The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.
Exactly. Whoever has the program can do with it whatever they want, except that ALL RESPONSIBILITY now passes to whoever is selling or redistributing the software. That's why I can copy Red Hat Linux and call it Pink Bow Tie Linux but get into trouble if I attempt to give proper attribution for the stuff I copied.
Real "Open Source" is SOURCE not LICENSE.
Open Source has nothing to do with giving anything away for free.
GNU is Open Source. Not all Open Source is GNU. Some Open Source is not GNU. GNU is one of several Open Source licenses.
GNU insists that whoever has the program has essentially the same rights as for a work for hire, except that these rights keep passing on.
Whose clear unified vision?
Imagine the perfect meal.
Now eat that, and only that for the rest of your life.
There is such a thing as too much diversity, but somehow too much diversity seems a lot safer than too little diversity.
I can't see how it's the software's problem that the OS has an uneasily understood security model
It's the software's problem, then it's the user's problem, then it's the company's problem, then it's everybody's problem. Attributing blame to the front end does not stop the effects.
either you have privilege, or you don't, end of story
A bit is on or off, end of story.
does Microsoft offer clustered gopher holes?
And bitchin' about it on Slashdot really helps solve their security problems doesn't it? "Look everybody, MS has another security problem let's laugh at them (again)."
MS bugs - expected
What to do about them - not so expected.
Whatever makes you think it's the Linux guys constantly pointing and laughing. The only thing that has a chance of causing the holes to be fixed is ridicule. Long, persistent, and annoying ridicule. The image of Microsoft's gopher holes is too good to pass up.
It's also a lot cheaper than having a random user error hose a production system.
Another lesson that this new coalition should learn is humility. I would hope after the "Unbreakable" campaign Oracle launched, and the blowback it received, that they'd take the time to tone down their attitude and ensure they're somewhere near as unbreakable as they'd like to think.
Gotta disagree. Granted it is more hype than expectation, but they've made a very clear statement of intention. I'd much rather see fireworks with no real damage done than "Well what do you expect?". The lesson to be learned from OpenBSD is to get your priorities straight.
I find it hard to believe that it just doesn't occur to people to poke around.
In a stranger's kitchen, get a glass and a drink of water.
It can be easy or psychologically impossible, depending.
Fear of hitting the wrong button can come close to producing panic.
What will your data gopher?
Where will your data gopher today?
The company I work for is huge ($billions in assets, thousands of employees) and there are support contracts which complicate matters immensely.
The question is whose neck is on the chopping block when (unless you believe there is no one both evil and intelligent in the world) something actually damaging hits. Remember Melissa? Melissa was nice.
This is fine and good, but could we please stop this needless bashing of MS? There are better places for security information than Slashdot.
Like Microsoft.com?
Search for gopher gives:
"Error Message: Microsoft Gopher Publishing Service is running. Do you want to stop the service? User Action: If you are troubleshooting or modifying the configuration parameters in the Gopher Service, click Yes. Otherwise, click No."
After about 3 days, a search for Code Red finally gave results.
The breaking security information is long dead on /. before Microsoft finally wakes up.
Perhaps show just a hint of optimism instead of negativity all the time.
Like you really expect the virus and worm writers to get dumber with time ???
I send you this sig to have your advice.
There's ALWAYS a way.
I must admit, I find Slashdot more useful for supporting my Windows users than my Linux users. For Windows, we get up-to-the-minute bug alerts - sometimes faster than the mailing list I'm on (non-MS), for Linux we get... point oh minor build releases of kernels.
Linux (or any other *nix for that matter) will be much the same tomorrow as yesterday. No "news".
Microsoft Windows is subject to the "Bug of the Month" syndrome (week? day??). News. Some of it matters. Whenever the "Big One" hits, Slashdot will most likely be the only competent resource for dealing with it.
Why do you think Microsoft keeps spreading the myth about UNIX requiring expensive trained administrators? Set it up half-way decently and ignore it works for *nix, doesn't really work for Microsoft products. Further, *nix systems tend to be "informative" about what is going on. Microsoft systems tend to hide useful information. Slashdot is maybe the only source of unbiased information about Microsoft products. (Yeah, I know there's bias.)
The Hidden Crack -- (1) The longer a cracker has between when he discovers a security flaw and when he acts on that flaw, the more devastating his attack is likely to be. (2) If his flaw is uncovered by someone else, his attack is, in part, thwarted. (3) The likelihood of an un-exploited crack being detected, much less repaired, in a M$ product is near zero. They don't act until the problem is very obvious, thus the damage done. (4) The likelihood of an un-exploited crack in an Open Source product being detected and repaired is reasonably high. (5) Thus the likelihood of a significant flaw being discovered by a "terrorist", and lying dormant long enough for him to arrange to exploit it, is much higher for a M$ hidden system than for an Open system.
Further.
If I discover the tip of a crack in an Open Source product, with minimal personal risk, skill, and effort I can "score points" by helping to close it and its kindred. If I discover the tip of a crack in a Closed Source product, it's too much like opening a can of worms to attempt to do anything "constructive". I doubt that I'm the only one who feels this way.
Nobody ever got fired for buying IBM.
The old quote is becoming true again.
In other words, Windows is SO insecure that running it on a dual-boot Win/Lin machine opens a hole to infect the Linux partition.
That's cruel.
It is a big deal. This is from a different angle.
Red Hat Professional Server. 6.2, 7.0, 7.1, 7.2, 7.3. Never really got past the first 2 (now 3) CD's. I've never used Red Hat's installation support. Other than downloading updates, often from mirrors, I've pretty much ignored RedHat.com. For what I'm doing it doesn't even make much difference which version I'm using. I am NOT being taken advantage of. If anything, I'm taking advantage of Red Hat and the various people that download it for free. In addition to third party software, bugs in edge and corner cases tend to show up in the fringes rather than the mainline. Bluntly, if you download Red Hat for free, it makes the Red Hat I pay for more valuable because you will run into and fix problems before I encounter them.
kill or modify the anti-virus programs (including modifying it so it SPREADS the virus)
THAT'S the one to worry about.
Grabbing source and make installing it is about the same as grabbing a binary, as far as security goes. You just don't know what's in there.
True for round one. Most everybody.
Round two. There's always somebody that's gotta do things differently, and the nasty runs into some kind of incompatibility. A few paranoid souls run diff on previous versions. Any hint of something nasty and the nasty gets a swarm of unwanted attention.
Round three. However it happened, somebody is gonna make pretty damn sure it doesn't happen again, kinda embarrassing.
find / -type f -user 0 -perm +4000
Right! If you're concerned about security, all you need to do is run a command you got off of Slashdot as root!
Sure, why not? Much safer than drinking from a "pure" mountain stream. Easier than man find and figuring out the parameters. If there's anything wrong or fishy about the line, there are far too many /.ers who will not pass the opportunity to jump on it. Actually safer than something from a proofread book.
Suid root files in strange places means you've been cracked.
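An added example (not part of the original thread) built on the find command quoted above: it lists setuid files owned by root and prints only those outside the directories where such binaries normally live. Current GNU find rejects the old `-perm +4000` spelling, so the portable `-perm -4000` is used; the directory allowlist and the function names are assumptions to adjust per system.

```shell
#!/bin/sh
# Added example: audit setuid files and flag the ones in unexpected places.

# Assumed allowlist of directories where setuid-root binaries are expected.
# Adjust for your distribution before relying on the result.
EXPECTED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"

# list_suid ROOT [UID]
# Print regular files under ROOT owned by UID (default 0) with the setuid bit.
# "-perm -4000" means "all of these bits set" and works in POSIX find.
list_suid() {
    find "$1" -type f -user "${2:-0}" -perm -4000 2>/dev/null
}

# flag_unexpected
# Read one path per line on stdin; print those not under an allowlisted dir.
flag_unexpected() {
    while IFS= read -r path; do
        ok=0
        for dir in $EXPECTED_DIRS; do
            case "$path" in
                "$dir"/*) ok=1; break ;;
            esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$path"
    done
}

# Typical use, run as root so every directory is readable:
#   list_suid / | flag_unexpected
# Anything printed deserves a look: compare it against the package database
# and a known-good baseline before concluding the host is compromised.
```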
It's your data, and you are dependent on some company staying in business and continuing to support their format?
And you think crusty old COBOL programs are bad.
That's actually the reason that big business is getting more and more interested in Open Source. Any data stored in a proprietary format is a ticking time bomb. Expect Star Office to take off and become dominant. If Sun can't or won't do whatever with Star Office, there's always Open Office which WILL be file compatible and documented, source if nothing else. I like cheap insurance on critical resources.
Most of the costs are handling the ore, whether or not it contains gold.
They increased operating costs about 50% and increased production of gold by almost a factor of 10.
"But in digging deeper it becomes clear that there is a misunderstanding of the term "Open Source" in this application of it."
No, I think they get it. Not just piddling stuff like Operating Systems and browsers. Open Source is not for the benefit of the IT industry. It's for all the suffering bastards that have to use the stuff.
Microsoft, not content with just SOFTWARE security holes, has now moved on to HARDWARE security holes.