Hmmm. You mention Apache. This is an FTP server. What kind of tool runs an FTP server using web server software? So far as we know (given that there are no details of how the server compromise was carried out), this says nothing about the security of a particular FTP server software, Apache, GNU/Linux, or any other Free Software package.
:)
As is the case with most installations of MS Windows, other operating systems and pretty much any user level software, the security of the system is only as strong as the weakest link: usually that's the user (and the sysadmin falls into that group). Bad passwords, bad security policies, and lax attention to security patching affect every system because every system has users.
Why might Free Software Zealots be laughing when MS products are demonstrated to be insecure? Because people have paid MS billions of dollars for that software. MS has billions of dollars in the bank. You'd think a company with those kinds of resources could hire a few security experts-- or even a few thousand-- and have them really work out the bugs. Free Software, on the other hand, is largely produced as charity, costs little or nothing to obtain, and at least when the code is demonstrably insecure, you (the user) have both the means and the right to fix it. Not so with the expensive binaries you get from Redmond.
Oh, thanks for trolling. I assume this response is exactly what you were hoping for.
Fascinating article and excellent links to boot! Thank you.
It's obvious from the desire to keep it on a "mini CD" that this is meant for clandestine activity. Any legitimate user of "security tools" wouldn't mind simply using a regular sized CD. :)
I didn't say SCO was a sensible participant in Free Software. I said they were doing what a sensible participant in Free Software would do. In the GCC case only that means contributing patches back to the main project (even if they are only to support their own OS).
Further, your "are you now or have you ever been a SCO employee" thing: why? So far SCO has not once said that they are "taking back" their code. What they've said is that some person(s) outside of SCO, acting in contradiction of that person's agreement with SCO, has done that. Further they seem to be deluded about the general meaning of a "derivative work". Neither of these things seems to be related to code they have knowingly contributed.
That said, I'd completely support GCC and the FSF if they would not only begin refusing patches from SCO, but also actively removing SCO support from the compilers. I don't see how SCO was "poisoning the well" by clearly contributing code under the GPL-- and in the case of their GCC contributions, they must assign copyright to the FSF in writing. I know they're off the deep end, but unless you can support the claims you've made they just sound like hysteria.
Thank you for an excellent post. In an earlier post someone mentions that most of the SCO-related patches to GCC actually come from someone with a sco.com email address. So it's not like Joe GCC-Developer is out there writing SCO-specific patches. It's SCO doing what a sensible participant in the Free Software development process would do: contribute patches upstream.
Now, if it's time-consuming for the GCC team to apply those patches and/or those patches cause other problems for the rest of the GCC project, then blanket refusal of SCO contributed patches would make sense (especially given external circumstances). Would refusing those patches just to be nasty cause SCO any real harm? Probably not much, since they already have the existing code, and appear the likely authors of any new code. Their in-house GCC developer would simply have to maintain a fork. Painful, perhaps, but not entirely impossible.
This announcement is more a warning that the people who (or whose organization) holds the primary code base are taking into account SCO's non-code activities when they decide whether it is worthwhile to support SCO's proprietary OS. Sounds fair to me.
Er, punctuation. :)
"Ironical" was in Webster's dictionary back in 1913. If you are over 90 years of age, maybe your reluctance to adopt this new-fangled terminology is understandable. Otherwise, give it up. Not to mention that your own post leaves a lot to be desired in terms of capitalization, puncuation, and grammar.
If Oracle really thought SCO had any legal legs to stand on, Oracle would put in a buy bid to SCO and Larry Ellison would stop playing second or third fiddle to you-know-who on the "World's Richest Man" lists.
Do you process information better by talking about it or by sitting alone and thinking about it?
:)
What if I sit alone and talk to myself about it?
What? The point of a business-- any business-- is to please the stockholders. But that statement is so vague that it's almost meaningless to point it out. It's like pointing out that the sky is blue in a discussion of meteorology. It's both obvious and irrelevant.
That might be the case if it were illegal to continue to own something that was distributed in violation of copyright law-- as far as I can tell copyright law is about copying and distributing, not possession. Can you imagine what that would mean for the readers of a newspaper should it be found that someone ran an ad or wrote an article in violation of copyright?
No. Trust is not a good security model. That's like saying, "buy the higher quality hard drives so you don't have to make backups." There is no way to know if you can trust someone. Especially not in a large corporate environment. And even if you can trust them ethically, they are human and can make mistakes.
Having a redundant permissions system to do certain activities is the equivalent of having a proofreader, in addition to an author and an editor. One person's job is to decide what to write down, another says we should keep this much or that much, and a third says, "but you spelled their there here and to two too!"
Instead of attempting to have this huge audit trail, like you suggest, which I guarantee will fail at some point, why not simply make all these types of changes require dual-authentication? Two guys turning their keys at the same time kind of thing. I realize this goes against the whole "lone cowboy" sysadmin mentality, but if it's important, then it's important.
The audit trail is going to be easy to foil. Just make the change in a batch of other similar-but-legitimate changes. Do it the day the auditor goes on vacation. Etc.
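The "two guys turning their keys" idea from the comment above (and the redundant-permissions point two comments up), as an added example that is not part of the original thread: a small Python gate that applies a privileged change only after two distinct approvers, neither of whom is the requester, have each approved the exact change within a short validity window. It also shows why a naive version is weaker than it looks: approvals are bound to a content hash so an approver cannot be shown one change and have a different one applied, the same person approving twice counts once, and approvals expire. The names, the change format, the two-approval policy and the 15-minute window are all constructed assumptions of this example.

```python
"""Two-person control for privileged changes (added example, not from the thread).

Models the "two keys must turn" idea: a privileged change is applied only when
two distinct approvers, neither of whom is the requester, have each approved
the exact change (bound by its content hash) within a short validity window.
All names, the change format and the policy values are constructed for this example.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2          # assumed policy: two keys must turn
APPROVAL_TTL_SECONDS = 15 * 60  # assumed policy: an approval goes stale after 15 minutes


def change_digest(change: dict) -> str:
    """Canonical SHA-256 over the change so approvals bind to this exact content."""
    canonical = json.dumps(change, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class ChangeRequest:
    requester: str
    change: dict
    approvals: dict = field(default_factory=dict)  # approver -> (digest, timestamp)

    @property
    def digest(self) -> str:
        return change_digest(self.change)


class TwoPersonGate:
    def __init__(self, now=time.time):
        self.now = now
        self.audit_log = []  # constructed in-memory record of every decision

    def approve(self, req: ChangeRequest, approver: str, seen_digest: str) -> bool:
        """Record an approval. Rejected if the approver is the requester or if the
        approver saw a different version of the change than the one on file."""
        if approver == req.requester:
            self.audit_log.append(("reject-self-approval", approver, req.digest))
            return False
        if seen_digest != req.digest:
            self.audit_log.append(("reject-digest-mismatch", approver, seen_digest))
            return False
        # Keyed by approver, so one person approving twice still counts once.
        req.approvals[approver] = (seen_digest, self.now())
        self.audit_log.append(("approve", approver, req.digest))
        return True

    def can_apply(self, req: ChangeRequest) -> bool:
        """True only if enough distinct, fresh, content-bound approvals exist."""
        now = self.now()
        fresh = {
            who
            for who, (digest, ts) in req.approvals.items()
            if digest == req.digest and now - ts <= APPROVAL_TTL_SECONDS
        }
        return len(fresh) >= REQUIRED_APPROVALS

    def apply(self, req: ChangeRequest, apply_fn) -> bool:
        """Apply the change through apply_fn if and only if the gate is satisfied."""
        if not self.can_apply(req):
            self.audit_log.append(("reject-apply", req.requester, req.digest))
            return False
        apply_fn(req.change)
        self.audit_log.append(("apply", req.requester, req.digest))
        return True


def demo() -> dict:
    """Walk through the cases the thread argues about; returns outcomes for checking."""
    clock = [1_000_000.0]                      # constructed, controllable clock
    gate = TwoPersonGate(now=lambda: clock[0])
    applied = []
    req = ChangeRequest(requester="alice",     # constructed request
                        change={"op": "grant", "role": "root", "user": "carol"})
    results = {}
    results["requester_cannot_approve"] = gate.approve(req, "alice", req.digest)
    results["one_approval_insufficient"] = (gate.approve(req, "bob", req.digest)
                                            and not gate.can_apply(req))
    gate.approve(req, "bob", req.digest)       # bob trying to turn both keys
    results["same_person_twice_insufficient"] = not gate.can_apply(req)
    # dave approved an earlier version of the change; it must not count.
    old_digest = change_digest({"op": "grant", "role": "wheel", "user": "carol"})
    results["wrong_content_rejected"] = gate.approve(req, "dave", old_digest)
    gate.approve(req, "dave", req.digest)      # two distinct people: change applies
    results["applied"] = gate.apply(req, applied.append)
    clock[0] += APPROVAL_TTL_SECONDS + 1       # approvals go stale
    results["stale_approvals_rejected"] = gate.apply(req, applied.append)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the module prints one line per case. The design choice worth noting is the content hash: without it, "approval" is just a yes/no attached to a request id, and the change can be edited between the second approval and the apply step, which is exactly the batching trick the comment above describes.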
So, how exactly would Photoshop be better as a native Linux app than running in WINE? Would it suddenly not need some other GUI toolkit like Qt or GTK+? And wouldn't that be hilarious: Photoshop using the Gimp ToolKit. ;)
Installation and configuration might be necessary for home users (although I bet most home users of any Microsoft Windows didn't install it themselves), but at work this is certainly not the case. Even so, with a distro like Knoppix, installation is as easy as burning an ISO and leaving it in the drive while rebooting... so I don't know how much easier installation can get than that. :)
Now that was a good one. :)
That looks more like a "let's see if we can collect the names and addresses of our fans" than an attempt to be cool. I mean. If I just paid for the CD, why not put those on the CD, either as added tracks, or as MP3s?
Yeah, somehow case fans don't do so well with open air. :)
If you really wanted to keep the case open you'd need a desk fan maybe, or you could turn the case on its side (assuming it's a tower) so that the heat could rise away more easily. To me this would be worthwhile if you were testing lots of different internal cards and absolutely had to keep the case open, but in real life I don't see the point.
I never said I didn't think Apple wasn't releasing iTunes/iTMS for non-Mac platforms. I am well aware of their plans. They ought to be glad that buymusic.com doesn't sound like it's doing too well, because if people start using a service, the odds of switching seem pretty low to me once they start building up a catalog of tunes in one format or another. Sounds like maybe Slashdot needs a "-1, Touchy" moderation.
So you're saying an excess of ventilation causes your computer to overheat?
FWIW, my case is closed as well. Simply because I'm not in there tinkering with hardware very often.
No, "he" clearly stated that the alleged escrow was a result of "all this Patriot Act stuff". As to "Guvmint spooks", I should think that a company in Taiwan is a LOT more worried about what the Chinese government wants than the U.S. government.
It helps that most of the people Apple has been targeting with their service have at least one of the following qualities: rabid devotion to Apple no matter what (so they'll buy it just to make Apple look good), rabid devotion to being as "hip" as possible (so they'll buy it just to make themselves look good).
Frankly, if I were Apple I would make a version of iTunes and the Music Store that are compatible with Microsoft Windows as soon as possible-- BEFORE Microsoft and someone else come along. Online music buying is a subscription type of service and the sooner you get your suckers hooked the better. And for Apple every MS customer using their application and their service is one more MS customer who will probably consider other Apple products more seriously in the future.
I like the way you go on and on about "Made in China" but actually recommended shopping at Wal-Mart.
How about every time you do so? The law prohibits a natural act that ought to be considered as much a human right as any other type of free speech right. There is no natural right to control the behavior of others to do as they will with their own bodies and property.
I kind of disagree. I think what you're pointing out is the major flaw in the whole Open Source movement's approach as compared to that of the Free Software movement-- and I know some people think they're interchangeable, but I feel like there are at least two prevalent strains within the larger GNU/Linux and BSD user communities.
The Open Source people want to concentrate on all the fiscal and technical reasons to use Free Software. By framing the argument as monetary, you get into this long debate about things like Total Cost of Ownership, and you have to spend hours splitting hairs and qualifying everything in order for Open Source to "win". Same with technical issues. A lot of Open Source software lacks features that proprietary software has. But the Open Source zealot goes on about "shallow eyeballs" or whatever and makes claims that the software improves more rapidly or is more secure or of higher quality because what right-minded programmer would want to show the world his or her crappy code and so on... but bugs do get into release versions. Software is found to have security holes. It's a part of designing complex systems. It's easy for someone to, as you say, "get burned", especially if they've had their expectations raised by this kind of advocacy.
The Free Software zealot, on the other hand, simply says: "So what if the software is not as feature-filled as proprietary software XYZ? So what if there's a bug? At least with Free Software I have the freedom to add that feature or to fix the bug. That's something proprietary software XYZ will never allow. Therefore, the choice is simple because freedom is too important to give up for a couple bucks or a nifty feature." That's a sort of advocacy that won't get users burned later because they'll be aware that they may be making tradeoffs... but at least they'll understand why.