Doesn't having different parts of your infrastructure spread over a smorgasbord of different operating systems just increase your exposure? Only if cracking any part of your infrastructure implies that all of it is cracked. A monoculture protected by a firewall and antivirus software is vulnerable if anyone who comes to be on the inside is ever cracked. Think executives' laptops, web browsing and emails.
A chain is only as strong as its weakest link... If any link fails, the chain fails. And a rope is very strong but made up of individually very weak strands. If every strand breaks, the rope breaks.
Not to mention the hell of having to have technical staff who are proficient in a multiplicity of different OS types, as well as internetworking them. If you've driven Fords all your life, you would be rendered incompetent if you suddenly had to drive a Chevy?? What's critical is your knowledge of your own infrastructure. The differences among the various OS's are not that great. I'm far from an expert, but I've used OpenBSD on occasion because Linux didn't get along well with a particular SCSI card if it had its BIOS turned on and I didn't really want to be booting the machine from floppy.
I hope the government, in the interest of national security, can clean up MS. Fat chance. It's not just the holes and the patches. I'm far from an expert in such matters, but it seems to me that the calibre of the exploits against BSD and Linux is far greater than that of the exploits against Microsoft Windows, but they never seem to accomplish much of anything. If anything does manage to start something, there will be a large flurry of fixes and workarounds before the mainline vendors manage to get their acts together.
"Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's program interoperate efficiently only with Internet viruses," said Geer. [Emphasis added]
The complexity of Microsoft's software--the report claims that integrating applications with Windows results in code 15 to 35 times more complex--results in a similar increase in vulnerabilities. And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem.
"I don't think that Microsoft can ever fix this," said Geer.
For argument sake let's say I'm the spammer and you're my victim. That's victim, not spam target. I will do everything I can to make it look like you are the culprit responsible for my spam. You need the vigilantes to hunt down me, not take the easy course and assume that it's you.
In olden days I could buy a turntable, amplifier, receiver, speakers, different brands, different levels of price and quality, at widely spaced points in time, and have the justified expectation that everything would work together, within the limits of quality of the components. If and as I had money available I could upgrade the quality of my sound system. This all makes Hi-Fi desirable.
With crippled components, where you have to be very careful about what plugs into what, the expectation changes to an enormous hassle to get much of anything to work with anything else. This makes the entire mess undesirable. If some music CDs are crippled, I have better things to do (like watching the grass grow) than keep track of which are crippled and which are not. DRM may grab a bigger piece of the pie, but it will be a much smaller pie.
but what is stopping the Chinese from changing the source, not rereleasing it, then forcing out binaries to its public?
Nothing stopping it really. Except the Chinese. Let's say I take a Linux distribution, make some screwball changes, and only let out the binaries. Are you interested? No? Am I interested? As I start looking at long-term prospects, I start losing interest, AND IT'S MY STUFF!
Primary reason for not rereleasing it would be a lot of stop-gap measures that you do not want to see picked up by the mainline. I'll use stuff myself that I wouldn't want unleased on an unsuspecting world, certainly not with my name attached.
The problem with most "trusted computing" proposals so far is that "trusted" is an accurate description of them.
So are the proposals of con-men trusted.
We're already seeing the initial effects of "trusted computing". imagine a virus that couldn't be removed from a computer Piddle. Try to remove wscript.exe from current Microsoft Windows so the worms don't run. You can delete it, but it keeps coming back! Trusted computing means that the worms and virus can safely assume that the computer will do their bidding. You can keep patching holes, but having enough patched would require an A-something security that almost all commercial software wouldn't even bother to attempt.
It's small as well as having the Control and Caps Lock keys in the correct place.
How did people navigate before keyboards had arrow keys? With a CTRL key it's possible to emit all the ASCII control code with a typewriter-sized keyboard. Some editors, notably WordStar made extensive use of those control-key combinations.
Many years back, seems like everybody who made a keyboard managed to put something in a strange place. It's called innovation.
But I always have to consider the issue - can non-techsmart people handle it? Will they be able to open the documents they receive and use them.
That would be a compelling argument for paying for Star Office instead of or in addition to Open Office. Commercial software is set up to handle exactly that kind of issue, where the software itself is not what gets changed. This would hold even without the proprietary "goodies" included in Star Office.
Me, I'd be inclined to do both, letting the users decide for themselves which to use at the moment. I would also expect some major surprises as to who uses which. The real power is not from one or the other. It's from both.
I type in a numeric ip url that happens to be down at the moment and MSN search brightly buts in and tries to help. Every time I have encountered MSN search I have found it to be extremely annoying.
A few quibbles, (and I'm not at all sure which bodily orifice I'm speaking out of).
Is a packaged service a package or a service? Methinks it depends on how you want to view it. I suspect large companies view it as a product and the community views it as a service. Product because there is some identifiable token that carries a price, similar to a room key in a hotel.
free software developers tend to make bugfixes only for their latest software It's free on the bleeding edge (discounting the cost of blood;). Large enterprises will want it to be somebody else's blook and will be willing to pay for the privilege.
But whoever runs Red Hat Enterprise knows that it is a very stable software, and, once you have set it up, requires only small atention. This is not a safe bet. Red Hat will do everything they can to make it as stable as possible, however, at an enterprise scale there will be certain areas where it pays heavily to be much more aggresive than on a lesser scale. Also some problems will only show up under heavy load. Paying for support after you find out you need it seems a bit suicidal. Far better to buy the insurance (by whatever name it is called) so that the necessary machinery is in place before you need it. Even better if the "free-loaders" are the ones on the bleeding edge and they run into and fix the problems before the companies do. It's a strange ecology. Corporations pay big bucks for obsolete software which eventually comes from unpaid beta-testers. If you define symbiosis as mutual parasitism, methinks there are interesting possibilities wherein everybody gains, gains a lot.
For a mission critical system, you're ahead if it has what it needs to run the mission and nothing else. Clippy, Norton anything, firewall, utilities. If you think popups are annoying, these all want to get in your face to tell you what a good job they're doing. They're never really any help at all.
"If your computer is immune from these new strains of virii you are strongly encouraged to make it vulnerable."
What else were you expecting? Just try deleting or renaming wscript.exe on ME, 2000, or XP. You can remove the vulnerability, but Microsoft keeps putting it back.
Problems with executables in emails. Outlook will decide you can't have any and that you can't save them anywhere. It's Outlook's choice, not your choice.
but it has to be malware of some sort that just hasn't been cataloged yet.
That is how you protect today from tomorrow's malware. Antivirus software is good at protecting from yesterday's malware. Somehow I don't quite trust tomorrow's malware to be as kind as yesterday's.
You're right of course, but without portability as you call it, do you stand any chance at interoperability?
We're a long way from getting there and Microsoft looks like it's aiming the wrong direction. Interoperability is being able to send the output from the latest-and-greatest to someone with a different kind of system that (s)he hasn't upgraded in the slightest in the last 5 years, and that someone will be able to use the output!
Interoperability doesn't mean a few nice things in that general direction that last a few months. Interoperability is stuff like Sun using IBM's Java implementation. (Or IBM making their own and using Sun's). Interoperability is both IBM and Sun shying away from making their own branded Linux. They could. Easily. Too easily. But would you feel comfortable running Sun-branded Linux on your IBM mainframe? Microsoft is still far too much of a control freak to be credible at not sabatoging interoperability with competitors. Mistakes will happen, but you do not want to be in a position where your mistakes will justifiably be taken as sabatoge.
They are deciding through a court what you or a corporation is permitted to charge. Only if you or the corporation is a convicted monopolist. The normal assumption is that market forces will ensure a reasonable degree of equity. In the case of a monopoly, those market forces do not exist and some other form of relief is necessary.
If you do not want to stay poor, if you want to break out of the rat race, you need to set your own priorities, not live according to someone else's value system. Obviously, these families have the money to spend on broadband Obviously they are spending the money on broadband. Not quite the same thing.
I remember reading about some guys at MIT that made a linux CD specificaly made to find all of the drives on a machine and does a cryptographic shreading on them Optimally it would eject the CD and turn the computer off 2 or 3 days later when it's finished. (Well, maybe not that bad, but it is not a short time).
This is Slashdot. With or without disclaimers, only the postings of astroturfers connote any expression of the views of anyone else. This is a discussion forum. That I express a view does not necessarily even imply that I hold that view. It certainly does not imply that anyone else holds that view. I am not speaking for Slashdot, but I've been hanging around for a while and the above is my considered opinion based on what I have observed.
Regardless, if it has a hole and you aren't using it, uninstall it is very sound advice. Any system, any level. OpenSSH is a legitimate tool. In come contexts it is essential. However, Lindows and SSH don't really seem to go together.
How is this exploitable? Probably isn't. I suspect OpenSSH developers are freaking out, have no proof that the exploit even exists Probably.
Don't worry, it will all settle quickly, with the hole, if it was a hole, firmly eradicated. If you were wondering why Linux worms/viruses/whatever never seem to accomplish much of anything, the above is why. You almost feel sorry for the bugs.
Slashdot Mirror
Doesn't having different parts of your infrastructure spread over a smorgasbord of different operating systems just increase your exposure?
...
Only if cracking any part of your infrastructure implies that all of it is cracked. A monoculture protected by a firewall and antivirus software is vulnerable if anyone who comes to be on the inside is ever cracked. Think executives' laptops, web browsing and emails.
A chain is only as strong as its weakest link
If any link fails, the chain fails.
And a rope is very strong but made up of individually very weak strands.
If every strand breaks, the rope breaks.
Not to mention the hell of having to have technical staff who are proficient in a multiplicity of different OS types, as well as internetworking them.
If you've driven Fords all your life, you would be rendered incompetent if you suddenly had to drive a Chevy?? What's critical is your knowledge of your own infrastructure. The differences among the various OS's are not that great. I'm far from an expert, but I've used OpenBSD on occasion because Linux didn't get along well with a particular SCSI card if it had its BIOS turned on and I didn't really want to be booting the machine from floppy.
Fat chance. It's not just the holes and the patches. I'm far from an expert in such matters, but it seems to me that the calibre of the exploits against BSD and Linux is far greater than that of the exploits against Microsoft Windows, but they never seem to accomplish much of anything. If anything does manage to start something, there will be a large flurry of fixes and workarounds before the mainline vendors manage to get their acts together.
But every day is I-hate-Microsoft day at Slashdot.
That's why I'm here.
Why are you here?
The "hunting down" part is essential.
For argument sake let's say I'm the spammer and you're my victim. That's victim, not spam target.
I will do everything I can to make it look like you are the culprit responsible for my spam. You need the vigilantes to hunt down me, not take the easy course and assume that it's you.
Whoever wins, wins big.
Yep, they win the whole buggy whip market.
In olden days I could buy a turntable, amplifier, receiver, speakers, different brands, different levels of price and quality, at widely spaced points in time, and have the justified expectation that everything would work together, within the limits of quality of the components. If and as I had money available I could upgrade the quality of my sound system. This all makes Hi-Fi desirable.
With crippled components, where you have to be very careful about what plugs into what, the expectation changes to an enormous hassle to get much of anything to work with anything else. This makes the entire mess undesirable. If some music CDs are crippled, I have better things to do (like watching the grass grow) than keep track of which are crippled and which are not. DRM may grab a bigger piece of the pie, but it will be a much smaller pie.
but what is stopping the Chinese from changing the source, not rereleasing it, then forcing out binaries to its public?
Nothing stopping it really. Except the Chinese.
Let's say I take a Linux distribution, make some screwball changes, and only let out the binaries. Are you interested? No? Am I interested? As I start looking at long-term prospects, I start losing interest, AND IT'S MY STUFF!
Primary reason for not rereleasing it would be a lot of stop-gap measures that you do not want to see picked up by the mainline. I'll use stuff myself that I wouldn't want unleased on an unsuspecting world, certainly not with my name attached.
Mother nature sides with the hidden.
If it's flaws you're hiding,
That's where nature's siding.
Imperial pint > 500ml > American pint
I'm sure that means something, but I have no idea what.
The problem with most "trusted computing" proposals so far is that "trusted" is an accurate description of them.
So are the proposals of con-men trusted.
We're already seeing the initial effects of "trusted computing".
imagine a virus that couldn't be removed from a computer
Piddle. Try to remove wscript.exe from current Microsoft Windows so the worms don't run. You can delete it, but it keeps coming back! Trusted computing means that the worms and virus can safely assume that the computer will do their bidding. You can keep patching holes, but having enough patched would require an A-something security that almost all commercial software wouldn't even bother to attempt.
It's small as well as having the Control and Caps Lock keys in the correct place.
How did people navigate before keyboards had arrow keys?
With a CTRL key it's possible to emit all the ASCII control code with a typewriter-sized keyboard. Some editors, notably WordStar made extensive use of those control-key combinations.
Many years back, seems like everybody who made a keyboard managed to put something in a strange place. It's called innovation.
But I always have to consider the issue - can non-techsmart people handle it? Will they be able to open the documents they receive and use them.
That would be a compelling argument for paying for Star Office instead of or in addition to Open Office. Commercial software is set up to handle exactly that kind of issue, where the software itself is not what gets changed. This would hold even without the proprietary "goodies" included in Star Office.
Me, I'd be inclined to do both, letting the users decide for themselves which to use at the moment. I would also expect some major surprises as to who uses which. The real power is not from one or the other. It's from both.
Exactly *how* is the MSN search flaky?
I type in a numeric ip url that happens to be down at the moment and MSN search brightly buts in and tries to help. Every time I have encountered MSN search I have found it to be extremely annoying.
A few quibbles, (and I'm not at all sure which bodily orifice I'm speaking out of).
Is a packaged service a package or a service? Methinks it depends on how you want to view it. I suspect large companies view it as a product and the community views it as a service. Product because there is some identifiable token that carries a price, similar to a room key in a hotel.
free software developers tend to make bugfixes only for their latest software It's free on the bleeding edge (discounting the cost of blood;). Large enterprises will want it to be somebody else's blook and will be willing to pay for the privilege.
But whoever runs Red Hat Enterprise knows that it is a very stable software, and, once you have set it up, requires only small atention. This is not a safe bet. Red Hat will do everything they can to make it as stable as possible, however, at an enterprise scale there will be certain areas where it pays heavily to be much more aggresive than on a lesser scale. Also some problems will only show up under heavy load. Paying for support after you find out you need it seems a bit suicidal. Far better to buy the insurance (by whatever name it is called) so that the necessary machinery is in place before you need it. Even better if the "free-loaders" are the ones on the bleeding edge and they run into and fix the problems before the companies do. It's a strange ecology. Corporations pay big bucks for obsolete software which eventually comes from unpaid beta-testers. If you define symbiosis as mutual parasitism, methinks there are interesting possibilities wherein everybody gains, gains a lot.
For a mission critical system, you're ahead if it has what it needs to run the mission and nothing else. Clippy, Norton anything, firewall, utilities. If you think popups are annoying, these all want to get in your face to tell you what a good job they're doing. They're never really any help at all.
"If your computer is immune from these new strains of virii you are strongly encouraged to make it vulnerable."
What else were you expecting?
Just try deleting or renaming wscript.exe on ME, 2000, or XP.
You can remove the vulnerability, but Microsoft keeps putting it back.
Problems with executables in emails. Outlook will decide you can't have any and that you can't save them anywhere. It's Outlook's choice, not your choice.
but it has to be malware of some sort that just hasn't been cataloged yet.
That is how you protect today from tomorrow's malware.
Antivirus software is good at protecting from yesterday's malware.
Somehow I don't quite trust tomorrow's malware to be as kind as yesterday's.
You're right of course, but without portability as you call it, do you stand any chance at interoperability?
We're a long way from getting there and Microsoft looks like it's aiming the wrong direction. Interoperability is being able to send the output from the latest-and-greatest to someone with a different kind of system that (s)he hasn't upgraded in the slightest in the last 5 years, and that someone will be able to use the output!
Interoperability doesn't mean a few nice things in that general direction that last a few months.
Interoperability is stuff like Sun using IBM's Java implementation. (Or IBM making their own and using Sun's).
Interoperability is both IBM and Sun shying away from making their own branded Linux. They could. Easily. Too easily. But would you feel comfortable running Sun-branded Linux on your IBM mainframe? Microsoft is still far too much of a control freak to be credible at not sabatoging interoperability with competitors. Mistakes will happen, but you do not want to be in a position where your mistakes will justifiably be taken as sabatoge.
They are deciding through a court what you or a corporation is permitted to charge.
Only if you or the corporation is a convicted monopolist.
The normal assumption is that market forces will ensure a reasonable degree of equity. In the case of a monopoly, those market forces do not exist and some other form of relief is necessary.
If you do not want to stay poor, if you want to break out of the rat race, you need to set your own priorities, not live according to someone else's value system.
Obviously, these families have the money to spend on broadband
Obviously they are spending the money on broadband. Not quite the same thing.
I remember reading about some guys at MIT that made a linux CD specificaly made to find all of the drives on a machine and does a cryptographic shreading on them
Optimally it would eject the CD and turn the computer off 2 or 3 days later when it's finished. (Well, maybe not that bad, but it is not a short time).
This is Slashdot.
With or without disclaimers, only the postings of astroturfers connote any expression of the views of anyone else. This is a discussion forum. That I express a view does not necessarily even imply that I hold that view. It certainly does not imply that anyone else holds that view. I am not speaking for Slashdot, but I've been hanging around for a while and the above is my considered opinion based on what I have observed.
Well, I'm not as optimistic about that as you seem to be.
Take a look at the current whatever on the latest OpenSSH. Now, if it really is a hole, does it stand a chance of accomplishing anything?
Nice and orderly? No.
Does the bug have a chance? No.
Regardless, if it has a hole and you aren't using it, uninstall it is very sound advice. Any system, any level.
OpenSSH is a legitimate tool. In come contexts it is essential. However, Lindows and SSH don't really seem to go together.
How is this exploitable? Probably isn't.
I suspect OpenSSH developers are freaking out, have no proof that the exploit even exists Probably.
Don't worry, it will all settle quickly, with the hole, if it was a hole, firmly eradicated. If you were wondering why Linux worms/viruses/whatever never seem to accomplish much of anything, the above is why. You almost feel sorry for the bugs.