Slashdot Mirror


User: Spoing

Spoing's activity in the archive.

Stories
0
Comments
2,367

Comments · 2,367

  1. Re:How about just picking the best for the job? on UK Government Reports Linux is 'Viable' · · Score: 1
    1. I wonder if the Executive was made aware of the choice of Open source for the core of the flagship product.

      If they had been would they have sanctioned it?

    This exec didn't have any say over it at the time; the decision was made before and they weren't responsible.

    *IF* they were told 'we need this tool', they would say OK.

    *IF* they were told 'we need this open source tool', they would be nervous.

    *IF* they were told 'this is a great open source tool' they would kill it on the spot or roll their eyes back and ignore the suggestion.

    I always look for a commercially supported product and put it in the bid as a commercial product -- proprietary or open. I no longer mention software as being OSS though I do try and find a cheap commercial version of it; free (no $) is worthless, expensive is good, while a moderately cheaper version that someone else uses is best.

    As you can guess, I'm trying to introduce OSS as the third one though it's not easy.

  2. Re:How about just picking the best for the job? on UK Government Reports Linux is 'Viable' · · Score: 2, Interesting
    1. Why are we always breaking software into open and proprietary? Why can't people just create a prioritized list of requirements and then use it to pick the software that fits the best for them?

    The point of these government and corporate reviews isn't to make an artificial split open vs. proprietary, it's to legitimize the *open source* software for use at all.

    I've had many conversations where people were against open source for reasons that aren't true.

    Short story, I was told by one executive that 'Since the source is available, it's less secure...we'll use our current solution'. When I pointed out that our primary web server including our flagship product were stable and secure she agreed. She went white when I started to list off the open source that made up the core of that product. The conversion was quick, though, and they began to appreciate open source...for the flagship product only.

    The chance to have that type of conversation is limited. These reports, though, can pass along those revelations without looking like a fanatic.

  3. Re:Just a first impression... on LineInterference - Radio for Geeks · · Score: 1
    1. He needs to condition his sound a bit, just a high pass filter. There's a nasty bass hum in it. I had to switch off my sub.

    I noticed that too.

    The Linux Show -- thelinuxshow.com -- also has horrid sound quality. After listening to Adam Curry show off a cheap 256MB MP3 player and recorder by using it for part of his show and it sounded better than what The Linux Show does -- I just don't get it. Yes, part of the quality loss is from people calling in on phones. That does make it a bit more complex...yet, if you're going to post this stuff, get decent equipment or show that you're real geeks and fix it!

  4. Re:everyone you knew? on Grand Theft Auto: San Andreas Launch · · Score: 1
    1. Since when was ignorance insightful?

    Ahmm...you're new here, right?

  5. Re:Linus isn't really one to talk. on Linus on All Sorts of Stuff · · Score: 1
    1. In a way, its immense flexibility is a bad thing. Open source is a nice thing, and has the potential to take over - just look at Firefox. But Linux is just too monolithic and slow-to-change to be easy to toss onto a new PC and get up and running with. There's a proliferation of different versions, all incompatible, making ease-of-use impossible to attain.

    If it is so hard to change, and so incompatible, why are there so many versions and why are they all called Linux? :)

  6. Re: I'll try it... Execution results! on Beware 'Fedora-Redhat' Fake Security Alert · · Score: 1
    1. http://mixmaster.sourceforge.net

    Quoting from above:

    "Mixmaster is the type II remailer protocol and the most popular implementation of it.

    Remailers provide protection against traffic analysis and allow sending email anonymously or pseudonymously. Mixmaster consists of both client and server installations and is designed to run on several operation systems including but not limited to *BSD, Linux and Microsoft Windows. "

    Interesting...though you still have to send it through a normal mail server at some point. That system will have headers pointing back to the remailer server. Even if the headers are forged, the most recent servers will not be forged unless you use multiple mixmaster (or other) remailers that strip the headers.

    Without that strip and resend capability, the bad guys can still get lots of information though I admit won't easily find the original sending machine. I'd check the headers carefully just in case, though!

  7. Re: I'll try it... Execution results! on Beware 'Fedora-Redhat' Fake Security Alert · · Score: 1
    1. So how many people do you expect to actually fall for this trojan, and then mail "bogus" results to them?

    Your guess is as good as mine. I'd expect quite a few.

  8. Re:Contents of inst.c... on Beware 'Fedora-Redhat' Fake Security Alert · · Score: 1
    1. Am I the only one that thinks this is some sort of prank? I mean, does anybody actually expect a redhat/fedora user to download, compile and install an unknown source, when updates usually come from a yum or up2date repository?

    Yes I'd agree it's probably a prank.

    Yet, I can't agree that nobody will do this.

    I expect that a small group of novices who have some experience with admining a RH or Fedora Linux system will fall for it and never be the wiser. A total novice won't likely fall for it because they are probably used to using either nothing or up2date and will look for patches there. Someone with a little experience will because they are trying to be smart. Experts or ones with a little more experience will smell a rat and will investigate the 'security problem' using the official Fedora site.

    1. And hosted on a Yahoo site, with a domain purchased thru Yahoo (check the domain technical contact)?

    If the site owner can be found, I'd expect them to deny that they had any knowledge of the incident. I give that a 5% chance of being the truth, though I'd like to know how they intended to use such a site. (Someone mentioned it is hosted on IIS, not any *nix -- Fedora or not.)

  9. Re: I'll try it... Execution results! on Beware 'Fedora-Redhat' Fake Security Alert · · Score: 2, Insightful
    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    Not if you run your own mail server(s).

    As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?

    (Yes, you can send the message through your own servers to another account...though it might make reading the headers even more confusing if you've never done it before.)
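The two comments above (the remailer one and the "read the full headers" one) both come down to what the Received: chain records. As an added illustration, not part of either comment, here is a small standard-library parser that walks that chain oldest hop first, lists which host handed the mail to which and the IP addresses each relay recorded, and flags timestamps that run backwards (a common sign of forged lines). The message is constructed, not a real capture.

```python
"""Walk a message's Received: headers, oldest hop first, and report
relay hosts, recorded IP addresses and out-of-order timestamps.
Added example; uses only the Python standard library."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample. The lowest Received: line is the oldest: it was
# added by the first server that accepted the mail from the sender.
SAMPLE_MESSAGE = b"""\
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mx.example.org with ESMTP id ABC123; Fri, 15 Oct 2004 10:03:11 +0000
Received: from remailer.example.com (remailer.example.com [198.51.100.7])
    by relay.example.net with ESMTP; Fri, 15 Oct 2004 10:02:58 +0000
Received: from workstation (dsl-203-0-113-5.example.isp [203.0.113.5])
    by remailer.example.com with SMTP; Fri, 15 Oct 2004 10:01:40 +0000
From: someone@example.com
To: root@example.org
Subject: test

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hops(raw: bytes) -> list:
    """Return one dict per Received: header, oldest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())          # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        when = None
        if ";" in line:                          # date follows the last ';'
            try:
                when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ips": IPV4.findall(line),
            "time": when,
        })
    return hops


def origin_hint(hops: list) -> dict:
    """The oldest surviving hop: what the recipient can learn about the
    sending machine. If a header-stripping remailer sat in the path, this
    is the remailer, not the original sender."""
    return hops[0] if hops else {}


def time_anomalies(hops: list) -> list:
    """Indexes of hops whose timestamp is earlier than the previous hop's."""
    bad = []
    for i in range(1, len(hops)):
        earlier, later = hops[i - 1]["time"], hops[i]["time"]
        if earlier is not None and later is not None and later < earlier:
            bad.append(i)
    return bad


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print(hop)
    print("origin hint:", origin_hint(parse_hops(SAMPLE_MESSAGE)))
```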

  10. Re:biased? on Windows vs. Linux Security, Once More · · Score: 2, Insightful
    Thanks for the feedback. I had used Recovery Console before, though being reminded of it is a good thing.

    There is a qualitative difference between Unix-like systems and Windows on the issues I mentioned. Details are below...

      1. Boot without a GUI.

      That's too easy. Ever heard of the Recovery Console?

    Not counting GUI intensive applications, Windows does not work completely when the Recovery Console is enabled. Except for limited functions, Windows is crippled without a GUI and most programs (utility, server, and applications) require a GUI for proper functioning or for configuration at a minimum.

    Unix/Linux/BSD/... don't need a local display or graphics at all. If you want to run without a graphics card, you can and either skip graphics or export the display buffer to another computer. Most server apps can be monitored remotely and can use either a shell or web page for control.

      1. Change libraries that are currently in use while the system is running.

      That is impossible. Even to the extent that it is possible on Windows (you can do it if you try hard enough), it's a very bad idea. If a process doesn't load all of its libraries at startup, you can end up with mismatched binaries. That's a great recipe for data loss and other really bad things.

    Windows locks files on use. Unix/Linux/BSD/... use inodes to allow different processes to see the file system in a different way. (Search for inodes if this sounds interesting to you.)

    For example, if I'm editing file 'index.html' in one program I can delete it in another program. The editor neither cares nor knows that the file has been deleted...because to the editor index.html has not been deleted! You can even download files in one program and while the file is being transferred move it to another directory.

    I regularly replace system libraries, application libraries, whole applications, the GUI and system tools and the kernel while using the system. Rarely is it an issue, though with the kernel if the whole thing has been replaced, a reboot is required to enable any new program to use it. If only a module is added or removed, no reboot is usually required.

    For example, if I update the desktop (KDE or Gnome) or the graphics subsystem (X), I usually don't bother shutting anything down or logging off right away. After a few hours *if* I encounter any oddities (say, when opening up a new application) I might be annoyed enough to log out and log back in to correct the problem...though it's such a trivial thing that I usually don't bother till I notice a few graphical glitches. The same can be done with a running server process...because the upgrades understand how to handle a running process safely and they do the right thing such as restarting the service after the files have been updated.

      1. So, given any hardware you wish, how many different and unique users can use 1 NT 3.x or 4.x system at the same time?

      I believe only one GUI session can be active at a time, but processes from any number of users can be running. (in fact, you can have processes running as different users on the same GUI session, but I would assume that's the same "physical user") You can play solitaire on a web server. Presumably not as the same user. I'm not the OP, and I don't really know much about this, so I'm not really gonna try to defend it properly.

    No problem.

    Unix/... supports as many users at the same time as both system resources and the configuration allows. By default, pressing Ctrl-Alt-F1/F2/... switches virtual terminals on Linux. Each one can allow a different user to login. Running nested X allows you to login as another user in another X session. Logging in remotely to a Unix system allows you to view the system as if it were your local one. It is all built in and depends only on if it is enabled or disabled in the configuration -- no special server software like terminal services is required.

    Take a look here for one example of this.
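The inode behaviour described in the comment above (an open file keeps working after its name is deleted or replaced) is easy to observe. The following is an added example, not code from the comment: it opens a stand-in "library", holds the descriptor open like a running process would, and then updates the file three ways, showing that replace-by-rename (how package managers install a new library) leaves the running process on the old inode, while overwriting in place changes what it sees. It assumes a POSIX file system (Linux/BSD/macOS).

```python
"""Open-descriptor vs. name semantics on POSIX file systems.
Added example; the file contents and the 'libdemo.so' name are constructed."""
import os
import tempfile


def replace_by_rename(path: str, new_data: bytes) -> None:
    # Write the new version under a sibling name, then rename over the old
    # name. rename() is atomic: any reader sees either the old inode (via an
    # already-open descriptor) or the complete new one, never a half-written file.
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(new_data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def overwrite_in_place(path: str, new_data: bytes) -> None:
    # Same inode, new bytes: every process holding it open sees the change,
    # which is exactly the mismatched-binary hazard the quoted reply warns about.
    with open(path, "r+b") as f:
        f.truncate(0)
        f.write(new_data)


def delete_name(path: str, _new_data: bytes) -> None:
    # Unlink only removes the name; the inode lives on until the last close.
    os.unlink(path)


def demo(update) -> dict:
    """Apply one update strategy while a 'running process' holds the file open."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "libdemo.so")
        with open(path, "wb") as f:
            f.write(b"version-1")
        holder = open(path, "rb")            # stands in for a running process
        ino_before = os.fstat(holder.fileno()).st_ino
        update(path, b"version-2")
        holder.seek(0)
        holder_sees = holder.read()          # read through the old descriptor
        holder.close()
        try:
            with open(path, "rb") as f:
                new_open_sees = f.read()     # what a freshly started process gets
            name_still_old_inode = os.stat(path).st_ino == ino_before
        except FileNotFoundError:
            new_open_sees = None
            name_still_old_inode = False
        return {"holder_sees": holder_sees,
                "new_open_sees": new_open_sees,
                "name_still_old_inode": name_still_old_inode}


if __name__ == "__main__":
    for strategy in (replace_by_rename, overwrite_in_place, delete_name):
        print(strategy.__name__, demo(strategy))
```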

  11. Re:It's the wrong test. on Maryland Tests Voting Machine, Declares Success · · Score: 1

    You're not even close. Please go back and re-read what I actually did write and stop guessing what I meant. Thanks.

  12. Re:SELinux on Windows vs. Linux Security, Once More · · Score: 1
    "Are these features only available in certain distros, or are they in the main kernel?"

    Main kernel *with* userland utility support. I don't think kernel patches are needed, though if they are you can check with the NSA's site for them.

    The problem is defining default configuration settings. Just enabling SELinux or tweaking the wrong setting could cause you problems.

  13. Re:biased? on Windows vs. Linux Security, Once More · · Score: 3, Insightful
    I don't think you understand just how limited Windows is.

    1. 1) Windows is not monolithic. If you or the authors of this report knew anything about OS design, you'd know this to be true.

    OK. Remove IE. Boot without a GUI. Change libraries that are currently in use while the system is running.

    1. 2) They completely forget (or choose to ignore) that Windows was multiuser starting with NT. 2000 was multiuser as well. To say that XP is the first real multiuser Windows is completely false. And they use fast user switching to imply that Windows still isn't a true multi-user OS, which is complete nonsense.

    So, given any hardware you wish, how many different and unique users can use 1 NT 3.x or 4.x system at the same time? What restrictions do you encounter, if any? Are there differences between desktop and 'server' versions of NT in this respect?

    [rpc] -- I'll let someone else address that.

    1. 4) This point makes no sense whatsoever: "By advocating this type of usage, Microsoft invites administrators to work with Windows Server 2003 at the server itself, logged in with Administrator privileges. This makes the Windows administrator most vulnerable to security flaws, because using vulnerable programs such as Internet Explorer expose the server to security risks."

    This has been addressed by NoOneInParticular, so I won't rehash it.

  14. Don't expect your tools to do your job... on Windows vs. Linux Security, Once More · · Score: 5, Insightful
    Windows or Linux won't make you secure. As a friend pointed out, he's got the most secure computer around; it's in a box, unplugged. I told him I'd be glad to make it super secure for the cost of some consulting time and a full cement mixer. (I'd, of course, keep the system in the box and unplugged.)

    What this report does is focus on the default potential for abuse by looking at recent publicly known issues.

    That's handy, though if you only go with that and expect that your systems are secure you'd be better off doing what my friend did.

    General rules:

    If it's visible over a network, it's potentially abusable. (http://www.nessus.org, http://www.insecure.org/nmap)

    If it's running locally, it's also abusable. If you don't absolutely positively require it, remove it -- even if it runs by some proxy process (inetd/xinetd or a similar daemon under Windows).

    Wrappers, permissions, isolation at the router level...all should be configured.

    Monitor log files and check systems. Automate what you can.

  15. Re:Transparency, accountability...are missing on Maryland Tests Voting Machine, Declares Success · · Score: 1
      1. The conspiracy theorists on the left think that Diebold has ties to the right wing and may assist in election fraud

      If you think Diebold does the rigging, you are an idiot.

    You quote me, but didn't read.

    1. The real danger here is that any state election official can tamper with the results. From what I've heard, Diebold basically uses Access to store stuff and anyone can modify it. The most likely rigging scenario is that some state employee will add/remove a few dozen extra votes from a couple of critical counties and change the outcome for that state. Sounds much more likely, doesn't it? Now tell me, how will open-sourcing the Diebold software prevent that?

    It won't if the system isn't auditable. Opening the source eliminates one more level of things that can't currently be audited. (See my other post(s).)

    1. No shit, Sherlock.

    Necessary? Hmmm....

    1. That's why you have the machine print out the ballot with the choices filled in, and you verify it before casting it. If you are saying people make mistakes when recounting votes -- that doesn't matter if they are random mistakes and they don't happen very often. Besides, you can recount paper ballots with optical scanners -- haven't you ever taken a standardized test? Those machines are fairly simple and reliable.

    As you said before " The real danger here is that any state election official can tamper with the results. From what I've heard, Diebold basically uses Access to store stuff and anyone can modify it. The most likely rigging scenario is that some state employee will add/remove a few dozen extra votes from a couple of critical counties and change the outcome for that state. Sounds much more likely, doesn't it? Now tell me, how will open-sourcing the Diebold software prevent that?"

    During the recount phase, how do you know that the people counting and the systems being used haven't been compromised? Current systems are not adequate both on the human and tech sides.

  16. Re:It's the wrong test. on Maryland Tests Voting Machine, Declares Success · · Score: 1
    You don't need to read all of the source. A code audit can be focused. That said, if the code is not clear the audit can say so and force a re-write of the un-clear parts...making it both easier to debug (mistakes) and easier to catch and discourage any actual fraud.

    1. How do you assure that the open-source code is what's actually being used?

    The same way you would with closed source. It's not rocket science, just a lot of work involving independent investigators. As a member of the public that does vote I'd like to be one of those investigators and closed source puts one more barrier in the way of knowing what is true.

    One thin example of code accountability:

    code (checksum) ==> known public tool chain (checksum) ==> compile ==> checksum results. On audit, independently use the code and the exact same tool chain and compare them against the deployed systems. Prosecute anyone who screws around with the deployed systems.

    I've skipped many steps and most of the human engineering security issues, though I'd expect something like the above to be the bare minimum. Keep in mind that with something as serious as an election, everything -- from BIOS firmware through to the OS and supporting libraries -- is also in that 'code' block. That necessitates available source for everything -- even if some of the code is proprietary and not open for redistribution -- because anything that is a closed binary is much harder to check (though not impossible). If any part -- say, the parser in the compiler for one library -- is not available for auditing by the general public the whole system is potentially unreliable. (Though I admit that this is very situation dependent.)
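The "code (checksum) ==> tool chain (checksum) ==> compile ==> checksum results" chain from the comment above, carried through as an added example that is not part of the post. The source tree, toolchain and compiler here are stand-ins (the "compiler" is a deterministic hash so the script runs offline); a real audit hashes real source trees, real toolchain binaries and real build outputs, but the manifest and the comparison logic are the same.

```python
"""Minimal build-accountability manifest and independent re-audit.
Added example; all file contents below are constructed stand-ins."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(files: dict) -> str:
    # Order-independent digest of a set of named files: sort by name and
    # feed "name\0content-hash" pairs into one running hash.
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + sha256(files[name]).encode() + b"\n")
    return h.hexdigest()


def toy_compile(source: dict, toolchain: dict) -> bytes:
    # Stand-in for a reproducible compiler: the artifact depends on every
    # source byte and on the toolchain, so changing either changes the output.
    h = hashlib.sha256()
    h.update(hash_tree(toolchain).encode())
    h.update(hash_tree(source).encode())
    return b"ELF-STANDIN:" + h.digest()


def build_manifest(source: dict, toolchain: dict) -> dict:
    """The record an auditor publishes: checksums of inputs and of the result."""
    artifact = toy_compile(source, toolchain)
    return {"source": hash_tree(source),
            "toolchain": hash_tree(toolchain),
            "artifact": sha256(artifact)}


def audit(manifest: dict, source: dict, toolchain: dict,
          deployed_artifact: bytes) -> list:
    """Independently rebuild from the same inputs and compare against both the
    manifest and what is actually deployed. Returns findings; empty means OK."""
    findings = []
    if hash_tree(source) != manifest["source"]:
        findings.append("source tree differs from audited manifest")
    if hash_tree(toolchain) != manifest["toolchain"]:
        findings.append("toolchain differs from audited manifest")
    if sha256(toy_compile(source, toolchain)) != manifest["artifact"]:
        findings.append("rebuild does not reproduce manifest artifact")
    if sha256(deployed_artifact) != manifest["artifact"]:
        findings.append("deployed artifact differs from manifest")
    return findings


# Constructed inputs: a one-file 'tally' program and a one-file 'toolchain'.
SOURCE = {"tally.c": b"int main(void) { return 0; }\n"}
TOOLCHAIN = {"cc": b"toolchain-binary-v1"}

if __name__ == "__main__":
    manifest = build_manifest(SOURCE, TOOLCHAIN)
    deployed = toy_compile(SOURCE, TOOLCHAIN)
    print("clean audit:", audit(manifest, SOURCE, TOOLCHAIN, deployed))
    print("tampered deployment:",
          audit(manifest, SOURCE, TOOLCHAIN, deployed + b"patched"))
```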

  17. Transparency, accountability...are missing on Maryland Tests Voting Machine, Declares Success · · Score: 2, Insightful
    I disagree entirely. (If I didn't this wouldn't be ./)

    Point by point:

    1. Do you seriously think it's more difficult to rig an election if it uses open-source software? If anything, it makes it easier.

    That depends entirely on who is doing the rigging. The conspiracy theorists on the left think that Diebold has ties to the right wing and may assist in election fraud...covering over any issues with technical hand waving and hiding any of the real details.

    Having all parts of government -- including the electoral process -- open to examination in detail is key to ensuring that the conspiracy theorists are never right. For all we know now, elections are rigged everywhere. Closed computer systems just automate the process.

    Also, as anyone who knows how to harden systems in the field or monitor existing code knows: never expect your tools to do your job. Having the source leads to the potential for absolute accountability, though if those systems aren't checked -- closed or open -- you've lost any assurance that things are working as you would expect.

    1. The ONLY real solution is to have machines print out OFFICIAL PAPER BALLOTS that the voter can check and put in a sealed ballot box and which can later be recounted by hand. This still enables the use of the electronic feature as a convenience. This is a simple and 100% effective solution.

    People make mistakes on paper all the time. That's what the dog and pony show in MD was staged to show...and they are right. What the Diebold system does not provide is complete transparency to the individual voter level let alone what the magic black boxes are actually doing. If *I* want to verify my vote, *I CAN'T* as a citizen do so with the current system. If President Carter wants to do the same, he can't either!

    Paper can be ignored. Vote counts can be changed. Electronic methods can make vote counting both more accurate and more prone to fraud...transparency and accountability to such a level that any part can be questioned and examined are needed. We haven't had that and we won't have that with the Diebold system as it currently is. That's the problem.

  18. Re:Kerry will ban tech that violates the DMCA. on Kerry and Bush Answer Questions on IT Industry · · Score: 1

    That's interesting. It raises the following question: Who sent him the gun and why? It doesn't pass the sniff test for being a legitimate honest gift since it is so close to the election.

  19. Re:Here come the security problems. on VoIP Gets a New P2P Routing Protocol (DUNDi) · · Score: 1
    1. While I do agree that VoIP inevitably requires more advanced routing, it is my fear that this will be abused for a long time until admins become skilled in the art of preventing unwanted forwards.

    I'm even more of a pessimist (aka realist).

    Yesterday's security issues have not even been addressed today.

    It all boils down to how much pain someone feels at this moment in time.

    That's why viruses and spyware are seen as the primary security issues, while system security itself -- something that would eliminate these and other problems -- is considered esoteric or impractical. If a security hole silently allows someone to abuse your systems and the data on it...out of sight, out of mind. If the system becomes slow or unstable, then it becomes 'a problem' that some package or product should 'fix'.

    Sure, there are admins that don't think like this -- and I hope that includes whoever reads this -- though the rule still holds in general. The bad guys have lots of low hanging fruit to pick from.

  20. Re:What a surprise on CherryOS Not All It's Cracked Up To Be · · Score: 1
    1. I walked out of the company in disgust a few days later. They ceased trading a year or two later, after concentrating exclusively on the product at the expense of other core revenue streams.

    Most corporations are run by people like that. Usually, the only difference is that they have various levels of public relations. Most are mainly marketing organizations -- even direct-to-customer consulting groups.

  21. Re:Is Firefox ready? on Firefox Seeks Full Page Ad in New York Times · · Score: 1

    I doubt it. The extra keys are usually ignored by most people *except* at purchase; seeing the extra keys looks good...so, they are persuaded to buy keyboard X over keyboard Y.

  22. Re:Easy solution on Spyware/Adware Prevention In Large Deployments? · · Score: 1
      1. Why is a normal user allowed to install programs in the first place?

      Because that computer thing is meant to be USEFUL

    ERROR: Infinite recursive loop detected!

  23. Re:What a surprise on CherryOS Not All It's Cracked Up To Be · · Score: 3, Insightful
    1. Too bad the mass media did not think of that when given the press release. No, instead, they just blindly passed it on to news consumers. This is a real problem with our media sources. Journalists do not do their jobs. Do you think any of them will learn from this? Nah, me neither.

    Yep, I lost that illusion years ago!

    Press releases make up a large chunk of the tech 'news' being 'reported'. I know this since I've seen it happen with the press releases a company I used to work for sent out. (Guestimate: small blurbs nearly 100% company content, medium ones over 50%, large articles much less. Typically, the larger the subject, the less corporate content.)

    In the case of CherryOS, I'd guess most everything posted was corporate content. Now that there is a scandal, you'll see some 'scoop' articles here and there...with lots of corporate content.

    Press releases are very effective for both reporters and companies; the reporter can meet deadlines with something to show while the company benefits from a '3rd party' saying what they wrote. My experience is that in a typical 'report', at worst the press release is printed verbatim with some paragraphs chopped for space, though many more are only 20% non-company provided content.

    Why bother reading tech rags when most is not original or is overly sensationalized? (Ex: Ziff pubs.)

  24. Re:Unpossible on Microsoft Advised To Learn To Love Linux · · Score: 1
    1. But they can't; how precisely can Microsoft remain a profitable publicly traded company while embracing open source? Their software is all they have.

    Fork a company (or two) that is owned by Microsoft, has substantial resources, but not large enough to show up on the stockholder's radar. The company would have the job of 'eating the MS Office and Windows babies'.

    If it succeeds, make a big deal about it and/or pull it in to Microsoft and convert the company in the process. Merge existing products (if possible).

    This is also a good way to lose a lot of money and confuse investors -- so they likely won't do it!

  25. Re:Uh huh... on Ray Kurzweil On IT And The Future of Technology · · Score: 1
    1. There is no consciousness, no real thinking.

    Computer based consciousness may never happen.

    Keep in mind that the traditional sci-fi 'robots' tended to be boxy automatons...and that's where we were by 2000.