Perl's had support for quantum computing for three years, thanks to Damian Conway's Quantum::Superpositions module. I saw him do a presentation in Portland a few months back, and it was pretty mind-blowing. It may seem odd to talk about programming a computer that doesn't exist yet, but Q::S actually works.
The promise of quantum computers is doing computations (as Damian says) "in multiple universes, in constant time" and Q::S obviously can't do this. It can and does, however, act like you're programming a quantum computer by allowing you to give one scalar multiple simultaneous values.
Like Perl wasn't confusing enough, now it's like programming line noise... in multiple universes :)
However, many analysts believe a successfully Google IPO could rejuvenated Internet-company investments.
Here's the full text:
However, many [former] analysts [polled at the local homeless shelter] believe a successfully Google IPO could rejuvenated Internet-company investments. "It'll be a brand-new economy!" they said. "Based on unshakeable principles of eternal growth, eyeballs, mindshare and synergy. Oh, God, please give us one more chance!"
Well, I hate to throw any fresh meat under the bridge, but...
I hold a Master's degree in Philosophy and have recently completed a Master of Science in Psychology.
Yup. I'd say that this guy pretty much fits the Debian mold.
I suspect that someone like Linus would simply ignore the long, drawn out threads on licensing that the Debian team loves so dearly. ("Well, *this* package should be in nonfree because it depends on another package that is dual-licensed but has all new contributions donated only to the nonfree license version...").
That's one of the stupidest ad hominems I've ever seen on Slashdot, and that's saying something. If you'd studied philosophy you'd realize that your pithy little personal attack is not only completely irrelevant, but nonsensical. If you'd studied any psychology you might see that a deep understanding of your fellow human beings is important if you're going to manage a large group of them.
If there weren't a number of geeks very concerned about things like licensing we wouldn't have Linux in the first place. We might have a nice kernel, but that's a long shot from a Free OS.
Debian's view is pretty simple: "If the software we use isn't Free, then someone can legally ask us to stop using it. Therefore, our operating system and its tools will always be Free, and no parts of it will ever depend on any software that is not Free." If that's not important to you keep using Red Hat, or Gentoo, or rolling your own. But for fuck's sake spend a little time researching who writes the tools you use before you try to make lame jokes about them. I suppose you're the type to bitch about the ACLU being a bunch of extremists but posted a "Microsoft sucks" comment when they try to censor Slashdot, eh?
My new fighting technique is unstoppable "Get your war on," page 4:
"Bah! We're living in the 21st Century, and people still wage war to impress invisible superheroes who live in outer space! I thought we'd all be chilling out in solar-powered flying cars by now!"
Thanks for replying, first of all. My goal here is not to flame you but convince you of the advantages of the full disclosure position.
Quoth the poster:
...how would it look, if you were a software developer, if you told your customers that your software has a hole, and that you can't fix it?
To begin with, it would look like the truth. Secondly, it would look like you're putting your customers' security needs ahead of your own public image. I realize this is anathema to most large corporations, which is why strenuous arguments need to be made in favor of the correct position.
I say keep it the way it is, only let the people who have the knowledge and desire to fix these vulnerabilities know about them.
So how do you tell who has that knowledge? Make them sign up on a list beforehand? That's meaningless. Make them take a test? That would be a nightmare to administer. The situation now is nothing like what you describe - ability to fix the problem is not a precondition to have access to this information. As far as I can tell <opinion type="uninformed">the only requirement for getting this information is paying a hefty annual fee to CERT</opinion>.
Once they are fixed, announce the bug and the patch in the same sentence.
Perhaps you're not aware that this is the way the system operated for a long time. It was recognition of the fatal flaws of that system that started people calling for full disclosure. The vendor must be given no wiggle room, because they will almost always put their own public image ahead of the needs of their customers. Given a choice between fixing a security flaw that no one knows about and adding a new feature, which choice will a vendor make? In fact, most vendors chose to roll security patches into the new version, due in 9 months; if you got cracked in the meantime, you'd have no idea how or why, and the vendor would be no help. The game changes dramatically if there's public pressure due to rapid disclosure.
Disclose early and often to the people who can fix it, not me, I sure as hell do not know how to fix it.
Neither do I, actually. But making the information public gives you the greatest chance of reaching someone who can fix the problem. We've already established that no scalable "knowledge or desire" requirement can be imposed, so the reasonable solution is to give the information to everyone.
What you're missing, though, is that there's another solution aside from fixing faulty software: taking it offline. If a vendor announced a flaw that gave up all their servers to crackers, I'd like to be able to make the risk/benefit calculation of taking my servers offline completely, implementing different software, or trusting to luck. Without disclosure all you can do is hope to get lucky.
To get a little off-topic, remember the discussion a couple months ago about asteroid impact? Many in the astronomy community favor utter silence in the case of inevitable planetary apocalypse by asteroid impact. There are two problems with this, and both these problems map exactly onto our security disclosure argument (although the rest of the problem does not, and granted the stakes are much higher).
First, just because a small group of people can't come up with a solution does not mean that all 6 billion of us working together, or one genius working in isolation, cannot. Chances for such a solution may be small, but in this case I would leap at any small chance. Second, inevitably someone else will discover the asteroid, and then all the secrecy will have been for naught.
The only rational argument against full disclosure is that the disclosure itself can cause more harm than the vulnerability. Clueful admins will read the security bulletins and should be trusted to make their own fully-informed decisions; clueless admins don't install security fixes or read bulletins, so they may be worse off in the case of full disclosure. Fuck 'em. I have a bumper sticker on my truck: "Stupidity should be painful."
What usually happens in this scenario is that parents remove the child seats in blind panic and as a result 10x more kids are killed by seatbelts and not being in carseats than would have been killed by the carseats.
So if it were your kid and your car seat, would you prefer to know or not to know? What do you think most other parents would say? What do you think most other parents would say to your "I know best so I'll keep you in ignorance" attitude?
In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed.... However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
You're making a dangerous and unwarranted assumption: that "white hat" hackers find vulnerability information before "black hat" crackers. This is not the case. If one person can discover a security flaw, so can another, and a cracker intending to use his knowledge for ill is certainly not going to report it to CERT.
Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone.
Script kiddies are not the problem. Sure, they might 0wn a couple Windows machines, but their very lack of subtlety is what makes them a second-rate danger. The scary crackers are those that find a single, important flaw themselves and rapidly use that information to compromise systems for their own gain, never telling anyone else. It's well-documented that most digital corporate break-ins are not brought to the attention of the authorities or the security community, so Joe Scary Cracker can continue to use his exploit until a white hat finds it.
Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:
- Notify the manufacturer, then wait for said manufacturer to discover a fix and write a press release.
- Loudly notify the entire world so that parents can reduce the risk themselves.
In the above case, the only reason to delay is to protect the manufacturer, so the analogy isn't perfect. Home burglar alarms would be a better analogy, but less vivid.
For many people charged with security, this is an easy question: they want all possible information on vulnerabilities the second that someone discovers them. They can shut off services, craft firewall rules, compile in patches, write their own damn patches. The worst-case scenario for them is that their systems are afflicted with a vulnerability that anyone else but them knows about.
Besides, here's the elephant in the living room that no one wants to address: if one person can somehow acquire this information and post it to a public list, another person can use the information for ill gain. One of these vulnerabilities wasn't due to be announced 'til June?? That's a long fucking time for (e.g.) your bank's online transaction processor to be vulnerable.
Disclose early; disclose often. Anything else multiplies the risk for the people who can least afford it.
For replacement (i.e. destruction or loss) I've yet to see an extended warranty that decent homeowner's/renter's insurance wouldn't equal or beat. Sure, insurance plans have deductibles while the extended warranties generally do not, but think of the extended warranty premium as your deductible.
For repair these can be useful for extending the warranty term beyond the original manufacturer's limit, but even then some insurance will help you. Frankly, in our little consumer orgy of an economic system, most items are replaced before their manufacturer warranties run out anyway, so it's moot.
Extended warranties are nearly pure profit for retail chains: they sell you something that you'll likely never use for what is often a premium over what the service (e.g. repair) would cost you anyway.
You're quibbling about logical consistency on Star Trek???!!!!
Yes, absolutely he is, and so should you be. Good science fiction is all about internal consistency. Go ahead and invent all the technology you want, but make sure that the world you create works in a predictable way. Don't, for instance, create an android of incredible logical ability and then have him beaten in 3D chess by some bimbo counselor.
Those are interesting comparisons, but you're basically arguing about chocolate and vanilla. Spidey and Daredevil are very, very different characters. A young boy growing up on the East Side won't relate very well to a rich lawyer with an ass-kicking girlfriend, but he will relate to Spidey: too tortured to have a girlfriend, the only super-hero who goes to a laundromat.
Kingpin was a much more interesting villain than the Goblin, who was basically just a cackling idiot.
I can't argue with that, though. I'm sad they used Goblin as the villain, and I can only guess that they were saving one of the weakest villains for the first of what they hoped would be a long franchise.
Nice to see support when it matters [OT ?] on RMS Turns 50 (Score: 1)
When I saw this story I thought the same that many of you did: "Oh shit, this is going to be the biggest flame war ever." But so far it looks like I'm wrong. Browsing from my ivory tower of +4 most comments about RMS are respectful and informative. Slashdot has a (partially deserved) reputation as the epicenter of uninformed knee-jerk reactions, but it's good to see that when it matters there's a deep current of respect for the man.
I take your point, but in all fairness the $40k/year figure was for a band that went gold - 128 bands out of 30,000. So yeah, $40k/year, if you're in the top .005%. Doesn't sound so good now, does it?
Notice how the author compares CGI unfavorably with something he calls DMF? Here it is, and it looks like one of the flagship products of this company. Imagine that.
He's setting up a straw man, then claiming that his own (proprietary, for-profit... not that there's anything wrong with that) solution is better. When he says "CGI" he's talking about something that few people use for anything but toys. Slashdot (e.g.) uses the Perl CGI module, but runs it under mod_perl, thus obviating most of his arguments (CGI is slow, must be compiled at run-time, and has no access to the web server internals). Slashdot, again, uses a templating system, thus taking care of his second argument (programmers must copy-paste HTML into their code).
Both these problems have been solved for over 5 years, yet he's trying to make it sound like his beautiful DMF is the first to even discover them. *Yawn* - another press release day on /.
One would hope it could be made clear in the title (currently: "Apache: Security Hole Found in 4.3.0") that this is in fact a PHP hole, not an Apache one.
I actually work (as a programmer) in the porn industry. I'm afraid the 'no porn' standard might not work so well at the office. Any suggestions on a better strategy for us?
Yeah, log anything containing the words "Moral Majority" and bust people for that:)
The point of this rant is "trust but verify." I was pretty permissive about what people did, and almost everyone paid that back with respect for my requests. Some hard-line sysadmins I knew were always complaining of problems, and trying desperately to implement technical measures preventing people from (e.g.) shopping during their lunch hours. Consequently their users hated them. I had, and enforced, only one policy, trusting the users to make the best use of their own time. If they had a performance problem it was their manager's problem, not mine, and it was measured by actual work performance, not 'net access logs.
When I ran the network for a 60-person architecture firm, I used to bust people for porn, but nothing else. Every new employee got the same spiel: "Do what you want with your computer, aside from setting it on fire. See these settings here? They're company-wide. You can change 'em, but they'll be back in the morning. Here's where you make your own custom settings. You can't install anything from your browser, which is for your own security; ask me if you want to install anything else and I'll probably say yes. One thing - no porn."
It worked well, and most people said it was much more lenient than other places they'd worked. The company's policy was "no porn" and I supported it whole-heartedly. I don't care if people watch porn, but doing it at work is (a) nasty and (b) begging for a lawsuit.
I'd bust someone, usually a new hire, about every six months. Some of them did a brilliant job of sanitizing their machines, but they couldn't get to the proxy logs. They'd get a stern talking to by the principals, enough to make most of 'em wet themselves, 'specially when presented with a list of all the sites they visited, and we had no repeat offenders.
And much of what has been passed off in the past as a substitute for 'meat' has been pretty unpalatable. Even food that was not passed off that way sometimes isn't very great, tofu for instance.
IAAV (vegetarian). I agree with you that most meat substitutes are pretty bad; most vegetarians I know don't eat them. They're very expensive, often taste bad, and much less interesting than (gasp) vegetables.
Tofu, on the other hand, is a wonderful food - properly prepared. As a food substitute (e.g. tofu "scrambled eggs" or, as one EX-gf used to make, vegan tofu chocolate chip cookies, with no eggs, butter, or chocolate) it's nasty, because it's coerced into being something it isn't. Preparation is the key - just like you wouldn't chop a raw chicken into cubes and throw it in a pot, tofu needs some TLC - wash it, press it, dry it, fry it is what I do.
Tofu excels at picking up the flavor of the dish. It's wonderful in Asian food, where sauces and fresh vegetables are the primary attraction. Deep-fried very lightly (less than 30 seconds) it holds together, but still picks up the sauce. It's freaking brimming with protein and calcium, with very little fat. Plus it's patriotic - half the midwest is planted in soybeans. :)
Actually, no - perhaps you should have read the article before trotting out the tired, old "Blame the sysadmins" line.
Don't get me wrong - the sysadmins certainly have some responsibility. At the end of the day, they're paid to keep the system running. If the system isn't running, they're not doing their job. Ergo.
However, many people smarter than me (e.g. Bruce Schneier) have pointed out that Microsoft's patch policy is completely bankrupt. From the article:
"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."
Another quote from the article:
In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again
So here you have a vendor who:
- Can't keep their own systems patched, even 6 months after the fact.
- Issues patches that break previous patches.
How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch? While in an ideal world you'd say, "Yes - roll the patch out first on a test system and make sure it fixes the current issue and breaks nothing else." you'd have to be smoking crack to think many people have the manpower or time to do this.
The core issue here is that Microsoft has built its software with very little attention to security, and you can't make up for that with a month or two of "security consciousness." They've explicitly sacrificed security at the altar of market share, and now it's coming back to bite them (and all their customers) in the ass.
Debian is great, but their ethics get in the way of putting out a first class distro.
Depends on what your goals are, doesn't it?
Anyone else think that debian is getting a bit anal in these matters?
"Getting?" Since when have Debian not been anal in this way? Their charter and policies are pretty clear, I think.
To "win the desktop"... If granny has to figure out...
This is all true, and all completely beside the point. There are few distributions more ill-suited for Granny than Debian. This has been true since Debian's inception, and will likely be true for quite some time to come. It's by design: Debian is for people who want a heavily-customizable, very stable, free, and Free OS. If you want "Granny-useful," pick another distro.
violation of blah blah charter blah blah... legal flame wars about how paragraph 32 line 8 words 14-18 in the program license
No offense, and I'm sure you realize this, but the fact that these issues appear to you to be "blah blah" is another indication that Debian is not for you. That's fine - there are many other distros that do what you want.
Sorry to rant, but I've noticed more and more lately how debian's philosophy is getting in the way of me getting the programs I want to use.
This is a result of more and more people developing software for Linux, not Debian's changing policies. Yes, they're anal; yes, they're legalistic. However their goal is a lofty one - be the Galahad of Linux distros. If you don't share that goal, use another distro and God bless you. But don't flame them for standing firm by the principles they've used, publicly, since the start.
You're right, but that's a very different point from the original poster's: he said that the tracks were used as guidelines for the circles, which in many cases is obviously incorrect.
Re:Always the tracks...not true at all on Top of the Crops 2002 (Score: 3, Informative)
if you look closely, the track always intersects the design in the center, or at a node that could be the "pivot point" of the design.
Demonstrably not true. This pattern isn't aligned at a right angle to the tracks, or intersected by tracks at any crucial points. Some are; some aren't apparently.
I'm not a luddite, and I don't think we should preemptively ban Segways. We've got plenty of laws for people acting unsafely in the public right-of-way. If some nut on a Segway mows down an old lady in a crosswalk, bust him for that, not for his ride. Read on, though...
Are they going to ban skateboards, roller blades, and inline electric scooters as well?
Here in Portland you're not allowed to skateboard or roller[blade|skate] on many sidewalks, and I can't imagine electric scooters are permitted on any sidewalk. Neither do I want Segways tying up the bike lane. I've put over 20,000 miles on a couple bikes in Portland, so I speak from experience. It's dangerous enough without these slow (12MPH top speed? barely spare change to me on a bike), bulky (wider than a bike) things being driven by total newbies running down the middle of the bike lane.
Segways are supposed to be safer than these things.
There you have the crux of it. "Supposed to be" according to whom? According to research done by the company that stands to make a fortune if they're widely adopted, that's who. There have been no large-scale tests done by disinterested 3rd parties, so we have no idea how safe these things are. I've only seen one in real life, and I nearly got nailed by it. They're quiet, they're bigger, faster and heavier than anything else on the sidewalk. Maybe they have horns or bells or something, but the guy who nearly creamed me didn't use it.
Bleh, fucking lame ass government stifling innovation because of imagined phantoms.
Stifling innovation? Christ, breathe into a bag for a minute before you hyperventilate; no one's outlawing the manufacture or distribution of the bloody things. A couple cities are reacting badly to being pressured to accept them sight unseen. I'd much rather my city council give the high hat to a high-tech lobbying firm than just rubber-stamp their ideas. NYC also banned them in the city: the ban is only good for a year, and doesn't apply to some government employees, who will be testing them for safety. What's wrong with a city deciding for itself whether or not to allow a new and potentially disruptive form of transportation?
Let's keep things exactly the way they are... I hate this preemptive rulemaking bullshit.
If you really thought that, then you'd be equally outraged by states preemptively allowing Segways, hmm?
...is not an excuse, justification, or defense. At best it's a rationalization, and a poor one. If the best thing you (and I mean "you" in the general sense) can say about your actions is, "Everyone else is doing it, so I might as well make my lettuce while I can," then you're in sorry shape indeed.
But I said that was peripheral and it is. My main point is: your answers to the uncomfortable questions were evasive. I know you're not the architect of this scheme, and perhaps the world would be different if you ran it all, but that isn't the point. The geeks here asked you a number of questions because you're an authority. I think that either (a) I'm not just harsh but incorrect in my criticisms, in which case I'll apologize, or (b) my criticisms are correct and you did not, in fact, provide us with the honesty you could have.
Christ, Taco, will you read your own fucking site every now and then?
Wow - a total bald-faced lie. Thankfully I've got a 'foes' list to deal with trolls like you ...
I take your point, but in all fairness the $40k/year figure was for a band that went gold - 128 bands out of 30,000. So yeah, $40k/year, if you're in the top .005%. Doesn't sound so good now, does it?
Notice how the author compares CGI unfavorably with something he calls DMF? Here it is, and it looks like one of the flagship products of this company. Imagine that.
He's setting up a straw man, then claiming that his own (proprietary, for-profit ... not that there's anything wrong with that) solution is better. When he says "CGI" he's talking about something that few people use for anything but toys. Slashdot (e.g.) uses the Perl CGI module, but runs it under mod_perl, thus obviating most of his arguments (CGI is slow, must be compiled at run-time, and has no access to the web server internals). Slashdot, again, uses a templating system, thus taking care of his second argument (programmers must copy-paste HTML into their code).
Both these problems have been solved for over 5 years, yet he's trying to make it sound like his beautiful DMF is the first to even discover them. *Yawn* - another press release day on /.
One would hope it could be made clear in the title (currently: "Apache: Security Hole Found in 4.3.0") that this is in fact a PHP hole, not an Apache one.
When I ran the network for a 60-person architecture firm, I used to bust people for porn, but nothing else. Every new employee got the same spiel: "Do what you want with your computer, aside from setting it on fire. See these settings here? They're company-wide. You can change 'em, but they'll be back in the morning. Here's where you make your own custom settings. You can't install anything from your browser, which is for your own security; ask me if you want to install anything else and I'll probably say yes. One thing - no porn."
It worked well, and most people said it was much more lenient than other places they'd worked. The company's policy was "no porn" and I supported it whole-heartedly. I don't care if people watch porn, but doing it at work is (a) nasty and (b) begging for a lawsuit.
I'd bust someone, usually a new hire, about every six months. Some of them did a brilliant job of sanitizing their machines, but they couldn't get to the proxy logs. They'd get a stern talking to by the principals, enough to make most of 'em wet themselves, 'specially when presented with a list of all the sites they visited, and we had no repeat offenders.
The point of this rant is "trust but verify." I was pretty permissive about what people did, and almost everyone paid that back with respect for my requests. Some hard-line sysadmins I knew were always complaining of problems, and trying desperately to implement technical measures preventing people from (e.g.) shopping during their lunch hours. Consequently their users hated them. I had, and enforced, only one policy, trusting the users to make the best use of their own time. If they had a performance problem it was their manager's problem, not mine, and it was measured by actual work performance, not 'net access logs.
Tofu, on the other hand, is a wonderful food - properly prepared. As a food substitute (e.g. tofu "scrambled eggs" or, as one EX-gf used to make, vegan tofu chocolate chip cookies, with no eggs, butter, or chocolate) it's nasty, because it's coerced into being something it isn't. Preparation is the key - just like you wouldn't chop a raw chicken into cubes and throw it in a pot, tofu needs some TLC - wash it, press it, dry it, fry it is what I do.
Tofu excels at picking up the flavor of this dish. It's wonderful in Asian food, where sauces and fresh vegetables are the primary attraction. Deep-fried very lightly (less than 30 seconds) it holds together, but still picks up the sauce. It's freaking brimming with protein and calcium, with very little fat. Plus it's patriotic - half the Midwest is planted in soybeans.
Don't get me wrong - the sysadmins certainly have some responsibility. At the end of the day, they're paid to keep the system running. If the system isn't running, they're not doing their job. Ergo.
However, many people smarter than me (e.g. Bruce Schneier) have pointed out that Microsoft's patch policy is completely bankrupt. From the article: Another quote from the article: So here you have a vendor who:
- Can't keep their own systems patched, even 6 months after the fact.
- Issues patches that break previous patches.
How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch? While in an ideal world you'd say, "Yes - roll the patch out first on a test system and make sure it fixes the current issue and breaks nothing else," you'd have to be smoking crack to think many people have the manpower or time to do this.

The core issue here is that Microsoft has built its software with very little attention to security, and you can't make up for that with a month or two of "security consciousness." They've explicitly sacrificed security at the altar of market share, and now it's coming back to bite them (and all their customers) in the ass.
You're right, but that's a very different point from the original poster's: he said that the tracks were used as guidelines for the circles, which in many cases is obviously incorrect.
This is peripheral to the main point, but:
But I said that was peripheral and it is. My main point is: your answers to the uncomfortable questions were evasive. I know you're not the architect of this scheme, and perhaps the world would be different if you ran it all, but that isn't the point. The geeks here asked you a number of questions because you're an authority. I think that either (a) I'm not just harsh but incorrect in my criticisms, in which case I'll apologize, or (b) my criticisms are correct and you did not, in fact, provide us with the honesty you could have.