Reflecting on Linux Security in 2003
LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."
It's better than Microsoft's! Sorry, I do not mean to troll...
(\_/)
(O.o) This is Bunny.
(> <)
I haven't been r00t3d.
Sweet.
printf("%s@yahoo.co.uk\n", uid[569754].name);
Quote from the article: SecurityFocus columnist Hal Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free. --> Just imagine the amount of e-mail worms there could be out there if people had to pay for Outlook updates.
They even have documents that give a step by step procedure for stealing the Microsoft fonts and installing them on Linux systems! Notice in particular the instructions for the Tahoma font.
- formats/html_single/FDU.html#TRUETYPE
http://www.tldp.org/HOWTO/mini/FDU/truetype.htm
Your link is bad, it should be
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other
Also, from the HOW-TO, "TrueType is a registered trademark of Apple Computer, Inc.", not Microsoft. I'm not sure if the 'Tahoma' font in particular is property of Microsoft.
Just thought that you should know.
"favour"?
Actually TrueType is an Apple invention and the trademark is properly credited. The Tahoma font is the property of Microsoft, as is Arial and many other fonts.
> From the looks of things, they still have a while to go. IMO, Linux people talking about security is like that saying about people who live in glass houses.
Note that many if not most of the vulnerable programs shown in your link to securitytracker.com are not related to the Linux kernel nor part of most Linux distributions. This makes for a potential "apples to oranges" comparison with Windows vulnerabilities.
Also, the page for Windows doesn't just list OS components either. So, as far as Security Tracker goes, it IS apples to apples. One can also argue that IIS is not really a Windows component, since it is an optional service. But that's the way they organize their site. If you don't like it, talk to Security Tracker; I'm sure they would be happy to hear from you!
Manipulate the moderator system! Mod someone as "overrated" today.
Oops .. s/Linux( community)+/Microsoft/ ..
There, now accords with reality, as documented in various trial records.
A kernel that wrote itself. Cool!
A simple backup-restore utility that allows users to back up all their filesystems, and restore them in the event of a crash. A separate unmounted filesystem to store the 'image' - no worm can get past this simple strategy. A major security breach? Simple:
1. Remove network cable (OR) Internet connection.
2. Boot from tomsrtbt
3. Mount backup partition(s)
4. Run simple restore script.
5. Reboot and enjoy!
Can any other OS do this, with off-the-OS tools?
-
If you keep throwing chairs, one day you'll break windows....
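The five-step recovery above, as an added example that is not part of the original post: a POSIX sh backup/restore pair that writes an image plus its checksum to a separate directory (standing in for the unmounted backup partition) and refuses to restore an image that fails verification. The directory names, function names and demo data are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: BACKUP_DIR is on a
# separate partition that stays unmounted (or read-only) during normal use and
# is only mounted from rescue media with the network cable pulled.
set -u

# backup_fs SRC_DIR BACKUP_DIR NAME
# Archives SRC_DIR into BACKUP_DIR/NAME.tar and records a checksum beside it,
# so a later restore can detect a tampered or truncated image before using it.
backup_fs() {
    src=$1; dest=$2; name=$3
    [ -d "$src" ] || { echo "backup_fs: no such directory: $src" >&2; return 1; }
    mkdir -p "$dest"
    # -C makes the archive hold relative paths, so extraction stays inside TARGET.
    tar -cf "$dest/$name.tar" -C "$src" .
    # cksum is POSIX; CRC plus length catches accidental damage, and the checksum
    # file lives on the offline partition rather than on the live (breached) system.
    cksum < "$dest/$name.tar" > "$dest/$name.cksum"
}

# verify_image BACKUP_DIR NAME -> 0 only if the archive matches its recorded checksum
verify_image() {
    dest=$1; name=$2
    [ -f "$dest/$name.tar" ] && [ -f "$dest/$name.cksum" ] || return 1
    [ "$(cksum < "$dest/$name.tar")" = "$(cat "$dest/$name.cksum")" ]
}

# restore_fs BACKUP_DIR NAME TARGET_DIR
# Refuses to restore unless the image verifies, then replaces TARGET_DIR's
# contents wholesale (a planted file is removed, not merged over).
restore_fs() {
    dest=$1; name=$2; target=$3
    verify_image "$dest" "$name" || { echo "restore_fs: image $name failed verification" >&2; return 1; }
    rm -rf "$target"
    mkdir -p "$target"
    tar -xf "$dest/$name.tar" -C "$target"
}

# Self-contained demo on temporary directories with constructed sample data:
# back up, simulate a compromise, restore, and check the result. Returns 0 on success.
demo() {
    work=$(mktemp -d)
    live="$work/live"; backup="$work/backup"
    mkdir -p "$live/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$live/etc/passwd"
    backup_fs "$live" "$backup" rootfs
    # Simulated breach: a planted file and an appended line in a system file.
    printf 'evil\n' > "$live/etc/backdoor"
    printf 'tampered\n' >> "$live/etc/passwd"
    restore_fs "$backup" rootfs "$live"
    # After restore the planted file is gone and passwd is back to its single line.
    if [ ! -e "$live/etc/backdoor" ] && [ "$(wc -l < "$live/etc/passwd")" -eq 1 ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```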
Don't throw stones inside your modded linux box?
Right, Check.
As for security, that would explain why my Linux boxes have for years been under constant attack from compromised Windows machines without incident.
Oh boy! An article which takes one author's clearly subjective feelings, piles on the anecdotes, and pronounces evidentiary conclusions!
From reading this, it would appear that Gagne is pretty much what happens when you give a Linux zealot some airtime. I'll comment on just a few things I got a kick out of:
"At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."
but then we have
The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.
So which is it? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)?
"Frankly, it seems incredible that this is even open to debate."
There's that objective analysis shining through. Definitely not the words of someone pushing a belief as opposed to an argument :)
One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used
Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?
has nothing to do with Microsoft's market penetration.
riiiiiiiight. Let me tell you what. If Windows Update gets owned, you will hear about it in the papers, and on the news, etc. And it won't be because of the magnitude of the issue - because it happened to the FSF, Debian, _and_ Gentoo _first_. When something goes wrong with Microsoft software, it hits the whole internet. It's a market share issue.
It doesn't hurt that at its very core, Linux is designed with security in mind.
What do the original UNIX authors have to say about designing UNIX from the ground up with security in mind ? A history of linux will show a few things, I think.
No need here for launching a security initiative after years of neglect."
Or, said another way - "not too much new ground to cover making a freeware clone of 25 years of operating system research!"
Despite the fact that I do not run a Microsoft computer in this office,
Why am I listening to your opinion of MS software again?
costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact
Really? Which documents? Where are the documents that talk about how much money businesses MAKE by leveraging software - Microsoft software? If, overall, MS software is hurting business financially, why don't they go back to notebook paper? Why not use Linux?
This article is pretty much a non-article.
My opinions are my own, and do not necessarily represent those of my employer.
In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user. Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on. My mother, who would "never try an operating system like 'Linus'" is just as oblivious to the necessity of a good firewall on her machine. In fact, before I intervened, neither she nor any of her friends even had one. Worse, they were under the opinion that you can not retrieve email without Outlook, and that Internet Explorer was the internet. That might sound preposterous to you or me, but I have found this to be true of many casual PC owners. So, beyond security problems inherent in code are problems inherent in the user as well.
;) Hmmm... that seems vaguely familiar. :)
Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success. Now, I do not subscribe to the idea of thousands of users poring over the source code and fixing security holes, but I will assert that the small number of users who actually contribute to the community do a fine job of it, and are extremely dedicated. What Open Source offers is the ability to pore over the code, even if most of us don't take advantage of this. M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard. You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$."
If I had to put my money down on which one was more secure, my money would go on Linux.
-dexterpexter
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Ahhh, but the difference is that if I throw a stone and break my little glass Linux house, I have the ability to fix it... for free. That is the beauty of Open Source.
It's an unpleasant truth, but Bill Gates was right when he suggested that perfect bug-free, unexploitable code is impossible. There are going to be vulnerabilities, no matter how much of an effort you make to keep them out of code.
Security has to be achieved through firewalling, shutting off unnecessary services, keeping software up to date with the latest security-related patches, and some common sense on the part of the user. In my experience, a lot of Linux users are every bit as ignorant as their Windows counterparts when it comes to security. I know plenty of people who don't know what daemons are running on their computers, who don't keep their software updated, and who don't follow basic common-sense security procedures. Unfortunately, there's the perception among a lot of people that just running Linux makes them secure. They feel they don't need to bother with things such as firewalls, because they're invincible. Even among their Windows counterparts, firewalls are considered a necessary tool for security.
There's a basic competence needed to run Linux. Unfortunately, beyond that, many users are clueless when it comes to security.
Linux doesn't lend itself to many of the problems Windows does. But that's only part of being secure.
Linux distributions shouldn't come with lots and lots of services enabled by default. We complain at Microsoft because a lot of users have IIS running on their machines and just aren't aware of it. Many Linux distributions are just as guilty as Microsoft here.
If we want to make Linux more secure, we need to fix the two biggest vulnerabilities - the default settings of many Linux distributions and the user.
Do you have any substantiation of this?
You may have heard something about software engineering, but if not, I'll tell you. The later you discover a bug, the more expensive it is.
Let's take some examples.
I think you get the idea. If a bug makes it out into the public, it will cost Microsoft at least $100,000, at a minimum.
So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality?
My God you are a useless troll.
You say:
a step by step procedure for stealing the Microsoft fonts and installing them on Linux....
Then you link to http://corefonts.sourceforge.net/
Which has a copy of the Microsoft license the fonts were obtained under:
Reproduction and Distribution. You may reproduce and distribute an unlimited number of copies of the SOFTWARE PRODUCT; provided that each copy shall be a true and complete copy, including all copyright and trademark notices.....
> Apparently you missed that story last month regarding the hack which exploited a Kernel bug. This affected ALL distros, since it was a kernel exploit.
No, I *didn't* miss it. I'm on the BugTraq mailing list.
> Also, the page for Windows doesn't just list OS components either. So, as far as Security Tracker goes, it IS apples to apples.
Without a direct comparison of the number of exploits for code that comes with the OS for both systems your statement is speculative at best.
> One can also argue that IIS is not really a Windows component, since it is an optional service.
Baloney. IIS comes on every Windows CD-ROM and is used by lots of Microsoft apps. And there's plenty of bugs that cross boundaries thanks to Microsoft's blurring the distinction between OS and application...like that WebDAV bug in ntdll.dll that was exploitable via IIS.
> But that's the way they organize their site. If you don't like it, talk to Security Tracker; I'm sure they would be happy to hear from you!
Don't blame Security Tracker for the deficiencies in your analysis!
I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL. What does that first 'S' stand for again?
I absolutely agree with every point in your bulleted list. But the short answer is yes, I do believe that bugs make it into code because of emphasis on cranking out software quickly. It would seem illogical to do so, true, but the sad truth is that it happens and I have watched in horror as it has happened at the place at which I work. When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic, and developers many times get no say in when their project ships.
Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?
Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.
In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user.
This is a simple result of the law of large numbers. If we assume "technological savvy" is normally distributed within the population then very small samples can have on average very high "savviness" rates. Once the sample size grows the average "savviness" goes down and approaches the mean (which in today's world is still quite low) asymptotically.
Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on.
And herein lies the problem of making blanket statements: yes, most people who are not experienced with computers do run Windows at home. Of course they're going to get infected with something! They lack the experience to mitigate risks and to know what they should never do. DOS didn't have one tenth of the complexity of the latest versions of Windows and stupid DOS users still got viruses all the time.
Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success.
I'm pretty sure a bunch of CS majors deriding SCO on /. won't help Linux kernel development all that much or attribute to any possible success.
M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard.
You are Eric S. Raymond and I claim my free-as-in-beer Tux merchandise.
You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)
Naturally, since you won't find the "Linux community" putting out any patches at all, ever. They're always put out by individuals or by companies/devteams that simply wish to produce the best possible product for their users.
If I had to put my money down on which one was more secure, my money would go on Linux.
The best way to keep your computer system secure is to make sure it's not run by idiots. How do you accomplish this? Make sure it's as complicated as possible[1]. For a long time Unix had this going for it, which means that Unix administrators had to have a lot of experience coupled with knowledge and consequently would usually run a secure network.
By comparison, since "any idiot can run a MS network", then idiots were hired to run MS networks, with predictable results.
[1] The same principle actually works on a broader scale. Intrinsically hard topics tend to gather a more knowledgeable crowd while idiots flock to the easy topics like politics, religion and such. Which usually means that the level of discussion over political topics is far lower than that, say, for hard sciences.
Minor nitpick. If you read the link you posted, you'll see that there's in fact no WebDAV code in ntdll.dll (why would there be?)
:)
WebDAV depends on some code in ntdll.dll, and it looks like you can feed WebDAV goop that it happily uses to exploit the BO in ntdll.dll.
So, WebDAV is the attack vector to remotely get at a problem in ntdll.dll. It's not substantially different than PHP triggering a bug in kmalloc().
I am not sure if you are attempting to argue with me or not, but it sounds like you are actually agreeing/clarifying points that I actually meant, but are better said by you.
I am sure that the average Linux user was at some point technologically unsavvy, but you usually find that individuals who migrate from Windows to Linux are those users with at least some grasp on what they are doing. However, that does not change the end result, that being that the average Linux user probably has some idea of how to "secure" their computer. Now, as Linux desktops become more popular, we will find that these numbers will change. However, I would feel a lot more confident running an unpatched Open Source product than an unpatched Microsoft one, although doing either is tempting fate.
I did take the time to point out that contributors to the Linux community are far fewer than those who use Linux. However, it still holds true that the few people who do contribute, do an excellent job at it. Anyone disagree with this? I, for one, am impressed with the thankless work that they do.
And the "any idiot can run a MS network" fits perfectly in with my point that the insecurity, often times, lies in the user/administrator. *Laughs* Do Microsoft certifications even mean anything anymore? Or are there big wigs out there who use terms like "paradigm" and phrases like "thinking outside the box" that still get impressed with shiny stones and MS Certs?
As I said, same point (with an argumentative tone), better said by you.
Now don't break your arm patting yourselves on the back. That article hasn't really stated ANYTHING new or anything of even mild interest. Yeah Steve Ballmer said windows was as secure as linux, did anyone actually BELIEVE the guy? Maybe the non-techies, but this article is really only going to be read by /.ers which is the epitome of geeky techs. What point did this article actually have other than calling the kettle black?
I found the article not very informative.
It had a lot of verbiage but thats about all.
'Someone said this, someone said that, yada yada.'
Exactly how many holes were there? How many known of are still there? "Where's the beef?"
If I had mod points I would have modded parent up. The AC who posted re: "far more of the world spell it like that", and the mods who modded down parent - at least the way I see it, the parent was making the point that while the grandparent is telling the Euros to fuck off because hey, he's so American, he's actually using non-American spelling. Which I think is a masterful point to make.
Why? There is an unvoiced feeling among software managers that they had better get the product on the shelves by Christmas or their careers will suffer. In the extreme, they become yes-men, telling their bosses only what is pleasing, with no regard for the truth. Too many yes-men and the company crashes because top management is not aware of problems until it is too late to fix them.
The solution? Software product managers must have the intelligence to recognize when their product needs more time, and the courage to tell their superiors the bad news. To encourage that behavior, top management needs to be tolerant of bad news, and not limit the careers of their subordinates who bring it.
John Sauter (J_Sauter@Empire.Net)
There most certainly is logic. I know because I've been in that situation. While I'm not a CEO and I'm not in the software industry, I have released a product with "bugs" which we'll try to work around or fix eventually. So I think I understand the desire to ship things before they're "ready".
It comes down to two simple words: market share. Every day, people are making decisions and buying products that serve their needs. If they're not buying your product, then they're buying your competitor's product. Moreover, if you don't have a relatively recent product, you start to lose mindshare. It's very possible to release a product so late that even though it's the best, no one cares anymore: they all bought a competitor's product and are locked in to it. So in a very real sense, every day you delay the release date is costing you money.
Thus, you need to balance the desire to ship a product with no bugs with the desire to have a product in the market now. And the way to choose when to do that is to balance the monetary costs and try to release the product when the cost is minimized.
To within half a percent, pi seconds is a nanocentury. -- Tom Duff
- XFree86 will run on a lot of stuff. However, why do you need a GUI? Last I checked, you were developing a better CLI...
- SSH?
- No Microsoft proprietary Kerberos support. There's Kerberos, just not MS Kerberos.
- I'm pretty sure it's there, and if not, someone can whip it up quickly.
- Hmm... Samba, anyone?
- I thought most of them WERE crypto...
- The "free will" contributors do a better job and go through more of a review process than your patches, thank you very much
- That's just pure BS
- No. Initial cost is much less than Windows, and TCO would have to be less.
Terry Pratchett (in his many and various Discworld novels) covered this quite clearly.
The Patrician privatised everything.
I mean everything
All the usual goings on in a big city (eg crime) were arranged much like insurance is today (in our world).
Unfortunately (you knew I was going to say that).... The Fire Department got into the insurance business (have to raise money somehow) - specifically FIRE insurance.
This ended up with them having such pleasant conversations (amongst themselves) while walking down the main business streets.
My My. Such lovely Old Buildings. Wonderful WoodWork. Would be such a shame if one of them should catch fire. Would prolly burn most of the city down. Oh Dear! What a disgrace that would be.
Basically, in our world, most people recognise that such a situation (ie charging to fix something that you should not have broken in the first place) would very rapidly lead to (essentially) rampant wholesale uncontrolled extortion.
If a company were to charge you for security and other bug fixes, they would then have a strong financial incentive to produce shoddy bug ridden software and frequent updates.
Product quality would decrease, and administration overhead would increase.
It's the same issue with charging for software subscriptions. What is their incentive to produce another updated version with new features? After all they've already got your money.
A Software Subscription (with ALL updates FREE for 5 YEARS !!!!) does nothing more than make software updates come out once every 5 years.
Visit CryptoGnome in his home.
Baloney. IIS comes on every Windows CD-ROM and is used by lots of Microsoft apps. And there's plenty of bugs that cross boundaries thanks to Microsoft's blurring the distinction between OS and application...like that WebDAV bug in ntdll.dll that was exploitable via IIS [microsoft.com].
Where to begin?
1. Just because it comes on the CD-ROM does not make it any less of an optional component. If I started ranking on security flaws on some of the obscure, minor, optional programs that come with the various Linux distros, you would just change song and say "hey, nobody uses that" or "it's just optional, nobody is forcing them to use it". Just a tip - pick one story, and stay with it. It makes you look less hypocritical.
2. Used by other apps - MS cannot be held responsible for non-MS apps causing holes in the security. To claim otherwise is lunacy, and throws the whole issue of personal responsibility out the windows. I am responsible for what *I* do, but to hold me responsible for what people I work with do? That's absurd.
3. Your mentioning the WebDAV exploit demonstrates your lack of knowledge in how Windows uses DLLs. I try to always get my expert opinions from experts, so please stop spewing nonsense about things you don't really understand. Just because you are on a mailing list doesn't make you knowledgeable, or an expert.
Also, your former gripe regarding no kernel exploits, of which there were some, is just as valid if you want to talk about Windows. So why don't YOU stop talking about apples and oranges? You can't have it both ways.
Is that the beauty of unemployment?
Hi Mr McBride, welcome to Slashdot :)
Another two simple words also apply: cash flow.
As employees, it can be easy to take the long view - invest a lot of resources in the product now, and it'll be that much better a product, and we won't have to do expensive fixes later.
The CEO, on the other hand, has to keep track of issues like, if we keep pushing back the release date to improve it, in a few months we won't be able to make payroll. And, besides, when cash is plentiful from sales of a release, making expensive fixes is a lot more do-able.
normal(adj)- people who don't sit on slashdot all day wondering why everyone else isn't building robots [DECS]
So? Then IIS is part of the OS (going by what you're saying), what difference does it make? If the system gets cracked because of this program, whether or not it's integrated into the OS makes no difference when you lose all of your data.
2003 was the year for LSM (Linux Security Modules) to become mainstream by the release of the 2.6.x kernel. Though LSM's basic idea is great, it doesn't at the moment include even a fraction of the required hooks (couldn't support PaX for instance!) so it is kind of useless.
In any case, the mainstream kernel still doesn't include buffer overflow protection for the userspace processes. It isn't protected itself either. Some smart people use grsecurity and ProPolice kernel patches to obtain both, but...
MS will release XP sp2 soon with "some tweaks" over the matter. Soon perhaps only the Linux boxes will be virtually breakable.
Nice going, kernel developers.
No, the plural is viruses not virii. Like you I made this mistake out of a mistaken confidence in my own superior education. Worse still I made it in a magazine article. Worse yet I'm not American which would be partial justification for being ill-informed & ill-educated.
Ouch. At least you are anonymous.
see; viruses definition
And there is a certain subset (I forget the exact fonts) of Microsoft's proprietary fonts which are freely licensed for use by anyone who has a capability to use TrueType(TM) fonts in their OS. The collection is referred to as WebFonts, I believe; the licensing exists to encourage people to use the fonts on web pages (and by extension, to encourage use of FrontPage), and the collection includes Arial and its derivatives, Tahoma, Verdana, Times New Roman, and others. These fonts have been freely available for all to use (but not redistribute) since at least 1999.
So, where's the "theft?"
utter rubbish
Even more importantly, management needs to recognize bad news as input variables and nothing more. A lower manager shouldn't be making the decision whether to ship now or later; they should be able to openly pass accurate information upward to more appropriate decision makers.
A CEO may decide that software is too buggy to ship based on input from below, or he may decide to push the release date. A junior team leader shouldn't be the one making that call, although a culture of fear tends to make that exactly what happens all too often.
Dewey, what part of this looks like authorities should be involved?
Why on earth any sane person would want to take a bitching game machine like X-box and ruin it by installing Linux is a mystery to me.
We know you don't understand.
Your lack of understanding doesn't cause us to lose any sleep, though. We're fine with it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What you say is true, but the person you are responding to also has a point. Products of all kinds (not just software) are often shipped with known defects (and many unknown ones) for a variety of reasons. Ed Yourdon in one of his books (either "Death March" or "Rise and Resurrection of the American Programmer", I don't remember which) advocates that there's such a thing as "good enough" software. This is software that isn't perfect, but is cheaper and faster to market than a competitor's that strives for perfection. This is one way that the US has dominated the software market for the last 20+ years and fought off the off-shore invasions that Yourdon predicted in his book "The Decline and Fall of the American Programmer".
Frankly, "good enough" software is still the norm for most things, but the bar for "good enough" has risen quite substantially in the public network world due to the exponential increases in penetration attempts (and successes).
Closed source commercial companies aren't the only ones to do this either. Look at most Open Source software, which pretty much ships something as soon as it can compile and then slowly morphs into a solid product. Frankly, you're never going to find all the bugs in your software in the lab. It has to be exposed to the billions of permutations of end-user systems to find most of the problems. A good example was the 2.4 kernel, which was still going through major "beta" changes up until about 2.4.14, despite supposedly being "stable".
If you need web hosting, you could do worse than here
The fact of the matter is, as humans we're always going to miss problems. Until software verification becomes completely automated this will continue.
One can say the same about many products, including Linux. We shouldn't have seen the kinds of problems we saw in the early 2.4 kernels. We shouldn't be seeing the kinds of problems from Sendmail, OpenSSH, wu-ftpd, and a host of other "usual suspects" either, but we do.
Open source tends to ship early and often just as much as closed source. We just hide behind 0.x version numbers for years and tell anyone that has problems that they shouldn't be using unstable versions.
I think you both have good points: You're right when you say that the article was not objective. It would be nice if that was hinted at in the story summary, but that may be too much to ask from the /. editors. He's right when he says you should have mentioned that you're a Microsoft employee. Most people won't check your posting history or user page to learn that, but most people will think it affects your viewpoint.
Disclaimer: I work for an advertising agency, so everything I say should be taken with a (large) grain of salt.
To understand what's right and wrong, the lawyers work in shifts ...
The difference is that each item of clothing and each bushel of grain requires a repeated amount of effort. But with open source, the first instance requires effort and each subsequent copy requires no effort at all.
To put it another way, if by sewing a single shirt I could clothe the world's homeless, and by growing a single bushel of wheat I could feed the world's hungry, then I'd do both in an instant and I would never consider the cost to me. The benefit to the world is far greater than my personal loss.
You apparently think charity of this nature is something to sneer at.
Yes, it is an unpleasant truth, but I hope you don't hold the mistaken belief that this idea is an original from Bill Gates. It's been common lore in the computer industry since before Microsoft came into being.
...the security breaches of GNU/FSF (twice), Debian, GNOME, and Gentoo. All within six months!
Don't troll if Linux has its flaws like any other operating system does.
"Sufferin' succotash."
and not so long ago, anyone remember Code Red? Former co-worker of mine saw the defaced page and that screenshot that was passed around was priceless
If you want a life, get rid of your computer ... ah, mmm, now what am I going to do? Can Slashdot send me a printed copy?
This guy's just pissed because he couldn't figure out how to make a swap partition.
Crisis is the rule, not the exception.
Next we have Linux users violating the EULA for the X-Box and tinkering with it so that it can run Linux.
Why on earth any sane person would want to take a bitching game machine like X-box and ruin it by installing Linux is a mystery to me.
But that's a big question about ownership of the box. If you buy an Xbox and want to break it (by smashing it with a hammer, for example) then who is to stop you? It's your Xbox, right?
So, if you want to "break" it by attempting to install other software on it, then why should you not be allowed to? It's your Xbox, after all, and if you break it, it's your problem.
Trying to prevent people doing unintended things with equipment that they own is ridiculous. Sure, you can make it illegal, but there is no point in making laws that people are just not going to follow, since that only serves to bring the rest of the law into disrepute.
You may not understand why someone would want to run Linux on their Xbox, but really - why should Microsoft (or you, or anyone else) give a shit what anybody wants to do with their own Xbox? They stumped up the cash to buy it in the first place, therefore it's their choice what they do with it.
The DMCA is a stupid law that serves no good purpose whatsoever, and by its very existence deserves to be disobeyed. Using a machine for something other than its original intended purpose is a totally different ballpark to copyright infringement, and should not be illegal.
The government that governs best, governs least.
Organic free-range music... yum!
At least someone understood. This other reply to my message was apparently too pissed by the grandparent to see what I was saying.
Number 1) EULAs have never stood their ground in court. Certainly not in my own local one. Nor have they ever constituted any sort of agreement without both parties present.
Number 2) It's an Xbox. You bought it, you can break it any way you see fit.
Number 2) Darl... is that you??
lol
The open source development model insures that Linux code is open to scrutiny at the most basic level
That should be "ensures" not "insures".
Shame this advocate can't apply the principles himself - getting a peer review of the article should have picked up that simple mistake (assuming that his peers, at least, lernt gramer at skuwl)
Author, Shell Scripting : Expert Re
To put it another way, if by sewing a single shirt I could clothe the world's homeless, and by growing a single bushel of wheat I could feed the world's hungry, then I'd do both in an instant and I would never consider the cost to me. The benefit to the world is far greater than my personal loss.
Even if it cost you your entire life's work? And the life's work of all your friends, co-workers, and thousands of their friends? Even when you have to figure out some way to pay your own bills, feed yourself, and clothe yourself while doing this?
The part you seem to forget is that the cost to develop software is monstrous. It takes thousands of man-years to develop something like the 2.6 kernel. It's great that these thousands of people are willing to give away their hard work for the profit of other companies, but that really doesn't mean that it's reasonable to expect that to be the norm in the world of software.
In order for "good" software to be created there must either be a viable market for software amortized over the number of copies sold (ie, you need to sell enough copies at a cost people are willing to pay to make back what you've spent and provide enough money to expand) or you need to have an army of loyal followers catalyzed against a common foe that will work for you for free and not demand any of your profits in the perhaps futile hope that when the enemy is vanquished that the world will be a nice place.
There is one thing that is fueling the vast majority of open source work these days: A combined concern about Microsoft and their products. I guarantee you that if MS did not exist, IBM, Sun, SGI, and most other corporate contributors wouldn't be doing so and Linux would still be in the stone ages of computing.
This leads to the inevitable question of, what happens when Microsoft is defeated? Well, likely the clans will turn on themselves and eat their young. Without a common enemy, the united forces will be reduced to bickering and infighting.
In a way, Linux owes its progress to Microsoft.
All that money, and you still can't afford a Slashdot account....
Manipulate the moderator system! Mod someone as "overrated" today.
But you and I both know that open-source developers are not starving, homeless, unclothed, unable to pay their bills. Strawman argument.
Yet Bill Gates has billions of dollars of cash. We have IT CEOs flying around in private jets. Is this where the money is going? It's not paying for developers; it's paying for junkets and jaunts and jollies for the Rich White Men in control.
The reality is that software isn't nearly as expensive as you think it is. The fact that Linux was built by volunteers in their spare time really says it all. The true cost of developing software is cheap; Linux proves that. It's the support and maintenance of software that is expensive.
Nice dichotomy. Such a shame that it's false. Software development will always be in demand. If somebody codes software as an unpaid volunteer then that's great. But there will always be some software that nobody wants to write. If that software is in demand then capitalism says that money will appear and developers will be paid, even if the fruits of their labour are open-source. Write that down as cardinal rule #1.
The real question is: will there be more or less paid software development work than we have today and how will this translate into salaries and employee numbers. In any event, there are multiple reasons why software is developed. The idea that the only way of making money from software is by hiding the source and extracting a license-fee per copy of the binary is utter nonsense.
Linux was a best of breed UNIX before any of the "corporate contributors" paid the least attention. The KDE project delivered a usable desktop in 1997; that's an achievement the combined "might" of the UNIX vendors failed to deliver despite a decade headstart.
Do you actually believe any of that nonsense?
But you and I both know that open-source developers are not starving, homeless, unclothed, unable to pay their bills. Strawman argument.
As was your original argument about feeding the world with one field of wheat. And yes, there are some developers that are largely "starving". While RMS seems to be making good money today, there were many years where he claimed to survive the entire year on only $3000.
Yet Bill Gates has billions of dollars of cash. We have IT CEOs flying around in private jets. Is this where the money is going? It's not paying for developers; it's paying for junkets and jaunts and jollies for the Rich White Men in control.
Umm.. I think you're forgetting that Bill Gates, Larry Ellison, etc.. make their money off the sale of stock, not their salary. Revenues from the sale of software do not contribute significantly to the bank accounts of these people (in fact, Bill Gates draws one of the lowest salaries of any CEO in the industry.)
This is not to say that Microsoft itself doesn't make an absurd amount of money, it does. But this is a function of them being a monopoly. If they had more reasonable sales they wouldn't have billions in the bank.
The reality is that software isn't nearly as expensive as you think it is. The fact that Linux was built by volunteers in their spare time really says it all. The true cost of developing software is cheap; Linux proves that. It's the support and maintenance of software that is expensive.
The reality is that you don't know the value of the time and effort being contributed to Linux. You do the people that have contributed to it a great disservice by dismissing their contributions as "cheap". The fact of the matter is, you're enjoying the fruit of many *THOUSANDS* of man hours worth of effort, equaling many billions of dollars worth of work if all of those people were being paid.
Nice dichotomy. Such a shame that it's false. Software development will always be in demand.
I didn't say it wouldn't. I said "good" software. Most software developed in-house is not good software, it tends to be "good enough" (if they're lucky) software. Since companies view internal software development as an expense, they want to pay as little as possible and will seldom pay for software to be perfect.
The idea that the only way of making money from software is by hiding the source and extracting a license-fee per copy of the binary is utter nonsense.
Really? It's pretty much been proven that in all but a few exceptional circumstances, that's the only way to make money on software. Even Red Hat is moving towards a licensing fee per copy, which is why they've dropped RHL and are concentrating on RHEL.
Companies are becoming increasingly less likely to spend the kind of money that original software development costs, even for internal use. Internal development staffs have been slashed over the last few years.
Linux was a best of breed UNIX before any of the "corporate contributors" paid the least attention. The KDE project delivered a usable desktop in 1997; that's an achievement the combined "might" of the UNIX vendors failed to deliver despite a decade headstart.
You have got to be kidding me. You call a system that couldn't scale beyond 4 processors "best of breed"? You call a system that had such a poor VM and scheduler that it required numerous rewrites to actually make them usable by today's standards "best of breed"?
KDE's first incarnation was total crap. It may have been "usable" but it was nowhere near "best of breed" in 1997. Further, KDE was based on the work of a corporate contributor (TrollTech) that was donating the code to make it happen.
Do you actually believe any of that nonsense?
I could ask the same of you. Best of breed indeed.
He's only saying IIS is part of the OS because he doesn't know what he is talking about (despite attempts to appear so). He may impress the other guys at the help desk with his mailing list membership, but it really shouldn't impress anybody around here (especially those of us already working computer security positions).
It wasn't my original argument. You brought up the idea that open-source programmers should "also sew your own clothes and grow your own food". I pointed out the logical fallacy in your argument that software and material goods are not the same thing. I pointed out that the production costs of software are basically zero. I illustrated the logical fallacy in your argument by demonstrating how wonderful the world would be if production costs for clothes and food were zero. Basically I was showing, in a polite way, that your argument to equate "free software" with "free clothes and free food" is invalid.
I didn't say salary. Where do you think the money comes from? The stockholders are making money, so it's not coming from them. The money is coming from the end-users when they pay their license fees. That means the billions of dollars of cash in Bill Gates's wallet came from end-users. In other words, end-users have paid billions of dollars more than the actual development cost of the software.
The reality is that I do understand and you don't. I didn't say their [Linux developer's] contributions are cheap. I said the development cost of Linux is cheap. That's a simple fact. Compared to the cost of developing Windows or UNIX, the development cost of Linux has been a drop in the bucket. Yes, billions of dollars worth of man-years have been spent on Linux. This is still a tiny percentage of what has been spent on Windows or UNIX.
It's very easy to understand why open-source development is cheaper. An open-source project can build upon existing open-source projects. Open source is the perfect realisation of code re-use. Even if an open-source project dies, the code lives on. Contrast with the incredible amount of wasted and repeated effort in the proprietary world. Even with the redundant efforts in open-source - how many text editors are there? - it's nothing compared to the redundant effort in the proprietary world.
How do you think this is any different to externally developed software? Come back to the real world! Most software is shithouse. Your own company is infamous for the low-quality software it produces; the industry joke is to wait for Microsoft's third version because they might get it right by then. Your last sentence is bemusing; you say companies running internally developed projects "want to pay as little as possible and will seldom pay for software to be perfect". That sounds exactly like ALL software companies to me, both internal and external.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.