Microsoft, Monocultures, Security FUD & Other Fun
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becoming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc)." Somewhat related, there have been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed, article run on DevX.
Now part of MS Windows source code is open on Internet so is "MS Open Source Is Fertile Ground for Foul Play"
... the old adage "No one ever got fired for choosing Microsoft" is true after all. Look what happens when you actually try speaking ill of the beast...
Veni, Vidi, Velcro!
And they are wrong about "duoculture". Linux, having many parties behind it (many distros, different kernel versions) has much more internal variety than all versions of Windows out there.
Once I thought I had mono. They took a culture and it turns out I just had Windows.
WWJD.... for a Klondike bar?
... on why the Microsoft monoculture is so important; from the AP article:
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
Really? Could someone more familiar with Microsoft and their products kindly give me examples?
As much as I dislike the company, there are too many critical systems that are relying on Windows Servers. The release of a kernel crippling virus or worm could result in loss of human life.
A great example of what can/will happen with the Microsoft monoculture can be found in the potato blight of Ireland. For those that lack any historical reference here, Ireland had a booming population due to the introduction of a nice, hardy breed of potato. For years, everything was going great, everyone had food, the potato became the staple of the diet. Everyone ate potatoes, it is estimated to have been between 20-40% of all food consumed during this period.
Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.
Yet, other breeds of potatoes were completely unaffected. It wasn't the reliance on potatoes that was to blame, it was the reliance on one strain of potatoes that was Ireland's Achilles heel.
That is our economy's Achilles heel, Windows.
Karma Whoring for Fun and Profit.
Remember folks, the def of monoculture is not being properly used here..
:)
Monoculture refers to a system (i.e. culture) in which you have like micro systems (cells)... in other words the micro and macro systems are integrated together and this is the reason why infections are so effective!
Now in PCs, for example, Unix-like systems are not on the whole a monoculture whereas MS Windows is... why?
Because the infrastructure to produce the micro system, in this case the OS, is different between MS and Unix-like systems and different between Unix flavours!
If all Unix flavours were using the exact same kernel architecture, development model, etc., yes, then it would be a monoculture..
A lot of educated biologists and computer professionals are getting this def wrong..
Let's think a little, shall we?
Of course if you are reading my blog (shareMe Technologies), then you already know I like to think and reason through problems, trends, etc...
Don't Tread on OpenSource
"Once you start down the road with that analogy, you get stuck in it," said Scott Charney, chief security strategist for Redmond, Wash.-based Microsoft.
Once you start down the road with it, you get stuck in it. Sounds like a perfect description of the lock-in aspects of their products, though I think "Roach Motels for your data" is catchier.
This is not the first time that A. Russell Jones has made controversial claims about Linux on DevX. At the end of August last year this story was run here on /. where he claimed that there should be a standard desktop for Linux.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
It's not just monoculture that makes viruses spread so quickly. The fact that any computer can send something to any computer is bad. The fact that any computer can send something to so many computers is terrible.
Even if Linus drives Microsoft products into the minority, infections would still quickly reach Microsoft machines (or machines of any leading platform). Furthermore, under non-monoculture conditions, the dilution of virus writers on any one platform would probably be matched by the dilution of anti-virus resources on that platform. Even under non-monoculture conditions, we'll still have fast-spreading infections.
Connectivity is the real driver of infection.
Two wrongs don't make a right, but three lefts do.
Clippy!
karma capped
Microsoft, which denies pressuring @stake to fire Geer, says the comparison between computers and living organisms works only so well.
Another difference: computers can be unplugged from the network and rebooted; organisms cannot.
Damn, just when I thought there was something to this monoculture thing everyone's been talking about.
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened. ...and that's right when I fell out of my chair laughing. And before my morning Dew, no less!
Really. Look at all the Linux, BSD, and the other *nix distros and all the software that runs between them on different platforms with different packaging systems. I think it's messy at best, but in a world with more than one *major* operating system, the solution is standards.
Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.
It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.
Matt Fahrenbacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Don't you think, despite the security flaws, msoft is in a way helping the big inet with their products (in a small / big way)? Can anything in this be 100% good, without error / mistake? I think mistakes and flaws happen everywhere, from cars, govts, etc.
Why does yahoo do this
Ideally a closed-source OS is more secure. Any vulnerabilities have to be discovered after compilation, making it more of a guessing game. With open source all you have to do is read the code. But that's just the ideal. You just have to remember that our "closed source" model is hardly closed source any more, that it is (from what I have heard) crappy code to begin with, and it is poorly patched, often in an untimely manner. Then you consider the "real" open source model we live with, where most all security problems are reported/found/patched within a day or two - if not hours. The author of the above article seems to realize the ideal situation, which is fine - he makes a point. But the "security" of closed source code is really just security through obscurity. Read "The Art of Deception" by Kevin Mitnick for some great historical examples of why that model always has, and always will, fail...
For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft
Dan Greer was not fired because he criticized Microsoft. He was fired because he published his opinions about the Microsoft monoculture without making it clear that those were his personal opinions and not those of @Stake.
Tarsnap: Online backups for the truly paranoid
Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.
As is usual the US is slow at change. We are stuck in our ways and that is especially true for the government. Where there are many places in the world that realize the problems with M$ and are migrating to alternatives, it's big news here. We (US) are being slow to wake up and realize the truth. But, that is how the US works.
Evolution or ID?
This neglects the fact that Linux itself has internal diversity that makes it less vulnerable to "disease".
It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.
http://alternatives.rzero.com/
What he should have said: True diversity would require thousands of different operating systems, which we would do our best, by making our own "Standards", to make integrating the computer systems and networks virtually impossible.
Somebody explain to me how this makes any sense?
"Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
First of all, since when are only nonfunctional portions of software targeted? A buffer overrun can occur in any portion of code. Second, exactly how would you identify nonfunctional versus functional code, and what mutations could you possibly make to it? Make a bad pointer point to even worse memory? I just don't get it. Looks like another $750K wasted on stupid research.
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened
It's hard enough to get Novell - Macs - PCs - Windows Servers - and SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 other OS's to integrate.
... since the various diverse organisms on the planet seem to have made good use of the standards in place (air, water, gravity, etc.).
The problem is crappy software.
Would the IT world be a more stable, reliable & secure place if 95% of the world's computers ran OpenBSD?
The problem is crappy software, not closed source commercial software.
It is the general crappiness of commercial software (and the lethargic rates of bug fixes) that have led to the popularity of open source.
I have thought about this whole monoculture thing recently, and here is my take on it...
Microsoft made a conscious decision, a long long time ago, to make sure that everything in its Office applications (starting with Word) would be scriptable with VBA. And that the VBA scripts would have access to the entire underlying OS.
At the time, it made perfect marketing sense: the king of word processors was Word Perfect, and it offered advanced scripting functions. Microsoft had to duplicate these functionalities if it wanted to kick WordPerfect ass and establish Windows and Word as the desktop champions. And it worked -- when was the last time you used WordPerfect on your PC?
The only problem is, of course, that Windows security (3.x was a single user, single task operating system) was absolutely broken from the very beginning. After all, if you are the only user on your machine, you don't need a lot of security, do you? Wrong. You may need a different kind of security, but you still need some sort of framework to protect your resources. Windows never provided any kind of security at all.
Then came the Internet. And, with it, a virus transmission vector of incomparable speed. The rest, as they say is history. Microsoft never bothered to create proper security and, because it completely ignored the Internet before 1995 (remember the Gates memo?), they were caught unprepared by the hordes of yahoos who write VBA viruses. VB is easy to use, viruses are easy to program in VB and, thanks to MS stupid decisions, they were allowed to run wild.
In effect, most users and sysadmins are, today, paying the price of a marketing decision: Microsoft decided to design VBA, all the while ignoring the research that proved that application scripting needed to be severely limited and controlled. Emacs LISP scripts and shell files in the UNIX world were prohibited a loooooong time before VBA was even created.
They kicked a competitor out of the field and, in doing so, created more problems for themselves (and for us!) than they solved...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
The benefit of linux, bsd, and other non-microsoft OS's comes from the variety of services run. Microsoft's OS's have to run many services and modules that other OS's can leave to the discretion of the operator. For instance, I can run an old version of linux with no services and it's safe. I can run any number and variety of servers. Microsoft seems to have to do it one way and one way only with all these modules that have to be running.
As easy as it is to point to Microsoft as an example of monoculture, Open Source software is equally at fault here. Take "deflate" encoding as an example: How many different implementations are there? What fraction of deflate-using applications use an implementation other than zlib?
If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve.
Tarsnap: Online backups for the truly paranoid
...that Greer's against monoculture but doesn't explore the effects of what would be needed to overcome that monoculture.
As outlined in the article (assuming anyone reads it), critics of Greer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OS's. Apache has the majority market share for all web servers worldwide. What effect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.
To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OS's and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two app's/OS's would be actively discouraged to prevent cross-pollination-type attacks.
It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Great command of the English language!!!
You know, there was, at one time, a long running joke about Microsoft tech support. The answer to any problem, according to MS support (and I heard this directly from them on more than a few occasions) was "We suggest you reboot to fix this problem" OR, Shut up and re-install.
And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."
So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???
I hope not, and maybe it's just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
Without a doubt, online security is a major concern. The idea of monoculturism may be applicable to the computer industry due to the prevalence of MS operating systems. This, of course, assumes everyone has the same version of an MS operating system, with a single, universal exploitable flaw. The fact that not everyone has the exact same operating system nor the exact same component and software configuration tends to undermine the argument of 'monoculture' somewhat more.
However, diversity of computers fosters a much higher learning curve to a machine that is already far more complex than 80% of the people using them understand. I'm a proponent of unity in the field of computers in that the UI of any OS should be the same as EVERY OTHER UI. This promotes a uniform learning curve for everyone so that learning one machine or OS does not restrict a person to that particular product or platform for life.
People want to learn as much as they need to - and not have to constantly relearn it - in order to do the things they want to do with the computer. Imposing 'bio-diversity' on the operating systems of the world will only create sub-monocultures between which comparability issues and cross learning would be difficult for most to handle unless the UI for each system is essentially the same.
I'd REALLY like to see Linux be available to anyone without having to have any knowledge of Unix protocols, have the same driver support and always be able to run ANY program regardless of the original OS requirements without having to constantly tweak everything into compliance. If anyone knows a way of doing this, or if it's already been done and you know how, PLEASE post it here.
it was called 'UNIX'
One solution to the monoculture problem is multi-OS architectures in which a single process is executed on multiple independent codebases within each box.
On high-reliability systems (Space Shuttle & X-29 flight controls), multiple redundant subprocessors attempt to compute the same answer. If the subprocessors get different answers, the majority-rules and the system logs the exception. If each processor ran independent code, then exploits of any one codebase would be detected and disinfected. A multi-system with one exploited/infected codebase would continue running while ignoring the output of the infected subprocessor.
The system would still have some vulnerabilities. Simultaneous attack on a majority of the codebases might succeed in redefining the majority to suit the malware. Also, codebase independence is very hard. More than likely several codebases might share the same fault (e.g. a buffer overrun bug). Attacks on the overseer/majority-rules system might also succeed. Finally, if the standard has an exploit (e.g., decrypting WiFi WEP), then all codebases implementing the standard are vulnerable.
The biggest downside is bloat and cost. But at least it would give people a reason to buy the latest greatest chips from Intel, AMD, IBM, etc.
Two wrongs don't make a right, but three lefts do.
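The majority-rules arrangement described in the comment above, sketched as an added example (not part of the thread and not taken from any flight-control system): three hypothetical parsers for a made-up length-prefixed message format run on the same input, and a voter takes the strict majority, names the dissenters, and fails closed when there is no majority. The second variant set shows the shared-fault caveat the comment raises.

```python
"""Majority voter over independently written variants (constructed example)."""
from collections import Counter
from typing import List, NamedTuple

REJECT = "REJECT"  # the answer a correct variant gives for a malformed message


class Fault:
    """Marks a crashed variant. Instances never compare equal, so crashes cannot form a majority."""


class Verdict(NamedTuple):
    agreed: bool           # True when a strict majority produced the same output
    value: object          # the majority output, or None when agreed is False
    dissenters: List[str]  # variants whose output should be ignored and investigated


# Made-up task: a message is one length byte N followed by at least N payload bytes.
def parse_a(buf: bytes):
    """Variant A: explicit bounds check before slicing."""
    if len(buf) < 1 or buf[0] > len(buf) - 1:
        return REJECT
    return buf[1:1 + buf[0]]


def parse_b(buf: bytes):
    """Variant B: written in a different style, copies the payload byte by byte."""
    if not buf:
        return REJECT
    want, payload, out = buf[0], buf[1:], bytearray()
    for i in range(want):
        if i == len(payload):
            return REJECT  # declared length runs past the end of the buffer
        out.append(payload[i])
    return bytes(out)


def parse_c_buggy(buf: bytes):
    """Variant C: trusts the length byte, so it silently accepts truncated messages."""
    return buf[1:1 + buf[0]]


def vote(variants: dict, request: bytes) -> Verdict:
    """Run every variant on the same request and accept only a strict-majority answer."""
    outputs = {}
    for name, fn in variants.items():
        try:
            outputs[name] = fn(request)
        except Exception:
            outputs[name] = Fault()
    winner, count = Counter(outputs.values()).most_common(1)[0]
    if count * 2 <= len(variants) or isinstance(winner, Fault):
        return Verdict(False, None, sorted(outputs))  # fail closed: trust nobody
    return Verdict(True, winner, sorted(n for n, o in outputs.items() if o != winner))


# Constructed inputs.
GOOD = bytes([3]) + b"abc"         # declared length matches the payload
TRUNCATED = bytes([200]) + b"abc"  # declares 200 bytes but carries 3

# One faulty codebase among three independent ones.
INDEPENDENT = {"a": parse_a, "b": parse_b, "c": parse_c_buggy}
# Two "different" products that share the same fault (e.g. both reuse one library).
SHARED_FAULT = {"a": parse_a, "c1": parse_c_buggy, "c2": parse_c_buggy}
# Three variants that all disagree: one rejects, one accepts, one crashes.
NO_MAJORITY = {"a": parse_a, "c": parse_c_buggy, "d": lambda buf: buf[999]}

if __name__ == "__main__":
    for label, variants, msg in [
        ("well-formed input", INDEPENDENT, GOOD),
        ("one faulty variant", INDEPENDENT, TRUNCATED),
        ("shared fault wins the vote", SHARED_FAULT, TRUNCATED),
        ("no majority", NO_MAJORITY, TRUNCATED),
    ]:
        print(f"{label}: {vote(variants, msg)}")
```

In the shared-fault run the voter accepts the wrong answer and reports the only correct variant as the dissenter, which is why the independence of the codebases matters more than their number.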
different operating systems, which would make integrating computer systems and networks virtually impossible.
... in the good ol' days, an "OS" was all you needed in order to get some basic work and programming done on some hardware.
...
This is such utter bollocks I can't even handle it.
The reason integration is difficult is because it is made difficult by those who do it.
It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean
Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".
If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.
An OS which doesn't do its job, doesn't allow integration. It's very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job it's supposed to do.
Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
What's certainly true is that there's a lot more to having good security than getting rid of the monoculture problem. Probably the most important thing is to care about security from the start...
Anyway, something the DoD and others have done for some time is to have triple barriers for certain things like firewalls. So instead of having the same firewall product and system all over the place, for each firewall, you have a series of 3 systems: one is a "hardware" firewall (an appliance basically), followed by two different firewall products running on two different architectures. This way a single flaw on one firewall or system will not compromise overall security.
They also turn the IT infrastructure into compartments, each walled out with firewall groups. So you have one compartment for front-end servers, one for desktop users, one for your data, etc.
Yeah it adds to complexity, but this is what the paranoid types do to give themselves peace of mind.
It's Dan Geer.
-dave
If I remember my computer history, wasn't Microsoft the alternative to the IBM monoculture? Now that IBM has embraced FOSS, they're the alternative to the Microsoft monoculture...
Those who claim their OS (read Linux, OS X, OpenBSD, or whatever) is completely secure are being deceived. Currently, there is no such thing as a totally secure OS. That's just the way it is, and no argument is going to change that fact.
The Internet is created on a suite of open protocols that were originally designed for academics & research people to use. Go back 20-odd years and there were no issues of security because only a select few had access to computer networks. Consequently, there was no security built into TCP/IP because there was no need for it.
Now we have a situation whereby if you are a sensible & knowledgeable computer type, whether you use open or closed source software, you can make a pretty good job of securing computers for the Internet - sure, you probably have a reliance on getting the latest patches, putting in a firewall or two but you can do it. No computer is ever fully secure but you can make it enough of a challenge so that the 99.9% of script kiddies give up trying to crack it and the other 0.1% of knowledgeable crackers probably don't want to waste time with your little box anyway.
Then onto email viruses... Knowledgeable computer users don't suffer from email viruses because they either use email clients that can't execute attachments or they set their machines up so that they know when and when not to run attachments - probably by simply looking at whether or not the sender of the email is to be trusted.
So, in summary, I see this as two core issues, nothing more:
1. Hype and marketing - Microsoft and other software vendors need to step away from the "sales speak" and simply not be allowed to tell Joe Public that PCs are "easy to use" or "secure". It's no different to reminding people to watch their speed and check their tyre treads on a new car, after all... Where are all these "advertising standards" groups that are supposed to ensure adverts convey truth, not lies?
2. User laziness - Joe Public needs to get off his backside and learn how to use the Internet properly and how to secure his PC - again, no different to spending time and money in learning to drive. Far too many people, taken in by the glossy adverts and hype, just sit back and expect software vendors to take all their responsibility away from them because they themselves simply cannot be bothered.
What really annoys me about this whole issue is that software (and hardware) companies are only going to react to security issues in their products in a way that makes them more money. If the vendor already has his boxed software on the store shelves, he really has no incentive to employ people to work on further security for his products unless his reputation is so bad that he is forced to improve his software at the risk of losing sales - and you only have to look at Microsoft's currently poor reputation and their actual focus on security to see how far down that reputation must go before any action is taken...
However, on the other hand, DRM can be sold as a security-improving product on the back of people's fears of Internet viruses while allowing Microsoft and others to make money licensing DRM.
I wish people like Dan Greer would focus more on the ultimate impact of letting Microsoft "take the blame" only to have Microsoft respond with a technology that will make them more money and cut off our freedoms in the process.
Gentoo Linux - another day, another USE flag.
>>...for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered.
This is news? I mean seriously, we knew Windows was insecure from the day the first NT server was hacked.
This can't possibly be news to anyone.
So rise up, all ye lost ones, as one, we'll claw the clouds.
this is the end of M$ until the *nix't beginning. (C) sid vicious
Nature deals with breakdowns in a complex system with evolution, and a very important part of evolution is the extinction of particular species. It's a sort of backtracking mechanism that corrects an evolutionary mistake. The Internet is an ecology, so if you build a species on it that is vulnerable to a certain pathogen, it can very well undergo extinction. By the way, the species that go extinct tend to have limited genetic diversity. - Attributed to Bill Joy - Had preserved in my Blog Dan Greer's writings bear the same too.
Senthil
Since when was big news defined by Yahoo bringing it on their front page?
There is a best-of-both-worlds system out there, actually. Open where openness counts, and the fuzzy my-vendor-smooths-out-the-rough-edges and software maintenance fluff that come with a vendor taking responsibility for, well, taking care of their own product.
In the long run (think the next 10-25 years), Microsoft will be forced to go along with open standards or get left behind as Open Source picks up more momentum. As IBM, Novell, large countries, and other big gorillas put their weight behind Linux and Open Source, the standards they use could become "the standard". This isn't going to happen likely anytime soon, but it definitely has to start with the corporate world. If XYZ Inc. decides to use Open Office and Linux to save money (and we know businesses aren't doing anything radical to save money these days), and suddenly their employees must use it, guess what software package could end up on their home computers? As I said, it's not going to be a fast process, but it is possible.
ce n'est pas un Sig.
Diversity can help keep viruses and such from spreading, but it can also be a hindrance. If linux had some standardization where all of the distros all used the same directory structure, package management, etc, it would be a lot easier for companies to write software for it. Now the best they can do is write the software and hope someone else will port it over, or spend time porting it to .RPM, .DEB, etc etc. With windows you don't ever run across cascading dependency nightmares, and every software company knows how to write their software for it. Yes, you should be able to compile linux packages from source without any problems, but when you're talking about trying to get home users to accept linux more, making them compile packages from source definitely isn't the way to do it.
slashdot, news for crazed liberal socialist zealots
than good. yes, this is not a new idea, but the fact that M$ continues to do it is to me, evidence that they are not serious about security.
.v
Last week a client of mine wanted me to do some work on his computer and to remove M$ IM on WinXP. You try it, it will tell you that WinXP depends on some functionality of IM. What? The OS needs this crummy application you can get for free somewhere? If that is really true, then no wonder their system is so freaking vulnerable to all kinds of things.
Just about anyone who writes large software knows that you have to make it a modular design and, if possible, strive for modules as independent as possible to reduce risk and propagation of faults. Consider this: even after the trial, M$ still continues to bind unrelated OS functionality with applications. Apps and OS services are completely different.
While M$ tries to give you a big bloated piece of software with OS and THEIR apps tightly integrated, look at what the people doing micro-kernels are doing. They are trying to make the kernel as simple as possible (hence easier to debug, understand, etc.). Then, the OS services are just apps (again, very independent from each other, though they may use the services provided by the other). But there is no need for that particular app, just any app providing that service.
I'm switching to VxWorks ... because if it's good enough for NASA on the Mars rovers, it's good enough for me!
And before my morning Dew, no less!
"Morning dew" is a slang term, similar to the term "morning wood," but regarding the female gender.
[see romp.com for more info]
Yeah, and we all know how many awful hardware vulnerabilities there have been in recent decades... :p
dropped floppies and non-USB interfaces much later, only after they were not that useful anymore
Except that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue. No one else had the balls to say "screw dumb serial ports, USB is better". GUI, 3.5", CD-ROM, PnP, etc... Apple intentionally drives technology forward, even when many people are kicking and screaming to stay behind.
Meanwhile, none of this has anything to do with security and monocultures.
I have to disagree, Apple dropped certain technologies when they were replaced by superior ones, and were thus 'not that useful any more.'
PC manufacturers dropped certain technologies when they were finally perceived not to be useful any more.
Apple can act as the gentle motivational herder, because they have complete control over their flock, as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).
PC manufacturers have no choice, as there is less unity and it is human nature to be wary of new things, and to want to stick to what is tried and tested. In this scenario where it is impossible to move the flock forward as a whole (as the direction of the industry is dictated by many) it must first be shown and proven that the newer technology is superior.
So I would hardly call this scenario a 'blunder' on Apple's behalf! Quite the opposite in fact - I'm sure it was of great benefit to both Apple and their users to make a swift concerted step forward.
This sig has been deprecated.
...but here goes: Maybe whoever looks at the source code will fix it and give it back.
My favorite quote on the topic came from Wired. Marcus Ranum thinks Geer's message would have been mostly ignored by the public at large, except for @stake's "brilliant surgical marketing strike on its left foot by firing Dan".
I've been waiting for goatse's obituary for a while now. I'd like to know the true cause of his death. Like: did he have a mishap while getting anal sex from CmdrTaco? Or: Did a filthy Linux zealot go to far in touching his junk liberally? Too many unanswered questions. Tsk, tsk.
Start by Installing a stable, easy to use and secure Linux distro.
... Call them Alpha, Bravo and Charlie to avoid the existing OS arguments.
So.. In order to be diverse, everyone must use Linux. Apparently your dictionary has a different definition of diverse than mine.
Hackers are about to make it even easier for you to be flattened by a virii attack now that Microsoft source has been leaked to the entire world.
Exactly how is "Windows Source available on the internet" more dangerous than "Linux source available on the internet" ?
The problem isn't that Microsoft software has security issues. All the OS's have 'em to some degree. The problem is exactly "monoculture". One bullet kills all. I'm more of a mind that companies need three operating systems.
Alpha runs on the corporate web servers, ftp servers and in general anything hooked to the outside world.
Bravo runs on the intranet servers that provide file storage, user authentication, etc etc.
Charlie runs on the employee desktops.
Thus any virus that targets the public layer (Alpha) won't affect internal operations. Any virus that targets the workstations (Charlie) won't spread to the intranet servers (where important data should be stored, and regularly backed up) and any virus that targets the intranet servers (Bravo) needs to get past the other two (Alpha and Charlie) -- or introduced directly -- to be a threat.
summed up in a nifty catchphrase:
"Security through operating system diversity."
How best to implement this, I leave as an exercise for the reader.
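An added illustration of the three-tier argument in the comment above (not part of the thread): a small reachability model that computes which hosts a worm exploiting a single OS can reach. The host names, tier-to-tier flows and entry points are constructed assumptions; "Alpha", "Bravo" and "Charlie" are the comment's own placeholders.

```python
from collections import deque

# Constructed layout: three public servers, two intranet servers, four desktops.
LAYOUT = {
    "public": ["web1", "web2", "ftp1"],
    "intranet": ["files1", "auth1"],
    "desktop": ["pc1", "pc2", "pc3", "pc4"],
}


def build_hosts(os_by_tier):
    """Map host name -> (tier, operating system) for the constructed layout."""
    return {
        name: (tier, os_by_tier[tier])
        for tier, names in LAYOUT.items()
        for name in names
    }


MONOCULTURE = build_hosts({"public": "Alpha", "intranet": "Alpha", "desktop": "Alpha"})
DIVERSE = build_hosts({"public": "Alpha", "intranet": "Bravo", "desktop": "Charlie"})

# Assumed network flows (source tier, destination tier). Hosts inside a tier
# can reach each other; public servers and desktops both talk to the intranet
# servers, but desktops and public servers have no direct path to each other.
FLOWS = {
    ("public", "public"), ("intranet", "intranet"), ("desktop", "desktop"),
    ("public", "intranet"), ("intranet", "public"),
    ("desktop", "intranet"), ("intranet", "desktop"),
}


def blast_radius(hosts, flows, entry_tiers, vulnerable_os):
    """Return the set of hosts compromised by a worm that exploits one OS.

    entry_tiers: tiers the worm can reach from outside (e.g. "public" for an
    Internet-facing service, "desktop" for mail opened by a user).
    """
    def vulnerable(name):
        return hosts[name][1] == vulnerable_os

    infected = {
        name for name, (tier, _) in hosts.items()
        if tier in entry_tiers and vulnerable(name)
    }
    queue = deque(infected)
    while queue:
        src_tier = hosts[queue.popleft()][0]
        for name, (tier, _) in hosts.items():
            if name in infected or not vulnerable(name):
                continue
            if (src_tier, tier) in flows:
                infected.add(name)
                queue.append(name)
    return infected


def report():
    """Infected-host counts for the scenarios the comment walks through."""
    scenarios = {
        "monoculture, Alpha flaw via public tier":
            blast_radius(MONOCULTURE, FLOWS, {"public"}, "Alpha"),
        "diverse, Alpha flaw via public tier":
            blast_radius(DIVERSE, FLOWS, {"public"}, "Alpha"),
        "diverse, Charlie flaw via desktops":
            blast_radius(DIVERSE, FLOWS, {"desktop"}, "Charlie"),
        "diverse, Bravo flaw via public tier or desktops":
            blast_radius(DIVERSE, FLOWS, {"public", "desktop"}, "Bravo"),
        "diverse, Bravo flaw introduced directly":
            blast_radius(DIVERSE, FLOWS, {"intranet"}, "Bravo"),
    }
    return {label: len(hosts) for label, hosts in scenarios.items()}


if __name__ == "__main__":
    for label, count in report().items():
        print(f"{count:2d} of {len(DIVERSE)} hosts  {label}")
```

The result holds only for flaws specific to one OS; a vulnerability in software common to all three tiers puts every host back in one blast radius.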
Except that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue
This is not true, as USB was growing before Apple was involved, and continued growing after. However, it shows the problem: why force the issue at all? Things worked out a lot better in the PC world, where you had both USB and pre-USB ports, and didn't have to buy dumb dongles and converters.
Uh, guys, that's "Dan Geer", not "Dan Greer". (Only one 'r'.)
Please show some respect by getting his name right.
"But Geer says the company should disentangle its tightly integrated products, such as Microsoft Word and Outlook."
The best way they can disentangle their products is to force Microsoft to publish their protocols, so others can build competitive products that can integrate cleanly.
Perhaps their software should be declared an "essential service", much like teachers and hospital workers here in Canada. When teachers/medical workers strike for too long, the government steps in and says "get back to work, you're essential to our functioning as a culture".
The bottom line is Bill Gates and his minions are liars and can't be trusted. They comply to every defeat dealt to them with their middle finger raised, and then go right back to abusing their position in the marketplace. The only rules Billy plays by are his own, and the only reasonable way to deal with him is to be unreasonable in demanding he comply.
Ruby on Rails Screencast
OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.
Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uninformed tool.
...tizzyd
OK, someone do a NO CARRIER joke now.
Apple dropped certain technologies when they were replaced by superior ones, and were thus 'not that useful any more.'
In the case of USB, Apple stopped putting non-USB ports on machines at a time when few devices had USB. At this time, the USB technology was less useful than non-USB technology.
PC manufacturers dropped certain technologies when they were finally perceived not to be useful any more.
No, as it is a free market much less manipulated by the decision of a single company, PC's dropped these things when they really WEREN'T useful anymore.
Apple can act as the gentle motivational herder....(floppy > email, legacy ports > USB).
E-mail never replaced the floppy. The "no floppy iMac" was a major blunder at the time, since to make up for it you had to buy a much more expensive CD-R, or an external floppy.
Floppy drives only began to vanish on the PC when there was no actual need: CD-R drives and thumb/ram drives became cheap enough.
So I would hardly call this scenario a 'blunder' on Apple's behalf!
If you won't call it a blunder, call it a design flaw.
I'm sure it was of great benefit to both Apple and their users to make a swift concerted step forward.
It was not a benefit to have to buy a dongled floppy drive when PC users, or to have to get converters.
"The hoopla around him losing his job gave the story some extra frisson," said Internet security expert Bruce Schneier, a co-author of Geer's.
frisson
n : an almost pleasurable sensation of fright; "a frisson of
surprise shot through him" syn: shiver, chill, quiver,
shudder, thrill, tingle
Overall, this is one of the best written articles I've read in quite some time. The author lets the intelligence of his sources shine clearly. And it's always nice to learn a new word.
Yep right off the edge of a cliff
Saying Apple is better than MS is like saying Botulism is better than rabies.
Hardware standards in the PC world are written in a different ivory tower: Intel.
Microsoft, of course, has a lot to say about PC hardware standards. Look at the AMD Opteron-Intel 64 bit CPU driver support with the 64bit Windows edition...
They keep all the focus on hacking their POS operating system and help my mac and linux servers avoid the amount of attacks that would happen if they didn't exist.
MS is a competitive advantage to those that compete with vendors providing MS based services. BTW my company does have MS servers, Linux servers and we are testing some new OS X server implementations to see if we can eliminate some of our admin tasks with their slick UI & tools.
Q: What is the single protocol used by all computers connected to Internet in the world?
A: IPV4
Q: What is the single mail protocol used by all computers connected to the internet?
A: SMTP
Q: What is the single protocol used to search the Internet and exchange most information over the Internet?
A: HTTP
According to evolution, diversity is the consequence of adaptation.
Specialization, Mutation, Adaptation.
Adaptation is the consequence of a changing environment. A changing environment is the consequence of a finite amount of resources and competition.
The Internet in its current stage resources are plenty and competition is little.
Internet is currently in the specialization stage. The Internet has not been forced (YET) to depart from its standard protocols (mutate) to survive an attack.
Forcing diversity (by mandate rather than natural competition) not only makes the system less robust, it slows down evolution.
- these are not the droids you are looking for -
Maybe Microsoft is trying to do to ReactOS what SCO is trying to do to Linux?
No one else had the balls to say "screw dumb serial ports, USB is better".
because only complete morons say that.
Serial ports have their place and will be here for a really long time. I dare you to config a cisco router or switch with your USB port. or dare you to configure any of the middle to high end home automation equipment out there with your USB port.
USB is excellent for low-performance high bitrate data transfers.. firewire beats it to hell for performance needs (ever wonder why you can't get high end DV cameras with USB?) and RS232/RS485 serial is better than anything that USB or firewire can do for low speed high reliability.
apple did NOT force the adoption of USB... the explosion of cheap usb products by the release of cheap usb interface chipsets.
Do not look at laser with remaining good eye.
I know it's a stupid thing to /. yourself, but here we go:
My paper on worm propagation from last year (just updated with some more data) shows very clearly what a monoculture does.
I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.
We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.
Assorted stuff I do sometimes: Lemuria.org
as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).
USB is not "Generally superior" for many things. Printers, for example. Stuff prints out the same on your typical inkjet whether or not it is plugged in through a Centronics port or USB.
> USB did not become ubiquitous until after Apple forced the issue.
Given the number of users, it's much more likely that USB only became ubiquitous because Win98 finally provided decent support for it.
A stupid windows user will be an even more stupid linux user. Sorry to tell y'all this. Them the breaks
Hardly true.
Anyone remember the old antiMac FUD
"When you hide how the os works the user never learns"
This is FUD not so much for being untrue but because MacOs doesn't hide how it works.
It's not anymore applicable to MacOs than the "Total Operating Cost" FUD is to Linux.
But Windows does. Notice how Windows tries to do everything for the user?
MacOs however shows the user how everything works.
Linux is for the most part a cluster of tools. There is nothing between the user and the Os. Not even a road map.
The typical user has to rely on his/her computer to learn and understand how it works and when it does not cooperate the typical user doesn't pursue the matter ignorant of the details.
After all most people use computers to get things done not to learn how they work. This minor detail must mystify Microsoft's staff as to why people who do favor Linux do. But it's actually quite simple. Linux users want to know how things work so they can make best use of the equipment.
On that note MacOs users while not interested in learning do learn and end up making best use of the Mac.
MacOs guides the user.
Windows encourages ignorance.
Linux forbids it.
I don't actually exist.
I was moderating this thread until I saw this comment - simply modding you down for being an airhead wouldn't get the point across.
LANGUAGES DO NOT CAUSE ERRORS -- BAD PROGRAMMERS CAUSE ERRORS
You call the best programming languages out there (C/C++) "buffer overflow" languages - implying that they are broken - because they give you POWER they give you the full control that allows you to write the most effective programs. I want to see you perform pointer arithmetic in perl, python, java or C# -- I can show you some simple pointer arithmetic that reduces execution time drastically.
Java = distilled OOP to the point of masochism (ie non-OO tasks in OO), drastic performance loss due to being interpreted, all the GUI toolkits are confusing at best
C# = Platform Locked result of a foul craft cross between VISUAL BASIC and C++, One of my friends had to write in this horrid language for a class project because the other three members of her group were MS-Whores -- she became a rabid MS-hater after that, she never minded them before.
Perl - Good for a great many things, GUI applications aren't typically good in this language - and absolutely not games, time critical, mission critical, etc
Python - I haven't seen a use for it yet.... but I hear of it being used.
If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
Apple really had nothing to do with USB adoption. The big printer companies and mouse makers could barely be bothered to make special USB versions with Mac drivers. Apple's niche market was not enough tail to wag the dog here.
Growing interest in USB in the PC world (including OS improvements where it handled it better) helped force the issue.
Anyone who associates with Microsoft is a "taint by association" - as in this kind of taint.
My beliefs do not require that you agree with them.
Do the people running these systems have an UltraVeryHigh lawsuit insurance?
Or do the recipes smallprint standard incorporate "Warning, recipe might be utter bullshit" clauses?
"/Dread"
Monoculture (or, the problems associated with it) are not a new concept. When I was studying at U of Mi in 1992-93 (or thereabouts) we discussed the internet worm in my system administration class. The instructor pointed out that U of M was only moderately affected because of the variety of Unix systems comprising the network. The lesson was that a diverse network makes one less susceptible to attack affecting a single platform.
Yeah, without Microsoft products, Al Gore couldn't have invented the internet.
I see my mission now.. to reply to every post with this lame ass joke with information about how it is NOT TRUE. You've heard of snopes.com, the Urban Legends Reference Pages? Please read this article before posting this lie. The proper joke would be, "Al Gore says he took the initiative in creating the Internet!". While certainly a poor choice of words for Mr. Gore even in context of the interview, he did not claim to invent the Internet.
That goes for you too, moderators. This cliche is certainly not +5 Funny and you know it.
Speak truth to power.
If a submission with this "leaked" code is made to Linux, it will most likely be coming from a minion of MS itself. Be careful with what is accepted into the next kernel. It wouldn't be the first time MS employed such dastardly tactics.
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his theories of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
Why haven't Mr. Cooper, the media, and supposed security experts who promote U/Linux as a safe alternative, acknowledged that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforeseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Myopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
While this guy might be a little overzealous, this should be modded more 'informative' and less 'troll'...
Not that many care to "hack" hardware.
The etherkiller (bit of wire with plug on one end, especially a 240 V mains plug, that connects wires to the pins of an ethernet plug) is a fine choice for destroying a network and possibly starting a fire when the wiring overheats.
You can always flash someone's BIOS for them, most likely rendering the system inoperable. I think the CiH virus did that?
There was that one Linux bug that killed some CD drives or something with some bad instruction it sent.
There are probably several other ways to damage components (especially if you muck about with the BIOS settings)
Someone else could think of more?
Maybe these don't have "security" implications per se, but I'd hate to have the next Windows worm do some of these things; it'd be a PITA for all the poor techs who have to support them.
mod down - it's a troll
Hallowed are the Ori
Shouldn't that be .NET culture?
my password really is 'stinkypants'
no security built into TCP/IP because there was no need for them.
TCP/IP was not developed for academics, its development was paid for by the Department of Defense, thus security was a consideration in the design of TCP/IP from day one. That is why TCP/IP was designed to dynamically reconfigure routing to work around failures, as opposed to SNA, in which the network was statically configured.
"Freedom means freedom for everybody" -- Dick Cheney
Now, that didn't happen in this case, as the story was already on the front page before Slashdot linked it. But it could happen, no?
If monoculture is such a bad thing, why are people so supportive of "write once run anywhere" Java?
To the letter of the law, that's true. However, there's also something called plagiarism which DOES NOT have to be a "cut-n-paste," but can be a situation in which I looked at your work and implemented my version in much the same way. That is a potentially illegal breach of copyright in software just as it is in school with papers.
As such, the best way to protect oneself from copyright violations is complete ignorance of anything one might potentially infringe. As you say, an implementation is not copyrightable, so if you have never seen someone else's implementation, you're clean. Basically, proving you've seen someone else's code can be damaging if you get sued for violation. You don't want that. And there's no reason to make the first critical part of their case for them.
Of course, this is what makes copyright different than patent, as you say. Ignorance does not protect one from patent violations (although it can with regard to penalties, which can be trebled given intent, I believe). Ignorance aka "cleanroom implementation" DOES give complete immunity with regard to potential copyright violations.
I know that English is a screwed up language to begin with. But additionally, idioms like "push the envelope" and "developing solutions" would have different meanings to office secretaries and film processors than aircraft designers and anyone subjected to the marketing rhetoric of most computer companies.
I actually thought the article was pretty good when I read it, but I'm just asking people to be a bit more careful when mixing idioms of different domains.
the problem is crappy software and stupid design decisions. Read Malicious E-Cards - An Analysis of Spam in today's Slashdot articles for a quick description of how one e-mail message used no less than 5 security holes in Microsoft e-mail/web browser to take over recipients' computers.
Microsoft is the hacker's friend; Microsoft is the spammer's friend; Microsoft is NOT the user's friend!
like my dad. i forced him to stop using ie, he uses opera now. he's a typical windows user (probably wouldn't understand outlook if i let him use it anyway).
he's a typical windows user. he does think of security. he doesn't do anything stupid outright. he insists on running a virus scanner, although he doesn't know how or why to update it, so he never does. he runs a firewall but again, doesn't update.
he's a typical home windows user. typical people are scared of viruses (because of the news coverage) but do not know how to protect themselves, nor know where to find information. He doesn't ever update windows because he doesn't have time / doesn't know how. he runs windows 98 because it 'just works'.
no matter how fast microsoft patch things, if they don't release a product that's secure upon release, what's the point to home users? that's a good reason why people should use alternatives.
I've been surprised at how much heat and how little light (as in research light) has been applied to this argument. Dan's diversity argument is on pretty solid ground in the research community. As an example, here are a set of papers nicely compiled by the City University of London's Center for Software Reliability on fault tolerance, and there are quite a few citations on the use of diversity in software. If you don't like the University's papers, you can find similar papers published by the ACM and IEEE. These might help readers with deciding which point of view is best supported by research. Diversity isn't a slam dunk (lots of nasty details to get right), but it's certainly well-examined ground for high-reliability systems, and a lot of folks are now looking how you apply these same principles to commercial, off-the-shelf systems.
A final thought: the Internet itself is one of the best examples of such a diverse system. At one point, no RFC was ever approved without two independently-developed implementations of the standard. It's one of the reasons it has worked so well and evolved so well over the last 30 years or so.
"Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring 'benign mutations' that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
If there is non-functional code that can be modified without causing problems, shouldn't that code be removed?
The Monoculture Song (taken from The Simpsons)
...
Lyle Lanley: Well, sir, there's nothing on earth
Like a genuine,
Bona fide,
Sanitized,
One OS
Monoculture!
What'd I say?
Ned Flanders: Monoculture!
Lyle Lanley: What's it called?
Patty+Selma: Monoculture!
Lyle Lanley: That's right! Monoculture!
[crowd chants `Monorail' softly and rhythmically]
Miss Hoover: I hear this os is filled with patches...
Lyle Lanley: You'll get them all in easy batches.
Apu: Is there a chance a buffer won't end?
Lyle Lanley: Not on your life, my Hindu friend.
Barney: What about us brain-dead slobs?
Lyle Lanley: You'll all be given MS Certified jobs.
Abe: Were you sent here by the devil?
Lyle Lanley: No, good sir, I'm on the level.
Wiggum: The worm came off my own mailbox.
Lyle Lanley: Take my advice, reboot the box.
I swear it's the earth's only choice...
Throw up your hands and raise your voice!
All: [singing] Monoculture!
Lyle Lanley: What's it called?
All: Monoculture!
Lyle Lanley: Once again...
All: Monoculture!
Marge: But many servers are cracked and broken...
Bart: Sorry, Mom, the mob has spoken!
All: [singing] Monoculture!
Monoculture!
Monoculture!
[big finish]
Monoculture!
Homer: Open Source... D'oh!
- these are not the droids you are looking for -
Wait, @Stake was at least in part comprised of the old L0pht Heavy Industries guys... they made their living making Microsoft look bad!
:)
I don't buy this guy was fired for making them look bad.
If you're looking to automate administration tasks, might I suggest you take a look at cfengine?
Ooh, you got me there. That's a very common and vitally important task for a desktop personal computer. As the 90's would say ... "Not"
dare you to configure any of the middle to high end home automation equipment
Maybe true today, probably not tomorrow.
-F
....there was this thing called "Hypercard." You might want to look into it, especially since it was the forefather of the WWW.
--R.J.
Electric-Escape.net
Here are some things that appear to be invented by Microsoft and are important. Unfortunately this list is not going to make even Microsoft happy since everything is somewhat old, easily emulated on other systems, etc, but these IMHO are the real innovations:
1. The "taskbar", in particular the idea that a window appears in it whether or not it is "iconized" All earlier systems I have seen had the idea that a window "turned into" the icon. Thus finding an uniconized but buried window was quite difficult until they came up with this.
2. The realization that the text in the icon (taskbar) is much more important than the picture. Unfortunately the HCI dweebs probably stopped them from getting rid of the icon entirely, but at least they got it very tiny.
3. The mouse wheel. Certainly the idea of the mouse being easily switched in/out of "scroll mode", or having another control on it for scrolling, has been around much longer, but they appear to have realized that limiting the idea to one dimension would allow a user-friendly solution with reliable mechanics.
4. Rasterizing graphics to the individual rgb emitters in lcd displays (what they call Cleartype and apparently only used for fonts right now by them). Yes it seems obvious now, but nobody seems to have thought of it before somebody at Microsoft did.
5. Windows 95 design that eliminated the "border line" between the window border and the contents. For instance if you drew a window containing only a gray rectangle, it merged seamlessly into the border. All earlier systems drew a divider line there. Though I know I wrote stuff like this in 1986 for the NeXT (which let you create basically override-redirect windows), Microsoft seems to be the first commercial venture that realized you did not have to graphically separate the edges.
There are probably other things. These are important innovations that will affect computer design long after Microsoft is irrelevant.
Yet another sickening blow has struck what's left of the *BSD community, as a soon-to-be-released report by an independent commission doing a year-long study concludes: *BSD is dead and mummified. Here are some of the commission's findings:
.005% of internet servers. "It's just not reliable," said Christine McGee, VP of Technology for eBay, Inc. "Nor do we find it a very modern OS. I would recommend Linux to anyone contemplating a server OS, or maybe Windows, before I would recommend a BSD."
Fact: the *BSDs have balkanized yet again. There are now no less than twelve separate, competing *BSD projects, each of which has introduced fundamental incompatibilities with the other *BSDs, and frequently with Unix standards. Average number of developers in each project: fewer than five. Average number of users per project: there are no definitive numbers, but reports show that all projects are on the decline.
Fact: *BSD has no support from the media. Number of Linux magazines available at bookstores: 5 (Linux Journal, Linux World, Linux Developer, Linux Format, Linux User). Number of available *BSD magazines: 0. Current count of Linux-oriented technical books: 1071. Current count of *BSD books: 6.
Fact: XFree86 is dropping support for *BSD. The remaining core group believes that the *BSDs have strayed too far from Unix standards and have become too difficult to support along with Linux and Solaris x86. "It's too much trouble," said one anonymous developer. "If they want to make their own standards, let them doing the porting for us."
Fact: Many user-level applications will no longer work under *BSD, and no one is working to change this. The GIMP, a Photoshop-like application, has not worked at all under *BSD since version 1.1 (sorry, too much trouble for such a small base, developers have said). OpenOffice, a Microsoft Office clone, has never worked under *BSD and never will. ("Why would we bother?" said developer Steven Andrews, an OpenOffice team lead.)
Fact: servers running OpenBSD, which claims to focus on security, are frequently compromised. According to Jim Markham, editor of the online security forum SecurityWatch, the few OpenBSD servers that exist on the internet have become a joke among the hacker community. "They make a game out of it," he says. "(OpenBSD leader) Theo [de Raadt] will scramble to make a new patch to fix one problem, and they've already compromised a bunch of boxes with a different exploit."
Fact: NetBSD, which claims to focus on portability (whatever that is supposed to mean), is slow, and cannot take advantage of multiple CPUs. "That about drove the last nail in the coffin for BSD use here," said Michael Curry, CTO of Amazon.com. "We took our NetBSD boxes out to the backyard and shot them in the head. We're much happier running Linux."
Fact: There are almost no FreeBSD developers left, and its use, according to Netcraft, is down to a sadly crippled
Fact: DragonflyBSD, yet another offshoot of the beleaguered FreeBSD "project", is already collapsing under the weight of internal power struggles and in-fighting. "They haven't done a single decent release," notes Mark Baron, an industry watcher and columnist. "Their mailing lists read like an online version of a Jerry Springer episode, complete with food fights, swearing, name-calling, and chair-throwing." Netcraft reports that DragonflyBSD is run on exactly 0% of internet servers.
With these incontrovertible facts staring (what's left of) the *BSD community in the face, they can only draw one conclusion: *BSD is dead and mummified.
That's a protocol, not an implementation. If you did things just like they did, that would be a violation. However, the TCP/IP protocol itself is not copyrightable.
So what, you thought plagiarism was OK? LOL back at you.
more than likely tomorrow..
the $30,000.00 systems installed today ARE NOT going to be replaced every 2 years like computer equipment. they are designed for operation for over 20 years. embedded processors and systems designed for reliability and uptime.
I saw the next-gen HA systems at CES and ALL OF THEM have rs232 and rs485 with ZERO having usb or firewire.
maybe in about 30 years they won't have rs232 or 485 but by then USB will be listed as the likes of EISA and microchannel.
Everyone seems to think the Irish Potato Famine happened because the Irish just loved potatoes and that's all they ate. This is incorrect (and seems silly if you thought about it). That's all they were allowed to eat, because the British took all the other crops*. The Irish had no choice but to only grow the one crop.
Similarly, the existing software monoculture is not a result of everyone saying "Gee, I love monocultures, so let's all buy the same OS!" It's a result of people not having (or not feeling they have) a choice.
Some day, this will be a non-issue. I'll be running Linux and Enlightenment, your corporate desktop may be FreeBSD running KDE, and your brother will have OSX/Aqua, and we won't have any problems sharing documents, files, etc. All we need to do is remove the penalty for making a choice (not having shit work). The key is to get rid of the companies that hate choice and want to make choosing different cost you. Get rid of that problem, and I feel pretty sure that people's naturally differing tastes will result in exactly the kind of healthy "ecosystem" we need.
* Even after the famine had started, of course. The British have seriously fucked over the Irish for centuries. Braveheart, wonderful movie that it was, only scratched the surface of the abuse.
The enemies of Democracy are
My issues start with the word "thousands", I believe passing a dozen with a reasonable distribution of market share would go a long way, the rest is gravy.
As for interoperability, nearly every OS available today can speak TCP, UDP, ICMP, IP, SMTP, POP, IMAP, HTTP, HTTPS, FTP, etc. I mean, seriously, when was the last time you thought to use HyperCard? But, HTML, you use it every day. Which leads me to higher protocols. PDF, RTF, are all nearly ubiquitous. HTML is ubiquitous.
I have a friend who used to work in the Tote business. Every year, the companies got together to go over their protocol, talk about implementations and updates. There are a lot of Tote companies out there.
So, what Charney is really saying, Microsoft does not want to have to sit down with Corel, Sun, etc. each year and talk about how they can collectively interoperate to make people's lives not only better, but apparently safer.
Come to think about it, Charney might be right. Sending 10 people to a 2 day conference once per year may actually be insurmountable for his company.
My last point. I posit that most of the technological "advancements" made recently worth any bit of a damn were not made by Microsoft and exist outside their monocultural sphere of influence.
- C
- The web
- Perl, Python, Ruby
- Java
- The idea of a windowing system
- The internet
- email
- PostScript
- Word Processing, Spreadsheets - they didn't invent the concepts, and they never made them better than the competition. I mean, has anyone out there ever used Quattro Pro, for example. Not bad for a spreadsheet.
- I am obviously leaving out a lot, this is a quick 1 minute list.
In fact, I cannot think of one thing that came out of that company that I wouldn't be happy to say goodbye to. Sorry, one last thing I just realized. Isn't it always them who spread the FUD about Linux users being communist? It sounds to me like Charney is anti-capitalist. Well, I say competition benefits the consumer, not monoculture.
That's what I was looking for, more or less. Thanks.
You can't bring back a dead system by changing data in a field. You can't even change the data if the system is down.
That is only true if the system which crashed and the system with the database on it are the same machine. A database client on a different machine crashing would not affect the database server at all. They could have used any non-crashed terminal to access the database and change the data.
Then there is this statement, from your last linked article:
"The resulting database overload caused the ship's LAN, including 27 dual 200-MHz Pentium Pro miniature remote terminal units, to crash, they said."
It apparently took two hours to restore the network after the first time it happened. Even subsequent times: "Each time, we knew what caused the interrupt and were underway again in about 30 minutes." Thirty minutes to change a field in a database? That's suspicious. It sure seems to me like they had to go around rebooting machines before "everything [came] right back up".
I was hoping you'd find definitive proof (i.e. a statement of the kind "The application crashed, but the computer the application was running on was not" or some such). Instead, just more vagueness. Oh well.
The enemies of Democracy are
See, in Linux, I can be logged in all the time as a non-root, non-administrative user. If I need to do some admin type activity, I type "sudo /etc/init.d/someservice restart". Done. For that brief half-second I'm using admin privileges, but that's it. Under Windows there generally isn't a way to do that unless you are fully logged-in as an admin user. Because of this I can conveniently be a non-admin user under Linux, but under Windows it's a huge pain to be a non-admin user.
For every problem there is a solution that is simple, obvious and wrong.
In an age where the world is becoming ever increasingly dependent on computers, we must take a step back and formulate a strategy to make sure history does not repeat itself in the most disastrous way. It was not too long ago that Ireland suffered its infamous "potato famine" that devastated its population that was, in its day, dependent on the crop. One of the key reasons why the famine was so intense was the fact that the Irish were repeatedly planting the same type of potato throughout the country. By doing this, and not realizing that nature provided diversification in the form of hundreds of varieties of potatoes to make sure that one set of circumstances could never decimate the potato population, the Irish learned a very valuable, if not painful, lesson indeed. In the land of computers, this form of "biodiversity" only makes sense. If 90% of all nodes on the network are of one kind of "potato" (namely Microsoft) then it's very easy for one plague (or virus) to have incredibly devastating results. We have already seen the damage caused by recent Windows viruses. Each of these have been relatively small and harmless annoyances compared to what a committed and intelligent person could create should such a someone be so inclined and motivated. However, if the world's computers were not so heavily tilted towards a single OS, such attacks wouldn't stand nearly as much of a chance in succeeding to harm a large section of the world's network population. In conclusion, not only do operating systems such as Mac and Linux (as well as Solaris, Unix, etc) represent an excellent freedom of choice for consumers, they represent an enlightened strategy to prevent a cataclysmic disaster to our networks that we've become so dependent on.
Sugapablo
...addresses. Wouldn't that fix most of the stack-based overflow breaches?
"No one else had the balls to say "screw dumb serial ports, USB is better"."
No one else ever had to interface custom hardware to their computer I guess...
The members of a monoculture do share the same weaknesses. However, the survivability of a monoculture of marshmallows is different than a monoculture of bricks.
http://www.kde-look.org/content/show.php?conten
While the idea of a monoculture has appeal, the common arguments for it assume a lack of diversity, which doesn't help in this case. Because it isn't lack of diversity that's the problem. MS is just too big and easy a target to ignore.
Apple has a greater installed base than Linux. Yet there are no exploits or viruses against Apple OS's to my knowledge, although OS X must open the door a little wider these days.
Programs used under Linux have their own security concerns, naturally. But these programs are used by many other OS's which have their own kinds of vulnerability. You can boil most security concerns with the Linux kernel down to one goal: privileged access. Remember, buffer exploits happen everywhere.
What really makes Microsoft a big target is the scope for attack: privileged access is the easy part. Network attacks are simple, destruction and/or theft of data a matter of social engineering. The latest MS worms are capable of all these attacks, impossible on other OS's. THAT is why it's the premier target. The flow-on effects of the different kinds of attack simply don't exist elsewhere.
insecurity asks the wrong question irritation gives the wrong answer
Resilience through diversity, not absolute immunity.
Absolutely. And not so incidentally, the classic argument in favour of biodiversity!
Corruptissima re publica plurimae leges.
DirectX
Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
He is so right. How can you argue this point? The facts support this. Without Microsoft stealing other companies' technologies, these companies won't have to innovate new things to stay ahead. Those who can't innovate beyond their one hit wonder, they die (e.g. Netscape). Think Microsoft as a natural disaster, those who can't adapt go extinct. So, thank you Microsoft, for screwing us for our own good.
Phytophthora infestanss ff_8J:wh yfiles.org/128potato_blight/+potato-blight+Ireland +pathogen&hl=en&lr=lang_en&ie=UTF-8
"Although the pathogen is often called a fungus, it's more closely related to kelp and other brown algae"
http://66.102.7.104/search?q=cache:T_anVN
gewg_
The rationale behind avoiding monoculture is that not all members have the same weaknesses, so an attack will not destroy the entire population. While this is a valid point for biological populations, there are some issues with it as applied to computer security. We are not dealing with "members" getting "killed" -- we are dealing with "computers" being "compromised".
The first issue is that many elements of the whole in some computer systems have the same degree of access. Perhaps half of the workstations at a company run Linux and half Windows. If all of them have roughly the same tasks (as opposed to devoting Windows to web browsing and Linux to email reading), then a compromise of *any* of them allows a compromise of all the important data. Many security systems are weakest-link -- if one element can be compromised, the whole system falls. In this case, all having a polyculture does is expose more weaknesses, reducing the security of the system as a whole.
The second element is somewhat similar -- most computer networks have some degree of trust relationship between members. It may be something explicit, like having IP-based rsh auth (though that's a bit of an old problem) or allowing access to various intranet Web pages to any internal computers. It may be just allowing a compromised computer to sniff a network that other computers pass traffic over. In this case, a compromise of one member of the network provides an attack vector against the other members of the network. Again, a polyculture exposes more weaknesses, weakening the security of the system as a whole.
Third, there are security management issues. Most medium or large computer networks have someone or some group with some degree of responsibility for computer security. That group usually has finite resources and budget. Much of their effort can generally be replicated across similar members -- for example, securing a plaintext authentication in Windows means a fix that just has to be replicated across all members in the network. If their time and money must be spread across multiple types of members, they are less able to spend resources on any one group, and each type of member may be less well managed.
Fourth, most networks do not follow a "Russian doll" approach, where a potential cracker must compromise first one computer, then another computer, then another computer to get in to the network proper from the outside. In such a scenario, making each of the dolls different does improve security, since a cracker must compromise all, rather than just one, system. It's pretty common to just have a NATted network with all hosts inside at roughly the same level of internal access, however.
Overall, I *do* think that it's a good idea to move away from "Microsoft only" on computer networks. Competition tends to improve products, and Microsoft has a poor security track record (and doesn't focus on security very well). However, if a CIO has the sole goal of improving security, and has the choice of rolling out Linux or rolling out Kerberos on existing Windows boxes, I'd have to say that rolling out Kerberos is probably going to do more for security.
May we never see th
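The weakest-link and "Russian doll" cases argued in the comment above, worked as a small reachability model. This is an added example, not part of the original thread; the host names, the two topologies and the per-OS flaw probability p = 0.1 are constructed assumptions.

```python
from itertools import combinations

def compromised(hosts, edges, flawed):
    """Hosts an outside attacker owns: reachable via an owned node and running a flawed OS."""
    owned, frontier = set(), ["internet"]
    while frontier:
        node = frontier.pop()
        for nxt in edges.get(node, []):
            if nxt not in owned and hosts[nxt] in flawed:
                owned.add(nxt)
                frontier.append(nxt)
    return owned

def breach_probability(hosts, edges, data_hosts, p):
    """Exact chance that some data-holding host is owned, when each distinct
    OS independently has an exploitable flaw with probability p (assumption)."""
    oses = sorted(set(hosts.values()))
    total = 0.0
    for r in range(len(oses) + 1):
        for flawed in combinations(oses, r):
            if data_hosts & compromised(hosts, edges, set(flawed)):
                total += p ** r * (1 - p) ** (len(oses) - r)
    return total

# Constructed topologies. Flat: four peers, all exposed, all holding the data.
FLAT_EDGES = {"internet": ["ws1", "ws2", "ws3", "ws4"]}
FLAT_DATA = {"ws1", "ws2", "ws3", "ws4"}
# Layered ("Russian doll"): each host is reachable only through the previous one.
LAYER_EDGES = {"internet": ["gw"], "gw": ["mid"], "mid": ["db"]}
LAYER_DATA = {"db"}

def scenarios(p=0.1):
    flat_mono = dict.fromkeys(FLAT_DATA, "A")
    flat_poly = {"ws1": "A", "ws2": "A", "ws3": "B", "ws4": "B"}
    layer_mono = {"gw": "A", "mid": "A", "db": "A"}
    layer_poly = {"gw": "A", "mid": "B", "db": "C"}
    return {
        "flat/mono": breach_probability(flat_mono, FLAT_EDGES, FLAT_DATA, p),
        "flat/poly": breach_probability(flat_poly, FLAT_EDGES, FLAT_DATA, p),
        "layered/mono": breach_probability(layer_mono, LAYER_EDGES, LAYER_DATA, p),
        "layered/poly": breach_probability(layer_poly, LAYER_EDGES, LAYER_DATA, p),
        # Share of flat hosts lost to one worm for OS "A" (the monoculture worry).
        "worm/mono": len(compromised(flat_mono, FLAT_EDGES, {"A"})) / 4,
        "worm/poly": len(compromised(flat_poly, FLAT_EDGES, {"A"})) / 4,
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:13s} {value:.3f}")
```

Under these assumptions, mixing two operating systems on the flat network raises the chance of a data breach from 0.10 to 0.19 while halving the share of hosts a single worm takes down; on the layered network, three different operating systems cut the breach chance from 0.10 to 0.001.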
Now that the Windows source code is released, when can we expect the first Windows distro?
Windows is not nearly as complex as organisms.. The theory behind the survival of organisms is unproven, just as evolution is unproven.. This has been a theory put forth to those fighting harmful bacteria/viruses that if you give people are the drugs quickly it will kill off everything, but if not applied well enough the resistant strains will survive and grow, and will be drug resistant.. However this relies on evolution of species, that the drug resistant strain is strong enough to overcome other organisms that would eat up or break apart the virus.. Anyhow, computer viruses are fairly simple, they are interpreted as instructions when given right to execution.. The primary problem with Windows is not that it's random/unpredictable enough to thwart attacks, but that it's overly complex, and is made so every year, through the purpose of making money, whereas Linux is relatively simple and can be protected from attacks.. Making an operating system more complex is about the same as security through obscurity, it's more of a burden than a solution.. The solution for Windows is to reduce the crap between the hardware and the applications.. Microsoft's money maker has always been controlling access to resources, not from hackers but from low-paying vendors, the more money you can shell out for a compiler, the closer you get to the resources and the better your applications can be made.. It's like selling seats to a Football game, those with the more insider information into Microsoft and those willing to pay for that information, get closer to the hardware.. And when that new version of Windows comes out that obscures the language and interface design (actually a marketing idea more than for virus reduction), the layers increase, people pay more to understand the obscurity, while holes develop in the architecture, due to complexity.. As you increase the complexity of software, you increase the vulnerability, it's proven!!
Linux is also not immune to this, if open source developments fail to refactor the sources, they will become more complex, and less dependable, more crackable, hackable.. The best thing to do is embrace good abstraction and ways to reduce points of failure. With the linux, this is to increase eyes... With Microsoft it's to advertise a lot, brainwash customers with positive reassurance (eg. "no nothing is wrong, everything is okay"), while at the same time making those with something to argue look like fools.. It's like something out of an Ayn Rand book, somewhere between communism and capitalism, respect the social order, but do what you want until you can't get away with it, then give to charity or put forth a positive message such that people will instill more trust, then do what you want until you can't get away with it.. So on..
Just say no to license servers!!
I know he didn't. Really. I promise not to do it again.
Al Gore did not say he invented the Internet. Mussolini did not make the trains run on time.
Godwin's Law, I WIN! Wait, does Mussolini count? ;)
Speak truth to power.