Slashdot Mirror


User: Zeinfeld

Zeinfeld's activity in the archive.


Comments · 3,931

  1. Re:It's the coercion stupid on "Software Choice" Campaigns Against Open Source · · Score: 2
    Actually it sounded good until, Visual Studio .NET, Visual Studio and its components are the WORST of the Worst editors and IDEs I have ever tried.

    I don't know what else you have tried but emacs ain't on the same planet as far as I am concerned.

    Of course with a lot of work you could get a decent editor, some version handling

    Looks like you have never used Visual Studio or you would know that it will work with most of the commercial version control systems. The editor does not do mark point editing like Emacs, but that's about all it does not do out of the box.

    If you come to Visual Studio with 10 years of emacs you are likely to prefer to still use emacs. I have a lot more experience with more than just emacs so changing to Visual Studio is not a big deal while the advantages are.

  2. It's the coercion stupid on "Software Choice" Campaigns Against Open Source · · Score: 2, Troll
    The problem with the pseudo-Free software movement is that they talk the libertarian talk and then reach for all types of coercion. I don't like the viral license in GPL, that is why I argued against the Web code being put under GPL. Putting the Web in the public domain rather than merely GPL had a big impact on its success.

    Equally laws to coerce states into using one type of software are ridiculous and ideological. Ideology is almost always going to be wrong regardless of what it is. The cost of software is not a significant cost when hiring employees. If I chose to work for a government agency I want to be allowed to use high quality professional software not pieces of utter amateur crap that are 'almost as good, yes really'. Clearly they are not, several of the Sun people I know ended up buying Microsoft Office themselves because they refuse to use the Sun substitute. There is nothing in the open source world that touches Visio, Adobe Premiere or Visual Studio .NET.

    The cost of outfitting an entire department with Microsoft everything is trivial compared to the cost of consultants. The big five charge in the region of $2,000 per consultant per day.

    notice that they also asked that research not be put under GPL-like licenses, under the assumption that government-funded research should be resold afterwards ...

    Like the title you are misstating the issue here. I think that there is a lot of consensus that code developed with public funds should be Free. But GPL does not mean free, it means heavily encumbered by a bushel-load of RMS's ideology.

    If code is being developed with public funds the default license should be BSD style, free as in beer. RMS did have a point about Symbolics, huge amounts of DARPA cash went to develop the Lisp machine and Genera and was then diverted to a private company for private profit. The attempts by many universities to control the rights to code are simply grasping.

    The problem with GPL is that if you take it seriously and actually read it the GPL license stops code even being used for reference purposes since a programmer who reads GPL code is just as tainted as someone who disassembled proprietary code.

  3. Re:How can they have no resale value? on Diamonds - Are They Really Worth the Cost? · · Score: 2
    Actually, diamonds AREN'T forever; they can shatter, and they can burn. Don't go looking for the missus' engagement ring in the ashes of your fire-ravaged house, you won't find it.

    I keep it in the media safe which is rated for several hours.

    Of course I could have bought a cubic zircon for almost the same effect, only I don't think they sell them at Tiffany's.

  4. Re:Flamebait on Declan McCullagh On Geek Activism · · Score: 2
    It's a false dichotomy to say that we should either code or lobby. We can do both and many other things we may need to do besides.

    No, some people can do both, but to be honest most people can do one or the other and will self select. There are plenty of people who can't code their way out of a paper bag who can be pretty effective politicians and there are plenty of geeks whose political interfaces are well negligible.

    Declan's piece is really about him having personally failed to get anywhere as a political operator, he wants to reinvent himself as a Larry Lessig or Eric Raymond, someone who speaks for the geek community.

    Thing is that if we are not careful he will get away with it. I am none too happy about Lessig's blatant self promotion, Declan is a complete weasel.

  5. ONTOPIC Al Gore vs the Internet on Declan McCullagh On Geek Activism · · Score: 1, Offtopic
    Declan was singlehandedly responsible for starting that smear. The accusation was made in a Declan piece in Wired online.

    Declan didn't bother to contact the Gore campaign to find out that Gore had actually promoted the funding bills and the rest of the media never bothered to check Declan's report against the actual interview.

    The thing is in Declan's crackpot universe government is only evil and stupid. Nothing the government does can possibly have good effects so therefore Gore could not have had the slightest positive impact on the Internet.

  6. Declan, Gore and the GOP on Declan McCullagh On Geek Activism · · Score: 3, Insightful
    I suspect the truth is that Declan is just peeved that the GOP never gave him credit for starting the whole 'Gore invented Internet smear'.

    What he did was he published a piece in Wired on Gore's CNN interview, then he got a comment on that piece from his girlfriend at the Cato Institute. Then he reported on the comment from the Cato Institute and the article was circulated by Newt Gingrich's office. Of course the smear would have died instantly if the media ever bothered to check sources.

    Declan also has a pretty sordid history.

    After the election Declan was real pissed that the Bushies didn't even invite him to the inauguration and published nasty stories about their Web site. So now he is persona-non-grata in both the Republican and Democrat camps.

  7. Re:He also kept Norway out of EU on Kristen Nygaard, co-creator of Simula 67, dies · · Score: 2

    That is all he talked about when he visited my group at MIT.

  8. Re:Affects implementation, not the standard on Schneier et al Report PGP Vulnerability · · Score: 2
    "In fact", if you read the paper and know the OpenPGP standard, this problem was known about and fixed over a year ago. That's how open review is supposed to work - it doesn't mean there are no flaws. It means that when there are flaws (and there will be), they are fixed.

    The draft was modified today specifically in response to the paper, not over a year ago.

    Bruce has in the past done what you are accusing him of doing here - making a fuss about a well understood problem that is not actually an issue in a protocol implementation. In particular his IPSEC and PKI papers fell into that category.

    However I have just read the PGP spec and Bruce is completely right on this occasion. The latest draft contains a mechanism that MAY be used to control the attack, however the paper demonstrates that the MAY needs changing to a MUST.

    Reading through the latest draft posted today I think they still have a problem:

    In late summer 2002, Jallad, Katz, and Schneier published an interesting attack on the OpenPGP protocol and some of its implementations [JKS02]. ...
    Because of this happenstance -- that modification attacks can be thwarted by decompression errors, an implementation SHOULD treat a decompression error as a security problem, not merely a data problem.

    Simply adding a note to the considerations section is not enough, they need to rewrite the draft.

  9. Re:OpenPGP standard on Schneier et al Report PGP Vulnerability · · Score: 2
    In reality, by default, no OpenPGP software is really affected by this. Both PGP and GnuPG compress the messages which halts the attack.

    Actually that is not accurate. PGP and GPG will both use compression if the payload is compressible but send the content plaintext otherwise.

    Both programs are vulnerable if you send a gzip file.

    Stop spreading Complacency and False Certainty, it is just as bad as FUD.

  10. Re:Affects implementation, not the standard on Schneier et al Report PGP Vulnerability · · Score: 2
    Yeah, this exploit falls under the 'social engineering' side more than anything.

    Not really, it is a significant protocol flaw. The exploit of the flaw is slightly cumbersome but there are plenty of circumstances where it can be applied, in particular any application where an encrypted PGP message is sent to an automated daemon.

    The flaws in the Enigma cipher were equally obscure. Protocol design should be secure against social engineering. Had the German operators used the devices correctly the attacks would have been much harder.

  11. Re:Affects implementation, not the standard on Schneier et al Report PGP Vulnerability · · Score: 2
    Only the PGP *program* seems to be affected, not the actual OpenPGP standard. Thank god.

    That is completely wrong. According to the paper it is the specification that is broken NOT the implementation.

    In fact the implementations turn out to be more secure than the spec for purely fortuitous reasons.

    The attack is possible because of confused management of compressed and uncompressed message types. It is a flaw in the PGP envelope scheme.

    It does not appear to me at the moment that the attack can be extended to S/MIME, certainly S/MIME does not use completely different formats for compressed and uncompressed data so the immediate cause is not there. I suspect that Bruce will have looked at S/MIME before publishing the paper.

    I think that people need to reexamine a couple of things.

    First the parrot-like claim that people should avoid using S/MIME and that PGP is the one true security specification.

    Second the claim that open review is a panacea for security issues. The spec and PGP code were both open and there is a significant flaw.

    Third the gullibility of Slashdot readers who all appear to have taken the first post in the thread as accurate rather than read the actual paper.

  12. Re:Final Exception() on Edsger Wybe Dijkstra: 1930-2002 · · Score: 2
    The Google list is apparently by the number of times someone is referenced rather than attempting to be some sort of guide to eminence. The equivalent list for journalists would probably have Ann Coulter and Rush Limbaugh at the top.

    Other people missing from the list include Whit Diffie and Ron Rivest. I am surprised to see Eric Raymond but not Linus Torvalds or any of the Apache people.

    Given some of the names that are on the list I don't see any reason to complain about TBL. If Tim was lucky then so was Dennis Ritchie, C was after all merely an incremental development of CPL, BCPL and B. It is very strange to have Ritchie on the list and not Hoare whose work on Algol came long before.

    More interesting however than a pioneer's list is a contemporary list. I would much rather be on a list of people currently at the forefront of research than a has-beens list.

  13. Re:Some quotes of Edsger Dijkstra on Edsger Wybe Dijkstra: 1930-2002 · · Score: 2
    Simula - not many have used it but it was first.

    EWD certainly knew that, however Simula is a very different object oriented language to the pale imitations that came later.

    Simula had a true message passing architecture, C++ does not.

    Java and C# have cleaned up the syntax of OOP and have made something of an improvement in this regard but they are both fairly cumbersome when it comes to writing concurrent programs, both lack any meaningful support for parallel constructs.

    Basically EWD was complaining about the same thing that I once complained about to Nygaard, Object oriented has ceased to have meaning as a term since it is applied to anything, Nygaard agreed.

  14. Re:More Python Please! on Web Services Making Software Coexist? · · Score: 2
    No need to dis Smalltalk, I wasn't (meaning) to dis Python. It's too bad there is no Python IDE akin to what you get even with a free Smalltalk system, like Squeak.

    I believe that there is a Python .NET in the works. The Visual Studio .NET IDE basically has every good feature from pretty much every good IDE. It is the first I have found with a superset of the Genera functionality - and packaged a heck of a lot better than Symbolics ever did.

  15. Re:Ironically enough on The Bulova Accutron · · Score: 2
    The Harrison H3 Watch was the most accurate timepiece of its day, but there are several hundred thousand mechanical chronometers made each year that are more accurate.

    When quartz watches first appeared they were more accurate than most mechanical watches. This forced the Swiss watchmakers to improve their product and they introduced the 'chronometer' certification.

    For a hefty price you can now buy a mechanical watch that is significantly more accurate than most quartz watches.

  16. Re:Let me save you some effort on Narrative and Weblogs: the Blognovel · · Score: 2

    The blog stuff does get news out that the mainstream media does not print. So a reference in a blog on MSNBC to an article in a small paper that reveals that Harken oil was using an offshore tax haven in the Caymans to cheat the IRS while Bush was a director gets picked up by the Bush Impeachment Countdown, and I am now posting it here - all in less time than it takes Chris Matthews to give a fawning interview to Ann Coulter.

  17. Re:Let me save you some effort on Narrative and Weblogs: the Blognovel · · Score: 2
    How about the blog as a political medium to influence opinion. Matt Drudge was able to parlay his blog into a Fox news talk show (until folk discovered he is really a clueless dweeb).

    For a completely unbiased, bipartisan view of US politics I always go to the Bush Impeachment Countdown.

    However I do protest at the poster's transparent attempt to increase their position in the rankings page by using the Slashdot effect.

  18. Re:Who cares about 64 kbps tests? on Audio Format Listening Tests Concluded · · Score: 3, Funny
    Everyone is saying 'you would need golden ears to tell the difference' yadda yadda. In my view the whole test is bogus because we don't have figures for the original CD track.

    I would not be at all surprised to see people favor the compressed over the original. The fact is that a lot of so called audiophiles are really pretty ignorant gadget freaks. At university I knew a friend who made money by helping to repackage the components of a bog standard Philips CD player in a pretty box to sell to audiophiles for ten times the price.

    I had a so called audiophile witter on for ages about how this was actually quite rational and how using a more stable motor with reduced wow and flutter dramatically improved the sound. He still does not believe that the quartz crystal controls the sound output rate.

  19. Re:Scientists out of touch with the economy. on Spafford On Infrastructure Risks · · Score: 3, Insightful
    Spaff is pretty well known in the Internet, but I am afraid I can't think of a major contribution to computer security from him since Tripwire.

    Incidentally, it is somewhat disappointing that he puts out the comparisons of Windows vs Unix viruses as 'proof' that UNIX is more secure without addressing the specific features of UNIX that would make it so. It is one thing for a slashdotter to assert 'unix is more secure than windows', a university professor specialising in computer security should be able to do more than recite opinions, he should be able to explain why and how one system is more secure than another. The systemic lack of security argument does not work by the way since UNIX is the only mainstream operating system that did not originally have a security model. All the security features in modern UNIX are retrofitted - in some cases (shadow passwords) in the face of opposition from UNIX purists.

    The principal reason why Macs, Ataris and MSDOS machines all had chronic virus problems is that they have no account based security controls. A rogue program can corrupt any system file it likes. A secondary reason is that in their original incarnation every one of the machines has supported the clueless operating mode of try to boot from removable media. The only difference since then is that the Internet has proven a far more effective vector for malicious programs than floppy disks and the clueless enabling vector has been run from email.

    He conveniently ignores the fact that there are Virus building toolkits written for Windows and the vast majority of the 'dozens of new viruses a week' are no more than minor variations on the same basic cores. Nor does he tie this back to his initial theme of an O/S monoculture which is somewhat odd because the main reason why there are epidemics of Windows viruses is simply the fact that the population of Windows machines is large enough to support epidemics. For a virus to become an epidemic all that is required is for each infected host to pass on the infection to an average of more than one new host. There are two reasons an infected Linux box is less likely to do this, first 90% of the hosts an infected linux box attempts to infect are likely to be Windows boxes immune from a linux virus. Second the remaining 10% of linux boxes are likely to be considerably more heterogeneous than the average windows machine. There are likely to be a large number of different builds and even different processors, all in all a much harder target to infect.

    The heterogeneous platform argument is unfortunately one of those arguments that works fine on the individual level and fails entirely at the public policy level. The problem being that it may be logical for me to use an obscure operating system to reduce the risk of virus (or other attack) but if everyone chooses the same O/S the obscurity advantage is lost. Incidentally Linux is far too mainstream for the obscurity argument to apply, if you want to be obscure you would have to use something like the Genera (Lisp machine) system we got the Clinton administration to use to do their press release publications onto the Internet from. (The machine was not chosen for security through obscurity, however we did remark afterwards that if the machine was ever compromised we could probably write the list of suspects with the expertise to crack it for the Secret Service.)

  20. Re:Well written, but I have some quibbles on Spafford On Infrastructure Risks · · Score: 2
    You may want to read "Secrets and Lies", in which Bruce Schneier argues that computer security is like meatspace security -- uneconomical or impossible to do at 100%, but possible to do well enough to buy insurance.

    That particular idea did not start with Bruce. It has been taught in computer security 101 for twenty plus years.

    If as he claims in the intro Bruce only just realised that security is risk control not risk elimination then he owes me a credit, I had a long discussion with him on that point at RSA the year before the book came out.

    The real explanation is that Bruce's interests have changed over the past ten or so years. When he wrote Applied Cryptography he was pretty much a specialist coder of crypto software, then after AP#1 he got deeper and deeper into cryptography and started proposing his own designs, mainly in the symmetric algorithm space. The point is that in that part of the security world you really can provide pretty much absolute guarantees for certain security risks.

    Since then he has pretty much moved from being a pure crypto specialist to being a computer security guru. Even so he does have something of a reputation of firing off attacks on the insecurity of systems without understanding the risks they are trying to mitigate.

    A key case in point there being his attack on the security of IPSEC. Now whatever you think about Bruce, Steve Bellovin and Jeff Schiller are by any analysis his equal technically. Whatever reputation Bruce has with the general public, Steve and Jeff have a rather higher one within the IETF.

    So yes statement to Microsoft is very much in character for Bruce, yes Bruce has an awfully high reputation, but no don't consider his word as gospel.

  21. Re:As an H1B Visa holder... on 235,000 Software Engineers Can't Be Wrong, Right? · · Score: 4, Informative
    Two years ago there were people complaining about the number of H1Bs entering the country, but they were voices in the wilderness.

    They were Cobol programmers who were wazzed off because no Internet startups wanted to hire them.

    We hired H1B people because US engineers were mostly more interested in jumping on the bandwagon of the latest no-revenues-let-alone-earnings dotcom startup than working for higher wages at a profitable company. Now that times are harder they think they have the right to the jobs of the people who would work for us???

  22. As an H1B Visa holder... on 235,000 Software Engineers Can't Be Wrong, Right? · · Score: 5, Insightful
    I am tempted to tell the IEEE to go stuff themselves next time they ask me to chair a conference or workshop for them.

    This type of activity is pretty clueless. Two years ago the US was screaming out for every engineer it could lay its hands on.

    Pandering to populist pressure might sound good tactics to politicians but it is a pretty short term gain. The intended beneficiaries are not going to thank you for it and the naturalized citizens are going to hate you for it.

    Making it harder to hire non-US workers will simply force US companies to be even more aggressive in outsourcing programming overseas. The IEEE group was also complaining about that but guess what? There is absolutely nothing Congress can do to stop it, unless they want to start a huge trade war.

  23. Re:How many decent jobs are there on 235,000 Software Engineers Can't Be Wrong, Right? · · Score: 2
    I've perused the listings at monster and dice and most seem to be head hunters looking for somebody that is proficient in everything from ADA to VB or somebody with 3+ years of professional .NET experience or 10 years of Java.

    I know quite a few people with ten years of Java and several more with three years of dotNet, only thing is that I doubt that people who were on the core development team of either have a problem finding a job in any market.

  24. Re:Gates give company a "C" on Gates Tries to Explain .Net · · Score: 2
    It is kind of surprising that we haven't heard about any new SEC investigations into MS's accounting practices. The only thing I can think of is that the SEC just called over to Justice and got all the details...

    OK Einstein, perhaps you can explain how the SEC is going to improve consumer confidence in the stock market by taking a company to task for under-reporting its profits in this climate?

    With the President and Vice President facing enquiries into corrupt accounting schemes that made them rich the last thing they are about to do is to make an enemy of a guy who controls a news station (MSNBC) and who can buy a network out of petty cash if it chooses (NBC is hardly a core asset in NBC's current strategy).

    The 'vast right wing conspiracy' that Hillary talked about was in reality a handful of right wing loons bankrolled by a single far right tycoon. Gates has the money and the connections to ensure that all we hear from morning to night in the mainstream media is Harken, the Rangers stadium deal and the accounting at Halliburton.

    In other words the SEC is no more likely to investigate Microsoft than it is likely to re-open the enquiry into Bush's insider trading and corrupt accounting at Harken.

    Another reason is that the player with the most credibility in this market at the moment is Warren Buffett who is a very good friend of Gates. If Buffett passes Microsoft's accounts nobody else is going to gainsay him.

  25. AOL has a limited time advantage on AOL Won't Enable Instant Messaging Interoperability · · Score: 2
    AOL is not surprisingly protecting its market share. The problem with that approach is that it only works for as long as AOL has the largest market share.

    Having downloaded AOL and Real software in the past there is simply no way I will ever do so again. They simply make far too many unauthorized changes to my machine and are deliberately coded to make it hard to undo. To get rid of the blinking icon in my system tray reminding me to upgrade RealPlayer I eventually had to reinstall the operating system. I loathe software that won't take no for an answer when I say I don't want to register or upgrade.

    While there are a lot of AOL users I get the feeling that people who use AOL regularly defect to use the Internet proper while very few people go the other way.

    If an AOL user wants to instant message me I will tell them to load up software from a company that will allow interconnection. I am not going to load up AOL spyware/adware just to talk to them. [Actually this has not happened yet, probably because I tend not to be anxious to talk to the people I know who are AOL users].

    Ultimately what we need to do is to design an IM infrastructure that actually works without the need for central choke points.