Slashdot Mirror


User: evilpenguin

evilpenguin's activity in the archive.

Stories
0
Comments
724
First seen
Last seen

Comments · 724

  1. Re:Compromised /bin/md5 on Known-Good MD5 Database · · Score: 2

    Don't forget to make that NFS mount noexec when you do it! You can't be too careful. And while we are at it, if there are compromised machines on the network, how do you know the network data stream isn't being modified? Sure, it is not easy, but it is certainly not impossible. Remember that you are mounting an export from a potentially compromised system. If the machine had enough room on it, how do you know that you are even mounting what you think you are mounting? Maybe they copied the whole file system into a loopback filesystem and they chrooted the nfs daemon. Everything checks out fine from the checker box, but the system is now running a spam server.

    I don't think the technique is sound.

    My personal preference is to build systems where all the binaries are on WORM media (CD-R is fine) and the modifiable parts are mounted from the hard drive (/var and /home). Everything else is on the CD-R. Sure, the box might still get rooted, but it'll be damned hard to compromise the binaries.

    All this said, I completely agree with those folks who say that ultimately you trust something. You have to make practical considerations since you can only know the security is perfect if you actually fabricated every component with your own two hands.

    And, to veer into another round of MS bashing, this brings up Palladium, which is assuring you that YOU cannot trust your computer, but Microsoft and other content providers can. Swell. I'm looking forward to that...

  2. Re:Don't forget Optimum Slackitude on RC5-72 Clients Available on distributed.net · · Score: 2

    By that logic, if we never start, aren't we already finished? ;-)

    Sorry, long day...

  3. Re:What problem does this solve? on LinuxBIOS Boots Linux, OpenBSD, Windows · · Score: 3, Informative

    IMHO the primary application of this is in virtual and emulated PCs. If you have ever used VMWare, you'll notice that they actually use the Phoenix BIOS. There are two Free Software projects that provide "machine in machine" capability: Bochs and plex86. Both of these require a BIOS to function. There is a closed source BIOS vendor (I forget who) who has allowed bochs and plex86 to distribute a binary version only for use in those programs. Having to distribute a closed binary with a Free Software product is problematic. Thus, the project to produce a Free Software BIOS.

    Some low-end hardware OEMs might be interested in a Free BIOS as well, since this would allow them to sell their cheap hardware even cheaper.

    But you asked about userland. In userland, the main use will be for emulators and virtual PCs.

  4. Re:Good for him on University of Twente NOC Fire Arson · · Score: 2

    Y'know, even though PhysicsGenius is a famous troll, I have to admit that I think "Information wants to be set on fire" is actually pretty funny.

    I saw the /. story a couple of days ago that said they had "things back up and running." Does anyone know if this is at full capacity? I've been holding back from updating my Debian distros because I don't know.

  5. Re:Do we get our money's worth with the EFF? on Lessig's Challenge: Are You Up To It? · · Score: 2

    I don't know. I did the "electronic" letter through the EFF's website, and I got a letter back from my congressman's office. Admittedly, it was a form letter that described the two consumer-friendly digital rights bills that didn't pass in the last session. But no matter how little the letter answers my concerns, it does most definitely indicate that staffers in his office know that this issue has a constituency. That is probably more than they knew before the campaign. As much as elected officials grovel before corporate money, they still also grovel before voting blocs. If we want these issues to have congressional advocates on the public's side, then we need to let them know that there is (and we are) a voting bloc. When the Sunday morning news-talk shows start talking about "the geek vote," along with the "women's vote," "the hispanic vote," "the right-to-life vote," etc. then I assure you things will be quite different from today.

    Does this mean that we'll win them all? Hell, no! But it would mean that we would no longer lose them all.

  6. Re:Great article but completely pointless. on Copyright and Copy Rights · · Score: 3, Informative

    Uhhh, Sonny Bono was a Republican. Sorry.

  7. Great! Patent anything! on Searching for Life's Blueprints · · Score: 2

    Admitting up front an almost complete ignorance of the science involved here (since when has that stopped any of us on Slashdot?), I think it is absolutely amazing that one can patent a hypothesis now...

    (Did I mention that I was also completely ignorant of the details of the patent application?)

  8. Re:Typical slashdot crap on Another Critical Microsoft Hole · · Score: 4, Insightful

    I'll feed the troll. The issue is for users of IE, not IIS admins. Every single person who runs Internet Explorer is vulnerable. How many of those do you suppose keep up with security advisories? Even if they use the Windows Update system, how many of them do you suppose will read advisories and clear their trusted providers list?

    So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.

  9. Re:Typical slashdot crap on Another Critical Microsoft Hole · · Score: 5, Insightful

    The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.

    To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.

  10. This bodes well on Another Critical Microsoft Hole · · Score: 5, Insightful

    Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

    I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.

  11. Re:Airways are empty but ALLOCATED. Thats the poin on Cell Phone Service Degenerates Further · · Score: 5, Insightful

    There is no doubt that the regulation regime must change. It totally fails to take into account new technologies. I do not, however, buy the argument that the "free market" alone is the solution. As someone who has installed radio transmitters (admittedly amateur radio repeaters, but the issues are the same), there does need to be regulation and enforcement. It is too easy for transmitters to create spurious signals and interference. A regulatory system is, IMHO, infinitely preferable to the only other recourse in a "free market," namely, the courts.

    So, while I do think the present regulatory system needs to be demolished, I think it does need to be replaced with a regulatory scheme that takes TDM and spread-spectrum technologies into account.

    The present model is based around uni-directional broadcasting. Dedicated "channels." That needs to change.

  12. Guest starring on Ask William Shatner · · Score: 2

    Mr. Shatner:

    In the mid to late 1970's you did a guest spot on the classic TV detective show, Columbo, titled "Fade in to Murder." In it, you played a scheming, demanding, difficult Canadian-born TV star. I'm genuinely curious if the original script contained some of these details, or if the details were added as "in-jokes." You are, after all, well known as a Canadian-born TV star, and, deserved or not, I have certainly heard the other adjectives applied to you.

  13. Re:Favorite Movie Roll on Ask William Shatner · · Score: 2

    Obviously, his favorite rolls were the ones he was always doing over car hoods in the T.J. Hooker series! I don't have a clue what his favorite role might be...

  14. Re:Eventually, this would happen on Trojan Found in libpcap and tcpdump · · Score: 3, Informative

    It should be easy to find this person. The trojan downloads evil code from a specific web site. This site is either the perp's or was cracked by the perp. They will be hunted down.

    There is virtually no way to be absolutely certain of the integrity of any code, unless you audit it yourself. Even fans of OpenBSD have to admit that they are trusting the OpenBSD auditors. Some would use this to argue that you can place greater trust in closed code. But, to use Microsoft as an example (but not to claim that they are the administrator of all evil), the infamous Word macro virus first appeared on a Microsoft beta release and I seem to recall a story a little over a year ago about Russian hackers having spent a few merry weeks in the Windows 2000 source code. Trust now?

    The point is that we all use code on faith. Even should Palladium become reality, you are just transferring trust to another party. The lesson I think we in the Free Software community should take away from this is that we should make better use of the tools we have. We should provide GPG signed MD5 checksums of all of our "official" tarballs. Some projects do this, some do not. As I just pointed out, this is not a guarantee, but it does provide a chain of accountability.
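The signed-checksum practice described in the comment above, worked through as an added example (editor's code, not from the comment or from any project mentioned on this page). It assumes a project ships a manifest in `md5sum`/`sha256sum` format next to its tarballs, with a detached GPG signature on the manifest (`RELEASE.sha256` and `RELEASE.sha256.asc` are illustrative names), and that a `gpg` binary plus the maintainer's public key are available when `verify_release` is called. Two details matter in practice and are encoded below: the signature on the manifest is checked before any digest is trusted, since a matching tarball and an unsigned or re-signed manifest prove nothing, and a malformed manifest line is an error rather than something to skip, because a line that "doesn't parse" is an easy way to hide a file from the checker. MD5 is no longer collision-resistant, so the code accepts the SHA-256 format too; the constructed demo uses that.

```python
"""Verify release tarballs against a GPG-signed checksum manifest.

Added example, not the original poster's code. File names, the `gpg`
invocation and the sample tarballs are assumptions for illustration.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_manifest(text):
    """Parse md5sum/sha256sum output ('<hex>  <name>' or '<hex> *<name>').

    Returns {filename: hexdigest}. A line that does not fit the format
    raises, so an attacker cannot hide a file by corrupting its line.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not set(parts[0]) <= HEX:
            raise ValueError(f"manifest line {lineno}: malformed: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries


def file_digest(path, algo, chunk=1 << 16):
    """Stream a file through hashlib so large tarballs need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_manifest(manifest_text, directory, algo):
    """Return {filename: bool}; a listed file missing on disk counts as False."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        results[name] = hmac.compare_digest(file_digest(path, algo), expected)
    return results


def gpg_verify(signature_path, manifest_path, keyring=None):
    """Run `gpg --batch --verify <sig> <manifest>`; True only on exit status 0.

    Assumes a gpg binary and a keyring holding the maintainer's public key.
    """
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed; cannot verify signature")
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += [signature_path, manifest_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_release(directory, manifest_name, algo, keyring=None):
    """Signature first, digests second. Returns (ok, per-file results)."""
    manifest_path = os.path.join(directory, manifest_name)
    if not gpg_verify(manifest_path + ".asc", manifest_path, keyring):
        return False, {}
    with open(manifest_path) as f:
        results = check_manifest(f.read(), directory, algo)
    return all(results.values()), results


def demo():
    """Constructed sample: one intact tarball, one tampered after signing,
    one listed but missing. Returns the per-file results of check_manifest."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "foo-1.0.tar.gz")
        bad = os.path.join(d, "foo-1.0-src.tar.gz")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"fake tarball contents\n")  # constructed data
        lines = [
            f"{file_digest(good, 'sha256')}  foo-1.0.tar.gz",
            f"{file_digest(bad, 'sha256')} *foo-1.0-src.tar.gz",
            "00" * 32 + "  foo-1.0-missing.tar.gz",
        ]
        with open(bad, "ab") as f:
            f.write(b"trojan\n")  # tampered after the manifest was produced
        return check_manifest("\n".join(lines), d, "sha256")


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

`demo()` exercises only the digest side; in real use call `verify_release(dir, "RELEASE.sha256", "sha256")` so the signature gate runs first, and treat any file reported `False` as a reason to discard the whole download rather than just that file.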

  15. Re:It's ok... on Newton's "Principia" stolen · · Score: 1

    Nor URL. I'm going from memory too, although I will say I saw the movie hundreds o' times and I think my version makes more sense. Using a nuke on Las Vegas is more "suitably Biblical" than "seemingly Biblical." The "suitability" of wiping Vegas clean with the nearest things humans possess to the wrath of God seems self-evident to me. Alas, I can't confirm since I long since lost my VHS copy of the movie and I don't love it enough to buy the DVD.

    I will say that, despite a few pathetic lapses, this is still the best "hacker" movie I've seen. It also really captures the user group/BBS (pre-TCP/IP) hacker culture I remember so fondly from my teenage years. The two guys he goes to see about how to crack the system so well match most of the people I work with: The skinny science geek and the fat bearded *nix geek. I think I'm lucky I fall into the fat, bearded *nix geek category myself, although unlike many in that category, I shower daily. None of this is relevant, of course. So I'll shut up now.

  16. Re:It's ok... on Newton's "Principia" stolen · · Score: 1

    I know it is bad form (not to mention offtopic) to respond to a sig, but isn't the Wargames quote "Suitably Biblical ending to the place" not "Seemingly?"

  17. Re:Contamination on Larry Rosen on the Microsoft Penalty Ruling · · Score: 3, Insightful

    I agree, only if you wish to use the code of others without compensating them in kind. That's the whole point of GPL. I have not heard of a single case where a GPL-"copyleft" holder has gone after someone in court because they believe someone was "contaminated" by GPL code. I have heard of such cases involving proprietary software (not under a shared source license to my knowledge, but certainly under NDAs). I kind of doubt you will ever see such a suit. Actual USE of code, direct copying, yes. But the notion that a "non-clean" reverse engineer took place? I doubt it will ever happen. Most of us who release code under the GPL realize that there are only so many ways to skin a cat and that when confronted with a cat carcass, people of moderate to high intelligence are likely to stumble on similar solutions. People tend to use the GPL because they believe that owning algorithms is a bizarre idea anyway.

    All of this to say that you are right, under the law the possibility exists that if you have seen open code that does something and then you try to release CLOSED code that does that same thing, you might be spanked. But if you release open code that does the same thing, you have and will have no problem. I still think that is a big difference. And one worthy of note. To me, the GPL license is the only license that guarantees that you will not be exploited for releasing free software. It's as simple as that.

    Let's resume this argument the first time there is a cleanroom suit over GPL'ed code. I'm guessing you and I will both pass away before this happens. I wouldn't hazard the same guess for SSI.

  18. Re:Contamination on Larry Rosen on the Microsoft Penalty Ruling · · Score: 2

    You're right. I didn't notice "under a different license." (I did understand it once I had some help sounding it out ;-)

    But people release GPL'ed code under a different license all the time. You just can't take away the GPL rights. People release GPL'ed code under additional or multiple licenses frequently.

    But what proprietary license allows you to reuse code under ANY license? They are not comparable and it is unfair to suggest that they are.

  19. Re:Contamination on Larry Rosen on the Microsoft Penalty Ruling · · Score: 5, Informative

    Except, of course, for the fact that the GPL specifically permits you to reuse any part of the code, provided that you license the derivative work under the GPL. You don't have that with Microsoft Shared Source. In other words, you get all of the drawbacks (if you really think they are drawbacks, I don't) of the GPL with exactly none of the benefits.

    In other words, you are wrong in saying the converse is the same. The FSF/GPL allows you to freely copy under the same terms as the code was initially offered. The SSI does not EVER allow you to reuse code. Period. They are not even remotely comparable.

  20. Re:If only there were a 'TRUE' moderation on The Environmental Cost of Silicon Chips · · Score: 2

    While there are indeed nasty things in your consumer electronics, the real nasties they are talking about here are used in the fabrication of the components, and (AFAIK -- the weasel word that lets me say anything) they are not still present in the finished components. Your PC does contain lead and probably some cadmium and some other toxic heavy metals. It has been illegal to throw electronics in the trash (at least here in MN) for many years now.

    Silane was the nasty gas Union Carbide leaked at Bhopal (sp? Bopahl?) India that killed and maimed hundreds. It is bad stuff. Highly reactive with organic molecules.

    I maintain a FAQ on solar PV at my web site and one of my "open" questions is about the environmental hazards of PV. The finished product (at least Si PV cells, not so much the CdTe or CIS cells) is safe and stable, but the same nasties are used to make PV cells as other silicon semiconductors. I'd say that one of the "problems" of consumer culture is information hiding. We're pointing out the hazards of semiconductor production, but are you aware of how environmentally damaging many things you buy and discard without thinking are? Paper? Flour? Textiles? Don't even get me started about how much waste is produced to make an automobile. As a consumer, how do you know? Would you pay more for something if you know a cleaner but more expensive process was used to make it? Or if you knew that the manufacturer recycled and cleaned up beyond legal minimums?

    I'm not a huge fan of mandates, but I am a huge fan of information. It bothers me that I can't easily find out the materials and labor (and labor conditions) that went into the manufacture of any product I think about buying.

    Industry's answer to environmental regulation is predictably "It is too expensive," but I think a large number of affluent consumers would pay more for the "green" stuff (witness the surge in "organic" foods -- even though these same people often ignore public health issues in going organic) and industry wouldn't lose a dime.

    There is no place to start, however, without the information.

  21. Re:One benefit on Open Source More Expensive In the Long Run? · · Score: 2

    Gee, maybe using the closed, proprietary VMWare wasn't such a great idea in the first place. This is hardly an argument against Free Software. It is an argument against closed software.

  22. Re:A Question on Halloween VII · · Score: 2

    Why don't you offer a suggestion on a better design? I assure you if you really have a better way, us programmers can implement it. Maybe this is the dominant model because it is still the best one going. And, for what it is worth, the model predates MS Windows by several years.

  23. Re:Quick Summary on The Worst Coders In Washington · · Score: 2

    While I agree with you that party line voting produces generally undesirable results, this election more than any other is a possibility for massive change. Voter turnout may be as low as 30%. That means that a mere 15% of adults eligible to vote will select the winning candidate. Unless you are a non-voter and you can get another non-voting friend to join you in voting for a third party. If you are of a conservative bent, go Libertarian or Constitution party. If, like me, you have a more liberal bias, go Green party. If just 3 in 10 non-voters turn out for a third party, there would be a new majority party in the house.

    The major parties could certainly use a shock like that.

    So, please, do not sit idly by, even if you haven't done the homework the parent poster suggests. You have the power. Check the web site for your local newspaper. You can probably learn enough to make reasonable decisions from those capsule descriptions of candidates and races. You can follow through to the actual candidate web sites.

    Political parties were originally created to allow voters who knew nothing about the candidate to make a vote. This worked for many years. It fails utterly today because the modern process of "audience research" used to create a candidate's "principles" produces Democrats who look vaguely Republican and Republicans who look vaguely Democratic. I'm fortunate to come from a state with a long history of maverick (some say bizarre) politicians (Minnesota). We've had multiple third-party legislators and governors. Our Democratic party is called the DFL as a result of a merger between the Democrats and a third party called the Farmer/Labor party. We know full well that the "election scientists" can be dead wrong. The nationally famous election of Ventura was preceded by the much less known election of Arne Carlson, a Republican, who was elected by a last-minute write-in campaign. That's right. Jesse Ventura's predecessor was elected (the first time) on a write-in.

    We know nothing is impossible and every vote counts. It really does. I know from several years off and on with /. that there are a lot of political issues that mean something to people on this forum. If you care about Free Software or the DMCA, DRM, better roads, prescription drugs, anti-terrorism, encryption, privacy, preventive detention, human rights, liberty, free speech, anything where the power of the state may intervene for or against your interests, then you should vote.

    Voting is your most powerful, if also your bluntest instrument. You should do more than vote, you should write to your office-holders about those aforementioned issues. But don't throw away your most powerful tool just because you don't like the choices, or don't feel you are as informed as someone says you should be. If you really feel that way, promise to do better next time. The whole House is up again in just two years, and if you're voting for a senator, he or she will be up again in six. Term limits? We don't need 'em if you will VOTE. We have term limits. They're called elections. If, as I said way back in this rant, only 15% of the citizens are choosing our government, why are we surprised that our government isn't living up to our expectations? Change that number!!

  24. Re:This should be cheered not jeered on Windows 2000 Gets Common Criteria Certification · · Score: 2

    Aw, hell. I'll feed the troll. The problem is that passing the common criteria does not mean that their security is improving. It means that a specific configuration of a specific collection of specific versions of software passed the common criteria. Deviate from this set and your security is "unknown." Could be better. Could be worse. The point is you don't know. The real problem in security isn't Microsoft or Open Source, hackers, crackers, or trojans. The problem is that there is no measurement of security that can be used to give a system a number that may be ordinally and proportionally compared to the number for another system.

    The government is fond of the category-based "security measurement" systems, but all you can say about a system is whether it is known to be in the category, known to be outside the category, or its relation to the category is unknown. What does this really tell you about the security of a system? Nothing. What does it tell you about the relative security of any two systems? Nothing.

    All of that said, Microsoft (whom I hate with a deep, abiding, and admittedly unreasoning passion) should be applauded for doing this. It is part of a worthy effort. Does it really mean anything? I just think some of the pro-MS folks here are seriously overestimating the value of this accomplishment. It ain't worth much, but if people are going to use MS software, they should be glad this happened. Does it mean they can say with confidence that they have a secure system? Hell, no. It means if they use the precise mix of software used for the evaluation in the precisely restricted manner used in the evaluation, then their system will also meet the common criteria. Now try to run a public web server on it. Does it still meet the common criteria? Not at all.

    So the truth is, once again, somewhere in the mushy middle. Big surprise. Microsoft is in the same boat as everybody else. Without a means to objectively quantify security, so it has these properties of ordinality and proportionality, no one can really say anything scientifically meaningful about their security. In the absence of such measures, they cast about for any fixed point. The common criteria is a fixed point. So I guess I'm saying this doesn't mean much, but it is not Microsoft's fault that it doesn't mean much and Microsoft *is* to be commended for putting a pin in some of their software with one of the only fixed points available.

    So, yes, MS haters should be "grown up" enough to say this, but MS advocates should be "grown up" enough to admit the limitations on what one might be able to claim about security based on this situation. Passing the common criteria is a single data point. It is hard to see a trend with a single data point if you are being scientific about it. If, on the other hand, you really want to see the trend, taking only one data point allows you to say the trend is whatever you wish. Take two, and the trend might be down. Best to leap to conclusions from one data point. No one can say you're wrong. There's an old joke in experimental science. If you want a linear result, take exactly two samples. This is similar. If you want to be able to say anything at all, take exactly one.

  25. Re:is 50mpg a lot? on Toyota to Move to All Hybrid Vehicles By 2012 · · Score: 2

    Is it fully sustainable? I'm not saying it isn't, but it is not at all clear to me that we can produce enough vegetable oil to fuel as many vehicles as we currently use. It is a popular thing for the environmental geeks out there (not meant as a pejorative, I promise!) to convert diesel cars to use used vegetable oil as fuel, then they get waste oil for free from fast-food restaurants. That's great and wonderful, but I doubt enough vegetable oil is produced to run the hundreds of millions of cars in the US. We don't have a production and distribution infrastructure for vegetable oil as fuel. Can we produce enough to meet both fuel and food needs? I don't know.

    I'm not saying these things to pooh-pooh the idea. It would be great to convert even 10%-20% of US vehicles to such a system. It would be a big start on energy independence (and wouldn't that be good for the world?). I'm just not sure that sufficient capacity exists.

    Still, imagine bio-diesel coupled with mass adoption of hybrids, coupled with fully electric vehicles (for those who merely need commuter cars) charged by PV, coupled with greater efficiencies wherever they may be obtained.

    I simply can't think of a more "patriotic" thing for us Americans to do. This improves the environment, combats terrorism, and saves the lives of American military personnel. I, for one, would like to see the political and cultural disputes in the Arabian Peninsula lose the dimension of "vital economic interest." There would still be an interest in peace, but if oil there were not an issue for us, well, it would simplify things quite a bit.

    I know this started with me expressing a doubt about bio-diesel being "the answer," but I will say that we don't need to find "The Answer." If we can find ten things that take away 10% of our current foreign oil dependence, well, we've solved a great many problems. And even if we can't, even if we can only find seven things, we've still taken away much incentive for the level of violence in the world.

    Make America stronger! Use less fuel!

    I do kind of doubt we'll hear this rallying cry from an administration largely made up of former Texas oil men, although you never know. Oil companies can still make a lot of money selling American oil...