but the intended recipient still understands the message then who cares?
Everybody should care because the intended recipient may not be the only recipient as a matter gets discussed. My emails get forwarded and (b)cc:'d to others all the time and I receive similar correspondence every day. Concise, understandable emails mean I don't have to repeat myself.
They also stand the test of time. Ever have an email come up a few months or a year later and have to address it? Something well composed is easier to explain than a choppy stream of consciousness.
Sure, it's only 20 seconds, but the only point in editing your message is to conform to implied social norms - an objective that has nothing to do with getting the job done. Thankfully those silly social norms have not yet been applied to emails.
This shows such a lack of business savvy and professionalism it is actually depressing. You can't even invest half a minute into reviewing your work and making sure it's presentable because in your limited view it has nothing to do with your actual job. The simple fact is that in any organization you don't exist in a vacuum and being able to effectively communicate is a primary job function not some "silly social norm." Save those anarchist tendencies for IRC and /. Whether it is "fair" or not, in a business environment consistently poor writing is going to get you labeled as stupid and inept. The big problem with this is the judgement will many times come from upper management due to the simple fact that your email is the primary work product they see.
Soft skills count and as the job market gets tighter those skills will be the ones that differentiate you from the rest of the pack. It is actually called reality and not "silly social norm."
You may not be able to install immediately if the SP breaks a production app but nowadays with all the regulatory compliance issues companies face this becomes a nice club to use in forcing the vendor to clean up their broken crap.
It's also a good time to look into your SLAs and get them in order. Make sure to provide a provision that the vendor has to start taking security into consideration. Have them justify why their app needs administrator privs because *I* have to justify it to my auditor. Don't let them off the hook if you can't patch. If viable, withhold payments. Communicate with peers about the level of service the vendor provides (I don't know about small businesses but in medium to large organizations it is surprising how much weight decision makers put into these informal discussions.)
And I don't remember seeing them mention that WindowMaker has a new version out after ~2 years and only after a search did I find the article for 0.90.0 being released. A whopping 55 posts so it obviously didn't make the frontpage.
Checked and it seems 0.91.0 is available in the FreeBSD ports. I intend on upgrading in a couple of weeks when I have the time.
As if they don't already do this. I remember seeing a show talking about the original Gulf War when Bush Sr. was pres. IIRC, they would find the enemy and drop leaflets saying "We're going to bomb this position at Go home." And lo and behold the Iraqi troops went to a safe position and we'd drop a daisy-cutter on where they were. Next day same thing. "We're going to bomb you at this time. Go home." And well right as rain they'd get some shelter and we would drop a daisy-cutter.
Third day, we sent them a leaflet basically saying "Playtime is over. We aren't telling you when we'll drop the next bomb. Go home." According to the show that last leaflet was extremely persuasive.
No. It's activism. A lot of people communicated their concerns to those companies and a majority of them have had their *decision makers* open a dialog with Theo and we are now getting results. Does it go as far as you personally want? Obviously not. But at least it's progress instead of the "suck it up and accept being inconvenienced" that you espouse. Even RMS compromises. Look at how parts of Ogg Vorbis got relicensed to promote adoption of the standard.
And just out of curiosity what totally free hardware are you using to post to /.? Video Card? Probably not. That's still talk. NIC? I ain't seeing much; maybe I should make that an Ask /. question. Soundcard? What about your printer? Just how much are you sacrificing to be truly free? For the OBSD community it was some time to write a thoughtful letter to get the ball rolling. Today we now have some easily distributable firmware for desired hardware. We'll see what tomorrow brings.
The issue isn't the driver. The driver already exists. It's already open. If you had bothered to get an understanding of the issue you'd realize the problem is the firmware for the device. These companies, in an effort to save money, don't put the firmware directly on the card. They have the driver load it. If the vendor hadn't gone the cheap route this issue wouldn't exist because the firmware would be directly on the card and the free driver would just work.
What Theo and the community want is the right to distribute the firmware with the driver so it works right out of the install. There isn't anything wrong with this.
If the guy was that close to retirement he should have had the brains to not rock the boat and run some random program on the network! 2 years and he bails with all his benefits but nooooooooooooooo he has to help find E.T.
Come on, be honest, this is the career equivalent of a Darwin Award.
Yes, it matters. I can proxy a web browser. I can filter content. I can disable or modify features. I can use AV and anti-spyware software installed on both workstations and servers. I can choose to be aggressive with patching the browser. I can deploy IDS or IDP devices on the network. I can deploy personal firewalls.
And the reason I can do all of these things is because I'm aware that the browser is in place and I have an understanding of what role it plays on my network. I can assess the risk and determine not only if I accept it but how much effort I want to expend in mitigating it. I can't do that with some random program surreptitiously inserted onto a server.
There is a difference between installing an approved program that has known, but accepted, security risks (along with compensating controls) and installing an unknown, unapproved and undocumented (network/server documentation that is) program.
If I may retort.... 1-Publicly insulting someone without any reason was unacceptable.
My ass. Hayes was polite. Smith imnsho was a frickin' tool. Your insinuation that the comments had no reason behind them is revisionist bunk.
2-Tom Hayes is a public servant and it makes his act much more critical because he receives his pay from taxpayers.
Hayes told it like it was. Smith was on the government dole and committed a grievous security violation. A harsh opinion doesn't cost the taxpayers jack. Incompetence does.
3-Charles E. Smith is 63 and I think that we should have much more respect for our seniors.
Respect is earned. The only thing seniority gets you is the benefit of the doubt. Smith removed all doubt when he did what he did.
4-I support the SETI project as do many other millions of people, and because Tom Hayes has a lack of culture, education and sight, that doesn't give him the right to insult his ex-employee and at the same time all supporters of the SETI project.
Hayes took the situation and gave his opinion in a quotable snip. Again, blame Smith.
5-They should have given Charles E. Smith a warning; it's not as if he did something with malign intentions. Installing Internet Explorer is probably much more dangerous than installing SETI@home.
What was installed isn't the issue. Already posted on this. Smith abused the authority and trust provided him and changed a production server behind people's backs and without approval. If that happened in my company the auditors would have a field day. Everybody talks about how incompetent government is but when they finally walk the walk and it affects someone trying to "help" find E.T. it's back to being the bad guy. Sometimes I guess you can't win.
6-Tom Hayes should be sacked for his lack of judgement.
Hayes should be applauded. They should get a picture of him with an appropriate LART and make posters with the caption "Only YOU can prevent network security breaches." It is simply asinine to blame the messenger and completely overlook Smith's misdeeds. Again this is completely revisionist and shows an utter lack of understanding on how to run an IT department in the real world.
Totally agree with you but I have to nitpick and say "Server." That bears repeating. A server.
The guy installed an unapproved program onto a production server without approval and bypassing change control. What happens if his little stunt had brought the server down or worse yet the network down and had cost people in Ohio tax dollars? What if the program had allowed a breach that let confidential information out?
The retort that "It was just the SETI client" isn't the issue. Smith's complete violation of process and gross misjudgement is the matter at hand.
This reminds me of one 'tard at work who decided that he was going to install MS Works on a server so he could write his school papers. Didn't matter that the idiot was provided a workstation with the latest version of Office at the time. To make matters worse he installs the x86 binaries on the NT Alpha machine we have. So here I catch him sitting at the server merrily doing his homework and of course I have to make a shift report saying that the server has unapproved software on it after telling him to get off the box and stay away from it. He was lucky it happened back then rather than now. With SOX and all the auditing we have to do now he would have been fired on the spot. Smith reminds me of this guy and I have no sympathy for either.
Look, you can't have it both ways. Either the industry can file suit against the P2P networks hosting the infringement or they can go after those who are actually abusing the network. Now the ??AAs out there would love to sue the networks because it 1) gets to shut down a lot of people at once and 2) they don't have to worry about a PR backlash since it is litigation against another company. But, if you're willing to accept the argument that P2P has legitimate uses, it's better that the media companies go after the individual. It forces the likes of the RIAA to justify their claims that they are being ruined because a 12 year old shares some pop dreck over the Internet and that the millions they claim in damages are just.
And whatever happened to the old /. argument that if the individuals are abusing the system they are the ones who should be sued not the company providing the service? Talk about flip-flop.
Or the software requires administrator rights to run....
Let's see, other situations I've run across where the networking crew had to compensate. Patch breaks application. Antivirus software slows down PC to unusable level. User can't do something so supervisor gives him someone else's login. Users share someone's account. No budget for needed control. Trojan is out on the Internet but there is no signature update for your AV software and user clicks the attachment. I'm sure others have a lot more situations they could mention.
The hardest part is usually none of these happen in a vacuum. They may be interrelated or one may spin off from another. For instance, you implement Control X which inconveniences a number of users. They want the control relaxed, preferably off, and when you explain that you can't do it immediately they say they'll work around it by doing security breach Y which is much worse than the risk you originally meant to address. Now Y (e.g. the group is going to share all their passwords and put them on a sticky note) isn't something you can easily control through technology. It comes down to working with the users and getting them to work with the new way of doing things.
Any successful security initiative is going to have user buy-in.
Even if all you're getting is a base image to install additional software on it's usually worth it imho. My experience with images is they usually take a quarter of the time a Windows install takes. MTTR is as important as MTBF.
Whose fault is the .com bubble anyway? A bunch of investors tried to rewrite 200 years of economic theory just because companies were doing business on the Internet. You got a company with a stock ticker of LNUX and investors were willing to jack the price up so high that it would take decades before they ever saw a return. And instead of looking at the actual product the company was pushing out and valuing a company on that we were told that "eyeballs" was the new metric. The worst thing is everybody bought it.
The only way any president could have corrected that fiasco would have been to lart the financial analysts with a clue-by-four on national TV. This wasn't a Republican thing or a Democrat thing. It was a Wall Street is stupid and greedy thing.
Of course, anyone who questions the quality of an OSS project must be "making it up", as we all know OSS projects are above reproach!
No you made an assertion and didn't back it up with a link. The parent *nicely* asked you for one and now you're acting like being questioned wounded you. Welcome to the Internet. You must be new here.
Thanks for providing the link. Thanks evilNomad for being civil about it. But seriously, next time when you see the smiley just remember that it doesn't mean "with both guns blazing."
... which is exactly why a backgrounder that shows it isn't hard would have been a darned good idea.
Go back to the declaration and examine the man's credentials. IBM didn't just get an authority on comparing code they got *the* authority. Prof Davis understands the technologies used, he understands the methodologies to follow, he has previous experience in doing code comparisons for trials.
And in his declaration Prof Davis details the process he used to take the code SCO says is offending and prove that it is not. Btw, what code is he going to pull to determine a positive? One person has mentioned the various BSD codebases but come on they aren't relevant. OpenBSD isn't purloining NetBSD code and trying to maintain it's theirs. The BSD license allows others to take it so there isn't a need to obfuscate it. And I don't think Prof Davis is going to be able to go back and get proprietary code from another case to run through and provide this proof.
Then you get into the issue that providing a test case opens up another line of inquiry for SCO to attack from. "So, you're saying this method of obfuscation will be detected. But that's not the type of thing we're saying has been done here. Will your software detect this?" It is simply better that Prof Davis details why he is competent to provide expert testimony and fall back on his reputation and practical experience. He's an expert, he's looked over the tools and found them to be fit for the job at hand. The burden is now on SCO to show that those tools are not fit.
And SCO can't just spew rhetoric to get the PSJ dismissed. There has to be something that can be pursued and then taken to the jury. The bar is a little higher than casting doubt. And so far what they've been tossing out has been shredded. Note the comment made by Prof Davis re: the code Gupta says is possibly infringing:
... I compared the lines of Linux code identified by Mr. Gupta with the specific lines of System V 4.2 ES-MP code that Mr. Gupta claims matches the Linux code. As is obvious upon review
(and may be obvious even to a non-technical reviewer), the Linux code cited by Mr. Gupta does not contain any of, and is not in any way similar to, the Unix code that he cites. The code is entirely different. In my opinion, therefore, the code cited by Mr. Gupta for ipc/util.c and kernel/futex.c cannot be considered modifications or derivative works of Unix System V. <emphasis mine>
Now that's a pimp slap if I ever saw one. And remember, this is an expert dismantling a declaration submitted as personal opinion. I don't think providing proof of a positive result with the software used is going to substantially add anything to the declaration.
This is an opportunity not a setback folks.
Huh, news to me. Didn't even know it existed.
This is why we don't make /. weapons.
Wrong article, wrong state, wrong event. It's related to the topic on hand but it's not the same.
IHBT HAND
The spam filtering issue they discuss isn't a minor UI "niggle."
That's my opinion and I'm sticking to it.
And for the vendor apps which are written for Windows only??
You're such a kidder :)
It's a Flash site. Works fine in FireFox if you have the plug-in.