The size graph on the wikipedia article linked above suggests up to four orders of magnitude of size difference and that suggests 1% could be a very typical number. But far be it from me to suggest that anybody read the fucking articles linked from the posting they are replying to.
the need to rebuild the box from zero (to be 100% sure that no back doors are present). 3 man working days @ 1.5 k per day = 4.5 kEuro
the need to audit all logs in detail to identify what happened and be sure what data was accessed: 2 mwd if already prepared in advance, more likely about 10 mwd (15 kEuro)
the time spent with a lawyer to identify what further responsibilities you may have (~ Uncountable Infinity Euro ??? )
the cost of any customer notifications.
the damage to your business reputation when it gets out which hosting company you used
the cost of security measures to ensure the breach does not repeat. IMHO this should be ruled out but normally isn't
Getting over the (typical) 10k (dollar/euro/whatever) bar to get a serious international police investigation is normally a triviality.
there are legitimate reasons for a provider to have *some* access
If you give your provider access, that means you should treat them like any other subcontractor: NDAs, employee vetting, security audits, etc. It's probably just too much hassle.
As for assistance when something goes wrong: if it's important then you have it backed up with a reliable redundant server in a separate location. Just make sure that the chance of a second outage in the time it takes you to get to the location is below the acceptable outage rate for your system. If it won't be, have three redundant locations. If you have it only in one location then you already accepted the risk of occasional multi-day outages, so just go with the flow and fix it as quick as you can.
secure your server behind a locked cabinet door
Now there is a serious idea. There are all sorts of locked enclosures. Keep your local UPS and server in one of those. This means that the provider has to actually do property damage to break in and also makes it much clearer that you took your security seriously so that you actually can lodge a complaint.
Hooking CPAN up to RPMs or DPKGs is obviously the domain of those producing the distribution not "the perl gods".
Hooking possibly yes; providing the hooks they can hook onto is what the perl gods definitely could do and choose not to. To be honest though, even the hooking should be done by the perl people. If you want your libraries and applications out there and usable and you aren't in the top end of applications, then packaging is your own responsibility. Now, normally the answer at this stage is "it's given to you for free, if you don't like it go and fix it yourself". The thing, however, is that the perl community doesn't seem to want to accept fixes to these problems even when provided by others.
because I'm not the administrator and so this means that I have an incoherent second module system in parallel to the system install. If it was an RPM the admin would just install it
because I am an admin and the main reason I choose an RPM system is I don't want to lose track of my software so I don't want random software installed separately
The obvious, easy, already attempted by many people, is to use the CPAN infrastructure to build RPMs and DPKGs which people could then install and delete at will. The perl gods have had multiple fine chances to have this integrated but reject it every time because they know better.
perl -MCPAN -e 'install "App::SVN::Bisect"'
will be okay at the point where it installs the resulting libraries as proper packages suitable for the local package manager. Not before.
He could have sold it to the first world, gotten the economies of scale on his side
Possibly not. If I understand right, lots of the reason they can be as cheap as they can is that they don't have to pay patent royalties. Most often this is because they are a charity and not directly competing with the patent owner.
No; because a) you would be doing it with HTML not XML and b) because your style sheet would be formatting, not structure (presentation not semantic). These differences mean that you wouldn't match the patent. Note that the patent cites prior art doing more or less similar things with SGML. Now, it might seem stupid to you (and it does to me) that specifically choosing a new combination of things that nobody in particular thought of before, but which "anyone" could think of if they set out to list different combinations, then writing a document, gets you a monopoly, but that is exactly how patents work and more or less what they are for. You might think this patent is "obvious", but that is because you have a different definition of the word obvious from the one used by patent lawyers.
Generally patent troll means a company which doesn't produce anything but gathers (generally by buying) other people's patents, waits for related technologies to become valuable and then runs around threatening to sue people.
i4i actually produced an XML editing extension
i4i went around trying to sell their technology
i4i still has a number of customers
i4i actually fought to the end of the law suit and
i4i has a specific patent and doesn't try to claim close by technologies like ODF
there are many different ways of doing this which don't match i4i's patent
i4i is not picking on small companies which can't defend themselves
In no way does it seem to me i4i matches a patent troll. I agree that the idea that someone can own such a trivial idea is dumb, but the patent is not "obvious" just because there are so many stupid different variants you could do which would achieve the same thing differently. This is not something wrong in the patent system. This is the patent system working exactly as it is designed. If you don't like this, then you should be campaigning to get rid of software patents.
The feature i4i provided was the ability to use MS Word as a general XML editor by embedding xml codes in the word document. It did this in a special way which was, according to the court, copied by MS Word's Custom XML feature. The grandparent is kind of correct; there's no good reason for Custom XML to be in Microsoft's OOXML, so whilst it is a feature of OOXML it doesn't really have much to do with the OOXML format in general, just one feature of that format used only by MS Word.
(BTW checking this took a huge effort, and big searching and I'm still not sure it's the whole truth. It's astounding how much of the media, both "main stream" and alternative/blog is covering this whilst trying to pretend that i4i never did anything useful at all.)
Err.. Edgewall, the people who write it also provide commercial support for trac. Note: I haven't tried it yet myself so this isn't an endorsement, but normally Free software support is much better than proprietary, especially since you have the option to find another commercial option if you are unhappy.
What's the advantage of using the proprietary options over Trac? Especially since that can run on top of an advanced VCS like GIT, I think it's pretty close to ideal.
the SFLC should be guarded since you were potentially a party in their lawsuits where they already agreed to represent another party
now that you are in active conflict with their clients, it would probably be illegal for them to represent you (which is why they should be guarded before)
you should get your own, separate, lawyer
even having majority interest may not be sufficient to overcome the minority interests; anyone with any interest can claim a GPL violation on the combined work
the time for publicity is normally after you have filed a court case and even then it should be limited to what your lawyer agrees to
Given this I'm not sure I see your point with what you are doing now. Most of your complaints about the SFLC are unfair since they cannot represent two opposed clients at a time. I think they should have a duty of fair access, and representing those they can, however that doesn't extend to breaking the law or allowing conflicts of interest and in this case, Mr Andersen and Landley got there first. Sorry, bad luck.
Having said that, if it's true that your copyright on BusyBox has been deleted incorrectly, then using the SFLC way on the other Busy Box developers is a perfect example of what you should do to the Busybox developers who mistreated you; but you must use a proper lawyer. Start with a clear legal letter to the busybox developers pointing out which version had your copyright deleted and shouldn't have and asking them to come into compliance with the GPL (which has a requirement for correct labelling of authorship). Please remain as reasonable as we have seen you being before and you will get your way. We'll back you up and I hereby pledge 20 Euro towards your legal fees if you produce a reasonable lawsuit and explanation of it and how it got to this stage of breakdown. I'll give more if I'm convinced this is a worthwhile use of money.
I guess in some way you're right. When Office 2003 goes unsupported, the certificate will expire and people will be forced to upgrade and that probably is something Microsoft has documented and understands (and thus a "feature"). However, I still think we could call this an operational screw up. I really don't think they want to remind people of their power to do an Amazon on all and any of your files until they have people nice and solidly locked in.
This type of patent 'show' is common when these types of lawsuits happen. They basically give each company a good bargaining chip, [...]
And with that I have little problem. However any presentation of either Apple or Nokia as innocent little flowers being picked on by a big bully I do have a problem with. They are both big corporations which know how to look after themselves. Apple has a history of copying other people's innovation (the Mouse & Windows based interface - from Xerox) and then accusing others of stealing it (Microsoft); Apple is also running around threatening everyone in the phone industry with lawsuits. In this case I really think they have it coming to them.
Trolling the RTFA troll with an RTFA; good one:-) However, I guess the quote you mean is this:
"unless VmWare (sic) becomes free software. GNOME should not provide proprietary software developers with a platform to present non-free software as a good or legitimate thing."
I don't think there's anything new in that. In fact it's more moderate than their normal position which you can find in the clear statement in the FSF service directory.
You will not take advantage of contact made through the Service Directory to advertise an unrelated business (e.g., sales of proprietary information). You may spontaneously mention your availability for general consulting, but you should not promote a specific unrelated business unless the client asks.
Basically they have, and have always had, a policy that they won't provide you with a reference (in the sense of positive reference) unless you are happy to work against proprietary software. Given their public statements (just as an example) on the matter, anyone acting surprised about that is either a) ignorant b) stupid or c) pretending.
The entire history of GNU is based in Stallman's experience that cooperating with proprietary software companies can destroy open software development. I'm not at all sure that that's an unreasonable expectation. We've seen often enough that companies that mix one with the other tend to try to put their "premium" features into the proprietary software and that ends up with the open part being much weaker.
If you restrict it and keep proprietary software off, then it will become just a hobbyist platform.
Personally, I'm not sure about that. There's lots of pure GPL stuff in a standard Linux distro which is being built on, including by companies, however; nobody has suggested that. Gnome is LGPLed and Stallman didn't suggest changing that. Just that Gnome stop promoting proprietary software.
Yes, the fact that they agreed to license them on a reasonable and non-discriminatory basis when the technology they held patents for became the GSM standard.
I think we have a [citation needed] on that one. And whilst you're digging that out, remember that agreements to standards only apply to essential patents which the company agrees to contribute or fails to declare when actively aware of the patent during standardisation.
You might also want to have a look at this
IPR owners are only required to declare whether, or not, licenses are available, i.e. either by filing licensing declarations in respect of their Essential/potentially Essential IPRs, or declaring the non-availability of such IPRs;
Apple is not doing this "because someone sued them". Apple made it clear that they were out to block Nokia from touch screen phones:
"We are watching the landscape," Cook told financial analysts. "We like competition, as long as they don't rip off our IP, and if they do, we're going to go after anybody that does."
EEE only applies to open standard Microsoft targets.
It also applies to Microsoft partners. The multi-media product manufacturers (including cameras, media players etc. etc.) will be the long term target. Right now their functionality is being extended with the aim of Microsoft getting lock in. Microsoft is already one of them (with its Windows Mobile phones and XBox at least). Later, when they need to expand their market, they will wipe out the multi-media companies that have become locked in.
The thing is, and I know this from working in a potential victim company and discussing with the person who was negotiating with MS for media standards, that the extinguish is at least five years away. Almost nobody working in such a company cares about that far in the future.
Only companies, like Oracle, which decide to fight Microsoft from the beginning as hard as they can, will ever survive long term in such a market.
If it is a Trojan then yes, it is the user's fault. If you run an executable attached to email it is your fault.
No. You cannot assume that the user knows about computers. Even if you now are a security guru you were once a two year old child and knew nothing. To get from one stage to another you had to go through a stage where you could do some stuff but didn't understand it.
If the O/S makes it possible for you to do something seriously insecure without demonstrating clear understanding of what you are doing, that is a user interface vulnerability just as bad as any buffer overflow.
What is the alternative? All attachments / html etc. should run in sandboxes where data has to be explicitly provided to the sandbox by the user. The interface should always require the user to do an affirmative action like dragging a file into the sandbox icon in order to allow access. It should never ask questions like "allow sandbox to access xyz.doc? Yes/No?" because such questions are easy to answer without understanding.
On ActiveX I agree. HTML email as it was defined yes, but a limited dialect of HTML would probably be as good as anything. However the nude tennis thing is just not true. You can click on a "rescue" application just the same as tennis. You can't tell what is from support and what is from a hacker. That is a problem.
Any user installed Trojan is the user's responsibility.
This is such a bullshit answer. a) define user installed. Do you mean they clicked in the wrong place in an IE frame? b) much more fundamental: in the old days, we used to send messages around saying "don't be stupid; you can't get a virus from email". The reason for that was simple; it was true. Then Microsoft invented Outlook and executable attachments and so on and so forth. Basic security mechanisms that made it difficult for users to accidentally execute code were bypassed for ease of use. This was done for no reason other than marketing advantage and specifically bypassed standard Windows software install mechanisms. As such user installed software is an exploit.
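The sandbox design described above (data enters only through an affirmative user act, never a yes/no prompt, and untrusted code has no path-based file access) as an added example, not code from the original post. It is a toy model of the interface policy in Python: `Sandbox`, `Desktop`, `FileCapability` and the sample file contents are all constructed for illustration; real enforcement would have to come from the OS, since Python itself cannot confine code.

```python
import os
import tempfile


class SandboxViolation(Exception):
    """Raised when sandboxed code asks for data the user never handed it."""


class FileCapability:
    """Read-only capability for exactly one file.

    The sandbox receives this object, never the path, so it cannot derive
    access to sibling files or to anything else on disk.
    """

    def __init__(self, path):
        self._path = path
        self.name = os.path.basename(path)

    def read_bytes(self):
        with open(self._path, "rb") as fh:
            return fh.read()


class Sandbox:
    """Where an attachment or HTML body runs: no ambient file access.

    The only 'open' it offers looks up capabilities the user explicitly
    granted. There is deliberately no method that takes a path and no
    yes/no prompt: a missing grant is an error, not a question.
    """

    def __init__(self):
        self._grants = {}

    def _grant(self, cap):  # called by the trusted desktop only
        self._grants[cap.name] = cap

    def open_granted(self, name):
        cap = self._grants.get(name)
        if cap is None:
            raise SandboxViolation(
                f"no capability for {name!r}: the user must drag it into the sandbox")
        return cap

    def run(self, untrusted):
        return untrusted(self)


class Desktop:
    """Trusted shell. The user's drag gesture is the *only* grant path."""

    def __init__(self, sandbox):
        self._sandbox = sandbox

    def user_drags_file_into_sandbox(self, path):
        # Specific, affirmative act: one file, read-only, no dialog to click through.
        self._sandbox._grant(FileCapability(path))


def attachment_code(sb):
    """Stand-in for untrusted attachment code: tries to read the user's data."""
    try:
        return sb.open_granted("tax-return.txt").read_bytes()
    except SandboxViolation:
        return None


def demo():
    """Run the same untrusted code before and after the user's affirmative action."""
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "tax-return.txt")
        with open(doc, "wb") as fh:
            fh.write(b"constructed sample document")  # constructed sample data
        sb = Sandbox()
        desktop = Desktop(sb)
        before = sb.run(attachment_code)  # no grant yet -> None
        desktop.user_drags_file_into_sandbox(doc)
        after = sb.run(attachment_code)  # granted -> file contents
        # Even after the grant, a file the user did not drag in stays out of reach.
        other_denied = False
        try:
            sb.open_granted("other.txt")
        except SandboxViolation:
            other_denied = True
        return {"before": before, "after": after, "other_denied": other_denied}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the sandbox API has no call that takes a path and no "allow?" question: the grant table is only ever filled by the trusted desktop in response to a concrete gesture, so a user who does not understand the code can still not accidentally give it more than the one file they dragged.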
let me hereby advise you not to look up "arse bomber" on Google. In order to avoid that here's at least one short cut.
N.B. Warning slashtrolls; if you post to this one you might end up accidentally on topic.
So what was the benefit again?
These people only listen to publicity.
Which people? Bruce? The Busy Box developers? The SFLC?
IANAL and all that...
Apple has been building up for a patent war and so Nokia has no choice other than to strike before their N900 phones make them vulnerable. Remember Apple's lawsuit happy history was what caused the League for Programming Freedom. I guess the fact that so many seem to believe that Nokia is the aggressor here (remember, they've been trying to negotiate for years before this suit came out) really does show that Apple can distort reality.
I understand what I'm selling them
No you don't. This is the biggest fallacy. When the Catholics of Poland allowed the church to get a list of who they were, they thought they were just getting listed for church visits. In fact, the biggest implication was that the Nazis knew who (by subtraction) was a Jew and rounded them up and killed them. They had no idea what they were doing and would probably mostly have been horrified if they had understood.
What you give Facebook now will be something the meaning of which will only become clear in a few years. Maybe it will be the information which lets someone identify that you have been exposed to an industrial poison and save your life. Maybe it will be the information that lets someone know when you leave your wife alone at home so they can rape her. Maybe it will be the information which lets the Palinites find your libertarian best friend and kill him.
The only thing that's certain is that if you had proper privacy you would be able to choose later. Now it's too late.
It truly scares me that so many people can think that a post that proposes allowing companies to bomb each other's customers is serious. Alternatively my inability to hear the whooosh as your dead-pan humor goes by above my head must mean I am long deaf. ARRRGGGHHH.
/me curls up in a little ball and starts crying.