Slashdot Mirror


User: Frater+219

Frater+219's activity in the archive.

Stories: 0 · Comments: 586

Comments · 586

  1. Poor try on your part. on The Melissa Syndrome · · Score: 2

    Pardon me, Mr. A. C., but you really should learn to read what is before you before you respond to it. I recognize that this is difficult, but it is utterly necessary if we are to discuss real-world situations.

    I do not believe that the virus writer shouldn't be held responsible for his actions, nor did I imply such. I certainly do not believe that the actual victims of the virus were responsible for the damage caused, any more than the owners of the MS-robots in my fairy-tale were responsible for their own deaths.

    However, I do believe that Microsoft has deceived its customers by encouraging them to think themselves secure and protected when using their computers, when in fact they are exposed to risks which a marginal amount of responsible engineering would prevent. MS has billed its operating systems and applications software as being better than, or at least as good as, their competitors, when in fact MS software is uniformly ill-made and riddled with design flaws (not "security holes") which expose users to the kind of victimization perpetrated by the author of Melissa.

    Microsoft is not the victim of the Melissa virus, except insofar as, by using their own shoddy software, they exposed themselves to the same attack to which they exposed their unsuspecting customers. Microsoft is an accessory before the fact.

  2. The MS GUID does NOT enter into this! on The Melissa Syndrome · · Score: 2

    The alleged author of Melissa was not caught using the GUID. This is a myth which was propagated, among other places, in the Slashdot article about his capture -- even though it was not mentioned in the linked news article.

    Please stop propagating this hoax. It's almost as bad as "Good Times".

  3. It was a crime; MS was at fault on The Melissa Syndrome · · Score: 3

    It is true that what the author of Melissa did was a Bad Thing, because it misled people and caused some amount of damage & disruption. However, this does not absolve MS of responsibility for knowingly exposing their customers to an unnecessary and unjustified risk.

    Already too many analogies have been posted here, but let me contribute just one more:

    Suppose that everyone in the world owned robots built by Microsoft. Everyone believed that these robots followed the Three Laws of Robotics, as put forth by Dr. Asimov:


    1. A robot shall not harm a human, nor through inaction permit a human to come to harm.

    2. A robot shall follow the orders of a human, except when doing so would violate Rule 1.

    3. A robot shall protect its own existence, except when doing so would violate Rules 1 or 2.


    All other robots followed the Three Laws, the Laws being embedded into the kernels of the other robots' OSes. However, the MS-robots were not so trustworthy. It is not that they were designed to harm people, but rather that while each of them bore a sticker printed in large letters "THIS ROBOT IS USER FRIENDLY" (which people took to mean that it followed the Laws) none of the MS-robots actually had the Laws programmed into them. When they did follow the Laws, it was because it was the easy thing to do.

    Sometimes the MS-robots would run around and collide with people accidentally, hurting the people rather badly. Owners of MS-robots got used to these crashes, and accepted them as a normal part of owning a robot, even though other manufacturers' robots did not crash.

    One day, a fiendish roboticist named Relkid Omadan wrote a computer virus for these MS-robots. When infected by this virus, a robot would run up to its owner, beeping happily. It would say to the owner, "Press my red button, then my blue button! Please!" As soon as the owner did this, the robot would strangle the user to death, then run off and infect twenty other robots with the virus.

    Several hundred people were killed by the infected robots, and several thousand streets were clogged up with robots running around looking for other robots to infect. The disruption was massive. M. Omadan was, of course, tracked down, tried, and condemned as a murderer and a clogger-up of streets.

    Some radicals claimed that MS, by not programming the Three Laws of Robotics into their robots, was complicit in the murders. People trust their robots, the radicals claimed, but MS-robots abuse that trust because they aren't secure.

    Were the radicals right? Or was MS just a company trying to make money by selling robots, bearing no responsibility for the fact that its robots' deceptive friendliness concealed the capability of becoming murderers?

  4. Hacker, cracker, whacker. on The Melissa Syndrome · · Score: 2

    Actually, most crackers I know are noisy boasters and swaggering fellows. And hackers do tend to be people who hack, yes.

  5. Melissa, Memes, and "Good Times" on The Melissa Syndrome · · Score: 2


    > Where do we draw the line between a program that
    > knowingly mails to everyone in your address book
    > (so-called virus), or a program that accidentally
    > mails to everyone in your address book (possibly
    > a mail program in development, being debugged)?


    ... and a piece of information which suckers you into sending it to everyone in your address book (i.e. "Good Times")?

    Everyone who sent along Melissa did so by pressing a button that said "Yes, run this attachment." They were conned into doing so, because the attachment was sent under false pretenses -- it seemed to be a message from a friend, but was actually a virus.

    Everyone who sent along the "Good Times" warning did so by pressing a button that said "Yes, forward this message." They were conned into doing so, because the message was sent under false pretenses -- it seemed to be an important warning, but was actually a hoax.

    Melissa is not entirely a computer virus. It is dependent on user interaction, making it at least partly a "virus of the mind". Where do we draw the line between a human-aided computer virus, like Melissa, and a computer-aided memetic virus, like "Good Times"?

  6. O Moderator! on Linux on Dilbert · · Score: 2

    That was a good reply to my comment. Please restore it from the pit of -1dom.

  7. Linux on desktop systems for non-root people on Linux on Dilbert · · Score: 1

    The problem with giving your mom a Linux system is that unless she's comfortable logging in as root and updating various packages when new versions come out --- or if you're going to regularly do this for her --- you're exposing her to a lot of security risk.

    See my comment elsewhere on this subject.

  8. Security Responses and Free Software (long) on CNN on "hackers" · · Score: 4

    If we look at the history of responses to security threats, we see a trend towards greater preparedness and automation in response to threats. Ideally, this would make it easier for people to secure their (Unixoid) systems. However, for various reasons, this isn't exactly happening.


    Originally, it was considered acceptable to have a relatively open system and to tighten security only when that system was actively abused or harmed. This was partly due to simple trust, but also partly due to the fact that the consequences of security threats on Net systems weren't nearly as bad as they are today. There were very few malicious crackers, and because of the small size of the Net it was easy to track them down. Most security-hole exploitation was done in fun, and without doing damage.

    Later, after the RTM Internet Worm, it became expected that security holes would be reported as bugs, and that system maintainers would upgrade their systems to patch known holes. This is what we have CERT bulletins for --- to warn us of holes which have been discovered, so that we can secure our systems before they are exploited. In addition, we have systems such as SATAN that can diagnose existing, known security holes so that we can patch them. However, none of these measures are effective against a newly-discovered exploit which only the crackers know about.

    Now, however, the increasing dependence of both the global economy and global culture on the Net has made it essential that we keep ahead of the crackers. So we now keep copious logs of all network activity, and we have security packages that alert us to activities which might be a prelude to an attack --- such as portscans. Even if we don't know of a security hole in our systems, we can at least notice when someone else is looking for one. Some of these packages simply alert the sysadmin to suspicious activity; others actively firewall out a site from which they detect a portscan.


    Some free-software operating systems have kept up marvelously with this trend. OpenBSD, for instance, takes pride in being "proactively" secure, and sends regular security bulletins to the system administrator. Debian GNU/Linux also stands tall in security, making many logging and threat-detection packages easily available, as well as having reasonably paranoid security defaults. Debian's apt system also makes it trivially easy for system maintainers to keep up to date on security patches.

    However, despite these advances in security, it's still true that far too many "Joe Redhat" users get rooted every day. Some systems aren't keeping up --- and in a sense, because Unixoid systems run more network services and in fact are designed for network operation, a poorly-secured Linux-based system may be worse, security-wise, than Windows.

    Some would say "If a user doesn't know enough to secure his/her system, s/he deserves to get rooted." As a network systems administrator for a small college, I cannot accept that as a responsible answer. We encourage technically-minded students to put up Linux- and BSD-based hosts on our campus network --- not only for fun, but to encourage them to learn about these systems. However, if one of these students gets rooted, that exposes the rest of our network to greater hazard: something that I don't want to happen. Hence, I have a vested interest in ensuring that these students have good security on their personal systems, even though I can't go around auditing them.

    An inexperienced user needs more help making his/her system secure than does a seasoned sysadmin. We cannot afford to think of security as something that can be traded off for ease of configuration, system simplicity, or ease of use. Unless those who intend to deliver "free software for the masses" --- Red Hat Inc. and its ilk --- make their systems more "proactively secure", free software will not live up to its security potential. If this goes on, "Joe RedHat" will keep getting rooted, and Linux-on-the-Desktop will be a security disaster.
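The comment above mentions security packages that watch the logs and alert on a portscan. The following is an added example, not code from the original comment or from any of the packages it names: a minimal sliding-window portscan detector run over a few constructed log lines. The log format (ISO timestamp, source IP, destination IP, destination port) is an assumption made for the example; adapt the parser to whatever your firewall or packet filter actually writes.

```python
"""Minimal portscan detection over firewall-style log lines.

Added example, not from the original comment. The log format is assumed:
'<ISO timestamp> <src ip> <dst ip> <dst port>', one connection attempt per
line. The sample lines are constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.1.1.7 walks ten different ports in five seconds
# (a scan); 10.1.1.9 makes a few normal-looking web connections.
SAMPLE_LOG = """\
1999-04-02T10:00:01 10.1.1.7 192.0.2.10 21
1999-04-02T10:00:01 10.1.1.7 192.0.2.10 22
1999-04-02T10:00:02 10.1.1.7 192.0.2.10 23
1999-04-02T10:00:02 10.1.1.7 192.0.2.10 25
1999-04-02T10:00:03 10.1.1.7 192.0.2.10 80
1999-04-02T10:00:03 10.1.1.7 192.0.2.10 110
1999-04-02T10:00:04 10.1.1.7 192.0.2.10 143
1999-04-02T10:00:05 10.1.1.7 192.0.2.10 443
1999-04-02T10:00:05 10.1.1.7 192.0.2.10 8080
1999-04-02T10:00:06 10.1.1.7 192.0.2.10 3306
1999-04-02T10:00:10 10.1.1.9 192.0.2.10 80
1999-04-02T10:00:11 10.1.1.9 192.0.2.10 80
1999-04-02T10:00:12 10.1.1.9 192.0.2.10 443
1999-04-02T10:30:00 10.1.1.7 192.0.2.10 22
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, dst, port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_portscans(log_text, threshold=8, window=timedelta(seconds=30)):
    """Return {src: ports} for every source that touched at least
    `threshold` distinct destination ports inside any `window`-long span.

    Distinct ports are counted rather than packets: a busy legitimate
    client hits the same port many times, a scanner walks many different
    ports. The window keeps a slow client that eventually touches many
    ports over hours from being flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport = parse_line(line)
        events[src].append((ts, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        recent = []  # (timestamp, port) pairs inside the current window
        for ts, port in evs:
            recent.append((ts, port))
            while recent and ts - recent[0][0] > window:
                recent.pop(0)
            distinct = {p for _, p in recent}
            if len(distinct) >= threshold:
                alerts.setdefault(src, set()).update(distinct)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_portscans(SAMPLE_LOG).items():
        print(f"possible portscan from {src}: {sorted(ports)}")
```

The threshold and window are the tuning knobs; too low a threshold pages you for every web browser, too high misses a slow scan. A real deployment would also dedupe alerts per source and, as the comment notes some packages do, could feed the offending address to the firewall.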

  9. If all are One ... on Two Ways of Looking at a Network · · Score: 1

    "If all are One, all violence is masochism."
    "If all are One, all sex is masturbation. Let's have no more
    mehum metaphysics here."
    -- Illuminatus!

    Sure, we're all part of a gigantic energy- and information-exchanging network.

    But we've always been. That's called "life".

  10. Apple, Disasters, & Production on iMac Factory Burns · · Score: 2

    This means Apple might not do the heavy laying-off it had planned to do at its Cork facility. Since layoffs suck in general, that would rule. :)

    To those scum who would consider this disaster a good thing --- don't forget that Apple, like any other company, carries insurance. This is only a blip in the upward-curving MacOS trend.

    (We could really do far worse than to have MacOS X dominate the user desktop and Linux the server. KDE and Gnome have a lot of catching up to do ... they're doing it, but it'll take time.)

  11. Confusing the engineers more. on Melissa suspect arrested · · Score: 1

    It's important to note that "real" engineers (like civil or mechanical engineers) are considered to be "professionals" (like doctors and lawyers) in most jurisdictions. This means that the self-regulating associations and accreditation boards of the profession are given special legal standing, and it's illegal to bill yourself as an "engineer" if you don't have an engineering degree, just as it's illegal to practice medicine or law without a license. "Software engineering" is not legally considered engineering.

    (This is why some E.E.'s look down on computer scientists; it's also why software certifications with the word "engineer" in the title have gotten "real" engineers a bit indignant at times.)

    Because programming is not legally considered engineering, even though IMHO ethically there are similarities between the wrong done by an incompetent or sloppy engineer and that done by an incompetent or sloppy programmer, I doubt that MS's programmers can be held legally liable for their shoddy work.

    In fact, because the EULA on all MS products disclaims "merchantability for any particular purpose", it's likely that MS can't be held legally liable if their code does nothing at all, or even does something destructive. The only way to hold them responsible is in the marketplace --- by not buying their crap.

  12. MAC address is easily changed on Melissa suspect arrested · · Score: 1

    ifconfig eth0 hw ether DE:AD:BE:EF:F0:0F

    Some device drivers don't support it, though.
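Since a MAC address is that easy to set, the useful question for a defender is whether a given address looks like one an administrator set by hand. The following is an added example, not code from the comment above: it parses a MAC in the common notations and reports the two flag bits in the first octet that the IEEE 802 format defines (bit value 1 marks a multicast address, bit value 2 marks a locally administered address, i.e. one not assigned from a vendor's OUI block). No OUI database is consulted; the OUI is simply reported as the first three octets.

```python
"""Parse a MAC address and report its locally-administered and multicast bits.

Added example, not from the original comment. Relies only on the IEEE 802
address format: in the first octet, bit 0 (value 0x01) flags multicast and
bit 1 (value 0x02) flags a locally administered address.
"""
import re


def parse_mac(text):
    """Accept 'de:ad:be:ef:f0:0f', 'DE-AD-BE-EF-F0-0F' or 'dead.beef.f00f'
    and return the six raw bytes. Raises ValueError on anything else."""
    hexdigits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def describe_mac(text):
    """Return the normalized address plus the flag bits a defender cares about."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "normalized": ":".join(f"{b:02x}" for b in mac),
        "oui": mac[:3].hex(),                       # vendor prefix, if any
        "multicast": bool(first & 0x01),            # group address, never a host
        "locally_administered": bool(first & 0x02), # set by software, not a vendor
    }


if __name__ == "__main__":
    # The value from the comment above happens to have the local bit set:
    # 0xDE = 1101 1110, so bit 0x02 is 1.
    for addr in ("DE:AD:BE:EF:F0:0F", "00:11:22:33:44:55", "01:00:5e:00:00:01"):
        print(addr, describe_mac(addr))
```

The locally administered bit is a cheap tell, not proof: someone spoofing an address can just as easily copy a real vendor-assigned one, so treat the check as a triage hint alongside the switch's MAC/port tables. On current Linux the equivalent of the `ifconfig` line above is `ip link set dev eth0 address <mac>`.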

  13. Confusing the issue more. on Melissa suspect arrested · · Score: 1

    The susceptibility of those Pintos to explosions was caused by oversights --- what we'd call bugs.

    The susceptibility of Microsoft products to network-reproducing macro viruses is due to designed-in features.

    Furthermore, Microsoft has known that macro viruses exist for several years now. They have done little to protect their customers --- little even to draw attention to the threat, because they don't want to be held responsible in the market for their design mistakes.

    While MS might not be legally liable for criminal negligence or complicity in the distribution of the Melissa virus, they are definitely ethically in the wrong. They are bad engineers, not simply for making a shoddy product but for ignoring and denying responsibility for the shortcomings which are direct, obvious byproducts of its design.

    The author of the Melissa virus was doing a bad thing in writing it. But from this bad intent comes not only the bad result --- users spammed, systems crashed --- but also potentially a good result: Microsoft being held responsible in the market for their product's blatant failure to meet basic security needs.

  14. "Communitarian Software" on The Power of Openness · · Score: 1

    "Communitarian" is, in my experience, a word that socialists use when they're trying to talk about a form of socialism that minimizes the oppressive role of the state --- bottom-up socialism, basically.

    However, for every socialist (such as RMS) in the FS/OSS world there's a libertarian (such as ESR) and an apolitical (such as Linus). It would not do to pass FS/OSS off as a socialist movement, since it isn't.

    It's always been free software. Before ESR & Co. invented "Open Source" --- which ESR himself states to be a marketing term for free software --- there was no issue of "free software" being a politicized term. Here on /. I tend to write "FS/OSS" just to shortcut flamewars, but when I talk about it I refer to free software.

  15. We don't need no steenkin' bureaucracies. on The Power of Openness · · Score: 2


    > One of the main points of the 'Bazaar' is that it's SELF-ORGANIZING.
    > People will coalesce around interesting projects/leaders/problems of
    > their own free will. When these are no longer interesting, people leave
    > and go elsewhere.


    How does creating a new standards organization or "leadership" group change that? Nobody says you have to listen to H2O. This is no more of a threat to FS/OSS than is, say, the existence of multiple Linux-based OS distributions.

    Nobody is talking about force here. Nobody is saying that all FS/OSS projects must hew to H2O lines, any more than they have to hew to GNU lines or (horrors!) Red Hat lines. This is just another organizing effort, just like a distribution or a standards body. Let it succeed or fail on its merits.

  16. The Omega Point on Katz vs. Taco: The Matrix · · Score: 2

    Actually, the term "Omega Point" comes from the French Jesuit philosopher Teilhard de Chardin, and was popularized in recent SF by Dan Simmons's Hyperion books. It is a theological, not a technological, term.

    Unlike many other theologians of his time, De Chardin accepted the scientific theory of evolution. However, his philosophy (being, as it was, theology) went beyond what can be considered scientific. He added to Darwin's theory the idea that evolution has a telos, or end-point to which it aspires. He called this telos "the Omega Point" and considered it to be the same thing as union with God. That is, according to de Chardin, humanity is presently evolving towards literal Godhead.

    Naturally, this is not reconcilable with modern evolutionary theory, which considers evolution not to have a telos. However, it does make for good SF every once in a while; the first, second, and fourth books of the _Hyperion_ saga are really quite good. (The third, _Endymion_, reads like a Star Wars novel...)

  17. Too bad. on Melissa suspect arrested · · Score: 1

    To a certain extent, I agree. Not that it's good to break into systems to prove that they're broken ... but rather that when a vulnerability is well-documented, well-known, and the manufacturer continues to do nothing about it, sometimes nothing will bring it to the public attention but a massive exploit.

    Compare this to the Netscan site, which lists networks which can be used to execute a smurf attack, because they haven't been secured against directed broadcast pings. On the face of it, Netscan is a huge resource for idiots who want to smurf people --- but far more importantly, it brings the brokenness of the networks to the attention of the sysadmins who run them, when they wouldn't have noticed otherwise.

    Melissa is hardly a particularly damaging virus; it doesn't scrag your hard drive or damage your files. It does very little more than prove just how catastrophically broken certain Microsoft applications are --- Outlook and Word for exposing users to email-borne viruses that were once a myth, and MS's mail servers for crashing under load that Sendmail or qmail would laugh at.

    By no means does this justify virus-writing. However, it places a good deal of the blame for the damage caused by Melissa at the feet of Microsoft and its unthinking customers. Buy a known-insecure system, get what you deserve.
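The Netscan reference above is about networks that still answer ICMP echo requests sent to their directed-broadcast address, which is what makes them usable as smurf amplifiers. The following is an added example, not code from the comment or from the Netscan site: it takes a constructed list of packet summaries as a router at the subnet edge might log them and flags echo requests that arrive from outside the subnet addressed to its broadcast address. The packet summary format and the subnet list are assumptions for the example.

```python
"""Flag inbound ICMP echo requests aimed at a directed-broadcast address.

Added example, not part of the original comment. Assumes a constructed
packet summary format '<src ip> <dst ip> <proto>' and that the router
knows which subnets it serves (LOCAL_SUBNETS, also constructed).
"""
import ipaddress

# Subnets this router is assumed to serve (constructed for the example).
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),      # broadcast 192.0.2.255
    ipaddress.ip_network("198.51.100.0/25"),   # broadcast 198.51.100.127
]

# Constructed packet summaries, not captured traffic.
SAMPLE_PACKETS = """\
203.0.113.5 192.0.2.255 icmp-echo-request
203.0.113.5 198.51.100.127 icmp-echo-request
192.0.2.10 192.0.2.255 icmp-echo-request
203.0.113.5 192.0.2.10 icmp-echo-request
203.0.113.5 192.0.2.255 tcp
"""


def is_directed_broadcast(dst, subnets):
    """True if dst is the broadcast address of one of the served subnets."""
    dst = ipaddress.ip_address(dst)
    return any(dst == net.broadcast_address for net in subnets)


def from_outside(src, subnets):
    """True if src does not belong to any served subnet. In a real smurf the
    source is the spoofed victim, so it will almost always be external."""
    src = ipaddress.ip_address(src)
    return not any(src in net for net in subnets)


def find_smurf_candidates(packet_text, subnets=LOCAL_SUBNETS):
    """Return (src, dst) pairs for externally sourced echo requests to a
    directed-broadcast address. Pings to broadcast from inside the subnet
    are normal (hosts discovering neighbours) and are deliberately ignored."""
    hits = []
    for line in packet_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto = line.split()
        if (proto == "icmp-echo-request"
                and is_directed_broadcast(dst, subnets)
                and from_outside(src, subnets)):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for src, dst in find_smurf_candidates(SAMPLE_PACKETS):
        print(f"directed-broadcast echo request from {src} to {dst}")
```

Seeing these packets at all means the fix belongs at the edge, not in the monitor: on a Cisco router the interface command `no ip directed-broadcast` stops forwarding them, and on a Linux host `net.ipv4.icmp_echo_ignore_broadcasts = 1` stops the host from answering even if a broadcast ping does get through.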

  18. Debian is an OS; Linux isn't. on Richard Stallman Interview · · Score: 1

    On the contrary. Linux is not an OS; Linux is a kernel. The kernel by itself won't even boot you up to the point of being able to log in. You need utilities, libraries, and so forth in order to make up a usable OS.

    A distribution is an OS. Debian GNU/Linux is an OS. Red Hat Linux is an OS. Slackware Linux is an OS. The fact that these OSes have the word "Linux" in their names does not mean that Linux itself is an OS.

    By way of comparison ... Turbo Pascal for DOS is a development environment. Pascal is a language. Pascal by itself isn't a development environment. In fact, even a Pascal compiler by itself isn't.

    The most famous part of a system does not equal the whole system.

  19. R & D on IDC's first ever forecast about Linux · · Score: 1

    We are an R&D department.

    Even if you don't code, you should at least send bug reports or suggestions to coders. That's how software gets better.

  20. They're missing a lot on IDC's first ever forecast about Linux · · Score: 1

    "Commercial units shipped"?

    Oops. They just missed counting the second-most-widely-used distribution.

    And the easiest-to-maintain --- which is valuable both on the server and on the client & desktop.

    Don't underestimate Debian.

  21. You can do better than that on Understand My Job, Please! (ESR explains) · · Score: 2

    Why doesn't ESR ask "What do you people think?"

    Because it is your job to tell him what you think. He's not a pollster or an elected representative any more than he's a boss or leader. He's an opinionated man who gets listened to by the media. If you want him to speak for you, you'd better bother to convince him of what you think.

    Given what he said in this article about the APSL debate, it seems to me that he'd prefer that if you have a problem with what he's said or done, that you do the simple and easy thing of emailing him, rather than posting "ESR Betrays Free Source; Film At 11!" to Slashdot. This is hardly an unreasonable request.

    This isn't a matter of censorship or of ESR refusing to respond to public critiques -- as should be obvious, he does respond to public critiques. It's a matter of politeness. If someone says something mistaken or stupid in public, it might just be better to ask him/her in private "Did you really mean that? Did you consider the following implications?" rather than denouncing him/her publicly. This gives him/her the chance to amend his/her previous statements without losing face, as well as maintaining a level of civility.

    I for one think that ESR should make it clear when he speaks to the media that he does not speak for all FS/OSS authors or users. I don't think he thinks he does, but it's obvious that the media would rather think of Open Source as a single, monolithic organization (like Microsoft) with a single leader and viewpoint. The media are not used to reporting on a movement that can't give press releases, so they interpret an OSI or ESR or Red Hat or BP press release as being a speech on behalf of all users.

    In a certain sense, we are neither a "community" nor a "movement" in the classical senses of the word. We have no government, no Party Central Committee, no platform. We aren't like the SDS of the '60s, college students staying up late nights drafting manifestos; when we stay up late, we're writing code, configuring kernels, or just using the software. What we have in common is the code and really not much else. And this is a good thing; the more we recognize this, the more time we will spend making the code better instead of harping on political nonsense.

  22. The reason the paperless office is so far off on Review:Business@The Speed Of Thought · · Score: 1

    No doubt the unreliability of Windows-based office computers has contributed to the "security" of paper. Microsoft has made data loss an expected part of the computer-using workplace. Who doesn't feel a lot more confident with a print-out than with a binary copy that'll vanish in the next system crash?

    And that's just on the desktop. What manager in her right mind would trust a business plan to, say, MS IIS? Talk about nonscalable --- the moment your business becomes well-known enough to be posted about on Slashdot, you crash and burn. Gates wants businesses to make email an element of their "digital nervous systems" --- but Microsoft's email programs, both client and server, vary from the schizophrenic to the epileptic to the catatonic. Some nervous system.

    Given how much damage MS has done to the state of the art, it is the height of irony for Gates to call for the economy to become yet more dependent on information technology. It is an invitation to disaster.

  23. The Problem with Metadata on Tim Berners-Lee's List · · Score: 2

    The chief trouble with trusting metadata is that page owners and maintainers who are paid by advertisers for eyeballs will have every reason to label their pages with false metadata in order to attract clicks.

    Consider the problem that search engines faced when they indexed solely on the basis of textual relevance: pr0n sites filled their pages with the same words, repeated over and over again: "teen sex xxx porn pictures teen lesbian sex erotic sex xxx porn porn xxx sex teen girl babe sex sex xxx" and so forth. This made their pages more likely to turn up at the top of a search, and thus garnered more eyeballs for their advertisers. Who suffered? Teen-age lesbians (etc.) looking for informative sites about issues related to their lives, not for hetero-oriented pr0n.

    Metadata systems are just as exploitable. Anyone familiar with the Prisoner's Dilemma will recognize the following --- because these systems (like pure textual relevance search systems) reward "defecting" behaviors such as deliberately false labeling, they will not solve the problems that result therefrom.

    Even notwithstanding the problem of dishonest behavior, there remains the problem of clueless or simply self-aggrandizing behavior: users labeling their pages as more relevant to a given topic than they really are, or not understanding distinctions among topics. A marketer at Dell might not know what "computer science" is, and insist that "computer science" be added to the metadata of Dell's e-commerce site. "After all, we sell very scientifically-designed computers. Isn't that what computer science means?" Cluelessness reigns supreme.

    Until these problems can be solved, human-indexed sites like yahoo.com and dmoz.org will have some huge advantages over spider-powered search engines.

  24. Maybe he's referring to GNU/Linux ! on Gates: "Linux Can't Compete" · · Score: 1

    Actually, the only distro to call itself "GNU/Linux" is Debian, which has a far more effective central management system than any other --- as reflected in the dpkg/apt package management system.

  25. Quitters never win. on Response to the APSL · · Score: 1

    Bruce, if your concern for free software exceeded your impetuosity, you wouldn't have quit OSI. If your concern for the "free software" name (which you claimed as a reason to quit OSI) exceeded your desire for recognition as important, you wouldn't keep attaching the OSI name to yours.

    One thing that can be said for ESR and RMS is that they're loyal to what they believe in.