Slashdot Mirror


User: buchanmilne

buchanmilne's activity in the archive.

Stories: 0
Comments: 765

Comments · 765

  1. Re:sternobread on Disempowering the Singular Sysadmin? · Score: 1

    sudo logs are almost useless for system audit. Run sudo su - and have at it. There are no logs to follow what actions you perform.

    $ sudo -l
    Password:
    User xxxx may run the following commands on this host:

    LDAP Role: ADMINS
        Commands:
    /usr/bin/eash
    /usr/local/bin/eash

    Where eash is an audited shell, where all shell output is logged to a remote server, identifying the server hostname and sudo user who invoked it via sudo. The shell is terminated if connectivity is lost. sudosh is similar, except that it has been revived (on SourceForge) as sudosh2, but it logs "locally".

    Go ahead and craft a sudoers file that eliminates all the ways to load up a shell. Have fun with that...

    That's easy once you have an audited root shell in place for infrequent exceptions. Of course, you should never allow invoking interactive tools (like an editor) via sudo, but that is what sudo -e / sudoedit is for.

    The remainder of the example sudo rules above is something like this:

    ... /usr/sbin/rurpmi
    sudoedit /etc/*
    /usr/local/bin/sudoedit /etc/*
    /usr/bin/yum upgrade *
    /usr/bin/up2date -l
    /usr/bin/up2date -u *

    which covered the majority of regular privileged access admins needed in one environment I worked in. The other 90% of commands that might be used 10% of the time are what eash is for.
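    As an added illustration (not from the comment, and not the original environment's LDAP role), the same rule set written as a file-based sudoers fragment. The command paths are the ones quoted in the comment; the alias names, the group name and the Defaults lines are assumptions:

```sudoers
# Added example: file-based equivalent of the LDAP "ADMINS" role quoted above.
# Alias names, the %admins group and the Defaults lines are assumptions;
# the command paths are the ones the comment lists.

# Audited shell for the infrequent "I need root" exceptions. The shell
# itself ships its I/O to a remote log server, so this is the only way
# an interactive root shell should ever be reached via sudo.
Cmnd_Alias AUDITED_SHELL = /usr/bin/eash, /usr/local/bin/eash

# Editing files: sudoedit copies the file, runs the editor as the
# invoking user, and copies it back. The editor never runs as root,
# which is why an editor should never be listed as a plain sudo command.
Cmnd_Alias CONFIG_EDIT = sudoedit /etc/*

# The routine package-management tasks that covered most privileged use.
Cmnd_Alias PKG_UPDATE = /usr/bin/yum upgrade *, \
                        /usr/bin/up2date -l, \
                        /usr/bin/up2date -u *

# sudo's own session recording (replayable with sudoreplay). This is
# local logging, so it complements rather than replaces the remote
# logging done by the audited shell.
Defaults log_input, log_output

# Members of the admin group get exactly these three classes of command;
# nothing here lets them start an unaudited root shell.
%admins ALL = (root) AUDITED_SHELL, CONFIG_EDIT, PKG_UPDATE
```

    Check a fragment with `visudo -c -f <file>` before installing it, and confirm with `sudo -l` that the resulting list is the one you expect.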

  2. Re:Encrypted passwords? on GNU Savannah Site Compromised · Score: 1

    [ ] Implement crypt-md5 support (like /etc/shadow, strong and LDAP-compatible) hashes, or possibly crypt-sha2

    Holy shit, they're actually seriously considering MD5. This is embarrassing.

    Why are they limiting themselves to crypt-compatible hashes? Why not just move passwords out of applications/RDBMS to LDAP (OpenLDAP already has sha-2) or Kerberos? And if they are considering crypt-md5 an improvement, what *were* they using?

  3. Re:Why does this matter? on Apple Bans Android Magazine App From App Store · Score: 1

    Microsoft restricted browser choice in the OS, claiming it couldn't be removed (and continuing to claim that even when it was demonstrated that they were lying about it).

    Does Apple support removing Safari from Mac OS X? If so, how do they expect you to change your default browser (from say Chrome to Firefox)? Apparently you need to run Safari to do that ...

    Etc. Even today it's difficult to purchase a new non-Apple computer without purchasing Windows;

    Can I buy an Apple computer without Mac OS X? Can I (while complying with EULAs) buy Mac OS X without an Apple computer?

    major manufacturers such as Dell have only offered low-end machines with limited options compared to the rest of their PC's.

    Really?? Oh, you meant laptops? While it would be nice if there was a greater selection, there are more than just "low-end machines" available.

    As bad as Apple's recent behavior has been, Microsoft has always been more evil.

    If Apple is less evil, why don't they offer Mac OS X to other laptop vendors? Why don't they offer Mac OS X separately? Why don't they offer Macbooks without Mac OS X (for less)?

    They are both as evil, but Microsoft is in the software monopoly business, and Apple is in the hardware and content distribution monopoly business.

  4. Re:SSL and intranets are a bad fit on SSL Certificates For Intranet Sites? · Score: 1

    A lot of responses that I have seen to this question are basically the following.

    "Create your own CA (certificate authority) certificate and distribute them to the client workstations." Then they accuse the original poster of having asked an overly simple and uninteresting question.

    I am going to say something nobody else seems to have said. SSL sucks big time for large workgroups inside a private intranet. It is an inappropriate solution that is being used for the lack of anything better. IE will give AD based authentication for browsers, but did not extend that to securing the communication channel itself.

    GSSAPI does support this, but MS decided it was better to come up with their *own* protocol wrapping GSSAPI (which is itself a wrapper) with another non-standard one with less functionality ...

    This issue is much nastier and more complex than anybody has allowed for. SSL does a very good job of solving the problem of creating secure communications over untrusted anonymous networks. However, they are a real pain when the only thing you want to do is create a secure communication between two machines in the same room.

    Internal networks are totally immune from spoofing, MitM, and sniffing?

    In those cases, SSL comes with a lot of overhead that is really not needed. In the case of two machines in the same room (or workgroup), the machines are already on internal corporate IP addresses, so a lot of the issues that SSL was designed to solve (validating that the IP address really points to the expected entity)

    SSL as used by 99% of certs doesn't validate IP addresses, certificate validation rules in SSL-using software *typically* check that the hostname being connected to matches the hostname for which the certificate has been issued (but, not always, consider the case of EAP, where there is no hostname resolution capability in place at the time the certificate is presented, as the IP stack isn't up yet), or in more rare cases that the IP address matches one of the subjectAltName extensions (which can include IP).

    just are not applicable. Usually the only reason why you want to encrypt the data is so that somewhat private data won't be sniffed by other users.

    E.g., by MitM.

    You are not trying to prove that you are a legitimate seller of any goods or services.

    What really astounded me were the claims that it would be easy to get users to accept company controlled installs of browsers and tools. I have worked in such an environment and it was actively resisted and foiled because the choices were so limiting. Those who say "it would work if it was done right" probably have not done cross browser development where you had to test on Linux, Mac, and variants of Windows machines. Nor have they done Java development where the Java has to communicate to the server (over https) as well (Java has its own client CA chain distribution).

    Every place I have ever worked (big or small) has had http web sites when they really should have been https because of the pain of trying to use SSL. To say that this is because of bad IT management I think gets it wrong. SSL is a bad fit for this problem space and browsers (and Java) need to support other security solutions.

    What better solutions are there?

    It would be nice to recommend Kerberos, but Kerberos has really only gotten full implementation with AD

    My OpenLDAP+Heimdal setups say otherwise. Including those where Firefox on Linux does GSSAPI authentication to web servers and proxy servers, my mail client does GSSAPI auth to the IMAP server, virt-manager does GSSAPI auth to libvirtd etc. etc. Why doesn't this work well for Windows clients? Because the Microsoft Kerberos implementation is non-standard (and tied directly into Microsoft-specific protocols).

    and is even more painful for cli

  5. Re:Private Certificate Authority on SSL Certificates For Intranet Sites? · Score: 1

    "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

    • If you don't have administrative control of all the clients, buy a CA certificate from a commercial CA.
    • If you do have administrative control of all the clients, but you don't know how to deploy self-signed CA certs, surely the users who connect to these admin interfaces should be sufficiently knowledgeable to be able to import a CA certificate (which you distribute to them by email or via URL), or you should be asking about how to automate manual configuration (and specify which platforms you are interested in).
    • Your CA certificate should include a CRL distribution point URI (HTTP or LDAP). Decent client software should update the CRL periodically by checking the CRL distribution point; you should not need to distribute the CRL yourself.
    • Clients that support OCSP should actually validate all certificates online, meaning CRLs aren't necessary (for said clients).

    So, the problem is reduced to ensuring you have CA software which

    • Automates or reduces the effort of CRL creation and publishing
    • Supports OCSP

    However, before you do that, you may want to test "custom" certificates on the appliances in question. A number of appliances I have used that ship with SSL certificates do not actually support custom SSL certificates that well, including:

    • Sun ILOMs, which offer the option to upload a certificate, but this feature hasn't ever worked for me (on Sun X4100, X4200, X4500, X4600, X4150, X4450)
    • HP iLOs, which generate new self-signed HP-identified certificates after power failures or iLO reset, with the same subjectDN and serial (so your browser will complain even more about it ...)

    Depending on how many, and what kind of, devices you have, you may also care about enrolment (and automatic renewal), so SCEP may be a useful feature (e.g. if you have Cisco devices such as VPN concentrators, or Cisco VPN client software). For platforms which don't have native certificate enrolment functionality, you may want to consider other certificate enrolment tools (e.g. autosscep). Of course, you may also need to at least think about CA certificate rollover (what you need to do when your original self-signed CA certificate has less lifetime than the cert you want to issue ...)

    I have used OpenCA (which supports OCSP, SCEP, CRL publishing etc.), but it is a bit fiddly; the OpenXPKI project (a fork/rewrite of OpenCA) may be usable now. Another alternative is dogtag (the open-source version of Red Hat's Certificate Server that they got when they bought parts of Netscape).

    Of course, if you have already spent a lot of money on MS-client-management solutions (AD+CALs), MS Certificate Server is a no-additional-software-licensing-cost option.
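    Two points from comments 4 and 5 above are easy to get wrong in practice: what certificate validation actually compares (the hostname you connected to, or an IP in subjectAltName, rather than any IP-to-entity mapping), and whether a certificate advertises a CRL distribution point or an OCSP responder so that clients can check revocation without you hand-distributing CRLs. The following Python script is an added example, not code from the comments or from any of the CA products they mention; it uses the `cryptography` library to build a throwaway certificate in memory (all names, IPs and URLs in it are constructed) and then inspects exactly those extensions:

```python
# Added example (not from the original Slashdot comments). Builds a
# constructed, self-signed certificate in memory and inspects the extensions
# the comments refer to: subjectAltName (hostname / IP identity), the CRL
# distribution point, and the OCSP responder in authorityInfoAccess.
# All names, IPs and URLs below are made up for the example.
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID


def make_test_cert(with_crl_dp=True, with_ocsp=True):
    """Constructed self-signed cert: SAN always, CRL DP / OCSP AIA optional."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ilom.example.internal")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        # Hostname and IP identities belong in subjectAltName, not the CN.
        .add_extension(
            x509.SubjectAlternativeName([
                x509.DNSName("ilom.example.internal"),
                x509.IPAddress(ipaddress.ip_address("10.0.0.5")),
            ]),
            critical=False,
        )
    )
    if with_crl_dp:
        builder = builder.add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier("http://pki.example.internal/ca.crl")],
                    relative_name=None, reasons=None, crl_issuer=None,
                )
            ]),
            critical=False,
        )
    if with_ocsp:
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([
                x509.AccessDescription(
                    AuthorityInformationAccessOID.OCSP,
                    x509.UniformResourceIdentifier("http://ocsp.example.internal"),
                )
            ]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def identity_matches(cert, target):
    """True if `target` (a hostname or an IP literal) matches a SAN entry.

    This mirrors what SSL-using software typically checks: the name you
    connected to, or an IP listed in subjectAltName. The CN is ignored.
    """
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return False
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return ip in san.get_values_for_type(x509.IPAddress)
    dns_names = [d.lower() for d in san.get_values_for_type(x509.DNSName)]
    return target.lower() in dns_names


def revocation_endpoints(cert):
    """Return (crl_urls, ocsp_urls) advertised by the certificate itself."""
    crl_urls, ocsp_urls = [], []
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        for dp in cdp:
            for gn in dp.full_name or []:
                if isinstance(gn, x509.UniformResourceIdentifier):
                    crl_urls.append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        for ad in aia:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                ocsp_urls.append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return crl_urls, ocsp_urls


def can_clients_check_revocation(cert):
    """A client without an out-of-band CRL copy needs at least one of these."""
    crl_urls, ocsp_urls = revocation_endpoints(cert)
    return bool(crl_urls or ocsp_urls)


if __name__ == "__main__":
    cert = make_test_cert()
    print("hostname match:", identity_matches(cert, "ilom.example.internal"))
    print("ip match:", identity_matches(cert, "10.0.0.5"))
    print("revocation endpoints:", revocation_endpoints(cert))
    print("bare cert checkable:", can_clients_check_revocation(make_test_cert(False, False)))
```

    To run the same checks against a real certificate, replace `make_test_cert()` with `x509.load_pem_x509_certificate(open(path, "rb").read())`; a certificate for which `can_clients_check_revocation` returns False is one where you would indeed be back to distributing CRLs by hand, which is the situation the second comment is trying to avoid.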

  6. Re:Huh? on Why Unlocked Phones Don't Work In the US · Score: 1

    No, but CDMA supports R-UIMs, which are compatible with SIMs (IOW, if you got a R-UIM from a CDMA operator, you should be able to use it in a GSM-based phone as a SIM).

    But Sprint and Verizon don't want you to know that, just in case someone decides they should be required to:
    1) Provide R-UIM-capable phones
    2) Provide R-UIM cards

    This lack of adoption of R-UIM by the US is harming global CDMA market share. In the end, I think CDMA is dead, because Sprint and Verizon seem more intent on competing with each other for the meagre (internationally) CDMA market, instead of throwing their weight in making CDMA as interoperable as GSM (in terms of SIM/handset swap, roaming, standardised international dialing etc. etc.).

    Why is Android popular in the US? There isn't much competition in CDMA except maybe Blackberry (no iPhone, no Nokia). Why isn't Android as popular outside the US? Very few CDMA-based Android phones support R-UIM, which is a regulatory requirement in some regions.

  7. Re:Takes some patience and creativity on Why Unlocked Phones Don't Work In the US · Score: 1

    IMEIs are evil.

    No. In some countries, IMEIs are only allowed to be used to prevent service if the IMEI has been reported as stolen. In these countries, if it weren't for that fact, murder-for-cellphone would be even more rampant than it is already.

    Operators that block unknown IMEIs are evil.

    Countries that have operator-favouring laws are evil.

  8. Re:Yeah right. on Why Unlocked Phones Don't Work In the US · Score: 4, Interesting

    It would be interesting if the cell phone manufacturers offered a swappable, standardized radio module that would pop in and out like the battery.

    It would be much more interesting, much less expensive, and pose no unresolved technical challenges, if the shared-majority wireless operators in the US (Sprint, Verizon) would just use an existing swappable, standardised user identity module, like R-UIM cards. However, they are too concerned with fighting each other to realise that their technology has already lost, due to not being viable in other countries (where R-UIM is a requirement, but all decent phones are made for Sprint and Verizon, almost exclusively without R-UIM support). Not separating the number from the phone makes it too much of a hassle for users to switch phones, sell used phones, travel without roaming etc. (and of course, switching networks, which is what they are actually after, but damaging the whole CDMA market in the process), which are all trivially possible with GSM.

    Maybe they could allow roaming to more than just a handful of international CDMA operators. For example, there are multiple CDMA operators in many African countries, (including some that have tens of thousands of US citizens working in them), but not one is supported for roaming by Verizon or Sprint. Verizon seems to have more limited roaming than the cheapest crappiest GSM operators, and Sprint mostly provides roaming via GSM operators (so, if you travel, you already need a dual-tech phone, or two phones, why not just use GSM all the time?).

    Huawei (who makes a lot of CDMA-based gear, both telco-side and handsets, mostly for China Telecom I guess) has a nice article covering the issues with CDMA roaming. Most of them are due to "American mindset" that is inherent in CDMA and CDMA deployments. Of course, Huawei is punting their solutions to these problems, but waiting for all CDMA operators to refresh their kit will make you old.

    Also, maybe if CDMA operators had consistent international dialing/number representation formats (like the +XX convention used by all GSM operators), users would figure out how to actually make international calls via CDMA. But, who needs numbers that don't start with a "1" anyway ...

    That way you could buy an expensive smartphone, and leverage that investment by just picking up a new radio module to move to a new network.

    At the moment, 52% of US subscribers can't even move between operators that use the *same* baseband modules (vs less than 15% worldwide). Maybe you should try and solve that problem first.

  9. Re:directory Server ? on Red Hat Releases RHEL 6 · Score: 4, Informative

    Does this include the directory server that mac's and windows machines can work with ?

    Windows machines have poor support for "directory servers" compared to most other OSs. If you mean an Active Directory replacement, no, because Windows machines expect that Active Directory has LDAP, Kerberos, CIFS, DNS and a few other services *all* running on the "directory server" (where other OSs allow these to be separated and/or scaled differently). If you need AD support with GPOs etc., you can consider trying samba4, but it's still in alpha (although some sites are running it in production). If you just need to authenticate Windows desktops, and don't need GPO-only features (but user/group policies are sufficient, if crufty), samba-3.5 as provided in RHEL6 may be sufficient.

    The OpenLDAP included with RHEL6 is good enough for all other operating systems with support for "directory servers", including Linux, Mac OS X, BSD, Solaris, AIX etc.

    Of course, RH would prefer to sell you RHDS subscriptions ...

  10. Re:You can pretty much forget free software on Google Sues US Gov't For Only Considering Microsoft · Score: 1

    Free software is not FIPS certified, and is not going to get certified as free software because no one will pay for certification.

    Actually, Free Software has been in the past, and could be again, if a few more vendors who would make money from FIPS-certified Free software would sign on as additional co-sponsor (one or two vendors more may be enough).

    It may drive everyone up the wall to use Serina, instead of subversion, for content management - but one is certified & the other is not.

    But, subversion doesn't implement encryption directly itself, if it were using OpenSSL with the FIPS module above, AFAIK, it could be shown to be FIPS compliant.

    Ditto Putty. I'd love to use it,

    Putty is crap, its only real benefit is providing a terminal emulator because Microsoft can't be bothered to supply one with their OS which is convenient to use (why else would putty ship with telnet support ...). If there was a decent terminal emulator, just Mingw binaries for OpenSSH would probably be much more popular ... and those would have a chance at FIPS compliance (there are some patches around for OpenSSH FIPS compliance).

  11. Re:Symbian on Nokia Paying $10M For Symbian Software Devs · Score: 1

    Android, without the "silly jvm", wouldn't that be Linux? Like Meego?

  12. Re:Here's an idea. on Nokia Paying $10M For Symbian Software Devs · Score: 1

    If you need better software, then why not actually hire great developers to work for you?

    They hired a whole company, Qt, to write their own software.

    This is about gaining more 3rd-party developers, or are you saying Apple has hired the developers of all the apps available for the iPhone?

  13. Re:Symbian is a dead end on Nokia Paying $10M For Symbian Software Devs · Score: 1

    Nokia has Meego, which would be the logical step forward and an immensely better development platform than Symbian,

    Meego isn't a development platform, Qt is, and it happens to ship on Symbian^3, Maemo, and Meego.

    but the project is basically being kept in the dark with minimal funding,

    I doubt that, but I think Nokia needs a bit more time to polish Meego, and needs to provide a path from Series60 to Meego (for existing developers, and to show commitment to developers).

    while the main company pushes for buggy Symbian phones

    Have you used any Symbian^3 phones?

    with limited or no after-sales support.

    This seems to be a US-specific phenomenon.

    The Ovi store is a goddamn mess,

    So, what app store should Nokia use for Meego? Does it not make sense to improve the Ovi store with existing phone lines, especially on top of Qt, to have it ready for Meego?

    the phones are buggy and eclipsed hardware-wise by the offerings of HTC, Samsung and Apple.

    Which phones are you referring to?

  14. Re: Ask the Kernel Overlords on Root Privileges Through Linux Kernel Bug · Score: 0, Flamebait

    So, only 6 years late then? SuSE just went way up in my book.

    SuSE just went way down in my book, to join the "we-don't-upstream" vendors such as Canonical.

    Really, there may have been an excuse for not upstreaming this during the linus-doesn't-scale period, but other distros have explicit "patch-review-in-order-to-upstream" initiatives, this one should have been caught by SuSE some time in the last 6 years, and reviewed by their kernel maintainers, and re-submitted.

  15. Some phones already have FM receivers on NAB, RIAA May Seek Mandate For FM Radios In Mobile Devices · Score: 2, Insightful

    Surely the goal of customer-focused 'more music choices' is already achieved, due to the availability of some models of phones which have FM receivers? The biggest variety of music choice is already provided by phones which have FM receivers and FM transmitters (allowing users to also choose whether they want to listen to their digital music on their devices on car radio or similar), but I guess these groups wouldn't want to mandate FM transmitters ...

    Mandating that all phones have FM receivers sounds to be less customer-focused, customers already have choices at present.

  16. Re:That's all nice on KDE 4.5 Released · Score: 1

    including their own version of the Registry: akonadi.

    Akonadi tries to solve real problems that users of KDE 4.4 (like me) currently experience. kmail taking up the most memory on my laptop most of the time is one of them.

  17. Re:KDE is great on KDE 4.5 Released · Score: 1

    I really like KDE and I believe that it needs to be supported better by distributions. Kubuntu is a mess.

    Then support distros that support KDE better.

  18. Re:MPG and GPM are both useful on 2 In 3 Misunderstand Gas Mileage; Here's Why · Score: 1

    As opposed to, say, Africa (in some parts of South Africa, it is common to have > 200 km between fuel stations), or the Middle East, or Asia?

    All of which use a fuel-per-work measurement (and standardised units ...).

    Then again, if you can't work out if a vehicle will make it 100 miles before buying it, or figure out how to use the range estimator, maybe expecting standard units is too much ...

  19. Re:The question is still absurd... on 2 In 3 Misunderstand Gas Mileage; Here's Why · Score: 1

    it's the inverse that you have to look at

    Which is why the rest of the world uses a fuel-per-work measurement (usually l/100km, or g/kWh).

  20. Re:Hardly a mexican standoff on Apple vs. Nokia vs. Google vs. HTC · Score: 1

    However, if Nokia wins, Apple has to reinvent mobile technology, then get all the networks to support their new implementation.

    Which will never happen, because two mobile telephony standards (CDMA and GSM, loosely speaking) are more than enough. Even if it did, Apple would need to ensure Telco providers ship equipment, create chipsets for their (and other OEM) use, ensure it is possible to license spectrum, convince Telcos to roll out the massive infrastructure required etc. etc. etc. Of course, the question is, if Apple had not concluded licensing negotiations, why did they infringe on GSM licensing, when there were other alternatives (CDMA+EV-DO, instead of GSM+HSDPA) available to them?

  21. Re:Low video ram 256m in a $1800 laptop? and a $40 on New MacBook Pros Launched · Score: 1

    E-Sata and FW 3200 would be welcome. But USB on a machine touted as 'pro'? Are bubblejet printers, light-up mice, pendrives and those silly USB keyboard vacs pro level equipment now? And no, I'm not being harsh. I've never seen any USB device being used for serious A/V work. Hell, even the writers I know use network storage or firewire drives.

    Or, RAID enclosures with eSATA interfaces. Now, considering USB 3.0 is faster than eSATA and FW3200, why would one not use a USB 3.0-connected RAID enclosure? If you're using a new Macbook Pro, you wouldn't have the option of eSATA or USB 3.0, so you would have to go for the more expensive and slower Firewire option, or even more expensive NAS.

  22. Re:Low video ram 256m in a $1800 laptop? and a $40 on New MacBook Pros Launched · Score: 1

    3. eSATA isn't "sleek" enough for Apple; it needs a second power cable, has a relatively flimsy plug, has hot-plugging/compatibility issues, etc, etc. They'd much rather people use Firewire.

    While eSATA doesn't provide power, various storage devices (e.g. 4-disk RAID enclosures) provide eSATA interfaces, but have their own power. I guess you're limiting yourself to single 2.5" hard drives, but this isn't the only application, especially for the "pro" market.

    5. Intel is dragging their feet on USB 3.0, which means most computers and peripherals won't see it for at least another year.

    HP is shipping USB 3.0 on some models of their competing laptops, and have been for a few months. USB 3.0-capable peripherals have already started shipping.

    6. Most people don't use ExpressCards; they'd rather have a slightly larger battery or other features taking up the space.

    So, why did Apple ship ExpressCard slots before? My colleague with a MacBook Pro uses an ExpressCard ... to give him eSATA.

    Go spec a Macbook Pro baseline model, and an HP Envy 15 (HP's over-expensive, premium line), and just spec both sides up to the cheapest equivalents. Envy 15 ends up $500 cheaper (in either case of MBP with 1440x900 vs HP with 1366x768, or MBP with 1680x1050 vs HP with 1920x1080). Envy quotes 2 hours on standard battery and 6 hours on the extended battery (but, it is unclear how the benchmarks relate, I haven't seen MacBook Pro make anything near the claimed 9 hours). Dimensions are similar.

    However, it seems HP has dropped backlit keyboards for some reason, but they were options on the previous generation Pavilions, including my HP HDX 16, and it wasn't a large cost item ... pity they dropped it.

    Anyway, it seems the Apple logo ends up costing about $500.

  23. Older versions have unpatched vulnerabilities? on Germany Warns Against Using Firefox · Score: 1

    The article says:

    It is only the current version that is affected, but given that prior releases have different vulnerabilities, reverting to an older version of the browser is ill-advised.

    However, the older releases page states that 3.5 will receive security updates until August 2010.

    So, since 3.5 was not affected by this specific vulnerability, what vulnerabilities are unpatched in the current 3.5 release (3.5.8)?

    If the Beeb or the German government knows something Firefox doesn't know, maybe they should tell us so that people still using/shipping (in the case of most linux distros) 3.5 can upgrade to 3.6? Or, if they *don't* know better, maybe they should stick to fact and not conjecture ...

  24. Re:Ubuntu on Which Linux For Non-Techie Windows Users? · Score: 1

    Mint is your hands-down best out-of-the-box choice. The reason is simple -- it comes with a Flash player already installed.

    So, by this definition, any other distribution that ships flash player would also be "hands-down best out-of-the-box"?

    However, I wonder, does Mint have a license for redistribution of Flash Player? According to the Adobe Flash Player EULA, you may not re-distribute without a license. Nowhere on the Mint site can I find any details about whether Mint has such a license.

    As far as I know, Mandriva does have a license, which is why they include Flash on One and Powerpack distributions (but not "Free", which is composed only of free software, and not in the non-free online repo ... apparently this is not allowed by the license terms they got from Adobe), so I guess that would make Mandriva "hands-down best out-of-the-box", but then again, I already knew that ...

    (BTW, apparently Adobe isn't allowing redistribution of the Flash 10 alpha - which is desirable for x86_64 systems)

    Now, according to the Mint site, Mint doesn't include proprietary drivers, and I wonder how it can then be the best out-of-the-box distro.

  25. Re:Linux not user friendly on 64-Bit Flash Player For Linux Finally In Alpha · Score: 1

    Last time I checked, the Ubuntu repo installs the 32-bit player

    AFAIK, Adobe doesn't allow re-distribution of alpha releases.