One of my relatives has a friend (yeay, yeah, you've heard this
 before.. :-) who has a Quantex CPU.  She now needs to get into
 the BIOS to change a setting, but a) the manual doesn't indicate
 the BIOS entry key sequence, b) Quantex is gone, and c) the
 [very quick] black startup screen doesn't seem to say 'press foo
 for system setup.'  She's reluctant to press random/common keys,
 and I can't say I blame her.

 Does anyone here have any ideas?
 --
 #ken P-)}

 Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
 Author, developer, opinionist  http://Apache-Server.Com/

 Millennium hand and shrimp!




Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Bayard Coolidge USG


Rich C [EMAIL PROTECTED] asked:
 after all HOW MUCH DAMAGE can you do to a machine
 even before the BIOS is fully loaded
 and the hard drives are accessed?

I'm going to respond simply by quoting my famous 5th cousin:
"No comment and don't quote me on that..."

IOW, beware of Murphy's Law, as well as O'Brien's law!

Cheers,

Bayard

---
Bayard R. Coolidge  N1HO         DISCLAIMER: The opinions expressed are
Compaq Computer Corp.            solely those of the author, and not
Nashua, New Hampshire, USA       those of Compaq Computer Corporation
[EMAIL PROTECTED] (DEC '77-'98)  or any other entity.
Brake for Moose - It could save your life - N.H. Fish & Game Dept.
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS/CC d+ s:+ a++ C+++$ UO++$L++$ P L++$ E-@ W+ N++ o- K? w--- O? M?
V-- PS+ PE+ Y+ PGP- t++ 5? X? R* tv b++ DI+++ D? G e++ h-- r++ y? UF++
-END GEEK CODE BLOCK-
---




Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Rich C


- Original Message -
From: Bayard Coolidge USG [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 11:35 AM
Subject: Re: BIOS entry for Quantex CPU?


 IOW, beware of Murphy's Law, as well as O'Brien's law!


Anyone who falls victim to Murphy's Law wasn't fully prepared, and I don't
even know WHAT O'Brien's Law is.

Rich Cloutier
President, C*O
SYSTEM SUPPORT SERVICES
www.sysupport.com






Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Benjamin Scott

Rich C [EMAIL PROTECTED] asked:
 after all HOW MUCH DAMAGE can you do to a machine even before the BIOS is
 fully loaded and the hard drives are accessed?

  That belongs in the file with "640 KB should be enough for anybody" and
"Why would anyone want a computer on their desk?".  :-)

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |





Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Bayard Coolidge USG


 Rich C [EMAIL PROTECTED] said:

 I don't even know WHAT O'Brien's Law is.

O'Brien's Law states that Murphy Was An Optimist...

:-)

Cheers,

Bayard




Apache codered looming???

2002-03-05 Thread Karl J. Runge

Call me chicken little, but I am getting worried about the looming
Apache/PHP vulnerability out there:

http://news.com.com/2100-1001-850752.html?tag=cd_mh
http://security.e-matters.de/advisories/012002.html
http://www.cert.org/advisories/CA-2002-05.html

If you have a webserver on the internet with PHP I encourage you to
patch it NOW.

If the estimate of 1 million vulnerable php servers is correct, then
as soon as someone creates a worm program that can get a shell on a
vulnerable machine then all 1 million servers will be infected in
about 2 hours (assuming one machine can try to infect 10 random IP's/sec).

That would be worse than code red and a huge blow to Apache & OSS. :-(

I hope I turn out to be chicken little...

Karl
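
The estimate in the message above can be checked with the standard simple-epidemic model of a random-scanning worm. The sketch below is an added example, not part of the original post; it assumes uniform scanning of the whole IPv4 space, a single initial host and no bandwidth limits, and it also shows how patching part of the population stretches the timeline.

```python
"""Time for a random-scanning worm to saturate a vulnerable population.

Added example (not from the thread). Simple-epidemic (logistic) model:
every infected host probes `scan_rate` uniformly random IPv4 addresses per
second, and a probe counts only if it lands on a vulnerable host that is
not yet infected. Assumptions: uniform scanning of all 2**32 addresses,
one initial host, no bandwidth limits, nothing patched mid-outbreak.
"""
import math

IPV4_SPACE = 2 ** 32  # size of the address space being scanned (assumption)


def growth_rate(vulnerable, scan_rate, space=IPV4_SPACE):
    """Early-outbreak exponential growth rate, per second."""
    return scan_rate * vulnerable / space


def _logit(p):
    return math.log(p / (1.0 - p))


def time_to_fraction(vulnerable, scan_rate, fraction=0.99, seed=1,
                     space=IPV4_SPACE):
    """Closed-form seconds until `fraction` of vulnerable hosts are infected.

    Solves di/dt = r * i * (1 - i/N) with i(0) = seed, which gives
    logit(i(t)/N) = logit(seed/N) + r*t.
    """
    if vulnerable <= 0:
        raise ValueError("vulnerable must be positive")
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    start = seed / vulnerable
    if start >= fraction:          # already at or past the target
        return 0.0
    rate = growth_rate(vulnerable, scan_rate, space)
    if rate <= 0:
        return math.inf            # no scanning, no spread
    return (_logit(fraction) - _logit(start)) / rate


def simulate(vulnerable, scan_rate, fraction=0.99, seed=1, step=1.0,
             space=IPV4_SPACE, max_seconds=30 * 86400):
    """Step-by-step version of the same model, as a cross-check."""
    infected = float(seed)
    target = fraction * vulnerable
    elapsed = 0.0
    while infected < target:
        if elapsed >= max_seconds:
            return math.inf
        probes = infected * scan_rate * step
        hit_probability = (vulnerable - infected) / space
        infected = min(float(vulnerable), infected + probes * hit_probability)
        elapsed += step
    return elapsed


def patching_table(population, scan_rate,
                   patched_fractions=(0.0, 0.5, 0.9, 0.99)):
    """Hours to 99% infection of what is left after patching a share."""
    rows = []
    for patched in patched_fractions:
        remaining = round(population * (1.0 - patched))
        hours = time_to_fraction(remaining, scan_rate) / 3600.0
        rows.append((patched, remaining, hours))
    return rows


if __name__ == "__main__":
    # Figures from the thread: 1 million vulnerable servers, 10 probes/sec.
    closed = time_to_fraction(1_000_000, 10)
    stepped = simulate(1_000_000, 10)
    print(f"closed form: {closed / 3600:.2f} h, simulation: {stepped / 3600:.2f} h")
    for patched, remaining, hours in patching_table(1_000_000, 10):
        print(f"patched {patched:4.0%}  still vulnerable {remaining:>9,}  "
              f"99% infected after {hours:7.1f} h")
```

With the thread's figures the model gives roughly 2.2 hours to reach 99% of the vulnerable hosts, in line with the "about 2 hours" estimate; the time scales roughly inversely with the number of unpatched hosts.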





Re: Apache codered looming???

2002-03-05 Thread Benjamin Scott

On Tue, 5 Mar 2002, at 9:01am, Karl J. Runge wrote:
 Call me chicken little, but I am getting worried about the looming
 Apache/PHP vulnerability out there:

  My understanding is that this hole does not lead directly to privilege
elevation.  In other words, it might lead to compromise of the nobody  
account or similar, but not full root access (like CodeRed).  Am I correct
here?

  (I am aware of the amount of damage even an unprivileged user can do, and
that root compromise is generally a short step away from an unprivileged
compromise, but I want to make sure my understanding of this PHP hole itself
is correct.)

 That would be worse than code red and a huge blow to Apache & OSS. :-(

  Code Red was a root exploit.  IIS runs with root privileges.  I realize
the potential for bad PR is the same regardless, but in practical terms,
that is an important difference.

 I hope I turn out to be chicken little...

  Me too.  But even if that is the case for this exploit, the Unix community
is going to get nailed eventually.  I anticipate a mass-mailing worm that
propagates using Linux.  Many Unix advocates act high and mighty when it
comes to Outlook's security record, but the fact is that many of these worms
have exploited human failures (Run this program!) first and foremost.  
Unix is just as vulnerable to social engineering as anything else.

  Cheery thoughts.

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |





Re: Apache codered looming???

2002-03-05 Thread Karl J. Runge

On Tue, 5 Mar 2002, Benjamin Scott [EMAIL PROTECTED] wrote:
 
   My understanding is that this hole does not lead directly to privilege
 elevation.  In other words, it might lead to compromise of the nobody  
 account or similar, but not full root access (like CodeRed).  Am I correct
 here?

I believe you are correct.  I am just talking about the bad PR aspect of
this vulnerability leading to a fast-spreading worm.  Certainly from
a site administrator's point of view a remote root compromise would be
much worse.

An amusing statistic to know would be what fraction of the ~9 million apache
servers are misconfigured and running at elevated privileges, e.g. root :-)

   (I am aware of the amount of damage even an unprivileged user can do, and
 that root compromise is generally a short step away from an unprivileged
 compromise, but I want to make sure my understanding of this PHP hole itself
 is correct.)

Right, I suppose the worm writer could leave a backdoor program running
that would yield a shell as nobody for hackers to scan for come in
trying to capture root.  Not a warm thought: now all the local root 
compromises become remote ones... 





Re: linux article

2002-03-05 Thread Richard Soule

"It would be irresponsible to entrust the work of Parliament to
closed-source software."
Jorg Tauss, Deputy for the Social Democrats, when asked about
switching the Parliament's MS servers to Linux

Nice quote!

Rich

[EMAIL PROTECTED] wrote:
 
 I love it when this type of thing shows up on MSnbc :)
 
 http://www.msnbc.com/news/718622.asp
 --
 
 Seeya,
 Paul
 



Re: linux article

2002-03-05 Thread Derek D. Martin


At some point hitherto, [EMAIL PROTECTED] hath spake thusly:
 
 I love it when this type of thing shows up on MSnbc :)
 
   http://www.msnbc.com/news/718622.asp

The thing that I find interesting is how many of the details they
flubbed.  For example, the K Desktop Environment will finally be
released this spring...  I guess that wasn't KDE that our users were
using all along.  Wonder what the hell it was...  Also, Evidently
Microsoft convinced the German Parliament to continue using Windows
NE.  I wasn't aware they had such a product.


- -- 
Derek Martin   [EMAIL PROTECTED]
- -
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



Re: linux article

2002-03-05 Thread Jerry Feldman

WINDOWS.NE - Windows Not Enough.
On 5 Mar 2002 at 14:55, Derek D. Martin wrote:

 
 At some point hitherto, [EMAIL PROTECTED] hath spake thusly:
  
  I love it when this type of thing shows up on MSnbc :)
  
  http://www.msnbc.com/news/718622.asp
 
 The thing that I find interesting is how many of the details they
 flubbed.  For example, the K Desktop Environment will finally be
 released this spring...  I guess that wasn't KDE that our users were
 using all along.  Wonder what the hell it was...  Also, Evidently
 Microsoft convinced the German Parliament to continue using Windows
 NE.  I wasn't aware they had such a product.
 
 
 - -- 
 Derek Martin   [EMAIL PROTECTED]
 - -
 I prefer mail encrypted with PGP/GPG!
 GnuPG Key ID: 0x81CFE75D
 Retrieve my public key at http://pgp.mit.edu
 Learn more about it at http://www.gnupg.org

Jerry Feldman [EMAIL PROTECTED]
Associate Director
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9





Re: Apache codered looming???

2002-03-05 Thread Derek D. Martin


At some point hitherto, Karl J. Runge hath spake thusly:
 Call me chicken little, but I am getting worried about the looming
 Apache/PHP vulnerability out there:
 
 http://news.com.com/2100-1001-850752.html?tag=cd_mh
 http://security.e-matters.de/advisories/012002.html
 http://www.cert.org/advisories/CA-2002-05.html
 
 If you have a webserver on the internet with PHP I encourage you to
 patch it NOW.

I'll go one better than that.  If you use PHP, STOP.  They have
security bulletins released about once a week, it seems (o.k. I'm
exaggerating A LITTLE).  About the only vendor with more frequent
releases is Microsoft...  PHP might be a nice scripting language, but
the developers really haven't shown any sort of track record that
suggests they have a good handle on secure programming methods.  I
would advise against anyone using PHP until they manage to go a
significant amount of time (say, maybe 6 months) without a security
bulletin.  Eventually, using PHP is bound to catch up with you.

Unless of course you're willing to update PHP immediately, every time
they release a new version.  If you're that diligent, you probably
won't have a problem.

 That would be worse than code red and a huge blow to Apache & OSS. :-(

Apache isn't the problem... though Microsoft and their goonies will
no doubt try to spin it that way.

However, it's worth taking the time here to remind people again that
writing secure, bug-free software is HARD, and no one is perfect
(except maybe Dan J. Bernstein), so from time to time ANY software
will have security updates; and if you manage a box with affected
software, you do need to keep up with those updates.  Security is
EVERYONE's problem.

- -- 
Derek Martin   [EMAIL PROTECTED]
- -
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



Re: linux article

2002-03-05 Thread Rich C


- Original Message - 
From: Derek D. Martin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 2:55 PM
Subject: Re: linux article


 Also, Evidently
 Microsoft convinced the German Parliament to continue using Windows
 NE.  I wasn't aware they had such a product.
 

Yes, it's the Windows Nonexistent Edition.

It doesn't do much, but they finally fixed all the security holes!

Rich Cloutier
President, C*O
SYSTEM SUPPORT SERVICES
www.sysupport.com






Re: Apache codered looming???

2002-03-05 Thread Rodent of Unusual Size

Derek D. Martin wrote:
 
 I'll go one better than that.  If you use PHP, STOP.  They have
 security bulletins released about once a week, it seems (o.k. I'm
 exaggerating A LITTLE).  About the only vendor with more frequent
 releases is Microsoft...

Eh, I don't buy that.  Please back it up with some references.
-- 
#kenP-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist  http://Apache-Server.Com/

Millennium hand and shrimp!




Sun's unreal Reality Check

2002-03-05 Thread Paul Iadonisi

  Yesterday, I responded to Microsoft^WSun's so-called 'Reality-Check' at
http://www.sun.com/executives/realitycheck/reality-022002.html with this
response:
==
  Very Informative in one sense, that is: This article makes it clear that Sun
is no better than Microsoft when addressing competitive threats in public.
It is disingenuous at best, marketing drivel at worst.  And this coming from
someone who has long hated Microsoft and long appreciated Sun's openness.
Until, that is, its behavior with Java (refusal to certify open source
implementations) and its reaction to the Free Software / Linux threat came
to the surface.
  IBM, on the other hand, is taking the intelligent position: Observe where
the world of software is going and embrace it.  Though I am cautious and
skeptical of Big Blue's participation in the Free Software / open source
communities, what I've seen so far puts Sun to shame.
==
  And then, our good friend Moshe Bar posts his excellent response on
Byte.  Nice to see a good technical critique of a glaring marketing flub-up:

http://www.byte.com/documents/s=7030/byt1015006951867/0304_moshe.html

  Yes, perhaps my post to Sun's site was a bit reactionary, but I felt the
company needed to hear from someone who used to have some degree of faith in its
good intentions and has since lost most of it.

  Read Moshe Bar's article, however.  He does a much better job than I
did (hey, they only provided me that little teeny-weeny box ;-)).

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets




Re: Apache codered looming???

2002-03-05 Thread Benjamin Scott

On Tue, 5 Mar 2002, at 3:27pm, Rodent of Unusual Size wrote:
 I'll go one better than that.  If you use PHP, STOP.
 
 Eh, I don't buy that.  Please back it up with some references.

  Yah, ditto.  This is the first serious PHP security bulletin I've seen in
recent memory.

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |






Re: Sun's unreal Reality Check

2002-03-05 Thread Benjamin Scott

On Tue, 5 Mar 2002, at 3:21pm, Paul Iadonisi wrote:
 IBM, on the other hand, is taking the intelligent position: Observe where
 the world of software is going and embrace it.  Though I am cautious and
 skeptical of Big Blue's participation in the Free Software / open source
 communities, what I've seen so far puts Sun to shame.

  How quickly we forget.  In the 1980s, you could do s/Microsoft/IBM/ and
pretty much have today's headlines W.R.T. anti-trust and related things.

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |





Re: Sun's unreal Reality Check

2002-03-05 Thread Mark Komarinski

'course, IBM learned their lesson and are playing nice now.  Nice
being relative to a multi-billion dollar company.

-Mark

On Tue, 2002-03-05 at 15:39, Benjamin Scott wrote:
 On Tue, 5 Mar 2002, at 3:21pm, Paul Iadonisi wrote:
  IBM, on the other hand, is taking the intelligent position: Observe where
  the world of software is going and embrace it.  Though I am cautious and
  skeptical of Big Blue's participation in the Free Software / open source
  communities, what I've seen so far puts Sun to shame.
 
   How quickly we forget.  In the 1980s, you could do s/Microsoft/IBM/ and
 pretty much have today's headlines W.R.T. anti-trust and related things.






John Mashey and Small is Beautiful

2002-03-05 Thread Jon 'maddog' Hall, Executive Director, Linux International

While at BSDcon in San Francisco, I heard John Mashey's two keynote
speeches "Small is Beautiful" and "Software Army on the March".

A lot of the material was from talks given twenty years ago, with
additional interesting information gleaned from Brooks' "Mythical Man Month".
Most of it is still true today, much to the software industry's chagrin.

I managed to talk Mashey and USENIX into putting the slides up on the web
at:

http://www.usenix.org/publications/library/proceedings/bsdcon02/mashey_small/

and

http://www.usenix.org/publications/library/proceedings/bsdcon02/mashey_army/

Even without the stirring words of John, they are interesting bits of history
to see.  For those of you who like quotes in your signature lines, there
are some classics.

md






Re: Sun's unreal Reality Check

2002-03-05 Thread Andrew W. Gaunt




I agree. In my $.02 opinion, what made Microsoft great is
that at one time they were more open than anyone else at the
time. Their stuff was easier to work with... remember all the ugly
copy protection schemes vendors used to prevent people from making
copies of the software they shelled out $$$ for? Disks with
bad sectors, dongles, programs that required the original diskette
to be in the A drive etc. Ugh, that was awful.  I don't recall
many Microsoft products that did that sort of thing .. they
were easier to work with.

Then OSS came along and software became available that
was even more open while M$ has been going the other
direction. M$ is doomed for the same reasons they have
become great.


-Andrew Gaunt

Benjamin Scott wrote:


  How quickly we forget.  In the 1980s, you could do s/Microsoft/IBM/ and
pretty much have today's headlines W.R.T. anti-trust and related things.







Re: Apache codered looming???

2002-03-05 Thread Derek D. Martin


At some point hitherto, Rodent of Unusual Size hath spake thusly:
 Derek D. Martin wrote:
  
  I'll go one better than that.  If you use PHP, STOP.  They have
  security bulletins released about once a week, it seems (o.k. I'm
  exaggerating A LITTLE).  About the only vendor with more frequent
  releases is Microsoft...
 
 Eh, I don't buy that.  Please back it up with some references.

Ok, I'll back down partially in that upon review, many of the
advisories I've seen I've mis-remembered; they were not actually PHP
advisories, but for software written in PHP.  However, just this year:

http://online.securityfocus.com/archive/1/258995
http://online.securityfocus.com/archive/1/258662
http://online.securityfocus.com/archive/1/255037
http://online.securityfocus.com/archive/1/254846
http://online.securityfocus.com/archive/1/254005
http://online.securityfocus.com/archive/1/250196

Some of these are considered fairly minor, in that the vulnerability
is a possible exposure of what may be considered sensitive info.  Some
of these are things that can be fixed by altering the configuration of
PHP.  The problem is that it shows a pattern of failing to think
about programming security issues.

There are also some earlier advisories which complain about the design
of PHP encouraging the development of insecure code.  It seems that
writing secure PHP scripts is also very difficult, and there are quite
a number of advisories for software written in PHP, which are not
necessarily the fault of PHP, but perhaps encouraged by the design of
PHP.  

I stand by what I said: if you're using PHP, it is my opinion that
you're better off from a security standpoint using something else.
You have to worry about security problems in the software written
using PHP, as well as those of PHP itself.  For example, Perl has zero
reported vulnerabilities over the same period of time, and only one
report of a vulnerability in software written in it (a file disclosure
bug caused by bad input validation).  I personally don't feel that PHP
has a track record that warrants confidence in the security of your
web server, and possibly your network depending on other trust
relationships with your web server.  Better, more proven alternatives
exist.

- -- 
Derek Martin   [EMAIL PROTECTED]
- -
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



Re: Apache codered looming???

2002-03-05 Thread Paul Iadonisi

  Anybody know anything about moto or have any opinion on it, especially
security-wise?  It's at http://www.webcodex.com/moto/;  I ask because I
*really* like the idea that it (supposedly) makes it easy to build a
web application that you can first interpret (for development) and later
compile into an Apache DSO.  Pretty slick, and *probably* has a huge
performance advantage over things like mod_perl and mod_php.  Maybe,
maybe not, just curious if anyone here has worked with and can comment
on its usability, performance, or security.

On Tue, Mar 05, 2002 at 04:30:31PM -0500, Derek D. Martin wrote:
 
 At some point hitherto, Rodent of Unusual Size hath spake thusly:
  Derek D. Martin wrote:
   
   I'll go one better than that.  If you use PHP, STOP.  They have
   security bulletins released about once a week, it seems (o.k. I'm
   exaggerating A LITTLE).  About the only vendor with more frequent
   releases is Microsoft...
  
  Eh, I don't buy that.  Please back it up with some references.
 
 Ok, I'll back down partially in that upon review, many of the
 advisories I've seen I've mis-remembered; they were not actually PHP
 advisories, but for software written in PHP.  However, just this year:
 
 http://online.securityfocus.com/archive/1/258995
 http://online.securityfocus.com/archive/1/258662
 http://online.securityfocus.com/archive/1/255037
 http://online.securityfocus.com/archive/1/254846
 http://online.securityfocus.com/archive/1/254005
 http://online.securityfocus.com/archive/1/250196
 
 Some of these are considered fairly minor, in that the vulnerability
 is a possible exposure of what may be considered sensitive info.  Some
 of these are things that can be fixed by altering the configuration of
 PHP.  The problem is that it shows a pattern of failing to think
 about programming security issues.
 
 There are also some earlier advisories which complain about the design
 of PHP encouraging the development of insecure code.  It seems that
 writing secure PHP scripts is also very difficult, and there are quite
 number of advisories for software written in PHP, which are not
 necessarily the fault of PHP, but perhaps encouraged by the design of
 PHP.  
 
 I stand by what I said: if you're using PHP, it is my opinion that
 you're better off from a security standpoint using something else.
 You have to worry about security problems in the software written
 using PHP, as well as those of PHP itself.  For example, Perl has zero
 reported vulnerabilities over the same period of time, and only one
 report of a vulnerability in software written in it (a file disclosure
 bug caused by bad input validation).  I personally don't feel that PHP
 has a track record that warrants confidence in the security of your
 web server, and possibly your network depending on other trust
 relationships with your web server.  Better, mmore proven alternatives
 exist.
 
 - -- 
 Derek Martin   [EMAIL PROTECTED]
 - -
 I prefer mail encrypted with PGP/GPG!
 GnuPG Key ID: 0x81CFE75D
 Retrieve my public key at http://pgp.mit.edu
 Learn more about it at http://www.gnupg.org
 

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets




Rackmount server case...

2002-03-05 Thread Ken D'Ambrosio

A quick little note of "Wow!" to pass on: I just bought a 4U rackmount
server case for my company.  The darn thing can take up to 16 3.5" hard
drives, -and- a 5.25" slim-line CD-ROM -and- a 3.5" slim-line floppy
drive.  It's got really nice design, lots o' fans for your cooling,
etc.  Of course, it's not cheap ($1500, before CD-ROM and floppy), but
it's one of the nicest cases I've ever seen, regardless of vendor.  The
one I'm talking about is an IDE model; they also have a SCSI.  I'm
planning on putting eight drives in with a 3Ware controller initially,
with room to expand if/when required.  Check it out at
http://www.servercase.com/ImageFiles/SC4D.html .  Note one thing -- they
say "Only works with IBM or Seagate."  I asked them why, and they
responded that it was a problem with the connectors not mating properly
on other drives.  Well, I took the plunge, and bought it anyway.  So
far, at least, it seems to be fitting my Maxtor 160's just fine.  If I
run into any issues, I'll be sure to let you guys know.

-Ken

P.S.  I know that other vendors sell the same box, but this was both the
cheapest, most comprehensive, and most responsive vendor that I found. 





Re: linux article

2002-03-05 Thread John Feole



Good one!  I like that...

JFeole


Yes, it's the Windows Nonexistent Edition.

It doesn't do much, but they finally fixed all the security holes!

Rich Cloutier
President, C*O
SYSTEM SUPPORT SERVICES
www.sysupport.com






Mystery C question

2002-03-05 Thread Michael O'Donnell


I claim to be a software professional.  I claim to know
C, including some of the more esoteric smoke-and-mirrors
aspects.  I am therefore embarrassed to admit that I am
stumped by GCC's complaints about the following fragment:


 = = = = = = = = = = = = = = S N I P = = = = = = = = = = = = = = = = = =

struct mysteryStruct  {
    struct mysteryStruct *next;
    int   dontCare;
};

typedef struct mysteryStruct mystery;

mystery *nextMystery;        /* Pointer declaration - no problem */
mystery  mysteryPool[ 200 ]; /* Array of structs - no problem */

mystery *                    /* Function type - no problem */
problem(
    mystery *mystery )       /* Parameter declaration - no problem */
{
    mystery *hosed;          /* Auto variable declaration - choke and die! */

    hosed = mystery->next = nextMystery;
    nextMystery = mystery;
    return( hosed );
}

 = = = = = = = = = = = = = = S N I P = = = = = = = = = = = = = = = = = =


If you put the stuff between the SNIP lines into a file and try
to compile it (it's a meaningless, contrived problem demo, don't
waste your time trying to understand it) you should see (as I did)
complaints about the variable "hosed". WTF??!!!   I'd be very
much obliged to anybody who can explain what I'm doing wrong.

My only excuse is that I have a *terrible* case of the flu and I'm
trying to code while enjoying an intense drug-induced stupor...





Re: Mystery C question

2002-03-05 Thread ccb


 mystery *mystery ) /* Parameter declaration - no problem */

What do you mean "no problem"???


ccb




Re: Mystery C question

2002-03-05 Thread Karl J. Runge


This compiles.  I think the "mystery *mystery" you had is not good, to
have an identifier name also be that of a type.  I changed "mystery"
to "mystery_VAR" below.  (Not sure it is doing what you want, though.)

struct mysteryStruct  {
    struct mysteryStruct *next;
    int   dontCare;
};

typedef struct mysteryStruct mystery;

mystery *nextMystery;        /* Pointer declaration - no problem */
mystery  mysteryPool[ 200 ]; /* Array of structs - no problem */

mystery *                    /* Function type - no problem */
problem(
    mystery *mystery_VAR )   /* Parameter declaration - no problem */
{
    mystery *hosed;          /* Auto variable declaration - choke and die! */

    hosed = mystery_VAR->next = nextMystery;
    nextMystery = mystery_VAR;
    return( hosed );
}





Re: Mystery C question

2002-03-05 Thread Derek D. Martin


At some point hitherto, Michael O'Donnell hath spake thusly:
 
 I claim to be a software professional.  I claim to know
 C, including some of the more esoteric smoke-and-mirrors
 aspects.  I am therefore embarrassed to admit that I am
 stumped by GCC's complaints about the following fragment:
 
 mystery *  /* Function type - no problem */
 problem(
 mystery *mystery ) /* Parameter declaration - no problem */
 {
 mystery *hosed;/* Auto variable declaration - choke and die! */
 
 hosed = mystery->next = nextMystery;
 nextMystery = mystery;
 return( hosed );
 }

In the line in question, is mystery a type, or are you referring to
the pointer mystery?  It seems GCC thinks it's the latter.  I changed
your code thusly:

  mystery *  /* Function type - no problem */
  problem(
  mystery *french ) /* Parameter declaration - no problem */
  {
  mystery *hosed;/* Auto variable declaration - choke and die! */
  
  hosed = french->next = nextMystery;
  nextMystery = french;
  return( hosed );
  }

This compiles fine.  It seems that GCC gets confused between the type
and the parameter.  And this makes perfect sense to me...  After all,
would you ever do something like:

... 

  int int;

  int = 3;

...

This is essentially what you've done.  Even if it were legal (which it
isn't), it strikes me as a really, really bad idea.

- -- 
Derek Martin   [EMAIL PROTECTED]
- -
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



Re: Mystery C question

2002-03-05 Thread Jeff Dike

You can cut the problem down to this:

typedef int mystery;

void problem(mystery *mystery)
{
    mystery *hosed;
}

And I believe what's happening is that 'mystery *hosed' is parsing as

the variable 'mystery' multiplied by the variable 'hosed'

and you're being bit by the precedence between typedefs and variables.

Jeff
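
The parse Jeff describes follows from C's scoping rules: inside the function body the parameter name hides the typedef, while the struct tag lives in a separate name space and stays usable. The following is an added example, not code from any poster in this thread; it keeps the colliding parameter name and still compiles, and the names push_mystery and demo_push_twice are made up here.

```c
#include <stddef.h>

struct mysteryStruct {
    struct mysteryStruct *next;
    int dontCare;
};

typedef struct mysteryStruct mystery;

mystery *nextMystery;          /* file scope: 'mystery' is the typedef */
mystery mysteryPool[200];

/*
 * In the parameter declaration the specifier 'mystery' is still the typedef,
 * because the parameter's own scope only begins after its declarator.
 * From there to the end of the function body, 'mystery' names the parameter.
 */
mystery *push_mystery(mystery *mystery)
{
    /* 'mystery *hosed;' here would be the expression mystery * hosed,
     * with 'hosed' undeclared.  The struct tag is in a different name
     * space and is not hidden, so declare the local through it. */
    struct mysteryStruct *hosed;

    hosed = mystery->next = nextMystery;   /* link in front of the old head */
    nextMystery = mystery;                 /* parameter becomes the new head */
    return hosed;                          /* previous head, or NULL */
}

/* Pushes two pool entries and checks what each call returned. */
int demo_push_twice(void)
{
    nextMystery = NULL;
    mystery *first = push_mystery(&mysteryPool[0]);   /* typedef visible again */
    mystery *second = push_mystery(&mysteryPool[1]);

    return first == NULL
        && second == &mysteryPool[0]
        && nextMystery == &mysteryPool[1]
        && mysteryPool[1].next == &mysteryPool[0];
}

int main(void)
{
    return demo_push_twice() ? 0 : 1;
}
```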





Re: Mystery C question

2002-03-05 Thread Michael O'Donnell



OK - my thanks to all.  Your points about the
typedef colliding with the variable name are
taken.  I claim (without supplying examples at
this time) that it's not an uncommon idiom but
will avoid it if it leads to compiler problems,
or even to public disapproval...

BTW, I've got some *great* phenylpropanolamine!





Re: BIOS entry for Quantex CPU?

2002-03-05 Thread Rodent of Unusual Size

Thanks for the help, everyone; particularly for the pointers
I didn't find in Google.
-- 
#kenP-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist  http://Apache-Server.Com/

Millennium hand and shrimp!




PHP security flamewar (was: Apache codered looming???)

2002-03-05 Thread Benjamin Scott

On Tue, 5 Mar 2002, at 4:30pm, Derek D. Martin wrote:
 However, just this year:
 
 http://online.securityfocus.com/archive/1/258995
 http://online.securityfocus.com/archive/1/258662

  I believe these two are the same issue, the one originally under
discussion in this thread.

 http://online.securityfocus.com/archive/1/255037

  This is not a PHP-specific issue, but a widespread programmer brain damage
issue.

 http://online.securityfocus.com/archive/1/254846

  This is an Apache configuration error, not a PHP problem.

 http://online.securityfocus.com/archive/1/254005

  Legit.

 http://online.securityfocus.com/archive/1/250196

  Somewhat legit.  It can be argued that /tmp is a design flaw in Unix.  I
would be inclined to agree with said argument.  However, using an OS feature
known to be broken is not exactly a good call, either.

 Some of these are considered fairly minor, in that the vulnerability is a
 possible exposure of what may be considered sensitive info.

  And others appear to have been included simply because the string "PHP"
appeared in the message.  ;-)

 There are also some earlier advisories which complain about the design of
 PHP encouraging the development of insecure code.  It seems that writing
 secure PHP scripts is also very difficult, and there are quite a number of
 advisories for software written in PHP, which are not necessarily the
 fault of PHP, but perhaps encouraged by the design of PHP.

  Okay, with all due respect, that is pure FUD.  Yes, FUD -- Fear,
Uncertainty, and Doubt.  "There isn't really anything wrong here, but if you
use it, you will be burned, just because."  You can make the same argument
for Unix, C, Perl, Java, the Internet, computers in general...

 You have to worry about security problems in the software written using
 PHP, as well as those of PHP itself.

  Again: This is true for *anything*.

 For example, Perl has zero reported vulnerabilities over the same period
 of time, and only one report of a vulnerability in software written in it
 (a file disclosure bug caused by bad input validation).

  Whoa!  Were you not around a few years ago, when finding holes in popular
Perl CGI scripts was practically a daily occurrence?

 I stand by what I said: if you're using PHP, it is my opinion that you're
 better off from a security standpoint using something else.

  I think the problem you are seeing is that your average web designer
cannot code worth a damn.  They think the system should be chmod -R 777 /
because everything else is too hard to understand.  They think a system is
secure as long as they have purchased a certificate from VeriSign (actually
using SSL is optional).  Really advanced web designers might think Telnet is
a really cool idea.  They simply don't *get* security, usually because they
simply haven't had the training [1].

  Blaming that on PHP is very poor form.

Footnotes
-
[1] Yes, I'm over-generalizing.  Not all web designers are security 
illiterate.

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |





Re: Mystery C question

2002-03-05 Thread Benjamin Scott

On Tue, 5 Mar 2002, at 8:35pm, Michael O'Donnell wrote:
 OK - my thanks to all.  Your points about the typedef colliding with the
 variable name are taken.  I claim (without supplying examples at this
 time) that it's not an uncommon idiom but will avoid it if it leads to
 compiler problems, or even to public disapproval...

  Remember: Compilers are designed and written by human beings.  If it makes
human beings ask, "What on earth are you doing?", it is liable to do the
same to the compiler.  ;-)

  Put another way: Just because the spec *says* you can do something does
not mean it is a good idea.  :-)

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |





Re: PHP security flamewar (was: Apache codered looming???)

2002-03-05 Thread Derek D. Martin


At some point hitherto, Benjamin Scott hath spake thusly:
  There are also some earlier advisories which complain about the design of
  PHP encouraging the development of insecure code.  It seems that writing
  secure PHP scripts is also very difficult, and there are quite a number of
  advisories for software written in PHP, which are not necessarily the
  fault of PHP, but perhaps encouraged by the design of PHP.
 
   Okay, with all due respect, that is pure FUD.  Yes, FUD -- Fear,
 Uncertainty, and Doubt.  "There isn't really anything wrong here, but if you
 use it, you will be burned, just because."  You can make the same argument
 for Unix, C, Perl, Java, the Internet, computers in general...

...except that the developers agreed. And they've in fact made design
changes to reduce the negative impact of those original design
decisions, and in Dec 2001 released an advisory to that effect.


  You have to worry about security problems in the software written using
  PHP, as well as those of PHP itself.
 
   Again: This is true for *anything*.

Except Ben, that what I'm saying is that PHP isn't mature enough (IMO)
to depend upon its security.  I'm not saying that it can't and never
will be mature enough.  Just that it isn't right now.  Many other
languages have already gone through this maturation process, and their
pitfalls are well understood.  Perl is a good example.  Sure, coding
in Perl does not guarantee that your CGI programs will be bulletproof,
but safe coding practices under Perl are fairly well understood.  As
recently as this past December, the very developers of PHP were in
agreement with those who felt that the same was not true of PHP.

  For example, Perl has zero reported vulnerabilities over the same period
  of time, and only one report of a vulnerability in software written in it
  (a file disclosure bug caused by bad input validation).
 
   Whoa!  Were you not around a few years ago, when finding holes in popular
 Perl CGI scripts was practically a daily occurrence?

See above.

  I stand by what I said: if you're using PHP, it is my opinion that you're
  better off from a security standpoint using something else.
 
   I think the problem you are seeing is that your average web designer
 cannot code worth a damn.

I definitely agree that this is a huge factor.  But that does not go
very far to explain why there have been relatively few Perl-related
advisories recently as compared to PHP-related advisories.  Has the
web community abandoned Perl in favor of PHP?  I seriously doubt it.
Does it mean that no one is looking at the code of Perl to find holes?
Given how many machines have Perl installed these days, I doubt that
too.  I believe that it is because Perl is mature, and PHP isn't.

You're welcome to disagree with me.

- -- 
Derek Martin   [EMAIL PROTECTED]
- -
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



Re: PHP security flamewar (was: Apache codered looming???)

2002-03-05 Thread Rodent of Unusual Size

Derek D. Martin wrote:
 
I think the problem you are seeing is that your average web designer
  cannot code worth a damn.
 
 I definitely agree that this is a huge factor.  But that does not go
 very far to explain why there have been relatively few Perl-related
 advisories recently as compared to PHP-related advisories.

No, because apples aren't oranges.  Perl as an embedded scripting
language has a tiny penetration compared to PHP or ASP -- and most
embedded scripting, or at least more and more of it, is moving
to Java-based stuff.  Perl in Web servers is mostly CGI scripts,
and those are on the way out.

 Has the web community abandoned Perl in favor of PHP?  I
 seriously doubt it.

Fruit differential again.  Far and away the majority of PHP usage
is embedded scripting; contrariwise, most Perl usage is CGI.
CGI is being abandoned in favour of embedded scripting, which
means toward ASP, PHP, and Java (servlets, JSP, ...).

 Does it mean that no one is looking at the code of Perl to find holes?
 Given how many machines have Perl installed these days, I doubt that
 too.  I believe that it is because Perl is mature, and PHP isn't.

Your privilege.  I'll agree to a certain extent -- but the
comparable alternatives are even less mature than PHP.
-- 
#kenP-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist  http://Apache-Server.Com/

Millennium hand and shrimp!
