Slashdot Mirror


User: profplump

profplump's activity in the archive.

Comments · 1,869

  1. Sudo is not intended to provide "training wheels" on Common Traits of the Veteran Unix Admin · · Score: 1

    While I'm sure some people use sudo to help keep them from doing stupid things in a root shell, that's really not the main purpose. There are a whole slew of legitimate things you can do with sudo that have nothing to do with protecting the system from typos/etc.

    1. Allow multiple admins to each have their own "root" password -- no password sharing required.
    2. Avoid setting a root password, so it's impossible to get direct root access via password-authenticated
    3. Log every command run with elevated privileges for auditing purposes.
    4. Prevent (or at least make it harder) for someone to leave a root shell unattended. sudo requires re-authentication on whatever interval you desire; a root shell has no such feature
    5. Reduce the amount of typing required to run a single command with elevated privileges
    6. Allow non-admin users (including non-root daemons) to run specific commands with elevated privileges -- for example, allow users to edit their own config files without admin assistance and without granting them access to all config files.
    7. Allow certain commands to be run with elevated privileges without a password prompt based on group membership/etc. For example, allow anyone in the "print_admin" group to run `killall -1 lpd` without further authentication. It's not a command you want anyone running willy-nilly, but it's not dangerous enough to require re-authentication of the session either.

    And I'm sure there's a whole slew of other reasons to use sudo. That's not to say a root shell isn't still a useful tool in some scenarios -- if you're going to do a series of high-privilege tasks and you're not worried about strict audit trails a root shell makes sense. But you could still get there with a non-shared password if you used sudo for privilege elevation rather than `su`.
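
An added sudoers sketch (not part of the original comment) showing how several of the uses listed above are expressed in configuration; the numbers in the comments refer to the list items. The user names, the `webdevs` group, the `backupd` account, the file paths and the location of `killall` are assumptions; only the `print_admin` group and the `killall -1 lpd` command come from the comment.

```sudoers
# /etc/sudoers.d/example -- constructed example, not from the original comment.

# (4) Re-authenticate after 5 minutes without a sudo command.
#     The value is in minutes; 0 prompts every time.
Defaults timestamp_timeout=5

# (3) Record every sudo invocation in a dedicated file in addition to syslog.
Defaults logfile="/var/log/sudo.log"

# (1) Each admin elevates with their own password, so nothing is shared.
#     alice and bob are hypothetical accounts.
# (2) is done outside sudoers, for example by locking the root account
#     with `passwd -l root`.
User_Alias ADMINS = alice, bob
ADMINS ALL = (ALL) ALL

# (6) Members of a non-admin group may edit exactly one config file.
#     sudoedit runs the editor as the invoking user, not as root.
#     Group name and path are hypothetical.
%webdevs ALL = (root) sudoedit /etc/httpd/conf.d/webdevs.conf

# (6) A non-root daemon account may run one specific helper unattended.
#     Account name and helper path are hypothetical.
backupd ALL = (root) NOPASSWD: /usr/local/sbin/snapshot-volume

# (7) print_admin members may signal lpd without a password prompt.
#     Because the arguments are spelled out, only this exact command
#     line matches; the killall path is an assumption.
%print_admin ALL = (root) NOPASSWD: /usr/bin/killall -1 lpd
```

A fragment like this can be syntax-checked with `visudo -cf <file>` before it is installed.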

  2. Re:Makes me glad I quit Windows years ago on Looking Back At Microsoft's Rocky History In Storage Tech · · Score: 1

    Group Policy is useful in that it's standard. There's a lot of value in that, particularly in finding new people already familiar with it. And it addresses one of the key management problems with Windows -- the registry -- which is good because before AD it was nigh on impossible to deal with that mess.

    But you can't honestly believe both that it's "more standard" and "more flexible" at the same time. Those goals are mutually exclusive. It might be flexible enough for your purposes, or even for most anyone's purposes, but it's certainly not more flexible than a custom script.

    Also, you can say things like "no package...works on...multiple major distributions" and expect anyone to take you seriously. There is no such tool for Windows either -- AD is only available on the MS Windows distribution and no other system supports it at all. However, if you limit yourself to a single OS like you did for Windows there are in fact standard OS management tools built-in that can do many if not all of the things you want, and people with training and experience that know how to run them before they've ever seen your systems. All the "major distributions" now have very standard, config-driven systems and like Windows try very hard to keep you from modifying the underlying scripts directly.

    / Which drives me nuts -- it's good for configuration management but bad for actual configuration

  3. Re:Makes me glad I quit Windows years ago on Looking Back At Microsoft's Rocky History In Storage Tech · · Score: 1

    AD is useful, as you note, insofar as it's standardized so you can learn about it on any system. And the distribution method is pretty reasonable; it's not that complicated and MS doesn't do anything terribly stupid to muck it up. It's not a bad system, and given that MS doesn't have a /etc folder that I can easily sync among systems it's a huge improvement over other options.

    But being a GUI is not a benefit, at least not in the way you describe. I think it's worth having a GUI -- having a GUI provides a lower barrier to entry and can help teach you how things work. It's just that I think the GUI should output a text file (or some equivalent human-readable config in a database if that's your preferred distribution method).

    Given the chance of a typo versus missing a checkbox somewhere in the hundreds of hierarchal screens in the policy manager, I'll take the text config file any day. And that's not even considering things like copying bits of a configuration among systems, which is clearly much easier with copy-and-paste than with GUI data entry.

  4. Re:Is the hobbyist market _that_ significant? on Why the Arduino Won and Why It's Here To Stay · · Score: 1

    But if you can get 100k developers writing for Arduino you have 100k developers that are 97% familiar with Atmel AVR, which is great for Atmel. It's like giving out discounted academic licenses for pricey software programs.

  5. Re:Texas Budget Deficit on Amazon Pulling Out of Texas Over $269 Million Tax Bill · · Score: 1

    And who is going to file the individual tax returns for each state, with a frequency between annual and weekly depending on state-specific rules and your estimated or previous sales in the state, some of them requiring electronic filing and the related account setup, etc. And what if I don't ship a physical good -- do I still have to collect their address just to pay taxes on their behalf? What if they order in-store, pay online, and I don't ship anything -- what tax rate applies? Can't we just make people responsible for paying their own taxes, as is already required by law, rather than making every business in the country file dozens of tax returns?

  6. Re:Relies on Jailbreaking on iPhone Attack Reveals Passwords In Six Minutes · · Score: 1

    If you use the "Master Password" feature there is a system-level Keychain that contains the FileVault disk keys. Otherwise the two are unrelated; a user's Keychain file is actually inside the FileVault.

    On OS X systems the Keychain API/etc. is more or less the same as on iOS but a user's Keychain encryption is based on the user's login password (or if different, the keychain password), so this same attack isn't feasible (unless you do something dumb like turn on auto-login and don't set a separate keychain password). The iPhone instead uses a system similar to the system-level Keychain on OS X -- there's some machine-specific data that's used as a key to prevent trivial opening of the file, but anyone with access to the original host can get that same data.

    The solution to it is pretty simple -- require a password when the phone is booted -- but many people won't go for that. Apple could at least *allow* a Keychain password though.

  7. Re:there once was a time on MPAA Threatens To Disconnect Google From Internet · · Score: 1

    It's perfectly possible to recreate the same field-of-vision of a typical IMAX screen at home. All you need is a half-decent projector, something to project on, and 4 seconds of math to find out how far away you should sit. It's not even ridiculously expensive -- if you're not concerned about brightness you can get a 1080p projector for a couple of grand. And a 1080x1920 projector is not a whole lot less resolution than the 2k horizontal resolution offered in most theaters (including those that use IMAX film prints, as virtually all big-budget films are scanned at 2k). And with a projector you don't even have to dedicate a room to the thing -- mount it on the wall, roll up the screen when you're not using it, and you can do this in your dining room.

    There are reasons to go to the theater, but "better technical experience than home" is quickly becoming irrelevant. Yes, not everyone wants to spend money on a high-quality home theater rig. But most of those people also wouldn't spend more for a ticket at a high-quality conventional cinema either, and likely wouldn't be bothered by the smaller size or lower technical quality of a cheaper home rig in the first place.

  8. Re:Cowardice rises to the next level. on Robot Jet Fighter Takes First Flight · · Score: 2

    Nations have been taking foreign loans to go to war since before man invented the gun. And the USA wouldn't exist if the rebels here didn't get massive military and financial assistance from France, Netherlands, etc. during the revolutionary war.

    If automation in warfare leads to cowardice shouldn't you also be railing against the machine gun? Real, brave warriors should have to load their musket one bullet at a time. Or maybe guns themselves are a sign of cowardice -- real men wouldn't attack from a distance. Or maybe any sort of weapon induces cowardice -- no true Scotsman would ever consider going to war with anything other than his wits and his fists.

    Seriously, get some perspective before you start spewing inflammatory words like "cowardice" in public.

  9. Re:Milking it on Apple eBook Rules Changing For Sellers · · Score: 1

    Or Amazon could just remove the "Buy Stuff" button from their app, let people browse to amazon.com to buy things, and forget about the whole thing.

    Apple isn't forcing everyone with a web page to give up 30% for any purchase from an iPad. They're only forcing that on people who want to sell things from their iPad apps. If Amazon simply decouples their viewer from the ability to purchase books the problem goes away.

    I'm not saying I agree with Apple's choice here, but the situation isn't nearly as dire as it's being made out to be.

  10. Re:/. News Network on Do Tools Ever 'Die?' · · Score: 1

    For the people who can get over the fact that each technology has advantages, it frequently turns out that the technical aspects of the transfer/mastering process make a bigger difference than anything else. Here's one example where a series of CD/SACD/LP sets of the same album are compared:
    http://www.polkaudio.com/forums/showthread.php?p=885485

  11. Re:Where we should have been years ago already on China Starts Molten Salt Nuclear Reactor Project · · Score: 5, Insightful

    Well that and the conflation of defense-industry nuclear materials production with energy production -- thorium reactors are almost certainly better for generating power, but they don't help you build nuclear bombs, so they get less funding (or at least they have historically).

  12. Re:encryption on Polynomial Time Code For 3-SAT Released, P==NP · · Score: 1

    The constants still have to be pretty big though. Let's say you're willing to spend 1 whole minute of your desktop CPU time to encrypt each HTTPS transaction with your bank. Even if it takes 100,000 times longer to decrypt it, that's still only 70 CPU-days. Assuming the task can be divided to multiple processing units someone with access to even a moderate amount of computational units could have your password in under a day.

    And that's with you waiting a full minute for each new connection, which is much more than is practical for everyday use.

  13. Re:I keep seeing... on Australia Mandates Microsoft's Office Open XML · · Score: 1

    "Better" is pretty subjective though. There are lots of better text editors, better page layout programs, better structured document systems, etc. MS Word takes a jack-of-all-trades approach that necessarily leads to poor mastery in any particular area. Some people are willing to make the tradeoff to only use a single program, but that's often not the "better" choice. Minivans are by far the most versatile vehicle for many people, but many people dismiss them unless they really need a car that can do it all.

    Where MS Office really shines is at being pre-installed and built into the "base" computer price. And even ignoring the hidden costs, the pre-installed bit by itself can be a problem -- when MS tried to sell Works to home users, for example, there were all sorts of problems with Works vs. Word compatibility.

  14. Re:Dock Connector on HiJacking the iPhone's Headset Port · · Score: 1

    It's not that no one knows how to use the dock connector, it's that Apple has a patent on the actual connector itself, so you can't sell a product that uses the dock connector without paying Apple royalties.

    For your own use it's possible to buy a $4 30-pin connector and wire it up to whatever you want:
    http://www.allpinouts.org/index.php/Apple_iPod,_iPad_and_iPhone_dock

    So I have to assume the summary is talking about commercial third-party iPod accessory development rather than personal-use hacking, though they could certainly have been more clear if that's their intent.

  15. Re:Yay on Major Sites To Join ‘World IPv6 Day’ · · Score: 2

    What makes you think the firewall for grandmother won't come pre-configured with exactly the same unidirectional, stateful firewall provided by NAT boxes? Why do you think she'd have to set up ACLs?

    Also, how badly do you have to muck up your ACL to get the "all traffic gets through" configuration? Is "deny by default" the status quo for any firewall?

  16. Re:Pretty soon... on Google To Drop Support For H.264 In Chrome · · Score: 2

    Patents cover use in addition to distribution/etc. If you built a copy of a patented washing machine motor and used it in your own home purely for entertainment purposes, you'd still be in violation of the patent. It would be difficult to detect that you'd done such a thing, but it's a violation nonetheless.

  17. Re:Btrfs on Linux 2.6.37 Released · · Score: 2

    You could just turn on LVM, which has been stable (and even the stock config in some distros) for years now and gives you dynamic volume allocation, data striping and snapshots with any filesystem. There are reasons to like ZFS/btrfs/etc., but the things you're asking for are easily available with much older, better-supported, better-documented solutions.

  18. Re:Developers on Thin Client, Or Fat Client? That Is the Question · · Score: 1

    Though it does make it a lot easier to give your developers access to high-speed disks and a 16-core machine, so long as they don't all want those 16 cores at the same time.

  19. Caught, but not prevented on London Police Credit CCTV Cameras With Six Solved Crimes Per Day · · Score: 2

    Of course installing cameras helps in identification and prosecution of criminals. What these statistics don't mention is that the overall crime rate is more or less unchanged before/after the cameras. I'm all for prosecuting criminals, but these statistics are selected to make it seem like the cameras improve safety or reduce the cost of crime, and neither of those things is true -- this is an attempt to reframe the discussion from "cameras keep us safe", which they clearly don't, to "cameras catch criminals", which is true but not what was promised.

  20. Re:Think of the farmers! on FCC Chair Seeks Comcast-NBC Merger Conditions · · Score: 1

    I don't think _you_ understand what vertical integration is. Anytime you combine steps in the value chain of a single product/service that is vertical integration; combining production and distribution in farming is the very definition of vertical integration, and it's literally the same set of steps being combined in an NBC/Comcast merger -- NBC controls production and Comcast controls distribution.

  21. Re:From where to where with what? on Is Net Neutrality Really Needed? · · Score: 1

    You're confusing the issue. If there's an expensive link or a bandwidth-constrained link net neutrality would not prevent the link owner from charging for use of the link or to upgrade the link. The current Internet is already based on your "toll roads" plan. Net neutrality would simply prevent the toll road operators from charging one content provider more than another based on their name. I seriously doubt you'd put up with a toll bridge that charged people named sgt101 twice the toll as everyone else.

  22. Not currently "free from regulation" on Is Net Neutrality Really Needed? · · Score: 1

    The Internet is not currently "free from regulation" so I don't see how avoiding net neutrality would "keep" us from anything.

    If there were 14 ISPs that serviced my home I wouldn't give a rat's ass about net neutrality. But there are only 2, as a direct result of governmental regulation about who can run wires to me, and I'm relatively lucky to have that "choice". Anyone claiming that net neutrality is adding regulation to an otherwise wide-open system is either uninformed or trolling.

  23. Re:In what subject though? on Oregon To Let Students Use Spell Check on State Exams · · Score: 1

    As we're all aware, the skills one needs to succeed in society are completely static. Therefore, any attempt to remove "obsolete" skills from an educational program is clearly nothing more than an attempt to lower standards. And all these new skills they're teaching are useless anyway; if something needs to be removed it can be those silly things like "typing" and "operating a computer".

  24. Re:Get off my lawn... on Oregon To Let Students Use Spell Check on State Exams · · Score: 1

    Mostly the point is old people can't imagine a world where the tools they consider essential are obsolete. But instead of dealing with that fact they throw up some strawman about how we can't lose this vital skill. The appropriate response is typically to ask if they had to learn to ride a horse before driving a car back in the 1900s.

  25. Re:what? on Database of Private SSL Keys Published · · Score: 1

    Currently your browser will happily let you send your password with no certificate. I don't see how an unauthenticated certificate could possibly be *worse* than that scenario. At least with a certificate only one attacker could see your credentials, and they'd have to be actively participating in the attack. You'd at least be protected from the passive attackers that could otherwise read your data.

    Plus "self-signed" is not the same as "unauthenticated". All CA keys are necessarily self-signed, including the dozens you have installed in your browser right now. Your bank could simply provide you their certificate out-of-band and you'd have better authentication than would ever be possible with the traditional trusted-third-party approach.