Thursday Release Party
taktile writes "I started the project about a week and a half ago after learning about Apple's ASCIIMoviePlayer. QuickASCII is an Open Source project to add improvements to Apple's player."
Another user writes, "There is a small group collaboration program called iStorm that is out. If anyone gets tired of severely delayed collaboration over the Internet, maybe he should try an almost telepathic experience with this program."
ludeyork writes "I just saw that BBEdit 7.0 has been released and it's got great new features." It's very cool, and by cool, I mean totally sweet. The CVS integration is worth the upgrade for me.
yuck72 writes "Apple has just released version 5.2 of its WebObjects application server. Improvements include better J2EE integration, easy tools for building SOAP-based web services and Java Webstart support. Applications can be deployed on any machine with a Java 1.3.1 compliant JVM. Apple's 'best-kept secret' really deserves more attention than it currently gets considering that it plays in the same league as Websphere and Weblogic." Oops, maybe I should have given it its own story.
Why did the iStorm guy use the metal L&F? It's for programs that replicate physical functionality! WAY TO FUCK IT UP!
The Federal Information Assurance Conference 2002 is taking place this Tuesday through Thursday at the University of Maryland. Some of the most prestigious government agencies and private businesses in the realm of Information Security are attending, including among others the National Security Agency, the National Institute of Standards and Technology, and the Defense Information Systems Agency; and RSA Security, Symantec, and IBM, respectively. The speakers included professionals from the FBI, the U.S. Secret Service, and the Office of Homeland Security.
Yesterday, the very first day, Microsoft announced that Windows 2000 has passed all required tests for certification under the Common Criteria (CC) at Evaluated Assurance Level 4 (EAL4) to demonstrate their "commitment to security." Unlike the Windows® NT 4.0 TCSEC (Trusted Computer Security Evaluation Criteria, a.k.a. "Orange Book") C2 certification which was on a non-networked machine without a floppy drive, the Windows 2000 CC EAL4 tests included among others the Active Directory Service, Virtual Private Networking (VPN), the Kerberos implementation, and the Encrypted File System. Where was Linux(TM) when Microsoft dropped this bombshell? Linux(TM) was nowhere to be found. There was no one from Red Hat, no one from Mandrakesoft (makers of Mandrake Linux), and no one from SuSE. Linus wasn't there. Not even the self-appointed patron saint of open source, Richard Stallman, bothered to show up.
Oh Linux(TM), oh Linux(TM). Where art thou, Linux(TM)? Why didst thou not show up? The answer lies in a small, little excerpt from John Pescatore, Director of Internet Security for Gartner. He said, "Not all but some of versions of Linux could meet this level [CC EAL4] as well."
That's right. Not all versions of Linux could meet CC EAL4. In other words, not all versions of Linux could meet the same minimum security requirements as Microsoft Windows 2000.
"Well," you ask, "exactly which versions of Linux can and cannot meet CC EAL4 requirements?" It stands to reason that the core Linux(TM) kernel, the version distributed by Linus at http://www.kernel.org, cannot meet these minimum requirements, because if it did, all versions of Linux(TM) would meet these minimum requirements. After all, other Linux distributions are not going to be made less secure. I also know for a fact that this is true. The reason that only some of the Linux(TM) versions would pass CC EAL4 is that those versions patch the main Linux(TM) distribution. In other words, those more secure versions are forks, alternative versions of Linux(TM) that were not accepted into the main distribution.
This means that Linux(TM), as released by saint Linus, the same Linux(TM) that all these so-called "experts" have been touting as the more stable, more secure alternative to Windows, is actually less secure than Windows 2000. Now I don't want to get any email from you Linux(TM) naysayers asking me that if Microsoft Windows 2000 is so secure why does Microsoft® Windows 2000 have so many more security bugs, or security bulletins, than Linux(TM). Measuring the security of an operating system by the number of security bulletins is like measuring the security of a bank by the number of robberies. By that standard, my small town bank out here in the sticks with 2 tellers, 3 security cameras, and never more than US$1,000 cash on-hand is the most secure bank in the world.
The "theory of a thousand eyes" (the theory that open source is more secure because everybody can see the code and instantly discover a problem) doesn't make an operating system any more secure either. While the potential for more security exists, this doesn't ensure that the "thousand eyes" are actually looking. To the contrary, Red Hat has discovered bugs in the Linux kernel in sections that went unchanged for years. For example, not only did the Teardrop vulnerability in TCP/IP exist for decades, but the Teardrop vulnerability was ported to other operating systems, even though "thousands of eyes" had to be looking at the code in order to port it to another operating system. Peer review, an extension of this theory, doesn't provide any assurance either, because the reviewing peer may not be well versed in security and hence not fully understand or appreciate the implications of a given piece of code.
I've said it before, and I'll say it again. The only way to fully evaluate operating system security, and to compare one operating system's security to another operating system's security, is to have that operating system evaluated under TCSEC or CC. These are comprehensive methods of fully and exhaustively evaluating security, and the fact that they are common standards allows operating systems evaluated by the same criteria to be compared in terms of total security assurance. Until Linus and his open source goons get their act together, get their kernel up to snuff, and get their kernel certified, Linux(TM) will remain less secure than its arch-nemesis, Microsoft Windows 2000.