By about 10:15am on Sept 11, someone in DoJ was talking about banning strong cryptography for individuals, or at least only allowing key-escrowed crypto. It's pretty clear to me that factions in the US government (NSA? DoJ? DoD?) don't really like the idea of strong cryptography used on a daily basis on a large part of the Internet, and the events of Sept 11 merely provided an emotionally-charged fog in which to go after demonized targets.
But why? After about 30 seconds of reflection, it's pretty clear that terrorists/Russian Mafia/Red Chinese Communists/drug smugglers/money launderers/Swiss Bankers wouldn't use key-escrowed or US-government sponsored crypto products in the first place - why should the bad guys trust the US government? The bad guys don't play by the rules in the first place, so "safe" encryption won't apply to them. After 30 more seconds, it becomes apparent that key-escrowed crypto isn't crypto at all - whoever has the keys must use them constantly to determine whether the encrypted data isn't doubly-encrypted: once with a non-approved/non-key-escrowed scheme, the 2nd time with the "official" key-escrowed scheme.
One has to arrive at the conclusion that the only people that key-escrowed, or semi-weakened crypto applies to are regular, law-abiding US citizens and businesses.
Given that conclusion, why has the US government (and UK and French governments, too for that matter) tried so hard and for so long to prohibit law-abiding use of strong crypto? Feel free to speculate, I won't mind.
Define your terms better! on Globalization · Score: 3, Insightful
You need to define your terms better - your article, as it stands, is gibberish.
You confuse at least two types of "globalism":
little-g "globalization" constitutes stuff like manufacturing jobs moving to "third world" countries, highly mobile capital moving to whatever stock market around the world is hot, economic things like that. Pretty much irresistible.
Big-G "Globalization" constitutes a political and legal transfer of power from elected governments and the citizenry the governments represent, to appointed, corporate entities. Organizations like WIPO, WTO, RIAA, ICANN and Microsoft constitute the appointed, corporate entities, while DMCA, SSSCA and UCITA constitute the organizational framework that the new, corporate-oriented power structure apparently means to use.
little-g "globalization" could conceivably take place without Big-G "Globalization", I suppose, but because "globalization" currently comes along with US and Western Europe corporate entities (Ford, Microsoft, British Petroleum, Deutsche Telekom) and US-oriented Popular Culture (Coca Cola, blue jeans, Britney Spears, Hollywood movies), and "Globalization" derives its names and ruling class from US corporate entities, it's easy for some folks to confuse the two. Apparently, you (Jon Katz) haven't made this distinction too clearly.
I don't think that a straight comparison of open source to commercial software, in the context of error handling, has any merit.
I'll try to illustrate with an example. I'm running IE 5.00.2920.00 on Windows 2000. I get a huge number of "Cannot find server or DNS error" pages from IE. You know, those are the stock HTML files that IE displays that say "The page cannot be displayed", and it has a whole boatload of gibberish on it about clicking the Refresh button, contacting your network administrator, checking URL spelling, etc etc etc.
Unless the host machine is truly unreachable, I can click "Refresh" and get the appropriate page almost instantly about 80% of the time. Does that make you smell a fish? It makes me smell a fish.
The fish that I smell is commercial software handling errors in such a way as to blame anything other than itself when it encounters an error. I'm sure this works on most Windows users, because they've never used anything else, and their desktops crash all the time. Why shouldn't web sites just arbitrarily refuse to give up a page now and then? But if I'm debugging a web server that I'm telnetted to from my SPARCStation, and IE on Win2K claims that the web server can't be found 12% of the time, yet finds it instantly on refresh, I begin to see a pattern.
If you write commercial software, the pattern is to include fairly complete error handling, but make the error handling blame something else. IE didn't choke, DNS or the remote server did, or you typed the URL wrong. Anything but admit that IE had the problem.
Open source programmers don't experience pressure from marketeers and PR people and "product managers" to appear blameless. Open source programs tell it like it is, up to the limits of the programmer's articulation. That's why it's useless trying to compare the two: commercial software handles errors in order to shift the blame. Open source software handles errors in order to provide debugging information.
I wish I was financially able or had enough passion to leave a job because they didn't change over to open source or wouldn't "think outside the box". I'm content to earn a living, knowing that there will be things that I don't like or agree with. I'll save my moral stands for something that matters.
I left a company in '95 that was switching to All MSFT, All The Time. If you think about the state of the MSFT world at the time (WfWG, Windows 3.11, NT 3.51), it made sense. Manager types seemed to believe that NT 3.51 would be cheaper/easier/more productive/have zero defects/shove fried chicken under their drooling chins. The rather different reality made me think twice. Did I want to get caught between Manager Expectations and Shitty NT reality? No. Also, working with Windows was substantially less fun than working with SunOS/Solaris. I quit. That company became little more than an MSFT reseller - they never did anything interesting, and they finally disappeared.
Moving to a company that uses Unix and open source stuff isn't a matter of principle - it's a matter of survival. Remember: your NT certification expires in December, you'll have to get W2K or XP certification at a great cost. In two years, your XP certification will expire and you'll have to get YP certification, again, at great cost.
Eventually, when CD burners, Minidiscs and car MP3 players become cheap and popular enough, how do you propose artists make a living in this new world order?
I dunno, maybe the artists can't make a living because new technology changes the way the world works. This isn't unprecedented, either. Did the ice deliverymen demand some kind of legal protection from refrigerator manufacturers? Did farriers demand that auto manufacturers pay some kind of tribute because not so many horses needed shoeing any more?
What's so sacred about recording artists that they get to determine which technology gets used and how the economy changes because of it?
Anti-Spam people often seem to be so wrapped up in their cause, they often don't realise they are doing more harm than good, i.e. blocking half of Australia's email.
Spam people often seem to be so wrapped up in their advertising, they often don't realize they are doing more harm than good, i.e. pissing off 99.9% of their victims to the point where the victims engage in irrationally angry responses to the ads.
Email advertising is theft. Thieves must be punished. Corporate entities have proved more than once (AGIS, "Pink" contracts) to be basically on the side of spammers. Half of Australia's emails is blocked? Tough. I only hope that half of Korea's spam I mean email gets blocked, too.
With the deprecation or removal of an API, they can put people out of business, or send companies into bankruptcy.
MSFT has already done that sort of thing already, at least with 3D rendering APIs, and of course, to Netscape.
Industry analysts acknowledge this sort of thing. Go here, and look for the Dan Kusnetzky quote:
But Microsoft's support of Mono is simply the same old same old for the software giant, IDC analyst Dan Kusnetzky said. Microsoft has historically achieved market dominance by controlling APIs, and forcing competitors to write software to its APIs, only to turn around and change those same APIs. "Instead of satisfying their own customers' demand, competitors are busy catching up with Microsoft," Kusnetzky said. "It looks like they've gotten someone in the open source community to play the game of following Microsoft around and trying to do what they do."
The old Software Publishers Association knew about it. They issued a white paper on the topic. Read pages 12 to 15 of that document for an older view of the problem.
Besides, didn't the DMCA outlaw reverse-engineering?
Definitely not. First, reverse engineering is entirely legal: Sega Enterprises Ltd. v. Accolade, Inc., and Atari Games Corp. v. Nintendo of America, Inc. I know there are several more cases involving reverse engineering of boat hulls and other, more tangible things.
As I understand it, the DMCA outlaws things like making and distributing tools for encryption circumvention. Reverse engineering in and of itself isn't made illegal, just the tools to do so.
That's right: marketshare doesn't matter. And here, I'm taking "marketshare" to mean either (a) the number of servers sold or (b) the number of servers running.
The reason why marketshare doesn't matter: every server connected to a TCP/IP network is "touching" every other server connected to that network. Marketshare has no bearing on which servers can possibly infect which other servers in a population, only connectivity does. Essentially, the "population" of unix servers on the internet all "touch" one another, just like the population of all IIS servers "touch" one another.
That said, it hasn't really been a banner year for Linux/Unix/BSD worms. We've seen adore, l1on, cheese, ramen, sadmind/IIS, lpdw0rm, and x.c. Absolutely none of these worms ripped through the Linux/Unix/Solaris/BSD population. This is indisputable. The question is why does one population have resistance, while the other doesn't? I think the answer is diversity on four levels:
CPU architecture. Sure, Linux/Unix/etc boxes are far and away x86-based, but having a sprinkling of SPARC, Alpha, Mips and PPC probably makes a difference - no single shellcode or exploit covers all architectures.
OS architecture. Instruction-level calling sequences probably prevent a "universal" shellcode from working on all OSes that a given CPU architecture runs.
Web server variety. Sure, Apache dominates, but WN, iPlanet and thttpd have a presence.
Userland software variety. A huge variety of email clients that don't share a common scripting language or address book format keeps NIMDA and SirCam like things from happening.
I sincerely doubt we'd see a very infectious worm like NIMDA even if Linux were a very common OS. A NIMDA style worm that propagates via email clients and web servers faces a bigger uphill battle in the Linux world than in the IIS world. For starters, there are way more semi-incompatible Linux distributions floating around - it wouldn't be uncommon to find a RH 6.x server, would it? There's more variation in web servers, too: Apache, WN, thttpd and others all have a presence. That means that the web server vector has barriers to propagation, one buffer overflow won't cause every web server to become a propagation vector. One IIS buffer overflow caused the Code Red worm. There is more hardware variation: Linux runs on x86, SPARC, Mips and Alpha CPUs. Shellcode to run on all 4 architectures would be difficult if not impossible. There are *vastly* more email clients in common use in the Linux world than in the Windows world: mailx, pine, elm, mutt, Netscape Communicator, balsa (?), etc etc. These various email clients don't share a common scripting language, address book, or even a common format for saved mail. Most if not all of them don't "launch" executable attachments. This would lend resistance to the Linux population.
In short, the monoculture of MSFT products (IIS, Outlook, Win32 and x86) is probably at fault for the Code Red, SirCam and NIMDA problem, not mere popularity.
Microsoft Software is more popular and so it gets hit more. If linux was just as popular you would see the same thing happen.
You wish. The MSFT-toadying media thought that x.c, a FreeBSD and Linux worm, was going to be the "Next Code Red". My machine got more hits from sadmind/IIS worm (Solaris) than x.c. C'mon, shill-boy, why aren't you toeing the Wagg-Ed line? The truth of the matter lies more in the fact that Windows is more-or-less a software and hardware monoculture. Any flaw in IIS affects *all* of the population. The Linux/Unix/BSD/Solaris population has much greater diversity: a flaw in the WN web server isn't going to affect sites using thttpd. Similarly, there are dozens of Linux email clients in use, from mailx to Pine to mh. I don't think there's a common scripting language amongst the diversity of Linux email clients, and I don't think *any* of them are dopey enough to execute "readme.eml" files.
People that dislike windows and love linux are the reason for this attack. It's these people that are writing the viruses and worms. You've got to be kidding, right? Have you got any evidence whatsoever to back that up?
Stop trivializing the problem, Shill-boy. Of course I expect MSFT to have people use the APIs. MSFT programmers have to use them to do things like write the POSIX subsystem, write the login system.
Of course, if what you shill I mean say is true, then MSFT is keeping the native API under wraps because it's so crappy. That's not true, of course: there's some things you can do in the native API that you can't do in Win32. You can't clone a process's address space in Win32, so you can't emulate the Unix fork() system call in Win32. The POSIX subsystem does emulate fork(), so MSFT does use the native API.
But go on, tell me how to emulate fork() using Win32 calls. Tell me how to do things like write my own login service. Tell me how to cancel an outstanding asynchronous I/O request in Win32. Tell me how to do disk defragmentation using Win32 calls. Tell me how to write an IFS using Win32: I want to put my Solaris UFS disks on my W2K box so I can get rid of this expensive Sun hardware.
Really, you should read the URLs I put in my article. You don't have to believe me, you can believe Open Systems Resources, you can believe Mark Russinovich. Read the references I put in my last article before shilling further, and please, back away from the crack pipe.
Do you need source? - go down the page about a third of the way: The conclusion was that Vogels's group used source code only as documentation (there is no other documentation for NT), examples, and to understand the behavior of NT. It turned out to be useful for debugging, and it led to the discovery of interesting APIs that are not documented or available in Win32.
Inside Windows NT Disk Defragmenting - MSFT gave one company access to the defragmenting APIs, and never bothered to document them to anyone else.
MSFT hasn't hesitated to use the secret APIs either. From the July 10 InternetWeek: Microsoft has historically achieved market dominance by controlling APIs and forcing competitors to write software to Microsoft's APIs, then changing the APIs. "Instead of satisfying their own customers' demand, competitors are busy catching up with Microsoft," said IDC analyst Dan Kusnetzky.
From the October 8, 1998 NY Times: And Microsoft, the people added, did what it has always denied it does -- used access to its technology as a powerful lever in business negotiations, by offering Netscape preferential access to the Windows "application program interfaces," or A.P.I.'s, the links that enable other companies' programs to run smoothly on the Windows operating system. By turning down the deal, Netscape, they say, would not have that preferred access to Microsoft technology -- a threat that Microsoft fiercely denies making.
Think about it - can you, using only Win32, write all of the stuff that MSFT provides with NT/W2k? No. Clearly, MSFT keeps APIs to themselves. MSFT wants to allow itself the latitude to write faster, more functional programs than the ordinary developers can write. MSFT has proven time and time again that it will use secret APIs to its own advantage, or to the advantage of selected partners (Executive Software, for example). This practice is certainly bad for the consumer. Secret APIs raise the cost of entry into the NT system software market, which will keep out competitors, raise prices, and reduce choice.
Define "quality" before trying to make "quality" code. "Quality" doesn't mean one single thing. It can and does mean different things to different people. I've seen people use "conformance to spec", "fully documented", "feature rich", "crashproof", "fast", "easy to use", "surprising", "first to market", "bug-free" as all or part of what "quality" means.
Figure out what you mean by "quality", then find out what your boss means by "quality". You may be talking across each other. You might want to look at Gerald M Weinberg's Quality Software Management for a better discussion of the meaning of "quality". I'm not sure about the rest of the book, but the section on what "quality" means is relevant.
My other advice: ignore consultants and companies who peddle a Process (a process to reach SEI CMM level 5, or ISO 9000 status, for example) as a means to achieve "quality". They often leave "quality" undefined or vaguely defined because then they get to use opposing meanings as convenient. When convincing programmers to use The Process, quality consultants will use "bug free" or "speed to market" as the implied meaning of quality. When talking to managers, they use "feature rich", "on schedule" or "completely documented" as the implied meaning of quality. When talking to corporate leadership, they use "cheap", "speed to market" as meanings. Often, some tension exists between various definitions of "quality". "Cheap" often opposes "bug free" or "fully documented". "Feature rich" can oppose "high performance". "Speed to market" can oppose "fully documented". You get the picture.
I give away some software I've written because of simple economics: the cost of one or two or even 100 transactions is just too high. I'm not set up to charge people $150 for a SPARC assembler: I don't have a tax ID, I don't want a tax ID, I don't even want to know about taxes, I can't accept credit cards. The cost of getting set up to make the transaction would be too high. I could never recoup it.
Very specialized software for certain tasks will never have very many buyers. The cost of the few transactions will always put that software in some grey area where the writer may as well give it away.
This seems like an argument for micropayments, doesn't it?
Right now 64bit computing is simply for high end workstations and servers.
Oh, rubbish. I've had a 64-bit CPU running Linux for several years.
Under no circumstances could you consider my UDB a "high end" box of any sort. 64-bit computing is for whoever wants to fiddle with it.
Microeconomics textbook, 100% pure monopolies probably can't exist in a real economy, just like physics textbook 100% pure vacuums don't exist. A vacuum doesn't exist. Does that mean that the effects of a near vacuum don't exist? Don't be silly. A monopoly, like a vacuum, doesn't constitute a black-and-white, yes-or-no phenomenon. That's why the Sherman Anti-Trust Act isn't applied very often. Business entities that probably do constitute a monopoly under the Sherman Anti-Trust Act don't get prosecuted too often because it's simply too arguable to bother.
Non-religious economists recognize that "monopoly" is a matter of degree. Get a microeconomics text book from the bookstore, or borrow one from a roommate and read up on "monopoly power". Economists even have measures for monopoly power. Look for "Four-firm concentration index" and "Herfindahl-Hirschman Index". By either measure, the desktop computer OS market is one of the single most concentrated markets ever.
The reason why Microsoft OS and mail are attacked the most is simply because they are the most popular.
Rubbish. That's simply not true. Microsoft did illegally leverage its monopoly to get its products almost everywhere, that much is well known. But Microsoft also puts very few features in either OS or Outlook or IIS that could confer some sort of "immunity" on the host computers.
Suppose that someone discovers a buffer overflow in a server process that runs on almost all Unix platforms. Hey, wait! "telnetd" runs on almost all Unix platforms, and it's enabled by default almost everywhere. "telnetd" has just such a buffer overflow. Knowledge about the buffer overflow is everywhere, yet we don't see a worm resulting. Why not? Several factors - fractured hardware base. The exploit in question can crash Solaris and NetBSD SPARC telnetd, but can't really be used to start a root shell. HP's HP-PA architecture doesn't support executing code on the stack, so it's pretty much immune. The exploit works on x86 FreeBSD, Linux and NetBSD boxes, but not on OpenBSD boxes. A software "monoculture" doesn't exist, even amongst the same "group" of OSes. That goes double for "chainmails" like ILOVEYOU or SirCam or Melissa - many, many email readers exist, and they all act differently. Most Unix mail readers aren't dumb enough to "launch an application" by mere double-clicking, either.
What it comes down to, is that MSFT has put in place a "monoculture", and any flaw can be used to infect virtually every member of that monoculture's population. Unix, Linux, *BSD all comprise a "multiculture" both from software and hardware viewpoints. This amounts to vastly greater "resistance" to infection. And epidemiology shows us that infections don't become epidemics unless rate of infection vs rate of disinfection passes a certain level. Even the mild resistance of user IDs and permissions has kept Unix file infector viruses from any kind of prevalence.
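The threshold argument in the comment above can be made concrete with a small model. This is an added example, not part of the original post: it assumes a worm that probes hosts at random and a plain SIR model, and the platform names, shares and rates are constructed for illustration.

```python
"""Epidemic threshold for a randomly scanning worm: monoculture vs. multiculture.

SIR model on host fractions. Only hosts on an exploitable platform are
susceptible; everything else absorbs probes harmlessly. All numbers below
are constructed, not measurements.
"""

# Constructed platform mixes; shares in each mix sum to 1.0.
MONOCULTURE = {"platform-A": 0.90, "platform-B": 0.06, "platform-C": 0.04}
MULTICULTURE = {"platform-A": 0.15, "platform-B": 0.25, "platform-C": 0.20,
                "platform-D": 0.25, "platform-E": 0.15}


def vulnerable_fraction(mix, exploitable):
    """Share of all hosts that a single exploit can actually compromise."""
    return sum(share for name, share in mix.items() if name in exploitable)


def threshold_fraction(contact_rate, cleanup_rate):
    """Vulnerable share above which an outbreak grows instead of dying out."""
    return cleanup_rate / contact_rate


def simulate(vuln_fraction, contact_rate, cleanup_rate,
             steps=400, seed_infected=1e-4):
    """Run the model and report how far the infection spreads.

    contact_rate: probes per infected host per step that reach some host.
    cleanup_rate: fraction of infected hosts patched or rebuilt per step.
    """
    susceptible = vuln_fraction - seed_infected
    infected = seed_infected
    cleaned = 0.0
    peak = infected
    for _ in range(steps):
        # A probe only succeeds when it lands on a still-susceptible host.
        newly_infected = contact_rate * infected * susceptible
        newly_cleaned = cleanup_rate * infected
        susceptible -= newly_infected
        infected += newly_infected - newly_cleaned
        cleaned += newly_cleaned
        peak = max(peak, infected)
    return {
        # Infections caused by one infected host at the start of the outbreak.
        "r_effective": contact_rate * vuln_fraction / cleanup_rate,
        "peak_infected": peak,
        "ever_infected": infected + cleaned,
    }


def compare(contact_rate=0.5, cleanup_rate=0.1, exploitable=("platform-A",)):
    """Same exploit, same worm, same cleanup effort; only the host mix differs."""
    results = {}
    for label, mix in (("monoculture", MONOCULTURE),
                       ("multiculture", MULTICULTURE)):
        share = vulnerable_fraction(mix, set(exploitable))
        results[label] = simulate(share, contact_rate, cleanup_rate)
    return results


if __name__ == "__main__":
    print("threshold share:", threshold_fraction(0.5, 0.1))
    for label, outcome in compare().items():
        print(label, {k: round(v, 4) for k, v in outcome.items()})
```

With these rates the threshold is a 20% vulnerable share: the 90% mix sits well above it and the outbreak reaches most vulnerable hosts, while the 15% mix sits below it and the seed infection dies out.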
The Cheese Worm did this for Lion-infected hosts on Fight Virus With Virus? · Score: 2, Informative
An Internet driven by business, for business, would hardly have the appeal of the net as it exists today. It would be nothing but banners, keywords, affiliate programs, and all the other garbage that already makes the web so annoying.
I agree with your sentiment. In 1994, did people flock to the web (remember that old IBM commercial that had the nun saying she was dying to "surf the web"?) because of advertising and slick corporate marketing materials? Hell NO! The web took off because it was full of crap, truth, lies, gibberish and FAQs that other regular folks put together. CEOs and other pointy-haired morons often forget this reality. The web succeeded because, not in spite of, its hostility towards business.
This is more than just an opinion by some crank. An AT&T researcher named Andrew Odlyzko has written about this many times. His Content is not king article is the most accessible. Odlyzko has looked at the history of pricing of communications channels, too. More recently, the "Internet Enabled" cell phones have failed, while SMS text messaging phones have taken off, probably because the "Internet Enabled" phone depended on people wanting to view slick corporate marketing collateral, while SMS text messaging is popular because everyone can use it for their own purposes.
What you advocate is called "The Tyranny of the Majority". To a certain extent, all of us (people who notice) have an obligation to prevent actions and actors from harming the common weal.
Something like this obligation is what's behind successful systems of government that have representative democracies (USA, UK, Canada, etc). Sure, the vast bulk of the population thinks that minority X is evil, reproduces by laying eggs and prefers to eat boogers. Does that mean that the government has an obligation to sterilize all breeding-age members of minority X? No - just the contrary. The government has an obligation to educate the vast bulk of the population about the errors of their ways, and indeed, to prevent harm to members of minority X.
You also ignore a great evil when you blow off the harm that ubiquitous advertising causes. All advertising is a form of lying, adult US citizens are expected to disbelieve all claims made in ads. What do we learn from this kind of all-enveloping falsehoods? That it's acceptable behavior for sub-human marketeers like the TOPText people to insert their ads on my content without paying me for getting people to look at their falsehoods.
Please to note that many Linux distributions have done this for a long time, and not just a web server, either.
Well, that's a valid point except for the fact that the web server that many (most or all?) Linux distributions install is Apache. Apache has never exhibited the kind of unbelievable boneheaded security problems that IIS has.
throx writes: I am a person. I would use smart tags if I got to control what filters were enabled and what wasn't.
You just narrowed the group of people that you talk about from "everyone" to "throx". The narrower statement is a whole lot truer than People want to be able to enrich their web surfing, the statement that I did quibble with. I quibbled with it because it was a huge overgeneralization.
throx goes on to write: You're implying I'm not a person? No indeed. I merely pointed out that there's a difference between "everyone" and "throx". But when you wrote People want to be able to enrich their web surfing, you implied that I wasn't a person, because I wouldn't use Smart Tags, as near as I can tell from press descriptions of Smart Tags.
And no, my quibbling with your original statement was not a strawman argument. Your original statement was a counter-factual overgeneralization. Deal with it, rather than accuse me of your own logical fallacies.
ASHCROFT: I guess my question really is, does it represent an
approach to technology which would foster the potential of competition
to Microsoft, which I think we've been all pretty much agreeing here
is in a, has a monopoly share of the market. Whether or not you going
to call it monopoly or not. But I think everybody can agree that 90
plus percent of the market. Pretty strong. And I, can you comment on
that?
Observers at the time said that Ashcroft was pretty testy with Gates' shifty, dissembling answers.
By about 10:15am on Sept 11, someone in DoJ was talking about banning strong cryptography for individuals, or at least only allowing key-escrowed crypto. It's pretty clear to me that factions in the US government (NSA? DoJ? DoD?) don't really like the idea of strong cryptography used on a daily basis on a large part of the Internet, and the events of Sept 11 merely provided an emotionally-charged fog in which to go after demonized targets.
But why? After about 30 seconds of reflection, it's pretty clear that terrorists/Russian Mafia/Red Chinese Communists/drug smugglers/money launderers/Swiss Bankers wouldn't use key-escrowed or US-government sponsored crypto products in the first place - why should the bad guys trust the US government? The bad guys don't play by the rules in the first place, so "safe" encryption won't apply to them. After 30 more seconds, it becomes apparent that key-escrowed crypto isn't crypto at all - whoever has the keys must use them constantly to determine whether the encrypted data isn't doubly-encrypted: once with a non-approved/non-key-escrowed scheme, the 2nd time with the "official" key-escrowed scheme.
One has to arrive at the conclusion that the only people that key-escrowed, or semi-weakened crypto applies to are regular, law-abiding US citizens and businesses.
Given that conclusion, why has the US government (and UK and French governments, too for that matter) tried so hard and for so long to prohibit law-abiding use of strong crypto? Feel free to speculate, I won't mind.
You need to define your terms better - your article, as it stands is gibberish.
You confuse at least two types of "globalism":
little-g "globalization" could conceviably take place without Big-G "Globalization", I suppose, but because "globalization" currently comes along with US and Western Europe coporate entities (Ford, Microsoft, British Petroleum, Duetche Telecomm) and US-oriented Popular Culture (Coca Cola, blue jeans, Britney Spears, Hollywood movies), and "Globalization" derives its names and ruling class from US corporate entities, it's easy for some folks to confuse the two. Apparently, you (Jon Katz) haven't made this distinction too clearly.
I don't think that a straight comparison of open source to commercial software, in the context of error handling, has any merit.
I'll try to illustrate with an example. I'm running IE 5.00.2920.00 on Windows 2000. I get a huge number of "Cannot find server or DNS error" pages from IE. You know, those are the stock HTML files that IE displays that say "The page cannot be displayed", and it has a whole boatload of gibberish on it about clicking the Refresh button, contacting your network administrator, checking URL spelling, etc etc etc.
Unless the host machine is truly unreachable, I can click "Refresh" and get the appropriate page almost instantly about 80% of the time. Does that make you smell a fish? It makes me smell a fish.
The fish that I smell is commercial software handling errors in such a way as to blame anything other than itself when it encourters an error. I'm sure this works on most Windows users, because they've never used anything else, and their desktops crash all the time. Why shouldn't web sites just arbitrarily refuse to give up a page now and then? But if I'm debugging a web server that I'm telnetted to from my SPARCStation, and IE on Win2K claims that the web server can't be found 12% of the time, yet finds it instantly on refresh, I begin to see a pattern.
If you write commercial software, the pattern is to including fairly complete error handling, but make the error handling blame something else. IE didn't choke, DNS or the remote server did, or you typed the URL wrong. Anything but admit that IE had the problem.
Open source programmers don't experience pressure from marketeers and PR people and "product managers" to appear blameless. Open source programs tell it like it is, up to the limits of the programmer's articulation. That's why it's useless trying to compare the two: commercial software handles errors in order to shift the blame. Open source software handles errors in order to provide debugging information.
I wish I was financially able or had enough passion to leave a job because they didn't change over to open source or wouldn't "think outside the box". I'm content to earn a living, knowing that there will be things that I don't like or agree with. I'll save my moral stands for something that matters.
I left a company in '95 that was switching to All MSFT, All The Time. If you think about the state of the MSFT world at the time (WfWG, Windows 3.11, NT 3.51), it made sense. Manager types seemed to believe that NT 3.51 would be cheaper/easier/more productive/have zero defects/shove fried chicked under their drooling chins. The rather different reality made me think twice. Did I want to get caught between Manager Expectations and Shitty NT reality? No. Also, working with Windows was substantially less fun than working with SunOS/Solaris. I quit. That company became little more than an MSFT reseller - they never did anything interesting, and they finally disappeared.
Moving to a company that uses Unix and open source stuff isn't a matter of principal - it's a matter of survival. Remember: your NT certification expires in December, you'll have to get W2K or XP certification at a great cost. In two years, your XP certification will expire and you'll have to get YP certification, again, at great cost.
Eventually, when CD burners, Minidiscs and car MP3 players become cheap and popular enough, how do you propose artists make a living in this new world order?
I dunno, maybe the artists can't make a living because new technology changes the way the world works. This isn't unprecedented, either. Did the ice deliverymen demand some kind of legal protection from refrigerator manufacturers? Did farriers demand that auto manufacturers pay some kind of tribute because not so many horses needed shoeing any more?
What's so sacred about recording artists that they get to determine which technology gets used and how the economy changes because of it?
Anti-Spam people often seem to be so wrapped up in their cause, they often don't realise they are doing more harm than good, i.e. blocking half of Australia's email.
Spam people often seem to be so wrapped up in their advertising, they often don't realize they are doing more harm than good, i.e. pissing off 99.9% of their victims to the point where the victims engage in irrationally angry responses to the ads.
Email advertising is theft. Thieves must be punished. Corporate entities have proved more than once (AGIS, "Pink" contracts) to be basically on the side of spammers. Half of Australia's email is blocked? Tough. I only hope that half of Korea's spam I mean email gets blocked, too.
With the deprecation or removal of an API, they can put people out of business, or send companies into bankruptcy.
MSFT has already done that sort of thing, at least with 3D rendering APIs, and of course, to Netscape.
Industry analysts acknowledge this sort of thing. Go here, and look for the Dan Kusnetzky quote:
The old Software Publishers Association knew about it. They issued a white paper on the topic. Read pages 12 to 15 of that document for an older view of the problem.
Besides, didn't the DMCA outlaw reverse-engineering?
Definitely not. First, reverse engineering is entirely legal: Sega Enterprises Ltd. v. Accolade, Inc., and Atari Games Corp. v. Nintendo of America, Inc. I know there are several more cases involving reverse engineering of boat hulls and other, more tangible things.
As I understand it, the DMCA outlaws things like making and distributing tools for encryption circumvention. Reverse engineering in and of itself isn't made illegal, just the tools to do so.
That's right: marketshare doesn't matter. And here, I'm taking "marketshare" to mean either (a) the number of servers sold or (b) the number of servers running.
The reason why marketshare doesn't matter: every server connected to a TCP/IP network is "touching" every other server connected to that network. Marketshare has no bearing on which servers can possibly infect which other servers in a population, only connectivity does. Essentially, the "population" of unix servers on the internet all "touch" one another, just like the population of all IIS servers "touch" one another.
That said, it hasn't really been a banner year for Linux/Unix/BSD worms. We've seen adore, l1on, cheese, ramen, sadmind/IIS, lpdw0rm, and x.c. Absolutely none of these worms ripped through the Linux/Unix/Solaris/BSD population. This is indisputable. The question is why does one population have resistance, while the other doesn't? I think the answer is diversity on four levels:
I sincerely doubt we'd see a very infectious worm like NIMDA even if Linux were a very common OS. A NIMDA style worm that propagates via email clients and web servers faces a bigger uphill battle in the Linux world than in the IIS world. For starters, there are way more semi-incompatible Linux distributions floating around - it wouldn't be uncommon to find a RH 6.x server would it? There's more variation in web servers, too: Apache, WN, thttpd and others all have a presence. That means that the web server vector has barriers to propagation, one buffer overflow won't cause every web server to become a propagation vector. One IIS buffer overflow caused the Code Red worm. There is more hardware variation: Linux runs on x86, SPARC, MIPS and Alpha CPUs. Shellcode to run on all 4 architectures would be difficult if not impossible. There are *vastly* more email clients in common use in the Linux world than in the Windows world: mailx, pine, elm, mutt, Netscape Communicator, balsa (?), etc etc. These various email clients don't share a common scripting language, address book, or even a common format for saved mail. Most if not all of them don't "launch" executable attachments. This would lend resistance to the Linux population.
In short, the monoculture of MSFT products (IIS, Outlook, Win32 and x86) is probably at fault for the Code Red, SirCam and NIMDA problem, not mere popularity.
Microsoft Software is more popular and so it gets hit more. If linux was just as popular you would see the same thing happen.
You wish. The MSFT-toadying media thought that x.c, a FreeBSD and Linux worm, was going to be the "Next Code Red". My machine got more hits from sadmind/IIS worm (Solaris) than x.c. C'mon, shill-boy, why aren't you toeing the Wagg-Ed line? The truth of the matter lies more in the fact that Windows is more-or-less a software and hardware monoculture. Any flaw in IIS affects *all* of the population. The Linux/Unix/BSD/Solaris population has much greater diversity: a flaw in the WN web server isn't going to affect sites using thttpd. Similarly, there are dozens of Linux email clients in use, from mailx to Pine to mh. I don't think there's a common scripting language amongst the diversity of Linux email clients, and I don't think *any* of them are dopey enough to execute "readme.eml" files.
People that dislike windows and love linux are the reason for this attack. It's these people that are writing the viruses and worms.
You've got to be kidding, right? Have you got any evidence whatsoever to back that up?
Stop trivializing the problem, Shill-boy. Of course I expect MSFT to have people use the APIs. MSFT programmers have to use them to do things like write the POSIX subsystem, write the login system.
Of course, if what you shill I mean say is true, then MSFT is keeping the native API under wraps because it's so crappy. That's not true, of course: there's some things you can do in the native API that you can't do in Win32. You can't clone a process's address space in Win32, so you can't emulate the Unix fork() system call in Win32. The POSIX subsystem does emulate fork(), so MSFT does use the native API.
But go on, tell me how to emulate fork() using Win32 calls. Tell me how to do things like write my own login service. Tell me how to cancel an outstanding asynchronous I/O request in Win32. Tell me how to do disk defragmentation using Win32 calls. Tell me how to write an IFS using Win32: I want to put my Solaris UFS disks on my W2K box so I can get rid of this expensive Sun hardware.
Really, you should read the URLs I put in my article. You don't have to believe me, you can believe Open Systems Resources, you can believe Mark Russinovich. Read the references I put in my last article before shilling further, and please, back away from the crack pipe.
The "secret APIs" are not a rumor. Notice the dates on these references, the secret APIs have been in NT all along.
MSFT hasn't hesitated to use the secret APIs either. From the July 10 InternetWeek: Microsoft has historically achieved market dominance by controlling APIs and forcing competitors to write software to Microsoft's APIs, then changing the APIs. "Instead of satisfying their own customers' demand, competitors are busy catching up with Microsoft," said IDC analyst Dan Kusnetzky.
From the October 8, 1998 NY Times: And Microsoft, the people added, did what it has always denied it does -- used access to its technology as a powerful lever in business negotiations, by offering Netscape preferential access to the Windows "application program interfaces," or A.P.I.'s, the links that enable other companies' programs to run smoothly on the Windows operating system. By turning down the deal, Netscape, they say, would not have that preferred access to Microsoft technology -- a threat that Microsoft fiercely denies making.
Think about it - can you, using only Win32, write all of the stuff that MSFT provides with NT/W2k? No. Clearly, MSFT keeps APIs to themselves. MSFT wants to allow itself the latitude to write faster, more functional programs than the ordinary developers can write. MSFT has proven time and time again that it will use secret APIs to its own advantage, or to the advantage of selected partners (Executive Software, for example). This practice is certainly bad for the consumer. Secret APIs raise the cost of entry into the NT system software market, which will keep out competitors, raise prices, and reduce choice.
Define "quality" before trying to make "quality" code. "Quality" doesn't mean one single thing. It can and does mean different things to different people. I've seen people use "conformance to spec", "fully documented", "feature rich", "crashproof", "fast", "easy to use", "surprising", "first to market", "bug-free" as all or part of what "quality" means.
Figure out what you mean by "quality", then find out what your boss means by "quality". You may be talking across each other. You might want to look at Gerald M Weinberg's Quality Software Management for a better discussion of the meaning of "quality". I'm not sure about the rest of the book, but the section on what "quality" means is relevant.
My other advice: ignore consultants and companies who peddle a Process (a process to reach SEI CMM level 5, or ISO 9000 status, for example) as a means to achieve "quality". They often leave "quality" undefined or vaguely defined because then they get to use opposing meanings as convenient. When convincing programmers to use The Process, quality consultants will use "bug free" or "speed to market" as the implied meaning of quality. When talking to managers, they use "feature rich", "on schedule" or "completely documented" as the implied meaning of quality. When talking to corporate leadership, they use "cheap", "speed to market" as meanings. Often, some tension exists between various definitions of "quality". "Cheap" often opposes "bug free" or "fully documented". "Feature rich" can oppose "high performance". "Speed to market" can oppose "fully documented". You get the picture.
I give away some software I've written because of simple economics: the cost of one or two or even 100 transactions is just too high. I'm not set up to charge people $150 for a SPARC assembler: I don't have a tax ID, I don't want a tax ID, I don't even want to know about taxes, I can't accept credit cards. The cost of getting set up to make the transaction would be too high. I could never recoup it.
Very specialized software for certain tasks will never have very many buyers. The cost of the few transactions will always put that software in some grey area where the writer may as well give it away.
This seems like an argument for micropayments, doesn't it?
Right now 64bit computing is simply for high end workstations and servers.
Oh, rubbish. I've had a 64-bit CPU running Linux for several years.
Under no circumstances could you consider my UDB a "high end" box of any sort. 64-bit computing is for whoever wants to fiddle with it.
If MSFT isn't a monopoly, what is?
Microeconomics textbook, 100% pure monopolies probably can't exist in a real economy, just like physics textbook 100% pure vacuums don't exist. A vacuum doesn't exist. Does that mean that the effects of a near vacuum don't exist? Don't be silly. A monopoly, like a vacuum, doesn't constitute a black-and-white, yes-or-no phenomenon. That's why the Sherman Anti-Trust Act isn't applied very often. Business entities that probably do constitute a monopoly under the Sherman Anti-Trust Act don't get prosecuted too often because it's simply too arguable to bother.
Non-religious economists recognize that "monopoly" is a matter of degree. Get a microeconomics text book from the bookstore, or borrow one from a roommate and read up on "monopoly power". Economists even have measures for monopoly power. Look for "Four-firm concentration index" and "Herfindahl-Hirschman Index". By either measure, the desktop computer OS market is one of the single most concentrated markets ever.
The reason why Microsoft OS and mail are attacked the most is simply because they are the most popular.
Rubbish. That's simply not true. Microsoft did illegally leverage its monopoly to get its products almost everywhere, that much is well known. But Microsoft also puts very few features in either OS or Outlook or IIS that could confer some sort of "immunity" on the host computers.
Suppose that someone discovers a buffer overflow in a server process that runs on almost all Unix platforms. Hey, wait! "telnetd" runs on almost all Unix platforms, and it's enabled by default almost everywhere. "telnetd" has just such a buffer overflow. Knowledge about the buffer overflow is everywhere, yet we don't see a worm resulting. Why not? Several factors - fractured hardware base. The exploit in question can crash Solaris and NetBSD SPARC telnetd, but can't really be used to start a root shell. HP's HP-PA architecture doesn't support executing code on the stack, so it's pretty much immune. The exploit works on x86 FreeBSD, Linux and NetBSD boxes, but not on OpenBSD boxes. A software "monoculture" doesn't exist, even amongst the same "group" of OSes. That goes double for "chainmails" like ILOVEYOU or SirCam or Melissa - many, many email readers exist, and they all act differently. Most Unix mail readers aren't dumb enough to "launch an application" by mere double-clicking, either.
What it comes down to, is that MSFT has put in place a "monoculture", and any flaw can be used to infect virtually every member of that monoculture's population. Unix, Linux, *BSD all comprise a "multiculture" both from software and hardware viewpoints. This amounts to vastly greater "resistance" to infection. And epidemiology shows us that infections don't become epidemics unless rate of infection vs rate of disinfection passes a certain level. Even the mild resistance of user IDs and permissions has kept Unix file infector viruses from any kind of prevalence.
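The threshold argument in the comment above (monoculture versus "multiculture", rate of infection versus rate of disinfection), as an added example that is not part of the original post: a simple SIR model of a random-scanning worm. The model itself, the rates and the 90%/20% vulnerable fractions are constructed assumptions chosen only to show the threshold.

```python
"""Epidemic threshold for a random-scanning worm (all numbers are constructed)."""

# Assumed parameters, not measurements of any real worm or network.
N_HOSTS = 100_000   # hosts reachable on the network
BETA = 0.5          # probes per infected host per step that would succeed
                    # if they landed on a vulnerable host
GAMMA = 0.2         # fraction of infected hosts cleaned and patched per step
SCENARIOS = {
    "monoculture": 0.90,  # 90% of hosts share the flawed software/CPU combination
    "diverse": 0.20,      # only 20% run the flawed combination
}


def r0(beta, gamma, vulnerable_fraction):
    """Basic reproduction number: hosts newly infected by one infected host
    before it is cleaned, while nearly all vulnerable hosts are still clean."""
    return beta * vulnerable_fraction / gamma


def simulate(n_hosts, vulnerable_fraction, beta, gamma, steps=200, seed=10):
    """Deterministic discrete-time SIR model of the outbreak."""
    susceptible = n_hosts * vulnerable_fraction - seed
    infected = float(seed)
    peak = infected
    ever_infected = infected
    for _ in range(steps):
        # Probes land uniformly over all hosts, so only the share that hits
        # a still-vulnerable host produces a new infection.
        new = min(susceptible, beta * infected * susceptible / n_hosts)
        cleaned = gamma * infected          # cleaned hosts are patched (removed)
        susceptible -= new
        infected += new - cleaned
        ever_infected += new
        peak = max(peak, infected)
    return {"peak": peak, "ever_infected": ever_infected}


def compare():
    """Run both scenarios with identical worm and cleanup rates."""
    results = {}
    for name, fraction in SCENARIOS.items():
        run = simulate(N_HOSTS, fraction, BETA, GAMMA)
        run["r0"] = r0(BETA, GAMMA, fraction)
        results[name] = run
    return results


if __name__ == "__main__":
    for name, run in compare().items():
        print(f"{name:12s} R0={run['r0']:.2f} "
              f"peak={run['peak']:.0f} ever_infected={run['ever_infected']:.0f}")
```

With the same worm and the same cleanup rate, the outbreak only grows when the vulnerable share of the population pushes R0 above 1; below that, the initial infections die out.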
The Cheese Worm seems to constitute exactly what you want. Cheese actually sought out Linux hosts infected by the Lion worm and removed any backdoor root shells from /etc/inetd.conf. Some say the Cheese Worm constitutes the first hack-of-a-hack known.
Another first for Linux and Open Source software!
An Internet driven by business, for business, would hardly have the appeal of the net as it exists today. It would be nothing but banners, keywords, affiliate programs, and all the other garbage that already makes the web so annoying.
I agree with your sentiment. In 1994, did people flock to the web (remember that old IBM commercial that had the nun saying she was dying to "surf the web"?) because of advertising and slick corporate marketing materials? Hell NO! The web took off because it was full of crap, truth, lies, gibberish and FAQs that other regular folks put together. CEOs and other pointy-haired morons often forget this reality. The web succeeded because, not in spite of, its hostility towards business.
This is more than just an opinion by some crank. An AT&T researcher named Andrew Odlyzko has written about this many times. His Content is not king article is the most accessible. Odlyzko has looked at the history of pricing of communications channels, too. More recently, the "Internet Enabled" cell phones have failed, while SMS text messaging phones have taken off, probably because the "Internet Enabled" phone depended on people wanting to view slick corporate marketing collateral, while SMS text messaging is popular because everyone can use it for their own purposes.
What you advocate is called "The Tyranny of the Majority". To a certain extent, all of us (people who notice) have an obligation to prevent actions and actors from harming the common weal.
Something like this obligation is what's behind successful systems of government that have representative democracies (USA, UK, Canada, etc). Sure, the vast bulk of the population thinks that minority X is evil, reproduces by laying eggs and prefers to eat boogers. Does that mean that the government has an obligation to sterilize all breeding-age members of minority X? No - just the contrary. The government has an obligation to educate the vast bulk of the population about the errors of their ways, and indeed, to prevent harm to members of minority X.
You also ignore a great evil when you blow off the harm that ubiquitous advertising causes. All advertising is a form of lying, adult US citizens are expected to disbelieve all claims made in ads. What do we learn from this kind of all-enveloping falsehoods? That it's acceptable behavior for sub-human marketeers like the TOPText people to insert their ads on my content without paying me for getting people to look at their falsehoods.
Please to note that many Linux distributions have done this for a long time, and not just a web server, either.
Well, that's a valid point except for the fact that the web server that many (most or all?) Linux distributions install is Apache. Apache has never exhibited the kind of unbelievable boneheaded security problems that IIS has.
Mathematician/Economist Andrew Odlyzko has studied this sort of issue extensively from economical and historical viewpoints.
You might want to look at:
"The bumpy road of electronic commerce" paper deals extensively with why micropayments won't happen.
throx writes: I am a person. I would use smart tags if I got to control what filters were enabled and what wasn't.
You just narrowed the group of people that you talk about from "everyone" to "throx". The narrower statement is a whole lot truer than People want to be able to enrich their web surfing, the statement that I did quibble with. I quibbled with it because it was a huge overgeneralization.
throx goes on to write: You're implying I'm not a person? No indeed. I merely pointed out that there's a difference between "everyone" and "throx". But when you wrote People want to be able to enrich their web surfing, you implied that I wasn't a person, because I wouldn't use Smart Tags, as near as I can tell from press descriptions of Smart Tags.
And no, my quibbling with your original statement was not a strawman argument. Your original statement was a counter-factual overgeneralization. Deal with it, rather than accuse me of your own logical fallacies.
Does anyone really expect Ashcroft to pursue Microsoft?
Well, yes. Gates testified in front of the U.S. Senate Judiciary Committee in 1998, and Ashcroft said things like this: