Actually, I *do* lament the passing of Whitesmiths. I have been trying (for a long time now) to get a copy of the Whitesmiths 8080 toolchain (native CP/M version, or VAX cross).
I had contacted the (then) current owners of the copyright -- and received permission to copy these tools; indeed they tried to read the old 9-track backup tapes. I assume for naught, because I didn't hear a good outcome.
It would be an interesting collectible. Do you (by chance) have a copy of this on 8" floppy or magtape?
Anyway, squeezing a full C compiler and making it work on a 64KB CP/M machine was a feat! (the compiler included structures, floating point, etc. It was K&R). Of course the library was Plauger's design (just different enough from Unix to be a nuisance).
Now, some additional facts. In 2005, 159m CDs sold in the UK. Cutting off 6.5 million high-speed internet users is like increasing piracy to 100%. To quote the BPI:
"The findings of the study, revealed today by record companies' trade association the BPI, suggest that physical music piracy in the UK lost the industry 16.5m in sales - approximately £165m in retail value in 2005."
Now, the 165m pounds lost was at retail, and we can see that the BPI assumes a CD sells for 10 pounds at retail -- so the loss of the internet service is worse (internet service has less overhead -- fewer brick & mortar shops, no packaging, cheaper delivery).
Talk about extreme! Might as well just sign over the business to the BPI, and have done with it.
Let me guess. Virgin Media loses 6.5 million subscribers. Forever.
The subscribers lose a bit of music.
6.5 million at 10 pounds (or more) per month -- 65 million pounds per year at the bottom; it is probably closer to 120 million pounds. I guess "they" are betting that the revenues will be made up be increased CD sales. Personally, I don't think so.
The BPI doesn't have anything to lose. But Virgin Media? 1/4 billion dollars (US) a year from the bottom line? All I can say is: Wow, that's some bluff!
You STILL don't understand. Network DNA is what Unix (Linux) is all about. There is really no concept of NOT doing the things you want. The Windows "quick & easy" approach is to develop applications to FIX the issues that a desktop centric OS had with enterprise logistics. Issues that Unix (Linux) never had, because the base was networking.
Indeed, Linux is far closer to Solaris than it is to Windows: the SUN mantra is "The Network is the computer". Booting from the network, updating from the network, customizing from the network. Why should any of these BE issues?
Alternate example, the *other* way around -- why doesn't Windows XP SP2 authenticate (or otherwise use) with NIS out of the box? Why doesn't it understand POSIX file semantics? Why doesn't it support SUN automounter maps? Ok, I can see why NIS may not work (although it should have been implemented) -- but why not LDAP delivery of the information?
This would allow me to manage Windows like I manage Linux (Unix). Basically, I load the (unaltered) OS onto a new machine, plug it in telling it to use (NIS, LDAP, Hesiod), and presto, a user can log in to the box using their current authentication, and be placed immediately into their home directory.
And the integration is tighter. If it's Linux, the user sees his desktop -- AND ALSO IF IT'S SOLARIS. The same desktop. The same user/password. The same home directory. Two different OSs. N different platforms (Sparc and Intel for Solaris, a whole bunch for Linux).
With Windows? It's a completely different system.
Updating? SSH works to allow pushing active commands to (Linux, Solaris). The SAME. I tell the boxes to update. I can do thousands. If needed, I can reboot the boxes (if it's a kernel level), or restart services, or even ignore. The semantics of the file system are such that I can update a file, and yet have the previous version still in use. Under Windows? File updates are queued until the next reboot. Thereby forcing an eventual reboot.
Or, I can replace (dynamically) parts of the filesystem. I can do this from the automounter.
The flexibility is built into the underlying "DNA" of Unix (Linux). But, given a tool on Windows which allows (say) 20 specific network actions, I would HOPE that the tool is "easier and quicker" for those 20 activities. And, if all you have to do is one of those 20 things, Windows is then arguably easier. But these 20 things have never been a specific problem with Unix, and that tool was considered not needed.
On to a practical networking example. I have a lot of data on a client machine. I want to back the data up to a tape drive on a server, prior to updating that client. I am remote to both systems. A copy of the local data won't fit on the client machine. The client machine is outside the server security perimeter.
On Linux (Unix) I would think a few minutes, and then issue something like:
"10 minutes" and "desktop scenarios" are key here.
You see, Unix (Linux) SOLVED these issues BY DESIGN. In other words, none of these "desktop scenarios" exist. Let's take the desktop branding issue.
Why doesn't this exist? Because /usr (including /usr/bin, /usr/sbin, /usr/local etc. which includes all application software) is mandated to NOT HAVE TO EXIST when the machine (desktop) is booted. Indeed, the whole thing could be NFS mounted.
Any desktop branding software is NOT vital to the boot (which, by definition, doesn't require an X server). The support now comes down to automount maps. I concede that proper management of automount maps may be complicated in a large organisation, but it is simply a part that needs to be learned. I can't really tell you how long it takes to manage a problem that doesn't exist...
Let's take another. Automounting home directories. Let me show you the complete contents from my 'auto.home' support file:
It has a fairly simple layout. Mainly, the home directory for user "pvr" is on machine neptune, directory /data, and is to be mounted with some options. All other users have a home directory on machine ganymede, located at /raid/home/user_name.
This isn't particularly complicated. What I find confusing is your insistence that a PARTICULAR thing take 10 minutes to solve. When that may or may not even be an issue on the other platforms.
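An added illustration, not part of the comment above: a small Python resolver for an automount map laid out the way the post describes its auto.home. The map text below is constructed (the mount option strings are assumptions, not the author's file); it shows how an explicit key and a `*` wildcard entry with `&` substitution resolve a username to host:path, and why a resolver fed keys from anywhere other than the automounter itself should refuse keys that could walk outside the export.

```python
from typing import List, Optional, Tuple

# Constructed auto.home, laid out the way the post describes it: "pvr" on
# neptune:/data with explicit options, everyone else under ganymede's
# /raid/home/<user>. The option strings are assumptions, not the author's.
AUTO_HOME = """\
# key   [-options]                  location
pvr     -rw,hard,intr,rsize=8192    neptune:/data
*       -rw,soft,intr               ganymede:/raid/home/&
"""


class MapEntry:
    """One line of a sun-format automount map: key, options, location."""

    def __init__(self, key: str, options: List[str], location: str):
        self.key = key
        self.options = options
        self.location = location

    def expand(self, user: str) -> Tuple[str, str, List[str]]:
        # '&' in the location stands for the key that matched
        host, path = self.location.replace("&", user).split(":", 1)
        return host, path, list(self.options)


def parse_map(text: str) -> List[MapEntry]:
    entries: List[MapEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        key, rest = fields[0], fields[1:]
        options: List[str] = []
        if rest and rest[0].startswith("-"):  # the options field is optional
            options = rest[0][1:].split(",")
            rest = rest[1:]
        if len(rest) != 1 or ":" not in rest[0]:
            raise ValueError(f"malformed map line: {raw!r}")
        entries.append(MapEntry(key, options, rest[0]))
    return entries


def resolve(entries: List[MapEntry], user: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (host, export path, options) for a user, or None if unmapped."""
    # The key is substituted into a path through '&'. Keys from a real
    # automounter are single path components, but a resolver fed from
    # elsewhere (a provisioning script, a web form) must not trust that.
    if not user or "/" in user or user in (".", ".."):
        raise ValueError(f"unsafe map key: {user!r}")
    wildcard: Optional[MapEntry] = None
    for entry in entries:
        if entry.key == user:          # an explicit key beats the wildcard
            return entry.expand(user)
        if entry.key == "*" and wildcard is None:
            wildcard = entry
    return wildcard.expand(user) if wildcard else None


if __name__ == "__main__":
    table = parse_map(AUTO_HOME)
    for name in ("pvr", "alice"):
        print(name, "->", resolve(table, name))
```

The explicit-key-before-wildcard rule is what makes the two-line map in the post work for every user: one override for "pvr", one pattern for the rest, and no per-user editing when someone joins.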
Anyway, I generally DON'T like debuggers. Except for a very limited purpose. I don't code in an "explorative" fashion.
If using "print" statements can't "debug" your program effectively, perhaps it is time to re-examine the design? Or, are you trying cowboy-coding?
The limited purpose(s) of debuggers:
1 - quickly gaining deep understanding of an algorithm. Here ddd (and possibly others) can help -- will display data structures graphically.
2 - quickly gaining limited understanding of someone else's code (for quick changes). Sort of a "dynamic grep" facility. For this, I like breakpoints that allow me to insert program modifications in place. See point 3; I generally use DTrace for this activity these days. Especially if I don't have source code.
3 - capturing complex interactions (if a tool like "DTrace" isn't available).
Please read my embedded comments. I am going to assume the "Gnome" desktop.
- Lock-down user desktops with varying levels of security restrictions depending on their login Organisational Unit (i.e. Accounts, Developers, etc.)
Please note that the entire "/usr" tree is automountable. In particular, this gives you automatic lockdown on desktop by user, machine, OS level, and a number of other characteristics (x86 vs Power architecture, for example).
- Auto-mount specific network shares
Unix (linux) accomplishes this by means of the "automounter". Automounter is fed by NIS or LDAP.
- Centrally configure a patch management system (WSUS equivalent) for each workstations' software updates.
Of course this is common, as is OS loading. I don't know "WSUS", but centralised upgrades are as easy as configuring your own repository in Redhat, SuSE or Fedora. I am sure other distributions have equivalent features.
- Deploy & install automatically software packages depending on OU.
That would be "kickstart", and network booting.
- Set automatically firewall policies
Why? I really don't understand this. Do you mean packet filtering rules on the local machine? Again, automount of /usr (or below) takes care of it.
- Brand each machine with company screensaver, etc, etc.
Again, once /usr is automounted (or a piece of it), -or- software is automatically deployed, this issue is simply "solved".
It depends on your application. More specifically, is your application a derivative work?
This can be answered in a number of ways -- one way by functionality, another by the difficulty of removing the GPL licensed piece. For example, a "database manager" linking to a database would probably be considered a derivative work. On the other hand, using a database to store configuration control for your application would probably not. Is the library software under the terms of the GPL, or the LGPL? (this accounts for a GREAT deal). If under LGPL, you generally have nothing to worry about if you want to distribute a "closed source" application.
If the GPL functionality is isolated, you could further isolate it, thus producing a derivative work, and publish the source to THAT. This is what nVidia does with the Linux kernel.
On the other hand, why not open-source?
(I am not a lawyer. This is not legal advice. Please consult a lawyer familiar with the law in your jurisdiction.)
Except that Bell ads claimed: "No slowdowns! It's not shared!" Indeed, there even was a TV ad where a beaver (the mascot) uses a megaphone to ask his neighbors to please stop internet use -- he is going to download a video. His buddy then tells him that it isn't needed -- they use Bell! (last seen 3 months ago).
At least the cable internet provider was never that stupid with marketing. It was always on a "best available" basis.
Off topic, but illustrative of what I think of Bell:
Now, the ONLY reason I use cable vs. Bell service is that Bell blocks port 25 -- both outbound and INBOUND. I tried it, and was lied to when I asked that exact question. They also will NOT unblock the inbound port for me, making the service useless. The only way to run a private mail service on the Bell network, using Bell services is... there isn't a way.
As a result of the direct lie, I was convinced to try the Bell service. I installed it, and... no email. After a few days I started investigating and discovered the port 25 inbound block. What a waste of time.
Rogers, on the other hand, doesn't block port 25 inbound (they now block outbound). However the Terms of Service explicitly state that I may not run servers. But... I have tried (and continue to try) to purchase business service from them. And they refuse to sell it to me (something about the service not being available in a residential area). I have informed them that I will continue to run these services, and will purchase the business service when they decide to make it available to me. At least Rogers doesn't bother me about it...
Caps? Yes Rogers has a cap. They even allow me to exceed the cap, and tell me how much it will cost. Bell? They have already directly lied to me.
After outright lies and misleading marketing we have lawsuits.
Even though I am in London right now (for the next week), my home base is Canada (Toronto). My carrier does NOT offer that service -- they would much rather I buy a phone from them. I don't have much choice for carriers; the "competition" doesn't even offer sim card support for their phones.
Completely disgusting.
I am looking for service at £50/mo with reasonable minutes, unlimited web access, email delivery and send. I don't want to be locked into a "contract" with a £200 penalty. Based on a sim card so I can replace the phone (on my own dime). Really, am I asking too much?
I can't get a "no-phone" plan. I don't get a discount because I supply my own phone! But my "plan" is just out of the penalty fee phase. I can't change the plan without getting into ANOTHER penalty fee phase. (certain features can be added or removed, but there are limits -- and my carrier won't tell me what those are).
If I replace my phone, I get into another penalty period. If I don't... I pay the same amount; but without the penalty period. And that's it.
"in-line" encryption appliances. Tape specific devices, etc.
I'll let you in on HOW they work -- each tape is labeled and barcoded. The barcode/label is scanned, automatically by the tape device. This causes a key to be generated and stored on a key server ("security appliance"). The key is associated with the label. The key is used by hardware to encrypt the data (using AES-256 or better).
The security appliance is FIPS-140 B certified (tamper evident). Also, the key can be centrally destroyed, rendering the tape useless instantly (WHEREVER it is).
Systems like this would be the wet dream of CEOs everywhere, since, as a side-effect, they offer instant plausible deniability (anything can be converted to gibberish).
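An added example, not part of the comment above and not any vendor's code: a Python model of the key-per-label scheme the post describes. A key server object creates a key the first time a tape label is scanned, the drive encrypts with that key, and central destruction of the key makes every copy of that tape unreadable. The cipher here is an HMAC-SHA256 counter-mode keystream so the example runs with the standard library only; it is a stand-in for the hardware AES-256 the post mentions, and the tape label and payload are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class KeyServer:
    """Stand-in for the 'security appliance': one random key per tape
    label, created on first scan, used only by the encrypt/decrypt path,
    and destroyable on demand."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.audit: List[Tuple[str, str]] = []   # (action, label) log

    def key_for_label(self, label: str) -> bytes:
        if label not in self._keys:              # first scan of this barcode
            self._keys[label] = secrets.token_bytes(32)   # 256-bit key
            self.audit.append(("create", label))
        return self._keys[label]

    def has_key(self, label: str) -> bool:
        return label in self._keys

    def destroy(self, label: str) -> bool:
        """Central destruction: every copy of this tape becomes gibberish."""
        if self._keys.pop(label, None) is None:
            return False
        self.audit.append(("destroy", label))
        return True


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for the
    # hardware AES-256 in the post, so the demo runs offline. Encrypt and
    # decrypt are the same XOR under the same key and nonce.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def write_tape(server: KeyServer, label: str, plaintext: bytes) -> dict:
    """The drive scans the barcode, fetches that label's key, encrypts."""
    nonce = secrets.token_bytes(16)   # fresh per write: a keystream is never reused
    return {"label": label, "nonce": nonce,
            "data": keystream_xor(server.key_for_label(label), nonce, plaintext)}


def read_tape(server: KeyServer, tape: dict) -> Optional[bytes]:
    """Plaintext, or None once the label's key has been destroyed."""
    if not server.has_key(tape["label"]):     # do not let a read recreate a key
        return None
    return keystream_xor(server.key_for_label(tape["label"]), tape["nonce"], tape["data"])


if __name__ == "__main__":
    srv = KeyServer()
    tape = write_tape(srv, "TAPE0001", b"constructed payroll export")   # constructed
    print("readable:", read_tape(srv, tape))
    srv.destroy("TAPE0001")
    print("after destroy:", read_tape(srv, tape))
```

Two things the model makes visible: the key server is now the single point of loss (lose it without a backup and every tape is unreadable, which is the same property as the "destroy" button seen from the other side), and the keystream gives confidentiality only; a production design pairs it with an integrity tag so a modified tape is rejected rather than decrypted to garbage.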
If you REALLY want an "unlisted number" -- which would be an unlisted computer, then DON'T LIST IT. Use the IP address instead.
Or, use dyndns service if you want an easier to remember sequence.
Or, use a private DNS server. You can even use your own TLDs!
If you use a registrar... you are registering the name.
I use ".org" for externally visible sites. I am POSITIVE that you don't care that my PVR is named "neptune.lan" aka "pvr.lan" or that my storage server is named "ganymede.lan". You can't get at them. Anonymity at its best. For PUBLISHED REGISTERED names, I believe the contact information should be accurate.
So, no, the "unlisted number" analogy doesn't hold.
I have domains -- all of them are .org, and ALL have valid whois information. The downside? I get spam (20 to 50 a day) that I suspect comes through the registry. But, I use my name at hotmail dot com with a forwarder for email (GetLive) and I have set the hotmail up with maximum aggressive spam filtering. I get 5 to 10 requests to "renew" my domains per year via snailmail.
All in all, not bad for 3 domains. Personally, I don't believe that fake information in the whois database should be allowed. I believe that the whois registry is like a phone book, or address list, and, because dns addresses are public, the registrants should be listed.
I do like the way you put down the abilities of "normal people". Look, here's a way to secure your house. It's called a "lock". You need to use a key -- no, not just ANY key, but the specific key. Select it, put it in and turn it. Yes, it really is three steps, so I guess the average home owner won't get it...
Tripwire -- or equivalent. Every file that is part of the system or application software is checked. Should happen every day. Any change, the owner is alerted. The approach is VERY specific. The reports generated can be (and are) very readable: a file has been added, deleted, modified in this location, with an estimated security potential of x%. Windows (as an example) ALREADY does this; this being the self-healing implementation. It doesn't extend as a generic facility (not sure why). I don't care about self-healing -- it is more important to simply know what. After all, these ARE personal systems and are easily reloaded (after all, if you DON'T KNOW why it happened, it may have resulted in a rootkit, all bets are off. Either reload with updates, or call in a specialist, meanwhile, keep the machine off the 'net, and disable any local drive writing). I wouldn't trust the system's attempt to recover.
Behavior -- an "authorized" application doesn't need to pop up any questions. After all "This may be bad" is rather stupid. How would the user know? Instead - "This application will use x amount of memory, y amount of your processor, z amount of disk and n amount of network. It promises to limit to WEB, and EMAIL". If, of course, you don't think that EMAIL is appropriate, remove that. If an application DOESN'T have such a signature, pick very low limits. 1 second of CPU, 10MB disk, 1MB memory, and 2MB network (any ports). Or whatever -- but PUBLISH the settings allowed.
The end users aren't stupid. And if you want to dispute this -- remember that you too are an end user.
There really are only two solutions - this one (control) and whitelisting. The reason that this isn't done is more of a development history issue. Microsoft started with DOS, which has a very simple policy: the running application COMPLETELY owned the machine. Thus, the expectation is this holds even today. But, all we have to do is go back to other (historical) control programs -- generally program resource requirements had to be spelled out in detail (I will use this much memory, and I want 2 tape drivers and that printer...). This works. Things like AppArmor and SElinux simply apply the rules to the resource usage of programs.
Note that you could STILL have malware, but the idea is that the resources would be constrained, making it "impotent". Remember, the dialogs "allowing" operations are futile (they can be activated too easily). It helps to begin with a source-visible kernel, simply to verify that there is no way around the OS control provisions. (I believe Windows kernel is now in this category).
Of course you can rent out movies. The Record Rental Amendment (1984) removed that right for audio records. The Computer Software Rental Amendments Act (1990) removed it for software.
However, neither books, nor videos fall into those categories.
However, it could be argued that EULA bound software (that was not purchased), is supplied to you via rental by other means. Clayton may then prevail, giving you the right to sub-rent that software. Then again, I am not in the US, and this may be wrong (any US lawyers want to comment?). I just think that you were a bit off-base.
But, look at the WAY that Java gets faster than C: by interpreting and being introspective (in your example, detecting idempotent like functions). Doesn't matter if the processor is executing Java bytecode or not. Indeed, HP has been inserting a PA-RISC interpreter into binaries to pick up similar gains.
As to the idea of higher order functions -- it's been tried. As an example, the Intel architecture has "task switch" segments. Not used, because it turns out that the incomplete case is faster. Or, examine the performance of the generic VAX call instruction. Or the idea of BCD arithmetic modes. Ideas that seemed good at the time... At a higher level - how would garbage collection be assisted? GC is now down to:
Get memory: if sufficient space, advance pointer and return
Which, in machine terms is: compare, branch_greater, add, return. Comes to four instructions. The GC operation itself is dependent on a bunch more stuff, that you (probably) don't want to bring in.
Scheduling? Where would the policy be implemented? I could see the return of "io channel programs" in order to assist the use of co-processors. But that doesn't change the instruction set architecture much.
I am not really weighing in on "RISC vs CISC" here. Generally, I prefer RISC, simply because manipulating code from a program tends to be easier. TFA indicates that the silicon to decode CISC is significant in low-power systems. I was indicating the building a Java bytecode implementation doesn't gain much.
Also, we could put more powerful instructions into the bytecode if they tend to execute too quickly. Stuff like complete control over memory management, garbage collection, etc. Each feature that would be "Kernel" could be moved into the CPU allowing even more for the hardware engineers to optimize.
You would start to lose C-style pointer functionality at some point, but you could even gain speed doing so because now the CPU can actually optimize things a compiler used to have to optimize.
We already have cases where Java can outperform C and even unoptimized assembly because they don't know enough about the code they are running.
For instance, if Java is calling a routine and that routine's data hasn't changed, Java can flag that routine and stop calling it until its data changes. Of course you could do that in assembly, but Java will do it automatically for every routine in your program whose data it can isolate.
I believe that Scala could even do more with this kind of optimization.
Same with garbage collection. In C you allocate, use, then de-allocate. In Java, the VM never wastes time on the de-allocation step for the vast majority of its allocations. (See "eden" in any recent garbage collection white-paper).
Microsoft has always coded part of Excel in bytecode. Not for speed but for code-size. If it makes that much of a difference, wouldn't code-size eventually become a transfer issue?
I just think RISC is going the wrong way when you take processor improvements into consideration.
Sounds good -- do bytecode execution, as bytecode is optimized for compilation...
But - turns out bytecode directly executed is in the same ballpark as "regular" instructions. Doesn't really gain much. (sorry, can't cite)
The reason(s)?
- programming languages following instruction conventions (example: C). C is simple, and follows a "PDP-11" model
- programming languages not expressive enough, unless they are profiled (examples: C, Java). No way to mark code "rarely used", No way to indicate parallelism.
The old CDC 6000 Pascal implementation gave us a type "alpha" which was a packed array of 10 characters. Of course that machine had a 60 bit word size, and used a 6 bit character representation. The alpha type was a string that fit into a machine register. Comparing these strings was as efficient as integer comparison.
How do you do something like this in C? The program COULD note that a particular string will not exceed a limit, but it could never hard-code that into machine code, unless an exception mechanism that was less expensive than a comparison could be put into place. Altogether a nasty problem (either for the CPU, or for the compiler writer).
Actually, it is "rules". But, it is not "patterns".
Specifically, http outbound access should be allowed for firefox. The firefox binary is /usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.
Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.
Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.
It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt to escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.
What would the worst malware look like in this scenario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).
Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and SElinux).
"AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."
Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.
As you have probably noted, this protection does not accommodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.
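An added example, not part of the comment above and not Tripwire's own code: a minimal Python version of the integrity check described here and in the earlier Tripwire comment (snapshot the known-good digest of every file, compare later, report added, deleted and modified), plus the per-program name-plus-digest rule from the firefox paragraph. The directory and file contents in `demo()` are constructed; the digest algorithm defaults to SHA-256, with MD5 available only because the post quotes an MD5 value.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Dict, Set


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Digest of one file, read in chunks so large binaries don't fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Baseline: relative path -> digest for everything under root.
    Symlinks are recorded by target, since a retargeted link is a change too."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                baseline[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                baseline[rel] = "sha256:" + hash_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify differences the way the post's reports read them."""
    old, new = set(baseline), set(current)
    return {
        "added": new - old,
        "deleted": old - new,
        "modified": {p for p in old & new if baseline[p] != current[p]},
    }


def check_binary(path: str, expected_digest: str, algorithm: str = "sha256") -> bool:
    """The per-program rule: name and digest must both match before the
    program is trusted with, say, its outbound port. Constant-time compare
    so the check itself leaks nothing about the stored value."""
    return hmac.compare_digest(hash_file(path, algorithm), expected_digest)


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a fake bin directory, then alter it."""
    root = tempfile.mkdtemp()
    try:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, body in {"firefox": b"ELF firefox build 1", "ssh": b"ELF ssh build 1"}.items():
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)
        # what an intruder, or an unrecorded update, leaves behind
        with open(os.path.join(bin_dir, "firefox"), "wb") as f:
            f.write(b"ELF firefox build 1 with extra bytes")
        os.remove(os.path.join(bin_dir, "ssh"))
        with open(os.path.join(bin_dir, "unknown"), "wb") as f:
            f.write(b"ELF unknown")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The report is only as trustworthy as the baseline, so the baseline belongs somewhere the monitored host cannot rewrite (read-only media or another machine), and the daily run should compare against that copy rather than one sitting next to the files it describes. A planned package update shows up as "modified" too, which is the point: the operator re-baselines after an update they made, and anything else is the alert.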
I didn't buy Windows in 2004. I bought it WITH the system. And it didn't work. If there is new hardware, shouldn't Microsoft update the OS to actually be installable on it? After all, Fedora does. And Fedora is a LOT less expensive. If Fedora can afford it, surely Microsoft can be held to the same standard?
I am a Solaris/Linux user. Around two years ago, I decided to build a PVR (personal video recorder). I had heard good things about Windows XP, and the mainboard I had chosen had a note in it stating that "USB 2.0 function can only be obtained with Windows XP". And all the hardware (video input devices, video display) came with drivers for Windows XP. So I bought a copy of Windows XP (retail). Assembled the system, and attempted to load Windows XP.
After loading from the DVD drive, XP booted. However, the DVD did not show up. I reinstalled. Same thing. I assumed that the DVD was defective, and replaced it. Same thing. Tried a CD. Same thing. Turns out I need a driver from the CD supplied with the mainboard in order to use the CD/DVD. How do I get it there? XP also doesn't recognize the network adapter (same deal, I need a driver). The drivers are too large to put on a floppy.
I gave up on trying to use XP for this application, and installed Linux. At least it recognized the DVD and network "out of the box" (Fedora). I then put on MythTV (I had wanted to try a Windows PVR program, but, hey... Windows didn't work).
I tried XP on another box. It also didn't work. Turns out to need a "hard disc driver". In fact, the only thing that XP works on (for me) is a VMware session. Hell, even Mac OS works there. And that's where that copy is running today (along with MS Office and some other Microsoft stuff -- development tools, and a laser printer driver).
The only thing I conclude is that you must be a Windows XP expert. Or, that Windows XP came pre-installed. I understand that VISTA supports additional (modern) devices, but I am not going to pay hundreds more to find out it doesn't.
As a parent *I* censor my kids. I also expect my authority to be respected by schools. Nobody, and very specifically, nobody that I do not have any control on, is (should be) allowed censorship.
Child porn? Yes. Racial hate literature? Yes. Targeted anti-Jewish, Muslim, Christian material? Yes. Allow it all; we will sort it out ourselves. Censorship begins with a lack of trust. The person doing the censoring doesn't trust others to have the same "decency". If the trust were there, the censorship wouldn't be needed.
My kids do not search the internet without guidance. We discuss media literacy. Why do people not believe that?
On the other hand, if someone commits a crime in order to take pictures of pre-pubescent children, and the person is caught, they will be punished. No censorship is needed. A law is broken. However, in my jurisdiction, simply writing out a fantasy involving children is illegal -- even if it is never shared. Censorship. How many pedophiles could have taken a creative approach, but, instead, committed the "real thing" because there was no possibility for release? (How's that for hitting the mom-and-apple-pie button?)
Please don't say "Linux". Say "Fedora". The repository is a collection for an Operating System. Linux is the kernel; Fedora is the Operating System.
Now, you find out what it is by asking, jmorris answers. Now you know. Or, you guess (I ran across an "msi" or something file for a Windows program recently that I wanted to use with WINE; same problem, go figure). That's the beauty of the 'net and google.
docs.fedoraproject.org, pick "Managing Software with Yum", which describes repositories. Then google "fedora repository" gets you to rpm.liva.org, which has a clickable link that installs the repository into the installer. And (as a favor), type in "yum install yumex" as root to install an extended installer.
The Linux kernel will never have such support. Native or not (whatever that means).
The Linux kernel manages computer resources (CPU, memory, devices) on behalf of applications. It pretty much stops after loading initrd and executing /init on it. Anything after that is an application from the kernel's perspective, and the flow of control becomes application driven.
Yes, it is possible to implement an entire application at this level (I've built installers that only use this), and I suspect that the Asus effort will be implemented at this level.
But double click installing of applications? Not the kernel's responsibility.
You are correct. My bad math!
Who is hurt more?
Let me guess. Virgin Media loses 6.5 million subscribers. Forever.
The subscribers lose a bit of music.
6.5 million at 10 pounds (or more) per month -- 65 million pounds per year at the bottom; it is probably closer to 120 million pounds. I guess "they" are betting that the revenues will be made up be increased CD sales. Personally, I don't think so.
The BPI doesn't have anything to lose. But Virgin Media? 1/4 billion dollars (US) a year from the bottom line? All I can say is: Wow, that's some bluff!
You STILL don't understand. Network DNA is what Unix (Linux) is all about. There is really no concept of NOT doing the things you want. The Windows "quick & easy" approach is too develop applications to FIX the issues that a desktop centric OS had with enterprise logistics. Issues that Unix (Linux) never had, because the base was networking.
Indeed, Linux is far closer to Solaris than it is to Windows: the SUN mantra is "The Network is the computer". Booting from the network, updating from the network, customizing from the network. Why should any of these BE issues?
Alternate example, the *other* way around -- why doesn't Windows XP SP2 authenticate with (or otherwise use) NIS out of the box? Why doesn't it understand POSIX file semantics? Why doesn't it support SUN automounter maps? Ok, I can see why NIS may not work (although it should have been implemented) -- but why not LDAP delivery of the information?
This would allow me to manage Windows like I manage Linux (Unix). Basically, I load the (unaltered) OS onto a new machine, plug it in telling it to use (NIS, LDAP, Hesiod), and presto, a user can log in to the box using their current authentication, and be placed immediately into their home directory.
And the integration is tighter. If it's Linux, the user sees his desktop -- AND ALSO IF IT'S SOLARIS. The same desktop. The same user/password. The same home directory. Two different OSs. N different platforms (Sparc and Intel for Solaris, a whole bunch for Linux).
With Windows? It's a completely different system.
Updating? SSH works to allow pushing active commands to (Linux, Solaris). The SAME. I tell the boxes to update. I can do thousands. If needed, I can reboot the boxes (if it's a kernel-level update), or restart services, or even ignore. The semantics of the file system are such that I can update a file, and yet have the previous version still in use. Under Windows? File updates are queued until the next reboot. Thereby forcing an eventual reboot.
Or, I can replace (dynamically) parts of the filesystem. I can do this from the automounter.
The flexibility is built into the underlying "DNA" of Unix (Linux). But, given a tool on Windows which allows (say) 20 specific network actions, I would HOPE that the tool is "easier and quicker" for those 20 activities. And, if all you have to do is one of those 20 things, Windows is then arguably easier. But these 20 things have never been a specific problem with Unix, and that tool was considered not needed.
On to a practical networking example. I have a lot of data on a client machine. I want to back the data up to a tape drive on a server, prior to updating that client. I am remote to both systems. A copy of the local data won't fit on the client machine. The client machine is outside the server security perimeter.
On Linux (Unix) I would think a few minutes, and then issue something like:
ssh client-machine 'tar --rsh-command=/usr/bin/ssh -cvf server-machine:/dev/tape .'
Now, I have to mention that I don't have the slightest idea of how to do this on a Windows base -- I would do a whole lot of hunting and clicking.
"10 minutes" and "desktop scenarios" are key here.
You see, Unix (Linux) SOLVED these issues BY DESIGN. In other words, none of these "desktop scenarios" exist. Let's take the desktop branding issue.
Why doesn't this exist? Because /usr (including /usr/bin, /usr/sbin, /usr/local etc. which includes all application software) is mandated to NOT HAVE TO EXIST when the machine (desktop) is booted. Indeed, the whole thing could be NFS mounted.
Any desktop branding software is NOT vital to the boot (which, by definition, doesn't require an X server). The support now comes down to automount maps. I concede that proper management of automount maps may be complicated in a large organisation, but it is simply a part that needs to be learned. I can't really tell you how long it takes to manage a problem that doesn't exist...
Let's take another. Automounting home directories. Let me show you the complete contents from my 'auto.home' support file:
# auto.home
pvr -rw,rsize=8192,wsize=8192,intr neptune:/data
* -rw,rsize=8192,wsize=8192,intr ganymede:/raid/home/&
It has a fairly simple layout. Mainly, the home directory for user "pvr" is on machine neptune, directory /data, and is to be mounted with some options. All other users have a home directory on machine ganymede, located at /raid/home/user_name.
This isn't particularly complicated. What I find confusing is your insistence that a PARTICULAR thing take 10 minutes to solve. When that may or may not even be an issue on the other platforms.
Try "ddd".
Anyway, I generally DON'T like debuggers. Except for a very limited purpose. I don't code in an "explorative" fashion.
If using "print" statements can't "debug" your program effectively, perhaps it is time to re-examine the design? Or, are you trying cowboy-coding?
The limited purpose(s) of debuggers:
1 - quickly gaining deep understanding of an algorithm. Here ddd (and possibly others) can help -- will display data structures graphically.
2 - quickly gaining limited understanding of someone else's code (for quick changes). Sort of a "dynamic grep" facility. For this, I like breakpoints that allow me to insert program modifications in place. See point 3; I generally use DTrace for this activity these days. Especially if I don't have source code.
3 - capturing complex interactions (if a tool like "DTrace" isn't available).
But for your own code?
Please read my embedded comments. I am going to assume the "Gnome" desktop.
- Lock-down user desktops with varying levels of security restrictions depending on their login Organisational Unit (i.e. Accounts, Developers, etc)
Please note that the entire "/usr" tree is automountable. In particular, this gives you automatic lockdown on desktop by user, machine, OS level, and a number of other characteristics (x86 vs Power architecture, for example).
- Auto-mount specific network shares
Unix (linux) accomplishes this by means of the "automounter". Automounter is fed by NIS or LDAP.
- Centrally configure a patch management system (WSUS equivalent) for each workstations' software updates.
Of course this is common, as is OS loading. I don't know "WSUS", but centralised upgrades are as easy as configuring your own repository in Redhat, SuSE or Fedora. I am sure other distributions have equivalent features.
- Deploy & install automatically software packages depending on OU.
That would be "kickstart", and network booting.
- Set automatically firewall policies
Why? I really don't understand this. Do you mean packet filtering rules on the local machine? Again, automount of /usr (or below) takes care of it.
- Brand each machine with company screensaver, etc, etc.
Again, once /usr is automounted (or a piece of it), -or- software is automatically deployed, this issue is simply "solved".
It depends on your application. More specifically, is your application a derivative work?
This can be answered in a number of ways -- one way by functionality, another by the difficulty of removing the GPL licensed piece. For example, a "database manager" linking to a database would probably be considered a derivative work. On the other hand, using a database to store configuration control for your application would probably not. Is the library software under the terms of the GPL, or the LGPL? (this accounts for a GREAT deal). If under LGPL, you generally have nothing to worry about if you want to distribute a "closed source" application.
If the GPL functionality is isolated, you could further isolate it, thus producing a derivative work, and publish the source to THAT. This is what nVidia does with the Linux kernel.
On the other hand, why not open-source?
(I am not a lawyer. This is not legal advice. Please consult a lawyer familiar with the law in your jurisdiction.)
Except that Bell ads claimed: "No slowdowns! It's not shared!" Indeed, there even was a TV ad where a beaver (the mascot) uses a megaphone to ask his neighbors to please stop internet use -- he is going to download a video. His buddy then tells him that it isn't needed -- they use Bell! (last seen 3 months ago).
At least the cable internet provider was never that stupid with marketing. It was always on a "best available" basis.
Off topic, but illustrative of what I think of Bell:
Now, the ONLY reason I use cable vs. Bell service is that Bell blocks port 25 -- both outbound and INBOUND. I tried it, and was lied to when I asked that exact question. They also will NOT unblock the inbound port for me, making the service useless. The only way to run a private mail service on the Bell network, using Bell services is... there isn't a way.
As a result of the direct lie, I was convinced to try the Bell service. I installed it, and... no email. After a few days I started investigating and discovered the port 25 inbound block. What a waste of time.
Rogers, on the other hand, doesn't block port 25 inbound (they now block outbound). However the Terms of Service explicitly state that I may not run servers. But... I have tried (and continue to try) to purchase business service from them. And they refuse to sell it to me (something about the service not being available in a residential area). I have informed them that I will continue to run these services, and will purchase the business service when they decide to make it available to me. At least Rogers doesn't bother me about it...
Caps? Yes Rogers has a cap. They even allow me to exceed the cap, and tell me how much it will cost. Bell? They have already directly lied to me.
After outright lies and misleading marketing we have lawsuits.
Tony
Even though I am in London right now (for the next week), my home base is Canada (Toronto). My carrier does NOT offer that service -- they would much rather I buy a phone from them. I don't have much choice for carriers; the "competition" doesn't even offer sim card support for their phones.
Completely disgusting.
I am looking for service at £50/mo with reasonable minutes, unlimited web access, email delivery and send. I don't want to be locked into a "contract" with a £200 penalty. Based on a sim card so I can replace the phone (on my own dime). Really, am I asking too much?
I envy the situation in the UK...
I can't get a "no-phone" plan. I don't get a discount because I supply my own phone! But my "plan" is just out of the penalty fee phase. I can't change the plan without getting into ANOTHER penalty fee phase. (certain features can be added or removed, but there are limits -- and my carrier won't tell me what those are).
If I replace my phone, I get into another penalty period. If I don't... I pay the same amount; but without the penalty period. And that's it.
I want to see a "no-phone" rate...
Yes, I would like to sue the provider.
No, it isn't
"in-line" encryption appliances. Tape specific devices, etc.
I'll let you in on HOW they work -- each tape is labeled and barcoded. The barcode/label is scanned, automatically by the tape device. This causes a key to be generated and stored on a key server ("security appliance"). The key is associated with the label. The key is used by hardware to encrypt the data (using AES-256 or better).
The security appliance is FIPS-140 B certified (tamper evident). Also, the key can be centrally destroyed, rendering the tape useless instantly (WHEREVER it is).
Systems like this would be the wet dream of CEOs everywhere, since, as a side-effect, they offer instant plausible deniability (anything can be converted to gibberish).
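The key-per-tape scheme described above, modelled as an added example in Go (not code from the post or from any vendor's appliance): one AES-256 key is minted per tape label, data is sealed under that key with the label bound as associated data, and destroying the key on the "appliance" is what makes every copy of the tape unreadable. The names `KeyServer`, `SealBlock`, `OpenBlock` and the label `TAPE000123` are chosen here for illustration, and an in-memory map stands in for the tamper-evident hardware key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once a label's key has been crypto-erased.
var ErrKeyDestroyed = errors.New("no key for this tape label: destroyed or never issued")

// KeyServer stands in for the "security appliance": one 256-bit key per tape
// label (barcode), minted on first scan, destroyable on demand. Hypothetical
// type for this example; a real appliance keeps keys in tamper-evident hardware.
type KeyServer struct{ keys map[string][]byte }

func NewKeyServer() *KeyServer { return &KeyServer{keys: map[string][]byte{}} }

// KeyFor returns the key bound to a label, generating a fresh AES-256 key the
// first time that barcode is seen. Only the write path calls it.
func (ks *KeyServer) KeyFor(label string) ([]byte, error) {
	if k, ok := ks.keys[label]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[label] = k
	return k, nil
}

// Destroy is the central crypto-erase: with the key gone, every copy of the
// tape, wherever it physically is, is unreadable.
func (ks *KeyServer) Destroy(label string) {
	if k, ok := ks.keys[label]; ok {
		for i := range k {
			k[i] = 0 // best-effort wipe of the in-memory copy
		}
		delete(ks.keys, label)
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBlock encrypts one tape block with AES-256-GCM under the label's key.
// The label is bound as associated data, so a block cut from tape A cannot be
// passed off as part of tape B. Layout: nonce || ciphertext || tag. A random
// 96-bit nonce per block is fine here; a drive writing billions of blocks
// under one key should use a counter-based nonce to rule out nonce reuse.
func SealBlock(ks *KeyServer, label string, plaintext []byte) ([]byte, error) {
	key, err := ks.KeyFor(label)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenBlock decrypts a sealed block. It never mints a key, so it fails once
// the key is destroyed, and GCM rejects a wrong label or altered data.
func OpenBlock(ks *KeyServer, label string, sealed []byte) ([]byte, error) {
	key, ok := ks.keys[label]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("block too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(label))
}

func main() {
	ks := NewKeyServer()
	blk, _ := SealBlock(ks, "TAPE000123", []byte("constructed sample block"))
	out, err := OpenBlock(ks, "TAPE000123", blk)
	fmt.Printf("before destroy: %q err=%v\n", out, err)
	ks.Destroy("TAPE000123")
	out, err = OpenBlock(ks, "TAPE000123", blk)
	fmt.Printf("after destroy: %q err=%v\n", out, err)
}
```

The point the "plausible deniability" remark rests on is visible in `OpenBlock`: it looks the key up rather than asking for one, so once `Destroy` has run there is nothing on the tape, or on any copy of it, that decrypts, and an altered or relabelled block fails the GCM tag check before any plaintext is released.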
If you REALLY want an "unlisted number" -- which would be an unlisted computer, then DON'T LIST IT. Use the IP address instead.
Or, use dyndns service if you want an easier to remember sequence.
Or, use a private DNS server. You can even use your own TLDs!
If you use a registrar... you are registering the name.
I use ".org" for externally visible sites. I am POSITIVE that you don't care that my PVR is named "neptune.lan" aka "pvr.lan" or that my storage server is named "ganymede.lan". You can't get at them. Anonymity at its best. For PUBLISHED REGISTERED names, I believe the contact information should be accurate.
So, no, the "unlisted number" analogy doesn't hold.
Why thank you!
I have domains -- all of them are .org, and ALL have valid whois information. The downside? I get spam (20 to 50 a day) that I suspect comes through the registry. But, I use my name at hotmail dot com with a forwarder for email (GetLive) and I have set the hotmail up with maximum aggressive spam filtering. I get 5 to 10 requests to "renew" my domains per year via snailmail.
All in all, not bad for 3 domains. Personally, I don't believe that fake information in the whois database should be allowed. I believe that the whois registry is like a phone book, or address list, and, because dns addresses are public, the registrants should be listed.
But maybe that's just me.
I do like the way you put down the abilities of "normal people". Look, here's a way to secure your house. It's called a "lock". You need to use a key -- no, not just ANY key, but the specific key. Select it, put it in and turn it. Yes, it really is three steps, so I guess the average home owner won't get it...
Tripwire -- or equivalent. Every file that is part of the system or application software is checked. Should happen every day. Any change, the owner is alerted. The approach is VERY specific. The reports generated can be (and are) very readable: a file has been added, deleted, modified in this location, with an estimated security potential of x%. Windows (as an example) ALREADY does this; this being the self-healing implementation. It doesn't extend as a generic facility (not sure why). I don't care about self-healing -- it is more important to simply know what. After all, these ARE personal systems and are easily reloaded (after all, if you DON'T KNOW why it happened, it may have resulted in a rootkit, all bets are off. Either reload with updates, or call in a specialist, meanwhile, keep the machine off the 'net, and disable any local drive writing). I wouldn't trust the systems attempt to recover.
Behavior -- an "authorized" application doesn't need to pop up any questions. After all "This may be bad" is rather stupid. How would the user know? Instead - "This application will use x amount of memory, y amount of your processor, z amount of disk and n amount of network. It promises to limit to WEB, and EMAIL". If, of course, you don't think that EMAIL is appropriate, remove that. If an application DOESN'T have such a signature, pick very low limits. 1 second of CPU, 10MB disk, 1MB memory, and 2MB network (any ports). Or whatever -- but PUBLISH the settings allowed.
The end users aren't stupid. And if you want to dispute this -- remember that you too are an end user.
There really are only two solutions - this one (control) and whitelisting. The reason that this isn't done is more of a development history issue. Microsoft started with DOS, which has a very simple policy: the running application COMPLETELY owned the machine. Thus, the expectation is this holds even today. But, all we have to do is go back to other (historical) control programs -- generally program resource requirements had to be spelled out in detail (I will use this much memory, and I want 2 tape drives and that printer...). This works. Things like AppArmor and SElinux simply apply the rules to the resource usage of programs.
Note that you could STILL have malware, but the idea is that the resources would be constrained, making it "impotent". Remember, the dialogs "allowing" operations are futile (they can be activated too easily). It helps to begin with a source-visible kernel, simply to verify that there is no way around the OS control provisions. (I believe Windows kernel is now in this category).
Of course you can rent out movies. The Record Rental Amendment (1984) removed that right for audio records. The Computer Software Rental Amendments Act (1990) removed it for software.
However, neither books, nor videos fall into those categories.
However, it could be argued that EULA bound software (that was not purchased), is supplied to you via rental by other means. Clayton may then prevail, giving you the right to sub-rent that software. Then again, I am not in the US, and this may be wrong (any US lawyers want to comment?). I just think that you were a bit off-base.
Check with your lawyer, before you proceed.
For your consideration
mplayer, with the "all" codec pack. Forget about Windows and Real formats; mplayer with the "all codecs" pack handles it.
But, look at the WAY that Java gets faster than C: by interpreting and being introspective (in your example, detecting idempotent-like functions). Doesn't matter if the processor is executing Java bytecode or not. Indeed, HP has been inserting a PA-RISC interpreter into binaries to pick up similar gains.
As to the idea of higher order functions -- it's been tried. As an example, the Intel architecture has "task switch" segments. Not used, because it turns out that the incomplete case is faster. Or, examine the performance of the generic VAX call instruction. Or the idea of BCD arithmetic modes. Ideas that seemed good at the time... At a higher level - how would garbage collection be assisted? GC is now down to:
Get memory: if sufficient space, advance pointer and return
Which, in machine terms is: compare, branch_greater, add, return. Comes to four instructions. The GC operation itself is dependent on a bunch more stuff, that you (probably) don't want to bring in.
Scheduling? Where would the policy be implemented? I could see the return of "io channel programs" in order to assist the use of co-processors. But that doesn't change the instruction set architecture much.
I am not really weighing in on "RISC vs CISC" here. Generally, I prefer RISC, simply because manipulating code from a program tends to be easier. TFA indicates that the silicon to decode CISC is significant in low-power systems. I was indicating that building a Java bytecode implementation doesn't gain much.
Also, we could put more powerful instructions into the bytecode if they tend to execute too quickly. Stuff like complete control over memory management, garbage collection, etc. Each feature that would be "Kernel" could be moved into the CPU allowing even more for the hardware engineers to optimize.
You would start to lose C-style pointer functionality at some point, but you could even gain speed doing so because now the CPU can actually optimize things a compiler used to have to optimize.
We already have cases where Java can outperform C and even unoptimized assembly because they don't know enough about the code they are running.
for instance, if Java is calling a routine and that routine's data hasn't changed, java can flag that routine and stop calling it until its data changes. Of course you could do that in assembly, but java will do it automatically for every routine in your program whose data it can isolate.
I believe that Scala could even do more with this kind of optimization.
Same with garbage collection. In C you allocate, use, then de-allocate. In Java, the VM never wastes time on the de-allocation step for the vast majority of its allocations. (See "eden" in any recent garbage collection white-paper).
Microsoft has always coded part of Excel in bytecode. Not for speed but for code-size. If it makes that much of a difference, wouldn't code-size eventually become a transfer issue?
I just think RISC is going the wrong way when you take processor improvements into consideration.
Sounds good -- do bytecode execution, as bytecode is optimized for compilation...
But - turns out bytecode directly executed is in the same ballpark as "regular" instructions. Doesn't really gain much. (sorry, can't cite)
The reason(s)?
- programming languages following instruction conventions (example: C). C is simple, and follows a "PDP-11" model
- programming languages not expressive enough, unless they are profiled (examples: C, Java). No way to mark code "rarely used", No way to indicate parallelism.
The old CDC 6000 Pascal implementation gave us a type "alpha" which was a packed array of 10 characters. Of course that machine had a 60 bit word size, and used a 6 bit character representation. The alpha type was a string that fit into a machine register. Comparing these strings was as efficient as integer comparison.
How do you do something like this in C? The program COULD note that a particular string will not exceed a limit, but it could never hard-code that into machine code, unless an exception mechanism that was less expensive than a comparison could be put into place. Altogether a nasty problem (either for the CPU, or for the compiler writer).
Actually, it is "rules". But, it is not "patterns".
Specifically, http outbound access should be allowed for firefox. The firefox binary is /usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.
Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.
Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.
It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.
What would the worst malware look like in this scenario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).
Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (AppArmor and SELinux).
"AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."
Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.
As you have probably noted, this protection does not accommodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.
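The two halves of the model above (the Tripwire-style snapshot that reports added, deleted and modified files, and the behaviour profile bound to a name/hash pair so that a replaced /usr/bin/firefox automatically loses its port-80 allowance) as one added Go example. This is not code from the post, from Tripwire or from SELinux/AppArmor; `Baseline`, `Snapshot`, `Compare`, `Policy` and `Allowed` are names chosen here, and the sample tree is constructed in a temporary directory. It hashes with SHA-256 rather than MD5 because MD5 collisions are practical, and "same hash, same program" only holds for a collision-resistant hash.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Baseline maps a root-relative path to the hex SHA-256 of its contents: the
// "OK state" snapshot. Hypothetical type for this example, not Tripwire's own
// database format.
type Baseline map[string]string

func hashFile(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// Snapshot hashes every regular file under root. Symlinks and device nodes are
// skipped, so a planted symlink cannot point the checker at the wrong bytes.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		h, err := hashFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		b[filepath.ToSlash(rel)] = h
		return nil
	})
	return b, err
}

// Report is the daily alert: what was added, deleted or modified since baseline.
type Report struct{ Added, Deleted, Modified []string }

func Compare(old, cur Baseline) Report {
	var r Report
	for p, h := range cur {
		if oh, ok := old[p]; !ok {
			r.Added = append(r.Added, p)
		} else if oh != h {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range old {
		if _, ok := cur[p]; !ok {
			r.Deleted = append(r.Deleted, p)
		}
	}
	return r
}

// Policy is the behaviour profile bound to a (path, hash) pair, as in the
// firefox example: this exact binary may open these outbound ports.
type Policy struct {
	Hash  string
	Ports map[int]bool
}

// Allowed asks "may the program at path, as it is on disk right now, use port?".
// No profile, or a hash that no longer matches, gets nothing: the "pick very
// low limits" default for programs without a signature.
func Allowed(policies map[string]Policy, root, path string, port int) (bool, error) {
	pol, ok := policies[path]
	if !ok {
		return false, nil
	}
	h, err := hashFile(filepath.Join(root, path))
	if err != nil {
		return false, err
	}
	return h == pol.Hash && pol.Ports[port], nil
}

func main() {
	root, _ := os.MkdirTemp("", "baseline") // constructed sample tree, not a real /usr
	defer os.RemoveAll(root)
	ff := filepath.Join(root, "bin", "firefox")
	os.MkdirAll(filepath.Dir(ff), 0o755)
	os.WriteFile(ff, []byte("original binary"), 0o755)
	base, _ := Snapshot(root)
	pol := map[string]Policy{"bin/firefox": {Hash: base["bin/firefox"], Ports: map[int]bool{80: true, 443: true}}}
	os.WriteFile(ff, []byte("trojaned binary"), 0o755) // simulate a replaced binary
	cur, _ := Snapshot(root)
	ok, _ := Allowed(pol, root, "bin/firefox", 80)
	fmt.Printf("report=%+v firefox-port80-allowed=%v\n", Compare(base, cur), ok)
}
```

Two practitioner caveats that the post's rootkit remark already hints at: the baseline itself has to live somewhere the checked host cannot write (a read-only medium or another machine), or malware simply updates it, and a hash check only proves the bytes on disk are unchanged, not that the running process is the one those bytes describe. `Allowed` re-hashes at decision time for that reason; a real enforcement point would do this once at exec and cache the verdict per process.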
I didn't buy Windows in 2004. I bought it WITH the system. And it didn't work. If there is new hardware, shouldn't Microsoft update the OS to actually be installable on it? After all, Fedora does. And Fedora is a LOT less expensive. If Fedora can afford it, surely Microsoft can be held to the same standard?
Or is Windows really that bad?
And your experience is an anecdote. Here's mine.
I am a Solaris/Linux user. Around two years ago, I decided to build a PVR (personal video recorder). I had heard good things about Windows XP, and the mainboard I had chosen had a note in it stating that "USB 2.0 function can only be obtained with Windows XP". And all the hardware (video input devices, video display) came with drivers for Windows XP. So I bought a copy of Windows XP (retail). Assembled the system, and attempted to load Windows XP.
After loading from the DVD drive, XP booted. However, the DVD did not show up. I reinstalled. Same thing. I assumed that the DVD was defective, and replaced it. Same thing. Tried a CD. Same thing. Turns out I need a driver from the CD supplied with the mainboard in order to use the CD/DVD. How do I get it there? XP also doesn't recognize the network adapter (same deal, I need a driver). The drivers are too large to put on a floppy.
I gave up on trying to use XP for this application, and installed Linux. At least it recognized the DVD and network "out of the box" (Fedora). I then put on MythTV (I had wanted to try a Windows PVR program, but, hey... Windows didn't work).
I tried XP on another box. It also didn't work. Turns out to need a "hard disc driver". In fact, the only thing that XP works on (for me) is a VMware session. Hell, even Mac OS works there. And that's where that copy is running today (along with MS Office and some other Microsoft stuff -- development tools, and a laser printer driver).
The only thing I conclude is that you must be a Windows XP expert. Or, that Windows XP came pre-installed. I understand that VISTA supports additional (modern) devices, but I am not going to pay hundreds more to find out it doesn't.
Wrong
As a parent *I* censor my kids. I also expect my authority to be respected by schools. Nobody, and very specifically, nobody that I do not have any control on, is (should be) allowed censorship.
Child porn? Yes. Racial hate literature? Yes. Targeted anti-Jewish, Muslim, Christian material? Yes. Allow it all; we will sort it out ourselves. Censorship begins with a lack of trust. The person doing the censoring doesn't trust others to have the same "decency". If the trust were there, the censorship wouldn't be needed.
My kids do not search the internet without guidance. We discuss media literacy. Why do people not believe that?
On the other hand, if someone commits a crime in order to take pictures of pre-pubescent children, and the person is caught, they will be punished. No censorship is needed. A law is broken. However, in my jurisdiction, simply writing out a fantasy involving children is illegal -- even if it is never shared. Censorship. How many pedophiles could have taken a creative approach, but, instead, committed the "real thing" because there was no possibility for release? (How's that for hitting the mom-and-apple-pie button?)
Read my lips - there should be no censorship.
Please don't say "Linux". Say "Fedora". The repository is a collection for an Operating System. Linux is the kernel; Fedora is the Operating System.
Now, you find out what it is by asking, jmorris answers. Now you know. Or, you guess (I ran across an "msi" or something file for a Windows programs recently that I wanted to use with WINE; same problem, go figure). That's the beauty of the 'net and google.
docs.fedoraproject.org, pick "Managing Software with Yum", which describes repositories. Then google "fedora repository" gets you to rpm.liva.org, which has a clickable link that installs the repository into the installer. And (as a favor), type in "yum install yumex" as root to install an extended installer.
The Linux kernel will never have such support. Native or not (whatever that means).
The Linux kernel manages computer resources (CPU, memory, devices) on behalf of applications. It pretty much stops after loading initrd and executing /init on it. Anything after that is an application from the kernel's perspective, and the flow of control becomes application driven.
Yes, it is possible to implement an entire application at this level (I've built installers that only use this), and I suspect that the Asus effort will be implemented at this level.
But double click installing of applications? Not the kernel's responsibility.