I have used Eric's website since before he went to Wolfram, and I was really pissed when it went off the net. Eric has managed to bring it back, but in such a form that it appears that CRC will continue to receive income from the mear existance of the website, and will now be allowed to publish books based on the future changes.
To me, this means that this website is now proprietary. This is like what happened to the cddb, or SSH. Maybe it is time to start the
equivalent of freedb and OpenSSH, and to replace Eric's website. Produce a website under a publishing equivalent of the GPL or the
BSD source license.
Or is time to fork?
I don't know that it's time to fork the entire web site. But I do think it's time for contributors to start their own fork, unless they want to give away their own time and efforts. Not to Eric, not to some larger community of users, but to CRC Publishing. And keep Eric's example in mind -- once you give CRC something, you can't even put it up on your own web site!
It would take a lot of effort to re-generate Eric's site from scratch. But if you don't do it from scratch, CRC can (and, from recent history, probably will!) claim you're infringing on its copyright, signed over to them by Eric. So, unless you're willing to spend the next five years re-writing lots of math examples from lots of different books, don't even start.
It hurts me to say this, because Eric has spent so much time creating mathworld, but please consider not contributing to his web site. If you do, please do not sign over your rights to CRC. Anything you sign over to them, you will lose, and so will the larger web-based community. It's time to fork mathworld for future contributions, and keep it under some acceptable kind of license.
It would be nice if someone could work out an arrangement with Eric and Wolfram, whereby a new site could start accepting new contributions, and the old mathworld site could link to them. But that ideal would require another dedicated volunteer, and lawyerly approval.
This decision illustrates that we, the consumers, still have a bit of common law (and common sense) on our side. Pass UCITA, and shrinkwrap licenses ARE legally binding (even if you can't read them before you buy, and even if it changes because somebody posts a change without notifying you on a web site 3,000 miles away). Gear up, gearheads, legislative season is not far off.
They've added alpha as a bootable architecture. Does anybody still make alpha machines anymore? And if they do, how long will it be before HPaq kills it off entirely?
I don't think I said anything about Linux (or any other free software) being bug-free. I was commenting on the assertion that Micro$soft did all the patch preparation for you. They prepare patches, all right, but I'd rather install a kernel rpm than hope one of the MS patches was throughly tested and wouldn't cause more problems than it solves.
FWIW, the Linux kernel bugs you refer to were local exploits. You do understand the difference between a local exploit and something like Code Red/Nimda/Outhouse bugs, don't you?
BTW, when were you able to install a MS patch without rebooting? Every time I reboot, it affects my uptime!
'With Linux, customers "end up being in the operating systems business," managing software updates and security patches while making sure the multitude of software packages don't conflict with each other," Miller said. "That's the job of a software vendor like Microsoft."'
How many patches and updates have Microsoft published in the last year? And how many of those were pulled, because they weren't tested properly? I haven't had to re-install Linux on any of the boxes I admin since we went to RH 6.2. The MSCE-in-training down the hall can't say that about the last three months on his Windoze boxes. Imagine doing that for 100, 1,000, or even more! What fun! Thank you, Microsoft!
There are a couple of aspects Oram didn't address here. First, for almost all colleges and universities, there is one unavoidable chokepoint: the line to the outside. The bandwidth issue comes when you have to pay for another pipe to the outside. For a lot of suburban/rural campuses, that means you also have to pay for the installation, and possibly for the connection at the other end. With a finite number of students (constrained by available housing in many instances), that means higher fees to support flat rate connections.
Second, P2P may work fine within the university with current equipment for current applications. Now add in P2P video, streaming audio, you name it. Now you're talking about multiples, or decades, of new traffic for your new P2P applications. (Almost nobody wants to do great new things with ASCII text, alas!) Soon you will need new switches, routers, all within your on-site network. A $12,000 router may not be too bad, until you need one for every 1,000 users. And if traffic keeps growing, you may need to replace it in 3-5 years. Flat rate fees? Going up!
I'll be looking for another search engine. The cost was enormous on L-N, the search engine was archaic last time I tried, and the quality of returned searches was pathetic.
Balmer: "It's the Windows to beat Windows." Sounds like the OS/2 mantra, "A better Windows than Windows," and some advertising slogans for Amiga, Gem, DR-DOS, and surely I'm forgetting a few.
So now that MS's slogans are reduced to copying those of their deceased competitors (OK, both of you OS/2 users sit back down!), maybe now Windows will follow the same fate -- oblivion in three years.
As tightly bound up in patents as voice/sound is, unless W3C takes a truly RAND stance (free, no less), they may as well get out of the way. You may be looking at "non-discriminatory" license fees of $10,000 from half a dozen big companies. That's $10,000 EACH. (Or maybe more, depending on how greedy they are.)
Each of these will negotiate a licensing agreement with the others, for free. But they won't discriminate against anybody else, oh, no!
So why does W3C want to get their hands dirty? Let the big boys go off and negotiate it themselves; that's what they're doing now. This patent-encumbered "standard" will be rather like X was in its early days. And it will fall apart, just like X did when XFree86 started doing the real work, maintenance, and innovation.
If there is a real RAND, free to anyone using the standard (as written, no Microsoft extensions), then the standard has a chance. That's what W3C should drive home before they promulgate a bunch of "open" (aka proprietary) standards.
OK, so the brass doesn't like it. But what has pushed full and open disclosure in the past? Sun et al may have started it, but Microsoft has taken over in the last half-dozen years as the chief promulgator of these proven effective methods:
(1) Ignore bug reports. Make the people who find them so mad they look for some lever to force you, the vendor, to act.
(2) Deny bug reports. Call anyone who finds a flaw a liar. Tell all the news media they're liars trying to lower your stock price.
(3) When confronted with a real flaw, and press who have seen the reports, claim it's only a "theoretical vulnerability." Unless there's a working crack, it ain't real!
(4) Only when confronted with a working exploit should you start to work on a problem. Publish half-assed binary patches. Make sure they'll corrupt any system which doesn't have half a dozen other patches applied in the correct order.
OK, I guess that brings us up to today. Security researchers, and ordinary users, know they have to publish details of the problem and probably a working exploit to get you to work on a fix, however pathetic. Now you have lots of reports and exploits floating around. (You could have developed and published a good product to begin with, but it's too late now!) A breed of vermin known as script kiddies reads the publicly available reports and exploits, and uses them. You may have driven users, your customers, every step of the way to get here, but whose fault is it that the script kiddies are informed and armed? Naturally, it's not your fault; it's the bad people who find the flaws in your crappy software!
Sorry, I guess I didn't make it clear. The source code can persuade me (if it checks out OK) that the source they post is clean. However, you can also get your own "anonymous" e-mail, i.e., acoward@cryptomail.org.
It's this e-mail address that they control I don't trust. I don't recognize any of the e-mail addresses, or for that matter, any of the names of the developers. They may be honorable men, but I don't know them. They don't have any traceability through the names, and they don't have any organizational traceability I'd feel comfortable with. (Although I'm not sure either e-trust or BBB online would be appropriate here.)
The point I was trying to make is simply, I wouldn't trust the e-mail account they host with any sensitive information. It doesn't have to be, "Hijack today." It could just as easily be confidential business letters, love notes (especially to someone with an Arabic name), e-mail to or from some medical support group, etc.
I looked around the site, and couldn't find anything but the source code to persuade me they're honest, above-board, privacy advocates. This could just as well be an FBI front, if they really believe some criminal is too stupid to use real crytography to protect e-mail.
Either put up with the ads, or skip the site. I don't read NYTimes articles more than once every month or two. I haven't seen anything worth reading from them that doesn't show up on another, less annoying site, sooner or later. The exceptions (for me at NYT) are the articles I really want to read now.
(quick - who is the house member from your district?)
But that's just the point -- people generally don't know these things off the top of their head. And even if you did, can you recite the postal address by heart? That's much less likely.
And here's the other point: if you care, you can find out. Start with thomas.loc.gov, or www.house.gov, or www.senate.gov. If you know where you live, you can figure out who's representing you. Then you can contact them. Then you can vote, either for or against them.
If you just like to complain, don't pretend you can't do anything else. It takes a choice to try to affect your government. You can make that choice any time.
(quick - who is the house member from your district?)
But that's just the point -- people generally don't know these things off the top of their head. And even if you did, can you recite the postal address by heart? That's much less likely.
>>Does anyone have a step-by-step manual for how to implement an IIS replacement?... My company uses IIS, but we don't use many of the features. We use the VPN, Web server (basic ASP queries against Access databases), and that's about it.... To really get something out of the operating system, I need to be able to install and implement those features easily. The nice thing about IIS is that it's easy to install and administer for basic tasks for people used to the MS interface (most people that use computers). If I can be shown how easy it is to change to a Linux solution, I'd probably make the switch in a heartbeat.
It looks like you're going to let yourself be driven by ease of use. I sense you're planning to sit down one afternoon, try to learn a whole new set of tools, and then throw in the towel because it's too difficult.
Let me make a counter-suggestion. Instead of trying to learn Linux, Apache, and one of the Linux-based databases, why don't you try to learn how to harden Windows/IIS? NIST put out a document this summer on how to do that. Follow all the steps. Install all the updates. Start logging, and monitoring the logs.
Point is, it isn't a one-time operation to harden either Windows or Linux. It isn't all as easy as clicking your way through pop-up windows. If you make an honest attempt to harden Windows, that may suffice. If it doesn't, you'll know just how hard the process is; you'll be able to support a proposal to switch to something more secure; you'll have a clue what you're up against, and hopefully you'll be willing to invest the time and effort, on a continuous basis, to secure your operation.
I though the SR-71 routinely flew up in the 100,000 ft altitude range. I don't know if that was the "Aviation Leak" operational altitude, or if that's what it hit on its one unclassified flight (the one at the end of its service life where an SR-71 set a new speed record on its way to the museum).
There's been a gradual decline, but it's hard to say exactly when or where it happened. At the same time, there's now so much news that it's hard to keep track of it all. And it's not all as important as it was a few years ago, so I don't feel the need to keep up with EVERYTHING in Linux any more. There's more I just don't care about on LT than there used to be. And there's stuff I'm interested in that doesn't get covered. (Slashdot has the same problem.) So what's a reader to do?
Personally, I've added a few more sites to check in on regularly, and I've subscribed to a couple of mailing lists.
Paul did write some informative and amusing articles (and rants!). I'm glad he's found a new "home." Wonder if LT can get over their attitude long enough to link to varlinux?
I'm part-time admin over 20 Linux boxes. We replace them every 3-4 years (a few at a time). Even if we stick with one boxed set every six months (and between us part-timers, that's about the right average, even though we've stuck with Redhat 6.2), that's $150/year we spend on Linux.
Almost all our machines are from Dell. Hard to know what the Microsoft tax is, but if you assume $50/box, we're spending $250-300/year on Windoze. If you throw in the other boxes our group buys to keep updated 'doze machines on everybody's desk, it's probably double that. Double it again for Office on new machines. (AFAIK, only one person uses a feature of Office 97, everybody else could just as well use Office 95. Except to read the e-mail memos with O2000 Word and Excel attachments.) And now that some sucker in a suit signed the company up for a MS site license, we have to worry about license audits; we're spending over $4000 this year alone, just in our group, to make sure we can find all the certificates.
I like ASS. (Hmm, Freudian slip?) GNASH, they way you've got it acronymed (GNASH's Not A Secure SHell), should be GNASSH, which will confuse Tatu yet again. Somebody on Linux Today suggested blowshell - nice parallel to blowfish, and a hint of how to instruct the lawyers...
If you're using Netscape, you don't have to worry so much. First, edit the.netscape/bookmarks file. It's a text file. Delete all the lines that include doubleclick, or any other server that you don't know what it does.
Then set the bookmarks file to read-only.
This allows doubleclick and its ilk to set a cookie. But every time you re-start, it starts all over. So they get a little bit of data, but they can only trail you through one session.
Or would you rather trust those bastard's opt-out, we wouldn't do anything nasty, we're good guys farce?
In this respect, (any) certification is rather like a college degree. After you have a track record, it is (at most) a punched job ticket, and not terribly relevant. But when you're just starting out, either certification or a degree may be a job ticket you have to have before they'll let you in the door.
Slashdot Mirror
To me, this means that this website is now proprietary. This is like what happened to the cddb, or SSH. Maybe it is time to start the
equivalent of freedb and OpenSSH, and to replace Eric's website. Produce a website under a publishing equivalent of the GPL or the
BSD source license.
Or is time to fork?
I don't know that it's time to fork the entire web site. But I do think it's time for contributors to start their own fork, unless they want to give away their own time and efforts. Not to Eric, not to some larger community of users, but to CRC Publishing. And keep Eric's example in mind -- once you give CRC something, you can't even put it up on your own web site!
It would take a lot of effort to re-generate Eric's site from scratch. But if you don't do it from scratch, CRC can (and, from recent history, probably will!) claim you're infringing on its copyright, signed over to them by Eric. So, unless you're willing to spend the next five years re-writing lots of math examples from lots of different books, don't even start.
It hurts me to say this, because Eric has spent so much time creating mathworld, but please consider not contributing to his web site. If you do, please do not sign over your rights to CRC. Anything you sign over to them, you will lose, and so will the larger web-based community. It's time to fork mathworld for future contributions, and keep it under some acceptable kind of license.
It would be nice if someone could work out an arrangement with Eric and Wolfram, whereby a new site could start accepting new contributions, and the old mathworld site could link to them. But that ideal would require another dedicated volunteer, and lawyerly approval.
This decision illustrates that we, the consumers, still have a bit of common law (and common sense) on our side. Pass UCITA, and shrinkwrap licenses ARE legally binding (even if you can't read them before you buy, and even if it changes because somebody posts a change without notifying you on a web site 3,000 miles away). Gear up, gearheads, legislative season is not far off.
5 are no longer produced: amiga, hp300, mac68k, sparc, vax
2 are still sold but for how long?: alpha (Compact is droping alpha CPUs in favor of Intel 64bit CPU), mvme68k (Motorola new
model of VME board use PowerPC cpus) only 3 are actively produced: i386, macppc, sparc64
OK, so you see what I'm trying to say. Why add $10 to the price, and another CD to the pack, to be able to boot more dead architectures?
They've added alpha as a bootable architecture. Does anybody still make alpha machines anymore? And if they do, how long will it be before HPaq kills it off entirely?
FWIW, the Linux kernel bugs you refer to were local exploits. You do understand the difference between a local exploit and something like Code Red/Nimda/Outhouse bugs, don't you?
BTW, when were you able to install a MS patch without rebooting? Every time I reboot, it affects my uptime!
They (RIAA and MPAA) must not have contributed enough to various senatorial campaigns. The "United We Take Away Your Rights" act passed without it.
How many patches and updates have Microsoft published in the last year? And how many of those were pulled, because they weren't tested properly? I haven't had to re-install Linux on any of the boxes I admin since we went to RH 6.2. The MSCE-in-training down the hall can't say that about the last three months on his Windoze boxes. Imagine doing that for 100, 1,000, or even more! What fun! Thank you, Microsoft!
Second, P2P may work fine within the university with current equipment for current applications. Now add in P2P video, streaming audio, you name it. Now you're talking about multiples, or decades, of new traffic for your new P2P applications. (Almost nobody wants to do great new things with ASCII text, alas!) Soon you will need new switches, routers, all within your on-site network. A $12,000 router may not be too bad, until you need one for every 1,000 users. And if traffic keeps growing, you may need to replace it in 3-5 years. Flat rate fees? Going up!
You get what you pay for.
TANSTAAFL.
Now just how bad do you want more bandwidth?
I'll be looking for another search engine. The cost was enormous on L-N, the search engine was archaic last time I tried, and the quality of returned searches was pathetic.
Balmer: "It's the Windows to beat Windows." Sounds like the OS/2 mantra, "A better Windows than Windows," and some advertising slogans for Amiga, Gem, DR-DOS, and surely I'm forgetting a few.
So now that MS's slogans are reduced to copying those of their deceased competitors (OK, both of you OS/2 users sit back down!), maybe now Windows will follow the same fate -- oblivion in three years.
Great idea, except they'll only cross-license with each other, leaving the rest of humanity out in the cold.
As tightly bound up in patents as voice/sound is, unless W3C takes a truly RAND stance (free, no less), they may as well get out of the way. You may be looking at "non-discriminatory" license fees of $10,000 from half a dozen big companies. That's $10,000 EACH. (Or maybe more, depending on how greedy they are.)
Each of these will negotiate a licensing agreement with the others, for free. But they won't discriminate against anybody else, oh, no!
So why does W3C want to get their hands dirty? Let the big boys go off and negotiate it themselves; that's what they're doing now. This patent-encumbered "standard" will be rather like X was in its early days. And it will fall apart, just like X did when XFree86 started doing the real work, maintenance, and innovation.
If there is a real RAND, free to anyone using the standard (as written, no Microsoft extensions), then the standard has a chance. That's what W3C should drive home before they promulgate a bunch of "open" (aka proprietary) standards.
OK, so the brass doesn't like it. But what has pushed full and open disclosure in the past? Sun et al may have started it, but Microsoft has taken over in the last half-dozen years as the chief promulgator of these proven effective methods:
(1) Ignore bug reports. Make the people who find them so mad they look for some lever to force you, the vendor, to act.
(2) Deny bug reports. Call anyone who finds a flaw a liar. Tell all the news media they're liars trying to lower your stock price.
(3) When confronted with a real flaw, and press who have seen the reports, claim it's only a "theoretical vulnerability." Unless there's a working crack, it ain't real!
(4) Only when confronted with a working exploit should you start to work on a problem. Publish half-assed binary patches. Make sure they'll corrupt any system which doesn't have half a dozen other patches applied in the correct order.
OK, I guess that brings us up to today. Security researchers, and ordinary users, know they have to publish details of the problem and probably a working exploit to get you to work on a fix, however pathetic. Now you have lots of reports and exploits floating around. (You could have developed and published a good product to begin with, but it's too late now!) A breed of vermin known as script kiddies reads the publicly available reports and exploits, and uses them. You may have driven users, your customers, every step of the way to get here, but whose fault is it that the script kiddies are informed and armed? Naturally, it's not your fault; it's the bad people who find the flaws in your crappy software!
Sorry, I guess I didn't make it clear. The source code can persuade me (if it checks out OK) that the source they post is clean. However, you can also get your own "anonymous" e-mail, i.e., acoward@cryptomail.org.
It's this e-mail address that they control I don't trust. I don't recognize any of the e-mail addresses, or for that matter, any of the names of the developers. They may be honorable men, but I don't know them. They don't have any traceability through the names, and they don't have any organizational traceability I'd feel comfortable with. (Although I'm not sure either e-trust or BBB online would be appropriate here.)
The point I was trying to make is simply, I wouldn't trust the e-mail account they host with any sensitive information. It doesn't have to be, "Hijack today." It could just as easily be confidential business letters, love notes (especially to someone with an Arabic name), e-mail to or from some medical support group, etc.
I looked around the site, and couldn't find anything but the source code to persuade me they're honest, above-board, privacy advocates. This could just as well be an FBI front, if they really believe some criminal is too stupid to use real crytography to protect e-mail.
Either put up with the ads, or skip the site. I don't read NYTimes articles more than once every month or two. I haven't seen anything worth reading from them that doesn't show up on another, less annoying site, sooner or later. The exceptions (for me at NYT) are the articles I really want to read now.
Pity; Salon did have some good stuff on occasion.
(quick - who is the house member from your district?)
But that's just the point -- people generally don't know these things off the top of their head. And even if you did, can you recite the postal address by heart? That's much less likely.
And here's the other point: if you care, you can find out. Start with thomas.loc.gov, or www.house.gov, or www.senate.gov. If you know where you live, you can figure out who's representing you. Then you can contact them. Then you can vote, either for or against them.
If you just like to complain, don't pretend you can't do anything else. It takes a choice to try to affect your government. You can make that choice any time.
(quick - who is the house member from your district?)
But that's just the point -- people generally don't know these things off the top of their head. And even if you did, can you recite the postal address by heart? That's much less likely.
>>Does anyone have a step-by-step manual for how to implement an IIS replacement? ... My company uses IIS, but we don't use many of the features. We use the VPN, Web server (basic ASP queries against Access databases), and that's about it. ... To really get something out of the operating system, I need to be able to install and implement those features easily. The nice thing about IIS is that it's easy to install and administer for basic tasks for people used to the MS interface (most people that use computers). If I can be shown how easy it is to change to a Linux solution, I'd probably make the switch in a heartbeat.
It looks like you're going to let yourself be driven by ease of use. I sense you're planning to sit down one afternoon, try to learn a whole new set of tools, and then throw in the towel because it's too difficult.
Let me make a counter-suggestion. Instead of trying to learn Linux, Apache, and one of the Linux-based databases, why don't you try to learn how to harden Windows/IIS? NIST put out a document this summer on how to do that. Follow all the steps. Install all the updates. Start logging, and monitoring the logs.
Point is, it isn't a one-time operation to harden either Windows or Linux. It isn't all as easy as clicking your way through pop-up windows. If you make an honest attempt to harden Windows, that may suffice. If it doesn't, you'll know just how hard the process is; you'll be able to support a proposal to switch to something more secure; you'll have a clue what you're up against, and hopefully you'll be willing to invest the time and effort, on a continuous basis, to secure your operation.
I though the SR-71 routinely flew up in the 100,000 ft altitude range. I don't know if that was the "Aviation Leak" operational altitude, or if that's what it hit on its one unclassified flight (the one at the end of its service life where an SR-71 set a new speed record on its way to the museum).
There's been a gradual decline, but it's hard to say exactly when or where it happened. At the same time, there's now so much news that it's hard to keep track of it all. And it's not all as important as it was a few years ago, so I don't feel the need to keep up with EVERYTHING in Linux any more. There's more I just don't care about on LT than there used to be. And there's stuff I'm interested in that doesn't get covered. (Slashdot has the same problem.) So what's a reader to do?
Personally, I've added a few more sites to check in on regularly, and I've subscribed to a couple of mailing lists.
Paul did write some informative and amusing articles (and rants!). I'm glad he's found a new "home." Wonder if LT can get over their attitude long enough to link to varlinux?
I'm part-time admin over 20 Linux boxes. We replace them every 3-4 years (a few at a time). Even if we stick with one boxed set every six months (and between us part-timers, that's about the right average, even though we've stuck with Redhat 6.2), that's $150/year we spend on Linux.
Almost all our machines are from Dell. Hard to know what the Microsoft tax is, but if you assume $50/box, we're spending $250-300/year on Windoze. If you throw in the other boxes our group buys to keep updated 'doze machines on everybody's desk, it's probably double that. Double it again for Office on new machines. (AFAIK, only one person uses a feature of Office 97, everybody else could just as well use Office 95. Except to read the e-mail memos with O2000 Word and Excel attachments.) And now that some sucker in a suit signed the company up for a MS site license, we have to worry about license audits; we're spending over $4000 this year alone, just in our group, to make sure we can find all the certificates.
$5000 vs $150? Looks like Linux is a bargain!
I like ASS. (Hmm, Freudian slip?) GNASH, they way you've got it acronymed (GNASH's Not A Secure SHell), should be GNASSH, which will confuse Tatu yet again. Somebody on Linux Today suggested blowshell - nice parallel to blowfish, and a hint of how to instruct the lawyers...
If you're using Netscape, you don't have to worry so much. First, edit the .netscape/bookmarks file. It's a text file. Delete all the lines that include doubleclick, or any other server that you don't know what it does.
Then set the bookmarks file to read-only.
This allows doubleclick and its ilk to set a cookie. But every time you re-start, it starts all over. So they get a little bit of data, but they can only trail you through one session.
Or would you rather trust those bastard's opt-out, we wouldn't do anything nasty, we're good guys farce?
In this respect, (any) certification is rather like a college degree. After you have a track record, it is (at most) a punched job ticket, and not terribly relevant. But when you're just starting out, either certification or a degree may be a job ticket you have to have before they'll let you in the door.