If they replaced the systems with the latest HP workstations, doubtless they'd see a great speed increase as well. It's not exactly newsworthy to read 'company upgrades systems with newer systems and they are faster than the old ones'.
How about the fact they replaced $30,000 HP/UX PA-RISC systems with $5,000 Linux/i386 systems and were impressed with the upgrade? Actually these numbers are made up, but are the rough size of the price difference.
More on that custom software, it was a windows program to generate content for the NHS Trust intranet site that they were required (by NHS IA and the UK govt's e-Envoy) to have.
When I did a presentation the doctors and admins were really excited about it. Not about our software or the intranet, but they thought this meant that the dumb terminals that they had in their offices or work areas were going to be replaced with PCs. To their disappointment they weren't. No budget was allocated for PC upgrades. So they had an intranet and windows software, but mostly dumb terminals with no web client.
One hospitial I visited had a Wireless Access Point (likely with no security enabled) but not any laptops. It was purchased for when the NHS executives visited the site, which is about once a year.
The NHS is a shining example of how IT projects should not be run.
Many of the patient electronic records information systems are already Unix based (Data General's Unix DG/UX, Solaris, SunOS, Digital Unix/Tru64, SCO UnixWare, HP/UX, and I think we few others I forgot). I use to develop one of the major ones.
When I joined one of the private companies which only provides medical IS software, I wasted a month realising that the Linux based solution I was developing wouldn't be accepted because the NHS Trust wanted a Windows based solution. So I spent a week trying to understand and get actual prices and sources for discounted licenses for Microsoft's server software. A quarter of the budget for this project involving custom software went to Microsoft license fees.
The reason it had to be Windows? A serious systemic lack of resources and skills. Any IT personnel working for the NHS who has enough skills to administer a Unix machine (or has actually completed their MCSE exams even) ends up taking a better paying job elsewhere. So the NHS Trusts end up relying on untrained IT staff and nurses who have moved into IT to get away from shift work. Nevermind the fact there was a 2 to 1 ratio of managers to tehnical staff (yes, 2 managers, 1 system administrator).
I have never seen such a screwed up system on such a large scale before. It is almost impressive just how broken the NHS IA / IT is.
To 'develop and analyze forecasts' like the guys you see on TV, all you need is a degree in Broadcast Meteorology.
Let's just say I don't own a TV, so I didn't even consider the possibly of wanting to be a "TV weather bunny".
To be an "original source" meteorologist (work done at any national weather buro e.g. UK Met Office, MWS/NOAA, MSC/EC, basically any WMO member) you need plenty of education.
To point out Detroit on a map, and read from a teleprompter you need a degree in Broadcast Met.
If I was TV, I'd have to wear pants.:-p
Re:Is it me, or is this story...
on
RSA-576 Factored
·
· Score: 4, Informative
attracting only comments from old troll accounts?
No one knows anything about how you go about factoring huge composite numbers...
Mathematics has the problem that the general population has listened to claims that "math is hard" and has learnt to ignore any attempt at understanding mathematics beyond useless trivia and professional sports statistics.
To help make some sense of what they are discussing:
A few months ago I wanted to putz around with some hourly temperature data covering a year or so for a couple of cities. Since this data is produced by the National Weather Service
Other than their data for Canada (or any non-US site) may be up to 45-50 minutes late because they used publically accessible data via NOAA.
The most accurate and up to date source of Canadian weather data free for the public is via weatheroffice.ec.gc.ca. Data delays are roughly 5 minutes or less "from the wire."
The Weather Network (in Canada) are poor at not updating their forecasts and not cannot beat the source of their raw data, Meteorological Service of Canada (MSC) Environment Canada.
SELinux is not a distribution, it is a Role-Based Mandatory Access Control project for Linux (the kernel). It is mostly just kernel and a few tools. If you go to the Download page for 2.6 you will see the patched kernel and related userland tools.
I had an 18 month project at a major international investment bank, helping them put together their firewall/network security team. ...and fear of leaving a paper trail (hence formality) of email...
Am I the only one who noticed the potentially illegal attempt at bypassing the legal paper trail required by law?
Yes, that's exactly what I had in mind - thanks. Take a stock kernel, write your own drivers specific to your widget, and release a binary.
In this case the kernel would be GPL, but stock. You can get it anywhere. Your drivers would be non-GPL. They're your own business. Aren't they?
Stock or vanilla kernel is a red herring. The GPL requires those that distribute binaries (i.e. the linux kernel - vmlinuz) provide either the source code with the "product" (the thing with the binary executable code), or a written offer to customers to provide source at a reasonable cost (cost of media/shipping typically, or free via the Internet) of all GPL licensed code including the linux kernel.
Based on such a weak understanding, I suspect you need to at least some essays at FSF's web site before releasing a product. Things get tricky with binary loadable modules distributed as object code with a source code wrapper, that are added into the linux kernel.
It has been trialled enough times around the world with no critical mass of market share that like the video-telephone it will not successfull ever.
A large scale roll out will more likely than not generate unacceptable (according to existing law, of unlicensed and in this case unintended radiators) intereference with various licensed spectrum users including government, military, and amateur voice and data communications.
Handles 3d hardware acceleration fine for my ATI 9500 card, but no 3d for my 9700 pro (5 install attempts and dozens of fixes) I will not give up... Must..get...CWET...working.
Try XFree86 CVS HEAD version, or look at the latest snapshots from XFree86 or mirrors.
Well the last 3 places I've lived, including in rural Canada, a cinema that offered independent films (for the adult mind) was within 15 minutes of travelling. In all cases there were less than 5 minutes difference from a mainstream cinema, and all have a better film going expereince (no crowds of noisy teenagers more interested in being cool than seeing the film).
The cost? Always less than seeing a mainstream film.
The screen, well The Cambridge Arts Picture has a nice large high quality screen with THX sound system, while I admit the Acadia Coop and Vogue Cinemas are smaller than the nearby multiplexs' large screens. This are not basement operations, they are real old fashioned theatres (at least one was a live stage theatre at one point in history).
Amelie (or Le Fabuleux destin d'Amelie Poulain), South of Wawa, Jean de Florette, Chocolat, and depending on how you class it, Fargo.
These films have emotions, but are all fairly upbeat or are overall happy. Independent films do trade emotions and acting for special effects which their much smaller budgets cannot afford. To start with try Amelie and Chocolat.
Goodness, just stop putting with with the bad plots, where the story is second to the selection of actors. Stop putting up with canned endings, and weak story lines, where you know the entire plot by watching a 30 second ad.
SELinux is about mandatory access controls and control policy enforcement. See the SELinux FAQ for more info about SE Linux.
Sebek (now version 2) is an kernel level logger. It does not stop users from doing anything. In fact if it did, that would make it useless for its primary job, as a tool for building HoneyNets, an controlled network of systems designed to be compromised by attackers, and the methods (and related) studied by security geeks.
Which seems to be his problem. Why didn't they listen to him? The fools. The fools!. Listen to Peter (sigh) or be dooooomed. Thus the advice to take a chill pill.
Excellent. So if open source developers don't feel don't feel like fix security flaws, tell the users to "take a chill pill".
In the "real world", you tend to get what you're prepared to pay for. If you're just "using" open source projects, then you're a parasite. Good luck and all, but if the reason that the GPL insists on a disclaimer of warranty is, well, you.
Well I used quite a bit of Open Source, and frankly I don't have time to audit all the source code. I haven't measured exactly but I would not be surprised if the amount of source in a typically Linux distribution was more than 1GB, which would take any one person or company a long time to audit. So, yeah I do use a lot of open source software that I don't have the time to audit. I have to trust the developers, and that others are auditing various bits and pieces of it, on top of my own auditing.
Why am I a parasite? Because I use Open Source software Linux, Apache, Perl, Mozilla, GCC, etc. at work? Or because I expect any open source software that claims to be secure, at least makes a reasonable attempt to fix weaknesses that are pointed out to the maintainers?
So Peter Gutmann tries to do the right thing, and help the project developers fix security flaws in their projects, and they go "take a chill pill" back to him. That does not bode well for the idea that open source projects are more secure because of the "many eyes, source available" mantra which recited on Slashdot whenever a closed source product/project has a security weakness.
I'll assume that you're talking about the open source projects mentioned. Now, in theory I agree with you, but in the "real world", if you believe marketing blurb when you have the opportunity to verify or refute it yourself, then, well, good luck again.
Are you saying it is okay for open source projects to ignore security experts who take the time to point out weaknesses?
I understand that some projects need time to fix all the flaws, -- not full-time paid open source developers and all that -- but others like tinc seem to be trying very hard to pretend there is nothing wrong with their software.
Nevermind that the developers did not take the time to learn about cryptography and security engineering before developing any of these. All of the cited projects contain well-known high-level flaws. If the developers had of looked at the attacks against earlier versions of SSH and SSL, they could of saved themselves a lot of trouble.
The not-invented-here syndrome which is common in all software development, including open source development, not only makes software engineering look like a failure -- it works against the security engineering principles of using well known and tested designs in security / cryptography products / projects.
Very creative! But, since when did Alice have Mallory's public key?
No, it is a textbook attack.
Mallory could be a compromise host, a double-crossing node, a social engineering attack to get Alice to accept Mallory's public key, or any number of non-cryptographic actions.
So as Peter and I have claimed, it is possible to play a grand chessmaster attack against Alice and Bob with tinc's protocol.
Slashdot Mirror
Are the NWS guys likely to contribute back to the OSS scene? I doubt it.
Unsure about NWS, but I know Environment Canada employs (former?) kernel hackers.
If they replaced the systems with the latest HP workstations, doubtless they'd see a great speed increase as well. It's not exactly newsworthy to read 'company upgrades systems with newer systems and they are faster than the old ones'.
How about the fact they replaced $30,000 HP/UX PA-RISC systems with $5,000 Linux/i386 systems and were impressed with the upgrade? Actually these numbers are made up, but are the rough size of the price difference.
More on that custom software, it was a windows program to generate content for the NHS Trust intranet site that they were required (by NHS IA and the UK govt's e-Envoy) to have.
When I did a presentation the doctors and admins were really excited about it. Not about our software or the intranet, but they thought this meant that the dumb terminals that they had in their offices or work areas were going to be replaced with PCs. To their disappointment they weren't. No budget was allocated for PC upgrades. So they had an intranet and windows software, but mostly dumb terminals with no web client.
One hospitial I visited had a Wireless Access Point (likely with no security enabled) but not any laptops. It was purchased for when the NHS executives visited the site, which is about once a year.
The NHS is a shining example of how IT projects should not be run.
Many of the patient electronic records information systems are already Unix based (Data General's Unix DG/UX, Solaris, SunOS, Digital Unix/Tru64, SCO UnixWare, HP/UX, and I think we few others I forgot). I use to develop one of the major ones.
When I joined one of the private companies which only provides medical IS software, I wasted a month realising that the Linux based solution I was developing wouldn't be accepted because the NHS Trust wanted a Windows based solution. So I spent a week trying to understand and get actual prices and sources for discounted licenses for Microsoft's server software. A quarter of the budget for this project involving custom software went to Microsoft license fees.
The reason it had to be Windows? A serious systemic lack of resources and skills. Any IT personnel working for the NHS who has enough skills to administer a Unix machine (or has actually completed their MCSE exams even) ends up taking a better paying job elsewhere. So the NHS Trusts end up relying on untrained IT staff and nurses who have moved into IT to get away from shift work. Nevermind the fact there was a 2 to 1 ratio of managers to tehnical staff (yes, 2 managers, 1 system administrator).
I have never seen such a screwed up system on such a large scale before. It is almost impressive just how broken the NHS IA / IT is.
To 'develop and analyze forecasts' like the guys you see on TV, all you need is a degree in Broadcast Meteorology.
:-p
Let's just say I don't own a TV, so I didn't even consider the possibly of wanting to be a "TV weather bunny".
To be an "original source" meteorologist (work done at any national weather buro e.g. UK Met Office, MWS/NOAA, MSC/EC, basically any WMO member) you need plenty of education.
To point out Detroit on a map, and read from a teleprompter you need a degree in Broadcast Met.
If I was TV, I'd have to wear pants.
attracting only comments from old troll accounts?
No one knows anything about how you go about factoring huge composite numbers...
Mathematics has the problem that the general population has listened to claims that "math is hard" and has learnt to ignore any attempt at understanding mathematics beyond useless trivia and professional sports statistics.
To help make some sense of what they are discussing:
Some factoring theory and source code by Paul Herman and Ami Fischman.
From RSA Labs' FAQ - What are the best factoring methods in use today? a fairly technical but readable description of advanced factoring algorithms, and What improvements are likely in factoring capability?
The best non-commerical meta-site is the WMO - World Meteorology Organaization's World Weather site.
What kind of education is required to get a job developing and analyzing the forcasts? Would a CS master degree suffice?
How to feel about CFD? Enjoy PDEs?
Typically you need a 4 year (applied) physics degree and a 1 year diploma of meteorology or a degree in meteorology.
Or Ask these guys - met career
meteoroglogists are also members of a professional organization (the name escapes me)
American Meteorological Society I believe is the group you're referring to.
A few months ago I wanted to putz around with some hourly temperature data covering a year or so for a couple of cities. Since this data is produced by the National Weather Service
Did you try the National Climatic Data Center?
I found the data for $10 (Climate Data Online, NCDC) for a download.
Try poletopole.org
Other than their data for Canada (or any non-US site) may be up to 45-50 minutes late because they used publically accessible data via NOAA.
The most accurate and up to date source of Canadian weather data free for the public is via weatheroffice.ec.gc.ca. Data delays are roughly 5 minutes or less "from the wire."
The Weather Network (in Canada) are poor at not updating their forecasts and not cannot beat the source of their raw data, Meteorological Service of Canada (MSC) Environment Canada.
-SELinux - security above all else
SELinux is not a distribution, it is a Role-Based Mandatory Access Control project for Linux (the kernel). It is mostly just kernel and a few tools. If you go to the Download page for 2.6 you will see the patched kernel and related userland tools.
I had an 18 month project at a major international investment bank, helping them put together their firewall/network security team.
...and fear of leaving a paper trail (hence formality) of email...
Am I the only one who noticed the potentially illegal attempt at bypassing the legal paper trail required by law?
Yes, that's exactly what I had in mind - thanks. Take a stock kernel, write your own drivers specific to your widget, and release a binary.
In this case the kernel would be GPL, but stock. You can get it anywhere. Your drivers would be non-GPL. They're your own business. Aren't they?
Stock or vanilla kernel is a red herring. The GPL requires those that distribute binaries (i.e. the linux kernel - vmlinuz) provide either the source code with the "product" (the thing with the binary executable code), or a written offer to customers to provide source at a reasonable cost (cost of media/shipping typically, or free via the Internet) of all GPL licensed code including the linux kernel.
Based on such a weak understanding, I suspect you need to at least some essays at FSF's web site before releasing a product. Things get tricky with binary loadable modules distributed as object code with a source code wrapper, that are added into the linux kernel.
It has been trialled enough times around the world with no critical mass of market share that like the video-telephone it will not successfull ever.
A large scale roll out will more likely than not generate unacceptable (according to existing law, of unlicensed and in this case unintended radiators) intereference with various licensed spectrum users including government, military, and amateur voice and data communications.
Handles 3d hardware acceleration fine for my ATI 9500 card, but no 3d for my 9700 pro (5 install attempts and dozens of fixes) I will not give up... Must..get...CWET...working.
Try XFree86 CVS HEAD version, or look at the latest snapshots from XFree86 or mirrors.
So how much is a SysV source code license for my home system?
So is how much detail is the hardware hacking? Or are we limited to blinking LEDs or whatever is the basis for the dad story?
Is the hareware hacking really educational like Hacking the XBox?
How does this book compare with the other hacking tivo titles?
Well the last 3 places I've lived, including in rural Canada, a cinema that offered independent films (for the adult mind) was within 15 minutes of travelling. In all cases there were less than 5 minutes difference from a mainstream cinema, and all have a better film going expereince (no crowds of noisy teenagers more interested in being cool than seeing the film).
The cost? Always less than seeing a mainstream film.
The screen, well The Cambridge Arts Picture has a nice large high quality screen with THX sound system, while I admit the Acadia Coop and Vogue Cinemas are smaller than the nearby multiplexs' large screens. This are not basement operations, they are real old fashioned theatres (at least one was a live stage theatre at one point in history).
Amelie (or Le Fabuleux destin d'Amelie Poulain), South of Wawa, Jean de Florette, Chocolat, and depending on how you class it, Fargo.
These films have emotions, but are all fairly upbeat or are overall happy. Independent films do trade emotions and acting for special effects which their much smaller budgets cannot afford. To start with try Amelie and Chocolat.
Goodness, just stop putting with with the bad plots, where the story is second to the selection of actors. Stop putting up with canned endings, and weak story lines, where you know the entire plot by watching a 30 second ad.
Go to something like the Cambridge Arts Picturehouse or the Acadia Cinema Cooperative, or one of the many in London.
You like Linux or *BSD, because the other OSes aren't good enough for you, why not demand high quality cinema?
So how can someone get a sysV license and source code these days?
Why not just merge SELinux with Linux?
SELinux is about mandatory access controls and control policy enforcement. See the SELinux FAQ for more info about SE Linux.
Sebek (now version 2) is an kernel level logger. It does not stop users from doing anything. In fact if it did, that would make it useless for its primary job, as a tool for building HoneyNets, an controlled network of systems designed to be compromised by attackers, and the methods (and related) studied by security geeks.
Which seems to be his problem. Why didn't they listen to him? The fools. The fools!. Listen to Peter (sigh) or be dooooomed. Thus the advice to take a chill pill.
Excellent. So if open source developers don't feel don't feel like fix security flaws, tell the users to "take a chill pill".
In the "real world", you tend to get what you're prepared to pay for. If you're just "using" open source projects, then you're a parasite. Good luck and all, but if the reason that the GPL insists on a disclaimer of warranty is, well, you.
Well I used quite a bit of Open Source, and frankly I don't have time to audit all the source code. I haven't measured exactly but I would not be surprised if the amount of source in a typically Linux distribution was more than 1GB, which would take any one person or company a long time to audit. So, yeah I do use a lot of open source software that I don't have the time to audit. I have to trust the developers, and that others are auditing various bits and pieces of it, on top of my own auditing.
Why am I a parasite? Because I use Open Source software Linux, Apache, Perl, Mozilla, GCC, etc. at work? Or because I expect any open source software that claims to be secure, at least makes a reasonable attempt to fix weaknesses that are pointed out to the maintainers?
So Peter Gutmann tries to do the right thing, and help the project developers fix security flaws in their projects, and they go "take a chill pill" back to him. That does not bode well for the idea that open source projects are more secure because of the "many eyes, source available" mantra which recited on Slashdot whenever a closed source product/project has a security weakness.
I'll assume that you're talking about the open source projects mentioned. Now, in theory I agree with you, but in the "real world", if you believe marketing blurb when you have the opportunity to verify or refute it yourself, then, well, good luck again.
Are you saying it is okay for open source projects to ignore security experts who take the time to point out weaknesses?
I understand that some projects need time to fix all the flaws, -- not full-time paid open source developers and all that -- but others like tinc seem to be trying very hard to pretend there is nothing wrong with their software.
Nevermind that the developers did not take the time to learn about cryptography and security engineering before developing any of these. All of the cited projects contain well-known high-level flaws. If the developers had of looked at the attacks against earlier versions of SSH and SSL, they could of saved themselves a lot of trouble.
The not-invented-here syndrome which is common in all software development, including open source development, not only makes software engineering look like a failure -- it works against the security engineering principles of using well known and tested designs in security / cryptography products / projects.
Very creative! But, since when did Alice have Mallory's public key?
No, it is a textbook attack.
Mallory could be a compromise host, a double-crossing node, a social engineering attack to get Alice to accept Mallory's public key, or any number of non-cryptographic actions.
So as Peter and I have claimed, it is possible to play a grand chessmaster attack against Alice and Bob with tinc's protocol.