First of all, Cygnus (now owned by RedHat) developed a free library that allows Unix tools to be compiled on a Windows system. They have also ported a whole set of free tools to Windows.
Secondly, Perl has been ported to Windows. Now, you can run all the nice perl scripts and programs on Windows. Check the Perl Power Tools for another set of free standard Unix utilities that you can run on Windows.
The article is not at all talking about "Security through obscurity" versus disclosing the source code. It talks about public disclosure of vulnerabilities before they could be fixed. It also talks about security experts distributing tools that help to attack other sites easily.
That's indeed a social problem. But what has open source to do with it? The "script kiddies" that Marcus Ranum complains about are neither able nor interested in seriously studying source code and discovering bugs. The complaint is that it gets too easy to attack without putting in that work.
I think that open software can produce the best security and that helping crackers by developing special tools for them and publishing vulnerabilities to the wrong forum is socially wrong.
Re:Collaborative webs are old news (Geek Flavor, Score: 1)
This server offers a bit more: tourists can put up CGI scripts that serve dynamic content. It would be nice to see something like this securely with a wiki web...
Re:Ha, only 3 minutes and already--solution? (Geek Flavor, Score: 2)
As soon as somebody opens up a flexible server, it is broken into and broken up. Is this necessary?
No. There exists a solution! The basic idea is to give the people who want to use it the means to observe what others are doing and to secure the system against abuse.
In fact, that is exactly what people did in the "good old days" in the AI lab before "strict security" was built into systems as a standard.
In a lecture about the history of GNU, RMS even complains about the use of passwords and "strict security". He writes about people damaging the system by accident and about outsiders using MIT's computers:
On ITS [the old, anarchist Incompatible Timesharing System -- Yaakov] we evolved other means of discouraging people from doing those things by accident, but on Twenex [the new "secure" system -- Yaakov] you didn't have them because they assumed that there was going to be strict security in effect and only the bosses were going to have the power to do them. So they didn't put in any other mechanism to make it hard to do by accident.
...That machine wasn't designed also to support the phenomenon called "tourism". Now "tourism" is a very old tradition at the AI lab, that went along with our other forms of anarchy, and that was that we'd let outsiders come and use the machine.
...The ITS machines had certain... features that helped prevent this from getting out of hand, one of these was the "spy" feature, where anybody could watch what anyone else was doing. And of course tourists loved to spy, they think it's such a neat thing, it's a little bit naughty you see, but the result is that if any tourist starts doing anything that causes trouble there's always somebody else watching him. So pretty soon his friends would get very mad because they would know that the continued existence of tourism depended on tourists being responsible. So usually there would be somebody who would know who the guy was, and we'd be able to let him leave us alone. And if we couldn't, then what we would do was we would turn off access from certain places completely, for a while, and when we turned it back on, he would have gone away and forgotten about us. And so it went on for years and years and years.
Maybe we can reconstruct some of the features that the AI lab used to secure "tourism"? Maybe we can develop new mechanisms?
Of course, nowadays the job is harder than it was. Now, more people have just bad intentions and the ability to act anonymously and fast. Worse, the "safe tourism" features haven't been developed for a long time.
Here are some suggestions for how "safe tourism" could be revived.
The following features would give a responsible person an advantage over intruders: First, allow spying on what others do and save logs on another server where they can be read but not destroyed.
Second, create alerts and delays when important files are changed: Say, the changes take effect only after ten minutes during which observers have the right to veto the change. Once one person vetoes another's change, a trusted person can override the veto if it is not a matter of an attack.
This policy would not stop legitimate users from working with and improving the system. But an attacker would be noticed before he can take over control.
A third feature would be to back up data on a safe account (which just serves the files) so that an original state can be rebuilt quickly after an attack.
One way to combine these features would be to request users to keep their sources and configurations on another (their own) WWW server. Ten minutes after they notify the free system about changes, the changes are downloaded and installed. Checksums of the installation are stored safely so that the same files can be re-installed without delay when the user wants to roll back.
Finally, we would need some distributed system of trust such that a person can lose his reputation by attacking the system or recommending attackers to be trusted. Here, the PGP trust system springs to mind.
Any more ideas?
Yaakov
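As an added illustration (not code from the post or from Yaakov), here is a small Python model of the scheme proposed above: staged changes that take effect only after the ten-minute window unless an observer vetoes them, an append-only log, and a checksum store that refuses to re-install a file that no longer matches what was checksummed. The trusted-override step is left out, and the class and method names, the in-memory stand-ins for the log server and the "safe account", and the `fetch` callback standing in for the users' own WWW servers are all assumptions.

```python
import hashlib

VETO_WINDOW = 600  # the post's ten-minute delay, in seconds

class TouristHost:
    def __init__(self):
        self.live = {}       # path -> bytes currently installed
        self.pending = {}    # path -> staged change waiting out the window
        self.snapshots = []  # list of {path: sha256}; the post's "safe account"
        self.log = []        # in the post this lives on a separate, read-only server

    def notify(self, user, path, data, now):
        # The user announces a change; it goes live only after the window.
        self.pending[path] = {"ready": now + VETO_WINDOW, "data": data,
                              "user": user, "veto": None}
        self.log.append((now, user, "staged", path))

    def veto(self, observer, path, now):
        # Any observer may block a pending change before it takes effect.
        p = self.pending.get(path)
        if p is None or p["veto"] is not None:
            return False
        p["veto"] = observer
        self.log.append((now, observer, "vetoed", path))
        return True

    def apply_due(self, now):
        # Install unvetoed changes whose window has elapsed; checksum the result.
        done = [k for k, p in self.pending.items()
                if p["veto"] is None and p["ready"] <= now]
        for path in done:
            p = self.pending.pop(path)
            self.live[path] = p["data"]
            self.log.append((now, p["user"], "installed", path))
        if done:
            self.snapshots.append({k: hashlib.sha256(v).hexdigest()
                                   for k, v in self.live.items()})
        return done

    def rollback(self, index, fetch):
        # Re-fetch from the users' servers; accept only checksum-matching copies.
        restored = {}
        for path, digest in self.snapshots[index].items():
            data = fetch(path)
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError(f"checksum mismatch for {path}")
            restored[path] = data
        self.live = restored
        return sorted(restored)
```

Every state change is appended to `log`, so an observer can reconstruct who staged, vetoed or installed what even after a rollback.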
If you are looking into using LaTeX, you might want to have a look at the excellent LaTeX frontend LyX.
LyX is an advanced open source document processor running on many Unix platforms and OS/2, and experimentally under Windows/Cygwin. Unlike standard word processors, LyX encourages an approach to writing based on the structure of your documents, not their appearance. LyX lets you concentrate on writing, leaving details of visual layout to the software.
LyX produces high quality, professional output -- using LaTeX, an industrial strength typesetting engine, in the background; LyX is far more than a front-end to LaTeX, however. No knowledge of LaTeX is necessary to use LyX, although it will give a user more power.
LyX is stable and fully featured. It has been used for documents as large as a thesis, or as small as a business letter. Despite its simple GUI interface (available in many languages), it supports tables, figures, and hyperlinked cross-references, and has a best-of-breed math editor.
There is nothing in the math that ties it exclusively to the RIAA or even music.
What's new is just that encryption and decryption are fast and cheap, so that it could be used by default in almost all Internet communication, in cellular phones, smaller devices (and in case the customers really want that to keep the RIAA in power).
I am sure the technology will mainly be used where it benefits both the supplier and the consumer: secure WWW transactions, private communication etc.
So, YES I LIKE the fast public key encryption. I don't like that a new idea is described by the media only as a solution to a fashionable but outdated problem.
Also, I don't like much that it is patented.