Slashdot Mirror

Why did you pick Debian as a metric?

Because that's one of the most comprehensive studies performed on corporate contributions to open source. I'm not in a position to take the time and resources to do my own study. Here's another look at how much Sun has contributed to open source.

Debian is also a popular distro that many other distros are based on. (Ubuntu, Xandros, KNOPPIX, DSL, Linspire)

The Linux Kernel is is not the only Open Source or Free Software project out there. I'd argue it's not even the most important one. If the linux kernel one day disappeared, the rest of the open source world could continue. But without the rest of the open source world, the linux kernel is worthless.

Have you ever had IBM salespeople come in to spec out a project? You might be surprised what they have to say on AIX vs Linux. This document is old, but still available on the IBM website. It talks about how AIX is better than Linux.

Having worked in the disk mines of IBM many years ago, the SCSI disk controller is somewhat your pixie dust

Nope, that'd be on the platters.

I agree OS/2 was preemptive. It wasn't cooperative in the Windows 286, GEOS sense. What was different was the fact that apps organized themselves into threads and processes rather than just threads:

http://www.ibm.com/developerworks/linux/library/l-osmig1.html

For the most part I don't really understand all the hatred being expressed against IBM. What realistic alternatives are there?

1. Sun continues its downward spiral into irrelevance and insolvency. Eventually it goes bankrupt and its assets are sold off to the highest bidders.
Bad for obvious reasons. No one would want to see that.
2. Sun gets bought out by another company, say HP or Oracle.
It would be hard to argue that HP or Oracle would be a better owner than IBM, assuming they could even afford it. If Sun is going to get bought out, IBM is probably the best choice. IBM has a much better track record of supporting Open Source than any other old-school company except Sun itself, and heck, IBM already sells Solaris servers, so they would not kill it off for AIX or Linux. Sure they might do something like GPL Solaris technologies in order to get them into Linux, but really who would think this is a bad thing except the zealots?
3. Sun voluntarily splits itself up into separate companies (Java, Solaris, OpenOffice, MySql, etc).
Probably the best option for the technologies involved, but it would never happen because the current management would essentially be admitting their own failure. It also might spell bad news for stuff like OpenOffice and OpenSolaris, since they may not end up with a "sugar daddy" to finance development work.

I post this every time someone makes the false claim that Sun contributes more than IBM. Source.

Abstract Machine Test Utility for Linux Common Criteria Certificate
Abstract Machine Test Utility (AMTU) is an administrative utility to check whether the underlying protection mechanism of the hardware are still being enforced.

AIX Toolbox for Linux Applications
AIX Toolbox for Linux Applications contains a collection of open source and GNU software built for AIX 5L for IBM pSeries systems and IBM RS/6000.

Ami - Korean Input Method
Korean IMS (Input Method System) Ami.

Anaconda
Anaconda is the installation program for Red Hat distributions.

Apache
Home of the Apache Web server and several dozen related projects.

Apache Ant
Apache Ant is a Java-based build tool.

Apache APR
Apache Portable Runtime

Apache Cocoon
A Web development framework built around the concepts of separation of concerns and component-based Web development.

Apache DB project
Open source database solutions

Apache Directory
The Apache Directory project aims to produce a high-performance and production-quality LDAP server written in Java.

Apache Excalibur
Excalibur's primary product is a lightweight, embeddable Inversion of control container named Fortress that is written in Java code.

Apache Forrest
Apache Forrest is an XML standards-oriented documentation framework based upon Apache Cocoon, providing XSLT stylesheets and schemas, images, and other resources.

Apache Geronimo
Apache Geronimo is the J2EE server project of the Apache Software Foundation. The aim of the project is to produce a large and healthy community of J2EE developers tasked with the development of an open-source, certified J2EE server that: is licensed under the Apache License, passes Sun's TCK for J2EE 1.4, and reuses the best ASF/BSD licensed code available today, with new ASF code to complete the J2EE stack.

Apache Gump
Apache's continuous integration tool

Apache HTTP Server
The Apache project develops and maintains an open-source HTTP server for various modern desktop and server operating systems.

Apache Jakarta
A diverse set of open source Java solutions

Apache James
The Apache Java Enterprise Mail Server (Apache James) is a 100% pure Java SMTP and POP3 Mail server and NNTP News server. James was designed to be a complete and portable enterprise mail engine solution based on currently available open protocols.

Apache Lenya
Apache Lenya is an Open Source Java/XML Content Management System and comes with revision control, site management, scheduling, search, WYSIWYG editors, and workflow.

Apache Logging Services
Cross-language logging services for purposes of application debugging and auditing.

Apache Maven
Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation from a central piece of information.

Apache mod_Perl
mod_perl brings together the full power of the Perl programming language and the Apache HTTP server

Apache Portals
Apache Portals is a collaborative software development project dedicated to providing robust, full-featured, commercial-quality, and freely available portal-related software on a variety of platforms and programming languages.

Apache SpamAssassin
SpamAssassin uses a wide variety of local and network tests to identify spam signatures.

Apache Struts
The goal of the Apache Struts project is to encourage application architectures based on the "Model 2" approach, a variation of the classic Model-View-Controller (MVC) design paradigm. Under Model 2, a servlet (or equivalent) manages business logic execution, and presentation logic resides mainly in server pages.

Apache Tcl
An umbrella for Tcl-Apache integration efforts

Apache Tuscany
Tusca

http://www.ibm.com/developerworks/opensource/library/os-php-7oohabits/

"Windows95 had full preemptive multitasking .. mainstream MS users enjoyed preemptive multitasking from 1995 on"

'Because Microsoft built Windows 95 using the same System Virtual Machine (VM) model found in Windows 3.1, the operating system is at the mercy of legacy 16-bit applications. If a Win16 program hangs, it can tie up critical 16-bit code modules located in the System VM. All other processing is halted'

'Microsoft has chosen to rely on its existing, Windows 3.1-era USER (window management) and Graphics Device Interface (GDI) modules rather than create new, 32-bit versions. In order to utilize this older, 16-bit code in potentially preemptive (with regard to Win32 applications), 32-bit multitasking environment of Windows 95, Microsoft was forced to serialize access to USER and GDI.

As a result, only a single Win32 or Win16 program can access these critical modules at any given time. This hurts application performance on heavily loaded systems as programs are forced to "line-up" and wait for a chance to execute a USER or GDI routine. All USER calls (for both 16 and 32-bit applications) are serialized and handled by the 16-bit code, while the majority of GDI calls are similarly handled (the other 50 percent are handled by newer 32-bit routines). BOTTOM LINE: WINDOWS 95'S MULTITASKING IS BEST DESCRIBED AS PREEMPTIVELY CHALLENGED'

I keep seeing people write that RMS was proven right. What was proven right?

When Stallman released the GPLv1 twenty some years ago, the naysayers and namecallers said:

1. It wouldn't work.
2. It wasn't needed.
3. Individuals would never use it.
4. Corporations would never use it.
5. Only a few "tree-hugging-nutjob-hippie" would ever use it.

Stallman was proved right and the naysayers were proved wrong on all these counts.

1. The GPL has withstood every legal challenge it has faced even though the vast majority of cases are settled before reaching a courtroom precisely because the GPL is so solid legally.
2. The all-out attack on the GPL (MS's Halloween Documents for example) demonstrate that the GPL is so effective that some companies with closed-source business models see it as their number one threat.
3. By many measures the GPL is the most used FOSS licence.
4. See IBM and Linux. As for all the "IBM hates the GPL" astroturfing see point (2) above. Also see SUSE Linux Enterprise.
5. Many major projects use the GPL including Linux, KDE, and MySQL. Many projects have switched to the GPL over the years such as Trolltech's QT framework.

But perhaps the best proof that Stallman was right is all the anti-GPL hate, lies and dirty tricks that flood the Internet crowned by the Microsoft funded SCO lawsuits against IBM and Novell and others. See especially the shameful coverage of these lawsuits by Maureen O'Gara Rob Enderle.

If Stallman was wrong, why on earth would anyone go to so much trouble trying to discredit the GPL? If Stallman had been wrong twenty years ago then his ideas would have died out by now and he would be totally ignored. People certainly wouldn't be saying that he's "wondering [sic] off to the tree-hugging-nutjob-hippie commune."

In fact, the acceptance and use of the GPL is still going strong and growing. The ideas behind the GPL have spread into other area such as Groklaw's uses them for legal research and the Creative Commons licences use them for books and other creative endeavours.

Posted the wrong link.

SOAP via xmlhttprequest: http://www.ibm.com/developerworks/webservices/library/ws-wsajax/

5 Ghz on air Power6s for you:

Costs are in the 5 digits though:

http://www-03.ibm.com/systems/power/hardware/570/specs.html/

http://www-03.ibm.com/systems/power/hardware/595/specs.html/

5 Ghz on air Power6s for you:

Costs are in the 5 digits though:

http://www-03.ibm.com/systems/power/hardware/570/specs.html/

http://www-03.ibm.com/systems/power/hardware/595/specs.html/

Uh, no.
IBM has its own version of Java on a total of 12 combinations of platforms and architectures:
Windows, x86 32/AMD64
Linux- x86 32,AMD 64, PowerPC 32/64
AIX -32/64
z/OS - 31/64
Linux on system Z- 31/64.
In addition- it also has a hybrid JDK support for HPUX and Solaris-where the base Sun JDK's security, ORB and XML components are replaced by IBM's performance enhanced implementations.
Java is a linchpin of IBM technology- the 4 main brands (Websphere,Rational,Lotus,Tivoli) all use IBM Java runtimes.
However, under the licensing terms with Sun, IBM Java cannot be distributed separately on the same platforms as Sun, which is why you cannot download JDK for windows/Linux.
You can however obtain an IBM JDK for AIX/System Z since those are IBM only OSes.

In addition to the above- the Apache Harmony open source JDK is also heavily supported and funded by IBM.
You can find more information here.

"I don't think so, IBM makes mainframes and has a very large services effort, neither of which compete with MS. If there were no MS, IBM would still continue to exist."

Bzzzt! Thanks for playing, "You Bet Your Geek Card!" Now, please hand it over.

You can't even find the word "mainframe" in most IBM quarterly earning reports. Why not? Because it's a tiny fraction of the $125 Billion in revenue that IBM generates in a year.

IBM Reports 2008 First-Quarter Results

Sales of "System Z" (they change the name every few years to try to keep it sounding fresh) are presently so small that they don't even break it out. It's bundled in with the UNIX systems sales, which include AIX and others, and with the AS/400 sales (the name of this platform and it's operating system changes about every 18 months, but it's presently called IBM i).

I maintain that IBM makes more money from Windows, by orders of magnitude, than they do from "mainframes". If you're going to convince me otherwise, you're going to need to do your own homework.

"I don't think so, IBM makes mainframes and has a very large services effort, neither of which compete with MS. If there were no MS, IBM would still continue to exist."

Bzzzt! Thanks for playing, "You Bet Your Geek Card!" Now, please hand it over.

You can't even find the word "mainframe" in most IBM quarterly earning reports. Why not? Because it's a tiny fraction of the $125 Billion in revenue that IBM generates in a year.

IBM Reports 2008 First-Quarter Results

Sales of "System Z" (they change the name every few years to try to keep it sounding fresh) are presently so small that they don't even break it out. It's bundled in with the UNIX systems sales, which include AIX and others, and with the AS/400 sales (the name of this platform and it's operating system changes about every 18 months, but it's presently called IBM i).

I maintain that IBM makes more money from Windows, by orders of magnitude, than they do from "mainframes". If you're going to convince me otherwise, you're going to need to do your own homework.

(source)

Abstract Machine Test Utility for Linux Common Criteria Certificate
Abstract Machine Test Utility (AMTU) is an administrative utility to check whether the underlying protection mechanism of the hardware are still being enforced.

AIX Toolbox for Linux Applications
AIX Toolbox for Linux Applications contains a collection of open source and GNU software built for AIX 5L for IBM pSeries systems and IBM RS/6000.

Ami - Korean Input Method

Korean IMS (Input Method System) Ami.

Anaconda
Anaconda is the installation program for Red Hat distributions.

Apache
Home of the Apache Web server and several dozen related projects.

Apache Ant
Apache Ant is a Java-based build tool.

Apache APR
Apache Portable Runtime

Apache Cocoon
A Web development framework built around the concepts of separation of concerns and component-based Web development.

Apache DB project
Open source database solutions

Apache Directory
The Apache Directory project aims to produce a high-performance and production-quality LDAP server written in Java.

Apache Excalibur
Excalibur's primary product is a lightweight, embeddable Inversion of control container named Fortress that is written in Java code.

Apache Forrest
Apache Forrest is an XML standards-oriented documentation framework based upon Apache Cocoon, providing XSLT stylesheets and schemas, images, and other resources.

Apache Geronimo
Apache Geronimo is the J2EE server project of the Apache Software Foundation. The aim of the project is to produce a large and healthy community of J2EE developers tasked with the development of an open-source, certified J2EE server that: is licensed under the Apache License, passes Sun's TCK for J2EE 1.4, and reuses the best ASF/BSD licensed code available today, with new ASF code to complete the J2EE stack.

Apache Gump
Apache's continuous integration tool

Apache HTTP Server
The Apache project develops and maintains an open-source HTTP server for various modern desktop and server operating systems.

Apache Jakarta
A diverse set of open source Java solutions

Apache James
The Apache Java Enterprise Mail Server (Apache James) is a 100% pure Java SMTP and POP3 Mail server and NNTP News server. James was designed to be a complete and portable enterprise mail engine solution based on currently available open protocols.

Apache Lenya
Apache Lenya is an Open Source Java/XML Content Management System and comes with revision control, site management, scheduling, search, WYSIWYG editors, and workflow.

Apache Logging Services
Cross-language logging services for purposes of application debugging and auditing.

Apache Maven
Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation from a central piece of information.

Apache mod_Perl
mod_perl brings together the full power of the Perl programming language and the Apache HTTP server

Apache Portals
Apache Portals is a collaborative software development project dedicated to providing robust, full-featured, commercial-quality, and freely available portal-related software on a variety of platforms and programming languages.

Apache SpamAssassin
SpamAssassin uses a wide variety of local and network tests to identify spam signatures.

Apache Struts
The goal of the Apache Struts project is to encourage application architectures based on the "Model 2" approach, a variation of the classic Model-View-Controller (MVC) design paradigm. Under Model 2, a servlet (or equivalent) manages business logic execution, and presentation logic resides mainly in server pages.

Apache Tcl
An umbrella for Tcl-Apache integration efforts

Apache Tuscany
Tuscany provides multiple language implementations of the Service Component Architecture (S

IBM doesn't have Java?

http://www.ibm.com/developerworks/java/jdk/

Er... IBM did once have a competing JVM implementation. You can still download it. http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-56888

Except for the employees of Sun. Update your resume now

Hmmm.... wouldn't be so sure of that. I'd be willing to bet that these people are pooping some square ones.

http://www-03.ibm.com/systems/power/software/aix/index.html

http://www.whywork.org/

See especially:
http://www.whywork.org/rethinking/whywork/abolition.html
"Work is the source of nearly all the misery in the world. Almost any evil you'd care to name comes from working or from living in a world designed for work. In order to stop suffering, we have to stop working. That doesn't mean we have to stop doing things. It does mean creating a new way of life based on play; in other words, a ludic revolution. By "play" I mean also festivity, creativity, conviviality, commensality, and maybe even art. There is more to play than child's play, as worthy as that is. I call for a collective adventure in generalized joy and freely interdependent exuberance. Play isn't passive. Doubtless we all need a lot more time for sheer sloth and slack than we ever enjoy now, regardless of income or occupation, but once recovered from employment-induced exhaustion nearly all of us want to act."

See also:
http://www.smallisbeautiful.org/buddhist_economics/english.html
"The Buddhist point of view takes the function of work to be at least threefold: to give man a chance to utilise and develop his faculties; to enable him to overcome his ego-centredness by joining with other people in a common task; and to bring forth the goods and services needed for a becoming existence. Again, the consequences that flow from this view are endless. To organise work in such a manner that it becomes meaningless, boring, stultifying, or nerve-racking for the worker would be little short of criminal; it would indicate a greater concern with goods than with people, an evil lack of compassion and a soul-destroying degree of attachment to the most primitive side of this worldly existence. Equally, to strive for leisure as an alternative to work would be considered a complete misunderstanding of one of the basic truths of human existence, namely that work and leisure are complementary parts of the same living process and cannot be separated without destroying the joy of work and the bliss of leisure."

On the other hand:
"Blame It on Mr. Rogers: Why Young Adults Feel So Entitled"
http://online.wsj.com/public/article/SB118358476840657463.html
And, extending that theme:
"Blame the Bailouts on Mister Rogers?"
http://emac.blogs.foxbusiness.com/2008/12/12/blame-the-crisis-on-mister-rogers/

Maybe there are deeper issues here on all sides? From:
http://groups.google.com/group/openmanufacturing/msg/72330a22bcae8928?

Consider who could pay for food or water (or copyrighted content or patented
processes) in thirty years, if robotics continues to develop just at the
current rate over the last thirty years.

Check out clerks?
"Your supermarket cashier may not know a kiwano from a tamarillo, but
Veggie Vision does."
http://domino.watson.ibm.com/comm/wwwr_thinkresearch.nsf/pages/machin...

Cab drivers?
http://en.wikipedia.org/wiki/DARPA_Grand_Challenge

Heart Surgeons?
http://en.wikipedia.org/wiki/Intuitive_Surgical

Airline pilots?
http://en.wikipedia.org/wiki/Autopilot

Nurses?
"Robot nurse escorts and schmoozes the elderly"

OK, send in the Nazgul, then:
http://domino.watson.ibm.com/comm/pr.nsf/pages/news.20070416_virtualworlds.html

IBM has many projects related to virtual worlds.

I'll take "I didn't lose my data" over "ext4 runs 1.5x faster than ext3," thank you. What use is performance to me if I have to be absolutely certain that it won't crash, or I lose my (in my very high performance filesystem) data?

Also, ext4 is toted as having additional reliability checks to keep up with scalability, etc... not less reliable at expense of performance.

Reliability

As file systems scale to the massive sizes possible with ext4, greater reliability concerns will certainly follow. Ext4 includes numerous self-protection and self-healing mechanisms to address this.

(from Anatomy of ext4)

I can only imagine the response if tests were done on Windows 7 beta that showed a crash after this or that resulted in loss of data. :)

Waiting for GPGPGPUs

Yeah, I hear those will finally support the eieio instruction. :)

OMFG! You don't know what you are talking about, do you?
Try looking at the following, and try to understand that $1000/MIP is also all other stuff...
http://en.wikipedia.org/wiki/IBM_System_z10
http://www-03.ibm.com/systems/z/advantages/newtosystemz/index.html

To get a better look at where storage came from, head on over to IBM's Archives: http://www-03.ibm.com/ibm/history/exhibits/storage/storage_intro.html Then check out the historical product profiles, documentation and videos: http://www-03.ibm.com/ibm/history/exhibits/storage/storage_reference.html

To get a better look at where storage came from, head on over to IBM's Archives: http://www-03.ibm.com/ibm/history/exhibits/storage/storage_intro.html Then check out the historical product profiles, documentation and videos: http://www-03.ibm.com/ibm/history/exhibits/storage/storage_reference.html

It will arrive in a lovely wooden crate and sometime after morning coffee he will unpack it, walk over the the Z Series, open the door, slide it into place, connect the cooling hoses and close the door. He will then walk to the maintenance terminal, type in the secret code, and your Z Series now has 64 more processors.

More like the guy acts like he is messing with the hardware and when you turn around he types the secret key into the maintenance terminal. http://publib.boulder.ibm.com/infocenter/eserver/v1r2/index.jsp?topic=/eicaz/eicazzcod.htm

"... the zSeries processor is a modified PowerPC running microcode"

While the z10 and Power6 processors share some DNA, they really are two different beasts, and much of the z10 instruction set is done closer to silicon than you might think. See the Design and microarchitecture of the IBM System z10 microprocessor PDF.

There's definitely prior art, with respect to the licensing of computing power.

http://www.ibm.com/developerworks/data/library/techarticle/dm-0611zikopoulos2/

Assume the usual comments on patents, Microsoft, IBM etc :).

However, if the nanotech sector manages to use magnetics or field manipulation in conjunction with a current in order to induce the fold (with some precision), and can keep the pathways (and the requisite etchers) tiny enough to allow the current to pass, successful micronization of both the assemblers, and the resulting constructions, to the nano level is foreseeable.

One may keep in mind progress (PDF) so far with nanomechanics (HTML).

IBM's recent work with atom manipulation could certainly assist in this endeavor, too.

>> D did another thing right: it did not remove destructors, like Java did. Instead, when there are zero references to an object, the GC calls the destructor *immediately*, but deallocates the memory previously occupied by that object whenever it wishes (or it reuses that memory). This way RAII is possible in D, which is very useful for things like scoped thread locks.

First of all, Java does have destructors. It's called finalize().

Second of all, calling destructors on a modern GC are extremely costly. Sure, your example implementation of destructors seems simple, but it is only possible in a reference counted garbage collector, which is so primitive as to be nearly useless.

Modern Java GCs are generational copying collectors. They have a young heap, where objects are allocated, and an old heap, where objects are moved when they survive an allocation. Object retention is done by tree search from a root node.

This means you can do fun things like allocate a linked list, then drop the reference node. When a collection happens, anything living is rescued from the young heap, and then it's simply wiped clean. No computation is performed regardless of how large it is or how many links it has, because there's no such thing as deallocation on the young heap. When you drop that first link, it's like the VM doesn't even know it's there anymore; the whole list just gets overwritten on the next pass over the heap.

If, however, you write a destructor for your links (or in Java, finalize()), the destructor then needs to independantly keep track of all of your destructable objects. It needs to remember that they're there so it can call their destructor when they do not survive an allocation. Furthurmore, if you impose your hard requirement of calling the destructor immediately, then the implementation of such a collector is impossible for your language. Even a primitive mark sweep collector, or anything not reference counted is impossible.

This example is discussed in detail here:

http://www.ibm.com/developerworks/java/library/j-jtp01274.html

You should familiarize yourself with modern garbage collectors. I don't know much about D, but if D really is tied down to a reference-counting collector due to its destructor requirements, that makes it extremely unnatractive as a language. Here is more information on various collector implementations:

http://www.ibm.com/developerworks/java/library/j-jtp10283/

>> D did another thing right: it did not remove destructors, like Java did. Instead, when there are zero references to an object, the GC calls the destructor *immediately*, but deallocates the memory previously occupied by that object whenever it wishes (or it reuses that memory). This way RAII is possible in D, which is very useful for things like scoped thread locks.

First of all, Java does have destructors. It's called finalize().

Second of all, calling destructors on a modern GC are extremely costly. Sure, your example implementation of destructors seems simple, but it is only possible in a reference counted garbage collector, which is so primitive as to be nearly useless.

Modern Java GCs are generational copying collectors. They have a young heap, where objects are allocated, and an old heap, where objects are moved when they survive an allocation. Object retention is done by tree search from a root node.

This means you can do fun things like allocate a linked list, then drop the reference node. When a collection happens, anything living is rescued from the young heap, and then it's simply wiped clean. No computation is performed regardless of how large it is or how many links it has, because there's no such thing as deallocation on the young heap. When you drop that first link, it's like the VM doesn't even know it's there anymore; the whole list just gets overwritten on the next pass over the heap.

If, however, you write a destructor for your links (or in Java, finalize()), the destructor then needs to independantly keep track of all of your destructable objects. It needs to remember that they're there so it can call their destructor when they do not survive an allocation. Furthurmore, if you impose your hard requirement of calling the destructor immediately, then the implementation of such a collector is impossible for your language. Even a primitive mark sweep collector, or anything not reference counted is impossible.

This example is discussed in detail here:

http://www.ibm.com/developerworks/java/library/j-jtp01274.html

You should familiarize yourself with modern garbage collectors. I don't know much about D, but if D really is tied down to a reference-counting collector due to its destructor requirements, that makes it extremely unnatractive as a language. Here is more information on various collector implementations:

http://www.ibm.com/developerworks/java/library/j-jtp10283/

These are the first ones that came to my mind, but you could try one of these, or this one, or this one, or this quite small one.

Just read the report, will you? Your question has already been answered pretty convincingly by the IBM researchers.

Here, I'll give you the link again: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

And I'll even quote:

While all of the factors considered by CVSS are important, what CVSS scores fail to capture is the economic opportunity that a vulnerability presents to an attacker. The days of amateurs, college students, or hackers taking joy rides on corporate information systems are largely over. Todayâ(TM)s attackers are economically motivated. They are international criminal organizations who make a living stealing financial information and identities. Todayâ(TM)s threat is far more sophisticated and far more dangerous than the security threats of yore, but in some ways it is more predictable.

The result of this new reality is that there have been several vulnerabilities this year that received very high CVSS scores and raised widespread alarm within the security industry. However, they were not widely exploited in the wild. In most cases, these vulnerabilities did not fit well into the current business models of computer criminals

Vulnerabilities that fit into existing processes and which can leverage existing automation are easy for criminals to monetize. Vulnerabilities that require the development of new processes or software are much less likely to present an attractive opportunity to criminals, particularly if they represent a one-of-a-kind set of circumstances that is unlikely to be repeated in the future. Even when it does make sense for criminals to develop a new attack methodology to exploit a new class of vulnerabilities, widespread attacks will usually take longer to emerge than for vulnerabilities that fit directly into an existing process.

To put all of these issues into perspective, letâ(TM)s consider them together. Figure 7 plots each issue into one of four quadrants based on the opportunity they present to a criminal and the cost of realizing that opportunity. Only issues that make it to the top right [cheap exploit, many targets] resulted in widespread exploitation. The others did not present enough of a financial opportunity or they were too expensive to monetize.

Basically both OS X and - especially - Linux fails the "many targets" test for desktop-style drive-by exploits. You could argue that Linux, which is used with Apache on most internet servers, presents a formidable number of targets. Yes, but we haven't seen a "cheap" exploit which were remotely exploitable against any of the OSes in the latter years.

There's been a lot of improvement in TtS out of university research in the past ten years. I don't think its unfair to say that given a profit motive there'd be even more investment in the field, to improve things like inflection. Check out some of the IBM samples under expressive samples.

With the risk of being modded into obscurity and burning all my karma:

Simply don't venture into the trap that OS is inherently more secure than closed source. It is unfortunately easily refuted. PHP, WordPress, Typo3, Drupal are all open source projects with very challenged security track records.

Security and open source - despite popular belief - seems to be orthogonal concepts. It seems to have more to do with the QA/QC processes in place than with the actual development model.

IBM just released a report which shows that Vista and Windows Server are actually hit by fewer vulnerabilities than "Linux kernel", although suffering from more malware. http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

It actually show that through 2008 Linux kernel experienced 2x the vulnerabilities of Vista/Server 2008, Apple OS X was hit by 3x the vulnerabilities.

The IBM X-Force team went through the disclosed CVEs and attributed them to the operating systems. This way they didn't multi-count Linux because of multiple distributions, and also they didn't count vulnerabilities from the bundled apps from the distributions.

You may claim (as many surely will) that MS somehow "hides" vulnerabilities. However, that doesn't seem to be the case when you look at the information (the "bulletins") which is supplied with each patch.

Simply put, security seems to be an orthogonal issue. Open source does not seem to automatically or inherently guarantee fewer vulnerabilities or better in-depth protections. It doesn't seems to make it worse, though.

Claiming so will only make you vulnerable to counter-examples (of which there are many) and will allow the MS lackeys to paint you as an ideology-driven zealot.

Chunk it down. Point to the security track record of the products you recommend. Leave out the claim that they are more secure because they are OS, just claim that the products are produced by vendors that are accountable, dependable and transparent with proven security records.

someone did it before... with win ce at least.
http://www-307.ibm.com/pc/support/site.wss/BMOE-46XPTL.html

I don't want to get mired in a never-ending paranoia-fueled race to patch holes..

How can I take reasonable steps to protect these websites myself?

The list of things you need to protect against is actually pretty short, provided that your list is high-level and general enough. ;-)

Look at this. Most of that boils down to instances of trusting inputs, which is always a bad idea when the internet is involved.

Then audit your code and look for the mistakes. It is impossible to achieve your goal without doing this. Anyone whose todo list doesn't include this step, should be ignored.

I recommend against hiring a white-hat. If you are going to continue to develop, then you need to learn to write defensive code yourself, and auditing your existing code will really help you.

I'm honestly surprised corporations aren't simply going into countries with cheap labor and building their own "company towns" where they can bring workers for all over the world.

Back in the day plenty of companies would just build towns out of nothing, in the middle of nowhere, and move people in to work at their factory / mine / chip fab plant.

So in this day of cheap airfare and 'free' telecommunications, why haven't we seen the same idea Globalized?

Or maybe we are...

That really is a brilliant idea. If they want to show leadership, they should do just that. See the chart at the bottom of this page. What does $5.8 million come out to in Indian wages? (Sure that. a termination package, but I think it gives a hint.)

The author of the book was Edwin Black. He sued IBM at exactly the same time that he released the book and the suit was dismissed. Unfortunately for some strange reason, the dismissal of the lawsuit did not get nearly the same amount of media coverage that the initial suit timed with the book release got.

An interesting and little known fact about Mr Black is that before writing this book, he was publisher of "OS/2 Professional" when it went out of business due to IBM's killing off of the doomed OS. He seemed to have no problem with IBM's past while he was making money from a financial association with them.

Also, at least one historian who specializes in the Holocaust has called into question many of his accusations.. Again, few people care to listen to the other side, and prefer to simply assume everything Mr Black says is true.

M1 Carbines for the US, and Holleriths for the Nazis? What a brilliant business strategy! European explosive manufacturers made tons of money supplying both Iran and Iraq during their war in the 1980's. But I guess you're not supposed to do this if your country is on one side of the conflict.

I suppose that IBM would claim that the Nazis had taken over the subsidiary, and that IBM in the US had no control over it. I believe that Ford and GM (Opel) had the same problem with their subsidiaries, and faced the same allegations after the war.

If the case in the book is so strong, why hasn't anyone sued IBM over it?

"Hey, Daryl McBride! Here's your chance to try to sue IBM again!"

Or maybe some militant animal rights groups can sue them over this: http://www-03.ibm.com/ibm/history/exhibits/vintage/vintage_4506VV2154.html

"KDE is a bloated environment, which is why although there are nice KDE apps out there, I will never run them in my gnome or windowmaker environments. No thanks."
One hears this often here. Here's someone who decided to test this common Slashdot wisdom: http://www-128.ibm.com/developerworks/linux/library/l-linux-memory.html?ca=dgr-lnxw07LinuxMemory

They didn't specify the GPL, but rather OSS licenses. And it should be noted that this particular pledge only covers 500 patents (which is fairly select considering the bredth of IBM's portfolio). However, it still strikes me as much more good faith effort than Microsoft has produced.

Again - patents come in to play only because Microsoft's FUD puts it in play. If Microsoft really wants these initiatives to be accepted, I'd expect them to produce code (appropriately licensed - let's say BSD since they're so supportive of it and want to avoid the GPL) to start them out or, failing that, a license that guarantees others work won't become their stick in a later ploy.

I have no idea how I stumbled across this, but it looks very pretty...

Perhaps Linux is used ALOT more than you think, you're just not aware of the installations ;)

I know of at least 2 places which are very large and influential organizations that run ALOT of Linux and other Open-Source Systems - in one of the organizations I'm thinking of I implemented Linux in combination with MRTG, PHP and MYSQL for an application I wrote for the purposes of systems monitoring and server inventory, something I whipped up because Tivoli, a large, expensive "enterprise" product was proving too cumbersome and taking too long to implement and my Management needed something RealSoonNow(tm) to do the job.
Unfortunately though, Non-Disclosure, and fear of being publicly identified prevents me from citing the organization(s) by name.

Linux is used in quite a number of places, but it doesn't get the big "The Department of xyz for the pqr Government is installing Linux" publicity.

Don't despair, Linux is making waves, you just can't see the ripples ;)

Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

No offense intended... but I did say that in my original post ;)

Wasn't the "secure computing" preached by Intel/MS and others a "secure" platform that would solve all the security issues?

No

To me seams that it was only a farse to disguise DRM into everyones computers...

And fail...

No again. Here is some useful information on this from IBM.

For those interested, IBM is running a primer series on the new language/runtime features.

There's also this older (but still relevant) PEP that explains things that did not change between the 2.x series and 3.0.

Personally, I'm not looking forward to migrating existing code bases (especially non-trivial ones) to 3.0, but I'm planning to do all new development against it (of course assuming that the various packages I use have ports).

For Python trivia lovers, here the the actual moment in time when 3.0 was let loose on the world. I'm such a sentimental geek :)

Please provide us with the most recent scientific breakthrough not carried out by a government funded lab or subsidized university.

Well, it's not very recent, and all I did was put "ibm scientific breakthrough" into Google and press "I'm feeling Lucky", but here's one from IBM. I can also recall various semiconductor, nano-transistor and racetrack memory discoveries from IBM, so the idea that all research is government funded isn't exactly correct.

Your question feels a bit of strange question to ask as surely anyone who has looked would notice a huge difference between the latest 2.6 (2.6.28) and the latest 2.4 (2.4.37).

Preemptible kernel (so lower latencies are possible)
Far more devices supported (both in terms of architectures and additional add on devices e.g. SATA support)
Better scheduler (initially made O(1) scales better under load and then fairer with CFS)
Task Control Groups
Better support for threads (schedules them in a more intelligent fashion)
Strict overcommit
Massive VM changes
Tickless/dynticks support
Asynchronous I/O support
Introduction of different I/O schedulers (deadline, cfq
Network stack improvements (faster, better under load e.g. NAPI support)
epoll support
Improved ACPI support
Network filesystem improvements
Initramfs support

There is a huge list of Linux kernel changes that happened between 2.4 and 2.5. There is also a good Linux kernel 2.5 changes page on IBM's developerworks. Kernelnewbies has an excellent summary of changes for each of the 2.6 kernels and a 2.5 changes page. LWN is also excellent for kernel news.

I hate it when people don't bother to state exactly the points they object to. What other changes (not listed above) do you think the question poster wouldn't benefit from? Follow the links to the full lists (don't just use the ones off the top of your head)...

If you want to minimize latency in your applications, chances are you'll like the new scheduler implemented in 2.6.23 and following. In general, 2.6 has better support for realtime (low-latency) applications: http://www.ibm.com/developerworks/linux/library/l-real-time-linux/index.html