So far, no one has come up with something that can even remotely stand up to the iPod. It's very easy... the iPod design is better, its user interface is better and, last but not least, it functions great with iTunes (gee... I wonder why :-)
I, for one, am a happy iPod owner. I am very happy that the device will let me play music files. I do not need to watch videos on it, I do not need to call with it or whatever else manufacturers want to sell me. I just want to listen to music with as little fuss as possible, and the iPod serves that purpose admirably. Not to mention it integrates great with my operating system :-)
I am getting sick and tired of people constantly recommending Linux as the solution to whatever problem someone has. Face it, people, Linux is a wonderful operating system, and given a choice I would have a Linux box on my desk instead of a Windows one, but as it stands, Linux is not what makes the world go round, Microsoft currently holds that position.
I agree that that is an unhealthy situation, but blindly recommending Linux for whatever problem someone poses is not the solution to that problem. The same goes for any other-than-Microsoft solution. Understand that sometimes a Microsoft solution is not a bad choice!
Now to the problem. The first thing you should do is investigate support options for Windows NT, and the possibility of a migration towards Windows Server 2003. While doing so, interoperability with Novell should be high on your priority list.
Also understand that there is a profound difference between NT4 domains, a Windows 2000 AD domain and a Windows Server 2003 AD domain. Where Microsoft pitched Windows 2000 AD as an enterprise directory, they have now seen their mistakes in doing so, implemented major improvements to the AD and now they are selling it as a systems management directory. In other words, if you want an enterprise directory, stick with Novell. If you don't want or need that, go with Windows. Take into account the fact that once you go the full Windows AD route, you are running one or more Kerberos realms, with all the associated problems. Also understand that a proper DNS infrastructure is mandatory for a healthy AD domain. The third point: AD replication. Before implementing anything, make detailed calculations about the amount of directory replication traffic if you run multiple domains (hint: you don't want to, but might need to). This last point doubles in importance when replicating to remote sites over slow WAN links.
So a special purpose processor is better at doing some things than a general purpose processor. How new is that? That Cray X-1 upstairs is very good at doing vector operations, however it sucks at doing anything scalar (like compiling, perhaps?) This is why Cray gives you a general purpose workstation to go with the X-1 as a compilation workstation (among others).
First of all, this "feature" already exists, it is running on my XP machine right now and it is called Cygwin. Honestly, a good command line is all I really need, since all the other OSS tools I use are available for Windows (Firefox, Thunderbird, PuTTY, OpenOffice, LaTeX etc). So I really do not need more Linux/Windows integration, I could do with a Linux machine on my desk, but corporate rules will not allow me one... but I digress.
What I really want to point at is innovative power in Linux. There does not seem to be any. Sure, Linux has made great progress since the days of 1.0 (I've been running it that long) but still, Linux is a Unix replacement that is not good enough for the big iron (which I administer daily) and for the desktop there are cleaner Unix systems (the BSDs) and nicer working ones (Mac OS X).
A couple of days ago I saw an announcement from HP, where they showed off their "PC of the Future", a device that integrated everything. Phone, email, web, video, music, you name it, it had it. And what was driving this thing? The horribly bloated, slow Windows XP, which, for all the development that has gone into Windows, still functions in the same way as Windows 2.0 did. Where's the innovative new operating system interaction? Why do I still have to live with start buttons and desktops?
This is in my opinion where Linux could shine. Create a new, fast GUI. Think of a whole new paradigm for using the computer. Why do we need a desktop, a start button, folders or directories, hard disks... I don't need to know about all that, I just want to use my computer.
Microsoft is busy recreating Windows in the form of Longhorn. Undoubtedly Longhorn will be a (large) step beyond Windows XP. But the age-old paradigm of the desktop will still be there. The much-maligned start button will still be there. And all the other things that make Windows Windows will still be there. A missed opportunity, in my opinion. Just as much as Linux misses the opportunity to be truly innovative. Gates is right in that respect, the open source community is quite good at imitation, but not so good at innovation. Innovation is what is needed, not creating a cross-over between Unix and Windows.
Very true. The problem with articles like this falls under not understanding the material under review (e.g. expecting it to be a Photoshop port to Linux) and not doing research before proudly exclaiming that "Gimp Sux0rs!"
What you fail to understand is that the developers themselves often refer to Gimp as a "photoshop killer". While Gimp is a capable image manipulation program, it is nowhere near a Photoshop killer.
I would most definitely not recommend SHFS for production use. The reason behind this is very simple. It is unproven for production use. By unproven I mean multi-year experience running it in a large-scale, mission critical environment. Contrary to what you might think, your home setup is not a large-scale, mission critical environment.
The place where I work is a UNIX shop, we use NFS all the time, because it operates reliably between various UNIX flavours. Every vendor has a robust implementation. We share terabyte-sized file systems, with no problems whatsoever.
If you are worried about the security implications of NFS, there are other ways to combat them.
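The post above leaves the "other ways" unnamed. As an added example (not code from the original post or from any NFS implementation), here is a small audit script that reads an /etc/exports file and flags the settings a practitioner would look for first: wildcard clients, no_root_squash, insecure, and exports that rely on client-asserted AUTH_SYS uids instead of Kerberos with integrity or privacy. The two exports files are constructed for illustration and the hostnames and subnets in them are placeholders.

```python
"""Audit /etc/exports for the classic NFS exposure mistakes.

Added example, not code from the original post.  The two exports files
below are constructed for illustration; the checks encode the usual
hardening advice: export to named hosts only, keep root_squash, refuse
requests from unprivileged ports, and require Kerberos with integrity or
privacy (sec=krb5i / sec=krb5p) instead of client-asserted AUTH_SYS uids.
"""
import re

# "<path> <client>(<opt,opt>) <client>(<opts>) ..." ; a bare "(opts)" means every host
CLIENT_RE = re.compile(r'^([^()\s]*)(?:\(([^)]*)\))?$')


def parse_exports(text):
    """Return a list of (path, client, [options]) for every client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        if not specs:                            # "/path" alone = everyone, default opts
            specs = ['*']
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError('bad client spec %r in %r' % (spec, raw))
            client, opts = m.group(1), m.group(2)
            options = [o.strip() for o in opts.split(',')] if opts else []
            entries.append((path, client, options))
    return entries


def audit_entry(path, client, options):
    """Return the list of findings for one export spec (empty = clean)."""
    findings = []
    if client in ('', '*'):
        findings.append('exported to every host that can reach the server')
    if 'no_root_squash' in options:
        findings.append('no_root_squash: remote root becomes local root on %s' % path)
    if 'insecure' in options:
        findings.append('insecure: accepts requests from unprivileged source ports')
    sec = [o[len('sec='):] for o in options if o.startswith('sec=')]
    flavors = sec[0].split(':') if sec else ['sys']   # nfs-utils default is sec=sys
    weak = [f for f in flavors if f in ('sys', 'none', 'krb5')]
    if weak:
        findings.append('weak security flavor %s: no Kerberos integrity/privacy'
                        % ','.join(weak))
    return findings


def audit(text):
    """Map (path, client) -> findings, listing only entries with problems."""
    report = {}
    for path, client, options in parse_exports(text):
        f = audit_entry(path, client, options)
        if f:
            report[(path, client)] = f
    return report


# Constructed sample: the "it just works" exports file seen on many render farms.
WEAK_EXPORTS = """\
# everyone can mount, remote root is root, any source port accepted
/srv/renders   *(rw,sync,no_root_squash,insecure)
/srv/home      192.168.0.0/16(rw,sync)
"""

# Constructed sample: the same shares, hardened (hostnames are placeholders).
HARDENED_EXPORTS = """\
/srv/renders   render01.example.com(rw,sync,root_squash,sec=krb5p)
/srv/renders   render02.example.com(rw,sync,root_squash,sec=krb5p)
/srv/home      192.168.10.0/24(rw,sync,root_squash,sec=krb5i:krb5p)
"""

if __name__ == '__main__':
    for name, text in (('weak', WEAK_EXPORTS), ('hardened', HARDENED_EXPORTS)):
        print('== %s ==' % name)
        for (path, client), findings in audit(text).items():
            for f in findings:
                print('  %s %s: %s' % (path, client or '(all)', f))
```

The flavor check treats plain sec=krb5 as weak on purpose: it authenticates the user but leaves the RPC payload unprotected, so it is only a partial fix compared with krb5i or krb5p.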
Almost every FX house worth its salt in the CG business uses Pixar's Renderman on UNIX or Linux machines. The reasons behind this choice are very simple.
Renderman is proven technology and has been so since the early '90s. Renderman is well known, its results are predictable and it is a fast renderer. Also, current production pipelines are optimised for Renderman. UNIX and Linux are quite good when it comes to distributed environments (can anyone say Render Farm?) and handle large file sizes well (Think a 2k by 2k image file, large RIB files). And last but not least, Renderman is available with a source code license.
Hardware accelerated film rendering is in essence nothing but processor operations, some memory to hold objects and some I/O stuff to get the source files and output the film images. Please explain to me why a dedicated rendering device from NVidia would be any better than your average UNIX or Linux machine? Correct, there aren't any advantages, only disadvantages. (More expensive, proprietary hardware, unproven etc.)
IMO it would be a lot more challenging to try and build a native win32 binary. Yes, this means using the dreaded MFC, though I myself would prefer the way cleaner implementation of the ATL (or even the largely undocumented WTL).
Of course building a Gimp 2 in managed code on the .NET platform would be even more interesting... imagine having a complete managed open source application to run on Longhorn way before anyone else has one...
Updating a Microsoft machine is so easy that as soon as you connect a Windows 2000/XP machine to the net, it gets attacked by a whole load of other infected machines.
The fact that Microsoft has a patch out for Outlook is meaningless, since there is no Outlook update in the same way as there is Windows Update. Running Windows Update can be automated (and should be automated for home users) but updating Office is not so easy.
Since the source code to Slashdot is available, domains come pretty cheap these days and even dedicated servers aren't just for the richest anymore, why don't you build your own Slashdot-like Windows community?
I am positive you are not the only Windows user lurking on Slashdot for a good discussion... I know I was back in my Windows admin days. (Which have long since passed)
When I was consulting for a large international defence organisation, I got a lot of questions on open source software, open source software security, open source legal aspects, but no questions about the current SCO misery. Apparently people (in that specific organisation) just don't care.
The EAL levels in themselves are interesting, but you should take the protection profile into account with the evaluated operating system. If you look at all evaluated operating systems, you will see that they all use the Controlled Access Protection Profile (CAPP). This PP assumes certain things about threat levels, for instance no malicious administrator and no malicious users. Therefore, the PP is quite weak. This is the PP that has been used to evaluate Windows 2000, for instance, but other operating systems as well. I haven't seen the ToE (Target of Evaluation) for SuSE, but I expect it to be close to the CAPP as well.
A totally different PP is the Mandatory Access Protection Profile. This PP is based on mandatory access controls, of which the SELinux kernel extensions are an implementation. (Reality is far more complicated, but for now this explanation will do). The MAPP is a far more stringent PP, therefore the number of evaluated operating systems is far lower.
These PPs, along with specialized PPs for firewalls, databases, crypto devices et cetera can be found on the NIST website, if anyone would care to read them.
As noticed already by several people, a certain EAL is for a certain version of the operating system, with certain services installed, on a certain hardware configuration, thus its real life value is limited. However, given the fact that several organisations only procure ICT products that have undergone Common Criteria evaluation, this is an important step for the deployment of Linux in that type of organisation.
Given the fact that this sounds like a directory in X.500 or LDAP format, which are both extremely vulnerable to ASN.1 vulnerabilities, hackers will have a field day exploiting this directory.
Also, since ASN.1 is very non-trivial to program, it will be interesting to see how many programmers will be able to use this successfully... I am referring to the ASP.NET generation :-)
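The comment above says ASN.1 is non-trivial to program without showing where decoders go wrong. As an added example (not code from the original comment, and not any LDAP or X.500 library's code), here is a minimal DER tag-length-value decoder that makes the checks a length-prefixed format demands: a declared length must fit inside the enclosing element, indefinite and non-minimal length forms are refused, and nesting depth is capped. The sample messages are constructed by hand; GOOD only mimics the outer shape of an LDAP message (a SEQUENCE holding an INTEGER message ID and a payload).

```python
"""Minimal DER tag-length-value decoder with the checks an ASN.1 parser must make.

Added example, not code from the original comment.  It decodes the outer
shape of a message the way an LDAP or X.500 implementation would have to
(LDAP's BER is DER-like for this purpose), and rejects the length
encodings that historically bit real decoders: lengths that run past the
buffer, indefinite-length forms, non-minimal lengths, and oversized
length fields.  The sample messages are constructed by hand.
"""


class DERError(ValueError):
    """Raised for any malformed or out-of-bounds encoding."""


MAX_DEPTH = 16  # assumed nesting cap; real protocols rarely need more than a few levels


def read_tlv(buf, pos, end):
    """Parse the tag and length at buf[pos] and return
    (tag, content_start, content_end).  'end' is the end of the enclosing
    element, so a child can never claim bytes beyond its parent."""
    if pos >= end:
        raise DERError('truncated: no tag byte')
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise DERError('multi-byte tag numbers not supported')
    if pos >= end:
        raise DERError('truncated: no length byte')
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte, 0..127
        length = first
    elif first == 0x80:                    # indefinite length: BER only, never DER
        raise DERError('indefinite length is not DER')
    else:                                  # long form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n > 4:
            raise DERError('length field of %d bytes is unreasonable' % n)
        if pos + n > end:
            raise DERError('truncated length field')
        lb = buf[pos:pos + n]
        pos += n
        length = int.from_bytes(lb, 'big')
        if lb[0] == 0 or length < 0x80:
            raise DERError('non-minimal length encoding')
    # The check a naive decoder forgets: the declared length must fit in the
    # bytes actually present.  Trusting it leads straight to an over-read.
    if length > end - pos:
        raise DERError('declared length %d exceeds the %d bytes available'
                       % (length, end - pos))
    return tag, pos, pos + length


def decode(buf, pos=0, end=None, depth=0):
    """Decode every TLV in buf[pos:end] into a list of (tag, value) pairs;
    value is a nested list for constructed tags and bytes for primitives."""
    if end is None:
        end = len(buf)
    if depth > MAX_DEPTH:
        raise DERError('nesting deeper than %d levels' % MAX_DEPTH)
    items = []
    while pos < end:
        tag, cstart, cend = read_tlv(buf, pos, end)
        if tag & 0x20:                     # constructed: recurse into the content
            items.append((tag, decode(buf, cstart, cend, depth + 1)))
        else:
            items.append((tag, bytes(buf[cstart:cend])))
        pos = cend
    return items


def try_decode(buf):
    """Return (True, tree) or (False, reason) instead of raising."""
    try:
        return True, decode(buf)
    except DERError as e:
        return False, str(e)


# Constructed samples.  GOOD is SEQUENCE { INTEGER 7, OCTET STRING "cn=admin" },
# roughly the head of an LDAP message (messageID followed by a payload).
GOOD = bytes.fromhex('300d' '020107' '0408' + b'cn=admin'.hex())
OVERSIZE = bytes.fromhex('3084ffffffff' '020107')  # claims 4 GiB, has 3 bytes
INDEFINITE = bytes.fromhex('3080' '020107' '0000')  # BER indefinite form
NONMINIMAL = bytes.fromhex('30810d' '020107' '0408' + b'cn=admin'.hex())
TRUNCATED = GOOD[:9]                                # outer length says 13, only 7 present

if __name__ == '__main__':
    for name, msg in (('good', GOOD), ('oversize', OVERSIZE),
                      ('indefinite', INDEFINITE), ('nonminimal', NONMINIMAL),
                      ('truncated', TRUNCATED)):
        print(name, try_decode(msg))
```

The important line is the comparison of the declared length against `end - pos`: every recursive call passes its parent's end rather than the buffer's, so a nested element cannot declare its way past the element that contains it.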
It is forbidden to use banknotes because the design on a banknote is copyrighted. If you want to use for instance euro notes, you need to contact the ECB (and probably pay for the use of the design). I am sure there are usage guidelines as well.
Note that this rule equally applies to for instance wallpaper. Everything with a design on it is automatically covered by copyright law.
Windows NT/2000/XP family operating systems are NOT securable. The same goes for the average UNIX operating system (except the trusted variants). Why is this? You already mentioned it: DACL.
If you read the Common Criteria target of evaluation for Windows 2000, you will see that Microsoft has used the Controlled Access Protection Profile. This profile assumes no malicious outsiders or administrators. The much stricter Mandatory Access Protection Profile on the other hand does assume malicious outsiders, users and administrators. The trusted UNIX variants protect against this (and SELinux does so as well).
As for securable... I much prefer to secure an Irix system over a Windows system any day. UNIX in general is very transparent (less so with Irix, hence me mentioning it) whereas Windows is very opaque. I don't know what Windows components do; I do know what UNIX components do. KISS and SMILE are your friends in security, complexity is not.
Maybe, just maybe, MS will eventually get security right.
Until Microsoft decides to consider security an early design feature instead of an afterthought, perhaps then they might get security right. Right now it still feels a lot like "too little, too late". I have switched to non-Microsoft software completely, with no intention whatsoever to switch back. Using the Mac for Photoshop, Linux for web stuff and Irix for 3D stuff, I never need to touch Microsoft software again... doubly so since OpenOffice is available on all three platforms :)
Unless Microsoft has implemented MLSA, which is admittedly tough to do, or they have implemented a physically separated network for their high-value stuff (without internet access!!), they will indeed at some point see a compromise that touches their high-value stuff. Unfortunately for the rest of the slashdot-crowd, this equally applies to them as well :)
Also, I don't see any references to a document classification level system, plus the proper controls to implement them. We know from the Halloween documents that they must have something like that. (The Halloween documents are labelled Microsoft Confidential.)
When I leave my house, car, bike or whatever unlocked and it gets broken into or stolen, I will not receive a single penny from my insurance company.
Now please, please tell me why this should be different with computers. If someone is not smart enough to use even the most basic protection, say a virus scanner and a host-based firewall, both of which get updated automatically, then such a person should either not connect their computer to a network or not have a computer in the first place.
Cluelessness should never be an excuse for ignorance. If you don't know, either ask someone more knowledgeable or just don't do it. But don't do it ignorantly!
My current employer will not allow any Linux on the network unless it is evaluated under the common criteria. The minimum EAL is EAL 3+.
SUSE and IBM got Linux EAL 2+ evaluated, and are currently working on receiving a higher level. However, when this evaluation will be undertaken is currently unknown.
Is Red Hat currently planning to have their Enterprise Linux undergo Common Criteria evaluation, and if not, please explain your motivation.
Charles Simonyi was the man at Microsoft that tried to answer the complexity of Microsoft's software with more complexity.
Now hearing a statement like this from him sounds hardly convincing.
And... do we really want a programming language so simple everyone can use it? I thought Visual Basic and VBA taught people very well that we do NOT want it!!
However, running Exchange 5.5 on Windows Server 2003 is unsupported. (And for all I know impossible... I haven't tested it yet). Believe me when I tell you that the changes in AD schema between 2000 and 2003 are massive, and in fact so massive that running Exchange 2000 on Server 2003 is impossible. And I have tested that :)
So far, SuSE Enterprise 8.0 is the only Linux version, and actually the only open source product, to have ever undergone Common Criteria evaluation. Currently SuSE holds an EAL 2+, and SuSE and IBM are planning on getting that level up to 3 or 4 (can't remember exactly). Common Criteria evaluation may seem useless to a lot of people here, and those people have a point, up to a certain extent, but a lot of decision makers want to see a certain EAL, and in some organisations, a certain EAL is mandatory. So SuSE might actually have quite a nice position... since it is a non-US product, there are far fewer problems with encryption as well, which is always nice, even now that the US government has lifted export restrictions.
You have a small problem. First of all, Exchange 5.5 will be unsupported by the end of this year, so the upgrade to 2k/2k3 is somewhat mandatory. Second, as noted before, both 2k and 2k3 require Active Directory, which means upgrading at least your PDC and BDCs to Windows 2k or Windows Server 2k3. Exchange 2k and 2k3 are both more secure and more reliable than Exchange 5.5, but I would not recommend them for DMZ use (if you want to sleep at night). Also, it will take you quite a bit of work to move your working Sendmail setup to Exchange. I would recommend building a test lab closely mirroring your current production environment, and see for yourself the impact of the migration to Exchange 2003.
I am very interested to read the article itself. Could someone post a link please? (Included with the submission perhaps??)
I am seriously wondering if anyone at Microsoft actually paid as much attention to the Halloween documents as the open source community does.
In the first document, the writer states: "OSS is long-term credible... FUD tactics can not be used to combat it."
Thanks for the info, interesting.