but most people I know buy their computer to do real work running real application programs.
Right. Just running the OS is kinda stupid.
The developers run as root/administrator/whatever and test as root/administrator/whatever, which pretty much forces the user to run as root/administrator/whatever. Further, as I like to put it, Microsoft has a hard time walking and chewing gum at the same time. There are some fine-grained access features, but the actual limits are determined by such coarse-grained aspects as: I cannot access network shares on one other computer as two different users simultaneously. I can't have two different DOS boxes with one network drive aimed at different resources (like WfW and Novell networking). On NT4 boxes, the users are just users, not even power users. On XP boxes, I've given up and they are all local administrators. The effective security is what is practically realizable, not what is theoretically possible. Five cents per compromised computer is a good measure of how effective Microsoft's security enhancement endeavors have been.
One, actually.
...
If memory serves correctly, OpenBSD had a staged pair of patches so that there was no window of exposure even with full source disclosure. Seems like the hole had to do with something esoteric involving one-time pads, sufficiently esoteric that the same hole was a non-issue on most Linux distributions.
The image I get of OpenBSD's security is that one should be able to do an initial install. Thereafter, everything is done remotely with a competent adversary playing man-in-the-middle, including key-loggers.
However, I treat every update/patch (as small as it may be) as if it were an exploit waiting to be abused by every script kiddie out there
Wise. Further, watch those updates carefully. If you are currently secure, but I can trick you into installing something that makes you insecure...
Security is a process, installing OpenBSD and then not keeping up to date on patches is nearly as bad as doing the same thing on Windows.
Strange idea of "nearly".
Hmmmph, I'd take a seven-year old OpenBSD, unpatched (but avoiding one-time pads on OpenSSH), over a currently patched Windows box any day.
Probably worthwhile to bring a few userland apps somewhat up to date, though.
Security is much more a matter of making stuff solid in the first place than scurrying around applying band-aids where the breaks are noticeable.
Windows update, automatic patching, and the going rate for owned machines is a whopping five cents!
Can I just buy my *own* computer back for a nickel?
No.
If you could, it would be cheaper and more effective than any existing anti-virus/anti-spyware software.
Sorry.
"Go buy control of my machines!"
"Yes, sir, Mr. Gates."
LOL. Well it is one thing that Microsoft could do to improve its security, at least in the short term. Kinda sets a bad example, though.
Five cents per compromised machine???
Now the question is, What is the going rate for compromised Linux boxes? Or better yet, for compromised OpenBSD boxes?
That, my friends, is how you can measure the effectiveness of the security.
The thing with messing with the environment and extinctions is that we tend to lose the likes of the Birds of Paradise and get left with the cockroaches and the rats.
Hmmmm.
"Because I can" versus "Because I should".
Somehow I think I'd rather trust the "Because I can" crowd rather than the "Because I should" crowd.
"Because I should" seems to get muddled with implications going from I should to YOU should.
Also any useful criteria for "should" need to come from outside the technical arena rather than from inside.
Actually, I think a lot of Open Source software is better, and is improving, precisely because the developers are sufficiently arrogant to believe that software does not have to stink and that they have sufficient skill and determination to decrease the level of the stinkiness. If they work to their own standards they will produce much better work than if they try to cater to your ideas or to my ideas.
Except that there are some of us who do not use OpenBSD but consider it as probably the best indicator of hardware quality and the quality of what the support will be for Linux and even Windows. Even to the point of using OpenBSD support as a litmus test for Windows hardware.
Put it this way. If the hardware gives OpenBSD troubles, how much do you want to risk that the troubles affect ONLY OpenBSD? Conversely, if OpenBSD has no troubles supporting the hardware, any troubles elsewhere are at least fixable. OpenBSD may be a small niche, but it is a niche that carries a lot more weight than its numbers would suggest.
What really boggles me is that a genuinely good company like Google (I've talked with several people there, and watched their business closely, and they ARE good) gets accused of having horrible malicious goals more than any 3 other companies I've ever heard of.
I think this is because Google is actually being held to a higher standard, whatever that means. The sniping is a crude attempt to find what it means, this higher standard. Basic survival instinct. If we are to trust Google, maybe better we get some idea of how well placed our trust is. Most companies, there are some good people in them, but blind trust in them is hardly advisable. Google? Certainly better than most, but how good is that really? To the extent that knowledge is power, Google will wind up being privy to a lot of private and sensitive information and may be the start of some new realization of an "information age". Me, I'd tend to trust Google with my private information, primarily because it seems like they'd tend to take better care of it than I would. Done properly, Google obeys the spirit of the law where the letter of the law has not yet been written.
are handled by the resourcefulness of your people, because no platform is going to even come close to solving all of your problems.
Well, one intelligent comment at least.
I'm not sure I agree..
;-)
Thinking it over a bit, methinks you're right.
The idea of a corporation is to express the many inside as a singular outside. That is, the corporation's actions and rules are those of a singular it.
Poetic license also applies to prose, and might be used to connote something about the lack of cohesiveness that should be expected. "Their Own Rules" implies that Google has not (yet) got their act together. If they had, it would be "got its act together".
Or something
"Is someone (singular)" is just plain wrong for establishing the count.
Actually, when dealing with anything security related, anything automated is probably a bad idea, including any form of automating clickable URLs.
Cut&paste (and removing extraneous spaces) is not that much of a burden on the user. The idea of URLs in HTML is:
<A HREF="non-work-safe-site"> faked-work-safe-description </A>
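To make the point about misleading link text concrete, here is an added example (not code from the original comment or from any project): a small check that parses the anchors out of a piece of HTML and flags those whose visible text names a different site than the href actually points at. The sample markup and every hostname in it are constructed for illustration, and the "last two labels" domain comparison is a stated simplification in place of a Public Suffix List lookup.

```python
"""Flag HTML anchors whose visible text misleads about the destination.

Added example, not from the original comment thread. The sample HTML below is
constructed for illustration; the hostnames in it are hypothetical.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def _host(url: str) -> str:
    """Return the lowercased hostname of a URL, or '' if it has none."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 brackets
        return ""


def _registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough to compare bank.example against login.bank.example; a real
    deployment would consult the Public Suffix List instead (assumption).
    """
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list[dict]:
    """Return anchors whose text names a host that differs from the href host.

    Only anchors whose visible text looks like a URL or hostname are judged;
    descriptive text such as "click here" makes no claim about the destination.
    """
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not text or any(ch.isspace() for ch in text):
            continue  # prose, not a URL-looking string
        href_host = _host(href)
        # A bare hostname has no scheme; prepend one so urlparse sees a netloc.
        text_host = _host(text if "://" in text else "http://" + text)
        if not href_host or "." not in text_host:
            continue
        if _registrable(href_host) != _registrable(text_host):
            findings.append({"text": text, "href": href})
    return findings


# Constructed sample: one deceptive anchor, one honest one, one descriptive one.
SAMPLE_HTML = """
<p>Please <a href="http://secure-login.evil.example/">http://www.bank.example/login</a>
to confirm. Or visit <a href="https://www.bank.example/help">www.bank.example</a>
or just <a href="https://mailer.example/u/42">click here</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(f"visible text {finding['text']!r} actually points at {finding['href']}")
```

Run on the sample, only the first anchor is reported: its text claims www.bank.example while the href goes to secure-login.evil.example. The second anchor's text and href agree once the www label is ignored, and "click here" is skipped because it names no host at all.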
Just because a corporation consists of multiple people doesn't mean it's plural.
or singular.
There are TWO references to Google.
There is a difference in connotation between "Is Google breaking" and "Are Google breaking".
There is a difference in meaning between "its own rules" and "their own rules".
Presumably the meaning is best expressed by "Is Google Breaking Their Own Rules?" which translates into something like "Is someone (singular) at Google breaking rules established in general by others (plural) within Google?"
Using grammar to force the count of people setting the "Rules of Google" based on the count of people breaking said rules seems a bit farfetched.
Is there a grammatical equivalent of equivocation?
I've come to the conclusion that any civilization that can count one, two, three, many, and always gets it right, is very advanced indeed.
You can laugh or you can cry. Somehow laughing's better, or at least I thought so.
Anybody's attempts to make the "internet safe" are going to be fairly ineffective at best. In this situation, you are willing to go to a little bit of trouble to try to put a stop to it. The phishers and other malware creators are willing to go to a lot more trouble to ensure it keeps on coming.
There's a reason that Linux comes off as being much more secure than Microsoft Windows. Microsoft tries to reassure its users that everything is safe when there is no way that it can be. As Microsoft tightens things up, it just means that the malware producers will have to work a bit harder.
"But without JavaScript, verification will have to be done on the server instead of the client..."
Verification is done by something over which you do have control.
Other than fresh malware, you do not necessarily have control over the browser. The browser might be faking it, scripts and all.
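An added example of the principle in the reply above (not code from the original thread): a form handler that re-verifies every field on the server and re-prices the order from its own catalog, so that whatever the browser's JavaScript did or did not check is irrelevant to the outcome. The catalog, the limits and the two requests are constructed for illustration.

```python
"""Server-side re-verification of a form that the browser also 'validated'.

Added example, not code from the original thread. The catalog and the two
sample requests are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# What the server knows, independent of anything the browser claims.
CATALOG = {"widget": Decimal("19.99"), "gadget": Decimal("249.00")}
MAX_QTY = 10


@dataclass(frozen=True)
class Order:
    sku: str
    quantity: int
    total: Decimal


class Rejected(Exception):
    """Raised when a request fails server-side verification."""


def verify_order(form: dict) -> Order:
    """Validate untrusted form fields and price the order from CATALOG.

    Every field is re-checked here. Client-side JavaScript, if it even ran,
    is a convenience for the user, not a security control.
    """
    sku = str(form.get("sku", ""))
    if sku not in CATALOG:
        raise Rejected(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("quantity", ""))
    except (TypeError, ValueError):
        raise Rejected("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise Rejected(f"quantity {qty} out of range 1..{MAX_QTY}")

    # The price is never taken from the request: recompute it.
    total = CATALOG[sku] * qty
    claimed = form.get("total")
    if claimed is not None:
        try:
            claimed_total = Decimal(str(claimed))
        except InvalidOperation:
            raise Rejected(f"unparseable total {claimed!r}")
        if claimed_total != total:
            # A mismatch is evidence the client is not the page we served.
            raise Rejected(f"client claimed total {claimed}, server computes {total}")
    return Order(sku, qty, total)


def handle(form: dict) -> tuple[int, str]:
    """HTTP-ish wrapper: return (status, message) for a submitted form."""
    try:
        order = verify_order(form)
    except Rejected as err:
        return 400, str(err)
    return 200, f"ordered {order.quantity} x {order.sku} for {order.total}"


# Constructed requests: one honest, one with the browser-side checks bypassed.
HONEST = {"sku": "widget", "quantity": "2", "total": "39.98"}
TAMPERED = {"sku": "gadget", "quantity": "2", "total": "0.02"}

if __name__ == "__main__":
    for name, form in (("honest", HONEST), ("tampered", TAMPERED)):
        status, message = handle(form)
        print(f"{name}: {status} {message}")
```

The design point is that the server never uses the client-supplied total except as a tripwire: the authoritative price comes from the catalog, and a disagreement is logged as a rejected request rather than silently corrected, because a client that sends a wrong total is a client whose other fields deserve suspicion too.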
If I remember the terminology correctly, the one like a circle is a compact space while the one like a line is not a compact space.
A space is compact iff every open cover has a finite subcover.
A line can be made compact by adding (yes, adding!) one or two points.
But that breaks the relationship to real n-space which, although infinite, doesn't have any infinities.
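As an added illustration (not part of the original comment), the standard witness that the line is not compact, followed by the two compactifications mentioned:

Take the open cover $U_n = (-n, n)$, $n \in \mathbb{N}$. Then $\bigcup_{n} U_n = \mathbb{R}$, but any finite subfamily $U_{n_1}, \dots, U_{n_k}$ covers only $(-N, N)$ with $N = \max_i n_i$, which misses $N$ itself; so no finite subcover exists and $\mathbb{R}$ is not compact.

Adding one point gives $\mathbb{R} \cup \{\infty\} \cong S^1$ (stereographic projection sends the circle minus its north pole onto the line, and the pole to $\infty$); adding two points gives the extended line $[-\infty, +\infty] \cong [0, 1]$, compact by Heine-Borel. In both cases the added point is a genuine new element of the space, not a real number, which is exactly why the arithmetic of $\mathbb{R}^n$ does not survive the extension.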
these folks flame and flame well. Similar fireworks seem to be an important hallmark of a healthy project.
Good!
Otherwise they don't care or are not particularly interested.
Real progress seems to come from heated "discussions" not from some feel-good pablum.
I'm willing to bet that if such things continue, some entity, perhaps IBM, will put its foot down and use pressure to put maintenance of the kernel project under the jackboot of a truly dictatorial manager.
Not IBM if I'm right that IBM "gets it".
It's funny how petty squabbles between key developers could tear even what is now a major, corporation-funded project apart that millions of machines and companies depend on.
Balderdash. Some people enjoy a good argument. The louder the better.
Of course it's fun to imagine the average PHB stuck in the middle of one.
Closer to being left with no pants if there is a fatal flaw in either algorithm.
Combining is too much like Knuth's "Super-random" number generator. [p 4, Algorithm K, AOCP vol 2] "In fact, when this algorithm was first put onto a computer, it almost immediately converged to the 10-digit value 6065038420."
Add to that the tendency of the Chinese to take a long view of things. Sometimes measured in generations.
It's called Sturgeon's Law: 90% of everything is crap. Learn it, live by it, for it is correct and it applies equally to people.
In my experience, the 90% is pretty accurate.
10% matters and should be done well. Finding that 10% is hard.
90% is crap and while you can't get rid of it, it doesn't need to be done very well.
Methinks it's the group dynamics that mess with it. That's one of the problems with a monoculture.
Also, when you have to deal with it, it's not usually the intelligence you're having to deal with.
Smart people are completely capable of doing stupid things.
Then they call tech support.
No, people are intelligent. But they are intelligent according to their own definition of intelligent, not yours or mine.
"understand the problem domain" of computing infrastructure
That's not the problem domain the engineers are paid to understand.
Do you have any idea what it is that engineers do?
Now you've got some engineer earning six figures whose salary is being spent in playing with software instead of working on projects that earn revenue for the organization.
As opposed to that same engineer earning six figures who is effectively crippled because IT does not have the problem domain knowledge of the software which would aid said engineer's productivity.
Surely, if the software is considered valuable to productivity, it should be up to the organization to identify it, obtain it, and maintain it in a consistent and reliable manner.
Determined by whom? The engineers who understand the problem domain, or IT, who cannot recognize most of the vocabulary?