I think the support issue is not relevant. Each mandated upgrade to windows+N costs about as much in training as moving to a recent, friendly distro. The long term costs of vendor lock-in are enormous. When you hear them touting a subscription, and claiming that customers were clamoring to pay more, and more often, you have to realize it's time to go cold turkey. Maybe MS SQL is better than any other MS product, (and I find IIS, Windows, and Exchange to be abominations) but what are the licensing restrictions and costs? Don't forget to count staff time for fighting worms. They exist in the *nix world, too, but nowhere near the numbers. MS worms are wildly out of proportion to market share.
So, sure, the taxpayers should ask the questions. But the answer is, "This is a reasonable policy that will pay dividends for as long as state government uses computers."
They can insist on minimal quality standards. The product must load, for example. It ought not lose all the user's data in the course of operation. It would be nice if it didn't cause cancer. That sort of thing.
They can insist on interoperability, open protocols and document formats, etc. The Mass policy is just shorthand for that.
If MS wants to submit a linux distro, they'd qualify. But any purchaser can reasonably set standards that effectively exclude Windows and Office, just by insisting on products with the above features.
There are sound reasons for insisting on open products. Vendor lock-in is expensive. They *always* extract monopoly rent. IBM did when they could, MS has been doing so for at least 15 years.
There's the monoculture argument - mass worms. Linux on the desktop, with one of the friendlier distros, is not noticeably harder to use. It is somewhat *different* to use, but not by as much as the difference between win95 and winxp. The same amount of investment in training will yield the same proficiency, and lower costs because the stuff is not as nightmarish.
I work at an understaffed IT dept. in an underfunded institution. I have spent the last couple of weeks fighting the nachi worm. Don't even try to tell me windows TCO is lower.
All you would need to set the trojan up is a local privilege escalation exploit to install and you're in business.
While remote exploits for win32 are so common nobody bothers with the locals, I imagine blaster could have done it, too. Edit registry, upload file, done. At next boot, keyboard is owned.
I tried a demo keystroke logger to test my antivirus setup. (The antivirus signature was useless!) The full version is stealthy and can phone the captured text home. Nasty.
I tried out a software keylogger that captured login sequences, with passwords in clear text. It appeared to daisy-chain the keyboard driver, because when I ripped it out I had no keyboard.
Nasty bit of work. McAfee did not detect the file (which can be polymorphic), did not detect the installation program. All it did was detect the downloadable compressed archive of the installation program. Very, very broken malware detection.
SSH is amazing. Sure, I have to block it at the router at the moment, pending updates, but are you really considering it a net disadvantage? I'd say the presence of OpenSSH in the *nix world (and its fine port PuTTY for win32) is a huge plus.
The equivalent in win32 is to throw a bunch of poorly implemented and largely documented controls at the world and let the kiddies run wild. A big piece of the evolution of windows is the increase in ways for strangers to do stuff to your machine. Dcom? What the hell is that? Why is it running? Why does it take a registry hack to eliminate it?
Option 1) if article presents weaknesses/limitations of open source stuff, write "In your face! MS r00lz!"
Option 2) if article is critical of MS stuff, write "How come you never write anything critical of open source stuff?"
if your security (such as it is) comes from obscurity, and you then give up the obscurity, where does that leave you?
With soiled drawers.
Seriously - Windows should be withdrawn from DOD consideration. For anything.
For organizations of any significant capitalization, IT is a strategic asset. Having control over that asset is pretty much the only sound strategy. Being told where you want to go today is not a good thing. Being locked into a predatory vendor is not a good thing. Especially when they can change the licensing at a whim to keep it just under the pain threshold to dump them.
Each of the following conditions has been true for the significant vulnerabilities of the last year.
1) windows update will fail silently or, worse, fail and falsely report success.
2) windows update will install patches that will break stuff.
3) patches will frequently not address the vulnerability they claim to fix
4) patches will be difficult to apply - (MS SQL worm - aka Sapphire)
"Don't use Windows" is obvious, but not silly. Its TCO is too high.
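The complaint above (and the later remark that the updater "fails silently, or worse, falsely reports success") is really a case for verifying a patch independently of what the updater says. The following is an added example, not code from the thread: it hashes the files a fix is supposed to replace and compares them with a manifest of expected post-patch hashes. The file names, the "patched" contents and the manifest are constructed for the demo; a real manifest would carry the vendor's published file versions or hashes.

```python
"""Check that a patch actually landed instead of trusting the updater's report.

Added example, not from the original thread. File names, contents and the
manifest are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed "post-patch" contents. The relative paths are illustrative only.
PATCHED_CONTENT = {
    "system32/rpcss.dll": b"rpcss build with the RPC fix (constructed)",
    "system32/ole32.dll": b"ole32 build with the RPC fix (constructed)",
}

# The manifest is what the verifier trusts: expected hash per file after the fix.
EXPECTED_MANIFEST = {rel: sha256_bytes(data) for rel, data in PATCHED_CONTENT.items()}


def verify_patch(root, manifest):
    """Return {relative_path: 'missing' | 'hash mismatch'} for every file that
    is absent or differs from the manifest. An empty dict means the patch is
    fully applied, regardless of what the updater claimed."""
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif sha256_file(full) != expected:
            problems[rel] = "hash mismatch"
    return problems


def write_file(root, rel, data):
    """Helper for the demo: create parent directories and write bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Simulate an updater that reported success but only replaced one file,
    then finish the job and re-verify. Returns the three verifier reports."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Nothing installed yet: every manifest entry is missing.
        results["nothing_installed"] = verify_patch(root, EXPECTED_MANIFEST)
        # Updater "succeeded" but left the old ole32 in place.
        write_file(root, "system32/rpcss.dll", PATCHED_CONTENT["system32/rpcss.dll"])
        write_file(root, "system32/ole32.dll", b"old vulnerable ole32 (constructed)")
        results["updater_said_ok"] = verify_patch(root, EXPECTED_MANIFEST)
        # Apply the rest of the fix; the verifier should now come back clean.
        write_file(root, "system32/ole32.dll", PATCHED_CONTENT["system32/ole32.dll"])
        results["actually_patched"] = verify_patch(root, EXPECTED_MANIFEST)
    return results


if __name__ == "__main__":
    for stage, report in demo().items():
        print(f"{stage}: {report or 'OK'}")
```

The point of the design is that the check has no dependency on the updater's own bookkeeping: it reads the artefacts on disk and compares them against a manifest you obtained out of band, so a silent failure shows up as a mismatch rather than a green status line.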
There was an article on segfault, I think, reporting that some version of windows beat itself on the same hardware. Nice send-up of this kind of thing.
Too bad segfault seems to be down.
when working - 1-2 hours/day during first term only
also, the gipper couldn't find his zipper.
I wish the current CIC would quit giving blowjobs to the oil industry in the oval office. Couldn't they at least find a motel?
The architecture of the *nix-based OSes is just better. Sure, there are remote root exploits in the major apps, but these are both rarer, and more rarely encountered.
Few linux distros install samba or apache by default. Every winnt-family device was vulnerable to the rpc flaw. IIS used to be installed by default, and if so, everything in it gets stuffed into the machine. IE and outlook express are on all windows machines. If you remove them, the next service pack puts them back! Why do they put windows media player in my servers? Why do they design it with massive root holes?
This comes up in every OS flamewar - the market share argument. It gets handily rebutted by the prevalence of Apache (2x IIS share) vs. remote holes compared with IIS.
Now, you don't claim that the problems would be as severe if everybody switched, just that more problems would surface. (Lots more) Maybe. I think that we've reached the critical mass of linux boxes, and the prevalence is already high enough to reward the efforts of the kidiots. I just don't think we'd see that big a difference.
sometimes the techs are so harried for time that they don't get around to patching their own shit.
Sometimes they are so lame they can't be bothered to wipe their own asses, either...
Still, what a professional embarrassment!
Community Colleges in my state are getting their nets in order.
At mine, we blocked the smb ports at the router a long time ago. We'd have been hosed if someone brought a worm inside on a laptop, though.
My internet coop was hosed.
The MS bashing is justified. Blaming admins for not keeping up with the patch/week is a non-starter. MS itself got hit with this. The MS patch download web server was itself compromised by the Code Red worm. If they can't afford the talent to get it done, the scope of the task is unreasonable.
They wrote shitty software, they implemented stupid designs. And we have to clean up after them. I have things I'd rather be doing, like furthering the goals of my employer.
You don't have to/aren't prompted to create an unprivileged account.
If the vast multitude of windows exploits are merely proportionate to market share, why is it that IIS has the bulk of web server exploits, the bulk of 0wn3d sites, and lags Apache in market share?
And based on your logic, you deserve tech support from MCSE's, rather than real geeks. (Note for all the actual geeks who have the cert - I realize the sets are not mutually exclusive)
I use Windows NT, Windows 2000, Windows 2003, Redhat 7.3, OpenBSD 3.2, OpenBSD 3.3
Let's pick the more maligned Redhat 7.3 for argument's sake. In my environment, we can discard everything after 7/29 since none apply.
7/29 openssh - sophisticated timing attack, they can figure out if they guessed a valid username!
7/21 kernel update fixes LOCAL security issues
7/10 is one that doesn't apply, but could someday.
6/27, another OpenSSH issue that doesn't apply,
6/2 and June 3 - Two kernel updates - unclear severity.
5/27 Denial of Service in a printing utility.
5/14 kernel fix
4/9 Samba remote root - NOW we're talking!
4/1 Samba remote root
2/5 OpenLDAP issue - unclear relevance/severity
2/3 kernel fix - minor/irrelevant
1/9 Printer utility problem
There are only 2-3 vulnerabilities before that going back to last summer. 15 updates in a year, 2-3 of which give remote root.
I can't get on to the windows update site (guess they're busy today!), but the record compares favorably.
And you know what? The autoupdates worked.
There was plenty of capacity, but the energy providers colluded to keep plants offline. It's a fact. If it weren't the energy industry, people would be doing perp-walks. But they are much too important to Shrub for that.
Corporate waste is definitely comparable to government waste. When profits, or more importantly, stock price sours, they do ham-fisted measures like axing departments rather than actually trim budget waste. It's hard to cut waste from hundreds of budgets, so they chop entire budgets.
Spending cuts are as arbitrary as the spending itself. The problem of government and corporate bureaucracy is similar: the incentive to do a good job is divorced from the job itself. Tech support measures calls concluded, not problems solved. If the customer can be conned into blaming something unrelated, that's a score! Similarly, if you have an open PO with someone, it's less hassle to pay more with them than get the best price elsewhere.
Bureaucracy is always and everywhere devoted to its systems, not the results those systems are an imperfect means to obtain. And it's the same in public and private sectors.
I can't quite understand the willingness to trust the assholes who colluded to create the CA power crisis.
Cheney and Bush's response to the gang-rape of CA ratepayers was to hold the victim down.
Since then they intervened to ensure the rapists got conjugal visits with the victim, by holding them to long term contracts purchased at the height of the crisis from the people who brought it about.
Shameful.
Come on - he's a pure politician, living his whole life off his dad's name and connections. He is not the poster child for his party's mantra of personal responsibility, now, is he? Poster child for bailouts in the expectation of political favors, yeah. Exhibit A in the usefulness of connections to get criminal records expunged, yeah.
He's been responsible for hundreds of people each doing decades of hard time for using what used to be his drug of choice.
Everything out of his mouth is a lie, every gesture calculated and rehearsed - and phony. He's constantly doing photo ops at programs he then cuts funding for. He's gung ho for free trade, then supports farm subsidies and tariffs for steel. Pure whoring for votes.
He mouths off a lot about freedom, and implements a police state. We crossed the line where the executive branch can decide to lock someone up - and just do it. And keep them there. And when has a police agency had a power it did not abuse? Only with the kind of oversight that is totally out of fashion post-Patriot Act. Even by the supine standards of the 1950s-1960s the FBI was still a rogue agency, spying on anyone it felt like. Now, boy, they must be really feeling their oats.
What is there to like, unless you stand to inherit big?
It's socially useful to have postal coverage to places outside dense urban corridors. Sure, UPS/FedEx et al. would like to have a crack at mail delivery in NYC.
How about a remote village in Alaska? Not much interest, especially at a flat rate.
Those are U.S. citizens living there, my conservative friend of indeterminate age. They need to be linked to the rest of the body politic.
The service is actually pretty good for first class mail. I grant some difficulties with packages.
Windmills are actually a pretty decent solution to domestic energy production. Unlike drilling in ANWR, which serves no real purpose except pissing off the environmentalists. You don't hear the Shrub talking about drilling off Florida, because that would send his corrupt brother to the unemployment line and diminish his chances of stealing the vote again.
What bankrupted CA's government was a massive recession followed by a manufactured energy crisis. What the fuck are you thinking?
The people who manufactured the crisis rigged the market through collusion. They intentionally kept power plants offline. They were invited to Cheney's little love-fest to strategize further.
The Bush team's response to the gang rape of CA ratepayers was to help hold the victim down so her struggles wouldn't cause injury.
As for tax cuts - you can certainly target them. Shifting the tax tables down would certainly help those who pay the most, but it would have a semblance of fairness. Dropping the top rate just helps those at the top, no semblance at all. Eliminating an inheritance tax - come on. This has NO bearing on your "pay the most tax" canard. It's not like it's a coincidence that the inheritance tax - which only affects million dollar estates - affects only the rich!
As a matter of efficacy, for economic stimulus the best tax cut package goes to those who spend the highest proportion of income. Those folks are at the lower end of the food chain. Cutting payroll taxes to pre-Reagan levels would do the trick.
Righties have a pretty shitty record on the economy. Who screwed up the economy and budget? The righties are in charge, numbnutz. Clinton is the only pres. who's managed a budget well in the last 25 years. I give Bush sr. partial credit for the last half of his term.
Your post is just so poorly reasoned it's staggering.
It is broken. It fails silently, or worse, falsely reports success. I've seen both. It's bad enough that I'm not sure it's better than nothing.