There are many holes in Linux apps and distros, many of which can grant root from user, and the list keeps growing on their side of the house as well, just not as fast. Should it become a bigger target, well then we'll see more vulnerabilities sought. Simple economics here (look up opportunity costs). I am OS agnostic, do security consulting among other things, and frankly, no OS is absolutely pure, perfectly armored, nor any application suite. [Emphasis added]
Microsoft Windows has problems.
Linux isn't perfect.
Conclusion?
Fact: Other things being equal, Linux is a better target. More and better tools.
Fact: Regardless of anyone's idea of what should be the results of Microsoft's security initiatives, the reality is that Microsoft software is suffering disproportionately from the effects of malware. Even with Microsoft's initiatives, there has been a steady increasing stream ever since Melissa. I'm sure the trend will change, but I haven't seen any sign of it yet. The malware is getting more and more clever, but with no sign yet of running out of room. The worst is ahead of us, not behind us.
Fact: Microsoft has had a patch for most all the vulnerabilities exploited. This means that the reality is that the user-friendly Microsoft Windows is somehow much harder to keep adequately patched than Linux or BSD. This is the same user-friendly Microsoft Windows that according to Microsoft's TCO studies requires less experienced administrators.
Fact: There are successful attacks on Linux/BSD, but they seem to be much rarer and never seem to accomplish much of anything. Now it might be that Linux/BSD administrators are uniformly much more competent than Microsoft Windows administrators, but too often they are the same people doing both. I suspect that in many cases a semi-skilled Microsoft Windows administrator is also a very green Linux newbie, myself included. There are no silver bullets, but it seems like somehow Linux is effectively much more secure.
Think of XML as Lisp for COBOL programmers.
you can't compare closed source with Open Source. It would be dangerous to.
Conway's law: "Organizations which design systems are constrained to produce designs which are copies of the communication structures of these organizations."
Where does security fit within MS SQL's organization chart? How is security evaluated on performance reviews? Who determines the organization's structure?
With a mix of skills and interests, people generally like to do what they are good at, and people generally are good at what they like to do. Due to this self-selecting nature, open source will tend to work out better than the skill set would indicate.
Security is more the absence of holes than the addition of features. A steel security door on a tar paper shack is not going to help much.
"Machines running Windows HPC Edition could seamlessly connect to desktop computers, providing instant power for someone such as a financial analyst performing calculations on an Excel spreadsheet, said David Lifka, chief technology officer for the Cornell Theory Center, Microsoft's premier high-performance computing partner."
Looks like a fantastic opportunity for worms.
"News (as in stuff that matters) for Nerds".
That works. (Better than playing with AND/OR;)
any news that is of interest to our geek demographic should be posted.
Agreed.
I was more having fun with the usage of AND which tends to connect with a scope much larger than the words themselves would indicate.
How in the world could this place possibly need 20 servers to process this much mail?!
The "lower TCO" of Microsoft Windows?
OK, I'll bite.
News for nerds.
Stuff that matters.
Since both are listed, it is safe to assume that neither is exclusionary.
A US flag is red, white, AND blue.
A particular color can be red OR white OR blue.
A point on the flag will be red or white or blue.
The flag itself will be red, white, AND blue.
American Airlines flies to Los Angeles AND San Francisco.
There's more than one article.
A particular article might be "News for nerds" or "Stuff that matters" or both.
Slashdot itself has "News for nerds" AND "Stuff that matters".
Parse it:
(There-Exists "News for nerds") AND (There-Exists "Stuff that matters").
(There-Exists AA flights to Los Angeles) AND (There-Exists flights to San Francisco).
(There-Exists ("News for nerds" OR "Stuff that matters")) doesn't really work.
IBM had their own antitrust problems
And probably a large part of why IBM is not making its own distribution of Linux.
He impresses me, as he appears to impress the original poster, as just the sort of intelligently sarcastic "prick," in the Swift/Dickens/Twain/Leacock mode, that I rather enjoy dealing with.
And more enjoyable when he's coming from a different perspective.
Some of us like a good argument.
"Linus would flunk one of his OS courses". (or some such) Or get an A. There can be an extremely fine line distinguishing the two. The threat will be there and it's not an idle threat. Something that almost works won't cut it.
AST may now be something of a hero in the Linux revolution, but he's hardly part of the Linux fan club. This makes his setting the record straight all the more credible.
Actually I think that Tanenbaum is right, but:
It's feasible to make a monolithic kernel that's usable and not too wrong.
It's not necessarily feasible to make a microkernel that handles all possible communication even if that would be cheaper, easier, and more efficient than a monolithic kernel with the same robustness.
You don't need to keep defending your stance on microkernels because we've gotten your point for something like 14 years!
Bah! More like nobody's gotten the point in 14 years.
I'd guess that if you really need reliable and robust systems that Tanenbaum is right. With the possible exception of something by Knuth, all legitimate systems have bugs. Note, having a bug is not equivalent to being able to encounter a bug. A single bug in isolation can be incapable of doing any damage or even being noticeable. It's when the bugs get together that you get undesirable behavior. Fix either and the problem goes away. (Fix both if you're smart;) Note that you often need the context of the complex interactions to be able to see that the bug is a bug.
Me, I prefer to throw everything together at the beginning, then debug, design and write the system. At least I tend to early get rid of the ones whose impact is all out of proportion to the cause.
One of the world's most respected computer scientists just TRASHED the integrity of the guy who interviewed him. I'm sure the whatchamacallit institute [Alexis de Tocqueville Institution] will be a long time living this down.
This reflects on the integrity and competence of the author of the "Brown book", The Alexis de Tocqueville Institution, and the lengths that Microsoft will go to obtain favorable "independent" results.
Some people like to argue.
I reserve the right to have an opinion and to defend it. This doesn't mean that your opposite opinion isn't better (not that I'd let myself be forced to admit it;)
Or RG-58 coax.
You have to have those caps on the ends of the cable run to keep the electrons from spilling out.
I have had Windows 95 respond to a ping of another computer on the LAN.
with the network cable unplugged!
Actually the tech is probably right in that about once an hour they'll check to see what MAC addresses respond to your IP. Now there is a bit of a difference between 60 minutes and 30 seconds;)
What I'd be curious to know is how each OS recognized the capabilities of his drive and IDE controller.
I'm guessing, but this sounds like:
QNX is doing: Read a sector. Write a sector. Repeat.
Linux is doing: Read a mess of disk. Write a mess of disk. Repeat.
Linux disk drivers do seem to at least attempt to get maximum performance out of the disk system.
To test, manufacture a bogus partition table where p2 is one sector after p1.
If my guess is right, QNX will behave repeatedly and Linux will give random garbage. In neither case will p2-after be the same as p1-before.
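The "bogus partition table" the commenter proposes is something a defender can also check for directly: overlapping MBR entries are a classic sign of a corrupted or deliberately crafted disk layout. This is an added example, not the commenter's code; it builds a constructed 512-byte MBR with p2 starting one sector after p1 and flags the overlap. The layout constants (table at offset 446, four 16-byte entries, 0x55AA signature) are the standard MBR format; the `0xFE 0xFF 0xFF` CHS filler is an assumption for LBA-only entries.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446     # partition table starts here in the boot sector
ENTRY_SIZE = 16            # each of the four primary entries is 16 bytes
SIGNATURE = b"\x55\xAA"    # bytes 510..511 of a valid MBR
# <B 3s B 3s I I : status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def make_entry(lba_start, sectors, ptype=0x83, bootable=False):
    """Build one 16-byte MBR partition entry (constructed data).
    CHS fields get the 0xFE 0xFF 0xFF 'LBA-only' filler (assumption)."""
    status = 0x80 if bootable else 0x00
    chs_filler = b"\xfe\xff\xff"
    return struct.pack(ENTRY_FMT, status, chs_filler, ptype, chs_filler,
                       lba_start, sectors)


def make_mbr(entries):
    """Assemble a full 512-byte MBR from up to four partition entries."""
    if len(entries) > 4:
        raise ValueError("MBR holds at most four primary entries")
    table = b"".join(entries) + b"\x00" * (ENTRY_SIZE * (4 - len(entries)))
    return b"\x00" * MBR_TABLE_OFFSET + table + SIGNATURE


def parse_partitions(mbr):
    """Return (number, lba_start, lba_end_exclusive, type) for in-use entries.
    Rejects sectors that are too short or lack the 0x55AA signature."""
    if len(mbr) < SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * ENTRY_SIZE
        _status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append((i + 1, lba, lba + count, ptype))
    return parts


def find_overlaps(parts):
    """Return pairs of partition numbers whose sector ranges intersect."""
    overlaps = []
    for a in range(len(parts)):
        for b in range(a + 1, len(parts)):
            na, sa, ea, _ = parts[a]
            nb, sb, eb, _ = parts[b]
            if sa < eb and sb < ea:       # half-open interval intersection
                overlaps.append((na, nb))
    return overlaps


def overlap_report(mbr):
    """Parse an MBR and list the overlapping partition pairs (empty if sane)."""
    return find_overlaps(parse_partitions(mbr))


# Constructed samples: the commenter's p2-one-sector-after-p1 layout, and a sane one.
BOGUS_MBR = make_mbr([make_entry(2048, 4096), make_entry(2049, 4096)])
SANE_MBR = make_mbr([make_entry(2048, 4096), make_entry(6144, 4096)])

if __name__ == "__main__":
    for name, mbr in (("bogus", BOGUS_MBR), ("sane", SANE_MBR)):
        print(name, parse_partitions(mbr), "overlaps:", overlap_report(mbr))
```

On a real disk the same check runs on the first 512 bytes of the device image; any overlap reported is a reason to stop and image the disk before anything writes to it.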
Hmmmm, seems like this has played before.
Big city newspapers many decades ago.
9. Google is not a monopoly; there's plenty of competition.
On ethics? Google should have lots of competition. I'm not sure it does.
6. As a big company, Google has business relationships with lots of other companies
Things like journalistic independence and integrity. I doubt that Google would sell its integrity cheaply.
5. Does it have a role in taste and decency?
Since your tastes and my tastes differ and we have different ideas of the limits of decency,
With several very big IFs, I'd say yes.
2. How much personal data should it collect? The company is going to understand more and more about what people are doing online, says Sullivan. But does that mean our information is fair game?
Maybe it's just me, but I get the impression that the Google ads are done as a service to me, the consumer, rather than as a service to the advertisers who are paying for it. Google is aiming for what I am interested in.
If Google is good at doing that, any of my personal information in Google's possession is a valuable resource and, bluntly, Google is going to keep a tight handle on it. Think about it. What's annoying about spam and popups is that your eyeballs have been sold for almost nothing. Positively insulting!
While admirable, their press release is nothing more than idealistic rhetoric which does nothing to actually help the situation at hand. Not in the short term at least.....
I'm not so sure.
"Usually there are complex business relationships among the companies participating in a bundle. This can result in well-intentioned companies benefiting from the distribution or revenue generated by software that does not benefit you."
Spyware (or spam) is not really a good way to advertise your business. Using the "services" of spyware or spamming companies is not really good business practice. Having any association with spyware or spamming companies is not good business practice. In terms of on-line reputation, Google's opinion carries a lot of weight.
Google is in a position to be able to discover and punish those involved. A few well-designed Google-Bars and a mass of Google-using fans should make an effective internet-sniffing machine. Participants would include many of the tin-foil-hat crowd.
It doesn't read like empty rhetoric. Google's business is being impacted and I'd be very surprised if they didn't do something about it.
A 20% performance hit really doesn't matter. Look at the rate of speed increases in hardware. When new systems come out doubling performance at such a regular pace, a one-time 20% slowdown to switch to an otherwise superior architecture with other benefits is an easy pill to swallow.
Good theory. Practice seems to work out differently.
Speed comparisons between products. Seems like 5% difference is enough to declare a clear winner. Unless you look behind the curtain.
Speed increases in hardware? At work I have two computers. I am typing this on NT4 on a 400MHz Gateway. My "other" computer is XP on a 2.4GHz Dell. Other than some legacy dBase for DOS applications the "faster" computer isn't any faster. It does boot faster which means that the XP machine is booted a lot more often than the NT. A 20% performance hit would be the same 20% on both machines.
The quoted improved performance doesn't quite translate into reality. A legitimate 10-times performance (IBM 1410 to IBM 370/135) translated into a 2-times difference in actual throughput. By the way, going the other direction won't work. As a rule of thumb, you will feel 90% of all slowdowns and only 10% of all speedups. This works both directions, like the "uphill both ways" quip.
Turns out he really is that dumb. Weird.
What's significant is that this is what Microsoft can find to do their "independent research".
but to criticise Linux for not being designed as a teaching tool, when that was never one of its design criteria, is a little perverse, to say the least.
"I still fervently believe that the only way to make software secure, reliable, and fast is to make it small. Fight Features."
This requires an unrelenting and possibly unreasonable stance.
There's two kinds of Microsoft Windows users.
One kind has screensavers and desktop wallpaper.
The other kind does not.
Guess which kind gets all the viruses and worms.
Bitter much?
I didn't read it as such.
This from a man who describes true multitasking and multi-threaded I/O as "a performance hack."
If it's anywhere as hard to get everything right as I think it is, Tanenbaum is right. From the standpoint of teaching the stuff, I'd say that Tanenbaum's stand is very defensible and you can't fault Tanenbaum for defending it.
This doesn't mean that Linus is wrong. A useable system has a different set of priorities than a teachable system.
The quote I liked best was:
[Butler Lampson] "Is there anybody here who couldn't write CTSS in a month?" Nobody raised his hand. I concluded that you'd have to be real dumb not to be able to write an operating system in a month.
Writing an OS is not that big a deal. I've done it and I'm nowhere near those guys' league.
.03 is 3% but anyway
Depends on how you look at it.
3 nines to 5 nines is 99.9% to 99.999%, which is a .1% improvement.
From the other end, .1% to .001% is a 10000% improvement.
14-13.3 is 700M years after big bang
14-13.7 is 300M years after big bang
Better than 50% improvement (using Hubble as base)
Better than 100% improvement (using Webb as base)
The problem with percents is that they state one number and leave unstated the base for that number. Very little trickery is required to minimize or diminish importance without actually committing falsehoods.
There's not much you can do about it, either.
Oh, I dunno.
1) Slashdot is a very effective early warning system for Microsoft malware.
2) You can rename/delete the programs that are necessary to run the malware.
Note: 2) doesn't work with the later versions of Microsoft Windows which require that you enable viruses.
As for leaving before Microsoft released blah blah, the newer ones are more gizmo happy, which means more places for holes, which means the holes become a required part of the infrastructure. Microsoft may have patched a bunch of holes, but the overall effect is something which is intrinsically much less secure. Sure there are holes found in OSS, but my impression is that there is an extreme effort required to find them. Other things equal, Linux/BSD has to be a much more attractive target. Better toolset.
Another Microsoft vulnerability is not news. Boring, boring.
You need a significant new Microsoft vulnerability to make it news.
An Open Source vulnerability generally is news.
The Microsoft ads indicate that Microsoft is feeling pressure. Be aware that ads are targeted not to the customers of the product but to the management of the company that approves the ad. The TCO ad just means that Microsoft found somebody who could figure out that a mainframe was more expensive than a dual Xeon Intel box. I'm sure an extended cab pickup is cheaper than an 85-ton earthmover.
All software has bugs. But you knew that already.
We found another one. This is not the first. It won't be the last.
You need to update to keep your system secure.
If there ever will be a hole, your system is not secure.
Not knowing of any insecurities is not equivalent to being secure.
I think they're in for the money.
Long term, I'd say yes.
give them a little piece of what they can really give little by little, so people will crave to buy...
They are not really in the email business (yet). Searching seems their main business as of now. And they pay that with advertising only?
I'd guess that the advertising revenues are chump change.
I have 340+ meg email plus several hundred megs archived. Finding something I know "has to be there" is a PITA. And I'm not really a heavy email user.
There has to be an eager market for something that can handle intelligent searches of all email.