Slashdot Mirror


User: omnirealm

omnirealm's activity in the archive.

Stories: 0
Comments: 181

Comments · 181

  1. Re:Okay . . . on SCO Demands Linux 2.7 Information · · Score: 1

    there is no guarantee that IBM doesn't have cathedral style GPL'ed development going on. They might be preparing to drop new code in the next version of the Linux kernel

    From my personal observations, IBM Open Source Software developers tend to target distro releases rather than kernel releases, and they also tend to go with the ``release early, release often'' strategy.

  2. Overlay Routing on Tier One ISPs Dying · · Score: 4, Informative

    This sort of event provides motivation for overlay routing schemes, which can compensate for major outages along various routes of the backbone:

    http://www.usenix.org/events/nsdi04/tech/full_papers/subramanianOver/subramanianOver.pdf
    http://www.eecs.umich.edu/~farnam/pubs/2005-hwj-infocom.pdf

  3. Re:why didn't I know about it? on This Year's Ottawa Linux Symposium Covered · · Score: 3, Informative

    I didn't know about the Linux symposium. I would have gone.

    The kernel summit is by invitation only

    The Kernel Summit is a separate event that occurs the week before the Ottawa Linux Symposium. The Kernel Summit is invitation-only. In contrast, anyone who buys a ticket can attend OLS. Most of the developers (except, notably, Linus) who attend the Kernel Summit also attend OLS. Typically the opening speech at OLS is a summary of what decisions were made at the summit. The summit is where the real near-term hard decisions are hashed out; OLS tends to focus on emerging technologies and has less of an influence over the near-term direction of the core kernel development.

  4. Proceedings on This Year's Ottawa Linux Symposium Covered · · Score: 3, Interesting

  5. Re:Software Encryption (or Destruction) Instead? on Death On Demand Drive Tech · · Score: 2, Interesting

    Software encryption is slow. Plus it requires a whole PKI infrastructure for large system deployments. That can be a nightmare for military operations.

    My cryptographic filesystem addresses this problem:

    http://sourceforge.net/projects/ecryptfs/

    It's got a pluggable PKI interface to facilitate integration into enterprise environments. But if all you need is plain old passphrase-based protection, it provides that too. It has Trusted Platform Module support, and it will soon have GnuPG support.

    It's currently in the "experimental" stage, and will be for the next couple of months (or over the next year, depending on how the Linux kernel community treats it :-), but it implements almost the entire UNIX filesystem semantics at this point and is pretty stable. Anyone who is interested in transparent cryptographic filesystems with strong key management and policy capabilities might want to keep an eye on this. And if you're in the mood for testing and/or contributing patches, please do. :-)

    Other crypto filesystems for Linux that I recommend include dm-crypt (it comes w/ the 2.6 kernel), EncFS, and CFS. Google around.

    That said, this self-destruct hard drive is a pretty good idea in some cases, for reasons stated elsewhere in this thread. It's hard to apply "rubber hose" cryptanalysis on the user when the media itself is irreparably damaged. The real trick is to get this technology ubiquitously deployed, so that the very fact that you are using it does not arouse suspicion. The next trick is to prevent "false positives." Try explaining to a CEO why his critical documents are toast because some $8-an-hour IT intern inadvertently caused his hard drive to disintegrate.

    Should the price tag drop by an order of magnitude and the false positive stats be low enough, I might consider getting one of these drives. Until then, I think that financial markets, military units, and other such high-risk/high-value will find these drives to be a worthy investment. I'm largely concerned with addressing the problem of some random crooks stealing my equipment, so good old fashioned crypto w/ a decent key protection scheme will do well enough for me.

  6. Re:My first exposure to list ( and a mirror of boo on Practical Common Lisp · · Score: 5, Funny

    Whenever I think of Lisp, I'm transported back in time to 1975 where I'm trying (unsuccessfully) to learn this as my 2nd programming language after Fortran IV (on a DECsystem-10, no less).

    I've heard it said that someone just learning how to program can pick up Lisp in a day. If you happen to already know Fortran, it will take two days.

  7. BSD Secure Levels on The Planet's Most Moronic Hacker · · Score: 1

    Now, I system immutable flag all my important files that I don't want to change if some script kiddy does happen to get into my OpenBSD box.

    FYI, I wrote a module for Linux that does this same thing (BSD Secure Levels). It will let you set the IMMUTABLE flag on files, and then when the system is in an elevated secure level, not even the root user can unset the flag. It's in kernel versions 2.6.10 and later. Here is an article about it.

  8. Re:Sunk cost on Free Software on a Cheap Computer · · Score: 2, Interesting

    Yes, but very few people own a Mac Mini, so in most cases there is no sunk cost. So the question really is it worth it to buy a computer with an OS you intend to replace.

    That's a different scenario than what the poster presented (he used the phrase already paid). Now if you're wondering whether or not to buy a Macintosh machine, and if you intend on running Linux, then you should ignore the fact that the Mac comes with MacOS X, because there is nothing you can do about that. Of course, you could always complain to Apple, telling them that you are not buying their hardware because you feel that you are constrained to pay extra for an OS that you don't want, and that may get you somewhere, if enough people do it long enough. For many Linux users, having a decent piece of POWERPC hardware offsets the surcharge of MacOS X, assuming there even is one.

    It may actually cost Apple more in terms of changing their manufacturing and business processes to *exclude* MacOS X from the machines at this point, so removing MacOS X from the machines it ships may *raise* the price of the units; business economics is funny this way.

  9. Sunk cost on Free Software on a Cheap Computer · · Score: 5, Insightful

    If you can't, then what's the point? You've already paid for an OS

    When making decisions about your future actions, you should not take into consideration what you have already spent. That's a sunk cost, and it can only serve to bias your decision. Rather, you should be considering, from where you stand right now, what your best options are for the future. This is why companies will spend millions on building a new facility, only to abandon it one month before completion. They do this because they figure that they will wind up losing more by continuing to dump time and effort into the facility, so what's the point?

    If you get more usability, security, performance, or what have you, out of Linux than you do out of MacOS X, then it does not matter whether or not you have already paid for MacOS X. That has nothing to do with what operating system you should be using from this point forward.

  10. Job and Prometheus on Early Earth Atmosphere Favourable to Life · · Score: 1

    Wow since you have so much faith in the scientific process, I invite you to answer God's questions in Job 38-40.

    Ah, yes. One must wonder just where the book of Job came from. It's about the closest thing we get to Eastern mythology in the Bible. There is no justice in that story. Justice is not an attribute of the universe; it is an entirely man-made construct.

    When Job petitioned God for an explanation for what had happened to him, what did God say? ``Gee, I'm really sorry, but you see, there was this bet that I made with the devil, and well, I had to do all this to you in order to win the bet...'' No! God simply said, in a beautifully poetic manner, ``I am great! (Canst thou draw out leviathan with an hook? or his tongue with a cord which thou lettest down? Canst thou put an hook into his nose? or bore his jaw through with a thorn?)'' There is no apology, no explanation. Simply, the almighty deity smiting his creation, demonstrating the fact that He is God.

    At that, no Greek would have done what Job did. Just look at Prometheus. Pinned down, in desperate dependence on Zeus's mercy, yet in his predicament, he shakes his fist at the mighty god, ``I care less than nothing for Zeus; let him do what he wants!''

    My apologies for the off-topicness here, but I get a kick out of mythology. I think the trouble with most religious types is that they read their scriptures like they read the morning newspaper. You really don't get much out of it by approaching it that way. That's not how the scriptures were written. They are meant to be read like poems, because that's just what they are.

  11. From one of the engineers... on SUSE Awarded EAL4 Certification · · Score: 5, Informative

    Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.

    It's really a matter of money and time.

    And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.

    Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.

  12. We won't have a choice on Engineered Enhancers Closer Than You Think · · Score: 4, Interesting

    Nanobots injected in our bloodstream will complement our immune system.

    Actually, I do not think we will have a choice in the matter on this one. Before too long, there will be hostile (or just poorly designed and self-replicating) nanobots that will kill us when they get into our bodies. We will need some sort of immediate defense against this new threat; if anything, an outbreak caused by a malicious type of nanobot will spur the development of the nanobot that complements our immune system and defends against the malicious nanobot. This sort of thing has long been addressed in science fiction novels, but it seems like something that is closer than we might imagine.

  13. Re:Security, et al on Sun-isms Debunked · · Score: 3, Informative

    As one of the core IBM engineers involved in the CAPP/EAL certification effort for SuSE Linux Enterprise Server, might I take the liberty of interjecting some facts here*.

    Myth:

    A version of SuSE Linux (with help and funding from IBM) has been certified by the NSA as secure under the "Common Criteria" at about the same sort of level as Windows NT. This was on a PC I believe. No other platform for Linux, and no other distribution of Linux, has been certified.

    Fact:

    We certified SLES 8 at CAPP/EAL3+. The NSA had absolutely nothing to do with it. In fact, we are currently not even including SE Linux in any of the security Target-of-Evaluations (TOE); even though it is a cool technology, it is not a requirement for CAPP/EAL4. A private certification lab, BSI, is the certifying body. EAL3 is one level below where Windows NT currently is (EAL4), but we are working on getting SLES 9 EAL4-certified at this very moment. Oh, and we certified across all major IBM platforms simultaneously, not just x86: pSeries, zSeries, xSeries, and iSeries. The only fragment of truth in your statement is that, so far, we have certified only one distro, but we are currently in the process of certifying RHEL. In addition, we have released all of our certification code as Open Source Software, to enable others to certify their Linux distributions more easily.

    As far as your "10,000 Linux coders" figure, the entire IBM Linux Technology Center is comprised of about 600 employees.

    * These comments represent my own, and not necessarily those of my employer, IBM. There was just too much misinformation written here for me to let it slip by uncorrected.

  14. TAA (This Ain't Astroturf) on No Noise PC Reviewed · · Score: 2, Informative

    Up until last week, my Athlon XP machine sounded like a vacuum cleaner. Between the two fans in my 400 watt power supply and the CPU fan buzzing at 7200 RPM, it was atrocious. I finally got around to purchasing a new ``quiet'' heatsink and fan (copper, ~2700 RPM), but unfortunately, my case was designed for an old slot P-III, which meant that the fan was almost flush against the bottom of my power supply (although there were slots in the side of the fan casing for air to come in through). I got I2C sensor support compiled into my kernel and watched as my CPU temp varied from 65 to 80 degrees Celsius (as I taxed my processor). Soon, paging errors started creeping in, and the kernel would send my applications into la-la land.

    I weighed my options: new CPU heatsink/fan that leaves some room between it and the power supply, underclock my current CPU (going from 1690 to 1250 MHz lowered my CPU temp by 10 degrees C), or try a new case.

    At that point, I ran to Fry's and picked up one of those Altec Sonata Quiet cases (the one with a fan in the back of the unit with the 30 dollar mail-in rebate). Lots of room above the CPU fan. Now the only noise I hear from my workstation comes from the hard drives, and my CPU runs at a cool 40 degrees Celsius! That's a 20 degree difference, just by getting a decent case. A quality case and power supply do wonders for keeping a system quiet, cool, and stable. Now I need to do something about those annoying blue LED's...

    Oh, and TAA (This Ain't Astroturf). Really! :-)

  15. Irony on Lindows Allowed to Use Company Name in Holland · · Score: 4, Insightful

    ...the latest Michael's Minutes from Linspire pegs all the blame for virus problems on Microsoft and basically says that Linux (well, Lindows anyway) is the cure.

    The irony of this statement is that Lindows will probably be one of the driving forces in getting Linux viruses popular. By marketing the software to those who are less computer-savvy while making the root user the default user, Lindows is opening up the door for some nasty widespread security exploits. Some of the reasons why viruses have not been a problem under Linux so far have been smaller desktop market penetration, heterogeneity, the computer literacy of those who run Linux, and the restricted account privileges of the user. Lindows threatens all of those factors.

  16. Cryptanalysis requires more data on Cryptic Code Stumps Experts · · Score: 5, Insightful

    The entropy of the English language is 1.5 bits per character (as an example; other languages have other entropy characteristics). When performing cryptanalysis on ciphertext derived from English plaintext, the cryptographer can determine whether or not he has achieved successful decryption by calculating this entropy on the result. The accuracy of the entropy derivation depends largely on the quantity of the data used to calculate the entropy.

    It appears that the message D.O.U.O.S.V.A.V.V.M. does not carry near enough information to derive any meaningful statistical information of the sort. This means pretty much that any potential decryption is as good as any other. In the worst case scenario, this message is the result of a one-time pad, in which case it is completely futile to attempt to decrypt it; even if P is proven to be equal to NP, one-time pads still maintain their security, since all possible decryptions are equally probable. Perhaps some information can be gleaned from the context of the message (the fact that it is either Latin or Greek and based on some historical happening).

    In any case, I get the feeling that this particular puzzle is going to be eternally unsolved. There will be plenty of equally feasible decipherments based on defendable premises, but we will never know for sure.

  17. Re:Passwords and memory on Giving Up Passwords For Chocolate · · Score: 4, Interesting

    I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in.

    I do the same thing. I base my passwords on a pattern of keys on the keyboard. I was haplessly surprised earlier this year while I was on vacation in Europe, when I realized that the keyboard on the hotel terminal had a different key mapping than the one I based my password on! :-( It took me several minutes just to remember what all the keys would have been on a US keyboard and then alter my pattern just to be able to type in my password...

    Yes, I know I probably could have changed the key mapping in the operating system, but it was a Windows machine, and I only know how to use xmodmap.

  18. Freedom to Publish on Comcast Targets Internet "Abusers" · · Score: 1

    From the article:

    "Many run Web servers or offer copyright music or videos."

    I am disturbed about the innuendo that morally equates distributing copyrighted materials (that, presumably, you do not have permission to distribute) with running a Web server. The undeniably greatest benefit that the Internet brings to us is the ability to be our own publishers, without having to try to push through an oligopoly of radio broadcast stations or television networks. We can offer any views on any subject; we can be our own content distributors. The Internet provides us with a way of making information available to others via any distribution methodology we see fit (web server, IRC, P2P, or anonymizing programs like Freenet, mixmaster, etc.). The freedom to distribute content from our own machines using any program is a freedom that we need not make excuses for exercising; in fact, we should expect and demand it!

  19. EAL Certification on Will Security Task Force Affect OSS Acceptance? · · Score: 2, Informative

    Let us not forget that the IBM Linux Technology Center has certified a Linux distribution (SLES 8) under the Common Criteria Evaluation Assurance Level 2, and they are currently working on EAL 3. This qualifies a Linux distro, composed largely of Open Source software, to take part in bids on certain security-sensitive government contracts. This sounds just like the kind of assurance that this security task force is looking for.

  20. Surveys Circumvent FCC Regulations on Will Cellular Phones Skew Survey Results? · · Score: 2, Interesting

    I have a brother-in-law who sells vacuum cleaners. He told me that his company sets up sales appointments for him. I asked him how his company finds these people, and he responded that the company starts out with a "survey" call. If "they qualify," then they will get a second phone call asking if they would like a visit from a company representative to tell them more about these vacuum cleaners.

    This company argues that those who participated in the initial survey have a "prior business relationship" with the company, and so even if they are on the National Do-not-call Registry, the company can still make a soliciting call to them. The survey is just a front to get around FCC regulations. Hence, I personally will never respond to a survey call, because I cannot trust the intent of the survey-takers.

    On that note, I got a call on behalf of my local state trooper organization a couple of weeks ago. After some small talk, the guy on the phone asked, "We offer a $45, a $50, and a $60 contribution amount to the state trooper fund. Which of these amounts would work best for you?" Well, first of all, I *hate* coercive questions. I told him, "I don't know; I'll have to think about it." He responded along the lines of, "Well, we do have a minimum contribution option of $15. Why don't I send you a letter about this, and you don't have to commit to anything at the moment." Okay, whatever. So I got a letter in the mail thanking me for committing to giving them money, and I noticed (in small print) a mention of thanks for this telemarketing company for helping the state troopers raise these funds.

    That did it for me. Under no uncertain circumstances will I ever deliberately justify a telemarketing firm's existence. Part of my contribution would go to help support the telemarketers. I shredded that letter on the spot, and when that marketing firm calls again, I'm going to tell them in a very unpleasant way exactly why they never heard back from me (hint: it will probably emphasize exactly what I think about telemarketing types).

  21. I for one... on Martial Arts Robots · · Score: 2, Funny

    I for one welcome our new kung-fu robotic overlords!

  22. Re:A pointless endeavour... on Y: A Successor to the X Window System · · Score: 1

    It's a final year project. Sorry, but this guy's just an undergraduate student, no offense but I find it highly unlikely he can come up with something superior to X, QT and GTK (all of which this system supposedly replaces) in a year of work.

    Kerberos was invented by an undergrad.

  23. Re:Why? on Knoppix 3.3 Is Out · · Score: 1

    >> It denies you root access

    > Try Ctrl+Alt+F2. Replace F2 with F5 to get back to GUI screen.

    Or just sudo bash.

  24. I am waiting for the day... on Microsoft Offers A DRM Patch · · Score: 1

    Thus far, I have been able to get along with everyone else in the world by using Mozilla and OpenOffice. Both projects have done very well providing compatibility with files formatted for proprietary platforms (HTML for IE, .doc attachments, etc.). I can communicate with my friends, family members, co-workers, bank, etc. without any real inconveniences.

    I have been able to use Free Software while acting as a functional unit of society. This has been possible because of reverse engineering efforts by members of the Free Software community. The problem is, reverse engineering can only go so far.

    With this whole DRM thing, I am just waiting for the day that I receive a .doc attachment that I simply cannot read, not because the format cannot be reverse engineered, but rather because I do not have the keys to decrypt it. Obtaining those keys or circumventing the "copy protection scheme" is against the law thanks to the DMCA.

    This is the breaking point. This is where those who use Free Software are left with no recourse. We cannot simply reverse engineer the file formats or find ways around the technology, since that will make us criminals. Now, when my insurance company sends me a DRM'd .doc file, or my bank requires that I run a DRM'd web browser to do my online banking, I am left with no choice but to refuse to do business with them.

    I will not be coerced into running non-Free software or allowing some third party to exercise exclusive control over my own private property (my computer equipment). The DRM thing is about the closest thing that I can think of that reflects the "Mark of the Beast" that is spoken of in the book of Revelations in the Bible - those without the mark (read: DRM) will not be able to engage in commerce in society (even if you don't believe that the Bible is true, this is an interesting literary reference). I don't mean to sound apocalyptical or anything, but I thought that this parallel was just too uncanny to be left unnoticed.

    I for one am prepared to go through some personal inconveniences on the basis of principle here. The minute someone demands that he wrest control of my computer equipment from me as a precondition for communicating with me, I will refuse to communicate with him. I will make it very clear that my freedom cannot be so easily relinquished.

  25. Re:What about port 25? on Should ISPs Be The Little Man's Firewall? · · Score: 1

    There is no reason for a consumer level access user to need to run their own mailserver, and in fact almost none do (on purpose).

    Speak for yourself. I've got a cheap $35/mo. consumer-level DSL connection through SBC (it's down to $30/mo. now) with a dynamic IP. I would like to be able to create an arbitrary number of mail accounts (for family and for spam protection; by running ``useradd -m username''; no hassles, please) and run my own web server, with my own plugins (eRuby, etc.) and with as much storage as I am willing to put on the machine, with root access on the box so I can install whatever I feel like using, while avoiding any recurring monthly fees with any ISP.

    I use Dyndns to handle the DNS mapping for my domain to whatever my IP happens to be (it changes fewer than 3 times a year anyway). I picked up a $29 Pentium II machine from a discount electronics store and put Debian stable on it over a weekend. A script (ddclient) does automatic updates with Dyndns when the IP changes. It serves as my firewall/NAT server, my mail server, and my web server. I have Squirrelmail running on the thing with apache-ssl to provide secure web access to my account. I don't have to use Hotmail or Yahoo to have web access to my e-mail, with their tacky advertisements at the bottom of the messages that are sent from them. I am running uw-imapd with stunnel to allow remote IMAP access to e-mail for my family members who want it, but I usually just SSH in and use mutt.

    It runs cron-apt and is configured to do automatic security updates from Debian's security apt repository. SBC's DSL connectivity, at least in my area, is outstanding. I don't recall ever having downtime. I like being able to handle my own domain and to have no middlemen messing with the e-mail messages sent to me. I like not having to pay recurring fees to ISP's to provide servers; I can do it all from my own $29 server for no additional charge.

    In fact, I would not be surprised if there were a market for $49 boxen that could easily be set up on people's DSL lines to do exactly what my own custom-built box does (firewall/NAT, mail, web) with no recurring ISP fees.